sf-agent-framework

AI Agent Orchestration Framework for Salesforce Development - Two-phase architecture with 70% context reduction

# API Security Checklist

## Purpose

Ensure all API implementations follow security best practices and protect against common vulnerabilities.

## Checklist Items

### Authentication and Authorization

- [ ] OAuth 2.0 implemented correctly
- [ ] JWT tokens properly validated
- [ ] API keys securely stored
- [ ] Named credentials utilized
- [ ] Session management secure
- [ ] Token expiration configured

### Access Control

- [ ] API user profiles restricted
- [ ] Minimum required permissions granted
- [ ] IP whitelisting implemented
- [ ] Rate limiting configured
- [ ] Concurrent request limits set
- [ ] Resource-level permissions enforced

### Data Security

- [ ] TLS/SSL encryption enforced
- [ ] Sensitive data encrypted at rest
- [ ] PII data protection implemented
- [ ] Data masking in non-production
- [ ] Field-level encryption utilized
- [ ] Secure data transmission verified

### Input Validation

- [ ] Input sanitization implemented
- [ ] SQL injection prevention verified
- [ ] SOQL injection protection enabled
- [ ] XSS protection implemented
- [ ] Data type validation enforced
- [ ] Size limits configured

### Error Handling

- [ ] Generic error messages returned
- [ ] Sensitive data excluded from errors
- [ ] Stack traces hidden
- [ ] Error logging implemented
- [ ] Rate limiting on errors
- [ ] Proper HTTP status codes used

### API Design Security

- [ ] RESTful principles followed
- [ ] Versioning strategy implemented
- [ ] Deprecated endpoints removed
- [ ] CORS properly configured
- [ ] HTTP methods restricted
- [ ] Unsafe operations protected

### Monitoring and Logging

- [ ] API calls logged appropriately
- [ ] Anomaly detection configured
- [ ] Performance metrics tracked
- [ ] Security events monitored
- [ ] Audit trail maintained
- [ ] Real-time alerts configured

### Integration Security

- [ ] External endpoints verified
- [ ] Certificate validation enabled
- [ ] Mutual TLS where required
- [ ] Secure credential storage
- [ ] Connection pooling configured
- [ ] Timeout settings appropriate

### Governor Limits Protection

- [ ] API call limits monitored
- [ ] Bulk operation limits considered
- [ ] Query optimization implemented
- [ ] Pagination implemented
- [ ] Selective field queries used
- [ ] Caching strategy defined

### Testing and Validation

- [ ] Security testing completed
- [ ] Penetration testing performed
- [ ] OWASP Top 10 addressed
- [ ] Load testing conducted
- [ ] Negative testing scenarios
- [ ] Security scanning automated

### Documentation and Standards

- [ ] API documentation complete
- [ ] Security guidelines documented
- [ ] Authentication flows documented
- [ ] Error codes documented
- [ ] Rate limits published
- [ ] SLA defined

### Compliance Requirements

- [ ] GDPR compliance verified
- [ ] CCPA requirements met
- [ ] HIPAA compliance (if applicable)
- [ ] PCI DSS compliance (if applicable)
- [ ] Industry standards followed
- [ ] Data residency requirements met

### Vulnerability Management

- [ ] Regular security assessments
- [ ] Dependency scanning implemented
- [ ] Patch management process
- [ ] Zero-day response plan
- [ ] Security advisories monitored
- [ ] Remediation SLAs defined

### API Gateway Security

- [ ] Gateway properly configured
- [ ] Request filtering enabled
- [ ] Response filtering implemented
- [ ] Threat protection active
- [ ] API key rotation scheduled
- [ ] Backend services protected

### Mobile API Security

- [ ] Mobile-specific endpoints secured
- [ ] Certificate pinning implemented
- [ ] Offline data protection
- [ ] Device authentication required
- [ ] Jailbreak detection (if needed)
- [ ] App attestation verified

### Third-Party Integration

- [ ] Vendor security assessed
- [ ] API agreements in place
- [ ] Data sharing agreements signed
- [ ] Security certifications verified
- [ ] Incident response coordinated
- [ ] Regular security reviews

### Incident Response

- [ ] Incident response plan documented
- [ ] Security team contacts current
- [ ] Escalation procedures defined
- [ ] Communication plan ready
- [ ] Forensics capability available
- [ ] Recovery procedures tested

### Performance Security

- [ ] DDoS protection enabled
- [ ] Resource exhaustion prevented
- [ ] Query complexity limited
- [ ] Payload size restricted
- [ ] Concurrent user limits set
- [ ] Circuit breakers implemented

## Security Review Sign-off

- [ ] Code review completed
- [ ] Security scan passed
- [ ] Penetration test passed
- [ ] Compliance verified
- [ ] Risk assessment documented
- [ ] Management approval obtained

## Completion Criteria

- All security controls implemented
- Vulnerabilities remediated
- Documentation complete
- Testing evidence collected
- Compliance requirements met
- Production readiness confirmed