scc-universal 1.1.0

package/examples/scratch-org-setup/README.md

@@ -0,0 +1,138 @@
+# Scratch Org Setup Example
+
+Complete scratch org configuration with definition file, setup scripts, and sample data.
+
+## Structure
+
+```text
+config/
+  project-scratch-def.json    # Scratch org definition
+scripts/
+  setup-scratch-org.sh        # Automated setup script
+data/
+  sample-accounts.json        # Sample data for development
+sfdx-project.json             # Project configuration
+```
+
+## Scratch Org Definition
+
+```json
+{
+  "orgName": "SCC Dev Scratch Org",
+  "edition": "Developer",
+  "features": [
+    "EnableSetPasswordInApi",
+    "Communities",
+    "ServiceCloud",
+    "LightningSalesConsole"
+  ],
+  "settings": {
+    "lightningExperienceSettings": {
+      "enableS1DesktopEnabled": true
+    },
+    "securitySettings": {
+      "passwordPolicies": {
+        "enableSetPasswordInApi": true
+      }
+    },
+    "mobileSettings": {
+      "enableS1EncryptedStoragePref2": false
+    }
+  }
+}
+```
+
+## Project Configuration (sfdx-project.json)
+
+```json
+{
+  "packageDirectories": [
+    {
+      "path": "force-app",
+      "default": true
+    }
+  ],
+  "namespace": "",
+  "sfdcLoginUrl": "https://login.salesforce.com",
+  "sourceApiVersion": "66.0"
+}
+```
+
+## Setup Script
+
+```bash
+#!/bin/bash
+set -e
+
+ORG_ALIAS=${1:-dev-scratch}
+DURATION=${2:-7}
+
+echo "Creating scratch org: $ORG_ALIAS (${DURATION} days)"
+sf org create scratch \
+  --definition-file config/project-scratch-def.json \
+  --alias "$ORG_ALIAS" \
+  --duration-days "$DURATION" \
+  --set-default \
+  --wait 15
+
+echo "Deploying source..."
+sf project deploy start --target-org "$ORG_ALIAS"
+
+echo "Assigning permission sets..."
+sf org assign permset --name SCC_Admin --target-org "$ORG_ALIAS" || true
+
+echo "Importing sample data..."
+sf data import tree --files data/sample-accounts.json --target-org "$ORG_ALIAS" || true
+
+echo "Running tests..."
+sf apex run test --test-level RunLocalTests --target-org "$ORG_ALIAS" --result-format human
+
+echo "Opening org..."
+sf org open --target-org "$ORG_ALIAS"
+
+echo "Scratch org $ORG_ALIAS is ready!"
+```
+
+## Sample Data
+
+```json
+{
+  "records": [
+    {
+      "attributes": { "type": "Account", "referenceId": "AccRef1" },
+      "Name": "Acme Corporation",
+      "Industry": "Technology",
+      "AnnualRevenue": 5000000,
+      "NumberOfEmployees": 250
+    },
+    {
+      "attributes": { "type": "Account", "referenceId": "AccRef2" },
+      "Name": "Global Industries",
+      "Industry": "Manufacturing",
+      "AnnualRevenue": 12000000,
+      "NumberOfEmployees": 1500
+    }
+  ]
+}
+```
+
+## Lifecycle Commands
+
+```bash
+# Create
+sf org create scratch -f config/project-scratch-def.json -a my-scratch -d 7
+
+# Develop
+sf project deploy start          # Push source
+sf project retrieve start        # Pull changes from org
+
+# Test
+sf apex run test --test-level RunLocalTests
+
+# Inspect
+sf org display                   # Show org details
+sf org open                      # Open in browser
+
+# Cleanup
+sf org delete scratch -o my-scratch --no-prompt
+```

package/examples/security-audit/README.md

@@ -0,0 +1,244 @@
+# Security Audit Walkthrough
+
+Step-by-step security audit for Salesforce Apex code covering CRUD/FLS, SOQL injection, sharing model, and static analysis. Patterns verified for API version 66.0 (Spring '26).
+
+## When to Use This Pattern
+
+- Before deploying Apex code to production
+- During security reviews or AppExchange security submissions
+- When refactoring legacy code that bypasses security controls
+- After a Salesforce security health check flags issues
+
+## CRUD/FLS Enforcement
+
+### Before (Insecure)
+
+```apex
+// BAD: No CRUD or FLS checks — any user can read/update regardless of permissions
+public class AccountService {
+    public static List<Account> getAccounts() {
+        return [SELECT Id, Name, AnnualRevenue, Phone FROM Account];
+    }
+
+    public static void updateRevenue(Id accountId, Decimal newRevenue) {
+        Account acc = new Account(Id = accountId, AnnualRevenue = newRevenue);
+        update acc;
+    }
+}
+```
+
+### After (Secure — WITH SECURITY_ENFORCED)
+
+```apex
+// GOOD: CRUD/FLS enforced at the query level
+public with sharing class AccountService {
+    public static List<Account> getAccounts() {
+        return [
+            SELECT Id, Name, AnnualRevenue, Phone
+            FROM Account
+            WITH SECURITY_ENFORCED
+        ];
+    }
+
+    public static void updateRevenue(Id accountId, Decimal newRevenue) {
+        // Check field-level access before DML
+        if (!Schema.sObjectType.Account.fields.AnnualRevenue.isUpdateable()) {
+            throw new SecurityException('Insufficient access to update AnnualRevenue');
+        }
+
+        Account acc = new Account(Id = accountId, AnnualRevenue = newRevenue);
+        update acc;
+    }
+
+    public class SecurityException extends Exception {}
+}
+```
+
+### After (Secure — stripInaccessible)
+
+```apex
+// GOOD: stripInaccessible silently removes inaccessible fields instead of throwing
+public with sharing class AccountService {
+    public static List<Account> getAccounts() {
+        List<Account> accounts = [SELECT Id, Name, AnnualRevenue, Phone FROM Account];
+        SObjectAccessDecision decision = Security.stripInaccessible(AccessType.READABLE, accounts);
+        return (List<Account>) decision.getRecords();
+    }
+
+    public static void updateRevenue(Id accountId, Decimal newRevenue) {
+        List<Account> toUpdate = new List<Account>{
+            new Account(Id = accountId, AnnualRevenue = newRevenue)
+        };
+        SObjectAccessDecision decision = Security.stripInaccessible(AccessType.UPDATABLE, toUpdate);
+        update decision.getRecords();
+    }
+}
+```
+
+## SOQL Injection Prevention
+
+### Before (Vulnerable)
+
+```apex
+// BAD: User input concatenated directly into query string
+public class AccountSearch {
+    @AuraEnabled
+    public static List<Account> search(String searchTerm) {
+        String query = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + searchTerm + '%\'';
+        return Database.query(query);
+    }
+}
+```
+
+### After (Safe — Bind Variables)
+
+```apex
+// GOOD: Bind variable prevents injection
+public with sharing class AccountSearch {
+    @AuraEnabled(cacheable=true)
+    public static List<Account> search(String searchTerm) {
+        String safeTerm = '%' + String.escapeSingleQuotes(searchTerm) + '%';
+        return [
+            SELECT Id, Name
+            FROM Account
+            WHERE Name LIKE :safeTerm
+            WITH SECURITY_ENFORCED
+            LIMIT 50
+        ];
+    }
+}
+```
+
+### After (Safe — Dynamic Query with Escaping)
+
+```apex
+// GOOD: When dynamic SOQL is unavoidable, escape input and enforce CRUD/FLS
+public with sharing class AccountSearch {
+    @AuraEnabled(cacheable=true)
+    public static List<Account> search(String searchTerm, String sortField) {
+        // Whitelist allowed sort fields
+        Set<String> allowedSortFields = new Set<String>{ 'Name', 'CreatedDate', 'AnnualRevenue' };
+        if (!allowedSortFields.contains(sortField)) {
+            sortField = 'Name';
+        }
+
+        String safeTerm = '%' + String.escapeSingleQuotes(searchTerm) + '%';
+        String query = 'SELECT Id, Name FROM Account'
+            + ' WHERE Name LIKE :safeTerm'
+            + ' WITH SECURITY_ENFORCED'
+            + ' ORDER BY ' + sortField
+            + ' LIMIT 50';
+        return Database.query(query);
+    }
+}
+```
+
+## Sharing Model Review
+
+```apex
+// with sharing — enforces the running user's sharing rules (default for most classes)
+public with sharing class OpportunityService {
+    public List<Opportunity> getMyOpportunities() {
+        return [SELECT Id, Name, Amount FROM Opportunity WITH SECURITY_ENFORCED];
+    }
+}
+
+// without sharing — intentional escalation (document WHY)
+// Use case: Background process that needs org-wide visibility
+public without sharing class OpportunityRollupService {
+    /**
+     * Runs in system context because rollup calculations require
+     * access to all child records regardless of the triggering user's
+     * sharing rules. Called only from a trusted trigger handler.
+     */
+    public static void recalculateRollups(Set<Id> accountIds) {
+        // System-level aggregation
+        List<AggregateResult> results = [
+            SELECT AccountId, SUM(Amount) totalAmount
+            FROM Opportunity
+            WHERE AccountId IN :accountIds AND IsClosed = true AND IsWon = true
+            GROUP BY AccountId
+        ];
+        // ... update accounts with rollup values
+    }
+}
+
+// inherited sharing — inherits context from the caller
+// Use case: Utility classes that should respect whatever context invokes them
+public inherited sharing class QueryHelper {
+    public static List<SObject> queryWithLimit(String objectName, Integer recordLimit) {
+        String safeObject = String.escapeSingleQuotes(objectName);
+        return Database.query(
+            'SELECT Id, Name FROM ' + safeObject + ' WITH SECURITY_ENFORCED LIMIT :recordLimit'
+        );
+    }
+}
+```
+
+## Running SFDX Scanner
+
+```bash
+# Install the scanner plugin (one-time setup)
+sf plugins install @salesforce/sfdx-scanner
+
+# Scan all Apex classes for security issues
+sf scanner run --target "force-app/main/default/classes/**/*.cls" \
+    --category "Security" \
+    --format table
+
+# Scan with PMD rules and generate a report
+sf scanner run --target "force-app/main/default/classes/**/*.cls" \
+    --engine pmd \
+    --format csv \
+    --outfile scanner-results.csv
+
+# Scan for specific security rules
+sf scanner run --target "force-app/main/default/classes/AccountService.cls" \
+    --category "Security,Best Practices" \
+    --format table \
+    --severity-threshold 2
+
+# Run the full AppExchange-style security review
+sf scanner run --target "force-app/" \
+    --category "Security" \
+    --engine "pmd,retire-js" \
+    --format html \
+    --outfile security-report.html
+```
+
+## Security Checklist
+
+| Check | Status | How to Verify |
+|-------|--------|---------------|
+| All classes use `with sharing` or document why not | | Search for `without sharing` and verify justification |
+| SOQL uses `WITH SECURITY_ENFORCED` or `stripInaccessible` | | Search for `Database.query` and `[SELECT` without enforcement |
+| No raw user input in SOQL/SOSL strings | | Search for string concatenation in queries |
+| DML operations check field-level access | | Check `isCreateable()`, `isUpdateable()`, `stripInaccessible` |
+| `@AuraEnabled` methods validate input parameters | | Review all `@AuraEnabled` methods |
+| No hardcoded credentials or secrets | | Search for passwords, tokens, API keys in source |
+| Named Credentials used for external callouts | | Search for `HttpRequest` and verify endpoint source |
+| CSRF tokens on Visualforce pages | | Ensure forms are not using `GET` actions with state changes |
+| Guest user profiles have minimal permissions | | Review site guest user profile in Setup |
+| Sensitive data not logged or exposed in debug | | Search for `System.debug` with sensitive field names |
+
+## Key Principles
+
+- Default to `with sharing` on every class; only use `without sharing` with documented justification
+- Prefer `WITH SECURITY_ENFORCED` for reads and `stripInaccessible` when you need graceful degradation
+- Never concatenate user input into SOQL/SOSL; use bind variables or `String.escapeSingleQuotes`
+- Whitelist dynamic field/object names rather than relying solely on escaping
+- Run SFDX Scanner in CI to catch regressions before deployment
+
+## Common Pitfalls
+
+- Assuming `with sharing` enforces FLS (it only enforces record-level sharing rules, not field access)
+- Using `String.escapeSingleQuotes` alone without also whitelisting dynamic identifiers
+- Forgetting to add `WITH SECURITY_ENFORCED` to SOQL inside batch/schedulable classes
+- Marking utility classes as `without sharing` out of convenience
+- Not testing with a non-admin user profile to catch missing permissions
+
+## SCC Skills
+
+- `/sf-security` -- run a comprehensive security audit on your codebase
+- `/sf-apex-best-practices` -- review Apex code including security best practices
+- `/sf-governor-limits` -- check for governor limit issues (overlaps with security for SOQL)

package/examples/visualforce-migration/README.md

@@ -0,0 +1,314 @@
+# Migrating Visualforce to LWC
+
+Side-by-side examples showing how to convert a Visualforce page with an Apex controller to a Lightning Web Component using modern patterns.
+
+## When to Use This Pattern
+
+- Modernizing legacy Visualforce pages to Lightning Experience
+- Converting controller-based pages to wire-service LWC components
+- Replacing `apex:form` with `lightning-record-edit-form`
+- Migrating page navigation from `PageReference` to `NavigationMixin`
+- Preparing for retirement of Visualforce in Lightning-only orgs
+
+## Original Visualforce Page
+
+### Visualforce Markup
+
+```html
+<!-- AccountEditor.page -->
+<apex:page controller="AccountEditorController" lightningStylesheets="true">
+    <apex:form>
+        <apex:pageBlock title="Edit Account" mode="edit">
+            <apex:pageMessages />
+
+            <apex:pageBlockButtons>
+                <apex:commandButton action="{!save}" value="Save" />
+                <apex:commandButton action="{!cancel}" value="Cancel" immediate="true" />
+            </apex:pageBlockButtons>
+
+            <apex:pageBlockSection columns="2">
+                <apex:inputField value="{!account.Name}" required="true" />
+                <apex:inputField value="{!account.Industry}" />
+                <apex:inputField value="{!account.Phone}" />
+                <apex:inputField value="{!account.Website}" />
+                <apex:inputField value="{!account.AnnualRevenue}" />
+                <apex:inputField value="{!account.Description}" />
+            </apex:pageBlockSection>
+
+            <apex:pageBlockSection title="Related Contacts" columns="1">
+                <apex:pageBlockTable value="{!contacts}" var="c">
+                    <apex:column value="{!c.Name}" />
+                    <apex:column value="{!c.Email}" />
+                    <apex:column value="{!c.Phone}" />
+                </apex:pageBlockTable>
+            </apex:pageBlockSection>
+        </apex:pageBlock>
+    </apex:form>
+</apex:page>
+```
+
+### Visualforce Controller
+
+```apex
+public with sharing class AccountEditorController {
+    public Account account { get; set; }
+    public List<Contact> contacts { get; set; }
+
+    public AccountEditorController() {
+        Id accountId = ApexPages.currentPage().getParameters().get('id');
+        if (accountId != null) {
+            account = [
+                SELECT Id, Name, Industry, Phone, Website, AnnualRevenue, Description
+                FROM Account WHERE Id = :accountId
+            ];
+            contacts = [
+                SELECT Id, Name, Email, Phone
+                FROM Contact WHERE AccountId = :accountId
+                ORDER BY Name
+            ];
+        } else {
+            account = new Account();
+            contacts = new List<Contact>();
+        }
+    }
+
+    public PageReference save() {
+        try {
+            upsert account;
+            return new PageReference('/' + account.Id);
+        } catch (DmlException e) {
+            ApexPages.addMessages(e);
+            return null;
+        }
+    }
+
+    public PageReference cancel() {
+        if (account.Id != null) {
+            return new PageReference('/' + account.Id);
+        }
+        return new PageReference('/001'); // Account list view
+    }
+}
+```
+
+## Equivalent LWC Component
+
+### LWC HTML
+
+```html
+<!-- accountEditor.html -->
+<template>
+    <lightning-card title="Edit Account" icon-name="standard:account">
+        <!-- Record Edit Form replaces apex:form + apex:inputField -->
+        <lightning-record-edit-form
+            record-id={recordId}
+            object-api-name="Account"
+            onsuccess={handleSuccess}
+            onerror={handleError}>
+
+            <lightning-messages></lightning-messages>
+
+            <div class="slds-grid slds-wrap slds-gutters">
+                <div class="slds-col slds-size_1-of-2 slds-p-around_small">
+                    <lightning-input-field field-name="Name" required></lightning-input-field>
+                </div>
+                <div class="slds-col slds-size_1-of-2 slds-p-around_small">
+                    <lightning-input-field field-name="Industry"></lightning-input-field>
+                </div>
+                <div class="slds-col slds-size_1-of-2 slds-p-around_small">
+                    <lightning-input-field field-name="Phone"></lightning-input-field>
+                </div>
+                <div class="slds-col slds-size_1-of-2 slds-p-around_small">
+                    <lightning-input-field field-name="Website"></lightning-input-field>
+                </div>
+                <div class="slds-col slds-size_1-of-2 slds-p-around_small">
+                    <lightning-input-field field-name="AnnualRevenue"></lightning-input-field>
+                </div>
+                <div class="slds-col slds-size_1-of-1 slds-p-around_small">
+                    <lightning-input-field field-name="Description"></lightning-input-field>
+                </div>
+            </div>
+
+            <div class="slds-m-top_medium slds-p-around_small">
+                <lightning-button variant="brand" type="submit" label="Save"></lightning-button>
+                <lightning-button label="Cancel" onclick={handleCancel} class="slds-m-left_x-small"></lightning-button>
+            </div>
+        </lightning-record-edit-form>
+
+        <!-- Related Contacts section -->
+        <template if:true={contacts.data}>
+            <div class="slds-p-around_small slds-m-top_medium">
+                <h2 class="slds-text-heading_small slds-m-bottom_small">Related Contacts</h2>
+                <lightning-datatable
+                    key-field="Id"
+                    data={contacts.data}
+                    columns={contactColumns}
+                    hide-checkbox-column>
+                </lightning-datatable>
+            </div>
+        </template>
+    </lightning-card>
+</template>
+```
+
+### LWC JavaScript
+
+```javascript
+// accountEditor.js
+import { LightningElement, api, wire } from 'lwc';
+import { NavigationMixin } from 'lightning/navigation';
+import { ShowToastEvent } from 'lightning/platformShowToastEvent';
+import getRelatedContacts from '@salesforce/apex/AccountEditorLwcController.getRelatedContacts';
+
+const CONTACT_COLUMNS = [
+    { label: 'Name', fieldName: 'Name', type: 'text' },
+    { label: 'Email', fieldName: 'Email', type: 'email' },
+    { label: 'Phone', fieldName: 'Phone', type: 'phone' }
+];
+
+export default class AccountEditor extends NavigationMixin(LightningElement) {
+    @api recordId;
+    contactColumns = CONTACT_COLUMNS;
+
+    @wire(getRelatedContacts, { accountId: '$recordId' })
+    contacts;
+
+    handleSuccess(event) {
+        this.dispatchEvent(
+            new ShowToastEvent({
+                title: 'Success',
+                message: 'Account saved successfully',
+                variant: 'success'
+            })
+        );
+
+        // Navigate to the record page (replaces PageReference)
+        this[NavigationMixin.Navigate]({
+            type: 'standard__recordPage',
+            attributes: {
+                recordId: event.detail.id,
+                objectApiName: 'Account',
+                actionName: 'view'
+            }
+        });
+    }
+
+    handleError(event) {
+        this.dispatchEvent(
+            new ShowToastEvent({
+                title: 'Error',
+                message: event.detail.message,
+                variant: 'error'
+            })
+        );
+    }
+
+    handleCancel() {
+        if (this.recordId) {
+            // Navigate back to the record (replaces PageReference)
+            this[NavigationMixin.Navigate]({
+                type: 'standard__recordPage',
+                attributes: {
+                    recordId: this.recordId,
+                    objectApiName: 'Account',
+                    actionName: 'view'
+                }
+            });
+        } else {
+            // Navigate to the Account list view (replaces PageReference('/001'))
+            this[NavigationMixin.Navigate]({
+                type: 'standard__objectPage',
+                attributes: {
+                    objectApiName: 'Account',
+                    actionName: 'list'
+                },
+                state: {
+                    filterName: 'Recent'
+                }
+            });
+        }
+    }
+}
+```
+
+### LWC Metadata
+
+```xml
+<!-- accountEditor.js-meta.xml -->
+<?xml version="1.0" encoding="UTF-8"?>
+<LightningComponentBundle xmlns="http://soap.sforce.com/2006/04/metadata">
+    <apiVersion>66.0</apiVersion>
+    <isExposed>true</isExposed>
+    <targets>
+        <target>lightning__RecordPage</target>
+        <target>lightning__AppPage</target>
+    </targets>
+    <targetConfigs>
+        <targetConfig targets="lightning__RecordPage">
+            <objects>
+                <object>Account</object>
+            </objects>
+        </targetConfig>
+    </targetConfigs>
+</LightningComponentBundle>
+```
+
+### Apex Controller (Simplified)
+
+```apex
+public with sharing class AccountEditorLwcController {
+    @AuraEnabled(cacheable=true)
+    public static List<Contact> getRelatedContacts(Id accountId) {
+        return [
+            SELECT Id, Name, Email, Phone
+            FROM Contact
+            WHERE AccountId = :accountId
+            WITH SECURITY_ENFORCED
+            ORDER BY Name
+            LIMIT 100
+        ];
+    }
+}
+```
+
+## Migration Mapping Reference
+
+| Visualforce | LWC Equivalent |
+|-------------|----------------|
+| `apex:page` | LWC component with `lightning-card` |
+| `apex:form` | `lightning-record-edit-form` |
+| `apex:inputField` | `lightning-input-field` |
+| `apex:commandButton action="{!save}"` | `lightning-button type="submit"` |
+| `apex:pageMessages` | `lightning-messages` |
+| `apex:pageBlockTable` | `lightning-datatable` |
+| `ApexPages.addMessages(e)` | `ShowToastEvent` |
+| `new PageReference('/id')` | `NavigationMixin.Navigate` |
+| Controller constructor query | `@wire` with `@AuraEnabled(cacheable=true)` |
+| `ApexPages.currentPage().getParameters().get('id')` | `@api recordId` |
+| `apex:outputPanel rendered="{!condition}"` | `template if:true={condition}` |
+| `apex:repeat` | `template for:each={items}` |
+| `apex:actionFunction` | Imperative Apex call |
+
+## Key Principles
+
+- Use `lightning-record-edit-form` instead of custom save logic when editing standard/custom object fields
+- Replace all `PageReference` navigation with `NavigationMixin` for Lightning Experience compatibility
+- Use `@wire` for read operations and imperative calls for mutations
+- Move field-level rendering logic from controller to reactive properties in JS
+- LWC automatically handles CRUD/FLS when using `lightning-record-edit-form`
+
+## Common Pitfalls
+
+- Forgetting to extend `NavigationMixin(LightningElement)` before calling Navigate
+- Using imperative Apex for cacheable reads instead of `@wire` (loses caching and reactivity)
+- Not adding `WITH SECURITY_ENFORCED` in the LWC controller Apex methods
+- Trying to replicate the exact VF layout instead of adopting SLDS grid patterns
+- Hardcoding record type IDs or key prefixes (like `/001`) that were common in VF pages
+- Missing the `isExposed` and `targets` configuration in the meta XML
+
+## SCC Skills
+
+- `/sf-visualforce-development` -- audit a Visualforce page for migration readiness
+- `/sf-lwc-development` -- review the migrated LWC component for best practices
+- `/sf-apex-best-practices` -- review the simplified Apex controller
+- `/sf-security` -- verify security enforcement in the new component