Follow-up from #89 (Scoped credentials for outgoing HTTP).
Existing tests cover some leakage paths: `resolver_failure_surfaces_as_error` asserts the failure diagnostic does not leak, and `isolated_registries_across_sandboxes` proves cross-sandbox isolation.
However, there is no positive test that runs a guest with a known sentinel token value and scans `stdout` / `stderr` / every error payload to assert the sentinel string is absent from every guest-visible output. Add such a canary sweep test.
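One possible shape for the sweep helper such a test could call, as an added example that is not code from the project: `GuestOutput`, `sweep`, `needles` and `b64` are hypothetical names, and the guest run itself is assumed to have already been captured into the struct. It goes beyond the literal string scan requested above by also matching the sentinel in lowercase hex and in base64 at any byte alignment, so a token embedded in an encoded header or dump is still caught.

```rust
// Added illustration: GuestOutput, sweep and the helpers are hypothetical names, not the project's API.
pub struct GuestOutput {
    pub stdout: Vec<u8>,
    pub stderr: Vec<u8>,
    pub error_payloads: Vec<String>,
}

/// Unpadded standard-alphabet base64 (std only, so the example has no dependencies).
pub fn b64(data: &[u8]) -> String {
    const T: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let mut out = String::new();
    for c in data.chunks(3) {
        let (b1, b2) = (*c.get(1).unwrap_or(&0), *c.get(2).unwrap_or(&0));
        let n = (c[0] as u32) << 16 | (b1 as u32) << 8 | b2 as u32;
        for i in 0..=c.len() {
            out.push(T[(n >> (18 - 6 * i) & 63) as usize] as char);
        }
    }
    out
}

/// Raw token, lowercase hex, and base64 at each of the three byte alignments, trimmed
/// to the characters that depend only on the token's own bytes.
fn needles(secret: &[u8]) -> Vec<Vec<u8>> {
    let hex: String = secret.iter().map(|b| format!("{:02x}", b)).collect();
    let mut v = vec![secret.to_vec(), hex.into_bytes()];
    for k in 0..3usize {
        let mut shifted = vec![0u8; k];
        shifted.extend_from_slice(secret);
        let enc = b64(&shifted);
        let end = enc.len() - usize::from(shifted.len() % 3 != 0);
        v.push(enc.get([0, 2, 3][k]..end).unwrap_or("").as_bytes().to_vec());
    }
    v
}

/// Names of every guest-visible channel in which any form of the sentinel appears.
pub fn sweep(out: &GuestOutput, sentinel: &str) -> Vec<String> {
    let pats = needles(sentinel.as_bytes());
    let hit = |d: &[u8]| {
        pats.iter().any(|n| !n.is_empty() && d.windows(n.len()).any(|w| w == &n[..]))
    };
    let mut found = Vec::new();
    if hit(&out.stdout[..]) { found.push("stdout".to_string()); }
    if hit(&out.stderr[..]) { found.push("stderr".to_string()); }
    for (i, e) in out.error_payloads.iter().enumerate() {
        if hit(e.as_bytes()) { found.push(format!("error_payloads[{}]", i)); }
    }
    found
}
```

A canary test would assert that `sweep` returns an empty list for the captured run; use a long, high-entropy sentinel so that none of the encoded forms can match by accident.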