fix: resolve all markdownlint errors across skills and reference files

Auto-fix bare URLs, blanks around fences/lists/tables/headings in
skills and _reference markdown files. Rebuild Cursor adapters.

Author: jiten-singh-shahi

.cursor/agents/deep-researcher.md

@@ -127,6 +127,7 @@ Salesforce releases 3x/year: Spring (Feb), Summer (Jun), Winter (Oct).
 ## Escalation
 
 Stop and ask the human before:
+
 - Writing research reports to files the user did not explicitly request
 - Making conclusions or recommendations when fewer than 3 independent sources support them
 - Presenting pilot/beta features as production-ready without a clear caveat

.cursor/agents/doc-updater.md

@@ -117,6 +117,7 @@ docs/
 ## Escalation
 
 Stop and ask the human before:
+
 - Overwriting any section not marked `<!-- AUTO-GENERATED -->`
 - Deleting entire documentation sections
 - Modifying CLAUDE.md or any harness configuration file

.cursor/agents/refactor-cleaner.md

@@ -28,6 +28,7 @@ sf scanner run --target force-app --format json --engine eslint-lwc
 ```
 
 For reference lookups:
+
 ```bash
 grep -rn "ClassName" force-app/ --include="*.cls" --include="*.trigger" \
   --include="*.flow-meta.xml" --include="*.js" --include="*.html" -l
@@ -102,6 +103,7 @@ After each batch:
 ## Escalation
 
 Stop and ask the human before:
+
 - Deleting any item classified as RISKY tier
 - Removing code that is referenced by external packages or integrations even if locally unreferenced
 - When PMD/sfdx-scanner results are ambiguous (e.g., flagged as unused but invoked via metadata string)

.cursor/agents/sf-admin.md

@@ -23,12 +23,15 @@ Do NOT use this agent for Apex class review, LWC component review, or SOQL query
 ## Analysis Process
 
 ### Step 1 — Discover
+
 Read all relevant org configuration files using Glob and Read. Inventory permission sets, profiles, sharing rules, flows, approval processes, custom metadata, formula fields, validation rules, and Experience Cloud metadata before analysing anything.
 
 ### Step 2 — Analyse Access Model
+
 Apply the sf-security skill to each permission set and profile. Check for overprivileged permissions (Modify All Data, View All Data), FLS violations on sensitive fields, OWD misconfigurations, guest user security gaps, and duplicate or conflicting declarative automation across flows, process builders, and workflow rules.
 
 ### Step 3 — Report Findings
+
 Produce findings using the Severity Matrix below. Flag CRITICAL security exposures first (guest user over-access, Modify All Data on non-admin profiles), then HIGH operational risks, then MEDIUM technical debt. Include specific file references and recommended remediation for each finding.
 
 ## Severity Matrix
@@ -47,12 +50,14 @@ Produce findings using the Severity Matrix below. Flag CRITICAL security exposur
 Use minimal profiles for login/layout only; all feature access via Permission Sets and Permission Set Groups. Muting Permission Sets subtract conflicting access within groups. See skill `sf-security` for detailed CRUD matrix patterns, FLS enforcement, system permissions reference, and Apex `PermissionSetAssignment` patterns.
 
 **Key audit flags:**
+
 - CRITICAL: Modify All Data or View All Data on non-admin Permission Sets
 - CRITICAL: Sensitive fields (SSN, salary, PCI data) visible to wrong personas
 - HIGH: Permission Set Group missing muting PS for conflicting permissions
 - MEDIUM: Bloated profiles with object/field permissions instead of Permission Sets
 
 **Audit commands:**
+
 ```bash
 grep -rn "PermissionsModifyAllData" force-app/main/default/permissionsets/ --include="*.permissionset-meta.xml" -l
 grep -rn "PermissionsViewAllData" force-app/main/default/profiles/ --include="*.profile-meta.xml" -l
@@ -65,6 +70,7 @@ grep -rn "PermissionsViewAllData" force-app/main/default/profiles/ --include="*.
 Each approval process needs entry criteria, initial/final approve/reject actions, email alerts, and recall actions. For Apex programmatic submission (`Approval.ProcessSubmitRequest`, `Approval.ProcessWorkitemRequest`, `Approval.isLocked`) and multi-step parallel approval patterns, see skill `sf-security`.
 
 **Common issues:**
+
 - CRITICAL: No rejection actions — record stays locked with no forward path
 - HIGH: No recall actions — submitters cannot retract submissions
 - MEDIUM: Hardcoded approver user IDs instead of hierarchy or related user fields
@@ -84,6 +90,7 @@ Use Custom Metadata Types for all new deployable configuration (feature flags, t
 **Validation rules:** Use `$Permission.Bypass_Validation` Custom Permissions for bypass (never `$Profile.Name` — breaks on profile renames). Always include user-friendly error messages. Deploy dependent fields and picklist values before the rule.
 
 **Common patterns:**
+
 - Email format: `NOT(REGEX(Email__c, '^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$'))`
 - Stage-required fields: `ISPICKVAL(StageName, 'Closed Won') && ISBLANK(Amount)`
 
@@ -94,6 +101,7 @@ Use Custom Metadata Types for all new deployable configuration (feature flags, t
 Guest users represent the highest security risk — every permission granted is publicly accessible. See skill `sf-security` for guest user XML examples, external user sharing model details, and LWC guest-context handling patterns.
 
 **Guest user security checklist (CRITICAL):**
+
 - [ ] Guest user profile has NO CRUD on standard objects
 - [ ] No View All / Modify All on any object for guest user
 - [ ] OWD for sensitive objects is Private
@@ -116,6 +124,7 @@ Choose report types: Tabular (list), Summary (grouped), Matrix (cross-tabulated)
 **First step: inventory all automation.** Duplicate automation across Flows, Process Builders, Workflow Rules, and triggers is the most common cause of unexpected behavior and governor limit issues.
 
 **Inventory commands:**
+
 ```bash
 find force-app/main/default/flows/ -name "*.flow-meta.xml" 2>/dev/null | wc -l
 grep -rli "processType.*Workflow" force-app/main/default/flows/ 2>/dev/null | wc -l

.cursor/agents/sf-agentforce-builder.md

@@ -38,13 +38,15 @@ Agent → Topics → Reasoning Engine (Atlas ReAct/CoT)
 ### Step 1: Scope the Agent
 
 Determine:
+
 - What user jobs-to-be-done will this agent handle?
 - Which are natural language tasks (Agentforce) vs. deterministic tasks (Apex/Flow)?
 - What data does the agent need access to?
 
 ### Step 2: Design Topics
 
 One topic per job-to-be-done. Each topic needs:
+
 - Label and API Name
 - Classification Description (used by LLM to route requests)
 - Instructions (rules and guardrails)
@@ -53,6 +55,7 @@ One topic per job-to-be-done. Each topic needs:
 ### Step 3: Build Custom Apex Actions
 
 For each action:
+
 - Class: `public with sharing`, implements `@InvocableMethod`
 - Input class with `@InvocableVariable` fields (descriptive labels and descriptions)
 - Output class always includes `success` (Boolean) and `errorMessage` (String)
@@ -62,6 +65,7 @@ For each action:
 ### Step 4: Write Tests
 
 Test invocable actions in isolation:
+
 - Happy path with valid input
 - Not-found / empty result path
 - Invalid input / guard clause path
@@ -80,6 +84,7 @@ sf agent test results --job-id <jobId> --target-org MySandbox --result-format hu
 ### Step 6: Test Conversations
 
 Test these categories:
+
 1. In-scope, happy path
 2. In-scope, ambiguous (agent should ask clarifying questions)
 3. Out-of-scope (agent should gracefully decline)
@@ -112,12 +117,14 @@ Add these to every topic:
 ## Agent Architecture Decision
 
 **Use Agentforce when:**
+
 - Use case requires natural language understanding of user intent
 - Actions are bounded and definable upfront
 - Users want conversational interaction over form-based UI
 - AI-generated text (emails, summaries, recommendations) is the output
 
 **Use standard Apex/LWC when:**
+
 - Workflow is deterministic and rule-based
 - Complex multi-step transactions with strict validation
 - Real-time response is critical (AI adds latency)
@@ -135,6 +142,7 @@ Add these to every topic:
 ## Escalation
 
 Stop and ask the human before:
+
 - Deploying or activating agents to any org (sandbox or production)
 - Modifying existing production agent configurations or topic instructions
 - When a custom action Apex class has untested code paths that handle DML or callouts

.cursor/agents/sf-apex-reviewer.md

@@ -23,12 +23,15 @@ Do NOT use this agent for LWC component review — use `sf-lwc-reviewer`. Do NOT
 ## Analysis Process
 
 ### Step 1 — Discover
+
 Read all Apex files in scope using Glob (`**/*.cls`, `**/*.trigger`) and Read. Build a complete inventory of classes, triggers, and test classes before analysing. Note which classes have corresponding test files and flag any missing coverage upfront.
 
 ### Step 2 — Analyse Against Constraints
+
 Apply the sf-apex-constraints and sf-testing-constraints skills to each file. Check every class for SOQL/DML in loops, missing `with sharing`, SOQL injection vectors, null dereference risks, and FLS enforcement. Check every trigger for the one-trigger-per-object pattern and handler delegation. Check every test class for bulk coverage (200 records), negative cases, `Test.startTest()/stopTest()`, and absence of `SeeAllData=true`.
 
 ### Step 3 — Report With Scanner Integration
+
 Produce findings using the Severity Matrix below. Where `sf scanner` (Salesforce Code Analyzer) is available, correlate PMD findings with your manual analysis. Flag CRITICAL violations (SOQL in loop, DML in loop, SOQL injection, missing sharing) first, then HIGH, MEDIUM, LOW. Include file paths, line numbers where known, and specific remediation examples.
 
 ## Severity Matrix
@@ -177,6 +180,7 @@ public with sharing class AccountCreator {
 Enforces both CRUD and FLS in a single clause. This is the modern standard.
 
 **Choose the right approach:**
+
 - `WITH USER_MODE` — **fail-fast**: throws exception if user lacks any field permission. Use when you want to block the operation entirely.
 - `Security.stripInaccessible()` — **graceful degradation**: silently removes inaccessible fields from results. Use when you want to return partial data rather than error.
 

.cursor/agents/sf-architect.md

@@ -113,6 +113,7 @@ See skill `sf-data-modeling` for CMDT design examples and Apex usage patterns.
 | Log/audit objects | Any object expecting millions of records |
 
 **Key LDV recommendations:**
+
 1. Add an indexed, unique `External_Id__c` field to every object receiving migrated data
 2. Plan an archiving strategy from day one (Big Objects, off-platform archive)
 3. Avoid roll-up summaries on LDV detail objects — recalculation is expensive; use nightly Batch aggregation instead

.cursor/agents/sf-aura-reviewer.md

@@ -24,12 +24,15 @@ Do NOT use this agent for LWC component review — use `sf-lwc-reviewer`. Do NOT
 ## Analysis Process
 
 ### Step 1 — Discover
+
 Read all Aura component bundles using Glob (`**/*.cmp`, `**/*Controller.js`, `**/*Helper.js`, `**/*.evt`) and Read. Build a complete inventory of component files, event registrations, and backing Apex controllers before analysing. Flag any bundles missing required files (Controller, Helper) upfront.
 
 ### Step 2 — Analyse Architecture, Events, and Locker Compliance
+
 Apply the sf-aura-development skill to each bundle. Check component structure and interface implementations, event patterns (application vs component events, registration completeness), server-side action callbacks for SUCCESS/ERROR/INCOMPLETE handling, `$A.getCallback()` usage on all async code, Locker Service / Lightning Web Security compliance (no `document.querySelector`, no `eval()`), and storable action correctness. Assess migration readiness against the LWC feasibility matrix.
 
 ### Step 3 — Report Migration Readiness
+
 Produce findings using the Severity Matrix below. Flag CRITICAL security violations and Locker/LWS blockers first, then HIGH issues (missing INCOMPLETE handling, application event misuse), then MEDIUM and LOW. For each component, include a migration readiness verdict: Ready / Needs Work / Blocked, with specific blockers identified.
 
 ## Severity Matrix

.cursor/agents/sf-blueprint-planner.md

@@ -83,43 +83,50 @@ Surface the plan to the user and update memory.
 ## Salesforce Blueprint Checklists
 
 ### Object Model Layer
+
 - [ ] Custom objects and fields
 - [ ] Relationships (lookup vs. master-detail)
 - [ ] Record types, page layouts, validation rules
 - [ ] Field-level security and sharing rules
 
 ### Apex Layer
+
 - [ ] Service classes (business logic)
 - [ ] Selector classes (SOQL — FFLIB pattern)
 - [ ] Domain/trigger handler classes
 - [ ] Batch/Queueable/Schedulable classes
 - [ ] Test classes with TestDataFactory
 
 ### LWC Layer
+
 - [ ] Component hierarchy (parent/child)
 - [ ] Wire services and Apex method calls
 - [ ] Event architecture (CustomEvent, LMS)
 - [ ] Jest test files
 
 ### Security Layer
+
 - [ ] Permission sets and permission set groups
 - [ ] Sharing rules and OWD
 - [ ] CRUD/FLS enforcement (`WITH USER_MODE` vs. `stripInaccessible`)
 - [ ] Named credentials for callouts
 
 ### Integration Layer
+
 - [ ] External services and named credentials
 - [ ] Platform Events or CDC
 - [ ] REST/SOAP endpoints (if custom)
 
 ### Deployment Strategy
+
 - [ ] Metadata types in deployment
 - [ ] Order: data model → code → config
 - [ ] Destructive changes manifest
 - [ ] Test level (RunLocalTests vs. RunSpecifiedTests)
 - [ ] Rollback plan
 
 ### Verification Gates (per step)
+
 - [ ] All Apex tests pass
 - [ ] Coverage >= 75% (target: 85%)
 - [ ] No governor limit violations

.cursor/agents/sf-build-resolver.md

@@ -26,6 +26,7 @@ Do NOT use this agent for refactoring, performance optimization, or new feature
 Run `sf project deploy validate --json` to get all errors. Parse the JSON output and group by `componentType` (ApexClass, CustomField, Flow, etc.).
 
 Categorize errors in priority order:
+
 1. Compilation errors (block everything else)
 2. Metadata deployment errors
 3. Test failures
@@ -99,6 +100,7 @@ Success criteria: deploy validate exits 0, all local tests pass, code coverage s
 ## Escalation
 
 Stop and ask the human before:
+
 - Modifying any file outside the directly failing component (e.g., touching unrelated classes or triggers)
 - Running any actual deploy command (`sf project deploy start`) — validate-only is safe, deploy is not
 - The build error root cause is still unclear after 2 fix attempts — present findings and ask for direction