sf-agent-framework

AI Agent Orchestration Framework for Salesforce Development - Two-phase architecture with 70% context reduction

# Security Review Checklist

This comprehensive multi-level checklist ensures thorough security validation for Salesforce implementations.

## Access Control Review

### Level 1: Profile Security

- [ ] System Administrator profile usage minimized (<5% of users)
- [ ] Standard profiles cloned and customized (not modified directly)
- [ ] Minimum access principle applied to all profiles
- [ ] Guest user profile permissions reviewed and restricted
- [ ] Login hours configured where appropriate

### Level 2: Permission Set Architecture

- [ ] Permission sets used for additional access (not baseline)
- [ ] Permission set groups utilized for role-based access
- [ ] No "Modify All Data" in permission sets (except justified)
- [ ] No "View All Data" in permission sets (except justified)
- [ ] API Enabled permission tracked and audited

### Level 3: Role Hierarchy

- [ ] Role hierarchy matches organizational structure
- [ ] No circular references in hierarchy
- [ ] Portal roles properly positioned
- [ ] Grant access checkboxes used appropriately
- [ ] Role-based sharing rules documented

### Level 4: Field-Level Security

- [ ] Sensitive fields marked as encrypted
- [ ] PII fields have restricted visibility
- [ ] Financial fields protected appropriately
- [ ] Compliance fields (GDPR, HIPAA) secured
- [ ] Field audit trail enabled for critical fields

## Authentication Security

### Level 1: Password Policies

- [ ] Minimum password length ≥ 12 characters
- [ ] Password complexity requirements enabled
- [ ] Password history ≥ 10 passwords
- [ ] Password expiration ≤ 90 days
- [ ] Account lockout after ≤ 5 attempts

### Level 2: Multi-Factor Authentication

- [ ] MFA enabled for all administrators
- [ ] MFA enabled for privileged users
- [ ] MFA required for API access where applicable
- [ ] High assurance sessions configured
- [ ] Device activation policies set

### Level 3: Single Sign-On

- [ ] SSO configured with approved provider
- [ ] SAML assertions validated
- [ ] Just-in-time provisioning secured
- [ ] SSO bypass procedures documented
- [ ] Certificate expiration monitoring enabled

### Level 4: Session Security

- [ ] Session timeout ≤ 2 hours
- [ ] Lock sessions to IP address enabled
- [ ] Require secure connections (HTTPS) enabled
- [ ] Clickjack protection enabled
- [ ] Cross-site request forgery protection enabled

## Data Security

### Level 1: Encryption

- [ ] Platform Encryption evaluated and implemented if needed
- [ ] Classic Encryption used for specific fields
- [ ] Encryption key management documented
- [ ] Data masking implemented for sandboxes
- [ ] File encryption configured

### Level 2: Sharing Model

- [ ] Organization-wide defaults set to most restrictive
- [ ] Sharing rules documented and justified
- [ ] Manual sharing guidelines established
- [ ] Apex sharing reasons created
- [ ] Portal user sharing validated

### Level 3: Data Export Controls

- [ ] Data export permissions restricted
- [ ] Weekly export access limited
- [ ] Report export controls configured
- [ ] API data access monitored
- [ ] Bulk API usage tracked

### Level 4: Data Classification

- [ ] Data classification policy implemented
- [ ] Fields tagged with classification levels
- [ ] Retention policies defined
- [ ] Deletion procedures documented
- [ ] Archive strategy implemented

## Application Security

### Level 1: Apex Security

- [ ] All classes use "with sharing" (or justified exception)
- [ ] SOQL injection prevention implemented
- [ ] CRUD/FLS checks enforced
- [ ] No hardcoded credentials
- [ ] Sensitive data not logged

### Level 2: Lightning Security

- [ ] Lightning Locker Service enabled
- [ ] CSP (Content Security Policy) configured
- [ ] No use of eval() or similar functions
- [ ] DOM manipulation done safely
- [ ] Third-party libraries vetted

### Level 3: Visualforce Security

- [ ] Escape functions used for output
- [ ] ViewState encryption enabled
- [ ] CSRF protection enabled
- [ ] No use of actionFunction without protection
- [ ] JavaScript remoting secured

### Level 4: Flow Security

- [ ] Flows run in system or user context appropriately
- [ ] Input validation implemented
- [ ] Error handling doesn't expose sensitive data
- [ ] Record access validated in flows
- [ ] Bulk-safe patterns used

## Integration Security

### Level 1: API Security

- [ ] Named Credentials used for callouts
- [ ] OAuth 2.0 implemented where possible
- [ ] API versions up to date
- [ ] Remote site settings minimized
- [ ] Certificate validation enabled

### Level 2: Connected Apps

- [ ] OAuth scopes minimized
- [ ] Refresh token policies configured
- [ ] IP restrictions enabled
- [ ] User restrictions applied
- [ ] Admin approval required

### Level 3: Data Integration

- [ ] Data in transit encrypted (TLS 1.2+)
- [ ] Authentication tokens rotated regularly
- [ ] Integration user permissions minimized
- [ ] Error messages sanitized
- [ ] Retry logic implements backoff

### Level 4: Middleware Security

- [ ] Middleware connections encrypted
- [ ] Service accounts properly secured
- [ ] Audit logging enabled
- [ ] Data transformation rules validated
- [ ] Queue security configured

## Compliance & Audit

### Level 1: Audit Trail

- [ ] Setup Audit Trail monitored regularly
- [ ] Field History Tracking enabled
- [ ] Login History reviewed
- [ ] API usage tracked
- [ ] Report export tracked

### Level 2: Compliance Controls

- [ ] GDPR requirements addressed
- [ ] HIPAA controls implemented (if applicable)
- [ ] PCI DSS requirements met (if applicable)
- [ ] SOC 2 controls validated
- [ ] Industry-specific compliance verified

### Level 3: Data Privacy

- [ ] Privacy settings configured
- [ ] Data retention policies enforced
- [ ] Right to erasure implemented
- [ ] Consent management configured
- [ ] Data portability enabled

### Level 4: Monitoring

- [ ] Security monitoring dashboards created
- [ ] Anomaly detection configured
- [ ] Alert thresholds set
- [ ] Incident response plan documented
- [ ] Regular security reviews scheduled

## Network Security

### Level 1: IP Restrictions

- [ ] Login IP ranges configured for sensitive profiles
- [ ] Trusted IP ranges defined
- [ ] Network access controls documented
- [ ] VPN requirements defined
- [ ] Mobile access policies set

### Level 2: Email Security

- [ ] Email relay restrictions configured
- [ ] SPF records configured
- [ ] DKIM enabled
- [ ] Email authentication configured
- [ ] Bounce handling implemented

### Level 3: Domain Security

- [ ] My Domain deployed and enforced
- [ ] HTTPS enforced
- [ ] HSTS enabled
- [ ] Content Security Policy configured
- [ ] Cookie settings secured

## Mobile Security

### Level 1: Mobile App Security

- [ ] Mobile app PIN/biometric required
- [ ] Offline data access restricted
- [ ] Screen capture disabled for sensitive data
- [ ] Copy/paste restrictions configured
- [ ] App timeout configured

### Level 2: Device Management

- [ ] MDM policies defined
- [ ] Device compliance requirements set
- [ ] Remote wipe capability enabled
- [ ] Jailbreak/root detection enabled
- [ ] App wrapping configured

## Security Testing

### Level 1: Vulnerability Assessment

- [ ] SAST (Static Analysis) completed
- [ ] DAST (Dynamic Analysis) performed
- [ ] Dependency scanning done
- [ ] Security unit tests written
- [ ] Penetration testing scheduled

### Level 2: Security Code Review

- [ ] Peer review includes security focus
- [ ] Automated security scanning in CI/CD
- [ ] Third-party code reviewed
- [ ] Security champions identified
- [ ] Review findings tracked

## Incident Response

### Level 1: Preparation

- [ ] Incident response plan documented
- [ ] Contact list maintained
- [ ] Escalation procedures defined
- [ ] Communication templates prepared
- [ ] Legal/compliance contacts identified

### Level 2: Response Procedures

- [ ] Detection mechanisms in place
- [ ] Containment procedures defined
- [ ] Evidence preservation process
- [ ] Recovery procedures documented
- [ ] Lessons learned process defined

## Final Validation

### Security Sign-off

- [ ] Security team approval obtained
- [ ] Risk assessment completed
- [ ] Exceptions documented and approved
- [ ] Remediation plan for findings
- [ ] Ongoing monitoring confirmed

### Documentation

- [ ] Security architecture documented
- [ ] Runbooks updated
- [ ] Training materials created
- [ ] Security policies updated
- [ ] Knowledge base articles written