apex-regex-and-pattern-matching
Use when writing Apex that validates, extracts, or transforms strings with Pattern/Matcher or String regex methods. Covers catastrophic backtracking, 1M char input cap, anchored vs unanchored matching, and replaceAll reserved `$`/`\` chars. NOT for SOQL LIKE queries, Flow formula REGEX, or client-side JavaScript regex.
Best use case
apex-regex-and-pattern-matching is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Use when writing Apex that validates, extracts, or transforms strings with Pattern/Matcher or String regex methods. Covers catastrophic backtracking, 1M char input cap, anchored vs unanchored matching, and replaceAll reserved `$`/`\` chars. NOT for SOQL LIKE queries, Flow formula REGEX, or client-side JavaScript regex.
Teams using apex-regex-and-pattern-matching should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/apex-regex-and-pattern-matching/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How apex-regex-and-pattern-matching Compares
| Feature / Agent | apex-regex-and-pattern-matching | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Use when writing Apex that validates, extracts, or transforms strings with Pattern/Matcher or String regex methods. Covers catastrophic backtracking, 1M char input cap, anchored vs unanchored matching, and replaceAll reserved `$`/`\` chars. NOT for SOQL LIKE queries, Flow formula REGEX, or client-side JavaScript regex.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Apex Regex And Pattern Matching
Activates when Apex code uses `Pattern`, `Matcher`, `String.replaceAll`, `String.replaceFirst`, `String.split`, or `String.matches`. Produces correct, performant, ReDoS-resistant regex with proper anchoring, escaping, and group handling.
---
## Before Starting
Gather this context before working on anything in this domain:
- Is the input user-controlled or trusted internal data? ReDoS only matters for adversarial input.
- Will the string exceed 1,000,000 characters? Apex regex throws `LimitException` past that limit.
- Is this `matches()` (whole string) or `find()` (any substring)? Anchoring behavior differs.
- Is the replacement passed to `replaceAll` or `replaceFirst`? `$` and `\` are reserved in the replacement.
- What pattern syntax is the practitioner borrowing from? Apex uses Java regex (java.util.regex), NOT JavaScript — no lookbehind in older API versions, different escape quirks.
---
## Core Concepts
### `matches()` vs `find()` — Anchored By Default Or Not
`String.matches(regex)` and `Matcher.matches()` require the pattern to match the **entire** string. `Matcher.find()` matches any substring. Practitioners coming from JavaScript often expect `matches()` to behave like `test()` and are surprised when `'abc123'.matches('\\d+')` returns `false` — it only returns `true` for `'.*\\d+.*'` or if the whole string is digits.
Use `matches()` for validation ("is this entire string a valid email?") and `find()` for extraction ("is there a token anywhere in this string?").
### Java-Flavored Regex, Double-Escaped In Apex Literals
Apex patterns are Java regex — `\d`, `\w`, `\s`, `[A-Z]`, `(?i)`, `(?m)`, `(?s)` all work. But Apex string literals require `\\` to produce a single backslash. So a digit class is written `'\\d+'`, not `'\d+'`. A literal backslash is `'\\\\'` (four chars in source, one in the pattern, zero in the matched text).
Lookbehind — supported via `(?<=...)` and `(?<!...)` — is fixed-length only in older Java versions; practitioners sometimes write variable-length lookbehind that compiles in online testers but fails in Apex.
### Replacement Strings Have Reserved Characters
`String.replaceAll(regex, replacement)` and `Matcher.replaceAll(replacement)` treat `$0`, `$1`, `$2` as backreferences to captured groups and treat `\\` as a literal backslash. This means a dollar sign or backslash in the *replacement* must be escaped with `\\$` or `\\\\`. Practitioners who want literal `$100` in output commonly get silent empty output or `IndexOutOfBoundsException`.
Use `Matcher.quoteReplacement(replacement)` to escape the replacement string safely when it's dynamic.
### Catastrophic Backtracking And The 1M Character Cap
Apex regex runs on the same engine that is vulnerable to ReDoS: patterns with nested quantifiers like `(a+)+`, `(a|a)+`, or `.*` followed by a specific suffix on a long string can cause CPU timeouts. Apex also throws `LimitException: regex too complicated` on strings over 1 million characters or on pathological patterns even on shorter inputs.
Default to atomic groups, possessive quantifiers where supported, bounded quantifiers (`{0,64}` instead of `*`), and explicit character classes (`[^@]+` instead of `.+`).
---
## Common Patterns
### Pattern 1: Validate A Whole-String Format
**When to use:** "Is this exact value a valid phone / email / Salesforce ID?"
**How it works:**
```apex
private static final Pattern E164 = Pattern.compile('^\\+[1-9]\\d{1,14}$');
public static Boolean isValidE164(String input) {
return input != null && E164.matcher(input).matches();
}
```
**Why not the alternative:** `input.matches('...')` compiles the pattern on every call. `Pattern.compile(...)` in a static final field compiles once per transaction and is reused. For hot loops this is a measurable CPU saving.
### Pattern 2: Extract One Or More Tokens From Free Text
**When to use:** Pulling order numbers, case references, or IDs from email bodies or notes.
**How it works:**
```apex
private static final Pattern ORDER_REF = Pattern.compile('ORD-\\d{6,10}');
public static List<String> extractOrderRefs(String body) {
List<String> hits = new List<String>();
if (body == null) return hits;
Matcher m = ORDER_REF.matcher(body);
while (m.find()) hits.add(m.group());
return hits;
}
```
**Why not the alternative:** `String.split` and manual index work is fragile and slow. `find()` in a loop handles all occurrences correctly.
### Pattern 3: Safe `replaceAll` With Dynamic Content
**When to use:** Replacing matches with content that may contain `$` or `\`.
**How it works:**
```apex
String safe = Matcher.quoteReplacement(userInput);
String result = original.replaceAll('\\{\\{token\\}\\}', safe);
```
**Why not the alternative:** Embedding `userInput` directly lets `$1` or `\\` in that input trigger backreference processing or throw `IndexOutOfBoundsException`.
---
## Decision Guidance
| Situation | Recommended Approach | Reason |
|---|---|---|
| Validate whole-string format | `Pattern.compile(...).matcher(s).matches()` with `^` and `$` optional | Matches is already anchored; explicit anchors make intent clear |
| Extract one substring | `find()` + `group()` on first hit | Simpler and avoids unnecessary loop |
| Extract many substrings | `while (find()) hits.add(group())` | Handles overlap correctly |
| Replace with dynamic content | `Matcher.quoteReplacement(value)` | Escapes `$` and `\` in the replacement |
| Hot loop, same pattern 100+ times | `private static final Pattern P = Pattern.compile(...)` | Compile once, reuse for transaction |
| Input may be 500KB+ | Pre-truncate or chunk | 1M cap throws `LimitException` |
| Input is adversarial (portal, webhook) | Use bounded quantifiers, avoid nested `+`/`*` | Defends against ReDoS |
---
## Recommended Workflow
1. Decide whether you are validating (whole string) or extracting (substring) — this picks `matches()` vs `find()`.
2. Write the pattern and test it with 3–5 representative strings AND 2–3 adversarial strings (very long, nested repetition, empty, unicode).
3. Double-escape all backslashes when moving from a regex tester into an Apex literal.
4. If the pattern is used in a loop, move it to a `private static final Pattern`.
5. For replacements, check whether the replacement value can contain `$` or `\`. If so, wrap with `Matcher.quoteReplacement`.
6. Add a unit test with at least one string at the expected upper size (a few KB) to catch surprise CPU usage.
7. For user-supplied input, guard the length before matching (`if (s.length() > 10000) ...`).
---
## Review Checklist
Run through these before marking work in this area complete:
- [ ] Anchors `^` and `$` are present if whole-string validation is intended.
- [ ] Every `\d`, `\w`, `\s`, `\b`, `\.` is written as `\\d`, `\\w`, `\\s`, `\\b`, `\\.` in the Apex literal.
- [ ] Hot-path regex is compiled once in a static final `Pattern`.
- [ ] Replacement strings that could contain `$` or `\` are wrapped in `Matcher.quoteReplacement`.
- [ ] No nested quantifiers (`(a+)+`, `(.*?)*`) on user-controlled input.
- [ ] Inputs over ~1MB are truncated or rejected before hitting the engine.
- [ ] Tests cover empty string, null, whitespace-only, and one oversize string.
---
## Salesforce-Specific Gotchas
Non-obvious platform behaviors that cause real production problems. See `references/gotchas.md` for the full list.
1. **`matches()` is anchored** — `'abc123'.matches('\\d+')` is `false`; use `find()` for substring matching.
2. **`$` in replacement is a backreference** — `'$9.99'.replaceAll('price', '$9.99')` throws; escape with `Matcher.quoteReplacement`.
3. **1M character hard cap** — strings over 1,000,000 chars throw `LimitException` before any match runs.
4. **Apex regex is Java, not JavaScript** — lookbehind is fixed-length, no named groups in very old API versions.
5. **Catastrophic backtracking stops the transaction** — `(a|aa)+` on adversarial input exhausts CPU.
---
## Output Artifacts
| Artifact | Description |
|---|---|
| `references/examples.md` | Realistic validation, extraction, and replacement examples |
| `references/gotchas.md` | Platform gotchas around anchors, escapes, and limits |
| `references/llm-anti-patterns.md` | Common LLM mistakes: single-backslash regex, unanchored `matches`, unsafe replace |
| `references/well-architected.md` | Performance/Security/Reliability framing |
| `scripts/check_apex_regex_and_pattern_matching.py` | Stdlib lint for Apex regex pitfalls |
---
## Related Skills
- **apex-security-patterns** — sanitizing user input before storing or rendering
- **apex-blob-and-content-version** — handling file metadata without abusing regex on bytes
- **apex-soql-basics** — prefer SOQL `LIKE` for database-side filtering over Apex regex on returned rowsRelated Skills
mfa-enforcement-patterns
Design MFA enforcement: auto-enablement, Salesforce Authenticator rollout, exceptions, service accounts, API-only users, SSO interop, and audit. Trigger keywords: MFA, multi-factor, two-factor, Salesforce Authenticator, MFA exception, MFA SSO, api-only MFA. Does NOT cover: end-user password policies, device-trust posture, or non-Salesforce IdP configuration.
encrypted-field-query-patterns
Design SOQL, filters, reporting, and indexes against Shield Platform Encryption fields. Trigger keywords: Shield Platform Encryption, encrypted field query, probabilistic vs deterministic encryption, encrypted SOQL filter, encrypted field index. Does NOT cover: Classic Encryption (deprecated), field-level security policy, or tenant secret key rotation.
apex-managed-sharing-patterns
Grant row-level access programmatically via __Share records when declarative sharing rules cannot express the policy. NOT for OWD, role hierarchy, or criteria-based sharing rule design.
omnistudio-testing-patterns
Use when testing or validating OmniStudio components — OmniScript preview, Integration Procedure step debugging, DataRaptor field-mapping validation, and end-to-end UTAM-based automation. NOT for Apex unit testing or standard Flow debugging.
omnistudio-error-handling-patterns
Use when designing fault behavior across Integration Procedures, DataRaptors, OmniScripts, and FlexCards — error routing, user-facing messaging, retry semantics, and idempotency. Triggers: 'omnistudio error', 'integration procedure fault', 'dataraptor error handling', 'omniscript retry', 'flexcard action failure'. NOT for general Apex exception design or Flow fault paths.
omnistudio-ci-cd-patterns
Use when designing or implementing CI/CD pipelines for OmniStudio components — DataPack export/import, versioning, environment promotion, and automated deployment. NOT for standard Salesforce metadata CI/CD or Apex-only pipelines.
omniscript-design-patterns
Use when designing or reviewing OmniScripts for guided experiences, step structure, branching, save/resume, and the boundary between OmniScript, Integration Procedures, DataRaptors, and custom LWCs. Triggers: 'omniscript design', 'too many steps in omniscript', 'save and resume omniscript', 'branching in omniscript', 'when should this be an integration procedure'. NOT for deep Integration Procedure or DataRaptor design when the guided interaction layer is not the main concern.
integration-procedure-cacheable-patterns
Use when designing Integration Procedures (IPs) with platform cache to cut latency and callout load. Covers cache key design, TTL selection, per-user vs org-wide partitions, invalidation on data changes, and safe fallback on cache miss/stale. Does NOT cover general IP authoring (see omnistudio-error-handling-patterns) or LWC client-side caching.
flexcard-design-patterns
Use when designing, building, or reviewing OmniStudio FlexCards — including data source selection, card states, actions, conditional visibility, flyout configuration, and child card iteration. Triggers: 'FlexCard', 'card template', 'flyout', 'card action', 'card state', 'data source', 'child card', 'conditional visibility'. NOT for OmniScript design, standalone LWC development, or Apex controller architecture outside the FlexCard context.
dataraptor-patterns
Use when designing or reviewing OmniStudio DataRaptors, especially Extract versus Turbo Extract versus Transform versus Load, field mapping strategy, performance tradeoffs, and when to move work into Integration Procedures or Apex. Triggers: 'DataRaptor Extract', 'Turbo Extract', 'DataRaptor Load', 'DataRaptor Transform', 'OmniStudio data mapping'. NOT for overall OmniScript journey design or Integration Procedure sequencing when the main question is not the DataRaptor shape itself.
wire-service-patterns
Use when designing or reviewing Lightning Web Components that use `@wire`, Lightning Data Service, UI API, or the GraphQL wire adapter, especially for reactive parameters, cache behavior, and refresh strategy. Triggers: 'wire service', 'refreshApex', 'reactive parameter', 'getRecord', 'wire vs imperative Apex'. NOT for component communication or generic lifecycle issues when data provisioning is not the main concern.
message-channel-patterns
Use when implementing Lightning Message Service (LMS) to enable cross-DOM communication between LWC, Aura, and Visualforce components on the same Lightning page, using message channels. Triggers: 'communicate between unrelated LWC components', 'send data between Visualforce and LWC', 'lightning message service not working', 'APPLICATION_SCOPE vs default scope', 'message channel metadata deployment'. NOT for parent-child component communication (use component-communication) or server-side events.