From de465996440537a0633f1e2376e1a9d529eb98f9 Mon Sep 17 00:00:00 2001
From: Jarek Potiuk <jarek@potiuk.com>
Date: Fri, 29 May 2026 20:46:43 +0200
Subject: [PATCH] Add AGENTS.md with security-model link for agent
 discoverability

This adds an AGENTS.md to apache/airflow-client-python so an
automated scan agent can mechanically discover the project's
security model via the conventional AGENTS.md -> model chain.
The client library currently has no in-repo security-discovery
file, so an agent has no way to find the authoritative Airflow
security model without out-of-band knowledge.

The pointer chains the client to the main Apache Airflow
security model (the same one apache/airflow's AGENTS.md
points at).

Generated-by: Claude Code (Claude Opus 4.7)
---
 AGENTS.md | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 AGENTS.md

diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 0000000..a87a2c6
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,45 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+
+# Apache Airflow Python Client — Agent Instructions
+
+This file is read by automated agents (security scanners, code
+analyzers, AI assistants) operating on this repository. It
+points them at the human-authored references they should
+consult before producing output.
+
+## Security Model
+
+The authoritative security reference for this client is the
+Apache Airflow Security Model:
+
+  https://airflow.apache.org/docs/apache-airflow/stable/security/security_model.html
+
+(Repo source: [`apache/airflow:airflow-core/docs/security/security_model.rst`](https://github.com/apache/airflow/blob/main/airflow-core/docs/security/security_model.rst).)
+
+This client library inherits Apache Airflow's security model.
+In particular, the *"What is NOT considered a security
+vulnerability"* section enumerates recurring non-findings —
+agents should consult it before reporting issues against the
+Airflow API surface this client wraps.
+
+Client-specific concerns (TLS configuration, token handling,
+retry/backoff behaviour, connection lifecycle) follow the
+guidance in the upstream Airflow model unless explicitly
+documented otherwise in this repository.