All Articles
Salesforce March 11, 2026

Sprinting to Success: Building a Secure Non-profit MVP in Two Days

Sprinting to Success: Building a Secure Non-profit MVP in Two Days

TL;DR: Maximising Community Sprint Impact

  • The Sprint Challenge: Delivering a secure, fully documented Salesforce MVP for non-profits during the two-day SFDO Community Sprint (Feb 23-24, 2026).
  • Agentic Supercharging: Leveraging agentic assisted coding to compress months of development into the 48-hour window of a volunteer sprint event.
  • Maximising Volunteer Value: Because AI handled the boilerplate, our sprint team could dedicate our limited time to high-value architecture, security decisions, and visual documentation.
  • Open Source Excellence: Speed didn’t compromise quality; we delivered a well tested, working solution - complete with design specs, user guides, and DevX tooling.

At the recent Salesforce Non Profit Community Sprint on February 23-24, 2026, we faced a familiar challenge: how do you deliver a truly impactful, secure, and maintainable solution in just two days of volunteer time?

Traditionally, community sprints are incredible for ideation and prototyping, but turning those ideas into a production-ready Minimum Viable Product (MVP) often takes months of post-sprint follow-up. This year, we changed the playbook.

By leveraging agentic assisted coding, our sprint team super-fast-tracked the AU Credential Check project - a Salesforce-native system for volunteer compliance (Police Checks, Working with Children Checks). We moved from a blank repository at the kickoff to a fully working, secure, and documented open-source solution by the closing presentation.

This wasn’t just a prototype; it was a demonstration of a 10x efficiency shift in how we build for the non-profit sector.

The Sprint Paradigm: From Planning to Proving

In a traditional development cycle, teams spend weeks in requirements gathering to avoid the high cost of building the wrong thing. In a community sprint, time is your most scarce resource. You can’t afford analysis paralysis.

Agentic assisted coding fundamentally changes the economics of volunteer innovation. When you can materialise a concept into a secure, working artifact in a matter of hours, you can afford to “build to show.” Instead of spending our entire two days debating abstract requirements, our team built the solution and used the working artifact as the basis for rapid refinement. We failed fast, learned instantly, and scaled successful solutions in real-time.

The Commodity of Code: Where Sprint Volunteers Add Value

When AI can synthesise boilerplate, complex logic, and unit tests in seconds, code becomes a commodity. In the context of a community sprint, this is a massive advantage. It means the highly skilled Salesforce professionals in the room don’t need to waste time writing basic loops. Instead, our collective value shifted to orchestration:

  • Solutioning & Architecture: Designing systems that remain secure and sustainable for resource-strapped non-profits.
  • High-Stakes Decision Making: Choosing patterns that prevent future technical debt.
  • Strategic Guidance: Ensuring the MVP isn’t a technical dead end but a foundation for the Open Source Commons roadmap.

From Blueprint to Build: Evidence of Quality

To ensure this project was genuinely useful to the community, we built with all artifacts in mind. We didn’t want to hand over a “hacky” codebase; we wanted to provide a gold standard.

1. Visualizing the Process Flow

Before writing a single line of Apex, we mapped out the data journey. Visual documentation allowed the sprint stakeholders to approve the logic before it was codified.

Artifact (docs/architecture.md):

graph TD
    A[Admin: Create Credential Request] --> B[Flow: Generate UUID Token]
    B --> C[Email Link to Volunteer]
    C --> D[Volunteer: Submit Form + File]
    D --> E[Credential Request: Status = Pending Review]
    E --> F{Admin: Review & Approve?}
    F -- Yes --> G[Flow: Promote Data to Credential Record]
    F -- No --> H[Status: Rejected]
    G --> I[Credential: Status = Active]

2. The Architecture Decision Record (ADR)

We didn’t iterate blindly. We documented our design choices during the sprint to ensure alignment and security. For example, we strategically chose GUID tokens over record IDs to eliminate IDOR vulnerabilities.

Artifact (docs/decisions/use-guid-token-for-access-control.md):

# Decision: Use GUID Token for Submission Link Access Control

## Context: Volunteers receive unique URLs. Predictable IDs would create security risks.

## Decision: Option B - Use cryptographically random GUIDs. Brute-force enumeration is computationally infeasible.

3. Secure Security Logic (Apex)

We used agentic tools to generate the “how” while our sprint team focused on the “what” and “why.” To generate cryptographic randomness for our access tokens, we built a lean, bulk-safe utility.

Artifact (force-app/main/default/classes/GenerateUUID.cls):

public with sharing class GenerateUUID {
    @InvocableMethod(label='Generate UUID')
    public static List<Result> generate(List<String> input) {
        List<Result> results = new List<Result>();
        for (String s : input) {
            Blob randomBytes = Crypto.generateAesKey(128); // 128-bit randomness
            String hex = EncodingUtil.convertToHex(randomBytes);
            // Formatted as standard UUID...
        }
        return results;
    }
}

4. The Power of the Pivot (Screen Flow to LWC)

The true power of AI assistance is the ability to change directions without losing momentum. During the build, we initially attempted to use a declarative Screen Flow for the volunteer document upload UI. When we hit a technical roadblock, what would normally be a sprint-derailing setback became a minor detour. Using agentic AI, we instantly pivoted to build a fully custom Lightning Web Component (LWC) in record time.

We deliberately left the original Screen Flow in the repository - serving as a foundation for future iterations if a non-profit explicitly requires a low-code configuration option.

Developer Experience (DevX) as a Standard

To ensure the project is easily maintainable by future Open Source Commons contributors, we included professional tooling - Prettier, ESLint, and Husky pre-commit hooks - as part of the sprint deliverable. We also provided a fully working project-scratch-def.json.

In open-source Salesforce projects, the “works on my org” problem is a massive barrier to entry. By explicitly defining the required features, limits, and metadata settings in this configuration file, we made the solution instantly reproducible. Any volunteer can fork the repository, run a single command, and spin up an identical, fully configured Scratch Org in minutes - eliminating manual setup steps and accelerating their time to first commit.

The Outcome: High-Velocity Delivery

By the end of the two-day sprint, we delivered a fully working solution featuring:

  • Staging Object Architecture: A “Review Gate” ensuring unverified volunteer data remains isolated until admin approval.
  • Dual Intake Layer: A high-performance Lightning Web Component (LWC) born from our mid-sprint pivot, alongside our initial Screen Flow, preserved for future low-code iterations.
  • Automated Status Promotion: A record-triggered flow that copies verified data to authoritative records only after admin sign-off.
  • Zero-Permission Guest Access: An architecture that removes all object permissions from the Guest User Profile, relying exclusively on System Mode execution to prevent data leakage on the public-facing Experience Cloud site.
  • Cryptographic Access Tokens: 128-bit AES-generated GUID tokens that replace predictable Salesforce Record IDs in submission URLs, completely eliminating IDOR vulnerabilities.
  • Time-Bound Access Controls: Enforced link expiry logic that naturally invalidates volunteer upload URLs after a securely defined time window.

Looking Ahead: The Roadmap

By establishing a clean, scalable architecture during the sprint, the foundation is now primed for sophisticated features in future iterations:

  • AI Verification: Layering Agentforce to extract data from uploaded documents automatically.
  • Agency API Integration: Verifying credentials at the source for zero-trust compliance.

Conclusion: Giving Back at Scale

The AU Credential Check project is now completely open source under the BSD 3-Clause License as part of the SFDO Community Sprints program. We have demonstrated that a secure, documented, and fully working solution is possible in just 48 hours when you combine community collaboration with agentic tools.

Stop planning for months. Start building together.

Explore the repository on GitHub: SFDO-Community-Sprints/au-credential-check

If you have a similar credentials check need, want to leverage this solution, add more features, or just want to see first hand how fast we can sprint together, contact me to talk.

Share this article

Twitter LinkedIn Email

Continue Reading

Packaging External Client Apps in 2GP: A Complete How-To Guide
Mar 25, 2026

Packaging External Client Apps in 2GP: A Complete How-To Guide

Why Flow is Dead: Agentic AI is Ending the 'Clicks Not Code' era
Mar 14, 2026

Why Flow is Dead: Agentic AI is Ending the 'Clicks Not Code' era

Salesforce Email: Mandatory Domain Verification
Mar 8, 2026

Salesforce Email: Mandatory Domain Verification