Add AGENTS.md + SECURITY.md pointing to the security model (scanner discoverability)

AGENTS.md

@@ -0,0 +1,7 @@
+# AGENTS.md
+
+## Security
+
+See the [Apache StormCrawler Security Model](https://stormcrawler.apache.org/security/) for the project's
+threat model, trust boundaries, in-scope / out-of-scope declarations, and known non-findings before
+reporting security issues. See also [SECURITY.md](SECURITY.md).

SECURITY.md

@@ -0,0 +1,10 @@
+# Security Policy
+
+For the assumptions, trust boundaries, scope, and what Apache StormCrawler considers a security
+vulnerability, see the **[Apache StormCrawler Security Model](https://stormcrawler.apache.org/security/)**.
+
+## Reporting a Vulnerability
+
+Please report security vulnerabilities privately following the
+[ASF security process](https://www.apache.org/security/) — email
+[security@apache.org](mailto:security@apache.org). Do not open public GitHub issues for security reports.

pom.xml

@@ -558,6 +558,8 @@ under the License.
                                 <exclude>NOTICE</exclude>
                                 <exclude>CONTRIBUTING.md</exclude>
                                 <exclude>RELEASING.md</exclude>
+                                <exclude>AGENTS.md</exclude>
+                                <exclude>SECURITY.md</exclude>
                                 <exclude>external/opensearch/dashboards/**</exclude>
                                 <exclude>external/solr/archetype/src/main/resources/archetype-resources/configsets/**</exclude>
                                 <exclude>THIRD-PARTY.properties</exclude>