Integration Test Map¶

Generated: 2026-04-05 07:31 UTC

151 tests across 9 directories

`allow_deny/`¶

Tests for the allow/deny workflow: adding IPs to the allow set, verifying traffic passes, RFC1918 whitelisting, and the full allow → deny cycle via API and CLI.

Test	Class	CI Tier	Markers
`test_cli_allow`	`TestAllowDenyCLI`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_cli_deny`	`TestAllowDenyCLI`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_elements_appear_in_set`	`TestAddElementsLive`	podman	`needs_internet`, `needs_podman`
`test_multiple_elements`	`TestAddElementsLive`	podman	`needs_internet`, `needs_podman`
`test_shield_allow_deny_cycle`	`TestAllowDenyAPI`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_shield_allow_ip`	`TestAllowDenyAPI`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_allow_then_block_different_targets`	`TestFirewallAllowing`	podman	`needs_internet`, `needs_podman`
`test_allowed_ip_reachable_http`	`TestFirewallAllowing`	podman	`needs_internet`, `needs_podman`
`test_allowed_ip_reachable_https`	`TestFirewallAllowing`	podman	`needs_internet`, `needs_podman`
`test_non_allowed_ip_still_blocked`	`TestFirewallAllowing`	podman	`needs_internet`, `needs_podman`
`test_rfc1918_allowed_when_whitelisted`	`TestRFC1918Allow`	podman	`needs_internet`, `needs_podman`

`blocking/`¶

Tests for default-deny behavior: HTTP/HTTPS blocking, IPv6 drop, RFC1918 reject rules, reject-vs-drop timing, and ICMP probe detection.

Test	Class	CI Tier	Markers
`test_traffic_blocked_by_default`	`TestDefaultDenyAPI`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_http_blocked_after_ruleset`	`TestFirewallBlocking`	podman	`needs_internet`, `needs_podman`
`test_https_blocked_after_ruleset`	`TestFirewallBlocking`	podman	`needs_internet`, `needs_podman`
`test_reject_is_fast_not_timeout`	`TestFirewallBlocking`	podman	`needs_internet`, `needs_podman`
`test_rfc1918_still_blocked_when_not_whitelisted`	`TestFirewallBlocking`	podman	`needs_internet`, `needs_podman`
`test_ipv6_dns_blocked`	`TestFirewallBlockingIPv6`	podman	`needs_internet`, `needs_podman`
`test_ipv6_http_blocked`	`TestFirewallBlockingIPv6`	podman	`needs_internet`, `needs_podman`
`test_ipv6_https_blocked`	`TestFirewallBlockingIPv6`	podman	`needs_internet`, `needs_podman`
`test_ipv6_icmp_blocked`	`TestFirewallBlockingIPv6`	podman	`needs_internet`, `needs_podman`
`test_ipv6_ruleset_has_dual_stack_sets`	`TestFirewallBlockingIPv6`	podman	`needs_internet`, `needs_podman`
`test_open_port_on_localhost`	`TestProbeRealSocket`	host	`needs_host_features`
`test_port_unreachable_on_localhost`	`TestProbeRealSocket`	host	`needs_host_features`
`test_admin_prohibited_detected`	`TestShieldProbe`	podman	`needs_internet`, `needs_podman`
`test_allowed_ip_is_open`	`TestShieldProbe`	podman	`needs_internet`, `needs_podman`

`bypass/`¶

Tests for the manual bypass toggle that temporarily switches a container from deny-all to accept-all+log mode for traffic discovery. ## Stories | File | What it tests | |------|---------------| | test_state.py | shield_state() detection: UP, DOWN, DOWN_ALL, INACTIVE | | test_traffic.py | Network behavior in bypass: traffic flows, RFC1918 protection, IPv6 drop | | test_cli.py | CLI down, up, rules --state, preview --down commands | | test_lifecycle.py | Full E2E lifecycle: state transitions, idempotency, IP restoration, audit trail |

Test	Class	CI Tier	Markers
`test_cli_down`	`TestBypassCLI`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_cli_down_all`	`TestBypassCLI`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_cli_down_then_traffic`	`TestBypassCLI`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_cli_rules_shows_state`	`TestBypassCLI`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_cli_up`	`TestBypassCLI`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_preview_all_without_down_fails`	`TestBypassPreviewCLI`	host	`needs_host_features`
`test_preview_down`	`TestBypassPreviewCLI`	host	`needs_host_features`
`test_preview_down_all`	`TestBypassPreviewCLI`	host	`needs_host_features`
`test_down_all_logs_detail`	`TestBypassAuditTrail`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_down_up_audit_events`	`TestBypassAuditTrail`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_up_down_all_up_cycle`	`TestBypassBasicLifecycle`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_up_down_up_cycle`	`TestBypassBasicLifecycle`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_allow_before_and_after_bypass`	`TestBypassFullE2E`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_discovery_workflow`	`TestBypassFullE2E`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_rapid_toggle`	`TestBypassFullE2E`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_cached_ips_restored_on_shield_up`	`TestBypassIPRestoration`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_down_twice_stays_down`	`TestBypassIdempotency`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_up_twice_stays_up`	`TestBypassIdempotency`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_up_without_prior_down`	`TestBypassIdempotency`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_down_all_to_down`	`TestBypassModeSwitch`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_down_to_down_all`	`TestBypassModeSwitch`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_allow_during_bypass_persists_via_live_allowed`	`TestBypassWithAllowDeny`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_deny_during_bypass_has_no_traffic_effect`	`TestBypassWithAllowDeny`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_state_down_after_shield_down`	`TestShieldState`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_state_down_all_after_shield_down_all`	`TestShieldState`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_state_up_after_setup`	`TestShieldState`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_state_up_after_shield_up`	`TestShieldState`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_state_inactive_for_bare_container`	`TestShieldStateInactive`	podman	`needs_podman`
`test_state_inactive_for_stopped_container`	`TestShieldStateInactive`	podman	`needs_podman`
`test_ipv6_private_rules_absent_in_allow_all_bypass`	`TestBypassIPv6Private`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_ipv6_private_rules_present_in_default_bypass`	`TestBypassIPv6Private`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_rfc1918_reject_is_fast_in_bypass`	`TestBypassRFC1918`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_rfc1918_rules_absent_in_allow_all_bypass`	`TestBypassRFC1918`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_rfc1918_rules_present_in_default_bypass`	`TestBypassRFC1918`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_bypass_ruleset_has_accept_policy`	`TestBypassRuleset`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_bypass_ruleset_has_log_prefix`	`TestBypassRuleset`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_allowed_target_reachable_in_bypass`	`TestBypassTrafficAllowed`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_dns_blocked_again_after_up`	`TestBypassTrafficDNS`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_dns_connectable_in_bypass`	`TestBypassTrafficDNS`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_http_blocked_again_after_up`	`TestBypassTrafficHTTP`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_http_reachable_in_bypass`	`TestBypassTrafficHTTP`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_https_blocked_again_after_up`	`TestBypassTrafficHTTPS`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_https_reachable_in_bypass`	`TestBypassTrafficHTTPS`	podman	`needs_hooks`, `needs_internet`, `needs_podman`

`cli/`¶

Tests for CLI parsing and help output that don't require containers or network access.

Test	Class	CI Tier	Markers
`test_cli_no_args_exits_zero`	`TestCLIHelp`	host	`needs_host_features`

`dns/`¶

Tests for DNS resolution: live dig resolution, resolve-and-cache pipeline, shield_resolve() API, CLI resolve, and the full profile → DNS → cache pipeline.

Test	Class	CI Tier	Markers
`test_cli_resolve`	`TestCLIResolve`	network	`needs_internet`
`test_resolve_creates_cache`	`TestShieldResolve`	network	`needs_internet`
`test_resolve_force_bypasses_cache`	`TestShieldResolve`	network	`needs_internet`
`test_resolve_returns_ips`	`TestShieldResolve`	network	`needs_internet`
`test_check_environment_reports_tier`	`TestDnsTierDetection`	podman	`needs_podman`
`test_detect_tier_matches_host`	`TestDnsTierDetection`	podman	`needs_podman`
`test_config_written_to_state_dir`	`TestDnsmasqConfigGeneration`	host
`test_generate_config_with_real_domains`	`TestDnsmasqConfigGeneration`	host
`test_nftset_entry_format`	`TestDnsmasqConfigGeneration`	host
`test_allowed_domain_resolves_and_is_reachable`	`TestDnsmasqInContainer`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_blocked_target_is_denied`	`TestDnsmasqInContainer`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_dnsmasq_config_exists`	`TestDnsmasqInContainer`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_dnsmasq_pid_file_exists`	`TestDnsmasqInContainer`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_nft_sets_have_timeout`	`TestDnsmasqInContainer`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_poststop_kills_dnsmasq`	`TestDnsmasqInContainer`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_resolv_conf_points_to_dnsmasq`	`TestDnsmasqInContainer`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_upstream_dns_persisted`	`TestDnsmasqInContainer`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_pre_start_without_dnsmasq`	`TestGracefulDegradation`	podman	`needs_internet`, `needs_podman`
`test_allow_domain_populates_nft_set`	`TestLiveDomainAllowDeny`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_allow_domain_updates_live_domains`	`TestLiveDomainAllowDeny`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_deny_domain_adds_to_denied_domains`	`TestLiveDomainAllowDeny`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_pre_start_mounts_resolv_conf`	`TestPreStartDnsmasqTier`	podman	`needs_podman`
`test_pre_start_sets_dns_tier_annotation`	`TestPreStartDnsmasqTier`	podman	`needs_podman`
`test_pre_start_writes_profile_domains`	`TestPreStartDnsmasqTier`	podman	`needs_podman`
`test_dnsmasq_restarts_cleanly_on_reuse`	`TestRestartWithReusedStateDir`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_base_profile_resolves`	`TestProfileResolvePipeline`	network	`needs_internet`
`test_dev_standard_resolves_github`	`TestProfileResolvePipeline`	network	`needs_internet`
`test_user_profile_override`	`TestProfileResolvePipeline`	network	`needs_internet`
`test_cache_roundtrip`	`TestResolveAndCacheLive`	network	`needs_internet`
`test_mixed_entries`	`TestResolveAndCacheLive`	network	`needs_internet`
`test_multiple_domains`	`TestResolveLive`	network	`needs_internet`
`test_resolves_known_domain`	`TestResolveLive`	network	`needs_internet`
`test_unresolvable_domain_returns_empty`	`TestResolveLive`	network	`needs_internet`

`launch/`¶

Tests for the container launch workflow: shield_pre_start, nft ruleset application via nsenter, apply_hook, and hook_main end-to-end.

Test	Class	CI Tier	Markers
`test_full_story_hook_applies_ruleset_and_discovers_gateway`	`TestHookEntrypointStory`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_hook_entrypoint_is_stdlib_only`	`TestHookEntrypointStory`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_pre_start_writes_ruleset_nft`	`TestHookEntrypointStory`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_full_lifecycle`	`TestAPILifecycle`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_apply_and_list`	`TestHookApply`	podman	`needs_podman`
`test_flush_and_reapply`	`TestHookApply`	podman	`needs_podman`
`test_policy_drop_enforced`	`TestHookApply`	podman	`needs_podman`
`test_rfc1918_blocked`	`TestHookApply`	podman	`needs_podman`
`test_verify_applied_ruleset`	`TestHookApply`	podman	`needs_podman`
`test_firewall_applied_via_hook`	`TestFirewallApplied`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_pre_start_resolves_dns`	`TestShieldPreStart`	podman	`needs_internet`, `needs_podman`
`test_pre_start_returns_podman_args`	`TestShieldPreStart`	podman	`needs_internet`, `needs_podman`
`test_shield_lifecycle_with_restart`	`TestRestartPersistence`	podman	`needs_hooks`, `needs_podman`

`observability/`¶

Tests for status, rules inspection, audit logging, and log viewing via both the public API and CLI.

Test	Class	CI Tier	Markers
`test_jsonl_format`	`TestAuditLive`	host	`needs_host_features`
`test_log_and_tail`	`TestAuditLive`	host	`needs_host_features`
`test_tail_empty_returns_no_events`	`TestAuditLive`	host	`needs_host_features`
`test_cli_logs`	`TestLogsCLI`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_shield_rules_returns_ruleset`	`TestRulesAPI`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_rules_contain_bypass_prefix`	`TestRulesBypassAPI`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_rules_restored_after_up`	`TestRulesBypassAPI`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_cli_rules`	`TestRulesCLI`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_cli_rules_shows_state_down`	`TestRulesCLI`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_cli_rules_shows_state_up`	`TestRulesCLI`	podman	`needs_hooks`, `needs_internet`, `needs_podman`
`test_cli_status`	`TestCLIStatus`	host	`needs_host_features`
`test_status_returns_dict`	`TestShieldStatus`	host	`needs_host_features`

`safety/`¶

Tests for fail-closed error paths: CLI error handling when containers are missing or unreachable.

Test	Class	CI Tier	Markers
`test_cli_allow_bad_container`	`TestCLIErrors`	podman	`needs_podman`
`test_cli_down_bad_container`	`TestCLIErrors`	podman	`needs_podman`
`test_cli_up_bad_container`	`TestCLIErrors`	podman	`needs_podman`

`setup/`¶

Tests for hook installation, config path resolution, profile loading, and auto-detection. Covers the initial setup workflow before any container is started.

Test	Class	CI Tier	Markers
`test_at_least_hook_with_nft`	`TestAutoDetect`	podman	`needs_podman`
`test_returns_valid_mode`	`TestAutoDetect`	podman	`needs_podman`
`test_config_root_with_xdg`	`TestPathResolution`	host	`needs_host_features`
`test_ensure_state_dirs_creates_tree`	`TestPathResolution`	host	`needs_host_features`
`test_explicit_overrides_xdg`	`TestPathResolution`	host	`needs_host_features`
`test_state_root_with_xdg`	`TestPathResolution`	host	`needs_host_features`
`test_has_global_hooks_after_setup`	`TestGlobalHooksSetup`	host	`needs_host_features`
`test_setup_idempotent`	`TestGlobalHooksSetup`	host	`needs_host_features`
`test_setup_user_hooks`	`TestGlobalHooksSetup`	host	`needs_host_features`
`test_pre_start_raises_shield_needs_setup`	`TestHooklessErrorPath`	podman	`needs_podman`
`test_check_environment_returns_valid_result`	`TestPodmanInfoDetection`	host	`needs_host_features`
`test_hooks_dir_detection`	`TestPodmanInfoDetection`	host	`needs_host_features`
`test_parse_real_podman_info`	`TestPodmanInfoDetection`	host	`needs_host_features`
`test_result_is_stable`	`TestFindNft`	host	`needs_host_features`
`test_returned_path_is_executable`	`TestFindNft`	host	`needs_host_features`
`test_returns_absolute_path`	`TestFindNft`	host	`needs_host_features`
`test_pre_start_creates_hook_files`	`TestHookInstall`	podman	`needs_podman`
`test_pre_start_idempotent`	`TestHookInstall`	podman	`needs_podman`
`test_all_bundled_profiles_load`	`TestProfilesLive`	host	`needs_host_features`
`test_base_profile_entries`	`TestProfilesLive`	host	`needs_host_features`
`test_compose_deduplicates`	`TestProfilesLive`	host	`needs_host_features`

Integration Test Map¶

allow_deny/¶

blocking/¶

bypass/¶

cli/¶

dns/¶

launch/¶

observability/¶

safety/¶

setup/¶