
feat: add PID/process tracking for network request attribution (#132)

Merged
Mossaka merged 5 commits into main from copilot/add-pid-command-tracking
Dec 19, 2025

Conversation

Copilot AI (Contributor) commented Dec 19, 2025

  • Create src/pid-tracker.ts - PID correlation logic using /proc filesystem
  • Create src/pid-tracker.test.ts - Unit tests for PID tracking (38 tests)
  • Create containers/agent/pid-logger.sh - Shell-based alternative for container usage
  • Add PID tracking types to src/types.ts (PidTrackResult, EnhancedLogEntry)
  • Update containers/agent/Dockerfile to include pid-logger.sh
  • Add real-time PID enrichment to awf logs -f with --with-pid flag
    • Added --with-pid option to CLI
    • Updated log-streamer to enrich entries with PID info
    • Updated log-formatter to display PID info in pretty and JSON formats
    • Added tests for PID enrichment in log formatter
Original prompt

This section details the original issue you should resolve.

<issue_title>[Security] No PID/command tracking - cannot correlate requests to processes</issue_title>
<issue_description>## Priority
P1 - High

Summary

AWF cannot correlate network requests to the specific commands or processes that made them. This significantly limits security auditing, incident response, and forensic capabilities.

Current Behavior

Squid logs show:

```
1703001234.567 172.30.0.20:45678 github.com 140.82.114.3:443 HTTP/1.1 CONNECT 200 TCP_TUNNEL:HIER_DIRECT github.com:443 "curl/7.88.1"
```

This shows the container IP (172.30.0.20), not which process inside the container made the request.

Security Impact

  • Cannot answer: "Which command made this request?"
  • Cannot identify: Which tool, script, or MCP server is making outbound connections
  • Incident response limited: If data exfiltration detected, cannot trace to specific process
  • Audit incomplete: Compliance requirements may mandate full request attribution

Proposed Solution

Implement PID Tracking via /proc filesystem

Approach:

  1. Read /proc/net/tcp to find socket inode for source port
  2. Scan /proc/[pid]/fd/ to find process owning the socket
  3. Read /proc/[pid]/cmdline for full command line
  4. Log correlation in structured format

Implementation sketch:

```typescript
// src/pid-tracker.ts
import { readFile, readdir, readlink } from 'fs/promises';

const isNumeric = (name: string): boolean => /^\d+$/.test(name);

// /proc/net/tcp rows: "sl local_address rem_address st tx:rx tr:when retrnsmt uid timeout inode ..."
// local_address is HEXIP:HEXPORT (column 1); the socket inode is column 9.
function findInodeForPort(tcpTable: string, srcPort: number): string | undefined {
  for (const row of tcpTable.split('\n').slice(1)) {          // skip the header row
    const cols = row.trim().split(/\s+/);
    if (cols.length < 10) continue;
    if (parseInt(cols[1].split(':')[1], 16) === srcPort) return cols[9];
  }
  return undefined;
}

export async function trackPidForPort(srcPort: number): Promise<{pid: number, cmdline: string}> {
  // Read /proc/net/tcp to find socket inode
  const tcpConnections = await readFile('/proc/net/tcp', 'utf-8');
  const inode = findInodeForPort(tcpConnections, srcPort);
  if (inode === undefined) return { pid: -1, cmdline: 'unknown' };

  // Scan /proc/[pid]/fd/ to find process owning inode (readdir returns a Promise: await before filtering)
  const pids = (await readdir('/proc')).filter(isNumeric);
  for (const pid of pids) {
    let fds: string[];
    try { fds = await readdir(`/proc/${pid}/fd`); } catch { continue; }   // exited or not readable
    for (const fd of fds) {
      let link: string;
      try { link = await readlink(`/proc/${pid}/fd/${fd}`); } catch { continue; }  // fd closed mid-scan
      if (link === `socket:[${inode}]`) {
        // cmdline arguments are NUL-separated; join with spaces for logging
        const raw = await readFile(`/proc/${pid}/cmdline`, 'utf-8');
        return { pid: parseInt(pid, 10), cmdline: raw.split('\0').filter(Boolean).join(' ') };
      }
    }
  }
  return { pid: -1, cmdline: 'unknown' };
}
```

Structured log output:

```json
{
  "timestamp": "2024-01-01T00:00:00.000Z",
  "srcPort": 45678,
  "destDomain": "github.com",
  "destPort": 443,
  "pid": 12345,
  "cmdline": "curl https://github.com",
  "decision": "allowed"
}
```

Files to Create/Modify

  • New: src/pid-tracker.ts - PID correlation logic
  • New: containers/agent/pid-logger.sh - Shell-based alternative
  • Modify: src/docker-manager.ts - Integrate PID tracking
  • Modify: Squid log processing to include PID info

Testing

  • Verify PID tracking shows correct process info
  • Test with concurrent processes making requests
  • Verify command line captured correctly
  • Performance impact < 5% latency increase</issue_description>

Comments on the Issue (you are @copilot in this section)



Copilot AI and others added 3 commits December 19, 2025 09:13
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add PID and command tracking for network requests" to "feat: add PID/process tracking for network request attribution" Dec 19, 2025
Copilot AI requested a review from Mossaka December 19, 2025 09:25
@Mossaka Mossaka added the smoke label Dec 19, 2025
github-actions bot commented:

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

github-actions bot commented:

💥 WHOOSH! Smoke Claude springs into action on this pull request! [Panel 1 begins...]

@Mossaka Mossaka marked this pull request as ready for review December 19, 2025 17:52
github-actions bot commented:

Smoke Test Results

Last 2 Merged PRs:

Test Results:

  • ✅ GitHub MCP Testing (retrieved PRs)
  • ✅ File Writing Testing (created test file)
  • ✅ Bash Tool Testing (verified file)

Status: PASS

📰 BREAKING: Report filed by Smoke Copilot fer issue #132 🗺️

github-actions bot commented:

Smoke Test Results (Claude)

Last 2 Merged PRs:

Test Results:

  • ✅ GitHub MCP: Successfully retrieved PR data
  • ✅ File Writing: Created test file with timestamp
  • ✅ Bash Tool: Verified file contents
  • ❌ Playwright MCP: Page loaded but assets blocked (ERR_TUNNEL_CONNECTION_FAILED)

Overall Status: PARTIAL PASS (3/4 tests passed, Playwright connectivity issue)

💥 [THE END] — Illustrated by Smoke Claude fer issue #132 🗺️


github-actions bot commented Dec 19, 2025

Test Coverage Report

| Metric | Coverage | Covered/Total |
|---|---|---|
| Lines | 70.88% | 1076/1518 |
| Statements | 70.9% | 1104/1557 |
| Functions | 69.54% | 121/174 |
| Branches | 63.36% | 358/565 |

Coverage Thresholds

The project has the following coverage thresholds configured:

  • Lines: 38%
  • Statements: 38%
  • Functions: 35%
  • Branches: 30%

Coverage report generated by `npm run test:coverage`

Mossaka (Collaborator) commented Dec 19, 2025

@copilot will this be able to be integrated into the awf logs feature, so that the log file will have the correlating PID?

Copilot AI (Contributor, Author) commented Dec 19, 2025

> @copilot will this be able to be integrated into the awf logs feature, so that the log file will have the correlating PID?

The PID tracking can be integrated with awf logs for real-time log streaming (awf logs -f). The EnhancedLogEntry type (added in this PR) already extends ParsedLogEntry with pid, cmdline, comm, and inode fields.

However, there's an important limitation: PID tracking only works in real-time because:

  • /proc reflects current process state - by the time logs are viewed, processes may have exited
  • Socket inodes are ephemeral - gone once connections close

For historical log analysis, we'd need to capture PID info at request time and embed it in the log format itself (e.g., modifying Squid's log format or adding a companion log).

Would you like me to add real-time PID enrichment to awf logs -f in this PR, or should that be a follow-up?

Mossaka (Collaborator) commented Dec 19, 2025

@copilot please add real-time PID enrichment to awf logs -f in this PR

Copilot AI (Contributor, Author) commented Dec 19, 2025

> @copilot please add real-time PID enrichment to awf logs -f in this PR

Added real-time PID enrichment to awf logs in commit 8686594.

Usage:

```
awf logs -f --with-pid
```

Pretty format output:

```
[2024-01-01 12:00:00.123] CONNECT api.github.com → 200 (ALLOWED) [curl/7.88.1] <PID:12345 curl>
```

JSON format output includes new fields:

```json
{
  "timestamp": 1703001234.567,
  "domain": "github.com",
  "pid": 12345,
  "cmdline": "curl https://github.com",
  "comm": "curl",
  "inode": "123456"
}
```

Note: --with-pid only works with -f (follow mode) since PID tracking requires the process to still be running.
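As an added example (not code from this PR or the awf project), here is how a log streamer could enrich the Squid line quoted in the issue with the EnhancedLogEntry PID fields and degrade to `pid: -1` / `unknown` when the socket is already gone, which is the real-time limitation discussed above; the parsing regex, the status-to-decision mapping and the sample lookup table standing in for the /proc scan are assumptions.

```typescript
// Added example (not the PR's own code): enrich one Squid access-log line, in the
// format quoted in the issue, with the pid/cmdline/comm/inode fields of EnhancedLogEntry.
// The /proc lookup is injected so the example runs offline on constructed data.

export interface PidInfo { pid: number; cmdline: string; comm: string; inode: string; }
export type PidLookup = (srcPort: number) => PidInfo | undefined;

export interface EnhancedLogEntry {
  timestamp: number; srcIp: string; srcPort: number; domain: string; method: string;
  status: number; decision: 'allowed' | 'denied'; userAgent: string;
  pid: number; cmdline: string; comm?: string; inode?: string;
}

// <ts> <srcip:port> <domain> <dstip:port> <proto> <method> <status> <hier> <url> "<ua>"
const SQUID_RE = /^(\d+\.\d+)\s+(\d+(?:\.\d+){3}):(\d+)\s+(\S+)\s+\S+\s+\S+\s+(\S+)\s+(\d+)\s+\S+\s+\S+\s+"([^"]*)"$/;

export function enrichSquidLine(line: string, lookup: PidLookup): EnhancedLogEntry | null {
  const m = SQUID_RE.exec(line.trim());
  if (!m) return null;                                   // unknown shape: leave to the raw formatter
  const srcPort = parseInt(m[3], 10);
  const status = parseInt(m[6], 10);
  // Socket inodes are ephemeral: once the process has exited, /proc has nothing for this port,
  // so attribution degrades to pid -1 / 'unknown' instead of dropping the whole entry.
  const info: Partial<PidInfo> = lookup(srcPort) ?? {};
  return {
    timestamp: parseFloat(m[1]), srcIp: m[2], srcPort, domain: m[4], method: m[5], status,
    decision: status < 400 ? 'allowed' : 'denied',       // assumption: Squid answers denials with 403
    userAgent: m[7],
    pid: info.pid ?? -1, cmdline: info.cmdline ?? 'unknown', comm: info.comm, inode: info.inode,
  };
}

// Pretty line with the PR's "<PID:12345 curl>" suffix; "<PID:unknown>" when attribution failed
export function formatPretty(e: EnhancedLogEntry): string {
  const pidTag = e.pid > 0 ? `<PID:${e.pid}${e.comm ? ' ' + e.comm : ''}>` : '<PID:unknown>';
  return `${e.method} ${e.domain} → ${e.status} (${e.decision.toUpperCase()}) [${e.userAgent}] ${pidTag}`;
}

// Constructed sample data: the log line from the issue plus a table standing in for the /proc scan
export const SAMPLE_LINE =
  '1703001234.567 172.30.0.20:45678 github.com 140.82.114.3:443 HTTP/1.1 CONNECT 200 TCP_TUNNEL:HIER_DIRECT github.com:443 "curl/7.88.1"';
const FAKE_PROC: Record<number, PidInfo> = {
  45678: { pid: 12345, cmdline: 'curl https://github.com', comm: 'curl', inode: '123456' },
};
export const sampleLookup: PidLookup = (port) => FAKE_PROC[port];
```

A second call with a source port that is no longer in the table shows the degraded entry a streamer will emit for a process that has already exited.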

@Mossaka Mossaka merged commit 6b3894a into main Dec 19, 2025
11 checks passed
@Mossaka Mossaka deleted the copilot/add-pid-command-tracking branch December 19, 2025 23:30
Successfully merging this pull request may close these issues.

[Security] No PID/command tracking - cannot correlate requests to processes

2 participants