Add capabilities at build

tests/capability_repo/.sloptrap

@@ -0,0 +1,3 @@
+name=capability-repo
+capabilities=apt-install packet-capture nested-podman
+allow_host_network=true

tests/invalid_manifest_capabilities/.sloptrap

@@ -0,0 +1,4 @@
+name=invalid-capabilities
+capabilities=packet-capture not-a-real-capability
+codex_args=--sandbox workspace-write --ask-for-approval never
+allow_host_network=false

tests/run_tests.sh

@@ -319,6 +319,51 @@ run_resume_target() {
   teardown_stub_env
 }
 
+run_runtime_context_prompt() {
+  local scenario_dir="$TEST_ROOT/capability_repo"
+  printf '==> runtime_context_prompt\n'
+  setup_stub_env
+  if ! PATH="$STUB_BIN:$PATH" HOME="$STUB_HOME" FAKE_PODMAN_LOG="$STUB_LOG" FAKE_PODMAN_INSPECT_FAIL=1 \
+    "$SLOPTRAP_BIN" --trust-capabilities "$scenario_dir" </dev/null >/dev/null 2>&1; then
+    record_failure "runtime_context_prompt: sloptrap exited non-zero"
+    teardown_stub_env
+    return
+  fi
+  local login_line run_line
+  login_line=$(grep "FAKE PODMAN: run " "$STUB_LOG" | head -n 1 || true)
+  run_line=$(grep "FAKE PODMAN: run " "$STUB_LOG" | tail -n 1 || true)
+  if [[ -z $run_line || $run_line != *"You are running inside sloptrap"* ]]; then
+    record_failure "runtime_context_prompt: startup prompt missing from fresh run"
+  fi
+  if ! grep -q -- "manifest_present=true" "$STUB_LOG" || ! grep -q -- "requested_capabilities=apt-install nested-podman packet-capture" "$STUB_LOG"; then
+    record_failure "runtime_context_prompt: runtime summary missing manifest or capability state"
+  fi
+  if [[ -n $login_line && $login_line == *"You are running inside sloptrap"* ]]; then
+    record_failure "runtime_context_prompt: login flow should not receive startup prompt"
+  fi
+  teardown_stub_env
+}
+
+run_resume_omits_runtime_context() {
+  local scenario_dir="$TEST_ROOT/capability_repo"
+  local session_id="019a81b7-32d2-7622-8639-6698c6579625"
+  printf '==> resume_omits_runtime_context\n'
+  setup_stub_env
+  if ! PATH="$STUB_BIN:$PATH" HOME="$STUB_HOME" FAKE_PODMAN_LOG="$STUB_LOG" FAKE_PODMAN_INSPECT_FAIL=1 \
+    "$SLOPTRAP_BIN" --trust-capabilities "$scenario_dir" resume "$session_id" </dev/null >/dev/null 2>&1; then
+    record_failure "resume_omits_runtime_context: sloptrap exited non-zero"
+    teardown_stub_env
+    return
+  fi
+  if grep -q -- "You are running inside sloptrap" "$STUB_LOG"; then
+    record_failure "resume_omits_runtime_context: resume should not receive startup prompt"
+  fi
+  if ! grep -q -- "codex --sandbox danger-full-access --ask-for-approval never resume $session_id" "$STUB_LOG"; then
+    record_failure "resume_omits_runtime_context: resume invocation missing"
+  fi
+  teardown_stub_env
+}
+
 run_auth_file_mount() {
   local scenario_dir
   scenario_dir=$(cd "$TEST_ROOT/resume_target" && pwd -P)
@@ -508,6 +553,14 @@ run_invalid_manifest_packages() {
   fi
 }
 
+run_invalid_manifest_capabilities() {
+  local scenario_dir="$TEST_ROOT/invalid_manifest_capabilities"
+  printf '==> invalid_manifest_capabilities\n'
+  if "$SLOPTRAP_BIN" --dry-run "$scenario_dir" </dev/null >/dev/null 2>&1; then
+    record_failure "invalid_manifest_capabilities: expected rejection for bad capabilities"
+  fi
+}
+
 run_invalid_allow_host_network() {
   local scenario_dir="$TEST_ROOT/invalid_allow_host_network"
   printf '==> invalid_allow_host_network\n'
@@ -539,9 +592,6 @@ run_wizzard_create_manifest() {
   if ! grep -qx "packages_extra=" "$scenario_dir/.sloptrap"; then
     record_failure "wizzard_create_manifest: packages_extra mismatch"
   fi
-  if ! grep -qx "codex_args=--sandbox danger-full-access --ask-for-approval never" "$scenario_dir/.sloptrap"; then
-    record_failure "wizzard_create_manifest: codex_args mismatch"
-  fi
   if ! grep -qx "allow_host_network=false" "$scenario_dir/.sloptrap"; then
     record_failure "wizzard_create_manifest: allow_host_network mismatch"
   fi
@@ -565,9 +615,6 @@ run_wizzard_existing_defaults() {
   if ! grep -qx "packages_extra=make git" "$scenario_dir/.sloptrap"; then
     record_failure "wizzard_existing_defaults: packages_extra not preserved"
   fi
-  if ! grep -qx "codex_args=--sandbox workspace-write --ask-for-approval on-request" "$scenario_dir/.sloptrap"; then
-    record_failure "wizzard_existing_defaults: codex_args not preserved"
-  fi
   if ! grep -qx "allow_host_network=true" "$scenario_dir/.sloptrap"; then
     record_failure "wizzard_existing_defaults: allow_host_network not preserved"
   fi
@@ -597,6 +644,56 @@ run_wizzard_build_trigger() {
   teardown_stub_env
 }
 
+run_capability_trust_required() {
+  local scenario_dir="$TEST_ROOT/capability_repo"
+  printf '==> capability_trust_required\n'
+  setup_stub_env
+  if PATH="$STUB_BIN:$PATH" HOME="$STUB_HOME" FAKE_PODMAN_LOG="$STUB_LOG" FAKE_PODMAN_INSPECT_FAIL=1 \
+    "$SLOPTRAP_BIN" --enable-capability apt-install "$scenario_dir" </dev/null >/dev/null 2>&1; then
+    record_failure "capability_trust_required: expected failure without trusted capabilities"
+  fi
+  teardown_stub_env
+}
+
+run_capability_profiles() {
+  local scenario_dir="$TEST_ROOT/capability_repo"
+  printf '==> capability_profiles\n'
+  setup_stub_env
+  if ! PATH="$STUB_BIN:$PATH" HOME="$STUB_HOME" FAKE_PODMAN_LOG="$STUB_LOG" FAKE_PODMAN_INSPECT_FAIL=1 \
+    "$SLOPTRAP_BIN" --trust-capabilities --enable-capability apt-install \
+    --enable-capability packet-capture --enable-capability nested-podman \
+    "$scenario_dir" </dev/null >/dev/null 2>&1; then
+    record_failure "capability_profiles: sloptrap exited non-zero"
+    teardown_stub_env
+    return
+  fi
+  if ! grep -q -- "CAPABILITY_PACKAGES=tcpdump podman fuse-overlayfs slirp4netns" "$STUB_LOG"; then
+    record_failure "capability_profiles: build arg for capability packages missing"
+  fi
+  if ! grep -q -- "--cap-add NET_RAW" "$STUB_LOG"; then
+    record_failure "capability_profiles: NET_RAW capability missing"
+  fi
+  if ! grep -q -- "--cap-add NET_ADMIN" "$STUB_LOG"; then
+    record_failure "capability_profiles: NET_ADMIN capability missing"
+  fi
+  if ! grep -q -- "--device /dev/fuse" "$STUB_LOG"; then
+    record_failure "capability_profiles: /dev/fuse device missing"
+  fi
+  if grep -q -- "--read-only" "$STUB_LOG"; then
+    record_failure "capability_profiles: apt profile should disable read-only rootfs"
+  fi
+  if grep -q -- "--user " "$STUB_LOG"; then
+    record_failure "capability_profiles: capability-enabled run should not force --user"
+  fi
+  if ! grep -q -- "SLOPTRAP_ACTIVE_CAPABILITIES=apt-install nested-podman packet-capture" "$STUB_LOG"; then
+    record_failure "capability_profiles: active capability environment missing"
+  fi
+  if ! grep -q -- "SLOPTRAP_INNER_PODMAN_HOST_NETWORK=1" "$STUB_LOG"; then
+    record_failure "capability_profiles: inner podman host-network mirror flag missing"
+  fi
+  teardown_stub_env
+}
+
 run_shellcheck
 run_mount_injection
 run_root_target
@@ -605,6 +702,8 @@ run_manifest_injection
 run_helper_symlink
 run_secret_mask
 run_resume_target
+run_runtime_context_prompt
+run_resume_omits_runtime_context
 run_auth_file_mount
 run_project_state_isolation
 run_auto_login_empty_auth
@@ -617,10 +716,13 @@ run_dotdot_ignore
 run_invalid_manifest_name
 run_invalid_manifest_sandbox
 run_invalid_manifest_packages
+run_invalid_manifest_capabilities
 run_invalid_allow_host_network
 run_wizzard_create_manifest
 run_wizzard_existing_defaults
 run_wizzard_build_trigger
+run_capability_trust_required
+run_capability_profiles
 
 if [[ ${#failures[@]} -gt 0 ]]; then
   printf '\nTest failures:\n'

tests/wizzard_build/.sloptrap

@@ -1,4 +1,3 @@
 name=wizzard_build
 packages_extra=
-codex_args=--sandbox danger-full-access --ask-for-approval never
 allow_host_network=false

tests/wizzard_empty/.sloptrap

@@ -1,4 +1,3 @@
 name=wizzard_empty
 packages_extra=
-codex_args=--sandbox danger-full-access --ask-for-approval never
 allow_host_network=false

tests/wizzard_existing/.sloptrap

@@ -1,4 +1,3 @@
 name=custom-wizzard
 packages_extra=make git
-codex_args=--sandbox workspace-write --ask-for-approval on-request
 allow_host_network=true