On 5/12/26 7:23 PM, Joe Orton wrote:
> One thing which has come out of discussions about stemming the tide of
> LLM reports is having a security model written down which a) the LLMs
> can read, and b) we can use when assessing poor/slop reports.
>
> Most importantly the "we" in (b) should include the [email protected] team
> who can hopefully use it to filter out the slop before "we" (this
> project's committers on [email protected]) see it.
>
> I find this task difficult to scope properly... it's hard to know what
> should/should not be covered here. And there's probably an academic
> discipline behind this topic of which I'm ignorant. Anyway I took a
> first stab, attached, definitely a lot missing.
Thank you for starting it.
>
> I'm thinking we put this at ./docs/security-model.md or somewhere while
What is the best location for an LLM that scans the repo to pick it up
automatically?
Is there any generic, LLM-model-agnostic default location / filename?
> it's a WIP. Ideally I think it ends up in docs/manual too when we're
> happy with it, but we probably need to keep a canonical version in
> markdown for the LLMs, so there's another problem to solve.
I think for now we should focus on the LLM's usability. We can try to tackle
the docs/ issue later.
>
> Thoughts? (I only started using RFC 2119-style MUST/SHOULD halfway
> through editing so it's not consistent on that style)
Looks already pretty good from my point of view.
Regards
Rüdiger