storkit: merge 360_story_run_storkit_container_under_gvisor_runsc_runtime

server/src/rebuild.rs

@@ -189,6 +189,23 @@ mod tests {
     use crate::transport::MessageId;
     use std::sync::Mutex;
 
+    // ── AC: docker-compose.yml specifies runtime: runsc ──────────────────
+
+    // docker-compose.yml embedded at compile time for a hermetic test.
+    const DOCKER_COMPOSE_YML: &str =
+        include_str!(concat!(env!("CARGO_MANIFEST_DIR"), "/../docker/docker-compose.yml"));
+
+    /// The docker-compose.yml must opt the container into the gVisor runtime
+    /// so that all container syscalls are intercepted in userspace.
+    #[test]
+    fn docker_compose_specifies_runsc_runtime() {
+        assert!(
+            DOCKER_COMPOSE_YML.contains("runtime: runsc"),
+            "docker/docker-compose.yml must contain `runtime: runsc` \
+             to enable gVisor sandboxing"
+        );
+    }
+
     /// In-memory transport that records sent messages.
     struct CapturingTransport {
         sent: Mutex<Vec<(String, String)>>,