← All stories

BRANCH · ef-092-salesforce-connection

Salesforce connection

EF-092Persona: OrganizerRoots in: event-setupMatrix: Partial

Organizer connects a Salesforce sandbox org through OAuth2, sees persisted connection state, and can recover when credentials expire or are revoked. The matrix marks this partial because sandbox credentials and customer round-trip proof are incomplete. Tier-3 tightening: Salesforce authorization now references ui-oauth-connection-card for the OAuth connection UX.

Happy path

  1. Open Integrations from Event Setup and choose Salesforce.

    The connection panel shows the disconnected state and a primary Connect Salesforce CTA.

  2. Complete OAuth2 consent against the sandbox org.

    The callback persists the connection, masks secrets, and returns to the setup hub.

  3. Verify status.

    A ui-status-pill moves through syncing to connected and shows last verified time.

Failure modes

Expired token refresh

Expired Salesforce access token silently refreshes, the original status request retries once, and the connection remains connected.

Rate limit backoff

Salesforce 429 responses use exponential backoff with jitter and do not multiply delays across independent syncs.

OAuth callback replay

Repeated callback delivery with the same state/code cannot create duplicate connection rows.

Schema drift

Unknown org fields are ignored and missing optional fields default in the connection summary.

Missing credential

Missing client credentials render a friendly setup-required panel with re-auth CTA and no stack trace.

Sandbox isolation

Sandbox credentials cannot load production org data and fixture mode is enforced.

Audit per sync

Every connection status check writes one audit row with Salesforce transaction id, status, and row counts.

Partial import rollback

Connection verification that fails mid-probe rolls back transient connection state or shows per-step outcomes.

Revoked token reconnect

Revoked refresh token changes the status pill to disconnected and offers reconnect without losing mapping drafts.

State mismatch

OAuth state mismatch rejects the callback and keeps the existing connection unchanged.

Duplicate org connect

Connecting the same org updates the existing row rather than creating duplicate active connections.

Parity gap

A visible gap panel remains until sandbox credentials and customer round-trip proof are configured.

Stable test attributes

Visibility teeth. Active attributes must be visible to the agent probes and not hidden behind transient hover-only UI.

data-testWherePurpose
salesforce-connection-panelintegration settingsconnection surface
salesforce-connect-ctaintegration settingsOAuth start
salesforce-status-pillintegration settingsconnected/syncing/disconnected state
salesforce-reauth-ctaerror panelcredential recovery
salesforce-gap-panelintegration settingspartial capability marker
salesforce-audit-log-rowaudit drawersync audit evidence

Agent test plan

- salesforce-connection-opens
- salesforce-oauth-callback-persists
- oauth-refresh-on-expired-token
- rate-limit-backoff
- webhook-replay-idempotent
- schema-drift-degrades-gracefully
- missing-credential-graceful-error
- sandbox-vs-prod-isolation
- audit-log-row-per-sync
- partial-import-rollback
- revoked-token-reconnect
- oauth-state-mismatch
- duplicate-org-upsert
- salesforce-connection-gap-probe