This is an automated email from the ASF dual-hosted git repository.

cloud-fan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/spark-connect-rust.git


The following commit(s) were added to refs/heads/master by this push:
     new 4f43dfa  Add AGENTS.md + SECURITY.md for scan-agent discoverability (#48)
4f43dfa is described below

commit 4f43dfa883fef0861c5c6b87e36320c1cafc4904
Author: Jarek Potiuk <[email protected]>
AuthorDate: Tue May 26 04:24:53 2026 +0200

    Add AGENTS.md + SECURITY.md for scan-agent discoverability (#48)
    
    * Add AGENTS.md + SECURITY.md for scan-agent discoverability
    
    Adds AGENTS.md + SECURITY.md so an automated scan agent can mechanically
    discover the project's security model via the conventional
    AGENTS.md -> SECURITY.md -> model URL chain. The chain terminates at the
    existing https://spark.apache.org/docs/latest/security.html document.
    
    Generated-by: Claude Code (Claude Opus 4.7)
    
    * Update security contact email for vulnerability reports
    
    ---------
    
    Co-authored-by: Xiao Li <[email protected]>
---
 AGENTS.md   | 14 ++++++++++++++
 SECURITY.md | 27 +++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)

diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 0000000..c106092
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,14 @@
+# Agent guidance
+
+This file is read by automated agents (security scanners, code
+analyzers, AI assistants) operating on this repository. It
+points them at the human-authored references they should
+consult before producing output.
+
+## Security
+
+Security model: [SECURITY.md](./SECURITY.md)
+
+Agents that scan this repository should consult `SECURITY.md`
+for the project's threat model, in-scope / out-of-scope
+declarations, and known non-findings before reporting issues.
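
Review bot: The last paragraph of AGENTS.md promises more than SECURITY.md delivers: it tells agents to consult `SECURITY.md` for "in-scope / out-of-scope declarations, and known non-findings", but the SECURITY.md added in this same commit contains neither and only links to the upstream Spark security page. An agent following this chain will find no non-findings list to suppress against. Either reword this paragraph to say that SECURITY.md points to the upstream Spark security model, or add explicit scope and known-non-finding sections to SECURITY.md so the description is accurate.
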
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..80e5325
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,27 @@
+# Security policy
+
+## Reporting a vulnerability
+
+To report a security vulnerability in apache/spark-connect-rust,
+follow the ASF security process at
+<https://www.apache.org/security/>. Reports can be sent privately
+to [email protected] or to [email protected].
+
+## Threat model
+
+This repository implements the Rust client for the Spark Connect
+RPC protocol. Apache Spark's security guidance for operators is
+documented at:
+
+<https://spark.apache.org/docs/latest/security.html>
+
+That document covers authentication, encryption, access
+control, Kerberos integration, trust boundaries, environmental
+assumptions, security properties provided and not provided,
+and downstream operator responsibilities. The client-side
+trust assumptions for Spark Connect (RPC channel, credential
+material, TLS validation) inherit from that model.
+
+Automated security scanning agents should consult that
+document for the project's in-scope / out-of-scope
+declarations before reporting issues.
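
Review bot: In the "Threat model" section, the client-side trust assumptions "(RPC channel, credential material, TLS validation)" are named but never stated; the text only says they "inherit from that model", and the linked page is described here as guidance for operators. A scanner or reporter cannot tell from this file what the Rust client itself treats as trusted, so the closing instruction to consult that document for "in-scope / out-of-scope declarations" leaves the scope of this repository undefined. Consider adding a short list specific to this client (what input it trusts from the server, how credential material is expected to be supplied, and what TLS validation it performs) plus an explicit in-scope / out-of-scope statement for the repository. Also note that the `docs/latest` URL is a moving target, so the model a reader lands on may change without any change to this file.
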

