Context
PR #721 added gosu-based gateway process isolation, which broke sandbox startup on Brev (and anywhere OpenShell manages containers) because OpenShell runs containers with --security-opt=no-new-privileges, blocking gosu's setuid syscall. This was fixed in PR #846 by adding a non-root fallback path.
The existing Brev E2E infrastructure (PR #813) did not catch this because there is no explicit test that verifies the sandbox container starts successfully under OpenShell's no-new-privileges security policy.
Ref: Slack thread — Aaron called out this gap.
Problem
- The gateway isolation E2E test (`test/e2e-gateway-isolation.sh`) runs in CI on `ubuntu-latest`, where Docker runs containers as root — it never hits the `no-new-privileges` codepath.
- `brev-e2e.test.js` bootstraps on Brev and runs test scripts, but does not explicitly assert that the sandbox container starts successfully after a fresh `docker build` under real OpenShell security constraints.
Proposed Solution
Add a test case to the Brev E2E suite (`test/e2e/brev-e2e.test.js` or a new script callable from it) that:
- Builds the Docker image on the Brev instance
- Verifies the container starts successfully under OpenShell's `no-new-privileges` policy
- Asserts that the gateway process is running and reachable
- Verifies the non-root fallback message ("Running as non-root") appears in logs when privilege separation is unavailable

This is a sandbox startup smoke test — the kind of test that would have prevented the #846 regression from shipping in #721.
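One shape such a smoke test could take, as an added example written for this issue rather than code from the project: a bash script that builds the image, starts it with `--security-opt=no-new-privileges` (the same constraint OpenShell applies), then checks container state, the fallback log line and gateway reachability. The image tag, container name, gateway port and the HTTP probe path are assumptions (placeholders, not project values); the only string taken from the issue is the "Running as non-root" fallback message. The log and state checks are separate functions so they can be exercised without Docker.

```bash
#!/usr/bin/env bash
# Sandbox startup smoke test under no-new-privileges (added example, not project code).
set -eu

# Placeholders / assumptions: override via the environment.
IMAGE_TAG="${IMAGE_TAG:-sandbox-smoke:local}"       # assumed image tag
CONTAINER_NAME="${CONTAINER_NAME:-sandbox-smoke}"   # assumed container name
GATEWAY_PORT="${GATEWAY_PORT:-8080}"                # assumed gateway port
GATEWAY_PROBE_PATH="${GATEWAY_PROBE_PATH:-/}"       # assumed HTTP probe path
FALLBACK_MSG="Running as non-root"                  # message quoted in the issue

# True when the fallback message from PR #846's non-root path is in the logs.
has_nonroot_fallback() {
  printf '%s\n' "$1" | grep -Fq "$FALLBACK_MSG"
}

# True when a `docker inspect` state string says the container is still up.
container_is_running() {
  [ "$1" = "running" ]
}

# Classify a startup outcome from container state + logs.
# Prints "ok-fallback", "ok-privsep" or "crashed"; non-zero status on crash.
classify_startup() {
  local state="$1" logs="$2"
  if ! container_is_running "$state"; then
    echo "crashed"
    return 1
  fi
  if has_nonroot_fallback "$logs"; then
    echo "ok-fallback"    # privilege separation unavailable, fallback path taken
  else
    echo "ok-privsep"     # gosu path worked (not expected under no-new-privileges)
  fi
}

build_image() {
  docker build -t "$IMAGE_TAG" .
}

# Start the sandbox exactly as OpenShell would: no-new-privileges blocks setuid.
start_container() {
  docker rm -f "$CONTAINER_NAME" >/dev/null 2>&1 || true
  docker run -d --name "$CONTAINER_NAME" \
    --security-opt=no-new-privileges \
    -p "127.0.0.1:${GATEWAY_PORT}:${GATEWAY_PORT}" \
    "$IMAGE_TAG" >/dev/null
}

# Poll the assumed gateway HTTP endpoint for up to 30 seconds.
wait_for_gateway() {
  local i=0
  while [ "$i" -lt 30 ]; do
    if curl -fsS "http://127.0.0.1:${GATEWAY_PORT}${GATEWAY_PROBE_PATH}" >/dev/null 2>&1; then
      return 0
    fi
    i=$((i + 1))
    sleep 1
  done
  return 1
}

main() {
  local state logs outcome
  build_image
  start_container
  sleep 3   # give the entrypoint time to either fall back or die
  state="$(docker inspect -f '{{.State.Status}}' "$CONTAINER_NAME")"
  logs="$(docker logs "$CONTAINER_NAME" 2>&1)"
  if ! outcome="$(classify_startup "$state" "$logs")"; then
    echo "FAIL: container not running under no-new-privileges"
    printf '%s\n' "$logs"
    exit 1
  fi
  if ! wait_for_gateway; then
    echo "FAIL: gateway process not reachable on port ${GATEWAY_PORT}"
    exit 1
  fi
  echo "PASS: sandbox started under no-new-privileges (${outcome})"
  docker rm -f "$CONTAINER_NAME" >/dev/null
}

# Only run the Docker flow when explicitly asked, so the check functions can be sourced.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Invoked as `bash sandbox-smoke.sh run` from the repository root on the Brev instance (or from `brev-e2e.test.js` via a child process), it fails the build whenever the container exits under `no-new-privileges`, which is exactly the #721 regression. Reporting `ok-privsep` separately is deliberate: if the fallback message is absent but the container still runs, the test environment is probably not applying the constraint and the result should be treated with suspicion rather than as a pass.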
Acceptance Criteria
- `no-new-privileges` constraint (on Brev)