sfdx-hardis 7.11.0 → 7.12.1

package/defaults/ci/.gitattributes

@@ -0,0 +1,20 @@
+# =============================================================
+# Salesforce CI/CD - Git attributes
+# Normalize line endings to LF on all platforms.
+# =============================================================
+
+# All text files: store as LF
+* text=auto eol=lf
+
+# Binary files - no diff, no merge
+*.png                       binary
+*.jpg                       binary
+*.jpeg                      binary
+*.gif                       binary
+*.ico                       binary
+*.svg                       binary
+*.zip                       binary
+*.jar                       binary
+*.pdf                       binary
+*.xlsx                      binary
+*.docx                      binary

package/defaults/ci/.github/workflows/check-deploy.yml

@@ -33,7 +33,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           persist-credentials: true
-          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           fetch-depth: 0 # Fetch all branches
       # Setup node
       - name: Setup Node
@@ -73,7 +73,7 @@ jobs:
           ORG_ALIAS: ${{ github.event.pull_request.base.ref }} # Defines the target branch of the PR
           CONFIG_BRANCH: ${{ github.event.pull_request.base.ref }} # Defines the target branch of the PR
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          CI_SFDX_HARDIS_GITHUB_PUSH_TOKEN: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
+          CI_SFDX_HARDIS_GITHUB_PUSH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SLACK_TOKEN: ${{ secrets.SLACK_TOKEN }}
           SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
           SLACK_CHANNEL_ID_INTEGRATION: ${{ secrets.SLACK_CHANNEL_ID_INTEGRATION }}

package/defaults/ci/.github/workflows/megalinter.yml

@@ -66,7 +66,7 @@ jobs:
         if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && !contains(github.event.head_commit.message, 'skip fix')
         uses: peter-evans/create-pull-request@v6
         with:
-          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: "[Mega-Linter] Apply linters automatic fixes"
           title: "[Mega-Linter] Apply linters automatic fixes"
           labels: bot

package/defaults/ci/.github/workflows/process-deploy.yml

@@ -32,7 +32,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           persist-credentials: true
-          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           fetch-depth: 0
       # Setup node
       - name: Setup Node
@@ -75,7 +75,7 @@ jobs:
           ORG_ALIAS: ${{ env.BRANCH }} # Defines the target branch of the PR
           CONFIG_BRANCH: ${{ env.BRANCH }} # Defines the target branch of the PR
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          CI_SFDX_HARDIS_GITHUB_PUSH_TOKEN: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
+          CI_SFDX_HARDIS_GITHUB_PUSH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SLACK_TOKEN: ${{ secrets.SLACK_TOKEN }}
           SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
           NOTIF_EMAIL_ADDRESS: ${{ secrets.NOTIF_EMAIL_ADDRESS }}

package/defaults/ci/Jenkinsfile

@@ -1,153 +1,263 @@
- /* sfdx-hardis CI/CD Pipeline for Jenkins
+// Pipeline for Salesforce CI/CD using sfdx-hardis
+//
+// SETUP (do a CTRL+F on "MANUAL"):
+// 1. In Jenkins, create a Multibranch Pipeline pointing to this repository.
+//    Jenkins will automatically discover branches and create one sub-job per branch.
+//
+// 2. Add the following credentials in Jenkins (Manage Jenkins -> Credentials -> global):
+//    Required:
+//    - SFDX_CLIENT_ID_<BRANCH>  : Secret text - Connected App consumer key for each target org
+//    - SFDX_CLIENT_KEY_<BRANCH> : Secret text - Private key for each target org
+//    Optional - add only the ones you use (missing optional credentials are silently ignored):
+//    - SLACK_TOKEN, SLACK_CHANNEL_ID      : Slack notifications
+//    - NOTIF_EMAIL_ADDRESS                : Email notifications
+//    - JIRA_HOST, JIRA_EMAIL, JIRA_TOKEN, JIRA_PAT : JIRA integration
+//    - ANTHROPIC_API_KEY, OPENAI_API_KEY, GEMINI_API_KEY : AI auto-fix of deployment errors
+//    - GITHUB_TOKEN, CI_SFDX_HARDIS_GITLAB_TOKEN, CI_SFDX_HARDIS_BITBUCKET_TOKEN,
+//      CI_SFDX_HARDIS_AZURE_TOKEN         : Allow coding agents to push branches and create PRs
+//    - SFDX_AUTH_URL_TECHNICAL_ORG        : Auth URL for a technical org (e.g. DevHub)
+//    Optional credentials use `optional: true` (requires Credentials Binding Plugin >= 1.24).
+//    Missing optional credentials are silently ignored - the pipeline will NOT crash.
+//
+// 3. The Docker agent requires Docker to be available on the Jenkins node.
+//    The main agent uses hardisgroupcom/sfdx-hardis:latest.
+//    MegaLinter runs via `docker run` inside that agent (Docker socket must be mounted).
+//
+// Doc & support: https://sfdx-hardis.cloudity.com/salesforce-ci-cd-setup-integration-jenkins/
 
- You need to do a CTRL+F on "MANUAL" and add your variable instead of example variable
+// MANUAL: List every branch that triggers a real deployment to a Salesforce org
+def DEPLOYMENT_BRANCHES = [
+    'integration',  // Example
+    'uat',          // Example
+    'preprod',      // Example
+    'main',         // Example
+]
 
- */
 pipeline {
-    agent any
-    // MANUAL : Add Environment variable if necessary
+
+    agent {
+        docker {
+            // Use sfdx-hardis image - no install step needed
+            // If rate limits are reached, use: ghcr.io/hardisgroupcom/sfdx-hardis:latest
+            image 'hardisgroupcom/sfdx-hardis:latest'
+            // Mount Docker socket so MegaLinter can run as a sibling container
+            args '-v /var/run/docker.sock:/var/run/docker.sock --user root'
+        }
+    }
+
+    options {
+        timeout(time: 120, unit: 'MINUTES')
+        disableConcurrentBuilds()
+        // Keep build logs for 30 days
+        buildDiscarder(logRotator(daysToKeepStr: '30'))
+    }
+
     environment {
-        SFDX_CLIENT_ID_INTEGRATION = credentials('SFDX_CLIENT_ID_INTEGRATION') //Example
-        SFDX_CLIENT_KEY_INTEGRATION = credentials('SFDX_CLIENT_KEY_INTEGRATION') //Example
-        SFDX_CLIENT_ID_UAT = credentials('SFDX_CLIENT_ID_UAT') //Example
-        SFDX_CLIENT_KEY_UAT = credentials('SFDX_CLIENT_KEY_UAT') //Example
-        SFDX_CLIENT_ID_PREPROD = credentials('SFDX_CLIENT_ID_PREPROD') //Example
-        SFDX_CLIENT_KEY_PREPROD = credentials('SFDX_CLIENT_KEY_PREPROD') //Example
-        SFDX_CLIENT_ID_MAIN = credentials('SFDX_CLIENT_ID_MAIN') //Example
-        SFDX_CLIENT_KEY_MAIN = credentials('SFDX_CLIENT_KEY_MAIN') //Example
-        SFDX_AUTH_URL_TECHNICAL_ORG = credentials('SFDX_AUTH_URL_TECHNICAL_ORG')
-        SLACK_TOKEN = credentials('SLACK_TOKEN') // Remove if not used
-        SLACK_CHANNEL_ID = credentials('SLACK_CHANNEL_ID') // Remove if not used
-        NOTIF_EMAIL_ADDRESS = credentials('NOTIF_EMAIL_ADDRESS') // Remove if not used
-        JIRA_HOST = credentials('JIRA_HOST') // Remove if not used
-        JIRA_EMAIL = credentials('JIRA_EMAIL') // Remove if not used
-        JIRA_TOKEN = credentials('JIRA_TOKEN') // Remove if not used
-        JIRA_PAT = credentials('JIRA_PAT') // Remove if not used
-        // Uncomment to provide API keys for coding agent auto-fix of deployment errors
-        // ANTHROPIC_API_KEY = credentials('ANTHROPIC_API_KEY')
-        // OPENAI_API_KEY = credentials('OPENAI_API_KEY')
-        // GEMINI_API_KEY = credentials('GEMINI_API_KEY')
-        // Uncomment to customize coding agent behavior
-        // SFDX_HARDIS_CODING_AGENT_MODEL = "sonnet" // Override the model used by the agent
-        // SFDX_HARDIS_CODING_AGENT_MAX_TURNS = "30" // Limit the number of agentic turns
-        // Optional tokens to allow coding agents to git push and create PR/MR
-        // GITHUB_TOKEN = credentials('GITHUB_TOKEN')
-        // CI_SFDX_HARDIS_GITLAB_TOKEN = credentials('CI_SFDX_HARDIS_GITLAB_TOKEN')
-        // CI_SFDX_HARDIS_BITBUCKET_TOKEN = credentials('CI_SFDX_HARDIS_BITBUCKET_TOKEN')
-        // CI_SFDX_HARDIS_AZURE_TOKEN = credentials('CI_SFDX_HARDIS_AZURE_TOKEN')
-        CONFIG_BRANCH = "${GIT_BRANCH}"
-        CI_COMMIT_REF_NAME = "${GIT_BRANCH}"
-        ORG_ALIAS = "${GIT_BRANCH}"
-        SFDX_DISABLE_FLOW_DIFF = 'false' // Set to true to disable Flow doc during CI/CD setup
+        FORCE_COLOR = '1'
+        // Normalize branch name: strip the "origin/" prefix added by Jenkins
+        BRANCH_NAME_CLEAN = "${env.BRANCH_NAME ?: env.GIT_BRANCH?.replaceAll('^origin/', '')}"
+        CI_COMMIT_REF_NAME = "${BRANCH_NAME_CLEAN}"
+        CONFIG_BRANCH      = "${BRANCH_NAME_CLEAN}"
+        ORG_ALIAS          = "${BRANCH_NAME_CLEAN}"
+        // Set to true to disable Flow documentation generation during initial CI/CD setup
+        SFDX_DISABLE_FLOW_DIFF = 'false'
     }
 
-    //Stage of the job
     stages {
-        parallel {
-            //run megalinter
-            stage('MegaLinter') {
-                agent {
-                    docker {
-                        image 'oxsecurity/megalinter:latest'
-                        args "-u root -e VALIDATE_ALL_CODEBASE=true -v ${WORKSPACE}:/tmp/lint --entrypoint=''"
-                        reuseNode true
+
+        ///////////////////////////////////////////////////////////////////////////////
+        // Pull Request: run MegaLinter and Validation in parallel on every PR      //
+        ///////////////////////////////////////////////////////////////////////////////
+        stage('Pull Request Checks') {
+            when { changeRequest() }
+            parallel {
+
+                ////////////////////////////////////////////////////////////
+                // Run MegaLinter to detect quality and security issues   //
+                ////////////////////////////////////////////////////////////
+                stage('MegaLinter') {
+                    steps {
+                        withCredentials([
+                            // Optional API reporter credentials (omit if unused)
+                            string(credentialsId: 'NOTIF_API_URL',                         variable: 'NOTIF_API_URL',                         optional: true),
+                            string(credentialsId: 'NOTIF_API_BASIC_AUTH_USERNAME',         variable: 'NOTIF_API_BASIC_AUTH_USERNAME',         optional: true),
+                            string(credentialsId: 'NOTIF_API_BASIC_AUTH_PASSWORD',         variable: 'NOTIF_API_BASIC_AUTH_PASSWORD',         optional: true),
+                        ]) {
+                            // Run MegaLinter as a sibling container (Docker socket must be mounted in the agent)
+                            // All available variables: https://megalinter.io/latest/config-file/
+                            sh '''
+                                docker pull oxsecurity/megalinter-salesforce:latest
+                                docker run --rm \
+                                  -v "${WORKSPACE}:/tmp/lint" \
+                                  -e DEFAULT_WORKSPACE=/tmp/lint \
+                                  -e VALIDATE_ALL_CODEBASE=true \
+                                  -e API_REPORTER=true \
+                                  -e NOTIF_API_URL="${NOTIF_API_URL}" \
+                                  -e NOTIF_API_BASIC_AUTH_USERNAME="${NOTIF_API_BASIC_AUTH_USERNAME}" \
+                                  -e NOTIF_API_BASIC_AUTH_PASSWORD="${NOTIF_API_BASIC_AUTH_PASSWORD}" \
+                                  oxsecurity/megalinter-salesforce:latest || true
+                            '''
+                        }
                     }
-                }
-                when { changeRequest() }
-                steps {
-                    sh '/entrypoint.sh'
-                }
-                post {
-                    always {
-                        archiveArtifacts allowEmptyArchive: true, artifacts: 'mega-linter.log,megalinter-reports/**/*', defaultExcludes: false, followSymlinks: false
+                    post {
+                        always {
+                            archiveArtifacts allowEmptyArchive: true, artifacts: 'mega-linter.log,megalinter-reports/**/*', defaultExcludes: false, followSymlinks: false
+                        }
                     }
                 }
-            }
-            stage('Validation') {
-                agent {
-                    docker {
-                        // If rate limits reached, use ghcr.io/hardisgroupcom/sfdx-hardis:latest
-                        image 'hardisgroupcom/sfdx-hardis:latest' 
+
+                ///////////////////////////////////////////////////////////////////////
+                // Validate deployment on the target org (check-only, no side-effect) //
+                ///////////////////////////////////////////////////////////////////////
+                stage('Validation') {
+                    steps {
+                        script {
+                            def currentBranch = env.GIT_BRANCH?.replaceAll('^(refs/heads/|origin/)', '') ?: ''
+                            if (currentBranch.startsWith('auto-fix/')) {
+                                // Skip sf hardis commands on auto-fix branches to avoid recursive runs
+                                echo "[sfdx-hardis] Skipping sf hardis commands on auto-fix branch ${currentBranch}"
+                            } else {
+                                withCredentials([
+                                    // ----------------------------------------------------------------
+                                    // MANUAL: Add one pair of credentials per deployment org.
+                                    // The credential ID must match the variable name expected by sfdx-hardis.
+                                    // Examples - duplicate and adapt for each org:
+                                    //
+                                    // string(credentialsId: 'SFDX_CLIENT_ID_INTEGRATION',  variable: 'SFDX_CLIENT_ID_INTEGRATION'),
+                                    // string(credentialsId: 'SFDX_CLIENT_KEY_INTEGRATION', variable: 'SFDX_CLIENT_KEY_INTEGRATION'),
+                                    // string(credentialsId: 'SFDX_CLIENT_ID_UAT',          variable: 'SFDX_CLIENT_ID_UAT'),
+                                    // string(credentialsId: 'SFDX_CLIENT_KEY_UAT',         variable: 'SFDX_CLIENT_KEY_UAT'),
+                                    // string(credentialsId: 'SFDX_CLIENT_ID_PREPROD',      variable: 'SFDX_CLIENT_ID_PREPROD'),
+                                    // string(credentialsId: 'SFDX_CLIENT_KEY_PREPROD',     variable: 'SFDX_CLIENT_KEY_PREPROD'),
+                                    // string(credentialsId: 'SFDX_CLIENT_ID_MAIN',         variable: 'SFDX_CLIENT_ID_MAIN'),
+                                    // string(credentialsId: 'SFDX_CLIENT_KEY_MAIN',        variable: 'SFDX_CLIENT_KEY_MAIN'),
+                                    // ----------------------------------------------------------------
+                                    // Technical org auth URL (optional - used for DevHub or scratch org workflows)
+                                    string(credentialsId: 'SFDX_AUTH_URL_TECHNICAL_ORG',    variable: 'SFDX_AUTH_URL_TECHNICAL_ORG',    optional: true),
+                                    // Notification credentials (optional - pipeline will NOT crash if missing)
+                                    string(credentialsId: 'SLACK_TOKEN',                    variable: 'SLACK_TOKEN',                    optional: true),
+                                    string(credentialsId: 'SLACK_CHANNEL_ID',               variable: 'SLACK_CHANNEL_ID',               optional: true),
+                                    string(credentialsId: 'NOTIF_EMAIL_ADDRESS',            variable: 'NOTIF_EMAIL_ADDRESS',            optional: true),
+                                    // JIRA integration (optional)
+                                    string(credentialsId: 'JIRA_HOST',                      variable: 'JIRA_HOST',                      optional: true),
+                                    string(credentialsId: 'JIRA_EMAIL',                     variable: 'JIRA_EMAIL',                     optional: true),
+                                    string(credentialsId: 'JIRA_TOKEN',                     variable: 'JIRA_TOKEN',                     optional: true),
+                                    string(credentialsId: 'JIRA_PAT',                       variable: 'JIRA_PAT',                       optional: true),
+                                    // AI coding agent credentials (optional - auto-fix deployment errors)
+                                    string(credentialsId: 'ANTHROPIC_API_KEY',              variable: 'ANTHROPIC_API_KEY',              optional: true),
+                                    string(credentialsId: 'OPENAI_API_KEY',                 variable: 'OPENAI_API_KEY',                 optional: true),
+                                    string(credentialsId: 'GEMINI_API_KEY',                 variable: 'GEMINI_API_KEY',                 optional: true),
+                                    // Git provider tokens (optional - allow coding agents to push branches and open PRs)
+                                    string(credentialsId: 'GITHUB_TOKEN',                         variable: 'GITHUB_TOKEN',                         optional: true),
+                                    string(credentialsId: 'CI_SFDX_HARDIS_GITLAB_TOKEN',          variable: 'CI_SFDX_HARDIS_GITLAB_TOKEN',          optional: true),
+                                    string(credentialsId: 'CI_SFDX_HARDIS_BITBUCKET_TOKEN',       variable: 'CI_SFDX_HARDIS_BITBUCKET_TOKEN',       optional: true),
+                                    string(credentialsId: 'CI_SFDX_HARDIS_AZURE_TOKEN',           variable: 'CI_SFDX_HARDIS_AZURE_TOKEN',           optional: true),
+                                ]) {
+                                    sh '''
+                                        if [ -n "${GITHUB_TOKEN:-}" ] || [ -n "${CI_SFDX_HARDIS_GITLAB_TOKEN:-}" ] || [ -n "${CI_SFDX_HARDIS_BITBUCKET_TOKEN:-}" ] || [ -n "${CI_SFDX_HARDIS_AZURE_TOKEN:-}" ]; then
+                                            git config user.email "sfdx-hardis-bot@cloudity.com"
+                                            git config user.name "sfdx-hardis Bot"
+                                            echo "[sfdx-hardis] Coding-agent git auth prerequisites found"
+                                        else
+                                            echo "[sfdx-hardis] Skipping coding-agent git auth setup: no provider token variable is set"
+                                        fi
+                                    '''
+                                    sh 'sf hardis:auth:login'
+                                    sh 'sf hardis:project:deploy:smart --check'
+                                }
+                            }
+                        }
                     }
-                }
-                when { changeRequest() }
-                //Validation on the appropriate org
-                steps {
-                    script {
-                        sh '''
-CURRENT_BRANCH=$(echo "${GIT_BRANCH}" | sed -E 's#^refs/heads/##; s#^origin/##')
-if [ "${CURRENT_BRANCH#auto-fix/}" != "${CURRENT_BRANCH}" ]; then
-    echo "[sfdx-hardis] Skipping sf hardis commands on auto-fix branch ${CURRENT_BRANCH}"
-    exit 0
-fi
-'''
-                                                sh '''
-if [ -n "${GITHUB_TOKEN:-}" ] || [ -n "${CI_SFDX_HARDIS_GITLAB_TOKEN:-}" ] || [ -n "${CI_SFDX_HARDIS_BITBUCKET_TOKEN:-}" ] || [ -n "${CI_SFDX_HARDIS_AZURE_TOKEN:-}" ] || [ -n "${SYSTEM_ACCESSTOKEN:-}" ]; then
-    git config user.email "sfdx-hardis-bot@cloudity.com"
-    git config user.name "sfdx-hardis Bot"
-    echo "[sfdx-hardis] Coding-agent git auth prerequisites found"
-else
-    echo "[sfdx-hardis] Skipping coding-agent git auth setup: no provider token variable is set"
-fi
-'''
-                        sh 'sf hardis:auth:login'
-                        sh 'sf hardis:project:deploy:smart --check'
+                    post {
+                        always {
+                            archiveArtifacts allowEmptyArchive: true, artifacts: 'hardis-report/**', defaultExcludes: false, followSymlinks: false
+                        }
                     }
                 }
-                post {
-                    always {
-                        archiveArtifacts allowEmptyArchive: true, artifacts: 'hardis-report', defaultExcludes: false, followSymlinks: false
-                    }
+
+            } // end parallel Pull Request Checks
+        } // end Pull Request Checks
+
+        /////////////////////////////////////////////////////////////////////////////////
+        // Deploy to the target org when a commit lands on a deployment branch        //
+        /////////////////////////////////////////////////////////////////////////////////
+        stage('Deployment') {
+            when {
+                allOf {
+                    expression { DEPLOYMENT_BRANCHES.contains(env.BRANCH_NAME_CLEAN) }
+                    not { changeRequest() }
                 }
             }
-            stage('Deployment') {
-                agent {
-                    docker {
-                        // If rate limits reached, use ghcr.io/hardisgroupcom/sfdx-hardis:latest
-                        image 'hardisgroupcom/sfdx-hardis:latest'
-                    }
-                }
-                //MANUAL: add your major branch if necessary
-                when {
-                    allOf {
-                        anyOf {
-                            branch: 'integration' //Example
-                            branch: 'uat' //Example
-                            branch: 'preprod' //Example
-                            branch: 'main' //Example
-                        };
-                        not { changeRequest() }
-                    }
-                }
-                //deploy on the appropriate org
-                steps {
-                    script {
-                        sh '''
-CURRENT_BRANCH=$(echo "${GIT_BRANCH}" | sed -E 's#^refs/heads/##; s#^origin/##')
-if [ "${CURRENT_BRANCH#auto-fix/}" != "${CURRENT_BRANCH}" ]; then
-    echo "[sfdx-hardis] Skipping sf hardis commands on auto-fix branch ${CURRENT_BRANCH}"
-    exit 0
-fi
-'''
-                                                sh '''
-if [ -n "${GITHUB_TOKEN:-}" ] || [ -n "${CI_SFDX_HARDIS_GITLAB_TOKEN:-}" ] || [ -n "${CI_SFDX_HARDIS_BITBUCKET_TOKEN:-}" ] || [ -n "${CI_SFDX_HARDIS_AZURE_TOKEN:-}" ] || [ -n "${SYSTEM_ACCESSTOKEN:-}" ]; then
-    git config user.email "sfdx-hardis-bot@cloudity.com"
-    git config user.name "sfdx-hardis Bot"
-    echo "[sfdx-hardis] Coding-agent git auth prerequisites found"
-else
-    echo "[sfdx-hardis] Skipping coding-agent git auth setup: no provider token variable is set"
-fi
-'''
-                        sh 'sf hardis:auth:login'
-                        sh 'sf hardis:project:deploy:smart'
+            steps {
+                script {
+                    def currentBranch = env.GIT_BRANCH?.replaceAll('^(refs/heads/|origin/)', '') ?: ''
+                    if (currentBranch.startsWith('auto-fix/')) {
+                        // Skip sf hardis commands on auto-fix branches to avoid recursive runs
+                        echo "[sfdx-hardis] Skipping sf hardis commands on auto-fix branch ${currentBranch}"
+                    } else {
+                        withCredentials([
+                            // ----------------------------------------------------------------
+                            // MANUAL: Add one pair of credentials per deployment org.
+                            // Same credential pairs as in the Validation stage above.
+                            //
+                            // string(credentialsId: 'SFDX_CLIENT_ID_INTEGRATION',  variable: 'SFDX_CLIENT_ID_INTEGRATION'),
+                            // string(credentialsId: 'SFDX_CLIENT_KEY_INTEGRATION', variable: 'SFDX_CLIENT_KEY_INTEGRATION'),
+                            // string(credentialsId: 'SFDX_CLIENT_ID_UAT',          variable: 'SFDX_CLIENT_ID_UAT'),
+                            // string(credentialsId: 'SFDX_CLIENT_KEY_UAT',         variable: 'SFDX_CLIENT_KEY_UAT'),
+                            // string(credentialsId: 'SFDX_CLIENT_ID_PREPROD',      variable: 'SFDX_CLIENT_ID_PREPROD'),
+                            // string(credentialsId: 'SFDX_CLIENT_KEY_PREPROD',     variable: 'SFDX_CLIENT_KEY_PREPROD'),
+                            // string(credentialsId: 'SFDX_CLIENT_ID_MAIN',         variable: 'SFDX_CLIENT_ID_MAIN'),
+                            // string(credentialsId: 'SFDX_CLIENT_KEY_MAIN',        variable: 'SFDX_CLIENT_KEY_MAIN'),
+                            // ----------------------------------------------------------------
+                            // Technical org auth URL (optional - used for DevHub or scratch org workflows)
+                            string(credentialsId: 'SFDX_AUTH_URL_TECHNICAL_ORG',    variable: 'SFDX_AUTH_URL_TECHNICAL_ORG',    optional: true),
+                            // Notification credentials (optional - pipeline will NOT crash if missing)
+                            string(credentialsId: 'SLACK_TOKEN',                    variable: 'SLACK_TOKEN',                    optional: true),
+                            string(credentialsId: 'SLACK_CHANNEL_ID',               variable: 'SLACK_CHANNEL_ID',               optional: true),
+                            string(credentialsId: 'NOTIF_EMAIL_ADDRESS',            variable: 'NOTIF_EMAIL_ADDRESS',            optional: true),
+                            // JIRA integration (optional)
+                            string(credentialsId: 'JIRA_HOST',                      variable: 'JIRA_HOST',                      optional: true),
+                            string(credentialsId: 'JIRA_EMAIL',                     variable: 'JIRA_EMAIL',                     optional: true),
+                            string(credentialsId: 'JIRA_TOKEN',                     variable: 'JIRA_TOKEN',                     optional: true),
+                            string(credentialsId: 'JIRA_PAT',                       variable: 'JIRA_PAT',                       optional: true),
+                            // AI coding agent credentials (optional - auto-fix deployment errors)
+                            string(credentialsId: 'ANTHROPIC_API_KEY',              variable: 'ANTHROPIC_API_KEY',              optional: true),
+                            string(credentialsId: 'OPENAI_API_KEY',                 variable: 'OPENAI_API_KEY',                 optional: true),
+                            string(credentialsId: 'GEMINI_API_KEY',                 variable: 'GEMINI_API_KEY',                 optional: true),
+                            // Git provider tokens (optional - allow coding agents to push branches and open PRs)
+                            string(credentialsId: 'GITHUB_TOKEN',                         variable: 'GITHUB_TOKEN',                         optional: true),
+                            string(credentialsId: 'CI_SFDX_HARDIS_GITLAB_TOKEN',          variable: 'CI_SFDX_HARDIS_GITLAB_TOKEN',          optional: true),
+                            string(credentialsId: 'CI_SFDX_HARDIS_BITBUCKET_TOKEN',       variable: 'CI_SFDX_HARDIS_BITBUCKET_TOKEN',       optional: true),
+                            string(credentialsId: 'CI_SFDX_HARDIS_AZURE_TOKEN',           variable: 'CI_SFDX_HARDIS_AZURE_TOKEN',           optional: true),
+                        ]) {
+                            sh '''
+                                if [ -n "${GITHUB_TOKEN:-}" ] || [ -n "${CI_SFDX_HARDIS_GITLAB_TOKEN:-}" ] || [ -n "${CI_SFDX_HARDIS_BITBUCKET_TOKEN:-}" ] || [ -n "${CI_SFDX_HARDIS_AZURE_TOKEN:-}" ]; then
+                                    git config user.email "sfdx-hardis-bot@cloudity.com"
+                                    git config user.name "sfdx-hardis Bot"
+                                    echo "[sfdx-hardis] Coding-agent git auth prerequisites found"
+                                else
+                                    echo "[sfdx-hardis] Skipping coding-agent git auth setup: no provider token variable is set"
+                                fi
+                            '''
+                            sh 'sf hardis:auth:login'
+                            sh 'sf hardis:project:deploy:smart'
+                        }
                     }
                 }
-                post {
-                    always {
-                        archiveArtifacts allowEmptyArchive: true, artifacts: 'hardis-report', defaultExcludes: false, followSymlinks: false
-                    }
+            }
+            post {
+                always {
+                    archiveArtifacts allowEmptyArchive: true, artifacts: 'hardis-report/**', defaultExcludes: false, followSymlinks: false
                 }
             }
         }
+
+    } // end stages
+
+    post {
+        always {
+            cleanWs(cleanWhenAborted: true, cleanWhenFailure: true, cleanWhenSuccess: true)
+        }
     }
+
 }

package/defaults/ci/manifest/package-no-overwrite.xml

@@ -15,6 +15,11 @@
       <members>*</members>
       <name>ConnectedApp</name>
   </types>
+  <!-- External Client Apps (API 59.0+): OAuth consumer key and secret are org-specific and must never be overwritten -->
+  <types>
+      <members>*</members>
+      <name>ExtlClntAppGlobalOauthSettings</name>
+  </types>
   <types>
     <!-- Once a dashboard is published, it is always managed directly in production -->
     <members>*</members>
@@ -25,8 +30,13 @@
     <members>*</members>
     <name>FlowDefinition</name>
   </types>
+  <!-- External Credentials (Named Credentials v2, API 57.0+): auth protocol and named principals are org-specific -->
+  <types>
+      <members>*</members>
+      <name>ExternalCredential</name>
+  </types>
   <types>
-    <!-- Name Credentials can contain auth info that are different between dev, uat, preprod and prod: let's not overwrite them ! -->
+    <!-- Named Credentials can contain auth info that differs between dev, uat, preprod and prod: let's not overwrite them ! -->
     <members>*</members>
     <name>NamedCredential</name>
   </types>

package/defaults/monitoring/.gitattributes

@@ -0,0 +1,20 @@
+# =============================================================
+# Salesforce Monitoring - Git attributes
+# Normalize line endings to LF on all platforms.
+# =============================================================
+
+# All text files: store as LF
+* text=auto eol=lf
+
+# Binary files - no diff, no merge
+*.png                       binary
+*.jpg                       binary
+*.jpeg                      binary
+*.gif                       binary
+*.ico                       binary
+*.svg                       binary
+*.zip                       binary
+*.jar                       binary
+*.pdf                       binary
+*.xlsx                      binary
+*.docx                      binary