Monorepo with two packages, both built on top of the local sf CLI:
packages/sf-core— shared engine that shells out tosf. No state, no auth handling of its own —sfalready owns org authorization locally (sf org login web). Includes the Production write-block guard (see below).packages/mcp-server— MCP server (stdio transport) exposing read-only tools:list_orgs,get_org_info,run_soql,describe_sobject,list_metadata,get_field_dependencies,find_field_in_reports.
Production orgs can be connected and read from, but writes/deploys to Production are structurally blocked, not just discouraged. sf-core classifies every target org via SELECT IsSandbox FROM Organization (the authoritative source, not CLI alias metadata) and gates any raw/write-capable command with a default-deny allowlist of read-only sf subcommands when the org is Production. This guard lives in sf-core, so every caller — current and future MCP tools alike — inherits it automatically. See packages/sf-core/src/rawCommand.ts and classify.ts.
- Node.js 18+ and npm
- Salesforce CLI (
sf) installed and at least one org authorized:sf org login web --alias my-org
npm install
npm run buildnode packages/mcp-server/dist/index.jsPoint your MCP client (e.g. Claude Desktop's claude_desktop_config.json) at this command with an absolute path, or publish the package and run it via npx. Example claude_desktop_config.json entry:
{
"mcpServers": {
"salesforce": {
"command": "node",
"args": ["/absolute/path/to/salesforce-mcp/packages/mcp-server/dist/index.js"]
}
}
}