Migrate integration tests to exact MCP responses (#70)

* Refactor Python integration tests around golden tool results

Restructure the real-binary Python integration harness so each test calls the explicit MCP client methods and compares parsed tool responses against expected dictionaries built with small helpers. This keeps assertions on the public MCP result shape instead of regexing or loosely parsing response text.

Validation:
- python3 -m unittest tests/test_run_integration_tests.py
- cargo check
- cargo build
- python3 tests/run_integration_tests.py --binary target/debug/mcp-repl
- cargo clippy --all-targets --all-features -- -D warnings
- cargo test --quiet
- cargo +nightly fmt
- git diff --check

* Stabilize timeout-dependent integration checks

The timeout-dependent Python integration cases no longer assert exact output captured before a fixed one-second deadline. The interrupt case now polls busy responses until INTERRUPT_READY is observed, and the gated bundle case now checks stable busy/no-bundle facts plus final transcript contents.

Validation:
- python3 -m unittest tests/test_run_integration_tests.py
- python3 -m py_compile tests/run_integration_tests.py tests/test_run_integration_tests.py
- git diff --check
- python3 tests/run_integration_tests.py --binary target/debug/mcp-repl --case r-interrupt-restart-prefixes --case r-output-bundle-files
- cargo check
- cargo build
- python3 tests/run_integration_tests.py --binary target/debug/mcp-repl
- cargo clippy --all-targets --all-features -- -D warnings
- cargo test --quiet
- cargo +nightly fmt

Review finding addressed:
- [P2] Wait for interrupt readiness before exact checks — /Users/tomasz/github/posit-dev/mcp-repl/tests/run_integration_tests.py:576-577
  When this runs on a slower or loaded runner, the 1s timeout can expire before R has echoed all setup lines or printed `INTERRUPT_READY`; the previous helper polled up to 20s for that marker. The new exact assertion then fails even though the worker is correctly still busy, so keep the readiness polling or assert the exact response only after the marker is observed.
  Response: added busy-response polling for `INTERRUPT_READY` before sending the interrupt, with helper coverage for polling and early-finish failure.

Review finding addressed:
- [P2] Avoid pinning output split across timeout — /Users/tomasz/github/posit-dev/mcp-repl/tests/run_integration_tests.py:665-666
  When the gated bundle case runs on a slow runner, this 1s timeout can fire before or after a different amount of the pre-gate output has been captured. The exact assertion here, and the hard-coded poll preview below, then fail although the behavior is correct; assert stable facts like busy/no bundle and final transcript contents instead of requiring a fixed split across the timeout boundary.
  Response: replaced the timeout-bound exact setup and poll-preview assertions with success, busy/no-bundle, settled, and full-transcript content checks.

* Poll interrupt-prefix busy replies in public API runner

Handle transient busy responses after a Ctrl-C prefixed tail in the
r-interrupt-restart-prefixes public API case by polling until the expected
interrupt output settles. Add a Python regression test for the runner path that
returns busy for the Ctrl-C tail before producing interrupt received and
AFTER_INTERRUPT on the next empty poll.

Review finding:
- [P2] Poll after Ctrl-C busy replies -- /Users/tomasz/github/posit-dev/mcp-repl/tests/run_integration_tests.py:600-608
  When the Ctrl-C follow-up returns a transient busy response, this exact assertion fails immediately instead of draining until the worker settles. This scenario is already handled in the Windows-specific interrupt test by polling after `\u0003...`, and the Python public API suite runs on Windows CI, so `r-interrupt-restart-prefixes` can fail even though the worker later produces `interrupt received` and `AFTER_INTERRUPT`.

Addressed by polling after busy Ctrl-C-tail replies before asserting the settled public API output.

Validation:
- python3 -m unittest tests.test_run_integration_tests.RunIntegrationTestsCaseTests.test_r_interrupt_restart_prefixes_polls_after_transient_busy_interrupt
- python3 -m unittest tests.test_run_integration_tests
- cargo check
- cargo build
- python3 tests/run_integration_tests.py --binary target/debug/mcp-repl
- cargo clippy --all-targets --all-features -- -D warnings
- cargo test --quiet
- cargo +nightly fmt
- git diff --check

* Increase timeout duration in busy recovery test for improved stability

* Use dedent for long integration test strings

Format long R snippets and busy-response fixtures with textwrap.dedent() so expected test inputs stay indented with the surrounding Python code.

Validation:
- python3 tests/test_run_integration_tests.py
- cargo check
- cargo build
- python3 tests/run_integration_tests.py --binary target/debug/mcp-repl
- cargo clippy --all-targets --all-features -- -D warnings
- cargo test --quiet
- cargo +nightly fmt

* Enable sandbox coverage in integration tests

Stop hiding macOS sandbox availability behind CODEX_SANDBOX and probe sandbox-exec with a policy that can actually execute the test command. Convert the sandbox availability skips to assertions, remove the Codex full-access TUI env gate, and make Python/Codex outside-workspace probes target home-directory paths instead of temp paths that the sandbox intentionally permits.

Allow macOS sandboxed workers to write inherited stdout/stderr through /dev/stdout, /dev/stderr, and /dev/fd/[12], which surfaced once the default sandboxed test paths were enabled.

Validation:
- cargo +nightly fmt
- cargo check
- cargo build
- python3 tests/run_integration_tests.py --binary target/debug/mcp-repl
- cargo clippy --all-targets --all-features -- -D warnings
- cargo test --quiet
- MCP_REPL_CODEX_BACKEND=mock cargo test -j 1 --test codex_integration codex_exec_auto_backend_smoke -- --test-threads=1

* Prewarm reticulate JAX sandbox cache

Run the reticulate/keras JAX probe once on the host before entering the
network-disabled sandbox. If the host probe cannot materialize the backend
because Rscript, reticulate, keras3, or the backend cache/download setup is
unavailable, skip the sandbox test before the sandboxed assertion.

Reuse the same probe inside the sandbox so the test checks the cached backend
path without depending on network access inside the worker sandbox.

Also remove the macOS Seatbelt /dev/stdout, /dev/stderr, and /dev/fd alias
allowance from this PR. There is no real package or user workflow here that
justifies reopening inherited stdio by path, so keep that denied and make the
artificial direct-fd surface test skip when the sandbox rejects it.

Review finding:
[P2] Preserve skip for missing reticulate cache — /Users/tomasz/github/posit-dev/mcp-repl/tests/sandbox.rs:897-899
When `reticulate` and `keras3` are installed but the JAX backend is not already present in the reticulate/uv cache, this test now fails because the sandbox disables network and `use_backend("jax")` reports cache/download errors; those outcomes were previously skipped. Please keep detecting the offline-cache-missing case so `cargo test` does not depend on a prepopulated user cache.

Response:
The test now pre-populates the reticulate/keras JAX cache with a host-side
Rscript probe and skips before sandbox execution when that warm-up cannot
complete. The sandboxed test then validates the cached path with network access
disabled.

Validation:
- cargo test --test sandbox sandbox_reticulate_keras_backend -- --nocapture
- cargo test --test repl_surface direct_stdout_fd_write_falls_back_to_raw_stream -- --nocapture
- cargo +nightly fmt
- cargo check
- cargo build
- python3 tests/run_integration_tests.py --binary target/debug/mcp-repl
- cargo clippy --all-targets --all-features -- -D warnings
- cargo test --quiet

* Skip Python discovery sandbox test under override

Change python_discovery_keeps_venv_probe_inside_sandbox to skip when
MCP_REPL_PYTHON_EXECUTABLE is set, matching the adjacent Python discovery
tests. The explicit executable override bypasses discovery, so the sandbox
probe coverage is not meaningful in that environment.

Review finding:
- [P2] Skip discovery test under explicit Python override — /Users/tomasz/github/posit-dev/mcp-repl/tests/python_backend.rs:238-241
  When `MCP_REPL_PYTHON_EXECUTABLE` is set, this assertion makes `cargo test --test python_backend python_discovery_keeps_venv_probe_inside_sandbox` fail before exercising sandbox discovery. That variable is a supported override and the adjacent Python discovery tests still skip because it bypasses discovery, so this test should skip or clear the env for the spawned server instead of panicking.

Response:
- Replaced the assertion with an explicit skip when the supported Python executable override is present.

Validation:
- MCP_REPL_PYTHON_EXECUTABLE=/bin/false cargo test --test python_backend python_discovery_keeps_venv_probe_inside_sandbox -- --exact --nocapture
- cargo test --test python_backend python_discovery_keeps_venv_probe_inside_sandbox -- --exact --nocapture
- cargo +nightly fmt
- cargo check
- cargo build
- python3 tests/run_integration_tests.py --binary target/debug/mcp-repl
- cargo clippy --all-targets --all-features -- -D warnings
- cargo test --quiet

* Assert Python discovery sandbox write failure

Replace the passive outside-workspace marker probe with a fake venv Python that attempts the write from inside the sandbox and reports the caught exception through the public reply. Force discovery to use that fake candidate by clearing PATH to a temporary empty directory.

The test still verifies that the marker file was not created, but now also proves the sandboxed Python side observed the write denial.

Validation: cargo +nightly fmt; cargo check; cargo build; python3 tests/run_integration_tests.py --binary target/debug/mcp-repl; cargo clippy --all-targets --all-features -- -D warnings; cargo test --quiet

* Stabilize timeout spill tests

Replace sleep-based synchronization in the timeout spill and pager follow-up tests with host gate files and R-side marker files. This keeps the same public API coverage while making the macOS timing boundary deterministic under CI load.

Validation:
- cargo check
- cargo build
- python3 tests/run_integration_tests.py --binary target/debug/mcp-repl
- cargo clippy --all-targets --all-features -- -D warnings
- cargo test --quiet
- cargo +nightly fmt

* Use workspace-visible timeout test gates

* Stabilize idle protocol error test

* Gate output bundle cleanup tests

Author: t-kalinowski

src/sandbox/seatbelt_base_policy.sbpl

@@ -22,6 +22,8 @@
   (require-all
     (path "/dev/null")
     (vnode-type CHARACTER-DEVICE)))
+; Do not allow /dev/stdout, /dev/stderr, or /dev/fd aliases without a real
+; package or user workflow that requires reopening inherited stdio by path.
 ; Allow uv's SystemConfiguration probe to touch /dev/dtracehelper on macOS.
 (allow file-write-data
   (require-all

tests/codex_integration.rs

@@ -40,9 +40,6 @@ mod unix_impl {
     const MOCK_TOOL_INPUT: &str = "cat(\"CODEX_MOCK_MCP_OK\\n\")\n";
     const LIVE_FINAL_MARKER: &str = "CODEX_LIVE_DONE";
     const INSTALL_SCRIPTED_TOOL_CALL_MARKER: &str = "INSTALL_SCRIPTED_TOOL_CALL";
-    #[cfg(any(target_os = "macos", target_os = "linux"))]
-    const FULL_ACCESS_TEST_ENV: &str = "MCP_REPL_ENABLE_FULL_ACCESS_TUI_TEST";
-
     fn codex_exec_test_mutex() -> &'static tokio::sync::Mutex<()> {
         static TEST_MUTEX: OnceLock<tokio::sync::Mutex<()>> = OnceLock::new();
         TEST_MUTEX.get_or_init(|| tokio::sync::Mutex::new(()))
@@ -426,17 +423,10 @@ mod unix_impl {
     #[cfg(any(target_os = "macos", target_os = "linux"))]
     pub(super) async fn run_codex_tui_full_access_sandbox_update() -> TestResult<()> {
         const TEST_NAME: &str = "codex_tui_full_access_sandbox_update";
-        if !full_access_test_enabled() {
-            print_skip_banner(TEST_NAME, &format!("{FULL_ACCESS_TEST_ENV} is not set"));
-            return Ok(());
-        }
         if !codex_client_ready(TEST_NAME) {
             return Ok(());
         }
-        if !common::sandbox_exec_available() {
-            print_skip_banner(TEST_NAME, "sandbox-exec unavailable");
-            return Ok(());
-        }
+        assert!(common::sandbox_exec_available(), "sandbox-exec unavailable");
         if !loopback_bind_available().await {
             print_skip_banner(TEST_NAME, "loopback TCP bind unavailable");
             return Ok(());
@@ -459,34 +449,33 @@ mod unix_impl {
         driver.drain(Duration::from_millis(800));
         driver.ensure_running("after startup")?;
         driver.wait_for_warmup(Duration::from_secs(10))?;
-        wait_for_log_contains(&env.debug_dir, "workspace-write", Duration::from_secs(10))?;
 
         driver.send_line(&format!(
             "{FULL_ACCESS_MARKER}: probe write before full access"
         ))?;
         driver.wait_for_contains("WRITE_ERROR:", Duration::from_secs(20))?;
         driver.wait_for_contains("Tool call 1 completed", Duration::from_secs(20))?;
+        wait_for_log_contains(&env.debug_dir, "workspace-write", Duration::from_secs(10))?;
 
-        driver.send_line("/approvals")?;
+        driver.send_line("/permissions")?;
         driver.wait_for_contains("Update Model Permissions", Duration::from_secs(15))?;
         driver.send("3")?;
         driver.wait_for_contains(
             "Permissions updated to Full Access",
             Duration::from_secs(15),
         )?;
 
+        driver.send_line(&format!(
+            "{FULL_ACCESS_MARKER}: probe write after full access"
+        ))?;
+        driver.wait_for_contains("WRITE_OK", Duration::from_secs(20))?;
+        driver.wait_for_contains("Tool call 2 completed", Duration::from_secs(20))?;
         wait_for_log_contains(
             &env.debug_dir,
             "danger-full-access",
             Duration::from_secs(20),
         )?;
         wait_for_log_contains(&env.debug_dir, "tool-call-meta", Duration::from_secs(20))?;
-
-        driver.send_line(&format!(
-            "{FULL_ACCESS_MARKER}: probe write after full access"
-        ))?;
-        driver.wait_for_contains("WRITE_OK", Duration::from_secs(20))?;
-        driver.wait_for_contains("Tool call 2 completed", Duration::from_secs(20))?;
         driver.kill()?;
 
         let outputs = mock_server.function_call_outputs().await;
@@ -538,11 +527,6 @@ mod unix_impl {
         Ok(())
     }
 
-    #[cfg(any(target_os = "macos", target_os = "linux"))]
-    fn full_access_test_enabled() -> bool {
-        std::env::var_os(FULL_ACCESS_TEST_ENV).is_some()
-    }
-
     async fn loopback_bind_available() -> bool {
         TcpListener::bind("127.0.0.1:0").await.is_ok()
     }
@@ -1513,7 +1497,11 @@ trust_level = "trusted"
         let nanos = std::time::SystemTime::now()
             .duration_since(std::time::UNIX_EPOCH)?
             .as_nanos();
-        let target = std::env::temp_dir().join(format!("mcp-repl-codex-probe-{nanos}.txt"));
+        let home = std::env::var_os("HOME")
+            .or_else(|| std::env::var_os("USERPROFILE"))
+            .map(PathBuf::from)
+            .ok_or_else(|| "missing HOME/USERPROFILE for outside-workspace probe".to_string())?;
+        let target = home.join(format!(".mcp-repl-codex-probe-{nanos}.txt"));
         let target_literal = serde_json::to_string(&target.to_string_lossy().to_string())
             .map_err(|err| format!("failed to encode target path: {err}"))?;
         Ok(r#"target <- __TARGET__

tests/common/mod.rs

@@ -212,11 +212,13 @@ impl Drop for SuiteServerLockToken {
 pub fn sandbox_exec_available() -> bool {
     static AVAILABLE: OnceLock<bool> = OnceLock::new();
     *AVAILABLE.get_or_init(|| {
-        if std::env::var_os("CODEX_SANDBOX").is_some() {
-            return false;
-        }
         std::process::Command::new("/usr/bin/sandbox-exec")
-            .args(["-p", "(version 1)", "--", "/usr/bin/true"])
+            .args([
+                "-p",
+                "(version 1)(allow process-exec)(allow file-read*)",
+                "--",
+                "/usr/bin/true",
+            ])
             .stdin(std::process::Stdio::null())
             .stdout(std::process::Stdio::null())
             .stderr(std::process::Stdio::null())

tests/debug_repl_prompt.rs

@@ -12,11 +12,13 @@ type TestResult<T> = Result<T, Box<dyn std::error::Error + Send + Sync>>;
 #[cfg(target_os = "macos")]
 fn sandbox_exec_available() -> bool {
     // Mirror tests/common/mod.rs: sandbox-exec may exist but be unusable (status 71).
-    if std::env::var_os("CODEX_SANDBOX").is_some() {
-        return false;
-    }
     Command::new("/usr/bin/sandbox-exec")
-        .args(["-p", "(version 1)", "--", "/usr/bin/true"])
+        .args([
+            "-p",
+            "(version 1)(allow process-exec)(allow file-read*)",
+            "--",
+            "/usr/bin/true",
+        ])
         .stdin(Stdio::null())
         .stdout(Stdio::null())
         .stderr(Stdio::null())

tests/python_backend.rs

@@ -234,19 +234,26 @@ fn real_python_executable() -> TestResult<String> {
 async fn python_discovery_keeps_venv_probe_inside_sandbox() -> TestResult<()> {
     use std::os::unix::fs::PermissionsExt;
 
-    if !common::sandbox_exec_available() {
-        eprintln!("sandbox not available; skipping");
-        return Ok(());
-    }
     if std::env::var_os("MCP_REPL_PYTHON_EXECUTABLE").is_some() {
-        eprintln!("explicit Python executable set; skipping discovery test");
+        eprintln!("explicit Python executable set; skipping discovery sandbox coverage test");
         return Ok(());
     }
+    assert!(common::sandbox_exec_available(), "sandbox unavailable");
 
     let _guard = lock_test_mutex();
+    let real_python = real_python_executable()?;
     let workspace = tempdir()?;
-    let outside = tempdir()?;
-    let marker = outside.path().join("python-discovery-marker");
+    let empty_bin = workspace.path().join("empty-bin");
+    fs::create_dir_all(&empty_bin)?;
+    let home = std::env::var_os("HOME")
+        .or_else(|| std::env::var_os("USERPROFILE"))
+        .map(PathBuf::from)
+        .ok_or("missing HOME/USERPROFILE for Python discovery sandbox marker")?;
+    let marker = home.join(format!(
+        ".mcp-repl-python-discovery-marker-{}",
+        std::process::id()
+    ));
+    let _ = fs::remove_file(&marker);
     let marker_text = marker
         .to_str()
         .ok_or("marker path must be valid utf-8")?
@@ -256,7 +263,22 @@ async fn python_discovery_keeps_venv_probe_inside_sandbox() -> TestResult<()> {
     let shim = venv_bin.join("python");
     fs::write(
         &shim,
-        "#!/bin/sh\nprintf probe > \"$MCP_REPL_TEST_PYTHON_PROBE_MARKER\"\nexit 1\n",
+        concat!(
+            "#!/bin/sh\n",
+            "exec \"$MCP_REPL_REAL_PYTHON\" - <<'PY'\n",
+            "import os\n",
+            "import sys\n",
+            "from pathlib import Path\n",
+            "\n",
+            "try:\n",
+            "    Path(os.environ['MCP_REPL_TEST_PYTHON_PROBE_MARKER']).write_text('probe')\n",
+            "except Exception as err:\n",
+            "    print(f'MCP_REPL_TEST_PYTHON_PROBE_WRITE_ERROR:{type(err).__name__}', file=sys.stderr)\n",
+            "else:\n",
+            "    print('MCP_REPL_TEST_PYTHON_PROBE_WRITE_OK', file=sys.stderr)\n",
+            "raise SystemExit(1)\n",
+            "PY\n",
+        ),
     )?;
     let mut permissions = fs::metadata(&shim)?.permissions();
     permissions.set_mode(0o755);
@@ -269,16 +291,26 @@ async fn python_discovery_keeps_venv_probe_inside_sandbox() -> TestResult<()> {
             "--sandbox".to_string(),
             "read-only".to_string(),
         ],
-        vec![("MCP_REPL_TEST_PYTHON_PROBE_MARKER".to_string(), marker_text)],
+        vec![
+            ("PATH".to_string(), empty_bin.display().to_string()),
+            ("MCP_REPL_REAL_PYTHON".to_string(), real_python),
+            ("MCP_REPL_TEST_PYTHON_PROBE_MARKER".to_string(), marker_text),
+        ],
         Some(workspace.path().to_path_buf()),
     )
     .await?;
     let result = session.write_stdin_raw_with("1+1", Some(5.0)).await?;
     let text = result_text(&result);
     session.cancel().await?;
+    let marker_exists = marker.exists();
+    let _ = fs::remove_file(&marker);
 
     assert!(
-        !marker.exists(),
+        text.contains("MCP_REPL_TEST_PYTHON_PROBE_WRITE_ERROR:"),
+        "expected Python discovery probe write failure in reply, got: {text:?}"
+    );
+    assert!(
+        !marker_exists,
         "Python discovery probe wrote outside the sandbox; reply was: {text:?}"
     );
     Ok(())

tests/repl_surface.rs

@@ -336,10 +336,14 @@ async fn direct_stdout_fd_write_falls_back_to_raw_stream() -> TestResult<()> {
         "if (!file.exists('/dev/stdout')) { ",
         "cat('SKIP_DIRECT_FD\\n') ",
         "} else { ",
-        "con <- suppressWarnings(file('/dev/stdout', open = 'wb')); ",
+        "con <- tryCatch(suppressWarnings(file('/dev/stdout', open = 'wb')), error = function(e) NULL); ",
+        "if (is.null(con)) { ",
+        "cat('SKIP_DIRECT_FD\\n') ",
+        "} else { ",
         "writeBin(charToRaw('direct-fd\\n'), con); ",
         "flush(con); close(con); ",
         "cat('r-owned\\n') ",
+        "} ",
         "}",
     );
     let result = session.write_stdin_raw_with(input, Some(30.0)).await?;