@salesforce/afv-skills 1.28.0 → 1.29.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/skills/dx-code-analyzer-configure/SKILL.md +31 -13
- package/skills/dx-code-analyzer-custom-rule-create/SKILL.md +484 -0
- package/skills/dx-code-analyzer-custom-rule-create/assets/pmd-ruleset-template.xml +31 -0
- package/skills/dx-code-analyzer-custom-rule-create/examples/metadata-xml-example-fields-api.md +87 -0
- package/skills/dx-code-analyzer-custom-rule-create/examples/metadata-xml-example-flows.md +105 -0
- package/skills/dx-code-analyzer-custom-rule-create/examples/metadata-xml-example-permissions.md +95 -0
- package/skills/dx-code-analyzer-custom-rule-create/examples/metadata-xml-examples.md +84 -0
- package/skills/dx-code-analyzer-custom-rule-create/examples/regex-examples.md +127 -0
- package/skills/dx-code-analyzer-custom-rule-create/examples/xpath-examples.md +227 -0
- package/skills/dx-code-analyzer-custom-rule-create/references/advanced-pmd-patterns.md +288 -0
- package/skills/dx-code-analyzer-custom-rule-create/references/apex-ast-reference.md +127 -0
- package/skills/dx-code-analyzer-custom-rule-create/references/eslint-custom-plugins.md +247 -0
- package/skills/dx-code-analyzer-custom-rule-create/references/eslint-rules-discovery.md +188 -0
- package/skills/dx-code-analyzer-custom-rule-create/references/eslint-tier2-configurable.md +114 -0
- package/skills/dx-code-analyzer-custom-rule-create/references/eslint-tier3-custom-plugins.md +113 -0
- package/skills/dx-code-analyzer-custom-rule-create/references/metadata-xml-rules.md +285 -0
- package/skills/dx-code-analyzer-custom-rule-create/references/regex-rule-schema.md +174 -0
- package/skills/dx-code-analyzer-custom-rule-create/references/troubleshooting.md +141 -0
- package/skills/dx-code-analyzer-custom-rule-create/references/xpath-patterns-governor-limits.md +83 -0
- package/skills/dx-code-analyzer-custom-rule-create/references/xpath-patterns-method-calls.md +108 -0
- package/skills/dx-code-analyzer-custom-rule-create/references/xpath-patterns-security.md +45 -0
- package/skills/dx-code-analyzer-custom-rule-create/references/xpath-patterns-structure.md +127 -0
- package/skills/dx-code-analyzer-custom-rule-create/references/xpath-patterns.md +131 -0
- package/skills/dx-code-analyzer-custom-rule-create/scripts/create-pmd-rule.js +209 -0
- package/skills/dx-code-analyzer-custom-rule-create/scripts/create-regex-rule.js +220 -0
- package/skills/dx-code-analyzer-run/SKILL.md +41 -8
- package/skills/mobile-platform-native-capabilities-integrate/SKILL.md +3 -3
- package/skills/platform-custom-field-generate/SKILL.md +86 -126
- package/skills/platform-custom-field-generate/references/advanced-picklists.md +590 -0
- package/skills/platform-value-set-generate/SKILL.md +305 -0
package/package.json
CHANGED
|
@@ -1,15 +1,32 @@
|
|
|
1
1
|
---
|
|
2
2
|
name: dx-code-analyzer-configure
|
|
3
|
-
description: "Set up, configure, and troubleshoot Salesforce Code Analyzer for any project. Handles installation, prerequisite checks, diagnosing broken setups, creating and editing code-analyzer.yml overrides, engine-specific settings, ignore patterns, severity overrides, and CI/CD pipeline setup. TRIGGER when: user says 'set up code analyzer', 'configure code analyzer', 'install code analyzer', 'code analyzer not working', 'fix my setup', 'scan
|
|
3
|
+
description: "Set up, configure, and troubleshoot Salesforce Code Analyzer for any project. Handles installation, prerequisite checks, diagnosing broken setups, creating and editing code-analyzer.yml overrides, engine-specific settings, ignore patterns, severity overrides, and CI/CD pipeline setup. TRIGGER when: user says 'set up code analyzer', 'configure code analyzer', 'install code analyzer', 'code analyzer not working', 'fix my setup', 'scan failing', 'check my setup', 'enable/disable engine', 'exclude files', 'change severity', 'set up GitHub Actions', 'set up CI/CD', 'add to pipeline', 'pipeline fail', 'update my workflow', 'quality gate', 'fail on violations', 'scan changed files only', 'add SARIF', 'code-analyzer.yml', 'ESLint config', 'increase SFGE memory', or reports errors running Code Analyzer. DO NOT TRIGGER when: user wants to run a scan (use dx-code-analyzer-run), fix violations, explain rules, create custom rules (use dx-code-analyzer-custom-rule-create), or suppress violations."
|
|
4
4
|
metadata:
|
|
5
5
|
version: "1.0"
|
|
6
|
-
|
|
6
|
+
relatedSkills:
|
|
7
|
+
- "dx-code-analyzer-run"
|
|
8
|
+
- "dx-code-analyzer-custom-rule-create"
|
|
9
|
+
cliTools:
|
|
10
|
+
- tool: ["sf"]
|
|
11
|
+
semver: ">=2.0.0"
|
|
12
|
+
- tool: ["java"]
|
|
13
|
+
semver: ">=11.0.0"
|
|
14
|
+
- tool: ["node"]
|
|
15
|
+
semver: ">=18.0.0"
|
|
16
|
+
- tool: ["python3"]
|
|
17
|
+
semver: ">=3.10.0"
|
|
18
|
+
- tool: ["git"]
|
|
19
|
+
semver: ">=2.0.0"
|
|
20
|
+
- tool: ["npm"]
|
|
21
|
+
semver: ">=9.0.0"
|
|
7
22
|
---
|
|
8
23
|
|
|
9
24
|
# Configuring Code Analyzer Skill
|
|
10
25
|
|
|
11
26
|
## Overview
|
|
12
27
|
|
|
28
|
+
> **Ecosystem:** This skill is part of a 3-skill Code Analyzer suite — `dx-code-analyzer-run` (scans & results) · `dx-code-analyzer-configure` (setup, config, CI/CD) · `dx-code-analyzer-custom-rule-create` (custom rule authoring).
|
|
29
|
+
|
|
13
30
|
This skill manages the `code-analyzer.yml` configuration file — the single source of truth for how Code Analyzer behaves in a project. All customization (engines, rules, ignores, suppressions) is done by creating or editing this file. If the file doesn't exist, this skill creates it in the current working directory.
|
|
14
31
|
|
|
15
32
|
---
|
|
@@ -26,8 +43,9 @@ This skill manages the `code-analyzer.yml` configuration file — the single sou
|
|
|
26
43
|
- Environment validation and troubleshooting
|
|
27
44
|
|
|
28
45
|
**Out of scope:**
|
|
29
|
-
- Running scans
|
|
30
|
-
- Fixing violations, explaining rules,
|
|
46
|
+
- Running scans → use `dx-code-analyzer-run` skill
|
|
47
|
+
- Fixing violations, explaining rules, suppression management → use `dx-code-analyzer-run` skill
|
|
48
|
+
- Creating custom rules → use `dx-code-analyzer-custom-rule-create` skill
|
|
31
49
|
|
|
32
50
|
---
|
|
33
51
|
|
|
@@ -381,14 +399,10 @@ engines:
|
|
|
381
399
|
target_org: "my-org-alias"
|
|
382
400
|
flow:
|
|
383
401
|
python_command: "python3"
|
|
384
|
-
regex
|
|
385
|
-
|
|
386
|
-
|
|
387
|
-
|
|
388
|
-
file_extensions: [".cls", ".trigger"]
|
|
389
|
-
description: "Detects hardcoded Salesforce record IDs"
|
|
390
|
-
severity: 2
|
|
391
|
-
tags: ["Security"]
|
|
402
|
+
# regex.custom_rules — use the dx-code-analyzer-custom-rule-create skill to create these.
|
|
403
|
+
# Never hand-write regex patterns into code-analyzer.yml: quotes/backslashes
|
|
404
|
+
# inside YAML cause parsing failures. The create-regex-rule.js script handles
|
|
405
|
+
# serialization correctly and must always be used for regex rule creation.
|
|
392
406
|
```
|
|
393
407
|
|
|
394
408
|
For full property list per engine, read `<skill_dir>/references/config-schema.md`.
|
|
@@ -427,9 +441,13 @@ If a user says "scan my code" / "run code analyzer" but it fails (CLI missing, p
|
|
|
427
441
|
|
|
428
442
|
After any successful configuration action, offer to run a scan (e.g., "Setup complete! Want me to run a scan?", "Config updated — want to scan and verify?"). If user says yes, proceed with `dx-code-analyzer-run` behavior.
|
|
429
443
|
|
|
444
|
+
### When THIS skill hands off to `dx-code-analyzer-custom-rule-create`:
|
|
445
|
+
|
|
446
|
+
If the user asks to create a custom rule while you are working on configuration (e.g., "also add a rule that bans System.debug", "set up a PMD XPath rule"), delegate to `dx-code-analyzer-custom-rule-create`. When that skill finishes, the `custom_rulesets` or `eslint_config_file` pointer in `code-analyzer.yml` may need to be set — that edit belongs here, in this skill.
|
|
447
|
+
|
|
430
448
|
### When user intent spans BOTH skills:
|
|
431
449
|
|
|
432
|
-
Handle end-to-end: "not working" → Diagnose → Fix → Scan. "Set up and scan" → Install → Scan. "Disable ESLint and scan Apex" → Edit config → Run with `--rule-selector pmd`. Always follow through to the user's final intent.
|
|
450
|
+
Handle end-to-end: "not working" → Diagnose → Fix → Scan. "Set up and scan" → Install → Scan. "Disable ESLint and scan Apex" → Edit config → Run with `--rule-selector pmd`. "Configure custom rules and scan" → dx-code-analyzer-custom-rule-create → wire config → dx-code-analyzer-run. Always follow through to the user's final intent.
|
|
433
451
|
|
|
434
452
|
---
|
|
435
453
|
|
|
@@ -0,0 +1,484 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: dx-code-analyzer-custom-rule-create
|
|
3
|
+
description: "Create custom Code Analyzer rules for Regex (pattern matching), PMD (XPath/AST for Apex and metadata XML), and ESLint (LWC/JavaScript/TypeScript). Use when users want to enforce coding standards, ban patterns, detect hardcoded values, govern metadata, or add rules not in the built-in set. TRIGGER when: user says 'create a rule', 'ban System.debug', 'enforce naming convention', 'detect hardcoded IDs', 'custom rule', 'xpath rule', 'regex rule', 'add a PMD rule', 'enforce a policy', 'create a check for', 'flag this pattern', 'make a rule that catches', 'metadata rule', 'check permissions', 'enforce API version', 'eslint rule', 'lwc rule', 'override rule threshold', 'customize complexity', or describes a pattern to enforce. DO NOT TRIGGER when: user wants to run a scan (use dx-code-analyzer-run), configure engines (use dx-code-analyzer-configure), or explain existing rules (use dx-code-analyzer-run)."
|
|
4
|
+
metadata:
|
|
5
|
+
version: "1.0"
|
|
6
|
+
relatedSkills:
|
|
7
|
+
- "dx-code-analyzer-run"
|
|
8
|
+
- "dx-code-analyzer-configure"
|
|
9
|
+
cliTools:
|
|
10
|
+
- tool: ["sf"]
|
|
11
|
+
semver: ">=2.0.0"
|
|
12
|
+
- tool: ["node"]
|
|
13
|
+
semver: ">=18.0.0"
|
|
14
|
+
- tool: ["npm"]
|
|
15
|
+
semver: ">=9.0.0"
|
|
16
|
+
---
|
|
17
|
+
|
|
18
|
+
# dx-code-analyzer-custom-rule-create: Custom Code Analyzer Rule Authoring
|
|
19
|
+
|
|
20
|
+
> **Ecosystem:** This skill is part of a 3-skill Code Analyzer suite — `dx-code-analyzer-run` (scans & results) · `dx-code-analyzer-configure` (setup, config, CI/CD) · `dx-code-analyzer-custom-rule-create` (custom rule authoring).
|
|
21
|
+
|
|
22
|
+
Use this skill when the user needs to **create a custom rule** that enforces a pattern not covered by Code Analyzer's built-in rules. Supports Regex engine (text pattern matching) and PMD engine (structural XPath queries against the AST).
|
|
23
|
+
|
|
24
|
+
## When This Skill Owns the Task
|
|
25
|
+
|
|
26
|
+
Use `dx-code-analyzer-custom-rule-create` when the work involves:
|
|
27
|
+
- Creating a new custom rule for Code Analyzer (any engine)
|
|
28
|
+
- Enforcing team-specific coding standards via static analysis
|
|
29
|
+
- Banning specific patterns (System.debug, hardcoded IDs, TODOs)
|
|
30
|
+
- Writing XPath expressions for PMD rules (Apex or metadata XML)
|
|
31
|
+
- Writing regex patterns for the Regex engine
|
|
32
|
+
- Setting up custom ESLint rules/plugins for LWC/JavaScript
|
|
33
|
+
- Enforcing metadata governance (API versions, field descriptions, dangerous permissions)
|
|
34
|
+
- Overriding built-in rule thresholds (CyclomaticComplexity, ExcessiveParameterList, etc.)
|
|
35
|
+
- Organizing multiple rules into shared rulesets
|
|
36
|
+
- Iterating on a custom rule that isn't matching correctly
|
|
37
|
+
|
|
38
|
+
Delegate elsewhere when the user is:
|
|
39
|
+
- Running a scan against existing rules → `dx-code-analyzer-run` skill
|
|
40
|
+
- Configuring engines, prerequisites, CI/CD → `dx-code-analyzer-configure` skill
|
|
41
|
+
- Explaining what an existing built-in rule means → `dx-code-analyzer-run` skill
|
|
42
|
+
- Writing Apex code or tests → `generating-apex` / `running-apex-tests` skills
|
|
43
|
+
|
|
44
|
+
---
|
|
45
|
+
|
|
46
|
+
## Required Context to Gather First
|
|
47
|
+
|
|
48
|
+
Ask for or infer:
|
|
49
|
+
- **What pattern to catch** — what code should be flagged? (If user selected code in their IDE, the selection IS the answer — do not re-ask.)
|
|
50
|
+
- **What to allow** — any exceptions? (test classes, specific contexts)
|
|
51
|
+
- **File scope** — which file types? (.cls, .trigger, .js, all?)
|
|
52
|
+
- **Severity** — how critical? (default: 3/Moderate)
|
|
53
|
+
|
|
54
|
+
If the user **selected code** (IDE selection context present), treat it as the pattern definition. Skip clarification unless genuinely ambiguous about what aspect of the selection to target.
|
|
55
|
+
|
|
56
|
+
If the request is vague with NO selection ("add a rule for best practices"), ask ONE clarifying question:
|
|
57
|
+
> "What specific pattern should this rule flag?"
|
|
58
|
+
|
|
59
|
+
---
|
|
60
|
+
|
|
61
|
+
## Hard Constraints
|
|
62
|
+
|
|
63
|
+
These are non-negotiable rules. Violating any of them is a skill failure regardless of whether the output happens to work.
|
|
64
|
+
|
|
65
|
+
1. **ALWAYS run `ast-dump` before writing XPath.** No exceptions. Do not use node names from memory, references, or prior conversations. The AST is the source of truth — run `sf code-analyzer ast-dump`, read the output, then write XPath that matches what you see. Even for "well-known" patterns like SOQL-in-loop, run ast-dump first. If you skip this step and the rule works, it is still a process failure.
|
|
66
|
+
|
|
67
|
+
2. **ALWAYS use the scripts to create rules.** For regex rules, ALWAYS use `create-regex-rule.js`. For PMD rules, ALWAYS use `create-pmd-rule.js`. Do NOT manually edit `code-analyzer.yml` to add rule definitions — regex patterns in YAML cause escaping failures (quotes inside quotes, backslashes getting eaten). The scripts handle YAML serialization correctly every time.
|
|
68
|
+
|
|
69
|
+
3. **NEVER manually edit `code-analyzer.yml` after a script writes to it — even to fix a bad value.** The scripts produce correctly-escaped YAML. If you then rewrite or restructure the file, you WILL break the escaping. If the user added top-level config (like `ignores.files`), leave it alone too — only touch what you wrote.
|
|
70
|
+
|
|
71
|
+
**If a script's output looks wrong (rule fails to validate, YAML parse error, stray characters in the regex):**
|
|
72
|
+
- DO NOT patch the YAML by hand. That is exactly the failure mode this constraint exists to prevent.
|
|
73
|
+
- **Always** delete the broken rule's entire YAML block, then re-invoke the script with corrected arguments. Removing a block you just wrote does not violate this rule; rewriting fields inside it does.
|
|
74
|
+
- If the script accepted bad input and produced bad output, the **input** was wrong (e.g., `--regex "/.../ g"` with a stray space — the flags must be `/g` exactly, no whitespace). Re-invoke with the corrected argument.
|
|
75
|
+
- If you genuinely believe the script has a bug, STOP and surface it to the user. Do not hand-edit as a workaround.
|
|
76
|
+
|
|
77
|
+
4. **`--regex` must be `/pattern/flags` with NO whitespace.** The script trims and validates flags strictly — only `g`, `i`, `m`, `s`, `u`, `y`. `/pat/ g` (with a space) is rejected; so is `/pat/x` (invalid flag) and `/pat/` (no flags). The global flag `g` is mandatory. If validation fails, fix the argument — do NOT bypass by writing YAML directly.
|
|
78
|
+
|
|
79
|
+
5. **ALWAYS validate after creation.** Run `sf code-analyzer rules --rule-selector <engine>:<name>` before testing. If `Found 0 rules`, the YAML didn't parse — delete the block, fix the argument, re-invoke the script.
|
|
80
|
+
|
|
81
|
+
6. **ALWAYS test against a sample file.** Confirm at least one true positive and one true negative.
|
|
82
|
+
|
|
83
|
+
For regex rules, the negative sample MUST NOT contain the pattern text anywhere — including inside comments and string literals. Regex engines scan raw text; `// no System.debug here` IS a match for `/System\.debug/g`. Trace your pattern against the negative file mentally before running it.
|
|
84
|
+
|
|
85
|
+
7. **Create rules ONE AT A TIME, sequentially.** When the user requests multiple rules, create each rule individually through the full workflow (create → validate → test positive → test negative) before starting the next one. Do NOT batch-create rules — if one fails, it corrupts the config for all subsequent rules. Complete each rule end-to-end, confirm it works, then move to the next.
|
|
86
|
+
|
|
87
|
+
8. **For regex rules, exclude test classes via `ignores.files` — `regex_ignore` does NOT do this.** `regex_ignore` is a per-LINE filter (the line must match BOTH the rule and the ignore pattern); it cannot exclude an entire test class. If the user's intent is "skip test classes," add a top-level `ignores.files` block with globs like `"**/*Test.cls"` AFTER all rules are created — do not interleave config edits with script invocations.
|
|
88
|
+
|
|
89
|
+
---
|
|
90
|
+
|
|
91
|
+
## Engine Selection
|
|
92
|
+
|
|
93
|
+
| Pattern Type | Engine | Why |
|
|
94
|
+
|---|---|---|
|
|
95
|
+
| Text/string pattern (TODO, hardcoded ID, keyword) | **Regex** | Simple, fast, no Java needed |
|
|
96
|
+
| Apex code structure (method calls, nesting, SOQL in loops) | **PMD/XPath** (language=apex) | Understands AST, not fooled by comments/strings |
|
|
97
|
+
| Metadata XML governance (API version, permissions, descriptions) | **PMD/XPath** (language=xml) | Structural XML matching with namespace handling |
|
|
98
|
+
| LWC/JavaScript/TypeScript patterns | **ESLint*** | Standard JS tooling, plugin ecosystem |
|
|
99
|
+
| Both could work (Apex/metadata only) | **Regex first** | Simpler to create and maintain |
|
|
100
|
+
|
|
101
|
+
\* **For ESLint:** ALWAYS check Tier 1 (built-in rules) and Tier 2 (configurable rules) BEFORE creating a custom plugin. See `references/eslint-rules-discovery.md`.
|
|
102
|
+
|
|
103
|
+
⚠️ **"Both could work → Regex first" NEVER applies to JavaScript/LWC/TypeScript files.** JS/LWC/TS patterns MUST use ESLint — Regex cannot distinguish code from comments/strings in JS and produces false positives. Do NOT rationalize Regex for JS files based on "simplicity" or "no npm dependencies."
|
|
104
|
+
|
|
105
|
+
Tell the user which engine you chose and why. Respect their preference if they disagree.
|
|
106
|
+
|
|
107
|
+
### Excluding Test Classes — Strategy by Engine
|
|
108
|
+
|
|
109
|
+
When a rule should NOT apply to test classes, the approach differs by engine:
|
|
110
|
+
|
|
111
|
+
| Engine | How to exclude test classes | Notes |
|
|
112
|
+
|--------|---------------------------|-------|
|
|
113
|
+
| **PMD (Apex)** | Add `[not(ancestor::UserClass[ModifierNode[@Test = true()]])]` to the XPath | Structural exclusion — works perfectly, no config changes needed |
|
|
114
|
+
| **Regex** | Use `ignores.files` in `code-analyzer.yml` with globs like `**/*Test.cls` | `regex_ignore` is per-LINE, not per-FILE — it CANNOT exclude entire test classes. Only use `regex_ignore` for per-line patterns like `// NOPMD` |
|
|
115
|
+
| **ESLint** | Use `ignores` array in `eslint.config.js` | Standard ESLint file-level ignores |
|
|
116
|
+
|
|
117
|
+
⚠️ **`regex_ignore` is NOT file-level exclusion.** It only skips matches on lines that ALSO match the ignore pattern. Example: `regex_ignore: "/@isTest/i"` only suppresses violations on lines containing `@isTest` — a SOQL query on line 50 of a test class still flags because line 50 doesn't contain `@isTest`. To exclude test files from regex rules entirely, use:
|
|
118
|
+
```yaml
|
|
119
|
+
ignores:
|
|
120
|
+
files:
|
|
121
|
+
- "**/*Test.cls"
|
|
122
|
+
- "**/*_Test.cls"
|
|
123
|
+
```
|
|
124
|
+
|
|
125
|
+
⚠️ **`ignores.files` is GLOBAL** — it affects ALL engines and ALL rules. If you need test-class exclusion for some rules but not others (e.g., exclude tests from SOQL rules but still scan tests for @AuraEnabled), use **PMD with XPath** for the rules that need selective exclusion. PMD's XPath can structurally check `@Test = true()` per-method or per-class — Regex cannot.
|
|
126
|
+
|
|
127
|
+
**Decision guide for Apex rules that should skip test classes:**
|
|
128
|
+
- If the pattern is structural (method calls, annotations, nesting) → use PMD. XPath handles test-class exclusion natively.
|
|
129
|
+
- If the pattern is purely textual AND all regex rules should skip tests → use Regex + `ignores.files`.
|
|
130
|
+
- If you have a mix (some rules skip tests, others don't) → use PMD for the test-sensitive rules, Regex for the others.
|
|
131
|
+
|
|
132
|
+
---
|
|
133
|
+
|
|
134
|
+
## Workflow
|
|
135
|
+
|
|
136
|
+
### When User Selects Code (IDE Selection)
|
|
137
|
+
|
|
138
|
+
When the user highlights a code block in their editor and asks to "catch this", "flag this pattern", "create a rule for this", or similar:
|
|
139
|
+
|
|
140
|
+
1. **The selection IS your positive sample.** Do NOT ask "what pattern should this rule flag?" — the user already showed you. Do NOT write a new sample from scratch.
|
|
141
|
+
2. **Identify what's structural vs. incidental** in the selection:
|
|
142
|
+
- Structural (rule-worthy): the method call, the loop pattern, the missing keyword, the nesting
|
|
143
|
+
- Incidental (ignore): specific variable names, string values, parameter counts
|
|
144
|
+
- Ask ONE question if ambiguous: "Should the rule catch all `System.debug` calls, or only those without a LoggingLevel parameter?"
|
|
145
|
+
3. **Ast-dump the ACTUAL file** the user has open (not a new sample file):
|
|
146
|
+
```bash
|
|
147
|
+
sf code-analyzer ast-dump --file <the-open-file.cls> --output-file <ast.xml>
|
|
148
|
+
```
|
|
149
|
+
4. **Find the selection in the AST output** — locate the nodes corresponding to the highlighted lines. These are your target nodes.
|
|
150
|
+
5. **Generalize the XPath** — write XPath that matches the structural pattern, NOT the specific instance. Replace specific variable names with wildcards, keep structural nodes and discriminating attributes.
|
|
151
|
+
6. **Continue with standard workflow** (negative sample, create rule, validate, test positive + negative).
|
|
152
|
+
|
|
153
|
+
**Example flow:**
|
|
154
|
+
- User selects: `Database.query('SELECT Id FROM ' + objectName)`
|
|
155
|
+
- Structural pattern: `Database.query` call (dynamic SOQL)
|
|
156
|
+
- Incidental: the specific string concatenation inside
|
|
157
|
+
- Engine: PMD (structural call detection)
|
|
158
|
+
- XPath: `//MethodCallExpression[@FullMethodName='Database.query']`
|
|
159
|
+
- NOT: regex matching `Database.query` (would miss multiline, match comments)
|
|
160
|
+
|
|
161
|
+
**Example flow (block selection):**
|
|
162
|
+
- User selects a 5-line block with SOQL inside a for-each loop
|
|
163
|
+
- Structural: SOQL query as descendant of loop body
|
|
164
|
+
- Incidental: specific query fields, variable names
|
|
165
|
+
- Engine: PMD
|
|
166
|
+
- Ast-dump the open file → find ForEachStatement + SoqlExpression in body
|
|
167
|
+
- XPath: `//ForEachStatement/BlockStatement//SoqlExpression`
|
|
168
|
+
|
|
169
|
+
---
|
|
170
|
+
|
|
171
|
+
### For Regex Rules
|
|
172
|
+
|
|
173
|
+
1. **Write a positive sample** (5-10 lines) demonstrating the violation. Write sample files inside the project workspace (e.g., a temporary `samples/` directory at the project root) so Code Analyzer can target them.
|
|
174
|
+
2. **Write a SEPARATE negative sample file** — code that looks similar but must NOT be flagged. Test your regex mentally against this file BEFORE creating the rule.
|
|
175
|
+
3. **Build and create the rule** — read `references/regex-rule-schema.md` for the complete schema, then run the script:
|
|
176
|
+
```bash
|
|
177
|
+
node "<skill_dir>/scripts/create-regex-rule.js" \
|
|
178
|
+
--name "<RuleName>" --regex "<pattern>" --description "<desc>" \
|
|
179
|
+
--severity <1-5> --file-extensions ".cls,.trigger"
|
|
180
|
+
```
|
|
181
|
+
⚠️ **ALWAYS use the script.** Do NOT manually write regex patterns into `code-analyzer.yml` — regex characters (quotes, backslashes, braces) inside YAML cause parsing failures. The script handles serialization correctly.
|
|
182
|
+
4. **Validate** — `sf code-analyzer rules --rule-selector regex:<RuleName>`
|
|
183
|
+
5. **Test positive** — `sf code-analyzer run --rule-selector regex:<RuleName> --target <violation-sample>` — must find violations
|
|
184
|
+
6. **Test negative** — `sf code-analyzer run --rule-selector regex:<RuleName> --target <clean-sample>` — must find 0 violations. If it flags clean code, your regex is too broad — go back and tighten the pattern.
|
|
185
|
+
7. **Iterate** if test fails (adjust regex, add `regex_ignore`, narrow extensions)
|
|
186
|
+
8. **Cleanup** — delete ALL sample files you created. Do not leave temporary test fixtures in the user's project.
|
|
187
|
+
|
|
188
|
+
### For PMD/XPath Rules (Apex)
|
|
189
|
+
|
|
190
|
+
1. **Write a minimal sample** (5-10 lines) demonstrating the violation. Write sample files inside the project workspace (e.g., a temporary `samples/` directory at the project root) so Code Analyzer can target them. **After both positive and negative tests pass, delete ALL sample files you created** — both the original samples and any copies made during testing. Do not leave temporary test fixtures in the user's project. For loop-based rules, the positive sample MUST include all 3 Apex loop types (`for-each`, traditional `for`, and `while`) — omitting any loop type means the XPath won't be validated against it and may silently miss violations.
|
|
191
|
+
2. **⚠️ MANDATORY: Dump the AST** — `sf code-analyzer ast-dump --file <sample.cls> --output-file <ast.xml>` — this step is NOT optional. Do NOT skip it even if you "already know" the node names. Run it, read the output, confirm the exact node names and attributes.
|
|
192
|
+
3. **Read the AST output** — identify the target node and its attributes from the ACTUAL ast-dump output (not from memory). Use `references/apex-ast-reference.md` and `references/xpath-patterns.md` as supplementary context only.
|
|
193
|
+
4. **Write XPath** — target the smallest stable node with discriminating attributes. Every node name in your XPath MUST appear verbatim in the ast-dump output you just read. Use `/Child` (direct child) vs `//Descendant` deliberately — check the ast-dump to understand which nodes are siblings vs nested.
|
|
194
|
+
5. **⚠️ BEFORE creating the rule: Write a SEPARATE negative sample file** (5-10 lines) showing code that is CORRECT and must NOT be flagged. This MUST be a distinct file from the positive sample — do NOT combine positive and negative cases into one file. For loop-based rules, include `for (x : [SELECT...])` idiom. Run `sf code-analyzer ast-dump` on this negative sample file too. Read the output and trace your XPath against it — confirm it does NOT match any node in the negative AST. If it would match, go back to step 4 and tighten the XPath BEFORE proceeding. Do NOT skip this step or defer it until after rule creation. The negative file will be used again in step 9 for an explicit zero-violation confirmation.
|
|
195
|
+
6. **Create the rule** — run the script:
|
|
196
|
+
```bash
|
|
197
|
+
node "<skill_dir>/scripts/create-pmd-rule.js" \
|
|
198
|
+
--name "<RuleName>" --xpath "<expression>" --message "<msg>" \
|
|
199
|
+
--language apex --priority <1-5>
|
|
200
|
+
```
|
|
201
|
+
7. **Validate** — `sf code-analyzer rules --rule-selector pmd:<RuleName>`
|
|
202
|
+
8. **Test positive** — `sf code-analyzer run --rule-selector pmd:<RuleName> --target <violation-sample.cls>` — must find violations
|
|
203
|
+
9. **Test negative** — `sf code-analyzer run --rule-selector pmd:<RuleName> --target <clean-sample.cls>` — must find 0 violations. If it flags clean code, your XPath is too broad — go back to step 4.
|
|
204
|
+
10. **Iterate** if test fails (re-examine AST, adjust XPath, check node names)
|
|
205
|
+
11. **Cleanup** — delete ALL sample files you created (both positive and negative samples, and any ast-dump output files). Do not leave temporary test fixtures in the user's project.
|
|
206
|
+
|
|
207
|
+
### For PMD/XPath Rules (Metadata XML)
|
|
208
|
+
|
|
209
|
+
1. **Identify the metadata file type** (field, permissionset, profile, flow, etc.)
|
|
210
|
+
2. **Dump the XML AST** — `sf code-analyzer ast-dump --file <file>-meta.xml --language xml --output-file <ast.xml>`. If ast-dump fails with an error (e.g., `"XmlEncoding is not a valid XML name"`), fall back to reading the raw XML file directly — the XML DOM structure IS the AST for metadata files (what you see in the file is what PMD sees). Read the file, note element names, nesting, and text content.
|
|
211
|
+
3. **Read the DOM structure** — confirm element names, nesting, and text content from the ast-dump output OR the raw file. Use `references/metadata-xml-rules.md` as supplementary context only.
|
|
212
|
+
4. **Write XPath for PMD 7** — CRITICAL rules for metadata XML XPath:
|
|
213
|
+
- All element matching MUST use `local-name()='ElementName'` (namespace blocks bare names)
|
|
214
|
+
- **Text content matching MUST use `@Text` attribute** (NOT `text()` — the `text()` function does not work in PMD 7's XML language). Example: `//*[@Text='ModifyAllData']`
|
|
215
|
+
- Navigate from text nodes UP to parent elements using `../..` (text node → element → parent element)
|
|
216
|
+
- Check sibling conditions via `.//*[@Text='value']` on the parent
|
|
217
|
+
- See `references/metadata-xml-rules.md` for the complete PMD 7 XPath pattern
|
|
218
|
+
5. **Configure file extensions** — PMD's XML language only processes `.xml` by default. Salesforce metadata files use compound extensions (`.permissionset-meta.xml`, `.field-meta.xml`, etc.) but `path.extname()` returns `.xml` from these, so `.xml` is sufficient:
|
|
219
|
+
```yaml
|
|
220
|
+
engines:
|
|
221
|
+
pmd:
|
|
222
|
+
file_extensions:
|
|
223
|
+
xml: [".xml"]
|
|
224
|
+
```
|
|
225
|
+
⚠️ Do NOT add compound extensions like `.permissionset-meta.xml` — Code Analyzer's validator rejects them (`/^[.][a-zA-Z0-9]+$/` pattern). Just `.xml` covers all Salesforce metadata files automatically.
|
|
226
|
+
6. **Write a SEPARATE negative sample file** — same as Apex rules: create a metadata file that is correct and must NOT be flagged. Verify the XPath does not match it BEFORE creating the rule. Both positive and negative samples should be `.xml` extension files in the workspace so PMD can scan them directly.
|
|
227
|
+
7. **Create the rule** — run the script:
|
|
228
|
+
```bash
|
|
229
|
+
node "<skill_dir>/scripts/create-pmd-rule.js" \
|
|
230
|
+
--name "<RuleName>" --xpath "<expression>" --message "<msg>" \
|
|
231
|
+
--language xml --priority <1-5>
|
|
232
|
+
```
|
|
233
|
+
8. **Validate** — `sf code-analyzer rules --rule-selector pmd:<RuleName>`
|
|
234
|
+
9. **Test positive** — `sf code-analyzer run --rule-selector pmd:<RuleName> --target <violation-sample>.xml` — must find violations
|
|
235
|
+
10. **Test negative** — `sf code-analyzer run --rule-selector pmd:<RuleName> --target <clean-sample>.xml` — must find 0 violations
|
|
236
|
+
11. **Iterate** if test fails (check `@Text` vs `text()`, verify `local-name()` usage, check file extensions config)
|
|
237
|
+
12. **Cleanup** — delete ALL sample files you created (both positive and negative samples, and any `.xml` copies made for testing). Do not leave temporary test fixtures in the user's project.
|
|
238
|
+
|
|
239
|
+
### For ESLint Rules (LWC/JavaScript/TypeScript)
|
|
240
|
+
|
|
241
|
+
#### ESLint Discovery Workflow (Read First)
|
|
242
|
+
|
|
243
|
+
ESLint has 200+ built-in rules plus thousands more from plugins. DO NOT attempt to create a custom plugin before checking if a built-in rule exists. The discovery workflow is:
|
|
244
|
+
|
|
245
|
+
1. **Tier 1 (Built-In Rules)** — 70% of requests
|
|
246
|
+
- Run: `sf code-analyzer rules --rule-selector eslint`
|
|
247
|
+
- Search for keywords (e.g., "console", "unused", "equal")
|
|
248
|
+
- Check LWC plugin rules (`@lwc/lwc/*`)
|
|
249
|
+
- If found: Configure and STOP
|
|
250
|
+
|
|
251
|
+
2. **Tier 2 (Configurable Rules)** — 20% of requests
|
|
252
|
+
- Pattern is "ban function X"? → `no-restricted-globals`
|
|
253
|
+
- Pattern is "ban syntax Y"? → `no-restricted-syntax`
|
|
254
|
+
- Pattern is "ban property Z"? → `no-restricted-properties`
|
|
255
|
+
- If applicable: Configure and STOP
|
|
256
|
+
|
|
257
|
+
3. **Tier 3 (Custom Plugins)** — 10% of requests
|
|
258
|
+
- Only for domain-specific multi-node patterns
|
|
259
|
+
- Requires Node.js code, testing, meta.docs metadata
|
|
260
|
+
- See: `references/eslint-custom-plugins.md`
|
|
261
|
+
|
|
262
|
+
**See:** `references/eslint-rules-discovery.md` for complete discovery guide with examples.
|
|
263
|
+
|
|
264
|
+
---
|
|
265
|
+
|
|
266
|
+
0. **⚠️ MANDATORY: Run the ESLint discovery workflow FIRST.** 90% of ESLint requests are solved by built-in rules (Tier 1) or configurable rules like `no-restricted-syntax` (Tier 2). Creating a custom plugin (Tier 3) is a LAST RESORT. Before proceeding:
|
|
267
|
+
|
|
268
|
+
a) **Run:** `sf code-analyzer rules --rule-selector eslint`
|
|
269
|
+
b) **Search** the output for keywords from the user's request (e.g., "console", "equal", "unused")
|
|
270
|
+
c) **Check LWC plugin rules:** grep for `@lwc/lwc/` in the output
|
|
271
|
+
d) **If found:** Configure it (see `references/eslint-rules-discovery.md`) and STOP. Do NOT create a custom plugin.
|
|
272
|
+
e) **If not found:** Check if `no-restricted-globals`, `no-restricted-syntax`, or `no-restricted-properties` can express the pattern (Tier 2).
|
|
273
|
+
f) **Only if no Tier 1 or Tier 2 solution exists:** Proceed to custom plugin creation.
|
|
274
|
+
|
|
275
|
+
**Validation:** After configuration, run `sf code-analyzer rules --rule-selector eslint:<ruleName>` to confirm it appears. If it doesn't, the config is wrong.
|
|
276
|
+
|
|
277
|
+
⚠️ **Skipping this discovery workflow and creating a custom plugin when a built-in rule exists is a skill failure**, regardless of whether the custom plugin works.
|
|
278
|
+
|
|
279
|
+
⚠️ **Built-in ESLint rules vs. configurable ESLint rules:** Code Analyzer bundles a SUBSET of ESLint rules in its base config. Rules like `no-restricted-globals`, `no-restricted-syntax`, and `no-restricted-properties` are core ESLint rules but are NOT active until you enable them in an `eslint.config.js`. They WILL appear in `sf code-analyzer rules` output ONLY after you configure them. **Always validate** (step 4) to confirm the rule actually loaded — do NOT assume a rule exists just because it's a core ESLint rule.
|
|
280
|
+
|
|
281
|
+
1. **Install the ESLint plugin** (skip if using a built-in/core ESLint rule) — `npm install --save-dev eslint-plugin-<name>`
|
|
282
|
+
2. **Create/update `eslint.config.js`** — add plugin and rule configuration (or just enable the built-in rule with `"error"` severity). **The file MUST exist** before configuring `engines.eslint.eslint_config_file` in `code-analyzer.yml` — Code Analyzer validates the path and fails if the file is missing.
|
|
283
|
+
3. **Configure Code Analyzer** — set `engines.eslint.eslint_config_file` in `code-analyzer.yml`. Do this AFTER the file exists.
|
|
284
|
+
4. **Validate** — `sf code-analyzer rules --rule-selector eslint:<ruleName>`. If the rule does NOT appear, the config is wrong — do NOT proceed to testing. Check: (a) Is the `eslint.config.js` file in the correct location? (b) Does the plugin have `meta.docs.description` and `meta.docs.url`? (c) Is the rule deprecated? Code Analyzer silently excludes deprecated rules.
|
|
285
|
+
5. **Write a test sample file** in the workspace (e.g., `lwc/testSample/testSample.js`) demonstrating the violation
|
|
286
|
+
6. **Test positive** — `sf code-analyzer run --rule-selector eslint:<ruleName> --target <test-sample>` — must find violations
|
|
287
|
+
7. **Test negative** — run against existing clean LWC files — must find 0 violations
|
|
288
|
+
8. **Cleanup** — delete ALL sample files AND their parent directories (LWC requires a folder per component). Use `rm -rf <directory>`, not just `rm <file>`. Do not leave empty directories or temporary test fixtures in the user's project.
|
|
289
|
+
9. See `references/eslint-custom-plugins.md` for complete guide
|
|
290
|
+
|
|
291
|
+
### Common ESLint patterns without a custom plugin
|
|
292
|
+
|
|
293
|
+
For `no-restricted-globals`, `no-restricted-syntax`, and `no-restricted-properties` config examples, see `<skill_dir>/references/eslint-custom-plugins.md` — "Banning APIs Without a Custom Plugin" section.
|
|
294
|
+
|
|
295
|
+
### ESLint Discovery Examples
|
|
296
|
+
|
|
297
|
+
**Example 1: Built-in rule (Tier 1)**
|
|
298
|
+
- User: "Ban console.log in LWC"
|
|
299
|
+
- Discovery: `sf code-analyzer rules --rule-selector eslint | grep console` → finds `no-console`
|
|
300
|
+
- Action: Enable `no-console` in eslint.config.js
|
|
301
|
+
- Result: ✅ Done in 2 minutes (no custom plugin needed)
|
|
302
|
+
|
|
303
|
+
**Example 2: Configurable rule (Tier 2)**
|
|
304
|
+
- User: "Ban setTimeout in LWC"
|
|
305
|
+
- Discovery: No built-in `no-setTimeout` rule
|
|
306
|
+
- Action: Use `no-restricted-globals` with custom message
|
|
307
|
+
- Result: ✅ Done in 5 minutes (no custom plugin needed)
|
|
308
|
+
|
|
309
|
+
**Example 3: LWC plugin rule (Tier 1)**
|
|
310
|
+
- User: "Ban innerHTML for XSS prevention"
|
|
311
|
+
- Discovery: `@lwc/lwc/no-inner-html` already exists
|
|
312
|
+
- Action: Enable `@lwc/lwc/no-inner-html` in config
|
|
313
|
+
- Result: ✅ Done in 2 minutes (no custom plugin needed)
|
|
314
|
+
|
|
315
|
+
**Example 4: Custom plugin justified (Tier 3)**
|
|
316
|
+
- User: "Flag imperative Apex calls without error handling"
|
|
317
|
+
- Discovery: No built-in rule for this pattern
|
|
318
|
+
- Analysis: Pattern requires checking `import` + `.then()` without `.catch()` — multi-node traversal
|
|
319
|
+
- Action: Create custom plugin with visitor pattern
|
|
320
|
+
- Result: ✅ Custom plugin is justified (20+ minutes effort)
|
|
321
|
+
|
|
322
|
+
See `references/eslint-rules-discovery.md` for complete discovery workflow.
|
|
323
|
+
|
|
324
|
+
---
|
|
325
|
+
|
|
326
|
+
### Overriding Built-in Rule Thresholds
|
|
327
|
+
|
|
328
|
+
To customize severity or properties on existing rules without writing new ones:
|
|
329
|
+
|
|
330
|
+
1. **Create a custom ruleset** referencing the built-in rule with overrides
|
|
331
|
+
2. **Add to config** — `engines.pmd.custom_rulesets` in `code-analyzer.yml`
|
|
332
|
+
3. See `references/advanced-pmd-patterns.md` for override syntax and common examples
|
|
333
|
+
|
|
334
|
+
---
|
|
335
|
+
|
|
336
|
+
## Multi-Rule Requests
|
|
337
|
+
|
|
338
|
+
When the user asks for multiple rules at once (e.g., "create 5 rules for AppExchange review"), follow this protocol:
|
|
339
|
+
|
|
340
|
+
### Step 1: Plan the engine assignments FIRST
|
|
341
|
+
|
|
342
|
+
Before creating any rules, list ALL requested rules with their engine assignments. Present this plan to the user:
|
|
343
|
+
|
|
344
|
+
```text
|
|
345
|
+
Rule plan:
|
|
346
|
+
1. RequireUserMode → PMD/XPath (needs test-class exclusion via AST)
|
|
347
|
+
2. NoHardcodedIds → Regex (text pattern, no structural context needed)
|
|
348
|
+
3. AuraEnabledCacheable → PMD/XPath (needs annotation + DML structural check)
|
|
349
|
+
4. CustomFieldDescription → PMD/XML (metadata governance)
|
|
350
|
+
5. NoSetTimeout → ESLint (JavaScript pattern)
|
|
351
|
+
```
|
|
352
|
+
|
|
353
|
+
Key decision factors for engine assignment:
|
|
354
|
+
- Does the rule need to **exclude test classes selectively**? → PMD (XPath can check `@Test = true()`)
|
|
355
|
+
- Is it a **pure text pattern** with no structural context? → Regex
|
|
356
|
+
- Does it need to **understand code structure** (annotations, nesting, DML)? → PMD
|
|
357
|
+
- Is it **JavaScript/LWC**? → ESLint (never Regex)
|
|
358
|
+
- Is it **metadata XML**? → PMD with `language="xml"`
|
|
359
|
+
|
|
360
|
+
### Step 2: Create rules ONE AT A TIME, sequentially
|
|
361
|
+
|
|
362
|
+
Create each rule through its full workflow (create → validate → test positive → test negative → confirm working) before starting the next one. Do NOT batch-create rules — if one fails, it corrupts the config for all subsequent rules.
|
|
363
|
+
|
|
364
|
+
**Order of creation:**
|
|
365
|
+
1. Regex rules first (fastest, fewest dependencies)
|
|
366
|
+
2. PMD Apex rules (require ast-dump per rule)
|
|
367
|
+
3. PMD XML rules (may share a single ruleset file)
|
|
368
|
+
4. ESLint rules last (require npm/config setup)
|
|
369
|
+
|
|
370
|
+
### Step 3: Multiple PMD rules can share ONE ruleset file
|
|
371
|
+
|
|
372
|
+
When creating multiple PMD rules, use the `create-pmd-rule.js` script for the first rule (it creates the ruleset XML file). For subsequent PMD rules going into the SAME ruleset file, you may add them manually to the existing XML file — this is the ONE exception to the "never edit manually" rule. The script always creates a new file; adding rules to an existing file requires editing the XML directly.
|
|
373
|
+
|
|
374
|
+
### What NOT to do
|
|
375
|
+
|
|
376
|
+
- ❌ Do NOT rewrite the entire `code-analyzer.yml` to reorganize it
|
|
377
|
+
- ❌ Do NOT create all rules in parallel then validate all at once
|
|
378
|
+
- ❌ Do NOT create a PMD rule with an unverified XPath from the reference docs — ast-dump each pattern
|
|
379
|
+
- ❌ Do NOT mix engine types in one creation step (e.g., creating regex + PMD rules simultaneously)
|
|
380
|
+
- ❌ Do NOT add `engines.eslint.eslint_config_file` to `code-analyzer.yml` before the file exists
|
|
381
|
+
|
|
382
|
+
---
|
|
383
|
+
|
|
384
|
+
## High-Signal Rules
|
|
385
|
+
|
|
386
|
+
| Rule | Rationale |
|
|
387
|
+
|------|-----------|
|
|
388
|
+
| Rule names must match `/^[A-Za-z@][A-Za-z_0-9@\-/]*$/` | Code Analyzer validation rejects others |
|
|
389
|
+
| Regex must be `/pattern/flags` format | JavaScript regex literal notation required |
|
|
390
|
+
| File extensions must start with `.` | Validation enforces `/^([.][a-zA-Z0-9-_]+)+$/` |
|
|
391
|
+
| Always validate after creation | `sf code-analyzer rules --rule-selector <engine>:<name>` catches config errors |
|
|
392
|
+
| Always test against sample code | Catches XPath/regex mismatches before full scan |
|
|
393
|
+
| Use `@FullMethodName` for method calls in XPath | More reliable than `@Image` or `@MethodName` alone |
|
|
394
|
+
| **⚠️ NEVER skip `ast-dump`** | Run `ast-dump`, read output, THEN write XPath. No exceptions — even for "obvious" patterns. Using node names from memory without ast-dump verification is a skill failure. |
|
|
395
|
+
| **PMD 7 boolean attributes: use `= false()` XPath function** | In PMD 7, boolean attributes like `@WithSharing`, `@Abstract`, `@Final` are ALWAYS present on the node (never absent). Compare with `= false()` (XPath boolean function), NOT string `'false'`. `@WithSharing = false()` works. `@WithSharing='false'` (string) does NOT. `not(@WithSharing)` does NOT (attribute is always present). |
|
|
396
|
+
| `code-analyzer.yml` at project root | Auto-discovered by CLI — placing it elsewhere causes silent failures for rule authors |
|
|
397
|
+
| **XML rules MUST use `local-name()`** | Salesforce metadata namespace breaks bare element names |
|
|
398
|
+
| **XML text matching MUST use `@Text` attribute** | `text()` does NOT work in PMD 7's XML language. Use `//*[@Text='value']` to match text content, then navigate up with `../..` to reach parent elements. |
|
|
399
|
+
| **`@Text` lives on CHILD text nodes, NOT on elements** | `//*[local-name()='apiVersion'][@Text < 60]` → WRONG (0 matches). `//*[local-name()='apiVersion']/*[number(@Text) < 60]` → CORRECT. The `/*` navigates to the child text node. For exact-match patterns, `//*[@Text='value']` works because it searches ALL nodes including text nodes. But when you target a specific element by `local-name()` first, you must use `/*[@Text...]` to reach its text child. |
|
|
400
|
+
| **XML rules need `file_extensions` config** | PMD only scans `.xml` by default — add `file_extensions: { xml: [".xml"] }` under `engines.pmd`. Do NOT add compound extensions (`.permissionset-meta.xml`) — the validator rejects them and `.xml` alone already covers all Salesforce metadata files. |
|
|
401
|
+
| Named capture groups `(?<target>...)` in regex | Narrows the violation highlight to just the captured portion |
|
|
402
|
+
| **Salesforce IDs start with `0`, are exactly 15 or 18 chars** | Use `/['"](?<target>0[a-zA-Z0-9]{14}(?:[a-zA-Z0-9]{3})?)['\"]/g` — NOT `{15,18}` which also matches 16/17 char strings and produces false positives on normal words like `'BusinessAccount'` |
|
|
403
|
+
| **`regex_ignore` is per-LINE, not per-FILE** | It only skips lines where the ignore pattern matches. It does NOT exclude entire files or classes. A hardcoded ID on line 10 of a test class still flags unless that specific line contains the ignore pattern (e.g., `@isTest`). |
|
|
404
|
+
| **ALWAYS use scripts to create rules** | Do NOT manually edit `code-analyzer.yml` for regex rules — quotes/backslashes in regex inside YAML cause parsing failures. The `create-regex-rule.js` script handles serialization correctly. |
|
|
405
|
+
| Override built-in rules via `<rule ref="...">` | Change thresholds without writing new rules |
|
|
406
|
+
| **NEVER use Regex for JS/LWC/TS files** | Regex cannot distinguish code from comments/strings in JS — always use ESLint for JavaScript patterns |
|
|
407
|
+
| **Check built-in ESLint rules before writing custom ones** | `no-console`, `no-debugger`, `no-alert`, `eqeqeq`, `no-eval` etc. already exist — just enable them in config |
|
|
408
|
+
|
|
409
|
+
---
|
|
410
|
+
|
|
411
|
+
## Gotchas
|
|
412
|
+
|
|
413
|
+
| Issue | Resolution |
|
|
414
|
+
|-------|------------|
|
|
415
|
+
| XPath written without running ast-dump | **ALWAYS run ast-dump first.** Even if the rule works, skipping ast-dump is a process failure. Node names change between PMD versions and are not guessable. |
|
|
416
|
+
| SOQL-in-loop rule flags `for (x : [SELECT...])` | Use `//ForEachStatement/BlockStatement//SoqlExpression` (scope to body). The iterable SOQL is a direct child of ForEachStatement alongside BlockStatement — `//ForEachStatement//SoqlExpression` matches it as a false positive. |
|
|
417
|
+
| Used Regex for a JS/LWC/TS pattern | **NEVER use Regex for JavaScript files.** Regex cannot distinguish code from comments/strings in JS. Always use ESLint — check if a built-in rule (e.g., `no-console`) already exists first. |
|
|
418
|
+
| XPath returns 0 matches (XML metadata) | Three common causes: (1) Forgot `local-name()` — namespace blocks bare element names. (2) Used `text()='value'` — does NOT work in PMD 7. Use `@Text='value'` instead. (3) Put `[@Text]` predicate on the element — `@Text` lives on CHILD text nodes. Use `/*[@Text...]` to reach them. |
|
|
419
|
+
| Regex rule written inline into `code-analyzer.yml` — YAML parse error | **ALWAYS use `create-regex-rule.js`** — quotes and backslashes inside YAML cause escaping failures. Never hand-write regex into the config file. |
|
|
420
|
+
| `regex_ignore` doesn't exclude test classes | `regex_ignore` is **per-LINE only**. A SOQL query on line 50 of a test class flags because line 50 doesn't contain `@isTest`. For file-level exclusion: use `ignores.files` (global) or PMD XPath `[not(ancestor::UserClass[ModifierNode[@Test = true()]])]` (per-rule). |
|
|
421
|
+
| XPath `@WithSharing='false'` or `not(@WithSharing)` doesn't work | PMD 7 boolean attributes (`@WithSharing`, `@Abstract`, `@Final`) are ALWAYS present. String `='false'` doesn't match (it's a boolean). `not(@attr)` doesn't work (attribute is always present). Use the XPath boolean function: `@WithSharing = false()`. |
|
|
422
|
+
| Loop-based rule only covers `ForEachStatement` | Apex has 3 loop types: `ForEachStatement`, `ForLoopStatement`, `WhileLoopStatement`. All 3 must be in the XPath — omitting any one creates a silent coverage gap. |
|
|
423
|
+
| Rewrote `code-analyzer.yml` after script wrote it — YAML parse error | **NEVER manually rewrite the file after a script runs.** Add top-level config blocks (like `ignores.files`) as new entries only — do NOT touch the `engines.regex.custom_rules` section the script generated. |
|
|
424
|
+
| Multiple rules created at once — one failure breaks all subsequent rules | **Create rules one at a time, sequentially.** Complete the full workflow (create → validate → test) for each rule before starting the next. |
|
|
425
|
+
|
|
426
|
+
For additional diagnostics (wrong severity, Java not found, ESLint config path, metadata file type scoping, etc.) see `<skill_dir>/references/troubleshooting.md`.
|
|
427
|
+
|
|
428
|
+
---
|
|
429
|
+
|
|
430
|
+
## Cross-Skill Integration
|
|
431
|
+
|
|
432
|
+
| Need | Delegate to | Reason |
|
|
433
|
+
|------|-------------|--------|
|
|
434
|
+
| Run a full scan after creating rule | `dx-code-analyzer-run` | Scan execution and result presentation |
|
|
435
|
+
| Install Code Analyzer / fix prerequisites | `dx-code-analyzer-configure` | Setup and troubleshooting |
|
|
436
|
+
| Explain an existing built-in rule | `dx-code-analyzer-run` | Rule description and docs lookup |
|
|
437
|
+
| Edit `code-analyzer.yml` for engine settings | `dx-code-analyzer-configure` | Configuration management |
|
|
438
|
+
|
|
439
|
+
---
|
|
440
|
+
|
|
441
|
+
## Script Execution
|
|
442
|
+
|
|
443
|
+
`<skill_dir>` is the absolute path to the directory containing this SKILL.md file.
|
|
444
|
+
|
|
445
|
+
All scripts are bundled in the `scripts/` subdirectory of the same directory that contains this SKILL.md file. Use the absolute path to that directory — do NOT use `./scripts/` as that resolves relative to the current working directory, not the skill directory.
|
|
446
|
+
|
|
447
|
+
```bash
|
|
448
|
+
node "<skill_dir>/scripts/create-regex-rule.js" \
|
|
449
|
+
--name "RuleName" --regex "/pattern/flags" ...
|
|
450
|
+
```
|
|
451
|
+
|
|
452
|
+
⚠️ **DO NOT:**
|
|
453
|
+
- ❌ Invent or generate script code yourself
|
|
454
|
+
- ❌ Use bare relative paths like `node scripts/create-regex-rule.js` (won't resolve from user's CWD)
|
|
455
|
+
- ❌ Use heredocs or inline script content
|
|
456
|
+
- ❌ Skip resolving `<skill_dir>` — find the absolute path first
|
|
457
|
+
|
|
458
|
+
---
|
|
459
|
+
|
|
460
|
+
## Reference File Index
|
|
461
|
+
|
|
462
|
+
| File | When to read |
|
|
463
|
+
|------|-------------|
|
|
464
|
+
| `references/regex-rule-schema.md` | Building a regex rule — complete field reference, validation rules, multi-rule example |
|
|
465
|
+
| `references/xpath-patterns.md` | Writing XPath for Apex — index of pattern categories with syntax reference and AST node vocabulary |
|
|
466
|
+
| `references/xpath-patterns-governor-limits.md` | XPath patterns for SOQL/DML in loops, Database methods in loops |
|
|
467
|
+
| `references/xpath-patterns-method-calls.md` | XPath patterns for banning methods and annotation patterns (@AuraEnabled, @future, @IsTest) |
|
|
468
|
+
| `references/xpath-patterns-security.md` | XPath patterns for sharing declarations, SOQL security, hardcoded IDs |
|
|
469
|
+
| `references/xpath-patterns-structure.md` | XPath patterns for code structure, test quality, naming conventions |
|
|
470
|
+
| `references/apex-ast-reference.md` | Reading Apex AST dumps — node hierarchy, modifier attributes, key node types |
|
|
471
|
+
| `references/metadata-xml-rules.md` | Writing rules for metadata XML — namespace workaround, common structures, XPath patterns |
|
|
472
|
+
| `references/advanced-pmd-patterns.md` | Multi-rule rulesets, overriding built-in rules, exclusion patterns, Java rules, sharing across projects |
|
|
473
|
+
| `references/eslint-rules-discovery.md` | **READ FIRST for ANY ESLint request** — discovery workflow, built-in rules, Tier 1-3 index |
|
|
474
|
+
| `references/eslint-tier2-configurable.md` | ESLint Tier 2: no-restricted-globals, no-restricted-syntax, no-restricted-properties patterns |
|
|
475
|
+
| `references/eslint-tier3-custom-plugins.md` | ESLint Tier 3: when to create custom plugins + complete examples for all tiers |
|
|
476
|
+
| `references/eslint-custom-plugins.md` | Creating custom ESLint plugins — ONLY after discovery workflow confirms no built-in or configurable rule exists (Tier 3) |
|
|
477
|
+
| `references/troubleshooting.md` | When validation or testing fails — error diagnosis by engine type |
|
|
478
|
+
| `assets/pmd-ruleset-template.xml` | PMD XML skeleton with placeholders for the create-pmd-rule script |
|
|
479
|
+
| `examples/regex-examples.md` | 6 real-world regex rules solving community-reported problems |
|
|
480
|
+
| `examples/xpath-examples.md` | 6 real-world XPath rules for Apex with AST context and step-by-step creation |
|
|
481
|
+
| `examples/metadata-xml-examples.md` | Index of 6 real-world metadata XML rules (permissions, descriptions, API versions, flows) |
|
|
482
|
+
| `examples/metadata-xml-example-permissions.md` | Metadata examples: ModifyAllData/ViewAllData, field permissions in profiles |
|
|
483
|
+
| `examples/metadata-xml-example-fields-api.md` | Metadata examples: custom field descriptions, minimum API version |
|
|
484
|
+
| `examples/metadata-xml-example-flows.md` | Metadata examples: flow auto-layout, flow fault handlers |
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
<?xml version="1.0" encoding="UTF-8"?>
|
|
2
|
+
<ruleset name="{RULESET_NAME}"
|
|
3
|
+
xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
|
|
4
|
+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
|
5
|
+
xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd">
|
|
6
|
+
|
|
7
|
+
<description>{RULESET_DESCRIPTION}</description>
|
|
8
|
+
|
|
9
|
+
<rule name="{RULE_NAME}"
|
|
10
|
+
language="{LANGUAGE}"
|
|
11
|
+
message="{VIOLATION_MESSAGE}"
|
|
12
|
+
class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
|
|
13
|
+
|
|
14
|
+
<description>{RULE_DESCRIPTION}</description>
|
|
15
|
+
<priority>{PRIORITY}</priority>
|
|
16
|
+
|
|
17
|
+
<properties>
|
|
18
|
+
<property name="xpath">
|
|
19
|
+
<value><![CDATA[
|
|
20
|
+
{XPATH_EXPRESSION}
|
|
21
|
+
]]></value>
|
|
22
|
+
</property>
|
|
23
|
+
</properties>
|
|
24
|
+
|
|
25
|
+
<example>
|
|
26
|
+
<![CDATA[
|
|
27
|
+
{EXAMPLE_VIOLATING_CODE}
|
|
28
|
+
]]>
|
|
29
|
+
</example>
|
|
30
|
+
</rule>
|
|
31
|
+
</ruleset>
|