Kern 1.1.0-11

[1.1.0-11] — 2026-06-15

Subscriber package version id: 04tfj000000KesXAAS

First release of the Kern 1.1 line. Headlines: the Data Masking Advisor (a console to review, test, and deploy masking coverage), stronger payment-card masking via the new Mask Payment Card Numbers rule (it takes over from the original credit-card rule on framework objects automatically — see the upgrade notes), Change Data Capture and post-trigger actions in the trigger framework, a hardened Streaming Event Monitor, typed date functions in the query builder, Summer '26 (API 67.0) platform support, and a hosted documentation site. For the full capability tour with upgrade notes, see Release Notes — Kern 1.1.

Release notes

Full subscriber-facing release notes: Release Notes — Kern 1.1

Install

Subscriber package version: 04tfj000000KesXAAS

See Installation.md for prerequisites + scratch-org guidance.

KernDX Pipeline v0.3.0

[v0.3.0] — 2026-06-15

Distribution: KernDX-1.1.0-11-pipeline.zip. Ships alongside the framework as pipeline-v0.3.0 against framework release v1.1.0-11.

This release adds committed-secret scanning, surfaces every security-bypass call site for review, and teaches doctor to catch silent PMD-for-Apex version drift.

Added

• secret-scan — committed-credential detection, wired as a CI gate. A new kerndx secret-scan command scans changed files for credentials that should never reach a repository, with patterns tuned for Salesforce: SFDX auth URLs (force://…), session/access tokens and OAuth refresh tokens, connected-app consumer secrets, Salesforce credential environment variables assigned a literal value, PEM private keys, and prefixed cloud keys (AWS, GitHub, Slack, Google). Detection is tiered: unambiguous credential shapes fail the PR's Secret Scan status check, while keyword-anchored assignments, JWTs, and generic credential literals are reported as advisories that flag a likely leak without blocking CI. It is deliberately quiet on look-alikes — bare org and record IDs, 18-character API names, UUIDs, hashes, and ${{ secrets.X }} templating are never flagged. kerndx init scaffolds the Secret Scan workflow, and preflight runs the same scan locally (advisory) before every push. Pairs with — does not replace — your Git host's native push protection.
• KernSecurityBypassCallSite PMD rule (informational) — inventories every security-bypass call site (withSystemMode, bypassSharing, withoutSecurity, validation- and trigger-action bypasses) so a pull request that introduces a new bypass surfaces during review. Acknowledge expected call sites with @SuppressWarnings('PMD.KernSecurityBypassCallSite') or an inline // NOPMD comment stating the reason.

Changed

• preflight now also runs secret-scan — the pre-push sequence is scan + secret-scan + naming (previously scan + naming).
• doctor catches PMD-for-Apex version drift. doctor --verbose now surfaces the PMD Apex module version bundled inside Salesforce Code Analyzer — previously undetectable — and doctor warns when that bundled version moves past the version this pipeline has validated against, so a silent Code Analyzer upgrade can't change how your scans behave without telling you.

Install

unzip KernDX-1.1.0-11-pipeline.zip -d .kerndx-pipeline
(cd .kerndx-pipeline/pipeline && npm ci --omit=dev)
./.kerndx-pipeline/bin/kerndx init

See pipeline/INSTALL-PIPELINE.md in the bundle for the full guide (SHA verification, ESLint wire-up, upgrade flow).

Kern 1.0.0-121

[1.0.0-121] — 2026-05-22 (first public release)

Subscriber package version id: 04tfj000000JN0vAAG

Initial publicly-tagged release. Every framework module, every Strategic Guide, every Fast Start, the full API reference, and the pipeline distribution flavor ship at this version. For a capability-by-capability tour of what's in v1.0, see Release Notes — Kern 1.0.

Install

Subscriber package version: 04tfj000000JN0vAAG

See docs/Installation.md for prerequisites + scratch-org guidance.