Much of the security of an implementation of a spec will revolve around rejecting badly formed models, and rejecting changes to tensors that might result in out of bounds accesses.

A suite of failure cases would be helpful to ensure invalid input is properly rejected, and will form useful input to a fuzzer corpus.

(very possible this lives elsewhere!)