[pitboss] phase 09: Track D.1 + D.2 — Project dependency capture + workdir staging

tests/dynamic_fixtures/env_capture/flask_three_deps/app.py

@@ -0,0 +1,35 @@
+# Phase 09 fixture: Flask app with three deps.  The static engine
+# resolves the sink to `_execute` (helper) and the callgraph rewrite
+# resolves the entry to the Flask route handler `run_command`.
+# Phase 09's environment capture pass must:
+#   1. Resolve toolchain via .python-version / pyproject.toml.
+#   2. Extract flask + requests + jinja2 as direct deps.
+#   3. Detect Flask via the manifest in requirements.txt.
+#   4. Stage every file in the source closure of `_execute`.
+
+from flask import Flask, request
+import requests
+import jinja2
+
+app = Flask(__name__)
+
+
+def _execute(cmd):
+    import os
+    os.system(cmd)  # sink: command injection
+
+
+def _enrich(cmd):
+    # Cross-file helper consumer: forces the source closure walk to copy
+    # at least one extra file beyond `app.py` even when this fixture is
+    # collapsed into a single-file directory.
+    template = jinja2.Template("echo {{ value }}")
+    return template.render(value=cmd)
+
+
+@app.route("/run", methods=["POST"])
+def run_command():
+    raw = request.form.get("cmd", "")
+    cmd = _enrich(raw)
+    _execute(cmd)
+    return "ok"

tests/dynamic_fixtures/env_capture/flask_three_deps/config.yaml

@@ -0,0 +1,2 @@
+debug: true
+log_level: info

tests/dynamic_fixtures/env_capture/flask_three_deps/pyproject.toml

@@ -0,0 +1,5 @@
+[project]
+name = "flask_three_deps"
+version = "0.1.0"
+requires-python = ">=3.11"
+dependencies = ["Flask>=2.3", "requests>=2.30", "Jinja2>=3.1"]

tests/dynamic_fixtures/env_capture/flask_three_deps/requirements.txt

@@ -0,0 +1,3 @@
+Flask==2.3.0
+requests==2.31.0
+Jinja2==3.1.2