Cleanup capabilities

.sloptrap

@@ -1,4 +1,4 @@
 name=skz-sloptrap
-packages_extra=bash make shellcheck jq podman
+packages_extra=bash make shellcheck jq podman iproute2 strace
-capabilities=apt-install nested-podman packet-capture
+capabilities=
 allow_host_network=false

AGENTS.md

@@ -0,0 +1,22 @@
+# skz-sloptrap
+
+This workspace is the source code of `sloptrap`, eg. your own runtime.
+Your author, 'sk4nz', has ran the command `sloptrap path/to/skz-sloptrap` and you are living in your own reflection.
+
+# Keep Memory
+
+Future sloptrap instances should add short, useful, durable notes they learn during their session to this file.
+
+Only add high-signal information that is likely to help later runs.
+Keep additions brief.
+Do not remove existing instructions unless they are outdated or wrong.
+
+---
+# Session Memory
+
+- When runtime changes need a fresh sloptrap session to validate, ask sk4nz to restart you and give an exact prompt to continue from the current checkpoint.
+- Useful checks in the skz-sloptrap repo:
+  `shellcheck sloptrap`
+  `bash tests/run_tests.sh` (you can also run them separately)
+- When running tests from inside sloptrap, inherited `CODEX_HOME=/codex` plus `SLOPTRAP_PREFER_CODEX_HOME=1` can leak into host-style child launches; ignore that preference when `HOME` has been redirected elsewhere and the runtime hints still point into the inherited `/codex` tree.
+- Capability-enabled runs are Podman-only. `packet-capture` uses a dedicated helper container/pod, and host-network capture must prompt for an explicit acknowledgement on every runtime launch.

README.md

@@ -62,13 +62,13 @@ Supported keys when the manifest is present:
 | --- | --- | --- |
 | `name` | project directory name | Must match `^[A-Za-z0-9_.-]+$`. Used for image/container naming. |
 | `packages_extra` | *empty* | Additional Debian packages installed during `docker/podman build`. Tokens must be alphanumeric plus `+.-`. |
-| `capabilities` | *empty* | Optional privileged features. Supported values are `apt-install`, `packet-capture`, and `nested-podman`. |
+| `capabilities` | *empty* | Optional privileged features. Supported values are `apt-install` and `packet-capture`. Capability-enabled runs require Podman. When `packet-capture` is combined with `allow_host_network=true`, sloptrap shows a runtime warning with concrete consequences and requires an interactive acknowledgement on every run. |
 | `allow_host_network` | `false` | `true` opts into `--network host`; keep `false` unless the project absolutely requires direct access to host-local services. |
 
 Values containing `$`, `` ` ``, or newlines are rejected to prevent command injection. Setting illegal keys or malformed values aborts the run before containers start.
 sloptrap always runs Codex with `--sandbox danger-full-access --ask-for-approval never`. `codex_args` is deprecated and rejected if present.
 
-Capability trust is local state, not part of the repository. Builds for manifests that request capabilities require either an interactive trust confirmation or `--trust-capabilities`. Trusted capabilities can then be activated per run with `--enable-capability <name>`.
+Capability trust is local state, not part of the repository. Builds for manifests that request capabilities require either an interactive trust confirmation or `--trust-capabilities`. Once the current manifest is trusted, its requested capabilities are enabled automatically for that project configuration. The `allow_host_network=true` plus `packet-capture` combination still requires a separate interactive acknowledgement each time a runtime container is launched.
 
 ### `.sloptrapignore`
 
@@ -80,7 +80,7 @@ Capability trust is local state, not part of the repository. Builds for manifest
 ## CLI Reference
 
 ```
-./sloptrap [--dry-run] [--print-config] [--trust-capabilities] [--enable-capability <name> ...] <code-directory> [target ...]
+./sloptrap [--dry-run] [--print-config] [--trust-capabilities] <code-directory> [target ...]
 ```
 
 Options:
@@ -88,7 +88,6 @@ Options:
 - `--dry-run` &mdash; print the container/engine commands that would run without executing them.
 - `--print-config` &mdash; output the resolved manifest values, defaults, and ignore list.
 - `--trust-capabilities` &mdash; trust the manifest's requested capabilities for the current build flow.
-- `--enable-capability <name>` &mdash; enable a trusted runtime capability for this invocation. Repeat for multiple capabilities.
 - `-h, --help` &mdash; display usage.
 - `--` &mdash; stop option parsing; remaining arguments are treated as targets.
 
@@ -128,28 +127,27 @@ The launcher executes targets sequentially, so `./sloptrap repo build run` perfo
 
 ### Capability Helpers
 
-When a trusted capability is enabled for a run, the container includes helper commands:
+When the current manifest's capabilities are trusted and enabled, the container includes helper commands:
 
 - `slop-apt install <package...>` for session-scoped package installation.
-- `slopcap capture --interface <iface> [--filter <expr>] [--output <path>] [--stdout]` for packet capture.
+- `slopcap capture --interface <iface> [--filter <expr>] [--output <path>] [--stdout]` for non-promiscuous packet capture through a dedicated helper container. Host-network captures require an explicit acknowledgement each run.
-- `sloppodman <pull|build|tag|run|ps|logs|stop|rm|inspect> ...` for nested Podman workflows. `build` contexts and Dockerfiles must remain inside `/workspace`, and pushes are not supported.
 
 ## Execution Environment
 
-- Container engine: Podman or Docker with identical command lines. Podman uses `--userns=keep-id`; Docker receives the equivalent `--user UID:GID` for standard runs.
+- Container engine: Podman or Docker for standard runs. Capability-enabled runs require Podman. Podman uses `--userns=keep-id`; Docker receives the equivalent `--user UID:GID` for standard runs.
 - Filesystem view: the project directory mounts at `/workspace`; `${HOME}/.codex/sloptrap/state/<project-hash>` mounts at `/codex`; `${HOME}/.codex/auth.json` mounts at `/codex/auth.json`.
 - Ignore filter: `.sloptrapignore` entries are overlaid with tmpfs directories or empty bind mounts so data remains unavailable to Codex.
-- Network: isolated networking is used by default; `allow_host_network=true` opts into `--network host`.
+- Network: isolated networking is used by default; `allow_host_network=true` opts into `--network host`. When `packet-capture` is enabled, sloptrap starts a separate capture helper container in the same Podman pod so the main Codex container does not receive `NET_RAW`.
 - Process context: standard runs drop capabilities, set `no-new-privileges`, use a read-only root filesystem, and keep scratch paths (`/tmp`, `/run`, `/run/lock`) on tmpfs. Capability-enabled runs may selectively add the runtime options required for the requested capability.
-- Codex configuration: runtime flags are fixed to `--sandbox danger-full-access --ask-for-approval never`. Persistent Codex state is project-scoped under `${HOME}/.codex/sloptrap/state/`, while credentials are shared via `${HOME}/.codex/auth.json`.
+- Codex configuration: runtime flags are fixed to `--sandbox danger-full-access --ask-for-approval never`. Persistent Codex state is project-scoped under `${HOME}/.codex/sloptrap/state/`, while credentials are shared via `${HOME}/.codex/auth.json` and mounted read-only except during the `login` target.
 
 ## Threat Model and Limits
 
 - **Outbound disclosure**: prompts and referenced data travel from the container to the configured LLM endpoint. Any file content within `/workspace` or environment data exposed to the process can appear in that traffic.
 - **Shared storage**: `/workspace`, project-scoped `/codex`, and `/codex/auth.json` are host mounts. Files written to these locations become visible on the host and to the LLM provider through prompts.
 - **Environment surface**: the container receives a minimal fixed environment (HOME/XDG paths, `CODEX_HOME`). The manifest no longer allows injecting additional environment variables.
-- **Process isolation**: standard runs keep a read-only root filesystem and no extra Linux capabilities. Capability-enabled runs deliberately relax specific runtime controls for the enabled feature, so they should be treated as a stronger trust decision than a default session.
+- **Process isolation**: standard runs keep a read-only root filesystem and no extra Linux capabilities. Capability-enabled runs deliberately relax specific runtime controls for the enabled feature, so they should be treated as a stronger trust decision than a default session. `packet-capture` now runs in a dedicated helper container so the main Codex container does not hold raw-socket capability.
-- **Networking stance**: traffic is unrestricted once it leaves the container. sloptrap does not enforce an allowlist or DNS policy. Host networking is opt-in per manifest; if you require an offline or firewalled workflow, sloptrap is not an appropriate launcher.
+- **Networking stance**: traffic is unrestricted once it leaves the container. sloptrap does not enforce an allowlist or DNS policy. Host networking is opt-in per manifest; when it is combined with `packet-capture`, sloptrap warns and requires an explicit acknowledgement for each runtime launch because the capture helper will have raw packet access in the host namespace and may observe plaintext traffic or inject spoofed packets. If you require an offline or firewalled workflow, sloptrap is not an appropriate launcher.
 - **Persistence**: Codex history and logs accumulate per project under `${HOME}/.codex/sloptrap/state/`. Sensitive prompts recorded on disk remain on the host after the session. Because `.git/` is ignored inside the container, any historical secrets in Git objects stay outside the LLM context unless explicitly surfaced in the working tree.
 - **Codex cache hygiene**: per-project state mounts remain writable by the container and hold prompts/history/state, while `${HOME}/.codex/auth.json` holds shared credentials. Rotate credentials regularly and protect both locations.
 - **Secret scanning**: sloptrap does not perform secret discovery or redaction; any credentials present in the project remain available to Codex and the upstream provider.

tests/README.md

@@ -14,3 +14,4 @@ Current scenarios:
 - `auth_file_mount` — verifies `~/.codex/auth.json` is mounted directly into `/codex/auth.json`.
 - `project_state_isolation` — verifies different projects map `/codex` to different host state directories.
 - `auto_login_empty_auth` — verifies an empty `auth.json` still triggers automatic login before the main target.
+- `host_network_packet_capture/` — exercises the per-run acknowledgement path for host networking combined with `packet-capture`.

tests/capability_repo/.sloptrap

@@ -1,3 +1,3 @@
 name=capability-repo
-capabilities=apt-install packet-capture nested-podman
+capabilities=apt-install packet-capture
-allow_host_network=true
+allow_host_network=false

tests/host_network_packet_capture/.sloptrap

@@ -0,0 +1,3 @@
+name=host-network-packet-capture
+capabilities=packet-capture
+allow_host_network=true

tests/host_network_repo/.sloptrap

@@ -0,0 +1,3 @@
+name=host-network-repo
+capabilities=apt-install
+allow_host_network=true

tests/run_tests.sh

@@ -97,7 +97,52 @@ verify_secret_mounts() {
   return 0
 }
 
+maybe_create_helper_pidfile() {
+  local -a args=("$@")
+  local codex_source=""
+  local helper_dir=""
+  local idx=0
+  while (( idx < ${#args[@]} )); do
+    local arg=${args[$idx]}
+    case "$arg" in
+      -v)
+        idx=$((idx + 1))
+        if (( idx < ${#args[@]} )); then
+          local spec=${args[$idx]}
+          case "$spec" in
+            *:/codex|*:/codex:* )
+              codex_source=${spec%%:/codex*}
+              ;;
+          esac
+        fi
+        ;;
+      -e)
+        idx=$((idx + 1))
+        if (( idx < ${#args[@]} )); then
+          local envspec=${args[$idx]}
+          case "$envspec" in
+            SLOPTRAP_HELPER_DIR=*)
+              helper_dir=${envspec#SLOPTRAP_HELPER_DIR=}
+              ;;
+          esac
+        fi
+        ;;
+    esac
+    idx=$((idx + 1))
+  done
+  if [[ -z $codex_source || $helper_dir != /codex/* ]]; then
+    return 0
+  fi
+  local helper_host=${codex_source}/${helper_dir#/codex/}
+  mkdir -p "$helper_host"
+  printf '12345\n' >"$helper_host/helperd.pid"
+}
+
 if [[ ${1-} == "image" && ${2-} == "inspect" && ${FAKE_PODMAN_INSPECT_FAIL:-0} == 1 ]]; then
+  if [[ " $* " == *" --format "* ]]; then
+    printf 'fake-image-id\n'
+    exit 0
+  fi
   echo "FAKE PODMAN (fail): $*" >>"$FAKE_PODMAN_LOG"
   exit 1
 fi
@@ -109,10 +154,16 @@ if [[ ${SECRET_MASK_VERIFY:-0} == 1 && ${1-} == "run" ]]; then
   fi
 fi
 
+if [[ ${1-} == "run" ]]; then
+  maybe_create_helper_pidfile "$@"
+fi
+
 echo "FAKE PODMAN: $*" >>"$FAKE_PODMAN_LOG"
 exit 0
 EOF
   chmod +x "$STUB_BIN/podman"
+  cp "$STUB_BIN/podman" "$STUB_BIN/docker"
+  chmod +x "$STUB_BIN/docker"
   cat >"$STUB_BIN/curl" <<'EOF'
 #!/usr/bin/env bash
 set -euo pipefail
@@ -211,6 +262,33 @@ teardown_stub_env() {
   rm -f "${STUB_LOG:-}"
 }
 
+extract_embedded_helper() {
+  local helper=$1
+  local output=$2
+  if ! awk -v helper="$helper" '
+    $0 ~ "^[[:space:]]*" helper "\\)$" { state=1; next }
+    state == 1 && /cat <<'\''EOF'\''$/ { state=2; next }
+    state == 2 && /^EOF$/ { exit }
+    state == 2 { print }
+  ' "$SLOPTRAP_BIN" >"$output"; then
+    return 1
+  fi
+  chmod +x "$output"
+}
+
+wait_for_path() {
+  local path=$1
+  local attempts=${2:-100}
+  while (( attempts > 0 )); do
+    if [[ -e $path ]]; then
+      return 0
+    fi
+    sleep 0.1
+    ((attempts-=1))
+  done
+  return 1
+}
+
 record_failure() {
   failures+=("$1")
 }
@@ -302,6 +380,22 @@ run_secret_mask() {
   teardown_stub_env
 }
 
+run_git_ignore_mask() {
+  local scenario_dir="$ROOT_DIR"
+  printf '==> git_ignore_mask\n'
+  setup_stub_env
+  if ! PATH="$STUB_BIN:$PATH" HOME="$STUB_HOME" FAKE_PODMAN_LOG="$STUB_LOG" FAKE_PODMAN_INSPECT_FAIL=1 \
+    "$SLOPTRAP_BIN" --trust-capabilities "$scenario_dir" </dev/null >/dev/null 2>&1; then
+    record_failure "git_ignore_mask: sloptrap exited non-zero"
+    teardown_stub_env
+    return
+  fi
+  if ! grep -q -- "--mount type=tmpfs,target=/workspace/.git" "$STUB_LOG"; then
+    record_failure "git_ignore_mask: .git was not masked with tmpfs"
+  fi
+  teardown_stub_env
+}
+
 run_resume_target() {
   local scenario_dir="$TEST_ROOT/resume_target"
   printf '==> resume_target\n'
@@ -320,7 +414,7 @@ run_resume_target() {
 }
 
 run_runtime_context_prompt() {
-  local scenario_dir="$TEST_ROOT/capability_repo"
+  local scenario_dir="$TEST_ROOT/host_network_repo"
   printf '==> runtime_context_prompt\n'
   setup_stub_env
   if ! PATH="$STUB_BIN:$PATH" HOME="$STUB_HOME" FAKE_PODMAN_LOG="$STUB_LOG" FAKE_PODMAN_INSPECT_FAIL=1 \
@@ -335,10 +429,9 @@ run_runtime_context_prompt() {
   if [[ -z $run_line || $run_line != *"You are running inside sloptrap"* ]]; then
     record_failure "runtime_context_prompt: startup prompt missing from fresh run"
   fi
-  if ! grep -q -- "manifest_present=true" "$STUB_LOG" \
+  if ! grep -q -- "name=host-network-repo" "$STUB_LOG" \
-    || ! grep -q -- "manifest_capabilities=apt-install nested-podman packet-capture" "$STUB_LOG" \
+    || ! grep -q -- "enabled_capabilities=apt-install" "$STUB_LOG" \
-    || ! grep -q -- "trusted_capabilities=apt-install nested-podman packet-capture" "$STUB_LOG" \
+    || ! grep -q -- "network_mode=host" "$STUB_LOG"; then
-    || ! grep -q -- "enabled_capabilities=apt-install nested-podman packet-capture" "$STUB_LOG"; then
     record_failure "runtime_context_prompt: runtime summary missing manifest or capability state"
   fi
   if [[ -n $login_line && $login_line == *"You are running inside sloptrap"* ]]; then
@@ -348,7 +441,7 @@ run_runtime_context_prompt() {
 }
 
 run_sh_reexec() {
-  local scenario_dir="$TEST_ROOT/capability_repo"
+  local scenario_dir="$TEST_ROOT/host_network_repo"
   printf '==> sh_reexec\n'
   setup_stub_env
   if ! PATH="$STUB_BIN:$PATH" HOME="$STUB_HOME" FAKE_PODMAN_LOG="$STUB_LOG" FAKE_PODMAN_INSPECT_FAIL=1 \
@@ -364,7 +457,7 @@ run_sh_reexec() {
 }
 
 run_resume_omits_runtime_context() {
-  local scenario_dir="$TEST_ROOT/capability_repo"
+  local scenario_dir="$TEST_ROOT/host_network_repo"
   local session_id="019a81b7-32d2-7622-8639-6698c6579625"
   printf '==> resume_omits_runtime_context\n'
   setup_stub_env
@@ -396,8 +489,8 @@ run_auth_file_mount() {
     teardown_stub_env
     return
   fi
-  if ! grep -q -- "-v ${STUB_HOME}/.codex/auth.json:/codex/auth.json:Z" "$STUB_LOG"; then
+  if ! grep -q -- "-v ${STUB_HOME}/.codex/auth.json:/codex/auth.json:Z,ro" "$STUB_LOG"; then
-    record_failure "auth_file_mount: missing auth file bind mount"
+    record_failure "auth_file_mount: auth file should be mounted read-only for normal runs"
   fi
   if ! grep -q -- "-v ${STUB_HOME}/.codex/sloptrap/state/" "$STUB_LOG"; then
     record_failure "auth_file_mount: missing project state bind mount"
@@ -405,6 +498,59 @@ run_auth_file_mount() {
   teardown_stub_env
 }
 
+run_codex_home_override() {
+  local scenario_dir codex_root
+  scenario_dir=$(cd "$TEST_ROOT/resume_target" && pwd -P)
+  printf '==> codex_home_override\n'
+  setup_stub_env
+  codex_root="$STUB_HOME/codex-root"
+  mkdir -p "$codex_root"
+  printf '{"access_token":"test"}\n' >"$codex_root/auth.json"
+  if ! PATH="$STUB_BIN:$PATH" HOME="$STUB_HOME" CODEX_HOME="$codex_root" SLOPTRAP_PREFER_CODEX_HOME=1 \
+    FAKE_PODMAN_LOG="$STUB_LOG" FAKE_PODMAN_INSPECT_FAIL=1 \
+    "$SLOPTRAP_BIN" "$scenario_dir" </dev/null >/dev/null 2>&1; then
+    record_failure "codex_home_override: sloptrap exited non-zero"
+    teardown_stub_env
+    return
+  fi
+  if ! grep -q -- "-v ${codex_root}/auth.json:/codex/auth.json:Z,ro" "$STUB_LOG"; then
+    record_failure "codex_home_override: CODEX_HOME auth file should be mounted read-only for normal runs"
+  fi
+  if ! grep -q -- "-v ${codex_root}/sloptrap/state/" "$STUB_LOG"; then
+    record_failure "codex_home_override: missing CODEX_HOME project state bind mount"
+  fi
+  if grep -q -- "-v ${STUB_HOME}/.codex/auth.json:/codex/auth.json:Z" "$STUB_LOG"; then
+    record_failure "codex_home_override: should not fall back to HOME/.codex when CODEX_HOME is set"
+  fi
+  local first_run
+  first_run=$(grep "FAKE PODMAN: run " "$STUB_LOG" | head -n 1 || true)
+  if [[ -z $first_run || $first_run == *" login" ]]; then
+    record_failure "codex_home_override: existing CODEX_HOME auth should avoid login target"
+  fi
+  teardown_stub_env
+}
+
+run_removed_nested_podman_manifest() {
+  local scenario_dir output_log
+  scenario_dir=$(mktemp -d)
+  output_log=$(mktemp)
+  printf '==> removed_nested_podman_manifest\n'
+  cat >"$scenario_dir/.sloptrap" <<'EOF'
+name=removed-nested-podman
+capabilities=nested-podman
+EOF
+  if "$SLOPTRAP_BIN" --dry-run "$scenario_dir" >/dev/null 2>&1; then
+    record_failure "removed_nested_podman_manifest: expected nested-podman manifest rejection"
+  fi
+  if ! "$SLOPTRAP_BIN" --dry-run "$scenario_dir" >"$output_log" 2>&1; then
+    if ! grep -q -- "capability 'nested-podman' was removed" "$output_log"; then
+      record_failure "removed_nested_podman_manifest: missing explicit removal error"
+    fi
+  fi
+  rm -f "$output_log"
+  rm -rf "$scenario_dir"
+}
+
 run_project_state_isolation() {
   local scenario_a scenario_b
   scenario_a=$(cd "$TEST_ROOT/resume_target" && pwd -P)
@@ -465,8 +611,11 @@ run_auto_login_empty_auth() {
   if [[ -z $first_run || $first_run != *" login" ]]; then
     record_failure "auto_login_empty_auth: expected login before primary run"
   fi
-  if ! grep -q -- "-v ${STUB_HOME}/.codex/auth.json:/codex/auth.json:Z" "$STUB_LOG"; then
+  if [[ -z $first_run || $first_run != *"-v ${STUB_HOME}/.codex/auth.json:/codex/auth.json:Z "* ]]; then
-    record_failure "auto_login_empty_auth: missing auth file bind mount"
+    record_failure "auto_login_empty_auth: login target should keep auth file writable"
+  fi
+  if ! grep -q -- "-v ${STUB_HOME}/.codex/auth.json:/codex/auth.json:Z,ro" "$STUB_LOG"; then
+    record_failure "auto_login_empty_auth: post-login runtime should remount auth file read-only"
   fi
   teardown_stub_env
 }
@@ -588,6 +737,53 @@ run_invalid_allow_host_network() {
   fi
 }
 
+run_host_network_packet_capture_ack_required() {
+  local scenario_dir="$TEST_ROOT/host_network_packet_capture"
+  printf '==> host_network_packet_capture_ack_required\n'
+  local output_log
+  output_log=$(mktemp)
+  setup_stub_env
+  if PATH="$STUB_BIN:$PATH" HOME="$STUB_HOME" FAKE_PODMAN_LOG="$STUB_LOG" FAKE_PODMAN_INSPECT_FAIL=1 \
+    "$SLOPTRAP_BIN" --trust-capabilities "$scenario_dir" </dev/null >"$output_log" 2>&1; then
+    record_failure "host_network_packet_capture_ack_required: expected failure without interactive acknowledgement"
+  fi
+  if grep -q -- "FAKE PODMAN: run " "$STUB_LOG"; then
+    record_failure "host_network_packet_capture_ack_required: runtime container should not start without acknowledgement"
+  fi
+  teardown_stub_env
+  rm -f "$output_log"
+}
+
+run_host_network_packet_capture_ack_prompt() {
+  local scenario_dir="$TEST_ROOT/host_network_packet_capture"
+  printf '==> host_network_packet_capture_ack_prompt\n'
+  if ! can_run_script_pty; then
+    printf 'skipping host_network_packet_capture_ack_prompt: script PTY support not available\n'
+    return
+  fi
+  local output_log
+  output_log=$(mktemp)
+  setup_stub_env
+  if ! printf 'y\n' | script -q -c "env PATH=\"$STUB_BIN:$PATH\" HOME=\"$STUB_HOME\" FAKE_PODMAN_LOG=\"$STUB_LOG\" FAKE_PODMAN_INSPECT_FAIL=1 \"$SLOPTRAP_BIN\" --trust-capabilities \"$scenario_dir\"" "$output_log" >/dev/null 2>&1; then
+    record_failure "host_network_packet_capture_ack_prompt: interactive acknowledgement should allow the run"
+    teardown_stub_env
+    rm -f "$output_log"
+    return
+  fi
+  if [[ $(grep -c -- 'Continue with host-network packet capture for this run' "$output_log" || true) -ne 1 ]]; then
+    record_failure "host_network_packet_capture_ack_prompt: expected a single runtime acknowledgement prompt"
+  fi
+  if ! grep -q -- 'capture host-network traffic' "$output_log" \
+    || ! grep -q -- 'transmit spoofed packets' "$output_log"; then
+    record_failure "host_network_packet_capture_ack_prompt: warning should describe concrete consequences"
+  fi
+  if ! grep -q -- "--network host" "$STUB_LOG"; then
+    record_failure "host_network_packet_capture_ack_prompt: host networking run did not reach the container engine"
+  fi
+  teardown_stub_env
+  rm -f "$output_log"
+}
+
 run_wizard_create_manifest() {
   local scenario_dir="$TEST_ROOT/wizard_empty"
   printf '==> wizard_create_manifest\n'
@@ -637,7 +833,7 @@ run_wizard_existing_defaults() {
   if ! grep -qx "packages_extra=make git" "$scenario_dir/.sloptrap"; then
     record_failure "wizard_existing_defaults: packages_extra not preserved"
   fi
-  if ! grep -qx "capabilities=apt-install packet-capture" "$scenario_dir/.sloptrap"; then
+  if ! grep -qx "capabilities=apt-install" "$scenario_dir/.sloptrap"; then
     record_failure "wizard_existing_defaults: capabilities not preserved"
   fi
   if ! grep -qx "allow_host_network=true" "$scenario_dir/.sloptrap"; then
@@ -680,43 +876,281 @@ run_capability_trust_required() {
   teardown_stub_env
 }
 
+run_capabilities_require_podman() {
+  local scenario_dir="$TEST_ROOT/capability_repo"
+  printf '==> capabilities_require_podman\n'
+  local output_log
+  output_log=$(mktemp)
+  setup_stub_env
+  if PATH="$STUB_BIN:$PATH" HOME="$STUB_HOME" SLOPTRAP_CONTAINER_ENGINE=docker \
+    "$SLOPTRAP_BIN" --dry-run "$scenario_dir" >"$output_log" 2>&1; then
+    record_failure "capabilities_require_podman: expected docker capability run to be rejected"
+  elif ! grep -q -- 'capability-enabled runs require podman' "$output_log"; then
+    record_failure "capabilities_require_podman: missing explicit podman requirement"
+  fi
+  teardown_stub_env
+  rm -f "$output_log"
+}
+
 run_capability_profiles() {
   local scenario_dir="$TEST_ROOT/capability_repo"
   printf '==> capability_profiles\n'
   setup_stub_env
+  local main_lines capture_lines pod_lines
+  local expected_build_network="bridge"
+  if command -v slirp4netns >/dev/null 2>&1; then
+    expected_build_network="slirp4netns"
+  fi
   if ! PATH="$STUB_BIN:$PATH" HOME="$STUB_HOME" FAKE_PODMAN_LOG="$STUB_LOG" FAKE_PODMAN_INSPECT_FAIL=1 \
     "$SLOPTRAP_BIN" --trust-capabilities "$scenario_dir" </dev/null >/dev/null 2>&1; then
     record_failure "capability_profiles: sloptrap exited non-zero"
     teardown_stub_env
     return
   fi
-  if ! grep -q -- "CAPABILITY_PACKAGES=tcpdump podman fuse-overlayfs slirp4netns" "$STUB_LOG"; then
+  if ! grep -q -- "CAPABILITY_PACKAGES=tcpdump" "$STUB_LOG"; then
     record_failure "capability_profiles: build arg for capability packages missing"
   fi
-  if ! grep -q -- "--cap-add NET_RAW" "$STUB_LOG"; then
+  if ! grep -q -- "FAKE PODMAN: build --quiet -t capability-repo-sloptrap-image -f .* --network $expected_build_network " "$STUB_LOG"; then
-    record_failure "capability_profiles: NET_RAW capability missing"
+    record_failure "capability_profiles: build should stay on isolated networking"
   fi
-  if ! grep -q -- "--cap-add NET_ADMIN" "$STUB_LOG"; then
+  main_lines=$(grep "FAKE PODMAN: run " "$STUB_LOG" | grep -- "--name capability-repo-sloptrap-container" || true)
-    record_failure "capability_profiles: NET_ADMIN capability missing"
+  capture_lines=$(grep "FAKE PODMAN: run " "$STUB_LOG" | grep -- "--name capability-repo-sloptrap-capture" || true)
+  pod_lines=$(grep "FAKE PODMAN: pod create " "$STUB_LOG" | grep -- "--name capability-repo-sloptrap-pod" || true)
+  if [[ -z $main_lines ]]; then
+    record_failure "capability_profiles: main runtime container did not reach the container engine"
   fi
-  if ! grep -q -- "--device /dev/fuse" "$STUB_LOG"; then
+  if [[ -z $pod_lines ]]; then
-    record_failure "capability_profiles: /dev/fuse device missing"
+    record_failure "capability_profiles: packet capture should create a dedicated pod"
   fi
-  if grep -q -- "--read-only" "$STUB_LOG"; then
+  if [[ -z $capture_lines || $capture_lines != *"--cap-add NET_RAW"* ]]; then
+    record_failure "capability_profiles: capture sidecar should receive NET_RAW"
+  fi
+  if [[ -n $main_lines && $main_lines == *"--cap-add NET_RAW"* ]]; then
+    record_failure "capability_profiles: main container should not receive NET_RAW"
+  fi
+  if grep -q -- "--cap-add NET_ADMIN" <<<"$capture_lines"; then
+    record_failure "capability_profiles: NET_ADMIN should not be granted"
+  fi
+  if [[ -z $capture_lines || $capture_lines != *"--cap-add SETUID"* ]]; then
+    record_failure "capability_profiles: SETUID capability missing"
+  fi
+  if [[ -z $capture_lines || $capture_lines != *"--cap-add SETGID"* ]]; then
+    record_failure "capability_profiles: SETGID capability missing"
+  fi
+  if [[ -z $capture_lines || $capture_lines != *"--cap-add CHOWN"* ]]; then
+    record_failure "capability_profiles: CHOWN capability missing"
+  fi
+  if grep -q -- "--cap-add DAC_OVERRIDE" <<<"$capture_lines$main_lines"; then
+    record_failure "capability_profiles: DAC_OVERRIDE should not be granted"
+  fi
+  if grep -q -- "--cap-add FOWNER" <<<"$capture_lines$main_lines"; then
+    record_failure "capability_profiles: FOWNER should not be granted"
+  fi
+  if ! grep -q -- "--security-opt no-new-privileges" <<<"$capture_lines$main_lines"; then
+    record_failure "capability_profiles: no-new-privileges missing"
+  fi
+  if grep -q -- "--read-only" <<<"$main_lines"; then
     record_failure "capability_profiles: apt profile should disable read-only rootfs"
   fi
-  if grep -q -- "--user " "$STUB_LOG"; then
+  if grep -q -- "--user " <<<"$main_lines"; then
     record_failure "capability_profiles: capability-enabled run should not force --user"
   fi
-  if ! grep -q -- "SLOPTRAP_ACTIVE_CAPABILITIES=apt-install nested-podman packet-capture" "$STUB_LOG"; then
+  if ! grep -q -- "--userns=keep-id:uid=$(id -u),gid=$(id -g)" <<<"$capture_lines$main_lines"; then
-    record_failure "capability_profiles: active capability environment missing"
+    record_failure "capability_profiles: podman keep-id user namespace missing"
   fi
-  if ! grep -q -- "SLOPTRAP_INNER_PODMAN_HOST_NETWORK=1" "$STUB_LOG"; then
+  if ! grep -q -- "SLOPTRAP_ACTIVE_CAPABILITIES=apt-install" <<<"$main_lines"; then
-    record_failure "capability_profiles: inner podman host-network mirror flag missing"
+    record_failure "capability_profiles: main helper capability environment missing"
+  fi
+  if ! grep -q -- "SLOPTRAP_PACKET_CAPTURE_ENABLED=1" <<<"$main_lines"; then
+    record_failure "capability_profiles: main container should advertise packet capture availability"
+  fi
+  if ! grep -q -- "SLOPTRAP_HELPER_DIR=/codex/state/capture-helper" <<<"$capture_lines"; then
+    record_failure "capability_profiles: capture sidecar helper dir missing"
+  fi
+  if ! grep -q -- "SLOPTRAP_ACTIVE_CAPABILITIES=packet-capture" <<<"$capture_lines"; then
+    record_failure "capability_profiles: capture sidecar capability environment missing"
+  fi
+  if ! grep -q -- "SLOPTRAP_HOST_UID=$(id -u)" "$STUB_LOG"; then
+    record_failure "capability_profiles: host uid environment missing"
+  fi
+  if ! grep -q -- "SLOPTRAP_HOST_GID=$(id -g)" "$STUB_LOG"; then
+    record_failure "capability_profiles: host gid environment missing"
+  fi
+  if ! grep -q -- "SLOPTRAP_HOST_USER=$(id -un)" "$STUB_LOG"; then
+    record_failure "capability_profiles: host user environment missing"
+  fi
+  local state_root capability_dir
+  state_root="$STUB_HOME/.codex/sloptrap/state"
+  capability_dir=$(find "$state_root" -mindepth 2 -maxdepth 2 -type d -name capabilities | head -n 1 || true)
+  if [[ -z $capability_dir ]]; then
+    record_failure "capability_profiles: project capability state directory missing"
   fi
   teardown_stub_env
 }
 
+run_embedded_capability_helpers() {
+  printf '==> embedded_capability_helpers\n'
+  local temp_root helper_bin helper_dir workspace_dir capture_dir tool_log helper_pid
+  temp_root=$(mktemp -d)
+  helper_bin="$temp_root/bin"
+  helper_dir="$temp_root/helper"
+  workspace_dir="$temp_root/workspace"
+  capture_dir="$temp_root/captures"
+  tool_log="$temp_root/tool.log"
+  helper_pid=""
+  mkdir -p "$helper_bin" "$helper_dir/queue" "$workspace_dir/data" "$capture_dir"
+  : >"$tool_log"
+
+  if ! extract_embedded_helper "sloptrap-entrypoint" "$helper_bin/sloptrap-entrypoint" \
+    || ! extract_embedded_helper "sloptrap-helperd" "$helper_bin/sloptrap-helperd" \
+    || ! extract_embedded_helper "slop-apt" "$helper_bin/slop-apt" \
+    || ! extract_embedded_helper "slopcap" "$helper_bin/slopcap"; then
+    record_failure "embedded_capability_helpers: failed to extract embedded helper scripts"
+    rm -rf "$temp_root"
+    return
+  fi
+
+  cat >"$helper_bin/apt-get" <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+printf 'apt-get %s\n' "$*" >>"$TEST_TOOL_LOG"
+exit 0
+EOF
+  cat >"$helper_bin/tcpdump" <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+printf 'tcpdump %s\n' "$*" >>"$TEST_TOOL_LOG"
+output=""
+prev=""
+for arg in "$@"; do
+  if [[ $prev == "-w" ]]; then
+    output=$arg
+    break
+  fi
+  prev=$arg
+done
+if [[ -n $output ]]; then
+  mkdir -p "$(dirname "$output")"
+  : >"$output"
+fi
+exit 0
+EOF
+  cat >"$helper_bin/setpriv" <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+printf 'setpriv %s\n' "$*" >>"$TEST_TOOL_LOG"
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --reuid|--regid)
+      shift 2
+      ;;
+    --clear-groups)
+      shift
+      ;;
+    --)
+      shift
+      break
+      ;;
+    *)
+      break
+      ;;
+  esac
+done
+exec "$@"
+EOF
+  chmod +x "$helper_bin/apt-get" "$helper_bin/tcpdump" "$helper_bin/setpriv"
+
+  if ! grep -q "chmod 711 \"\\\$helper_dir\"" "$helper_bin/sloptrap-entrypoint" \
+    || ! grep -q "chmod 1733 \"\\\$queue_dir\"" "$helper_bin/sloptrap-entrypoint"; then
+    record_failure "embedded_capability_helpers: entrypoint did not expose helper queue to the dropped user"
+  fi
+
+  if grep -q -- "setpriv --reuid 0 --regid 0" "$helper_bin/slop-apt" \
+    || grep -q -- "setpriv --reuid 0 --regid 0" "$helper_bin/slopcap"; then
+    record_failure "embedded_capability_helpers: helper clients should not attempt to regain root"
+  fi
+  if TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_HELPER_DIR="$temp_root/helper-missing" \
+    SLOPTRAP_ACTIVE_CAPABILITIES="apt-install packet-capture" \
+    SLOPTRAP_CAPTURE_DIR="$capture_dir" SLOPTRAP_WORKDIR="$workspace_dir" \
+    "$helper_bin/slop-apt" install jq >"$temp_root/missing-helper.out" 2>"$temp_root/missing-helper.err"; then
+    record_failure "embedded_capability_helpers: slop-apt should fail when the root helper is unavailable"
+  elif ! grep -q -- 'capability helper is unavailable' "$temp_root/missing-helper.err"; then
+    record_failure "embedded_capability_helpers: missing helper failure should explain the boundary"
+  fi
+
+  TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_HELPER_DIR="$helper_dir" \
+    SLOPTRAP_ACTIVE_CAPABILITIES="apt-install packet-capture" \
+    SLOPTRAP_APT_GET_BIN="$helper_bin/apt-get" \
+    SLOPTRAP_TCPDUMP_BIN="$helper_bin/tcpdump" \
+    SLOPTRAP_CAPTURE_DIR="$capture_dir" SLOPTRAP_WORKDIR="$workspace_dir" \
+    SLOPTRAP_AUDIT_LOG="$temp_root/audit.log" "$helper_bin/sloptrap-helperd" >/dev/null 2>&1 &
+  helper_pid=$!
+  if ! wait_for_path "$helper_dir/helperd.pid"; then
+    record_failure "embedded_capability_helpers: helper daemon did not publish its pid file"
+  fi
+
+  if ! TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_HELPER_DIR="$helper_dir" \
+    "$helper_bin/slop-apt" install jq >/dev/null 2>&1; then
+    record_failure "embedded_capability_helpers: slop-apt failed against the embedded helper daemon"
+  fi
+  if ! grep -q -- 'apt-get install -y --no-install-recommends jq' "$tool_log"; then
+    record_failure "embedded_capability_helpers: slop-apt did not reach apt-get install"
+  fi
+
+  local bad_apt_request
+  bad_apt_request=$(mktemp -d "$helper_dir/queue/request.XXXXXX.req")
+  printf 'apt-install\n' >"$bad_apt_request/op"
+  printf '%s\n' '--allow-unauthenticated' >"$bad_apt_request/packages"
+  if ! wait_for_path "$bad_apt_request/status"; then
+    record_failure "embedded_capability_helpers: helper daemon did not answer the invalid apt request"
+  elif [[ $(<"$bad_apt_request/status") != "2" ]]; then
+    record_failure "embedded_capability_helpers: invalid apt request returned the wrong status"
+  fi
+  if [[ -s "$bad_apt_request/stderr" ]] && ! grep -q -- 'invalid package name' "$bad_apt_request/stderr"; then
+    record_failure "embedded_capability_helpers: invalid apt request did not explain the rejection"
+  fi
+
+  if TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_HELPER_DIR="$helper_dir" \
+    SLOPTRAP_CAPTURE_DIR="$capture_dir" SLOPTRAP_WORKDIR="$workspace_dir" \
+    SLOPTRAP_CAPTURE_HELPER_DIR="$helper_dir" SLOPTRAP_PACKET_CAPTURE_ENABLED=1 \
+    "$helper_bin/slopcap" capture --interface eth0 --output /tmp/escape.pcap >/dev/null 2>&1; then
+    record_failure "embedded_capability_helpers: slopcap accepted an out-of-bounds output path"
+  fi
+
+  if ! TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_HELPER_DIR="$helper_dir" \
+    SLOPTRAP_CAPTURE_DIR="$capture_dir" SLOPTRAP_WORKDIR="$workspace_dir" \
+    SLOPTRAP_CAPTURE_HELPER_DIR="$helper_dir" SLOPTRAP_PACKET_CAPTURE_ENABLED=1 \
+    "$helper_bin/slopcap" capture --interface eth0 --filter 'tcp port 80' \
+    --output "$workspace_dir/capture.pcap" >/dev/null 2>&1; then
+    record_failure "embedded_capability_helpers: slopcap failed for a workspace-local capture file"
+  fi
+  if ! grep -q -- "tcpdump -p -i eth0 -w $workspace_dir/capture.pcap -- tcp port 80" "$tool_log"; then
+    record_failure "embedded_capability_helpers: slopcap did not invoke tcpdump with the expected guarded arguments"
+  fi
+
+  local bad_capture_request
+  bad_capture_request=$(mktemp -d "$helper_dir/queue/request.XXXXXX.req")
+  printf 'packet-capture\n' >"$bad_capture_request/op"
+  printf 'eth0\n' >"$bad_capture_request/interface"
+  printf '\n' >"$bad_capture_request/filter"
+  printf '/tmp/escape.pcap\n' >"$bad_capture_request/output"
+  printf '0\n' >"$bad_capture_request/stdout_mode"
+  if ! wait_for_path "$bad_capture_request/status"; then
+    record_failure "embedded_capability_helpers: helper daemon did not answer the invalid capture request"
+  elif [[ $(<"$bad_capture_request/status") != "2" ]]; then
+    record_failure "embedded_capability_helpers: invalid capture request returned the wrong status"
+  fi
+  if [[ -s "$bad_capture_request/stderr" ]] && ! grep -q -- 'output path must stay within' "$bad_capture_request/stderr"; then
+    record_failure "embedded_capability_helpers: invalid capture request did not explain the rejection"
+  fi
+
+  if [[ -n $helper_pid ]]; then
+    kill "$helper_pid" >/dev/null 2>&1 || true
+    wait "$helper_pid" >/dev/null 2>&1 || true
+  fi
+  rm -rf "$temp_root"
+}
+
 run_make_install_single_file() {
   local scenario_dir="$TEST_ROOT/resume_target"
   printf '==> make_install_single_file\n'
@@ -739,7 +1173,7 @@ run_make_install_single_file() {
     record_failure "make_install_single_file: installed launcher missing"
   fi
   local helper
-  for helper in sloptrap-entrypoint sloptrap-helperd slop-apt slopcap sloppodman; do
+  for helper in sloptrap-entrypoint sloptrap-helperd slop-apt slopcap; do
     if [[ -e $install_dir/$helper ]]; then
       record_failure "make_install_single_file: unexpected helper installed ($helper)"
     fi
@@ -768,11 +1202,13 @@ run_symlink_escape
 run_manifest_injection
 run_helper_symlink
 run_secret_mask
+run_git_ignore_mask
 run_resume_target
 run_runtime_context_prompt
 run_sh_reexec
 run_resume_omits_runtime_context
 run_auth_file_mount
+run_codex_home_override
 run_project_state_isolation
 run_auto_login_empty_auth
 run_codex_symlink_home
@@ -786,11 +1222,16 @@ run_invalid_manifest_sandbox
 run_invalid_manifest_packages
 run_invalid_manifest_capabilities
 run_invalid_allow_host_network
+run_host_network_packet_capture_ack_required
+run_host_network_packet_capture_ack_prompt
+run_removed_nested_podman_manifest
 run_wizard_create_manifest
 run_wizard_existing_defaults
 run_wizard_build_trigger
 run_capability_trust_required
+run_capabilities_require_podman
 run_capability_profiles
+run_embedded_capability_helpers
 run_make_install_single_file
 
 if [[ ${#failures[@]} -gt 0 ]]; then

tests/wizard_existing/.sloptrap

@@ -1,4 +1,4 @@
 name=custom-wizard
 packages_extra=make git
-capabilities=apt-install packet-capture
+capabilities=apt-install
 allow_host_network=true