Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

orcaqubits/sf-setup

Name: sf-setup
Author: orcaqubits

dist/codex/salesforce-commerce/skills/sf-setup/SKILL.md

npx skillsauth add orcaqubits/agentic-commerce-claude-plugins sf-setup

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Salesforce Commerce Development Setup

Before Writing Code

Fetch live docs before setting up a project.

Web-fetch: https://github.com/SalesforceCommerceCloud/sfcc-ci for sfcc-ci CLI commands
Web-search: "site:developer.salesforce.com sf cli getting started 2026" for sf CLI setup
Web-search: "site:developer.salesforce.com SFRA getting started 2026" for SFRA project setup
Web-fetch: https://github.com/SalesforceCommerceCloud/storefront-reference-architecture for SFRA reference
Web-search: "site:developer.salesforce.com commerce cloud b2c b2b documentation 2026"

Conceptual Architecture

Prerequisites

B2C Commerce (SFCC) requires:

Business Manager account (provided by Salesforce or your org)
Sandbox instance (e.g., dev01-realm-customer.demandware.net)
API client credentials (client ID + secret) for sfcc-ci authentication
Account Manager credentials for WebDAV/OCAPI

B2B Commerce (Lightning) requires:

Salesforce org (Developer Edition, sandbox, or production) with B2B Commerce license
sf CLI installed (npm install -g @salesforce/cli)
Scratch org or sandbox for isolated development

CLI Tools

| Tool | Platform | Install | Auth | |---|---|---|---| | sfcc-ci | B2C | npm install -g sfcc-ci | sfcc-ci client:auth (client ID + secret) | | sf CLI | B2B | npm install -g @salesforce/cli | sf org login web or sf org login jwt |

Key sfcc-ci Commands:

sfcc-ci code:deploy -- upload code to sandbox
sfcc-ci code:activate -- activate a code version
sfcc-ci sandbox:create / sandbox:list -- manage on-demand sandboxes
sfcc-ci job:run -- execute Business Manager jobs

Key sf CLI Commands:

sf project deploy start -- deploy metadata to org
sf org create scratch -- create scratch org
sf apex run test -- run Apex tests
sf data import tree -- import sample data

Project Structures

B2C SFRA Cartridge Project:

sfra-project/
  cartridges/
    app_storefront_base/       # Base (never modify)
    app_custom_storefront/     # Custom overlay
      cartridge/
        controllers/, models/, scripts/
        templates/, client/ (js, scss)
  dw.json, package.json, webpack.config.js

B2C PWA Kit Project:

pwa-kit-project/
  app/
    components/, pages/, hooks/, utils/
    commerce-api/              # Commerce Cloud API client
  config/
    default.js, production.js
  package.json, .env

B2B Lightning Project:

b2b-lightning-project/
  force-app/main/default/
    lwc/, classes/, triggers/
    objects/, flexipages/
    experiences/, permissionsets/
  config/project-scratch-def.json
  sfdx-project.json, .forceignore

Configuration Files

dw.json (B2C):

Placed in project root; configures hostname, code-version, cartridge list, excludes
Never commit with credentials -- use environment variables or .env excluded from VCS

sfdx-project.json (B2B):

Placed in project root; defines packageDirectories, sourceApiVersion, namespace, login URL

.forceignore (B2B):

Excludes files from deployment (jsconfig.json, .eslintrc.json, logs, OS files)

Key Configuration Fields

B2C dw.json fields:

hostname -- sandbox domain
username / password -- credentials (prefer env vars)
code-version -- target code version
cartridges -- array of cartridge names to upload
exclude -- files/directories to skip

B2B sfdx-project.json fields:

packageDirectories -- array of source paths (typically force-app)
sourceApiVersion -- Salesforce API version (e.g., "61.0")
namespace -- package namespace (empty for unmanaged)
sfdcLoginUrl -- org login URL

Sandbox and Org Types

| Type | Platform | Purpose | |---|---|---| | Development sandbox | B2C | Developer-specific feature work | | Staging sandbox | B2C | Pre-production validation | | On-demand sandbox | B2C | Temporary, via sfcc-ci sandbox:create | | Scratch org | B2B | Short-lived, disposable dev org | | Developer sandbox | B2B | Partial copy of production | | Full sandbox | B2B | Full copy of production for UAT |

Environment Variables

Store credentials as environment variables, never in committed files.

B2C: SFCC_CLIENT_ID, SFCC_CLIENT_SECRET, SFCC_HOSTNAME, SFCC_USERNAME, SFCC_PASSWORD, SFCC_CODE_VERSION

B2B: SF_USERNAME, SF_ORG_ALIAS, SF_CLIENT_ID, SF_JWT_KEY_FILE (for CI/CD connected app auth)

Deprecated Technologies

| Deprecated | Replacement | |---|---| | dwupload | sfcc-ci | | sfdx CLI (old) | sf CLI (unified) | | Prophet Debugger | Official Salesforce VS Code extensions |

Best Practices

B2C Commerce

Use sfcc-ci for all deployments; never use manual WebDAV upload
Never modify app_storefront_base directly; always overlay in custom cartridge
Build assets (npm run compile:js, npm run compile:scss) before deployment
Keep dw.json out of version control (add to .gitignore)

B2B Commerce

Use sf project deploy start for metadata deployment; avoid Change Sets
Create scratch orgs for feature development; keep them isolated
Use source tracking (sf project deploy preview) to review changes before deploy
Use Permission Sets for access control; avoid modifying profiles directly

Both Platforms

Use environment variables for all secrets and instance-specific configuration
Set up CI/CD pipelines for automated testing and deployment
Use linting (ESLint, Prettier for JS; Apex PMD for Apex)

Fetch the sfcc-ci documentation, SFRA getting-started guide, and sf CLI reference for exact commands and latest project structures before setting up.

orcaqubits/sf-setup

dist/codex/salesforce-commerce/skills/sf-setup/SKILL.md

Set up a Salesforce Commerce development environment — sfcc-ci CLI for B2C, sf CLI for B2B, Business Manager access, sandbox management, dw.json configuration, .sfdx project setup, and project structures for SFRA, PWA Kit, and Lightning. Use when starting a new Salesforce Commerce project.

27 stars

tools

Updated May 14, 2026

$ install --global

skillsauth

npx skillsauth add orcaqubits/agentic-commerce-claude-plugins sf-setup

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 14, 2026, 6:01 AM185.2s1 file scanned

SKILL.md

name:: sf-setup
description:: >

Salesforce Commerce Development Setup

Before Writing Code

Fetch live docs before setting up a project.

Web-fetch: https://github.com/SalesforceCommerceCloud/sfcc-ci for sfcc-ci CLI commands
Web-search: "site:developer.salesforce.com sf cli getting started 2026" for sf CLI setup
Web-search: "site:developer.salesforce.com SFRA getting started 2026" for SFRA project setup
Web-fetch: https://github.com/SalesforceCommerceCloud/storefront-reference-architecture for SFRA reference
Web-search: "site:developer.salesforce.com commerce cloud b2c b2b documentation 2026"

Conceptual Architecture

Prerequisites

B2C Commerce (SFCC) requires:

Business Manager account (provided by Salesforce or your org)
Sandbox instance (e.g., dev01-realm-customer.demandware.net)
API client credentials (client ID + secret) for sfcc-ci authentication
Account Manager credentials for WebDAV/OCAPI

B2B Commerce (Lightning) requires:

Salesforce org (Developer Edition, sandbox, or production) with B2B Commerce license
sf CLI installed (npm install -g @salesforce/cli)
Scratch org or sandbox for isolated development

CLI Tools

Key sfcc-ci Commands:

sfcc-ci code:deploy -- upload code to sandbox
sfcc-ci code:activate -- activate a code version
sfcc-ci sandbox:create / sandbox:list -- manage on-demand sandboxes
sfcc-ci job:run -- execute Business Manager jobs

Key sf CLI Commands:

sf project deploy start -- deploy metadata to org
sf org create scratch -- create scratch org
sf apex run test -- run Apex tests
sf data import tree -- import sample data

Project Structures

B2C SFRA Cartridge Project:

sfra-project/
  cartridges/
    app_storefront_base/       # Base (never modify)
    app_custom_storefront/     # Custom overlay
      cartridge/
        controllers/, models/, scripts/
        templates/, client/ (js, scss)
  dw.json, package.json, webpack.config.js

B2C PWA Kit Project:

pwa-kit-project/
  app/
    components/, pages/, hooks/, utils/
    commerce-api/              # Commerce Cloud API client
  config/
    default.js, production.js
  package.json, .env

B2B Lightning Project:

b2b-lightning-project/
  force-app/main/default/
    lwc/, classes/, triggers/
    objects/, flexipages/
    experiences/, permissionsets/
  config/project-scratch-def.json
  sfdx-project.json, .forceignore

Configuration Files

dw.json (B2C):

Placed in project root; configures hostname, code-version, cartridge list, excludes
Never commit with credentials -- use environment variables or .env excluded from VCS

sfdx-project.json (B2B):

Placed in project root; defines packageDirectories, sourceApiVersion, namespace, login URL

.forceignore (B2B):

Excludes files from deployment (jsconfig.json, .eslintrc.json, logs, OS files)

Key Configuration Fields

B2C dw.json fields:

hostname -- sandbox domain
username / password -- credentials (prefer env vars)
code-version -- target code version
cartridges -- array of cartridge names to upload
exclude -- files/directories to skip

B2B sfdx-project.json fields:

packageDirectories -- array of source paths (typically force-app)
sourceApiVersion -- Salesforce API version (e.g., "61.0")
namespace -- package namespace (empty for unmanaged)
sfdcLoginUrl -- org login URL

Sandbox and Org Types

Environment Variables

Store credentials as environment variables, never in committed files.

B2C: SFCC_CLIENT_ID, SFCC_CLIENT_SECRET, SFCC_HOSTNAME, SFCC_USERNAME, SFCC_PASSWORD, SFCC_CODE_VERSION

B2B: SF_USERNAME, SF_ORG_ALIAS, SF_CLIENT_ID, SF_JWT_KEY_FILE (for CI/CD connected app auth)

Deprecated Technologies

| Deprecated | Replacement | |---|---| | dwupload | sfcc-ci | | sfdx CLI (old) | sf CLI (unified) | | Prophet Debugger | Official Salesforce VS Code extensions |

Best Practices

B2C Commerce

Use sfcc-ci for all deployments; never use manual WebDAV upload
Never modify app_storefront_base directly; always overlay in custom cartridge
Build assets (npm run compile:js, npm run compile:scss) before deployment
Keep dw.json out of version control (add to .gitignore)

B2B Commerce

Use sf project deploy start for metadata deployment; avoid Change Sets
Create scratch orgs for feature development; keep them isolated
Use source tracking (sf project deploy preview) to review changes before deploy
Use Permission Sets for access control; avoid modifying profiles directly

Both Platforms

Use environment variables for all secrets and instance-specific configuration
Set up CI/CD pipelines for automated testing and deployment
Use linting (ESLint, Prettier for JS; Apex PMD for Apex)

Fetch the sfcc-ci documentation, SFRA getting-started guide, and sf CLI reference for exact commands and latest project structures before setting up.

Related Skills

orcaqubits/spree-headless-storefront

development

VerifiedTrustedCommunity

Build with Spree's headless Next.js storefront — the official `spree/storefront` repo (Next.js 16 App Router with Server Actions and Turbopack, React 19 Server Components, Tailwind CSS 4, TypeScript 5, `@spree/sdk`, Sentry), server-only auth (httpOnly JWT cookies + publishable key), MeiliSearch faceted catalog, one-page checkout with Apple/Google Pay/Klarna/Affirm/SEPA, multi-region market routing, GA4 + JSON-LD SEO, and Vercel/Docker deployment. Use when forking or customizing the storefront, or evaluating headless adoption.

27SKILL.mdUpdated May 14, 2026

orcaqubits/spree-headless-storefront

orcaqubits/spree-extensions

tools

VerifiedTrustedCommunity

Build Spree extensions as Rails engines — gem scaffolding, `bin/rails g spree:extension`, mounting routes/migrations/assets, the modern `prepend` decorator pattern (`*_decorator.rb` with `self.prepended(base)`), generators (`spree:model_decorator`, `spree:controller_decorator`), the four customization surfaces in preference order (Events > Webhooks > Dependencies > Decorators), Spree::Dependencies for swapping service objects, gem release/versioning, and the deprecated Deface engine. Use when building a reusable Spree extension or adding non-trivial customization to an app.

27SKILL.mdUpdated May 14, 2026

orcaqubits/spree-extensions

orcaqubits/spree-events-webhooks

development

VerifiedTrustedCommunity

Build with Spree's event bus and Webhooks 2.0 — `Spree::Events` publication, `Spree::Subscriber` DSL with `subscribes_to` and `on`, wildcard matching, lifecycle events (`{model}.created/.updated/.deleted` via `publishes_lifecycle_events`), the canonical event catalog (order.*, payment.*, shipment.*, product.*), Webhooks 2.0 endpoints, HMAC-SHA256 signing (`X-Spree-Webhook-Signature`), exponential-backoff retries, and Sidekiq job orchestration. Use when wiring event-driven business logic, building webhook consumers, or replacing ActiveSupport callback chains.

27SKILL.mdUpdated May 14, 2026

orcaqubits/spree-events-webhooks

orcaqubits/spree-dev-patterns

tools

VerifiedTrustedCommunity

Cross-cutting Spree development patterns — the customization preference hierarchy (Events > Webhooks > Dependencies > Decorators), `Spree::Dependencies` service-object swapping, the `_decorator.rb` + `prepend` + `self.prepended` idiom, idempotent subscribers and webhook receivers, multi-store scoping discipline, prefixed IDs, calculator polymorphism (shipping/promotion/tax share the base), service-object composition with `dry-monads` or simple results, why to avoid `class_eval` reopening and Deface, and Spree-on-Rails idioms (Hotwire/Turbo Stimulus, ActiveStorage, Action Cable, Sidekiq). Use when designing the architecture of a Spree extension or solving cross-cutting concerns.

27SKILL.mdUpdated May 14, 2026

orcaqubits/spree-dev-patterns

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/orcaqubits/agentic-commerce-claude-plugins.git

# Copy into Claude Code skills folder (global)
cp -r agentic-commerce-claude-plugins/dist/codex/salesforce-commerce/skills/sf-setup ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

orcaqubits/agentic-commerce-claude-plugins

27 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT