From 53d0a5f6bdcea52aaf72193872a4fa829936c3d1 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 25 Mar 2026 00:17:53 +0000 Subject: [PATCH] docs: add agent -> detection -> safe-outputs mermaid diagram and security architecture link to index Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> Agent-Logs-Url: https://github.com/github/gh-aw/sessions/342cf57d-e7c2-4203-b991-4836cc9c1c00 --- docs/src/content/docs/index.mdx | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/src/content/docs/index.mdx b/docs/src/content/docs/index.mdx index 304cf244955..315f15ed774 100644 --- a/docs/src/content/docs/index.mdx +++ b/docs/src/content/docs/index.mdx @@ -59,6 +59,15 @@ Developed by GitHub Next and Microsoft Research, workflows run with added guardr Workflows run with read-only permissions by default. Write operations require explicit approval through sanitized [safe outputs](/gh-aw/reference/glossary/#safe-outputs) (pre-approved GitHub operations), with sandboxed execution, tool allowlisting, and network isolation ensuring AI agents operate within controlled boundaries. +Every workflow runs through a three-stage security pipeline before any write operation can occur: + +```mermaid +flowchart LR + Agent["🤖 Agent"] --> Detection["🔍 Detection"] --> SafeOutputs["✅ Safe Outputs"] +``` + +See the [Security Architecture](/gh-aw/introduction/architecture/) for a full breakdown of the layered defense-in-depth model. + ## Example: Daily Issues Report Here's a simple workflow that runs daily to create an upbeat status report:
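Review bot: The new "Detection" stage in the mermaid block is never defined or linked, so a reader of index.mdx cannot tell what is being detected or what happens to an agent's output when detection fails. The paragraph just above links "safe outputs" to the glossary; please do the same for Detection, or add one sentence after the diagram saying what each of the three stages does and which stage blocks the write. The lead-in sentence "Every workflow runs through a three-stage security pipeline before any write operation can occur" is also an absolute security claim on the landing page. Confirm it holds for every workflow configuration, and if any configuration lets a workflow skip or disable a stage, qualify the wording the way the preceding paragraph does with "by default". A minor point: the node labels carry their meaning partly through emoji, and the diagram has no text alternative, so consider plain-text labels or a short description line for screen readers and for renderers that do not draw mermaid.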