didericis c94a2542bd
docs: evaluate CaMeL prompt injection framework for integration
Add analysis of Google DeepMind's CaMeL (arXiv:2503.18813), which
prevents prompt injections architecturally rather than detecting them.

Key findings:
- CaMeL operates at the agent execution layer (P-LLM/Q-LLM split +
  capability-based data flow tracking), not the network layer
- Not a replacement for pipelock/DLP — different threat surface
- Not viable today: research artifact, requires agent rearchitecture,
  doubles LLM costs, 7% utility loss on AgentDojo
- Worth watching: its capability model could complement bot-bottle's
  network controls if it matures into production software

Also clarifies pipelock's actual detection capabilities (no prompt
injection detection) and adds naive detector sketch.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-04 14:13:32 -04:00

Docs

How this project records what it builds and why — and a guide to picking the right document for what you're capturing.

When to write which document

| Artifact | For |
| --- | --- |
| PRD (docs/prds/) | A feature: what to build, scope, success criteria. |
| Research note (docs/research/) | A landscape/tradeoff investigation. |
| Decision record (docs/decisions/) | A decision that isn't itself a feature — a policy, a convention, a "we will / won't do this," or a load-bearing choice made inside a larger PRD that deserves to be discoverable on its own. |

A decision that's fully specified by a PRD doesn't need duplicating in a decision record. Write one when the decision would otherwise be buried in prose, lost in an issue thread, or have no in-repo home at all (small requests that don't merit a PRD; non-feature choices like merge strategy or a trust posture).