test(voyage): add Group D XSS injection runtime guard (1d3591d4)

plugins/voyage/tests/e2e/voyage-playground-a11y.spec.mjs

@@ -206,4 +206,27 @@ test.describe('voyage-playground a11y (axe-core)', () => {
       fullPage: false,
     });
   });
+
+  // v4.3 Step 2 — Group D Playwright XSS injection runtime guard
+  // (finding 1d3591d4). Behavioral counterpart to the DOMPurify fix in
+  // renderArtifact (Step 1). Injects a <script>alert(1)</script> markdown
+  // payload via scheduleRender and verifies neither a JS dialog fires nor
+  // a <script> tag survives in #voyage-viewport. Defense in depth alongside
+  // the Group A static-grep guard.
+  test('SC24-security — script injection in artifact body does not execute (1d3591d4)', async ({ page }) => {
+    let dialogCount = 0;
+    page.on('dialog', (d) => {
+      dialogCount++;
+      d.dismiss();
+    });
+    await page.goto('voyage-playground.html');
+    await page.waitForLoadState('domcontentloaded');
+    await page.evaluate(() => {
+      window.__voyage.scheduleRender({
+        markdown: '<script>alert(1)</script>\n# title',
+      });
+    });
+    expect(dialogCount, `expected zero dialogs but got ${dialogCount}`).toBe(0);
+    expect(await page.locator('#voyage-viewport script').count()).toBe(0);
+  });
 });