Skip to main content

The project changeset

Every edit you make in AI Studio — to a workflow, an app, an entity schema, an integration config, a webhook, or a setting — becomes part of the project’s pending changeset. The changeset is implicit: everything in the project that has been edited since the last release. You make changes; the project’s draft accumulates them. When you’re ready, a single Release publishes everything.

Release semantics

PropertyBehavior
AtomicAll draft changes publish simultaneously. You cannot cherry-pick individual resources.
All-or-nothingIf the release fails (e.g., a migration fails), nothing publishes. The project remains on the prior version.
RollbackRolling back a release returns the entire project to the prior published state. Per-resource rollback is not supported.
In-flight executionsA workflow execution that started before the release finishes on its starting contract version. New executions start on the new version.

The release UI

Clicking Release opens the release panel:
  1. Summary — A plain-language description of what this release does, auto-generated by the system. Editable before you confirm. This summary becomes the immutable changelog entry once published.
  2. Per-resource diff — Every changed resource with field-level changes highlighted.
  3. Migration impact — If entity schema changes are part of the release: “The risk_level field will default to null on 847 existing patient records.”
  4. Approval status — If approvals are required: who has approved, who can still approve, what’s blocking.
Confirm the summary, review the diff, and click Publish.

Release request lifecycle

When approval gates are configured, releasing creates a release request rather than publishing immediately: 
Draft  →  Release Requested (snapshot + soft-lock)  →  Approved  →  Published
                                                    →  Cancelled  →  Draft
When a release request is pending:
  • The project is soft-locked: no new draft changes are accepted.
  • If you need to make additional changes, cancel the pending request, edit, and re-request.
  • There is no time-based expiration. Pending requests sit indefinitely until manually approved or cancelled.

Approval gates

Approval gates are configured at two levels: org → project.
LevelDefaultConfigurable by
Org floor0 approversOrg admins
ProjectInherits org floorProject owners (can only increase, not decrease below org floor)
Key rules:
  • Default is 0: new projects require no approvals. Direct publish is the default.
  • Author cannot self-approve: when N>0 approvers are required, the release author is excluded from the approver pool for their own release.
  • Any project member with release-approval permission can approve by default.
  • No per-resource gates: different approval rules for different resources means different projects.
For HIPAA, HITRUST, or SOC 2 compliance, set the org floor to 1 or 2 to enforce separation of duties on all releases across the org.

Sandbox

Sandbox is a project-level twin of production. It uses the same contracts, the same entities (with separate data), and the same runtime — but integration calls are edge-sandboxed.

Edge-sandboxing

In sandbox mode, outbound integration calls are never made to real external systems. Each integration adapter declares a response schema; the sandbox runtime:
  1. Renders the exact payload that would have been sent.
  2. Produces a schema-derived mock response.
Trace view shows side-effect markers as “would have sent email to [email protected] in sandbox, and “sent email to [email protected] in production. This design trades response fidelity for universality and safety. You never accidentally contaminate a real system from sandbox. The mock-response layer is designed to minimize the fidelity gap — workflows that depend on real provider response data may behave differently in production, but the vast majority of authoring and testing works accurately in sandbox.

When to use sandbox

  • Always use sandbox for initial authoring and iteration.
  • Use sandbox for testing schema changes before they affect production data.
  • Use sandbox when sharing test access with colleagues who shouldn’t touch production.

Switching to production mode

The center pane (live app or test/run console) has a Sandbox / Production toggle. Switching to production mode routes real app traffic and workflow executions to production data and makes real integration calls. The toggle is clearly labeled and requires confirmation when switching to production.

Entity migrations in releases

Schema changes are part of the changeset. When a release includes entity schema changes:
  1. Before publish: the system shows the migration impact — affected record count, default value strategy, field disposition.
  2. On publish: the migration executes atomically with the rest of the changeset.
  3. Failure: if the migration fails, the entire release fails and the project stays on the prior version.
Entity schema evolution mechanics (rename, remove, type change, backfill strategies) follow the platform’s schema evolution model. The release UI surfaces migration details so you can confirm the impact before committing.