Add security threat model and wire AGENTS.md -> SECURITY.md -> THREAT_MODEL.md

**This is a v0 draft proposal for the Zeppelin PMC to review — please correct, reject, or discuss as needed.** The maintainer is the decision-maker; nothing here is a requirement. The threat model does not need to be "finished" for anything downstream — it just makes automated security review (and triage of inbound reports) far less noisy.

**Context.** The ASF Security team is preparing the project for an automated agentic security scan we're piloting. Those scans run against a threat model that tells the scanner what's in scope, what's by-design, and what counts as a real finding — without one, the output buries maintainers in noise. This PR proposes the discoverable model plus the wiring the scanner needs.

**What's in this PR:**

- **`THREAT_MODEL.md`** (new) — a v0 security threat model written from Zeppelin's public docs + codebase, following the [threat-model-producer rubric](https://gist.github.com/potiuk/da14a826283038ddfe38cc9fe6310573). Every claim carries a provenance tag: *(documented)* (from your docs/site) or *(inferred)* (our guess from code/docs, for you to confirm / correct / strike). Draft confidence ~18 documented / 24 inferred.
- **`SECURITY.md`** (was an empty file) — disclosure pointer + link to the threat model.
- **`AGENTS.md`** — a `## Security` section so the `AGENTS.md → SECURITY.md → THREAT_MODEL.md` chain resolves for automated tooling. The existing developer guidance is unchanged.

**The framing to sanity-check first:** Apache Zeppelin runs user notebook code by design, so RBAC (Shiro + notebook ACL + URL ACL + impersonation) is the boundary, **not a sandbox** — a `%sh` command from a run-capable user is the product working, not RCE. The model treats interpreter execution as in-scope only when it crosses an authn/authz or tenant boundary.

**What we'd need from the PMC:**

1. **§14 wave 1 (the important one):** rule on the insecure defaults — is anonymous-by-default / public-notebooks / impersonation-off the *supported production posture* (a report against it is `VALID`), or a dev-convenience operators are expected to change (`OUT-OF-MODEL: non-default-build`)? This reshapes the whole model.
2. Walk the §14 questions (waves 1–3) — a one-line confirm / correct / strike per question is enough; each *(inferred)* tag becomes *(maintainer)* as you answer.

If you'd rather own the drafting yourselves, close the PR and we'll wait — entirely your call.

Closes #5268 from potiuk/asf-security/threat-model-2026-06-05.

Signed-off-by: Jongyoul Lee <jongyoul@gmail.com>
Documentation: User Guide
Mailing Lists: User and Dev mailing list
Continuous Integration:
Contributing: Contribution Guide
Issue Tracker: Jira
License: Apache 2.0
Zeppelin is a web-based notebook that enables interactive data analytics. You can make beautiful data-driven, interactive and collaborative documents with SQL, Scala and more.
Core features:
To learn more about Zeppelin, visit our website: https://zeppelin.apache.org
Please go to the install page to install Apache Zeppelin from the binary package.
Please check Build from source to build Zeppelin from source.