Trust and Verification

Agentforce Vibes acts directly in your workspace—creating files, modifying code, and running commands. This topic covers how to verify agent-generated Apex and LWC output.

The agent produces code quickly. That speed is only valuable if you verify the output.

  • Bulkification—are SOQL (Salesforce Object Query Language) queries and DML (Data Manipulation Language) statements outside of loops? Does the code handle collections rather than single records?
  • Governor limits—are there queries inside triggers that could hit the 100 SOQL limit in bulk operations?
  • Null safety—does the code check for null before accessing object properties or list elements?
  • Test coverage—do tests address positive, negative, and bulk scenarios? Are assertions meaningful (not just System.assertNotEquals(null, result))?
  • Error handling—are exceptions caught at appropriate levels? Are error messages useful for debugging?
  • Reactivity—are reactive properties decorated with @track or using @wire correctly? Does the component re-render when data changes?
  • Event handling—are custom events named correctly (lowercase, no camelCase)? Do event boundaries stay within the shadow DOM unless composed: true is set?
  • Apex integration—do @wire adapters reference real Apex methods with correct parameters? Are imperative calls handling errors?
  • Accessibility—are interactive elements keyboard-accessible? Do images have alt text? Are ARIA attributes used correctly?
  • Completeness—are all referenced fields, objects, and record types included in the metadata changes?
  • Dependencies—does the deployment succeed, or are there missing references to objects and fields that don’t exist yet?
  • Permissions—are new fields and objects added to the relevant permission sets or profiles?

Permission modes control what the agent can do without asking you first. Use them to match your current trust level.

Starting out (low trust):

  • Set Default Session Mode to “Ask every time.”
  • Enable safety guardrails.
  • Keep the command allowlist minimal.

Building confidence (medium trust):

  • Move to “Run safe defaults” for session mode.
  • Add commonly approved commands to the allowlist (read operations, test runs, lint checks).

High confidence (established trust):

  • Expand the command allowlist to include build and deploy commands.
  • Enable Auto-approve Salesforce MCP write tools for non-destructive MCP operations.
  • Keep safety guardrails enabled. They prevent destructive actions regardless of session mode.

You can always tighten permissions again. The progression isn’t one-directional.

  • The agent doesn’t guarantee correctness. Output is nondeterministic. The same prompt can produce different results across sessions. Always verify.
  • Permission modes don’t replace code review. Even with restrictive permissions, the agent can produce code that compiles but has logic errors. Permission modes protect your filesystem. Code review protects your application.
  • Trust is context-dependent. You might trust the agent completely for boilerplate test classes but still want line-by-line review for security-critical code. That differentiation is the right approach, and it’s a sign of mature adoption.