Appendix A: Recommended LLM Tools and Platforms
LLM tools change quickly, so this appendix uses tool categories rather than a fixed ranked list. Treat named tools as examples current as of May 2026, and re-check local institutional policy, data-use restrictions, and current tool settings before using any LLM with private, clinical, or controlled-access data.
Conversational LLMs
Use conversational tools for planning, explaining code, brainstorming edge cases, drafting documentation, and red teaming methodology. Examples include ChatGPT, Claude, Gemini, and similar hosted assistants. They are useful when you want to think through a problem before editing files.
Best fit:
- Drafting project plans and prompts.
- Asking conceptual or statistical-methods questions.
- Explaining code snippets.
- Generating documentation drafts that you will review.
Do not paste individual-level records, PHI, PII, controlled-access genomic data, credentials, unpublished private data, sensitive small-cell outputs, or full proprietary repositories into general conversational tools. Treat that as prohibited for the default workflows in this guide because it can violate institutional policy, data-use agreements, IRB expectations, HIPAA rules, or other hard requirements [NIH genomic data guidance], [45 CFR 164.514]. Use schemas, code snippets, aggregate results approved for sharing, and synthetic examples instead.
Repo-Native Coding Agents
Coding agents such as Codex, GitHub Copilot coding agent, Claude Code, and similar tools can inspect a repository, edit files, run commands, and summarize changes. These tools work best when the repository contains stable instructions such as AGENTS.md, .github/copilot-instructions.md, or tool-specific guidance files, plus explicit test/build commands [GitHub Copilot agent best practices], [Claude Code best practices], [OpenAI code generation guide], [Linux Foundation agentic AI announcement].
Best fit:
- Implementing focused changes in a working repository.
- Refactoring code to match a lab template.
- Running smoke tests, linters, and documentation builds.
- Preparing pull requests that humans will review.
Use them with scoped permissions in a code-only workspace. Keep the codebase separate from protected data, do not mount PHI/PII directories or secrets into an agent session, and synchronize code through GitHub only in the approved direction so sensitive data and outputs do not flow back into the LLM-accessible repository. Be especially cautious with internet access, package installation, MCP servers, secrets, and file paths that contain sensitive data [Codex internet access docs], [MCP security best practices], [OWASP LLM Top 10].
IDE Assistants
Autocomplete and chat tools embedded in IDEs are useful for small edits and local iteration. GitHub Copilot is available in many development environments, and Posit documents an opt-in RStudio integration for compatible RStudio versions [Posit RStudio Copilot docs]. These tools are convenient for R scripts, Quarto documents, and package development, but they still require review, testing, and privacy checks. Do not enable an IDE assistant in a workspace that contains protected datasets, private extracts, credentials, or sensitive generated outputs unless that environment has been explicitly approved for GenAI use.
Best fit:
- Completing repetitive code.
- Writing small helper functions.
- Drafting comments or roxygen documentation.
- Asking local questions while editing.
R-Native LLM Packages
R packages can help you call LLMs from reproducible workflows. For example, ellmer supports multiple providers, streaming, asynchronous calls, tool/function calling, and structured data extraction [ellmer]. These packages are useful when the LLM interaction itself is part of a reproducible pipeline, such as extracting structured metadata from text or evaluating generated summaries.
Use R-native packages only after deciding how prompts, outputs, costs, credentials, privacy controls, and validation will be recorded. Do not call hosted LLM APIs from an R session that can read protected PHI, PII, controlled-access data, or private data stores unless explicitly authorized.
Structured-Output and API Workflows
APIs that support JSON schema or structured output are useful when an LLM response must feed another program. They can reduce parsing errors and missing fields, but they do not guarantee that values are scientifically correct [OpenAI structured outputs], [Gemini structured output]. Always validate structured output against your schema, domain rules, and test cases.
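The two validation layers described above, as an added example (not code from any tool named in this appendix). The field names, allowed values, ranges, and sample responses are hypothetical and constructed for illustration.

```python
import json

# Hypothetical schema for study metadata an LLM extracts from an abstract.
SCHEMA = {"study_design": str, "sample_size": int,
          "mean_age_years": float, "p_value": float}
ALLOWED_DESIGNS = {"cohort", "case-control", "rct", "cross-sectional"}

def validate_llm_record(raw):
    """Return a list of problems; an empty list means the record passed."""
    try:
        rec = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(rec, dict):
        return ["top-level value is not an object"]
    # Layer 1, schema: exact field set and types.
    errors = [f"unexpected field: {k}" for k in sorted(set(rec) - set(SCHEMA))]
    for key, typ in SCHEMA.items():
        if key not in rec:
            errors.append(f"missing field: {key}")
            continue
        val = rec[key]
        accepted = (int, float) if typ is float else typ
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(val, bool) or not isinstance(val, accepted):
            errors.append(f"wrong type for {key}: {type(val).__name__}")
    if errors:
        return errors  # domain rules assume a well-formed record
    # Layer 2, domain rules: schema-valid values can still be impossible.
    if rec["study_design"] not in ALLOWED_DESIGNS:
        errors.append(f"unknown study_design: {rec['study_design']}")
    if rec["sample_size"] <= 0:
        errors.append("sample_size must be positive")
    if not 0 <= rec["mean_age_years"] <= 120:
        errors.append("mean_age_years outside 0-120")
    if not 0 <= rec["p_value"] <= 1:
        errors.append("p_value outside [0, 1]")
    return errors

# Constructed sample responses (not real model output).
GOOD = '{"study_design": "cohort", "sample_size": 412, "mean_age_years": 57.3, "p_value": 0.04}'
BAD_DOMAIN = '{"study_design": "cohort", "sample_size": -12, "mean_age_years": 57.3, "p_value": 1.7}'
BAD_SCHEMA = '{"study_design": "rct", "sample_size": "412", "p_value": 0.04, "notes": "n/a"}'

if __name__ == "__main__":
    for name, raw in [("GOOD", GOOD), ("BAD_DOMAIN", BAD_DOMAIN), ("BAD_SCHEMA", BAD_SCHEMA)]:
        print(name, validate_llm_record(raw) or "ok")
```

BAD_DOMAIN satisfies the schema in every field and is rejected only by the domain rules, which is the case schema-constrained output alone does not catch.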
Choose the tool category by the job and the risk: brainstorming, repository editing, IDE completion, reproducible R workflows, and schema-constrained APIs need different review and permission practices.