potiuk opened a new pull request, #63440:
URL: https://github.com/apache/airflow/pull/63440
## Summary
- Handle the `should_report` flag from LLM assessment for prompt injection, automated spam, and ToS violations. Potentially flagged PRs default to SKIP, appear first in review order (yellow), and downgrade to regular "flagged" when the user takes a non-skip action.
- Add defense-in-depth LLM CLI safety: dangerous env var checks, Claude CLI hardened with `--permission-mode plan` + `--allowedTools` whitelist, Codex CLI with `--sandbox read-only` + `--ephemeral`. Interactive confirmation prompt (Y/n/q/d/a) with persistent "always" option.
- Restrict GitHub MCP to read-only tools via `@modelcontextprotocol/server-github --tools`. Auto-detect `gh auth` status and offer to configure MCP interactively.
- Validate trusted repository and safe `--answer-triage` values before starting LLM threads.
- Rename `--check-mode ci` to `--check-mode api`. Display check mode and provider/model/version at startup.
- Fetch available models from Anthropic/OpenAI APIs with a 24h cache in `.build/llm_models_cache.json`.
- Save LLM errors to temp files instead of printing verbose output inline.
- Add "Potentially flagged for report" row (red) to summary table.
## Test plan
- [ ] Run `breeze pr auto-triage --check-mode both` and verify LLM safety prompt appears
- [ ] Verify `d` shows security details, `a` persists to `.build/llm_confirmed`
- [ ] Test with `--check-mode api` to confirm LLM is skipped
- [ ] Verify should_report PRs appear first in review order with yellow panel
- [ ] Verify taking non-skip action on a report PR clears the report status
- [ ] Check summary table shows red "Potentially flagged for report" count
---
##### Was generative AI tooling used to co-author this PR?
- [X] Yes — Claude Opus 4.6
Generated-by: Claude Opus 4.6 following [the guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
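As an added illustration (example code written for this page, not the breeze `pr auto-triage` implementation), the sketch below shows the shape of two things the PR summary describes: the hardened Claude/Codex CLI argument lists with a refuse-to-start check for dangerous environment variables, and the `should_report` handling (report candidates default to SKIP, sort first in review order with a yellow panel, and downgrade to regular "flagged" when the reviewer takes a non-skip action). The variable names treated as dangerous, the read-only tool whitelist, the action names and the PR records are assumptions and constructed sample input.

```python
"""Illustrative sketch of LLM CLI hardening and should_report handling.

Written as an example for this page; it is not Airflow's breeze code.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Mapping, Optional

# Assumption: variables that would redirect the LLM CLI's API traffic to another
# host. A triage run that feeds untrusted PR text to a model should refuse to
# start when these are set, otherwise that text (and API tokens) could leak.
DANGEROUS_ENV_VARS = ("ANTHROPIC_BASE_URL", "OPENAI_BASE_URL")

# Assumption: the read-only tool whitelist handed to Claude Code.
READ_ONLY_TOOLS = ("Read", "Grep", "Glob")


def dangerous_env_vars(env: Mapping[str, str]) -> list[str]:
    """Return the dangerous variables present in `env`, in a stable order."""
    return [name for name in DANGEROUS_ENV_VARS if name in env]


def claude_read_only_argv(prompt: str) -> list[str]:
    """Claude CLI in plan mode (no edits/commands) with an explicit tool whitelist."""
    return [
        "claude", "-p", prompt,
        "--permission-mode", "plan",
        "--allowedTools", ",".join(READ_ONLY_TOOLS),
    ]


def codex_read_only_argv(prompt: str) -> list[str]:
    """Codex CLI confined to a read-only sandbox, without a persisted session."""
    return ["codex", "exec", "--sandbox", "read-only", "--ephemeral", prompt]


@dataclass
class TriagedPR:
    number: int
    flagged: bool = False        # regular "flagged" status
    should_report: bool = False  # LLM marked it as injection/spam/ToS report candidate
    action: str = "SKIP"         # proposed action; report candidates default to SKIP


def review_order(prs: list[TriagedPR]) -> list[TriagedPR]:
    """Report candidates come first; everything else keeps its existing order."""
    return sorted(prs, key=lambda pr: not pr.should_report)  # sort is stable


def panel_color(pr: TriagedPR) -> Optional[str]:
    """Report candidates are drawn in a yellow panel."""
    return "yellow" if pr.should_report else None


def apply_action(pr: TriagedPR, action: str) -> TriagedPR:
    """Record the reviewer's choice; any non-skip action downgrades a report PR."""
    if pr.should_report and action != "SKIP":
        pr.should_report = False
        pr.flagged = True  # back to regular "flagged"
    pr.action = action
    return pr


def summary_counts(prs: list[TriagedPR]) -> dict[str, int]:
    """Counts for the summary table, including the red report row."""
    return {
        "flagged": sum(pr.flagged for pr in prs),
        "potentially_flagged_for_report": sum(pr.should_report for pr in prs),
    }


if __name__ == "__main__":
    import os

    bad = dangerous_env_vars(os.environ)
    if bad:
        raise SystemExit(f"refusing to start LLM CLI, unsafe env: {bad}")
    print(claude_read_only_argv("assess PR #1 (constructed sample)"))
```

The two argv builders return lists rather than shell strings so the prompt, which contains untrusted PR text, is never re-parsed by a shell; pass them straight to `subprocess.run`.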