chore: align agent-core GitHub security with probe-core

.github/dependabot.yml

@@ -1,3 +1,5 @@
+# Dependabot version updates for fluid-pub/agent-core.
+# Security alerts are configured separately in repository settings.
 version: 2
 updates:
   - package-ecosystem: gomod
@@ -6,6 +8,9 @@ updates:
       interval: weekly
       day: monday
     target-branch: develop
+    assignees:
+      - "fuse"
+    open-pull-requests-limit: 5
     commit-message:
       prefix: chore(deps)
     labels:
@@ -18,8 +23,15 @@ updates:
       interval: weekly
       day: monday
     target-branch: develop
+    assignees:
+      - "fuse"
+    open-pull-requests-limit: 5
     commit-message:
       prefix: chore(deps)
     labels:
       - dependencies
       - github-actions
+    groups:
+      github-actions:
+        patterns:
+          - "*"

.github/workflows/codeql.yml

@@ -1,3 +1,4 @@
+# CodeQL analysis for Go (fluid-pub/agent-core).
 name: CodeQL
 
 on:

CHANGELOG.md

@@ -11,6 +11,7 @@ Downstream agents should note **agent-core** upgrades in their own changelogs.
 
 ### Security
 
+- Repository security aligned with **probe-core**: `SECURITY.md`, Dependabot assignees and grouped GitHub Actions updates, private vulnerability reporting and push protection enabled on GitHub.
 - **execution**: validate `fluid_log_path` before `os.Stat` / `os.ReadFile` (CodeQL `go/path-injection`); only absolute paths under `/tmp/fluid/`.
 - **execution**: expand `safeFluidLogPath` test coverage (valid/invalid paths, prefix attacks, `startFileLogForwarder` rejection).
 

SECURITY.md

@@ -0,0 +1,27 @@
+# Security policy
+
+## Supported versions
+
+Security fixes are applied on the latest release line published from this repository (semver tags on `develop` / GitHub Releases). Older tags are not maintained unless stated in a release advisory.
+
+## Reporting a vulnerability
+
+**Do not** open a public GitHub issue for security vulnerabilities.
+
+Preferred channels:
+
+1. **Private vulnerability reporting** (when enabled): use **Security → Advisories → Report a vulnerability** on GitHub.
+2. **GitHub Security Advisories** for this repository: [fluid-pub/agent-core security advisories](https://github.com/fluid-pub/agent-core/security/advisories).
+3. If neither channel is available, contact the Fluid maintainers through your usual Fluid support or security contact path.
+
+Include enough detail to reproduce the issue (affected version, configuration, steps, impact). We aim to acknowledge reports within a few business days and will coordinate disclosure once a fix is available.
+
+## What to expect
+
+- Confirmed issues are tracked as security advisories or private reports until a fix is released.
+- Credit is given to reporters when they agree, unless anonymity is requested.
+- Dependabot and CodeQL may open pull requests for dependency or static-analysis findings; those are handled like other contributions via `develop`.
+
+## Scope
+
+This policy covers the **agent-core** Go library published from this repository and consumed as the `core/` submodule by public Fluid execution agents. It does not cover downstream agent images, operator deployments, or third-party services you integrate with agents.