technical-debt-assessment
Use when auditing a Salesforce org for technical debt: dead code, unused automations, overlapping Flow and Apex triggers, deprecated features, configuration complexity, and legacy patterns. Triggers: technical debt review, org health check, dead code analysis, automation overlap, deprecated features, complexity audit. NOT for implementing the fixes identified (use role-specific skills) or for security-specific reviews (use security-architecture-review).
Best use case
technical-debt-assessment is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Use when auditing a Salesforce org for technical debt: dead code, unused automations, overlapping Flow and Apex triggers, deprecated features, configuration complexity, and legacy patterns. Triggers: technical debt review, org health check, dead code analysis, automation overlap, deprecated features, complexity audit. NOT for implementing the fixes identified (use role-specific skills) or for security-specific reviews (use security-architecture-review).
Teams using technical-debt-assessment should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/technical-debt-assessment/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How technical-debt-assessment Compares
| Feature / Agent | technical-debt-assessment | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Use when auditing a Salesforce org for technical debt: dead code, unused automations, overlapping Flow and Apex triggers, deprecated features, configuration complexity, and legacy patterns. Triggers: technical debt review, org health check, dead code analysis, automation overlap, deprecated features, complexity audit. NOT for implementing the fixes identified (use role-specific skills) or for security-specific reviews (use security-architecture-review).
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
Use this skill when auditing a Salesforce org to identify and document technical debt across automation, code, data model, security configuration, and integrations. This skill produces a structured findings report with severity ratings and a prioritized remediation backlog. It does not implement fixes — use domain-specific skills (apex/, flow/, security/, integration/) for remediation work. --- ## Before Starting Gather this context before conducting the assessment: - **How old is this org, and when was it last audited?** Older orgs accumulate more automation strata and legacy patterns. - **What features are actively in use?** Apex, Flow, Process Builder, Workflow Rules, Aura components, integrations — each area is a debt category. - **Are there known pain points?** "Automation keeps firing twice on Case" or "deployments break tests" are symptoms that guide where to look first. - **What is the managed package footprint?** Managed package components create debt you cannot modify. Note them separately — they are vendor debt, not org debt. - **What is the scope?** A full org audit, a targeted automation review, or a pre-release health check each require different depth. --- ## Core Concepts ### What Technical Debt Means in Salesforce Technical debt in a Salesforce org falls into six categories: 1. **Dead code** — Apex classes with no test coverage, classes never referenced in metadata or by other code, triggers on objects with no active DML paths. 2. **Unused and redundant automation** — Inactive Flow versions that were never cleaned up, Process Builder flows left over from pre-Summer '22, Workflow Rules that were never migrated when the retirement deadline passed. 3. **Automation overlap** — The same object triggering both a Record-Triggered Flow and an Apex trigger for similar operations, creating double-execution risk, ordering surprises, or governor limit contention. 4. **Deprecated features in active use** — Workflow Rules and Process Builder executing live logic despite official deprecation; Aura components owned by the org team rather than migrated to LWC. 5. **Configuration complexity** — Formula fields referencing deleted fields, validation rules that are tautologies (always-true or always-false), duplicate objects or fields serving the same purpose. 6. **Integration and security debt** — Hardcoded endpoint URLs, deprecated API versions below v50.0, Named Credential gaps, and overly broad permission grants. ### Severity Model Use a consistent four-tier model for all findings: | Severity | Definition | |---|---| | Critical | Poses immediate system stability, compliance, or data integrity risk. Requires urgent attention. | | High | Actively degrades maintainability, causes intermittent failures, or will block future work. Fix within the next sprint cycle. | | Medium | Technical hygiene: increases noise, slows developers, or creates future risk if left unaddressed. Fix within the next quarter. | | Low | Cosmetic or minor: undescriptive names, minor duplication, low-impact patterns. Fix as a housekeeping exercise. | ### Remediation Ownership Pair each finding with the recommended owner role: | Owner | Remediation type | |---|---| | Admin | Configuration-level changes (deactivating flows, cleaning up permission sets, removing unused fields). | | Developer | Code changes (deleting dead Apex, refactoring complex triggers, resolving automation overlap). | | Architect | Structural decisions (consolidating duplicate objects, redesigning automation strategy, planning migration from Workflow Rules to Flow). | | Release Manager | Deployment-related debt (hardcoded IDs, broken metadata dependencies, stale package versions). | --- ## Mode 1: Full Technical Debt Assessment (Fresh Org Audit) Use this mode for a comprehensive review of an org with no recent audit history. ### Step 1 — Dead Code Detection **Apex classes with 0% test coverage:** - Run `sfdx force:apex:test:run --resultformat json` and examine per-class coverage in the results. - Any Apex class with 0 covered lines and 0 uncovered lines is a candidate — it is either untested or unreferenced. - Any class with coverage lines but 0 covered lines has tests that never exercise it — either the tests are bypassing the class or the class is dead. **Apex classes never referenced in metadata:** - Download the full metadata set (SFDX retrieve or Metadata API retrieve). - Search Flow metadata XML files, custom object metadata, and other .cls files for references to each class name. - Classes with no inbound references from other Apex, Flows, or LWC `@wire` calls are deletion candidates. - Exception: scheduled Apex jobs reference class names dynamically — check the Scheduled Jobs list in Setup. **Apex triggers on objects with no active DML:** - An Apex trigger on an object that receives no writes in production (no insert, update, or delete) adds overhead without benefit. - Use the Apex Trigger Manager in Setup to see the last execution timestamp if available. - Cross-reference with the object's record count and last-modified-date statistics. ### Step 2 — Unused Automation Inventory **Inactive Flow versions:** - Each time a Flow is saved, Salesforce creates a new version. Inactive versions consume the org's 2,000 Flow version limit. - Go to Setup → Flows → filter by Inactive status. Large counts of inactive versions for the same flow are a housekeeping finding. - Document the count of inactive versions per flow and flag any flow with more than 5 inactive versions. **Process Builder flows (legacy):** - No new Process Builder flows have been activatable since Summer '22. Any active Process Builder flow is executing legacy automation. - Go to Setup → Process Builder. Any active flow is a migration candidate. - Active Process Builder flows that overlap with existing Record-Triggered Flows on the same object are Critical findings. **Workflow Rules (legacy):** - Workflow Rules were formally deprecated with a migration deadline. Any Workflow Rule still active is a migration risk — Salesforce can enforce retirement at any release. - Go to Setup → Workflow Rules. Export the full list. Flag all active rules. - Workflow Rule field updates can conflict silently with after-save Flow updates on the same field. ### Step 3 — Automation Overlap Analysis For each object with more than one active automation type, assess overlap risk: 1. List all active automations per object: Record-Triggered Flows, Apex triggers, Process Builder, Workflow Rules. 2. For each pair of automations on the same object, answer: - Do they both respond to the same trigger event (before insert, after update, etc.)? - Do they write to any of the same fields? - Do they both send emails, create tasks, or create records of the same type? 3. Any "yes" to the above is an overlap finding. Rate severity by consequence: - Both write the same field → **Critical** (last writer wins; result is non-deterministic depending on execution order) - Both create the same related record type → **High** (duplicate records in production) - Both send email alerts for the same event → **Medium** (user experience degradation) **Known automation execution order (simplified):** 1. Before-save Record-Triggered Flows 2. Before Apex triggers 3. Record committed (in memory) 4. After Apex triggers 5. Workflow Rules (legacy) 6. After-save Record-Triggered Flows A before-save Flow writing a field and an Apex after trigger reading that same field will see the Flow-written value. This is intentional — but it must be documented, because it is not obvious to a developer reading only the Apex code. ### Step 4 — Deprecated Features Inventory | Feature | Status | Finding | |---|---|---| | Workflow Rules | Deprecated — no new activations; existing rules still execute | Migration to Record-Triggered Flow is required | | Process Builder | Deprecated — no new flows since Summer '22; existing flows still execute | Migration to Record-Triggered Flow is required | | Aura components (org-owned) | Legacy — supported but not receiving new features; LWC is the current standard | Migration to LWC for any component that will receive future enhancements | | Legacy API versions (below v50.0) | Approaching end-of-life patterns; Salesforce periodically retires old API versions | Upgrade integration endpoints to current API version | ### Step 5 — Complexity Indicators Flag the following as complexity hotspots: | Hotspot | Why it matters | |---|---| | Apex classes with cyclomatic complexity > 20 | Use a static analysis tool (PMD, CodeScan) or review manually for method-level branching density. High complexity = high maintenance cost and high bug introduction risk. | | Flows with more than 50 elements | The 2,000-element interview limit is rarely approached, but 50+ element Flows are difficult to read, debug, and test. Candidates for subflow decomposition. | | Nested subflows more than 3 levels deep | Subflow chains that go 4+ levels deep become effectively unreadable in the Flow Builder canvas. Refactor using Invocable Actions backed by Apex, or flatten the logic. | | Apex trigger files that contain business logic directly | Logic embedded in trigger files (not delegated to handler classes) cannot be unit tested in isolation. This is both a debt and a test coverage risk. | | Formula fields referencing fields that no longer exist | These produce runtime errors or display `#Error!` in the UI. Identifiable via Setup → Schema Builder or a metadata scan for broken references. | ### Step 6 — Security Debt Indicators These are not full security findings (use `security-architecture-review` for that) but are indicators of accumulated access debt: - Profiles with "View All Data" or "Modify All Data" granted to more users than strictly necessary. - Permission sets with no assigned users — these are either unused (clutter) or documentation gaps (someone should be assigned). - Apex classes running `without sharing` without inline documentation explaining why elevated access is needed. - Validation rules with hard-coded user IDs, profile names, or role names — these are fragile and break on org changes. ### Step 7 — Integration Debt Indicators - Hardcoded endpoint URLs in Named Credentials, Apex classes, or Custom Settings — any URL that is not parameterized will break when the endpoint changes. - API version references below v50.0 in integration code — Salesforce API v50.0 corresponds to Winter '21. Anything older is approaching or past official retirement windows. - HTTP callouts using hardcoded credentials (username/password in Apex string literals) — a security and integration debt item. - Named Credential records with no associated authentication provider — may be using legacy password auth instead of OAuth. ### Step 8 — Compile the Findings Report Structure every finding as: ``` Area: [Dead Code | Automation | Deprecated Feature | Complexity | Security Config | Integration] Finding: [One-sentence description of what was found] Location: [Class name, Flow API name, object name, or Setup path] Severity: [Critical | High | Medium | Low] Remediation Effort: [Hours estimate or T-shirt size: XS/S/M/L/XL] Recommended Owner: [Admin | Developer | Architect | Release Manager] ``` --- ## Mode 2: Targeted Review of a Specific Area Use this mode when the scope is narrowed to one category — automations, code, or data model. ### Targeted Automation Review Focus: identify overlap and legacy automation on a specific object or business process. 1. Pull all automation for the target object from Setup. 2. Map each automation to its trigger event, field writes, and record creates/updates. 3. Draw (or tabulate) the execution sequence using the order of execution reference. 4. Flag any two automations that share a trigger event and share a write target. ### Targeted Code Review Focus: identify dead, over-complex, or untested Apex in a specific domain. 1. Pull test coverage report filtered to the relevant namespace or class prefix. 2. Flag classes below 75% coverage (minimum for deployment) and classes at 0%. 3. Run PMD or equivalent static analysis for cyclomatic complexity on the class set. 4. Review trigger files for direct DML/SOQL (no handler delegation). ### Targeted Data Model Review Focus: identify formula field errors, tautological validation rules, and duplicate objects. 1. Export all custom fields on the target object(s). Check formula fields for references to deleted or renamed fields. 2. Review validation rules: test each rule against a representative record to confirm it actually fires. Rules that never fire are either dead or incorrectly written. 3. Check for duplicate objects: objects with the same purpose introduced at different points in the org's history (e.g., `Custom_Order__c` and `Sales_Order__c` both storing order records). --- ## Mode 3: Pre-Release Health Check Before a Major Project Use this mode before starting a significant feature build to understand the debt landscape that will affect the project. ### Pre-Release Checklist - [ ] **Test coverage baseline:** Is the org at or above 75% overall Apex coverage? Deployments will fail if coverage drops below this. Identify the lowest-coverage classes in the project's domain. - [ ] **Automation overlap on affected objects:** Are there active Process Builder flows or Workflow Rules on the objects the project will touch? These must be accounted for in the automation design. - [ ] **Flow version headroom:** Is the org below 1,800 active Flow versions (leaving 200 of the 2,000 limit as buffer)? If not, clean inactive versions before adding new Flows. - [ ] **API version currency:** Are the integration endpoints the project will use on API v56.0 or higher? If not, plan an upgrade alongside the build. - [ ] **Hardcoded IDs on affected objects:** Are there hardcoded record IDs in Flows or Apex that reference records on the objects the project will touch? These may break during sandbox refresh or deployment. - [ ] **Complexity budget:** Are the Apex classes and Flows the project will extend already at high complexity? If so, refactor before adding to them. --- ## Findings Report Format The output of this skill is a structured findings report. Use the template in `templates/technical-debt-assessment-template.md`. Key sections: 1. **Org Profile** — Age, size, team composition, last audit date. 2. **Automation Audit Summary** — Active vs. inactive counts per automation type; overlap risk matrix. 3. **Dead Code Summary** — Apex classes with low/zero coverage; unreferenced classes; stale triggers. 4. **Deprecated Features Inventory** — Active Process Builder flows, Workflow Rules, Aura components to migrate. 5. **Complexity Hotspots** — High-complexity Apex, oversized Flows, deep subflow chains. 6. **Security Config Indicators** — Broad permission grants, unused permission sets, `without sharing` classes. 7. **Integration Debt** — Hardcoded URLs, old API versions, credential gaps. 8. **Prioritized Remediation Backlog** — All findings sorted by Severity then Effort, with recommended owner. --- ## Related Skills - `architect/solution-design-patterns` — for redesigning automation after debt is identified - `apex/trigger-framework` — for remediating Apex trigger debt - `flow/` skills — for rebuilding migrated Process Builder and Workflow Rule logic - `security/security-architecture-review` — for deep security posture review beyond indicators - `devops/` skills — for setting up deployment pipelines that prevent future debt accumulation ## Recommended Workflow Step-by-step instructions for an AI agent or practitioner activating this skill: 1. Gather context — confirm the org edition, relevant objects, and current configuration state 2. Review official sources — check the references in this skill's well-architected.md before making changes 3. Implement or advise — apply the patterns from Core Concepts and Common Patterns sections above 4. Validate — run the skill's checker script and verify against the Review Checklist below 5. Document — record any deviations from standard patterns and update the template if needed ---
Related Skills
org-cleanup-and-technical-debt
Use when executing admin-level cleanup in a Salesforce org: deleting unused fields, removing inactive Flow versions, deactivating legacy automation, running Salesforce Optimizer or Org Check, and performing destructive metadata deploys. Triggers: 'clean up unused fields', 'delete inactive flows', 'run Optimizer', 'org has too many custom fields', 'remove old workflow rules', 'Flow version limit'. NOT for assessing or reporting on technical debt (use architect/technical-debt-assessment). NOT for code-level refactoring or Apex cleanup (use apex/ skills).
deployment-risk-assessment
Use when a practitioner needs to classify the risk level of an upcoming Salesforce deployment, define rollback trigger conditions, or assign decision authority before the release window opens. Triggers: 'how risky is this release', 'what needs rollback planning', 'classify deployment risk', 'pre-deployment risk checklist', 'rollback decision authority', 'high risk metadata types'. NOT for executing the deployment itself, writing CI/CD pipeline code, or troubleshooting failures after a deployment has already run — use change-management-and-deployment for execution planning and devops/deployment-error-troubleshooting for post-failure diagnosis.
xss-and-injection-prevention
Use when writing or reviewing Visualforce pages, Apex controllers, or LWC components that output user-supplied data, build dynamic queries, or construct HTTP responses. Triggers: 'XSS in Visualforce', 'SOQL injection vulnerability', 'how to encode output in Apex', 'JSENCODE Visualforce', 'open redirect prevention'. NOT for Apex CRUD/FLS enforcement (use soql-security or apex-crud-and-fls), NOT for Shield encryption (use shield-encryption-key-management), NOT for AppExchange security review process (use secure-coding-review-checklist).
visualforce-security-and-modernization
Use when hardening or modernizing legacy Visualforce pages — covers the platform CSRF token model and when disabling it is a security regression, view state encryption guarantees and the 170 KB ceiling, FLS/CRUD enforcement gaps on `<apex:outputField>` and on getters that return sObjects, `<apex:includeScript>` interaction with the org Content Security Policy, hosting LWC inside a VF page via `lightning:container` / `lightning-out`, and the retire-vs-harden-vs-leave-alone decision for an inventory of legacy pages. Triggers: 'should I rewrite this Visualforce page in LWC', 'CSRF protection disabled on Visualforce page is that safe', 'community user sees a field they should not on a Visualforce page', 'view state encryption is that enough for sensitive data', 'how do I host an LWC inside a Visualforce page', 'apex:dynamicComponent and apex:actionFunction safe to keep'. NOT for greenfield Visualforce architecture (use apex/visualforce-fundamentals — controller types, view state pattern selection, PDF rendering); NOT for Visualforce email template authoring (use apex/visualforce-email-templates if/when that skill is authored); NOT for general Apex security review across triggers and async (use apex/soql-security and security/secure-coding-review-checklist).
transaction-security-policies
Transaction Security policy creation and configuration: condition builder, enhanced policies, enforcement actions (block, MFA, notification, end session), real-time monitoring mode, and policy troubleshooting. NOT for Event Monitoring log analysis or Shield Event Monitoring setup (use event-monitoring). NOT for Apex testing or debug-log analysis.
sso-saml-troubleshooting
Diagnosing broken SAML SSO into Salesforce — IdP-initiated vs SP-initiated flows, signing-certificate validity / expiry, NameID format mismatches, RelayState handling, audience / entityId / issuer mismatches, clock skew, the SAML Assertion Validator in Setup, the Login History debug log, and the My Domain prerequisite for SSO. Covers the standard diagnostic loop: read the SAML response, identify which check failed, fix at the IdP or SP. NOT for OAuth / OpenID Connect SSO (see security/oauth-openid-troubleshooting), NOT for setting up SSO from scratch (see security/sso-saml-setup).
shield-kms-byok-setup
Configure Shield Platform Encryption with customer-supplied (BYOK) or customer-held (Cache-Only Key Service) tenant secrets, rotate them, and recover. NOT for Classic Encryption or field masking.
shield-event-log-retention-strategy
Use when designing Salesforce Shield Event Monitoring retention, SIEM routing, and storage-tier strategy — which event types to keep, for how long, where, and how to answer audit queries across hot/warm/cold tiers. Triggers: 'shield event log retention', 'route event monitoring to splunk', 'how long to keep login history', 'siem salesforce integration', 'event monitoring storage tier'. NOT for enabling Shield (see salesforce-shield-deployment).
session-management-and-timeout
Use this skill when configuring session timeout values, concurrent session limits, session IP locking, or logout behavior in Salesforce. Covers org-wide session settings, profile-level overrides, Connected App session policies, and Metadata API SecuritySettings deployment. NOT for OAuth token refresh flows, login IP ranges, or MFA/identity-provider configuration.
session-high-assurance-policies
Enforce step-up authentication for sensitive pages/objects using High Assurance session level and login flow policies. NOT for initial MFA enrollment UX.
service-account-credential-rotation
Use when designing credential rotation for integration users, connected apps, named credentials, and OAuth client secrets in Salesforce. Covers rotation cadence, zero-downtime handover, secret storage, and detection of stale credentials. Triggers: 'rotate integration user password', 'connected app secret rotation', 'named credential rotation', 'stale service account', 'zero downtime secret rotation'. NOT for end-user password policies.
security-incident-response
When to use: active or suspected Salesforce org compromise, unauthorized access investigation, attacker containment, forensic evidence collection from EventLogFile/LoginHistory, session revocation, OAuth token cleanup, eradication of attacker persistence, and post-incident recovery verification. Trigger keywords: org compromised, suspicious login, attacker access, session revocation, forensic investigation, breach response, event log forensics, login anomaly investigation, incident response runbook. Does NOT cover general security setup, permission set design, field-level security configuration, or proactive security hardening — those are separate skills. NOT for general security setup.