scc-universal 1.1.0

package/skills/sf-integration/SKILL.md

@@ -0,0 +1,483 @@
+---
+name: sf-integration
+description: >-
+  Use when building Salesforce Apex integrations — REST/SOAP callouts,
+  Named Credentials, inbound API, External Services.
+  Do NOT use for Platform Events or Flow-only automation.
+origin: SCC
+user-invocable: false
+---
+
+# Salesforce Integration Patterns
+
+Procedures for building integrations between Salesforce and external systems. Limits, auth protocols, and pattern decision matrices live in the reference file.
+
+@../_reference/INTEGRATION_PATTERNS.md
+
+## When to Use
+
+- Designing a new integration between Salesforce and an external system
+- Choosing between REST callout, SOAP callout, Bulk API, or Composite API
+- Implementing an inbound REST API endpoint in Salesforce
+- Configuring Named Credentials and External Credentials for authentication
+- Adding retry logic to callout classes for resilience
+- Migrating from Connected Apps to External Client Apps (Spring '26+)
+
+---
+
+## Outbound REST Callout — Complete Pattern
+
+```apex
+public with sharing class OrderManagementIntegration {
+
+    private static final String NAMED_CREDENTIAL = 'OrderManagementAPI';
+    private static final Integer TIMEOUT_MS       = 10000;
+    private static final Integer MAX_RETRIES      = 2;
+
+    public static OrderResponse createExternalOrder(OrderRequest orderData) {
+        HttpRequest req = new HttpRequest();
+        req.setEndpoint('callout:' + NAMED_CREDENTIAL + '/api/v2/orders');
+        req.setMethod('POST');
+        req.setHeader('Content-Type', 'application/json');
+        req.setHeader('Accept', 'application/json');
+        req.setTimeout(TIMEOUT_MS);
+        req.setBody(JSON.serialize(orderData));
+
+        return executeWithRetry(req, MAX_RETRIES);
+    }
+
+    public static OrderResponse getOrderStatus(String externalOrderId) {
+        HttpRequest req = new HttpRequest();
+        req.setEndpoint('callout:' + NAMED_CREDENTIAL +
+            '/api/v2/orders/' + EncodingUtil.urlEncode(externalOrderId, 'UTF-8'));
+        req.setMethod('GET');
+        req.setHeader('Accept', 'application/json');
+        req.setTimeout(TIMEOUT_MS);
+
+        return executeWithRetry(req, MAX_RETRIES);
+    }
+
+    /**
+     * In-transaction retry for transient network glitches.
+     * For true backoff, use Queueable chaining with
+     * AsyncOptions.minimumQueueableDelayInMinutes between attempts.
+     */
+    private static OrderResponse executeWithRetry(HttpRequest req, Integer retries) {
+        Http http = new Http();
+        HttpResponse res;
+        Exception lastException;
+
+        for (Integer attempt = 0; attempt <= retries; attempt++) {
+            try {
+                res = http.send(req);
+
+                if (res.getStatusCode() == 200 || res.getStatusCode() == 201) {
+                    return (OrderResponse) JSON.deserialize(
+                        res.getBody(), OrderResponse.class);
+                }
+
+                if (res.getStatusCode() == 429) {
+                    if (attempt == retries) {
+                        throw new IntegrationException(
+                            'Rate limited (429) after ' + (retries + 1) + ' attempts.');
+                    }
+                    continue;
+                }
+
+                if (res.getStatusCode() >= 500 && attempt < retries) continue;
+
+                throw new IntegrationException(
+                    'HTTP ' + res.getStatusCode() + ': ' + res.getBody());
+
+            } catch (System.CalloutException e) {
+                lastException = e;
+                if (attempt == retries) {
+                    throw new IntegrationException(
+                        'Callout failed after ' + (retries + 1) +
+                        ' attempts: ' + e.getMessage(), e);
+                }
+            }
+        }
+        throw new IntegrationException('Unexpected retry loop exit');
+    }
+
+    public class OrderRequest {
+        public String  externalAccountId;
+        public String  productCode;
+        public Integer quantity;
+        public Decimal unitPrice;
+        public String  currency_x;
+    }
+
+    public class OrderResponse {
+        public String orderId;
+        public String status;
+        public String message;
+        public String createdAt;
+    }
+
+    public class IntegrationException extends Exception {}
+}
+```
+
+---
+
+## Named Credentials Setup
+
+### Modern Model: External Credentials + Named Credentials (API 54.0+)
+
+**Step 1 -- Create External Credential** (Setup > Security > Named Credentials > External Credentials)
+
+- Principal type: `Named Principal` (shared credential) or `Per User` (each user authenticates separately)
+- Authentication Protocol: OAuth 2.0, JWT Token, Basic, Custom Header, etc.
+
+**Step 2 -- Create Named Credential** referencing the External Credential
+
+- Name: `OrderManagementAPI`
+- URL: `https://erp.example.com`
+- External Credential: select from Step 1
+
+**Step 3 -- Grant permission** via Permission Set on the External Credential Principal
+
+```apex
+// Usage in Apex — identical to legacy Named Credentials
+req.setEndpoint('callout:OrderManagementAPI/api/v2/orders');
+// Auth headers injected automatically
+```
+
+### Legacy Named Credentials
+
+Still valid for simpler use cases. Combine URL + auth in one config.
+
+```apex
+req.setEndpoint('callout:LegacyNamedCred/endpoint');
+```
+
+---
+
+## SOAP Callout via WSDL2Apex
+
+```bash
+# Generate Apex stub from WSDL
+sf generate apex from-wsdl \
+    --file path/to/service.wsdl \
+    --output-dir force-app/main/default/classes
+```
+
+### Manual SOAP Callout (when WSDL2Apex is impractical)
+
+```apex
+public with sharing class SoapIntegration {
+
+    private static final String SOAP_ENDPOINT = 'callout:LegacySoapService/service';
+
+    public static String invokeMethod(String accountNumber) {
+        String safeAccountNumber = escapeXml(accountNumber);
+
+        String soapBody =
+            '<?xml version="1.0" encoding="UTF-8"?>' +
+            '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"' +
+            '  xmlns:leg="http://legacy.example.com/service">' +
+            '  <soapenv:Header/>' +
+            '  <soapenv:Body>' +
+            '    <leg:GetAccountDetails>' +
+            '      <leg:AccountNumber>' + safeAccountNumber + '</leg:AccountNumber>' +
+            '    </leg:GetAccountDetails>' +
+            '  </soapenv:Body>' +
+            '</soapenv:Envelope>';
+
+        HttpRequest req = new HttpRequest();
+        req.setEndpoint(SOAP_ENDPOINT);
+        req.setMethod('POST');
+        req.setHeader('Content-Type', 'text/xml; charset=UTF-8');
+        req.setHeader('SOAPAction', '"GetAccountDetails"');
+        req.setBody(soapBody);
+        req.setTimeout(15000);
+
+        HttpResponse res = new Http().send(req);
+
+        if (res.getStatusCode() != 200) {
+            throw new CalloutException('SOAP error: ' + res.getStatus());
+        }
+
+        Dom.Document doc       = res.getBodyDocument();
+        Dom.XmlNode root       = doc.getRootElement();
+        Dom.XmlNode body       = root.getChildElement(
+            'Body', 'http://schemas.xmlsoap.org/soap/envelope/');
+        Dom.XmlNode responseEl = body.getChildElements()[0];
+        Dom.XmlNode result     = responseEl.getChildElement(
+            'Result', 'http://legacy.example.com/service');
+
+        return result != null ? result.getText() : null;
+    }
+
+    private static String escapeXml(String input) {
+        if (String.isBlank(input)) return input;
+        return input
+            .replace('&', '&amp;')
+            .replace('<', '&lt;')
+            .replace('>', '&gt;')
+            .replace('"', '&quot;')
+            .replace('\'', '&apos;');
+    }
+}
+```
+
+---
+
+## Inbound REST API
+
+```apex
+@RestResource(urlMapping='/v1/accounts/*')
+global with sharing class AccountRestService {
+
+    @HttpGet
+    global static AccountDTO getAccount() {
+        RestRequest  req = RestContext.request;
+        RestResponse res = RestContext.response;
+
+        String accountId = req.requestURI.substring(
+            req.requestURI.lastIndexOf('/') + 1);
+
+        if (String.isBlank(accountId)) {
+            res.statusCode = 400;
+            return new AccountDTO(null, null, 'Invalid Account ID');
+        }
+        try {
+            Id.valueOf(accountId);
+        } catch (StringException e) {
+            res.statusCode = 400;
+            return new AccountDTO(null, null, 'Invalid Account ID');
+        }
+
+        List<Account> accounts = [
+            SELECT Id, Name, Phone, BillingCity, BillingCountry
+            FROM Account WHERE Id = :accountId
+            WITH USER_MODE LIMIT 1
+        ];
+
+        if (accounts.isEmpty()) {
+            res.statusCode = 404;
+            return new AccountDTO(null, null, 'Account not found');
+        }
+
+        res.statusCode = 200;
+        return new AccountDTO(accounts[0].Id, accounts[0].Name, null);
+    }
+
+    @HttpPost
+    global static AccountDTO createAccount() {
+        RestRequest  req = RestContext.request;
+        RestResponse res = RestContext.response;
+
+        try {
+            Map<String, Object> body =
+                (Map<String, Object>) JSON.deserializeUntyped(
+                    req.requestBody.toString());
+
+            Account acc    = new Account();
+            acc.Name       = (String) body.get('name');
+            acc.Phone      = (String) body.get('phone');
+            acc.BillingCity = (String) body.get('billingCity');
+
+            if (String.isBlank(acc.Name)) {
+                res.statusCode = 400;
+                return new AccountDTO(null, null, 'Account name is required');
+            }
+
+            Database.insert(acc, AccessLevel.USER_MODE);
+            res.statusCode = 201;
+            return new AccountDTO(acc.Id, acc.Name, 'Account created');
+
+        } catch (DmlException e) {
+            res.statusCode = 400;
+            return new AccountDTO(null, null, 'DML error: ' + e.getDmlMessage(0));
+        } catch (JSONException e) {
+            res.statusCode = 400;
+            return new AccountDTO(null, null, 'Invalid JSON: ' + e.getMessage());
+        } catch (System.SecurityException e) {
+            res.statusCode = 403;
+            return new AccountDTO(null, null, 'Insufficient access: ' + e.getMessage());
+        }
+    }
+
+    global class AccountDTO {
+        global String id;
+        global String name;
+        global String message;
+
+        global AccountDTO(String id, String name, String message) {
+            this.id      = id;
+            this.name    = name;
+            this.message = message;
+        }
+    }
+}
+```
+
+---
+
+## HttpCalloutMock -- Testing Callouts
+
+### Single Endpoint Mock
+
+```apex
+@IsTest
+public class OrderIntegrationMock implements HttpCalloutMock {
+
+    private Integer statusCode;
+    private String  body;
+
+    public OrderIntegrationMock(Integer statusCode, String body) {
+        this.statusCode = statusCode;
+        this.body       = body;
+    }
+
+    public HttpResponse respond(HttpRequest req) {
+        HttpResponse res = new HttpResponse();
+        res.setStatusCode(statusCode);
+        res.setHeader('Content-Type', 'application/json');
+        res.setBody(body);
+        return res;
+    }
+}
+```
+
+### Multi-Endpoint Mock
+
+```apex
+@IsTest
+public class MultiRequestMock implements HttpCalloutMock {
+
+    private Map<String, HttpCalloutMock> mocks = new Map<String, HttpCalloutMock>();
+
+    public void addMock(String endpoint, HttpCalloutMock mock) {
+        mocks.put(endpoint, mock);
+    }
+
+    public HttpResponse respond(HttpRequest req) {
+        String endpoint = req.getEndpoint();
+        for (String key : mocks.keySet()) {
+            if (endpoint.contains(key)) {
+                return mocks.get(key).respond(req);
+            }
+        }
+        throw new IllegalArgumentException('Unexpected callout to: ' + endpoint);
+    }
+}
+```
+
+### Using Mocks in Tests
+
+```apex
+@IsTest
+static void testCreateOrder_success_returnsOrderId() {
+    String mockResponse =
+        '{"orderId":"ERP-001","status":"PENDING","message":"Order created"}';
+    Test.setMock(HttpCalloutMock.class,
+        new OrderIntegrationMock(201, mockResponse));
+
+    Test.startTest();
+    OrderManagementIntegration.OrderRequest req =
+        new OrderManagementIntegration.OrderRequest();
+    req.productCode = 'PROD-001';
+    req.quantity    = 5;
+    req.unitPrice   = 99.99;
+
+    OrderManagementIntegration.OrderResponse res =
+        OrderManagementIntegration.createExternalOrder(req);
+    Test.stopTest();
+
+    System.assertEquals('ERP-001', res.orderId);
+    System.assertEquals('PENDING', res.status);
+}
+```
+
+---
+
+## External Client Apps (Spring '26 GA)
+
+External Client Apps replace Connected Apps for new OAuth-based integrations.
+
+| Feature | Connected App | External Client App |
+|---------|--------------|---------------------|
+| Status | Existing -- maintain as-is | New standard for Spring '26+ |
+| Location | Setup > App Manager | Setup > External Client App Manager |
+| Metadata type | `ConnectedApp` | `ExternalClientApplication` |
+| Recommendation | Keep existing; do not migrate | Use for all new integrations |
+
+### Creating an External Client App (Metadata)
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<ExternalClientApplication xmlns="http://soap.sforce.com/2006/04/metadata">
+    <contactEmail>integrations@example.com</contactEmail>
+    <description>OAuth integration with Warehouse Management System</description>
+    <distributionState>Global</distributionState>
+    <label>Warehouse Integration</label>
+    <name>WarehouseIntegration</name>
+</ExternalClientApplication>
+```
+
+```bash
+sf project deploy start \
+    --metadata ExternalClientApplication:WarehouseIntegration \
+    --target-org Production
+```
+
+### Key Steps for New Integrations
+
+1. Create External Client App in Setup > External Client Apps
+2. Configure OAuth scopes and callback URLs
+3. Reference the External Client App in your Named Credential's External Credential
+4. Test OAuth flow in sandbox before production deployment
+
+---
+
+## Retry Pattern with Queueable
+
+For callouts with transient failures, implement a retry Queueable:
+
+```apex
+public class RetryCalloutQueueable implements Queueable, Database.AllowsCallouts {
+
+    private Id        recordId;
+    private Integer   attemptNumber;
+    private static final Integer MAX_ATTEMPTS = 3;
+
+    public RetryCalloutQueueable(Id recordId, Integer attemptNumber) {
+        this.recordId      = recordId;
+        this.attemptNumber = attemptNumber;
+    }
+
+    public void execute(QueueableContext ctx) {
+        try {
+            ExternalIntegration.sync(recordId);
+            update new MyRecord__c(
+                Id             = recordId,
+                Sync_Status__c = 'Success',
+                Last_Sync__c   = Datetime.now()
+            );
+        } catch (Exception e) {
+            if (attemptNumber < MAX_ATTEMPTS) {
+                System.enqueueJob(
+                    new RetryCalloutQueueable(recordId, attemptNumber + 1));
+            } else {
+                update new MyRecord__c(
+                    Id             = recordId,
+                    Sync_Status__c = 'Failed',
+                    Sync_Error__c  = e.getMessage()
+                );
+            }
+        }
+    }
+}
+```
+
+---
+
+## Related
+
+- Agent: `sf-integration-agent` -- for interactive, in-depth guidance
+- Constraints: sf-apex-constraints, sf-security-constraints
+- Reference: @../_reference/INTEGRATION_PATTERNS.md

package/skills/sf-lwc-constraints/SKILL.md

@@ -0,0 +1,130 @@
+---
+name: sf-lwc-constraints
+description: "Enforce LWC naming, security, accessibility, and performance rules. Use when writing or reviewing ANY LWC component, template, or JS controller. Do NOT use for Apex, Aura, Visualforce, or Flow."
+origin: SCC
+user-invocable: false
+allowed-tools: Read, Grep, Glob
+---
+
+# LWC Constraints
+
+## When to Use
+
+This skill auto-activates when writing, reviewing, or modifying any Lightning Web Component, template, or JavaScript controller. It enforces naming, security, accessibility, and performance rules for all LWC artifacts.
+
+Hard rules for Lightning Web Component development. Violations must be flagged
+or fixed before code is considered complete.
+
+For lifecycle hooks, reactive property rules, wire service rules, event
+propagation, and slot rules see @../_reference/LWC_PATTERNS.md.
+
+---
+
+## Naming Conventions
+
+| Element | Convention | Example |
+|---------|-----------|---------|
+| Component folder & files | camelCase | `accountList/accountList.js` |
+| HTML tag in markup | kebab-case with namespace | `<c-account-list>` |
+| Public properties (`@api`) | camelCase in JS, kebab-case in HTML | JS: `@api maxRecords` / HTML: `max-records="10"` |
+| Private fields | camelCase, prefix `_` for backing fields | `_wiredResult`, `isLoading` |
+| Custom events | lowercase, no spaces, hyphens allowed | `opportunityselect`, `row-action` |
+| CSS classes | SLDS utilities or BEM for custom | `slds-p-around_medium`, `card__title` |
+
+**Never** use PascalCase or UPPER_CASE for component folder names or file names.
+
+---
+
+## Never Do
+
+| Rule | Reason |
+|------|--------|
+| Direct DOM manipulation (`document.createElement`, `innerHTML`, `appendChild`) | Breaks Shadow DOM encapsulation and LWS security model. Use template directives (`lwc:if`, `for:each`) and reactive state instead. |
+| Imperative Apex when `@wire` works | Wire provides caching via LDS, automatic re-provisioning on param change, and offline support. Use imperative calls only for DML or non-cacheable operations. |
+| Inline styles (`style="color:red"`) | Violates SLDS theming, breaks dark mode (SLDS 2.0), and bypasses component-scoped CSS. Use SLDS utility classes or CSS custom properties. |
+| `querySelector('#id')` for shadow or slotted elements | Element IDs are transformed at render time. Use `this.template.querySelector('.class')` for shadow elements, `this.querySelector('.class')` for light DOM. |
+| Update `@wire` config inside `renderedCallback()` | Creates an infinite re-render loop: render -> renderedCallback -> wire config change -> re-provision -> re-render. |
+| Mutate `@wire` result data directly | Wire data is immutable (read-only). Shallow-copy (`{...data}` or `[...data]`) before mutating. |
+| Use deprecated `if:true` / `if:false` directives | Replaced by `lwc:if` / `lwc:elseif` / `lwc:else` (GA). Deprecated directives will be removed. |
+| Skip `super()` in `constructor()` | Required by the Custom Elements spec. Omitting it throws a runtime error. |
+| Access DOM in `constructor()` | Shadow DOM is not attached yet. No `this.template`, no child elements, no attributes. |
+| Dispatch events with `bubbles:true, composed:true` without namespacing | Composed events cross all shadow boundaries and become public API. Namespace the event name to avoid collisions. |
+| Use `localStorage`/`sessionStorage` without namespace awareness | Under LWS, storage is namespace-scoped. Keys that worked under Locker may behave differently. |
+| Heavy logic in `renderedCallback()` without a guard | Fires on every render cycle. Unguarded work causes performance degradation or infinite loops if it updates reactive state. |
+
+---
+
+## Always Do
+
+| Rule | Detail |
+|------|--------|
+| Use `@api` for all public properties and methods | Defines the component's contract. Without `@api`, properties are private and invisible to parent components and App Builder. |
+| Use kebab-case for component tags in HTML | `<c-account-list>`, never `<c-accountList>`. The framework maps kebab-case tags to camelCase folder names automatically. |
+| Use camelCase for JS properties | `@api maxRecords`, not `@api max_records`. Kebab-to-camelCase mapping applies when attributes are set in HTML. |
+| Provide `alternative-text` on `<lightning-spinner>` | Required for screen-reader accessibility. Omitting it is a WCAG violation. |
+| Provide `label` on all `<lightning-input>` elements | Required for accessibility. Use `variant="label-hidden"` if visual label must be hidden, but never omit `label` entirely. |
+| Set `key` on iterated elements | `for:each` requires a unique, stable `key` attribute (use record `Id`, not array index). Missing keys cause rendering bugs. |
+| Use `lwc:if` / `lwc:elseif` / `lwc:else` for conditionals | Modern directive (GA). Always prefer over deprecated `if:true`/`if:false`. |
+| Implement `errorCallback(error, stack)` or wrap with error boundary | Catches descendant lifecycle and render errors. Without it, a child error crashes the entire component tree. |
+| Clean up in `disconnectedCallback()` | Remove `window`/`document` event listeners, `unsubscribe()` from message channels, clear timers. Prevents memory leaks. |
+| Store bound references for event listeners | `this._boundHandler = this.handler.bind(this)` in constructor, so `removeEventListener` gets the same reference as `addEventListener`. |
+| Set `<apiVersion>66.0</apiVersion>` in `.js-meta.xml` | Target Spring '26. Older API versions miss LWS, SLDS 2.0 styling hooks, and new wire adapters. |
+| Use `WITH USER_MODE` in backing Apex SOQL | Enforces FLS/CRUD. Required for security review. The LWC itself does not bypass object permissions, but its Apex must not either. |
+| Prefer SLDS utility classes over custom CSS | Ensures dark mode compatibility (SLDS 2.0), consistent spacing, and responsive layout. |
+
+---
+
+## Anti-Pattern Table
+
+| Anti-Pattern | Correct Pattern | Why |
+|-------------|----------------|-----|
+| `document.querySelector('.my-class')` | `this.template.querySelector('.my-class')` | Shadow DOM scoping. `document` queries cannot reach inside shadow roots. |
+| `@track` on primitives or simple reassignments | Remove `@track`; all fields are reactive since Spring '20 | `@track` is only needed for deep observation of object/array mutations in place. Overuse adds confusion. |
+| Imperative Apex in `connectedCallback` for cacheable reads | `@wire(getRecord, ...)` or `@wire(apexMethod, ...)` | Wire caches via LDS, re-provisions automatically, and works offline. Imperative calls bypass the cache. |
+| `setTimeout` to wait for DOM | `renderedCallback()` with a guard flag | The DOM is guaranteed available in `renderedCallback`. `setTimeout` is fragile and race-prone. |
+| `event.target` inside shadow boundary listeners | `event.currentTarget` or `event.target.dataset.*` | `event.target` is retargeted at shadow boundaries. Use `currentTarget` for the element the listener is attached to. |
+| Hardcoded field API names as strings | Import from `@salesforce/schema` | Schema imports give compile-time validation, refactoring safety, and dependency tracking. |
+| `console.log` left in production code | Remove or guard with `IS_DEBUG` flag | Console output is visible to end users in browser dev tools and degrades performance at scale. |
+| Fetching all records then paginating client-side | Server-side pagination via `OFFSET`/`LIMIT` or SOQL cursors (v66.0+) | Client-side pagination loads all data upfront; breaks on large datasets. |
+| `if:true={property}` | `lwc:if={property}` | `if:true`/`if:false` are deprecated. `lwc:if` supports `elseif`/`else` chains and will be the only option going forward. |
+| Inline `style="width:100px"` | CSS class or SLDS utility `slds-size_full` | Inline styles bypass theming, break dark mode, and cannot be overridden by styling hooks. |
+| Missing `.js-meta.xml` `<targets>` | Declare all intended surfaces (`RecordPage`, `AppPage`, etc.) | Component will not appear in App Builder or Flow without explicit target declarations. |
+
+---
+
+## Wire Service Constraints
+
+1. **All** `$`-prefixed reactive params must be defined (non-`undefined`) before the wire adapter fires.
+2. Wire data arrives **non-deterministically** -- never assume it is available in `connectedCallback`.
+3. Wire chains (`$record.data.fieldName`) are valid but add latency; keep chains to two hops max.
+4. Use `refreshApex(wiredResult)` after imperative DML -- store the full wire result reference (`_wiredResult`) for this purpose.
+5. For `@wire` with Apex, the Apex method must be annotated `@AuraEnabled(cacheable=true)`.
+
+---
+
+## Event Constraints
+
+1. Default to `{ bubbles: false, composed: false }` for parent-child communication.
+2. Always use `CustomEvent` with a `detail` property for data payload -- never custom properties on the event object.
+3. Parent listens with `on{eventname}` (all lowercase, no hyphens in the `on` prefix).
+4. If `composed: true` is required, namespace the event name (e.g., `myns__recordupdate`) to prevent collisions.
+
+---
+
+## Accessibility Constraints
+
+1. Every interactive element must be keyboard-operable (focusable, activatable via Enter/Space).
+2. Every `<lightning-spinner>` must have `alternative-text`.
+3. Every `<lightning-input>` must have `label` (use `variant="label-hidden"` to visually hide).
+4. Every `<lightning-icon>` used as a meaningful indicator must have `alternative-text`; decorative icons should set `aria-hidden="true"`.
+5. Color must never be the sole indicator of state -- pair with text, icon, or ARIA attributes.
+6. Custom components exposing interactive regions should set appropriate `role` and `aria-*` attributes.
+
+---
+
+## Meta XML Constraints
+
+1. Always include `<apiVersion>66.0</apiVersion>` (Spring '26).
+2. Set `<isExposed>true</isExposed>` for any component intended for App Builder, Flow, or Experience Cloud.
+3. Declare every intended surface in `<targets>`.
+4. Expose configurable `@api` properties via `<targetConfigs>` with `label`, `type`, and `description`.