chore(testbed): make smoke_edns.sh self-contained + verified end-to-end

- Pre-install tcpdump in agents/Dockerfile so smoke_edns.sh doesn't need
  external network access at runtime (the testbed agent containers are
  intentionally pinned to the internal DNS topology with no upstream
  resolver, so apt-get install at smoke time can't fetch packages).
- Update the smoke_edns.sh probe call to use the new v2 CLI flags
  (--realm / --transport / --min-trust / --intent-class / --parallelism
   / --deadline-ms), matching the two-axis selector taxonomy.
- Tighten the result-check shell logic so `set -euo pipefail` doesn't bail
  early when grep doesn't find the marker on a real failure.

End-to-end verified locally against bind-orga (stock BIND9 9.20). The
agent-hint OPT record (code 0xff96 = 65430) reaches the authoritative on
all three discovery query paths — index TXT, SVCB, capabilities TXT — and
the wire payload matches the design doc bit-for-bit:

  0xff96 (option-code)  0x002b (length=43)
  0x00 (VERSION) 0x06 (SELECTOR-COUNT)
  01 04 "prod"        realm
  02 03 "mcp"         transport
  04 06 "signed"      min_trust
  10 0a "invocation"  client_intent_class
  12 01 "4"           parallelism
  13 05 "30000"       deadline_ms

Stock BIND9 returns the answer set without an AgentHintEcho — correct
behaviour for an inert-to-the-option authoritative, and the client's
"no upstream filtering happened" fallback path engages cleanly.

Signed-off-by: Layer8 <NWillAU900@gmail.com>

Author: nicknacnic

tests/testbed/agents/Dockerfile

@@ -3,6 +3,7 @@ FROM python:3.12-slim@sha256:ec948fa5f90f4f8907e89f4800cfd2d2e91e391a4bce4a6afa7
 RUN apt-get update && apt-get install -y --no-install-recommends \
     dnsutils \
     curl \
+    tcpdump \
     && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /app

tests/testbed/smoke_edns.sh

@@ -26,33 +26,37 @@ docker compose ps --status running | grep -q bind-orga || docker compose up -d b
 
 echo
 echo "--- [2] Start tcpdump on agent-a (background) ---"
-# 0xff96 in hex == 65430 decimal == AGENT_HINT_OPTION_CODE
-# Capturing for 5 seconds is plenty to see two probe calls.
+# 0xff96 in hex == 65430 decimal == AGENT_HINT_OPTION_CODE.
+# Capturing 20 packets is plenty to see one probe call's worth of queries.
+# tcpdump is pre-installed by the agent Dockerfile.
 docker exec -d agent-a bash -c \
-  'apt-get install -y -q tcpdump 2>/dev/null || true; tcpdump -i any -nn -X -c 20 host 172.28.0.10 and port 53 > /tmp/edns_capture.txt 2>&1 &'
+  'tcpdump -i any -nn -X -c 20 host 172.28.0.10 and port 53 > /tmp/edns_capture.txt 2>&1'
 sleep 1
 
 echo
 echo "--- [3] Run edns-probe with experimental flag on ---"
 docker exec -e DNS_AID_EXPERIMENTAL_EDNS_HINTS=1 agent-a \
   dns-aid edns-probe orga.test \
-  --capabilities=chat,code \
-  --intent=summarize \
-  --transport=mcp \
-  --auth-type=bearer \
+  --realm prod \
+  --transport mcp \
+  --min-trust signed \
+  --intent-class invocation \
+  --parallelism 4 \
+  --deadline-ms 30000 \
   --show-wire
 
 echo
 echo "--- [4] Capture results ---"
 sleep 2
-docker exec agent-a cat /tmp/edns_capture.txt 2>/dev/null | head -80 || \
-  echo "  (tcpdump may not have been installed; install it inside the agent-a container manually)"
+docker exec agent-a cat /tmp/edns_capture.txt 2>/dev/null | head -80 || true
 
 echo
 echo "--- [5] Look for the agent-hint option code (0xff96) in the capture ---"
-docker exec agent-a grep -i "ff96\|ff 96" /tmp/edns_capture.txt 2>/dev/null && \
-  echo "  ✓ agent-hint option code 0xff96 (=65430) appeared on the wire" || \
+if docker exec agent-a grep -qi "ff96\|ff 96" /tmp/edns_capture.txt; then
+  echo "  ✓ agent-hint option code 0xff96 (=65430) appeared on the wire"
+else
   echo "  ✗ option code not found in capture — feature flag set? tcpdump captured the right packets?"
+fi
 
 echo
 echo "=== smoke_edns.sh complete ==="