scc-universal 1.1.0

package/skills/save-session/SKILL.md

@@ -0,0 +1,186 @@
+---
+name: save-session
+description: >-
+  Use when saving current Salesforce development session state. Persist org context, Apex progress,
+  and pending work to a dated file for future session resumption.
+origin: SCC
+user-invocable: true
+disable-model-invocation: true
+---
+
+# Save Session — Capture and Persist Session Context
+
+Capture everything that happened in this session — what was built, what worked, what failed, what's left — and write it to a dated file so the next session can pick up exactly where this one left off.
+
+## When to Use
+
+- End of a work session before closing Claude Code
+- Before hitting context limits (run this first, then start a fresh session)
+- After solving a complex Salesforce problem you want to remember
+- Any time you need to hand off context to a future session
+
+## Process
+
+### Step 1: Gather context
+
+Before writing the file, collect:
+
+- Read all files modified during this session (use git diff or recall from conversation)
+- Review what was discussed, attempted, and decided
+- Note any errors encountered and how they were resolved (or not)
+- Check current test/sf-deployment status if relevant
+- Note org-specific details (scratch org alias, connected org, CLI version)
+
+### Step 2: Create the sessions folder if it doesn't exist
+
+```bash
+mkdir -p ~/.claude/sessions
+```
+
+### Step 3: Write the session file
+
+Create `~/.claude/sessions/YYYY-MM-DD-<short-id>-session.md`, using today's actual date and a short-id:
+
+- Allowed characters: lowercase `a-z`, digits `0-9`, hyphens `-`
+- Minimum length: 8 characters
+- No uppercase letters, no underscores, no spaces
+
+Full valid filename example: `2026-03-18-apex-trig-session.md`
+
+The short-id should include the project name to enable cross-project isolation (e.g., `myapp-apex-trig` instead of just `apex-trig`). This prevents session file collisions when working across multiple Salesforce projects that share the same `~/.claude/sessions/` directory.
+
+### Step 4: Populate the file with all sections below
+
+Keep session files under ~500 lines. Focus on decisions, blockers, and next steps — not full code dumps. If you need to reference large code blocks, point to file paths instead.
+
+Write every section honestly. Do not skip sections — write "Nothing yet" or "N/A" if a section genuinely has no content.
+
+### Step 5: Show the file to the user
+
+After writing, display the full contents and ask:
+
+```
+Session saved to [actual resolved path to the session file]
+
+Does this look accurate? Anything to correct or add before we close?
+```
+
+Wait for confirmation. Make edits if requested.
+
+---
+
+## Session File Format
+
+```markdown
+# Session: YYYY-MM-DD
+
+**Started:** [approximate time if known]
+**Last Updated:** [current time]
+**Project:** [project name or path]
+**Topic:** [one-line summary of what this session was about]
+
+---
+
+## What We Are Building
+
+[1-3 paragraphs describing the feature, bug fix, or task. Include enough
+context that someone with zero memory of this session can understand the goal.
+Include: what it does, why it's needed, how it fits into the Salesforce org.]
+
+---
+
+## What WORKED (with evidence)
+
+[List only things that are confirmed working. For each item include WHY you
+know it works — test passed, deployment succeeded, scratch org validated, etc.
+Without evidence, move it to "Not Tried Yet" instead.]
+
+- **[thing that works]** — confirmed by: [specific evidence]
+
+If nothing is confirmed working yet: "Nothing confirmed working yet."
+
+---
+
+## What Did NOT Work (and why)
+
+[This is the most important section. List every approach tried that failed.
+For each failure write the EXACT reason so the next session doesn't retry it.
+Be specific: "threw X error because Y" is useful. "didn't work" is not.]
+
+- **[approach tried]** — failed because: [exact reason / error message]
+
+If nothing failed: "No failed approaches yet."
+
+---
+
+## What Has NOT Been Tried Yet
+
+[Approaches that seem promising but haven't been attempted.]
+
+- [approach / idea]
+
+If nothing is queued: "No specific untried approaches identified."
+
+---
+
+## Current State of Files
+
+[Every file touched this session. Be precise about what state each file is in.]
+
+| File              | Status         | Notes                      |
+| ----------------- | -------------- | -------------------------- |
+| `path/to/file.cls` | Complete    | [what it does]             |
+| `path/to/file.cls` | In Progress | [what's done, what's left] |
+| `path/to/file.js` | Broken      | [what's wrong]             |
+
+If no files were touched: "No files modified this session."
+
+---
+
+## Decisions Made
+
+[Architecture choices, tradeoffs accepted, approaches chosen and why.]
+
+- **[decision]** — reason: [why this was chosen over alternatives]
+
+If no significant decisions: "No major decisions made this session."
+
+---
+
+## Blockers & Open Questions
+
+[Anything unresolved that the next session needs to address.]
+
+- [blocker / open question]
+
+If none: "No active blockers."
+
+---
+
+## Exact Next Step
+
+[The single most important thing to do when resuming.]
+
+---
+
+## Environment & Setup Notes
+
+[Only fill if relevant — scratch org alias, connected org, SF CLI version, etc.]
+```
+
+---
+
+## Notes
+
+- Each session gets its own file — never append to a previous session's file
+- The "What Did NOT Work" section is the most critical — future sessions will blindly retry failed approaches without it
+- The file is meant to be read by Claude at the start of the next session via the resume-session skill
+- Use the canonical global session store: `~/.claude/sessions/`
+
+## Examples
+
+```
+/save-session
+/save-session Save progress on the AccountManagement feature refactor
+/save-session Checkpoint before switching to the hotfix branch
+```

package/skills/search-first/SKILL.md

@@ -0,0 +1,144 @@
+---
+name: search-first
+origin: SCC
+user-invocable: true
+description: >-
+  Use when researching existing Salesforce tools, Apex libraries, or metadata
+  patterns before writing custom code. Search-first workflow with agent.
+  Do NOT use for implementing code — only for discovery and evaluation.
+---
+
+# /search-first — Research Before You Code
+
+Systematizes the "search for existing solutions before implementing" workflow.
+
+## When to Use
+
+- Before writing any custom utility, library, or integration code
+- When evaluating whether to use npm, AppExchange, or MCP packages for a requirement
+- When starting a new feature that likely has existing open-source or platform solutions
+- When deciding between adopting, extending, composing, or building custom code
+- When the user asks to "add X functionality" and you're about to write net-new code
+
+## Workflow
+
+```
++---------------------------------------------+
+|  1. NEED ANALYSIS                           |
+|     Define what functionality is needed      |
+|     Identify language/framework constraints  |
++---------------------------------------------+
+|  2. PARALLEL SEARCH (general-purpose agent)  |
+|     +----------+ +----------+ +----------+  |
+|     |  npm /   | |  MCP /   | |  GitHub / |  |
+|     |  AppExch | |  Skills  | |  Web      |  |
+|     +----------+ +----------+ +----------+  |
++---------------------------------------------+
+|  3. EVALUATE                                |
+|     Score candidates (functionality, maint, |
+|     community, docs, license, deps)         |
++---------------------------------------------+
+|  4. DECIDE                                  |
+|     +---------+  +----------+  +---------+  |
+|     |  Adopt  |  |  Extend  |  |  Build   |  |
+|     | as-is   |  |  /Wrap   |  |  Custom  |  |
+|     +---------+  +----------+  +---------+  |
++---------------------------------------------+
+|  5. IMPLEMENT                               |
+|     Install package / Configure MCP /       |
+|     Write minimal custom code               |
++---------------------------------------------+
+```
+
+## Decision Matrix
+
+| Signal | Action |
+|--------|--------|
+| Exact match, well-maintained, MIT/Apache | **Adopt** — install and use directly |
+| Partial match, good foundation | **Extend** — install + write thin wrapper |
+| Multiple weak matches | **Compose** — combine 2-3 small packages |
+| Nothing suitable found | **Build** — write custom, but informed by research |
+
+## How to Use
+
+### Quick Mode (inline)
+
+Before writing a utility or adding functionality, mentally run through:
+
+0. Does this already exist in the repo? -> `rg` through relevant modules/tests first
+1. Is this a common problem? -> Search npm/AppExchange
+2. Is there an MCP for this? -> Check `~/.claude/settings.json` and search
+3. Is there a skill for this? -> Check `~/.claude/skills/`
+4. Is there a GitHub implementation/template? -> Run GitHub code search
+
+### Full Mode (agent)
+
+For non-trivial functionality, launch a general-purpose agent:
+
+```
+Task(subagent_type="general-purpose", prompt="
+  Research existing tools for: [DESCRIPTION]
+  Language/framework: [LANG]
+  Constraints: [ANY]
+
+  Search: npm/AppExchange, MCP servers, Claude Code skills, GitHub
+  Return: Structured comparison with recommendation
+")
+```
+
+## Salesforce-Specific Tool Discovery
+
+| Category | Tools to Check | Notes |
+|----------|---------------|-------|
+| **Testing** | ApexMocks, FFLib, at4dx, Apex Replay Debugger | FFLib is the industry standard |
+| **CI/CD** | CumulusCI, sfdx-git-delta, sf scanner, GitHub Actions | sfdx-git-delta for delta deployments |
+| **Data** | SFDX Data Loader, DLRS (Declarative Lookup Rollup Summary), DataWeave | DLRS replaces rollup trigger code |
+| **Security** | Shield Platform Encryption, Event Monitoring, SF Code Analyzer | Scanner catches PMD violations |
+| **Documentation** | ApexDox, SfApexDoc | Auto-generate Apex docs |
+| **MCP** | @salesforce/mcp (official), community MCP servers | Check official first |
+| **Package Mgmt** | CumulusCI, SFDX Package commands | For managed/unlocked packages |
+
+### MCP Server Evaluation
+
+Before building custom tooling, check if an MCP server handles it:
+
+1. **@salesforce/mcp** (official) — orgs, metadata, data, testing, code-analysis, LWC, DevOps
+2. **Community MCP servers** — search npm for `mcp` + your domain
+3. **Build custom only if** — no existing server covers your specific business logic
+
+### Salesforce Decision Examples
+
+**Scenario 1: "We need rollup summary fields on lookup relationships"**
+
+```
+Search: AppExchange "rollup summary lookup"
+Found: DLRS (Declarative Lookup Rollup Summaries) — 4.8★, 5000+ installs
+Decision: ADOPT — install DLRS, configure declaratively
+Result: Zero custom Apex code for rollup calculations
+```
+
+**Scenario 2: "We need delta deployments in CI"**
+
+```
+Search: npm "salesforce delta deployment"
+Found: sfdx-git-delta — actively maintained, 1000+ stars
+Decision: ADOPT — add as sf plugin, configure in GitHub Actions
+Result: Deploy only changed metadata, 10x faster CI
+```
+
+**Scenario 3: "We need custom approval routing based on territory"**
+
+```
+Search: AppExchange "dynamic approval routing territory"
+Found: Several packages but none match exact business rules
+Decision: BUILD — custom Apex approval process with territory-based routing
+Result: Custom code, but informed by research (knew no package fit)
+```
+
+## Anti-Patterns
+
+- **Jumping to code**: Writing a utility without checking if one exists
+- **Ignoring MCP**: Not checking if an MCP server already provides the capability
+- **Over-customizing**: Wrapping a library so heavily it loses its benefits
+- **Not checking AppExchange**: Many common patterns have managed packages with support
+- **Reinventing DLRS**: Writing rollup trigger code when DLRS handles it declaratively

package/skills/security-scan/SKILL.md

@@ -0,0 +1,146 @@
+---
+name: security-scan
+origin: SCC
+user-invocable: false
+description: >-
+  Use when scanning Salesforce org Claude Code configuration for security
+  vulnerabilities, deploy misconfigurations, and injection risks in CLAUDE.md,
+  hooks, and MCP servers. Do NOT use for Apex code review — use sf-security.
+---
+
+> **External tool:** AgentShield is published as `ecc-agentshield` on npm by affaan-m.
+> It is a third-party security scanner, not part of SCC itself.
+> **Maintenance risk:** This package has no SLA or maintenance guarantee. If it becomes unavailable, use the manual scanning section below as a fallback.
+
+# Security Scan Skill
+
+Audit your Claude Code configuration for security issues using [AgentShield](https://github.com/affaan-m/agentshield).
+
+## When to Use
+
+- Before submitting an AppExchange managed package for security review
+- When running a pre-deployment security gate in CI/CD pipelines
+- When auditing a new codebase for SOQL injection, XSS, or FLS violations
+- When a PMD or Checkmarx scan surfaces violations that need triaging
+- When validating that new Apex contributors follow secure coding patterns
+
+## What It Scans
+
+| File | Checks |
+|------|--------|
+| `CLAUDE.md` | Hardcoded secrets, auto-run instructions, prompt injection patterns |
+| `settings.json` | Overly permissive allow lists, missing deny lists, dangerous bypass flags |
+| `mcp.json` | Risky MCP servers, hardcoded env secrets, npx supply chain risks |
+| `hooks/` | Command injection via interpolation, data exfiltration, silent error suppression |
+| `agents/*.md` | Unrestricted tool access, prompt injection surface, missing model specs |
+
+## Salesforce-Specific Security Checks
+
+Beyond configuration scanning, watch for these Salesforce vulnerability patterns:
+
+### SOQL Injection
+
+```apex
+// VULNERABLE — user input concatenated into query
+String query = 'SELECT Id FROM Account WHERE Name = \'' + userInput + '\'';
+
+// SAFE — bind variables
+List<Account> results = [SELECT Id FROM Account WHERE Name = :userInput];
+
+// SAFE — Database.queryWithBinds for dynamic SOQL
+Map<String, Object> binds = new Map<String, Object>{ 'userInput' => userInput };
+List<Account> results = Database.queryWithBinds(
+    'SELECT Id FROM Account WHERE Name = :userInput',
+    binds, AccessLevel.USER_MODE
+);
+```
+
+### FLS/CRUD Bypass
+
+| Pattern | Risk | Fix |
+|---------|------|-----|
+| SOQL without `WITH USER_MODE` | Reads fields user can't see | Add `WITH USER_MODE` |
+| `Database.insert(records)` without AccessLevel | Skips FLS on write | Use `AccessLevel.USER_MODE` |
+| `WITH SECURITY_ENFORCED` | Throws on inaccessible fields, no sharing enforcement | Prefer `WITH USER_MODE` |
+
+### Sharing Model Violations
+
+- `without sharing` on class with `@AuraEnabled` methods — privilege escalation
+- `without sharing` on class with `@RemoteAction` — same risk via Visualforce
+- Missing sharing declaration — inherits calling class context
+
+### XSS Patterns
+
+- **Visualforce:** `{!userInput}` without `JSENCODE`, `HTMLENCODE`, or `URLENCODE`
+- **LWC:** `lwc:dom="manual"` with `innerHTML` from user data
+- **Aura:** `$A.util.isEmpty()` doesn't sanitize — validate before DOM insertion
+
+## Usage
+
+### AgentShield Scan
+
+```bash
+# Install and scan
+npm install -g ecc-agentshield
+npx ecc-agentshield scan
+
+# With severity filter and JSON output for CI
+npx ecc-agentshield scan --min-severity medium --format json
+
+# Auto-fix safe issues
+npx ecc-agentshield scan --fix
+```
+
+### Severity Levels
+
+| Grade | Score | Meaning |
+|-------|-------|---------|
+| A | 90-100 | Secure configuration |
+| B | 75-89 | Minor issues |
+| C | 60-74 | Needs attention |
+| D | 40-59 | Significant risks |
+| F | 0-39 | Critical vulnerabilities |
+
+## Manual Scanning (Without AgentShield)
+
+```bash
+# SOQL Injection — string concatenation in queries
+grep -rn "Database.query" force-app/ --include="*.cls" | grep -v "bind"
+
+# Missing sharing declaration
+grep -rEL "with sharing|without sharing|inherited sharing" force-app/main/default/classes/*.cls
+
+# Hardcoded Salesforce IDs (15 or 18 char)
+grep -rnE "'00[0-9a-zA-Z]{12,15}'" force-app/ --include="*.cls"
+
+# Missing CRUD/FLS on DML
+grep -rn "insert \|update \|delete \|upsert " force-app/ --include="*.cls" | grep -v "stripInaccessible\|USER_MODE\|SECURITY_ENFORCED\|isAccessible\|@IsTest"
+
+# Hardcoded endpoints
+grep -rn "https://\|http://" force-app/ --include="*.cls" | grep -v "Named\|test\|mock\|example.com"
+```
+
+## SF Code Analyzer Integration
+
+```bash
+# Full PMD scan
+sf code-analyzer run --target force-app --format table
+
+# Security-focused scan
+sf code-analyzer run --target force-app --category "Security" --format table
+```
+
+## Remediation Patterns
+
+| Finding | Vulnerable Code | Fixed Code |
+|---------|----------------|------------|
+| **SOQL Injection** | `Database.query('...WHERE Name=\'' + name + '\'')` | `[SELECT Id FROM Account WHERE Name = :name]` |
+| **Missing Sharing** | `public class MyService {` | `public with sharing class MyService {` |
+| **FLS Bypass** | `insert records;` | `Database.insert(records, AccessLevel.USER_MODE);` |
+| **Hardcoded ID** | `'012000000000ABC'` | `Schema.SObjectType.Account.getRecordTypeInfosByDeveloperName().get('Customer').getRecordTypeId()` |
+| **XSS (VF)** | `{!userInput}` | `{!HTMLENCODE(userInput)}` |
+
+## Related
+
+- Constraint: sf-security-constraints (co-activates for enforcement rules)
+- Action: sf-security (CRUD/FLS implementation procedures)

package/skills/sessions/SKILL.md

@@ -0,0 +1,127 @@
+---
+name: sessions
+description: >-
+  Use when managing Salesforce Claude Code session history. List, load, alias, and inspect saved
+  Apex and org development sessions stored in ~/.claude/sessions/.
+origin: SCC
+user-invocable: true
+---
+
+# Sessions — Session History Management
+
+Manage Claude Code session history - list, load, alias, and inspect sessions stored in `~/.claude/sessions/`.
+
+## When to Use
+
+- Listing all saved sessions to find a specific one
+- Loading a previous session by ID, date, or alias
+- Creating memorable aliases for frequently referenced sessions
+- Inspecting session metadata and statistics
+- Managing session aliases (create, remove, list)
+
+## Usage
+
+`/sessions [list|load|alias|info|aliases|help] [options]`
+
+`/sessions help` shows this usage guide.
+
+## Actions
+
+### List Sessions
+
+Display all sessions with metadata, filtering, and pagination.
+
+```bash
+/sessions                              # List all sessions (default)
+/sessions list                         # Same as above
+/sessions list --limit 10              # Show 10 sessions
+/sessions list --date 2026-03-18       # Filter by date
+/sessions list --search apex           # Search by session ID
+```
+
+### Load Session
+
+Load and display a session's content (by ID or alias).
+
+```bash
+/sessions load <id|alias>             # Load session
+/sessions load 2026-03-18             # By date
+/sessions load apex-trig              # By short ID
+/sessions load my-alias               # By alias name
+```
+
+### Create Alias
+
+Create a memorable alias for a session.
+
+```bash
+/sessions alias <id> <name>           # Create alias
+/sessions alias 2026-03-18 trigger-work
+```
+
+### Remove Alias
+
+Delete an existing alias.
+
+```bash
+/sessions alias --remove <name>        # Remove alias
+/sessions unalias <name>               # Same as above
+```
+
+### Session Info
+
+Show detailed information about a session.
+
+```bash
+/sessions info <id|alias>              # Show session details
+```
+
+### List Aliases
+
+Show all session aliases.
+
+```bash
+/sessions aliases                      # List all aliases
+```
+
+## Arguments
+
+- `list [options]` - List sessions
+  - `--limit <n>` - Max sessions to show (default: 50)
+  - `--date <YYYY-MM-DD>` - Filter by date
+  - `--search <pattern>` - Search in session ID
+- `load <id|alias>` - Load session content
+- `alias <id> <name>` - Create alias for session
+- `alias --remove <name>` - Remove alias
+- `unalias <name>` - Same as `--remove`
+- `info <id|alias>` - Show session statistics
+- `aliases` - List all aliases
+- `help` - Show this help
+
+## Examples
+
+```bash
+# List all sessions
+/sessions list
+
+# Create an alias for today's session
+/sessions alias 2026-03-18 trigger-work
+
+# Load session by alias
+/sessions load trigger-work
+
+# Show session info
+/sessions info trigger-work
+
+# Remove alias
+/sessions alias --remove trigger-work
+
+# List all aliases
+/sessions aliases
+```
+
+## Notes
+
+- Sessions are stored as markdown files in `~/.claude/sessions/`
+- Session IDs can be shortened (first 4-8 characters usually unique enough)
+- Use aliases for frequently referenced sessions