Feat/sec core/update rpm

.github/CODEOWNERS

@@ -21,11 +21,18 @@
 /src/copilot-shell/                     @kongche-jbw @samchu-zsl    # auto-label: component:cosh
 /src/agentsight/                        @chengshuyi                 # auto-label: component:sight
 /src/agent-sec-core/                    @edonyzpc @kid9             # auto-label: component:sec-core
-/src/agent-sec-core/linux-sandbox/      @yanrong-hsr                # auto-label: component:sec-core
+/src/agent-sec-core/agent-sec-cli/      @RemindD @edonyzpc                  # auto-label: component:sec-core
+/src/agent-sec-core/cosh-extension/     @yangdao479                 # auto-label: component:sec-core
+/src/agent-sec-core/linux-sandbox/      @haosanzi                   # auto-label: component:sec-core
+/src/agent-sec-core/openclaw-plugin/    @RemindD                    # auto-label: component:sec-core
+/src/agent-sec-core/skills/             @1570005763                 # auto-label: component:sec-core
+/src/agent-sec-core/Makefile             @yangdao479                 # auto-label: component:sec-core
+/src/agent-sec-core/*.spec.in            @yangdao479                 # auto-label: component:sec-core
 /src/os-skills/                         @Ziqi002                    # auto-label: component:skill
 /src/ws-ckpt/                           @Ziqi002                    # auto-label: component:ckpt
 /src/osbase/                            @casparant                  # auto-label: component:osbase
 /src/tokenless/                         @Forrest-ly @shiloong       # auto-label: component:tokenless
+/src/agent-memory/                      @shiloong                   # auto-label: component:memory
 
 # ---------------------------------------------------------------------------
 # Scope paths

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -20,6 +20,7 @@ body:
         - sight
         - tokenless
         - ckpt
+        - memory
         - other
     validations:
       required: true

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -21,6 +21,7 @@ body:
         - sight
         - tokenless
         - ckpt
+        - memory
         - other
     validations:
       required: true

.github/ISSUE_TEMPLATE/question.yml

@@ -20,6 +20,7 @@ body:
         - sight
         - tokenless
         - ckpt
+        - memory
         - other
   - type: textarea
     id: question

.github/actions/package-source/action.yaml

@@ -52,6 +52,7 @@ runs:
           tokenless)     SRC_DIR="src/tokenless" ;;
           os-skills)      SRC_DIR="src/os-skills" ;;
           ws-ckpt)        SRC_DIR="src/ws-ckpt" ;;
+          agent-memory)   SRC_DIR="src/agent-memory" ;;
           *)
             echo "ERROR: Unknown component: $COMPONENT"
             exit 1
@@ -100,7 +101,7 @@ runs:
         echo "LICENSE_BUILD_TARGET=${LICENSE_BUILD_TARGET}" >> $GITHUB_ENV
 
     # -----------------------------------------------------------------
-    # Step 3: Create source archive
+    # Step 3.1: Create source archive
     #
     # If Step 2 detected a LICENSE path reference, the resolved real
     # file is copied into the build tree before packaging so the archive
@@ -144,6 +145,49 @@ runs:
           cp -p "${LICENSE_REAL_PATH}" "/tmp/build/${ARCHIVE_NAME}/${LICENSE_BUILD_TARGET}"
         fi
 
+    # -----------------------------------------------------------------
+    # Step 3.2: Install plugin npm dependencies (ws-ckpt only)
+    #
+    # The source archive for ws-ckpt ships pre-installed node_modules
+    # so downstream consumers can use plugins without running npm.
+    # -----------------------------------------------------------------
+    - name: Setup Node.js (ws-ckpt)
+      if: inputs.component == 'ws-ckpt'
+      uses: actions/setup-node@v4
+      with:
+        node-version: '20'
+
+    - name: Install plugin npm dependencies (ws-ckpt)
+      if: inputs.component == 'ws-ckpt'
+      shell: bash
+      run: |
+        found=0
+        while IFS= read -r pkg; do
+          plugin_dir=$(dirname "$pkg")
+          echo "::group::npm install: ${plugin_dir#/tmp/build/${ARCHIVE_NAME}/}"
+          cd "$plugin_dir"
+          if [ -f package-lock.json ]; then
+            npm ci --ignore-scripts --omit=peer
+          else
+            npm install --ignore-scripts --omit=peer
+          fi
+          echo "::endgroup::"
+          found=$((found + 1))
+          cd /tmp/build/${ARCHIVE_NAME}
+        done < <(find /tmp/build/${ARCHIVE_NAME}/src/plugins -name 'package.json' -not -path '*/node_modules/*' 2>/dev/null)
+
+        if [ "$found" -eq 0 ]; then
+          echo "::warning::No plugin package.json found under src/plugins/"
+        else
+          echo "Installed npm dependencies for $found plugin(s)"
+        fi
+
+    # -----------------------------------------------------------------
+    # Step 3.3: Continue Create source archive
+    # -----------------------------------------------------------------
+    - name: Create source archive (tar)
+      shell: bash
+      run: |
         mkdir -p /tmp/archives
         tar -czf "/tmp/archives/${ARCHIVE_FILE}" \
           -C /tmp/build "${ARCHIVE_NAME}"

.github/commitlint.config.json

@@ -13,6 +13,7 @@
         "sight",
         "tokenless",
         "ckpt",
+        "memory",
         "deps",
         "ci",
         "docs",

.github/dependabot.yml

@@ -85,6 +85,26 @@ updates:
       - "deps"
       - "tokenless"
 
+  # agent-memory (cargo)
+  - package-ecosystem: "cargo"
+    directory: "/src/agent-memory"
+    schedule:
+      interval: "weekly"
+    target-branch: "main"
+    open-pull-requests-limit: 0   # ← Toggle: 0 = off, 1 = on
+    commit-message:
+      prefix: "chore(deps)"
+      include: "scope"
+    groups:
+      cargo-minor-patch:
+        applies-to: "version-updates"
+        update-types:
+          - "minor"
+          - "patch"
+    labels:
+      - "deps"
+      - "agent-memory"
+
 
   # GitHub Actions
   - package-ecosystem: "github-actions"

.github/maintainers.json

@@ -74,6 +74,14 @@
                     "github": "Ziqi002"
                 }
             ]
+        },
+        {
+            "label": "component:memory",
+            "maintainers": [
+                {
+                    "github": "shiloong"
+                }
+            ]
         }
     ],
     "default": {

.github/pull_request_template.md

@@ -39,6 +39,7 @@ closes #
 - [ ] `skill` (os-skills)
 - [ ] `sight` (agentsight)
 - [ ] `tokenless` (tokenless)
+- [ ] `memory` (agent-memory)
 - [ ] Multiple / Project-wide
 
 ## Checklist
@@ -55,6 +56,7 @@ closes #
 - [ ] For `skill`: Skill directory structure is valid and shell scripts pass syntax check
 - [ ] For `sight`: `cargo clippy -- -D warnings` and `cargo fmt --check` pass
 - [ ] For `tokenless`: `cargo clippy -- -D warnings` and `cargo fmt --check` pass
+- [ ] For `memory` (Linux only): `cargo clippy --all-targets -- -D warnings`, `cargo fmt --check`, and `cargo test` pass
 - [ ] Lock files are up to date (`package-lock.json` / `Cargo.lock`)
 
 ## Testing

.github/workflows/_rpm-build.yaml

@@ -4,7 +4,7 @@ on:
   workflow_call:
     inputs:
       component:
-        description: "Component to build (copilot-shell, agent-sec-core, agentsight, os-skills)"
+        description: "Component to build (copilot-shell, agent-sec-core, agentsight, os-skills, tokenless, ws-ckpt, agent-memory)"
         required: true
         type: string
       version:
@@ -62,6 +62,12 @@ jobs:
             ws-ckpt)
               dnf install -y rust cargo btrfs-progs rsync systemd-rpm-macros
               ;;
+            agent-memory)
+              # rusqlite (bundled) + git2 (vendored libgit2) need a C toolchain
+              # and cmake; systemd-devel provides libsystemd headers for the
+              # journald fan-out feature.
+              dnf install -y rust cargo cmake systemd-devel
+              ;;
             os-skills)
               # noarch, no extra build deps
               ;;

.github/workflows/ci.yaml

@@ -32,6 +32,11 @@ on:
         required: false
         type: boolean
         default: false
+      run_agent_memory:
+        description: 'Force run agent-memory tests (ignore change detection)'
+        required: false
+        type: boolean
+        default: false
 
 permissions:
   contents: read
@@ -49,6 +54,7 @@ jobs:
       agentsight: ${{ steps.changes.outputs.agentsight }}
       tokenless: ${{ steps.changes.outputs.tokenless }}
       ws_ckpt: ${{ steps.changes.outputs.ws_ckpt }}
+      agent_memory: ${{ steps.changes.outputs.agent_memory }}
     steps:
       - uses: actions/checkout@v4
         with:
@@ -74,6 +80,7 @@ jobs:
           AGENTSIGHT=false
           TOKENLESS=false
           WS_CKPT=false
+          AGENT_MEMORY=false
 
           # Path-based detection
           if echo "$CHANGED" | grep -q "^src/copilot-shell/"; then
@@ -91,6 +98,9 @@ jobs:
           if echo "$CHANGED" | grep -q "^src/ws-ckpt/"; then
             WS_CKPT=true
           fi
+          if echo "$CHANGED" | grep -q "^src/agent-memory/"; then
+            AGENT_MEMORY=true
+          fi
 
           # Manual override via workflow_dispatch
           if [[ "${{ inputs.run_copilot_shell }}" == "true" ]]; then
@@ -108,12 +118,16 @@ jobs:
           if [[ "${{ inputs.run_ws_ckpt }}" == "true" ]]; then
             WS_CKPT=true
           fi
+          if [[ "${{ inputs.run_agent_memory }}" == "true" ]]; then
+            AGENT_MEMORY=true
+          fi
 
           echo "copilot_shell=$COPILOT_SHELL" >> $GITHUB_OUTPUT
           echo "agent_sec_core=$AGENT_SEC" >> $GITHUB_OUTPUT
           echo "agentsight=$AGENTSIGHT" >> $GITHUB_OUTPUT
           echo "tokenless=$TOKENLESS" >> $GITHUB_OUTPUT
           echo "ws_ckpt=$WS_CKPT" >> $GITHUB_OUTPUT
+          echo "agent_memory=$AGENT_MEMORY" >> $GITHUB_OUTPUT
 
           echo "### Change Detection Results" >> $GITHUB_STEP_SUMMARY
           echo "| Component | Changed |" >> $GITHUB_STEP_SUMMARY
@@ -123,6 +137,7 @@ jobs:
           echo "| agentsight | $AGENTSIGHT |" >> $GITHUB_STEP_SUMMARY
           echo "| tokenless | $TOKENLESS |" >> $GITHUB_STEP_SUMMARY
           echo "| ws-ckpt | $WS_CKPT |" >> $GITHUB_STEP_SUMMARY
+          echo "| agent-memory | $AGENT_MEMORY |" >> $GITHUB_STEP_SUMMARY
 
   # =========================================================================
   # Step 2: Build & Lint copilot-shell
@@ -280,6 +295,33 @@ jobs:
           fi
           echo "Code style check passed."
 
+      - name: Lint check (incremental)
+        if: github.event_name == 'pull_request'
+        run: |
+          cd src/agent-sec-core
+          uv run --project agent-sec-cli ruff check --config agent-sec-cli/pyproject.toml --output-format=concise . > ruff_report.txt || true
+          # Prefix paths to match git-diff repo-root-relative paths
+          sed -i 's|^\([^: ]*\.py\)|src/agent-sec-core/\1|' ruff_report.txt
+          cd "$GITHUB_WORKSPACE"
+          LINT_OUTPUT=$(diff-quality --violations=flake8 --fail-under=100 src/agent-sec-core/ruff_report.txt 2>&1) || true
+          rm -f src/agent-sec-core/ruff_report.txt
+          echo "$LINT_OUTPUT"
+          # Extract violation count from diff-quality output
+          if echo "$LINT_OUTPUT" | grep -q "Failure"; then
+            {
+              echo "### ⚠️ agent-sec-core Lint Warnings (incremental)"
+              echo ""
+              echo '以下为 PR 变更行中的 ruff lint 违规（不卡点，仅提示）：'
+              echo ""
+              echo '```'
+              echo "$LINT_OUTPUT"
+              echo '```'
+            } >> "$GITHUB_STEP_SUMMARY"
+            echo "::warning::Lint violations found in changed lines. See step summary for details."
+          else
+            echo "### ✅ agent-sec-core Lint Check Passed" >> "$GITHUB_STEP_SUMMARY"
+          fi
+
       - name: Run Python tests with coverage
         run: |
           cd src/agent-sec-core
@@ -522,7 +564,7 @@ jobs:
 
       - uses: dtolnay/rust-toolchain@stable
         with:
-          toolchain: '1.85.0'
+          toolchain: '1.89.0'
           components: 'rustfmt, clippy'
 
       - uses: Swatinem/rust-cache@v2
@@ -532,17 +574,17 @@ jobs:
       - name: Check formatting
         run: |
           cd src/tokenless
-          cargo fmt --all --check
+          cargo fmt -p tokenless-cli -p tokenless-schema -p tokenless-stats -- --check
 
       - name: Lint
         run: |
           cd src/tokenless
-          cargo clippy --workspace -- -D warnings
+          cargo clippy -p tokenless-cli -p tokenless-schema -p tokenless-stats -- -D warnings
 
       - name: Run tests
         run: |
           cd src/tokenless
-          cargo test --workspace
+          cargo test -p tokenless-cli -p tokenless-schema -p tokenless-stats
 
   # =========================================================================
   # Step 7: Test ws-ckpt
@@ -582,3 +624,43 @@ jobs:
         run: |
           cd src/ws-ckpt/src
           cargo test --workspace
+
+  # =========================================================================
+  # Step 8: Test agent-memory (Linux-only Rust crate)
+  # =========================================================================
+  test-agent-memory:
+    name: Test agent-memory
+    needs: detect-changes
+    if: needs.detect-changes.outputs.agent_memory == 'true'
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          toolchain: '1.89.0'
+          components: 'rustfmt, clippy'
+
+      - uses: Swatinem/rust-cache@v2
+        with:
+          workspaces: src/agent-memory
+
+      - name: Install system dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libsystemd-dev cmake
+
+      - name: Check formatting
+        run: |
+          cd src/agent-memory
+          cargo fmt --all --check
+
+      - name: Lint
+        run: |
+          cd src/agent-memory
+          cargo clippy --all-targets --locked -- -D warnings
+
+      - name: Run tests
+        run: |
+          cd src/agent-memory
+          cargo test --locked