[pitboss] sweep after phase 04: 2 deferred items resolved

src/dynamic/repro.rs

@@ -655,6 +655,18 @@ fn create_symlink(_target: &Path, _link: &Path) -> std::io::Result<()> {
 
 #[cfg(test)]
 mod tests {
+    /// Process-global `NYX_REPRO_BASE` is mutated by several tests in
+    /// this module; without serialisation a parallel `cargo test`
+    /// invocation races on the global state and produces flakes that
+    /// vanish under `--test-threads=1`.  Every env-mutating test
+    /// acquires this guard for the duration of its body.
+    /// `unwrap_or_else(into_inner)` recovers from poisoning so a
+    /// failing test does not cascade-fail every later test.
+    fn env_lock() -> std::sync::MutexGuard<'static, ()> {
+        static LOCK: std::sync::Mutex<()> = std::sync::Mutex::new(());
+        LOCK.lock().unwrap_or_else(|e| e.into_inner())
+    }
+
     use super::*;
     use crate::dynamic::sandbox::SandboxBackend;
     use crate::dynamic::spec::{EntryKind, PayloadSlot};
@@ -722,6 +734,7 @@ mod tests {
 
     #[test]
     fn write_creates_expected_layout() {
+        let _env_guard = env_lock();
         let dir = TempDir::new().unwrap();
         unsafe { std::env::set_var("NYX_REPRO_BASE", dir.path().to_str().unwrap()) };
 
@@ -759,6 +772,7 @@ mod tests {
 
     #[test]
     fn toolchain_lock_records_expected_toolchain_and_hashes() {
+        let _env_guard = env_lock();
         let dir = TempDir::new().unwrap();
         unsafe { std::env::set_var("NYX_REPRO_BASE", dir.path().to_str().unwrap()) };
         let spec = make_spec();
@@ -831,6 +845,7 @@ mod tests {
 
     #[test]
     fn reproduce_sh_contains_toolchain_check_and_exit_codes() {
+        let _env_guard = env_lock();
         let dir = TempDir::new().unwrap();
         unsafe { std::env::set_var("NYX_REPRO_BASE", dir.path().to_str().unwrap()) };
         let artifact = write(
@@ -925,6 +940,7 @@ mod tests {
 
     #[test]
     fn bundle_root_for_honours_test_override() {
+        let _env_guard = env_lock();
         let dir = TempDir::new().unwrap();
         unsafe { std::env::set_var("NYX_REPRO_BASE", dir.path().to_str().unwrap()) };
         let root = bundle_root_for("cafe0001").unwrap();
@@ -934,6 +950,7 @@ mod tests {
 
     #[test]
     fn bundle_root_for_matches_write_output_under_override() {
+        let _env_guard = env_lock();
         // The path returned by `bundle_root_for` must equal the bundle path
         // that `write` produces — replay callers locate the bundle without
         // re-creating directories, so a drift between the two helpers would
@@ -955,6 +972,7 @@ mod tests {
 
     #[test]
     fn outcome_json_redacts_secrets() {
+        let _env_guard = env_lock();
         let dir = TempDir::new().unwrap();
         unsafe { std::env::set_var("NYX_REPRO_BASE", dir.path().to_str().unwrap()) };
 

src/dynamic/sandbox/process_macos.rs

@@ -431,6 +431,19 @@ pub fn wrap_plan(input: &WrapInput<'_>) -> WrapResult {
 mod tests {
     use super::*;
 
+    /// Process-global env vars (`NYX_SANDBOX_EXEC_BIN`,
+    /// `NYX_SB_DENY_DEFAULT`, `NYX_SB_SEED_DIR`) are mutated by several
+    /// tests in this module; without serialisation a parallel
+    /// `cargo test` invocation races on the global state and produces
+    /// flakes that vanish under `--test-threads=1`.  Every env-mutating
+    /// test acquires this guard for the duration of its body.
+    /// `unwrap_or_else(into_inner)` recovers from poisoning so a
+    /// failing test does not cascade-fail every later test.
+    fn env_lock() -> std::sync::MutexGuard<'static, ()> {
+        static LOCK: std::sync::Mutex<()> = std::sync::Mutex::new(());
+        LOCK.lock().unwrap_or_else(|e| e.into_inner())
+    }
+
     #[test]
     fn profile_for_caps_prefers_file_io() {
         const FILE_IO: u32 = 1 << 5;
@@ -534,6 +547,7 @@ mod tests {
 
     #[test]
     fn sandbox_exec_bin_honours_env_override() {
+        let _env_guard = env_lock();
         // SAFETY: tests are run serially with the macOS hardening suite;
         // resetting the env var below restores the default for subsequent
         // tests in the same process.
@@ -590,6 +604,7 @@ mod tests {
 
     #[test]
     fn deny_default_seed_for_returns_none_without_env_opt_in() {
+        let _env_guard = env_lock();
         // SAFETY: tests in this module mutate process-global env; the
         // macOS hardening integration suite serialises around the same
         // env vars so cargo nextest's per-test process isolation does not
@@ -601,6 +616,7 @@ mod tests {
 
     #[test]
     fn deny_default_seed_for_returns_some_when_env_set_and_seed_present() {
+        let _env_guard = env_lock();
         let tmp = std::env::temp_dir().join("nyx-sb-seed-test");
         let _ = std::fs::remove_dir_all(&tmp);
         std::fs::create_dir_all(&tmp).expect("create seed tempdir");
@@ -626,6 +642,7 @@ mod tests {
 
     #[test]
     fn wrap_plan_returns_none_when_sandbox_exec_missing() {
+        let _env_guard = env_lock();
         unsafe { std::env::set_var(SANDBOX_EXEC_BIN_ENV, "/nonexistent/sandbox-exec") };
         let input = WrapInput {
             cmd_path: Path::new("/usr/bin/true"),
@@ -643,6 +660,7 @@ mod tests {
     #[test]
     #[cfg(target_os = "macos")]
     fn wrap_plan_returns_sandboxed_when_sandbox_exec_present() {
+        let _env_guard = env_lock();
         // Skip when the host doesn't actually have /usr/bin/sandbox-exec
         // (e.g. someone reading SANDBOX_EXEC_BIN_ENV from a parent shell).
         unsafe { std::env::remove_var(SANDBOX_EXEC_BIN_ENV) };

src/dynamic/verify.rs

@@ -1264,6 +1264,19 @@ fn build_verdict(
 mod tests {
     use super::*;
 
+    /// Process-global env vars (`NYX_VERIFY_REPLAY_STABLE`,
+    /// `NYX_VERIFY_REPLAY_DOCKER`) are mutated by several tests in this
+    /// module; without serialisation a parallel `cargo test` invocation
+    /// races on the global state and produces flakes that vanish under
+    /// `--test-threads=1`.  Every env-mutating test acquires this guard
+    /// for the duration of its body.  `unwrap_or_else(into_inner)`
+    /// recovers from poisoning so a failing test does not cascade-fail
+    /// every later test in the suite.
+    fn env_lock() -> std::sync::MutexGuard<'static, ()> {
+        static LOCK: std::sync::Mutex<()> = std::sync::Mutex::new(());
+        LOCK.lock().unwrap_or_else(|e| e.into_inner())
+    }
+
     #[test]
     fn compute_entry_content_hash_stable_for_same_file() {
         let dir = tempfile::TempDir::new().unwrap();
@@ -1300,6 +1313,7 @@ mod tests {
 
     #[test]
     fn from_config_defaults_replay_stable_check_off() {
+        let _env_guard = env_lock();
         // Make sure the test is hermetic — `from_config` reads the env
         // var, so a stale process-wide setting could mask the default.
         unsafe { std::env::remove_var("NYX_VERIFY_REPLAY_STABLE") };
@@ -1313,6 +1327,7 @@ mod tests {
 
     #[test]
     fn from_config_picks_up_replay_stable_env_flag() {
+        let _env_guard = env_lock();
         unsafe { std::env::set_var("NYX_VERIFY_REPLAY_STABLE", "1") };
         let opts = VerifyOptions::from_config(&Config::default());
         assert!(opts.replay_stable_check);
@@ -1327,6 +1342,7 @@ mod tests {
 
     #[test]
     fn from_config_defaults_replay_use_docker_off() {
+        let _env_guard = env_lock();
         // Same hermeticity concern as `replay_stable_check`: clear any
         // stale process-wide setting so the default is observable.
         unsafe { std::env::remove_var("NYX_VERIFY_REPLAY_DOCKER") };
@@ -1340,6 +1356,7 @@ mod tests {
 
     #[test]
     fn from_config_picks_up_replay_docker_env_flag() {
+        let _env_guard = env_lock();
         unsafe { std::env::set_var("NYX_VERIFY_REPLAY_DOCKER", "1") };
         let opts = VerifyOptions::from_config(&Config::default());
         assert!(opts.replay_use_docker);