@salesforce/afv-skills 1.16.0 → 1.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (69) hide show
  1. package/package.json +1 -1
  2. package/skills/activating-datacloud/SKILL.md +2 -2
  3. package/skills/analyzing-omnistudio-dependencies/SKILL.md +1 -1
  4. package/skills/building-sf-integrations/SKILL.md +1 -1
  5. package/skills/building-ui-bundle-app/SKILL.md +1 -1
  6. package/skills/configuring-code-analyzer/SKILL.md +482 -0
  7. package/skills/configuring-code-analyzer/examples/apex-project-config.yml +41 -0
  8. package/skills/configuring-code-analyzer/examples/ci-github-actions.yml +96 -0
  9. package/skills/configuring-code-analyzer/examples/fullstack-project-config.yml +46 -0
  10. package/skills/configuring-code-analyzer/examples/lwc-project-config.yml +26 -0
  11. package/skills/configuring-code-analyzer/references/ci-cd-templates.md +648 -0
  12. package/skills/configuring-code-analyzer/references/config-schema.md +257 -0
  13. package/skills/configuring-code-analyzer/references/diagnostic-flow.md +70 -0
  14. package/skills/configuring-code-analyzer/references/engine-prerequisites.md +276 -0
  15. package/skills/configuring-code-analyzer/references/rule-name-resolution.md +67 -0
  16. package/skills/configuring-code-analyzer/references/troubleshooting.md +298 -0
  17. package/skills/configuring-code-analyzer/scripts/check-prerequisites.sh +189 -0
  18. package/skills/configuring-code-analyzer/scripts/generate-config.sh +143 -0
  19. package/skills/configuring-code-analyzer/scripts/validate-config.sh +153 -0
  20. package/skills/connecting-datacloud/SKILL.md +2 -2
  21. package/skills/creating-b2b-commerce-store/SKILL.md +0 -1
  22. package/skills/developing-agentforce/SKILL.md +0 -1
  23. package/skills/generating-apex/SKILL.md +1 -0
  24. package/skills/generating-mermaid-diagrams/assets/datamodel/b2b-commerce-erd.md +1 -1
  25. package/skills/generating-mermaid-diagrams/assets/datamodel/campaigns-erd.md +1 -1
  26. package/skills/generating-mermaid-diagrams/assets/datamodel/consent-erd.md +1 -1
  27. package/skills/generating-mermaid-diagrams/assets/datamodel/files-erd.md +1 -1
  28. package/skills/generating-mermaid-diagrams/assets/datamodel/forecasting-erd.md +1 -1
  29. package/skills/generating-mermaid-diagrams/assets/datamodel/fsl-erd.md +1 -1
  30. package/skills/generating-mermaid-diagrams/assets/datamodel/party-model-erd.md +1 -1
  31. package/skills/generating-mermaid-diagrams/assets/datamodel/quote-order-erd.md +1 -1
  32. package/skills/generating-mermaid-diagrams/assets/datamodel/revenue-cloud-erd.md +1 -1
  33. package/skills/generating-mermaid-diagrams/assets/datamodel/sales-cloud-erd.md +1 -1
  34. package/skills/generating-mermaid-diagrams/assets/datamodel/salesforce-erd.md +1 -1
  35. package/skills/generating-mermaid-diagrams/assets/datamodel/scheduler-erd.md +1 -1
  36. package/skills/generating-mermaid-diagrams/assets/datamodel/service-cloud-erd.md +1 -1
  37. package/skills/generating-mermaid-diagrams/assets/datamodel/territory-management-erd.md +1 -1
  38. package/skills/generating-mermaid-diagrams/references/erd-conventions.md +1 -1
  39. package/skills/generating-mermaid-diagrams/references/preview-guide.md +2 -5
  40. package/skills/harmonizing-datacloud/SKILL.md +2 -2
  41. package/skills/implementing-ui-bundle-agentforce-conversation-client/SKILL.md +1 -2
  42. package/skills/investigating-agentforce-d360/SKILL.md +1 -1
  43. package/skills/managing-cdc-enablement/SKILL.md +164 -0
  44. package/skills/managing-cdc-enablement/assets/PlatformEventChannel-template.xml +5 -0
  45. package/skills/managing-cdc-enablement/assets/PlatformEventChannelMember-template.xml +11 -0
  46. package/skills/managing-cdc-enablement/references/deploy-troubleshooting.md +73 -0
  47. package/skills/managing-cdc-enablement/references/filter-expressions.md +93 -0
  48. package/skills/observing-agentforce/SKILL.md +0 -1
  49. package/skills/observing-agentforce/references/stdm-queries.md +3 -11
  50. package/skills/orchestrating-datacloud/README.md +5 -7
  51. package/skills/orchestrating-datacloud/SKILL.md +3 -3
  52. package/skills/orchestrating-datacloud/references/feature-readiness.md +2 -2
  53. package/skills/orchestrating-datacloud/references/plugin-setup.md +6 -8
  54. package/skills/orchestrating-datacloud/scripts/diagnose-org.mjs +1 -1
  55. package/skills/orchestrating-datacloud/scripts/verify-plugin.sh +2 -2
  56. package/skills/preparing-datacloud/SKILL.md +2 -2
  57. package/skills/retrieving-datacloud/SKILL.md +3 -3
  58. package/skills/reviewing-lwc-mobile-offline/SKILL.md +0 -1
  59. package/skills/running-code-analyzer/SKILL.md +264 -267
  60. package/skills/running-code-analyzer/references/post-scan-workflows.md +286 -0
  61. package/skills/running-code-analyzer/scripts/describe-rule.js +382 -0
  62. package/skills/running-code-analyzer/scripts/list-rules.js +260 -0
  63. package/skills/running-code-analyzer/scripts/query-results.js +230 -0
  64. package/skills/testing-agentforce/SKILL.md +0 -1
  65. package/skills/using-mobile-native-capabilities/SKILL.md +0 -1
  66. package/skills/using-salesforce-archive/SKILL.md +121 -0
  67. package/skills/using-salesforce-archive/examples/monitor-failed-jobs.md +47 -0
  68. package/skills/using-salesforce-archive/references/archive-activity-entity.md +59 -0
  69. package/skills/using-salesforce-archive/references/connect-api-operations.md +157 -0
@@ -1,6 +1,6 @@
1
1
  ---
2
2
  name: running-code-analyzer
3
- description: "Run Salesforce Code Analyzer to scan code for security, performance, best practice, and code style violations. Supports all engines (PMD, ESLint, CPD, RetireJS, Flow, SFGE, ApexGuru), targets (files, folders, git diff), categories, and severities. TRIGGER when: user says 'scan my code', 'check for security issues', 'run PMD/ESLint', 'find duplicates', 'analyze Flows', 'check vulnerable libraries', 'AppExchange review', 'lint my LWC', 'static analysis', 'code quality', or mentions engines/file types (.cls, .trigger, .js, .flow-meta.xml). DO NOT TRIGGER when: user wants to fix code without scanning, or asks about installation/configuration."
3
+ description: "Run Salesforce Code Analyzer to scan code for security, performance, best practice, and code style violations. Supports all engines (PMD, ESLint, CPD, RetireJS, Flow, SFGE, ApexGuru), targets (files, folders, git diff), categories, and severities. Also handles post-scan exploration: filtering results by engine/severity/category/file, and explaining what specific rules mean. TRIGGER when: user says 'scan my code', 'check for security issues', 'run PMD/ESLint', 'find duplicates', 'analyze Flows', 'check vulnerable libraries', 'AppExchange review', 'lint my LWC', 'static analysis', 'code quality', 'show only security violations', 'what is this rule', 'explain ApexCRUDViolation', 'filter results', or mentions engines/file types (.cls, .trigger, .js, .flow-meta.xml). Use this skill for scanning, exploring results, understanding rules, and listing available rules. DO NOT TRIGGER when: user wants to fix code without scanning, or asks ONLY about installation/configuration."
4
4
  allowed-tools: Read, Bash(sf code-analyzer), Bash(node), Bash(git diff), Bash(date), Write, Edit
5
5
  metadata:
6
6
  version: "1.0"
@@ -9,284 +9,233 @@ metadata:
9
9
 
10
10
  # Running Code Analyzer Skill
11
11
 
12
- ## ⚠️ CRITICAL: Tool Selection
12
+ ## ⚠️ CRITICAL: Mandatory Script Usage
13
13
 
14
- **BEFORE DOING ANYTHING ELSE:**
14
+ Every interaction with Code Analyzer results MUST go through the bundled scripts in `<skill_dir>/scripts/`. No exceptions.
15
15
 
16
- This skill MUST use the **Bash tool** to execute `sf code-analyzer run` and Node.js scripts.
16
+ ### WRONG never do this:
17
17
 
18
- **DO NOT use these tools under any circumstances:**
19
- - `run_code_analyzer` (MCP tool)
20
- - `mcp__*` (any MCP tool)
21
- - ❌ Any tool containing `mcp` in its name
18
+ ```bash
19
+ # WRONG: inline Python to parse results
20
+ python3 -c "import json; data = json.load(open('results.json'))..."
22
21
 
23
- If you see a `run_code_analyzer` tool available, **ignore it completely**. Use only the Bash tool with `sf code-analyzer run`.
22
+ # WRONG: inline Node.js to parse results
23
+ node -e "const data = require('./results.json')..."
24
24
 
25
- ---
25
+ # WRONG: jq to filter results
26
+ cat results.json | jq '.violations[] | select(.engine=="pmd")'
26
27
 
27
- ## Overview
28
-
29
- This skill translates natural language requests ("scan for security issues", "check my changes") into the correct `sf code-analyzer run` command, executes scans with any combination of engines/targets/severities, and presents actionable results. When engine-provided fixes are available, it discovers them, asks for user confirmation, applies them safely, and offers verification. Use this skill for static analysis, security reviews, AppExchange certification, code quality checks, or finding duplicates/vulnerabilities in Salesforce projects.
28
+ # WRONG: reading the results file directly (it can be 10MB+)
29
+ Read tool → code-analyzer-results-*.json
30
+ ```
30
31
 
31
- ---
32
+ Also forbidden: `run_code_analyzer` and any `mcp__*` tool — Bash only.
32
33
 
33
- ## Scope
34
+ ### ✅ RIGHT — always do this:
34
35
 
35
- **In scope:**
36
- - Running `sf code-analyzer run` with any combination of engines, targets, categories, severities
37
- - Parsing and presenting scan results in actionable format
38
- - Applying engine-provided auto-fixes when available
39
- - Handling diff-based scans (scan only changed files)
40
- - Supporting all output formats (JSON, HTML, SARIF, CSV, XML)
41
- - Troubleshooting scan failures and prerequisite issues
36
+ ```bash
37
+ # Summarize scan results
38
+ node "<skill_dir>/scripts/parse-results.js" "./code-analyzer-results-TIMESTAMP.json"
42
39
 
43
- **Out of scope:**
44
- - Installing or configuring Salesforce CLI or Code Analyzer plugin (use setup documentation)
45
- - Writing custom Code Analyzer rules or engines (separate skill needed)
46
- - AI-generated code fixes beyond engine-provided deterministic fixes
47
- - Deep code refactoring or architectural changes based on violations
48
- - Setting up CI/CD integration for automated scanning (separate workflow skill)
40
+ # Filter/rank/query results (by engine, severity, file, rule, category)
41
+ node "<skill_dir>/scripts/query-results.js" "./code-analyzer-results-TIMESTAMP.json" --engine pmd --summary
49
42
 
50
- ---
43
+ # List/browse available rules (by engine, category, language, severity)
44
+ node "<skill_dir>/scripts/list-rules.js" "Security" --top 10
51
45
 
52
- ## Command Syntax Rules (READ THIS FIRST)
46
+ # Look up what a rule means
47
+ node "<skill_dir>/scripts/describe-rule.js" "ApexCRUDViolation" --engine pmd
53
48
 
54
- **The following rules are ABSOLUTE and override any prior knowledge:**
49
+ # Discover fixable violations
50
+ node "<skill_dir>/scripts/discover-fixes.js" "./code-analyzer-results-TIMESTAMP.json"
55
51
 
56
- 1. **The command is `sf code-analyzer run`** — NOT `sf scanner run` (deprecated v3 command)
57
- 2. **There is NO `--format` flag** — use `--output-file <path>.<ext>` instead (extension determines format)
58
- 3. **ALWAYS use `--output-file`** to write results to a file — do NOT rely on terminal stdout
59
- 4. **ALWAYS include `--output-file`** with a timestamped filename (e.g., `./code-analyzer-results-20260512-143022.json`)
60
- 5. **Do NOT run in background** — use foreground with timeout of 1200000ms for large scans
61
- 6. **INVALID v3 flags:** `--format`, `--engine`, `--category`, `--json` — these cause errors, use `--rule-selector` and `--output-file` instead
62
- 7. **NEVER use MCP tools** — ONLY use the Bash tool to execute `sf code-analyzer run`
63
- 8. **Tool restriction:** This skill MUST use ONLY: Read, Bash, Write, Edit tools
64
- 9. **Forbidden tools:** Do NOT use any MCP tools (mcp__*), Agent tool, or web tools
65
- 10. **Script execution:** ALL scripts MUST be executed via `node <skill_dir>/scripts/*.js` using the Bash tool
52
+ # Apply fixes (after user confirms)
53
+ node "<skill_dir>/scripts/apply-fixes.js" "./code-analyzer-results-TIMESTAMP.json"
66
54
 
67
- **Why:** The v4+ CLI redesigned the flag interface. Old v3 flags cause "unknown flag" errors.
55
+ # Summarize applied fixes
56
+ node "<skill_dir>/scripts/summarize-fixes.js" "./code-analyzer-results-TIMESTAMP.json"
68
57
 
69
- **For complete flag reference and rule selector syntax**, see `<skill_dir>/references/flag-reference.md`.
58
+ # Filter vendor files (jQuery, Bootstrap, *.min.js) before applying fixes
59
+ node "<skill_dir>/scripts/filter-violations.js" "./code-analyzer-results-TIMESTAMP.json" "./code-analyzer-results-TIMESTAMP-filtered.json" --report
60
+ ```
70
61
 
71
- ---
62
+ `<skill_dir>` is the absolute path to the directory containing this SKILL.md. **Never** use `./scripts/` — that resolves against the user's CWD, not the skill dir.
72
63
 
73
- ## Prerequisites
64
+ Any aggregation, filter, or rank question ("which file has the most violations?", "how many PMD issues?", "top rules by count", "break down by severity") is answered by `query-results.js` — its output already includes `topRules`, `topFiles`, and `severityCounts`.
74
65
 
75
- User must have: **Salesforce CLI** (`sf`), **@salesforce/plugin-code-analyzer** (v5.x+), **Java 11+** (PMD/CPD/SFGE), **Node.js 18+** (ESLint/RetireJS), **Python 3** (Flow), **authenticated org** (ApexGuru).
66
+ ---
76
67
 
77
- If a scan fails, read `<skill_dir>/references/error-handling.md`. For quick command examples, see `<skill_dir>/references/quick-start.md`.
68
+ ## Overview
78
69
 
79
- ---
70
+ This skill translates natural-language requests ("scan for security issues", "check my changes") into the correct `sf code-analyzer run` command, executes scans across any combination of engines/targets/severities, and presents actionable results. When engine-provided fixes are available, it discovers them, asks for user confirmation, applies them safely, and offers verification. Use it for static analysis, security reviews, AppExchange certification, code-quality checks, and finding duplicates/vulnerabilities in Salesforce projects.
80
71
 
81
- ## Tool Usage Rules
72
+ **In scope:** running scans, parsing/filtering/ranking results, applying engine auto-fixes, diff-based scans, all output formats (JSON/HTML/SARIF/CSV/XML), describing/listing rules, scan-failure troubleshooting.
82
73
 
83
- **Allowed:** Bash (sf code-analyzer, node, git, date), Read, Write, Edit
84
- **Forbidden:** MCP tools, Agent tool, Web tools, other skills
74
+ **Out of scope:** installing/configuring `sf` or the plugin (→ `configuring-code-analyzer`), writing custom rules/engines, AI-generated fixes beyond engine-provided ones, deep refactoring, CI/CD setup (→ `configuring-code-analyzer`).
85
75
 
86
- This skill owns the complete scan-fix-verify workflow. Using MCP tools bypasses the validated script workflow.
76
+ **Allowed tools:** Bash (`sf code-analyzer`, `node`, `git diff`, `date`), Read, Write, Edit. **Forbidden:** any MCP tool, Agent tool, web tools, other skills, Python, `jq`, inline scripts/heredocs. This skill owns the complete scan-fix-verify-query-explain workflow end-to-end.
87
77
 
88
78
  ---
89
79
 
90
- ## Quick Start: Common Patterns
80
+ ## Command Syntax Rules (READ FIRST — ABSOLUTE)
91
81
 
92
- Use this decision tree for fast pattern matching before going to Step 1 detailed parsing:
82
+ 1. The command is **`sf code-analyzer run`** NOT `sf scanner run` (deprecated v3).
83
+ 2. **No `--format` flag.** Use `--output-file <path>.<ext>`; the extension determines the format.
84
+ 3. **Always** pass `--output-file` with a timestamped name (e.g., `./code-analyzer-results-20260512-143022.json`) — do not rely on stdout.
85
+ 4. **Foreground only** (no `run_in_background`); timeout 1200000ms for large scans.
86
+ 5. **Invalid v3 flags** that cause errors: `--format`, `--engine`, `--category`, `--json`. Use `--rule-selector` + `--output-file` instead.
87
+ 6. **Tool restriction:** Bash, Read, Write, Edit only. No MCP tools, no Agent tool, no web tools, no other skills.
93
88
 
94
- | User Says | Action | Rule Selector | Notes |
95
- |-----------|--------|---------------|-------|
96
- | "scan my code" / "run code analyzer" | Default scan | `Recommended` | Curated rule set, all file types |
97
- | "check for security issues" / "security review" | Security scan | `all:Security:(1,2)` | All engines, Critical+High only |
98
- | "scan my changes" / "check the diff" | Diff-based scan | Get changed files via `git diff`, filter to scannable types, use `--target` | See Step 1.5 for filtering logic |
99
- | "run PMD" / "check my Apex" | PMD only | `pmd` | Apex classes and triggers |
100
- | "lint my LWC" / "check my JavaScript" | ESLint only | `eslint` | JavaScript/TypeScript/LWC |
101
- | "find duplicates" / "check for copy-paste" | CPD (Copy-Paste Detector) | `cpd` | Detects code clones |
102
- | "check for vulnerabilities" / "scan libraries" | RetireJS | `retire-js` | JavaScript library CVEs |
103
- | "deep analysis" / "data flow analysis" | SFGE (Graph Engine) | `sfge` | Requires Java 11+, 10-20min, use `--workspace "force-app"` |
104
- | "performance analysis" / "governor limits" | ApexGuru | `apexguru` | Requires authenticated org |
105
- | "analyze my Flows" | Flow engine | `flow` | Target: `**/*.flow-meta.xml`, requires Python 3 |
106
- | "AppExchange security review" | AppExchange scan | `all:Security:(1,2)` | Read `<skill_dir>/references/special-behaviors.md` → AppExchange section |
89
+ Why: the v4+ CLI redesigned the flag interface; v3 flags now error.
107
90
 
108
- **If the pattern matches above**, proceed directly to Step 3 (Build Command). Otherwise, continue to Step 1 for detailed parsing.
91
+ Full flag/selector docs: `<skill_dir>/references/flag-reference.md`.
109
92
 
110
93
  ---
111
94
 
112
- ## Step 1: Parse the User's Intent
113
-
114
- Analyze the user's request along these 7 dimensions. Any can be combined freely:
115
-
116
- ### 1.1 ENGINE — Which analysis engine(s)?
95
+ ## Prerequisites
117
96
 
118
- Map user keywords to `--rule-selector` values:
119
- - PMD / Apex rules → `pmd`
120
- - ESLint / JS/TS rules / lint → `eslint`
121
- - Flows / Flow analysis → `flow`
122
- - duplicates / copy-paste / CPD → `cpd`
123
- - vulnerabilities / CVE / libraries / RetireJS → `retire-js`
124
- - SFGE / data flow / deep analysis → `sfge`
125
- - performance / ApexGuru → `apexguru`
126
- - regex / pattern rules → `regex`
127
- - all engines / everything → `all`
128
- - Not specified / general "scan" → `Recommended` (default)
97
+ User needs: **Salesforce CLI** (`sf`), **@salesforce/plugin-code-analyzer** (v5.x+), **Java 11+** (PMD/CPD/SFGE), **Node.js 18+** (ESLint/RetireJS), **Python 3** (Flow), **authenticated org** (ApexGuru).
129
98
 
130
- ### 1.2 CATEGORY What kind of issues?
99
+ Pre-flight: run `sf code-analyzer --help 2>&1 | head -1`. If that fails, or if a scan reports an engine startup error (e.g., "PMD failed to start", "java: command not found", "SFGE failed"):
131
100
 
132
- Map user keywords to category tags:
133
- - security / vulnerabilities / OWASP `Security`
134
- - performance / speed / optimization `Performance`
135
- - best practices / quality → `BestPractices`
136
- - code style / formatting → `CodeStyle`
137
- - design / complexity → `Design`
138
- - error prone / bugs → `ErrorProne`
139
- - documentation / comments → `Documentation`
101
+ 1. **Stop** do not attempt to install/diagnose prerequisites yourself.
102
+ 2. **Delegate to `configuring-code-analyzer`** it handles all setup.
103
+ 3. After it finishes, return here and re-run the scan.
140
104
 
141
- ### 1.3 SEVERITY How critical?
105
+ If a scan fails for other reasons, see `<skill_dir>/references/error-handling.md`.
142
106
 
143
- **Severity levels:** 1=Critical (must fix), 2=High (should fix), 3=Moderate (recommended), 4=Low (nice to fix), 5=Info (FYI)
107
+ ---
144
108
 
145
- Map user keywords:
146
- - "critical only" / "sev 1" → `1`
147
- - "critical and high" / "sev 1-2" → `(1,2)`
148
- - "moderate and above" / "sev 1-3" → `(1,2,3)`
109
+ ## Quick Start: Common Patterns
149
110
 
150
- ### 1.4 SPECIFIC RULE Named rule?
111
+ Match the request below; if it matches, jump to Step 3 (Build Command). Otherwise, walk Step 1.
112
+
113
+ | User Says | Rule Selector | Notes |
114
+ |-----------|---------------|-------|
115
+ | "scan my code" / "run code analyzer" | `Recommended` | Curated set, all file types |
116
+ | "check for security issues" / "security review" | `all:Security:(1,2)` | All engines, Critical+High |
117
+ | "scan my changes" / "check the diff" | (see Step 1.5) | Get files via `git diff`, filter to scannable types, pass via `--target` |
118
+ | "run PMD" / "check my Apex" | `pmd` | Apex classes and triggers |
119
+ | "lint my LWC" / "check my JavaScript" | `eslint` | JavaScript/TypeScript/LWC |
120
+ | "find duplicates" / "check for copy-paste" | `cpd` | Code clones |
121
+ | "check for vulnerabilities" / "scan libraries" | `retire-js` | JavaScript library CVEs |
122
+ | "deep analysis" / "data flow analysis" | `sfge` | Java 11+, 10–20 min, use `--workspace "force-app"` |
123
+ | "performance analysis" / "governor limits" | `apexguru` | Authenticated org required |
124
+ | "analyze my Flows" | `flow` | `--target **/*.flow-meta.xml`, Python 3 |
125
+ | "AppExchange security review" | `all:Security:(1,2)` | See `<skill_dir>/references/special-behaviors.md` → AppExchange |
151
126
 
152
- If the user mentions a specific rule by name (e.g., "ApexCRUDViolation", "no-unused-vars"):
153
- - Map to: `--rule-selector <engine>:<ruleName>`
154
- - If engine is ambiguous, use just the rule name: `--rule-selector <ruleName>`
127
+ ---
155
128
 
156
- **⚠️ IMPORTANT Partial Rule Names:** The `--rule-selector` flag requires the EXACT full rule name (e.g., `@salesforce-ux/slds/no-hardcoded-values-slds2`, not `no-hardcoded-values`). It does NOT support wildcards or partial matches.
129
+ ## Step 1: Parse the User's Intent
157
130
 
158
- **When you are NOT 100% certain of the full rule name:**
159
- - **Do NOT guess** — a wrong name returns 0 results and wastes a scan cycle
160
- - Instead, **look up the rule first** using the `sf code-analyzer rules` command with grep:
161
- ```bash
162
- sf code-analyzer rules --rule-selector all 2>&1 | grep -i "USER_KEYWORD"
163
- ```
164
- - Extract the full rule name from the output, then use it in your scan command
165
- - If grep returns multiple matches, present them to the user and ask which one they meant
166
- - If grep returns 0 matches, tell the user no rule matched their keyword
131
+ Analyze the request along these 7 dimensions; any can combine.
167
132
 
168
- ### 1.5 TARGET — What files to scan?
133
+ ### 1.1 ENGINE
134
+ PMD/Apex → `pmd` · ESLint/JS/TS/lint → `eslint` · Flows → `flow` · duplicates/CPD → `cpd` · vulnerabilities/CVE/RetireJS → `retire-js` · SFGE/data flow → `sfge` · performance/ApexGuru → `apexguru` · regex → `regex` · everything → `all` · unspecified → `Recommended`.
169
135
 
170
- Map user keywords:
171
- - Specific file/folder`--target <path>`
172
- - Glob pattern / "all Apex classes" → `--target **/*.cls,**/*.trigger`
173
- - "my changes" / "diff" → Run `git diff --name-only [base]...HEAD`, filter to scannable types, pass as `--target`
174
- - "LWC" → `--target **/lwc/**`
175
- - "Flows" → `--target **/*.flow-meta.xml`
176
- - Not specified → Entire workspace (omit `--target`)
136
+ ### 1.2 CATEGORY
137
+ security/OWASP `Security` · performance → `Performance` · best practices → `BestPractices` · style/format`CodeStyle` · design/complexity → `Design` · bugs → `ErrorProne` · docs → `Documentation`.
177
138
 
178
- **For diff filtering details:** See `<skill_dir>/references/special-behaviors.md`.
139
+ ### 1.3 SEVERITY
140
+ 1=Critical · 2=High · 3=Moderate · 4=Low · 5=Info. "critical only" → `1` · "critical+high" → `(1,2)` · "moderate and above" → `(1,2,3)`.
179
141
 
180
- ### 1.6 OUTPUT — What format?
142
+ ### 1.4 SPECIFIC RULE
143
+ If the user names a rule (e.g., "ApexCRUDViolation", "no-unused-vars"): `--rule-selector <engine>:<ruleName>`, or just `<ruleName>` if engine is ambiguous.
181
144
 
182
- **DEFAULT:** Always JSON. Only change if user EXPLICITLY requests another format.
145
+ ⚠️ **Partial names:** `--rule-selector` requires the **exact full** rule name (e.g., `@salesforce-ux/slds/no-hardcoded-values-slds2`, not `no-hardcoded-values`). No wildcards. If you are not 100% certain, look it up first — **do not guess**:
146
+ ```bash
147
+ sf code-analyzer rules --rule-selector all 2>&1 | grep -i "USER_KEYWORD"
148
+ ```
149
+ Multiple matches → ask the user which. Zero matches → tell the user nothing matched.
183
150
 
184
- **Naming:** `./code-analyzer-results-<YYYYMMDD-HHmmss>.<ext>` (timestamp via `TIMESTAMP=$(date +%Y%m%d-%H%M%S)`)
151
+ ### 1.5 TARGET
152
+ specific path → `--target <path>` · glob ("all Apex") → `--target **/*.cls,**/*.trigger` · "my changes"/"diff" → `git diff --name-only [base]...HEAD`, filter to scannable types, pass as `--target` · "LWC" → `--target **/lwc/**` · "Flows" → `--target **/*.flow-meta.xml` · unspecified → omit (entire workspace).
185
153
 
186
- Formats: `.json` (default), `.html` (report), `.sarif` (GitHub/IDE), `.csv` (spreadsheet), `.xml`
154
+ Diff-filtering details: `<skill_dir>/references/special-behaviors.md`.
187
155
 
188
- ### 1.7 COMPARISON — Delta/trend analysis?
156
+ ### 1.6 OUTPUT
157
+ **Default JSON.** Only change if the user explicitly asks. Name: `./code-analyzer-results-<YYYYMMDD-HHmmss>.<ext>` via `TIMESTAMP=$(date +%Y%m%d-%H%M%S)`. Formats: `.json` (default), `.html`, `.sarif`, `.csv`, `.xml`.
189
158
 
190
- Map user keywords:
191
- - "new since main" → `git diff --name-only main...HEAD` → scan those files
192
- - "new since last commit" → `git diff --name-only HEAD~1`
193
- - "compared to develop" → `git diff --name-only develop...HEAD`
159
+ ### 1.7 COMPARISON / DELTA
160
+ "new since main" → `git diff --name-only main...HEAD` → scan those · "since last commit" → `HEAD~1` · "vs develop" → `develop...HEAD`.
194
161
 
195
162
  ---
196
163
 
197
164
  ## Step 2: Build the Rule Selector
198
165
 
199
- **Syntax:** `:` = AND, `,` = OR, `()` = grouping
166
+ Syntax: `:` = AND, `,` = OR, `()` = grouping.
200
167
 
201
- **Examples:**
202
168
  - Engine only: `pmd`
203
169
  - Engine + category: `pmd:Security`
204
170
  - Engine + severity: `pmd:2`
205
- - Complex: `(pmd,eslint):Security:(1,2)` = (PMD or ESLint) AND Security AND (sev 1 or 2)
171
+ - Complex: `(pmd,eslint):Security:(1,2)` = (PMD or ESLint) AND Security AND sev (1 or 2)
206
172
  - Specific rule: `pmd:ApexCRUDViolation`
207
- - All rules: `all`
173
+ - All: `all`
208
174
 
209
- **More examples:** `<skill_dir>/references/command-examples.md`
175
+ More: `<skill_dir>/references/command-examples.md`.
210
176
 
211
177
  ---
212
178
 
213
179
  ## Step 3: Build the Full Command
214
180
 
215
- Generate timestamp: `TIMESTAMP=$(date +%Y%m%d-%H%M%S)`
216
-
217
- Build command:
218
181
  ```bash
182
+ TIMESTAMP=$(date +%Y%m%d-%H%M%S)
219
183
  sf code-analyzer run \
220
184
  --rule-selector <selector> \
221
- --target <targets> \ # optional
222
- --output-file "./code-analyzer-results-${TIMESTAMP}.json" \ # DEFAULT: JSON
223
- --include-fixes \ # always
224
- --workspace <path> # optional
185
+ --target <targets> \ # optional
186
+ --output-file "./code-analyzer-results-${TIMESTAMP}.json" \ # default JSON
187
+ --include-fixes \ # always
188
+ --workspace <path> # optional
225
189
  ```
226
190
 
227
- **Key decisions:**
228
- - DEFAULT: timestamped JSON (`.json`). Only change format if user explicitly requests HTML/SARIF/CSV/XML.
229
- - Always include `--include-fixes` (enables Step 6 auto-fix)
230
- - Omit `--target` to scan entire workspace
231
- - For diff-based scans: get files via `git diff --name-only`, filter to scannable types, pass as `--target`
191
+ - Default to timestamped JSON; only change format on explicit request.
192
+ - Always pass `--include-fixes` (enables Step 6 auto-fix).
193
+ - Omit `--target` to scan the whole workspace.
194
+ - Diff scans: `git diff --name-only` filter scannable types → pass as `--target`.
232
195
 
233
- **Special cases:** See `<skill_dir>/references/special-behaviors.md` for SFGE/ApexGuru/AppExchange/diff filtering.
196
+ Special cases (SFGE/ApexGuru/AppExchange/diff): `<skill_dir>/references/special-behaviors.md`.
234
197
 
235
198
  ---
236
199
 
237
200
  ## Step 4: Execute the Scan
238
201
 
239
- **⚠️ TOOL REQUIREMENT: Use Bash tool ONLY. DO NOT use run_code_analyzer (MCP tool) or any MCP tool.**
202
+ Use the **Bash tool only** never the `run_code_analyzer` MCP tool.
240
203
 
241
- **Rules:** Foreground only (no `run_in_background`), hardcoded filename (not `$TIMESTAMP`), timeout 1200000ms, no `sleep`, log output to timestamped file.
242
-
243
- **Steps:**
244
-
245
- 1. Generate timestamp: `date +%Y%m%d-%H%M%S` → capture output (e.g., `20260512-143022`) **using Bash tool**
246
- 2. Tell user:
204
+ 1. Generate the timestamp via Bash: `date +%Y%m%d-%H%M%S` e.g. `20260512-143022`.
205
+ 2. Tell the user:
247
206
  ```
248
207
  Starting scan...
249
208
  Results: ./code-analyzer-results-20260512-143022.json
250
209
  Log: ./code-analyzer-results-20260512-143022.log
251
210
  May take several minutes for large codebases.
252
211
  ```
253
- 3. Run command with literal timestamp in filename and `tee` to capture log (timeout: 1200000):
254
-
255
- ⚠️ **IMPORTANT:** Use the Bash tool, NOT the run_code_analyzer MCP tool.
256
-
212
+ 3. Run with the **literal** timestamp baked in (not `$TIMESTAMP`), foreground, timeout 1200000ms, `tee` to a `.log`:
257
213
  ```bash
258
- sf code-analyzer run --rule-selector Recommended --output-file "./code-analyzer-results-20260512-143022.json" --include-fixes 2>&1 | tee "./code-analyzer-results-20260512-143022.log"
214
+ sf code-analyzer run --rule-selector Recommended \
215
+ --output-file "./code-analyzer-results-20260512-143022.json" \
216
+ --include-fixes 2>&1 | tee "./code-analyzer-results-20260512-143022.log"
259
217
  ```
260
- 4. After completion: Exit 0 = success. Error output check both the log file and `<skill_dir>/references/error-handling.md`.
261
- 5. IMMEDIATELY parse results (Step 5). Do NOT ask user what they want.
218
+ 4. Exit 0 = success. On error, read both the log file and `<skill_dir>/references/error-handling.md`.
219
+ 5. **Immediately** parse results (Step 5) do not ask the user what to do next.
262
220
 
263
221
  ---
264
222
 
265
223
  ## Step 5: Parse and Present Results
266
224
 
267
- ### Parsing Rules:
268
-
269
- 1. **Execute the parse script using `<skill_dir>`** — see below
270
- 2. **NEVER use `jq` to parse results** — jq one-liners WILL fail due to shell quoting issues
271
- 3. **Run it IMMEDIATELY after the scan** — do NOT ask the user "what would you like next?"
272
-
273
- ### Script Execution
274
-
275
- All scripts are bundled in the `scripts/` subdirectory of the same directory that contains this SKILL.md file. Use the absolute path to that directory — do NOT use `./scripts/` as that resolves relative to the current working directory, not the skill directory.
225
+ Run the parse script straight after the scan — do not pause to ask:
276
226
 
277
227
  ```bash
278
- node <skill_dir>/scripts/parse-results.js "./code-analyzer-results-TIMESTAMP.json"
228
+ node "<skill_dir>/scripts/parse-results.js" "./code-analyzer-results-TIMESTAMP.json"
279
229
  ```
280
230
 
281
231
  ⚠️ **DO NOT:**
282
232
  - ❌ Invent or generate script code yourself
283
233
  - ❌ Use bare relative paths like `node scripts/parse-results.js` (won't resolve from user's CWD)
284
234
  - ❌ Use heredocs or inline script content
285
- - ❌ Use `jq` as a substitute for the parse script
235
+ - ❌ Use `jq` as a substitute for the parse script (shell quoting will break)
236
+ - ❌ Read the JSON file directly
286
237
 
287
- ### How to Present Results:
288
-
289
- **ALWAYS present a concise summary, then point to the output file for full details.**
238
+ ### Presentation template
290
239
 
291
240
  ```
292
241
  ## Scan Complete
@@ -305,44 +254,30 @@ node <skill_dir>/scripts/parse-results.js "./code-analyzer-results-TIMESTAMP.jso
305
254
  | # | Rule | Engine | Sev | File | Line |
306
255
  |---|------|--------|-----|------|------|
307
256
  | 1 | ApexCRUDViolation | pmd | 2 | AccountService.cls | 42 |
308
- | 2 | ApexSOQLInjection | pmd | 1 | QueryHelper.cls | 18 |
309
- | ... (show up to 10 most critical) |
257
+ | ... up to 10 most critical |
310
258
 
311
259
  ### Top Rules by Frequency
312
260
  | Rule | Engine | Count |
313
261
  |------|--------|-------|
314
262
  | no-var | eslint | 170 |
315
- | ApexDoc | pmd | 165 |
316
263
  | ... |
317
264
 
318
265
  Full results: `./code-analyzer-results-20260512-143022.json`
319
266
  ```
320
267
 
321
- ### Result Presentation Rules:
322
-
323
- - **0 violations**: "Scan complete — no violations found! Output: `<path>`"
324
- - **1-10**: Show all violations in table
325
- - **11-50**: Show severity counts + top 10 violations
326
- - **50-5000**: Show counts + top 10 violations + top 10 rules + top 5 files
327
- - **5000+**: Same as 50-5000, plus suggest narrowing scope (severity/category/folder)
268
+ Scale to result size: **0** → "no violations found"; **1–10** → all in one table; **11–50** → severity counts + top 10; **50–5000** → counts + top 10 violations + top 10 rules + top 5 files; **5000+** → same, plus suggest narrowing scope (severity/category/folder). Always end with the output path and offer next actions: filter / explain rule / apply fixes.
328
269
 
329
- **Always end with:** Output file path + next-action offers (explain rules / apply fixes)
330
-
331
- **For large result sets:** See `<skill_dir>/references/special-behaviors.md`.
270
+ Large-result handling: `<skill_dir>/references/special-behaviors.md`.
332
271
 
333
272
  ---
334
273
 
335
274
  ## Step 6: Apply Engine-Provided Fixes (Post-Scan)
336
275
 
337
- After presenting results, check if violations have **engine-provided fixes** (deterministic, not AI-generated).
338
-
339
- **Rules:** NEVER apply without confirmation. Use EXACT scripts from `<skill_dir>/scripts/`. Filter vendor files if needed, then: Discover → Apply → Summarize.
276
+ Engine-provided fixes are **deterministic** (not AI-generated). Flow: vendor filter (if needed) discover → present → **wait for user confirmation** apply → summarize.
340
277
 
341
- **Flow:** Filter vendor (6.1 if needed) discover (6.2) → present (6.3) → ASK user → apply (6.4) → summarize (6.5) → present results.
278
+ ### 6.1 Vendor file filter (when needed)
342
279
 
343
- ### 6.1 Check for vendor files (if needed)
344
-
345
- If user said "fix my code" or "project source", or if top files by violation count are vendor libraries (jQuery, Bootstrap, *.min.js), run:
280
+ Run if the user said "fix my code" / "project source", or if top-violation files are vendor libs (jQuery, Bootstrap, `*.min.js`):
346
281
 
347
282
  ```bash
348
283
  node "<skill_dir>/scripts/filter-violations.js" \
@@ -351,31 +286,23 @@ node "<skill_dir>/scripts/filter-violations.js" \
351
286
  --report
352
287
  ```
353
288
 
354
- Present: "Excluded X vendor files (Y violations) - jQuery, Bootstrap, etc. Applying fixes to Z project files only."
355
-
356
- Use filtered file for Step 6.3+. **See:** `<skill_dir>/references/vendor-file-handling.md` for detailed logic.
289
+ Report: "Excluded X vendor files (Y violations) jQuery, Bootstrap, etc. Applying fixes to Z project files only." Use the filtered file in 6.2+. Detection logic: `<skill_dir>/references/vendor-file-handling.md`.
357
290
 
358
- ### 6.2 Discover fixable violations
291
+ ### 6.2 Discover
359
292
 
360
293
  ```bash
361
294
  node "<skill_dir>/scripts/discover-fixes.js" "./code-analyzer-results-TIMESTAMP.json"
362
295
  ```
363
296
 
364
- (Use filtered file from Step 6.1 if created.)
365
-
366
- ### 6.3 — Present fixable violations and ASK for confirmation
367
-
368
- After running the discovery script, present results:
297
+ ### 6.3 Present + ASK (then STOP)
369
298
 
370
299
  ```
371
300
  ### Engine-Provided Fixes Available
372
-
373
301
  **X of Y violations** have auto-fixes provided by the analysis engine:
374
302
 
375
303
  | Rule | Engine | Sev | Fixable Count |
376
304
  |------|--------|-----|---------------|
377
305
  | no-var | eslint | 3 | 170 |
378
- | no-hardcoded-values-slds2 | eslint | 4 | 76 |
379
306
  | ... |
380
307
 
381
308
  These are safe, deterministic fixes generated by the engines (not AI-generated).
@@ -383,39 +310,30 @@ These are safe, deterministic fixes generated by the engines (not AI-generated).
383
310
  Would you like me to apply these fixes? (yes / no / select specific rules)
384
311
  ```
385
312
 
386
- ### ⚠️ STOP HERE AND WAIT FOR USER RESPONSE.
313
+ ⚠️ **Stop and wait for the user's reply, even if they originally said "scan and fix everything".** Apply only on a fresh "yes" / "apply" / "go ahead" in the next turn.
387
314
 
388
- **Even if the user originally said "scan and fix everything", you MUST still stop here and wait.** Present the table, ask the question, and WAIT for a response in the NEXT turn.
389
-
390
- ### 6.4 — Apply fixes ONLY after user confirms
391
-
392
- **Only proceed after user says "yes", "apply", "go ahead" IN A SEPARATE RESPONSE.**
315
+ ### 6.4 Apply
393
316
 
394
317
  ```bash
395
318
  node "<skill_dir>/scripts/apply-fixes.js" "./code-analyzer-results-TIMESTAMP.json"
396
319
  ```
320
+ (Filtered file if 6.1 created one.)
397
321
 
398
- (Use filtered file if Step 6.1 created one.)
399
-
400
- ### 6.5 — After applying, ALWAYS run the summary script
401
-
402
- ⚠️ **MANDATORY**: After the apply script completes, you MUST run the summary script as your VERY NEXT action.
322
+ ### 6.5 Summarize (MANDATORY immediately after 6.4)
403
323
 
404
324
  ```bash
405
325
  node "<skill_dir>/scripts/summarize-fixes.js" "./code-analyzer-results-TIMESTAMP.json"
406
326
  ```
407
327
 
408
- Then present to the user:
328
+ Then present:
409
329
 
410
330
  ```
411
331
  ### Engine-Provided Fixes Applied Successfully ✓
412
-
413
332
  **Applied X auto-fixes across Y files.**
414
333
 
415
334
  | Severity | Fixes Applied |
416
335
  |----------|---------------|
417
336
  | Critical (1) | X |
418
- | High (2) | X |
419
337
  | ... |
420
338
 
421
339
  | Rule | Fixes Applied |
@@ -426,56 +344,130 @@ Then present to the user:
426
344
  Want me to re-run the scan to verify the fixes resolved the violations?
427
345
  ```
428
346
 
429
- ### 6.6 — If user declines: Skip. If selects rules: filter. If "all": run as-is.
347
+ ### 6.6 — Handling the user's choice
348
+ - **Decline / "no":** skip apply, skip summarize. Do not re-scan.
349
+ - **"Select rules":** filter the discovery list to those rules and pass the filtered file to `apply-fixes.js`.
350
+ - **"All" / "yes":** run `apply-fixes.js` against the full (or vendor-filtered) results file as-is.
351
+
352
+ ### 6.7 — Optional re-scan for verification
353
+ If the user accepts the offer in 6.5, re-run the same scan with a **new timestamp** (do not overwrite the original). Compare violation counts before vs. after and show the delta — fixes that resolved cleanly will drop out; remaining violations either need manual remediation or are unrelated.
430
354
 
431
- ### 6.7 — Re-scan (optional): Re-run with new timestamp, compare before/after counts.
432
355
  ---
433
- ## Rules / Constraints
434
-
435
- | Constraint | Rationale |
436
- |-----------|-----------|
437
- | Timestamped output (JSON + log) | Prevents overwrite; enables history tracking |
438
- | Use `tee` for logs | Keeps logs in working dir with matching timestamp |
439
- | Never use `--format` flag | Removed in v4+; use `--output-file <path>.<ext>` instead |
440
- | Foreground scans, 1200000ms timeout | SFGE takes 10-20min; backgrounding loses output |
441
- | Execute scripts from `<skill_dir>/scripts/` | Never write inline scripts or heredocs |
442
- | Never apply fixes without confirmation | User must explicitly approve code modifications |
443
- | Check for vendor files before fixes | If 50%+ vendor (jQuery, Bootstrap), filter first |
444
- | Run fix scripts in order | Filter (if needed) Discover → Apply → Summarize |
445
- | SFGE needs explicit `--workspace` | Prevents template file compilation errors |
446
- | Look up partial rule names first | Guessing fails; use `sf code-analyzer rules` to find exact name |
447
- | ONLY Bash tool, never MCP | run_code_analyzer MCP tool bypasses script workflow |
448
- | Never invoke other skills for fixes | This skill owns complete workflow end-to-end |
356
+
357
+ ## Step 7: Query and Filter Existing Results
358
+
359
+ After Step 5, the user may want to **drill into specific subsets** without re-running the entire scan. This step handles all result-exploration requests.
360
+
361
+ ### When to trigger
362
+ Activate when the user asks to slice, filter, rank, or explore existing results:
363
+ - "Show me just the security violations"
364
+ - "What's in AccountService.cls?"
365
+ - "Show only PMD issues" / "Filter to critical and high"
366
+ - "What ESLint rules fired?" / "Show violations in the lwc folder"
367
+ - "Top 20 most severe" / "Which file has the most violations?"
368
+ - "What are the most common rules?" / "How many violations per engine?" / "Break it down by severity"
369
+
370
+ **Important:** Any question about existing scan results — filtering, ranking, counting, aggregating MUST use `query-results.js`. NEVER write inline Python, `jq`, or ad-hoc scripts to parse the results JSON. The query script already provides `topRules`, `topFiles`, and `severityCounts` in its output.
371
+
372
+ ### How to execute
373
+ Run the query script against the **same results file** from Step 4 (no re-scan needed):
374
+
375
+ ```bash
376
+ node "<skill_dir>/scripts/query-results.js" "./code-analyzer-results-TIMESTAMP.json" [options]
377
+ ```
378
+
379
+ | User says | Options |
380
+ |-----------|---------|
381
+ | "security violations" | `--category Security` |
382
+ | "PMD issues only" | `--engine pmd` |
383
+ | "critical and high" / "sev 1-2" | `--severity 1,2` |
384
+ | "in AccountService.cls" | `--file AccountService.cls` |
385
+ | "the ApexCRUDViolation rule" | `--rule ApexCRUDViolation` |
386
+ | "top 20" | `--top 20` |
387
+ | "sort by file" | `--sort file` |
388
+ | "just give me counts" | `--summary` |
389
+ | "which file has the most violations?" | `--sort file --summary` (read `topFiles`) |
390
+ | "which file has most PMD violations?" | `--engine pmd --summary` (read `topFiles`) |
391
+ | "most common rules?" | `--summary` (read `topRules`) |
392
+ | "how many per engine?" | use Step 5's summary, or run with `--engine X --summary` per engine |
393
+ | Combinations | `--engine pmd --severity 1,2 --top 5` |
394
+
395
+ Output format and presentation templates: `<skill_dir>/references/post-scan-workflows.md`.
449
396
 
450
397
  ---
451
398
 
452
- ## Gotchas
399
+ ## Step 8: Describe a Rule
400
+
401
+ When the user asks "what does this rule mean?" or "how do I fix this?", use this step to look up and explain a specific rule.
453
402
 
454
- | Issue | Why It Happens | Solution |
455
- |-------|---------------|----------|
456
- | `--format` flag error | Removed in v4+ | Use `--output-file <path>.<ext>` |
457
- | Scan returns 0 results | Invalid rule selector | Run `sf code-analyzer rules --rule-selector <selector>` to verify |
458
- | SFGE compilation error | Template files in workspace | Set `--workspace "force-app"` |
459
- | jq parsing fails | Shell quoting issues | Use `node "<skill_dir>/scripts/parse-results.js"` |
460
- | Inline scripts written | LLM generates custom code | NEVER write scripts — use existing from <skill_dir>/scripts/ |
461
- | Scan times out | Large SFGE | Increase timeout to 1200000ms |
462
- | run_code_analyzer MCP used | LLM prefers MCP over Bash | Use Bash tool ONLY |
463
- | Other skills invoked | LLM delegates to other skills | Use apply-fixes.js from this skill only |
464
- | Most violations are vendor | Includes jQuery, Bootstrap, *.min.js | Run filter-violations.js before applying fixes |
403
+ ### When to trigger
404
+ - "What is ApexCRUDViolation?"
405
+ - "Explain this rule" / "Why is this flagged?"
406
+ - "What does no-var mean?"
407
+ - "How do I fix OperationWithLimitsInLoop?"
408
+ - "Tell me about this violation"
409
+
410
+ ### How to execute
411
+
412
+ ```bash
413
+ node "<skill_dir>/scripts/describe-rule.js" "<rule-name>" [--engine <engine>]
414
+ ```
415
+
416
+ Pass `--engine` when known (from scan context); omit for a broader search. Returns one of `success` / `multiple_matches` / `not_found`. Status handling and templates: `<skill_dir>/references/post-scan-workflows.md`.
465
417
 
466
418
  ---
467
419
 
468
- ## Output Expectations
420
+ ## Step 9: List Available Rules
421
+
422
+ Triggers: "what security rules are available?", "list all PMD rules", "rules for JavaScript", "Recommended rules", "how many ESLint rules?", "rules for Apex".
469
423
 
470
- Every scan produces: timestamped JSON file, concise summary (severity/top violations/rules/files), next-action offers. If fixes applied: summary by severity/rule, offer verification.
424
+ ```bash
425
+ node "<skill_dir>/scripts/list-rules.js" "<selector>" [options]
426
+ ```
427
+
428
+ | User says | Selector | Options |
429
+ |-----------|----------|---------|
430
+ | "security rules" | `Security` | |
431
+ | "PMD rules" | `pmd` | |
432
+ | "ESLint security rules" | `eslint:Security` | |
433
+ | "JavaScript rules" | `JavaScript` | |
434
+ | "Apex rules" | `Apex` | |
435
+ | "Recommended rules" | `Recommended` | |
436
+ | "high severity rules" | `(1,2)` | |
437
+ | "just give me counts" | `Recommended` | `--count-only` |
438
+ | "top 10 security rules" | `Security` | `--top 10` |
439
+
440
+ Filters: `--engine`, `--severity`, `--top` (default 100), `--count-only`. The script pre-validates selector tokens (catches typos like `secruity`) before calling the CLI. Presentation: `<skill_dir>/references/post-scan-workflows.md`.
441
+
442
+ ---
443
+
444
+ ## Constraints & Gotchas
445
+
446
+ | Item | Why / Fix |
447
+ |------|-----------|
448
+ | Use timestamped JSON + `.log` via `tee` | Prevents overwrite; matches log to results |
449
+ | `--format` flag | Removed in v4+; use `--output-file <path>.<ext>` |
450
+ | Foreground, 1200000ms timeout | SFGE can take 10–20 min; backgrounding loses output |
451
+ | Run scripts with absolute `<skill_dir>` path | `./scripts/` resolves against the user's CWD, not the skill dir |
452
+ | Never apply fixes without confirmation | User must approve code modifications |
453
+ | Vendor file check before fixes | If 50%+ vendor (jQuery/Bootstrap/`*.min.js`), filter first |
454
+ | Fix-script order: filter (if needed) → discover → apply → summarize | Skipping summary leaves the user without an outcome report |
455
+ | SFGE needs explicit `--workspace` | Otherwise template files cause compilation errors |
456
+ | Look up partial rule names first | Guessing returns 0 results; use `sf code-analyzer rules` |
457
+ | `ONLY` Bash tool, never MCP | `run_code_analyzer` and other MCP tools bypass the script workflow |
458
+ | Never invoke other skills for fixes | This skill owns the full workflow end-to-end |
459
+ | Query existing results, don't re-scan | Step 7 filters existing JSON instantly |
460
+ | Scan returns 0 results | Invalid rule selector — verify with `sf code-analyzer rules --rule-selector <selector>` |
461
+ | `jq` parsing fails | Shell quoting — use `parse-results.js` / `query-results.js` instead |
462
+ | Inline scripts written by LLM | Never write scripts — use existing ones in `<skill_dir>/scripts/` |
463
+ | Ranking/aggregation answered by ad-hoc Python | Always use `query-results.js`; output already has `topFiles`/`topRules`/`severityCounts` |
471
464
 
472
465
  ---
473
466
 
474
467
  ## Reference File Index
475
468
 
476
- `<skill_dir>` is the absolute path to the directory containing this SKILL.md file.
469
+ **Scripts** (always execute via `node` with the absolute `<skill_dir>/` prefix, never Read):
477
470
 
478
- ### Scripts (Always execute, never read)
479
471
  | File | When to use |
480
472
  |------|-------------|
481
473
  | `<skill_dir>/scripts/parse-results.js` | Step 5 — extract summary from scan JSON |
@@ -483,16 +475,21 @@ Every scan produces: timestamped JSON file, concise summary (severity/top violat
483
475
  | `<skill_dir>/scripts/discover-fixes.js` | Step 6.2 — identify fixable violations |
484
476
  | `<skill_dir>/scripts/apply-fixes.js` | Step 6.4 — apply engine fixes after user confirms |
485
477
  | `<skill_dir>/scripts/summarize-fixes.js` | Step 6.5 — summarize applied changes |
478
+ | `<skill_dir>/scripts/query-results.js` | Step 7 — filter/drill into existing results without re-scanning |
479
+ | `<skill_dir>/scripts/describe-rule.js` | Step 8 — look up rule description and documentation |
480
+ | `<skill_dir>/scripts/list-rules.js` | Step 9 — list/browse available rules by selector with validation |
481
+
482
+ **References** (read on demand):
486
483
 
487
- ### References (Read when needed)
488
484
  | File | When to read |
489
- |------|-------------|
490
- | `<skill_dir>/references/quick-start.md` | Command syntax templates |
491
- | `<skill_dir>/references/flag-reference.md` | Flag docs, rule selector syntax |
492
- | `<skill_dir>/references/error-handling.md` | Scan failure diagnosis |
493
- | `<skill_dir>/references/engine-reference.md` | Engine capabilities, file types, rule tags |
494
- | `<skill_dir>/references/command-examples.md` | Uncommon command scenarios |
495
- | `<skill_dir>/references/special-behaviors.md` | SFGE/ApexGuru/AppExchange/diff/large scans |
496
- | `<skill_dir>/references/vendor-file-handling.md` | Vendor file detection and filtering logic |
497
-
498
- Examples in `<skill_dir>/examples/` show output structure validation and command patterns (basic/large/security scans, fix workflows).
485
+ |------|--------------|
486
+ | `references/quick-start.md` | Command-syntax templates |
487
+ | `references/flag-reference.md` | Full flag docs, rule-selector syntax |
488
+ | `references/error-handling.md` | Scan-failure diagnosis |
489
+ | `references/engine-reference.md` | Engine capabilities, file types, rule tags |
490
+ | `references/command-examples.md` | Less-common command scenarios |
491
+ | `references/special-behaviors.md` | SFGE/ApexGuru/AppExchange/diff/large scans |
492
+ | `references/vendor-file-handling.md` | Vendor-file detection and filtering |
493
+ | `references/post-scan-workflows.md` | Steps 7–9 — querying, rule description, rule listing |
494
+
495
+ `examples/` contains output-structure validation and command patterns (basic/large/security scans, fix workflows).