MCP Server for Salesforce

Your AI assistant can operate Salesforce safely.

Read everything. Plan changes. Apply only with a locked plan hash. g-gremlin gives AI agents in Claude Desktop, Cursor, or Windsurf structured Salesforce access: SOQL queries, object introspection, deterministic snapshots, metadata deployment, drift detection, and report listing.

Every mutation requires a SHA-256 plan hash.

Public beta is live. Read tools work without a FoundryOps license (Salesforce auth still required). Start a 30-day trial to unlock licensed write and admin tools.

Open source on GitHub

Claude Desktop

You:

Describe the Lead object in my Salesforce org

Claude:

Running sfdc.describe with sobject="Lead"...

Lead Object Schema

72 fields · 18 custom · 5 required

Key fields: Id, Name, Email, Company, Status, OwnerId, LeadSource

Custom: Lead_Score__c, MQL_Date__c, Routing_Region__c...

How Writes Are Governed

Four layers between your AI assistant and your production org.

1. Default: read-only

8 read + 4 analyze tools are always available. No write tools are registered unless you opt in.

2. Writes require --enable-writes

Pass the flag on server startup to register the 2 write tools. Without it, they don't exist in the MCP tool list.

3. Mutations are plan → apply only

The plan tool previews changes and generates a SHA-256 plan_hash. No direct writes.

4. Apply rejects mismatched plan_hash

If the org drifts between plan and apply, the hash won't match and the operation is rejected.
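
The plan → apply gate from layers 3 and 4 above (the same flow the Two-Phase Safety section shows with sample payloads), as an added Python example that is not g-gremlin's code. It assumes the plan hash is SHA-256 over canonical JSON of the proposed changes plus a baseline fingerprint of the org; the function names and component names are made up for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional


def _sha256(obj) -> str:
    # Canonical JSON (sorted keys, fixed separators) so equal content hashes equally.
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def plan(org_state: dict, changes: dict) -> dict:
    """Read-only: preview changes and bind them to the current org baseline."""
    body = {"baseline": _sha256(org_state), "changes": changes}
    return {"changes": changes, "plan_hash": "sha256:" + _sha256(body)}


def apply(org_state: dict, changes: dict, plan_hash: Optional[str]) -> dict:
    """Write: recompute the hash against the live org; refuse unless it matches."""
    if not plan_hash:
        return {"ok": False, "error": "missing plan_hash"}
    expected = plan(org_state, changes)["plan_hash"]
    if not hmac.compare_digest(expected.encode(), plan_hash.encode()):
        return {"ok": False, "error": "plan_hash mismatch"}
    org_state.update(changes)  # the only line that mutates state
    return {"ok": True, "deployed": len(changes)}


def demo() -> dict:
    # Constructed sample data: component names and versions are made up.
    org = {"ApexClass/LeadRouter": "v1", "Flow/Lead_Assignment": "v3"}
    changes = {"ApexClass/LeadRouter": "v2"}
    reviewed = plan(org, changes)["plan_hash"]
    results = {
        "missing": apply(org, changes, None),
        "swapped": apply(org, {"ApexClass/LeadRouter": "v9-unreviewed"}, reviewed),
    }
    org["Flow/Lead_Assignment"] = "v4"  # out-of-band edit after the plan
    results["drifted"] = apply(org, changes, reviewed)
    fresh = plan(org, changes)["plan_hash"]  # re-plan against the new baseline
    results["applied"] = apply(org, changes, fresh)
    results["replayed"] = apply(org, changes, fresh)  # baseline moved again
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

Because the baseline is part of the hash in this example, a plan_hash is effectively single-use: once an apply changes the org, replaying the same hash is rejected.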

What Salesforce Teams Actually Need

Every feature exists because someone hit a wall with existing tools.

🔍

SOQL access from your IDE

Ask Claude to query your org. Results come back as structured JSON, not screenshots.

📋

Schema introspection without Setup clicks

Full SObject descriptions: fields, types, picklist values, relationships — in seconds.

📸

Point-in-time snapshots

Deterministic exports with row hashes and field checksums. Compare any two snapshots.

🛡

Safe metadata deployments

Deploy Flows, Apex, LWC, Layouts, and more — with plan-hash verification on every apply.

🔄

Drift detection

Compare local metadata against the live org. See exactly what changed, by component.

📊

Manifest generation & report listing

Generate package.xml from source. List Salesforce reports via MCP; export reports via CLI.

14 MCP Tools

Tiered access control. Read and analyze tools always available. Write tools gated behind --enable-writes.

🔍 Read & Discover READ 8 tools

sfdc.whoami

Check auth, show org identity (username, org ID, instance URL)

sfdc.doctor

Health diagnostics (sf CLI version, auth status, API connectivity)

sfdc.query

Run a SOQL query and return structured rows

sfdc.describe

Full SObject schema (fields, types, picklist values, relationships)

sfdc.snapshot

Deterministic snapshot with row hashes and field checksums

sfdc.audit

Audit IDs in a CSV against live Salesforce records

sfdc.reports.list

List all Salesforce reports in the org

sfdc.manifest_generate

Generate package.xml from a local source directory

👁 Analyze & Plan ANALYZE 4 tools

sfdc.metadata_pack.plan

Plan metadata pack changes, lock baseline fingerprint

sfdc.metadata_pack.drift

Compare local metadata source against live org

sfdc.metadata_pack.verify

Run post-deploy smoke assertions on metadata

sfdc.pack.plan

Plan data pack updates against snapshot baseline

⚠ Mutate WRITE 2 tools · requires --enable-writes

sfdc.metadata_pack.apply

Deploy metadata changes (requires plan_hash from plan step)

sfdc.pack.apply

Apply data pack changes (requires plan_hash from plan step)

Two-Phase Safety on Every Mutation

Nothing writes to your org until you've reviewed the plan. Every mutation requires a cryptographic hash.

1. Plan (read-only)

Tool analyzes changes without modifying the org. Returns a full preview plus a SHA-256 plan_hash.

{
  "components": 12,
  "plan_hash": "sha256:b7d4e1f2...",
  "changes": { "ApexClass": 3, "Flow": 2, "Layout": 1 }
}

2. Apply (explicit)

Caller passes the plan_hash. Mismatched or missing hash = rejected. Receipts captured.

{
  "plan_hash": "sha256:b7d4e1f2...",
  "ok": true,
  "deployed": 12,
  "receipts": "./artifacts/20260221T.../receipts/"
}

Claude Desktop Configuration

Add this JSON block to your MCP client config.

Read-only (default)

{
  "mcpServers": {
    "g-gremlin-sfdc": {
      "command": "g-gremlin",
      "args": ["mcp", "serve", "--provider", "sfdc"]
    }
  }
}

With writes enabled

{
  "mcpServers": {
    "g-gremlin-sfdc": {
      "command": "g-gremlin",
      "args": ["mcp", "serve", "--provider", "sfdc", "--enable-writes"]
    }
  }
}

Built for Your Role

⚙️

Salesforce Admins

Ask Claude to describe objects, run SOQL, check org health, and preview metadata deployments — without clicking through Setup pages.

🛠️

Developers / Architects

14 MCP tools. SOQL from your IDE. Metadata deployment with plan-hash safety. Drift detection in CI/CD.

💡

AI-Curious Ops

You want AI to help with Salesforce work but need guardrails. This is the one that starts read-only and only writes when you say so.

PUBLIC BETA

Start Free Trial

Public beta is live. Start a 30-day free trial for full access.

Setup steps:

1. Install

pipx install 'g-gremlin[mcp]'

2. Authenticate with Salesforce

sf org login web --alias myorg

3. Add to your MCP client

Add the JSON config block to Claude Desktop, Cursor, or Windsurf settings.

FAQ

Common Questions

Is it safe to let an AI write to my Salesforce org?

Yes. The server starts in read-only mode (8 read + 4 analyze tools). Write tools require --enable-writes on server startup. Every mutation is plan-then-apply: the plan step generates a SHA-256 plan_hash, and apply rejects any request with a mismatched or missing hash.

What Salesforce permissions does it need?

The MCP server uses your existing sf CLI authentication. It inherits whatever permissions your Salesforce user has. For read-only use, standard read access is sufficient. For metadata deployment, you need the appropriate deploy permissions in your org.

How is this different from querying Salesforce directly?

The MCP server adds safety layers that don't exist in raw API access: tiered tool registration (read vs write), plan-hash verification on mutations, deterministic snapshots for audit trails, and drift detection between plan and apply.

Which MCP clients are supported?

Claude Desktop, Cursor, Windsurf, and any MCP-compatible client that supports stdio transport.

Can I use it for metadata deployments?

Yes. The metadata_pack tools support Flow, FlexiPage, Layout, ApexClass, ApexTrigger, LightningComponentBundle (LWC), and RecordType. Plan generates a hash, drift checks for out-of-band changes, and apply requires the exact hash to proceed.

How do I install it?

Run pipx install 'g-gremlin[mcp]', authenticate with sf org login web, and add the server JSON block to your MCP client config. This requires the MCP-enabled g-gremlin build; check the release notes for availability.

Your AI assistant just got safe Salesforce access.
