From e8088f624e27e3b3341ec32498031ae04b93293d Mon Sep 17 00:00:00 2001
From: Lawyered <ethlawyer1@gmail.com>
Date: Mon, 16 Feb 2026 22:34:39 -0500
Subject: [PATCH] test(security): cover background-chain validation path

---
 src/security/policy.rs | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/security/policy.rs b/src/security/policy.rs
index be70110..14cd4f7 100644
--- a/src/security/policy.rs
+++ b/src/security/policy.rs
@@ -725,6 +725,14 @@ mod tests {
         assert!(result.unwrap_err().contains("high-risk"));
     }
 
+    #[test]
+    fn validate_command_rejects_background_chain_bypass() {
+        let p = default_policy();
+        let result = p.validate_command_execution("ls & python3 -c 'print(1)'", false);
+        assert!(result.is_err());
+        assert!(result.unwrap_err().contains("not allowed"));
+    }
+
     // ── is_path_allowed ─────────────────────────────────────
 
     #[test]