doc: add AI guidance for security report triage #63038
RafaelGSS wants to merge 1 commit into nodejs:main from
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
6453113 to 47b0436
| @@ -0,0 +1,35 @@ | |||
| # AI agent instructions for security reports | |||
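Review bot: the heading is the only line of the 35-line file that is visible in this hunk, and it carries no scope statement, so a reader cannot tell from the file itself when these instructions apply; since the comments below point out that a root-level agent file overrides a user's own settings and interferes with normal development flows, suggest the document open with one sentence limiting its scope, e.g. `Apply these instructions only when preparing or triaging a security report.`, so an agent that reads it during ordinary work can ignore it.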
This will override any user setting.
I have an AGENTS.md locally. If we add this, it should include some more details about the project so that it can build/run it successfully.
Note that there is not a uniform way for people to build Node.js locally, e.g. ninja vs make.
This file is currently too long. AI agents are known to disobey these instructions in the root files, especially when they are long and the agents lose attention on them as they fill the context with other information. For telling them what NOT to do, these files are the wrong place.
Potentially a better solution might be to add an agent skill instead, so that we can tell the humans to tell their agents to use the skill when finalizing their security work (preferably at the end of their workflow to make sure agents obey). Agents will usually follow the skill better when it's a specific workflow. It also prevents interference with normal development flows.
Thanks Rafael, it'd be great to reduce the inflow of AI slop in all areas. Is it necessary to add several new files to the root directory of the repository? It's already quite bloated. (I'm honestly asking, I am not familiar with these conventions.)
As discussed in the Node.js Collaborator Summit. This is another attempt to reduce the AI slop and reduce the amount of duplicate invalid reports we receive regularly (a more polite way to express what @panva said in the meeting 😄)
cc: @nodejs/security @nodejs/tsc