test(python): add missing security tests — VFS limits, arithmetic, injection, encoding #1264

@chaliy

Context

Node's security.spec.ts (99 tests) covers several threat scenarios that Python's security tests currently miss. Both bindings use the same Rust core, but each binding should independently verify the security guarantees are surfaced correctly at the binding level.

This is part of the Python ↔ Node binding parity effort (Phase 3 — Security Test Alignment).

What to implement

Add these tests to Python's test_security.py (after #1259 merge):

1. VFS resource limits (TM-DOS-005, TM-DOS-006, TM-DOS-012, TM-DOS-013)

# Large file write limited (TM-DOS-005) — write >10MB, verify rejection
# VFS file count limit (TM-DOS-006) — create many files, verify cap
# Deep directory nesting limited (TM-DOS-012) — mkdir -p with 100+ levels
# Long filename rejected (TM-DOS-013) — filename with 1000+ chars
# Long path rejected (TM-DOS-013) — path with many components

Node reference: security.spec.ts "WB: VFS file count limit", "WB: deep directory nesting limited", "WB: long filename rejected", "WB: long path rejected", "WB: large file write limited"

2. Arithmetic edge cases (TM-DOS-029)

# Arithmetic overflow does not crash
# Division by zero does not crash (returns error, not panic)
# Modulo by zero does not crash
# Negative exponent handled safely

Node reference: security.spec.ts "BB: arithmetic overflow", "BB: division by zero", "BB: modulo by zero", "BB: negative exponent"

3. Default memory limit without explicit max_memory

# Create Bash() with NO max_memory set
# Attempt exponential string doubling
# Verify it's capped by a default limit (doesn't OOM)

Node reference: security.spec.ts "WB: default memory limit prevents OOM without maxMemory"

4. Environment variable leak (TM-INF-002)

# Verify `env` or `printenv` does not show host env vars
# Verify PATH, HOME, etc. are sandboxed values

Node reference: security.spec.ts "WB: environment variables do not leak host info"

5. Process substitution blocked (TM-ESC-002)

# Verify process substitution <() is blocked or inert

Node reference: security.spec.ts "WB: no subprocess execution — process substitution"

6. Signal trap commands (TM-ESC-005)

# Verify `trap` command doesn't escape sandbox

Node reference: security.spec.ts "BB: signal trap commands"

7. Username/hostname injection

# Username containing shell metacharacters (;, $, `) stored literally
# Hostname with newlines stored literally, not executed
# Command-like username doesn't execute

Node reference: security.spec.ts "BB: username injection", "BB: hostname injection", "BB: username with newline"

8. Mounted files with crafted paths

# files dict with path traversal attempt (../../etc/passwd)
# files dict with null byte in path
# files dict with special characters in content
# files dict with empty content

Node reference: security.spec.ts "BB: mounted files with crafted paths", "BB: mounted file with null byte in path"

9. CRLF line endings in scripts

# Script with \r\n line endings executes correctly (no injection)

Node reference: security.spec.ts "BB: CRLF line endings in script"

10. Direct VFS API injection tests (after #1257)

# bash.read_file("../../etc/passwd") — path traversal via direct API
# bash.write_file("../../tmp/evil", "payload") — write traversal
# bash.ls("'; echo pwned") — injection via ls
# bash.glob("'; echo pwned") — injection via glob

Node reference: security.spec.ts "WB: direct VFS API" tests, "WB: Bash.ls() injection", "WB: Bash.glob() injection"

11. Error message safety (TM-INT-001, TM-INT-002)

# Error messages do not contain host filesystem paths
# Error messages do not contain memory addresses
# Error messages do not contain stack traces
# NAPI/PyO3 errors do not leak Rust internals

Node reference: security.spec.ts "WB: error messages do not leak host paths", "WB: error messages do not contain memory addresses"

12. Special variables

# $PID, $PPID, $UID return sandboxed values (not real host values)

Node reference: security.spec.ts "BB: special variables - PID, PPID, UID"

Acceptance criteria

Depends on
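
For item 11 (TM-INT-001, TM-INT-002), the four "error messages do not contain" checks can share one binding-independent helper. The sketch below is an added example, not code from this project or from security.spec.ts: the regexes, the `find_leaks` and `host_markers` names and the sample messages are assumptions made for illustration, and a real test would pass it the error text the binding returns.

```python
import os
import re
import sys

# Heuristic patterns (assumed here, not the project's definitions).
ADDRESS = re.compile(r"\b0x[0-9a-fA-F]{8,16}\b")
TRACE = re.compile(
    r"Traceback \(most recent call last\)|stack backtrace:|^\s*\d+: +0x|^\s+at \S+:\d+",
    re.M,
)
RUST = re.compile(
    r"panicked at|RUST_BACKTRACE|[\w./-]+\.rs:\d+|\b(?:core|std|alloc|pyo3)::\w+"
)


def host_markers():
    """Real host paths that sandbox output must never contain."""
    paths = {os.path.expanduser("~"), os.getcwd(), sys.prefix}
    # Skip "/" and other one-character values that would match everything.
    return sorted(p for p in paths if len(p) > 1)


def find_leaks(message, markers=None):
    """Return (label, evidence) pairs for each leak class found in message.

    Sandbox-internal paths such as /etc/passwd are not flagged: only the
    concrete host paths in `markers` count as host filesystem leaks.
    """
    markers = host_markers() if markers is None else markers
    leaks = [("host_path", m) for m in markers if m in message]
    for label, pattern in (
        ("memory_address", ADDRESS),
        ("stack_trace", TRACE),
        ("rust_internals", RUST),
    ):
        hit = pattern.search(message)
        if hit:
            leaks.append((label, hit.group(0)))
    return leaks


# Constructed sample messages, not output captured from the library.
SAMPLES = [
    "cat: /etc/passwd: No such file or directory",
    "failed to open /srv/ci/build/target/vfs.bin",
    "internal error at 0x7ffd5e3a9c10",
    "thread 'main' panicked at src/interp.rs:42:9",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg, "->", find_leaks(msg, markers=["/srv/ci/build"]))
```

Taking the host paths from the running process, rather than matching any absolute path, keeps legitimate sandbox paths in error text from failing the test.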
