feat(agent-sec-core)!: add security middleware framework with unified CLI entry point#121

Merged
edonyzpc merged 5 commits intoalibaba:release/agent-sec-core/v0.3from
RemindD:feature/agent-sec-core/security-middleware
Apr 14, 2026

Conversation

@RemindD RemindD commented Apr 7, 2026

Description

Introduce a layered security middleware architecture that routes all agent-sec-core operations through a unified agent-sec-cli.py entry point, ensuring every security action is logged as a structured JSONL event.

Key additions:

  • security_events: structured JSONL event logging with auto-rotation, thread-safe writes, and configurable log paths
  • security_middleware: pluggable backend framework with request context, lifecycle hooks (pre/post/error), and lazy-loaded action→backend router
  • agent-sec-cli.py: single CLI entry point for harden, verify, and summary commands — direct loongshield seharden calls are now prohibited
  • sandbox-guard.py: integrated middleware prehook logging for block and sandbox decisions (fail-safe, never affects hook behavior)

Backends:

  • hardening: wraps loongshield seharden with ANSI stripping and structured summary parsing
  • asset_verify: wraps verifier.py for single-skill and full-scan modes
  • sandbox: captures prehook decisions (allow/block/sandbox)
  • summary: aggregates events with time-window filtering and dedup
  • intent: stub for future intent classification

Includes comprehensive unit tests for all new modules and updated skill documentation to enforce routing through agent-sec-cli.py.

Related Issue

closes #108

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional change)
  • Performance improvement
  • CI/CD or build changes

Scope

  • cosh (copilot-shell)
  • agent-sec-core
  • os-skills
  • agentsight
  • Multiple / Project-wide

Checklist

  • I have read the Contributing Guide
  • My code follows the project's code style
  • I have added tests that prove my fix is effective or that my feature works
  • I have updated the documentation accordingly
  • For cosh: Lint passes, type check passes, and tests pass
  • For agent-sec-core (Rust): cargo clippy -- -D warnings and cargo fmt --check pass
  • For agent-sec-core (Python): Ruff format and pytest pass
  • For os-skills: Skill directory structure is valid and shell scripts pass syntax check
  • Lock files are up to date (package-lock.json / Cargo.lock)

Testing

Python unit tests added and passed. Manually ran sec-core and found the records below in the log file:

{"event_id": "c7dc49a7-3dba-4cd9-8350-9a27f48dbea2", "event_type": "sandbox_prehook", "category": "sandbox", "timestamp": "2026-04-07T03:06:15.543623+00:00", "trace_id": "2d9f2bc3-8069-4de9-a033-a7e2984abc20", "pid": 218434, "uid": 0, "session_id": null, "details": {"request": {"decision": "sandbox", "command": "rm -rf /root/working/anolisa/a.txt", "reasons": "递归/强制删除", "network_policy": "restricted", "cwd": "/root/working/anolisa"}, "result": {"decision": "sandbox", "command": "rm -rf /root/working/anolisa/a.txt", "reasons": "递归/强制删除", "network_policy": "restricted", "cwd": "/root/working/anolisa"}}}

{"event_id": "2452dc63-6e7f-4a64-8999-88d5b360edc6", "event_type": "verify", "category": "asset_verify", "timestamp": "2026-04-07T02:07:59.634517+00:00", "trace_id": "4ec0bac1-38ee-4632-b863-665b3552a9c9", "pid": 205806, "uid": 0, "session_id": null, "details": {"request": {"skill": null}, "result": {"passed": 0, "failed": 0}}}

{"event_id": "6fe3b1ef-b6fd-454a-b915-bccf243c0e0f", "event_type": "harden", "category": "hardening", "timestamp": "2026-04-09T04:54:14.330033+00:00", "trace_id": "43a8dc1d-4191-4998-a4ab-762597428f0d", "pid": 240596, "uid": 0, "session_id": null, "details": {"request": {"mode": "scan", "config": "agentos_baseline"}, "result": {"mode": "scan", "config": "agentos_baseline", "failures": [{"rule_id": "fs.shm_noexec", "status": "FAIL", "message": "/dev/shm must be mounted noexec to prevent in-memory code execution - Reason: /dev/shm is not mounted with noexec. (actual: --"}], "fixed_items": [], "passed": 22, "fixed": 0, "failed": 1, "manual": 0, "dry_run_pending": 0, "total": 23}}}
{"event_id": "90b55581-c1ed-4ac7-b3a9-8159206bcdf2", "event_type": "harden", "category": "hardening", "timestamp": "2026-04-09T04:54:27.836636+00:00", "trace_id": "d82d1d99-9921-4bf5-bd17-5bb65005e13a", "pid": 240799, "uid": 0, "session_id": null, "details": {"request": {"mode": "reinforce", "config": "agentos_baseline"}, "result": {"mode": "reinforce", "config": "agentos_baseline", "failures": [], "fixed_items": [{"rule_id": "fs.shm_noexec", "status": "FAIL", "message": "/dev/shm must be mounted noexec to prevent in-memory code execution - Reason: /dev/shm is not mounted with noexec. (actual: --"}], "passed": 22, "fixed": 1, "failed": 0, "manual": 0, "dry_run_pending": 0, "total": 23}}}

Additional Notes

@RemindD RemindD force-pushed the feature/agent-sec-core/security-middleware branch 2 times, most recently from 6106d9a to 66d3f5d on April 8, 2026 08:19
@casparant casparant added the component:sec-core src/agent-sec-core/ label Apr 8, 2026
@RemindD RemindD force-pushed the feature/agent-sec-core/security-middleware branch 2 times, most recently from d2f748e to 1dd5fd6 on April 9, 2026 04:56
@casparant casparant added this to the sec-core/v0.2 milestone Apr 12, 2026
@kid9 kid9 modified the milestones: sec-core/v0.2, sec-core/v0.3 Apr 12, 2026
@RemindD RemindD force-pushed the feature/agent-sec-core/security-middleware branch from 1dd5fd6 to 7bdab5d on April 14, 2026 03:31
@RemindD RemindD requested a review from casparant as a code owner April 14, 2026 03:31
@RemindD RemindD changed the title from "feat(agent-sec-core): add security middleware framework with unified CLI entry point" to "feat(agent-sec-core)!: add security middleware framework with unified CLI entry point" Apr 14, 2026
@RemindD RemindD force-pushed the feature/agent-sec-core/security-middleware branch from 7bdab5d to 771bafe on April 14, 2026 05:03
@RemindD RemindD changed the base branch from main to release/agent-sec-core/v0.3 April 14, 2026 06:06
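The PR description lists what the security_events writer and the summary backend do (structured JSONL events, thread-safe writes, auto-rotation, time-window filtering, dedup) and states that the sandbox-guard prehook logging is fail-safe. The following is an added example, written for this page and not the PR's own code, that models those behaviours end to end in plain Python. The top-level field names mirror the records shown in the Testing section; the class and function names, the size-based rotation scheme, dedup on event_id, the summary's shape and the constructed sample events are all assumptions of this example and need not match what agent-sec-cli actually implements.

```python
# Added example, not this PR's code: JSONL security events, a locked size-rotating writer,
# a fail-safe hook-side emit, and a summary with a time window and event_id dedup.
# Field names follow the PR's Testing records; everything else here is assumed.
import json, os, tempfile, threading, uuid
from datetime import datetime, timezone
from pathlib import Path

def make_event(event_type, category, details, timestamp=None):
    """One event with the same top-level fields as the PR's sample records."""
    return {"event_id": str(uuid.uuid4()), "event_type": event_type, "category": category,
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "trace_id": str(uuid.uuid4()), "pid": os.getpid(),
            "uid": os.getuid() if hasattr(os, "getuid") else -1, "session_id": None, "details": details}

class JsonlEventWriter:
    """Appends one JSON object per line under a lock; rotates when max_bytes would be exceeded."""

    def __init__(self, path, max_bytes=1_000_000, backups=3):
        self.path, self.max_bytes, self.backups = Path(path), max_bytes, backups
        self._lock = threading.Lock()
    def _backup(self, i):
        return self.path.with_name(f"{self.path.name}.{i}")
    def write(self, event):
        line = json.dumps(event, ensure_ascii=False) + "\n"
        with self._lock:  # one writer at a time, so threads never interleave partial lines
            self.path.parent.mkdir(parents=True, exist_ok=True)
            if self.path.exists() and self.path.stat().st_size + len(line.encode()) > self.max_bytes:
                self._rotate()
            with open(self.path, "a", encoding="utf-8") as fh:
                fh.write(line)
    def _rotate(self):  # .(n-1) -> .n ... .1 -> .2, then live -> .1; the oldest backup is dropped
        for i in range(self.backups - 1, 0, -1):
            if self._backup(i).exists():
                os.replace(self._backup(i), self._backup(i + 1))
        os.replace(self.path, self._backup(1))
    def all_files(self):  # backups oldest first, then the live file: the whole retained history
        return [p for p in [self._backup(i) for i in range(self.backups, 0, -1)] + [self.path] if p.exists()]

def emit_failsafe(writer, event):
    """Hook-side emit: a hook's allow/block/sandbox decision must never depend on logging."""
    try:
        writer.write(event)
        return True
    except Exception:
        return False

def read_events(paths):
    """Parse JSONL files; a torn or partially written line is skipped rather than fatal."""
    events = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for line in fh:
                try:
                    events.append(json.loads(line))
                except json.JSONDecodeError:
                    continue
    return events

def summarize(events, since):
    """Per-category counts for events at or after `since`, keeping the first record per event_id."""
    seen, by_category, decisions, failed_rules = set(), {}, {}, set()
    for ev in events:
        if datetime.fromisoformat(ev["timestamp"]) < since or ev["event_id"] in seen:
            continue
        seen.add(ev["event_id"])
        by_category[ev["category"]] = by_category.get(ev["category"], 0) + 1
        result = (ev.get("details") or {}).get("result") or {}
        if ev["category"] == "sandbox":
            decision = result.get("decision", "unknown")
            decisions[decision] = decisions.get(decision, 0) + 1
        elif ev["category"] == "hardening":
            failed_rules.update(f["rule_id"] for f in result.get("failures", []))
    return {"window_start": since.isoformat(), "total": len(seen), "by_category": by_category,
            "sandbox_decisions": decisions, "hardening_failed_rules": sorted(failed_rules)}

# Constructed samples modelled on the PR's Testing records; fixed timestamps keep the demo reproducible.
SAMPLE_EVENTS = [
    make_event("sandbox_prehook", "sandbox", {"request": {"command": "rm -rf /tmp/x.txt"},
               "result": {"decision": "sandbox", "command": "rm -rf /tmp/x.txt"}}, "2026-04-07T03:06:15.543623+00:00"),
    make_event("verify", "asset_verify", {"request": {"skill": None}, "result": {"passed": 0, "failed": 0}},
               "2026-04-07T02:07:59.634517+00:00"),
    make_event("harden", "hardening", {"request": {"mode": "scan", "config": "agentos_baseline"}, "result": {"mode": "scan",
               "failures": [{"rule_id": "fs.shm_noexec", "status": "FAIL"}], "passed": 22, "failed": 1}}, "2026-04-09T04:54:14.330033+00:00"),
    make_event("harden", "hardening", {"request": {"mode": "scan"}, "result": {"failures": [], "passed": 23, "failed": 0}},
               "2026-03-01T00:00:00+00:00"),  # before the summary window: must be excluded
]
SAMPLE_EVENTS.append(dict(SAMPLE_EVENTS[0]))  # the same event_id written twice: dedup must count it once

def run_demo(log_dir=None):
    """Write the samples through a tiny-rotation writer, read every file back, summarize April 2026."""
    log_dir = Path(log_dir or tempfile.mkdtemp(prefix="sec-events-"))
    writer = JsonlEventWriter(log_dir / "events.jsonl", max_bytes=400, backups=4)  # records > 200 B: every write rotates
    for ev in SAMPLE_EVENTS:
        emit_failsafe(writer, ev)
    blocker = log_dir / "blocker"
    blocker.write_text("")  # a plain file where a directory is needed: write() raises and emit must swallow it
    swallowed = emit_failsafe(JsonlEventWriter(blocker / "events.jsonl"), SAMPLE_EVENTS[1]) is False
    summary = summarize(read_events(writer.all_files()), since=datetime(2026, 4, 1, tzinfo=timezone.utc))
    summary["files_on_disk"] = len(writer.all_files())  # live file + 4 backups
    summary["failsafe_swallowed_error"] = swallowed
    return summary
```

run_demo() writes the five sample records into a temporary directory with a deliberately tiny size limit so that every write after the first rotates the file, reads the live file and its backups back, and returns a summary in which the duplicated sandbox event is counted once and the March hardening event is excluded. The fail-safe check at the end points a writer at an unusable path and confirms that emit_failsafe returns False rather than letting the error reach the calling hook, which is the property the PR claims for sandbox-guard.py.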
Comment thread src/agent-sec-core/Makefile Outdated
Comment thread src/copilot-shell/hooks/sandbox-guard.py
Comment thread src/agent-sec-core/agent-sec-cli/src/agent_sec_cli/security_events/config.py Outdated
Comment thread src/copilot-shell/hooks/sandbox-guard.py
Comment thread src/agent-sec-core/agent-sec-cli/src/agent_sec_cli/security_events/writer.py Outdated
Comment thread src/agent-sec-core/agent-sec-cli/src/agent_sec_cli/security_events/config.py Outdated
Comment thread src/agent-sec-core/tests/unit-test/security_events/test_writer.py

[NIT] The other modules need e2e tests too; the module owners should add them (important, not urgent).

Comment thread src/agent-sec-core/agent-sec-cli/src/agent_sec_cli/__init__.py Outdated
Comment thread src/agent-sec-core/agent-sec-cli/.gitignore Outdated

The unified CLI still needs to support one more scenario (can be a follow-up PR):

  • When supporting agents such as cosh/openclaw, hook management and installation are involved; we need to consider providing install commands for the different agents.
  • At the same time, consider having agent sec core's tracing record the hook installation calls.

Comment thread src/agent-sec-core/agent-sec-cli/src/agent_sec_cli/cli.py Outdated
Comment thread src/agent-sec-core/agent-sec-core.spec
@yangdao479 yangdao479 left a comment


I think we could use this PR to define the development conventions.

  1. Our main CLI is in Python; consider adopting uv for overall project management and maintaining a uv.lock.
  2. For module imports, consider uniformly using absolute imports; do not use relative imports internally, and dynamic imports are not recommended either.
  3. Every method should define type hints as far as possible.
    @edonyzpc @kid9 feel free to add more.


kid9 commented Apr 14, 2026

I think we could use this PR to define the development conventions.

  1. Our main CLI is in Python; consider adopting uv for overall project management and maintaining a uv.lock.
  2. For module imports, consider uniformly using absolute imports; do not use relative imports internally.
  3. Every method should define type hints as far as possible.
    @edonyzpc @kid9 feel free to add more.

I think you are absolutely right (as expected from someone who has done Python code analysis and hit the pitfalls).


Hi, thanks for the excellent contribution so far! As we refine this, I have a few thoughts:

  1. Could we implement a check to detect if specific submodules (like loongshield) are present? This is crucial for compatibility with various dependency-based OS setups.
  2. I noticed the command for agent-sec-core is missing the --config agentos_baseline flag, which is required for Agentic-OS support.
  3. Reflecting on these requirements, I wonder if binding commands directly in the backends is sustainable long-term. With loongshield separating its components, this approach might introduce redundancy. It might be worth rethinking the design to avoid duplicate logic.


edonyzpc commented Apr 14, 2026

I think we could use this PR to define the development conventions.

  1. Our main CLI is in Python; consider adopting uv for overall project management and maintaining a uv.lock.
  2. For module imports, consider uniformly using absolute imports; do not use relative imports internally.
  3. Every method should define type hints as far as possible.
    @edonyzpc @kid9 feel free to add more.

@yangdao479 please provide a draft for this; @RemindD, do not worry about the engineering-process issues for now.

@yangdao479

I think we could use this PR to define the development conventions.

  1. Our main CLI is in Python; consider adopting uv for overall project management and maintaining a uv.lock.
  2. For module imports, consider uniformly using absolute imports; do not use relative imports internally.
  3. Every method should define type hints as far as possible.
    @edonyzpc @kid9 feel free to add more.

@yangdao479 please provide a draft for this; @RemindD, do not worry about the engineering-process issues for now.

Then, once this PR has no other functional issues, it can be merged first; I will submit some refactoring PRs afterwards.

@1570005763

The asset_verify refactoring looks good to me.

@edonyzpc edonyzpc left a comment


LGTM

@edonyzpc edonyzpc merged commit a961287 into alibaba:release/agent-sec-core/v0.3 Apr 14, 2026
7 of 9 checks passed

Labels

component:sec-core src/agent-sec-core/

Development

Successfully merging this pull request may close these issues.

[sec-core] feat(agent-sec-core): Add metrics for security modules and generate reports based on security events

7 participants