Extract dependency check logic to pure function, remove mock.module

linux-dependency-error.test.ts used mock.module() at module top-level to
replace generate-seccomp-filter.js. Bun's mock.module() is process-global
and is not undone by mock.restore(). On Linux CI, where filesystem readdir
order differs from macOS, this file loaded before integration.test.ts and
poisoned its static import of generateSeccompFilter, causing
assertPrecompiledBpfInUse() to receive null.

The test was mocking the module graph to control four booleans that feed
into ~18 lines of error/warning classification. Extract that classification
as dependencyStatusToCheck(status) and test it directly with plain inputs.
checkLinuxDependencies keeps its signature and now composes
getLinuxDependencyStatus with the pure mapper, also removing the
duplicated whichSync/getPreGeneratedBpfPath calls between the two
functions.

The deleted getLinuxDependencyStatus tests were verifying that
{x: f() !== null} returns true when f() is mocked non-null; the deleted
'uses custom seccomp paths' test's mock ignored the path argument and
asserted only Array.isArray on the result.

Author: dylan-conway

src/sandbox/linux-sandbox-utils.ts

@@ -392,28 +392,36 @@ export function getLinuxDependencyStatus(seccompConfig?: {
 }
 
 /**
- * Check sandbox dependencies and return structured result
+ * Pure mapping from dependency status to errors/warnings.
+ * Separated from getLinuxDependencyStatus so the classification logic
+ * can be unit-tested without mocking filesystem or binary lookups.
  */
-export function checkLinuxDependencies(seccompConfig?: {
-  bpfPath?: string
-  applyPath?: string
-}): SandboxDependencyCheck {
+export function dependencyStatusToCheck(
+  status: LinuxDependencyStatus,
+): SandboxDependencyCheck {
   const errors: string[] = []
   const warnings: string[] = []
 
-  if (whichSync('bwrap') === null)
-    errors.push('bubblewrap (bwrap) not installed')
-  if (whichSync('socat') === null) errors.push('socat not installed')
+  if (!status.hasBwrap) errors.push('bubblewrap (bwrap) not installed')
+  if (!status.hasSocat) errors.push('socat not installed')
 
-  const hasBpf = getPreGeneratedBpfPath(seccompConfig?.bpfPath) !== null
-  const hasApply = getApplySeccompBinaryPath(seccompConfig?.applyPath) !== null
-  if (!hasBpf || !hasApply) {
+  if (!status.hasSeccompBpf || !status.hasSeccompApply) {
     warnings.push('seccomp not available - unix socket access not restricted')
   }
 
   return { warnings, errors }
 }
 
+/**
+ * Check sandbox dependencies and return structured result
+ */
+export function checkLinuxDependencies(seccompConfig?: {
+  bpfPath?: string
+  applyPath?: string
+}): SandboxDependencyCheck {
+  return dependencyStatusToCheck(getLinuxDependencyStatus(seccompConfig))
+}
+
 /**
  * Initialize the Linux network bridge for sandbox networking
  *

test/sandbox/linux-dependency-error.test.ts

@@ -1,176 +1,94 @@
-import { describe, test, expect, beforeEach, afterAll, mock } from 'bun:test'
-
-// Mock state - these control what the mocked functions return
-let mockBwrapInstalled = true
-let mockSocatInstalled = true
-let mockBpfPath: string | null = null
-let mockApplyPath: string | null = null
-
-// Store original Bun.which to restore later
-const originalBunWhich = globalThis.Bun.which
-
-// Mock Bun.which directly - this avoids mock.module which affects other test files
-globalThis.Bun.which = ((bin: string): string | null => {
-  if (bin === 'bwrap') {
-    return mockBwrapInstalled ? '/usr/bin/bwrap' : null
-  }
-  if (bin === 'socat') {
-    return mockSocatInstalled ? '/usr/bin/socat' : null
-  }
-  // For other binaries, use the original implementation
-  return originalBunWhich(bin)
-}) as typeof globalThis.Bun.which
-
-// Mock seccomp path functions - controls whether seccomp binaries are "found"
-void mock.module('../../src/sandbox/generate-seccomp-filter.js', () => ({
-  getPreGeneratedBpfPath: () => mockBpfPath,
-  getApplySeccompBinaryPath: () => mockApplyPath,
-  generateSeccompFilter: () => null,
-  cleanupSeccompFilter: () => {},
-}))
-
-// Dynamic import AFTER mocking - this is required for mocks to take effect
-const { checkLinuxDependencies, getLinuxDependencyStatus } = await import(
-  '../../src/sandbox/linux-sandbox-utils.js'
-)
-
-// Restore original Bun.which and module mocks after all tests in this file
-afterAll(() => {
-  globalThis.Bun.which = originalBunWhich
-  mock.restore()
-})
-
-describe('checkLinuxDependencies', () => {
-  // Reset all mocks to "everything installed" state before each test
-  beforeEach(() => {
-    mockBwrapInstalled = true
-    mockSocatInstalled = true
-    mockBpfPath = '/path/to/filter.bpf'
-    mockApplyPath = '/path/to/apply-seccomp'
-  })
-
+import { describe, test, expect } from 'bun:test'
+import {
+  dependencyStatusToCheck,
+  type LinuxDependencyStatus,
+} from '../../src/sandbox/linux-sandbox-utils.js'
+
+const allPresent: LinuxDependencyStatus = {
+  hasBwrap: true,
+  hasSocat: true,
+  hasSeccompBpf: true,
+  hasSeccompApply: true,
+}
+
+describe('dependencyStatusToCheck', () => {
   test('returns no errors or warnings when all dependencies present', () => {
-    const result = checkLinuxDependencies()
+    const result = dependencyStatusToCheck(allPresent)
 
     expect(result.errors).toEqual([])
     expect(result.warnings).toEqual([])
   })
 
   test('returns error when bwrap missing', () => {
-    mockBwrapInstalled = false
-
-    const result = checkLinuxDependencies()
+    const result = dependencyStatusToCheck({ ...allPresent, hasBwrap: false })
 
-    expect(result.errors).toContain('bubblewrap (bwrap) not installed')
-    expect(result.errors.length).toBe(1)
+    expect(result.errors).toEqual(['bubblewrap (bwrap) not installed'])
+    expect(result.warnings).toEqual([])
   })
 
   test('returns error when socat missing', () => {
-    mockSocatInstalled = false
-
-    const result = checkLinuxDependencies()
+    const result = dependencyStatusToCheck({ ...allPresent, hasSocat: false })
 
-    expect(result.errors).toContain('socat not installed')
-    expect(result.errors.length).toBe(1)
+    expect(result.errors).toEqual(['socat not installed'])
+    expect(result.warnings).toEqual([])
   })
 
   test('returns multiple errors when both bwrap and socat missing', () => {
-    mockBwrapInstalled = false
-    mockSocatInstalled = false
-
-    const result = checkLinuxDependencies()
+    const result = dependencyStatusToCheck({
+      ...allPresent,
+      hasBwrap: false,
+      hasSocat: false,
+    })
 
     expect(result.errors).toContain('bubblewrap (bwrap) not installed')
     expect(result.errors).toContain('socat not installed')
     expect(result.errors.length).toBe(2)
   })
 
-  test('returns warning (not error) when seccomp missing', () => {
-    mockBpfPath = null
-    mockApplyPath = null
-
-    const result = checkLinuxDependencies()
+  test('returns warning (not error) when seccomp bpf missing', () => {
+    const result = dependencyStatusToCheck({
+      ...allPresent,
+      hasSeccompBpf: false,
+    })
 
-    expect(result.warnings).toContain(
+    expect(result.errors).toEqual([])
+    expect(result.warnings).toEqual([
       'seccomp not available - unix socket access not restricted',
-    )
+    ])
   })
 
-  test('returns warning when only bpf file present (no apply binary)', () => {
-    mockBpfPath = '/path/to/filter.bpf'
-    mockApplyPath = null
-
-    const result = checkLinuxDependencies()
+  test('returns warning when seccomp apply binary missing', () => {
+    const result = dependencyStatusToCheck({
+      ...allPresent,
+      hasSeccompApply: false,
+    })
 
     expect(result.errors).toEqual([])
-    expect(result.warnings.length).toBe(1)
+    expect(result.warnings).toEqual([
+      'seccomp not available - unix socket access not restricted',
+    ])
   })
 
-  // This verifies the config parameter is actually passed through
-  test('uses custom seccomp paths when provided', () => {
-    // Default paths return null (not found)
-    mockBpfPath = null
-    mockApplyPath = null
-
-    // But we're passing custom paths - the mock ignores them,
-    // so this still returns warnings. The point is it doesn't crash
-    // and the structure is correct. Real path validation happens in the mock.
-    const result = checkLinuxDependencies({
-      bpfPath: '/custom/path.bpf',
-      applyPath: '/custom/apply',
+  test('returns single warning when both seccomp pieces missing', () => {
+    const result = dependencyStatusToCheck({
+      ...allPresent,
+      hasSeccompBpf: false,
+      hasSeccompApply: false,
     })
 
-    expect(Array.isArray(result.errors)).toBe(true)
-    expect(Array.isArray(result.warnings)).toBe(true)
-  })
-})
-
-describe('getLinuxDependencyStatus', () => {
-  beforeEach(() => {
-    mockBwrapInstalled = true
-    mockSocatInstalled = true
-    mockBpfPath = '/path/to/filter.bpf'
-    mockApplyPath = '/path/to/apply-seccomp'
-  })
-
-  // All deps installed = all flags true
-  test('reports all available when everything installed', () => {
-    const status = getLinuxDependencyStatus()
-
-    expect(status.hasBwrap).toBe(true)
-    expect(status.hasSocat).toBe(true)
-    expect(status.hasSeccompBpf).toBe(true)
-    expect(status.hasSeccompApply).toBe(true)
-  })
-
-  // Each missing dep should show as false independently
-  test('reports bwrap unavailable when not installed', () => {
-    mockBwrapInstalled = false
-
-    const status = getLinuxDependencyStatus()
-
-    expect(status.hasBwrap).toBe(false)
-    expect(status.hasSocat).toBe(true) // others unaffected
-  })
-
-  test('reports socat unavailable when not installed', () => {
-    mockSocatInstalled = false
-
-    const status = getLinuxDependencyStatus()
-
-    expect(status.hasSocat).toBe(false)
-    expect(status.hasBwrap).toBe(true) // others unaffected
+    expect(result.errors).toEqual([])
+    expect(result.warnings.length).toBe(1)
   })
 
-  test('reports seccomp unavailable when files missing', () => {
-    mockBpfPath = null
-    mockApplyPath = null
-
-    const status = getLinuxDependencyStatus()
+  test('reports both errors and warnings when everything missing', () => {
+    const result = dependencyStatusToCheck({
+      hasBwrap: false,
+      hasSocat: false,
+      hasSeccompBpf: false,
+      hasSeccompApply: false,
+    })
 
-    expect(status.hasSeccompBpf).toBe(false)
-    expect(status.hasSeccompApply).toBe(false)
-    expect(status.hasBwrap).toBe(true) // others unaffected
-    expect(status.hasSocat).toBe(true)
+    expect(result.errors.length).toBe(2)
+    expect(result.warnings.length).toBe(1)
   })
 })