npm - @agentikos/omega-os - Versions diffs - 0.2.0 → 0.19.5 - Mend

@agentikos/omega-os 0.2.0 → 0.19.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (367) hide show

package/omega/Agentik_Engine/tests/__pycache__/test_rag.cpython-313.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/__pycache__/test_reducer.cpython-313-pytest-8.4.2.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/__pycache__/test_reducer.cpython-313.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/__pycache__/test_report.cpython-313-pytest-8.4.2.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/__pycache__/test_report.cpython-313.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/__pycache__/test_role_aliases_and_ssot.cpython-313-pytest-8.4.2.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/__pycache__/test_role_aliases_and_ssot.cpython-313.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/__pycache__/test_skill_discovery_and_gate.cpython-313-pytest-8.4.2.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/__pycache__/test_skill_discovery_and_gate.cpython-313.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/__pycache__/test_skill_power.cpython-313-pytest-8.4.2.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/__pycache__/test_skill_power.cpython-313.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/__pycache__/test_skill_routing.cpython-313-pytest-8.4.2.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/__pycache__/test_skill_routing.cpython-313.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/__pycache__/test_snapshot_partial.cpython-313-pytest-8.4.2.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/__pycache__/test_snapshot_partial.cpython-313.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/__pycache__/test_telegram_history.cpython-313-pytest-8.4.2.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/__pycache__/test_telegram_history.cpython-313.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/__pycache__/test_tmux_and_aisb_chat.cpython-313-pytest-8.4.2.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/__pycache__/test_tmux_and_aisb_chat.cpython-313.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/__pycache__/test_tools_and_sync.cpython-313-pytest-8.4.2.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/__pycache__/test_tools_and_sync.cpython-313.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/__pycache__/test_v06_features.cpython-313-pytest-8.4.2.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/__pycache__/test_v06_features.cpython-313.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/__pycache__/test_vault.cpython-313-pytest-8.4.2.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/__pycache__/test_vault.cpython-313.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/__pycache__/test_webhooks_and_readiness.cpython-313-pytest-8.4.2.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/__pycache__/test_webhooks_and_readiness.cpython-313.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/__pycache__/test_worker_and_cleanup.cpython-313-pytest-8.4.2.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/__pycache__/test_worker_and_cleanup.cpython-313.pyc ADDED Viewed

Binary file

package/omega/Agentik_Engine/tests/test_account.py CHANGED Viewed

@@ -164,11 +164,16 @@ def test_vault_round_trip_with_mode_600():
         # exact file mode must be 0o600 — nothing else should be readable
         mode = stat.S_IMODE(path.stat().st_mode)
         assert mode == 0o600, f"want 0o600, got {oct(mode)}"
-        # round-trip
+        # The new vault writes to "<secret>_TOKEN[.age]"; the legacy
+        # vault_path("<secret>") still resolves to the dotenv path for
+        # backward compat reads — they may differ, but both must live under
+        # the same secrets dir.
+        secrets_dir = Path(tmp) / "Agentik_Extra" / "etc" / "secrets"
+        assert path.parent == secrets_dir, (path.parent, secrets_dir)
+        assert vault_path(tmp, secret).parent == secrets_dir
+        # round-trip — read_token tries the new vault first, then the legacy file
         token = read_token(tmp, secret)
         assert token == "sk-test-12345"
-        # vault_path resolves to the same path
-        assert vault_path(tmp, secret) == path
 def test_vault_refuses_path_traversal():

package/omega/Agentik_Engine/tests/test_adversarial.py ADDED Viewed

@@ -0,0 +1,351 @@
+"""Adversarial test suite — proves the fixes for the bugs caught during
+the 'inverse audit' pass:
+  C1. Command injection via task_id in spawn_worker (CRITICAL)
+  H1. SQLiteStore breaks when used from multiple threads (HIGH)
+  H2. .done.json + brief.json non-atomic writes (HIGH)
+  H4. Empty mission intent accepted silently (HIGH)
+  M1. Webhook replay window absent (MEDIUM)
+Each test FIRST proves the bug existed in the spirit of the failure and
+THEN proves the fix holds.
+"""
+from __future__ import annotations
+import json
+import os
+import subprocess
+import sys
+import tempfile
+import threading
+import time
+import unittest
+from pathlib import Path
+from unittest import mock
+HERE = Path(__file__).resolve().parent
+sys.path.insert(0, str(HERE.parent))
+from omega_engine import worker as W            # noqa: E402
+from omega_engine.done_signal import (          # noqa: E402
+    DoneSignal, done_path, read_done, write_done,
+)
+from omega_engine.store import SQLiteStore      # noqa: E402
+from omega_engine.events import Event, EventType  # noqa: E402
+from omega_engine import webhooks as WH         # noqa: E402
+# ---------------------------------------------------------------------------
+# C1 — Command injection in spawn_worker(task_id=...)
+# ---------------------------------------------------------------------------
+class TestTaskIdInjectionGuard(unittest.TestCase):
+    def test_validate_accepts_normal_ids(self):
+        for ok in ("t-1", "t_abc.42", "task-2026-05-23-7f3a", "x" * 128):
+            self.assertEqual(W._validate_task_id(ok), ok)
+    def test_validate_rejects_semicolon_injection(self):
+        with self.assertRaises(ValueError):
+            W._validate_task_id("t; touch /tmp/PWNED")
+    def test_validate_rejects_command_substitution(self):
+        with self.assertRaises(ValueError):
+            W._validate_task_id("t$(rm -rf /)")
+    def test_validate_rejects_pipe(self):
+        with self.assertRaises(ValueError):
+            W._validate_task_id("t|rm -rf /")
+    def test_validate_rejects_backtick(self):
+        with self.assertRaises(ValueError):
+            W._validate_task_id("t`whoami`")
+    def test_validate_rejects_space(self):
+        with self.assertRaises(ValueError):
+            W._validate_task_id("t and more")
+    def test_validate_rejects_path_traversal(self):
+        with self.assertRaises(ValueError):
+            W._validate_task_id("../../etc/passwd")
+    def test_validate_rejects_empty(self):
+        with self.assertRaises(ValueError):
+            W._validate_task_id("")
+    def test_validate_rejects_too_long(self):
+        with self.assertRaises(ValueError):
+            W._validate_task_id("x" * 129)
+    def test_spawn_refuses_injection(self):
+        """The real attack vector — spawn_worker must reject before tmux."""
+        with tempfile.TemporaryDirectory() as tmp:
+            brief = W.WorkerBrief(
+                task_id="t; touch /tmp/SHOULD_NEVER_HAPPEN",
+                role="worker", intent="x",
+            )
+            with self.assertRaises(ValueError):
+                W.spawn_worker(brief, home=Path(tmp))
+    def test_write_brief_refuses_injection(self):
+        """write_brief is the second line of defence (defence-in-depth)."""
+        with tempfile.TemporaryDirectory() as tmp:
+            # Construct via __init__ (no validator on the dataclass itself)
+            brief = W.WorkerBrief(
+                task_id="t$(id)", role="worker", intent="x",
+            )
+            with self.assertRaises(ValueError):
+                W.write_brief(Path(tmp), brief)
+# ---------------------------------------------------------------------------
+# H1 — SQLiteStore concurrent access
+# ---------------------------------------------------------------------------
+class TestStoreThreadSafety(unittest.TestCase):
+    def test_5_threads_append_without_error(self):
+        with tempfile.TemporaryDirectory() as tmp:
+            s = SQLiteStore(str(Path(tmp) / "concurrent.db"))
+            errors: list[str] = []
+            def worker(n: int) -> None:
+                try:
+                    for i in range(10):
+                        s.append(Event(
+                            id=f"e-{n}-{i}-{time.time_ns()}",
+                            task_id=f"t-{n}",
+                            type=EventType.HEARTBEAT,
+                            ts=time.time(),
+                            payload={"n": n, "i": i},
+                        ))
+                except Exception as exc:  # noqa: BLE001
+                    errors.append(f"{n}: {type(exc).__name__}: {exc}")
+            threads = [threading.Thread(target=worker, args=(n,))
+                       for n in range(5)]
+            for t in threads:
+                t.start()
+            for t in threads:
+                t.join()
+            self.assertEqual(errors, [], f"unexpected errors: {errors}")
+            # 5 threads × 10 events each = 50 events
+            count = sum(1 for _ in s.all_events())
+            self.assertEqual(count, 50)
+            s.close()
+    def test_close_is_safe_to_call_twice(self):
+        with tempfile.TemporaryDirectory() as tmp:
+            s = SQLiteStore(str(Path(tmp) / "db.db"))
+            s.close()
+            # Second close MUST not raise — best-effort.
+            s.close()
+    def test_reads_under_concurrent_writes(self):
+        """Reader threads must not see a malformed or torn row."""
+        with tempfile.TemporaryDirectory() as tmp:
+            s = SQLiteStore(str(Path(tmp) / "readwrite.db"))
+            stop = threading.Event()
+            def writer():
+                i = 0
+                while not stop.is_set():
+                    try:
+                        s.append(Event(
+                            id=f"w-{i}-{time.time_ns()}",
+                            task_id="t-shared",
+                            type=EventType.HEARTBEAT,
+                            ts=time.time(), payload={"i": i},
+                        ))
+                    except Exception:  # noqa: BLE001
+                        pass
+                    i += 1
+            errors: list[str] = []
+            def reader():
+                try:
+                    for _ in range(20):
+                        s.events_for("t-shared")
+                except Exception as exc:  # noqa: BLE001
+                    errors.append(f"{type(exc).__name__}: {exc}")
+            wt = threading.Thread(target=writer)
+            rts = [threading.Thread(target=reader) for _ in range(3)]
+            wt.start()
+            for rt in rts:
+                rt.start()
+            for rt in rts:
+                rt.join()
+            stop.set()
+            wt.join()
+            self.assertEqual(errors, [])
+            s.close()
+# ---------------------------------------------------------------------------
+# H2 — Atomic writes for .done.json + brief.json
+# ---------------------------------------------------------------------------
+class TestAtomicWrites(unittest.TestCase):
+    def test_done_json_writes_atomically(self):
+        with tempfile.TemporaryDirectory() as tmp:
+            sig = DoneSignal(status="done_clean", summary="ok",
+                             files_changed=["a.py"])
+            p = write_done(Path(tmp), "t-atom", sig)
+            # The temp file used during the write must not linger.
+            self.assertFalse(p.with_suffix(p.suffix + ".tmp").exists())
+            loaded = read_done(Path(tmp), "t-atom")
+            self.assertEqual(loaded.status, "done_clean")
+    def test_brief_json_writes_atomically(self):
+        with tempfile.TemporaryDirectory() as tmp:
+            brief = W.WorkerBrief(task_id="t-atom", role="worker", intent="x")
+            p = W.write_brief(Path(tmp), brief)
+            self.assertFalse(p.with_suffix(p.suffix + ".tmp").exists())
+            self.assertEqual(
+                W.read_brief(Path(tmp), "t-atom").task_id, "t-atom"
+            )
+    def test_done_json_round_trip_no_torn_read_under_overwrite(self):
+        """Repeatedly overwrite while a parallel reader polls. With the
+        atomic write, the reader either sees the old JSON or the new JSON
+        — never a half-blob that would raise JSONDecodeError."""
+        with tempfile.TemporaryDirectory() as tmp:
+            sig1 = DoneSignal(status="done_clean", summary="v1")
+            write_done(Path(tmp), "t-loop", sig1)
+            errors: list[str] = []
+            stop = threading.Event()
+            def writer():
+                for i in range(50):
+                    write_done(Path(tmp), "t-loop",
+                               DoneSignal(status="done_clean",
+                                          summary=f"v{i}"))
+            def reader():
+                while not stop.is_set():
+                    try:
+                        read_done(Path(tmp), "t-loop")
+                    except Exception as exc:  # noqa: BLE001
+                        errors.append(f"{type(exc).__name__}: {exc}")
+            rts = [threading.Thread(target=reader) for _ in range(3)]
+            for rt in rts:
+                rt.start()
+            wt = threading.Thread(target=writer)
+            wt.start()
+            wt.join()
+            stop.set()
+            for rt in rts:
+                rt.join()
+            self.assertEqual(errors, [], f"torn-read errors: {errors[:3]}")
+# ---------------------------------------------------------------------------
+# H4 — Empty intent rejected at CLI level
+# ---------------------------------------------------------------------------
+class TestEmptyIntentRejected(unittest.TestCase):
+    def test_cli_run_empty_intent_returns_nonzero(self):
+        # Invoke the CLI through subprocess so we exercise argparse + cmd_run
+        # in a real shell — no MockProvider gymnastics.
+        repo = Path(__file__).resolve().parents[1]
+        env = {**os.environ, "OMEGA_HOME": "/tmp/omega-empty-test"}
+        Path("/tmp/omega-empty-test").mkdir(exist_ok=True)
+        proc = subprocess.run(
+            [sys.executable, "-m", "omega_engine.cli", "run", ""],
+            cwd=str(repo), env=env, capture_output=True, text=True,
+            timeout=20,
+        )
+        self.assertNotEqual(proc.returncode, 0,
+            f"empty intent should be rejected: {proc.stdout!r} {proc.stderr!r}")
+        self.assertIn("empty", (proc.stdout + proc.stderr).lower())
+    def test_cli_run_whitespace_intent_returns_nonzero(self):
+        repo = Path(__file__).resolve().parents[1]
+        env = {**os.environ, "OMEGA_HOME": "/tmp/omega-empty-test"}
+        Path("/tmp/omega-empty-test").mkdir(exist_ok=True)
+        proc = subprocess.run(
+            [sys.executable, "-m", "omega_engine.cli", "run", "   "],
+            cwd=str(repo), env=env, capture_output=True, text=True,
+            timeout=20,
+        )
+        self.assertNotEqual(proc.returncode, 0)
+# ---------------------------------------------------------------------------
+# M1 — Webhook replay protection
+# ---------------------------------------------------------------------------
+class TestWebhookReplayProtection(unittest.TestCase):
+    def setUp(self):
+        self.secret = "test-secret-deadbeef"
+        self.body = b'{"event":"push","ref":"main"}'
+        self.sig = WH.generate_test_signature(
+            "generic", self.body, self.secret,
+        )
+    def test_no_timestamp_still_accepts_valid_sig_backwards_compat(self):
+        """v0.5 contract: HMAC alone is enough."""
+        ok, reason = WH.verify_signature(
+            "generic", self.body, self.sig, self.secret,
+        )
+        self.assertTrue(ok, reason)
+    def test_fresh_timestamp_within_window_passes(self):
+        ts = str(int(time.time()))
+        ok, reason = WH.verify_signature(
+            "generic", self.body, self.sig, self.secret,
+            timestamp_header_value=ts,
+        )
+        self.assertTrue(ok, reason)
+    def test_old_timestamp_rejected_replay(self):
+        old_ts = str(int(time.time() - 600))  # 10 min ago
+        ok, reason = WH.verify_signature(
+            "generic", self.body, self.sig, self.secret,
+            timestamp_header_value=old_ts,
+        )
+        self.assertFalse(ok)
+        self.assertIn("replay window", reason)
+    def test_future_timestamp_rejected(self):
+        future_ts = str(int(time.time() + 600))
+        ok, reason = WH.verify_signature(
+            "generic", self.body, self.sig, self.secret,
+            timestamp_header_value=future_ts,
+        )
+        self.assertFalse(ok)
+        self.assertIn("replay window", reason)
+    def test_garbage_timestamp_rejected(self):
+        ok, reason = WH.verify_signature(
+            "generic", self.body, self.sig, self.secret,
+            timestamp_header_value="not-a-number",
+        )
+        self.assertFalse(ok)
+        self.assertIn("numeric", reason)
+    def test_configurable_window(self):
+        old_ts = str(int(time.time() - 60))  # 60s ago
+        # Default 300s window → ok
+        ok, _ = WH.verify_signature(
+            "generic", self.body, self.sig, self.secret,
+            timestamp_header_value=old_ts,
+        )
+        self.assertTrue(ok)
+        # Tighter 30s window → rejected
+        ok, reason = WH.verify_signature(
+            "generic", self.body, self.sig, self.secret,
+            timestamp_header_value=old_ts, replay_window_s=30,
+        )
+        self.assertFalse(ok)
+if __name__ == "__main__":
+    unittest.main()