2 Commits

Author SHA1 Message Date
Rainer Gerhards
b9b719184c
Apply suggested fix to doc/ai/security_triage_rubric.md from Copilot Autofix
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
2026-05-11 09:14:59 +02:00
Rainer Gerhards
9b466b89d1
doc: add security triage rubric for AI agents
Why: automated security reviews need a shared proof standard so
hardening opportunities are not over-stated as confirmed vulnerabilities.

Impact: contributor-facing guidance now distinguishes confirmed issues,
potential issues, hardening, and invalid findings before severity or CWE
language is used.

Before/After: agent guidance pointed at documentation structure, but did
not define a security-finding evidence bar; the new rubric documents the
required source, reachability, sink, missing guard, and impact checks.

Technical Overview:
Add doc/ai/security_triage_rubric.md with classification, proof, CWE,
severity, rsyslog-specific, test, wording, and inline-comment guidance.
Link the rubric from the root AGENTS.md and doc/ai AGENTS.md files.
List the new file in doc/ai/README.md and doc/Makefile.am so it is easy
to discover and packaged with the documentation support files.

With the help of AI-Agents: Codex
2026-05-10 15:39:10 +02:00