scc-universal 1.2.1 → 1.3.0

package/skills/prompt-optimizer/SKILL.md

@@ -96,13 +96,13 @@ Map intent + scope + tech stack (from Phase 0) to specific SCC components.
 
 | Intent | Invocable Skills | Skills | Agents |
 |--------|----------|--------|--------|
-| New Feature | /sf-tdd-workflow, /sf-apex-best-practices | sf-apex-best-practices, sf-apex-enterprise-patterns | sf-architect, sf-apex-agent, sf-review-agent |
-| Bug Fix | /sf-tdd-workflow, /sf-build-fix | sf-apex-testing, sf-debugging | sf-bugfix-agent, sf-apex-agent |
-| Refactor | /refactor-clean, /sf-apex-best-practices | sf-trigger-frameworks, sf-apex-enterprise-patterns | refactor-cleaner, sf-review-agent |
-| Testing | /sf-tdd-workflow, /sf-apex-testing, /sf-e2e-testing | sf-apex-testing, sf-tdd-workflow | sf-apex-agent |
-| Review | /sf-apex-best-practices, /sf-lwc-development, /sf-security | sf-security | sf-review-agent, sf-review-agent |
+| New Feature | sf-tdd-workflow, sf-apex-best-practices | sf-apex-best-practices, sf-apex-enterprise-patterns | sf-architect, sf-apex-agent, sf-review-agent |
+| Bug Fix | sf-tdd-workflow, sf-build-fix | sf-apex-testing, sf-debugging | sf-bugfix-agent, sf-apex-agent |
+| Refactor | /refactor-clean, sf-apex-best-practices | sf-trigger-frameworks, sf-apex-enterprise-patterns | refactor-cleaner, sf-review-agent |
+| Testing | sf-tdd-workflow, sf-apex-testing, sf-e2e-testing | sf-apex-testing, sf-tdd-workflow | sf-apex-agent |
+| Review | sf-apex-best-practices, sf-lwc-development, sf-security | sf-security | sf-review-agent, sf-review-agent |
 | Documentation | /update-docs | — | doc-updater, deep-researcher |
-| Infrastructure | /sf-deployment | sf-devops-ci-cd, sf-deployment | sf-architect |
+| Infrastructure | sf-deployment | sf-devops-ci-cd, sf-deployment | sf-architect |
 | Design (EPIC) | — | — | sf-architect, sf-architect |
 
 #### By Tech Stack
@@ -164,7 +164,7 @@ For tasks that exceed a single session, split into sequential prompts:
 
 - Prompt 1: Research + Plan (use search-first skill, then sf-architect agent)
 - Prompt 2-N: Implement one phase per prompt (each ends with sf-review-agent agent)
-- Final Prompt: Integration test + /sf-apex-best-practices across all phases
+- Final Prompt: Integration test + sf-apex-best-practices across all phases
 - Use /save-session and /resume-session to preserve context between sessions
 
 ---
@@ -191,7 +191,7 @@ If Phase 0 auto-detected the answer, state it instead of asking.
 
 | Type | Component | Purpose |
 |------|-----------|---------|
-| Command | /sf-tdd-workflow | TDD workflow for Apex |
+| Command | sf-tdd-workflow | TDD workflow for Apex |
 | Skill | sf-apex-best-practices | Apex coding standards |
 | Agent | sf-review-agent | Post-implementation review |
 | Model | Sonnet | Recommended for this scope |
@@ -209,7 +209,7 @@ The prompt must be self-contained and ready to copy-paste. Include:
 - Scope boundaries (what NOT to do)
 
 For items that reference blueprint, write: "Use the sf-architect agent to..."
-(not `/blueprint`, since sf-architect is an agent, not a command).
+(not `sf-architect agent`, since sf-architect is an agent, not a command).
 
 ### Section 4: Optimized Prompt — Quick Version
 
@@ -217,12 +217,12 @@ A compact version for experienced SCC users. Vary by intent type:
 
 | Intent | Quick Pattern |
 |--------|--------------|
-| New Feature | `Use sf-architect agent for [feature]. /sf-tdd-workflow to implement. /sf-apex-best-practices. Use sf-review-agent agent.` |
-| Bug Fix | `/sf-tdd-workflow — write failing test for [bug]. Fix to green. Use sf-review-agent agent.` |
-| Refactor | `/refactor-clean [scope]. /sf-apex-best-practices. Use sf-review-agent agent.` |
+| New Feature | `Use sf-architect agent for [feature]. sf-tdd-workflow to implement. sf-apex-best-practices. Use sf-review-agent agent.` |
+| Bug Fix | `sf-tdd-workflow — write failing test for [bug]. Fix to green. Use sf-review-agent agent.` |
+| Refactor | `/refactor-clean [scope]. sf-apex-best-practices. Use sf-review-agent agent.` |
 | Research | `Use search-first skill for [topic]. Use sf-architect agent based on findings.` |
-| Testing | `/sf-tdd-workflow [class]. /sf-e2e-testing for critical flows. /sf-apex-testing.` |
-| Review | `/sf-apex-best-practices. Then use sf-review-agent agent.` |
+| Testing | `sf-tdd-workflow [class]. sf-e2e-testing for critical flows. sf-apex-testing.` |
+| Review | `sf-apex-best-practices. Then use sf-review-agent agent.` |
 | Docs | `/update-docs. Use deep-researcher agent.` |
 | EPIC | `Use sf-architect agent for "[objective]". Execute phases with sf-review-agent agent gates.` |
 
@@ -270,9 +270,9 @@ Technical requirements:
 
 Workflow:
 1. Use sf-architect agent to plan trigger handler structure and business logic
-2. /sf-tdd-workflow — write failing test class first (use @TestSetup and test data factory)
+2. sf-tdd-workflow — write failing test class first (use @TestSetup and test data factory)
 3. Implement AccountTrigger and AccountTriggerHandler
-4. /sf-apex-best-practices to review implementation
+4. sf-apex-best-practices to review implementation
 5. Use sf-review-agent agent to verify all tests pass and coverage reaches 75%+
 
 Security requirements:
@@ -282,7 +282,7 @@ Security requirements:
 Acceptance criteria:
 - Test coverage 85%+
 - Zero governor limit violations
-- Passes /sf-security review
+- Passes sf-security review
 ```
 
 ### Example 2: Moderate English Prompt
@@ -312,10 +312,10 @@ Requirements:
 
 Workflow:
 1. Use sf-architect agent for the endpoint structure, validation logic, and error response envelope
-2. /sf-tdd-workflow — write tests for success, validation failure, permission failure
+2. sf-tdd-workflow — write tests for success, validation failure, permission failure
 3. Implement AccountAPI class following existing REST patterns
-4. /sf-security — verify CRUD/FLS enforcement
-5. /sf-apex-best-practices
+4. sf-security — verify CRUD/FLS enforcement
+5. sf-apex-best-practices
 6. Use sf-review-agent agent — run full test suite, confirm no regressions
 
 Do not:
@@ -345,7 +345,7 @@ Before executing, answer these questions in the blueprint:
 The blueprint should produce phases like:
 - Phase 1: Audit all existing triggers and document business logic
 - Phase 2: Implement TriggerHandler base class and factory
-- Phase 3: Migrate highest-priority object triggers with /sf-tdd-workflow gates
+- Phase 3: Migrate highest-priority object triggers with sf-tdd-workflow gates
 - Phase 4: Migrate remaining triggers
 - Phase N: Remove legacy trigger code, run full regression
 

package/skills/sf-2gp-security-review/SKILL.md

@@ -0,0 +1,168 @@
+---
+name: sf-2gp-security-review
+description: "Use when user asks for a 2GP security review, AppExchange readiness check, or pass/fail prediction for Apex, LWC, SOQL. Do NOT use for general security patterns."
+origin: SCC
+user-invocable: true
+disable-model-invocation: true
+---
+
+# Salesforce 2GP Managed Package Security Review
+
+## When to Use
+
+- User asks for a 2GP managed package security review or AppExchange readiness assessment
+- User wants a pass/fail prediction for their managed package security review submission
+- User needs a 2GP license qualification checklist or submission readiness scoring
+
+This skill performs a comprehensive security review of a Salesforce 2GP managed package,
+assesses readiness for AppExchange security review, and produces a pass/fail prediction
+with actionable remediation steps.
+
+## How This Skill Works
+
+When invoked, you will:
+
+1. **Discover** the package structure (scan for Apex, LWC, objects, permissions, config)
+2. **Audit** every file against the security review criteria below
+3. **Score** each category (PASS / WARN / FAIL)
+4. **Produce** a structured report with an overall pass/fail prediction and remediation plan
+
+The output is a detailed markdown report saved to the project's `docs/security/` directory.
+
+---
+
+## Step 1 — Package Discovery
+
+Before auditing, build a complete inventory of the package contents. Run these searches
+against the project's `force-app/` directory:
+
+```
+Apex classes:      force-app/**/classes/*.cls
+Apex triggers:     force-app/**/triggers/*.trigger
+LWC components:    force-app/**/lwc/*/
+Aura components:   force-app/**/aura/*/
+Visualforce pages: force-app/**/pages/*.page
+Custom objects:    force-app/**/objects/*/
+Permission sets:   force-app/**/permissionsets/*/
+Custom metadata:   force-app/**/customMetadata/*/
+Static resources:  force-app/**/staticresources/*/
+Named credentials: force-app/**/namedCredentials/*/
+Remote site settings: force-app/**/remoteSiteSettings/*/
+Connected apps:    force-app/**/connectedApps/*/
+```
+
+Record the count of each metadata type. This inventory becomes the header of your report.
+
+---
+
+## Step 2 — Security Audit Categories
+
+Audit every file from Step 1 against 15 categories. For each category, assign a status:
+PASS (no issues), WARN (minor issues, unlikely to fail review), or FAIL (will likely
+fail AppExchange security review).
+
+Audit criteria, grep patterns, and PASS/WARN/FAIL thresholds for all 15 categories:
+
+@../_reference/APPEXCHANGE_REVIEW.md
+
+Supporting reference for implementation patterns:
+
+- CRUD/FLS, sharing, injection, XSS, Named Credentials: @../_reference/SECURITY_PATTERNS.md
+- Sharing model details: @../_reference/SHARING_MODEL.md
+- Testing standards and annotations: @../_reference/TESTING_STANDARDS.md
+- Namespace, versioning, package CLI: @../_reference/PACKAGE_DEVELOPMENT.md
+- Governor limits and anti-patterns: @../_reference/GOVERNOR_LIMITS.md
+- LWC lifecycle and patterns: @../_reference/LWC_PATTERNS.md
+
+**Categories:**
+
+1. CRUD/FLS Enforcement (CRITICAL — #1 failure reason)
+2. Sharing Model Enforcement
+3. SOQL/DML Injection Prevention
+4. Sensitive Data Exposure
+5. XSS and Content Security Policy
+6. External Callout Security
+7. Third-Party Library Vulnerabilities
+8. Code Coverage
+9. Namespace and Packaging Compliance
+10. Permission Model
+11. Governor Limit Safety
+12. Lightning Web Security (LWS) Compliance
+13. Connected App and OAuth Configuration
+14. Data at Rest and in Transit
+15. Documentation and Submission Readiness
+
+---
+
+## Step 3 — 2GP License Qualification Checklist
+
+After the security audit, assess readiness for 2GP licensing and AppExchange distribution.
+Check every item and mark as DONE, NOT DONE, or N/A.
+
+Full checklist (Dev Hub, package config, code quality, submission, ISV, post-review):
+
+@../_reference/APPEXCHANGE_REVIEW.md (section: 2GP License Qualification Checklist)
+
+---
+
+## Step 4 — Pass/Fail Prediction
+
+After completing the audit and checklist, calculate the overall score using the scoring
+rules and produce one of these verdicts: READY TO SUBMIT / NEEDS REMEDIATION / MAJOR
+REWORK NEEDED.
+
+Scoring rules and verdict criteria:
+
+@../_reference/APPEXCHANGE_REVIEW.md (section: Scoring Rules)
+
+---
+
+## Step 5 — Report Output
+
+Generate a markdown report with this structure and save it to `docs/security/security-review-report.md`:
+
+```markdown
+# Security Review Report — [Package Name]
+Generated: [Date]
+Package Version: [version from sfdx-project.json]
+Namespace: [namespace]
+
+## Package Inventory
+| Metadata Type | Count |
+|--------------|-------|
+| Apex Classes | X |
+| ... | ... |
+
+## Security Audit Results
+### Overall Verdict: [READY TO SUBMIT / NEEDS REMEDIATION / MAJOR REWORK]
+Score: X/15 categories passing
+
+### Category Results
+| # | Category | Status | Issues |
+|---|----------|--------|--------|
+| 1 | CRUD/FLS Enforcement | PASS/WARN/FAIL | Details |
+| ... | ... | ... | ... |
+
+### Critical Findings (FAIL)
+[List each FAIL with file path, line number, and specific remediation]
+
+### Warnings
+[List each WARN with recommendation]
+
+## 2GP License Qualification
+[Checklist with DONE/NOT DONE status for each item]
+
+## Remediation Plan
+[Prioritized list of fixes, ordered by: automatic fails first, then likely fails, then warnings]
+
+## Appendix: Scanner Commands
+[Commands the user should run for Code Analyzer, Checkmarx, etc.]
+```
+
+---
+
+## Related
+
+- Scanner commands: @../_reference/APPEXCHANGE_REVIEW.md (section: Scanner Commands)
+- Top 20 failures: @../_reference/APPEXCHANGE_REVIEW.md (section: Top 20 Failures)
+- 2026 platform changes: @../_reference/APPEXCHANGE_REVIEW.md (section: 2026 Considerations)