potiuk opened a new pull request, #2775: URL: https://github.com/apache/apisix-ingress-controller/pull/2775
## Summary

This PR adds the discoverability scaffold (`AGENTS.md` + `SECURITY.md`) so automated security scanners and AI assistants can mechanically locate the Apache APISIX project's security threat model from this repository.

The threat model itself lives at [`apache/apisix:docs/en/latest/security-threat-model.md`](https://github.com/apache/apisix/blob/master/docs/en/latest/security-threat-model.md) (pending merge of [apache/apisix#TBD]). The §4.2 component-family table in that document covers this repository under the `apisix-ingress-controller` family.

## What apisix-ingress-controller-specific content is in the model

Of particular relevance to this controller:

- **§4.8 CRD-to-Admin-API fidelity invariant** — silent drop, injection, or rename between the Kubernetes `apisix.apache.org` CRD spec and the Admin API target is treated as a controller bug, not operator misconfiguration. The model recommends an e2e contract test enforcing this invariant.
- **§4.3 cluster-RBAC boundary** — the controller's own RBAC requirements are documented in `apisix-ingress-controller/config/rbac/role.yaml`. Reports depending on the cluster operator granting over-broad RBAC beyond the documented set are out-of-model (operator-misconfig).

## What this PR does not change

This PR is purely the discoverability scaffold — no code changes, no behavioural changes to the controller. Once it lands, automated scanners running against this repository can follow `AGENTS.md → SECURITY.md → threat model` to reach the authoritative document.

The threat model itself was generated by an automated agentic security scan being piloted by the ASF Security team; the discoverability work is independent of any specific scan run.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
