[improve][misc] Add AGENTS.md and split contributor/coding/architecture/security docs, with .agents skills

[lhotari]

Motivation

The repository had GitHub Copilot review instructions (.github/copilot-instructions.md) but no
top-level guide for general AI coding agents (Claude Code, Cursor, Gemini, Codex, Aider, …), and no
single, concise contributor reference for the build / test / contribution workflow after the
Maven→Gradle migration (PIP-463).

This PR adds that guidance and — following review feedback on the first iteration — structures it the
way apache/groovy and apache/grails organize theirs:
human-facing split docs at the repository root, a concise AGENTS.md index, and per-task skills under
.agents/skills/ that are loaded on demand so agents don't pull every instruction into context (a
token-economy concern for contributors on metered plans). The coding/contribution conventions were
distilled from recurring guidance in past apache/pulsar PR reviews.

Important

New logging convention — please confirm the direction. The coding guidelines document a
preference for the slog structured-logging library via Lombok
@CustomLog, with SLF4J treated as deprecated for new code, structured attributes + lazy
evaluation instead of isDebugEnabled() guards, and defaulting new logs to TRACE/DEBUG. slog is
already wired into the build; this PR is the first time the preference is written down.

Modifications

Root docs (human-facing, the source of truth) + an AGENTS.md index + .agents/skills/:

• AGENTS.md — concise router/index: a "Licensing and provenance (read first)" section (ASF
  Generative Tooling guidance: human-in-the-loop
  accountability, provenance/licensing, attribution), a canonical-docs table, a skills table, critical
  rules, and where to ask.
• ARCHITECTURE.md (new) — module map, the Gradle build infrastructure, the
  module-name-vs-directory gotcha, the pip/ proposals, the (undocumented) concurrency model and
  backpressure.
• CODING.md (new) — style, data types, async/CompletableFuture, concurrency + Java Memory
  Model, logging (slog), resource/memory management, performance, dependencies, backward compatibility
  (incl. plugin/SPI extension points), testing conventions, and the review checklist.
• CONTRIBUTING.md — expanded from a website-pointer stub into the local dev workflow: build,
  lint, --tests-scoped runs, test groups, integration tests, Personal CI, PR conventions, scope &
  branches/backports, security reporting.
• SECURITY.md — reporting, disclosure hygiene, the (informal) security model & threat scope, and
  checking exposure to an already-public CVE.
• .agents/skills/ (new) — lean, on-demand guardrail skills (pulsar-build, pulsar-tests,
  pulsar-pr-workflow, pulsar-security) that cite the canonical docs rather than restating them,
  plus a README.md index.
• CLAUDE.md and .github/copilot-instructions.md are now symlinks to AGENTS.md.
• .github/PULL_REQUEST_TEMPLATE.md — Closes #xyz accepted alongside Fixes #xyz; notes the
  CI-enforced title prefixes and that Motivation/Modifications are required.
• README.md — a short note on checking exposure to an already-public CVE.

Note

.github/copilot-instructions.md becoming a symlink to AGENTS.md means Copilot's detailed review
guidance now lives in CODING.md (which AGENTS.md links to). If Copilot doesn't follow the symlink
or traverse to CODING.md, its in-review guidance is thinner than before — worth confirming. (Done
per the review suggestion to symlink the per-tool files to AGENTS.md.)

Verifying this change

• Make sure that the change passes the CI checks.

This change is a trivial rework / code cleanup without any test coverage. It is documentation-only
(Markdown, plus two symlinks); all changed paths are excluded from RAT / Checkstyle / Spotless.

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

• Dependencies (add or upgrade a dependency)
• The public API
• The schema
• The default values of configurations
• The threading model
• The binary protocol
• The REST endpoints
• The admin CLI options
• The metrics
• Anything that affects deployment

[asafm]

@lhotari Couple of high level notes first:

1. From what I know, it's best to have a dedicated folder for agent documentation (e.g. .ai) and place any LLM agent instructions there.
2. Once you have (1), you can split the context per what is needed - everything related to contributing (setting up local dev env, rules for PR creation ,etc) goes to CONTRIBUTING.md; Architecture and how Pulsar works can go to ARCHITECTURE.md, and coding guidelines and best practices can go to CODING.md.
3. Once you have (2) AGENTS.md is effectively an index - describing the different LLM doc files you created in (2), and where they are located.
4. Once you have (3), all is left is to have the files for other LLMs be a symlink to AGENTS.md so , github-instructions.md and CLAUDE.md is just symlink.

[lhotari]

@lhotari Couple of high level notes first:

1. From what I know, it's best to have a dedicated folder for agent documentation (e.g. .ai) and place any LLM agent instructions there.
2. Once you have (1), you can split the context per what is needed - everything related to contributing (setting up local dev env, rules for PR creation ,etc) goes to CONTRIBUTING.md; Architecture and how Pulsar works can go to ARCHITECTURE.md, and coding guidelines and best practices can go to CODING.md.
3. Once you have (2) AGENTS.md is effectively an index - describing the different LLM doc files you created in (2), and where they are located.
4. Once you have (3), all is left is to have the files for other LLMs be a symlink to AGENTS.md so , github-instructions.md and CLAUDE.md is just symlink.

@asafm thanks for the suggestions. I guess we can iterate on this in further PRs. I won't have time to make such improvements at this time. Would you like to take over the restructuring after this PR has been merged?

btw. Some repositories provide skills for AI agents for performing specific tasks in the repository. example: https://github.com/apache/grails-core/blob/7.0.x/AGENTS.md#available-skills . I guess such a solution could save tokens so that the agent doesn't always pull in all information in AGENTS.md and referenced files into the context.

[lhotari]

This seems to be a good example where CONTRIBUTING.md and ARCHITECTURE.md are referenced:
https://github.com/apache/groovy/blob/master/AGENTS.md
There's also a good amount of skills to be used by agents (or humans driving an agent):
https://github.com/apache/groovy/blob/master/AGENTS.md#skills

[lhotari]

I guess I could use an agent (Claude Code) to restructure according to a similar approach that is used in apache/groovy or apache/grails.

[lhotari]

@asafm I have addressed your feedback about splitting into multiple files. PTAL