Adds MOCK_CLAUDE_SCENARIO=tool_result_injection. Emits a Bash tool_use
followed by a user-role tool_result whose content is a classic
DAN-style prompt-injection string. The warm TestSavantAI classifier
trips at 0.9999 on this text, reliably firing the tool-output BLOCK +
review flow for the full-stack E2E.
Stays alive up to 120s so a test has time to propagate the user's
review decision via /security-decision + the on-disk decision file.
SIGTERM exits 143 on user-confirmed block.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds browse/test/fixtures/mock-claude/claude — an executable bun script
that parses the --prompt flag, extracts the session canary via regex,
and emits stream-json NDJSON events that exercise specific sidebar-agent
code paths.
Controlled by MOCK_CLAUDE_SCENARIO env var:
* canary_leak_in_tool_arg — emits a tool_use with CANARY-XXX in a URL
arg. sidebar-agent's canary detector should fire and SIGTERM the
mock; the mock handles SIGTERM and exits 143.
* clean — emits benign tool_use + text response.
Used by security-e2e-fullstack.test.ts. PATH-prepended during the test so
the real sidebar-agent's spawn('claude', ...) picks up the mock without
any source change to sidebar-agent.ts.
Zero LLM cost, fully deterministic, <1s per scenario. Enables gate-tier
full-stack E2E testing of the security pipeline.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>