Writing
Thoughts & technical notes.
Salesforce architecture, DevSecOps, release management, and application security - from the field.
Copilot Approval Guard: Auditing What Your AI Agent Can Run Without Asking
AI coding agents accumulate 'always allow' permissions silently over time. Copilot Approval Guard is a VS Code extension that surfaces every auto-approved terminal command, URL, and MCP tool call - with risk classification - so you can revoke what you no longer trust.
AWS Lambda Security Hardening: The Checklist Most Guides Skip
Lambda's serverless model removes server management but introduces its own attack surface. From execution role scoping to VPC placement and function URL controls, here's the complete hardening checklist.
API Gateway Throttling, Brute Force Protection, and the Limits of Edge Security
Rate limiting at the API Gateway level stops obvious brute force attacks, but it's not a substitute for authentication hardening. Here's a layered approach using APIGW throttles, CloudFront functions, Lambda authorizers, and Cost Anomaly Detection.
Dependency Confusion Attacks: How They Work and How to Prevent Them in 2026
Dependency confusion attacks exploit how package managers resolve package names between public and private registries. Several high-profile incidents in early 2026 show the pattern is still being abused. Here's the mechanics and the mitigations.
GitHub Advanced Security in 2026: Getting Real Value from CodeQL, Secret Scanning, and Dependabot
GitHub Advanced Security has matured significantly. Here's how to configure CodeQL, secret scanning, and Dependabot for signal over noise - and what the April 2026 updates change about the default setup.
Secrets in CI/CD: Why Environment Variables Aren't Enough
GitHub Secrets and environment variables are convenient but have real limitations - they can be printed, inherited by subprocesses, and live forever. Here's a tiered approach to secrets management in CI/CD pipelines.
CloudTrail Is Not Enough: Building Actionable AWS Security Monitoring
CloudTrail records every API call, but raw logs are not alerts. Here's how to layer CloudWatch alarms, Cost Anomaly Detection, and AWS Config rules to get signal you can actually act on - without a SIEM.
SLSA Level 3 in GitHub Actions: Build Provenance Without the Complexity
SLSA (Supply-chain Levels for Software Artifacts) Level 3 ensures your build outputs are traceable to a specific source commit and build environment. GitHub Actions makes it achievable without custom infrastructure.
Distroless Containers: Eliminating the OS Attack Surface in 2026
Standard base images ship hundreds of packages that your application never uses - each a potential CVE vector. Distroless images contain only your runtime and application. Here's how to migrate and what to watch out for.
Hardening a Real GitHub Actions Pipeline: SHA Pinning and Scoped Permissions
Walking through the exact changes made to pin every action to a commit SHA, set deny-by-default permissions, and scope id-token: write to only the job that needs it - with the diffs to prove it.
IaC Security Scanning with Trivy: Catching Misconfigurations Before They Reach AWS
Trivy scans Terraform, CloudFormation, Kubernetes manifests, and Dockerfiles for security misconfigurations in CI. Here's how to integrate it, tune the findings, and build a .trivyignore policy that doesn't become noise.
Salesforce Deployment Validation and Rollback: A Production Playbook
Salesforce deployments aren't transactional. Rolling back is manual, error-prone, and sometimes impossible. Here's how to validate before you commit, and what rollback actually looks like when you need it.
Migrating from sfdx to the sf CLI
sfdx reached end-of-life in December 2024. Here's everything you need to update your commands, flags, and CI pipelines to the modern sf CLI.
Agentforce Custom Actions: Connecting AI Agents to External Systems
Custom actions are how Agentforce agents do real work. Here's what the LLM needs from your @InvocableMethod, how to handle errors agents can reason about, and the security model.
Pinning GitHub Actions to Commit SHAs: Supply Chain Security That Actually Works
Version tags in GitHub Actions are mutable - a compromised action maintainer can push malicious code to v4 without changing the tag. SHA pinning prevents this. Here's how to do it at scale.
CI/CD Platform Decision in 2026: GitHub Actions vs AWS CodePipeline vs GitLab CI
CodePipeline v2 gained CloudWatch DORA metrics, pipeline-to-pipeline invocation, and enhanced debugging in 2025. GitHub Actions runners got sub-5-second starts. Here is an honest comparison for AWS-native teams deciding in 2026.
Testing Lightning Web Components with Jest
A practical guide to LWC Jest testing: wire adapter mocking, Apex call mocking, user events, and the snapshot trade-offs you need to know.
Data Cloud and Marketing Cloud Engagement: Integration Patterns
Data Cloud is the unified customer profile. Marketing Cloud is the activation channel. Here's the architecture for connecting them, the latency realities, and the Journey Builder patterns that work.
Named Credentials and External Credentials: The New Model
API 53 split Named Credentials into two objects. Here's why the old model was a security problem, how the new model works, and how to migrate legacy configurations.
Experience Cloud Site Security: Common Vulnerabilities and Fixes
Guest user permission creep, insecure Apex sharing, SOQL injection via search parameters - these are the vulnerabilities that compromise Experience Cloud sites. Here's how to find and fix them.
Apex Trigger Frameworks: Building a Scalable Handler Architecture
One trigger per object, a handler base class, and a registration pattern. Here's how to build a trigger framework that scales without fighting itself.
Scratch Org Pools for Faster Salesforce CI
Scratch org creation takes 3–7 minutes and serializes your pipeline. Pre-creating a pool of orgs and checking them out on demand cuts that wait to near zero.
OIDC in GitHub Actions: The Right Way to Authenticate to AWS in 2026
Long-lived AWS access keys in GitHub secrets are a supply chain risk waiting to happen. OIDC-based role assumption eliminates them entirely - here's how to set it up correctly and harden it against token abuse.
Salesforce Platform Cache: Eliminating Redundant SOQL
Platform Cache can slash SOQL usage in high-traffic orgs. Here's the partition setup, put/get patterns, TTL strategy, and what you should never cache.
Shift Smart, Not Just Shift Left: Rethinking Security Tooling in 2026
The Datadog DevSecOps 2026 Report shows 87% of organisations have exploitable vulnerabilities and dependency lag is getting worse. Shifting left alone is not working. Here is what shift smart looks like in practice.
Salesforce Flow Architecture at Scale: Patterns That Don't Break
Practical patterns for building maintainable, performant Salesforce Flows in large orgs - covering bulkification, error handling, sub-flows, and governor limit avoidance.
CVE-2025-29927: The Next.js Middleware Auth Bypass That Should Worry You
A critical vulnerability in Next.js allowed attackers to bypass middleware-based authentication entirely using a single request header. Here's what happened, who was affected, and how to fix it.
AI Code Review in the Pipeline: What GitHub Copilot Code Review Actually Catches
Copilot Code Review hit 60 million reviews by early 2026. That is enough real-world data to evaluate honestly. Here is what it catches, what it misses, and how to layer it correctly in a security-conscious pipeline.
Kubernetes v1.33-1.35: The Security Features That Actually Matter for Production
Bound ServiceAccount tokens with node binding, recursive read-only mounts, finer-grained RBAC via label selectors, anonymous request restrictions, and what is coming in v1.35 - the Kubernetes security improvements worth shipping in 2026.
Building payslip-parser: Extracting Structured Data from Payslip PDFs
How I built a Python CLI that uses coordinate-based PDF parsing to extract salary, tax, and NI data from payslip PDFs and writes a structured Excel workbook for financial tracking.
Building Expenses: An iOS Tracker That Categorises Itself with Claude AI
How I built a native iOS expense tracker in SwiftUI and SwiftData that listens to banking notifications, parses transactions automatically, uses Claude Haiku for AI categorisation, and syncs to Google Sheets.
Zero Static Credentials in CI/CD: SPIFFE, SPIRE, and OIDC Federation
GitHub Actions OIDC, AWS IAM OIDC federation, EKS Pod Identity, and SPIFFE/SPIRE now compose into a coherent architecture where no pipeline or workload holds a static credential. Here is how the pieces fit together.
OpenBao vs HashiCorp Vault: Making the Secrets Management Decision in 2026
HashiCorp's BSL licence shift in 2023 created a fork. OpenBao reached v2.5 in February 2026 under Linux Foundation governance. Here is a concrete decision framework for teams evaluating whether to stay on Vault, migrate to OpenBao, or move to a hosted alternative.
release-notes-generator: Structured Release Notes from Conventional Commits
A Python CLI that parses Conventional Commits history and generates Markdown, plain text, or JSON release notes - with GitHub Actions integration to auto-populate GitHub Releases on every tag.
IaC Security in 2026: Static Scanning, OpenTofu, and the Drift Problem
tfsec is dead, absorbed into Trivy. Checkov and Trivy are the real choice. But static scanning misses what someone changed in the console last Tuesday. Here is the full picture of IaC security in 2026, including runtime drift detection.
DevOps Center vs Copado in 2026: A Field Comparison
An honest side-by-side comparison of Salesforce DevOps Center and Copado for enterprise teams - covering branching, CI/CD integration, user story tracking, and the total cost picture.
aws-sfdc-event-bridge: Connecting Salesforce Platform Events to AWS
How I built a Terraform-managed bridge between Salesforce Platform Events and Amazon EventBridge - with HMAC webhook validation, fan-out to SQS/SNS/Step Functions, and zero long-lived credentials.
GitHub's 2026 Actions Security Roadmap: What It Means for CI/CD Teams
Workflow dependency locking, immutable releases, scoped credentials, and network egress controls - GitHub's 2026 roadmap is the most substantive security investment in Actions since its launch. Here is what is coming and what to prepare for.
CISA's 2025 SBOM Minimum Elements Raised the Bar: Are Your SBOMs Compliant?
The 2021 NTIA minimum elements defined the floor. CISA's 2025 revision adds Component Hash, License, Tool Name, and Generation Context as required fields. Here is what changed, what tooling meets the new bar, and how to integrate compliant SBOMs into your pipeline.
copado-pipeline-inspector: Visibility Into Your Copado Pipelines
A CLI to query Copado pipeline execution history, promotion success rates, and user story throughput directly via the Salesforce REST API - because Copado's built-in reporting isn't enough.
Agentforce in Production: What Actually Works in 2026
A practical look at deploying Salesforce Agentforce agents in enterprise environments - agent topics, actions, guardrails, testing, and the deployment patterns that hold up under real workloads.
SLSA Build Level 3 is Now Achievable Without a Platform Team
GitHub Artifact Attestations hit GA in January 2026 with SLSA Build Level 3 support. Here is a practical walkthrough of build provenance, SBOM attestation, and supply chain verification using only open-source tooling.
AWS re:Invent 2024: The Security Launches That Actually Change Deployment Architecture
Resource Control Policies, Declarative Policies, centralised root access management, and GuardDuty's extended threat detection are the five launches from re:Invent 2024 that require rethinking how you design secure AWS environments.
sf-metadata-delta: Cutting Salesforce Deployment Time by 95%
How I built a TypeScript CLI that generates a minimal package.xml from git diffs - deploying only changed Salesforce metadata instead of the full org, dropping build times from 60 minutes to under 5.
The tj-actions Attack Was Preventable: A Blueprint for GitHub Actions Hardening
CVE-2025-30066 compromised 23,000+ downstream workflows by redirecting mutable version tags. Here is what happened, why it worked, and the concrete steps that would have stopped it.
Building apex-security-scanner: OWASP Static Analysis for Salesforce
How I built a Python CLI that runs OWASP Top 10 checks against Salesforce Apex code - detecting SOQL injection, hardcoded credentials, missing CRUD/FLS checks, and unsafe DML patterns.
Building with Salesforce Data Cloud: A Practitioner's Architecture Guide
How to model, ingest, and activate customer data across Salesforce clouds using Data Cloud - including identity resolution, calculated insights, and real-time segmentation.
Salesforce Order Management: Implementation Patterns for Complex Fulfilment
Real-world patterns for implementing Salesforce OMS - from order lifecycle design and inventory allocation to fulfilment orchestration and post-order service flows.
API-Led Connectivity with MuleSoft and Salesforce: Patterns That Scale
How to apply the API-led connectivity pattern across a Salesforce-centred architecture - system, process, and experience API layers, error handling, and avoiding common anti-patterns.
Automating Salesforce Deployments with Copado and GitHub Actions
A practical guide to building a robust Salesforce CI/CD pipeline that combines Copado's native release management with GitHub Actions for full traceability and automation.
Salesforce Shield in Practice: Encryption, Event Monitoring, and Field Audit Trail
A practical guide to deploying Salesforce Shield - what each component actually protects, how encryption affects SOQL and reporting, and the field audit trail gotchas nobody warns you about.
OWASP Top 10 for Salesforce Developers
The OWASP Top 10 doesn't disappear just because you're on Salesforce. Here's how each category manifests in Apex and LWC - and how to fix them.
Salesforce Identity Deep Dive: SSO, OAuth 2.0, and SAML for Enterprise Architects
A practical guide to Salesforce identity and access management - choosing between SAML and OAuth, implementing named credentials, Connected App security, and service account patterns.
Advanced GitHub Actions Patterns for Salesforce CI/CD
Beyond the basics - reusable workflows, matrix deployments, dynamic environment routing, approval gates, and secrets management patterns for production-grade Salesforce CI/CD pipelines.
Multi-Cloud Salesforce Architecture: Making the Clouds Actually Talk
Lessons from designing and implementing multi-cloud Salesforce environments - Commerce Cloud, Sales Cloud, Service Cloud, Marketing Cloud - that work as a coherent system.
Copado vs Gearset vs Azure DevOps: Choosing Your Salesforce DevOps Platform
An honest comparison of the three dominant Salesforce DevOps platforms based on real implementation experience - where each one shines, where it struggles, and how to decide.
Shift-Left Security in Salesforce CI/CD Pipelines
How to move security checks earlier in the Salesforce development lifecycle - before code reaches a sandbox, before a reviewer sees it, before it can cause a problem.
Building Resilient Salesforce Integrations: Failure Modes and Recovery Patterns
How to design Salesforce integrations that survive network failures, API timeouts, governor limits, and partial failures - with concrete Apex patterns for retry, idempotency, and dead letter queues.
Terraform for Salesforce Infrastructure: Managing the Ecosystem Around Your Org
Your Salesforce org isn't an island. Here's how to use Terraform to manage the AWS infrastructure, Connected Apps, and integration layer that surrounds it.
Salesforce Einstein AI in Practice: What Actually Works and What Doesn't
A practitioner's guide to deploying Salesforce Einstein features - scoring models, generative AI with Prompt Builder, Einstein Copilot, and the honest trade-offs you won't find in the marketing material.
Salesforce Release Management: Branching Strategies That Actually Work
The branching model that balances parallel development, stable releases, and the reality of Salesforce sandbox limitations - for large teams running multiple concurrent projects.
Salesforce Performance Optimisation: From Slow Pages to Sub-Second Load Times
Practical techniques for diagnosing and fixing Salesforce performance problems - SOQL optimisation, LWC rendering, batch architecture, and the org-wide settings that silently kill performance.
From Org-Based to Package-Based Development: A Practical Migration Guide
Package-based development is the future of Salesforce development - but migrating from an org-based model is non-trivial. Here's a realistic path through it.
Zero-Trust Architecture in Salesforce Org Design
Applying zero-trust principles to Salesforce - never trust, always verify - from network access to data visibility to API integration.
Commerce Cloud B2B and B2C: Architecture Decisions for Hybrid Commerce
Key architectural decisions when running B2B and B2C commerce on Salesforce - shared infrastructure, divergent checkout flows, pricing models, and the account hierarchy patterns that make or break B2B.
DevSecOps in the Salesforce Ecosystem
Security can't be a final gate before production. Here's how to integrate it into every phase of the Salesforce development lifecycle without killing developer velocity.
The Apex Security Code Review Checklist
A practical checklist for security-focused Apex code reviews - the items that automated scanners miss and that matter most in production.
Salesforce Release Management at Scale: Patterns and Practices
What breaks when you scale Salesforce release management to large cross-functional teams - and the processes, tools, and habits that fix it.