diff --git a/.github/workflows/sec-core-rpmbuild.yaml b/.github/workflows/sec-core-rpmbuild.yaml
index 54df05bf8..e924400e6 100644
--- a/.github/workflows/sec-core-rpmbuild.yaml
+++ b/.github/workflows/sec-core-rpmbuild.yaml
@@ -95,6 +95,13 @@ jobs:
           ls /usr/lib/systemd/user/agent-sec-core.service
           echo "=== Verify daemon binary ==="
           ls /usr/bin/agent-sec-daemon
+          echo "=== Verify codex plugin ==="
+          ls /opt/agent-sec/codex-plugin/
+          ls /opt/agent-sec/codex-plugin/hooks/
+          ls /opt/agent-sec/codex-plugin/hooks/code_scanner_hook.py
+          ls /opt/agent-sec/codex-plugin/hooks/skill_ledger_hook.py
+          ls /opt/agent-sec/codex-plugin/install.sh
+          ls /opt/agent-sec/codex-plugin/.agents/plugins/marketplace.json
           echo "=== Verify skills ==="
           ls /usr/share/anolisa/skills/
           echo "=== Verify component manifest ==="
diff --git a/scripts/rpm-build.sh b/scripts/rpm-build.sh
index 07dd583a4..eefc5f152 100755
--- a/scripts/rpm-build.sh
+++ b/scripts/rpm-build.sh
@@ -249,6 +249,12 @@ build_agent_sec_core() {
         --exclude='__pycache__' \
         hermes-plugin/src hermes-plugin/scripts | tar -xf - -C "$pkg_dir/"
 
+    # codex-plugin (hooks + install script + .agents registry, exclude __pycache__)
+    tar -cf - -C "${SEC_DIR}" \
+        --exclude='__pycache__' \
+        codex-plugin/hooks-plugin codex-plugin/install.sh codex-plugin/.agents | tar -xf - -C "$pkg_dir/"
+
+
     # Include agent-sec-cli source for maturin wheel build
     # Exclude development artifacts (.venv, target, __pycache__, .egg-info, dist)
     tar -cf - -C "${SEC_DIR}" \
diff --git a/src/agent-sec-core/Makefile b/src/agent-sec-core/Makefile
index be257fcc4..eeb98287d 100644
--- a/src/agent-sec-core/Makefile
+++ b/src/agent-sec-core/Makefile
@@ -195,6 +195,13 @@ build-hermes-plugin: ## Stage hermes-plugin Python sources to BUILD_DIR
 	cp -rp hermes-plugin/src/. $(BUILD_DIR)/hermes-plugin/src/
 	cp -rp hermes-plugin/scripts/. $(BUILD_DIR)/hermes-plugin/scripts/
 
+.PHONY: stage-codex-plugin
+stage-codex-plugin: ## Stage codex-plugin hooks and install script to BUILD_DIR
+	install -d -m 0755 $(BUILD_DIR)/codex-plugin
+	cp -rp codex-plugin/hooks-plugin/. $(BUILD_DIR)/codex-plugin/
+	cp -p codex-plugin/install.sh $(BUILD_DIR)/codex-plugin/
+	cp -rp codex-plugin/.agents $(BUILD_DIR)/codex-plugin/
+
 .PHONY: stage-cosh-extension
 stage-cosh-extension: ## Stage cosh-extension hooks to BUILD_DIR
 	install -d -m 0755 $(BUILD_DIR)/cosh-extension
@@ -232,7 +239,7 @@ stage-component-manifest: ## Stage component.toml into BUILD_DIR
 		$(BUILD_DIR)/share/anolisa/components/sec-core/component.toml
 
 .PHONY: build-all
-build-all: build-sandbox build-cli build-openclaw-plugin build-hermes-plugin stage-cosh-extension stage-skills stage-adapter-manifest stage-component-manifest ## Build all components
+build-all: build-sandbox build-cli build-openclaw-plugin build-hermes-plugin stage-codex-plugin stage-cosh-extension stage-skills stage-adapter-manifest stage-component-manifest ## Build all components
 	@echo "📦 All artifacts collected to $(BUILD_DIR)/"
 
 .PHONY: export-requirements
@@ -292,6 +299,7 @@ WHEEL_DIR           ?= $(LIBDIR)/wheels
 CLI_STAGED_SITE     ?= $(BUILD_DIR)/site-packages
 CLI_PRIVATE_SITE    ?= /opt/agent-sec/lib/python3.11/site-packages
 RPM_OPENCLAW_PLUGIN_DIR ?= /opt/agent-sec/openclaw-plugin
+RPM_CODEX_PLUGIN_DIR  ?= /opt/agent-sec/codex-plugin
 RPM_HERMES_PLUGIN_DIR ?= /opt/agent-sec/hermes-plugin
 SYSTEMD_USER_UNIT_DIR ?= /usr/lib/systemd/user
 SYSTEMD_USER_UNIT_SOURCE ?= agent-sec-cli/config/systemd/agent-sec-core.service
@@ -367,6 +375,11 @@ install-hermes-plugin: ## Install hermes-plugin to target directory
 	cp -rp $(BUILD_DIR)/hermes-plugin/scripts/. $(DESTDIR)$(HERMES_PLUGIN_DIR)/scripts/
 	chmod 0755 $(DESTDIR)$(HERMES_PLUGIN_DIR)/scripts/*.sh
 
+.PHONY: install-codex-plugin
+install-codex-plugin: ## Install codex-plugin hooks to RPM target
+	install -d -m 0755 $(DESTDIR)$(RPM_CODEX_PLUGIN_DIR)
+	cp -rp $(BUILD_DIR)/codex-plugin/. $(DESTDIR)$(RPM_CODEX_PLUGIN_DIR)/
+
 .PHONY: install-cosh-hook
 install-cosh-hook: ## Install cosh hooks (linux-sandbox + extension)
 	install -d -m 0755 $(DESTDIR)$(BINDIR)
@@ -407,7 +420,7 @@ install-all: install-cli-venv install-cosh-hook install-openclaw-plugin install-
 .PHONY: install-all-for-rpmbuild
 install-all-for-rpmbuild: OPENCLAW_PLUGIN_DIR := $(RPM_OPENCLAW_PLUGIN_DIR)
 install-all-for-rpmbuild: HERMES_PLUGIN_DIR := $(RPM_HERMES_PLUGIN_DIR)
-install-all-for-rpmbuild: install-cli-site install-cosh-hook install-openclaw-plugin install-hermes-plugin install-skills install-adapter-manifest install-component-manifest install-systemd-user ## Install all (RPM build)
+install-all-for-rpmbuild: install-cli-site install-cosh-hook install-codex-plugin install-openclaw-plugin install-hermes-plugin install-skills install-adapter-manifest install-component-manifest install-systemd-user ## Install all (RPM build)
 
 # =============================================================================
 # UNINSTALL
diff --git a/src/agent-sec-core/agent-sec-core.spec.in b/src/agent-sec-core/agent-sec-core.spec.in
index c7de4e95e..137192160 100644
--- a/src/agent-sec-core/agent-sec-core.spec.in
+++ b/src/agent-sec-core/agent-sec-core.spec.in
@@ -49,6 +49,7 @@ BuildRequires:  systemd-rpm-macros
 # Metapackage: pull all subpackages
 Requires:       agent-sec-cli = %{version}-%{release}
 Requires:       agent-sec-cosh-hook = %{version}-%{release}
+Requires:       agent-sec-codex-hook = %{version}-%{release}
 Requires:       agent-sec-openclaw-hook = %{version}-%{release}
 Requires:       agent-sec-hermes-hook = %{version}-%{release}
 Requires:       agent-sec-skills = %{version}-%{release}
@@ -179,6 +180,25 @@ Includes skill-ledger, code-scanner, prompt-scanner and related skill definition
 %{_datadir}/anolisa/skills/
 %license LICENSE
 
+# =============================================================================
+# Subpackage 6: agent-sec-codex-hook
+# =============================================================================
+%package -n agent-sec-codex-hook
+Summary:        Codex plugin security hooks
+Requires:       agent-sec-cli = %{version}-%{release}
+Requires:       python3 >= 3.11
+Requires:       python3 < 3.12
+
+%description -n agent-sec-codex-hook
+Codex security hooks providing code scanning, PII checking, prompt scanning
+and skill ledger verification for Codex agent.
+
+%files -n agent-sec-codex-hook
+%defattr(0644,root,root,0755)
+%attr(0755,root,root) /opt/agent-sec/codex-plugin/install.sh
+/opt/agent-sec/codex-plugin/
+%license LICENSE
+
 # =============================================================================
 # Main package has no files (metapackage)
 # =============================================================================