This is an automated email from the ASF dual-hosted git repository.
moonming pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix-ingress-controller.git
The following commit(s) were added to refs/heads/master by this push:
new 028c1a95 Add AGENTS.md + SECURITY.md pointing at project security threat model (#2775)
028c1a95 is described below
commit 028c1a95c09805341bc549d94933528c42d9865b
Author: Jarek Potiuk <[email protected]>
AuthorDate: Sun May 31 05:49:03 2026 +0200
Add AGENTS.md + SECURITY.md pointing at project security threat model (#2775)
---
AGENTS.md | 42 ++++++++++++++++++++++++++++++++++++++++++
SECURITY.md | 39 +++++++++++++++++++++++++++++++++++++++
2 files changed, 81 insertions(+)
diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 00000000..0ed39f5e
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,42 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+
+# Apache APISIX Ingress Controller — Agent Instructions
+
+This file is read by automated agents (security scanners, code
+analyzers, AI assistants) operating on this repository. It
+points them at the human-authored references they should
+consult before producing output.
+
+## Security Model
+
+This repository inherits the Apache APISIX project threat
+model. The authoritative document lives at:
+
+<https://github.com/apache/apisix/blob/master/docs/en/latest/security-threat-model.md>
+
+The §4.2 component-family table in that document covers this
+repository under the `apisix-ingress-controller` family.
+
+Of particular relevance to this controller specifically: §4.8
+includes a CRD-to-Admin-API fidelity invariant — silent drop,
+injection, or rename between the Kubernetes `apisix.apache.org`
+CRD spec and the Admin API target is a controller bug, not
+operator misconfiguration. The §4.8 entry recommends an e2e
+contract test enforcing this invariant.
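Review bot: the closing paragraph says §4.8 recommends an e2e contract test enforcing the CRD-to-Admin-API fidelity invariant, but AGENTS.md gives an agent no pointer to whether such a test exists in this repository or where it lives; since the file's stated purpose is to point agents at the references they should consult, add one line naming the test (or its intended location) or stating plainly that the invariant is not yet covered by a test, so an automated agent does not assume coverage that is absent. Secondly, the link targets `master` of the apisix repository with no section anchor, so the `§4.2` and `§4.8` references will silently drift if that document is renumbered; consider linking to the headings' anchors or pinning a commit.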
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..c92d09d0
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,39 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+
+# Security Policy
+
+Apache APISIX (including this ingress controller) follows the
+Apache Software Foundation's vulnerability-disclosure policy.
+Please report security vulnerabilities to the ASF Security
+team at <[email protected]> per
+<https://www.apache.org/security/>.
+
+## Threat Model
+
+This repository inherits the Apache APISIX project threat
+model at:
+
+<https://github.com/apache/apisix/blob/master/docs/en/latest/security-threat-model.md>
+
+Of particular relevance to `apisix-ingress-controller`:
+§4.8 covers a CRD-to-Admin-API fidelity invariant specific
+to this controller (silent drop / injection / rename
+between the `apisix.apache.org` CRD spec and the Admin API
+target is a controller bug).
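Review bot: the reporting address renders here as `[email protected]`, which is not a usable mailbox; verify that the committed SECURITY.md carries the real ASF security address rather than an obfuscated placeholder, since this file is what reporters and the repository's security tab will surface. Also, the Threat Model section restates the §4.8 invariant already written in AGENTS.md with slightly different wording ("silent drop / injection / rename" versus "silent drop, injection, or rename"); keep one canonical statement and have the other file reference it so the two do not drift apart.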