From 03ec2013ef4b6fd4c4e07efbc66ac6e9885e0cf0 Mon Sep 17 00:00:00 2001
From: Mykhailo Chalyi <mike@chaliy.name>
Date: Thu, 26 Mar 2026 18:29:30 +0000
Subject: [PATCH] fix(js): update exec security test for sandbox-safe exec
 behavior

PR #815 made `exec cmd` run within VFS sandbox instead of blocking.
The JS security test still expected `exec ls` to fail, but `ls` is a
builtin that succeeds in the sandbox. Changed to test `exec /bin/bash`
which correctly fails (external binary not in VFS).
---
 crates/bashkit-js/__test__/security.spec.ts | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/crates/bashkit-js/__test__/security.spec.ts b/crates/bashkit-js/__test__/security.spec.ts
index 61e3e004..caa2707f 100644
--- a/crates/bashkit-js/__test__/security.spec.ts
+++ b/crates/bashkit-js/__test__/security.spec.ts
@@ -120,10 +120,11 @@ test("WB: stderr truncation on massive error output", (t) => {
 // 3. WHITE-BOX — Sandbox Escape Prevention (TM-ESC)
 // ============================================================================
 
-test("WB: exec builtin blocked (TM-ESC-001)", (t) => {
+test("WB: exec cannot escape sandbox (TM-ESC-001)", (t) => {
   const bash = new Bash();
-  const r = bash.executeSync("exec ls");
-  t.not(r.exitCode, 0, "exec must be blocked");
+  // exec runs commands within VFS sandbox — external binaries don't exist
+  const r = bash.executeSync("exec /bin/bash");
+  t.not(r.exitCode, 0, "exec of external binary must fail in sandbox");
 });
 
 test("WB: /proc filesystem not accessible (TM-ESC-003)", (t) => {