Add AGENTS.md + SECURITY.md linking the project's security model#2702
Open
potiuk wants to merge 2 commits into
Conversation
Member (Author): ON IT :)
These two small files at the repo root let an automated agent mechanically discover the project's existing security model via the conventional AGENTS.md -> SECURITY.md chain. Both new files are pointers; nothing about the substantive content of the model at https://shiro.apache.org/security-model.html changes. Proposed by the ASF Security team while preparing the project for an automated agentic security scan we're piloting. The scan refuses to run if the model is not discoverable by that path; refusing upfront beats wasting PMC reviewer cycles on a noise-heavy run against a model the agent never found. Discoverability is the only hard gate; everything else is suggestion.

Generated-by: Claude Code (Claude Opus 4.7)
d05ba00 to a890040
lprimak approved these changes (May 14, 2026)
Contributor: @potiuk I made minor changes to SECURITY.md, can you double-check please?
Member (Author): LGTM :)
fpapon approved these changes (May 16, 2026)
This is a proposal for the PMC to review — please correct, reject, or discuss as needed. Nothing here is a requirement; the maintainer is the decision-maker.

This PR adds two small files at the repo root — AGENTS.md and SECURITY.md — so an automated agent can mechanically discover the project's existing security model.

Context: the ASF Security team is preparing Shiro for an automated agentic security scan we're piloting. The scan refuses to run if the model isn't discoverable by the convention AGENTS.md → SECURITY.md → model document. Refusing upfront beats wasting PMC reviewer cycles on a noise-heavy run against a model the agent never found. Discoverability is the one hard gate; everything else is suggestion. The Security team has reached out separately on the PMC's private list with the program details; this PR is the public-facing repo piece.

Apache Shiro already has a good security model at https://shiro.apache.org/security-model.html. This PR just makes that page reachable by following the conventional in-repo chain. Both new files are pointers; nothing about the substantive content of the model itself changes.

Adjustments welcome on wording, file placement, or section naming — happy to revise. If the PMC prefers different phrasing or wants to host the model in-repo instead of on the website, close this and we'll regroup.

The Security team uses threat-model-producer as the rubric for what a complete model looks like. A separate follow-up describes completeness suggestions against that rubric (also proposals, not requirements).
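The discoverability gate described in the PR body is easy to check mechanically before a scan is even scheduled. The script below is an added example, not code from this PR or from the ASF Security team's scanner; it assumes a simple pointer convention (AGENTS.md names SECURITY.md anywhere in its text, and the first https link in SECURITY.md is the model document), builds a constructed sample repository in a temporary directory, and reports where the AGENTS.md → SECURITY.md → model-document chain breaks, if anywhere. The only real URL it uses is the Shiro security model page named above.

```python
"""Mechanically follow the AGENTS.md -> SECURITY.md -> model-document chain.

Added example (not code from the PR or from the ASF Security team's scanner).
The file formats are an assumption: plain Markdown in which AGENTS.md refers
to SECURITY.md and SECURITY.md carries an https link to the model document.
"""
import re
import tempfile
from pathlib import Path

# Assumed pointer convention: any reference to SECURITY.md inside AGENTS.md,
# and the first https:// URL inside SECURITY.md is the model document.
SECURITY_REF = re.compile(r"\bSECURITY\.md\b")
MODEL_URL = re.compile(r"https://[^\s)>\]]+")


def check_discoverability(repo_root):
    """Walk the chain from the repo root and report where, if anywhere, it breaks."""
    root = Path(repo_root)
    result = {"discoverable": False, "model_url": None, "reason": None}

    agents = root / "AGENTS.md"
    if not agents.is_file():
        result["reason"] = "AGENTS.md missing at repo root"
        return result
    if not SECURITY_REF.search(agents.read_text(encoding="utf-8")):
        result["reason"] = "AGENTS.md does not point at SECURITY.md"
        return result

    security = root / "SECURITY.md"
    if not security.is_file():
        result["reason"] = "SECURITY.md missing at repo root"
        return result
    match = MODEL_URL.search(security.read_text(encoding="utf-8"))
    if not match:
        result["reason"] = "SECURITY.md does not link the model document"
        return result

    result["discoverable"] = True
    result["model_url"] = match.group(0)
    return result


def make_sample_repo(with_security_pointer=True):
    """Constructed sample repo in a temp dir; returns its root path.

    with_security_pointer=False writes an AGENTS.md that never mentions
    SECURITY.md, so the chain breaks at the first hop.
    """
    root = Path(tempfile.mkdtemp(prefix="chain-demo-"))
    agents_body = "# AGENTS.md\n\n"
    if with_security_pointer:
        agents_body += "Security model: see [SECURITY.md](SECURITY.md).\n"
    else:
        agents_body += "Build with `mvn verify`.\n"  # no pointer: chain breaks here
    (root / "AGENTS.md").write_text(agents_body, encoding="utf-8")
    (root / "SECURITY.md").write_text(
        "# Security\n\nThe security model is documented at\n"
        "https://shiro.apache.org/security-model.html\n",
        encoding="utf-8",
    )
    return root


if __name__ == "__main__":
    for pointer in (True, False):
        print(check_discoverability(make_sample_repo(with_security_pointer=pointer)))
```

Run it as a script to see one passing and one failing chain; the `reason` field is what a pre-flight check would surface to reviewers instead of letting a noise-heavy scan run against a model the agent never found.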