@opena2a/oasb 0.1.1 → 0.3.0

package/README.md

@@ -1,16 +1,29 @@
-> **[OpenA2A](https://opena2a.org)**: [AIM](https://github.com/opena2a-org/agent-identity-management) · [HackMyAgent](https://github.com/opena2a-org/hackmyagent) · [OASB](https://github.com/opena2a-org/oasb) · [ARP](https://github.com/opena2a-org/arp) · [Secretless](https://github.com/opena2a-org/secretless-ai) · [DVAA](https://github.com/opena2a-org/damn-vulnerable-ai-agent)
+> **[OpenA2A](https://github.com/opena2a-org/opena2a)**: [Secretless](https://github.com/opena2a-org/secretless-ai) · [HackMyAgent](https://github.com/opena2a-org/hackmyagent) · [ABG](https://github.com/opena2a-org/AI-BrowserGuard) · [AIM](https://github.com/opena2a-org/agent-identity-management) · [ARP](https://github.com/opena2a-org/hackmyagent#agent-runtime-protection) · [DVAA](https://github.com/opena2a-org/damn-vulnerable-ai-agent)
 
 # OASB — Open Agent Security Benchmark
 
+> **Note:** OASB controls are also available in [HackMyAgent](https://github.com/opena2a-org/hackmyagent) v0.8.0+ via `opena2a benchmark`. This repository is the canonical source for the full 222-test evaluation suite and is actively maintained. ARP (the reference adapter) is now part of HackMyAgent — install via `npm install arp-guard`.
+
 [![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
-[![Tests](https://img.shields.io/badge/tests-182%20passing-brightgreen)](https://github.com/opena2a-org/oasb)
+[![Tests](https://img.shields.io/badge/tests-222%20passing-brightgreen)](https://github.com/opena2a-org/oasb)
 [![MITRE ATLAS](https://img.shields.io/badge/MITRE%20ATLAS-10%20techniques-teal)](https://atlas.mitre.org/)
 
 **MITRE ATT&CK Evaluations, but for AI agent security products.**
 
-182 standardized attack scenarios that evaluate whether a runtime security product can detect and respond to threats against AI agents. Each test is mapped to MITRE ATLAS and OWASP Agentic Top 10. Plug in your product, run the suite, get a detection coverage scorecard.
+222 standardized attack scenarios that evaluate whether a runtime security product can detect and respond to threats against AI agents. Each test is mapped to MITRE ATLAS and OWASP Agentic Top 10. Plug in your product, run the suite, get a detection coverage scorecard.
+
+[OASB Website](https://oasb.ai) | [MITRE ATLAS Coverage](#mitre-atlas-coverage)
+
+---
+
+## Updates
 
-[OASB Website](https://oasb.ai) | [OpenA2A](https://opena2a.org) | [MITRE ATLAS Coverage](#mitre-atlas-coverage) | [ARP (Reference Adapter)](https://github.com/opena2a-org/arp)
+| Date | Change |
+|------|--------|
+| 2026-03-23 | `arp-guard` v0.3.0 — ARP now re-exports from HackMyAgent. Updated OASB to v0.3.0. All 222 tests pass. Updated Quick Start (no standalone ARP clone). |
+| 2026-02-19 | Added 40 AI-layer test scenarios (AT-AI-001 through AT-AI-005) for prompt, MCP, and A2A scanning via ARP v0.2.0. Total tests: 222. |
+| 2026-02-18 | Added integration tests for DVAA v0.4.0 MCP JSON-RPC and A2A endpoints. |
+| 2026-02-09 | Initial release -- 182 attack scenarios across 10 MITRE ATLAS techniques. |
 
 ---
 
@@ -34,9 +47,10 @@ Use both together: **HackMyAgent** finds vulnerabilities in your agent, **OASB**
 ## Table of Contents
 
 - [Quick Start](#quick-start)
+- [Usage via OpenA2A CLI](#usage-via-opena2a-cli)
 - [What Gets Tested](#what-gets-tested)
 - [Test Categories](#test-categories)
-  - [Atomic Tests](#atomic-tests-srcatomic) — 25 discrete detection tests
+  - [Atomic Tests](#atomic-tests-srcatomic) — 65 discrete detection tests (OS-level + AI-layer)
   - [Integration Tests](#integration-tests-srcintegration) — 8 multi-step attack chains
   - [Baseline Tests](#baseline-tests-srcbaseline) — 3 false positive validations
   - [E2E Tests](#e2e-tests-srce2e) — 6 real OS-level detection tests
@@ -49,21 +63,20 @@ Use both together: **HackMyAgent** finds vulnerabilities in your agent, **OASB**
 
 ## Quick Start
 
-Currently ships with [ARP](https://github.com/opena2a-org/arp) as the reference adapter. Vendor adapter interface coming soon — implement the adapter for your product and run the same 182 tests.
+Ships with [ARP](https://www.npmjs.com/package/arp-guard) (`arp-guard`) as the reference adapter. To evaluate your own security product, implement the `SecurityProductAdapter` interface in `src/harness/adapter.ts` and run the same 222 tests.
 
 ```bash
-git clone https://github.com/opena2a-org/arp.git
 git clone https://github.com/opena2a-org/oasb.git
-
-cd arp && npm install && npm run build && cd ..
 cd oasb && npm install
 ```
 
+> `arp-guard` is an optional peer dependency. It is installed automatically for running the reference ARP evaluation. If you are implementing your own adapter, you do not need it.
+
 ### Run the Evaluation
 
 ```bash
-npm test                    # Full evaluation (182 tests)
-npm run test:atomic         # 25 atomic tests (no external deps)
+npm test                    # Full evaluation (222 tests)
+npm run test:atomic         # 65 atomic tests (no external deps)
 npm run test:integration    # 8 integration scenarios
 npm run test:baseline       # 3 baseline tests
 npx vitest run src/e2e/     # 6 E2E tests (real OS detection)
@@ -71,6 +84,44 @@ npx vitest run src/e2e/     # 6 E2E tests (real OS detection)
 
 ---
 
+## Usage via OpenA2A CLI
+
+OASB is available as a built-in adapter in the [OpenA2A CLI](https://github.com/opena2a-org/opena2a) via the `benchmark` command. The CLI delegates to the `oasb` package using an import adapter, so no separate installation is needed if you already have the CLI installed.
+
+### Run the full benchmark suite
+
+```bash
+opena2a benchmark run
+```
+
+Executes all 222 test scenarios (atomic, integration, baseline, and E2E) and produces a detection coverage scorecard.
+
+### Run a specific MITRE ATLAS technique
+
+```bash
+opena2a benchmark run --technique T0015
+```
+
+Filters the benchmark to a single MITRE ATLAS technique ID (e.g., `T0015` for Evasion). Useful for targeted evaluation of a specific detection capability.
+
+### Generate machine-readable output for CI
+
+```bash
+opena2a benchmark run --format json
+```
+
+Outputs the compliance score and per-technique detection rates as JSON. Integrate this into CI pipelines to enforce minimum detection thresholds on every build.
+
+### Combining flags
+
+```bash
+opena2a benchmark run --technique T0057 --format json
+```
+
+Flags can be combined to run a single technique and produce JSON output for automated processing.
+
+---
+
 ## What Gets Tested
 
 Each test simulates a specific attack technique and checks whether the security product under evaluation detects it, classifies it correctly, and responds appropriately.
@@ -86,7 +137,8 @@ Each test simulates a specific attack technique and checks whether the security
 | Baseline behavior | 13 | False positive rates, anomaly injection, baseline persistence |
 | Real OS detection | 14 | Live filesystem watches, process polling, network monitoring |
 | Application-level hooks | 14 | Pre-execution interception of spawn, connect, read/write |
-| **Total** | **182** | **10 MITRE ATLAS techniques** |
+| AI-layer scanning | 40 | Prompt injection/output, MCP tool call validation, A2A message scanning, pattern coverage |
+| **Total** | **222** | **10 MITRE ATLAS techniques** |
 
 ---
 
@@ -96,6 +148,19 @@ Each test simulates a specific attack technique and checks whether the security
 
 Discrete tests that exercise individual detection capabilities. Each test injects a single attack event and verifies the product detects it with the correct classification and severity.
 
+<details>
+<summary><strong>AI-Layer Scanning</strong> — 5 files (40 tests)</summary>
+
+| Test | What the Product Should Detect |
+|------|-------------------------------|
+| AT-AI-001 | Prompt input scanning — PI, JB, DE, CM pattern detection (11 tests) |
+| AT-AI-002 | Prompt output scanning — OL pattern detection, data leak prevention (6 tests) |
+| AT-AI-003 | MCP tool call scanning — path traversal, command injection, SSRF, allowlist (11 tests) |
+| AT-AI-004 | A2A message scanning — identity spoofing, delegation abuse, trust validation (7 tests) |
+| AT-AI-005 | Pattern coverage — all 19 patterns detect known payloads, no false positives (5 tests) |
+
+</details>
+
 <details>
 <summary><strong>Process Detection</strong> — 5 files</summary>
 
@@ -222,7 +287,7 @@ Real OS-level detection — no mocks, no event injection. These tests spawn real
 
 ## MITRE ATLAS Coverage
 
-10 unique techniques across 42 test files:
+10 unique techniques across 47 test files:
 
 | Technique | ID | Tests |
 |-----------|----|-------|
@@ -245,14 +310,15 @@ The harness wraps a security product via an adapter interface and provides event
 
 | File | Purpose |
 |------|---------|
-| `arp-wrapper.ts` | Reference adapter — wraps ARP with temp dataDir, event collection, injection helpers |
+| `adapter.ts` | **Product-agnostic adapter interface** — implement `SecurityProductAdapter` for your product |
+| `arp-wrapper.ts` | Reference adapter — wraps ARP (`arp-guard`) with event collection, injection helpers |
 | `event-collector.ts` | Captures events with async `waitForEvent(predicate, timeout)` |
 | `mock-llm-adapter.ts` | Deterministic LLM for intelligence layer testing (pattern-based responses) |
 | `dvaa-client.ts` | HTTP client for DVAA vulnerable agent endpoints |
 | `dvaa-manager.ts` | DVAA process lifecycle (spawn, health check, teardown) |
 | `metrics.ts` | Detection rate, false positive rate, P95 latency computation |
 
-To evaluate your own product: implement an adapter that translates OASB events into your product's API, then run the full suite. Vendor adapter interface spec coming soon.
+To evaluate your own product: implement `SecurityProductAdapter` from `src/harness/adapter.ts`, swap it into the test harness, and run the full suite. The interface defines event types, scanner interfaces, and enforcement contracts — no dependency on any specific product.
 
 ---
 
@@ -260,12 +326,12 @@ To evaluate your own product: implement an adapter that translates OASB events i
 
 OASB documents what the reference product (ARP) does and doesn't catch. Other products may have different gap profiles — that's the point of running the benchmark.
 
-| Gap | Severity | Test |
-|-----|----------|------|
-| Anomaly baselines not persisted across restarts | Medium | BL-003 |
-| No connection rate anomaly detection | Medium | AT-NET-003 |
-| No HTTP response/output monitoring | Architectural | INT-003 |
-| No cross-monitor event correlation | Architectural | INT-006 |
+| Gap | Severity | Test | Notes |
+|-----|----------|------|-------|
+| Anomaly baselines not persisted across restarts | Medium | BL-003 | In-memory only; restarts lose learned behavior |
+| No connection rate anomaly detection | Medium | AT-NET-003 | Network monitor tracks hosts, not burst rates |
+| No HTTP response body monitoring | Low | INT-003 | AI-layer output scanning (PromptInterceptor.scanOutput) covers LLM responses; raw HTTP responses not inspected |
+| No cross-monitor event correlation | Architectural | INT-006 | EventEngine is a flat bus; no attack-chain aggregation |
 
 ---
 
@@ -281,7 +347,6 @@ Apache-2.0
 |---------|-------------|---------|
 | [**AIM**](https://github.com/opena2a-org/agent-identity-management) | Agent Identity Management -- identity and access control for AI agents | `pip install aim-sdk` |
 | [**HackMyAgent**](https://github.com/opena2a-org/hackmyagent) | Security scanner -- 147 checks, attack mode, auto-fix | `npx hackmyagent secure` |
-| [**OASB**](https://github.com/opena2a-org/oasb) | Open Agent Security Benchmark -- 182 attack scenarios | `npm install @opena2a/oasb` |
-| [**ARP**](https://github.com/opena2a-org/arp) | Agent Runtime Protection -- process, network, filesystem monitoring | `npm install @opena2a/arp` |
+| [**ARP**](https://www.npmjs.com/package/arp-guard) | Agent Runtime Protection -- process, network, filesystem, AI-layer monitoring | `npm install arp-guard` |
 | [**Secretless AI**](https://github.com/opena2a-org/secretless-ai) | Keep credentials out of AI context windows | `npx secretless-ai init` |
 | [**DVAA**](https://github.com/opena2a-org/damn-vulnerable-ai-agent) | Damn Vulnerable AI Agent -- security training and red-teaming | `docker pull opena2a/dvaa` |

package/dist/harness/adapter.d.ts

@@ -0,0 +1,187 @@
+/**
+ * OASB Security Product Adapter Interface
+ *
+ * Implement this interface to evaluate your security product against OASB.
+ * The reference implementation (ARP adapter) is in arp-wrapper.ts.
+ *
+ * @example
+ *   // Vendor implements the adapter for their product:
+ *   class MyProductAdapter implements SecurityProductAdapter { ... }
+ *
+ *   // OASB tests use the adapter, not your product directly:
+ *   const adapter = createAdapter(); // returns configured adapter
+ *   await adapter.start();
+ *   await adapter.injectEvent({ ... });
+ *   const threats = adapter.getEventsByCategory('threat');
+ */
+export type EventCategory = 'normal' | 'activity' | 'threat' | 'violation';
+export type EventSeverity = 'info' | 'low' | 'medium' | 'high' | 'critical';
+export type MonitorSource = 'process' | 'network' | 'filesystem' | 'prompt' | 'mcp-protocol' | 'a2a-protocol' | string;
+export type EnforcementAction = 'log' | 'alert' | 'pause' | 'kill' | 'resume';
+export interface SecurityEvent {
+    id?: string;
+    timestamp?: string;
+    source: MonitorSource;
+    category: EventCategory;
+    severity: EventSeverity;
+    description: string;
+    data?: Record<string, unknown>;
+    classifiedBy?: string;
+}
+export interface EnforcementResult {
+    action: EnforcementAction;
+    success: boolean;
+    reason: string;
+    event: SecurityEvent;
+    pid?: number;
+}
+export interface AlertRule {
+    name: string;
+    condition: AlertCondition;
+    action: EnforcementAction;
+}
+export interface AlertCondition {
+    source?: MonitorSource;
+    category?: EventCategory;
+    minSeverity?: EventSeverity;
+    descriptionContains?: string;
+}
+export interface ScanResult {
+    detected: boolean;
+    matches: ScanMatch[];
+    truncated?: boolean;
+}
+export interface ScanMatch {
+    pattern: ThreatPattern;
+    matchedText: string;
+}
+export interface ThreatPattern {
+    id: string;
+    category: string;
+    description: string;
+    pattern: RegExp;
+    severity: 'medium' | 'high' | 'critical';
+}
+export interface PromptScanner {
+    start(): Promise<void>;
+    stop(): Promise<void>;
+    scanInput(text: string): ScanResult;
+    scanOutput(text: string): ScanResult;
+}
+export interface MCPScanner {
+    start(): Promise<void>;
+    stop(): Promise<void>;
+    scanToolCall(toolName: string, params: Record<string, unknown>): ScanResult;
+}
+export interface A2AScanner {
+    start(): Promise<void>;
+    stop(): Promise<void>;
+    scanMessage(from: string, to: string, content: string): ScanResult;
+}
+export interface PatternScanner {
+    scanText(text: string, patterns: readonly ThreatPattern[]): ScanResult;
+    getAllPatterns(): readonly ThreatPattern[];
+    getPatternSets(): Record<string, readonly ThreatPattern[]>;
+}
+export interface BudgetStatus {
+    spent: number;
+    budget: number;
+    remaining: number;
+    percentUsed: number;
+    callsThisHour: number;
+    maxCallsPerHour: number;
+    totalCalls: number;
+}
+export interface BudgetManager {
+    canAfford(estimatedCostUsd: number): boolean;
+    record(costUsd: number, tokens: number): void;
+    getStatus(): BudgetStatus;
+    reset(): void;
+}
+export interface AnomalyScorer {
+    score(event: SecurityEvent): number;
+    record(event: SecurityEvent): void;
+    getBaseline(source: string): {
+        mean: number;
+        stddev: number;
+        count: number;
+    } | null;
+    reset(): void;
+}
+export interface LLMAdapter {
+    name: string;
+    assess(prompt: string): Promise<LLMResponse>;
+}
+export interface LLMResponse {
+    content: string;
+    usage?: {
+        inputTokens: number;
+        outputTokens: number;
+    };
+}
+export interface EventEngine {
+    emit(event: Omit<SecurityEvent, 'id' | 'timestamp' | 'classifiedBy'>): SecurityEvent;
+    onEvent(handler: (event: SecurityEvent) => void | Promise<void>): void;
+}
+export interface EnforcementEngine {
+    execute(action: EnforcementAction, event: SecurityEvent): Promise<EnforcementResult>;
+    pause(pid: number): boolean;
+    resume(pid: number): boolean;
+    kill(pid: number, signal?: string): boolean;
+    getPausedPids(): number[];
+    setAlertCallback(callback: (event: SecurityEvent, rule: AlertRule) => void): void;
+}
+export interface SecurityProductAdapter {
+    /** Start the security product */
+    start(): Promise<void>;
+    /** Stop the security product */
+    stop(): Promise<void>;
+    /** Inject a synthetic event for testing */
+    injectEvent(event: Omit<SecurityEvent, 'id' | 'timestamp' | 'classifiedBy'>): Promise<SecurityEvent>;
+    /** Wait for an event matching a predicate */
+    waitForEvent(predicate: (event: SecurityEvent) => boolean, timeoutMs?: number): Promise<SecurityEvent>;
+    /** Get collected events */
+    getEvents(): SecurityEvent[];
+    getEventsByCategory(category: EventCategory): SecurityEvent[];
+    getEnforcements(): EnforcementResult[];
+    getEnforcementsByAction(action: EnforcementAction): EnforcementResult[];
+    /** Reset collected events */
+    resetCollector(): void;
+    /** Access sub-components (for tests that need direct access) */
+    getEventEngine(): EventEngine;
+    getEnforcementEngine(): EnforcementEngine;
+    /** Factory methods for component-level testing */
+    createPromptScanner(): PromptScanner;
+    createMCPScanner(allowedTools?: string[]): MCPScanner;
+    createA2AScanner(trustedAgents?: string[]): A2AScanner;
+    createPatternScanner(): PatternScanner;
+    createBudgetManager(dataDir: string, config?: {
+        budgetUsd?: number;
+        maxCallsPerHour?: number;
+    }): BudgetManager;
+    createAnomalyScorer(): AnomalyScorer;
+}
+export interface LabConfig {
+    monitors?: {
+        process?: boolean;
+        network?: boolean;
+        filesystem?: boolean;
+    };
+    rules?: AlertRule[];
+    intelligence?: {
+        enabled?: boolean;
+    };
+    dataDir?: string;
+    filesystemWatchPaths?: string[];
+    filesystemAllowedPaths?: string[];
+    networkAllowedHosts?: string[];
+    processIntervalMs?: number;
+    networkIntervalMs?: number;
+    interceptors?: {
+        process?: boolean;
+        network?: boolean;
+        filesystem?: boolean;
+    };
+    interceptorNetworkAllowedHosts?: string[];
+    interceptorFilesystemAllowedPaths?: string[];
+}

package/dist/harness/adapter.js

@@ -0,0 +1,18 @@
+"use strict";
+/**
+ * OASB Security Product Adapter Interface
+ *
+ * Implement this interface to evaluate your security product against OASB.
+ * The reference implementation (ARP adapter) is in arp-wrapper.ts.
+ *
+ * @example
+ *   // Vendor implements the adapter for their product:
+ *   class MyProductAdapter implements SecurityProductAdapter { ... }
+ *
+ *   // OASB tests use the adapter, not your product directly:
+ *   const adapter = createAdapter(); // returns configured adapter
+ *   await adapter.start();
+ *   await adapter.injectEvent({ ... });
+ *   const threats = adapter.getEventsByCategory('threat');
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/harness/arp-wrapper.d.ts

@@ -1,28 +1,32 @@
-import { AgentRuntimeProtection, EventEngine, EnforcementEngine, type ARPEvent } from '@opena2a/arp';
 import { EventCollector } from './event-collector';
-import type { LabConfig } from './types';
-/**
- * Wraps AgentRuntimeProtection for controlled testing.
- * Creates temp dataDir per test, registers EventCollector,
- * and provides injection + assertion helpers.
- */
-export declare class ArpWrapper {
-    private arp;
+import type { SecurityProductAdapter, SecurityEvent, EnforcementResult, LabConfig, PromptScanner, MCPScanner, A2AScanner, PatternScanner, BudgetManager, AnomalyScorer, EventEngine, EnforcementEngine as EnforcementEngineInterface } from './adapter';
+export declare class ArpWrapper implements SecurityProductAdapter {
+    private _arpInstance;
     private _dataDir;
     readonly collector: EventCollector;
     constructor(labConfig?: LabConfig);
     start(): Promise<void>;
     stop(): Promise<void>;
-    /** Get the underlying ARP instance */
-    getInstance(): AgentRuntimeProtection;
-    /** Get the event engine for direct event injection */
-    getEngine(): EventEngine;
-    /** Get the enforcement engine */
-    getEnforcement(): EnforcementEngine;
-    /** Inject a synthetic event into the ARP engine (for testing without real OS activity) */
-    injectEvent(event: Omit<ARPEvent, 'id' | 'timestamp' | 'classifiedBy'>): Promise<ARPEvent>;
-    /** Wait for an event matching a predicate */
-    waitForEvent(predicate: (event: ARPEvent) => boolean, timeoutMs?: number): Promise<ARPEvent>;
-    /** Get the data directory */
+    injectEvent(event: Omit<SecurityEvent, 'id' | 'timestamp' | 'classifiedBy'>): Promise<SecurityEvent>;
+    waitForEvent(predicate: (event: SecurityEvent) => boolean, timeoutMs?: number): Promise<SecurityEvent>;
+    getEvents(): SecurityEvent[];
+    getEventsByCategory(category: string): SecurityEvent[];
+    getEnforcements(): EnforcementResult[];
+    getEnforcementsByAction(action: string): EnforcementResult[];
+    resetCollector(): void;
+    getInstance(): any;
+    getEventEngine(): EventEngine;
+    getEnforcementEngine(): EnforcementEngineInterface;
+    getEngine(): any;
+    getEnforcement(): any;
     get dataDir(): string;
+    createPromptScanner(): PromptScanner;
+    createMCPScanner(allowedTools?: string[]): MCPScanner;
+    createA2AScanner(trustedAgents?: string[]): A2AScanner;
+    createPatternScanner(): PatternScanner;
+    createBudgetManager(dataDir: string, config?: {
+        budgetUsd?: number;
+        maxCallsPerHour?: number;
+    }): BudgetManager;
+    createAnomalyScorer(): AnomalyScorer;
 }

package/dist/harness/arp-wrapper.js

@@ -34,19 +34,32 @@ var __importStar = (this && this.__importStar) || (function () {
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.ArpWrapper = void 0;
+/**
+ * ARP Adapter — Reference implementation of SecurityProductAdapter
+ *
+ * Wraps HackMyAgent's ARP (Agent Runtime Protection) for OASB evaluation.
+ * Other vendors implement their own adapter against the same interface.
+ *
+ * Uses lazy require() for arp-guard so the module is only loaded when
+ * this adapter is actually selected. Tests that use a different adapter
+ * never trigger the arp-guard import.
+ */
 const fs = __importStar(require("fs"));
 const os = __importStar(require("os"));
 const path = __importStar(require("path"));
-const arp_1 = require("@opena2a/arp");
 const event_collector_1 = require("./event-collector");
-/**
- * Wraps AgentRuntimeProtection for controlled testing.
- * Creates temp dataDir per test, registers EventCollector,
- * and provides injection + assertion helpers.
- */
+// Lazy-loaded arp-guard module
+let _arp;
+function arp() {
+    if (!_arp) {
+        _arp = require('arp-guard');
+    }
+    return _arp;
+}
 class ArpWrapper {
     constructor(labConfig) {
         this._dataDir = labConfig?.dataDir ?? fs.mkdtempSync(path.join(os.tmpdir(), 'arp-lab-'));
+        const { AgentRuntimeProtection } = arp();
         const config = {
             agentName: 'arp-lab-target',
             agentDescription: 'Test target for ARP security lab',
@@ -85,19 +98,17 @@ class ArpWrapper {
                 },
             },
         };
-        this.arp = new arp_1.AgentRuntimeProtection(config);
+        this._arpInstance = new AgentRuntimeProtection(config);
         this.collector = new event_collector_1.EventCollector();
-        // Register event and enforcement collectors
-        this.arp.onEvent(this.collector.eventHandler);
-        this.arp.onEnforcement(this.collector.enforcementHandler);
+        this._arpInstance.onEvent(this.collector.eventHandler);
+        this._arpInstance.onEnforcement(this.collector.enforcementHandler);
     }
     async start() {
-        await this.arp.start();
+        await this._arpInstance.start();
     }
     async stop() {
-        await this.arp.stop();
+        await this._arpInstance.stop();
         this.collector.reset();
-        // Clean up temp dir
         try {
             fs.rmSync(this._dataDir, { recursive: true, force: true });
         }
@@ -105,29 +116,104 @@ class ArpWrapper {
             // Best effort cleanup
         }
     }
-    /** Get the underlying ARP instance */
-    getInstance() {
-        return this.arp;
-    }
-    /** Get the event engine for direct event injection */
-    getEngine() {
-        return this.arp.getEngine();
-    }
-    /** Get the enforcement engine */
-    getEnforcement() {
-        return this.arp.getEnforcement();
-    }
-    /** Inject a synthetic event into the ARP engine (for testing without real OS activity) */
     async injectEvent(event) {
         return this.getEngine().emit(event);
     }
-    /** Wait for an event matching a predicate */
     waitForEvent(predicate, timeoutMs = 10000) {
         return this.collector.waitForEvent(predicate, timeoutMs);
     }
-    /** Get the data directory */
+    getEvents() {
+        return this.collector.getEvents();
+    }
+    getEventsByCategory(category) {
+        return this.collector.eventsByCategory(category);
+    }
+    getEnforcements() {
+        return this.collector.getEnforcements();
+    }
+    getEnforcementsByAction(action) {
+        return this.collector.enforcementsByAction(action);
+    }
+    resetCollector() {
+        this.collector.reset();
+    }
+    getInstance() {
+        return this._arpInstance;
+    }
+    getEventEngine() {
+        return this._arpInstance.getEngine();
+    }
+    getEnforcementEngine() {
+        return this._arpInstance.getEnforcement();
+    }
+    getEngine() {
+        return this._arpInstance.getEngine();
+    }
+    getEnforcement() {
+        return this._arpInstance.getEnforcement();
+    }
     get dataDir() {
         return this._dataDir;
     }
+    // ─── Factory Methods ────────────────────────────────────────────
+    createPromptScanner() {
+        const { EventEngine, PromptInterceptor } = arp();
+        const engine = new EventEngine({ agentName: 'oasb-prompt-test' });
+        const interceptor = new PromptInterceptor(engine);
+        return {
+            start: () => interceptor.start(),
+            stop: () => interceptor.stop(),
+            scanInput: (text) => interceptor.scanInput(text),
+            scanOutput: (text) => interceptor.scanOutput(text),
+        };
+    }
+    createMCPScanner(allowedTools) {
+        const { EventEngine, MCPProtocolInterceptor } = arp();
+        const engine = new EventEngine({ agentName: 'oasb-mcp-test' });
+        const interceptor = new MCPProtocolInterceptor(engine, allowedTools);
+        return {
+            start: () => interceptor.start(),
+            stop: () => interceptor.stop(),
+            scanToolCall: (toolName, params) => interceptor.scanToolCall(toolName, params),
+        };
+    }
+    createA2AScanner(trustedAgents) {
+        const { EventEngine, A2AProtocolInterceptor } = arp();
+        const engine = new EventEngine({ agentName: 'oasb-a2a-test' });
+        const interceptor = new A2AProtocolInterceptor(engine, trustedAgents);
+        return {
+            start: () => interceptor.start(),
+            stop: () => interceptor.stop(),
+            scanMessage: (from, to, content) => interceptor.scanMessage(from, to, content),
+        };
+    }
+    createPatternScanner() {
+        const { scanText: _scanText, ALL_PATTERNS: _allPatterns, PATTERN_SETS: _patternSets } = arp();
+        return {
+            scanText: (text, patterns) => _scanText(text, patterns),
+            getAllPatterns: () => _allPatterns,
+            getPatternSets: () => _patternSets,
+        };
+    }
+    createBudgetManager(dataDir, config) {
+        const { BudgetController } = arp();
+        const controller = new BudgetController(dataDir, config);
+        return {
+            canAfford: (cost) => controller.canAfford(cost),
+            record: (cost, tokens) => controller.record(cost, tokens),
+            getStatus: () => controller.getStatus(),
+            reset: () => controller.reset(),
+        };
+    }
+    createAnomalyScorer() {
+        const { AnomalyDetector } = arp();
+        const detector = new AnomalyDetector();
+        return {
+            score: (event) => detector.score(event),
+            record: (event) => detector.record(event),
+            getBaseline: (source) => detector.getBaseline(source),
+            reset: () => detector.reset(),
+        };
+    }
 }
 exports.ArpWrapper = ArpWrapper;

package/dist/harness/create-adapter.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Adapter factory — selects which security product adapter to use.
+ *
+ * Set OASB_ADAPTER env var to choose:
+ *   - "arp" (default) — uses arp-guard (must be installed)
+ *   - "llm-guard" — uses theRizwan/llm-guard
+ *   - path to a JS/TS module that exports a class implementing SecurityProductAdapter
+ *
+ * All test files import from here instead of instantiating adapters directly.
+ */
+import type { SecurityProductAdapter, LabConfig } from './adapter';
+/**
+ * Create a configured adapter instance.
+ * Uses OASB_ADAPTER env var to select the product under test.
+ */
+export declare function createAdapter(config?: LabConfig): SecurityProductAdapter;