The packaging and business orgs continue to pass the Salesforce Security Health Check following each major release, with a score of 80% or above. New subscriber orgs are reviewed with the Salesforce Optimizer before launch. ^(TBD)

Once the new increment is deployed, update the change log to list any new components (classes, fields, and so forth) being added to the version, by using a Javascript macro to scrape the package details page.

(sf) When creating a transient branch, a new trial template is provisioned to represent the new version. ^(TBD)

(sf) At the end of the sprint, a new development TSO templates is provisioned, in case it is needed for patch development. ^(TBD)

^{(sf) On merge to develop, the updated develop branch is validated (checkOnly) with the packaging org or production branch. (TBD)}

New reporting examples are included with new features, as appropriate, and distributed through Direct Deployment. ^(TBD)

(sf) User access to new components is handled through permission sets and an optional stub profile. For MPs, updating customer permsets or profiles is handled through Direct Deployment. ^(TBD)

(sf) External IDs are included with standard and custom objects to support capabilities like data conversion, sample data import, and staging refresh. (This item does not include implementing the capabilities, only the External ID fields.) ^(TBD)

(sf) IDEs can be attached to development environments without cloning the Git repository to a local workstation. The native developer UIs can also be used to make changes to be placed under version control. ^(TBD)

Document the set of conventions about how to write code for your project. It is much easier to understand a large codebase when all of its code is presented in a consistent style. ^(TBD)

(sf) Issues found by failing Apex Unit tests or Selenium tests are posted to cloud-based logging systems, just like production errors and messages. ^(TBD)

(sf) Subscriber Apex tests are run periodically to detect any new failures.  ^(TBD)

(sf) The AppExchange entry is updated to the latest version for each new GA major version, without concern of prompting a security review.  ^(TBD)

(sf) To track additional detail about subscriber orgs, a custom object in the business org is linked to the LMA and the subscribers Account object. The org details aggregates the API applications installed for each subscriber, the instance, the my domain name, the production org ID, as well as the staging/preview sandbox IDs, and refresh history. Ideally, an automation posts an alert whenever a new org is added, to queue followup actions. ^(TBD)

(sf) Global components are stable with a low regression rate, including behaviors of Global Apex class methods and variables, Apex triggers, custom metadata, custom objects, fields, validations, and workflows. ^(TBD)

(sf) Any upgrade steps are automated or optional and can be invoked by subscribers. ^(TBD)

Direct deployment leverages a connected application (and user credentials are not required). ^(TBD)

(sf) For managed packages using Proxy Base, a new version is automatically uploaded and installed into an integration or development environment, after every change to the mainline or on a nightly basis. ^(TBD)

(sf) DX Scratch Orgs are used, or spurious metadata is scrubbed from other development environments, so that the environment only contains components found in the target package. ^(TBD)

(sf) For consultants, developer sandboxes are provisioned and populated with a scrubbed subset of the customer's production data, and a full sandbox is used to integrate changes for customer acceptance testing. ^(TBD)

(sf) For managed packages, Trialforce is used to create new environments from on a secure Visualforce page, or DX is used at the command line by Platform Developers. ^(TBD)

(sf) When to use an unmanaged or managed package is clearly defined by a decision tree or matrix. When to submit a package for security review is also supported by a decision tree. ^(TBD)

(sf) To provide longterm support, subscriber metadata is kept under version control, so that post-launch changes can be reviewed. ^(TBD)

(sf) Application error emails are forwarded to an inbound email service in the business org. ^(TBD)

(sf) FeatureSetupAuditTrail for subscribers are aggregated as part of Push Metrics. (Needs to be considered in the context of the Feature Management pilot.) ^(TBD)

(sf) Using a secure Salesforce app in our business org, any certified version can be pushed to subscriber staging or production orgs, individually or in groups, typically with the latest features disabled, and other needed updates automatically applied. ^(TBD)

(sf) The full set of Apex tests on the task branch is automatically validated (checkOnly) against the packaging org or production org when the pull request is created. ^(TBD)

(sf) Error alerts raised by email are captured in a business org object for analysis, reporting, and followup action. ^(TBD)