Changelog

All notable changes to SFHound are documented here. Format follows Keep a Changelog.

[Unreleased]

Collector

JWT Bearer OAuth authentication via Salesforce Connected App
config.yaml and full command-line override support
Extraction of Users, Profiles, Permission Sets, Permission Set Groups
Extraction of Role Hierarchy (roles and InheritsRole edges)
Extraction of Public Groups and Queues with nested membership resolution
Extraction of Object Permissions (CRUD, ViewAll, ModifyAll) per Profile/PermissionSet
Extraction of Field-Level Security (IsVisible, ReadOnly) per Profile/PermissionSet
Extraction of Connected Apps with CanAuthorize edge resolution
OWD (InternalSharingModel, ExternalSharingModel) capture on all SObjects
Aggregate PermissionSet placeholder hydration for 0PSG… IDs
BloodHound OpenGraph v2 output with full schema validation
Auto-ingest to BloodHound CE (upload, poll, status reporting)
Custom icon registration script (examples/post_custom_icons.py)

Graph model

11 node types with coloured icons
40+ typed edge types
Full edge context properties: General, AbuseInfo, RemediationInfo, OPSEC, References
MITRE ATT&CK mappings on all named system permission edges

Documentation

Collector setup guide (Connected App creation, JWT cert generation, minimum permissions)
Schema reference (all nodes, edges, properties)
Custom Cypher query library
Tier Zero Cypher rules for BloodHound CE
Design decisions document

System permissions modelled as typed edges to SFOrganization (not node properties)
CanOwnObject edges resolved via shared sobject_lookup (no dangling edges to virtual nodes)
Aggregate PermSet nodes materialised as minimal placeholder nodes post-extraction

See CONTRIBUTING for guidelines on submitting issues and pull requests.