potiuk opened a new pull request, #1007: URL: https://github.com/apache/tomcat/pull/1007
**This is a proposal for the PMC to review — please correct, reject, or discuss as needed.** Nothing here is a requirement; the maintainer is the decision-maker.

This PR adds two small files at the repo root — `AGENTS.md` and `SECURITY.md` — so an automated agent can mechanically discover the project's existing security model.

Background: the ASF Security team is preparing Tomcat for a Glasswing agentic security scan. The scan refuses to run if the model isn't discoverable by the convention `AGENTS.md → SECURITY.md → model document`. Refusing upfront beats wasting PMC reviewer cycles on a noise-heavy run against a model the agent never found. Discoverability is the one hard gate; everything else is suggestion.

Apache Tomcat already has a perfectly good security model at <https://tomcat.apache.org/security-model.html>. This PR just makes that page reachable by following the conventional in-repo chain. Both new files are pointers; nothing about the substantive content of the model itself changes.

Adjustments welcome on wording, file placement, or section naming — happy to revise. If the PMC prefers different phrasing or wants to host the model in-repo instead of on the website, close this and we'll regroup.

The Security team uses [`threat-model-producer`](https://github.com/apache/security/blob/main/.github/skills/threat-model-producer/SKILL.md) as the rubric for what a complete model looks like. A separate issue follows with completeness suggestions against that rubric (also proposals, not requirements).
