2e2d069530
Two diagnostics-and-confidence follow-ups to the loader-init-container pattern. 1) DockerRuntimeOrchestrator now captures the loader's last 50 lines of stdout/stderr (capped at 4096 chars, 5s timeout) before the finally-remove and appends them to the thrown RuntimeException as `. loader output: <text>`. Best-effort: log-capture failures are swallowed and never mask the original exit. Closes the visibility gap that turned a simple "wget: Permission denied" into the opaque "Loader exited 1". 2) New LoaderHardeningIT spins up a Testcontainers nginx serving a 1KB fixture, builds the loader image fresh from cameleer-runtime-loader/, and runs it under the exact baseHardenedHostConfig() shape (cap_drop ALL, readonly rootfs, /tmp tmpfs, no-new-privileges, apparmor=docker-default, pids=512) bound to a fresh named volume RW at /app/jars. Asserts exit 0. This would have caught the volume-permission regression in CI. GenericContainer + OneShotStartupCheckStrategy is used instead of raw docker-java waitContainerCmd because docker-java's unshaded api version in this project's pom and testcontainers' shaded copy disagree on WaitContainerCmd.getCondition() — going through GenericContainer keeps the call inside testcontainers' shaded executor. Rules doc updated to point at the captured-output behaviour and the IT. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>