AI coding agents write better Salesforce code when they know the org they're coding against. The dx0 CLI gives any AI agent — Cursor, Claude, Windsurf, or any tool that supports agent skills — real-time access to org metadata, structure, and health: field schemas, validation rules, security posture, trigger patterns, tech debt, and more. None of this needs to be in the repo.
This is what dx0 is built for: closing the gap between an AI agent's assumptions about a Salesforce org and the reality of it.
How it works
The dx0 CLI is a lightweight Node.js tool that connects to your dx0 account and queries your connected orgs. It returns structured JSON designed for AI consumption — raw data alongside a _guide field that explains what the data means and how to apply it to code decisions.
When your AI coding agent has the dx0 Skill installed, it knows when and which commands to run based on the task: inspecting an object before writing a trigger, checking security posture before writing sharing logic, auditing existing patterns before adding new automation. The agent pulls org context on demand — no metadata committed to the repo, no manual copy-paste, no stale screenshots of Setup pages.
Step 1: Generate a personal API key
Go to Profile → CLI & API Keys in dx0. Click Generate Personal API Key and give it a label — for example, the device or IDE where you'll use it.
Copy the key when it appears. It will not be shown again. Store it somewhere secure.
API keys are personal — they authenticate as you within your workspace. Don't share your key with teammates; each person should generate their own. Any CLI or AI agent activity using your key is attributed to your account.
To revoke a key at any time, return to Profile → CLI & API Keys and click the delete icon.
Step 2: Install and authenticate the CLI
Requires Node.js 18 or higher.
npm install -g @dx0team/dx0-cli dx0 auth login YOUR_API_KEY
Credentials are saved to ~/.config/dx0/credentials.json. You'll see confirmation with your name and email. To verify at any time:
dx0 auth user
Step 3: Set the active org
dx0 orgs list dx0 orgs use "My Sandbox"
All CLI commands run against the active org. You can match by org name, username, or Salesforce org ID. Switch orgs at any time with dx0 orgs use.
Always confirm the active org when starting a new engagement or switching between client environments — the wrong org produces confident-sounding but incorrect context.
Step 4: Install the dx0 Skill in your AI coding tool
The dx0 Skill (SKILL.md) tells your AI agent when to call dx0 commands and what to do with the output. Without it, the CLI is available but the agent won't know to reach for it.
Follow your AI coding tool's instructions for adding agent skills or persistent context rules. Common patterns:
Cursor — Add it as an Agent Skill (
.cursor/skills/) or as a rules file (.cursor/rules/). Cursor will reference it automatically when the agent is working on relevant tasks.Claude / Windsurf / other tools — Paste the Skill content into your tool's custom instructions, system prompt, or rules file following that tool's conventions.
Once installed, the agent knows: inspect the object before writing a trigger, check the security audit before touching data access, check for existing trigger patterns before writing new automation. It brings up the right context without being asked.
What the agent can query
Object structure
dx0 object inspect <ObjectApiName>
Returns the complete structural context for any standard or custom object: every picklist field with allowed values (by API name), key fields (checkboxes, dates, relationships), active validation rules the code must satisfy on DML, record types, child relationships with cascade-delete risk, and recent record volume. Run this before writing any Apex trigger, LWC, flow, or SOQL against a specific object.
Org-wide audits
dx0 audit security # Security Health Check posture, session controls dx0 audit code # Apex patterns, trigger frameworks, LWC vs Aura ratio dx0 audit data # Objects, record types, validation rule density dx0 audit permissions # Permission sets with Modify All / View All Data dx0 audit users # User counts, admin roster, license distribution dx0 audit integrations # Named credentials, Remote Site Settings, integration users dx0 audit history # Deployment patterns, CI/CD pipeline signals dx0 audit packages # Installed packages and namespace prefixes
Tech debt assessments
dx0 assessment tech-debt fields-missing-description # Undocumented fields by object dx0 assessment tech-debt multiple-triggers # Trigger event conflicts per object dx0 assessment tech-debt inactive-validation-rules # Disabled data integrity constraints dx0 assessment tech-debt unassigned-permission-sets # Orphaned high-privilege permission sets
Every response includes a _guide field with interpretation rules and field definitions specific to that command. The agent reads both the data and the guide — the data is the evidence, the guide tells it what conclusions to draw.
Practical scenarios
You drop into a new codebase at the start of an engagement. Run dx0 audit code to understand existing Apex patterns and dx0 audit packages to map the namespace prefixes in play. The agent uses both before generating anything, so its output fits the patterns already established — not invented ones.
Your agent is writing a trigger on a custom object. Without dx0, it invents field names and assumes a data model. With dx0, it first runs dx0 object inspect MyObject__c, reads the real field list, picklist values, validation rules, and existing trigger inventory — and writes code that will compile and satisfy DML constraints on the first try.
A client reports a permissions issue in production. Before proposing a fix, the agent runs dx0 audit permissions and dx0 audit security. Its recommendation accounts for the actual permission set structure and Health Check posture — not textbook Salesforce defaults.
You're adding a new trigger and want to know if the object already has one. dx0 assessment tech-debt multiple-triggers tells you immediately whether there's an existing trigger conflict on the target object, what events are racing, and whether adding another trigger makes an already broken situation worse.
Two consultants are on the same org. Each generates their own API key. The active org is set per-machine, so both can work against different orgs simultaneously without affecting each other. CLI activity is attributed individually for audit purposes.
You rotate off an engagement. Revoke your API key in Profile → CLI & API Keys. Any CLI or AI agent instance using that key stops working immediately. The connected org remains accessible to other workspace members.