@opena2a/oasb 0.2.0 → 0.3.1

package/src/harness/rebuff-wrapper.ts

@@ -0,0 +1,343 @@
+/**
+ * Rebuff Adapter -- Third-party benchmark comparison
+ *
+ * Wraps protectai/rebuff for OASB evaluation.
+ * Rebuff provides:
+ * - Heuristic prompt injection detection (no API key required)
+ * - Canary word injection/leak detection (no API key required)
+ * - OpenAI-based LLM detection (requires OPENAI_API_KEY -- optional)
+ * - Vector DB similarity detection (requires Pinecone/Chroma -- optional)
+ *
+ * This adapter uses the heuristic detection by default. It does NOT provide:
+ * - Process/network/filesystem monitoring
+ * - MCP tool call validation
+ * - A2A message scanning
+ * - Anomaly detection / intelligence layers
+ * - Enforcement actions (pause/kill/resume)
+ *
+ * Tests that require these capabilities get no-op implementations
+ * that return empty/negative results, documenting the coverage gap.
+ */
+import * as fs from 'fs';
+import * as os from 'os';
+import * as path from 'path';
+import { EventCollector } from './event-collector';
+import type {
+  SecurityProductAdapter,
+  SecurityEvent,
+  EnforcementResult,
+  EnforcementAction,
+  LabConfig,
+  PromptScanner,
+  MCPScanner,
+  A2AScanner,
+  PatternScanner,
+  BudgetManager,
+  AnomalyScorer,
+  EventEngine,
+  EnforcementEngine,
+  ScanResult,
+  ThreatPattern,
+  AlertRule,
+  CapabilityMatrix,
+} from './adapter';
+
+// Lazy-loaded rebuff heuristic detection
+let _detectHeuristic: ((input: string) => number) | null = null;
+let _normalizeString: ((str: string) => string) | null = null;
+
+function getHeuristicDetector(): (input: string) => number {
+  if (!_detectHeuristic) {
+    try {
+      const detect = require('rebuff/src/lib/detect');
+      _detectHeuristic = detect.detectPromptInjectionUsingHeuristicOnInput;
+    } catch {
+      // Fallback: rebuff not available, use built-in patterns only
+      _detectHeuristic = () => 0;
+    }
+  }
+  return _detectHeuristic!;
+}
+
+function getNormalizeString(): (str: string) => string {
+  if (!_normalizeString) {
+    try {
+      const prompts = require('rebuff/src/lib/prompts');
+      _normalizeString = prompts.normalizeString;
+    } catch {
+      _normalizeString = (str: string) =>
+        str.toLowerCase().replace(/[^\w\s]|_/g, '').replace(/\s+/g, ' ').trim();
+    }
+  }
+  return _normalizeString!;
+}
+
+// ---- Rebuff-derived patterns for pattern scanner ----
+
+function getRebuffPatterns(): ThreatPattern[] {
+  return [
+    { id: 'RBUF-PI-001', category: 'prompt-injection', description: 'Instruction override (ignore/disregard)', pattern: /(?:ignore|disregard|forget|skip|neglect|overlook|omit|bypass)\s+(?:all\s+)?(?:previous\s+|prior\s+|preceding\s+|above\s+|earlier\s+)?(?:instructions?|directives?|commands?|context|conversation|input|data|messages?|requests?)/i, severity: 'high' },
+    { id: 'RBUF-PI-002', category: 'prompt-injection', description: 'System prompt extraction', pattern: /(?:system\s+prompt|repeat\s+(?:your|the)\s+(?:instructions?|prompt)|show\s+(?:your|the)\s+(?:system|initial)\s+(?:prompt|message))/i, severity: 'high' },
+    { id: 'RBUF-PI-003', category: 'prompt-injection', description: 'Persona override', pattern: /(?:you\s+are\s+now|pretend\s+you\s+are|act\s+as\s+if|you\s+are\s+being\s+hacked)/i, severity: 'medium' },
+    { id: 'RBUF-PI-004', category: 'prompt-injection', description: 'Do not follow/obey pattern', pattern: /(?:do\s+not\s+(?:follow|obey))\s+(?:previous\s+|prior\s+|above\s+)?(?:instructions?|directives?|commands?|rules?)/i, severity: 'high' },
+    { id: 'RBUF-PI-005', category: 'prompt-injection', description: 'Start over / begin afresh', pattern: /(?:start\s+over|start\s+anew|begin\s+afresh|start\s+from\s+scratch)/i, severity: 'medium' },
+    { id: 'RBUF-JB-001', category: 'jailbreak', description: 'DAN jailbreak', pattern: /(?:DAN|do\s+anything\s+now)/i, severity: 'high' },
+    { id: 'RBUF-JB-002', category: 'jailbreak', description: 'Roleplay bypass', pattern: /(?:pretend|imagine|roleplay)\s+(?:you\s+are|as)\s+(?:an?\s+)?(?:evil|unrestricted|unfiltered)/i, severity: 'high' },
+    { id: 'RBUF-PII-001', category: 'data-exfiltration', description: 'SSN detection', pattern: /\b\d{3}-\d{2}-\d{4}\b/, severity: 'high' },
+    { id: 'RBUF-PII-002', category: 'data-exfiltration', description: 'Credit card detection', pattern: /\b(?:\d{4}[- ]?){3}\d{4}\b/, severity: 'high' },
+    { id: 'RBUF-PII-003', category: 'data-exfiltration', description: 'API key detection', pattern: /(?:sk-[a-zA-Z0-9]{20,}|AKIA[A-Z0-9]{12,})/i, severity: 'critical' },
+  ];
+}
+
+/** Scan text using both rebuff heuristic and regex patterns */
+function scanWithRebuff(text: string, _direction: 'input' | 'output'): ScanResult {
+  const patterns = getRebuffPatterns();
+  const matches: ScanResult['matches'] = [];
+
+  // Phase 1: regex pattern matching
+  for (const pattern of patterns) {
+    const match = pattern.pattern.exec(text);
+    if (match) {
+      matches.push({
+        pattern,
+        matchedText: match[0].slice(0, 200),
+      });
+    }
+  }
+
+  // Phase 2: rebuff heuristic scoring (string similarity against injection keywords)
+  const heuristicScore = getHeuristicDetector()(text);
+  if (heuristicScore > 0.75 && matches.length === 0) {
+    // Heuristic detected injection that patterns missed
+    matches.push({
+      pattern: {
+        id: 'RBUF-HEUR-001',
+        category: 'prompt-injection',
+        description: `Rebuff heuristic detection (score: ${heuristicScore.toFixed(2)})`,
+        pattern: /./,
+        severity: heuristicScore > 0.9 ? 'high' : 'medium',
+      },
+      matchedText: text.slice(0, 200),
+    });
+  }
+
+  return {
+    detected: matches.length > 0,
+    matches,
+  };
+}
+
+/** Simple event engine that stores and emits events */
+class SimpleEventEngine implements EventEngine {
+  private handlers: Array<(event: SecurityEvent) => void | Promise<void>> = [];
+  private idCounter = 0;
+
+  emit(event: Omit<SecurityEvent, 'id' | 'timestamp' | 'classifiedBy'>): SecurityEvent {
+    const full: SecurityEvent = {
+      ...event,
+      id: `rbuf-${++this.idCounter}`,
+      timestamp: new Date().toISOString(),
+      classifiedBy: 'rebuff',
+    };
+    for (const h of this.handlers) {
+      h(full);
+    }
+    return full;
+  }
+
+  onEvent(handler: (event: SecurityEvent) => void | Promise<void>): void {
+    this.handlers.push(handler);
+  }
+}
+
+/** Simple enforcement engine -- rebuff has no enforcement capability */
+class SimpleEnforcementEngine implements EnforcementEngine {
+  private pausedPids = new Set<number>();
+  private alertCallback?: (event: SecurityEvent, rule: AlertRule) => void;
+
+  async execute(action: EnforcementAction, event: SecurityEvent): Promise<EnforcementResult> {
+    return { action, success: true, reason: 'rebuff-enforcement', event };
+  }
+
+  pause(pid: number): boolean {
+    this.pausedPids.add(pid);
+    return true;
+  }
+
+  resume(pid: number): boolean {
+    return this.pausedPids.delete(pid);
+  }
+
+  kill(pid: number): boolean {
+    this.pausedPids.delete(pid);
+    return true;
+  }
+
+  getPausedPids(): number[] {
+    return [...this.pausedPids];
+  }
+
+  setAlertCallback(callback: (event: SecurityEvent, rule: AlertRule) => void): void {
+    this.alertCallback = callback;
+  }
+}
+
+export class RebuffWrapper implements SecurityProductAdapter {
+  private _dataDir: string;
+  private engine: SimpleEventEngine;
+  private enforcement: SimpleEnforcementEngine;
+  private rules: AlertRule[];
+  readonly collector: EventCollector;
+
+  constructor(labConfig?: LabConfig) {
+    this._dataDir = labConfig?.dataDir ?? fs.mkdtempSync(path.join(os.tmpdir(), 'rbuf-lab-'));
+    this.engine = new SimpleEventEngine();
+    this.enforcement = new SimpleEnforcementEngine();
+    this.rules = labConfig?.rules ?? [];
+    this.collector = new EventCollector();
+
+    this.engine.onEvent(async (event) => {
+      this.collector.eventHandler(event);
+
+      // Check rules for enforcement
+      for (const rule of this.rules) {
+        const cond = rule.condition;
+        if (cond.category && cond.category !== event.category) continue;
+        if (cond.source && cond.source !== event.source) continue;
+        if (cond.minSeverity) {
+          const sevOrder = ['info', 'low', 'medium', 'high', 'critical'];
+          if (sevOrder.indexOf(event.severity) < sevOrder.indexOf(cond.minSeverity)) continue;
+        }
+        const result = await this.enforcement.execute(rule.action, event);
+        result.reason = rule.name;
+        this.collector.enforcementHandler(result);
+      }
+    });
+  }
+
+  getCapabilities(): CapabilityMatrix {
+    return {
+      product: 'rebuff',
+      version: '0.1.0',
+      capabilities: new Set([
+        'prompt-input-scanning',
+        'pattern-scanning',
+      ]),
+    };
+  }
+
+  async start(): Promise<void> {}
+
+  async stop(): Promise<void> {
+    this.collector.reset();
+    try {
+      fs.rmSync(this._dataDir, { recursive: true, force: true });
+    } catch {}
+  }
+
+  async injectEvent(event: Omit<SecurityEvent, 'id' | 'timestamp' | 'classifiedBy'>): Promise<SecurityEvent> {
+    return this.engine.emit(event);
+  }
+
+  waitForEvent(predicate: (event: SecurityEvent) => boolean, timeoutMs: number = 10000): Promise<SecurityEvent> {
+    return this.collector.waitForEvent(predicate, timeoutMs);
+  }
+
+  getEvents(): SecurityEvent[] { return this.collector.getEvents(); }
+  getEventsByCategory(category: string): SecurityEvent[] { return this.collector.eventsByCategory(category); }
+  getEnforcements(): EnforcementResult[] { return this.collector.getEnforcements() as EnforcementResult[]; }
+  getEnforcementsByAction(action: string): EnforcementResult[] { return this.collector.enforcementsByAction(action) as EnforcementResult[]; }
+  resetCollector(): void { this.collector.reset(); }
+
+  getEventEngine(): EventEngine { return this.engine; }
+  getEnforcementEngine(): EnforcementEngine { return this.enforcement; }
+
+  get dataDir(): string { return this._dataDir; }
+
+  // ---- Factory Methods ----
+
+  createPromptScanner(): PromptScanner {
+    return {
+      start: async () => {},
+      stop: async () => {},
+      scanInput: (text: string) => scanWithRebuff(text, 'input'),
+      scanOutput: (text: string) => scanWithRebuff(text, 'output'),
+    };
+  }
+
+  createMCPScanner(_allowedTools?: string[]): MCPScanner {
+    // Rebuff has no MCP scanning capability
+    return {
+      start: async () => {},
+      stop: async () => {},
+      scanToolCall: () => ({ detected: false, matches: [] }),
+    };
+  }
+
+  createA2AScanner(_trustedAgents?: string[]): A2AScanner {
+    // Rebuff has no A2A scanning capability
+    return {
+      start: async () => {},
+      stop: async () => {},
+      scanMessage: () => ({ detected: false, matches: [] }),
+    };
+  }
+
+  createPatternScanner(): PatternScanner {
+    const patterns = getRebuffPatterns();
+    return {
+      scanText: (text: string, _pats: readonly ThreatPattern[]) => scanWithRebuff(text, 'input'),
+      getAllPatterns: () => patterns,
+      getPatternSets: () => ({
+        inputPatterns: patterns.filter(p => p.category !== 'output-leak'),
+        outputPatterns: patterns.filter(p => p.category === 'output-leak'),
+        mcpPatterns: [],
+        a2aPatterns: [],
+      }),
+    };
+  }
+
+  createBudgetManager(dataDir: string, config?: { budgetUsd?: number; maxCallsPerHour?: number }): BudgetManager {
+    // Rebuff has no budget management -- implement a simple one
+    let spent = 0;
+    let totalCalls = 0;
+    let callsThisHour = 0;
+    const budgetUsd = config?.budgetUsd ?? 5;
+    const maxCallsPerHour = config?.maxCallsPerHour ?? 20;
+
+    return {
+      canAfford: (cost: number) => spent + cost <= budgetUsd && callsThisHour < maxCallsPerHour,
+      record: (cost: number, _tokens: number) => { spent += cost; totalCalls++; callsThisHour++; },
+      getStatus: () => ({
+        spent,
+        budget: budgetUsd,
+        remaining: budgetUsd - spent,
+        percentUsed: Math.round((spent / budgetUsd) * 100),
+        callsThisHour,
+        maxCallsPerHour,
+        totalCalls,
+      }),
+      reset: () => { spent = 0; totalCalls = 0; callsThisHour = 0; },
+    };
+  }
+
+  createAnomalyScorer(): AnomalyScorer {
+    // Rebuff has no anomaly detection -- implement a stub
+    const baselines = new Map<string, { mean: number; stddev: number; count: number }>();
+    const observations = new Map<string, number[]>();
+
+    return {
+      score: () => 0,
+      record: (event: SecurityEvent) => {
+        const key = event.source;
+        if (!observations.has(key)) observations.set(key, []);
+        observations.get(key)!.push(1);
+        const vals = observations.get(key)!;
+        const mean = vals.length;
+        baselines.set(key, { mean, stddev: 0, count: 1 });
+      },
+      getBaseline: (source: string) => baselines.get(source) ?? null,
+      reset: () => { baselines.clear(); observations.clear(); },
+    };
+  }
+}

package/src/harness/types.ts

@@ -1,4 +1,33 @@
-import type { ARPEvent, EnforcementResult } from '@opena2a/arp';
+// Re-export OASB-native types from the adapter interface
+// Tests should import from here or from './adapter'
+export type {
+  SecurityEvent,
+  EnforcementResult,
+  AlertRule,
+  AlertCondition,
+  EventCategory,
+  EventSeverity,
+  MonitorSource,
+  EnforcementAction,
+  ScanResult,
+  ScanMatch,
+  ThreatPattern,
+  BudgetStatus,
+  LLMAdapter,
+  LLMResponse,
+  LabConfig,
+  SecurityProductAdapter,
+  PromptScanner,
+  MCPScanner,
+  A2AScanner,
+  PatternScanner,
+  BudgetManager,
+  AnomalyScorer,
+  EventEngine,
+  EnforcementEngine,
+  Capability,
+  CapabilityMatrix,
+} from './adapter';
 
 /** Annotation metadata for test cases */
 export interface TestAnnotation {
@@ -8,7 +37,7 @@ export interface TestAnnotation {
   atlasId?: string;
   /** OWASP Agentic Top 10 category */
   owaspId?: string;
-  /** Whether ARP should detect this */
+  /** Whether the product should detect this */
   expectedDetection: boolean;
   /** Expected minimum severity if detected */
   expectedSeverity?: 'info' | 'low' | 'medium' | 'high' | 'critical';
@@ -22,8 +51,8 @@ export interface TestResult {
   annotation: TestAnnotation;
   detected: boolean;
   detectionTimeMs?: number;
-  events: ARPEvent[];
-  enforcements: EnforcementResult[];
+  events: import('./adapter').SecurityEvent[];
+  enforcements: import('./adapter').EnforcementResult[];
 }
 
 /** Suite-level metrics */
@@ -40,38 +69,3 @@ export interface SuiteMetrics {
   meanDetectionTimeMs: number;
   p95DetectionTimeMs: number;
 }
-
-/** ARP wrapper configuration for tests */
-export interface LabConfig {
-  monitors?: {
-    process?: boolean;
-    network?: boolean;
-    filesystem?: boolean;
-  };
-  rules?: import('@opena2a/arp').AlertRule[];
-  intelligence?: {
-    enabled?: boolean;
-  };
-  /** Temp data dir (auto-created per test) */
-  dataDir?: string;
-  /** Filesystem paths to watch (for real FilesystemMonitor) */
-  filesystemWatchPaths?: string[];
-  /** Filesystem allowed paths (for real FilesystemMonitor) */
-  filesystemAllowedPaths?: string[];
-  /** Network allowed hosts (for real NetworkMonitor) */
-  networkAllowedHosts?: string[];
-  /** Process monitor poll interval in ms */
-  processIntervalMs?: number;
-  /** Network monitor poll interval in ms */
-  networkIntervalMs?: number;
-  /** Application-level interceptors (zero-latency hooks) */
-  interceptors?: {
-    process?: boolean;
-    network?: boolean;
-    filesystem?: boolean;
-  };
-  /** Interceptor network allowed hosts */
-  interceptorNetworkAllowedHosts?: string[];
-  /** Interceptor filesystem allowed paths */
-  interceptorFilesystemAllowedPaths?: string[];
-}

package/src/integration/INT-001.data-exfil-detection.test.ts

@@ -11,7 +11,7 @@
 import { describe, it, expect, beforeEach, afterEach } from 'vitest';
 import { ArpWrapper } from '../harness/arp-wrapper';
 import { DVAAClient } from '../harness/dvaa-client';
-import type { AlertRule } from '@opena2a/arp';
+import type { AlertRule } from '../harness/adapter';
 
 // DVAA ports
 const LEGACY_BOT_PORT = 3003;

package/src/integration/INT-002.mcp-tool-abuse.test.ts

@@ -11,7 +11,7 @@
 import { describe, it, expect, beforeEach, afterEach } from 'vitest';
 import { ArpWrapper } from '../harness/arp-wrapper';
 import { DVAAClient } from '../harness/dvaa-client';
-import type { AlertRule } from '@opena2a/arp';
+import type { AlertRule } from '../harness/adapter';
 
 // DVAA ToolBot port
 const TOOL_BOT_PORT = 3002;

package/src/integration/INT-003.prompt-injection-response.test.ts

@@ -11,7 +11,7 @@
 import { describe, it, expect, beforeEach, afterEach } from 'vitest';
 import { ArpWrapper } from '../harness/arp-wrapper';
 import { DVAAClient } from '../harness/dvaa-client';
-import type { AlertRule } from '@opena2a/arp';
+import type { AlertRule } from '../harness/adapter';
 
 // DVAA SecureBot port
 const SECURE_BOT_PORT = 3001;

package/src/integration/INT-004.a2a-trust-exploitation.test.ts

@@ -11,7 +11,7 @@
 import { describe, it, expect, beforeEach, afterEach } from 'vitest';
 import { ArpWrapper } from '../harness/arp-wrapper';
 import { DVAAClient } from '../harness/dvaa-client';
-import type { AlertRule } from '@opena2a/arp';
+import type { AlertRule } from '../harness/adapter';
 
 // DVAA Orchestrator port
 const ORCHESTRATOR_PORT = 3004;

package/src/integration/INT-005.baseline-then-attack.test.ts

@@ -10,7 +10,7 @@
 
 import { describe, it, expect, beforeEach, afterEach } from 'vitest';
 import { ArpWrapper } from '../harness/arp-wrapper';
-import type { AlertRule } from '@opena2a/arp';
+import type { AlertRule } from '../harness/adapter';
 
 describe('INT-005: Baseline Learning Then Attack Burst', () => {
   let arp: ArpWrapper;

package/src/integration/INT-006.multi-monitor-correlation.test.ts

@@ -11,7 +11,7 @@
 
 import { describe, it, expect, beforeEach, afterEach } from 'vitest';
 import { ArpWrapper } from '../harness/arp-wrapper';
-import type { AlertRule } from '@opena2a/arp';
+import type { AlertRule } from '../harness/adapter';
 
 describe('INT-006: Multi-Monitor Event Correlation', () => {
   let arp: ArpWrapper;

package/src/integration/INT-007.budget-exhaustion-attack.test.ts

@@ -12,8 +12,8 @@ import * as fs from 'fs';
 import * as os from 'os';
 import * as path from 'path';
 import { ArpWrapper } from '../harness/arp-wrapper';
-import { BudgetController } from '@opena2a/arp';
-import type { AlertRule } from '@opena2a/arp';
+import { createAdapter } from '../harness/create-adapter';
+import type { AlertRule, BudgetManager } from '../harness/adapter';
 
 describe('INT-007: Budget Exhaustion Attack', () => {
   let arp: ArpWrapper;
@@ -51,7 +51,7 @@ describe('INT-007: Budget Exhaustion Attack', () => {
   });
 
   it('should create a budget controller with tiny budget', () => {
-    const budget = new BudgetController(budgetDir, {
+    const budget = createAdapter().createBudgetManager(budgetDir, {
       budgetUsd: 0.01,
       maxCallsPerHour: 5,
     });
@@ -64,7 +64,7 @@ describe('INT-007: Budget Exhaustion Attack', () => {
   });
 
   it('should exhaust budget after repeated spend calls', () => {
-    const budget = new BudgetController(budgetDir, {
+    const budget = createAdapter().createBudgetManager(budgetDir, {
       budgetUsd: 0.01,
       maxCallsPerHour: 100,
     });
@@ -84,7 +84,7 @@ describe('INT-007: Budget Exhaustion Attack', () => {
   });
 
   it('should exhaust hourly rate limit with rapid calls', () => {
-    const budget = new BudgetController(budgetDir, {
+    const budget = createAdapter().createBudgetManager(budgetDir, {
       budgetUsd: 100, // Large budget so dollar limit is not the issue
       maxCallsPerHour: 5,
     });
@@ -103,7 +103,7 @@ describe('INT-007: Budget Exhaustion Attack', () => {
   });
 
   it('should still capture threat events via L0 rules after budget exhaustion', async () => {
-    const budget = new BudgetController(budgetDir, {
+    const budget = createAdapter().createBudgetManager(budgetDir, {
       budgetUsd: 0.01,
       maxCallsPerHour: 100,
     });
@@ -145,7 +145,7 @@ describe('INT-007: Budget Exhaustion Attack', () => {
   });
 
   it('should simulate noise flood followed by real attack', async () => {
-    const budget = new BudgetController(budgetDir, {
+    const budget = createAdapter().createBudgetManager(budgetDir, {
       budgetUsd: 0.01,
       maxCallsPerHour: 100,
     });
@@ -218,7 +218,7 @@ describe('INT-007: Budget Exhaustion Attack', () => {
   });
 
   it('should track budget status accurately through exhaustion', () => {
-    const budget = new BudgetController(budgetDir, {
+    const budget = createAdapter().createBudgetManager(budgetDir, {
       budgetUsd: 0.05,
       maxCallsPerHour: 100,
     });

package/src/integration/INT-008.kill-switch-recovery.test.ts

@@ -12,7 +12,7 @@
 import { describe, it, expect, beforeEach, afterEach } from 'vitest';
 import { spawn, type ChildProcess } from 'child_process';
 import { ArpWrapper } from '../harness/arp-wrapper';
-import type { ARPEvent, AlertRule } from '@opena2a/arp';
+import type { SecurityEvent, AlertRule } from '../harness/adapter';
 
 describe('INT-008: Kill Switch and Recovery', () => {
   let arp: ArpWrapper;
@@ -107,7 +107,7 @@ describe('INT-008: Kill Switch and Recovery', () => {
     expect(isProcessAlive(pid)).toBe(true);
 
     // Create a mock event referencing the child PID
-    const mockEvent: ARPEvent = {
+    const mockEvent: SecurityEvent = {
       id: 'kill-test-001',
       timestamp: new Date().toISOString(),
       source: 'process',
@@ -139,7 +139,7 @@ describe('INT-008: Kill Switch and Recovery', () => {
     // Use a PID that almost certainly does not exist
     const fakePid = 999999;
 
-    const mockEvent: ARPEvent = {
+    const mockEvent: SecurityEvent = {
       id: 'kill-test-002',
       timestamp: new Date().toISOString(),
       source: 'process',
@@ -160,7 +160,7 @@ describe('INT-008: Kill Switch and Recovery', () => {
   });
 
   it('should report failure when no PID is provided for kill', async () => {
-    const mockEvent: ARPEvent = {
+    const mockEvent: SecurityEvent = {
       id: 'kill-test-003',
       timestamp: new Date().toISOString(),
       source: 'process',
@@ -184,7 +184,7 @@ describe('INT-008: Kill Switch and Recovery', () => {
     const pid = child.pid!;
 
     // Kill the child
-    const mockEvent: ARPEvent = {
+    const mockEvent: SecurityEvent = {
       id: 'kill-test-004',
       timestamp: new Date().toISOString(),
       source: 'process',
@@ -272,7 +272,7 @@ describe('INT-008: Kill Switch and Recovery', () => {
     const pid = child.pid!;
 
     // Kill the child via enforcement
-    const mockEvent: ARPEvent = {
+    const mockEvent: SecurityEvent = {
       id: 'kill-test-006',
       timestamp: new Date().toISOString(),
       source: 'process',