salesforce-metadata-review-skill

Salesforce Metadata Review Skill

Purpose

This skill reviews pasted or exported Salesforce metadata for quality, maintainability, security, and compliance indicators. It flags over-customization, unused fields, hardcoded IDs, and deprecated metadata types, and produces a structured findings report. It does not access live orgs and does not authorize changes.

When to use

• A metadata export (objects, fields, layouts, profiles, permission sets, sharing rules) needs review before a release.
• A code review has surfaced questions about the metadata surface.
• A technical debt assessment requires metadata-level findings.
• An audit requires documentation of deprecated or risky metadata patterns.

When not to use

• Full org posture assessment — use salesforce-org-assessment-skill.
• Permission topology review across profiles and permission set groups — use salesforce-permission-model-review-skill.
• Automation logic review (Flow XML, validation rules) — use salesforce-flow-automation-review-skill.
• Live production change review — use salesforce-live-change-approval-protocol.

Minimum payload (required inputs)

• One or more sanitized metadata exports: object XML, field definitions, layout XML, profile XML, permission set XML, sharing rule XML, or equivalent.
• Metadata type(s) being reviewed.
• Context: release context, org type (production/sandbox placeholder), business use case.

Workflow

1. Object and field review

   • Identify fields with zero or low usage indicators (no referenced automation, no layout placement).
   • Flag fields with hardcoded IDs in default values or formula expressions.
   • Flag objects with excessive custom field counts (> configurable threshold).
   • Identify deprecated field types (Text Area vs Rich Text Area misuse, currency without multi-currency awareness).
   • Flag custom objects that duplicate standard object functionality.

2. Layout review

   • Page layouts: flag layouts with > configurable threshold components; flag required fields not aligned with business process.
   • Lightning record pages : flag components using hardcoded record IDs or hardcoded URLs.
   • Flag layouts assigned to no profiles or permission sets (orphaned).

3. Profile and permission set review

   • Flag profiles with excessive object permissions (Create/Edit/Delete/ViewAll/ModifyAll on sensitive objects).
   • Flag permission sets with duplicate coverage of profile permissions (redundant grants).
   • Flag permission sets with no assignees (orphaned).
   • Flag profiles granting API access without IP restrictions.

4. Sharing rule review

   • Identify sharing rules that effectively expose all records to a broad group.
   • Flag criteria-based sharing rules with conditions that evaluate to always-true.
   • Flag sharing rules on objects with OWD = Public Read/Write (redundant).

5. Deprecated metadata types

   • Flag use of: workflow rules, Process Builder (deprecated), legacy assignment rules (where Flow equivalent exists), Visualforce pages in Lightning context without Lightning migration plan.

6. Hardcoded ID detection

   • Flag any string matching Salesforce ID patterns (15- or 18-character alphanumeric) in: field defaults, formula fields, validation rule expressions, layout XML.

Evidence requirements

• Sanitized metadata XML or equivalent export; no credentials, session tokens, or customer data.
• If metadata contains what appears to be record-level data (not schema), decline and ask for schema-only.

Output format

metadata_review_findings:
  objects_and_fields:
    - finding: [description]
      severity: Critical | High | Medium | Low
      evidence: [what in the metadata supports this]
      recommendation: [brief]
  layouts:
    - finding: [description]
      severity: [tier]
      evidence: [...]
      recommendation: [...]
  profiles_and_permission_sets:
    - finding: [description]
      severity: [tier]
      evidence: [...]
      recommendation: [...]
  sharing_rules:
    - finding: [description]
      severity: [tier]
      evidence: [...]
      recommendation: [...]
  deprecated_metadata_types:
    - type: [name]
      usage: [where found]
      migration_path: [recommended replacement]
  hardcoded_ids:
    - location: [metadata element]
      pattern: [describe pattern, do not repeat the ID value]
      recommendation: [use Custom Metadata, Custom Setting, or label instead]

summary:
  total_findings: [count]
  critical_count: [count]
  high_count: [count]
escalation_gates_fired: [from salesforce-risk-taxonomy, or "none"]
assumptions: [list]
missing_evidence: [what would improve the review]

Redaction rules

• Never request secrets, credentials, OAuth tokens, refresh tokens, session IDs, MFA seeds, customer PII.
• Sanitize org IDs, user IDs (replace with placeholders) before sharing in outputs.
• Do not repeat hardcoded ID values in output; describe the pattern and location only.

Privilege / data handling rules

• Metadata review is schema-level only; do not carry record-level data.
• Sharing rule findings involving PII objects escalate to salesforce-permission-model-review-skill.

Handoff rules

• Hands off to: salesforce-permission-model-review-skill (permission findings), salesforce-flow-automation-review-skill (deprecated automation findings), salesforce-org-assessment-skill (if full posture context is needed).
• If escalation gate fires: salesforce-case-capsule with escalation_required = true.
• Required handoff fields: matter_id, metadata_review_findings (summary), escalation_gates_fired.

Audit log fields

• matter_id, skill_id, skill_version, invoked_by, input_hash, evidence_quality, output_verdict, escalation_fired, timestamp

Stop conditions

• Metadata contains live credentials, record-level PII, or session tokens — stop and ask for sanitized version.
• Metadata is from a regulated-vertical org and compliance scope is unknown — flag and escalate.
• Hardcoded ID count is very high (systemic pattern) — escalate to salesforce-org-assessment-skill for full posture review.

Security notes

• Read-only static review of exported metadata; never requests live org access.
• Hardcoded ID values must not be repeated in output to avoid accidental leakage.
• Deprecated metadata flags are informational; migration requires human-authorized release planning.