Add start_debugging_with_config tool for inline-config launches#99
Add start_debugging_with_config tool for inline-config launches#99ksa-real wants to merge 2 commits into
Conversation
Expose a language-agnostic launcher that forwards a raw, caller-supplied DebugConfiguration straight to vscode.debug.startDebugging — no launch.json entry required. The caller owns all toolchain/runtime choices (e.g. runtimeExecutable:"tsx" for TypeScript, debugpy for Python, request:"attach" to a node --inspect-brk process); the extension stays a thin shim. Adds minimal validation (type and request required, name defaulted).
Cover config-forwarded-verbatim (no fields injected or stripped), clean-run "terminated", missing-name defaulting, missing-type and invalid-request validation, and failed-launch surfacing.
Concern: the loopback server is unauthenticatedNot specific to this PR, but it broadens the blast radius so worth raising here. Loopback binding + Mitigation (standard path, not bespoke). The server must stay in the extension host (it needs
|
There was a problem hiding this comment.
Follow-up to my note above: there's now a working implementation of the per-install bearer-token approach on feat/mcp-auth-token.
What it does:
- The HTTP server requires a per-install token (
randomUUID, persisted inSecretStorage). Any request with a missing/invalid token gets401(constant-time compare; token accepted viaAuthorization: Bearerheader or?token=query param). - The token is delivered to the editor's built-in MCP client automatically, so no manual config:
- VS Code / Copilot:
McpHttpServerDefinition+resolveMcpServerDefinition(editor injects theAuthorizationheader). - Cursor:
vscode.cursor.mcp.registerServer, with the token carried in the URL query to work around Cursor's known dropped-headers bug (header is still sent for when the upstream fix lands). - Other agents: the same token is written into the MCP config files the extension already generates.
- VS Code / Copilot:
debugmcp.bindHostwarning updated to reflect that the server is token-gated but still widens the attack surface off loopback; added tests for the 401 path and token extraction.
Verified end-to-end in Cursor (registers via the extension API, unauthenticated/wrong-token requests return 401, valid token drives the full tool surface). Happy to open a PR if there's interest.
Summary
Adds a language-agnostic
start_debugging_with_configtool that lets an agent start a debug session from a raw, caller-suppliedDebugConfiguration— nolaunch.jsonentry required.The existing
start_debuggingtool launches a named configuration that must already exist in the workspace'slaunch.json. That's a hard blocker for the common agent workflow of "debug this arbitrary program/command right now," and it forces users to hand-editlaunch.jsonfor one-off sessions.This tool forwards the config straight to
vscode.debug.startDebugging, keeping the extension a thin shim while the caller owns all toolchain/runtime specifics:{ "type":"node", "request":"launch", "program":"<abs .ts>", "runtimeExecutable":"tsx" }{ "type":"python", "request":"launch", "program":"<abs .py>" }{ "type":"node", "request":"attach", "port":9229 }(e.g. anode --inspect-brkprocess)Adapter-specific fields (
args,env,cwd,console,port,stopOnEntry, …) are passed through unchanged. Minimal validation only:typeandrequestare required;namedefaults when omitted.Tests
startDebuggingMatrix.test.tscovers:terminatednameis defaulted rather than failingtypeand invalidrequestare rejectedNotes
package.jsonchange — implementation + tests only.main(includes Fix MCP connection errors, slow stepping, and stale debug state #96 and Ozzafar/handle session termination #97); the two commits here are the tool and its tests.