
Security: ysumanth06/SF-Spec-Kit


SECURITY.md

Security Policy

Supported Versions

We actively support the latest version of SFSpeckit. Security updates for older versions are not provided; please upgrade to the latest stable release to ensure you have the current security protections.

Version     Supported
v1.1.x      ✅ Yes
< v1.1.0    ❌ No

Reporting a Vulnerability

Please do not use GitHub Issues to report security vulnerabilities.

To report a vulnerability, please use the GitHub Private Security Advisory feature:

  1. Navigate to the "Security" tab of the repository.
  2. Select "Advisories" from the left sidebar.
  3. Click "New draft security advisory" or use the "Report a vulnerability" button if available.

This ensures that vulnerabilities are disclosed responsibly and allows the maintainers to prepare a fix before the details are made public.

Security Architecture

SFSpeckit is designed to be secure-by-default:

  • Authentication: SFSpeckit does not store Salesforce credentials. It relies entirely on your local sf CLI (Salesforce CLI) configuration.
  • External Requests: The toolkit does not make unauthorized external HTTP requests. All communication with Salesforce orgs is routed through the standard sf CLI commands.
  • Data Privacy: No metadata or business data is transmitted to external servers beyond what is required for the LLM to process specific instructions (if you are using a cloud-based AI provider).

Security articles (Constitution)

All code generated by SFSpeckit follows Article IV: Security-by-Default, which mandates:

  • Mandatory use of with sharing or inherited sharing (never without sharing).
  • Mandatory use of WITH USER_MODE for DML and SOQL.
  • No hardcoded IDs or secrets.
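To make the three Article IV rules concrete, here is an Apex class written to them. This is an added example, not code from SF-Spec-Kit or from its generated output; the class, method and field names, the record type developer name Partner_Deal and the Named Credential Credit_Bureau are all hypothetical.

```apex
// Added example (not part of SF-Spec-Kit): an Apex class that follows the
// Article IV rules above. Names are hypothetical.
public with sharing class OpportunityReviewService {

    // Rule 1: "with sharing" applies the running user's record-level sharing
    // to every query and DML in this class. A "without sharing" class would
    // return and modify records the user is not allowed to see.

    // Rule 2: WITH USER_MODE also enforces object- and field-level security
    // (CRUD/FLS). A user without read access to Amount gets a QueryException
    // instead of the field being returned silently in system context.
    public static List<Opportunity> openOpportunitiesForAccount(Id accountId) {
        return [
            SELECT Id, Name, Amount, StageName
            FROM Opportunity
            WHERE AccountId = :accountId AND IsClosed = false
            WITH USER_MODE
        ];
    }

    // Rule 2 for dynamic SOQL: Database.query accepts an AccessLevel, so a
    // query built as a string gets the same CRUD/FLS enforcement. The string
    // is built from constants only; the user-supplied value is a bind variable.
    public static List<Opportunity> opportunitiesByStage(String stage) {
        String soql = 'SELECT Id, Name FROM Opportunity WHERE StageName = :stage';
        return Database.query(soql, AccessLevel.USER_MODE);
    }

    // Rule 2 for DML: "update as user" runs the statement in user mode, so a
    // missing edit permission on Description raises a DmlException rather
    // than being bypassed by system-mode DML.
    public static void markAsReviewed(List<Opportunity> opps) {
        for (Opportunity o : opps) {
            o.Description = 'Reviewed';
        }
        update as user opps;
    }

    // Rule 3, no hardcoded IDs: record type Ids differ between sandboxes and
    // production, so resolve the Id by DeveloperName at runtime. The lookup
    // returns null if the record type does not exist in the org, so check it.
    public static Id partnerRecordTypeId() {
        Schema.RecordTypeInfo info = Schema.SObjectType.Opportunity
            .getRecordTypeInfosByDeveloperName()
            .get('Partner_Deal');   // hypothetical record type
        if (info == null) {
            throw new IllegalArgumentException('Record type Partner_Deal not found');
        }
        return info.getRecordTypeId();
    }

    // Rule 3, no hardcoded secrets: the endpoint and its authentication live
    // in a Named Credential, so no token, password or host appears in Apex.
    public static HttpResponse fetchCreditScore(String accountNumber) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Credit_Bureau/score/'
            + EncodingUtil.urlEncode(accountNumber, 'UTF-8'));
        req.setMethod('GET');
        return new Http().send(req);
    }
}
```

The points a reviewer of generated code would check: the class declaration carries with sharing or inherited sharing, every static SOQL ends in WITH USER_MODE, every dynamic query passes AccessLevel.USER_MODE, every DML statement uses the as user form, and no 15- or 18-character Salesforce Id, token or URL literal appears in the source.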

There aren't any published security advisories