{"kind":"Skill","metadata":{"namespace":"community","name":"salesforce-component-standards","version":"0.1.0"},"spec":{"description":"Quality standards for Salesforce Lightning Web Components (LWC), Aura components, and Visualforce pages. Covers SLDS 2 compliance, accessibility (WCAG 2.1 AA), data access pattern selection, component communication rules, XSS prevention, CSRF enforcement, FLS/CRUD in AuraEnabled methods, view state management, and Jest test requirements. Use this skill when building or reviewing any Salesforce UI component to enforce platform-specific security and quality standards.","files":{"SKILL.md":"---\nname: salesforce-component-standards\ndescription: 'Quality standards for Salesforce Lightning Web Components (LWC), Aura components, and Visualforce pages. Covers SLDS 2 compliance, accessibility (WCAG 2.1 AA), data access pattern selection, component communication rules, XSS prevention, CSRF enforcement, FLS/CRUD in AuraEnabled methods, view state management, and Jest test requirements. Use this skill when building or reviewing any Salesforce UI component to enforce platform-specific security and quality standards.'\n---\n\n# Salesforce Component Quality Standards\n\nApply these checks to every LWC, Aura component, and Visualforce page you write or review.\n\n## Section 1 — LWC Quality Standards\n\n### 1.1 Data Access Pattern Selection\n\nChoose the right data access pattern before writing JavaScript controller code:\n\n| Use case | Pattern | Why |\n|---|---|---|\n| Read a single record reactively (follows navigation) | `@wire(getRecord, { recordId, fields })` | Lightning Data Service — cached, reactive |\n| Standard CRUD form for a single object | `\u003clightning-record-form\u003e` or `\u003clightning-record-edit-form\u003e` | Built-in FLS, CRUD, and accessibility |\n| Complex server query or filtered list | `@wire(apexMethodName, { param })` on a `cacheable=true` method | Allows caching; wire re-fires on param change |\n| User-triggered action, DML, or non-cacheable server call | Imperative `apexMethodName(params).then(...).catch(...)` | Required for DML — wired methods cannot be `@AuraEnabled` without `cacheable=true` |\n| Cross-component communication (no shared parent) | Lightning Message Service (LMS) | Decoupled, works across DOM boundaries |\n| Multi-object graph relationships | GraphQL `@wire(gql, { query, variables })` | Single round-trip for complex related data |\n\n### 1.2 Security Rules\n\n| Rule | Enforcement |\n|---|---|\n| No raw user data in `innerHTML` | Use `{expression}` binding in the template — the framework auto-escapes. Never use `this.template.querySelector('.el').innerHTML = userValue` |\n| Apex `@AuraEnabled` methods enforce CRUD/FLS | Use `WITH USER_MODE` in SOQL or explicit `Schema.sObjectType` checks |\n| No hardcoded org-specific IDs in component JavaScript | Query or pass as a prop — never embed record IDs in source |\n| `@api` properties from parent: validate before use | A parent can pass anything — validate type and range before using as a query parameter |\n\n### 1.3 SLDS 2 and Styling Standards\n\n- **Never** hardcode colours: `color: #FF3366` → use `color: var(--slds-c-button-brand-color-background)` or a semantic SLDS token.\n- **Never** override SLDS classes with `!important` — compose with custom CSS properties.\n- Use `\u003clightning-*\u003e` base components wherever they exist: `lightning-button`, `lightning-input`, `lightning-datatable`, `lightning-card`, etc.\n- Base components include built-in SLDS 2, dark mode, and accessibility — avoid reimplementing their behaviour.\n- If using custom CSS, test in both **light mode** and **dark mode** before declaring done.\n\n### 1.4 Accessibility Requirements (WCAG 2.1 AA)\n\nEvery LWC component must pass all of these before it is considered done:\n\n- [ ] All form inputs have `\u003clabel\u003e` or `aria-label` — never use placeholder as the only label\n- [ ] All icon-only buttons have `alternative-text` or `aria-label` describing the action\n- [ ] All interactive elements are reachable and operable by keyboard (Tab, Enter, Space, Escape)\n- [ ] Colour is not the only means of conveying status — pair with text, icon, or `aria-*` attributes\n- [ ] Error messages are associated with their input via `aria-describedby`\n- [ ] Focus management is correct in modals — focus moves into the modal on open and back on close\n\n### 1.5 Component Communication Rules\n\n| Direction | Mechanism |\n|---|---|\n| Parent → Child | `@api` property or calling a `@api` method |\n| Child → Parent | `CustomEvent` — `this.dispatchEvent(new CustomEvent('eventname', { detail: data }))` |\n| Sibling / unrelated components | Lightning Message Service (LMS) |\n| Never use | `document.querySelector`, `window.*`, or Pub/Sub libraries |\n\nFor Flow screen components:\n- Events that need to reach the Flow runtime must set `bubbles: true` and `composed: true`.\n- Expose `@api value` for two-way binding with the Flow variable.\n\n### 1.6 JavaScript Performance Rules\n\n- **No side effects in `connectedCallback`**: it runs on every DOM attach — avoid DML, heavy computation, or rendering state mutations here.\n- **Guard `renderedCallback`**: always use a boolean guard to prevent infinite render loops.\n- **Avoid reactive property traps**: setting a reactive property inside `renderedCallback` causes a re-render — use it only when necessary and guarded.\n- **Do not store large datasets in component state** — paginate or stream large results instead.\n\n### 1.7 Jest Test Requirements\n\nEvery component that handles user interaction or retrieves Apex data must have a Jest test:\n\n```javascript\n// Minimum test coverage expectations\nit('renders the component with correct title', async () =\u003e { ... });\nit('calls apex method and displays results', async () =\u003e { ... });  // Wire mock\nit('dispatches event when button is clicked', async () =\u003e { ... });\nit('shows error state when apex call fails', async () =\u003e { ... }); // Error path\n```\n\nUse `@salesforce/sfdx-lwc-jest` mocking utilities:\n- `wire` adapter mocking: `setImmediate` + `emit({ data, error })`\n- Apex method mocking: `jest.mock('@salesforce/apex/MyClass.myMethod', ...)`\n\n---\n\n## Section 2 — Aura Component Standards\n\n### 2.1 When to Use Aura vs LWC\n\n- **New components: always LWC** unless the target context is Aura-only (e.g. extending `force:appPage`, using Aura-specific events in a legacy managed package).\n- **Migrating Aura to LWC**: prefer LWC, migrate component-by-component; LWC can be embedded inside Aura components.\n\n### 2.2 Aura Security Rules\n\n- `@AuraEnabled` controller methods must declare `with sharing` and enforce CRUD/FLS — Aura does **not** enforce them automatically.\n- Never use `{!v.something}` with unescaped user data in `\u003cdiv\u003e` unbound helpers — use `\u003cui:outputText value=\"{!v.text}\" /\u003e` or `\u003cc:something\u003e` to escape.\n- Validate all inputs from component attributes before using them in SOQL / Apex logic.\n\n### 2.3 Aura Event Design\n\n- **Component events** for parent-child communication — lowest scope.\n- **Application events** only when component events cannot reach the target — they broadcast to the entire app and can be a performance and maintenance problem.\n- For hybrid LWC + Aura stacks: use Lightning Message Service to decouple communication — do not rely on Aura application events reaching LWC components.\n\n---\n\n## Section 3 — Visualforce Security Standards\n\n### 3.1 XSS Prevention\n\n```xml\n\u003c!-- ❌ NEVER — renders raw user input as HTML --\u003e\n\u003capex:outputText value=\"{!userInput}\" escape=\"false\" /\u003e\n\n\u003c!-- ✅ ALWAYS — auto-escaping on --\u003e\n\u003capex:outputText value=\"{!userInput}\" /\u003e\n\u003c!-- Default escape=\"true\" — platform HTML-encodes the output --\u003e\n```\n\nRule: `escape=\"false\"` is never acceptable for user-controlled data. If rich text must be rendered, sanitise server-side with a whitelist before output.\n\n### 3.2 CSRF Protection\n\nUse `\u003capex:form\u003e` for all postback actions — the platform injects a CSRF token automatically into the form. Do **not** use raw `\u003cform method=\"POST\"\u003e` HTML elements, which bypass CSRF protection.\n\n### 3.3 SOQL Injection Prevention in Controllers\n\n```apex\n// ❌ NEVER\nString soql = 'SELECT Id FROM Account WHERE Name = \\'' + ApexPages.currentPage().getParameters().get('name') + '\\'';\nList\u003cAccount\u003e results = Database.query(soql);\n\n// ✅ ALWAYS — bind variable\nString nameParam = ApexPages.currentPage().getParameters().get('name');\nList\u003cAccount\u003e results = [SELECT Id FROM Account WHERE Name = :nameParam];\n```\n\n### 3.4 View State Management Checklist\n\n- [ ] View state is under 135 KB (check in browser developer tools or the Salesforce View State tab)\n- [ ] Fields used only for server-side calculations are declared `transient`\n- [ ] Large collections are not persisted across postbacks unnecessarily\n- [ ] `readonly=\"true\"` is set on `\u003capex:page\u003e` for read-only pages to skip view-state serialisation\n\n### 3.5 FLS / CRUD in Visualforce Controllers\n\n```apex\n// Before reading a field\nif (!Schema.sObjectType.Account.fields.Revenue__c.isAccessible()) {\n    ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.ERROR, 'You do not have access to this field.'));\n    return null;\n}\n\n// Before performing DML\nif (!Schema.sObjectType.Account.isDeletable()) {\n    throw new System.NoAccessException();\n}\n```\n\nStandard controllers enforce FLS for bound fields automatically. **Custom controllers do not** — FLS must be enforced manually.\n\n---\n\n## Quick Reference — Component Anti-Patterns Summary\n\n| Anti-pattern | Technology | Risk | Fix |\n|---|---|---|---|\n| `innerHTML` with user data | LWC | XSS | Use template bindings `{expression}` |\n| Hardcoded hex colours | LWC/Aura | Dark-mode / SLDS 2 break | Use SLDS CSS custom properties |\n| Missing `aria-label` on icon buttons | LWC/Aura/VF | Accessibility failure | Add `alternative-text` or `aria-label` |\n| No guard in `renderedCallback` | LWC | Infinite rerender loop | Add `hasRendered` boolean guard |\n| Application event for parent-child | Aura | Unnecessary broadcast scope | Use component event instead |\n| `escape=\"false\"` on user data | Visualforce | XSS | Remove — use default escaping |\n| Raw `\u003cform\u003e` postback | Visualforce | CSRF vulnerability | Use `\u003capex:form\u003e` |\n| No `with sharing` on custom controller | VF / Apex | Data exposure | Add `with sharing` declaration |\n| FLS not checked in custom controller | VF / Apex | Privilege escalation | Add `Schema.sObjectType` checks |\n| SOQL concatenated with URL param | VF / Apex | SOQL injection | Use bind variables |\n"},"import":{"commit_sha":"541b7819d8c3545c6df122491af4fa1eae415779","imported_at":"2026-05-18T20:05:35Z","license_text":"MIT License\n\nCopyright GitHub, Inc.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","owner":"github","repo":"github/awesome-copilot","source_url":"https://github.com/github/awesome-copilot/tree/541b7819d8c3545c6df122491af4fa1eae415779/plugins/salesforce-development/skills/salesforce-component-standards"}},"content_hash":[98,170,28,228,34,167,131,158,167,180,40,185,219,103,16,103,135,35,55,5,143,82,175,19,109,194,110,230,47,159,56,68],"trust_level":"unsigned","yanked":false}