scc-universal 1.1.0

package/skills/sf-quickstart/SKILL.md

@@ -0,0 +1,173 @@
+---
+name: sf-quickstart
+description: >-
+  Use when setting up SCC on a Salesforce project. Detect Apex, LWC, or mixed
+  project type, recommend configuration, install appropriate profile.
+origin: SCC
+user-invocable: true
+---
+
+# SCC Quickstart — Interactive Onboarding
+
+Interactive onboarding for Salesforce Claude Code. Detects your project setup and recommends the right SCC configuration.
+
+## When to Use
+
+- When setting up SCC for the first time on a Salesforce project
+- When onboarding a new developer to an existing Salesforce org or project
+- When you need to detect the project's tech stack and recommend the right SCC install profile
+- When verifying that SCC is properly installed and configured
+- When switching projects and need to reconfigure SCC for a different project type
+
+## Workflow
+
+### Step 1 — Detect Project Context
+
+Check for Salesforce project markers:
+
+```bash
+# Core project file (required for SF project)
+cat sfdx-project.json 2>/dev/null
+
+# Scratch org definition
+cat config/project-scratch-def.json 2>/dev/null
+
+# Deployment config
+cat .forceignore 2>/dev/null | head -5
+
+# Node.js tooling
+cat package.json 2>/dev/null | grep -A5 '"scripts"'
+
+# SF CLI version
+sf --version 2>/dev/null
+```
+
+If `sfdx-project.json` does not exist, this is not a Salesforce project. Report that and suggest running `/sf-help` for general SCC guidance.
+
+### Step 2 — Analyze Tech Stack
+
+Scan the project to detect what technologies are in use:
+
+```bash
+# Apex classes (not test classes)
+find force-app -name "*.cls" 2>/dev/null | grep -v -E '(Test\.cls$|_Test\.cls$|TestUtils|TestData|TestFactory|TestHelper)' | wc -l
+
+# Apex test classes
+find force-app -name "*.cls" 2>/dev/null | grep -E '(Test\.cls$|_Test\.cls$|TestUtils|TestData|TestFactory|TestHelper)' | wc -l
+
+# Apex triggers
+find force-app -name "*.trigger" 2>/dev/null | wc -l
+
+# LWC components
+find force-app -path "*/lwc/*" -name "*.js" -not -name "*.test.js" 2>/dev/null | wc -l
+
+# Aura components
+find force-app -path "*/aura/*" -name "*.cmp" 2>/dev/null | wc -l
+
+# Visualforce pages
+find force-app -name "*.page" 2>/dev/null | wc -l
+
+# Flows
+find force-app -name "*.flow-meta.xml" 2>/dev/null | wc -l
+
+# Custom objects
+find force-app -name "*.object-meta.xml" 2>/dev/null | wc -l
+```
+
+> Naive test detection with `find force-app -name "*Test.cls"` misses patterns like `*_Test.cls`, `TestUtils.cls`, `TestDataFactory.cls`, and `TestHelper.cls`. The commands above catch all standard patterns.
+
+### Step 3 — Recommend Install Profile
+
+Based on detection results, recommend the best SCC profile:
+
+| Detected Stack | Recommended Profile | Command |
+|---------------|--------------------|---------|
+| Apex + LWC + Flows + triggers | `all` | `npx scc install all` |
+| Primarily Apex (classes + triggers) | `apex` | `npx scc install apex` |
+| Primarily LWC with some Apex | `lwc` | `npx scc install lwc` |
+
+**Profile details:**
+
+| Profile | Agents | Skills (user-invocable) | Rules | Hooks |
+|---------|--------|------------------------|-------|-------|
+| `apex` | 12 | 22 (14) | common + apex + soql | all |
+| `lwc` | 10 | 18 (12) | common + lwc | all |
+| `all` | 27 | 45 (26) | all domains | all |
+
+### Step 4 — Suggest First Commands
+
+Based on the project state, suggest 3-5 commands to start with:
+
+| Project State | Suggested Action |
+|--------------|-----------------|
+| No test classes found | `sf-tdd-workflow` skill -- start writing tests |
+| Triggers without handler classes | `sf-trigger-frameworks` skill -- refactor to handler pattern |
+| Low test coverage | `sf-apex-testing` skill -- analyze gaps |
+| Deployment files present | `sf-deployment` skill -- pre-deployment check |
+| Security review needed | `sf-security` skill -- full security audit |
+| Build errors | `/sf-build-fix` -- fix build and deployment errors |
+| Any project | `/sf-help` -- browse all available commands and skills |
+
+### Step 5 — Verify SCC Installation
+
+Check that SCC is properly configured:
+
+```bash
+# Check hooks are loaded
+test -f .claude/hooks/hooks.json && echo "Hooks: ACTIVE" || echo "Hooks: MISSING (run npx scc install)"
+
+# Check hook profile
+echo "Hook Profile: ${SCC_HOOK_PROFILE:-standard (default)}"
+
+# Check for governor-check hook
+grep -q "governor-check" .claude/hooks/hooks.json 2>/dev/null && echo "Governor Check: ACTIVE" || echo "Governor Check: MISSING"
+
+# Check for quality-gate hook
+grep -q "quality-gate" .claude/hooks/hooks.json 2>/dev/null && echo "Quality Gate: ACTIVE" || echo "Quality Gate: MISSING"
+```
+
+### Step 6 — Report
+
+Present findings in this format:
+
+```text
+SCC Quickstart Report
+======================================
+
+Project: my-salesforce-app
+SF CLI:  @salesforce/cli/2.x.x
+
+Tech Stack Detected:
+  Apex Classes:    45 (32 test classes)
+  Apex Triggers:    8
+  LWC Components:  12
+  Aura Components:  3 (consider migration)
+  Flows:            6
+  Custom Objects:  15
+
+Recommended Profile: all
+  -> npx scc install all
+
+SCC Status:
+  Hooks:         ACTIVE (standard profile)
+  Governor Check: ACTIVE
+  Quality Gate:  ACTIVE
+
+Suggested Next Steps:
+  1. sf-trigger-frameworks skill -- 3 triggers without handler classes detected
+  2. sf-apex-testing skill -- Current coverage unknown, run analysis
+  3. sf-security skill -- Verify CRUD/FLS before next deployment
+  4. /sf-help -- Browse all available commands and skills
+```
+
+## Examples
+
+```
+sf-quickstart
+sf-quickstart Set up SCC for my new Salesforce DX project
+sf-quickstart What SCC profile should I use for an ISV package?
+```
+
+## Related
+
+- **Constraints**: (none -- this is an onboarding workflow)

package/skills/sf-security/SKILL.md

@@ -0,0 +1,334 @@
+---
+name: sf-security
+description: >-
+  Use when implementing Salesforce Apex security — CRUD/FLS enforcement,
+  sharing keywords, SOQL injection prevention, AppExchange review prep.
+  Do NOT use for general Apex or LWC patterns.
+origin: SCC
+user-invocable: false
+---
+
+# Salesforce Security
+
+Salesforce has a layered security model. Each layer must be respected in Apex code, SOQL queries, and UI components.
+
+@../_reference/SECURITY_PATTERNS.md
+@../_reference/SHARING_MODEL.md
+
+## When to Use
+
+- Preparing for a Salesforce security review or ISV managed package submission
+- Apex classes missing `with sharing` or using unexplained `without sharing`
+- SOQL queries using dynamic strings without bind variables
+- CRUD/FLS checks absent from controller or service classes
+- Running a security health check before a major deployment
+- A penetration test or AppExchange security review flags vulnerabilities
+
+## CRUD Enforcement in Apex
+
+### WITH USER_MODE / AccessLevel.USER_MODE (see @../_reference/API_VERSIONS.md for minimum version)
+
+The modern standard for CRUD + FLS enforcement. This replaces explicit CRUD checks and `Security.stripInaccessible` for most use cases.
+
+```apex
+// SOQL enforces both object CRUD and FLS for the running user
+List<Account> accounts = [SELECT Id, Name FROM Account WITH USER_MODE];
+
+// For DML, use Database methods with AccessLevel
+Database.insert(records, false, AccessLevel.USER_MODE);
+Database.update(records, false, AccessLevel.USER_MODE);
+Database.delete(records, false, AccessLevel.USER_MODE);
+```
+
+### When to Check CRUD
+
+| Context | Check CRUD? |
+|---|---|
+| Apex called from LWC/Aura/VF page | Yes |
+| Service layer called by user-facing code | Yes |
+| Internal utility called by system batch | Usually no — runs in system context |
+| Apex REST/SOAP API endpoint | Yes |
+| Scheduled/Batch internal processing | Usually no — document justification |
+
+---
+
+## Field-Level Security (FLS)
+
+### Security.stripInaccessible — Bulk FLS Enforcement
+
+`stripInaccessible()` silently removes fields the user cannot access. The returned records look normal but stripped fields are `null`. Check `getRemovedFields()` before passing records downstream.
+
+```apex
+public List<Account> getAccountsForDisplay() {
+    List<Account> accounts = [
+        SELECT Id, Name, AnnualRevenue, SSN__c, Internal_Notes__c
+        FROM Account WHERE Type = 'Customer'
+    ];
+
+    SObjectAccessDecision decision = Security.stripInaccessible(
+        AccessType.READABLE, accounts
+    );
+
+    Map<String, Set<String>> removed = decision.getRemovedFields();
+    if (removed.containsKey('Account')) {
+        System.debug(LoggingLevel.WARN, 'Stripped fields: ' + removed.get('Account'));
+    }
+
+    return decision.getRecords();
+}
+```
+
+### WITH USER_MODE for FLS in SOQL
+
+`WITH USER_MODE` throws a `QueryException` if the running user lacks field-level access to any field in the SELECT or WHERE clause. Use `Security.stripInaccessible()` when you need to silently remove inaccessible fields instead of throwing.
+
+```apex
+// Defensive approach: check accessibility first
+List<String> selectFields = new List<String>{ 'Id', 'Name' };
+if (Schema.SObjectType.Account.Fields.AnnualRevenue.getDescribe().isAccessible()) {
+    selectFields.add('AnnualRevenue');
+}
+// ... build and execute dynamic SOQL with validated fields
+```
+
+---
+
+## Sharing Keywords
+
+### with sharing (Default)
+
+```apex
+public with sharing class AccountsSelector {
+    public List<Account> selectAll() {
+        return [SELECT Id, Name FROM Account]; // Only returns records user can see
+    }
+}
+```
+
+### without sharing (Use Sparingly)
+
+```apex
+/**
+ * Batch processor for automated data enrichment.
+ * Uses without sharing because:
+ * 1. Runs as a system user (scheduled job)
+ * 2. Needs to process ALL accounts regardless of ownership
+ * 3. Sharing is irrelevant for automated system processing
+ */
+public without sharing class AccountEnrichmentBatch
+        implements Database.Batchable<SObject> {
+    // ...
+}
+```
+
+### inherited sharing
+
+```apex
+// Adopts the sharing mode of the calling class
+public inherited sharing class QueryHelper {
+    public List<Account> getAccountsForCaller() {
+        return [SELECT Id, Name FROM Account];
+        // If called by "with sharing" class: enforces sharing
+        // If called by "without sharing" class: bypasses sharing
+        // If top-level: defaults to "with sharing"
+    }
+}
+```
+
+### Decision Tree
+
+```
+User-facing (LWC, VF, Aura, REST API)?  → with sharing
+Utility that respects caller's context?  → inherited sharing
+Scheduled/batch as system user?          → without sharing (documented)
+Permission elevation utility?            → without sharing (narrow scope, documented)
+Unsure?                                  → with sharing
+```
+
+> Sharing context does NOT propagate to called classes. A `with sharing` class calling a `without sharing` class runs the called method **without sharing**.
+
+---
+
+## SOQL Injection Prevention
+
+### Static SOQL with Bind Variables (Preferred)
+
+```apex
+public List<Account> searchAccounts(String nameFilter) {
+    return [SELECT Id, Name FROM Account WHERE Name = :nameFilter WITH USER_MODE];
+}
+```
+
+### Database.queryWithBinds (For Dynamic SOQL)
+
+```apex
+public List<Account> searchAccounts(String nameFilter) {
+    Map<String, Object> binds = new Map<String, Object>{
+        'nameFilter' => nameFilter
+    };
+    return Database.queryWithBinds(
+        'SELECT Id, Name FROM Account WHERE Name = :nameFilter WITH USER_MODE',
+        binds, AccessLevel.USER_MODE
+    );
+}
+```
+
+### Safe Dynamic SOQL with Whitelist Validation
+
+```apex
+public class SafeDynamicQueryBuilder {
+    private static final Set<String> ALLOWED_SORT_FIELDS = new Set<String>{
+        'Name', 'CreatedDate', 'AnnualRevenue', 'Type'
+    };
+    private static final Set<String> ALLOWED_DIRECTIONS = new Set<String>{
+        'ASC', 'DESC'
+    };
+
+    public List<Account> getAccountsSorted(String sortField, String sortDirection) {
+        if (!ALLOWED_SORT_FIELDS.contains(sortField)) {
+            sortField = 'Name';
+        }
+        if (!ALLOWED_DIRECTIONS.contains(sortDirection?.toUpperCase())) {
+            sortDirection = 'ASC';
+        }
+
+        String query = 'SELECT Id, Name, AnnualRevenue, Type '
+                     + 'FROM Account WITH USER_MODE '
+                     + 'ORDER BY ' + sortField + ' ' + sortDirection
+                     + ' LIMIT 200';
+        return Database.query(query);
+    }
+}
+```
+
+---
+
+## XSS Prevention
+
+### Visualforce — Use Context-Appropriate Encoding
+
+```xml
+<!-- HTML body → HTMLENCODE -->
+<div>{!HTMLENCODE(accountDescription)}</div>
+
+<!-- JS string → JSENCODE -->
+<script>var accountName = '{!JSENCODE(account.Name)}';</script>
+
+<!-- JS in HTML attribute → JSINHTMLENCODE -->
+<div onclick="handleClick('{!JSINHTMLENCODE(account.Name)}')">Click</div>
+
+<!-- URL parameter → URLENCODE -->
+<a href="/mypage?name={!URLENCODE(account.Name)}">View</a>
+
+<!-- Safe by default -->
+<apex:outputField value="{!account.Name}" />
+<apex:outputText value="{!account.Description}" escape="true" />
+```
+
+### LWC — Safe by Default
+
+LWC templates auto-encode HTML. Avoid `innerHTML`:
+
+```javascript
+// Safe — LWC encodes the value as text content
+this.accountName = '<script>alert(1)</script>'; // Rendered as literal text
+
+// Use textContent, not innerHTML
+this.template.querySelector('.description').textContent = userProvidedContent;
+
+// For rich text, use lightning-formatted-rich-text (sanitizes automatically)
+```
+
+---
+
+## Named Credentials and External Credentials
+
+### Secure Callout Pattern
+
+```apex
+public class ERPIntegrationService {
+    public HttpResponse callERPEndpoint(String path, String method, String body) {
+        HttpRequest req = new HttpRequest();
+        req.setEndpoint('callout:ERP_System' + path);
+        req.setMethod(method);
+        req.setHeader('Content-Type', 'application/json');
+        if (String.isNotBlank(body)) {
+            req.setBody(body);
+        }
+        return new Http().send(req);
+    }
+}
+```
+
+### What Belongs in Named/External Credentials
+
+- OAuth client secrets, API keys, JWT private keys
+- Endpoint URLs (use Named Credentials, not hardcoded strings)
+- Per-user vs Named Principal authentication
+
+### Custom Metadata for Configuration
+
+```apex
+// No SOQL limits, deployable config
+Map<String, Service_Config__mdt> configs = new Map<String, Service_Config__mdt>();
+for (Service_Config__mdt config : Service_Config__mdt.getAll().values()) {
+    configs.put(config.DeveloperName, config);
+}
+```
+
+---
+
+## Enterprise Security Features
+
+### Shield Platform Encryption
+
+| Encryption Type | Query Support | Use Case |
+|---|---|---|
+| Deterministic | Exact match only in WHERE | SSN lookup, email search |
+| Probabilistic | No SOQL filtering | Health data, financial records |
+
+Encrypted fields cannot be used in ORDER BY, GROUP BY, or LIKE queries (probabilistic). Code must handle null returns when user lacks decryption permission.
+
+### Event Monitoring
+
+- **Login Events** — detect unauthorized access
+- **API Events** — detect data exfiltration
+- **Report Export Events** — data loss prevention
+
+### Transaction Security
+
+Real-time threat detection: block large data exports, enforce MFA for sensitive operations, block restricted locations.
+
+---
+
+## Common Security Review Failures
+
+| Failure | Fix |
+|---|---|
+| CRUD not checked before DML | Use `AccessLevel.USER_MODE` |
+| FLS not checked before field access | Use `WITH USER_MODE` or `stripInaccessible` |
+| Dynamic SOQL with string concatenation | Use bind variables or `queryWithBinds()` |
+| `without sharing` on user-facing class | Switch to `with sharing` |
+| Hardcoded credentials | Use Named/External Credentials |
+| Sensitive data in debug logs | Remove `System.debug` of PII |
+| Unrestricted SOQL rows | Add WHERE + LIMIT |
+| innerHTML with user input | Use textContent or sanitized components |
+
+---
+
+## Security Skills Cross-Reference
+
+Security guidance is distributed across multiple skills. Use this index to find the right skill:
+
+| Skill | Focus | Type |
+|---|---|---|
+| `sf-security` (this skill) | CRUD/FLS, sharing, injection, Named Credentials, AppExchange prep | Implementation guide |
+| `sf-security-constraints` | Hard never/always rules for security compliance | Constraint (auto-loaded) |
+| `sf-apex-constraints` | Apex-specific security: `with sharing`, bind variables, `without sharing` justification | Constraint (auto-loaded) |
+| `sf-soql-constraints` | SOQL injection prevention, selective queries, bind variables | Constraint (auto-loaded) |
+| `sf-lwc-constraints` | LWC XSS prevention, `lwc:dom="manual"` restrictions, CSP | Constraint (auto-loaded) |
+
+## Related
+
+- **Agent**: `sf-review-agent` — For interactive, in-depth guidance
+- **Constraints**: `sf-security-constraints` — Hard rules for security compliance

package/skills/sf-security-constraints/SKILL.md

@@ -0,0 +1,127 @@
+---
+name: sf-security-constraints
+description: "Enforce CRUD/FLS, sharing model, SOQL injection prevention, and XSS protection for Apex and LWC. Use when writing or reviewing ANY Apex, trigger, LWC, or VF page. Do NOT use for Flow-only configuration."
+origin: SCC
+user-invocable: false
+allowed-tools: Read, Grep, Glob
+---
+
+# Security Constraints for Salesforce Code
+
+## When to Use
+
+This skill auto-activates when writing, reviewing, or modifying any Apex class, trigger, LWC component, or Visualforce page. It enforces CRUD/FLS checks, sharing model compliance, SOQL injection prevention, and XSS protection for all Salesforce code.
+
+Hard rules that apply to every Apex class, trigger, LWC component, and Visualforce page. Violating any constraint below is a blocking issue that must be fixed before the code is considered complete.
+
+Reference: @../_reference/SECURITY_PATTERNS.md, @../_reference/SHARING_MODEL.md
+@../_reference/DEPRECATIONS.md
+
+---
+
+## Never Do
+
+| # | Constraint | Why |
+|---|---|---|
+| N1 | Skip CRUD/FLS checks on user-facing SOQL or DML | Exposes data the running user should not see or modify |
+| N2 | Use `without sharing` without a written justification comment | Silently bypasses record-level security for every query in the class |
+| N3 | Build SOQL with string concatenation of user input | SOQL injection -- attacker can read or modify arbitrary records |
+| N4 | Trust client-side input without server-side validation | Client payloads are trivially forgeable; all validation must repeat in Apex |
+| N5 | Use `element.innerHTML = userInput` in LWC | Direct XSS vector; LWC auto-encoding is bypassed |
+| N6 | Hardcode API keys, tokens, passwords, or record IDs in Apex | Credentials leak via source control; IDs differ across orgs |
+| N7 | Log sensitive field values with `System.debug` | Debug logs are accessible to admins and can be exported |
+| N8 | Omit the sharing keyword on a class entirely | Defaults to `without sharing` in most contexts -- an implicit security bypass |
+
+---
+
+## Always Do
+
+| # | Constraint | How |
+|---|---|---|
+| A1 | Enforce CRUD + FLS on user-facing queries | `WITH USER_MODE` in SOQL (see @../_reference/API_VERSIONS.md for minimum version) |
+| A2 | Enforce CRUD + FLS on user-facing DML | `Database.insert(records, false, AccessLevel.USER_MODE)` |
+| A3 | Use `with sharing` as the default class keyword | Switch to `inherited sharing` only for utility/helper classes |
+| A4 | Use bind variables for SOQL filter values | Static SOQL `:bindVar` or `Database.queryWithBinds()` |
+| A5 | Sanitize output in Visualforce | `HTMLENCODE`, `JSENCODE`, `JSINHTMLENCODE`, `URLENCODE` per context |
+| A6 | Use `textContent` or `<lightning-formatted-rich-text>` in LWC | Never assign user-controlled strings to `innerHTML` |
+| A7 | Store credentials in Named Credentials / External Credentials | Use `callout:NamedCredential` prefix in Apex HTTP requests |
+| A8 | Document every `without sharing` usage | Include: why sharing bypass is needed, who approved, date reviewed |
+| A9 | Whitelist-validate dynamic SOQL components | Sort fields, directions, object/field names must match a known-safe set |
+| A10 | Use `Security.stripInaccessible()` when silent field removal is acceptable | Always check `getRemovedFields()` to avoid downstream `NullPointerException` |
+
+---
+
+## Sharing Keyword Decision
+
+Apply the correct keyword on every class. Reference: @../_reference/SHARING_MODEL.md
+
+```
+User-facing code (LWC, VF, Aura, REST API)?     -->  with sharing
+Utility / helper called from mixed contexts?     -->  inherited sharing
+Scheduled batch / system-only processing?        -->  without sharing  (document justification)
+Trigger handler?                                 -->  with sharing  (call without sharing helper only if justified)
+Inner class?                                     -->  declare explicitly  (does NOT inherit outer class keyword)
+Omitted / unsure?                                -->  with sharing
+```
+
+Key rule: sharing context does **not** propagate to called classes. A `with sharing` class calling a `without sharing` class runs the called method **without sharing**.
+
+---
+
+## Anti-Pattern Table
+
+| Anti-Pattern | Security Impact | Correct Pattern |
+|---|---|---|
+| `Database.query('... WHERE Name = \'' + input + '\'')` | SOQL injection -- attacker reads/modifies arbitrary data | `[SELECT ... WHERE Name = :input WITH USER_MODE]` or `Database.queryWithBinds()` |
+| `public class FooController { ... }` (no sharing keyword) | Implicit `without sharing` -- returns all records | `public with sharing class FooController { ... }` |
+| `public without sharing class AccountCtrl` (user-facing) | All records visible regardless of OWD, role hierarchy, sharing rules | `public with sharing class AccountCtrl` |
+| `insert records;` in user-facing code | No CRUD/FLS enforcement | `Database.insert(records, false, AccessLevel.USER_MODE);` |
+| `element.innerHTML = serverData` in LWC | Stored/reflected XSS | `element.textContent = serverData` |
+| `req.setHeader('Authorization', 'Bearer ' + hardcodedToken)` | Credential in source code; leaks via SCM | `callout:Named_Credential` with External Credentials |
+| `{!rawMergeField}` in Visualforce | Reflected XSS | `{!HTMLENCODE(rawMergeField)}` or `<apex:outputText escape="true">` |
+| `System.debug('SSN: ' + contact.SSN__c)` | PII in debug logs | Remove sensitive field logging; use opaque identifiers |
+| `API_Keys__c.getOrgDefaults().Token__c` for auth | Secrets in queryable Custom Setting | External Credentials (see @../_reference/API_VERSIONS.md for minimum version) |
+| SOQL without `LIMIT` in user-facing context | Unbounded query; governor limit risk + data exposure | Add `LIMIT` clause; paginate with `OFFSET` or cursor |
+
+---
+
+## CRUD/FLS Enforcement Quick Reference
+
+Reference: @../_reference/SECURITY_PATTERNS.md
+
+| Approach | Min API | Enforces | On Violation |
+|---|---|---|---|
+| `WITH USER_MODE` (SOQL) | See @../_reference/API_VERSIONS.md | CRUD + FLS | Throws `QueryException` |
+| `AccessLevel.USER_MODE` (DML) | See @../_reference/API_VERSIONS.md | CRUD + FLS | Throws `DmlException` |
+| `WITH SECURITY_ENFORCED` (SOQL) | See @../_reference/API_VERSIONS.md | CRUD + FLS (reads) | Throws `QueryException` |
+| `Security.stripInaccessible()` | See @../_reference/API_VERSIONS.md | FLS only | Silently strips fields |
+| Manual `isAccessible()` / `isCreateable()` | All | CRUD only | Developer-controlled |
+
+Prefer `WITH USER_MODE` / `AccessLevel.USER_MODE` for all new code (see @../_reference/API_VERSIONS.md for minimum version). Fall back to `stripInaccessible` only when silent field removal is the desired behavior.
+
+---
+
+## Visualforce Encoding Quick Reference
+
+| Output Context | Encoding Function | Example |
+|---|---|---|
+| HTML body | `HTMLENCODE` | `{!HTMLENCODE(account.Description)}` |
+| HTML attribute | `HTMLENCODE` | `title="{!HTMLENCODE(account.Name)}"` |
+| JavaScript string | `JSENCODE` | `var x = '{!JSENCODE(account.Name)}'` |
+| JS in HTML attribute | `JSINHTMLENCODE` | `onclick="fn('{!JSINHTMLENCODE(val)}')"` |
+| URL parameter | `URLENCODE` | `href="/page?q={!URLENCODE(val)}"` |
+
+Use `<apex:outputField>` or `<apex:outputText escape="true">` where possible -- they handle encoding automatically.
+
+---
+
+## Enforcement Priority
+
+When reviewing or writing code, check constraints in this order:
+
+1. **Sharing keyword** declared on every class (N2, N8, A3)
+2. **CRUD/FLS** enforced on all user-facing SOQL and DML (N1, A1, A2)
+3. **SOQL injection** -- no string concatenation with user input (N3, A4, A9)
+4. **XSS** -- correct encoding in VF; no innerHTML in LWC (N5, A5, A6)
+5. **Credentials** -- no hardcoded secrets; use Named/External Credentials (N6, A7)
+6. **Logging** -- no sensitive data in debug statements (N7)