AI across SFDT

AI in SFDT is optional, provider-agnostic, and pass-through. SFDT never ships its own model or API key — it shells out to a provider CLI you install and authenticate, using your account and your billing. With AI off, every command still runs (and sfdt explain falls back to heuristics).

Providers

You choose one provider in .sfdt/config.json (or during sfdt init):

Claude (default)


npm install -g @anthropic-ai/claude-code


{ "ai": { "provider": "claude" } }

Claude’s interactive mode can read your repository files directly with tool use.

Gemini


npm install -g @google/gemini-cli


{ "ai": { "provider": "gemini", "model": "" } }

OpenAI


npm install -g @openai/codex


{ "ai": { "provider": "openai", "model": "" } }

Disable everything with features.ai: false. Full details: CLI → AI providers.

Where AI shows up

Surface	AI-powered features
CLI	`explain`, `review`, `pr-description`, `release`, `changelog generate`, `quality --fix-plan`, `manifest --ai-cleanup`, `test --analyze`, `ai prompt`
Dashboard (`sfdt ui`)	The Review and Explain pages, plus a contextual Ask AI chat drawer on Review/Explain/Drift/Preflight
Chrome extension	The `ai-assistant` feature — token estimates, prompt templates, and answers about the current Flow (routed through the bridge to your provider)

The read-only safety sandbox

AI features see attacker-influenceable content: git diffs, org output, deployment logs, and — in the extension — Salesforce page context. To stop a prompt injection from driving destructive tool calls, SFDT sandboxes AI invocations to read-only tools by default.

Both the streaming dashboard chat and all non-streaming AI invocations (sfdt ai, pr-description, AI-assisted test, the GUI /api/ai/* endpoints) default the allowed tool set to Read,Grep,Glob across the Claude/Gemini/Codex providers — denying Bash/Write/Edit. Callers may pass an explicit allowedTools to override.

This is part of SFDT’s broader local-only, defense-in-depth posture — see Security & privacy.