Technical Due Diligence

A public diligence summary for AgentFlow Enterprise.

This page summarizes implementation status, security-conscious architecture, webhook handling, server-side AI calls, Supabase Auth, dashboard protection, test evidence, and known limitations.

Implementation status

Built surfaces, verification paths, and explicit non-claims.

The diligence posture is designed to help a buyer or senior developer review what exists without mistaking readiness for live customer proof.

Surface | Status | Notes
Public SaaS pages | Implemented | Marketing, demo, pricing, docs, trust, legal, and buyer review pages exist as public Next.js routes.
Supabase Auth | Implemented | Auth helpers and callback routes support protected dashboard flows and server-side session handling.
Dashboard protection | Implemented | `proxy.ts` protects dashboard access and redirects unauthenticated users before private dashboard rendering.
Server-side AI | Implemented | OpenAI qualification calls are made from server routes, not from browser-exposed client code.
Provider webhooks | Implemented | Stripe and GitHub Sponsors webhook support exists and should be verified against provider dashboards.
Commercial traction | Not claimed | No paying customers, revenue proof, enterprise adoption, or case-study results are claimed.

Architecture

Security-conscious by design, still audit-worthy before launch.

AgentFlow uses server-side provider calls, protected dashboard routing, Supabase Auth, webhook verification patterns, and buyer documentation as technical anchors.

Webhook verification

Stripe and GitHub Sponsors webhook routes are part of the implementation. Verify them with provider-signed test events rather than hand-built requests: the Stripe route must check the `Stripe-Signature` header (a timestamp plus an HMAC-SHA256 over the raw body) and the GitHub route the `X-Hub-Signature-256` header, and both should reject tampered bodies and unsigned deliveries, with the Stripe route also rejecting stale timestamps.
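As an added example, not code from the AgentFlow repository, this is the verification each webhook route is expected to perform, written in TypeScript so it could sit in a Next.js route handler. Stripe's `Stripe-Signature` header carries a timestamp `t` and one or more `v1` values, each an HMAC-SHA256 over the string `"<t>.<raw body>"`; GitHub's `X-Hub-Signature-256` header carries `sha256=<hex HMAC-SHA256 of the raw body>`. The secrets, sample payloads and fixture-generating helpers are constructed for the example; the 300-second tolerance is Stripe's documented default. The body passed in must be the raw request text (`await req.text()` in a route handler), never re-serialized JSON, or the HMAC will not match.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constant-time comparison of two hex digests. Unequal lengths fail outright,
// because timingSafeEqual throws rather than returning false on them.
function digestsMatch(expectedHex: string, providedHex: string): boolean {
  const expected = Buffer.from(expectedHex, "hex");
  const provided = Buffer.from(providedHex, "hex");
  return expected.length > 0 && expected.length === provided.length && timingSafeEqual(expected, provided);
}

// Stripe: header "t=<unix seconds>,v1=<hex>[,v1=<hex>...]"; the signed string is
// "<t>.<raw body>". Several v1 values appear while a signing secret is being rotated.
export function verifyStripeSignature(
  rawBody: string,
  header: string | undefined,
  signingSecret: string,
  nowSeconds: number,
  toleranceSeconds = 300,
): boolean {
  if (!header) return false;
  let timestamp: string | undefined;
  const signatures: string[] = [];
  for (const item of header.split(",")) {
    const eq = item.indexOf("=");
    if (eq < 0) continue;
    const key = item.slice(0, eq).trim();
    const value = item.slice(eq + 1).trim();
    if (key === "t") timestamp = value;
    else if (key === "v1") signatures.push(value);
  }
  if (!timestamp || !/^\d+$/.test(timestamp) || signatures.length === 0) return false;
  // Replay window: a captured valid delivery stops working once it is older than the tolerance.
  if (Math.abs(nowSeconds - Number(timestamp)) > toleranceSeconds) return false;
  const expected = createHmac("sha256", signingSecret).update(`${timestamp}.${rawBody}`, "utf8").digest("hex");
  return signatures.some((sig) => digestsMatch(expected, sig));
}

// GitHub (Sponsors events included): header "sha256=<hex HMAC-SHA256 of the raw body>".
export function verifyGitHubSignature(rawBody: string, header: string | undefined, secret: string): boolean {
  const prefix = "sha256=";
  if (!header || !header.startsWith(prefix)) return false;
  const expected = createHmac("sha256", secret).update(rawBody, "utf8").digest("hex");
  return digestsMatch(expected, header.slice(prefix.length));
}

// Fixture generators that reproduce what each provider sends; constructed for this example.
export function stripeSignatureHeader(rawBody: string, signingSecret: string, timestamp: number): string {
  const sig = createHmac("sha256", signingSecret).update(`${timestamp}.${rawBody}`, "utf8").digest("hex");
  return `t=${timestamp},v1=${sig}`;
}
export function githubSignatureHeader(rawBody: string, secret: string): string {
  return "sha256=" + createHmac("sha256", secret).update(rawBody, "utf8").digest("hex");
}

// Constructed sample deliveries, not real provider events.
export const SAMPLE_STRIPE_BODY = JSON.stringify({
  id: "evt_example_0001",
  type: "checkout.session.completed",
  data: { object: { id: "cs_example_0001", customer: "cus_example_0001" } },
});
export const SAMPLE_SPONSORS_BODY = JSON.stringify({
  action: "created",
  sponsorship: { sponsor: { login: "example-sponsor" }, tier: { monthly_price_in_dollars: 10 } },
});
```

Accepting any one of several `v1` values is what keeps deliveries working while a signing secret is rotated in the Stripe dashboard; the length check before `timingSafeEqual` is required because that function throws on buffers of different lengths instead of returning false.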

Server-side AI calls

OpenAI credentials stay in server-side environment variables (never under a `NEXT_PUBLIC_` prefix, which Next.js inlines into the browser bundle at build time), with the public demo path kept separate from production writes.

Supabase Auth

Auth and session handling support protected workspace flows, backed by documentation for RLS and tenant review. RLS only constrains queries made with the anon or user-scoped key; the Supabase service-role key bypasses RLS and must never leave the server.

Dashboard protection

`proxy.ts` gates dashboard routes at the routing layer. That gate is not a substitute for authorization inside the route: each sensitive route handler and server action should independently verify the session and the caller's membership in the organization whose data it touches, because a valid session alone does not prove access to the organization a request names.
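Serving both the server-side AI and dashboard protection sections above, this added TypeScript example (not AgentFlow's own code; every name apart from `OPENAI_API_KEY` and the `NEXT_PUBLIC_` convention is assumed) shows what a qualification route should enforce beyond the `proxy.ts` gate: the key is read from the server environment and rejected if a copy is exposed under `NEXT_PUBLIC_`, the public demo path takes no session and writes nothing, and the production path re-checks the caller's organization membership before persisting. The model client and the store are injected doubles so the code runs offline.

```typescript
export type Session = { userId: string } | null;
export type Membership = { userId: string; orgId: string; role: "owner" | "member" };
export type QualifyResult = { score: number; reason: string };

export class RouteError extends Error {
  constructor(public readonly status: number, message: string) {
    super(message);
  }
}

// Fail fast (at module load in a real route): the key must exist server-side and
// no secret-looking variable may carry the NEXT_PUBLIC_ prefix, which Next.js
// inlines into the browser bundle at build time.
export function loadServerSecrets(env: Record<string, string | undefined>): { openaiApiKey: string } {
  const exposed = Object.keys(env).filter(
    (k) => k.startsWith("NEXT_PUBLIC_") && /OPENAI|SECRET|API_KEY|TOKEN/i.test(k),
  );
  if (exposed.length > 0) {
    throw new Error(`secret-looking variables exposed to the client bundle: ${exposed.join(", ")}`);
  }
  const openaiApiKey = env.OPENAI_API_KEY;
  if (!openaiApiKey) throw new Error("OPENAI_API_KEY is not set in the server environment");
  return { openaiApiKey };
}

// Organization context is re-checked in the route itself, not only in proxy.ts:
// a user with a valid session can still name another tenant's orgId in the request.
export function requireOrgAccess(session: Session, orgId: string, memberships: Membership[]): Membership {
  if (!session) throw new RouteError(401, "authentication required");
  const membership = memberships.find((m) => m.userId === session.userId && m.orgId === orgId);
  if (!membership) throw new RouteError(403, "no membership in the requested organization");
  return membership;
}

// The model client and the datastore are injected so the example runs offline.
export interface Qualifier { qualify(lead: string, apiKey: string): Promise<QualifyResult>; }
export interface LeadStore { save(orgId: string, lead: string, result: QualifyResult): Promise<void>; }

export interface RouteContext {
  env: Record<string, string | undefined>;
  session: Session;
  memberships: Membership[];
  qualifier: Qualifier;
  store: LeadStore;
}

export const DEMO_MAX_LEAD_CHARS = 2000; // assumed cap for the unauthenticated demo path

export async function handleQualify(
  input: { mode: "demo" | "production"; orgId?: string; lead: string },
  ctx: RouteContext,
): Promise<{ persisted: boolean; result: QualifyResult }> {
  const { openaiApiKey } = loadServerSecrets(ctx.env);
  if (input.mode === "demo") {
    // Public demo: no session, bounded input, and nothing is written to the datastore.
    if (input.lead.length > DEMO_MAX_LEAD_CHARS) throw new RouteError(413, "demo input too large");
    return { persisted: false, result: await ctx.qualifier.qualify(input.lead, openaiApiKey) };
  }
  if (!input.orgId) throw new RouteError(400, "orgId is required");
  requireOrgAccess(ctx.session, input.orgId, ctx.memberships);
  const result = await ctx.qualifier.qualify(input.lead, openaiApiKey);
  await ctx.store.save(input.orgId, input.lead, result);
  return { persisted: true, result };
}

// Constructed offline doubles for running the example; not a real model call.
export const fakeQualifier: Qualifier = {
  async qualify(lead) {
    return { score: lead.includes("budget") ? 80 : 20, reason: "keyword heuristic stub" };
  },
};
export class MemoryStore implements LeadStore {
  rows: { orgId: string; lead: string; result: QualifyResult }[] = [];
  async save(orgId: string, lead: string, result: QualifyResult) {
    this.rows.push({ orgId, lead, result });
  }
}
export const sampleMemberships: Membership[] = [
  { userId: "user_a", orgId: "org_1", role: "owner" },
  { userId: "user_b", orgId: "org_2", role: "member" },
];
export const goodEnv = { OPENAI_API_KEY: "sk-constructed-example" };
export const leakyEnv = { OPENAI_API_KEY: "sk-constructed-example", NEXT_PUBLIC_OPENAI_API_KEY: "sk-constructed-example" };
```

Returning 403 for a foreign organization is a choice; some teams return 404 so that the response does not confirm the organization exists. Either way, the membership lookup belongs in the route (or in the RLS policy the query runs under), not only in `proxy.ts`.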

Evidence

Reviewable proof points before deeper audit.

The repository includes tests and documentation that give buyers something concrete to inspect before discussing acquisition or adoption.

Test coverage

Tests cover public demo validation, AI qualification, Stripe webhooks, and GitHub Sponsors webhook handling.

Documentation

Docs cover environment variables, API behavior, Stripe webhooks, Supabase schema/RLS, billing lifecycle, integrations, and runbooks.

Buyer-safe status

Known limitations are public so diligence can focus on real remaining work instead of marketing ambiguity.

Buyer checklist

Verification work still matters.

A buyer should use this checklist before relying on AgentFlow for real customers, paid onboarding, or acquisition valuation.

  • Run lint, production build, and Node test suite from a clean checkout.
  • Verify `/dashboard` redirects unauthenticated users and respects authenticated sessions.
  • Test signup, login, checkout, webhook delivery, billing portal, and dashboard access in staging.
  • Confirm Supabase RLS policies and tenant isolation with non-production test organizations.
  • Verify Stripe live mode and webhook signing secrets before real commercial onboarding.
  • Confirm Sentry staging capture, PII filtering, source maps, and alert routing.
  • Validate optional HubSpot, Slack, outbound webhook, Google Calendar, and Google Sheets behavior only where implemented.
  • Review public claims against actual deployment evidence before using the asset in a sale process.

Public docs

Useful review links.

These public pages provide deeper technical context without exposing private dashboards, customer data, provider secrets, or internal credentials.

  • /docs (Technical docs): Environment variables, API behavior, webhooks, billing, integrations, and troubleshooting.
  • /security (Security posture): Public-safe security language and operating boundaries for buyer review.
  • /business-trust (Business trust): Trust posture, crawlability boundaries, billing controls, tenant isolation, and monitoring readiness.

FAQ

Straight answers for technical buyers.

Each answer is written to preserve buyer confidence without inventing traction, certifications, or implementation proof that still needs verification.

Is AgentFlow Enterprise revenue validated?

No revenue validation is claimed. Buyers should treat it as a technical SaaS asset and validate the commercial motion separately.

Does the platform claim SOC 2 or ISO certification?

No. The architecture and documentation are security-conscious, but no SOC 2, ISO, penetration test, SLA, or certification claim is made.

Are Google Calendar and Google Sheets fully implemented?

Treat them as integration readiness paths rather than finished features unless a target deployment adds and verifies the full UI and provider workflows.

Review path

Start with docs, tests, and staging verification.

Serious adoption or acquisition should be based on the current evidence and the buyer's verification plan.