Add AI security considerations in documentation

hardisgroupcom · Jan 12, 2025 · e62c66a · e62c66a
1 parent 1255afe
commit e62c66a
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,8 @@
 
 Note: Can be used with `sfdx plugins:install sfdx-hardis@beta` and docker image `hardisgroupcom/sfdx-hardis@beta`
 
+- Add AI security considerations in documentation
+
 ## [5.15.1] 2025-01-12
 
 - Improve prompt templates

diff --git a/docs/salesforce-ai-setup.md b/docs/salesforce-ai-setup.md
@@ -6,6 +6,16 @@ description: Learn how to use AI to supercharge sfdx-hardis deployments
 
 # Setup AI for sfdx-hardis
 
+## Security considerations
+
+sfdx-hardis uses **prompt via API** to collect analysis: only **Metadata XML** or **JSON deployment errors** are sent in the prompts.
+
+If you follow Flows best practices and **do not hardcode credentials / tokens in variables**, there is no serious risk to send metadata XML to an external LLM (**but be aware that you do !**)
+
+You can see the prompts content if you set env variable `DEBUG_PROMPTS=true`.
+
+The list of prompts used by sfdx-hardis is defined in [this source file](https://github.com/hardisgroupcom/sfdx-hardis/blob/main/src/common/aiProvider/promptTemplates.ts).
+
 ## Main configuration
 
 You need to define at least env variable OPENAI_API_KEY and make it available to your CI/CD workflow.