Privacy-LLM configuration

May 4, 2026

This file declares which LLM endpoints this project's framework skills are allowed to route private data through, and which mailing lists count as private.

The contract behind these declarations lives in the framework at tools/privacy-llm/models.md; the per-variant setup recipes are at docs/setup/privacy-llm.md.

Currently configured LLM stack

  • Claude Code (the agent running framework skills)

Approved third-party endpoints (opt-in)

(none — Claude Code is the only LLM)

Private mailing lists for this project

  • <private-list>

Redaction configuration

These knobs tune how skills apply the PII redactor (per ../../tools/privacy-llm/wiring.md) when reading <security-list> content. Defaults are listed in parentheses; uncomment a row to override.

Collaborator source

# collaborator_source: <tracker>

(default: read from <project-config>/project.md → tracker_repo). The repository whose collaborator list is treated as "already public/known" and therefore NOT redacted. Override here if your project tracks security-team membership in a different repo (e.g. a parent-org roster repo).

Collaborator exemption

# collaborator_exemption: enabled

(default: enabled — collaborators are NOT redacted; their identity is already public via the tracker's collaborator list).

Set to disabled for a stricter posture: every non-reporter individual gets redacted, including collaborators. Use when your PMC has decided that even public collaborator identity should not flow through LLMs as a defence-in-depth measure.

Redaction field types

# redaction_field_types: name, email, phone, ip, handle, address

(default: all six types are redacted). Remove a type from this list to disable redaction for that field type. Narrowing is rare; most projects keep all six on. Examples of when an adopter might narrow:

  • A project whose security reports never include phone numbers (and where redacting phone-shaped strings might cause false positives in code excerpts) might drop phone.
  • A project with a strict "treat public IPs as non-PII" policy might drop ip. The framework already excludes IPs that identify a vulnerable production server (see ../../tools/privacy-llm/pii.md) but this knob is the broader override.

How the knobs are applied

The redactor itself reads no config file — these knobs are applied by the skill at filter time (Step 3 of the redact-after-fetch protocol), before pii-redact --field arguments are constructed. A skill that does not respect a knob is a framework bug; report it on apache/airflow-steward.
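A sketch of the knob-resolution step a skill performs before it builds the redactor arguments, added here as an example and not taken from the framework's code. The plain `key: value` row format, the function names, and the candidate tuples of (field type, value, owner handle) are assumptions; reporter handling and the actual `pii-redact --field` syntax are not modelled.

```python
import re

ALL_TYPES = ("name", "email", "phone", "ip", "handle", "address")
KNOB_ROW = re.compile(
    r"^(collaborator_source|collaborator_exemption|redaction_field_types):\s*(.*)$")

def effective_knobs(config_text):
    """Resolve the three knobs; commented-out rows leave the default in force."""
    knobs = {"collaborator_source": None,        # None: use project.md -> tracker_repo
             "collaborator_exemption": "enabled",
             "redaction_field_types": list(ALL_TYPES)}
    for raw in config_text.splitlines():
        m = KNOB_ROW.match(raw.strip())          # rows starting with '#' never match
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "redaction_field_types":
            value = [t.strip() for t in value.split(",") if t.strip()]
            unknown = sorted(set(value) - set(ALL_TYPES))
            if unknown or not value:             # fail closed on typos or an empty list
                raise ValueError(f"bad redaction_field_types: {unknown or 'empty'}")
        elif key == "collaborator_exemption" and value not in ("enabled", "disabled"):
            raise ValueError(f"collaborator_exemption must be enabled or disabled: {value!r}")
        knobs[key] = value
    return knobs

def select_for_redaction(candidates, knobs, collaborators):
    """Return the (field_type, value) pairs that should be passed to the redactor."""
    exempt = collaborators if knobs["collaborator_exemption"] == "enabled" else set()
    return [(ftype, value) for ftype, value, owner in candidates
            if ftype in knobs["redaction_field_types"] and owner not in exempt]

# Constructed sample data, not taken from any real report or project.
SAMPLE_CONFIG = """\
# collaborator_source: <tracker>
collaborator_exemption: disabled
redaction_field_types: name, email, ip, handle, address
"""
SAMPLE_CANDIDATES = [
    ("name", "Alex Example", "alex"),      # third party named in a report
    ("email", "pat@example.org", "pat"),   # a tracker collaborator
    ("phone", "555-0100", "alex"),
]

if __name__ == "__main__":
    knobs = effective_knobs(SAMPLE_CONFIG)
    print(select_for_redaction(SAMPLE_CANDIDATES, knobs, {"pat"}))
```

Raising on an unrecognised value keeps a typo in this file from silently turning redaction off for a field type.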