7 changes: 7 additions & 0 deletions .github/workflows/sec-core-rpmbuild.yaml
@@ -95,6 +95,13 @@ jobs:
ls /usr/lib/systemd/user/agent-sec-core.service
echo "=== Verify daemon binary ==="
ls /usr/bin/agent-sec-daemon
echo "=== Verify codex plugin ==="
ls /opt/agent-sec/codex-plugin/
ls /opt/agent-sec/codex-plugin/hooks/
ls /opt/agent-sec/codex-plugin/hooks/code_scanner_hook.py
ls /opt/agent-sec/codex-plugin/hooks/skill_ledger_hook.py
ls /opt/agent-sec/codex-plugin/install.sh
ls /opt/agent-sec/codex-plugin/.agents/plugins/marketplace.json
echo "=== Verify skills ==="
ls /usr/share/anolisa/skills/
echo "=== Verify component manifest ==="
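Review bot: The added checks only prove that the paths exist: `ls /opt/agent-sec/codex-plugin/install.sh` still passes if the package ships the script without its executable bit, which the spec's `%attr(0755,root,root)` entry is meant to guarantee. Replacing that line with `test -x /opt/agent-sec/codex-plugin/install.sh` would make the step assert it, and printing `stat -c '%a %U:%G' /opt/agent-sec/codex-plugin/hooks/*.py` next to it would record the mode and ownership of the hook files in the CI log. The enclosing workflow step starts and ends outside the hunk.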
6 changes: 6 additions & 0 deletions scripts/rpm-build.sh
@@ -249,6 +249,12 @@ build_agent_sec_core() {
--exclude='__pycache__' \
hermes-plugin/src hermes-plugin/scripts | tar -xf - -C "$pkg_dir/"

# codex-plugin (hooks + install script + .agents registry, exclude __pycache__)
tar -cf - -C "${SEC_DIR}" \
--exclude='__pycache__' \
codex-plugin/hooks-plugin codex-plugin/install.sh codex-plugin/.agents | tar -xf - -C "$pkg_dir/"


# Include agent-sec-cli source for maturin wheel build
# Exclude development artifacts (.venv, target, __pycache__, .egg-info, dist)
tar -cf - -C "${SEC_DIR}" \
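Review bot: A missing or renamed source path in the new `tar -cf - ... | tar -xf - -C "$pkg_dir/"` pipeline may not stop the build, because the pipeline's exit status is that of the extracting `tar` unless `set -o pipefail` is in effect, and no such setting is visible in this hunk. The source tree could then be assembled without, for example, `codex-plugin/.agents`, and the gap would only surface at a later stage. If pipefail is not already enabled at the top of the script, a guard before the pipeline such as `[ -f "${SEC_DIR}/codex-plugin/install.sh" ] || return 1` would fail early. The hunk also adds two consecutive blank lines where one is enough, and the body of `build_agent_sec_core` continues outside the hunk.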
17 changes: 15 additions & 2 deletions src/agent-sec-core/Makefile
@@ -195,6 +195,13 @@ build-hermes-plugin: ## Stage hermes-plugin Python sources to BUILD_DIR
cp -rp hermes-plugin/src/. $(BUILD_DIR)/hermes-plugin/src/
cp -rp hermes-plugin/scripts/. $(BUILD_DIR)/hermes-plugin/scripts/

.PHONY: stage-codex-plugin
stage-codex-plugin: ## Stage codex-plugin hooks and install script to BUILD_DIR
install -d -m 0755 $(BUILD_DIR)/codex-plugin
cp -rp codex-plugin/hooks-plugin/. $(BUILD_DIR)/codex-plugin/
Comment thread
edonyzpc marked this conversation as resolved.
cp -p codex-plugin/install.sh $(BUILD_DIR)/codex-plugin/
Comment thread
edonyzpc marked this conversation as resolved.
cp -rp codex-plugin/.agents $(BUILD_DIR)/codex-plugin/

.PHONY: stage-cosh-extension
stage-cosh-extension: ## Stage cosh-extension hooks to BUILD_DIR
install -d -m 0755 $(BUILD_DIR)/cosh-extension
@@ -232,7 +239,7 @@ stage-component-manifest: ## Stage component.toml into BUILD_DIR
$(BUILD_DIR)/share/anolisa/components/sec-core/component.toml

.PHONY: build-all
build-all: build-sandbox build-cli build-openclaw-plugin build-hermes-plugin stage-cosh-extension stage-skills stage-adapter-manifest stage-component-manifest ## Build all components
build-all: build-sandbox build-cli build-openclaw-plugin build-hermes-plugin stage-codex-plugin stage-cosh-extension stage-skills stage-adapter-manifest stage-component-manifest ## Build all components
@echo "📦 All artifacts collected to $(BUILD_DIR)/"

.PHONY: export-requirements
@@ -292,6 +299,7 @@ WHEEL_DIR ?= $(LIBDIR)/wheels
CLI_STAGED_SITE ?= $(BUILD_DIR)/site-packages
CLI_PRIVATE_SITE ?= /opt/agent-sec/lib/python3.11/site-packages
RPM_OPENCLAW_PLUGIN_DIR ?= /opt/agent-sec/openclaw-plugin
RPM_CODEX_PLUGIN_DIR ?= /opt/agent-sec/codex-plugin
RPM_HERMES_PLUGIN_DIR ?= /opt/agent-sec/hermes-plugin
SYSTEMD_USER_UNIT_DIR ?= /usr/lib/systemd/user
SYSTEMD_USER_UNIT_SOURCE ?= agent-sec-cli/config/systemd/agent-sec-core.service
@@ -367,6 +375,11 @@ install-hermes-plugin: ## Install hermes-plugin to target directory
cp -rp $(BUILD_DIR)/hermes-plugin/scripts/. $(DESTDIR)$(HERMES_PLUGIN_DIR)/scripts/
chmod 0755 $(DESTDIR)$(HERMES_PLUGIN_DIR)/scripts/*.sh

.PHONY: install-codex-plugin
install-codex-plugin: ## Install codex-plugin hooks to RPM target
install -d -m 0755 $(DESTDIR)$(RPM_CODEX_PLUGIN_DIR)
cp -rp $(BUILD_DIR)/codex-plugin/. $(DESTDIR)$(RPM_CODEX_PLUGIN_DIR)/

.PHONY: install-cosh-hook
install-cosh-hook: ## Install cosh hooks (linux-sandbox + extension)
install -d -m 0755 $(DESTDIR)$(BINDIR)
@@ -407,7 +420,7 @@ install-all: install-cli-venv install-cosh-hook install-openclaw-plugin install-
.PHONY: install-all-for-rpmbuild
install-all-for-rpmbuild: OPENCLAW_PLUGIN_DIR := $(RPM_OPENCLAW_PLUGIN_DIR)
install-all-for-rpmbuild: HERMES_PLUGIN_DIR := $(RPM_HERMES_PLUGIN_DIR)
install-all-for-rpmbuild: install-cli-site install-cosh-hook install-openclaw-plugin install-hermes-plugin install-skills install-adapter-manifest install-component-manifest install-systemd-user ## Install all (RPM build)
install-all-for-rpmbuild: install-cli-site install-cosh-hook install-codex-plugin install-openclaw-plugin install-hermes-plugin install-skills install-adapter-manifest install-component-manifest install-systemd-user ## Install all (RPM build)

# =============================================================================
# UNINSTALL
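Review bot: `install-codex-plugin` copies the staged tree with `cp -rp`, so the modes that land under `$(DESTDIR)$(RPM_CODEX_PLUGIN_DIR)` are whatever the checkout and umask produced; nothing in the Makefile pins them. The hermes install target just above it sets its script modes explicitly with `chmod 0755 $(DESTDIR)$(HERMES_PLUGIN_DIR)/scripts/*.sh`, and the matching line here would be `chmod 0755 $(DESTDIR)$(RPM_CODEX_PLUGIN_DIR)/install.sh` after the copy. The spec's `%defattr` and `%attr` entries appear to normalise modes for the RPM itself, so this mainly affects anyone running the target outside rpmbuild.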
20 changes: 20 additions & 0 deletions src/agent-sec-core/agent-sec-core.spec.in
@@ -49,6 +49,7 @@ BuildRequires: systemd-rpm-macros
# Metapackage: pull all subpackages
Requires: agent-sec-cli = %{version}-%{release}
Requires: agent-sec-cosh-hook = %{version}-%{release}
Requires: agent-sec-codex-hook = %{version}-%{release}
Requires: agent-sec-openclaw-hook = %{version}-%{release}
Requires: agent-sec-hermes-hook = %{version}-%{release}
Requires: agent-sec-skills = %{version}-%{release}
@@ -179,6 +180,25 @@ Includes skill-ledger, code-scanner, prompt-scanner and related skill definition
%{_datadir}/anolisa/skills/
%license LICENSE

# =============================================================================
# Subpackage 6: agent-sec-codex-hook
# =============================================================================
%package -n agent-sec-codex-hook
Summary: Codex plugin security hooks
Requires: agent-sec-cli = %{version}-%{release}
Requires: python3 >= 3.11
Requires: python3 < 3.12

%description -n agent-sec-codex-hook
Codex security hooks providing code scanning, PII checking, prompt scanning
and skill ledger verification for Codex agent.

%files -n agent-sec-codex-hook
%defattr(0644,root,root,0755)
Comment thread
edonyzpc marked this conversation as resolved.
%attr(0755,root,root) /opt/agent-sec/codex-plugin/install.sh
/opt/agent-sec/codex-plugin/
%license LICENSE

# =============================================================================
# Main package has no files (metapackage)
# =============================================================================
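Review bot: The `%description` of `agent-sec-codex-hook` does not say whether the hooks are active once the package is installed. The subpackage ships `install.sh` and no scriptlet for it is visible in this hunk, so presumably an administrator still has to run that script. Because the metapackage now requires this subpackage, a host could have the RPM installed while the Codex hooks are not actually registered. If that is the case, the description should say so, for example by adding `Run /opt/agent-sec/codex-plugin/install.sh to register the hooks with Codex.`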