Wire integration tests into CI and add DinD sidecar

[james-in-a-box]

Summary

Wire full-stack integration tests into CI and add DinD sidecar support so
egg's own tester agent can run integration tests during the SDLC pipeline.

Phase 1 — CI integration: Add pull_request triggers to lint.yml,
test.yml, and test-integration.yml so all 91+ integration tests, unit
tests, and linting gate every PR. Fix test-integration.yml to build both
gateway and orchestrator images. Add concurrency groups and path filters
to avoid redundant runs.

Phase 2 — DinD sidecar: Add orchestrator/dind_manager.py with full
Docker-in-Docker lifecycle management (start, health check, image pre-load
via docker save | docker load, teardown). Modify container_spawner.py
and multi_agent.py to provision a DinD sidecar for tester agents when
integration_test_enabled is set, injecting DOCKER_HOST so the existing
integration tests work unmodified inside the sandbox.

Safety controls: 10-minute auto-kill watchdog on privileged DinD
containers. Structured exception handling ensures DinD cleanup on all error
paths (including GatewayError). Removed integration tests from autofix
watcher since Docker/compose failures are not autofix-able.

Test coverage: ~2,400 lines of new tests across 7 test files covering
DinD manager lifecycle, spawner DinD integration, multi-agent DinD
propagation, end-to-end DinD integration, and tester gap scenarios.

Documentation: New docs/guides/testing.md covering CI pipeline, local
testing, and DinD architecture. Updated CONTRIBUTING.md, STRUCTURE.md,
orchestrator/README.md, and docs/index.md.

Closes #647

Issue: #647

Test plan:

• Verify lint.yml, test.yml, and test-integration.yml trigger on PR events
• Run pytest orchestrator/tests/test_dind_manager.py — 24 unit tests pass
• Run pytest orchestrator/tests/test_container_spawner_dind.py — spawner DinD tests pass
• Run pytest orchestrator/tests/test_multi_agent_dind.py — multi-agent DinD tests pass
• Run pytest orchestrator/tests/test_tester_gaps.py — tester gap tests pass
• Confirm DinD watchdog triggers after timeout in test_dind_manager_gaps.py
• Review docs/guides/testing.md for accuracy

Authored-by: egg

[james-in-a-box]

Autofix: CI check failures resolved

Pushed 3 commits to fix all auto-fixable check failures:

Fixed: Mypy (Python lint)

• Added [[tool.mypy.overrides]] for egg_contracts.tests.* in pyproject.toml — these test files were never covered by the existing test overrides, causing 100+ no-untyped-def and arg-type errors
• Fixed plan_parser.py:106 — variable type narrowing issue after isinstance check
• Fixed dependency_graph.py:400 — added missing type parameter (list → list[Any])
• Fixed checkpoint_cli.py:108 — explicit type annotation to avoid no-any-return
• Fixed checkpoint_cli.py:481 — removed unused type: ignore comment
• Fixed gateway.py:1178 — added None guard for session.pipeline_id
• Fixed gateway.py:1830 — added str | None type annotation for checkpoint_id
• Fixed gateway.py:1878 — intermediate variable to avoid no-any-return

Fixed: Shellcheck (Shell lint)

• Removed unused CURRENT_SHA variable in create-release.sh (SC2034)
• Replaced single-item for loop with direct if in orchestrator/entrypoint.sh (SC2043)

Fixed: Actionlint (Actions lint)

• Added # shellcheck disable=SC2129 in on-review-feedback.yml and release-images.yml — the multiple echo >> $GITHUB_OUTPUT pattern is idiomatic GHA

Fixed: Custom Checks (hardcoded-ports)

• Added allowlist entries in check-hardcoded-ports.py for orchestrator, sandbox CLI, integration test compose files, and test fixtures that legitimately use port constants

Fixed: Unit Tests (test_models.py)

• Updated test_all_roles to include AgentRole.INSPECTOR and expect 16 roles instead of 15

Not fixed (pre-existing, not introduced by this PR)

These failures exist on main and were newly surfaced by adding pull_request triggers to lint.yml and test.yml:

• tests/scripts/test_checks.py — ModuleNotFoundError: No module named 'checks.base' — namespace collision between scripts/checks/ directory and a checks module at the top-level PYTHONPATH. Needs investigation into the test module structure.
• tests/sandbox/test_entrypoint.py — FileNotFoundError: /home/egg — tests assume the sandbox /home/egg directory exists, which CI runners don't have.
• orchestrator/tests/test_docker_client.py — Docker client tests assume no Docker daemon is available, but CI runners have Docker installed.

These are environment-dependent test issues that predate this PR.

— Authored by egg

[james-in-a-box]

Conflict Resolution Summary

Resolved merge conflicts with main:

File	Category	Resolution
.github/workflows/release-images.yml	Semantic (bugfix)	Took main's version — adds && -n "${MAJOR:-}" guard to prevent using unset MAJOR variable
gateway/gateway.py (line 1835)	Formatting	Kept PR's comment # guaranteed by the early return above on assert
gateway/gateway.py (line 1884)	Formatting	Took main's return str(session.last_repo_path) — more concise, same behavior
orchestrator/entrypoint.sh	Formatting	Kept PR's plural "mount points" in comment (multiple mount points are chowned below)
orchestrator/tests/test_models.py	Additive (dedup)	Removed duplicate assert AgentRole.INSPECTOR in roles (already asserted 6 lines above)
pyproject.toml	Additive	Included both sides' mypy overrides for egg_contracts.tests.*: PR's disallow_incomplete_defs/disable_error_code + main's ignore_missing_imports/follow_untyped_imports
scripts/check-hardcoded-ports.py	Additive (superset)	Kept PR's broader "tests/shared/" allowlist entry (covers main's two specific file entries)
shared/egg_contracts/dependency_graph.py	Semantic (type safety)	Took main's list[Phase] type annotation over PR's list[Any]; removed unused Any import
shared/egg_contracts/plan_parser.py	Semantic (completeness)	Took main's version which handles both str and list[str] dependency formats

Additional fix

orchestrator/tests/test_tester_gaps.py: Updated test_autofix_watcher_does_not_include_integration_tests → test_autofix_watcher_includes_integration_tests because main intentionally added "Integration Tests" to on-check-failure.yml autofix triggers (PR #882). The original test asserted the opposite.

Verification

• make lint — all checks pass
• make test — 6754 passed, 85 skipped, 0 failures

Please review: The plan_parser.py and dependency_graph.py resolutions chose main's versions for better type safety and completeness. The pyproject.toml resolution includes both sides' mypy settings which should be compatible.

— Authored by egg

[jwbron]

Pull in main and ensure the new integration test check has an autofixer like what was added in the last commit to main

[james-in-a-box]

Autofix tracking

{}

[james-in-a-box]

egg is investigating the Integration Tests check failure...

• Integration Tests

[james-in-a-box]

egg check fixer completed for Integration Tests. CI will re-run to verify. View run logs

— Authored by egg