test: merge shell payload plan checks

src/node-host/invoke-system-run-plan.test.ts

@@ -921,36 +921,31 @@ describe("hardenApprovedExecutionPaths", () => {
     }
   });
 
-  it("keeps fail-closed behavior for shell payloads that invoke mutable script files", () => {
+  it("keeps fail-closed behavior for mutable or ambiguous shell payload files", () => {
-    expectShellPayloadApprovalDenied({
+    for (const testCase of [
-      tmpPrefix: "openclaw-shell-script-binding-",
+      {
-      fileName: "run.sh",
+        tmpPrefix: "openclaw-shell-script-binding-",
-      body: "#!/bin/sh\necho SAFE\n",
+        fileName: "run.sh",
-    });
+        body: "#!/bin/sh\necho SAFE\n",
-  });
+      },
-
+      {
-  it("keeps fail-closed behavior for empty shell payload files", () => {
+        tmpPrefix: "openclaw-shell-empty-binding-",
-    expectShellPayloadApprovalDenied({
+        fileName: "empty",
-      tmpPrefix: "openclaw-shell-empty-binding-",
+        body: "",
-      fileName: "empty",
+      },
-      body: "",
+      {
-    });
+        tmpPrefix: "openclaw-shell-mz-text-binding-",
-  });
+        fileName: "mz-script",
-
+        body: "MZ not really a PE file\n",
-  it("does not treat weak MZ text headers as native binaries", () => {
+      },
-    expectShellPayloadApprovalDenied({
+      {
-      tmpPrefix: "openclaw-shell-mz-text-binding-",
+        tmpPrefix: "openclaw-shell-nul-header-binding-",
-      fileName: "mz-script",
+        fileName: "nul-script",
-      body: "MZ not really a PE file\n",
+        body: "SAFE\u0000maybe-binary\n",
-    });
+      },
-  });
+    ]) {
-
+      expectShellPayloadApprovalDenied(testCase);
-  it("keeps fail-closed behavior for unknown NUL-bearing headers", () => {
+    }
-    expectShellPayloadApprovalDenied({
-      tmpPrefix: "openclaw-shell-nul-header-binding-",
-      fileName: "nul-script",
-      body: "SAFE\u0000maybe-binary\n",
-    });
   });
 
   it("keeps fail-closed behavior when the shell payload probe stops seeing a file", () => {