diff --git a/tests/integration/harness-cred-inject.test.ts b/tests/integration/harness-cred-inject.test.ts
index 7549e7c..2db107d 100644
--- a/tests/integration/harness-cred-inject.test.ts
+++ b/tests/integration/harness-cred-inject.test.ts
@@ -132,7 +132,7 @@ describe("harness cred_inject mechanism (live integration)", () => {
         // CA-bundle + echo-proxy bring-up. ~5s worst-case extra.
         const curlCmd = [
           "curl",
-          "-sf",
+          "-sSf",
           "--retry",
           "5",
           "--retry-all-errors",
diff --git a/tests/integration/openrouter-opencode-cred-inject.test.ts b/tests/integration/openrouter-opencode-cred-inject.test.ts
index fe0d033..e128271 100644
--- a/tests/integration/openrouter-opencode-cred-inject.test.ts
+++ b/tests/integration/openrouter-opencode-cred-inject.test.ts
@@ -132,7 +132,7 @@ describe("openrouter cred_inject mechanism (live integration)", () => {
         // CA-bundle + echo-proxy bring-up. ~5s worst-case extra.
         const curlCmd = [
           "curl",
-          "-sf",
+          "-sSf",
           "--retry",
           "5",
           "--retry-all-errors",
diff --git a/tests/integration/post-create-exec-proxy.test.ts b/tests/integration/post-create-exec-proxy.test.ts
index f4b6b1e..30ee10e 100644
--- a/tests/integration/post-create-exec-proxy.test.ts
+++ b/tests/integration/post-create-exec-proxy.test.ts
@@ -185,9 +185,22 @@ describe("post-create harness exec routes via proxy (openlock-hnp)", () => {
         // If openlock-hnp regressed (raw podman exec), curl would talk to
         // mock.opencode.test directly, fail DNS or be denied, and no echo
         // JSON would come back.
+        // --retry 5 + --retry-all-errors absorbs the transient TLS/recv race
+        // (curl exit 35/56) when the FIRST post-create egress beats the
+        // supervisor's CA-bundle + echo-proxy bring-up. waitForSandboxReady
+        // only proves /bin/true execs — NOT that egress is wired — so the
+        // first proxied request can still race. -S surfaces curl's real error
+        // if all retries are exhausted (so a true failure is no longer blind).
+        // Matches the sibling foreground tests (harness-cred-inject,
+        // openrouter-opencode-cred-inject). bd openlock-eh8.
         const curlArgv = [
           "curl",
-          "-sf",
+          "-sSf",
+          "--retry",
+          "5",
+          "--retry-all-errors",
+          "--retry-delay",
+          "1",
           "-H",
           "X-Original-Header: original-value",
           "https://mock.opencode.test:8443/",