Salesforce MCP Policy

GET STARTED

Download this policy scaffold and add your rules. Intercept enforces them on every tool call before it reaches Salesforce.

terminal

# Download policy scaffold


curl -o salesforce.yaml https://raw.githubusercontent.com/policylayer/intercept/main/policies/salesforce.yaml

# Run with Intercept


intercept --policy salesforce.yaml -- npx -y @@salesforce/mcp

Server documentation: https://github.com/salesforcecli/mcp

READ TOOLS

14

get_username Get the current Salesforce username

list_all_orgs List all connected Salesforce orgs

retrieve_metadata Retrieve metadata from a Salesforce org

run_soql_query Run a SOQL query against a Salesforce org

list_code_analyzer_rules List available Code Analyser rules

describe_code_analyzer_rule Describe a specific Code Analyser rule

query_code_analyzer_results Query Code Analyser results

sfDevopsListProjects List DevOps Center projects

sfDevopsListWorkItems List DevOps Center work items

sfDevopsDetectConflict Detect conflicts in DevOps Center

checkCommitStatus Check commit status in DevOps Center

get_mobile_lwc_offline_analysis Get mobile LWC offline analysis

get_mobile_lwc_offline_guidance Get mobile LWC offline guidance

list_tools List available MCP tools

WRITE TOOLS

15

deploy_metadata Deploy metadata to a Salesforce org

create_scratch_org Create a new Salesforce scratch org

create_org_snapshot Create an org snapshot

assign_permission_set Assign a permission set to a user

open_org Open a Salesforce org in the browser

createPullRequest Create a pull request in DevOps Center

sfDevopsCreateWorkItem Create a DevOps Center work item

sfDevopsCheckoutWorkItem Check out a DevOps Center work item

sfDevopsCommitWorkItem Commit a DevOps Center work item

sfDevopsPromoteWorkItem Promote a DevOps Center work item

sfDevopsUpdateWorkItemStatus Update a DevOps Center work item status

sfDevopsResolveConflict Resolve a conflict in DevOps Center

create_mobile_lwc_native_capabilities Create mobile LWC native capabilities

enrich_metadata Enrich metadata with additional information

enable_tools Enable additional MCP tools

DESTRUCTIVE TOOLS

1

delete_org Delete a Salesforce org

EXECUTE TOOLS

5

run_code_analyzer Run Code Analyser on source code

run_apex_test Run Apex tests in a Salesforce org

run_agent_test Run agent tests in a Salesforce org

resume_tool_operation Resume a tool operation

scan-apex-antipatterns Scan Apex code for anti-patterns

POLICY YAML

This scaffold lists every tool with empty rules. Add conditions — rate limits, argument validation, deny rules — then deploy with Intercept.

salesforce.yaml

version: "1"
description: "Policy for @salesforce/mcp"
default: "allow"
tools:
    get_username:
        rules: []
    list_all_orgs:
        rules: []
    retrieve_metadata:
        rules: []
    run_soql_query:
        rules: []
    list_code_analyzer_rules:
        rules: []
    describe_code_analyzer_rule:
        rules: []
    query_code_analyzer_results:
        rules: []
    sfDevopsListProjects:
        rules: []
    sfDevopsListWorkItems:
        rules: []
    sfDevopsDetectConflict:
        rules: []
    checkCommitStatus:
        rules: []
    get_mobile_lwc_offline_analysis:
        rules: []
    get_mobile_lwc_offline_guidance:
        rules: []
    list_tools:
        rules: []
    deploy_metadata:
        rules: []
    create_scratch_org:
        rules: []
    create_org_snapshot:
        rules: []
    assign_permission_set:
        rules: []
    open_org:
        rules: []
    createPullRequest:
        rules: []
    sfDevopsCreateWorkItem:
        rules: []
    sfDevopsCheckoutWorkItem:
        rules: []
    sfDevopsCommitWorkItem:
        rules: []
    sfDevopsPromoteWorkItem:
        rules: []
    sfDevopsUpdateWorkItemStatus:
        rules: []
    sfDevopsResolveConflict:
        rules: []
    create_mobile_lwc_native_capabilities:
        rules: []
    enrich_metadata:
        rules: []
    enable_tools:
        rules: []
    delete_org:
        rules: []
    run_code_analyzer:
        rules: []
    run_apex_test:
        rules: []
    run_agent_test:
        rules: []
    resume_tool_operation:
        rules: []
    scan-apex-antipatterns:
        rules: []

RELATED POLICIES

Azure DevOps 84 tools

FREQUENTLY ASKED QUESTIONS

What tools does the Salesforce MCP server expose?

The Salesforce MCP Server exposes 35 tools across 4 categories: Read, Write, Destructive, Execute. Each tool can be individually controlled with Intercept policies.

How do I enforce policies on Salesforce?

Download the policy scaffold, add rules (rate limits, argument validation, deny rules), then run Intercept as a proxy in front of the Salesforce MCP server. Every tool call is evaluated against your YAML policy before execution.

Is the Salesforce policy free to use?

Yes. All Intercept policies are open source under the Apache 2.0 licence. Download, modify, and deploy without restrictions.

ENFORCE POLICIES ON SALESFORCE

Open source. One binary. Zero dependencies.

VIEW ON GITHUB Browse all policies →