Merge main into feature/W-20893605-ecdn-zones

Resolved conflict in clients/index.ts by keeping both:
- CDN zones client exports (from feature branch)
- error-utils export (from main)

Author: clavery

.changeset/add-setup-config-command.md

@@ -0,0 +1,7 @@
+---
+'@salesforce/b2c-cli': minor
+---
+
+Add `setup config` command to display resolved configuration with source tracking.
+
+Shows all configuration values organized by category (Instance, Authentication, SCAPI, MRT) and indicates which source file or environment variable provided each value. Sensitive values are masked by default; use `--unmask` to reveal them.

.changeset/fix-error-output.md

@@ -0,0 +1,8 @@
+---
+'@salesforce/b2c-cli': patch
+'@salesforce/b2c-tooling-sdk': patch
+---
+
+Fix HTML response bodies appearing in ERROR log lines. When API requests fail with non-JSON responses (like HTML error pages), error messages now show the HTTP status code (e.g., "HTTP 521 Web Server Is Down") instead of serializing the entire response body.
+
+Added `getApiErrorMessage(error, response)` utility that extracts clean error messages from ODS, OCAPI, and SCAPI error patterns with HTTP status fallback.

.claude/skills/api-client-development/SKILL.md

@@ -380,6 +380,62 @@ it('fetches endpoints', async () => {
 
 ---
 
+## Error Handling
+
+When API requests fail, use `getApiErrorMessage()` to extract clean, user-friendly error messages. This utility handles multiple error formats and ensures HTML response bodies (like error pages from stopped sandboxes) are never shown to users.
+
+### Using getApiErrorMessage
+
+```typescript
+import {getApiErrorMessage} from '@salesforce/b2c-tooling-sdk/clients';
+
+const {data, error, response} = await client.GET('/sites', {...});
+
+if (error) {
+  // Returns structured error message or "HTTP 521 Web Server Is Down"
+  const message = getApiErrorMessage(error, response);
+  this.error(`Failed to fetch sites: ${message}`);
+}
+```
+
+### Supported Error Patterns
+
+The utility extracts messages from these patterns in priority order:
+
+| API | Error Structure | Message Location |
+|-----|-----------------|------------------|
+| ODS/SLAS | `{ error: { message } }` | `error.error.message` |
+| OCAPI | `{ fault: { message } }` | `error.fault.message` |
+| SCAPI/Problem+JSON | `{ title, detail }` | `error.detail` or `error.title` |
+| Standard Error | `{ message }` | `error.message` |
+| Fallback | Any | `HTTP {status} {statusText}` |
+
+### Why This Matters
+
+**Without `getApiErrorMessage`:**
+```
+ERROR: Failed to fetch sites: <!DOCTYPE html><html lang="en"><head><title>521 - Sandbox Down</title>...
+```
+
+**With `getApiErrorMessage`:**
+```
+ERROR: Failed to fetch sites: HTTP 521 Web Server Is Down
+```
+
+### Important: Always Destructure `response`
+
+When making API calls, always destructure the `response` object alongside `error`:
+
+```typescript
+// GOOD: Include response for error handling
+const {data, error, response} = await client.GET('/endpoint', {...});
+
+// BAD: Missing response - can't get clean error message
+const {data, error} = await client.GET('/endpoint', {...});
+```
+
+---
+
 ## Checklist: New SCAPI Client
 
 1. Add OpenAPI spec to `specs/`

.claude/skills/cli-command-development/SKILL.md

@@ -57,6 +57,7 @@ import { InstanceCommand, CartridgeCommand, OdsCommand } from '@salesforce/b2c-t
  */
 import {Args, Flags} from '@oclif/core';
 import {InstanceCommand} from '@salesforce/b2c-tooling-sdk/cli';
+import {getApiErrorMessage} from '@salesforce/b2c-tooling-sdk';
 import {t} from '../../i18n/index.js';
 
 interface MyCommandResponse {
@@ -105,27 +106,27 @@ export default class MyCommand extends InstanceCommand<typeof MyCommand> {
     this.log(t('commands.topic.mycommand.working', 'Working on {{name}}...', {name}));
 
     // Implementation
-    const result = await this.instance.ocapi.GET('/some/endpoint');
+    const {data, error, response} = await this.instance.ocapi.GET('/some/endpoint');
 
-    if (!result.data) {
+    if (error) {
       this.error(t('commands.topic.mycommand.error', 'Failed: {{message}}', {
-        message: result.response?.statusText || 'Unknown error',
+        message: getApiErrorMessage(error, response),
       }));
     }
 
-    const response: MyCommandResponse = {
+    const result: MyCommandResponse = {
       success: true,
-      data: result.data,
+      data,
     };
 
     // JSON mode returns the object directly (oclif handles serialization)
     if (this.jsonEnabled()) {
-      return response;
+      return result;
     }
 
     // Human-readable output
     this.log('Success!');
-    return response;
+    return result;
   }
 }
 ```
@@ -305,14 +306,21 @@ this.error('Config file not found', {
 // Warning (continues execution)
 this.warn('Deprecated flag used');
 
-// Structured API errors
-if (result.error) {
+// API errors - use getApiErrorMessage for clean messages
+import {getApiErrorMessage} from '@salesforce/b2c-tooling-sdk';
+
+const {data, error, response} = await this.instance.ocapi.GET('/sites', {...});
+if (error) {
   this.error(t('commands.topic.cmd.apiError', 'API error: {{message}}', {
-    message: formatApiError(result.error),
+    message: getApiErrorMessage(error, response),
   }));
 }
 ```
 
+**Important:** Always destructure `response` alongside `error` when making API calls. The `getApiErrorMessage` utility extracts clean messages from ODS, OCAPI, and SCAPI error patterns, and falls back to HTTP status (e.g., "HTTP 521 Web Server Is Down") for non-JSON responses like HTML error pages.
+
+See [API Client Development](../api-client-development/SKILL.md#error-handling) for supported error patterns.
+
 ## Creating a Command Checklist
 
 1. Create file at `packages/b2c-cli/src/commands/<topic>/<command>.ts`

docs/cli/setup.md

@@ -1,10 +1,107 @@
 ---
-description: Commands for installing AI agent skills for Claude Code, Cursor, Windsurf, and other agentic IDEs.
+description: Commands for viewing configuration, installing AI agent skills, and setting up the development environment.
 ---
 
 # Setup Commands
 
-Commands for setting up the development environment with AI agent skills.
+Commands for viewing configuration and setting up the development environment.
+
+## b2c setup config
+
+Display the resolved configuration from all sources, showing which values are set and where they came from. Useful for debugging configuration issues.
+
+### Usage
+
+```bash
+b2c setup config [FLAGS]
+```
+
+### Flags
+
+| Flag | Description | Default |
+|------|-------------|---------|
+| `--unmask` | Show sensitive values unmasked (passwords, secrets, API keys) | `false` |
+| `--json` | Output results as JSON | `false` |
+
+### Examples
+
+```bash
+# Display resolved configuration (sensitive values masked)
+b2c setup config
+
+# Display configuration with sensitive values unmasked
+b2c setup config --unmask
+
+# Output as JSON for scripting
+b2c setup config --json
+
+# Debug configuration with a specific instance
+b2c setup config -i staging
+```
+
+### Output
+
+The command displays configuration organized by category:
+
+- **Instance**: hostname, webdavHostname, codeVersion
+- **Authentication (Basic)**: username, password
+- **Authentication (OAuth)**: clientId, clientSecret, scopes, authMethods, accountManagerHost
+- **SCAPI**: shortCode
+- **Managed Runtime (MRT)**: mrtProject, mrtEnvironment, mrtApiKey, mrtOrigin
+- **Metadata**: instanceName
+- **Sources**: List of configuration sources that contributed values
+
+Each value shows its source in brackets (e.g., `[dw.json]`, `[SFCC_CLIENT_ID]`, `[~/.mobify]`).
+
+Example output:
+
+```
+Configuration
+────────────────────────────────────────────────────────────
+
+Instance
+  hostname              my-sandbox.dx.commercecloud.salesforce.com  [DwJsonSource]
+  webdavHostname        -
+  codeVersion           version1                                     [DwJsonSource]
+
+Authentication (Basic)
+  username              admin                                        [DwJsonSource]
+  password              admi...REDACTED                              [DwJsonSource]
+
+Authentication (OAuth)
+  clientId              my-client-id                                 [password-store]
+  clientSecret          my-c...REDACTED                              [password-store]
+  scopes                -
+  authMethods           -
+  accountManagerHost    -
+
+SCAPI
+  shortCode             abc123                                       [DwJsonSource]
+
+Managed Runtime (MRT)
+  mrtProject            my-project                                   [MobifySource]
+  mrtApiKey             mrtk...REDACTED                              [MobifySource]
+
+Sources
+────────────────────────────────────────────────────────────
+  1. DwJsonSource         /path/to/project/dw.json
+  2. MobifySource         /Users/user/.mobify
+  3. password-store       pass:b2c-cli/_default
+```
+
+### Sensitive Values
+
+By default, sensitive fields are masked to prevent accidental exposure:
+
+- `password` - Basic auth access key
+- `clientSecret` - OAuth client secret
+- `mrtApiKey` - MRT API key
+
+Use `--unmask` to reveal the actual values when needed for debugging.
+
+### See Also
+
+- [Configuration Guide](/guide/configuration) - How to configure the CLI
 
 ## b2c setup skills
 

docs/guide/configuration.md

@@ -264,6 +264,29 @@ SFCC_AUTH_METHODS=client-credentials,implicit b2c code deploy
 
 The CLI will try each method in order until one succeeds.
 
+## Debugging Configuration
+
+Use `b2c setup config` to view the resolved configuration and see which source provided each value:
+
+```bash
+# Display resolved configuration (sensitive values masked)
+b2c setup config
+
+# Show actual sensitive values
+b2c setup config --unmask
+
+# Output as JSON
+b2c setup config --json
+```
+
+This command helps troubleshoot issues like:
+- Verifying which configuration file is being used
+- Checking if environment variables are being read
+- Understanding credential source priority
+- Identifying hostname mismatch protection triggers
+
+See [setup config](/cli/setup#b2c-setup-config) for full documentation.
+
 ## Next Steps
 
 - [CLI Reference](/cli/) - Browse available commands

packages/b2c-cli/src/commands/ods/create.ts

@@ -6,7 +6,7 @@
 import {Flags, ux} from '@oclif/core';
 import cliui from 'cliui';
 import {OdsCommand} from '@salesforce/b2c-tooling-sdk/cli';
-import type {OdsComponents} from '@salesforce/b2c-tooling-sdk';
+import {getApiErrorMessage, type OdsComponents} from '@salesforce/b2c-tooling-sdk';
 import {t} from '../../i18n/index.js';
 
 type SandboxModel = OdsComponents['schemas']['SandboxModel'];
@@ -139,11 +139,9 @@ export default class OdsCreate extends OdsCommand<typeof OdsCreate> {
     });
 
     if (!result.data?.data) {
-      const errorResponse = result.error as OdsComponents['schemas']['ErrorResponse'] | undefined;
-      const errorMessage = errorResponse?.error?.message || result.response?.statusText || 'Unknown error';
       this.error(
         t('commands.ods.create.error', 'Failed to create sandbox: {{message}}', {
-          message: errorMessage,
+          message: getApiErrorMessage(result.error, result.response),
         }),
       );
     }

packages/b2c-cli/src/commands/ods/delete.ts

@@ -6,7 +6,7 @@
 import * as readline from 'node:readline';
 import {Args, Flags} from '@oclif/core';
 import {OdsCommand} from '@salesforce/b2c-tooling-sdk/cli';
-import type {OdsComponents} from '@salesforce/b2c-tooling-sdk';
+import {getApiErrorMessage} from '@salesforce/b2c-tooling-sdk';
 import {t} from '../../i18n/index.js';
 
 /**
@@ -92,11 +92,9 @@ export default class OdsDelete extends OdsCommand<typeof OdsDelete> {
     });
 
     if (result.response.status !== 202) {
-      const errorResponse = result.error as OdsComponents['schemas']['ErrorResponse'] | undefined;
-      const errorMessage = errorResponse?.error?.message || result.response?.statusText || 'Unknown error';
       this.error(
         t('commands.ods.delete.error', 'Failed to delete sandbox: {{message}}', {
-          message: errorMessage,
+          message: getApiErrorMessage(result.error, result.response),
         }),
       );
     }

packages/b2c-cli/src/commands/ods/list.ts

@@ -5,7 +5,7 @@
  */
 import {Flags} from '@oclif/core';
 import {OdsCommand, TableRenderer, type ColumnDef} from '@salesforce/b2c-tooling-sdk/cli';
-import type {OdsComponents} from '@salesforce/b2c-tooling-sdk';
+import {getApiErrorMessage, type OdsComponents} from '@salesforce/b2c-tooling-sdk';
 import {t} from '../../i18n/index.js';
 
 type SandboxModel = OdsComponents['schemas']['SandboxModel'];
@@ -142,11 +142,9 @@ export default class OdsList extends OdsCommand<typeof OdsList> {
     });
 
     if (result.error) {
-      const errorResponse = result.error as OdsComponents['schemas']['ErrorResponse'] | undefined;
-      const errorMessage = errorResponse?.error?.message || result.response?.statusText || 'Unknown error';
       this.error(
         t('commands.ods.list.error', 'Failed to fetch sandboxes: {{message}}', {
-          message: errorMessage,
+          message: getApiErrorMessage(result.error, result.response),
         }),
       );
     }

packages/b2c-cli/src/commands/ods/restart.ts

@@ -5,7 +5,7 @@
  */
 import {Args} from '@oclif/core';
 import {OdsCommand} from '@salesforce/b2c-tooling-sdk/cli';
-import type {OdsComponents} from '@salesforce/b2c-tooling-sdk';
+import {getApiErrorMessage, type OdsComponents} from '@salesforce/b2c-tooling-sdk';
 import {t} from '../../i18n/index.js';
 
 type SandboxOperationModel = OdsComponents['schemas']['SandboxOperationModel'];
@@ -45,11 +45,9 @@ export default class OdsRestart extends OdsCommand<typeof OdsRestart> {
     });
 
     if (!result.data?.data) {
-      const errorResponse = result.error as OdsComponents['schemas']['ErrorResponse'] | undefined;
-      const errorMessage = errorResponse?.error?.message || result.response?.statusText || 'Unknown error';
       this.error(
         t('commands.ods.restart.error', 'Failed to restart sandbox: {{message}}', {
-          message: errorMessage,
+          message: getApiErrorMessage(result.error, result.response),
         }),
       );
     }