Package Exports

squirex
squirex/dist/index.js

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (squirex) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

SquireX 🔨

Agentforce Capability Scan Engine · Local Apex Runtime · Schema Inference · CI/CD Security Scanning

Copyright © 2026 SquireX. All Rights Reserved.
Proprietary Software — See LICENSE.md for terms.

SquireX is a Salesforce DevSecOps platform with two integrated capabilities:

Agentforce Capability Scan Engine — Static security analysis for Salesforce AI Agent metadata with 61+ rules across 27 security categories including Headless 360 MCP, AgentExchange supply-chain, OWASP LLM Top 10, and Enterprise Graph Analyzer. Detects excessive agency, prompt injection, privilege escalation, metadata instruction poisoning, supply chain risk, autonomous scheduling drift, commerce integrity violations, sub-agent spawning loops, Slack DLP risks, CDC data leakage, compositional fragment traps, MCP token passthrough, shadow server detection, and Agent Fabric governance gaps. Outputs SARIF v2.1.0 for GitHub Advanced Security. Includes deep pipeline diagnostics via squirex diagnose.
Local Apex Runtime — Run Apex tests locally without deploying to an org. Includes a high-fidelity Go execution engine with DML/SOQL simulation, schema inference, conflict prediction, and governor limit tracking.

Agentforce Capability Scan Engine

61+ Rule Security Scanner

SquireX scans Salesforce Agentforce metadata and produces SARIF reports compatible with GitHub Advanced Security, GitLab Security, and other CI/CD tools.

ID	Rule	Category	Severity
1.1	Mandatory User Confirmation	Action Configuration	Critical
1.2	Schema Synchronization Verification	Action Configuration	High
1.3	Target Context Privilege Analysis (Apex + Flow `runInMode`)	Action Configuration	Critical
2.1	Validation Guard Clause Enforcement	Agent Script Safety	Medium
2.2	Transition Integrity (dead-ends + cycle detection)	Agent Script Safety	High
2.3	Prompt Injection Defense Heuristics	Agent Script Safety	High
3.1	Hardcoded Sensitive Indicators	Grounding Security	Critical
3.2	Field-Level Security Masking Alignment	Grounding Security	High
4.1	Planner Orchestration Completeness	Structural Dependency	High
4.2	State Deactivation Collision	Structural Dependency	Medium
4.3	Synthetic Evaluation Completeness	Governance	High
5.1	System Context Enforcement	Flow Security	Critical
5.2	Silent State Modification	Flow Security	High
5.3	Variable Injection in DML	Flow Security	High
5.4	External Callout Injection	Network Security	High
5.5	Template Context Poisoning	Prompt Injection	Critical
5.6	Experimental Template Activation Exposure	Security Configuration	High
7.1	Topic Action Bloat (God-Topic Prevention)	Agentic Architecture	High
7.2	Inadequate Skill Semantics	Agentic Architecture	High
8.1	Context Traversal Exfiltration	Relational Traversal	High
9.1	Metadata Instruction Poisoning	Instruction Integrity	Critical
9.2	Cross-Topic Instruction Boundary	Instruction Integrity	High
10.1	Validation Rule Conflict	Operational Reliability	Medium
SC-01	Malicious API Downgrade Injection	Supply Chain Security	Critical
SC-02	Silent Schema Desync Exploit	Supply Chain Security	High
SC-03	Managed Package Origin	Supply Chain Security	Medium

Supported Metadata Types (16 Parsers)

Format	Extensions	Parser
Agent Scripts	`.agent`	Recursive descent
GenAiFunction	`.genAiFunction-meta.xml`	Positional XML
GenAiPlugin	`.genAiPlugin-meta.xml`	Positional XML
GenAiPlanner	`.genAiPlannerBundle-meta.xml`	Positional XML
PromptTemplate	`.genAiPromptTemplate-meta.xml`	Positional XML
PromptTemplateActv	`.genAiPromptTemplateActv-meta.xml`	Positional XML
JSON Schema	`schema.json` (input/output)	JSON schema
Apex Classes	`.cls`	Sharing model + capability
Apex Triggers	`.trigger`	Event/CDC/PE detection
Flow	`.flow-meta.xml`	Positional XML
AiEvaluationDefinition	`.aiEvaluationDefinition-meta.xml`	Positional XML
Custom Field	`.field-meta.xml`	Positional XML
Named Credential	`.namedCredential-meta.xml`	Positional XML
LWC Component	`.js` (in `lwc/` dirs)	AST extraction
Connected App	`.connectedApp-meta.xml`	Positional XML
MCP Server Config	`.mcp.json`, `.mcp-config.json`	JSON
Agent Fabric	`agent-network.yaml`	YAML (lite)
Project Config	`sfdx-project.json, package.xml`	JSON/XML

Semantic Graph

The engine constructs a cross-metadata Semantic Graph linking agents → topics → actions → Apex classes → schemas, enabling deep dependency analysis that single-file linters cannot achieve.

23 node types · 21 edge types · BFS traversal · O(1) lookup

Quick Start — Scanning

# Full workspace scan (outputs SARIF to stdout)
squirex scan -d ./force-app

# Full scan with SARIF file output
squirex scan -d ./force-app --sarif results.sarif

# PR-scoped scan (only violations on changed lines)
squirex scan-pr -d ./force-app --base main

# Run specific rules only
squirex scan -d ./force-app --rules AGENTFORCE-1.1,AGENTFORCE-9.1

# Deep pipeline diagnostics (AST health, graph topology, per-rule timing)
squirex diagnose -d ./force-app

# Dump scan request for golden file generation
squirex diagnose -d ./force-app --dump-request

Testing Center Bridge — Agentforce DX Test Generation

SquireX bridges static analysis with Salesforce's native dynamic testing. The generate-tests command converts SARIF scan violations into Agentforce DX test specifications compatible with sf agent test run.

# Scan + generate DX tests in one step
squirex generate-tests -d ./force-app

# Convert an existing SARIF file to DX tests
squirex generate-tests --sarif results.sarif -o agentforce-tests.yaml

# Generate tests for specific rules only
squirex generate-tests --rules AGENTFORCE-1.1,AGENTFORCE-9.1

# Generate, validate, and push to a sandbox org
squirex generate-tests -d ./force-app --validate --push --target-org my-sandbox

# JSON output (for programmatic consumption)
squirex generate-tests --sarif results.sarif --json

Salesforce CLI Prerequisites (required for --validate and --push):

# 1. Install the Salesforce CLI
npm install -g @salesforce/cli

# 2. Install the Agentforce DX plugin
sf plugins install @salesforce/plugin-agent

# 3. Authenticate to your org
sf org login web --alias my-sandbox --instance-url https://test.salesforce.com

# 4. Verify authentication
sf org display --target-org my-sandbox

The full pipeline: squirex scan → squirex generate-tests → sf agent test run → Testing Center

Sample SARIF Output

{
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
  "version": "2.1.0",
  "runs": [{
    "tool": { "driver": { "name": "SquireX", "version": "2.0.0", "rules": [...] } },
    "results": [{
      "ruleId": "AGENTFORCE-1.1",
      "level": "error",
      "message": { "text": "GenAiFunction 'Submit_Case' invokes apex target without user confirmation..." },
      "locations": [{ "physicalLocation": { "artifactLocation": { "uri": "Submit_Case.genAiFunction-meta.xml" } } }]
    }]
  }]
}

Local Apex Runtime

Quick Start — Testing

squirex init                                    # Generate .squirex.json config
squirex doctor                                  # Verify environment
squirex run -d force-app/main/default/classes   # Run all tests
squirex run --method AccountTest.testInsert     # Run a single test
squirex run --coverage                          # Coverage summary table
squirex impact -f AccountController.cls         # Dependency impact analysis
squirex conflict -b main,feature/my-branch      # Predict merge conflicts

Installation

Install via npm (Recommended)

npm install -g squirex
squirex --version

The Go interpreter binary is automatically downloaded on first use and cached at ~/.squirex/bin/.

Direct Binary Download

Download the latest binary from squirex.dev/download:

Platform	Binary
macOS (Intel)	`squirex-macos-x64`
macOS (Apple Silicon)	`squirex-macos-arm64`
Linux	`squirex-linux-x64`
Windows	`squirex-win-x64.exe`

curl -L -o squirex https://squirex.dev/download/macos-arm64
chmod +x squirex && sudo mv squirex /usr/local/bin/
squirex --version

Build from Source

SquireX is proprietary software. Source builds are available to licensed contributors only. Contact support@squirex.dev for access.

npm install && npm run build
cd interpreter && go build -o squireinterp . && cd ..
npm run build:binary    # single-platform binary

CI/CD Integration

GitHub Actions — Agentforce Capability Scan (Recommended)

Upload SARIF to GitHub Advanced Security for inline PR annotations:

name: SquireX Agentforce Capability Scan
on:
  pull_request:
    branches: [main, develop]
    paths:
      - '**/*.cls'
      - '**/*.agent'
      - '**/*.genAiFunction-meta.xml'
      - '**/*.genAiPlugin-meta.xml'
      - '**/*.genAiPlannerBundle-meta.xml'
      - '**/*.genAiPromptTemplate-meta.xml'
      - '**/*.genAiPromptTemplateActv-meta.xml'
      - '**/*.flow-meta.xml'
      - '**/*.aiEvaluationDefinition-meta.xml'
      - '**/*.field-meta.xml'
      - '**/schema.json'
      - '**/sfdx-project.json'
      - '**/package.xml'

permissions:
  security-events: write
  pull-requests: write

jobs:
  capability-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with: { node-version: '18' }

      - name: Setup Go
        uses: actions/setup-go@v5
        with: { go-version: '1.21' }

      - name: Build SquireX
        run: |
          npm ci && npm run build
          cd interpreter && go build -o squireinterp . && cd ..

      - name: Run Agentforce Capability Scan Scan
        run: |
          npx squirex scan-pr -d ./force-app --base ${{ github.base_ref }} --sarif results.sarif || true

      - name: Upload SARIF to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          category: agentforce-capability

GitHub Actions — Apex Tests

name: Apex Tests
on: [push, pull_request]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '18'

      - name: Install SquireX
        run: npm install -g squirex

      - name: Run Tests
        run: squirex run -d force-app/main/default/classes --junit results.xml

      - name: Publish Results
        uses: mikepenz/action-junit-report@v4
        if: always()
        with:
          report_paths: results.xml

GitLab CI

agentforce-capability:
  stage: test
  image: node:18
  script:
    - npm install -g squirex
    - squirex scan -d ./force-app --sarif gl-capability-report.json
  artifacts:
    reports:
      sast: gl-capability-report.json

CLI Reference

Scan Commands (Agentforce Capability Scan)

Command	Description
`squirex scan -d <dir>`	Full workspace capability scan (SARIF output)
`squirex scan -d <dir> --sarif <file>`	Save SARIF to file
`squirex scan -d <dir> --rules <ids>`	Run specific rules (comma-separated)
`squirex scan-pr -d <dir> --base <branch>`	PR-scoped scan (diff-filtered violations)

Testing Center Commands

Command	Description
`squirex generate-tests -d <dir>`	Scan + generate Agentforce DX test YAML
`squirex generate-tests --sarif <file>`	Convert existing SARIF to DX tests
`squirex generate-tests --validate`	Generate + validate spec via sf CLI
`squirex generate-tests --push --target-org <org>`	Generate + push to Testing Center
`squirex generate-tests --rules <ids>`	Generate tests for specific rules only
`squirex generate-tests --json`	Output as JSON instead of YAML

Diagnostic Commands

Command	Description
`squirex diagnose -d <dir>`	Deep pipeline diagnostics (JSON report to stdout)
`squirex diagnose -d <dir> --dump-request`	Also dump scan-request.json for golden files
`squirex diagnose -d <dir> \| jq .graph`	Inspect semantic graph topology
`squirex diagnose -d <dir> \| jq .linker`	Check for dropped/dangling edges
`squirex diagnose -d <dir> \| jq .rules`	Per-rule timing and violation counts

Test Commands (Apex Runtime)

Command	Description
`squirex run -d <dir>`	Run all Apex tests
`squirex run --method <class.method>`	Run single test method
`squirex run --coverage`	Coverage summary table
`squirex run --junit <file>`	JUnit XML report
`squirex run --parallel`	Parallel execution

Analysis Commands

Command	Description
`squirex conflict -b <b1,b2>`	Predict merge conflicts
`squirex impact -f <files>`	Dependency impact analysis
`squirex schema analyze`	Schema inference analysis
`squirex formula eval -e <expr>`	Formula evaluation
`squirex flow run -f <file>`	Flow execution
`squirex doctor`	Environment health check
`squirex init`	Project initialization

Global Options

Flag	Description
`--no-color`	Disable colorized output
`-V, --version`	Print version info
`-h, --help`	Show help

Architecture

┌──────────────────────┐     JSON IPC     ┌────────────────────────┐
│  TypeScript Layer     │ ──────────────► │     Go Engine          │
│  (src/)               │                 │  (interpreter/)        │
│                       │                 │                        │
│  Parsers (16):        │  Parsed ASTs    │  Semantic Graph:       │
│  • AgentScript        │ ──────────────► │    23 node types       │
│  • XmlMetadata        │                 │    21 edge types       │
│  • PromptTemplate     │                 │  Rule Engine:          │
│  • Flow/PT/Eval/Field │                 │    61+ security rules  │
│  • ApexCapability     │  SARIF v2.1.0   │    27 categories       │
│  • NamedCredential    │ ◄────────────── │  SARIF Generator       │
│  • MCPServerConfig    │                 │  Diff Filter           │
│  • AgentFabricYaml    │                 │                        │
│  • ApexTrigger        │                 │                        │
│  Pipeline:            │  Diagnostic     │  Diagnostics:          │
│  • File Discovery     │  JSON Report    │  • Graph topology      │
│  • Diff Parser        │ ◄────────────── │  • Linker trace        │
│  • Runner             │                 │  • Per-rule timing     │
│  • Diagnose           │                 │  • Adversarial detect  │
│                       │                 │  Apex Runtime:         │
│                       │                 │    DML/SOQL/Governor   │
└──────────────────────┘                 └────────────────────────┘

Platform Compatibility

Agentforce Capability Scan Engine

Feature	Status
Agent Script (.agent) parsing	✅
GenAiFunction/Plugin/Planner XML parsing	✅
PromptTemplate/PromptTemplateActv parsing	✅
JSON Schema (input/output) parsing	✅
Apex sharing model extraction	✅
Cross-metadata Semantic Graph	✅
SARIF v2.1.0 output (GitHub-compatible)	✅
PR-scoped diff filtering	✅
61+ security rules across 27 categories + OWASP LLM + Enterprise Graph	✅
Deep pipeline diagnostics (`squirex diagnose`)	✅
Configurable adversarial pattern detection	✅
Instruction content audit (LLM-visible text manifest)	✅

Apex Execution Engine

Feature	Status
DML operations (insert, update, upsert, delete, merge)	✅
SOQL (WHERE, ORDER BY, LIMIT, OFFSET, GROUP BY, aggregates)	✅
Governor limits tracking and enforcement	✅
Code coverage tracking	✅
Try-catch-finally exception handling	✅
Cross-class method resolution	✅
Inner class and interface support	✅
Method overload resolution	✅

Known Limitations

No org connection — all analysis runs entirely offline
Apex SOQL subqueries — not yet supported
SOSL — not yet supported
Async execution — Batch/Queueable/Future run synchronously

License

⚠️ Proprietary License — Source Available

This software is NOT open source. See LICENSE.md for full terms.

Permitted	Prohibited
✅ View source for reference	❌ Copy, redistribute, or republish
✅ Submit contributions via PR	❌ Create derivative works
✅ Personal, non-commercial evaluation	❌ Commercial use without license
✅ Use official binary releases	❌ Fork to create independent projects

For commercial licensing inquiries, contact the maintainer.