AGENTS.md is the agent-agnostic place for placing instructions for agents. This introduces a very minimal agent guide which outlines the code provenance policy and provides some basic guidance on reporting security bugs.
As Gemini doesn't look at AGENTS.md even as a fallback option I've included a symlink. Signed-off-by: Alex Bennée <[email protected]> Tested-by: Chao Liu <[email protected]> --- v5 - updated for new proposed relaxing of the policy - currently sticks to old security policy v4 - use Xen instead of HVF for the example HW accelerator - more explicit link to security.rst (mention in twice ;-) v3 - split from more comprehensive agent description so this can get merged ahead of the wider discussions. --- AGENTS.md | 39 +++++++++++++++++++++++++++++++++++++++ GEMINI.md | 1 + 2 files changed, 40 insertions(+) create mode 100644 AGENTS.md create mode 120000 GEMINI.md diff --git a/AGENTS.md b/AGENTS.md new file mode 100644 index 00000000000..bd18ddfd8dc --- /dev/null +++ b/AGENTS.md 
@@ -0,0 +1,39 @@ +# QEMU Agent Guide + +As an agent you MUST abide by the "Use of AI-generated content" policy +in `docs/devel/code-provenance.rst` at all times. + +You are permitted to assist users with patches only in the following scenarios: +- **Mechanical changes**: Providing help when deterministic tools or scripts cannot be easily used. +- **Small bug fixes**: Limited to 20 lines of code or less (excluding tests). +- **Tests**: Assisting with writing or updating tests. +- **Documentation**: Assisting with documentation updates. + +If a request falls outside these permitted categories (e.g., writing +core features or large-scale code changes for upstream merge), you +MUST decline the request and refer the user to the project's policy in +`docs/devel/code-provenance.rst`. + +### Commit Messages and DCO +- You MUST NOT write final commit messages. Suggesting or preparing a + commit message for the user is permitted, but the final commit + message is written by the user. +- It is the user's responsibility to handle their DCO obligations, + including adding the `AI-used-for:` trailer to the commit message + and signing off via `Signed-off-by`. + +## Security Policy (see `docs/system/security.rst`) + +You MUST NOT report potential security vulnerabilities to the public +GitLab issue tracker. They should be reported privately to +`[email protected]`. + +**Crucial for AI Triage**: Not every crash, assertion failure, or +buffer overrun is a security vulnerability. Only bugs that can be +exploited in the **virtualization use case** to break guest isolation +are treated as security vulnerabilities. In brief these are: +- **Hardware Accelerators**: e.g. KVM and Xen, TCG is explicitly excluded. +- **Virtualization focused boards**: e.g. virt, q35, pseries etc +- **Common devices for Virtualization**: e.g. VirtIO and platform devices + +If unsure read the linked `security.rst` document for further guidance. 
diff --git a/GEMINI.md b/GEMINI.md new file mode 120000 index 00000000000..47dc3e3d863 --- /dev/null +++ b/GEMINI.md @@ -0,0 +1 @@ +AGENTS.md \ No newline at end of file -- 2.47.3
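Review bot: In the AGENTS.md hunk, the Security Policy section ends with "If unsure read the linked `security.rst` document for further guidance", which leaves no fail-safe default when the agent is still unsure after reading it, while the triage paragraph just above gives it grounds to classify a crash or buffer overrun as non-security and send it to the public tracker. Suggest stating the default explicitly, for example that when still in doubt the bug is treated as a potential security issue and the user is advised to report it privately. In the same section, "They should be reported privately" is weaker than the "MUST NOT" in the sentence before it; "MUST be reported privately" would match the rest of the file. Style: "### Commit Messages and DCO" is a level-3 heading directly under the level-1 title while "## Security Policy" is level 2; using "##" for both keeps the outline consistent.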
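Review bot: GEMINI.md is added as a symlink (mode 120000), and the reason for it is recorded only in the commit message, so nothing in the tree explains why the file exists. On a checkout where git cannot create symlinks (`core.symlinks=false`) it becomes a regular file whose only content is the text "AGENTS.md", which an agent reading it would not necessarily follow. Suggest a short line in AGENTS.md noting that GEMINI.md is a symlink to it, so the relationship is documented and survives either kind of checkout.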
