Extract tool-firewall to standalone repo (SecAI-Hub/agent-tool-firewall)

SecAI-Hub · claude · SecAI-Hub · commit 8f93bc7aa64c · 2026-03-09T09:20:26.000-07:00
Build script now clones agent-tool-firewall from GitHub (same pattern as
gguf-guard) instead of building from the monorepo services/ directory.
Binary still installs to the same path so systemd units are unchanged.

Removed tool-firewall from CI matrix since it has its own CI now.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -26,7 +26,7 @@ jobs:
       contents: read
     strategy:
       matrix:
-        service: [registry, tool-firewall, airlock]
+        service: [registry, airlock]
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
diff --git a/files/scripts/build-services.sh b/files/scripts/build-services.sh
@@ -15,8 +15,8 @@ dnf install -y golang python3 python3-pip cmake gcc gcc-c++ 2>/dev/null || true
 
 mkdir -p "$INSTALL_DIR" "$SRC_DIR"
 
-# --- Go services ---
-for svc in registry tool-firewall airlock; do
+# --- Go services (built from monorepo) ---
+for svc in registry airlock; do
     echo "Building: $svc"
     cp -r /tmp/services/${svc} "${SRC_DIR}/${svc}"
     cd "${SRC_DIR}/${svc}"
@@ -30,6 +30,20 @@ cd "${SRC_DIR}/registry"
 CGO_ENABLED=0 go build -ldflags="-s -w" -o /usr/local/bin/securectl ./cmd/securectl/
 echo "  -> /usr/local/bin/securectl"
 
+# --- agent-tool-firewall (standalone: policy gateway for LLM tool calls) ---
+echo "Building: agent-tool-firewall"
+if [ -d "/tmp/agent-tool-firewall" ]; then
+    cp -r /tmp/agent-tool-firewall "${SRC_DIR}/agent-tool-firewall"
+else
+    git clone --depth 1 https://github.com/SecAI-Hub/agent-tool-firewall.git "${SRC_DIR}/agent-tool-firewall" 2>/dev/null || \
+        echo "WARNING: agent-tool-firewall clone failed — tool firewall will not be available"
+fi
+if [ -d "${SRC_DIR}/agent-tool-firewall" ]; then
+    cd "${SRC_DIR}/agent-tool-firewall"
+    CGO_ENABLED=0 go build -ldflags="-s -w" -o "${INSTALL_DIR}/tool-firewall" .
+    echo "  -> ${INSTALL_DIR}/tool-firewall"
+fi
+
 # --- gguf-guard (GGUF model integrity scanner) ---
 echo "Building: gguf-guard"
 if [ -d "/tmp/gguf-guard" ]; then
