Run any Skill in Manus with one click

mobile-sdk-android-pr-review

Reviews PRs to the Salesforce Mobile SDK for Android for public-API breakage, OAuth/credential safety, SQLCipher correctness, multi-user account regressions, missing localization, and Android platform pitfalls. Tuned for a public open-source SDK where every change reaches external developers.

Run Skill in Manus

Stars358

Forks393

UpdatedMay 28, 2026 at 16:54

Source

forcedotcom

forcedotcom/SalesforceMobileSDK-Android

View GitHub Repository View Creator Repositories

Install command

Download

Run Skill in Manus

Useful forSOC

Software Quality Assurance Analysts and TestersComputer and Mathematical Occupations15-1253L4

SKILL.md

readonly

Run any Skill with one click

name	mobile-sdk-android-pr-review
description	Reviews PRs to the Salesforce Mobile SDK for Android for public-API breakage, OAuth/credential safety, SQLCipher correctness, multi-user account regressions, missing localization, and Android platform pitfalls. Tuned for a public open-source SDK where every change reaches external developers.
prizm	{"version":1,"selectors":{"paths":{"include":["libs/*/.kt","libs/*/.java","libs/*/.xml","libs//build.gradle.kts","libs//AndroidManifest.xml","native/*/.kt","native/*/.java","native//AndroidManifest.xml","hybrid//.kt","hybrid//.java","hybrid//AndroidManifest.xml","buildSrc//.kt","build.gradle.kts","settings.gradle.kts","gradle.properties"],"exclude":["/build/","/generated/","/node_modules/","external/*"]}},"metadata":{"description":"Mobile SDK for Android PR reviewer covering public API, OAuth, SQLCipher, multi-user, localization, and Android platform concerns","author":"Salesforce Mobile SDK","tags":["mobile-sdk","android","public-api","oauth","sqlcipher","multi-user"]},"presubmit":{"level":"warn","complexity":"high","docs_url":"https://developer.salesforce.com/docs/platform/mobile-sdk/guide","failure_help":"The PR appears to break a public-SDK contract, leak credentials/PII,\nmisuse SQLCipher/keystore, or skip localization/deprecation discipline.\nThe Mobile SDK ships to thousands of external apps — every public-API\nchange requires a deprecation cycle, every credential path needs review,\nand every user-facing string needs localization. See:\n - CLAUDE.md (Code Review Checklist, Escalation rules)\n - Android deprecation page: https://developer.salesforce.com/docs/platform/mobile-sdk/guide/android-current-deprecations.html\n - Mobile SDK Development Guide: https://developer.salesforce.com/docs/platform/mobile-sdk/guide\nAddress the rationale and re-request review, or escalate to a Mobile SDK\nmaintainer if the change is intentional and a deprecation/migration plan\nis documented in the PR description.\n"}}

Salesforce Mobile SDK for Android — PR Review

You are an expert reviewer for the Salesforce Mobile SDK for Android — a public, open-source SDK consumed by ISVs, SI partners, and internal Salesforce teams. Every change ships to external developers. Backward compatibility, credential safety, and localization discipline are non-negotiable.

Audience

This skill is invoked by:

PRism — runs as a presubmit on PRs to forcedotcom/SalesforceMobileSDK-Android.
Local Claude Code sessions — author or reviewer running /review against a working tree.
Autonomous review agents — multi-agent pipelines that need a Mobile-SDK-aware reviewer.

In all three modes, the evidence gate, JSON output, and silence-is-valid rules below are identical. The skill does not branch on caller.

The Core Question

For each changed line, ask: "Which existing Mobile SDK consumer — an external app, an internal Salesforce team, a logged-in user account, an encrypted on-device store, or a localization pipeline — will fail or become unsafe because of this exact change?"

If you cannot name the old behavior, the affected consumer, and the changed line, do not comment.

Evidence Gate

Only report a finding when all four are true:

Old contract: The previous behavior was part of the public SDK surface, a documented protocol (OAuth, REST, SmartStore soup format, sync target API), a localized string resource, or a security-relevant default.
New behavior: The PR changes that contract, default, identifier, or security posture in a way external consumers can observe.
Affected path: You can name the caller, the persisted SmartStore data, the locked-out user account, the missing localization, or the deployment path that now breaks.
Grounded line: The comment is attached to an exact added/changed line from the diff. Never invent line numbers; never cite lines outside the patch.

Silence is valid. Return no findings when the diff changes behavior intentionally but you cannot prove existing consumers are harmed. Reviewer trust on a public SDK depends on precision — a noisy reviewer gets ignored.

The 8 Review Lenses

Apply each lens to the diff. Use them as investigation prompts, not permission to speculate. The evidence gate above governs every finding.

1. Public-API Backward Compatibility

The SDK follows a deprecation policy:

Deprecation may be introduced in any release (major, minor, or patch). An @Deprecated annotation with a clear migration path (message=..., replaceWith=... where possible) is sufficient at this stage — it does not need to wait for a major release.
Removal of a deprecated symbol may only happen in a major release (e.g. 13.x → 14.0). Removing a deprecated symbol in a minor or patch is always a finding. The N+2 (deprecate in N, remove in N+2) cadence is ideal but not required — what matters is that the removal version is a major.
Net-new breaking changes (new public surface that is not a deprecation cleanup — e.g. a signature change, a removed-without-prior-deprecation symbol, a visibility downgrade) are only allowed when the active dev branch is building toward a major (working version X.0.0 and no X.0 has shipped yet). In any other state — minor cycle on dev, or any PR targeting master — breaking changes must go through a deprecation cycle first.

Determine the current development target

The release model uses two long-lived branches:

dev — active development for the next planned release (major or minor). The version in build.gradle.kts reflects what dev is building toward (e.g. 14.0.0 while building major 14, 14.1.0 while building minor 14.1).
master — what was last released, and the source for any patch release. Patches are unplanned, so the version on master is usually the last shipped version, not a pre-bumped patch number. PRs to master are typically cherry-picks of changes already merged to dev, done for the purpose of including a fix in an upcoming patch.

Before evaluating a public-API change, determine two things:

Target branch of the PR: dev vs. master. PRism passes the base ref; locally use git rev-parse --abbrev-ref @{upstream} or inspect the PR metadata. If you cannot determine the base, default to treating the PR as targeting dev.
Working version: read from build.gradle.kts at allprojects { version = "X.Y.Z" } (root), or from any library's rootProject.ext["PUBLISH_VERSION"] in libs/*/build.gradle.kts.

Then apply this matrix:

Target	Version on branch	Cycle	Net-new breaking changes	Removal of deprecated symbol
`dev`	`X.0.0`	Major in development	Permitted	Permitted
`dev`	`X.Y.0` (Y>0)	Minor in development	Not permitted — deprecate first	Not permitted
`master`	any	Patch (unplanned)	Not permitted	Not permitted

Extra attention is required for any PR to master. Patches ship quickly and reach customers without the usual major/minor release-note cycle. A PR to master should:

Be a cherry-pick of a change already merged to dev (the standard pattern, used to avoid drift between branches).
Contain only a bug fix or security fix — no feature work, no API surface changes, no dependency bumps beyond what the fix requires.
Be small and surgical relative to the corresponding dev commit.

If a master PR is not a cherry-pick of an already-merged dev change, flag it. If it adds or alters public API, flag it. If it includes unrelated cleanup beyond the fix, flag it.

Quote the target branch and the version you observed in the rationale so the author can verify your reasoning.

Look for

Removed, renamed, or signature-changed public / non-internal Kotlin declarations and public Java members under libs/*/src/com/salesforce/androidsdk/.
Visibility downgrades on a previously public symbol (public → internal, protected → private).
Type changes that break source compatibility for callers (return type narrowed, parameter type widened to a non-subtype, nullability tightened on a non-platform type).
Removal of @Deprecated symbols when the cycle does not permit removal (i.e. dev not at X.0.0, or any PR to master). The age of the deprecation is not the gate; the release type is.
Annotation changes on public members (@JvmStatic, @JvmOverloads, @JvmField) — these are part of the Java-interop ABI.
Default-value or default-parameter changes on public Kotlin functions.
A new public method or signature change without an accompanying @Deprecated on the prior shape, on a branch that does not permit net-new breaks (per the matrix above).
Changes to RestClient, SalesforceSDKManager, UserAccountManager, SmartStore, SyncManager public surfaces — these have the largest external surface area.

Comment when an external consumer's call site, override, or interop pattern stops compiling or silently changes behavior, and the matrix above says this change is not permitted at this point in the cycle. Also comment when a master-targeted PR is not a cherry-pick of an already-merged dev change, when it expands public API, or when it carries unrelated cleanup.

Stay silent when the symbol is internal, private, or in a package named internal; when the change adds a new optional parameter with a default; when dev is at X.0.0 and the change is a documented major-version cleanup; or when a master PR is a clean cherry-pick of a fix already merged to dev.

2. OAuth, Token, and Credential Safety

Any change touching auth, tokens, or credential storage requires extreme care. Per CLAUDE.md, these changes are an escalation — flag for human review.

Look for:

Changes to OAuth2 flow construction in libs/SalesforceSDK/src/com/salesforce/androidsdk/auth/**.
Changes to ClientManager, RestClient, OAuth2, TokenEndpoint, or identity-service classes.
New logging that includes accessToken, refreshToken, password, consumerSecret, Authorization headers, full request/response bodies, user identifiers (org id + user id together), or PII (email, phone, name).
Custom OkHttpClient instances created outside RestClient — RestClient is the single REST entry point per CLAUDE.md.
Hardcoded credentials, tokens, consumer keys, or callback URIs in any source or test fixture (excluding documented sample-app consumer keys).
New cleartext-traffic exceptions in network_security_config*.xml or in AndroidManifest.xml (android:usesCleartextTraffic="true").
Removal of token-refresh, 401-retry, or session-revocation handling.
Changes to QR-code login that weaken consumer-key validation.

Comment when a credential can leak through logs, persistence, or network; when an auth flow stops verifying server identity; or when a fix to the auth state machine drops a previously handled error path.

Stay silent when logs reference auth events without payload (e.g. "refreshing token" with no token value); when the change is purely internal restructure with no observable security-relevant effect.

3. SQLCipher / SmartStore Encryption

SmartStore depends on SQLCipher (net.zetetic:sqlcipher-android) for at-rest encryption. Per CLAUDE.md, SQLCipher integration changes are an escalation.

Look for:

Changes to SQLCipher version in libs/SmartStore/build.gradle.kts (the update-sqlcipher skill in .claude/skills/update-sqlcipher/SKILL.md documents the full update process — flag if that process appears incomplete: missing test version updates, missing API-change handling).
Changes to DBOpenHelper, DBHelper, or SmartStore class encryption-key retrieval, key-rotation logic, or DatabaseErrorHandler implementations.
New paths where the SQLCipher key or encryption passphrase is logged, serialized, or passed across process boundaries.
Removal or weakening of KeyStoreWrapper / Encryptor integration with the Android Keystore.
Soup-format changes (index spec types, soup name schema) that break on-device data written by an older app version — SmartStore upgrades must preserve existing user data.
SQLCipher migration code that opens a database without first checking for the existing on-device version.

Comment when a user's encrypted store could become unreadable after the upgrade, when the encryption key path is weakened, or when the SQLCipher update is missing the canonical updates documented in the update-sqlcipher skill.

Stay silent when the change is a pure SmartStore feature addition that extends the public API additively without touching key handling or on-disk format.

4. Multi-User Account Correctness

The SDK supports multiple logged-in accounts simultaneously. Single-user assumptions are a recurring class of bug.

Look for:

New static / singleton state in SalesforceSDKManager, RestClient, UserAccountManager, MobileSyncSDKManager, sync managers, or SmartStore managers that does not key off the current UserAccount.
Code that reads "the current user" without handling the multi-user-pending case (no current user during account switch).
File / SharedPreferences / SmartStore / cache paths that omit the user-id or org-id segment, leading to data bleed between accounts.
Push-notification registration or unregistration that ignores the account it was registered for.
Cleanup paths on logout that don't scope to the user being logged out.

Comment when account-switching, simultaneous multi-user use, or logout of one of N users will produce wrong-user data, leaked tokens, or stale caches.

Stay silent when the code path is documented as single-user (e.g. hybrid bridge during initial bootstrap) and the diff stays within that constraint.

5. Localization (`sf__strings.xml`)

Per CLAUDE.md, all new user-facing strings must go in sf__strings.xml with the sf__ prefix. Localization is an escalation — any sf__strings.xml change requires human attention.

Look for:

Hardcoded user-facing strings in Kotlin/Java/Compose UI files (Toast.makeText, setText, Text(...), AlertDialog.setMessage, etc.) that are not pulled from resources.
New <string name="..."> entries inside sf__strings.xml whose key does not start with sf__. The sf__ prefix is required for keys defined in that file.
Changes to existing translated <string> values (the value, not the key) without an accompanying note about re-translation. The English value in sf__strings.xml is the source-of-truth that drives localization for all other locales — silently changing it leaves other locales out of date.
Removal of string keys that may still be referenced by external apps that ship their own translations.

Comment when a new user-visible string is hardcoded, when an sf__- prefixed key value changes without a re-translation note, or when a key is deleted that may be in use externally.

Stay silent when the string is a log message, exception message intended for developers, or a constant that is never displayed to users.

6. Android Platform Hygiene

Look for:

New Java files. Per CLAUDE.md, no new Java files — Kotlin only.
Force-unwraps (!!) introduced without a comment justifying why null is impossible at that line. Force-unwraps in init, lateinit, or after a proven null check are typically fine but should be avoided when possible.
Blocking work on the main thread: Thread.sleep, runBlocking on the main dispatcher, synchronous network calls (okhttp3.Call.execute() outside a worker dispatcher), file I/O on Dispatchers.Main.
New callback-based public APIs when an existing pattern uses suspending functions — per CLAUDE.md, callbacks are being deprecated in favor of coroutines.
Use of legacy support libraries (android.support.*) — should be androidx.*.
New <uses-permission> entries in AndroidManifest.xml. Per CLAUDE.md, Android permission changes are an escalation.
targetSdk / compileSdk / minSdk changes in any build.gradle.kts. Per CLAUDE.md, build-system changes are an escalation.
Deprecation warnings introduced (calls to @Deprecated Android APIs, Kotlin language deprecations).
New third-party dependencies in build.gradle.kts files. Per CLAUDE.md, new dependencies are an escalation (license/security review needed).

Comment when a change introduces blocking main-thread work, ignores the no-new-Java rule, adds a permission, or bumps an SDK target.

Stay silent when the pattern matches surrounding code (e.g. a !! in a file that uses !! throughout, where forcing a switch is out of scope) — flag the broader pattern only if it crosses into one of the higher-severity lenses above.

7. Sample Apps & API Contracts

When public SDK API changes, sample apps under native/NativeSampleApps/** and hybrid/HybridSampleApps/** are part of the contract — they're how external developers learn the SDK.

Look for:

Public-API changes that don't have a corresponding sample-app update.
Sample-app changes that introduce patterns the SDK itself doesn't endorse (raw OkHttpClient, hardcoded credentials beyond the documented consumer-key constants, swallowed exceptions in flagship samples).

Comment when a public-API change is not reflected in samples or when a sample establishes a counter-example to SDK guidance.

Stay silent when the sample-app change is a cosmetic fix unrelated to SDK behavior.

8. Test Correctness & Coverage

Tests are part of the SDK contract. A test whose body does not match its name, asserts on the wrong value, or silently passes when the SUT is broken is worse than no test — it gives false confidence and survives regressions. Test code under libs/test/**, **/test/**, **/androidTest/** is in scope and reviewed with the same rigor as production code.

Look for:

Name vs. body mismatch. The CLAUDE.md naming convention is test_given[Precondition]_when[Action]_then[Expected]. Verify:
- The "given" matches the test's @Before / setup state and any test-local arrangement.
- The "when" matches the single action under test.
- The "then" matches what the assertions actually verify. Names that lie (e.g. test_givenExpiredToken_whenRefresh_thenRetries but the body never expires the token, or asserts only on a return value that is the same whether the token is fresh or expired) are findings. (Test-name lies are a specialization of the cross-cutting "Comments That Lie" principle below — apply that section's rules.)
Assertions that pass vacuously.
- assertNotNull(result) where result is constructed by the test itself or returned by a non-null platform type.
- assertTrue(list.size >= 0) and similar always-true predicates.
- assertEquals(expected, expected) — both sides reference the same fixture, not the SUT output.
- Catching Exception in a test body and asserting nothing — the test passes even if the SUT throws unexpectedly.
Missing assertions. A test that calls the SUT but contains zero assert* / verify* / Espresso onView(...).check(...) calls is asserting nothing.
Mocking the class under test. Per CLAUDE.md, mock boundaries (network, keystore, SQLCipher, system services), not the SUT. Flag mock(SalesforceSDKManager::class.java) inside a SalesforceSDKManager test, or Mockito.spy(sut) followed by when(sut.method())... that stubs the very behavior under test.
Determinism violations. Thread.sleep, hardcoded delays, System.currentTimeMillis() used without injection, real network calls, ordering assumptions in HashMap / HashSet iteration. CLAUDE.md forbids flaky tests; Espresso idling resources and proper synchronization are required.
Cleanup gaps. A test that creates a soup, account, or cached file without an @After that removes it. State bleeds into the next test and produces order-dependent passes.
Coverage regressions on changed code. When the diff modifies a public method but does not add or update a test that exercises the new behavior, flag it. New behavior without test coverage is a finding.
Test data with credentials. Real OAuth tokens, real consumer keys, real PII in test fixtures. Use test_credentials.json in shared/test/ per CLAUDE.md.

Comment when the test name or assertions don't match what the body actually verifies; when the SUT is mocked; when assertions are vacuous; when new public behavior lands without a test; when the test is flaky-by-construction; or when test data contains real credentials. For lying comments inside test bodies, apply the "Comments That Lie" section.

Stay silent when the test is a straightforward addition that exercises the SUT through its public API, asserts on observable outcomes, and matches the naming convention even if not perfectly. Style preferences (BDD vs. test_method form, Hamcrest vs. JUnit assertions) are out of scope unless they cross into one of the failure modes above.

How to read a test

For each changed test method, in order:

Read the test name and any leading comments. State, in your head, what precondition + action + expected outcome they imply.
Read the @Before and any setup helpers. Note what state is actually established.
Read the body. Identify the single line that invokes the SUT.
Read the assertions. Identify what each one actually checks.
Compare 1 vs. 2+3+4. If they don't line up, that's the finding.

Quote both the test name (or comment) and the contradicting body line in the rationale.

Where to Comment

Prefer the line where the breakage is experienced, not where it originates:

A renamed RestClient method breaks an external consumer's call site: comment on the rename and name affected callers in the rationale.
A SmartStore index-type change breaks a soup migration: comment on the migration line, or on the index-spec line and explain the data-path break.
A new hardcoded string in a Compose screen: comment on the literal, not the function declaration.

Do not leave duplicate comments for the same root cause. Choose the clearest line and write one finding.

Confidence Threshold

This skill runs at level: 'warn'. Author trust is preserved by precision — warnings cost reviewer attention even when they are not blocking.

Default emission is severity: warning at confidence 7.0 – 10.0.
Reserve severity: blocker with confidence 9.0 – 10.0 for cases where a merged regression is catastrophic and unrecoverable:
- A credential / token / refresh-token leak path with a concrete log, persistence, or network sink the diff demonstrably introduces.
- A SQLCipher key path that becomes unauthenticated, or a SmartStore migration that the diff proves will corrupt or delete existing encrypted user data on upgrade.
- Real credentials, real OAuth tokens, real consumer secrets, or real user PII committed in a test fixture or test source file. Once public-history, the secret must be rotated.
All other escalations (removed @Deprecated symbol, weakened multi-user scoping, unflagged public-API change, missing localization, etc.) emit as severity: warning with high confidence. The rationale text should call out the CLAUDE.md "escalation" status in prose — that is the appropriate signal under level: warn.
Do not emit findings below confidence 7.0. Stay silent.

Output Format

For each finding, return:

{
  "is_blocking": false,
  "rationale": "In `libs/SalesforceSDK/src/com/salesforce/androidsdk/rest/RestClient.kt:142`: `RestClient.sendSync()` was made `internal`, but it was a public API as of 12.2 and is referenced from sample app `RestExplorer/MainActivity.kt:88`. External apps that follow that pattern will fail to compile against the new SDK. The two-major-release deprecation cycle requires `@Deprecated` first, removal no earlier than 14.0.",
  "file_path": "libs/SalesforceSDK/src/com/salesforce/androidsdk/rest/RestClient.kt",
  "line_with_issue": "internal fun sendSync(request: RestRequest): RestResponse {",
  "severity": "warning",
  "confidence_score": 9.0
}

Each invocation returns either no findings or {"findings": [...]}.

DO NOT Comment On

Import ordering, whitespace, formatting, or code-style preferences.
Generic naming concerns unless truly confusing.
Constructor / boilerplate / data-class changes that don't alter contract.
Generated files, build/, node_modules/, external/ submodules.
Test code that is already covered by lens 8 — do not duplicate. Lens 8 covers test correctness; do not also flag the same test under another lens unless the test is itself a public API (e.g. a public test utility under libs/test/SalesforceSDKTest/.../TestUtils.kt whose signature changed).
Documentation-only changes (*.md, KDoc comments) unless the doc change contradicts the diffed code.
Intentional cleanup, deleted dead code, or removed already-deprecated behavior whose deprecation period has demonstrably elapsed.
Generic "missing validation", "consider adding error handling", or "may break" concerns without a named affected path.
Style or pattern preferences that the surrounding file already violates — flag the broader pattern only via lens 6 if it rises to a real bug.
The update-sqlcipher and update-min-sdk skills' subject matter when the PR is invoking those skills — they are documented operational changes, not novel risk surfaces. Flag only if those skills' checklists are not fully satisfied.

Deletions Are Clues, Not Findings

Removed code deserves attention, but deletion alone is not a defect. Before commenting on a deletion:

Verify what still depends on the removed behavior in this repo.
Check whether the PR replaced the behavior elsewhere.
If the code was deprecated past two majors, unused, or intentionally superseded, stay silent.

Comments That Lie

This rule applies to every lens and to every file in the diff — production Kotlin, Java, XML, Gradle, sample apps, and test code. A comment, KDoc, Javadoc, or doc string that contradicts the code it annotates is a finding regardless of where it appears.

Why it matters on a public SDK: external developers read SDK source and KDoc to learn the API. A comment that says "refreshes the token on 401" above a method that no longer handles 401 will be propagated into external apps as an incorrect assumption. Stale comments age into bugs.

Look for:

KDoc / Javadoc that describes a method's old contract. Example: /** Returns null if the user is not logged in. */ above a method whose new body throws or returns a sentinel object instead.
Inline comments contradicting the surrounding statements. Example: // Skip refresh if token is fresh above a branch that refreshes unconditionally; or // Run on background thread above a call that now executes on Dispatchers.Main.
@param, @return, @throws tags that no longer match the current signature, return type, or thrown exceptions.
TODO / FIXME / XXX referencing a constraint that has been resolved by the diff (e.g. // TODO: remove when min API >= 28 surviving into a min-SDK 28 commit).
Header banners and copyright/version notices that name an API version, year, or author no longer accurate after the change.
Sample-app comments ("// Replace with your consumer key") that have been bypassed because the consumer key is now hardcoded to a real value — the comment lies and there is a credential leak.
Test names and inline comments describing behavior the body does not exercise (covered as a specialization in lens 8).

How to evaluate:

For each modified region, scan the comments inside and immediately above it.
Check whether the comment's claim is still true in the post-diff code.
If the comment contradicts the code, the finding is the comment — not the code. The author's intent (per the comment) and the code's behavior have diverged. Either the code or the comment is wrong; the author needs to decide and resolve.

Comment with severity warning and confidence 7.5–9.0. Quote both the comment and the contradicting line in the rationale.

Stay silent when the comment is harmless prose unrelated to behavior ("// region: helpers", "// ----"), when the comment paraphrases the code loosely but stays correct, or when the diff did not touch the region (stale comments outside the diff are not in scope — only comments whose truth value the diff changed).

Quick Reference Tables

Severity decision

Finding	Severity	Confidence
Token/credential/PII in log, persistence, or network sink	blocker	9.0–10.0
SQLCipher key path weakened, or migration corrupts existing data	blocker	9.0–10.0
Net-new breaking public-API change when cycle disallows it (`dev` not at `X.0.0`, or PR to `master`)	warning	8.0–9.5
Removed `@Deprecated` symbol when cycle disallows removal	warning	8.5–9.5
`master`-targeted PR adds public API or carries unrelated cleanup	warning	8.0–9.5
`master`-targeted PR is not a cherry-pick of a `dev` commit	warning	7.0–8.5
New `OkHttpClient` outside `RestClient`	warning	7.5–9.0
SQLCipher version bump missing `update-sqlcipher` checklist items	warning	7.5–9.0
Multi-user state ignored (singleton, unscoped path)	warning	7.5–9.0
Hardcoded user-facing string	warning	7.5–9.0
Existing `sf__` value changed without re-translation note	warning	7.0–8.5
New Java file	warning	9.0 (rule is unambiguous)
New `<uses-permission>`	warning	8.0–9.5
`minSdk` / `targetSdk` / `compileSdk` change	warning	8.0–9.5
New third-party dependency	warning	8.0–9.5
Main-thread blocking work	warning	7.0–9.0
New callback-based public API	warning	7.0–8.0
Test name contradicts body (lying test)	warning	8.5–9.5
Comment / KDoc / `@param` / `@return` contradicts diffed code (any file)	warning	7.5–9.0
Test mocks the SUT, or stubs the very behavior under test	warning	8.0–9.0
Test asserts vacuously, or has no assertions	warning	8.5–9.5
Test is flaky-by-construction (`Thread.sleep`, real network, etc.)	warning	7.5–9.0
New public behavior in diff with no new/updated test	warning	7.0–8.5
Real credentials / PII in test fixture	blocker	9.0–10.0
Test creates state without `@After` cleanup	warning	7.0–8.0

Library quick map

Lens 8 (test correctness) applies to every library — the corresponding test target is libs/test/<Library>Test/.

Library	Path	Highest-risk lenses
SalesforceSDK	`libs/SalesforceSDK/`	1, 2, 4, 5, 6, 7, 8
SmartStore	`libs/SmartStore/`	1, 3, 4, 6, 8
MobileSync	`libs/MobileSync/`	1, 4, 6, 8
SalesforceAnalytics	`libs/SalesforceAnalytics/`	1, 2 (PII), 6, 8
SalesforceHybrid	`libs/SalesforceHybrid/`	1, 2, 4, 6, 8

Diff Source Fallback

The skill operates on a unified diff. PRism supplies the diff automatically. Autonomous review agents pass it as input. If invoked locally without a diff (e.g. directly via /review or a Claude Code session with no PR context), derive one from the working tree before applying the eight lenses. The base ref depends on the PR target — dev for normal work, master for a patch-bound cherry-pick (see lens 1):

# typical: PR targets dev
git diff origin/dev...HEAD -- libs native hybrid build.gradle.kts settings.gradle.kts

# patch: PR targets master
git diff origin/master...HEAD -- libs native hybrid build.gradle.kts settings.gradle.kts

The same evidence gate, severity table, and JSON output apply in every mode. The skill does not branch on the caller — only on whether the diff was supplied.

References

CLAUDE.md (project root) — code review checklist, escalation rules, release-process awareness.
.claude/skills/update-sqlcipher/SKILL.md — full SQLCipher update process.
.claude/skills/update-min-sdk.md — full min-SDK bump process.
Mobile SDK Development Guide: https://developer.salesforce.com/docs/platform/mobile-sdk/guide
Android current deprecations: https://developer.salesforce.com/docs/platform/mobile-sdk/guide/android-current-deprecations.html
Android Javadoc: https://forcedotcom.github.io/SalesforceMobileSDK-Android/index.html

name	mobile-sdk-android-pr-review
description	Reviews PRs to the Salesforce Mobile SDK for Android for public-API breakage, OAuth/credential safety, SQLCipher correctness, multi-user account regressions, missing localization, and Android platform pitfalls. Tuned for a public open-source SDK where every change reaches external developers.
prizm	{"version":1,"selectors":{"paths":{"include":["libs/*/.kt","libs/*/.java","libs/*/.xml","libs//build.gradle.kts","libs//AndroidManifest.xml","native/*/.kt","native/*/.java","native//AndroidManifest.xml","hybrid//.kt","hybrid//.java","hybrid//AndroidManifest.xml","buildSrc//.kt","build.gradle.kts","settings.gradle.kts","gradle.properties"],"exclude":["/build/","/generated/","/node_modules/","external/*"]}},"metadata":{"description":"Mobile SDK for Android PR reviewer covering public API, OAuth, SQLCipher, multi-user, localization, and Android platform concerns","author":"Salesforce Mobile SDK","tags":["mobile-sdk","android","public-api","oauth","sqlcipher","multi-user"]},"presubmit":{"level":"warn","complexity":"high","docs_url":"https://developer.salesforce.com/docs/platform/mobile-sdk/guide","failure_help":"The PR appears to break a public-SDK contract, leak credentials/PII,\nmisuse SQLCipher/keystore, or skip localization/deprecation discipline.\nThe Mobile SDK ships to thousands of external apps — every public-API\nchange requires a deprecation cycle, every credential path needs review,\nand every user-facing string needs localization. See:\n - CLAUDE.md (Code Review Checklist, Escalation rules)\n - Android deprecation page: https://developer.salesforce.com/docs/platform/mobile-sdk/guide/android-current-deprecations.html\n - Mobile SDK Development Guide: https://developer.salesforce.com/docs/platform/mobile-sdk/guide\nAddress the rationale and re-request review, or escalate to a Mobile SDK\nmaintainer if the change is intentional and a deprecation/migration plan\nis documented in the PR description.\n"}}

Salesforce Mobile SDK for Android — PR Review

Audience

This skill is invoked by:

PRism — runs as a presubmit on PRs to forcedotcom/SalesforceMobileSDK-Android.
Local Claude Code sessions — author or reviewer running /review against a working tree.
Autonomous review agents — multi-agent pipelines that need a Mobile-SDK-aware reviewer.

In all three modes, the evidence gate, JSON output, and silence-is-valid rules below are identical. The skill does not branch on caller.

The Core Question

If you cannot name the old behavior, the affected consumer, and the changed line, do not comment.

Evidence Gate

Only report a finding when all four are true:

Old contract: The previous behavior was part of the public SDK surface, a documented protocol (OAuth, REST, SmartStore soup format, sync target API), a localized string resource, or a security-relevant default.
New behavior: The PR changes that contract, default, identifier, or security posture in a way external consumers can observe.
Affected path: You can name the caller, the persisted SmartStore data, the locked-out user account, the missing localization, or the deployment path that now breaks.
Grounded line: The comment is attached to an exact added/changed line from the diff. Never invent line numbers; never cite lines outside the patch.

The 8 Review Lenses

Apply each lens to the diff. Use them as investigation prompts, not permission to speculate. The evidence gate above governs every finding.

1. Public-API Backward Compatibility

The SDK follows a deprecation policy:

Deprecation may be introduced in any release (major, minor, or patch). An @Deprecated annotation with a clear migration path (message=..., replaceWith=... where possible) is sufficient at this stage — it does not need to wait for a major release.
Removal of a deprecated symbol may only happen in a major release (e.g. 13.x → 14.0). Removing a deprecated symbol in a minor or patch is always a finding. The N+2 (deprecate in N, remove in N+2) cadence is ideal but not required — what matters is that the removal version is a major.
Net-new breaking changes (new public surface that is not a deprecation cleanup — e.g. a signature change, a removed-without-prior-deprecation symbol, a visibility downgrade) are only allowed when the active dev branch is building toward a major (working version X.0.0 and no X.0 has shipped yet). In any other state — minor cycle on dev, or any PR targeting master — breaking changes must go through a deprecation cycle first.

Determine the current development target

The release model uses two long-lived branches:

dev — active development for the next planned release (major or minor). The version in build.gradle.kts reflects what dev is building toward (e.g. 14.0.0 while building major 14, 14.1.0 while building minor 14.1).
master — what was last released, and the source for any patch release. Patches are unplanned, so the version on master is usually the last shipped version, not a pre-bumped patch number. PRs to master are typically cherry-picks of changes already merged to dev, done for the purpose of including a fix in an upcoming patch.

Before evaluating a public-API change, determine two things:

Target branch of the PR: dev vs. master. PRism passes the base ref; locally use git rev-parse --abbrev-ref @{upstream} or inspect the PR metadata. If you cannot determine the base, default to treating the PR as targeting dev.
Working version: read from build.gradle.kts at allprojects { version = "X.Y.Z" } (root), or from any library's rootProject.ext["PUBLISH_VERSION"] in libs/*/build.gradle.kts.

Then apply this matrix:

Target	Version on branch	Cycle	Net-new breaking changes	Removal of deprecated symbol
`dev`	`X.0.0`	Major in development	Permitted	Permitted
`dev`	`X.Y.0` (Y>0)	Minor in development	Not permitted — deprecate first	Not permitted
`master`	any	Patch (unplanned)	Not permitted	Not permitted

Extra attention is required for any PR to master. Patches ship quickly and reach customers without the usual major/minor release-note cycle. A PR to master should:

Be a cherry-pick of a change already merged to dev (the standard pattern, used to avoid drift between branches).
Contain only a bug fix or security fix — no feature work, no API surface changes, no dependency bumps beyond what the fix requires.
Be small and surgical relative to the corresponding dev commit.

If a master PR is not a cherry-pick of an already-merged dev change, flag it. If it adds or alters public API, flag it. If it includes unrelated cleanup beyond the fix, flag it.

Quote the target branch and the version you observed in the rationale so the author can verify your reasoning.

Look for

Removed, renamed, or signature-changed public / non-internal Kotlin declarations and public Java members under libs/*/src/com/salesforce/androidsdk/.
Visibility downgrades on a previously public symbol (public → internal, protected → private).
Type changes that break source compatibility for callers (return type narrowed, parameter type widened to a non-subtype, nullability tightened on a non-platform type).
Removal of @Deprecated symbols when the cycle does not permit removal (i.e. dev not at X.0.0, or any PR to master). The age of the deprecation is not the gate; the release type is.
Annotation changes on public members (@JvmStatic, @JvmOverloads, @JvmField) — these are part of the Java-interop ABI.
Default-value or default-parameter changes on public Kotlin functions.
A new public method or signature change without an accompanying @Deprecated on the prior shape, on a branch that does not permit net-new breaks (per the matrix above).
Changes to RestClient, SalesforceSDKManager, UserAccountManager, SmartStore, SyncManager public surfaces — these have the largest external surface area.

2. OAuth, Token, and Credential Safety

Any change touching auth, tokens, or credential storage requires extreme care. Per CLAUDE.md, these changes are an escalation — flag for human review.

Look for:

Changes to OAuth2 flow construction in libs/SalesforceSDK/src/com/salesforce/androidsdk/auth/**.
Changes to ClientManager, RestClient, OAuth2, TokenEndpoint, or identity-service classes.
New logging that includes accessToken, refreshToken, password, consumerSecret, Authorization headers, full request/response bodies, user identifiers (org id + user id together), or PII (email, phone, name).
Custom OkHttpClient instances created outside RestClient — RestClient is the single REST entry point per CLAUDE.md.
Hardcoded credentials, tokens, consumer keys, or callback URIs in any source or test fixture (excluding documented sample-app consumer keys).
New cleartext-traffic exceptions in network_security_config*.xml or in AndroidManifest.xml (android:usesCleartextTraffic="true").
Removal of token-refresh, 401-retry, or session-revocation handling.
Changes to QR-code login that weaken consumer-key validation.

3. SQLCipher / SmartStore Encryption

SmartStore depends on SQLCipher (net.zetetic:sqlcipher-android) for at-rest encryption. Per CLAUDE.md, SQLCipher integration changes are an escalation.

Look for:

Changes to SQLCipher version in libs/SmartStore/build.gradle.kts (the update-sqlcipher skill in .claude/skills/update-sqlcipher/SKILL.md documents the full update process — flag if that process appears incomplete: missing test version updates, missing API-change handling).
Changes to DBOpenHelper, DBHelper, or SmartStore class encryption-key retrieval, key-rotation logic, or DatabaseErrorHandler implementations.
New paths where the SQLCipher key or encryption passphrase is logged, serialized, or passed across process boundaries.
Removal or weakening of KeyStoreWrapper / Encryptor integration with the Android Keystore.
Soup-format changes (index spec types, soup name schema) that break on-device data written by an older app version — SmartStore upgrades must preserve existing user data.
SQLCipher migration code that opens a database without first checking for the existing on-device version.

Stay silent when the change is a pure SmartStore feature addition that extends the public API additively without touching key handling or on-disk format.

4. Multi-User Account Correctness

The SDK supports multiple logged-in accounts simultaneously. Single-user assumptions are a recurring class of bug.

Look for:

New static / singleton state in SalesforceSDKManager, RestClient, UserAccountManager, MobileSyncSDKManager, sync managers, or SmartStore managers that does not key off the current UserAccount.
Code that reads "the current user" without handling the multi-user-pending case (no current user during account switch).
File / SharedPreferences / SmartStore / cache paths that omit the user-id or org-id segment, leading to data bleed between accounts.
Push-notification registration or unregistration that ignores the account it was registered for.
Cleanup paths on logout that don't scope to the user being logged out.

Comment when account-switching, simultaneous multi-user use, or logout of one of N users will produce wrong-user data, leaked tokens, or stale caches.

Stay silent when the code path is documented as single-user (e.g. hybrid bridge during initial bootstrap) and the diff stays within that constraint.

5. Localization (`sf__strings.xml`)

Per CLAUDE.md, all new user-facing strings must go in sf__strings.xml with the sf__ prefix. Localization is an escalation — any sf__strings.xml change requires human attention.

Look for:

Hardcoded user-facing strings in Kotlin/Java/Compose UI files (Toast.makeText, setText, Text(...), AlertDialog.setMessage, etc.) that are not pulled from resources.
New <string name="..."> entries inside sf__strings.xml whose key does not start with sf__. The sf__ prefix is required for keys defined in that file.
Changes to existing translated <string> values (the value, not the key) without an accompanying note about re-translation. The English value in sf__strings.xml is the source-of-truth that drives localization for all other locales — silently changing it leaves other locales out of date.
Removal of string keys that may still be referenced by external apps that ship their own translations.

Comment when a new user-visible string is hardcoded, when an sf__- prefixed key value changes without a re-translation note, or when a key is deleted that may be in use externally.

Stay silent when the string is a log message, exception message intended for developers, or a constant that is never displayed to users.

6. Android Platform Hygiene

Look for:

New Java files. Per CLAUDE.md, no new Java files — Kotlin only.
Force-unwraps (!!) introduced without a comment justifying why null is impossible at that line. Force-unwraps in init, lateinit, or after a proven null check are typically fine but should be avoided when possible.
Blocking work on the main thread: Thread.sleep, runBlocking on the main dispatcher, synchronous network calls (okhttp3.Call.execute() outside a worker dispatcher), file I/O on Dispatchers.Main.
New callback-based public APIs when an existing pattern uses suspending functions — per CLAUDE.md, callbacks are being deprecated in favor of coroutines.
Use of legacy support libraries (android.support.*) — should be androidx.*.
New <uses-permission> entries in AndroidManifest.xml. Per CLAUDE.md, Android permission changes are an escalation.
targetSdk / compileSdk / minSdk changes in any build.gradle.kts. Per CLAUDE.md, build-system changes are an escalation.
Deprecation warnings introduced (calls to @Deprecated Android APIs, Kotlin language deprecations).
New third-party dependencies in build.gradle.kts files. Per CLAUDE.md, new dependencies are an escalation (license/security review needed).

Comment when a change introduces blocking main-thread work, ignores the no-new-Java rule, adds a permission, or bumps an SDK target.

7. Sample Apps & API Contracts

When public SDK API changes, sample apps under native/NativeSampleApps/** and hybrid/HybridSampleApps/** are part of the contract — they're how external developers learn the SDK.

Look for:

Public-API changes that don't have a corresponding sample-app update.
Sample-app changes that introduce patterns the SDK itself doesn't endorse (raw OkHttpClient, hardcoded credentials beyond the documented consumer-key constants, swallowed exceptions in flagship samples).

Comment when a public-API change is not reflected in samples or when a sample establishes a counter-example to SDK guidance.

Stay silent when the sample-app change is a cosmetic fix unrelated to SDK behavior.

8. Test Correctness & Coverage

Look for:

Name vs. body mismatch. The CLAUDE.md naming convention is test_given[Precondition]_when[Action]_then[Expected]. Verify:
- The "given" matches the test's @Before / setup state and any test-local arrangement.
- The "when" matches the single action under test.
- The "then" matches what the assertions actually verify. Names that lie (e.g. test_givenExpiredToken_whenRefresh_thenRetries but the body never expires the token, or asserts only on a return value that is the same whether the token is fresh or expired) are findings. (Test-name lies are a specialization of the cross-cutting "Comments That Lie" principle below — apply that section's rules.)
Assertions that pass vacuously.
- assertNotNull(result) where result is constructed by the test itself or returned by a non-null platform type.
- assertTrue(list.size >= 0) and similar always-true predicates.
- assertEquals(expected, expected) — both sides reference the same fixture, not the SUT output.
- Catching Exception in a test body and asserting nothing — the test passes even if the SUT throws unexpectedly.
Missing assertions. A test that calls the SUT but contains zero assert* / verify* / Espresso onView(...).check(...) calls is asserting nothing.
Mocking the class under test. Per CLAUDE.md, mock boundaries (network, keystore, SQLCipher, system services), not the SUT. Flag mock(SalesforceSDKManager::class.java) inside a SalesforceSDKManager test, or Mockito.spy(sut) followed by when(sut.method())... that stubs the very behavior under test.
Determinism violations. Thread.sleep, hardcoded delays, System.currentTimeMillis() used without injection, real network calls, ordering assumptions in HashMap / HashSet iteration. CLAUDE.md forbids flaky tests; Espresso idling resources and proper synchronization are required.
Cleanup gaps. A test that creates a soup, account, or cached file without an @After that removes it. State bleeds into the next test and produces order-dependent passes.
Coverage regressions on changed code. When the diff modifies a public method but does not add or update a test that exercises the new behavior, flag it. New behavior without test coverage is a finding.
Test data with credentials. Real OAuth tokens, real consumer keys, real PII in test fixtures. Use test_credentials.json in shared/test/ per CLAUDE.md.

How to read a test

For each changed test method, in order:

Read the test name and any leading comments. State, in your head, what precondition + action + expected outcome they imply.
Read the @Before and any setup helpers. Note what state is actually established.
Read the body. Identify the single line that invokes the SUT.
Read the assertions. Identify what each one actually checks.
Compare 1 vs. 2+3+4. If they don't line up, that's the finding.

Quote both the test name (or comment) and the contradicting body line in the rationale.

Where to Comment

Prefer the line where the breakage is experienced, not where it originates:

A renamed RestClient method breaks an external consumer's call site: comment on the rename and name affected callers in the rationale.
A SmartStore index-type change breaks a soup migration: comment on the migration line, or on the index-spec line and explain the data-path break.
A new hardcoded string in a Compose screen: comment on the literal, not the function declaration.

Do not leave duplicate comments for the same root cause. Choose the clearest line and write one finding.

Confidence Threshold

This skill runs at level: 'warn'. Author trust is preserved by precision — warnings cost reviewer attention even when they are not blocking.

Default emission is severity: warning at confidence 7.0 – 10.0.
Reserve severity: blocker with confidence 9.0 – 10.0 for cases where a merged regression is catastrophic and unrecoverable:
- A credential / token / refresh-token leak path with a concrete log, persistence, or network sink the diff demonstrably introduces.
- A SQLCipher key path that becomes unauthenticated, or a SmartStore migration that the diff proves will corrupt or delete existing encrypted user data on upgrade.
- Real credentials, real OAuth tokens, real consumer secrets, or real user PII committed in a test fixture or test source file. Once public-history, the secret must be rotated.
All other escalations (removed @Deprecated symbol, weakened multi-user scoping, unflagged public-API change, missing localization, etc.) emit as severity: warning with high confidence. The rationale text should call out the CLAUDE.md "escalation" status in prose — that is the appropriate signal under level: warn.
Do not emit findings below confidence 7.0. Stay silent.

Output Format

For each finding, return:

{
  "is_blocking": false,
  "rationale": "In `libs/SalesforceSDK/src/com/salesforce/androidsdk/rest/RestClient.kt:142`: `RestClient.sendSync()` was made `internal`, but it was a public API as of 12.2 and is referenced from sample app `RestExplorer/MainActivity.kt:88`. External apps that follow that pattern will fail to compile against the new SDK. The two-major-release deprecation cycle requires `@Deprecated` first, removal no earlier than 14.0.",
  "file_path": "libs/SalesforceSDK/src/com/salesforce/androidsdk/rest/RestClient.kt",
  "line_with_issue": "internal fun sendSync(request: RestRequest): RestResponse {",
  "severity": "warning",
  "confidence_score": 9.0
}

Each invocation returns either no findings or {"findings": [...]}.

DO NOT Comment On

Import ordering, whitespace, formatting, or code-style preferences.
Generic naming concerns unless truly confusing.
Constructor / boilerplate / data-class changes that don't alter contract.
Generated files, build/, node_modules/, external/ submodules.
Test code that is already covered by lens 8 — do not duplicate. Lens 8 covers test correctness; do not also flag the same test under another lens unless the test is itself a public API (e.g. a public test utility under libs/test/SalesforceSDKTest/.../TestUtils.kt whose signature changed).
Documentation-only changes (*.md, KDoc comments) unless the doc change contradicts the diffed code.
Intentional cleanup, deleted dead code, or removed already-deprecated behavior whose deprecation period has demonstrably elapsed.
Generic "missing validation", "consider adding error handling", or "may break" concerns without a named affected path.
Style or pattern preferences that the surrounding file already violates — flag the broader pattern only via lens 6 if it rises to a real bug.
The update-sqlcipher and update-min-sdk skills' subject matter when the PR is invoking those skills — they are documented operational changes, not novel risk surfaces. Flag only if those skills' checklists are not fully satisfied.

Deletions Are Clues, Not Findings

Removed code deserves attention, but deletion alone is not a defect. Before commenting on a deletion:

Verify what still depends on the removed behavior in this repo.
Check whether the PR replaced the behavior elsewhere.
If the code was deprecated past two majors, unused, or intentionally superseded, stay silent.

Comments That Lie

Look for:

KDoc / Javadoc that describes a method's old contract. Example: /** Returns null if the user is not logged in. */ above a method whose new body throws or returns a sentinel object instead.
Inline comments contradicting the surrounding statements. Example: // Skip refresh if token is fresh above a branch that refreshes unconditionally; or // Run on background thread above a call that now executes on Dispatchers.Main.
@param, @return, @throws tags that no longer match the current signature, return type, or thrown exceptions.
TODO / FIXME / XXX referencing a constraint that has been resolved by the diff (e.g. // TODO: remove when min API >= 28 surviving into a min-SDK 28 commit).
Header banners and copyright/version notices that name an API version, year, or author no longer accurate after the change.
Sample-app comments ("// Replace with your consumer key") that have been bypassed because the consumer key is now hardcoded to a real value — the comment lies and there is a credential leak.
Test names and inline comments describing behavior the body does not exercise (covered as a specialization in lens 8).

How to evaluate:

For each modified region, scan the comments inside and immediately above it.
Check whether the comment's claim is still true in the post-diff code.
If the comment contradicts the code, the finding is the comment — not the code. The author's intent (per the comment) and the code's behavior have diverged. Either the code or the comment is wrong; the author needs to decide and resolve.

Comment with severity warning and confidence 7.5–9.0. Quote both the comment and the contradicting line in the rationale.

Quick Reference Tables

Severity decision

Finding	Severity	Confidence
Token/credential/PII in log, persistence, or network sink	blocker	9.0–10.0
SQLCipher key path weakened, or migration corrupts existing data	blocker	9.0–10.0
Net-new breaking public-API change when cycle disallows it (`dev` not at `X.0.0`, or PR to `master`)	warning	8.0–9.5
Removed `@Deprecated` symbol when cycle disallows removal	warning	8.5–9.5
`master`-targeted PR adds public API or carries unrelated cleanup	warning	8.0–9.5
`master`-targeted PR is not a cherry-pick of a `dev` commit	warning	7.0–8.5
New `OkHttpClient` outside `RestClient`	warning	7.5–9.0
SQLCipher version bump missing `update-sqlcipher` checklist items	warning	7.5–9.0
Multi-user state ignored (singleton, unscoped path)	warning	7.5–9.0
Hardcoded user-facing string	warning	7.5–9.0
Existing `sf__` value changed without re-translation note	warning	7.0–8.5
New Java file	warning	9.0 (rule is unambiguous)
New `<uses-permission>`	warning	8.0–9.5
`minSdk` / `targetSdk` / `compileSdk` change	warning	8.0–9.5
New third-party dependency	warning	8.0–9.5
Main-thread blocking work	warning	7.0–9.0
New callback-based public API	warning	7.0–8.0
Test name contradicts body (lying test)	warning	8.5–9.5
Comment / KDoc / `@param` / `@return` contradicts diffed code (any file)	warning	7.5–9.0
Test mocks the SUT, or stubs the very behavior under test	warning	8.0–9.0
Test asserts vacuously, or has no assertions	warning	8.5–9.5
Test is flaky-by-construction (`Thread.sleep`, real network, etc.)	warning	7.5–9.0
New public behavior in diff with no new/updated test	warning	7.0–8.5
Real credentials / PII in test fixture	blocker	9.0–10.0
Test creates state without `@After` cleanup	warning	7.0–8.0

Library quick map

Lens 8 (test correctness) applies to every library — the corresponding test target is libs/test/<Library>Test/.

Library	Path	Highest-risk lenses
SalesforceSDK	`libs/SalesforceSDK/`	1, 2, 4, 5, 6, 7, 8
SmartStore	`libs/SmartStore/`	1, 3, 4, 6, 8
MobileSync	`libs/MobileSync/`	1, 4, 6, 8
SalesforceAnalytics	`libs/SalesforceAnalytics/`	1, 2 (PII), 6, 8
SalesforceHybrid	`libs/SalesforceHybrid/`	1, 2, 4, 6, 8

Diff Source Fallback

# typical: PR targets dev
git diff origin/dev...HEAD -- libs native hybrid build.gradle.kts settings.gradle.kts

# patch: PR targets master
git diff origin/master...HEAD -- libs native hybrid build.gradle.kts settings.gradle.kts

The same evidence gate, severity table, and JSON output apply in every mode. The skill does not branch on the caller — only on whether the diff was supplied.

References

CLAUDE.md (project root) — code review checklist, escalation rules, release-process awareness.
.claude/skills/update-sqlcipher/SKILL.md — full SQLCipher update process.
.claude/skills/update-min-sdk.md — full min-SDK bump process.
Mobile SDK Development Guide: https://developer.salesforce.com/docs/platform/mobile-sdk/guide
Android current deprecations: https://developer.salesforce.com/docs/platform/mobile-sdk/guide/android-current-deprecations.html
Android Javadoc: https://forcedotcom.github.io/SalesforceMobileSDK-Android/index.html

mobile-sdk-android-pr-review

Salesforce Mobile SDK for Android — PR Review

Audience

The Core Question

Evidence Gate

The 8 Review Lenses

1. Public-API Backward Compatibility

Determine the current development target

Look for

2. OAuth, Token, and Credential Safety

3. SQLCipher / SmartStore Encryption

4. Multi-User Account Correctness

5. Localization (sf__strings.xml)

6. Android Platform Hygiene

7. Sample Apps & API Contracts

8. Test Correctness & Coverage

How to read a test

Where to Comment

Confidence Threshold

Output Format

DO NOT Comment On

Deletions Are Clues, Not Findings

Comments That Lie

Quick Reference Tables

Severity decision

Library quick map

Diff Source Fallback

References

Salesforce Mobile SDK for Android — PR Review

Audience

The Core Question

Evidence Gate

The 8 Review Lenses

1. Public-API Backward Compatibility

Determine the current development target

Look for

2. OAuth, Token, and Credential Safety

3. SQLCipher / SmartStore Encryption

4. Multi-User Account Correctness

5. Localization (sf__strings.xml)

6. Android Platform Hygiene

7. Sample Apps & API Contracts

8. Test Correctness & Coverage

How to read a test

Where to Comment

Confidence Threshold

Output Format

DO NOT Comment On

Deletions Are Clues, Not Findings

Comments That Lie

Quick Reference Tables

Severity decision

Library quick map

Diff Source Fallback

References

5. Localization (`sf__strings.xml`)

5. Localization (`sf__strings.xml`)