fix: fill empty test body and use mktemp for paths

- Add actual X-RateLimit header assertions to the empty
  "should include X-RateLimit headers in responses" test
- Replace fixed /tmp/auth-* paths with mktemp -d to avoid
  conflicts between parallel test runs

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Mossaka

tests/integration/api-proxy-rate-limit.test.ts

@@ -87,13 +87,19 @@ describe('API Proxy Rate Limiting', () => {
   }, 180000);
 
   test('should include X-RateLimit headers in responses', async () => {
-    // Make a single request and check for rate limit headers
+    // Use RPM=1 and make 2 requests — the second triggers 429 which always has rate limit headers
+    const script = [
+      `curl -s -X POST http://${API_PROXY_IP}:10001/v1/messages -H "Content-Type: application/json" -d "{\\"model\\":\\"test\\"}" > /dev/null`,
+      `curl -s -i -X POST http://${API_PROXY_IP}:10001/v1/messages -H "Content-Type: application/json" -d "{\\"model\\":\\"test\\"}"`,
+    ].join(' && ');
+
     const result = await runner.runWithSudo(
-      `bash -c "curl -s -i -X POST http://${API_PROXY_IP}:10001/v1/messages -H 'Content-Type: application/json' -d '{\"model\":\"test\"}'"`,
+      `bash -c '${script}'`,
       {
         allowDomains: ['api.anthropic.com'],
         enableApiProxy: true,
         buildLocal: true,
+        rateLimitRpm: 1,
         logLevel: 'debug',
         timeout: 120000,
         env: {
@@ -103,10 +109,10 @@ describe('API Proxy Rate Limiting', () => {
     );
 
     expect(result).toSucceed();
-    // Even non-429 responses from rate-limited requests should have rate limit headers.
-    // When rate limit IS triggered (429), headers are always present.
-    // For a single request at default limits, we might get the upstream response
-    // which won't have these headers. So use a low RPM and make 2 requests.
+    const lower = result.stdout.toLowerCase();
+    expect(lower).toContain('x-ratelimit-limit');
+    expect(lower).toContain('x-ratelimit-remaining');
+    expect(lower).toContain('x-ratelimit-reset');
   }, 180000);
 
   test('should include X-RateLimit headers in 429 response', async () => {

tests/integration/git-operations.test.ts

@@ -162,7 +162,7 @@ describe('Git Operations', () => {
 
       const result = await runner.runWithSudo(
         withGitAuth(
-          `git clone --depth 1 https://github.com/${TEST_REPO}.git /tmp/auth-clone && ls /tmp/auth-clone`
+          `TMPDIR=$(mktemp -d) && git clone --depth 1 https://github.com/${TEST_REPO}.git $TMPDIR/repo && ls $TMPDIR/repo`
         ),
         {
           allowDomains: ['github.com'],
@@ -183,8 +183,8 @@ describe('Git Operations', () => {
 
       const result = await runner.runWithSudo(
         withGitAuth(
-          `git clone --depth 1 https://github.com/${TEST_REPO}.git /tmp/auth-fetch && ` +
-          `cd /tmp/auth-fetch && git fetch origin`
+          `TMPDIR=$(mktemp -d) && git clone --depth 1 https://github.com/${TEST_REPO}.git $TMPDIR/repo && ` +
+          `cd $TMPDIR/repo && git fetch origin`
         ),
         {
           allowDomains: ['github.com'],
@@ -207,8 +207,8 @@ describe('Git Operations', () => {
       // Clone, create branch, commit, push, then delete the remote branch
       const result = await runner.runWithSudo(
         withGitAuth(
-          `git clone --depth 1 https://github.com/${TEST_REPO}.git /tmp/auth-push && ` +
-          `cd /tmp/auth-push && ` +
+          `TMPDIR=$(mktemp -d) && git clone --depth 1 https://github.com/${TEST_REPO}.git $TMPDIR/repo && ` +
+          `cd $TMPDIR/repo && ` +
           `git checkout -b ${branchName} && ` +
           `echo "awf-test-$(date +%s)" > awf-test-file.txt && ` +
           `git add awf-test-file.txt && ` +