Fix #2834: Add Kamelet Catalog security model, SECURITY.md and AGENTS.md #2835
Merged
Adds a security model for the Kamelet Catalog that specialises the Apache Camel Security Model for Kamelets (PMC-authored route templates), mirroring the apache/camel house style:

- docs/modules/ROOT/pages/security-model.adoc: trust roles, component families, in/out-of-scope vulnerability classes, false-friend properties, downstream responsibilities, closed triage-disposition set, and a maintainer-ratification record (Camel PMC, 2026-05-15).
- SECURITY.md: root reporting pointer to the Apache Camel ASF process.
- AGENTS.md (+ CLAUDE.md symlink): AI agent guidelines with the Kamelet-specific Security Model section, mirroring apache/camel.

Documentation only; no code or runtime change. nav.adoc is generated, so the page is reached via the SECURITY.md / AGENTS.md xrefs.

AI-assisted (Claude Code) on behalf of Andrea Cosentino.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
oscerd added a commit that referenced this pull request on May 15, 2026
The Kamelet Catalog security model page (added in #2835, issue #2834) uses Kamelet property-placeholder syntax {{property}} and Camel simple syntax ${body} as literal text in inline prose and tables. Asciidoctor parses the inner {property} / {body} as attribute references, cannot resolve them, and emits 'skipping reference to missing attribute' warnings. camel-website's strict production Antora build (build:antora-perf) aggregates this page from apache/camel-kamelets main and fails on those warnings, which turns every camel-website pull request red regardless of its content.

Escape the inner attribute reference with a backslash ({\{property}}, $\{body}); Asciidoctor consumes the backslash and renders the literal {{property}} / ${body} unchanged, with no attribute resolution and no warning.

Documentation-only change; no rendered-output difference.

Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
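A pre-merge check for the warning described in the commit message above, as an added example that is not part of the commit or of the Camel project's tooling: it flags `{{name}}` and `${name}` in AsciiDoc prose and tables whose inner reference lacks the backslash, and returns the escaped form. The function name and the sample document are constructed for illustration.

```python
import re

# Inner `{name}` of a Kamelet `{{name}}` placeholder or a simple `${name}`
# expression with no backslash in front of it. Asciidoctor attribute names
# are word characters and hyphens, so `${header.foo}` is not a reference.
UNESCAPED = re.compile(r"(?P<lead>\{|\$)\{(?P<name>\w[\w-]*)\}(?P<tail>\}?)")
# Listing (----), literal (....) and passthrough (++++) block delimiters;
# attribute substitution is not applied inside these by default.
BLOCK_DELIM = re.compile(r"-{4,}|\.{4,}|\+{4,}")


def find_unescaped(adoc_text):
    """Return (line number, offending text, escaped form) for each hit.

    Simplification: inline `+...+` passthroughs are not recognised.
    """
    findings, fence = [], None
    for lineno, line in enumerate(adoc_text.splitlines(), 1):
        stripped = line.strip()
        if fence is None and BLOCK_DELIM.fullmatch(stripped):
            fence = stripped          # entering a verbatim block
            continue
        if fence is not None:
            if stripped == fence:     # matching delimiter closes it
                fence = None
            continue
        for m in UNESCAPED.finditer(line):
            fixed = m["lead"] + "\\{" + m["name"] + "}" + m["tail"]
            findings.append((lineno, m.group(0), fixed))
    return findings


# Constructed sample page, not text from security-model.adoc.
SAMPLE = """\
= Security model (constructed sample)

Values bound through {{property}} are operator input.
The `${body}` expression is evaluated by simple.
Already escaped: {\\{property}} and $\\{body}.

----
from: "kamelet:source?topic={{topic}}"
----
|Placeholder |{{accessKey}}
"""

if __name__ == "__main__":
    for lineno, found, fixed in find_unescaped(SAMPLE):
        print(f"line {lineno}: {found} -> {fixed}")
```

Inline backticks do not suppress attribute substitution, which is why the `${body}` on line 4 of the sample is still reported.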
Closes #2834
What
Adds a security model for the Kamelet Catalog, mirroring the apache/camel house style (a security-model.adoc page + root SECURITY.md pointer + AGENTS.md with a Security Model section + CLAUDE.md symlink).

- docs/modules/ROOT/pages/security-model.adoc — specialises the Apache Camel Security Model for Kamelets. A Kamelet is PMC-authored route code, so the trusted-template author is the catalog itself; the Kamelet runtime (kamelet: component, {{property}} binding, kamelets.utils.*) lives in apache/camel, not here. Covers: trust roles, component families, in/out-of-scope vulnerability classes, false-friend properties, downstream responsibilities, a closed triage-disposition set, and a maintainer-ratification record (Camel PMC, 2026-05-15).
- SECURITY.md — root reporting pointer to the Apache Camel ASF process.
- AGENTS.md (+ CLAUDE.md symlink) — AI agent guidelines with the Kamelet-specific Security Model section, matching apache/camel.

Why
The Kamelet Catalog had no documented security model, despite Kamelets having trust nuances distinct from core Camel. This gives the PMC and triagers (and scanners/AI review) an authoritative scope statement that defers to, and specialises, the parent Camel model.
Notes
- nav.adoc is generated; the page is reached via the SECURITY.md / AGENTS.md xrefs.
- private-security@camel.apache.org / the Camel ASF process); this only documents scope.

Test plan
- mvn verify (docs/model only; no functional change).
- camel-kamelets module; internal xref: links resolve to existing pages (development.adoc, apis/spec.adoc).

Authored with Claude Code on behalf of Andrea Cosentino (AI-assisted). The security model content was reviewed and ratified by the Camel PMC as recorded in the document.