Governance & AI safety
Letting an AI draft Salesforce changes only works if a human is always the last word and every action is auditable. Here's how FlowSprite enforces that.
The three approval gates
Pull-request gate
Every AI-drafted change opens a PR. Nothing deploys until a configured approver merges it.
Sandbox gate
Merged PRs deploy to sandbox first. Promotion to UAT/staging/production requires explicit promotion events.
Production gate
Production promotions require multi-approver sign-off on Pro and Enterprise tiers.
Permission boundaries
FlowSprite operates with a connected app permission set you control. You can scope it to allow only metadata changes — never data, never user management, never license assignments. Tighten or relax per environment.
Audit log
Every AI-drafted change is attributed in three places: the GitHub PR (with the prompt), the Git commit (signed by the FlowSprite app), and the deploy event. Three independent records, all queryable, all immutable.
AI hallucination handling
The agent does not edit metadata it can't parse. If a change request requires modifying a metadata type the agent isn't confident about, it stops and asks. The PR is opened with the gap noted, not silently filled with guesses.
Rollback is a Git revert + redeploy. There's no special "undo" feature because the underlying primitive is Git, and Git already solved this in 2005.
See the audit trail in your repo
Connect a sandbox, ship one change, look at the PR + commit + deploy events.
Start free in 2 minutes