test: enforce strict replay sandboxing in e2e fixtures #141

Merged: sohankshirsagar merged 2 commits into main from sohan/require-strict-sandboxing on Mar 17, 2026
@sohankshirsagar
Summary

Require strict replay sandboxing across the Docker-based e2e fixtures and update the test containers so the sandbox can actually start during replay. This also fixes a few compose files where the initial bulk edit misplaced build.args.

Changes

  • Set replay.sandbox.mode: strict in all e2e .tusk/config.yaml files so replay fails instead of silently falling back to unsandboxed execution.
  • Install socat and bubblewrap in all Docker-based e2e Dockerfiles, since those binaries are required for Linux replay sandboxing.
  • Add cap_add: [SYS_ADMIN] plus security_opt overrides (seccomp=unconfined, apparmor=unconfined) to each e2e docker-compose.yml app service.
    • Docker’s default seccomp/AppArmor restrictions were blocking bubblewrap from creating the namespaces it needs, which caused strict sandbox startup to fail with Operation not permitted.
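
A text-level guard for the fixture settings listed in the description above, as an added example that is not part of this PR or the project's own code. It assumes each fixture directory holds `.tusk/config.yaml`, `docker-compose.yml` and `Dockerfile`; `need` and `check_fixture` are hypothetical names, and the checks are pattern matches rather than YAML parsing.

```shell
#!/bin/sh
# Added example: text-level guard for the e2e fixture settings this PR introduces.
# Assumed per-fixture layout: .tusk/config.yaml, docker-compose.yml, Dockerfile.

# need FILE REGEX MESSAGE: print a finding when FILE is absent or has no match.
need() {
    if [ ! -f "$1" ]; then
        echo "$1: file not found"
    elif ! grep -Eq -- "$2" "$1"; then
        echo "$1: $3"
    fi
}

# check_fixture DIR: print one finding per line; return 0 only when there are none.
check_fixture() {
    dir=$1
    findings=$(
        # Anchored at line start so a commented-out "# mode: strict" does not pass.
        need "$dir/.tusk/config.yaml" '^[[:space:]]*mode:[[:space:]]*strict[[:space:]]*$' \
            'sandbox mode is not strict (replay may fall back to unsandboxed)'
        need "$dir/Dockerfile" 'socat' 'socat is not installed'
        need "$dir/Dockerfile" 'bubblewrap' 'bubblewrap is not installed'
        need "$dir/docker-compose.yml" 'SYS_ADMIN' 'cap_add lacks SYS_ADMIN'
        need "$dir/docker-compose.yml" 'seccomp[=:]unconfined' \
            'security_opt lacks seccomp=unconfined'
        need "$dir/docker-compose.yml" 'apparmor[=:]unconfined' \
            'security_opt lacks apparmor=unconfined'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# With arguments, check each fixture directory and exit non-zero on any finding.
if [ "$#" -gt 0 ]; then
    status=0
    for d in "$@"; do
        check_fixture "$d" || status=1
    done
    exit "$status"
fi
```
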

tusk-dev bot commented Mar 16, 2026

PR identified as a refactor

Commit Status Output Created (UTC)
ec86df6 PR identified as a refactor Output Mar 16, 2026 11:18PM

@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 90 files

Note: This PR contains a large number of files. cubic only reviews up to 75 files per PR, so some files may not have been reviewed.

@sohil-kshirsagar sohil-kshirsagar left a comment

nice! worth updating the e2e testing docs explaining this?

@sohankshirsagar sohankshirsagar merged commit e86fae0 into main Mar 17, 2026
19 checks passed
@sohankshirsagar sohankshirsagar deleted the sohan/require-strict-sandboxing branch March 17, 2026 00:23