Security — SF-Intel Studio

Overview

SF-Intel Studio runs entirely inside your browser. It connects directly to your Salesforce org using your existing authenticated session — there is no intermediary server, no cloud backend, and no data pipeline between your browser and a third party.

The extension does not collect telemetry, usage analytics, or error reports. It does not store your Salesforce password. It does not load remote scripts at runtime.

Data Handling

Session credentials

When you open the IDE on a Salesforce page, the extension reads the sid cookie from your active session. This token is used in-memory to authenticate API calls directly to Salesforce. It is never written to disk or transmitted to any other destination.

Source code and metadata

Apex classes, triggers, LWC, and Aura components are fetched on demand and held in memory. Modified code is sent back to Salesforce only when you explicitly deploy.

Record data

Query results from the SOQL Runner are displayed in the UI and discarded on close. Exported files are saved locally through Chrome's downloads API.

Saved queries

Saved SOQL queries are stored in your browser's localStorage. This data stays on your machine.

Network Activity

The extension communicates exclusively with Salesforce. Chrome's host permissions restrict it to these domains:

*.salesforce.com
*.force.com
*.visualforce.com
*.salesforce-setup.com

No other network requests are made.

Permissions

Permission	Purpose
`activeTab`	Detect whether the current page is a Salesforce org.
`tabs`	Open the IDE window and refresh preview tabs.
`cookies`	Read the session cookie to authenticate API requests.
`downloads`	Save exported data and metadata packages.

Content script

A minimal content script runs on Salesforce pages. In this release it performs no DOM manipulation and collects no data.

Dependencies

All dependencies are bundled in the extension package. Nothing is loaded from a CDN at runtime.

Library	Purpose
Monaco Editor	Code editor
React	UI rendering

Risk Assessment

Area	Assessment
Data exfiltration	Low — traffic restricted to Salesforce domains.
Privilege scope	Medium — inherits the logged-in user's permissions.
Supply chain	Low — standard bundled dependencies, no remote code execution.

Enterprise Deployment

No server infrastructure, local binaries, or elevated privileges required. Operates over HTTPS to Salesforce domains only.