AppExchange Readiness Checklist

Use this checklist and the referenced docs before submitting Sylo products for Security Review and listing.

Where we stand (repo snapshot)

| Pillar | Status |
| :----- | :----- |
| Static analysis (Code Analyzer) | Configured and documented. Run and attach the HTML report at submit time. |
| Policy / guide docs | Present under docs/. Legal templates finalized with Sylo LLC branding. Website live at mysylo.ai. |
| In-app Help / Support | Rollups, Lookup, and Scheduler LWCs use mysylo.ai/support. AppExchange listing IDs are still TODO in all three LISTING_CONFIG blocks. |
| Apex tests | Substantially expanded for Base, Scheduler, Lookup, and Rollups. Additional coverage for RollupService.aggregateInMemory, hierarchy edge cases, and LookupController health/support paths. Measure in the submission org. |
| Partner portal / Checkmarx / Checklist Builder | You complete per Salesforce process (not automatable in repo). |


Completed in this repo

| Area | What’s done |
| :--- | :---------- |
| Code Analyzer v5 | code-analyzer.yml at repo root; npm run security:appexchange (HTML) and npm run security:scan (table). Targets: Rollups, Base, Scheduler, Lookup main/default. Selectors: AppExchange + Recommended:Security. PMD issues from earlier passes addressed; SyloSession.page retagged in config — still disclose server-side-only session use in the Security Review questionnaire. |
| Authoring documentation | SECURITY_AND_DATA_HANDLING.md (full suite: Base, Rollups, Scheduler, Lookup, Connect summary), ADMIN_USER_GUIDE.md, PRIVACY_POLICY.md, TERMS_OF_USE.md under docs/. Legal templates finalized with Sylo LLC, support@mysylo.ai, Tennessee jurisdiction. |
| Security Review §2 repo artifacts | PUBLIC_DOCUMENTATION.md — suggested HTTPS paths and publish checklist; APPEXCHANGE_FEATURE_LIST.md — paste-ready feature bullets. |
| Rollups — Help / Support | rollupList LISTING_CONFIG: helpUrl and supportUrl set to https://mysylo.ai/support. |
| Lookup — Help / Support | lookupDashboard: same support base URL and Help tab alignment with Rollups. |
| Scheduler — Help / Support | schedulerDashboard: same LISTING_CONFIG pattern. appExchangeUrl still TODO_SYLO_SCHEDULER until the live listing exists (same as Rollups / Lookup). |


Apex tests (progress — re-verify before submit)

Security Review expects sufficient Apex test coverage for the code you submit (often cited: ≥75% org-wide for the upload, with weak or untested security-sensitive classes called out). Coverage depends on org metadata (e.g. CMT rows) and which test classes you run together.

By package

| Package | Main test classes / focus | Typical gaps to confirm in your org |
| :------ | :------------------------ | :---------------------------------- |
| Sylo Base | SyloFilterServiceTest, SyloMetadataServiceTest, SyloSessionHelperTest | — |
| Sylo Scheduler | SchedulerControllerTest, SchedulerServiceTest; SchedulerBatchWrapper (no-arg + meta). Schedule/unschedule, executeNow (batch + Schedulable wrapper), dependency checks. | — |
| Sylo Lookup | LookupControllerTest (large), LookupServiceTest, LookupInvocableActionTest, LookupBatchJobTest, LookupTriggerHandlerTest, LookupLicenseServiceTest. Added health double-row, health-report mixed-log, markObjectTriggerDeployed no-row, settings default, and inactive-issue tests. | Re-verify LookupController in the submission org. |
| Sylo Rollups | RollupServiceTest, RollupFilterBuilderTest (~98% on filter builder), RollupControllerTest, batch/schedulable/handler tests. Added aggregateInMemory direct tests (SUM, AVG, AVG+nulls, COUNT_DISTINCT, MIN/MAX date/string, CONCAT, FIRST/LAST, empty list, unknown function, zero-as-null), hierarchy blank-field error, grandchild LAST, COUNT no-children=0, and all-skipped overwrite info log. | Re-verify RollupService in the submission org. |
| Sylo Connect | Multiple test classes exist. | Not in scope for this submission (admin suite only). |

Before submission: run tests in a clean scratch org (or the exact package set you upload). Record coverage from the Salesforce UI or sf apex run test --code-coverage. Fix or document classes Security Review is likely to flag.


Still required (before or during submission)

1. Security & packaging

| Done | Task | Notes |
| :---: | :--- | :--- |
| ☐ | Attach Code Analyzer HTML to the Security Review Wizard | Run from repo root; upload the generated file. |
| ☐ | Complete Checklist Builder | For your solution (managed package, external callouts, etc.). |
| ☐ | Partner Security Portal (Checkmarx) | Partner Security Portal — attach results per Salesforce instructions. |
| ☐ | (Optional) Uninstall legacy scanner | After you rely only on v5: sf plugins uninstall @salesforce/sfdx-scanner. |

Commands (Code Analyzer HTML):

```bash
npm run security:appexchange
```

Equivalent:

```bash
sf code-analyzer run --workspace . \
  --target force-app/main/default --target force-app-base/main/default \
  --target force-app-scheduler/main/default --target force-app-lookup/main/default \
  --rule-selector AppExchange --rule-selector Recommended:Security \
  --output-file security-review-report.html
```

Fix what you can; document false positives or accepted risks (including SyloSession / SyloSessionHelper if asked).


2. Required materials (Security Review)

Done in repo

| Item | Location |
| :--- | :------- |
| Data-flow / security narrative (suite-wide) | SECURITY_AND_DATA_HANDLING.md |
| Usage documentation (Rollups, Scheduler, Lookup, Base, uninstall, tests) | ADMIN_USER_GUIDE.md |
| Suggested public paths + publish steps | PUBLIC_DOCUMENTATION.md |
| Optional feature list (wizard / composite) | APPEXCHANGE_FEATURE_LIST.md |

You complete (hosting & submission)

| Done | Task |
| :---: | :--- |
| ☐ | Stable public URLs — Use the live https://mysylo.ai doc URLs from PUBLIC_DOCUMENTATION.md (or deploy the website/ app first). Enter the URLs you use in the Security Review wizard and Listing Builder. |
| ☐ | Usage alignment — After hosting ADMIN_USER_GUIDE.md, set in-app helpUrl / listing links to that URL if it is not the same as https://mysylo.ai/support (currently all three apps use the support URL for Help). |
| ☐ | Feature list — Copy from APPEXCHANGE_FEATURE_LIST.md into the submission field if Salesforce requests it (trim per package if needed). |


3. Listing assets

| Done | Task |
| :---: | :--- |
| ☐ | Privacy Policy — Publish from PRIVACY_POLICY.md; add URL in Listing Builder. |
| ☐ | Terms of Use — Publish from TERMS_OF_USE.md; add URL in Listing Builder. |
| ☐ | Listing Support URL — Matches in-app supportUrl. |
| ☐ | AppExchange listing IDs — Replace placeholders in LISTING_CONFIG (see table below). |

Files to update when listings exist:

| Product | File |
| :------ | :--- |
| Rollups | force-app/main/default/lwc/rollupList/rollupList.js |
| Lookup | force-app-lookup/main/default/lwc/lookupDashboard/lookupDashboard.js |
| Scheduler | force-app-scheduler/main/default/lwc/schedulerDashboard/schedulerDashboard.js |

Replace TODO_SYLO_ROLLUPS, TODO_SYLO_LOOKUP, and TODO_SYLO_SCHEDULER with real appxListingDetail URLs (one per product if listed separately).
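
A pre-publish gate for the placeholder replacement described above, as an added example that is not part of the Sylo repo: it checks the three LWC files from the table for remaining TODO_SYLO_* tokens. The file paths and placeholder names come from this checklist; the function name and the repo-root argument are assumptions.

```bash
#!/usr/bin/env bash
# Added example: fail the release step while any LISTING_CONFIG placeholder remains.
# Paths and TODO_SYLO_* tokens are taken from this checklist; the function name
# check_listing_placeholders and its repo-root argument are assumptions.
# Usage from the repo root:  check_listing_placeholders . || exit 1

LISTING_FILES="force-app/main/default/lwc/rollupList/rollupList.js
force-app-lookup/main/default/lwc/lookupDashboard/lookupDashboard.js
force-app-scheduler/main/default/lwc/schedulerDashboard/schedulerDashboard.js"

# Prints one line per problem; returns 0 when all three files are clean, 1 otherwise.
check_listing_placeholders() {
  root="${1:-.}"
  status=0
  for rel in $LISTING_FILES; do
    file="$root/$rel"
    # A missing file is a failure too: a renamed component would otherwise pass silently.
    if [ ! -f "$file" ]; then
      echo "MISSING  $rel"
      status=1
      continue
    fi
    # -n keeps line numbers so the offending LISTING_CONFIG entry is easy to locate.
    hits=$(grep -nE 'TODO_SYLO_(ROLLUPS|LOOKUP|SCHEDULER)' "$file") || true
    if [ -n "$hits" ]; then
      echo "$hits" | sed "s|^|PLACEHOLDER  $rel:|"
      status=1
    fi
  done
  return "$status"
}
```
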


4. In-app config (before publish)

| Setting | Status |
| :------ | :----- |
| appExchangeUrl | Still needs the real listing URL in rollupList.js, lookupDashboard.js, and schedulerDashboard.js. |
| helpUrl / supportUrl | Set to https://mysylo.ai/support for all three; change if your public guide lives elsewhere. |


5. Test coverage

| Done | Task |
| :---: | :--- |
| ☐ | Measured ≥75% (or Salesforce’s current threshold) in the org / upload used for Security Review — after installing the same package versions you will submit. |
| ☐ | Per-product spot-check — Rollups: calculate, save definition, license. Lookup: controller + LookupService, batch, invocable, trigger handler, license. Scheduler: controller + service, schedule/run. Confirm coverage % on the largest classes. |
| ☐ | Gaps to watch: LookupController and RollupService had additional tests added (aggregateInMemory suite, hierarchy edge cases, health report paths). Re-measure in the submission org. Connect is not in scope. |


6. Post-approval

| Done | Task |
| :---: | :--- |
| ☐ | Re-run npm run security:appexchange (or security:scan) after major changes and before new package versions. |
| ☐ | Keep SECURITY_AND_DATA_HANDLING.md updated when data flows or integrations change. |