Code reviews rule: Missing output assignment for Agentforce customer verification

Written by David Martin
Updated today

Why is this an issue?

The VerifyCustomer action in the SvcCopilotTmpl__ServiceCustomerVerification plugin produces two important outputs:

  • isVerified: Indicates whether the customer was successfully verified

  • customerId: The Contact ID of the verified customer

These variables enable downstream security controls. For example, customerId can be passed to downstream actions to ensure they operate on the correct record. isVerified can be used in filter conditions to restrict sensitive topics to verified customers only.

Without mapping these outputs to variables, the verification step provides no actual protection. Unverified guests could perform restricted actions or access records belonging to other customers.

Examples

Example of incorrect configuration, where the planner bundle is missing output mappings for isVerified and customerId:

<GenAiPlannerBundle xmlns="http://soap.sforce.com/2006/04/metadata">
    <attributeMappings>
        <attributeName>SvcCopilotTmpl__ServiceCustomerVerification.SvcCopilotTmpl__VerifyCustomer.authenticationKey</attributeName>
        <attributeType>StandardPluginFunctionInput</attributeType>
        <mappingTargetName>authenticationKey</mappingTargetName>
        <mappingType>Variable</mappingType>
    </attributeMappings>
    <!-- Missing: VerifyCustomer.isVerified output mapping -->
    <!-- Missing: VerifyCustomer.customerId output mapping -->
    ...
</GenAiPlannerBundle>

Example of correct configuration, where both outputs are mapped to variables:

<GenAiPlannerBundle xmlns="http://soap.sforce.com/2006/04/metadata">
    ...
    <attributeMappings>
        <attributeName>SvcCopilotTmpl__ServiceCustomerVerification.SvcCopilotTmpl__VerifyCustomer.isVerified</attributeName>
        <attributeType>StandardPluginFunctionOutput</attributeType>
        <mappingTargetName>isVerified</mappingTargetName>
        <mappingType>Variable</mappingType>
    </attributeMappings>
    <attributeMappings>
        <attributeName>SvcCopilotTmpl__ServiceCustomerVerification.SvcCopilotTmpl__VerifyCustomer.customerId</attributeName>
        <attributeType>StandardPluginFunctionOutput</attributeType>
        <mappingTargetName>VerifiedCustomerId</mappingTargetName>
        <mappingType>Variable</mappingType>
    </attributeMappings>
    ...
</GenAiPlannerBundle>

How can I fix violations?

Add attributeMappings entries for the missing outputs (isVerified and customerId) from the VerifyCustomer action, mapping them to variables. Once mapped, use these variables in filter conditions to ensure sensitive actions are only available to verified customers.
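
A minimal pre-deployment check for this rule, added here as an example (it is not the rule's own implementation or Salesforce code): it parses a GenAiPlannerBundle and lists the VerifyCustomer outputs that are not mapped to a variable. The helper names and sample bundles are constructed for illustration, and treating an empty mappingTargetName as unmapped is an assumption.

```python
import xml.etree.ElementTree as ET

NS_URI = "http://soap.sforce.com/2006/04/metadata"
NS = {"md": NS_URI}
ACTION = "SvcCopilotTmpl__ServiceCustomerVerification.SvcCopilotTmpl__VerifyCustomer"
REQUIRED_OUTPUTS = ("isVerified", "customerId")


def _field(mapping, tag):
    """Text of a child element of one attributeMappings entry ('' if absent)."""
    return (mapping.findtext("md:" + tag, default="", namespaces=NS) or "").strip()


def missing_verification_outputs(bundle_xml):
    """Return the VerifyCustomer outputs that are not mapped to a variable."""
    root = ET.fromstring(bundle_xml)
    mapped = set()
    for mapping in root.iter("{%s}attributeMappings" % NS_URI):
        name = _field(mapping, "attributeName")
        if not name.startswith(ACTION + "."):
            continue
        # Assumption: an output counts only when mapped to a named variable.
        if (_field(mapping, "attributeType") == "StandardPluginFunctionOutput"
                and _field(mapping, "mappingType") == "Variable"
                and _field(mapping, "mappingTargetName")):
            mapped.add(name[len(ACTION) + 1:])
    return [out for out in REQUIRED_OUTPUTS if out not in mapped]


# Constructed sample bundles, modelled on the two configurations shown above.
def _mapping(attr, attr_type, target):
    return ("<attributeMappings><attributeName>" + ACTION + "." + attr + "</attributeName>"
            "<attributeType>" + attr_type + "</attributeType>"
            "<mappingTargetName>" + target + "</mappingTargetName>"
            "<mappingType>Variable</mappingType></attributeMappings>")


def _bundle(*mappings):
    return ('<GenAiPlannerBundle xmlns="' + NS_URI + '">'
            + "".join(mappings) + "</GenAiPlannerBundle>")


OUT = "StandardPluginFunctionOutput"
INPUT_ONLY = _bundle(_mapping("authenticationKey", "StandardPluginFunctionInput", "authenticationKey"))
PARTIAL = _bundle(_mapping("isVerified", OUT, "isVerified"))
BOTH_MAPPED = _bundle(_mapping("isVerified", OUT, "isVerified"),
                      _mapping("customerId", OUT, "VerifiedCustomerId"))

if __name__ == "__main__":
    for label, xml in (("input only", INPUT_ONLY), ("partial", PARTIAL), ("both", BOTH_MAPPED)):
        print(label, "->", missing_verification_outputs(xml) or "OK")
```

This check covers only the output mappings; whether the mapped variables are then used in filter conditions still has to be reviewed separately.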
