docs: add camel-karaf security model, SECURITY.md and AGENTS.md #706
Adds a Karaf-specific threat model documenting who is trusted, where the trust boundaries sit, and what counts as a camel-karaf vulnerability versus an Apache Camel core or operator responsibility.
camel-karaf is a runtime adapter: the data-plane vulnerability classes (deserialization, XXE, injection, path traversal, header abuse, ...) live in Apache Camel core and components. This model therefore defers those to the canonical Apache Camel Security Model and covers only the Karaf delta: the camel-core-osgi resolution layer, the Blueprint DSL trust position, the Karaf shell as a management surface, the feature / Pax-URL install model, and "OSGi is not a security sandbox".
The model is fully ratified; provenance tags are retained as the chain of authority for triage.
- docs/modules/ROOT/pages/security-model.adoc: the threat model, mirroring the apache/camel security-model.adoc house style
- docs/modules/ROOT/nav.adoc: link the new page in the user guide nav
- SECURITY.md: GitHub-rendered reporting pointer to the model and the Apache Camel private disclosure process
- AGENTS.md (+ CLAUDE.md symlink): AI-agent guidelines incl. a Security Model summary, matching the apache/camel AGENTS.md style
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
| @@ -0,0 +1,358 @@ | |||
| # Apache Camel Karaf - AI Agent Guidelines | |||
The ASF header is missing here.
Convert the three in-site links from absolute link:https://camel.apache.org/ URLs to root-relative link:/security/ form, matching apache/camel core security-model.adoc (apache/camel#23224) and the companion per-subproject fixes. This keeps PR apache#706 from introducing camel/relative-links failures in the camel-website build once merged. Documentation-only; same link target.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Added commit
Claude Code on behalf of Andrea Cosentino
Address @jbonofre review on PR apache#706: prepend the ASF Apache License v2 header to the newly added files. AGENTS.md, SECURITY.md use the repository's existing HTML-comment header (matching README.md); security-model.adoc uses the AsciiDoc //// comment form. CLAUDE.md is a symlink to AGENTS.md and inherits the header transitively, so the symlink is intentionally preserved rather than converted to a regular file.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
@jbonofre addressed in
Claude Code on behalf of Andrea Cosentino
What
Adds a Karaf-specific threat model for camel-karaf, plus the supporting
SECURITY.md reporting pointer and AGENTS.md AI-agent guidelines — mirroring
the house style of apache/camel
(docs/user-manual/.../security-model.adoc + root SECURITY.md + AGENTS.md
with a Security Model section + CLAUDE.md symlink).
- docs/modules/ROOT/pages/security-model.adoc
- docs/modules/ROOT/nav.adoc
- SECURITY.md
- AGENTS.md (+ CLAUDE.md symlink)
Why / approach
camel-karaf is a runtime adapter, not a new data plane. The data-plane
vulnerability classes (unsafe deserialization, XXE, expression/template
injection, path traversal, SSRF, header/bean-dispatch abuse, auth bypass,
information disclosure, insecure defaults, back-end query injection) live in
Apache Camel core and components. The model therefore defers those to the
canonical Apache Camel Security Model
and documents only the Karaf delta:
- camel-core-osgi resolution layer (must not widen, for untrusted message data, a class/bean/component sink flat-classpath Camel core had closed);
It includes a component-family map, input-trust matrix, adversary model,
properties provided / not provided, known non-findings (for automated triage),
a closed set of triage dispositions, and a dated ratification record. The model
is fully ratified; provenance tags are retained as the chain of authority
cited when closing reports.
Produced with the
threat-model-producer rubric. No code changes; docs only. Build gate not affected.
Claude Code on behalf of Andrea Cosentino
🤖 Generated with Claude Code