feat: add e2e container test harness

Implements spec docs/specs/2026-03-30-e2e-container-tests.md:
- 5 Containerfiles (ubuntu, debian, fedora, alpine, arch)
- test/e2e.sh runner with --runtime, --rebuild, single-distro mode
- tmux-based interactive tests (full accept, safety gate decline,
  signing generate, signing skip)
- All scripts pass shellcheck

Closes: #18, #19, #20

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

test/interactive/helpers.sh

@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+# Shared helpers for interactive tmux-driven tests
+
+set -o errexit
+set -o nounset
+set -o pipefail
+IFS=$'\n\t'
+
+readonly TMUX_SESSION="test"
+readonly SCRIPT_PATH="${HOME}/git-harden.sh"
+
+# Colors
+if [ -t 2 ]; then
+    readonly C_RED='\033[0;31m'
+    readonly C_GREEN='\033[0;32m'
+    readonly C_RESET='\033[0m'
+else
+    readonly C_RED=''
+    readonly C_GREEN=''
+    readonly C_RESET=''
+fi
+
+# Wait for a string to appear in the tmux pane.
+# Polls every 0.2s, times out after $2 seconds (default 10).
+wait_for() {
+    local pattern="$1"
+    local timeout="${2:-10}"
+    local elapsed=0
+    while ! tmux capture-pane -t "$TMUX_SESSION" -p | grep -qF "$pattern"; do
+        sleep 0.2
+        elapsed=$(( elapsed + 1 ))
+        if (( elapsed > timeout * 5 )); then
+            printf 'TIMEOUT waiting for: %s\n' "$pattern" >&2
+            printf 'Current pane content:\n' >&2
+            tmux capture-pane -t "$TMUX_SESSION" -p >&2
+            return 1
+        fi
+    done
+}
+
+# Send keys to the tmux session
+send() {
+    tmux send-keys -t "$TMUX_SESSION" "$@"
+}
+
+# Start git-harden.sh in a tmux session
+start_session() {
+    tmux kill-session -t "$TMUX_SESSION" 2>/dev/null || true
+    tmux new-session -d -s "$TMUX_SESSION" "bash ${SCRIPT_PATH}"
+}
+
+# Wait for the script to exit and capture final output
+capture_output() {
+    # Wait for the shell to become available (script exited)
+    local timeout=30
+    local elapsed=0
+    while tmux list-panes -t "$TMUX_SESSION" -F '#{pane_dead}' 2>/dev/null | grep -q '^0$'; do
+        sleep 0.5
+        elapsed=$(( elapsed + 1 ))
+        if (( elapsed > timeout * 2 )); then
+            printf 'TIMEOUT waiting for script to exit\n' >&2
+            tmux capture-pane -t "$TMUX_SESSION" -p >&2
+            return 1
+        fi
+    done
+    tmux capture-pane -t "$TMUX_SESSION" -p
+}
+
+# Clean up
+cleanup() {
+    tmux kill-session -t "$TMUX_SESSION" 2>/dev/null || true
+}
+
+# Assert helper
+assert_contains() {
+    local haystack="$1"
+    local needle="$2"
+    if printf '%s' "$haystack" | grep -qF "$needle"; then
+        return 0
+    fi
+    printf '%bFAIL:%b expected output to contain: %s\n' "$C_RED" "$C_RESET" "$needle" >&2
+    return 1
+}
+
+pass() {
+    printf '%b  PASS:%b %s\n' "$C_GREEN" "$C_RESET" "$1" >&2
+}
+
+fail() {
+    printf '%b  FAIL:%b %s\n' "$C_RED" "$C_RESET" "$1" >&2
+}

test/interactive/run-all.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+# Run all interactive tmux-driven tests
+# Intended to be run inside a container (with tmux installed)
+
+set -o nounset
+set -o pipefail
+IFS=$'\n\t'
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+
+passed=0
+failed=0
+total=0
+
+for test_script in "${SCRIPT_DIR}"/test-*.sh; do
+    [ -f "$test_script" ] || continue
+    total=$((total + 1))
+    printf '\n── %s ──\n' "$(basename "$test_script")" >&2
+    if bash "$test_script"; then
+        passed=$((passed + 1))
+    else
+        failed=$((failed + 1))
+    fi
+done
+
+printf '\n── Interactive tests: %d passed, %d failed, %d total ──\n' "$passed" "$failed" "$total" >&2
+
+if [ "$failed" -gt 0 ]; then
+    exit 1
+fi

test/interactive/test-full-accept.sh

@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+# Interactive test: accept all prompts (safety gate + hardening + signing skip)
+# Verifies: all settings applied, re-audit exits 0
+
+set -o errexit
+set -o nounset
+set -o pipefail
+IFS=$'\n\t'
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+# shellcheck source=helpers.sh
+source "${SCRIPT_DIR}/helpers.sh"
+
+main() {
+    trap cleanup EXIT
+
+    printf 'Test: Full interactive apply (accept all)\n' >&2
+
+    start_session
+
+    # Safety review gate — answer yes
+    wait_for "reviewed this script"
+    send "y" Enter
+
+    # Proceed with hardening — answer yes
+    wait_for "Proceed with hardening"
+    send "y" Enter
+
+    # Accept each setting prompt by sending "y" + Enter repeatedly
+    local pane_content
+    for _ in $(seq 1 30); do
+        sleep 0.3
+        pane_content="$(tmux capture-pane -t "$TMUX_SESSION" -p 2>/dev/null || true)"
+        if printf '%s' "$pane_content" | grep -qF "Signing key options"; then
+            break
+        fi
+        if printf '%s' "$pane_content" | grep -qF "Hardening complete"; then
+            break
+        fi
+        send "y" Enter
+    done
+
+    # Signing wizard — skip
+    wait_for "Signing key options" 15
+    send "s" Enter
+
+    # Wait for completion
+    sleep 2
+    capture_output >/dev/null 2>&1 || true
+
+    # Verify: re-run audit — signing won't pass (skipped) but git config should
+    if git config --global --get transfer.fsckObjects | grep -q true; then
+        pass "Full accept: git config settings applied (signing skipped as expected)"
+    else
+        fail "Full accept: settings not applied"
+        exit 1
+    fi
+}
+
+main

test/interactive/test-safety-gate-decline.sh

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+# Interactive test: decline safety review gate
+# Verifies: script exits 0, prints AI review instructions, no config changes
+
+set -o errexit
+set -o nounset
+set -o pipefail
+IFS=$'\n\t'
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+# shellcheck source=helpers.sh
+source "${SCRIPT_DIR}/helpers.sh"
+
+main() {
+    trap cleanup EXIT
+
+    printf 'Test: Safety gate decline\n' >&2
+
+    # Snapshot current config
+    local config_before
+    config_before="$(git config --global --list 2>/dev/null || true)"
+
+    start_session
+
+    # Safety review gate — answer no (default)
+    wait_for "reviewed this script"
+    send "n" Enter
+
+    # Wait for exit
+    sleep 2
+    local output
+    output="$(capture_output)"
+
+    # Verify: output contains AI review instructions
+    assert_contains "$output" "claude"
+    assert_contains "$output" "gemini"
+
+    # Verify: no config changes
+    local config_after
+    config_after="$(git config --global --list 2>/dev/null || true)"
+    if [ "$config_before" = "$config_after" ]; then
+        pass "Safety gate decline: no config changes, instructions shown"
+    else
+        fail "Safety gate decline: config was modified"
+        exit 1
+    fi
+}
+
+main

test/interactive/test-signing-generate.sh

@@ -0,0 +1,89 @@
+#!/usr/bin/env bash
+# Interactive test: generate ed25519 key via signing wizard
+# Verifies: key created, user.signingkey configured, commit.gpgsign=true
+
+set -o errexit
+set -o nounset
+set -o pipefail
+IFS=$'\n\t'
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+# shellcheck source=helpers.sh
+source "${SCRIPT_DIR}/helpers.sh"
+
+main() {
+    trap cleanup EXIT
+
+    printf 'Test: Signing wizard - generate ed25519 key\n' >&2
+
+    # Ensure no existing keys
+    rm -f "${HOME}/.ssh/id_ed25519" "${HOME}/.ssh/id_ed25519.pub"
+
+    start_session
+
+    # Safety review gate
+    wait_for "reviewed this script"
+    send "y" Enter
+
+    # Proceed with hardening
+    wait_for "Proceed with hardening"
+    send "y" Enter
+
+    # Accept settings until signing wizard
+    local pane_content
+    for _ in $(seq 1 30); do
+        sleep 0.3
+        pane_content="$(tmux capture-pane -t "$TMUX_SESSION" -p 2>/dev/null || true)"
+        if printf '%s' "$pane_content" | grep -qF "Signing key options"; then
+            break
+        fi
+        if printf '%s' "$pane_content" | grep -qF "Hardening complete"; then
+            break
+        fi
+        send "y" Enter
+    done
+
+    # Signing wizard — option 1: generate ed25519
+    wait_for "Signing key options" 15
+    send "1" Enter
+
+    # ssh-keygen prompts for passphrase — enter empty twice
+    wait_for "Enter passphrase" 10
+    send "" Enter
+    wait_for "Enter same passphrase" 10
+    send "" Enter
+
+    # Wait for completion
+    sleep 3
+    capture_output >/dev/null 2>&1 || true
+
+    # Verify key exists
+    if [ -f "${HOME}/.ssh/id_ed25519.pub" ]; then
+        pass "Key generated: ~/.ssh/id_ed25519.pub exists"
+    else
+        fail "Key not generated"
+        exit 1
+    fi
+
+    # Verify signing key configured
+    local signing_key
+    signing_key="$(git config --global --get user.signingkey 2>/dev/null || true)"
+    if [ -n "$signing_key" ]; then
+        pass "user.signingkey configured: ${signing_key}"
+    else
+        fail "user.signingkey not configured"
+        exit 1
+    fi
+
+    # Verify gpgsign enabled
+    local gpgsign
+    gpgsign="$(git config --global --get commit.gpgsign 2>/dev/null || true)"
+    if [ "$gpgsign" = "true" ]; then
+        pass "commit.gpgsign=true"
+    else
+        fail "commit.gpgsign not set"
+        exit 1
+    fi
+}
+
+main

test/interactive/test-signing-skip.sh

@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+# Interactive test: skip signing wizard
+# Verifies: no signing key configured, commit.gpgsign not set
+
+set -o errexit
+set -o nounset
+set -o pipefail
+IFS=$'\n\t'
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+# shellcheck source=helpers.sh
+source "${SCRIPT_DIR}/helpers.sh"
+
+main() {
+    trap cleanup EXIT
+
+    printf 'Test: Signing wizard - skip\n' >&2
+
+    start_session
+
+    # Safety review gate
+    wait_for "reviewed this script"
+    send "y" Enter
+
+    # Proceed with hardening
+    wait_for "Proceed with hardening"
+    send "y" Enter
+
+    # Accept settings until signing wizard
+    local pane_content
+    for _ in $(seq 1 30); do
+        sleep 0.3
+        pane_content="$(tmux capture-pane -t "$TMUX_SESSION" -p 2>/dev/null || true)"
+        if printf '%s' "$pane_content" | grep -qF "Signing key options"; then
+            break
+        fi
+        if printf '%s' "$pane_content" | grep -qF "Hardening complete"; then
+            break
+        fi
+        send "y" Enter
+    done
+
+    # Signing wizard — skip
+    wait_for "Signing key options" 15
+    send "s" Enter
+
+    # Wait for completion
+    sleep 2
+    capture_output >/dev/null 2>&1 || true
+
+    # Verify: no signing key
+    local signing_key
+    signing_key="$(git config --global --get user.signingkey 2>/dev/null || true)"
+    if [ -z "$signing_key" ]; then
+        pass "Signing skip: user.signingkey not set"
+    else
+        fail "Signing skip: user.signingkey was set unexpectedly: ${signing_key}"
+        exit 1
+    fi
+
+    # Verify: commit.gpgsign not set
+    local gpgsign
+    gpgsign="$(git config --global --get commit.gpgsign 2>/dev/null || true)"
+    if [ -z "$gpgsign" ]; then
+        pass "Signing skip: commit.gpgsign not set"
+    else
+        fail "Signing skip: commit.gpgsign was set unexpectedly: ${gpgsign}"
+        exit 1
+    fi
+}
+
+main