1 files changed, 16 insertions, 1 deletions

diff --git a/crates/phone-opus/tests/mcp_hardening.rs b/crates/phone-opus/tests/mcp_hardening.rs
index 918c3c4..e9ee06b 100644
--- a/crates/phone-opus/tests/mcp_hardening.rs
+++ b/crates/phone-opus/tests/mcp_hardening.rs
@@ -13,6 +13,13 @@ use serde_json::{Value, json};
 use thiserror as _;
 use uuid as _;
 
+use phone_opus_test_support::PROMPT_PREFIX;
+
+mod phone_opus_test_support {
+    pub(super) const PROMPT_PREFIX: &str =
+        "You are being invoked in a read-only consultation mode by another model.";
+}
+
 type TestResult<T = ()> = Result<T, Box<dyn std::error::Error>>;
 
 fn must<T, E: std::fmt::Display, C: std::fmt::Display>(
@@ -305,6 +312,10 @@ fn consult_can_resume_a_prior_session_with_read_only_toolset_and_requested_worki
         Some(resumed_session)
     );
     assert_eq!(
+        tool_content(&consult)["prompt_prefix_injected"].as_bool(),
+        Some(true)
+    );
+    assert_eq!(
         tool_content(&consult)["cwd"].as_str(),
         Some(sandbox.display().to_string().as_str())
     );
@@ -339,7 +350,11 @@ fn consult_can_resume_a_prior_session_with_read_only_toolset_and_requested_worki
     assert!(lines.contains(&resumed_session));
     assert!(lines.contains(&"--max-turns"));
     assert!(lines.contains(&"7"));
-    assert_eq!(lines.last().copied(), Some("say oracle"));
+    assert!(args.contains(PROMPT_PREFIX));
+    assert!(args.contains("The real prompt follows."));
+    let prefix_index = must_some(args.find(PROMPT_PREFIX), "prefixed consult prompt")?;
+    let user_prompt_index = must_some(args.find("say oracle"), "user prompt inside args")?;
+    assert!(prefix_index < user_prompt_index);
 
     let telemetry = harness.call_tool(4, "telemetry_snapshot", json!({}))?;
     assert_tool_ok(&telemetry);