Salesforce org intelligence · read-only · MCP server

SALESFORCE ORG
INTELLIGENCE YOUR AI
CAN TRUST.

A grounded, fail-closed MCP server for AI assistants working in one Salesforce org - the funnel advises, your LLM decides, and anything it can't ground is refused. Ask metadata, permission, dependency, Apex, Flow, and impact questions in plain language.

176 tools 0 writes 100% offline MIT + Commons Clause

Runs in Claude Code, Claude Desktop, or any MCP client. Needs Node 20+ & the Salesforce CLI.

176
read-only tools
3
intelligence planes
0
writes to your org
100%
offline by default

the problem

A chatbot guesses. This reads the org.

Ask a general model “what breaks if I delete this field?” and it answers from generic Salesforce training data - confidently, and often wrong for your org. sf-intelligence answers only from the metadata you actually retrieved. When it isn't sure, it says so and shows you the candidates.

grounded

Grounded, not generative

Every component it names is backed by a tool call and cited with a canonical ID like CustomField:Account.Industry__c. No invented fields.

asks-first

Asks before it guesses

A typo-tolerant resolver turns messy phrasing into the right component. When several match, it hands you a clarifying question - it never silently picks one.

local-only

Private by design

The vault lives on your machine. Answering makes no network calls. Live org reads are opt-in, read-only, capped - and never backfill stale claims.

$ sfi.capabilities - what can you ask?

The questions your team actually asks.

Not a tool catalogue - the operational questions admins, developers, architects, release managers, and support reps ask every day. You type the question in plain language; the router surfaces the right tools and your AI assistant runs them - across eight areas.

admin

Admin

  • Who can edit the SSN field?
  • Who can see this object's records?
  • What runs when a Case is created?
developer

Developer

  • What breaks if I change this field's type?
  • Where is this class used?
  • What is the test coverage for this method?
architect

Architect

  • What depends on this component?
  • What's the blast radius of deleting this object?
  • Show the org's integration topology.
release

Release manager

  • Is this org ready to deploy?
  • What changed since the last refresh?
  • Which tests should I run for this change?
support

Support

  • Why can't this user see this record?
  • What happens when this Opportunity becomes Closed Won?
  • Who changed this record?
where-used

Where is anything used?

One question for any component - field, class, Flow, layout, custom metadata - answered from the dependency graph plus a source-grep, and honest when there's no evidence (never a false "unused").

  • where is this field used?
  • what references this Flow?

› browse the full capability map› all 176 tools

use cases

Built for the questions that matter.

Intent-matched pages for the operational problems Salesforce teams search for - metadata analysis, dependency analysis, impact analysis, sharing troubleshooting, and MCP setup.

metadata

Salesforce metadata analysis

Search and explain schema, fields, Flows, Apex, permissions, integrations, OmniStudio, and generated documentation from a local org vault.

dependencies

Salesforce dependency analysis

Trace what depends on a field, object, Flow, Apex class, permission set, integration endpoint, or package before you change it.

agents

Claude Salesforce MCP

Register a read-only Salesforce MCP server in Claude Code, Claude Desktop, Cursor, Codex, or any MCP client.

impact

Impact analysis

What breaks if you delete a field, object, Flow, or Apex class? Dependency tracing with confidence tiers.

access

Sharing & visibility

Why can't a user see a record? Who can edit a field? Trace Profiles, Permission Sets, and the sharing cascade.

mcp

Read-only MCP server

Register in Claude Code, Cursor, or Codex. The only free, offline Salesforce MCP built for understanding - not deploying.

› vs Salesforce DX MCP Server › glossary

how it works

One retrieve, then ask anything.

No cloud service, no account. The whole index is files on your machine.

Retrieve

Run sfi refresh. It shells out to sf project retrieve against your org - read-only - and pulls the metadata down once.

Index

It builds a local Markdown vault and a DuckDB dependency graph of objects, fields, Flows, Apex and permissions, connected by typed, confidence-tagged edges.

Ask

Question your org in plain language from any MCP client. Answers are served locally, stamped with provenance and freshness.

trust & provenance

Every answer is labelled.

Findings carry where they came from, how they were derived, and how complete the underlying coverage was.

confidence

declaredSalesforce states it directly - highest trust.
parsedFrom AST/XML parsing of source - high trust.
heuristicRegex / token analysis - spot-check it.

provenance

offline_snapshotThe last refresh's vault - the default.
live_orgAn opt-in, capped, read-only SOQL read.
hybridFuses vault + live, discloses both.

completeness

completeEvery needed family was modeled.
partialA dependency wasn't retrieved - “not checked”, not “none”.
unknownCoverage couldn't be determined.
fail-closed

It tells you no.

Refusal gates run on every question before any routing. "Delete this field for me" is refused - and answered anyway with the read-only simulation that covers it safely, like safe_to_delete_field. Prompt injection ("ignore your previous instructions…") and record-value exfiltration ("dump all SSN values") are hard-refused, with no tool shortlist left to route around. And when no tool models the question - login history, adoption metrics - it returns an honest gap naming the nearest real reads instead of a confident guess.

› how it's tested - ~5,200 tests, full CI gate & the trust model

before you point it at production

Safe to run, honest about limits.

The first question any admin asks. The left column is the one-screen guarantee sfi init prints in your terminal; the right is the boundaries it states plainly instead of papering over.

// guarantees

Read-only to your org.

It never writes, deploys, or modifies anything in Salesforce - only sf project retrieve (metadata read). No create, update, or delete path exists.

Offline by default.

Every answer comes from the local vault built at the last refresh, not a live call. The org is contacted only when you run sfi refresh.

Local & never uploaded.

The vault lives on your machine and is never sent anywhere. No telemetry, no phone-home; feedback is captured locally and shared only if you choose to.

The npm package ships no org data.

The published package is code only - a files whitelist keeps the vault out, and every public version has been downloaded and grepped clean of org identifiers (the leak audit).

// boundaries it states plainly

!
No record-level data.

The vault stores schema and source, not rows. “How many Opportunities closed?” is a live-org question - answered only by the opt-in, capped live plane you turn on yourself.

!
Static analysis, not runtime.

Dynamic SOQL and reflective Apex are invisible - “no references” means “no static evidence”, not “unused”. Heuristic edges are labelled so you know to spot-check.

!
Live plane is off until you turn it on.

The opt-in live read-only plane (capped counts/samples) stays disabled until you enable it - and even then runs a curated query roster, never arbitrary SOQL, never a write.

!
Only as fresh as the last refresh.

Answers reflect the metadata you retrieved. It stamps every answer with freshness and tells you when the vault is stale rather than implying it's current.

highlights

Shipped for real orgs at scale.

Read-only capabilities built for large production orgs - all optional except the defaults you already get on refresh.

staged

Staged refresh

Servable vault in minutes on large orgs - T0 skeleton, T1 priority families, T2 full build. Honest mid-build coverage.

http

HTTP serving

sfi serve --http for CI/shared read-only access. Live plane hard-disabled over the wire.

git

Vault git history

Auto-commit on refresh. component_history and component_as_of for time-travel queries.

annot

Annotations overlay

Curated owner, status, and glossary synonyms that survive every refresh.

ast

AST-parsed Apex

Parser-grade dependency edges by default - stronger than regex heuristics alone.

reports

Usage-ranked reports

Top 500 Reports/Dashboards by actual usage pulled on every refresh - field refs included.

› full configuration reference

install

Register once, then just ask.

Distributed on npm as sf-intelligence - an MCP server plus the sfi CLI.

// Claude Code - project-scoped

terminal
claude mcp add --transport stdio --scope project sf-intelligence -- npx -y sf-intelligence mcp

// Claude Desktop or any MCP client

claude_desktop_config.json
{
 "mcpServers": {
 "sf-intelligence": {
 "type": "stdio",
 "command": "npx",
 "args": ["-y", "sf-intelligence", "mcp"]
 }
 }
}

// first run, from your Salesforce DX repo

terminal
# 1. create the local vault and pick your org alias
sfi init
# 2. retrieve metadata and build the index (read-only)
sfi refresh --target-org my-org-alias
# 3. confirm freshness and component counts any time
sfi status

$ full getting-started guide

Stop guessing about your org.

Free and source-available under MIT + Commons Clause. One retrieve, and every answer after that is grounded in your real metadata.