fix(scriptanalysis): M3.1 review — Pass 2 self-sufficient descent, pin nested-forbidden + nameof cases, drop dead code

tests/ZB.MOM.WW.ScadaBridge.ScriptAnalysis.Tests/ScriptTrustValidatorTests.cs

@@ -100,6 +100,53 @@ public class ScriptTrustValidatorTests
         Assert.NotEmpty(ScriptTrustValidator.FindViolations(code));
     }
 
+    [Fact]
+    public void Rejects_ForbiddenIo_NestedInAllowedTaskRunLambda()
+    {
+        // A forbidden System.IO reference buried inside an allowed Task.Run lambda.
+        // The allowed-exception prefix on the outer member access must NOT shadow
+        // the nested forbidden reference — Pass 2 must descend into the lambda.
+        var code = "await System.Threading.Tasks.Task.Run(() => System.IO.File.ReadAllText(\"x\"));";
+        Assert.NotEmpty(ScriptTrustValidator.FindViolations(code));
+    }
+
+    [Fact]
+    public void Rejects_ForbiddenMutex_AsGenericArg_UnderAllowedTasksPrefix()
+    {
+        // System.Threading.Mutex (forbidden) appears as a generic argument of an
+        // allowed System.Threading.Tasks.TaskCompletionSource<T>. The allowed
+        // outer name must not shadow the forbidden generic arg.
+        var code = "System.Threading.Tasks.TaskCompletionSource<System.Threading.Mutex> tcs = null;";
+        Assert.NotEmpty(ScriptTrustValidator.FindViolations(code));
+    }
+
+    [Fact]
+    public void Rejects_DirectThreadingMutex_NotThreadSleep()
+    {
+        // A direct forbidden System.Threading type (not Thread.Sleep) — pins that
+        // the broad System.Threading deny-list catches more than the one cased test.
+        var code = "var m = new System.Threading.Mutex();";
+        Assert.NotEmpty(ScriptTrustValidator.FindViolations(code));
+    }
+
+    [Fact]
+    public void Rejects_ForbiddenFileInfo_AsGenericArg()
+    {
+        // System.IO.FileInfo (forbidden) as a generic argument of an allowed
+        // System.Collections.Generic.List<T>.
+        var code = "System.Collections.Generic.List<System.IO.FileInfo> x = null;";
+        Assert.NotEmpty(ScriptTrustValidator.FindViolations(code));
+    }
+
+    [Fact]
+    public void Rejects_NameOf_ForbiddenType()
+    {
+        // Conservative fail-safe: naming a forbidden type inside nameof(...) is
+        // deliberately flagged (a script has no business naming it even there).
+        var code = "var s = nameof(System.IO.File);";
+        Assert.NotEmpty(ScriptTrustValidator.FindViolations(code));
+    }
+
     // ---- Clean (empty violations) -------------------------------------------
 
     [Fact]