refactor(llm-security): parameterize buildSandboxedWorker with workerPath

plugins/llm-security/tests/scanners/vsix-sandbox.test.mjs

@@ -11,6 +11,9 @@ import {
   buildBwrapArgs,
   buildSandboxedWorker,
   runVsixWorker,
+  runPluginWorker,
+  DEFAULT_VSIX_WORKER_PATH,
+  DEFAULT_JETBRAINS_WORKER_PATH,
   __testing,
 } from '../../scanners/lib/vsix-sandbox.mjs';
 
@@ -69,6 +72,34 @@ describe('vsix-sandbox — buildSandboxedWorker', () => {
     assert.match(joined, /--url https:\/\/example\//);
     assert.match(joined, /--tmpdir \/tmp/);
   });
+
+  it('honors explicit workerPath parameter (Step 10 generalization)', () => {
+    const custom = '/path/to/other-worker.mjs';
+    const { args } = buildSandboxedWorker('/tmp', ['--foo'], custom);
+    const joined = args.join(' ');
+    // Must contain the custom path, and NOT the default VSIX worker.
+    assert.ok(joined.includes(custom), `expected custom worker in args: ${joined}`);
+    assert.ok(!joined.includes('vsix-fetch-worker.mjs'),
+      `custom worker should have replaced default: ${joined}`);
+    assert.match(joined, /--foo/);
+  });
+
+  it('defaults to DEFAULT_VSIX_WORKER_PATH when workerPath omitted', () => {
+    const { args } = buildSandboxedWorker('/tmp', ['--url', 'https://x/', '--tmpdir', '/tmp']);
+    assert.ok(args.some((a) => a === DEFAULT_VSIX_WORKER_PATH),
+      `expected DEFAULT_VSIX_WORKER_PATH in args: ${args.join(' ')}`);
+  });
+
+  it('exports DEFAULT_JETBRAINS_WORKER_PATH (Step 10 constant for Step 12)', () => {
+    assert.ok(typeof DEFAULT_JETBRAINS_WORKER_PATH === 'string');
+    assert.match(DEFAULT_JETBRAINS_WORKER_PATH, /jetbrains-fetch-worker\.mjs$/);
+  });
+});
+
+describe('vsix-sandbox — runPluginWorker (generalized runner)', () => {
+  it('is exported as a function', () => {
+    assert.equal(typeof runPluginWorker, 'function');
+  });
 });
 
 describe('vsix-sandbox — runVsixWorker (live worker, no network)', () => {