From fb83ef1be27a98d0ffea7126c64e1da957a8b1a9 Mon Sep 17 00:00:00 2001 From: Jarek Potiuk Date: Mon, 18 May 2026 00:47:40 +0200 Subject: [PATCH 1/2] Add AGENTS.md + SECURITY.md for scan-agent discoverability Adds AGENTS.md + SECURITY.md so an automated scan agent can mechanically discover the project's security model via the conventional AGENTS.md -> SECURITY.md -> model URL chain. The chain terminates at the existing https://spark.apache.org/docs/latest/security.html document. Generated-by: Claude Code (Claude Opus 4.7) --- AGENTS.md | 14 ++++++++++++++ SECURITY.md | 27 +++++++++++++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 AGENTS.md create mode 100644 SECURITY.md diff --git a/AGENTS.md b/AGENTS.md new file mode 100644 index 0000000..c106092 --- /dev/null +++ b/AGENTS.md @@ -0,0 +1,14 @@ +# Agent guidance + +This file is read by automated agents (security scanners, code +analyzers, AI assistants) operating on this repository. It +points them at the human-authored references they should +consult before producing output. + +## Security + +Security model: [SECURITY.md](./SECURITY.md) + +Agents that scan this repository should consult `SECURITY.md` +for the project's threat model, in-scope / out-of-scope +declarations, and known non-findings before reporting issues. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..9742cb8 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,27 @@ +# Security policy + +## Reporting a vulnerability + +To report a security vulnerability in apache/spark-connect-rust, +follow the ASF security process at +. Reports can be sent privately +to security@apache.org or to security@spark.apache.org. + +## Threat model + +This repository implements the Rust client for the Spark Connect +RPC protocol. Apache Spark's security guidance for operators is +documented at: + + + +That document covers authentication, encryption, access +control, Kerberos integration, trust boundaries, environmental +assumptions, security properties provided and not provided, +and downstream operator responsibilities. The client-side +trust assumptions for Spark Connect (RPC channel, credential +material, TLS validation) inherit from that model. + +Automated security scanning agents should consult that +document for the project's in-scope / out-of-scope +declarations before reporting issues. From 33d00476f47d2a1c63455149a4a371f242ad0181 Mon Sep 17 00:00:00 2001 From: Xiao Li Date: Mon, 25 May 2026 18:59:53 -0700 Subject: [PATCH 2/2] Update security contact email for vulnerability reports --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 9742cb8..80e5325 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -5,7 +5,7 @@ To report a security vulnerability in apache/spark-connect-rust, follow the ASF security process at . Reports can be sent privately -to security@apache.org or to security@spark.apache.org. +to security@apache.org or to private@spark.apache.org. ## Threat model
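Review bot: On the AGENTS.md hunk, the closing paragraph promises that SECURITY.md holds "in-scope / out-of-scope declarations, and known non-findings", but the SECURITY.md created in the same patch contains neither: it repeats the in-scope / out-of-scope phrase and defers everything to the linked Spark document. Either add those sections to SECURITY.md (even a short list of what the client does and does not claim to protect, and any scanner results already triaged as not-a-bug) or reword the AGENTS.md sentence to say SECURITY.md points to where the model is documented, so an agent following the chain does not treat the missing sections as a finding.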
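Review bot: On the SECURITY.md creation hunk, both link targets are absent as the hunk renders here: "follow the ASF security process at" is followed directly by a period, and "documented at:" by two blank lines, while the commit message says the chain terminates at https://spark.apache.org/docs/latest/security.html. Check that the committed file actually carries both URLs, since a missing link breaks the AGENTS.md -> SECURITY.md -> model URL chain the commit message describes. Separately, the "Threat model" paragraph states that the client's RPC channel, credential material and TLS validation "inherit from that model", but the same paragraph describes that document as guidance for operators; one or two sentences on what this client itself assumes (whether it validates the server certificate by default, where it reads credential material from) would give a scanner something concrete to check against.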
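Review bot: On the patch 2 hunk, replacing security@spark.apache.org with private@spark.apache.org needs a line of rationale in the commit message, which currently only says "Update security contact email". Confirm that private@spark.apache.org is monitored for vulnerability reports (security@apache.org rightly stays listed first in the "+" line as the ASF channel), and consider adding a sentence that reports must not be filed as public GitHub issues, since the file's stated purpose is to tell automated agents where to send findings.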