@salesforce/mcp 0.0.1 → 0.2.6

package/README.md

@@ -1,7 +1,244 @@
 # mcp
 
-MCP Server for interacting with Salesforce instances
+MCP Server for Interacting with Salesforce Orgs
 
-[![NPM](https://img.shields.io/npm/v/@salesforce/mcp.svg?label=@salesforce/mcp)](https://www.npmjs.com/package/@salesforce/mcp) [![Downloads/week](https://img.shields.io/npm/dw/@salesforce/mcp.svg)](https://npmjs.org/package/@salesforce/mcp) [![License](https://img.shields.io/badge/License-Apache--2.0-blue.svg)](https://opensource.org/license/apache-2-0)
+[![NPM](https://img.shields.io/npm/v/@salesforce/mcp.svg?label=@salesforce/mcp)](https://www.npmjs.com/package/@salesforce/mcp) [![License](https://img.shields.io/badge/License-Apache--2.0-blue.svg)](https://opensource.org/license/apache-2-0)
 
-Future home of the Salesforce MCP. Stay tuned ✨
+## Overview of the Salesforce MCP Server (Developer Preview)
+
+The Salesforce MCP Server is a specialized Model Context Protocol (MCP) implementation designed to facilitate seamless interaction between large language models (LLMs) and Salesforce orgs. This MCP server provides a robust set of tools and capabilities that enable LLMs to read, manage, and operate Salesforce resources securely.
+
+Key Features:
+
+- Direct interaction with Salesforce orgs through LLM-driven tools.
+- Secure access using TypeScript libraries (not shelling out to the `sf` Salesforce CLI).
+- Improved security by avoiding the exposure of secrets in plain text.
+- Granular access control with org allowlisting.
+- Modular tool architecture for easy extensibility.
+
+**NOTE**: The Salesforce MCP Server is available as a developer preview. The feature isn’t generally available unless or until Salesforce announces its general availability in documentation or in press releases or public statements. All commands, parameters, and other features are subject to change or deprecation at any time, with or without notice. Don't implement functionality developed with these commands or tools. As we continue to enhance and refine the implementation, the available functionality and tools may evolve. We welcome feedback and contributions to help shape the future of this project.
+
+### Security Features
+
+The Salesforce MCP Server was designed with security as a top priority.
+
+- **Uses TypeScript libraries directly**
+
+  - Greatly decreases the size of the MCP Server.
+  - Significantly reduces the risk of remote code execution (RCE).
+
+- **No secrets needed in configuration**
+
+  - Eliminates the risk of plain text secret exposure.
+  - Accesses pre-existing (encrypted) auth files on the user's machine.
+  - Implements allowlisting for auth info key/values to prevent sensitive data exposure.
+
+- **No secrets exposed via MCP tools**
+
+  - Prevents other tools from accessing unencrypted tokens.
+  - Tools pass usernames around instead of tokens.
+
+- **Granular access control**
+
+  - MCP Server can access auth info for only orgs that have been explicitly allowlisted.
+  - Users specify allowed orgs when starting the server.
+
+## Get Started Using VS Code as the Client
+
+Want to jump in and see what all the fuss is about? Read on!
+
+This example uses Visual Studio Code (VS Code) as the MCP client because it's a standard Salesforce DX development tool. After you configure it with the Salesforce MCP server, you then use GitHub Copilot and natural language to easily execute typical Salesforce DX development tasks, such as listing your authorized orgs, viewing org records, and deploying or retrieving metadata.
+
+But you're not limited to using only VS Code and Copilot! You can [configure many other clients](README.md#configure-other-clients-to-use-the-salesforce-mcp-server) to use the Salesforce MCP server, such as Cursor, Cline, Claude Desktop, Zed, Windsurf, and more.
+
+**Before You Begin**
+
+For the best getting-started experience, make sure that you have a Salesforce DX environment set up on your computer. In particular:
+
+- [Install VS Code](https://code.visualstudio.com/docs) on your computer.
+- [Create a Salesforce DX project](https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_ws_create_new.htm) and open it in VS Code.  You can also clone an example repo, such as [dreamhouse-lwc](https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_intro_sample_repo.htm), which is a ready-to-use DX project that contains a simple Salesforce application, with metadata and test data.  
+- [Authorize at least one Salesforce org](https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_auth_web_flow.htm) to use with your DX project.  You can also create a scratch org. 
+
+**Let's Do It**
+
+1. Create a `.vscode/mcp.json` file at the root of your DX project and add this JSON:
+
+   ```json
+   {
+     "servers": {
+       "salesforce": {
+         "type": "stdio",
+         "command": "npx",
+         "args": ["-y", "@salesforce/mcp", "--orgs", "DEFAULT_TARGET_ORG", "--toolsets", "all"]
+       }
+     }
+   }
+   ```
+
+   You can also configure the MCP server globally by editing the VS Code [settings.json](https://code.visualstudio.com/docs/configure/settings#_settings-file-locations) file and adding a similar JSON snippet but contained in an `mcp:servers` section.
+
+   The `--orgs` argument is required and specifies the authorized orgs you're allowing the MCP server to access. The `--toolsets` argument is optional and specifies the toolsets it should consult when determining the specific tool to run. See [Configure Orgs and Toolsets](README.md#configure-orgs-and-toolsets) for the available values for the two arguments.
+
+1. Open VS Code, go to **View -> Command Palette** and enter **MCP: List Servers**.
+
+   TIP: You can also get to the command palette by pressing press Ctrl+Shift+P (Windows or Linux) or Command-Shift-P (macOS).
+
+1. Click `salesforce`, then **Start Server**.
+
+   Check the Output tab for the server status.
+
+1. Run **Chat: Open Chat (Agent)** from the command palette to start a new GitHub Copilot chat session.
+
+1. In the GitHub Copilot chat window, use natural language to explain what you want to do. The MCP server determines which configured tool to use, and then shows it to you along with other information. Click **Continue** to run the tool and see the results of your request. Try out these examples:
+
+   - List all my orgs.
+   - Which are my active scratch orgs?
+   - Show me all the accounts in the org with alias my-org.
+   - Deploy everything in my project to the org with alias my-org.
+
+1. To stop, restart, or view the MCP server configuration, run the **MCP: List Servers** command, click `salesforce`, then click the appropriate option.
+
+## Configure Orgs and Toolsets
+
+You configure the Salesforce MCP server by specifying at least one authorized org and an optional list of MCP toolsets.
+
+### Configure Orgs
+
+The Salesforce MCP tools require an org, and so you must include the required `--orgs` argument to specify at least one authorized org when you configure the MCP server. Separate multiple values with commas.
+
+You must explicitly [authorize the orgs](https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_auth_web_flow.htm) on your computer before the MCP server can access them. Use the `org login web` Salesforce CLI command or the VS Code **SFDX: Authorize an Org** command from the command palette.
+
+These are the available values for the `--orgs` argument:
+
+- `DEFAULT_TARGET_ORG` - Allow access to your default org. If you've set a local default org in your DX project, the MCP server uses it. If not, the server uses a globally-set default org.
+- `DEFAULT_TARGET_DEV_HUB` - Allow access to your default Dev Hub org. If you've set a local default Dev Hub org in your DX project, the MCP server uses it. If not, the server uses a globally-set default Dev Hub org.
+- `ALLOW_ALL_ORGS` - Allow access to all authorized orgs. Use this value with caution.
+- `<username or alias>` - Allow access to a specific org by specifying its username or alias.
+
+This example shows how to specify that the MCP tools run against your default org when you configure the MCP server for VS Code:
+
+```json
+     "mcp": {
+       "servers": {
+         "salesforce": {
+           "type": "stdio",
+           "command": "npx",
+           "args": ["-y", "@salesforce/mcp", "--orgs", "DEFAULT_TARGET_ORG"]
+         }
+       }
+     }
+```
+
+This sample snippet shows how to configure access to your default Dev Hub org and an org with username `test-org@example.com`:
+
+```json
+           "args": ["-y", "@salesforce/mcp", "--orgs", "DEFAULT_TARGET_DEV_HUB,test-org@example.com"]
+```
+
+This sample snippet shows how to configure access to two orgs for which you specified aliases when you authorized them:
+
+```json
+           "args": ["-y", "@salesforce/mcp", "--orgs", "my-scratch-org,my-dev-hub"]
+```
+
+### Configure Toolsets
+
+The Salesforce MCP Server supports **toolsets** - a way to selectively enable different groups of MCP tools based on your needs. This allows you to run the MCP server with only the tools you require, which in turn reduces the context.
+
+Use the `--toolsets` (or short name `-t`) argument to specify the toolsets when you configure the Salesforce MCP server. Separate multiple toolsets with commas. The `--toolsets` argument is optional; if you don't specify it, the MCP server is configured with all toolsets.
+
+These are the available toolsets:
+
+- `all` (default) - Enables all available tools from all toolsets.
+- `orgs` - [Tools to manage your authorized orgs.](README.md#orgs-toolset)
+- `data` - [Tools to manage the data in your org, such as listing all accounts.](README.md#data-toolset)
+- `users` - [Tools to manage org users, such as assigning a permission set.](README.md#users-toolset)
+- `metadata` - [Tools to deploy and retrieve metadata to and from your org and your DX project.](README.md#metadata-toolset)
+
+This example shows how to enable the `data`, `orgs`, and `metadata` toolsets when configuring the MCP server for VS Code:
+
+```json
+     "mcp": {
+       "servers": {
+         "salesforce": {
+           "type": "stdio",
+           "command": "npx",
+           "args": ["-y", "@salesforce/mcp", "--orgs", "DEFAULT_TARGET_ORG", "--toolsets", "data,orgs,metadata"]
+         }
+       }
+     }
+```
+
+#### Core Toolset (always enabled)
+
+Includes this tool:
+
+- `sf-get-username` - Determines the appropriate username or alias for Salesforce operations, handling both default orgs and Dev Hubs.
+
+#### Orgs Toolset
+
+Includes this tool:
+
+- `sf-list-all-orgs` - Lists all configured Salesforce orgs, with optional connection status checking.
+
+#### Data Toolset
+
+Includes this tool:
+
+- `sf-query-org` - Runs a SOQL query against a Salesforce org.
+
+#### Users Toolset
+
+Includes this tool:
+
+- `sf-assign-permission-set` - Assigns a permission set to the user or on behalf of another user.
+
+#### Metadata Toolset
+
+Includes these tools:
+
+- `sf-deploy-metadata` - Deploys metadata from your DX project to an org.
+- `sf-retrieve-metadata` - Retrieves metadata from your org to your DX project.
+
+## Configure Other Clients to Use the Salesforce MCP Server
+
+**Cursor**
+
+To configure [Cursor](https://www.cursor.com/) to work with Salesforce MCP server, add this snippet to your Cursor `mcp.json` file:
+
+```json
+{
+  "mcpServers": {
+    "salesforce": {
+      "command": {
+        "path": "npx",
+        "args": ["-y", "@salesforce/mcp", "--orgs", "DEFAULT_TARGET_ORG", "--toolsets", "all"]
+      }
+    }
+  }
+}
+```
+
+**Cline**
+
+To configure [Cline](https://cline.bot), add this snippet to your Cline `cline_mcp_settings.json` file:
+
+```json
+{
+  "mcpServers": {
+    "salesforce": {
+      "command": "npx",
+      "args": ["-y", "@salesforce/mcp", "--orgs", "DEFAULT_TARGET_ORG", "--toolsets", "all"]
+    }
+  }
+}
+```
+
+**Other Clients**
+
+For these other clients, refer to their documentation for adding MCP servers and follow the same pattern as in the preceding VS Code and Cursor JSON snippets:
+
+- [Claude Desktop](https://claude.ai/download)
+- [Zed](https://github.com/zed-industries/zed)
+- [Windsurf](https://www.windsurf.com/)
+- [Trae](https://trae.ai)

package/lib/index.d.ts

@@ -1 +1,2 @@
+#!/usr/bin/env node
 export {};

package/lib/index.js

@@ -1,4 +1,4 @@
-"use strict";
+#!/usr/bin/env node
 /*
  * Copyright 2025, Salesforce, Inc.
  *
@@ -14,7 +14,73 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-Object.defineProperty(exports, "__esModule", { value: true });
-// eslint-disable-next-line no-console
-console.log('Coming soon ✨');
+/* eslint-disable no-console */
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import { parseStartupArguments, getEnabledToolsets } from './shared/utils.js';
+import * as core from './tools/core/index.js';
+import * as orgs from './tools/orgs/index.js';
+import * as data from './tools/data/index.js';
+import * as users from './tools/users/index.js';
+import * as metadata from './tools/metadata/index.js';
+// Create server instance
+const server = new McpServer({
+    name: 'sf-mcp-server',
+    version: '0.0.6',
+    capabilities: {
+        resources: {},
+        tools: {},
+    },
+});
+const { values } = parseStartupArguments();
+// Toolsets will always be set. It is 'all' by default
+const availableToolsets = ['all', 'orgs', 'data', 'users', 'metadata'];
+const enabledToolsets = getEnabledToolsets(availableToolsets, values.toolsets);
+const all = enabledToolsets.has('all');
+// TODO: Should we add annotations to our tools? https://modelcontextprotocol.io/docs/concepts/tools#tool-definition-structure
+// TODO: Move tool names into a shared file, that way if we reference them in multiple places, we can update them in one place
+// ************************
+// CORE TOOLS (always on)
+// ************************
+// get username
+core.registerToolGetUsername(server);
+// ************************
+// ORG TOOLS
+// ************************
+if (all || enabledToolsets.has('orgs')) {
+    // list all orgs
+    orgs.registerToolListAllOrgs(server);
+}
+// ************************
+// DATA TOOLS
+// ************************
+if (all || enabledToolsets.has('data')) {
+    // query org
+    data.registerToolQueryOrg(server);
+}
+// ************************
+// USER TOOLS
+// ************************
+if (all || enabledToolsets.has('users')) {
+    // assign permission set
+    users.registerToolAssignPermissionSet(server);
+}
+// ************************
+// METADATA TOOLS
+// ************************
+if (all || enabledToolsets.has('metadata')) {
+    // deploy metadata
+    metadata.registerToolDeployMetadata(server);
+    // retrieve metadata
+    metadata.registerToolRetrieveMetadata(server);
+}
+async function main() {
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+    console.error('✅ Salesforce MCP Server running on stdio');
+}
+main().catch((error) => {
+    console.error('Fatal error in main():', error);
+    process.exit(1);
+});
 //# sourceMappingURL=index.js.map

package/lib/shared/auth.d.ts

@@ -0,0 +1,20 @@
+import { Connection, type OrgAuthorization } from '@salesforce/core';
+import { type ConfigInfoWithCache, type SanitizedOrgAuthorization } from './types.js';
+/**
+ * Sanitizes org authorization data by filtering out sensitive fields
+ *
+ * @param orgs - Array of OrgAuthorization objects
+ * @returns Array of sanitized org authorization objects with only allowed fields
+ */
+export declare function sanitizeOrgs(orgs: OrgAuthorization[]): SanitizedOrgAuthorization[];
+export declare function suggestUsername(): Promise<{
+    suggestedUsername: string | undefined;
+    reasoning: string;
+    aliasForReference?: string;
+}>;
+export declare function getConnection(username: string): Promise<Connection>;
+export declare function findOrgByUsernameOrAlias(allOrgs: SanitizedOrgAuthorization[], usernameOrAlias: string): SanitizedOrgAuthorization | undefined;
+export declare function getAllAllowedOrgs(): Promise<SanitizedOrgAuthorization[]>;
+export declare function filterAllowedOrgs(orgs: SanitizedOrgAuthorization[], ALLOWLIST?: Set<string>): Promise<SanitizedOrgAuthorization[]>;
+export declare function getDefaultTargetOrg(): Promise<ConfigInfoWithCache | undefined>;
+export declare function getDefaultTargetDevHub(): Promise<ConfigInfoWithCache | undefined>;

package/lib/shared/auth.js

@@ -0,0 +1,186 @@
+/*
+ * Copyright 2025, Salesforce, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/* eslint-disable no-console */
+import { AuthInfo, Connection, ConfigAggregator, OrgConfigProperties } from '@salesforce/core';
+import { buildOrgAllowList, parseStartupArguments } from './utils.js';
+const url = new URL(import.meta.url);
+const params = url.searchParams.get('orgs');
+const paramOrg = params ? params : undefined;
+const { values } = parseStartupArguments();
+const ORG_ALLOWLIST = buildOrgAllowList(paramOrg ?? values.orgs);
+console.error(' - Allowed orgs:', ORG_ALLOWLIST);
+/**
+ * Sanitizes org authorization data by filtering out sensitive fields
+ *
+ * @param orgs - Array of OrgAuthorization objects
+ * @returns Array of sanitized org authorization objects with only allowed fields
+ */
+export function sanitizeOrgs(orgs) {
+    return orgs.map((org) => ({
+        aliases: org.aliases,
+        configs: org.configs,
+        username: org.username,
+        instanceUrl: org.instanceUrl,
+        isScratchOrg: org.isScratchOrg,
+        isDevHub: org.isDevHub,
+        isSandbox: org.isSandbox,
+        orgId: org.orgId,
+        oauthMethod: org.oauthMethod,
+        isExpired: org.isExpired,
+    }));
+}
+export async function suggestUsername() {
+    let reasoning;
+    let suggestedUsername;
+    let aliasForReference;
+    const allAllowedOrgs = await getAllAllowedOrgs();
+    const defaultTargetOrg = await getDefaultTargetOrg();
+    const defaultTargetDevHub = await getDefaultTargetDevHub();
+    const targetOrgLocation = defaultTargetOrg?.location ? `(${defaultTargetOrg.location}) ` : '';
+    const targetDevHubLocation = defaultTargetDevHub?.location ? `(${defaultTargetDevHub.location}) ` : '';
+    if (allAllowedOrgs.length === 1) {
+        suggestedUsername = allAllowedOrgs[0].username;
+        aliasForReference = allAllowedOrgs[0].aliases?.[0];
+        reasoning = 'it was the only org found in the MCP Servers allowlisted orgs';
+    }
+    else if (defaultTargetOrg?.value) {
+        const foundOrg = findOrgByUsernameOrAlias(allAllowedOrgs, defaultTargetOrg.value);
+        suggestedUsername = foundOrg?.username;
+        aliasForReference = foundOrg?.aliases?.[0];
+        reasoning = `it is the default ${targetOrgLocation}target org`;
+    }
+    else if (defaultTargetDevHub?.value) {
+        const foundOrg = findOrgByUsernameOrAlias(allAllowedOrgs, defaultTargetDevHub.value);
+        suggestedUsername = foundOrg?.username;
+        aliasForReference = foundOrg?.aliases?.[0];
+        reasoning = `it is the default ${targetDevHubLocation}dev hub org`;
+    }
+    else {
+        reasoning = 'Error: no org was inferred. Ask the user to specify one';
+    }
+    return {
+        suggestedUsername,
+        aliasForReference,
+        reasoning,
+    };
+}
+// This function is the main entry point for Tools to get an allowlisted Connection
+export async function getConnection(username) {
+    // We get all allowed orgs each call in case the directory has changed (default configs)
+    const allOrgs = await getAllAllowedOrgs();
+    const foundOrg = findOrgByUsernameOrAlias(allOrgs, username);
+    if (!foundOrg)
+        return Promise.reject(new Error('No org found with the provided username/alias. Ask the user to specify one or check their MCP Server startup config.'));
+    const authInfo = await AuthInfo.create({ username: foundOrg.username });
+    const connection = await Connection.create({ authInfo });
+    return connection;
+}
+export function findOrgByUsernameOrAlias(allOrgs, usernameOrAlias) {
+    return allOrgs.find((org) => {
+        // Check if the org's username or alias matches the provided usernameOrAlias
+        const isMatchingUsername = org.username === usernameOrAlias;
+        const isMatchingAlias = org.aliases && Array.isArray(org.aliases) && org.aliases.includes(usernameOrAlias);
+        return isMatchingUsername || isMatchingAlias;
+    });
+}
+export async function getAllAllowedOrgs() {
+    // Get all orgs on the user's machine
+    const allOrgs = await AuthInfo.listAllAuthorizations();
+    // Sanitize the orgs to remove sensitive data
+    const sanitizedOrgs = sanitizeOrgs(allOrgs);
+    // Filter out orgs that are not in ORG_ALLOWLIST
+    const allowedOrgs = await filterAllowedOrgs(sanitizedOrgs, ORG_ALLOWLIST);
+    // If no orgs are found, stop the server
+    if (allowedOrgs.length === 0) {
+        console.error('No orgs found that match the allowed orgs configuration. Check MCP Server startup config.');
+        process.exit(1);
+    }
+    return allowedOrgs;
+}
+// Function to filter orgs based on ORG_ALLOWLIST configuration
+export async function filterAllowedOrgs(orgs, ALLOWLIST = ORG_ALLOWLIST) {
+    // Return all orgs if ALLOW_ALL_ORGS is set
+    if (ALLOWLIST.has('ALLOW_ALL_ORGS'))
+        return orgs;
+    // Get default orgs for filtering
+    const defaultTargetOrg = await getDefaultTargetOrg();
+    const defaultTargetDevHub = await getDefaultTargetDevHub();
+    return orgs.filter((org) => {
+        // Skip orgs without a username
+        if (!org.username)
+            return false;
+        // Check if org is specifically allowed by username
+        if (ALLOWLIST.has(org.username))
+            return true;
+        // Check if org is allowed by alias
+        if (org.aliases?.some((alias) => ALLOWLIST.has(alias)))
+            return true;
+        // If DEFAULT_TARGET_ORG is set, check for a username or alias match
+        if (ALLOWLIST.has('DEFAULT_TARGET_ORG') && defaultTargetOrg?.value) {
+            if (org.username === defaultTargetOrg.value)
+                return true;
+            if (org.aliases?.includes(defaultTargetOrg.value))
+                return true;
+        }
+        // If DEFAULT_TARGET_DEV_HUB is set, check for a username or alias match
+        if (ALLOWLIST.has('DEFAULT_TARGET_DEV_HUB') && defaultTargetDevHub?.value) {
+            if (org.username === defaultTargetDevHub.value)
+                return true;
+            if (org.aliases?.includes(defaultTargetDevHub.value))
+                return true;
+        }
+        // Org not allowed
+        return false;
+    });
+}
+const defaultOrgMaps = {
+    [OrgConfigProperties.TARGET_ORG]: new Map(),
+    [OrgConfigProperties.TARGET_DEV_HUB]: new Map(),
+};
+// Helper function to get default config for a property
+// Values are cached based on ConfigInfo path after first retrieval
+// This is to prevent manipulation of the config file after server start
+async function getDefaultConfig(property) {
+    // If the directory changes, the singleton instance of ConfigAggregator is not updated.
+    // It continues to use the old local or global config.
+    // Note: We could update ConfigAggregator to have a clearInstance method like StateAggregator
+    // @ts-expect-error Accessing private static instance to reset singleton between directory changes
+    ConfigAggregator.instance = undefined;
+    const aggregator = await ConfigAggregator.create();
+    const config = aggregator.getInfo(property);
+    const { value, path, key, location } = config;
+    if (!value || typeof value !== 'string' || !path)
+        return undefined;
+    // Create a typed config object with the necessary properties
+    // This reduces assertions and lowers context returned to the LLM
+    const typedConfig = { key, location, value, path };
+    if (defaultOrgMaps[property].has(path)) {
+        // If the cache has the config's path set, use the cached config
+        const cachedConfig = defaultOrgMaps[property].get(path);
+        return { ...cachedConfig, cached: true };
+    }
+    else {
+        defaultOrgMaps[property].set(path, typedConfig);
+        return typedConfig;
+    }
+}
+export async function getDefaultTargetOrg() {
+    return getDefaultConfig(OrgConfigProperties.TARGET_ORG);
+}
+export async function getDefaultTargetDevHub() {
+    return getDefaultConfig(OrgConfigProperties.TARGET_DEV_HUB);
+}
+//# sourceMappingURL=auth.js.map

package/lib/shared/params.d.ts

@@ -0,0 +1,5 @@
+import { z } from 'zod';
+export declare const usernameOrAliasParam: z.ZodString;
+export declare const useToolingApiParam: z.ZodOptional<z.ZodBoolean>;
+export declare const baseAbsolutePathParam: z.ZodEffects<z.ZodString, string, string>;
+export declare const directoryParam: z.ZodEffects<z.ZodString, string, string>;

package/lib/shared/params.js

@@ -0,0 +1,48 @@
+/*
+ * Copyright 2025, Salesforce, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import { z } from 'zod';
+import { sanitizePath } from './utils.js';
+/*
+ * A collection of reuseable Tool parameters
+ */
+export const usernameOrAliasParam = z.string()
+    .describe(`The username or alias for the Salesforce org to run this tool against.
+
+AGENT INSTRUCTIONS:
+If it is not clear what username or alias is, run the #sf-get-username tool.
+DO NOT use #sf-get-username if the user mentions an alias or username, like "for my an-alias org" or "for my test-prgelc2petd9@example.com org".
+
+USAGE:
+...for the my-alias org
+...for my 'my-alias' user
+...for alias myAlias
+...for my 'test@example.com' user
+...for the 'test@example.com' org`);
+export const useToolingApiParam = z
+    .boolean()
+    .optional()
+    .describe('Use Tooling API to insert a record in a Tooling API object');
+export const baseAbsolutePathParam = z
+    .string()
+    .refine(sanitizePath, 'Invalid path: Must be an absolute path and cannot contain path traversal sequences');
+export const directoryParam = baseAbsolutePathParam.describe(`The directory to run this tool from.
+AGENT INSTRUCTIONS:
+We need to know where the user wants to run this tool from.
+Look at your current Workspace Context to determine this filepath.
+ALWAYS USE A FULL PATH TO THE DIRECTORY.
+Unless the user explicitly asks for a different directory, or a new directory is created from the action of a tool, use this same directory for future tool calls.
+`);
+//# sourceMappingURL=params.js.map

package/lib/shared/types.d.ts

@@ -0,0 +1,34 @@
+import { ConfigInfo } from '@salesforce/core';
+import { type Nullable } from '@salesforce/ts-types';
+export type ConfigInfoWithCache = {
+    key: string;
+    location?: ConfigInfo['location'];
+    value: string;
+    cached?: boolean;
+    path: string;
+};
+export type SanitizedOrgAuthorization = {
+    aliases?: Nullable<string[]>;
+    configs?: Nullable<string[]>;
+    username?: string;
+    instanceUrl?: string;
+    isScratchOrg?: boolean;
+    isDevHub?: boolean;
+    isSandbox?: boolean;
+    orgId?: string;
+    oauthMethod?: string;
+    isExpired?: boolean | 'unknown';
+};
+export type ToolTextResponse = {
+    isError: boolean;
+    content: Array<{
+        type: 'text';
+        text: string;
+    }>;
+};
+export type ParseArgsResult = {
+    values: {
+        toolsets: string;
+        orgs: string;
+    };
+};

package/lib/shared/types.js

@@ -0,0 +1,17 @@
+/*
+ * Copyright 2025, Salesforce, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/lib/shared/utils.d.ts

@@ -0,0 +1,13 @@
+import { type ToolTextResponse, type ParseArgsResult } from './types.js';
+export declare function parseStartupArguments(): ParseArgsResult;
+export declare function buildOrgAllowList(orgs: string): Set<string>;
+export declare function textResponse(text: string, isError?: boolean): ToolTextResponse;
+/**
+ * Gets the enabled toolsets based on user input and validates against available toolsets
+ *
+ * @param availableToolsets - The list of available toolsets
+ * @param toolsetsInput - The comma-separated list of toolsets
+ * @returns A Set of enabled toolsets
+ */
+export declare function getEnabledToolsets(availableToolsets: string[], toolsetsInput: string): Set<string>;
+export declare function sanitizePath(path: string): boolean;