jiten-singh-shahi/sf-apex-constraints

Apex Constraints

When to Use

This skill auto-activates when writing, reviewing, or modifying any Apex class, trigger, or batch job. It enforces governor limits, naming conventions, bulkification rules, and security requirements for all Apex artifacts.

Hard rules that every Apex class, trigger, and batch job must satisfy. Violations here cause governor failures, security review rejections, or production incidents. Reference files contain the full data; this skill contains only the enforcement rules.

Core Rules

@../_reference/GOVERNOR_LIMITS.md @../_reference/NAMING_CONVENTIONS.md @../_reference/SECURITY_PATTERNS.md @../_reference/DEPRECATIONS.md

Apex-Specific Rules

Never Do

• SOQL inside a loop — exceeds the per-transaction SOQL query limit (see @../_reference/GOVERNOR_LIMITS.md); query once outside the loop, store in Map
• DML inside a loop — exceeds the per-transaction DML limit (see @../_reference/GOVERNOR_LIMITS.md); collect records in a List, single DML after loop
• Catch generic Exception — masks programming bugs (NullPointerException, TypeException); catch specific types only
• Omit sharing keyword — classes without a sharing keyword default to without sharing; always declare with sharing, without sharing, or inherited sharing explicitly
• Use without sharing on user-facing classes — bypasses record-level security; must be with sharing
• Hardcode Record IDs — IDs differ per org/sandbox; use SOQL, Custom Metadata, or Custom Settings
• Hardcode credentials or endpoint URLs — use Named Credentials / External Credentials
• Use global access modifier — locks managed package API surface; use public unless building a package API
• Leave System.debug in production code — fills debug logs, can expose sensitive data
• Use string concatenation in dynamic SOQL — SOQL injection risk; use bind variables or Database.queryWithBinds()
• Ignore Database.SaveResult — partial-success DML silently drops failures; always inspect every result
• Use element.innerHTML = userInput — XSS vulnerability; use textContent or sanitized components
• Write methods longer than 50 lines — extract private helper methods for testability
• Use List<sObject> as a parameter type — loses type information; use concrete types like List<Account>
• Use Hungarian notation (strName, lstAccounts) — use descriptive camelCase names instead

Always Do

• Declare with sharing by default — only use without sharing with a documented justification
• Enforce CRUD/FLS — use WITH USER_MODE for SOQL, AccessLevel.USER_MODE for DML on user-facing operations
• Bulkify all triggers — test with 200 records (standard trigger batch size); no per-record SOQL/DML
• One trigger per object — delegate all logic to a handler class ({Object}TriggerHandler)
• Use PascalCase for classes, camelCase for methods/variables, UPPER_SNAKE_CASE for constants
• Suffix classes by role — Service, Selector, TriggerHandler, Batch, Job, Scheduler, Controller, Test, Exception
• Suffix test classes with Test (not prefix) — AccountServiceTest, not TestAccountService
• Name test methods as test{Method}_{scenario}_{expectedResult}
• Create domain-specific exception classes — not generic Exception throws
• Check limits programmatically before expensive operations — use Limits.getQueries(), Limits.getCpuTime(), etc.
• Use Map/Set for lookups — O(1) vs O(n) nested loops; prevents CPU time exhaustion
• Use String.join() for string building — not concatenation in loops (heap + CPU cost)
• Null-check before dereferencing — use ?. (null-safe navigation) for parent relationship fields
• Offload to async when processing >200 records or when CPU exceeds 8,000ms threshold
• Organize class members in order: constants, static variables, instance variables, constructors, public methods, private methods, inner classes

Anti-Pattern Reference

| Anti-Pattern | Problem | Correct Pattern | |---|---|---| | SOQL in loop | Exceeds per-transaction SOQL limit (see @../_reference/GOVERNOR_LIMITS.md) | Query once, store in Map | | DML in loop | Exceeds per-transaction DML limit (see @../_reference/GOVERNOR_LIMITS.md) | Collect records, single DML after loop | | Nested loops for matching | CPU time exhaustion (O(n^2)) | Map/Set lookup (O(1)) | | String concat in loop | Heap growth + CPU waste | List<String> + String.join() | | SELECT * (all fields) | Heap exhaustion | SELECT only required fields | | No sharing keyword | Silent without sharing default | Explicit with sharing declaration | | Missing CRUD/FLS check | Security review failure | WITH USER_MODE / AccessLevel.USER_MODE | | Dynamic SOQL via concat | SOQL injection | Bind variables / queryWithBinds() | | Catching Exception | Masks real bugs | Catch specific exception types | | Ignoring SaveResult | Silent data loss | Inspect every Database.SaveResult | | Hardcoded IDs | Breaks across orgs | SOQL / Custom Metadata lookup |

Related

• Pattern skill: sf-apex-best-practices — implementation examples for the rules above (class organization, error handling, collection patterns)
• Reference files: @../_reference/GOVERNOR_LIMITS.md, @../_reference/NAMING_CONVENTIONS.md, @../_reference/SECURITY_PATTERNS.md