AGENTFORCE-30.1 · Context Window PII Poisoning (Graph)
Enterprise Tier · Critical · Category: Graph: PII Exfiltration Path
Detection Logic
Performs a 4-hop breadth-first traversal to prove that a compliance-classified field reaches the LLM context window. Standard SAST sees "Apex class returns String." This rule traces the full chain.
```mermaid
graph LR
CF["CustomField\n[complianceGroup=PII/PHI/GDPR]"]
OBJ["Object\n[e.g. Contact]"]
APEX["ApexClass\n[SOQL includes Object]"]
FN["GenAiFunc / ActionDef"]
PT["PromptTemplate\n[grounding data source]"]
CF -->|CONTAINS reverse| OBJ
OBJ -->|queried by| APEX
APEX -->|TARGETS| FN
FN -->|GROUNDS| PT
PT -->|"⚠️ LLM context window"| PT
```
What Triggers It
A violation is raised when all four hops resolve:
| Hop | Source | Edge | Target |
|---|---|---|---|
| 1 | CustomField with complianceGroup ∈ {PII,PHI,CCPA,GDPR,HIPAA,PCI} | reverse:CONTAINS | Object |
| 2 | Object | SOQL reference heuristic | ApexClass |
| 3 | ApexClass | TARGETS | GenAiFunc or ActionDef |
| 4 | GenAiFunc / ActionDef | GROUNDS or INVOKES | PromptTemplate |
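
The four-hop traversal from the table, written out as an added example over a constructed metadata graph (this is not the scanner's own code). The edge label `SOQL_REF`, the `Type:Name` node ids, and the Account and Nickname nodes are assumptions made for illustration.

```python
from collections import deque

REGULATED = {"PII", "PHI", "CCPA", "GDPR", "HIPAA", "PCI"}

# One entry per hop in the table: (edge labels, follow in reverse?, allowed target types).
# "SOQL_REF" is a made-up label standing in for the Hop 2 SOQL reference heuristic.
HOPS = [
    ({"CONTAINS"}, True, {"Object"}),
    ({"SOQL_REF"}, False, {"ApexClass"}),
    ({"TARGETS"}, False, {"GenAiFunc", "ActionDef"}),
    ({"GROUNDS", "INVOKES"}, False, {"PromptTemplate"}),
]

# Constructed sample graph: (source, edge, target), node ids written as "Type:Name".
EDGES = [
    ("Object:Contact", "CONTAINS", "CustomField:Contact.SSN__c"),
    ("Object:Contact", "CONTAINS", "CustomField:Contact.Nickname__c"),
    ("Object:Account", "CONTAINS", "CustomField:Account.TaxId__c"),
    ("Object:Contact", "SOQL_REF", "ApexClass:ContactService"),
    ("Object:Account", "SOQL_REF", "ApexClass:AccountBatch"),  # never exposed to an agent
    ("ApexClass:ContactService", "TARGETS", "GenAiFunc:GetCustomerDetails"),
    ("GenAiFunc:GetCustomerDetails", "GROUNDS", "PromptTemplate:CustomerSummary"),
]
# complianceGroup per field; Nickname__c is unclassified, so it is never a start node.
COMPLIANCE = {"CustomField:Contact.SSN__c": "PII", "CustomField:Account.TaxId__c": "PCI"}

def step(edges, node, labels, reverse, types):
    """Yield the nodes reachable from `node` over one hop of the given shape."""
    for src, label, dst in edges:
        here, there = (dst, src) if reverse else (src, dst)
        if here == node and label in labels and there.split(":", 1)[0] in types:
            yield there

def pii_paths(edges, compliance):
    """Breadth-first search; return each path that resolves all four hops."""
    queue = deque([field] for field, group in compliance.items() if group in REGULATED)
    found = []
    while queue:
        path = queue.popleft()
        hop = len(path) - 1
        if hop == len(HOPS):
            found.append(path)  # regulated field reaches a PromptTemplate
            continue
        for nxt in step(edges, path[-1], *HOPS[hop]):
            queue.append(path + [nxt])
    return found

if __name__ == "__main__":
    for p in pii_paths(EDGES, COMPLIANCE):
        print(" -> ".join(p))
```

`Account.TaxId__c` is classified but stops at Hop 3 because `AccountBatch` has no TARGETS edge, so only the `Contact.SSN__c` chain is reported.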
Example Violation Output
```
[Enterprise Graph] Regulated field 'Contact.SSN__c' (complianceGroup: PII) travels
through a 4-hop path into PromptTemplate 'CustomerSummary':
Contact.SSN__c → ApexClass:ContactService → GenAiFunc:GetCustomerDetails →
PromptTemplate:CustomerSummary. This regulated data is transmitted to the external LLM.
Suggestion: Apply Einstein Trust Layer data masking for 'Contact.SSN__c'. Exclude
this field from PromptTemplate 'CustomerSummary' grounding data.
```
Remediation
- Einstein Trust Layer masking: Enable field-level masking in the Trust Layer for PII/PHI fields before they enter prompt grounding queries.
- Restrict output schema: Remove classified fields from the GenAiFunction's JSON output schema definition.
- Consent-gated boundary: If the LLM genuinely needs the data, pass it through a consent-validated trust boundary and log the access event for compliance audit.
False Positive Guidance
This rule uses a heuristic for Hop 2 (Apex-to-Object reference detection). If your Apex class contains string references that match the SObject name but don't actually query it, use --rules-exclude AGENTFORCE-30.1 for that path and file a suppression comment.