Stabilise the Ares 2 test suite and CI

.github/workflows/maven.yml

@@ -14,6 +14,10 @@ jobs:
 
     runs-on: ubuntu-22.04
 
+    # Fail fast and preserve the test log instead of letting the heavy suite run
+    # until the runner loses communication (~1h). Lets us see which test hangs.
+    timeout-minutes: 45
+
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v4

.gitignore

@@ -33,3 +33,11 @@ gradle-app.setting
 /build
 /.gradle
 
+# Safety net for the generated security-test scaffold, in case it is ever written
+# into the working directory instead of a temporary folder (see PrecompileTest).
+/PhobosCopyTool.sh
+/SpecificExercise.cfg
+/ares/
+/de/
+/resources/
+

AGENTS.md

@@ -0,0 +1,34 @@
+# AGENTS.md
+
+Repository conventions for automated agents and contributors working on Ares.
+
+## Testing network access (incoming and outgoing)
+
+A sandboxed test JVM must **never spin up its own server** (echo server, socket
+listener, etc.) to test incoming or outgoing connections.
+
+**Why:** Ares is the security boundary under test. Any server started inside the
+same JVM as the student code is itself subject to the active security policy, so
+Ares intercepts its thread, its `ServerSocket` bind and its `accept()`. A
+failure then cannot be attributed to the behaviour being tested (the student's
+client connection, or the student's own server) versus the test fixture failing
+to start. A fixture must live **outside** the boundary it helps test.
+
+**Rule:**
+
+- Outgoing-connection tests connect to an **external echo server** at a
+  configurable endpoint. The server runs as a separate process or CI service on
+  the loopback at the agreed port (currently `25565`). The test exercises only
+  the student's client behaviour.
+- If the external echo server is not reachable, the test **skips** (JUnit
+  `Assumptions.abort`) rather than fails. "Missing echo server" is an expected
+  environmental condition locally; CI provides the server.
+- An Ares `SecurityException` on an explicitly allowed connection is always a
+  real failure and must propagate (never skipped).
+- Do not hard-code a self-hosted listener as the connection counterpart. Port
+  `25565` (Minecraft's default) collides easily; an external service avoids the
+  in-JVM `BindException`/thread/lifecycle flakiness entirely.
+
+`NetworkUser` follows this rule: it no longer starts an in-process echo server;
+`connectLocallyAllowed` targets the external echo server and skips when it is
+absent.