From a89004063ad9388f52a28a917a339daba8d50642 Mon Sep 17 00:00:00 2001 From: Jarek Potiuk Date: Thu, 14 May 2026 23:55:20 +0200 Subject: [PATCH 1/2] Add AGENTS.md + SECURITY.md linking the project's security model These two small files at the repo root let an automated agent mechanically discover the project's existing security model via the conventional AGENTS.md -> SECURITY.md chain. Both new files are pointers; nothing about the substantive content of the model at https://shiro.apache.org/security-model.html changes. Proposed by the ASF Security team while preparing the project for an automated agentic security scan we're piloting. The scan refuses to run if the model is not discoverable by that path; refusing upfront beats wasting PMC reviewer cycles on a noise-heavy run against a model the agent never found. Discoverability is the only hard gate; everything else is suggestion. Generated-by: Claude Code (Claude Opus 4.7) --- AGENTS.md | 17 +++++++++++++++++ SECURITY.md | 16 ++++++++++++++++ pom.xml | 4 ++++ 3 files changed, 37 insertions(+) create mode 100644 AGENTS.md create mode 100644 SECURITY.md diff --git a/AGENTS.md b/AGENTS.md new file mode 100644 index 0000000000..544491c0e3 --- /dev/null +++ b/AGENTS.md @@ -0,0 +1,17 @@ +# Agent guidance + +This file is read by automated agents (security scanners, code +analyzers, AI assistants) operating on this repository. It +points them at the human-authored references they should +consult before producing output. + +## Security + +Security model: [SECURITY.md](./SECURITY.md), which links to +the canonical model document at +. + +Agents that scan this repository should consult the linked +security model for the project's threat model, in-scope / +out-of-scope declarations, and known non-findings before +reporting issues. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..424fd40076 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,16 @@ +# Security + +Apache Shiro's security model and disclosure process are +published on the project website rather than in the repository: + +- **Threat model and security policy**: + +- **Past security advisories and CVEs**: + +- **How to report a vulnerability**: see the Security section + of . + +The project website is the authoritative source; this file +exists so agents and tooling that look for `SECURITY.md` in +the repository can mechanically follow the link to the +canonical documents. diff --git a/pom.xml b/pom.xml index 66792eaa19..e4fc6008f9 100644 --- a/pom.xml +++ b/pom.xml @@ -359,6 +359,8 @@ velocity.log CONTRIBUTING.md + AGENTS.md + SECURITY.md **/README.md **/*.json **/spring.factories @@ -1595,6 +1597,8 @@ velocity.log CONTRIBUTING.md + AGENTS.md + SECURITY.md **/README.md **/*.json **/spring.factories From 2b9e8e0d975a87c95bfbfab3feb540d524b55f6d Mon Sep 17 00:00:00 2001 From: lprimak Date: Thu, 14 May 2026 18:43:33 -0500 Subject: [PATCH 2/2] minor fixes for SECURITY.md to reflect the true state of the docs --- SECURITY.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 424fd40076..0be9170af5 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -3,12 +3,10 @@ Apache Shiro's security model and disclosure process are published on the project website rather than in the repository: -- **Threat model and security policy**: +- **Threat and security model**: -- **Past security advisories and CVEs**: +- **Security policy, vulnerability reporting, past advisories and CVEs**: -- **How to report a vulnerability**: see the Security section - of . The project website is the authoritative source; this file exists so agents and tooling that look for `SECURITY.md` in
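Review bot: In the AGENTS.md hunk the sentence `the canonical model document at` is followed by a line holding only `.`, so the address the commit message names (https://shiro.apache.org/security-model.html) is not visible in the added text; if that link was written as an angle-bracket autolink that the diff rendering dropped, consider writing it as an explicit `[security model](https://shiro.apache.org/security-model.html)` link so that renderers and plain-text agents that do not expand autolinks still see the URL. The relative `[SECURITY.md](./SECURITY.md)` link is the part the commit message makes a hard gate (the AGENTS.md -> SECURITY.md chain), and it is correct for a file that lives at the repository root.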
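Review bot: The bullets in the new SECURITY.md (`- **Threat model and security policy**:`, `- **Past security advisories and CVEs**:`, and the `see the Security section of .` line) show no target after the colon in the diff, so neither a reviewer of this patch nor a tool reading the rendered file can tell which website page each bullet points to; the same angle-bracket-autolink concern as in AGENTS.md applies, and spelling the URLs out as explicit Markdown links would make them survive any renderer. It would also help to say in the file itself which of the linked pages carries the vulnerability-reporting instructions, since that is the item an external reporter is most likely to arrive here looking for.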
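Review bot: The two pom.xml hunks (at `@@ -359,6 +359,8 @@` and `@@ -1595,6 +1597,8 @@`) add the identical entries `AGENTS.md` and `SECURITY.md` to what, judging from the neighbouring `CONTRIBUTING.md` and `**/README.md` entries, is an exclusion list for a header or formatting check that the build maintains in two places; if both copies must stay in sync, consider factoring the list into one shared property, or at least leaving a comment in each copy pointing at the other, because the next root-level doc file will again have to be remembered twice. If this is a license-header exclusion, it also means the two new Markdown files ship without an ASF header, which is consistent with how CONTRIBUTING.md is treated but is worth stating in the commit message.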
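Review bot: In the second patch's SECURITY.md hunk the rewritten bullet `- **Security policy, vulnerability reporting, past advisories and CVEs**:` folds the deleted `How to report a vulnerability` item into a single link, and again no target is visible after the colon in the diff; please confirm that the one remaining page really contains the reporting instructions, because the `see the Security section of .` guidance this hunk removes otherwise disappears without a replacement, and the first patch's commit message says the automated scan gates on what is discoverable through this file. Naming in the commit message which website page the original wording got wrong would help future readers understand why the bullets were regrouped.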