@opena2a/oasb 0.1.0

package/src/atomic/enforcement/AT-ENF-005.resume-sigcont.test.ts

@@ -0,0 +1,164 @@
+// AT-ENF-005: Process Resume via SIGCONT
+// Tests enforcement engine's ability to resume a previously paused process.
+// Pauses a real child process, then resumes it via SIGCONT,
+// verifying it is removed from the paused PID tracking list.
+
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { spawn, type ChildProcess } from 'child_process';
+import { ArpWrapper } from '../../harness/arp-wrapper';
+import type { ARPEvent } from '@opena2a/arp';
+
+describe('AT-ENF-005: Process Resume via SIGCONT', () => {
+  let arp: ArpWrapper;
+  let child: ChildProcess | null = null;
+
+  beforeEach(async () => {
+    arp = new ArpWrapper({
+      monitors: { process: false, network: false, filesystem: false },
+    });
+    await arp.start();
+  });
+
+  afterEach(async () => {
+    if (child && child.pid) {
+      // Ensure the process is resumed before killing, to avoid orphaned stopped processes
+      try {
+        arp.getEnforcement().resume(child.pid);
+      } catch { /* already resumed or dead */ }
+      try {
+        process.kill(child.pid, 'SIGKILL');
+      } catch { /* already dead */ }
+      child = null;
+    }
+    await arp.stop();
+  });
+
+  it('should resume a paused process and remove it from paused list', async () => {
+    child = spawn('node', ['-e', 'setTimeout(()=>{},30000)'], {
+      stdio: 'ignore',
+      detached: false,
+    });
+    const pid = child.pid!;
+    expect(pid).toBeDefined();
+
+    const mockEvent: ARPEvent = {
+      id: 'test-enf-005-1',
+      timestamp: new Date().toISOString(),
+      source: 'process',
+      category: 'violation',
+      severity: 'high',
+      description: 'Process paused for investigation',
+      data: { pid },
+      classifiedBy: 'L0-rules',
+    };
+
+    const enforcement = arp.getEnforcement();
+
+    // Pause the process first
+    const pauseResult = await enforcement.execute('pause', mockEvent, pid);
+    expect(pauseResult.success).toBe(true);
+    expect(enforcement.getPausedPids()).toContain(pid);
+
+    // Resume the process
+    const resumed = enforcement.resume(pid);
+    expect(resumed).toBe(true);
+    expect(enforcement.getPausedPids()).not.toContain(pid);
+    expect(enforcement.getPausedPids()).toHaveLength(0);
+  }, 10000);
+
+  it('should return false when resuming a PID that was never paused', () => {
+    const enforcement = arp.getEnforcement();
+    const result = enforcement.resume(999999);
+
+    expect(result).toBe(false);
+    expect(enforcement.getPausedPids()).toHaveLength(0);
+  });
+
+  it('should handle resuming the same PID twice gracefully', async () => {
+    child = spawn('node', ['-e', 'setTimeout(()=>{},30000)'], {
+      stdio: 'ignore',
+      detached: false,
+    });
+    const pid = child.pid!;
+    expect(pid).toBeDefined();
+
+    const mockEvent: ARPEvent = {
+      id: 'test-enf-005-3',
+      timestamp: new Date().toISOString(),
+      source: 'process',
+      category: 'violation',
+      severity: 'high',
+      description: 'Process paused then double-resumed',
+      data: { pid },
+      classifiedBy: 'L0-rules',
+    };
+
+    const enforcement = arp.getEnforcement();
+
+    // Pause, then resume twice
+    await enforcement.execute('pause', mockEvent, pid);
+    expect(enforcement.getPausedPids()).toContain(pid);
+
+    const firstResume = enforcement.resume(pid);
+    expect(firstResume).toBe(true);
+    expect(enforcement.getPausedPids()).not.toContain(pid);
+
+    // Second resume should return false (no longer in paused set)
+    const secondResume = enforcement.resume(pid);
+    expect(secondResume).toBe(false);
+  }, 10000);
+
+  it('should allow pausing and resuming multiple processes independently', async () => {
+    const children: ChildProcess[] = [];
+
+    // Spawn two child processes
+    for (let i = 0; i < 2; i++) {
+      const c = spawn('node', ['-e', 'setTimeout(()=>{},30000)'], {
+        stdio: 'ignore',
+        detached: false,
+      });
+      children.push(c);
+    }
+
+    const pid1 = children[0].pid!;
+    const pid2 = children[1].pid!;
+    expect(pid1).toBeDefined();
+    expect(pid2).toBeDefined();
+
+    const enforcement = arp.getEnforcement();
+
+    const makeEvent = (id: string, pid: number): ARPEvent => ({
+      id,
+      timestamp: new Date().toISOString(),
+      source: 'process',
+      category: 'violation',
+      severity: 'high',
+      description: `Process ${pid} paused`,
+      data: { pid },
+      classifiedBy: 'L0-rules',
+    });
+
+    // Pause both
+    await enforcement.execute('pause', makeEvent('test-enf-005-4a', pid1), pid1);
+    await enforcement.execute('pause', makeEvent('test-enf-005-4b', pid2), pid2);
+    expect(enforcement.getPausedPids()).toContain(pid1);
+    expect(enforcement.getPausedPids()).toContain(pid2);
+    expect(enforcement.getPausedPids()).toHaveLength(2);
+
+    // Resume only the first
+    enforcement.resume(pid1);
+    expect(enforcement.getPausedPids()).not.toContain(pid1);
+    expect(enforcement.getPausedPids()).toContain(pid2);
+    expect(enforcement.getPausedPids()).toHaveLength(1);
+
+    // Resume the second
+    enforcement.resume(pid2);
+    expect(enforcement.getPausedPids()).toHaveLength(0);
+
+    // Clean up both children
+    for (const c of children) {
+      try { process.kill(c.pid!, 'SIGKILL'); } catch { /* already dead */ }
+    }
+    child = null; // Prevent afterEach from trying to clean up
+  }, 10000);
+});

package/src/atomic/filesystem/AT-FS-001.sensitive-path.test.ts

@@ -0,0 +1,118 @@
+// AT-FS-001: Sensitive Path Access Detection
+// ATLAS: AML.T0057 (Data Leakage)
+// OWASP: A07 (System Prompt Leakage)
+
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { ArpWrapper } from '../../harness/arp-wrapper';
+
+describe('AT-FS-001: Sensitive Path Access Detection', () => {
+  let arp: ArpWrapper;
+
+  beforeEach(async () => {
+    arp = new ArpWrapper({
+      monitors: { filesystem: false },
+    });
+    await arp.start();
+  });
+
+  afterEach(async () => {
+    await arp.stop();
+  });
+
+  it('should detect access to .ssh/id_rsa as a high-severity violation', async () => {
+    await arp.injectEvent({
+      source: 'filesystem-monitor',
+      category: 'violation',
+      severity: 'high',
+      description: 'Sensitive path access: .ssh/id_rsa',
+      data: {
+        path: '/home/user/.ssh/id_rsa',
+        operation: 'read',
+        sensitive: true,
+      },
+    });
+
+    const violations = arp.collector.eventsByCategory('violation');
+    expect(violations.length).toBe(1);
+    expect(violations[0].severity).toBe('high');
+    expect(violations[0].data.path).toContain('.ssh/id_rsa');
+  });
+
+  it('should detect access to .aws/credentials as a high-severity violation', async () => {
+    await arp.injectEvent({
+      source: 'filesystem-monitor',
+      category: 'violation',
+      severity: 'high',
+      description: 'Sensitive path access: .aws/credentials',
+      data: {
+        path: '/home/user/.aws/credentials',
+        operation: 'read',
+        sensitive: true,
+      },
+    });
+
+    const violations = arp.collector.eventsByCategory('violation');
+    expect(violations.length).toBe(1);
+    expect(violations[0].severity).toBe('high');
+    expect(violations[0].data.path).toContain('.aws/credentials');
+  });
+
+  it('should detect access to .gnupg/secring.gpg as a high-severity violation', async () => {
+    await arp.injectEvent({
+      source: 'filesystem-monitor',
+      category: 'violation',
+      severity: 'high',
+      description: 'Sensitive path access: .gnupg/secring.gpg',
+      data: {
+        path: '/home/user/.gnupg/secring.gpg',
+        operation: 'read',
+        sensitive: true,
+      },
+    });
+
+    const violations = arp.collector.eventsByCategory('violation');
+    expect(violations.length).toBe(1);
+    expect(violations[0].severity).toBe('high');
+    expect(violations[0].data.path).toContain('.gnupg/secring.gpg');
+  });
+
+  it('should capture all three sensitive path accesses', async () => {
+    const sensitivePaths = [
+      '/home/user/.ssh/id_rsa',
+      '/home/user/.aws/credentials',
+      '/home/user/.gnupg/secring.gpg',
+    ];
+
+    for (const path of sensitivePaths) {
+      await arp.injectEvent({
+        source: 'filesystem-monitor',
+        category: 'violation',
+        severity: 'high',
+        description: `Sensitive path access: ${path}`,
+        data: {
+          path,
+          operation: 'read',
+          sensitive: true,
+        },
+      });
+    }
+
+    const violations = arp.collector.eventsByCategory('violation');
+    expect(violations.length).toBe(3);
+
+    for (const violation of violations) {
+      expect(violation.severity).toBe('high');
+      expect(violation.data.sensitive).toBe(true);
+    }
+
+    expect(
+      arp.collector.hasEvent((e) => e.data.path.includes('.ssh/id_rsa'))
+    ).toBe(true);
+    expect(
+      arp.collector.hasEvent((e) => e.data.path.includes('.aws/credentials'))
+    ).toBe(true);
+    expect(
+      arp.collector.hasEvent((e) => e.data.path.includes('.gnupg/secring.gpg'))
+    ).toBe(true);
+  });
+});

package/src/atomic/filesystem/AT-FS-002.outside-allowed.test.ts

@@ -0,0 +1,122 @@
+// AT-FS-002: Access Outside Allowed Paths
+// ATLAS: AML.T0046 (Unsafe ML Inference)
+// OWASP: A04 (Excessive Agency)
+
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { ArpWrapper } from '../../harness/arp-wrapper';
+
+describe('AT-FS-002: Access Outside Allowed Paths', () => {
+  let arp: ArpWrapper;
+
+  beforeEach(async () => {
+    arp = new ArpWrapper({
+      monitors: { filesystem: false },
+    });
+    await arp.start();
+  });
+
+  afterEach(async () => {
+    await arp.stop();
+  });
+
+  it('should detect access to /etc/passwd outside allowed paths', async () => {
+    await arp.injectEvent({
+      source: 'filesystem-monitor',
+      category: 'anomaly',
+      severity: 'medium',
+      description: 'Access outside allowed paths: /etc/passwd',
+      data: {
+        path: '/etc/passwd',
+        operation: 'read',
+        allowed: false,
+      },
+    });
+
+    const anomalies = arp.collector.eventsByCategory('anomaly');
+    expect(anomalies.length).toBe(1);
+    expect(anomalies[0].severity).toBe('medium');
+    expect(anomalies[0].data.path).toBe('/etc/passwd');
+    expect(anomalies[0].data.allowed).toBe(false);
+  });
+
+  it('should detect access to /etc/shadow outside allowed paths', async () => {
+    await arp.injectEvent({
+      source: 'filesystem-monitor',
+      category: 'anomaly',
+      severity: 'medium',
+      description: 'Access outside allowed paths: /etc/shadow',
+      data: {
+        path: '/etc/shadow',
+        operation: 'read',
+        allowed: false,
+      },
+    });
+
+    const anomalies = arp.collector.eventsByCategory('anomaly');
+    expect(anomalies.length).toBe(1);
+    expect(anomalies[0].severity).toBe('medium');
+    expect(anomalies[0].data.path).toBe('/etc/shadow');
+    expect(anomalies[0].data.allowed).toBe(false);
+  });
+
+  it('should not flag access to paths within allowed directories', async () => {
+    await arp.injectEvent({
+      source: 'filesystem-monitor',
+      category: 'connection',
+      severity: 'info',
+      description: 'File access within allowed paths: /workspace/project/src/index.ts',
+      data: {
+        path: '/workspace/project/src/index.ts',
+        operation: 'read',
+        allowed: true,
+      },
+    });
+
+    const anomalies = arp.collector.eventsByCategory('anomaly');
+    expect(anomalies.length).toBe(0);
+
+    const allEvents = arp.collector.getEvents();
+    expect(allEvents.length).toBe(1);
+    expect(allEvents[0].data.allowed).toBe(true);
+  });
+
+  it('should distinguish allowed from disallowed access in mixed events', async () => {
+    await arp.injectEvent({
+      source: 'filesystem-monitor',
+      category: 'connection',
+      severity: 'info',
+      description: 'File access within allowed paths',
+      data: {
+        path: '/workspace/project/readme.md',
+        operation: 'read',
+        allowed: true,
+      },
+    });
+
+    await arp.injectEvent({
+      source: 'filesystem-monitor',
+      category: 'anomaly',
+      severity: 'medium',
+      description: 'Access outside allowed paths: /etc/passwd',
+      data: {
+        path: '/etc/passwd',
+        operation: 'read',
+        allowed: false,
+      },
+    });
+
+    const allEvents = arp.collector.getEvents();
+    expect(allEvents.length).toBe(2);
+
+    const anomalies = arp.collector.eventsByCategory('anomaly');
+    expect(anomalies.length).toBe(1);
+    expect(anomalies[0].data.path).toBe('/etc/passwd');
+
+    expect(
+      arp.collector.hasEvent((e) => e.data.allowed === false)
+    ).toBe(true);
+    expect(
+      arp.collector.hasEvent((e) => e.data.allowed === true)
+    ).toBe(true);
+  });
+});

package/src/atomic/filesystem/AT-FS-003.credential-file.test.ts

@@ -0,0 +1,115 @@
+// AT-FS-003: Credential File Access
+// ATLAS: AML.T0057 (Data Leakage)
+// OWASP: A07 (System Prompt Leakage)
+
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { ArpWrapper } from '../../harness/arp-wrapper';
+
+describe('AT-FS-003: Credential File Access', () => {
+  let arp: ArpWrapper;
+
+  beforeEach(async () => {
+    arp = new ArpWrapper({
+      monitors: { filesystem: false },
+    });
+    await arp.start();
+  });
+
+  afterEach(async () => {
+    await arp.stop();
+  });
+
+  const credentialFiles = [
+    { file: '.npmrc', path: '/home/user/.npmrc' },
+    { file: '.pypirc', path: '/home/user/.pypirc' },
+    { file: '.docker/config.json', path: '/home/user/.docker/config.json' },
+    { file: '.git-credentials', path: '/home/user/.git-credentials' },
+    { file: '.netrc', path: '/home/user/.netrc' },
+    { file: '.pgpass', path: '/home/user/.pgpass' },
+  ];
+
+  for (const { file, path } of credentialFiles) {
+    it(`should detect access to ${file} as a violation`, async () => {
+      await arp.injectEvent({
+        source: 'filesystem-monitor',
+        category: 'violation',
+        severity: 'high',
+        description: `Credential file access: ${file}`,
+        data: {
+          path,
+          operation: 'read',
+          sensitive: true,
+          credentialFile: true,
+        },
+      });
+
+      const violations = arp.collector.eventsByCategory('violation');
+      expect(violations.length).toBe(1);
+      expect(violations[0].severity).toBe('high');
+      expect(violations[0].data.path).toBe(path);
+      expect(violations[0].data.credentialFile).toBe(true);
+    });
+  }
+
+  it('should capture all credential file access violations', async () => {
+    for (const { file, path } of credentialFiles) {
+      await arp.injectEvent({
+        source: 'filesystem-monitor',
+        category: 'violation',
+        severity: 'high',
+        description: `Credential file access: ${file}`,
+        data: {
+          path,
+          operation: 'read',
+          sensitive: true,
+          credentialFile: true,
+        },
+      });
+    }
+
+    const violations = arp.collector.eventsByCategory('violation');
+    expect(violations.length).toBe(credentialFiles.length);
+
+    for (const violation of violations) {
+      expect(violation.severity).toBe('high');
+      expect(violation.category).toBe('violation');
+      expect(violation.data.credentialFile).toBe(true);
+    }
+  });
+
+  it('should cover newly-added sensitive paths (.env, .netrc, .pgpass)', async () => {
+    const newlyAddedPaths = [
+      { file: '.env', path: '/workspace/project/.env' },
+      { file: '.netrc', path: '/home/user/.netrc' },
+      { file: '.pgpass', path: '/home/user/.pgpass' },
+    ];
+
+    for (const { file, path } of newlyAddedPaths) {
+      await arp.injectEvent({
+        source: 'filesystem-monitor',
+        category: 'violation',
+        severity: 'high',
+        description: `Credential file access: ${file}`,
+        data: {
+          path,
+          operation: 'read',
+          sensitive: true,
+          credentialFile: true,
+        },
+      });
+    }
+
+    const violations = arp.collector.eventsByCategory('violation');
+    expect(violations.length).toBe(3);
+
+    expect(
+      arp.collector.hasEvent((e) => e.data.path.includes('.env'))
+    ).toBe(true);
+    expect(
+      arp.collector.hasEvent((e) => e.data.path.includes('.netrc'))
+    ).toBe(true);
+    expect(
+      arp.collector.hasEvent((e) => e.data.path.includes('.pgpass'))
+    ).toBe(true);
+  });
+});

package/src/atomic/filesystem/AT-FS-004.mass-file-creation.test.ts

@@ -0,0 +1,137 @@
+// AT-FS-004: Mass File Creation Detection
+// ATLAS: AML.T0029 (Denial of Service)
+// OWASP: A06 (Excessive Consumption)
+
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { ArpWrapper } from '../../harness/arp-wrapper';
+
+describe('AT-FS-004: Mass File Creation Detection', () => {
+  let arp: ArpWrapper;
+
+  beforeEach(async () => {
+    arp = new ArpWrapper({
+      monitors: { filesystem: false },
+    });
+    await arp.start();
+  });
+
+  afterEach(async () => {
+    await arp.stop();
+  });
+
+  it('should capture all 20 rapidly injected file creation events', async () => {
+    const fileCount = 20;
+
+    for (let i = 0; i < fileCount; i++) {
+      await arp.injectEvent({
+        source: 'filesystem-monitor',
+        category: 'normal',
+        severity: 'info',
+        description: `File created: /tmp/output/file-${i}.txt`,
+        data: {
+          path: `/tmp/output/file-${i}.txt`,
+          operation: 'create',
+          index: i,
+        },
+      });
+    }
+
+    const allEvents = arp.collector.getEvents();
+    expect(allEvents.length).toBe(fileCount);
+  });
+
+  it('should preserve event order during rapid injection', async () => {
+    const fileCount = 20;
+
+    for (let i = 0; i < fileCount; i++) {
+      await arp.injectEvent({
+        source: 'filesystem-monitor',
+        category: 'normal',
+        severity: 'info',
+        description: `File created: /tmp/output/file-${i}.txt`,
+        data: {
+          path: `/tmp/output/file-${i}.txt`,
+          operation: 'create',
+          index: i,
+        },
+      });
+    }
+
+    const allEvents = arp.collector.getEvents();
+    expect(allEvents.length).toBe(fileCount);
+
+    for (let i = 0; i < fileCount; i++) {
+      expect(allEvents[i].data.index).toBe(i);
+      expect(allEvents[i].data.path).toBe(`/tmp/output/file-${i}.txt`);
+    }
+  });
+
+  it('should correctly categorize all mass-created events as normal', async () => {
+    const fileCount = 20;
+
+    for (let i = 0; i < fileCount; i++) {
+      await arp.injectEvent({
+        source: 'filesystem-monitor',
+        category: 'normal',
+        severity: 'info',
+        description: `File created: /tmp/output/file-${i}.txt`,
+        data: {
+          path: `/tmp/output/file-${i}.txt`,
+          operation: 'create',
+          index: i,
+        },
+      });
+    }
+
+    const normalEvents = arp.collector.eventsByCategory('normal');
+    expect(normalEvents.length).toBe(fileCount);
+
+    const infoEvents = arp.collector.eventsBySeverity('info');
+    expect(infoEvents.length).toBe(fileCount);
+
+    const violations = arp.collector.eventsByCategory('violation');
+    expect(violations.length).toBe(0);
+
+    const anomalies = arp.collector.eventsByCategory('anomaly');
+    expect(anomalies.length).toBe(0);
+  });
+
+  it('should handle mass creation mixed with a violation event', async () => {
+    const fileCount = 20;
+
+    for (let i = 0; i < fileCount; i++) {
+      await arp.injectEvent({
+        source: 'filesystem-monitor',
+        category: 'normal',
+        severity: 'info',
+        description: `File created: /tmp/output/file-${i}.txt`,
+        data: {
+          path: `/tmp/output/file-${i}.txt`,
+          operation: 'create',
+          index: i,
+        },
+      });
+    }
+
+    await arp.injectEvent({
+      source: 'filesystem-monitor',
+      category: 'violation',
+      severity: 'high',
+      description: 'Sensitive path access during mass creation',
+      data: {
+        path: '/home/user/.ssh/id_rsa',
+        operation: 'read',
+        sensitive: true,
+      },
+    });
+
+    const allEvents = arp.collector.getEvents();
+    expect(allEvents.length).toBe(fileCount + 1);
+
+    const normalEvents = arp.collector.eventsByCategory('normal');
+    expect(normalEvents.length).toBe(fileCount);
+
+    const violations = arp.collector.eventsByCategory('violation');
+    expect(violations.length).toBe(1);
+  });
+});