test(bug-detectors): cover code injection across Jest files

Run two fuzz files in one in-band Jest invocation and assert that both
report the same base canary name.

This proves the lazy vmContext install works across sequential files
without drifting to suffixed canaries.

Author: oetr

tests/bug-detectors/code-injection.test.js

@@ -15,6 +15,7 @@
  */
 
 const path = require("path");
+const { spawnSync } = require("child_process");
 
 const {
 	FuzzTestBuilder,
@@ -151,6 +152,36 @@ describe("CLI", () => {
 });
 
 describe("Jest", () => {
+	it("keeps the canary stable across sequential Jest files", () => {
+		const proc = spawnSync(
+			"npx",
+			[
+				"jest",
+				"--runInBand",
+				"--no-colors",
+				"--runTestsByPath",
+				"context-a.fuzz.js",
+				"context-b.fuzz.js",
+			],
+			{
+				cwd: bugDetectorDirectory,
+				env: { ...process.env },
+				shell: true,
+				stdio: "pipe",
+				windowsHide: true,
+			},
+		);
+
+		const output = proc.stdout.toString() + proc.stderr.toString();
+		expect(proc.status?.toString()).toBe(JestRegressionExitCode);
+		expect(output).toContain("context-a.fuzz.js");
+		expect(output).toContain("context-b.fuzz.js");
+		expect(output).not.toContain("accessed canary: jaz_zer_1");
+		expect(
+			(output.match(/accessed canary: jaz_zer/g) ?? []).length,
+		).toBeGreaterThanOrEqual(2);
+	});
+
 	it("reports potential access", () => {
 		const fuzzTest = fuzzTestBuilder
 			.dryRun(false)

tests/bug-detectors/code-injection/context-a.fuzz.js

@@ -0,0 +1,23 @@
+/*
+ * Copyright 2026 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+const tests = require("./fuzz");
+
+describe("context a", () => {
+	it.fuzz("Accesses canary", (data) => {
+		tests.evalAccessesCanary(data);
+	});
+});

tests/bug-detectors/code-injection/context-b.fuzz.js

@@ -0,0 +1,23 @@
+/*
+ * Copyright 2026 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+const tests = require("./fuzz");
+
+describe("context b", () => {
+	it.fuzz("Accesses canary", (data) => {
+		tests.evalAccessesCanary(data);
+	});
+});