@salesforce/afv-skills 1.8.0 → 1.9.0

package/skills/configuring-connected-apps/SKILL.md

@@ -0,0 +1,224 @@
+---
+name: configuring-connected-apps
+description: "Salesforce Connected Apps and External Client Apps OAuth configuration with 120-point scoring. Use this skill to configure OAuth flows, JWT bearer auth, Connected Apps, and External Client Apps in Salesforce. TRIGGER when: user configures OAuth flows, JWT bearer auth, Connected Apps, ECAs, or touches .connectedApp-meta.xml / .eca-meta.xml files. DO NOT TRIGGER when: configuring Named Credentials for callouts (use building-sf-integrations), reviewing permission policies (use deploying-metadata), or writing Apex token-handling code (use generating-apex)."
+license: MIT
+allowed-tools: Bash Read Write Edit Glob Grep WebFetch AskUserQuestion TodoWrite
+metadata:
+  version: "1.1"
+---
+
+# configuring-connected-apps: Salesforce Connected Apps & External Client Apps
+
+Use this skill when the user needs **OAuth app configuration** in Salesforce: Connected Apps, External Client Apps (ECAs), JWT bearer setup, PKCE decisions, scope design, or migration from older Connected App patterns to newer ECA patterns.
+
+## Scope
+
+**In scope:**
+- `.connectedApp-meta.xml` or `.eca-meta.xml` files
+- OAuth flow selection and callback / scope setup
+- JWT bearer auth, device flow, client credentials, or auth-code decisions
+- Connected App vs External Client App architecture choices
+- Consumer key / secret / certificate handling strategy
+
+**Out of scope — delegate elsewhere:**
+- Configuring Named Credentials or runtime callouts → [building-sf-integrations](../building-sf-integrations/SKILL.md)
+- Deploying metadata to orgs → [deploying-metadata](../deploying-metadata/SKILL.md)
+- Writing Apex token-handling code → [generating-apex](../generating-apex/SKILL.md)
+
+---
+
+## First Decision: Connected App or External Client App
+
+| If the need is... | Prefer |
+|---|---|
+| simple single-org OAuth app | Connected App |
+| new development with better secret handling | External Client App |
+| multi-org / packaging / stronger operational controls | External Client App |
+| straightforward legacy compatibility | Connected App |
+
+Default guidance:
+- Choose **ECA** for new regulated, packageable, or automation-heavy solutions.
+- Choose **Connected App** when simplicity and legacy compatibility matter more.
+- Spring '26 note: creation of new Connected Apps is disabled by default in orgs. For new integrations, prefer External Client Apps unless Connected App compatibility is explicitly required.
+
+---
+
+## Required Inputs
+
+Ask for or infer:
+- App type: Connected App or ECA
+- OAuth flow: auth code, PKCE, JWT bearer, device, client credentials
+- Client type: confidential vs public
+- Callback URLs / redirect surfaces
+- Required scopes
+- Distribution model: local org only vs packageable / multi-org
+- Whether certificates or secret rotation are required
+
+---
+
+## Workflow
+
+### 1. Choose the app model
+Decide whether a Connected App or ECA is the better long-term fit using the decision table above.
+
+### 2. Choose the OAuth flow
+
+| Use case | Default flow |
+|---|---|
+| backend web app | Authorization Code |
+| SPA / mobile / public client | Authorization Code + PKCE |
+| server-to-server / CI/CD | JWT Bearer |
+| device / CLI auth | Device Flow |
+| service account style app | Client Credentials (typically ECA) |
+
+### 3. Start from the right template
+Read the appropriate template before generating — do not build from scratch:
+
+| Template | Use case |
+|---|---|
+| `assets/connected-app-basic.xml` | Simple API integration, minimal OAuth |
+| `assets/connected-app-oauth.xml` | Web app with full OAuth 2.0 configuration |
+| `assets/connected-app-jwt.xml` | JWT bearer / server-to-server |
+| `assets/connected-app-canvas.xml` | Embedding external apps in Salesforce UI (Canvas) |
+| `assets/external-client-app.xml` | ECA header file — all new ECA builds start here |
+| `assets/eca-global-oauth.xml` | ECA global OAuth settings (scopes, PKCE, rotation) |
+| `assets/eca-oauth-settings.xml` | ECA per-app OAuth settings |
+| `assets/eca-policies.xml` | ECA configurable policies |
+
+If you need source-controlled ECA OAuth security metadata, retrieve it from an org first and treat the retrieved file as the schema source of truth:
+```
+sf project retrieve start --metadata ExtlClntAppOauthSecuritySettings:<AppName> --target-org <alias>
+```
+
+### 4. Apply security hardening
+Read `references/security-checklist.md` for the full 120-point security checklist. Favor:
+- Least-privilege scopes
+- Explicit callback URLs
+- PKCE for public clients
+- Certificate-based auth where appropriate
+- Rotation-ready secret / key handling
+- IP restrictions when realistic and maintainable
+
+### 5. Validate deployment readiness
+Read `references/testing-validation-guide.md` before handoff. Confirm:
+- Metadata file naming is correct (see Gotchas below)
+- Scopes are justified
+- Callback and auth model match the real client type
+- Secrets are not embedded in source
+
+### 6. Handle errors
+If deployment fails, check the error output for:
+- `DUPLICATE_VALUE` — a Connected App or ECA with this name already exists; rename or retrieve-then-update instead
+- `INVALID_CROSS_REFERENCE_KEY` — the `externalClientApplication` name in an ECA settings file doesn't match the `.eca-meta.xml` filename exactly
+- `INSUFFICIENT_ACCESS_OR_READONLY` — user lacks the "Manage Connected Apps" permission
+- If any step fails, do not proceed to the next step — surface the error to the user with the specific message above
+
+---
+
+## Rules / Constraints
+
+| Rule | Rationale |
+|---|---|
+| Never commit consumer secrets to source control | Credential exposure risk |
+| Never use `Full` scope by default | Unnecessary privilege; request only what the app needs |
+| Always use PKCE for public clients (mobile, SPA) | Prevents auth code interception |
+| Never use wildcard or overly broad callback URLs | Token interception risk |
+| ECA OAuth security settings must be retrieved from org before editing | File schema is not fully documented; retrieve-first ensures accuracy |
+| Use `<alias>` placeholders in CLI commands, never hardcoded org URLs | Org URLs vary per environment |
+| Detect actual `packageDirectory` from `sfdx-project.json` before writing files | Projects may not use the default `force-app/main/default/` layout |
+
+---
+
+## Metadata Notes That Matter
+
+### Connected App
+Default source location (verify via `sfdx-project.json → packageDirectories`):
+- `<packageDir>/connectedApps/`
+
+### External Client App
+ECA metadata spans multiple top-level source directories. Default locations (verify via `sfdx-project.json`):
+
+| Directory | Metadata type | File suffix |
+|---|---|---|
+| `<packageDir>/externalClientApps/` | `ExternalClientApplication` | `.eca-meta.xml` |
+| `<packageDir>/extlClntAppGlobalOauthSets/` | `ExtlClntAppGlobalOauthSettings` | `.ecaGlblOauth-meta.xml` |
+| `<packageDir>/extlClntAppOauthSettings/` | `ExtlClntAppOauthSettings` | `.ecaOauth-meta.xml` |
+| `<packageDir>/extlClntAppOauthSecuritySettings/` | `ExtlClntAppOauthSecuritySettings` | `.ecaOauthSecurity-meta.xml` |
+| `<packageDir>/extlClntAppOauthPolicies/` | `ExtlClntAppOauthConfigurablePolicies` | `.ecaOauthPlcy-meta.xml` |
+| `<packageDir>/extlClntAppPolicies/` | `ExtlClntAppConfigurablePolicies` | `.ecaPlcy-meta.xml` |
+
+---
+
+## Gotchas
+
+| Gotcha | Detail |
+|---|---|
+| `.ecaGlblOauth` not `.ecaGlobalOauth` | The global OAuth suffix is abbreviated — using the long form will break deployment |
+| `.ecaPlcy` not `.ecaPolicy` | Same abbreviation pattern — the general policy suffix is short form |
+| `.ecaOauthSecurity` for security settings | Use `.ecaOauthSecurity`, not `.ecaSecurity` |
+| ECA OAuth security settings are retrieve-only | Cannot be created from scratch in source — always retrieve from org first |
+| Spring '26: new Connected Apps disabled by default | New orgs block Connected App creation; use ECA unless explicitly required |
+| Consumer key is generated post-deploy | You cannot set the consumer key in metadata — retrieve it after first deployment |
+
+---
+
+## Output Expectations
+
+When finishing, confirm and report in this order:
+
+1. **App type chosen** — Connected App or External Client App
+2. **OAuth flow chosen**
+3. **Files created or updated** — list each metadata file path
+4. **Security decisions** — scopes, PKCE, certs, secrets, IP policy
+5. **Next deployment / testing step**
+
+Suggested output shape:
+```
+App: <name>
+Type: Connected App | External Client App
+Flow: <oauth flow>
+Files: <paths>
+Security: <scopes, PKCE, certs, secrets, IP policy>
+Next step: <deploy, retrieve consumer key, or test auth flow>
+Score: <x>/120
+```
+
+---
+
+## Cross-Skill Integration
+
+| Need | Delegate to | Reason |
+|---|---|---|
+| Named Credential / callout runtime config | [building-sf-integrations](../building-sf-integrations/SKILL.md) | runtime integration setup |
+| Deploy app metadata | [deploying-metadata](../deploying-metadata/SKILL.md) | org validation and deployment |
+| Apex token or refresh handling | [generating-apex](../generating-apex/SKILL.md) | implementation logic |
+
+---
+
+## Score Guide
+
+| Score | Meaning |
+|---|---|
+| 80+ | production-ready OAuth app config |
+| 54–79 | workable but needs hardening review |
+| < 54 | block deployment until fixed |
+
+---
+
+## Reference File Index
+
+| File | When to read |
+|---|---|
+| `assets/connected-app-basic.xml` | Step 3 — template for simple Connected App with minimal OAuth |
+| `assets/connected-app-oauth.xml` | Step 3 — template for full OAuth 2.0 Connected App |
+| `assets/connected-app-jwt.xml` | Step 3 — template for JWT bearer / server-to-server Connected App |
+| `assets/connected-app-canvas.xml` | Step 3 — template for Canvas app embedding in Salesforce UI |
+| `assets/external-client-app.xml` | Step 3 — ECA header file template |
+| `assets/eca-global-oauth.xml` | Step 3 — ECA global OAuth settings template (PKCE, rotation, callbacks) |
+| `assets/eca-oauth-settings.xml` | Step 3 — ECA per-app OAuth settings template |
+| `assets/eca-policies.xml` | Step 3 — ECA configurable policies template |
+| `references/oauth-flows-reference.md` | Step 2 — detailed OAuth flow comparison and decision guide |
+| `references/security-checklist.md` | Step 4 — full 120-point security scoring checklist |
+| `references/testing-validation-guide.md` | Step 5 — pre-deployment validation and testing guide |
+| `references/migration-guide.md` | When migrating from Connected App to ECA patterns |
+| `references/example-usage.md` | Full end-to-end examples for common OAuth scenarios |

package/skills/configuring-connected-apps/assets/connected-app-basic.xml

@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Template: Connected App - Basic
+  Use Case: Simple API integration with minimal OAuth configuration
+
+  Replace placeholders:
+  - {{APP_NAME}}: Application name (no spaces, alphanumeric + underscore)
+  - {{CONTACT_EMAIL}}: Administrator contact email
+  - {{DESCRIPTION}}: Brief description of the app's purpose
+  - {{CALLBACK_URL}}: OAuth callback URL (must be HTTPS in production)
+-->
+<ConnectedApp xmlns="http://soap.sforce.com/2006/04/metadata">
+    <label>{{APP_NAME}}</label>
+    <contactEmail>{{CONTACT_EMAIL}}</contactEmail>
+    <description>{{DESCRIPTION}}</description>
+
+    <oauthConfig>
+        <callbackUrl>{{CALLBACK_URL}}</callbackUrl>
+        <isAdminApproved>false</isAdminApproved>
+        <isConsumerSecretOptional>false</isConsumerSecretOptional>
+        <scopes>Api</scopes>
+        <scopes>RefreshToken</scopes>
+    </oauthConfig>
+
+    <oauthPolicy>
+        <ipRelaxation>ENFORCE</ipRelaxation>
+        <refreshTokenPolicy>infinite</refreshTokenPolicy>
+    </oauthPolicy>
+</ConnectedApp>

package/skills/configuring-connected-apps/assets/connected-app-canvas.xml

@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Template: Connected App - Canvas App
+  Use Case: Embedding external applications within Salesforce UI
+
+  Replace placeholders:
+  - {{APP_NAME}}: Application name (no spaces, alphanumeric + underscore)
+  - {{CONTACT_EMAIL}}: Administrator contact email
+  - {{DESCRIPTION}}: Brief description of the app's purpose
+  - {{CANVAS_URL}}: URL of your canvas application
+  - {{CALLBACK_URL}}: OAuth callback URL (must be HTTPS)
+
+  Canvas Access Methods:
+  - Chatter Feed: Embed in Chatter
+  - Chatter Tab: Add to Chatter tab
+  - Publisher: Add to publisher actions
+  - Visualforce Page: Embed via Visualforce
+  - Mobile Card: Show on mobile record pages
+  - OpenCTI: Use in Service Cloud CTI
+  - LayoutSection: Embed in page layouts
+-->
+<ConnectedApp xmlns="http://soap.sforce.com/2006/04/metadata">
+    <label>{{APP_NAME}}</label>
+    <contactEmail>{{CONTACT_EMAIL}}</contactEmail>
+    <description>{{DESCRIPTION}}</description>
+
+    <oauthConfig>
+        <callbackUrl>{{CALLBACK_URL}}</callbackUrl>
+        <isAdminApproved>true</isAdminApproved>
+        <isConsumerSecretOptional>false</isConsumerSecretOptional>
+        <scopes>Api</scopes>
+        <scopes>RefreshToken</scopes>
+    </oauthConfig>
+
+    <oauthPolicy>
+        <ipRelaxation>ENFORCE</ipRelaxation>
+        <refreshTokenPolicy>infinite</refreshTokenPolicy>
+    </oauthPolicy>
+
+    <!-- Canvas Configuration -->
+    <canvasConfig>
+        <canvasUrl>{{CANVAS_URL}}</canvasUrl>
+        <accessMethod>Get</accessMethod>
+
+        <!-- Canvas Locations - uncomment as needed -->
+        <locations>Chatter</locations>
+        <locations>Visualforce</locations>
+        <!-- <locations>ChatterFeed</locations> -->
+        <!-- <locations>Publisher</locations> -->
+        <!-- <locations>MobileNav</locations> -->
+        <!-- <locations>OpenCTI</locations> -->
+        <!-- <locations>LayoutSection</locations> -->
+
+        <!-- Canvas Options -->
+        <lifecycleClass></lifecycleClass>
+        <options>HideHeader</options>
+        <options>HideShare</options>
+
+        <!-- SAML Initiation Method -->
+        <samlInitiationMethod>None</samlInitiationMethod>
+    </canvasConfig>
+</ConnectedApp>

package/skills/configuring-connected-apps/assets/connected-app-jwt.xml

@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Template: Connected App - JWT Bearer Flow
+  Use Case: Server-to-server integration, CI/CD pipelines, headless automation
+
+  Replace placeholders:
+  - {{APP_NAME}}: Application name (no spaces, alphanumeric + underscore)
+  - {{CONTACT_EMAIL}}: Administrator contact email
+  - {{DESCRIPTION}}: Brief description of the app's purpose
+  - {{CERTIFICATE_NAME}}: Name of the certificate uploaded to Salesforce
+
+  Prerequisites:
+  1. Create a self-signed certificate or use CA-signed certificate
+  2. Upload certificate to Salesforce (Setup > Certificate and Key Management)
+  3. Use the certificate name (not file name) in this template
+
+  Note: No callback URL needed for JWT Bearer flow
+  Note: Consumer Secret is optional when using certificate authentication
+-->
+<ConnectedApp xmlns="http://soap.sforce.com/2006/04/metadata">
+    <label>{{APP_NAME}}</label>
+    <contactEmail>{{CONTACT_EMAIL}}</contactEmail>
+    <description>{{DESCRIPTION}} - JWT Bearer Authentication</description>
+
+    <oauthConfig>
+        <!-- JWT Bearer flow doesn't require callback URL, but Salesforce requires one -->
+        <callbackUrl>https://localhost/oauth/callback</callbackUrl>
+
+        <!-- Certificate for JWT signing -->
+        <certificate>{{CERTIFICATE_NAME}}</certificate>
+
+        <isAdminApproved>true</isAdminApproved>
+        <isConsumerSecretOptional>true</isConsumerSecretOptional>
+
+        <!-- API access scope - typically all that's needed for server-to-server -->
+        <scopes>Api</scopes>
+        <!-- RefreshToken not needed for JWT - each request gets new access token -->
+    </oauthConfig>
+
+    <oauthPolicy>
+        <ipRelaxation>ENFORCE</ipRelaxation>
+        <refreshTokenPolicy>zero</refreshTokenPolicy>
+    </oauthPolicy>
+
+    <!-- Require connected app to be assigned via permission sets or profiles -->
+    <permissionSetLicense>
+        <license>Salesforce</license>
+    </permissionSetLicense>
+</ConnectedApp>

package/skills/configuring-connected-apps/assets/connected-app-oauth.xml

@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Template: Connected App - Full OAuth
+  Use Case: Web application with complete OAuth 2.0 configuration
+
+  Replace placeholders:
+  - {{APP_NAME}}: Application name (no spaces, alphanumeric + underscore)
+  - {{CONTACT_EMAIL}}: Administrator contact email
+  - {{DESCRIPTION}}: Brief description of the app's purpose
+  - {{CALLBACK_URL}}: OAuth callback URL (must be HTTPS)
+  - {{LOGOUT_URL}}: URL to redirect after logout (optional)
+
+  OAuth Scopes (uncomment as needed):
+  - Api: REST/SOAP API access
+  - RefreshToken: Offline access via refresh token
+  - Full: Complete access (use sparingly)
+  - OpenID: OpenID Connect
+  - Web: Web browser access
+  - ChatterApi: Chatter REST API
+  - CustomPermissions: Custom permission access
+-->
+<ConnectedApp xmlns="http://soap.sforce.com/2006/04/metadata">
+    <label>{{APP_NAME}}</label>
+    <contactEmail>{{CONTACT_EMAIL}}</contactEmail>
+    <description>{{DESCRIPTION}}</description>
+
+    <oauthConfig>
+        <callbackUrl>{{CALLBACK_URL}}</callbackUrl>
+        <isAdminApproved>true</isAdminApproved>
+        <isConsumerSecretOptional>false</isConsumerSecretOptional>
+        <isIntrospectAllTokens>false</isIntrospectAllTokens>
+
+        <!-- Core API Access -->
+        <scopes>Api</scopes>
+        <scopes>RefreshToken</scopes>
+
+        <!-- OpenID Connect (for user identity) -->
+        <scopes>OpenID</scopes>
+        <scopes>Profile</scopes>
+        <scopes>Email</scopes>
+
+        <!-- Uncomment additional scopes as needed -->
+        <!-- <scopes>Web</scopes> -->
+        <!-- <scopes>ChatterApi</scopes> -->
+        <!-- <scopes>CustomPermissions</scopes> -->
+        <!-- <scopes>Wave</scopes> -->
+    </oauthConfig>
+
+    <oauthPolicy>
+        <ipRelaxation>ENFORCE</ipRelaxation>
+        <refreshTokenPolicy>infinite</refreshTokenPolicy>
+        <singleLogoutUrl>{{LOGOUT_URL}}</singleLogoutUrl>
+    </oauthPolicy>
+
+    <!--
+      NOTE: refreshTokenValidityPeriod requires specific element ordering per XSD.
+      For custom token lifetimes, configure via Setup UI after deployment.
+      Using refreshTokenPolicy=infinite is the safest metadata-deployable option.
+    -->
+
+    <!-- Session Policy -->
+    <sessionPolicy>
+        <sessionTimeout>120</sessionTimeout>
+    </sessionPolicy>
+</ConnectedApp>

package/skills/configuring-connected-apps/assets/eca-global-oauth.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Template: External Client App - Global OAuth Settings
+  Use Case: Configure OAuth settings that apply globally to the ECA
+
+  Replace placeholders:
+  - {{APP_NAME}}: The ExternalClientApplication API name (must match .eca file)
+  - {{LABEL}}: Display label for this global OAuth settings configuration
+  - {{CALLBACK_URL}}: OAuth callback URL (must be HTTPS for web, custom scheme for mobile)
+  - {{PKCE_REQUIRED}}: true for public clients (mobile, SPA), false for confidential
+  - {{SECRET_OPTIONAL}}: true for public clients using PKCE only
+  - {{SECRET_FOR_REFRESH}}: true to require secret for refresh token requests
+  - {{ROTATE_KEY}}: true to enable consumer key rotation (recommended for production)
+  - {{ROTATE_SECRET}}: true to enable consumer secret rotation (recommended for production)
+
+  Security Recommendations:
+  - PKCE: REQUIRED for mobile and SPA applications (public clients)
+  - Key/Secret Rotation: Enable for production apps (can be automated via API)
+  - Consumer Secret Optional: Only true when using PKCE exclusively
+  - Introspect All Tokens: Enable if you need to validate tokens programmatically
+
+  File Naming: [AppName].ecaGlblOauth-meta.xml
+
+  NOTE: The file suffix is .ecaGlblOauth (abbreviated), NOT .ecaGlobalOauth
+-->
+<ExtlClntAppGlobalOauthSettings xmlns="http://soap.sforce.com/2006/04/metadata">
+    <callbackUrl>{{CALLBACK_URL}}</callbackUrl>
+    <externalClientApplication>{{APP_NAME}}</externalClientApplication>
+    <isConsumerSecretOptional>{{SECRET_OPTIONAL}}</isConsumerSecretOptional>
+    <isIntrospectAllTokens>false</isIntrospectAllTokens>
+    <isPkceRequired>{{PKCE_REQUIRED}}</isPkceRequired>
+    <isSecretRequiredForRefreshToken>{{SECRET_FOR_REFRESH}}</isSecretRequiredForRefreshToken>
+    <label>{{LABEL}}</label>
+    <shouldRotateConsumerKey>{{ROTATE_KEY}}</shouldRotateConsumerKey>
+    <shouldRotateConsumerSecret>{{ROTATE_SECRET}}</shouldRotateConsumerSecret>
+</ExtlClntAppGlobalOauthSettings>

package/skills/configuring-connected-apps/assets/eca-oauth-settings.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Template: External Client App - Instance OAuth Settings
+  Use Case: Configure OAuth scopes for the ECA
+
+  Replace placeholders:
+  - {{APP_NAME}}: The ExternalClientApplication API name (must match .eca file)
+  - {{LABEL}}: Display label for this OAuth settings configuration
+  - {{SCOPES}}: Comma-separated OAuth scopes (e.g., "Api, RefreshToken, OpenID")
+
+  Common Scope Combinations:
+  - API Integration: Api, RefreshToken
+  - Web App with Identity: Api, RefreshToken, OpenID, Profile, Email
+  - Server-to-Server: Api
+  - Mobile App: Api, RefreshToken, OpenID
+
+  Available Scopes:
+  - Api: REST/SOAP API access
+  - RefreshToken: Offline access via refresh token
+  - OpenID: OpenID Connect (user identity)
+  - Profile: User profile information
+  - Email: User email address
+  - Web: Web browser access
+  - ChatterApi: Chatter REST API
+  - CustomPermissions: Custom permission access
+
+  IMPORTANT: OAuth flows (Authorization Code, Client Credentials, etc.) are
+  configured via the Admin UI or ExtlClntAppOauthConfigurablePolicies, NOT here.
+
+  File Naming: [AppName].ecaOauth-meta.xml
+-->
+<ExtlClntAppOauthSettings xmlns="http://soap.sforce.com/2006/04/metadata">
+    <commaSeparatedOauthScopes>{{SCOPES}}</commaSeparatedOauthScopes>
+    <externalClientApplication>{{APP_NAME}}</externalClientApplication>
+    <label>{{LABEL}}</label>
+</ExtlClntAppOauthSettings>

package/skills/configuring-connected-apps/assets/eca-policies.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Template: External Client App - Configurable Policies
+  Use Case: Admin-configurable security policies for the ECA
+
+  Note: This file is AUTO-GENERATED on first deployment.
+  Admins can modify these values in Setup UI or via Metadata API.
+
+  Replace placeholders:
+  - {{IP_RELAXATION}}: IP restriction policy
+  - {{REFRESH_TOKEN_POLICY}}: Refresh token lifetime policy
+  - {{SESSION_TIMEOUT}}: Session timeout in minutes
+
+  IP Relaxation Options:
+  - ENFORCE: Enforce IP restrictions (recommended)
+  - BYPASS: Bypass IP restrictions (use with caution)
+  - ENFORCE_ACTIVATED_USERS: Enforce for activated users only
+
+  Refresh Token Policies:
+  - infinite: Tokens never expire
+  - zero: No refresh tokens (use with JWT)
+  - specific_lifetime: Expire after specified period
+
+  File Naming: [AppName].ecaPlcy-meta.xml
+-->
+<ExtlClntAppConfigurablePolicies xmlns="http://soap.sforce.com/2006/04/metadata">
+    <!-- IP Restriction Policy -->
+    <ipRelaxation>{{IP_RELAXATION}}</ipRelaxation>
+
+    <!-- Refresh Token Lifetime -->
+    <refreshTokenPolicy>{{REFRESH_TOKEN_POLICY}}</refreshTokenPolicy>
+    <!-- <refreshTokenValidityPeriod>30</refreshTokenValidityPeriod> -->
+
+    <!-- Session Timeout (minutes) -->
+    <sessionTimeout>{{SESSION_TIMEOUT}}</sessionTimeout>
+</ExtlClntAppConfigurablePolicies>

package/skills/configuring-connected-apps/assets/external-client-app.xml

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Template: External Client Application - Header File
+  Use Case: Modern OAuth app with enhanced security and metadata compliance
+
+  Replace placeholders:
+  - {{APP_NAME}}: Application name (no spaces, alphanumeric + underscore)
+  - {{CONTACT_EMAIL}}: Administrator contact email
+  - {{DESCRIPTION}}: Brief description of the app's purpose
+  - {{ICON_URL}}: URL to app icon (optional)
+  - {{LOGO_URL}}: URL to app logo (optional)
+  - {{DISTRIBUTION_STATE}}: Local or Packageable
+
+  Distribution States:
+  - Local: Available only in this org
+  - Packageable: Can be packaged and distributed via 2GP
+
+  Common Source Files for ECA:
+  1. externalClientApps/[AppName].eca-meta.xml (this file)
+  2. extlClntAppGlobalOauthSets/[AppName].ecaGlblOauth-meta.xml (global OAuth settings)
+  3. extlClntAppOauthSettings/[AppName].ecaOauth-meta.xml (OAuth scopes / parent link)
+  4. extlClntAppOauthSecuritySettings/[AppName].ecaOauthSecurity-meta.xml (optional, retrieve-first)
+  5. extlClntAppOauthPolicies/[AppName].ecaOauthPlcy-meta.xml or extlClntAppPolicies/[AppName].ecaPlcy-meta.xml (optional policy metadata)
+
+  Minimum API Version: 61.0
+-->
+<ExternalClientApplication xmlns="http://soap.sforce.com/2006/04/metadata">
+    <contactEmail>{{CONTACT_EMAIL}}</contactEmail>
+    <description>{{DESCRIPTION}}</description>
+    <distributionState>{{DISTRIBUTION_STATE}}</distributionState>
+    <iconUrl>{{ICON_URL}}</iconUrl>
+    <isProtected>false</isProtected>
+    <label>{{APP_NAME}}</label>
+    <logoUrl>{{LOGO_URL}}</logoUrl>
+</ExternalClientApplication>