fix(js): update exec security test for sandbox-safe exec behavior

PR #815 made `exec cmd` run within VFS sandbox instead of blocking.
The JS security test still expected `exec ls` to fail, but `ls` is a
builtin that succeeds in the sandbox. Changed to test `exec /bin/bash`
which correctly fails (external binary not in VFS).

Author: chaliy

crates/bashkit-js/__test__/security.spec.ts

@@ -120,10 +120,11 @@ test("WB: stderr truncation on massive error output", (t) => {
 // 3. WHITE-BOX — Sandbox Escape Prevention (TM-ESC)
 // ============================================================================
 
-test("WB: exec builtin blocked (TM-ESC-001)", (t) => {
+test("WB: exec cannot escape sandbox (TM-ESC-001)", (t) => {
   const bash = new Bash();
-  const r = bash.executeSync("exec ls");
-  t.not(r.exitCode, 0, "exec must be blocked");
+  // exec runs commands within VFS sandbox — external binaries don't exist
+  const r = bash.executeSync("exec /bin/bash");
+  t.not(r.exitCode, 0, "exec of external binary must fail in sandbox");
 });
 
 test("WB: /proc filesystem not accessible (TM-ESC-003)", (t) => {