Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
23 commits
Select commit Hold shift + click to select a range
5b9a7ff
fix(sight): mask payload_len for BPF verifier on older kernels
chengshuyi May 11, 2026
3329cbe
ci(sec-core): add python code style check
yangdao479 May 11, 2026
820a0b6
chore(sec-core): add AGENTS.md for sec-core
yangdao479 May 11, 2026
45dcd09
fix(sec-core): fix reviewer comments
yangdao479 May 12, 2026
21d1b7a
fix(sec-core): detect unsigned skill files
1570005763 May 11, 2026
ba9d0cd
fix(sec-core): align skill signing paths
1570005763 May 12, 2026
5f07e72
feat(sight): add uid field to SLS logs with OnceLock cache and startu…
chengshuyi May 12, 2026
01a375a
fix(sight): handle Node.js process.title change in OpenClaw matcher
chengshuyi May 12, 2026
cb4820f
feat(cosh): expose run_id in HookInput for per-run event correlation
kongche-jbw May 11, 2026
16f17e5
fix(sight): adapt skill extraction for Hermes agent architecture
Daydreamer-Li May 13, 2026
f80fe2b
fix(sec-core): limit skill-ledger hook scope
1570005763 May 12, 2026
06fe804
fix(tokenless): add activation onCapabilities hook for openclaw plugi…
shiloong May 10, 2026
987ee32
chore(tokenless): bump to v0.3.1
shiloong May 10, 2026
e912e31
feat(sec-core): support build all for sec-core
yangdao479 May 13, 2026
3f22286
ci(sec-core): add source build ci
yangdao479 May 13, 2026
5aec5cf
ci(sec-core): check cosh python deps in ci
yangdao479 May 13, 2026
5bdc220
fix(sec-core): support installed skill signing paths
1570005763 May 13, 2026
716db92
test(sec-core): run skill signing e2e in ci
1570005763 May 13, 2026
b2e7943
test(sec-core): cover legacy skill signing ci call
1570005763 May 13, 2026
ec1073a
fix(sec-core): decouple skill signing path detection
1570005763 May 13, 2026
d93e544
feat(sec-core): install in local space for build-all
yangdao479 May 14, 2026
79cf23c
chore(sec-core): remove sign-skill tool
yangdao479 May 14, 2026
2b2eb12
chore(sec-core): fix comments
yangdao479 May 14, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 27 additions & 0 deletions .github/workflows/ci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -280,6 +280,33 @@ jobs:
fi
echo "Code style check passed."

- name: Lint check (incremental)
if: github.event_name == 'pull_request'
run: |
cd src/agent-sec-core
uv run --project agent-sec-cli ruff check --config agent-sec-cli/pyproject.toml --output-format=concise . > ruff_report.txt || true
# Prefix paths to match git-diff repo-root-relative paths
sed -i 's|^\([^: ]*\.py\)|src/agent-sec-core/\1|' ruff_report.txt
cd "$GITHUB_WORKSPACE"
LINT_OUTPUT=$(diff-quality --violations=flake8 --fail-under=100 src/agent-sec-core/ruff_report.txt 2>&1) || true
rm -f src/agent-sec-core/ruff_report.txt
echo "$LINT_OUTPUT"
# Extract violation count from diff-quality output
if echo "$LINT_OUTPUT" | grep -q "Failure"; then
{
echo "### ⚠️ agent-sec-core Lint Warnings (incremental)"
echo ""
echo '以下为 PR 变更行中的 ruff lint 违规(不卡点,仅提示):'
echo ""
echo '```'
echo "$LINT_OUTPUT"
echo '```'
} >> "$GITHUB_STEP_SUMMARY"
echo "::warning::Lint violations found in changed lines. See step summary for details."
else
echo "### ✅ agent-sec-core Lint Check Passed" >> "$GITHUB_STEP_SUMMARY"
fi

- name: Run Python tests with coverage
run: |
cd src/agent-sec-core
Expand Down
55 changes: 52 additions & 3 deletions .github/workflows/sec-core-rpmbuild.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -71,7 +71,21 @@ jobs:
run: |
dnf makecache
dnf install -y scripts/rpmbuild/RPMS/**/*.rpm
echo "=== Verify CLI ==="
agent-sec-cli --help
echo "=== Verify sandbox ==="
linux-sandbox --help
echo "=== Verify site-packages ==="
ls /opt/agent-sec/lib/python3.11/site-packages/agent_sec_cli/
echo "=== Verify cosh extension ==="
ls /usr/share/anolisa/extensions/agent-sec-core/
ls /usr/share/anolisa/extensions/agent-sec-core/hooks/
echo "=== Verify openclaw plugin ==="
ls /opt/agent-sec/openclaw-plugin/
ls /opt/agent-sec/openclaw-plugin/dist/
ls /opt/agent-sec/openclaw-plugin/scripts/deploy.sh
echo "=== Verify skills ==="
ls /usr/share/anolisa/skills/

- name: Verify Python dependencies match requirements.txt
run: |
Expand Down Expand Up @@ -106,7 +120,7 @@ jobs:
print(f'All {len(reqs) - skipped} dependencies verified ({skipped} skipped due to platform markers).')
PYEOF

- name: Verify all Python imports
- name: Verify cli Python imports
run: |
export PYTHONPATH=/opt/agent-sec/lib/python3.11/site-packages${PYTHONPATH:+:$PYTHONPATH}
python3 << 'PYEOF'
Expand Down Expand Up @@ -145,8 +159,43 @@ jobs:
print('All modules imported successfully')
PYEOF

- name: Install E2E test dependencies
run: dnf install -y jq
- name: Verify cosh hook Python imports
run: |
python3 << 'PYEOF'
import importlib.util, pathlib, sys

hooks_dir = pathlib.Path('/usr/share/anolisa/extensions/agent-sec-core/hooks')
print(f'Hooks directory: {hooks_dir.resolve()}')

py_files = sorted(hooks_dir.glob('*.py'))
if not py_files:
print('ERROR: no hook .py files found', file=sys.stderr)
sys.exit(1)

failed = []
for pyfile in py_files:
mod_name = pyfile.stem.replace('-', '_')
spec = importlib.util.spec_from_file_location(mod_name, pyfile)
if spec is None:
print(f' {pyfile.name} ... FAILED: cannot create module spec')
failed.append((pyfile.name, 'cannot create module spec'))
continue
try:
mod = importlib.util.module_from_spec(spec)
spec.loader.exec_module(mod)
print(f' {pyfile.name} ... OK')
except Exception as e:
print(f' {pyfile.name} ... FAILED: {e}')
failed.append((pyfile.name, str(e)))

print(f'\nTotal: {len(py_files)} hooks, {len(failed)} failed')
if failed:
print('\nFailed hooks:', file=sys.stderr)
for name, err in failed:
print(f' - {name}: {err}', file=sys.stderr)
sys.exit(1)
print('All hook scripts imported successfully')
PYEOF

- name: Uninstall skills package before E2E tests
run: rpm -e agent-sec-skills --nodeps
Expand Down
71 changes: 71 additions & 0 deletions .github/workflows/sec-core-source-code-build.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
name: sec-core-source-code-build

on:
pull_request:
branches:
- main
- 'release/agent-sec-core/**'
paths:
- 'src/agent-sec-core/**'
- 'scripts/build-all.sh'
- '.github/workflows/sec-core-source-code-build.yaml'
workflow_dispatch:

permissions:
contents: read

jobs:
build:
strategy:
fail-fast: false
matrix:
include:
- name: Ubuntu 22.04
runner: ubuntu-22.04
container: ''
- name: Alinux4
runner: ubuntu-22.04
container: alibaba-cloud-linux-4-registry.cn-hangzhou.cr.aliyuncs.com/alinux4/alinux4:latest
name: Source Build (${{ matrix.name }})
runs-on: ${{ matrix.runner }}
container: ${{ matrix.container || '' }}
steps:
- name: Configure mirrors and install base tools (Alinux4)
if: matrix.container != ''
run: |
sed -i -e "s/cloud.aliyuncs/aliyun/g" /etc/yum.repos.d/*.repo
dnf install -y tar git sudo
# Fix sudo PAM in container: replace with permissive config
cat > /etc/pam.d/sudo <<'EOF'
#%PAM-1.0
auth sufficient pam_rootok.so
account sufficient pam_permit.so
session sufficient pam_permit.so
EOF
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@1.93.0
with:
components: clippy, rustfmt, rust-src
- name: Build and install
run: ./scripts/build-all.sh --component sec-core
- name: Verify CLI
run: |
agent-sec-cli --version
agent-sec-cli --help
- name: Verify sandbox
run: linux-sandbox --help
- name: Verify deployment
run: |
echo "=== Skills ==="
ls ~/.copilot-shell/skills/
echo "=== Cosh Extension ==="
ls ~/.copilot-shell/extensions/agent-sec-core/
ls ~/.copilot-shell/extensions/agent-sec-core/hooks/
echo "=== OpenClaw Plugin ==="
ls ~/.local/lib/anolisa/sec-core/openclaw-plugin/
ls ~/.local/lib/anolisa/sec-core/openclaw-plugin/dist/
ls ~/.local/lib/anolisa/sec-core/openclaw-plugin/scripts/
echo "=== CLI venv ==="
ls ~/.local/lib/anolisa/sec-core/venv/bin/agent-sec-cli
- name: Run E2E tests
run: make -C src/agent-sec-core test-e2e-source-build
64 changes: 45 additions & 19 deletions scripts/build-all.sh
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@
# Components (build order):
# cosh copilot-shell (Node.js / TypeScript)
# skills os-skills (Markdown skill definitions, no compilation)
# sec-core agent-sec-core (Rust sandbox, Linux only)
# sec-core agent-sec-core (Security CLI + sandbox + hooks)
# sight agentsight (eBPF / Rust, Linux only, NOT built by default)
# tokenless tokenless (Rust compression library, cross-platform)
# ──────────────────────────────────────────────────────────────────
Expand Down Expand Up @@ -642,6 +642,8 @@ do_install_deps() {
fi

if want_component sec-core; then
install_node # openclaw-plugin needs Node.js
install_build_tools # gcc + make
install_uv
fi

Expand Down Expand Up @@ -702,26 +704,35 @@ build_skills() {
}

build_sec_core() {
step "Building agent-sec-core (linux-sandbox)"
step "Building agent-sec-core"
local dir="$PROJECT_ROOT/src/agent-sec-core"
[[ -d "$dir" ]] || die "Directory not found: $dir"
cd "$dir"

info "cargo build --release (linux-sandbox) ..."
if [[ -f Makefile ]] && grep -q 'build-sandbox' Makefile; then
make build-sandbox
else
cd linux-sandbox && cargo build --release && cd ..
fi
# build-all = build-sandbox + build-cli + build-openclaw-plugin
info "make build-all ..."
make build-all

local bin="linux-sandbox/target/release/linux-sandbox"
if [[ -f "$bin" ]]; then
ARTIFACT_NAMES+=("agent-sec-core")
ARTIFACT_PATHS+=("src/agent-sec-core/$bin")
ok "agent-sec-core built successfully"
else
warn "Expected artifact $bin not found"
# Track artifacts from BUILD_DIR (default: target)
local build_dir="target"
local sandbox_bin="$build_dir/linux-sandbox"
local wheel
wheel=$(ls "$build_dir"/wheels/agent_sec_cli-*.whl 2>/dev/null | head -1)
local plugin_entry="$build_dir/openclaw-plugin/dist/index.js"

[[ -f "$sandbox_bin" ]] && ARTIFACT_NAMES+=("linux-sandbox") && ARTIFACT_PATHS+=("src/agent-sec-core/$sandbox_bin")
[[ -n "$wheel" ]] && ARTIFACT_NAMES+=("agent-sec-cli") && ARTIFACT_PATHS+=("src/agent-sec-core/$wheel")
[[ -f "$plugin_entry" ]] && ARTIFACT_NAMES+=("openclaw-plugin") && ARTIFACT_PATHS+=("src/agent-sec-core/$build_dir/openclaw-plugin/")

# Verify all expected artifacts exist
local missing=()
[[ -f "$sandbox_bin" ]] || missing+=("linux-sandbox")
[[ -n "$wheel" ]] || missing+=("agent-sec-cli wheel")
[[ -f "$plugin_entry" ]] || missing+=("openclaw-plugin")
if (( ${#missing[@]} > 0 )); then
die "Build artifacts missing: ${missing[*]}"
fi
ok "agent-sec-core built successfully"
}

build_sight() {
Expand Down Expand Up @@ -814,9 +825,24 @@ install_sec_core() {
[[ -d "$dir" ]] || die "Directory not found: $dir"
cd "$dir"

info "sudo make install-sandbox ..."
sudo make install-sandbox
ok "agent-sec-core (linux-sandbox) installed to /usr/local/bin/"
# Install all components using user profile (no sudo, paths under ~/.local/)
info "make install-all INSTALL_PROFILE=user ..."
make install-all INSTALL_PROFILE=user
ok "agent-sec-core installed (user profile: ~/.local/ + ~/.copilot-shell/)"

# Runtime dependencies (system packages, require sudo)
if ! cmd_exists bwrap; then
info "Installing runtime dependency: bubblewrap ..."
sudo $PKG_INSTALL bubblewrap || warn "bubblewrap not installed (linux-sandbox runtime dep)"
fi
if ! cmd_exists gpg && ! cmd_exists gpg2; then
info "Installing runtime dependency: gnupg2 ..."
sudo $PKG_INSTALL gnupg2 || warn "gnupg2 not installed (skill signature verification)"
fi
if ! cmd_exists jq; then
info "Installing runtime dependency: jq ..."
sudo $PKG_INSTALL jq || warn "jq not installed (openclaw-plugin deploy)"
fi
}

install_sight() {
Expand Down Expand Up @@ -906,7 +932,7 @@ $(echo -e "${BOLD}Examples:${NC}")
$(echo -e "${BOLD}Components:${NC}")
cosh copilot-shell Node.js / TypeScript AI terminal assistant [default]
skills os-skills Markdown skill definitions (deploy only) [default]
sec-core agent-sec-core Rust secure sandbox (Linux only) [default]
sec-core agent-sec-core Security CLI + sandbox + hooks [default]
sight agentsight eBPF observability/audit agent (Linux only) [optional]
tokenless tokenless Rust token compression library (cross-platform) [default]

Expand Down
3 changes: 2 additions & 1 deletion scripts/rpm-build.sh
Original file line number Diff line number Diff line change
Expand Up @@ -209,14 +209,15 @@ build_agent_sec_core() {
local tmp_dir
tmp_dir=$(mktemp -d)
local pkg_dir="${tmp_dir}/${pkg_name}-${version}"
mkdir -p "$pkg_dir"/{skills,linux-sandbox,agent-sec-cli,cosh-extension,openclaw-plugin,scripts}
mkdir -p "$pkg_dir"/{skills,linux-sandbox,agent-sec-cli,cosh-extension,openclaw-plugin,scripts,tools}

# skills: use cp -rp dir/. to include hidden files/directories
cp -rp "${SEC_DIR}/skills/." "$pkg_dir/skills/"
cp -rp "${SEC_DIR}/linux-sandbox/"* "$pkg_dir/linux-sandbox/"
rm -f "$pkg_dir/linux-sandbox/rust-toolchain.toml"
cp -rp "${SEC_DIR}/cosh-extension/"* "$pkg_dir/cosh-extension/"
cp -p "${SEC_DIR}/scripts/agent-sec-cli-wrapper.sh" "$pkg_dir/scripts/"
cp -p "${SEC_DIR}/tools/sign-skill.sh" "$pkg_dir/tools/"
cp "${SEC_DIR}/Makefile" "$pkg_dir/"
[ -f "${SEC_DIR}/LICENSE" ] && cp "${SEC_DIR}/LICENSE" "$pkg_dir/"
[ -f "${SEC_DIR}/README.md" ] && cp "${SEC_DIR}/README.md" "$pkg_dir/"
Expand Down
Loading
Loading