Add MDM non-security requirements regression

codex-rs/core/src/config_loader/tests.rs

@@ -622,6 +622,51 @@ personality = "bogus"
     Ok(())
 }
 
+#[cfg(target_os = "macos")]
+#[tokio::test]
+async fn managed_preferences_ignore_invalid_non_security_requirements_payload_without_security_entries()
+-> anyhow::Result<()> {
+    use base64::Engine;
+
+    let tmp = tempdir()?;
+
+    let state = load_config_layers_state(
+        tmp.path(),
+        Some(AbsolutePathBuf::try_from(tmp.path())?),
+        &[] as &[(String, TomlValue)],
+        LoaderOverrides {
+            managed_config_path: Some(tmp.path().join("managed_config.toml")),
+            managed_preferences_base64: Some(String::new()),
+            macos_managed_config_requirements_base64: Some(
+                base64::prelude::BASE64_STANDARD.encode(
+                    r#"
+[features]
+personality = "bogus"
+"#
+                    .as_bytes(),
+                ),
+            ),
+        },
+        CloudRequirementsLoader::default(),
+    )
+    .await?;
+
+    assert_eq!(
+        state.requirements_toml(),
+        &ConfigRequirementsToml::default()
+    );
+    assert_eq!(
+        state.requirements().approval_policy.value(),
+        AskForApproval::OnRequest
+    );
+    assert_eq!(
+        *state.requirements().sandbox_policy.get(),
+        SandboxPolicy::new_read_only_policy()
+    );
+
+    Ok(())
+}
+
 #[cfg(target_os = "macos")]
 #[tokio::test]
 async fn managed_preferences_requirements_are_applied() -> anyhow::Result<()> {