15f0e0b507
Sandbox-escape couldn't run: its git-gate fixture had no host_key, so the preflight ssh-keyscanned the deliberately-unreachable upstream and die()d in setUpClass. Preset a throwaway host_key so the keyscan is skipped (the key is never used — the push is rejected by gitleaks first). That unblocked a second, pre-existing issue: the planted secrets weren't caught by gitleaks (the AWS example key is allowlisted; the others hit entropy/keyword gates in the keyword-free URL the attack embeds). Reshape the fixtures — three structural, high-entropy shapes gitleaks matches without a keyword (github / slack / gitlab) for the git-push attack, and a separate alphanumeric secret for the DNS attack (a gitleaks-matchable token carries separators that aren't valid DNS labels, so the two uses can't share one secret). All five sandbox-escape tests now pass. Add test_firecracker_launch: a launch smoke (exec + proxy env) gated on `FirecrackerBottleBackend.status() == 0` (the `backend status` result), skipping with setup instructions when the TAP pool / nft table aren't provisioned. The git-gate-only-matches-gitleaks-patterns asymmetry the reshape exposed is tracked separately (#346). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01WBMWTEtQdJ4W5UrWuLHCck