LINEPDF SECURITY ONE-PAGER · 2026-06
What this package can and cannot do.
This is the document to have open when you install. It's written for the admin who has to say yes, and for the security reviewer behind them. Print it, file it, forward it to your CISO.
01 Architecture: native Apex, nothing else
LinePDF is a 2GP managed package containing Apex classes, three custom objects, and one Visualforce render page. Document generation runs entirely on the Salesforce platform, in your org, under the running user's session. There is no middleware, no rendering farm, no ShareCo-hosted anything in the data path. The architecture isn't “secured”; it's shaped so the dangerous paths don't exist.
02 Zero callouts, zero OAuth, zero connected apps
These are verifiable claims, not marketing. Search the package source for HttpRequest: zero occurrences. Check Setup → Connected Apps after install: nothing added. Check OAuth policies: no scopes requested, because there is no app to request them. After the 2025 Drift incident exfiltrated 700+ orgs through one third-party OAuth integration, we think this is the only acceptable design for software that touches your financial documents.
03 What it can access
- + Read the parent record and child line records named by the template (e.g. Quote and QuoteLineItems), under the running user's permissions
- + Read its own objects: templates, themes, and generation logs
- + Write one thing: the generated PDF, as a ContentVersion (a file) linked to the source record
- + Run as an invocable from Flow, Apex REST within your org, or an Agentforce action
04 What it cannot access or do
- × Make any external callout. There is no HTTP request in the codebase; the package manifest declares no remote site settings and no named credentials
- × Request or hold OAuth tokens. No connected app exists; there is nothing to grant and nothing to leak
- × See data the running user can't. Rendering enforces CRUD and FLS via Security.stripInaccessible; with-sharing classes respect record access
- × Phone home. No telemetry, no license-check callout, no usage beacon. ShareCo cannot tell when you generate a document, and that's the point
- × Execute script. Template HTML is sanitized against an allowlist; script, iframe, object, and event-handler attributes are stripped before render
05 Template sanitization
Templates are user-editable HTML, which is a real attack surface, so we treat it like one. Before any render, the template body passes through an allowlist sanitizer: only layout and text tags survive; script, iframe, embedded objects, and on* event attributes are stripped, not escaped, stripped. Merge fields resolve through the field map declared on the template, never by evaluating arbitrary expressions, and every resolved value is encoded for the output context. A template can make an ugly document. It cannot run code.
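The sanitize-then-merge flow described above, as an added illustration in Python using the standard library's HTML parser. This is not LinePDF's code (the package is Apex); the tag allowlist, the attribute allowlist and the {{Name}} merge syntax are assumptions made for the example.

```python
import re
from html import escape
from html.parser import HTMLParser
# Constructed allowlist for illustration; LinePDF's actual tag list is not published on this page.
ALLOWED_TAGS = {"h1", "h2", "h3", "p", "div", "span", "b", "i", "strong", "em", "br", "hr",
                "table", "thead", "tbody", "tr", "th", "td", "ul", "ol", "li"}
ALLOWED_ATTRS = {"class", "colspan", "rowspan"}           # never style/href, never on*
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
MERGE_FIELD = re.compile(r"\{\{\s*(\w+)\s*\}\}")          # assumed merge syntax: {{Name}}

class AllowlistSanitizer(HTMLParser):
    # Disallowed tags are stripped, not escaped; script/iframe/object lose their content too.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self._drop_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._drop_depth += 1                          # swallow until the matching close tag
        elif not self._drop_depth and tag in ALLOWED_TAGS:
            kept = [(k, v or "") for k, v in attrs if k in ALLOWED_ATTRS]
            self.out.append(f"<{tag}" + "".join(f' {k}="{escape(v, quote=True)}"' for k, v in kept) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._drop_depth = max(0, self._drop_depth - 1)
        elif not self._drop_depth and tag in ALLOWED_TAGS and tag not in {"br", "hr"}:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):                           # text of stripped tags still flows through here
        if not self._drop_depth:
            self.out.append(escape(data, quote=False))     # re-encoded for the HTML context

def sanitize(template_html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(template_html)
    parser.close()
    return "".join(parser.out)

def render(template_html: str, field_map: dict, record: dict) -> str:
    # Sanitize first, then resolve merge fields only through the template's declared field map.
    def resolve(match):
        api_name = field_map.get(match.group(1))            # unmapped names resolve to nothing
        value = record.get(api_name, "") if api_name else ""
        return escape(str(value), quote=True)              # encoded for the output context
    return MERGE_FIELD.sub(resolve, sanitize(template_html))
# Constructed sample: a hostile template plus a record holding a field the template did not declare.
TEMPLATE = ('<h1 onclick="steal()">Quote {{QuoteNumber}}</h1><script>alert(1)</script>'
            '<p>Total: {{GrandTotal}} <iframe>x</iframe></p><img src=x onerror=go()><span>{{Secret__c}}</span>')
FIELD_MAP = {"QuoteNumber": "Name", "GrandTotal": "GrandTotal"}
RECORD = {"Name": "Q-0001 <b>", "GrandTotal": "1,234.56", "Secret__c": "unmapped"}
```

Calling `render(TEMPLATE, FIELD_MAP, RECORD)` yields a document with the handler, script, iframe and img gone, the record value HTML-encoded, and the undeclared `Secret__c` merge left empty.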
06 Install footprint
The complete inventory of what installation adds to your org. Nothing here is a trigger on your standard objects; nothing modifies existing automation.
| TYPE | NAME | PURPOSE |
|---|---|---|
| Object | LinePDF_Template__c | Template body (plain HTML + merge syntax), object binding, column spec |
| Object | LinePDF_Theme__c | Brand tokens: logo file reference, colors, fonts, footer text |
| Object | LinePDF_Generation_Log__c | In-org audit trail: who generated what, when, from which record |
| Apex | LinePdfRenderController | Visualforce controller for the render page |
| Apex | LineTableEngine | The line-item math: per-line tax, discount, grouping, totals (integer cents) |
| Apex | LinePdfTemplateSanitizer | HTML allowlist enforcement before any render |
| Apex | LinePdfFlowAction | Flow invocable entry point |
| Apex | LinePdfRestService | Apex REST endpoint (/services/apexrest/linepdf/v1/render) |
| Apex | LinePdfAgentAction | Agentforce-registered invocable |
| VF Page | LinePDF_Render | The renderAs="pdf" page the engine drives |
| Permission Set | LinePDF_User / LinePDF_Admin | Generate documents / manage templates and themes |
07 About the install warning
Until a package clears Salesforce's AppExchange security review, every direct-URL install shows an “unauthorized package” warning. Ours currently does. The package is in security review for the AppExchange listing now (the queue runs weeks, with a resubmission cycle roughly half of all packages go through, and we will not promise you a date we don't control). What we recommend until it clears: install into your sandbox first, with this document open, and promote to production only after your own inspection. A warning you can verify against the source line-by-line is a footnote. We'd be suspicious of any vendor who waved it away.
Questions a reviewer would ask, answered by the founder directly: hello@shareco.ca. ShareCo Development Inc., a Canadian corporation.