omniscript-session-state

Use when an OmniScript must persist mid-flow state across refresh, navigation, multi-device resume, or abandonment recovery. Covers session objects, staging data, OmniScript tracking, and resume URLs. Does NOT cover OmniScript UI step layout (see omniscript-design) or general Flow pause/resume (see flow-transaction-finalizer-patterns).

Best use case

omniscript-session-state is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using omniscript-session-state should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/omniscript-session-state/SKILL.md --create-dirs "https://raw.githubusercontent.com/PranavNagrecha/AwesomeSalesforceSkills/main/skills/omnistudio/omniscript-session-state/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/omniscript-session-state/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How omniscript-session-state Compares

| Feature / Agent | omniscript-session-state | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |

Frequently Asked Questions

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# OmniScript Session State

## Purpose

Long-running OmniScripts — onboarding, quote configuration, compliance
questionnaires — lose users when a refresh wipes progress. OmniScript
ships native tracking but most teams mis-use it: they either persist
too little (UI state only, not answers) or too much (including PII that
should not be stored in plain object fields). This skill codifies the
session-state model: what to persist, where, with what retention, and
how to resume across devices without re-authenticating mid-flow.

## Recommended Workflow

1. **Define the state schema.** What answers, selections, derived values
   must survive? Exclude UI-only state.
2. **Pick the store.** OmniScript tracking record (`OmniScript_Session__c`
   pattern) vs Big Object for retention vs Platform Cache for short
   sessions.
3. **Persist at boundaries.** Save on step transition, not every
   keystroke. Debounce frequent edits.
4. **Design the resume URL.** Tokenized link that validates identity and
   session id, expires, and re-authenticates if necessary.
5. **Handle concurrency.** Two open tabs of the same session — last
   write wins with version field to detect conflicts.
6. **Set expiry.** Abandoned sessions time out; document a retention
   period that matches compliance requirements.
7. **Purge.** Scheduled job clears expired sessions and PII.

## State Schema

- Keep the schema flat with typed fields where possible for queryability.
- Sensitive fields (SSN, card numbers) must be in encrypted custom fields
  or tokenized.
- Always include `userId`, `createdAt`, `lastUpdatedAt`, `version`.

## Store Selection

| Store | Use When | Cons |
|---|---|---|
| Custom object (`Session__c`) | Durable, queryable, cheap | Counts against data storage |
| Platform Cache (Session) | Short-lived, in-memory, fast | Lost on logout / restart |
| Big Object | Very high volume / long retention | Limited query shapes |

## Resume URL Design

- Short-lived signed token (JWT with narrow scope) embedded in the URL.
- Server validates the token, loads session, continues OmniScript at
  `stepId`.
- Token expires in hours, not days; long-term resume requires re-auth.
- Never embed answers in the URL.
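
The checks listed above, modeled as an added example (not part of the original skill or of any Salesforce API). It builds an HS256 JWT with the Python standard library; `SECRET`, `SCOPE`, the 4-hour TTL, the `sid`/`sub` claim names and the `sessions` dict standing in for the session store are assumptions.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"      # assumption: server-side secret, never sent to the client
SCOPE = "omniscript:resume"           # hypothetical narrow scope
TTL_SECONDS = 4 * 3600                # hours, not days

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(signing_input):
    return _b64(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def issue_resume_token(session_id, user_id, step_id, now=None):
    """Build an HS256 JWT holding identifiers only, never answers."""
    now = int(time.time() if now is None else now)
    claims = {"sid": session_id, "sub": user_id, "stepId": step_id,
              "scope": SCOPE, "exp": now + TTL_SECONDS}
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(_b64(json.dumps(p).encode()) for p in (header, claims))
    return signing_input + "." + _mac(signing_input)

def validate_resume_token(token, sessions, now=None):
    """Return (session, stepId); raise ValueError naming the failed check."""
    now = int(time.time() if now is None else now)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed")
    head_b64, claims_b64, sig = parts
    # Verify the MAC before parsing anything the client controls.
    expected = _mac(head_b64 + "." + claims_b64)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        raise ValueError("bad-signature")
    header, claims = json.loads(_unb64(head_b64)), json.loads(_unb64(claims_b64))
    if header.get("alg") != "HS256" or claims.get("scope") != SCOPE:
        raise ValueError("wrong-alg-or-scope")
    if now >= claims["exp"]:
        raise ValueError("expired")            # long-term resume goes through re-auth
    session = sessions.get(claims["sid"])
    if session is None or session["userId"] != claims["sub"]:
        raise ValueError("unknown-session-or-user")
    return session, claims["stepId"]
```

The answers stay in the session record that `validate_resume_token` looks up; the URL carries only the token.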

## Concurrency

- Include a `version` field on the session. Each write increments.
- On save, compare versions; on mismatch, surface a "this session was
  updated elsewhere" branch.
- Do not silently overwrite.

## Expiry

- Tier 1 (sensitive): expire ≤ 24h, purge immediately after.
- Tier 2 (non-sensitive): expire ≤ 7d.
- Tier 3 (non-PII only): up to 30d.
- Retention policy is a compliance decision; confirm with stakeholders.
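
The Concurrency and Expiry rules above, combined in one added example (not part of the original skill). `SessionStore` is a hypothetical in-memory stand-in for the session object, the sample sessions are constructed, and measuring expiry from `createdAt` rather than from the last update is an assumption.

```python
import copy, threading

HOUR = 3600
# Maximum lifetimes from the Expiry tiers, in seconds.
TIER_TTL = {1: 24 * HOUR, 2: 7 * 24 * HOUR, 3: 30 * 24 * HOUR}

class StaleSessionError(Exception):
    """The session was updated elsewhere since this client loaded it."""

class SessionStore:
    """In-memory stand-in for the session object (hypothetical, constructed)."""
    def __init__(self):
        self._rows, self._lock = {}, threading.Lock()

    def create(self, session_id, user_id, tier, now):
        self._rows[session_id] = {"userId": user_id, "tier": tier, "answers": {},
                                  "createdAt": now, "lastUpdatedAt": now, "version": 1}

    def load(self, session_id):
        return copy.deepcopy(self._rows[session_id])   # each tab gets its own snapshot

    def save(self, session_id, loaded_version, answers, now):
        with self._lock:                               # compare and increment atomically
            row = self._rows[session_id]
            if row["version"] != loaded_version:
                raise StaleSessionError(session_id)    # never overwrite silently
            row["answers"].update(answers)
            row["lastUpdatedAt"] = now
            row["version"] += 1
            return row["version"]

    def purge_expired(self, now):
        with self._lock:
            dead = [sid for sid, r in self._rows.items()
                    if now - r["createdAt"] > TIER_TTL[r["tier"]]]
            for sid in dead:
                del self._rows[sid]                    # answers and PII go with the row
            return sorted(dead)

def two_tab_scenario():
    store = SessionStore()
    store.create("s-1", "u-1", tier=1, now=0)
    tab_a, tab_b = store.load("s-1"), store.load("s-1")
    store.save("s-1", tab_a["version"], {"plan": "gold"}, now=60)
    try:
        store.save("s-1", tab_b["version"], {"plan": "basic"}, now=90)
        outcome = "overwritten"
    except StaleSessionError:
        outcome = "conflict"      # UI shows "this session was updated elsewhere"
    return outcome, store.load("s-1")["answers"], store.purge_expired(now=25 * HOUR)
```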

## Anti-Patterns (see references/llm-anti-patterns.md)

- Storing raw PII in session object fields.
- Putting Base64-encoded state in the URL.
- Persisting every keystroke via DataRaptor.
- Treating the session object as "temporary" without a retention policy.

## Official Sources Used

- OmniScript Tracking — https://help.salesforce.com/s/articleView?id=sf.os_omniscript_tracking.htm
- OmniScript Save/Resume — https://help.salesforce.com/s/articleView?id=sf.os_use_save_for_later.htm
- Platform Cache — https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_cache_namespace_overview.htm
- Salesforce Shield Platform Encryption — https://help.salesforce.com/s/articleView?id=sf.security_pe_overview.htm

Related Skills

session-management-and-timeout

from PranavNagrecha/AwesomeSalesforceSkills

Use this skill when configuring session timeout values, concurrent session limits, session IP locking, or logout behavior in Salesforce. Covers org-wide session settings, profile-level overrides, Connected App session policies, and Metadata API SecuritySettings deployment. NOT for OAuth token refresh flows, login IP ranges, or MFA/identity-provider configuration.

session-high-assurance-policies

from PranavNagrecha/AwesomeSalesforceSkills

Enforce step-up authentication for sensitive pages/objects using High Assurance session level and login flow policies. NOT for initial MFA enrollment UX.

omnistudio-lwc-omniscript-migration

from PranavNagrecha/AwesomeSalesforceSkills

Migrate classic Visualforce-based OmniScripts to LWC-based runtime with feature parity and regression testing. NOT for new OmniScript design.

omniscript-versioning

from PranavNagrecha/AwesomeSalesforceSkills

Use when managing OmniScript versions: activating new versions, deactivating prior versions, testing a specific version before activation, rolling back to a previous version, or understanding version identity (Type/Subtype/Language triplet). NOT for OmniStudio deployment or DataPack migration (use omnistudio/omnistudio-deployment-datapacks).

omniscript-design-patterns

from PranavNagrecha/AwesomeSalesforceSkills

Use when designing or reviewing OmniScripts for guided experiences, step structure, branching, save/resume, and the boundary between OmniScript, Integration Procedures, DataRaptors, and custom LWCs. Triggers: 'omniscript design', 'too many steps in omniscript', 'save and resume omniscript', 'branching in omniscript', 'when should this be an integration procedure'. NOT for deep Integration Procedure or DataRaptor design when the guided interaction layer is not the main concern.

flexcard-state-management

from PranavNagrecha/AwesomeSalesforceSkills

Use when designing FlexCard actions, conditional visibility, and state that must survive navigation, refresh, or parent/child card transitions. Triggers: 'flexcard state', 'flexcard conditional visibility', 'flexcard actions', 'flexcard refresh', 'child flexcard state'. NOT for raw LWC state or for OmniScript step state.

lwc-state-management

from PranavNagrecha/AwesomeSalesforceSkills

Share state across LWCs using pub/sub, Lightning Message Service, @wire, and reactive stores. NOT for in-component reactivity.

lwc-reactive-state-patterns

from PranavNagrecha/AwesomeSalesforceSkills

How LWC reactivity actually works after Spring '20 (API v48+) — every class field is reactive on reassignment, but @track is still required for in-place mutation of plain object/array contents, and Date / Set / Map mutations are NEVER observed. Covers the renderedCallback infinite-loop trap, reactive-getter caching rules, and when @track is genuinely needed today. NOT for @wire reactive parameters (see lwc/wire-adapters), NOT for Lightning Data Service caching (see lwc/ldws-and-uirecordapi), NOT for cross-component reactive state (see lwc/message-channel-patterns and lwc/state-management-with-modules).

lwc-cross-tab-state-sync

from PranavNagrecha/AwesomeSalesforceSkills

Use when an LWC needs to react to events that happen in another browser tab — record updates, login state, draft autosave, console-tab navigation. Triggers: 'sync data across tabs', 'BroadcastChannel LWC', 'storage event LWC', 'one tab updates the other', 'console workspace tab close detection'. NOT for state sync within the same Lightning page (use Lightning Message Service) or for server-pushed updates (use CometD or refreshApex).

omniscript-flow-design-requirements

from PranavNagrecha/AwesomeSalesforceSkills

Use this skill to gather, document, and validate OmniScript flow design requirements before development begins — covering screen layout requirements, branching logic, data source requirements, and user journey mapping. Trigger keywords: OmniScript requirements, OmniScript BA, OmniScript screen design, OmniScript user journey, OmniScript branching requirements. NOT for OmniScript development implementation, DataRaptor mapping, Integration Procedure design, or standard Screen Flow requirements.

xss-and-injection-prevention

from PranavNagrecha/AwesomeSalesforceSkills

Use when writing or reviewing Visualforce pages, Apex controllers, or LWC components that output user-supplied data, build dynamic queries, or construct HTTP responses. Triggers: 'XSS in Visualforce', 'SOQL injection vulnerability', 'how to encode output in Apex', 'JSENCODE Visualforce', 'open redirect prevention'. NOT for Apex CRUD/FLS enforcement (use soql-security or apex-crud-and-fls), NOT for Shield encryption (use shield-encryption-key-management), NOT for AppExchange security review process (use secure-coding-review-checklist).

visualforce-security-and-modernization

from PranavNagrecha/AwesomeSalesforceSkills

Use when hardening or modernizing legacy Visualforce pages — covers the platform CSRF token model and when disabling it is a security regression, view state encryption guarantees and the 170 KB ceiling, FLS/CRUD enforcement gaps on `<apex:outputField>` and on getters that return sObjects, `<apex:includeScript>` interaction with the org Content Security Policy, hosting LWC inside a VF page via `lightning:container` / `lightning-out`, and the retire-vs-harden-vs-leave-alone decision for an inventory of legacy pages. Triggers: 'should I rewrite this Visualforce page in LWC', 'CSRF protection disabled on Visualforce page is that safe', 'community user sees a field they should not on a Visualforce page', 'view state encryption is that enough for sensitive data', 'how do I host an LWC inside a Visualforce page', 'apex:dynamicComponent and apex:actionFunction safe to keep'. NOT for greenfield Visualforce architecture (use apex/visualforce-fundamentals — controller types, view state pattern selection, PDF rendering); NOT for Visualforce email template authoring (use apex/visualforce-email-templates if/when that skill is authored); NOT for general Apex security review across triggers and async (use apex/soql-security and security/secure-coding-review-checklist).