docs: add draft threat model + SECURITY.md/AGENTS.md discoverability #3734

Open
potiuk wants to merge 2 commits into apache:main from potiuk:asf-security/threat-model-2026-06-02

potiuk commented Jun 2, 2026

What this is

A draft threat model for Apache Fory, proposed by the ASF Security team for the Fory PMC to review, correct, or reject. It is a starting point for discussion, not a finished document.

This PR:

  • adds THREAT_MODEL.md — the draft model, following the ASF Security threat-model rubric;
  • adds SECURITY.md — a short security policy that links the threat model;
  • appends a ## Security section to AGENTS.md, so the chain AGENTS.md → SECURITY.md → THREAT_MODEL.md is mechanically discoverable by automated security scanners.

How to read it

Every claim is provenance-tagged: (documented) (from Fory's own docs/repo), (inferred) (reasoned from the architecture, not yet confirmed), (maintainer) (confirmed by the PMC). This v0 is ~20 documented / ~26 inferred. The §14 Open questions section collects every inferred claim into waves for the PMC to confirm or correct — that is where review time is best spent. The highest-impact ones:

  • whether "under the default requireClassRegistration(true), only registered types are instantiated from untrusted bytes" is a committed property, and whether findings that require requireClassRegistration(false) are out-of-model / non-default (wave 1);
  • per-language memory safety on malformed input — in particular the C++ decoder (wave 2);
  • the cross-language (xlang) peer-trust assumption and the resource/DoS line beyond maxDepth (waves 2).

Nothing here is a requirement — the model is for the PMC to own. Comment inline, edit the branch, or reply on the email thread.

AI Usage Disclosure

  • Substantial AI assistance: yes.
  • What: THREAT_MODEL.md was drafted by the ASF Security team's threat-model tooling (Claude) from Apache Fory's public documentation and repository, following the Scovetta rubric. SECURITY.md and the AGENTS.md Security section are templated scaffolding.
  • Review model: the document is deliberately presented as a draft for line-by-line maintainer review — every claim carries a provenance tag, and all unverified (inferred) claims are surfaced as explicit open questions (§14) for the PMC to ratify, correct, or strike. It is not offered as finished or authoritative content.
  • Provenance / licensing: content is original to this engagement, carries the ASF license header, and is intended to comply with the ASF Generative Tooling Guidance.
