(You’ve probably already done this but) I encourage you to talk with Jarek Potiuk, who has thought a LOT about this, and has a very elaborate setup over on Airflow to deal with this workflow.

> On May 12, 2026, at 1:23 PM, Joe Orton <[email protected]> wrote:
>
> One thing which has come out of discussions about stemming the tide of
> LLM reports is having a security model written down which a) the LLMs
> can read, and b) we can use when assessing poor/slop reports.
>
> Most importantly the "we" in (b) should include the [email protected] team
> who can hopefully use it to filter out the slop before "we" (this
> project's committers on [email protected]) see it.
>
> I find this task difficult to scope properly... it's hard to know what
> should/should not be covered here. And there's probably an academic
> discipline behind this topic of which I'm ignorant. Anyway I took a
> first stab, attached, definitely a lot missing.
>
> I'm thinking we put this at ./docs/security-model.md or somewhere while
> it's a WIP. Ideally I think it ends up in docs/manual too when we're
> happy with it, but we probably need to keep a canonical version in
> markdown for the LLMs, so there's another problem to solve.
>
> Thoughts? (I only started using RFC 2119-style MUST/SHOULD halfway
> through editing so it's not consistent on that style)
>
> Regards, Joe
> <security-model.md>

— Rich Bowen
[email protected]
