rollback-and-hotfix-strategy
Planning and executing metadata rollbacks and emergency hotfixes in Salesforce orgs. Use when a production deployment causes regression and needs to be reverted, or when an urgent fix must bypass the normal release pipeline. Covers pre-deploy archive bundles, quick deploy for hotfixes, non-rollbackable component handling, and hotfix branch isolation. NOT for routine CI/CD pipeline setup (use continuous-integration-testing). NOT for destructive changes authoring (use destructive-changes-deployment).
Best use case
rollback-and-hotfix-strategy is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Planning and executing metadata rollbacks and emergency hotfixes in Salesforce orgs. Use when a production deployment causes regression and needs to be reverted, or when an urgent fix must bypass the normal release pipeline. Covers pre-deploy archive bundles, quick deploy for hotfixes, non-rollbackable component handling, and hotfix branch isolation. NOT for routine CI/CD pipeline setup (use continuous-integration-testing). NOT for destructive changes authoring (use destructive-changes-deployment).
Teams using rollback-and-hotfix-strategy should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/rollback-and-hotfix-strategy/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How rollback-and-hotfix-strategy Compares
| Feature / Agent | rollback-and-hotfix-strategy | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Planning and executing metadata rollbacks and emergency hotfixes in Salesforce orgs. Use when a production deployment causes regression and needs to be reverted, or when an urgent fix must bypass the normal release pipeline. Covers pre-deploy archive bundles, quick deploy for hotfixes, non-rollbackable component handling, and hotfix branch isolation. NOT for routine CI/CD pipeline setup (use continuous-integration-testing). NOT for destructive changes authoring (use destructive-changes-deployment).
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Rollback And Hotfix Strategy This skill activates when a production deployment has caused a regression and the practitioner needs to revert to the previous known-good state, or when an emergency fix must reach production outside the normal release cycle. Salesforce has no native one-click metadata rollback. Rollback means re-deploying the previous version of every changed component, and hotfix means isolating a minimal change and pushing it through a fast-tracked path. --- ## Before Starting Gather this context before working on anything in this domain: - Confirm whether a pre-deploy archive (retrieve snapshot of production metadata taken before the failed deployment) exists. Without it, you must reconstruct the previous state from source control history. - Identify every component that was changed or added in the failed deployment. The Metadata API deploy response and the original `package.xml` are the primary sources for this list. - Determine which changed components are non-rollbackable: Record Types (once created, cannot be deleted via API), Picklist values (cannot be removed via Metadata API), and active Flow versions (cannot be deactivated or deleted via deployment). These require manual admin intervention in Setup. --- ## Core Concepts ### Pre-Deploy Archive Pattern Because Salesforce provides no native rollback mechanism, teams must build their own safety net. The pre-deploy archive pattern works as follows: immediately before every production deployment, run `sf project retrieve start` with the same `package.xml` that will be deployed. This retrieves the current production state of every component that is about to change and stores it as a timestamped bundle (zip or folder). If the deployment causes a regression, this archive becomes the rollback package — you deploy it back to production to restore the previous state. The archive must be stored outside the deployment pipeline artifacts directory to prevent accidental overwrite. Common storage targets include a dedicated Git branch, a CI artifact store, or a shared filesystem with retention policies. ### Quick Deploy for Hotfixes The Metadata API supports a quick deploy workflow that skips Apex test execution for a deployment that has already passed validation. The flow is: first, run `sf project deploy validate` against production with `--test-level RunLocalTests`. This executes all tests and returns a validation ID. Within 10 days (the validation window), you can promote the validated package using `sf project deploy quick --job-id <validationId>` — this deploys immediately without re-running tests. For hotfixes, this means you can validate the fix during business hours and then promote it during a low-traffic window in seconds rather than waiting for a full test run. The 10-day window is a hard platform limit; expired validations must be re-run. ### Non-Rollbackable Components Several Salesforce metadata types cannot be fully rolled back through the Metadata API: | Component | Why rollback is constrained | |---|---| | Record Types | Once created and assigned to page-layout assignments or used in data, they cannot be deleted via deployment. Rollback requires manual deactivation in Setup. | | Picklist values | Values added to a picklist field cannot be removed via Metadata API. Use the Replace Picklist Values feature in Setup or manual editing. | | Active Flow versions | An active Flow version cannot be deleted or deactivated via deployment. Deactivate it manually in Setup before the previous version can be activated. | | Custom metadata records | The type definition can be deployed, but individual records (CustomMetadata) behave like data and may not revert cleanly. | A rollback plan must identify these components upfront and include manual remediation steps. ### Hotfix Branch Isolation A hotfix branch should contain the absolute minimum change required to resolve the production issue. It branches from the production-matching tag or commit (not from a development branch that may contain unreleased work). The hotfix is merged back into both the production branch and the main development branch after deployment to prevent the fix from being overwritten by the next release. --- ## Common Patterns ### Pattern 1 — Full Rollback Using Pre-Deploy Archive **When to use:** A production deployment caused widespread regression and the entire deployment needs to be reverted. **How it works:** 1. Locate the pre-deploy archive bundle that was captured before the failed deployment. 2. Build a `package.xml` from the archive contents (or reuse the original deployment manifest). 3. Deploy the archive to production: `sf project deploy start --manifest package.xml --source-dir <archive-path> --target-org production`. 4. For any components that were newly added (not updates), create a `destructiveChangesPost.xml` to remove them. 5. Handle non-rollbackable components manually in Setup. **Why not the alternative:** Rolling forward (fixing the bug instead of reverting) is sometimes faster, but when the regression is broad or the root cause is unclear, a full rollback restores stability immediately while the team investigates. ### Pattern 2 — Quick Deploy Hotfix **When to use:** A targeted fix is ready and must reach production with minimal downtime. The change is small and well-understood. **How it works:** 1. Create a hotfix branch from the production tag. 2. Make the minimal change (single Apex class fix, LWC patch, configuration update). 3. Validate against production: `sf project deploy validate --manifest package.xml --test-level RunLocalTests --target-org production`. 4. Capture the validation job ID from the output. 5. Promote during the deployment window: `sf project deploy quick --job-id <validationId> --target-org production`. 6. Merge the hotfix branch back into main/develop. **Why not the alternative:** A normal deployment re-runs all local tests, which can take 30-90 minutes in large orgs. Quick deploy skips this because tests already passed during validation, reducing the deployment window to seconds. --- ## Decision Guidance | Situation | Recommended Approach | Reason | |---|---|---| | Broad regression, root cause unclear | Full rollback from pre-deploy archive | Restores stability immediately; investigate later | | Single component is broken, fix is obvious | Quick deploy hotfix | Minimal change, fast promotion, low risk | | Regression involves Record Types or Picklist values | Partial rollback + manual Setup intervention | These components cannot be reverted via API | | No pre-deploy archive exists | Reconstruct from source control history | Git diff between current and previous release tag identifies changed files | | Hotfix validation expired (>10 days) | Re-run validation before quick deploy | Platform enforces 10-day window; no override | --- ## Recommended Workflow Step-by-step instructions for an AI agent or practitioner working on this task: 1. **Assess severity** — Determine whether the production issue requires a full rollback (broad regression, unknown root cause) or a targeted hotfix (isolated defect, known fix). Check whether affected components include non-rollbackable types. 2. **Locate the previous known-good state** — Find the pre-deploy archive bundle, or identify the last known-good Git commit/tag corresponding to production. If neither exists, retrieve the current production state and diff against source control. 3. **Build the rollback or hotfix package** — For rollback: use the pre-deploy archive as the deployment source. For hotfix: create a branch from the production tag and make the minimal change. Include destructive changes manifests if new components were added in the failed deployment. 4. **Validate before deploying** — Run `sf project deploy validate` with `--test-level RunLocalTests` against production. Capture the validation job ID. Review test results for any new failures introduced by the rollback/hotfix itself. 5. **Deploy to production** — Use `sf project deploy quick --job-id <id>` for validated packages, or `sf project deploy start` for immediate deployment. Execute during a low-traffic window when possible. 6. **Handle non-rollbackable components** — Manually deactivate Record Types, remove Picklist values, and deactivate Flow versions in Setup as needed. Document each manual step. 7. **Verify and merge** — Confirm the regression is resolved in production. Merge the hotfix branch back into main/develop. Update release notes with the rollback/hotfix record. --- ## Review Checklist Run through these before marking work in this area complete: - [ ] Pre-deploy archive exists or previous state has been reconstructed from source control - [ ] All changed components from the failed deployment are accounted for in the rollback package - [ ] Non-rollbackable components (Record Types, Picklist values, active Flows) have manual remediation steps documented - [ ] Destructive changes manifest included for any newly-added components that must be removed - [ ] Validation passed against production with RunLocalTests - [ ] Quick deploy job ID captured and promotion executed within the 10-day window - [ ] Hotfix branch merged back into main/develop to prevent regression in next release --- ## Salesforce-Specific Gotchas Non-obvious platform behaviors that cause real production problems: 1. **No native rollback** — Salesforce does not offer a one-click undo for metadata deployments. Every rollback is a forward deployment of the previous version. Teams that skip the pre-deploy archive step have no fast recovery path. 2. **Quick deploy validation window is 10 days** — A validated deployment that is not promoted within 10 days expires silently. The `sf project deploy quick` command will fail with a non-obvious error. Re-validation is required. 3. **Newly added components require destructive changes** — If the failed deployment added new components (not just updated existing ones), simply re-deploying the old versions of changed components will not remove the new additions. A companion `destructiveChangesPost.xml` is required. --- ## Output Artifacts | Artifact | Description | |---|---| | Pre-deploy archive bundle | Retrieved snapshot of production metadata before deployment; serves as rollback source | | Rollback `package.xml` | Manifest listing every component to be reverted to its previous version | | `destructiveChangesPost.xml` | Manifest for removing newly-added components that did not exist before the failed deployment | | Hotfix branch | Minimal Git branch from the production tag containing only the emergency fix | | Validation job ID | Identifier from `sf project deploy validate` used for quick deploy promotion | --- ## Related Skills - `destructive-changes-deployment` — use for authoring destructive changes manifests when rolling back includes removing newly-added components - `continuous-integration-testing` — use for setting up the CI pipeline that validates deployments before production - `release-management` — use for the broader release process including release trains, tagging, and promotion gates
Related Skills
shield-event-log-retention-strategy
Use when designing Salesforce Shield Event Monitoring retention, SIEM routing, and storage-tier strategy — which event types to keep, for how long, where, and how to answer audit queries across hot/warm/cold tiers. Triggers: 'shield event log retention', 'route event monitoring to splunk', 'how long to keep login history', 'siem salesforce integration', 'event monitoring storage tier'. NOT for enabling Shield (see salesforce-shield-deployment).
oauth-redirect-and-domain-strategy
Design Connected App OAuth callback URLs, My Domain naming, Enhanced Domains cutover, and cross-environment redirect handling. Trigger keywords: oauth redirect uri, connected app callback, my domain, enhanced domains, sandbox url change, oauth login host. Does NOT cover: end-user login flow UX, Experience Cloud branding, or SAML-only SSO configuration.
mfa-enforcement-strategy
Plan and operate Salesforce org-wide multi-factor authentication (MFA) enforcement: verification methods, phased rollout, SSO and API-only considerations, exemptions, and operational readiness. NOT for designing Login Flow post-authentication logic, IP allowlists, or conditional step-up policies—use ip-range-and-login-flow-strategy, network-security-and-trusted-ips, or transaction-security-policies instead.
ip-range-and-login-flow-strategy
Design and implement Salesforce Login Flows (Screen Flows assigned to profiles or Experience Cloud sites) that run post-authentication to enforce conditional MFA, IP-based branching, terms-of-service acceptance, or user data collection. Covers Login Flow creation in Flow Builder, profile/site assignment, IP-aware decision logic, and ConnectedAppPlugin extension points. NOT for static IP allowlisting or profile Login IP Ranges (see network-security-and-trusted-ips), org-wide session policies, or SSO/SAML IdP configuration.
data-cloud-integration-strategy
Use this skill when designing or troubleshooting the data pipeline strategy for connecting source systems to Data Cloud — including ingestion API pattern selection (streaming vs. batch), connector type decisions, DSO-to-DLO-to-DMO pipeline lag, and lakehouse federation patterns. Triggers on: Data Cloud ingestion API setup, streaming vs batch connector decision, Data Cloud connector types, MuleSoft Direct for Data Cloud, data pipeline lag for segmentation. NOT for standard Salesforce integration patterns (use integration-patterns skill), not for querying Data Cloud once data is ingested (use data-cloud-query-api), not for configuring standard admin connectors through the UI only.
api-versioning-strategy
Design versioning for custom Apex REST endpoints: URI versioning, backward compatibility, deprecation sunset. NOT for consuming external APIs.
flow-versioning-strategy
Manage Flow versions: activation policy, paused interview compatibility, cleanup cadence, and breaking-change detection. Trigger keywords: flow version management, activate flow version, paused interview, flow cleanup, flow breaking change, flow rollback. Does NOT cover: FlowDefinition metadata deploy order (see devops skill), Process Builder retirement, or Flow test coverage (separate skill).
flow-rollback-patterns
Use the Flow Rollback Records element to undo DML inside the current transaction. Covers when rollback is appropriate vs catastrophic, how to combine with fault paths, partial-commit pitfalls, and the interaction with publish-after-commit Platform Events. NOT for external-system rollback (use compensation patterns). NOT for Database.SavePoint in Apex (use apex-transaction-control).
package-development-strategy
Use this skill when deciding between Salesforce package development approaches — unmanaged, unlocked, 1GP managed, or 2GP managed — including namespace selection, ISV distribution requirements, upgrade path design, and AppExchange packaging strategy. Trigger keywords: should I use managed or unlocked package, Salesforce package type selection, 2GP vs 1GP managed package, namespace decision Salesforce, ISV AppExchange packaging, unlocked package strategy. NOT for individual package creation steps, scratch org setup, or day-to-day package version build commands.
environment-strategy
Use when designing the full environment topology for a Salesforce program — selecting which org types to provision, how many, and how they map to your branching strategy and release pipeline. Trigger keywords: 'environment strategy', 'org topology', 'scratch org vs sandbox', 'how many environments do I need', 'environment planning', 'DevOps environment design'. NOT for sandbox-type-only decisions (use admin/sandbox-strategy), NOT for scratch org lifecycle or daily usage (use devops/scratch-org-management), NOT for release pipeline mechanics (use devops/release-management).
external-id-strategy
Use this skill when designing, selecting, or troubleshooting external ID fields on Salesforce objects for upsert operations, cross-system record correlation, or idempotent data loads. Trigger keywords: external ID field design, upsert key strategy, cross-system record matching, source system ID mapping, composite key for uniqueness, duplicate insert on upsert, relationship resolution by external ID. NOT for data migration steps (use data-migration-planning), NOT for REST API upsert endpoint wiring (use rest-api-patterns), NOT for general data model field decisions (use data-model-design-patterns).
multi-org-strategy
Use when deciding whether to use multiple Salesforce production orgs, designing a hub-and-spoke integration topology, reviewing an existing multi-org architecture for risk, or troubleshooting cross-org integration failures. Trigger phrases: 'should we have separate Salesforce orgs', 'how do we share data between two orgs', 'we acquired a company that uses Salesforce', 'our EU data must stay in Europe', 'cross-org integration keeps hitting API limits', 'Salesforce-to-Salesforce stopped working', 'how do we do SSO across multiple orgs'. NOT for sandbox strategy (use sandbox-strategy). NOT for individual integration callout implementation (use integration/ skills). NOT for Named Credential configuration in isolation (use integration/named-credentials-and-callouts).