Move require_run_user to lib.rs and make blacklist module private

tests/integration.rs

@@ -1,7 +1,6 @@
 use std::fs;
 use std::process::Command;
 
-use agent_sandbox::blacklist;
 use tempfile::TempDir;
 
 fn sandbox(extra_args: &[&str]) -> Command {
@@ -391,8 +390,8 @@ fn blacklist_run_dbus_socket_accessible() {
 
 #[test]
 fn blacklist_runuser_is_tmpfs() {
-    let ctx = blacklist::resolve_path_context().expect("failed to resolve path context");
-    let script = format!("ls -A {} | grep -v '^bus$'", ctx.run_user);
+    let run_user = agent_sandbox::require_run_user().expect("failed to determine XDG_RUNTIME_DIR");
+    let script = format!("ls -A {} | grep -v '^bus$'", run_user);
 
     let output = sandbox(&[])
         .args(["--", "bash", "-c", &script])
@@ -403,7 +402,7 @@ fn blacklist_runuser_is_tmpfs() {
     assert!(
         stdout.is_empty(),
         "expected only 'bus' (or empty) in {}, got unexpected entries: {stdout}",
-        ctx.run_user
+        run_user
     );
 }