security(test): add restricted-unpickler regression tests

[aviralgarg05]

Summary

Add regression tests for restricted pickle loading in semantic cache.

Why

The legacy pickle path includes a restricted unpickler; tests should verify malicious/global class loads are rejected.

Tasks

• Add tests for allowed builtins and disallowed classes in nexum_ai/tests/
• Confirm failures do not crash cache initialization
• Verify cache falls back to safe empty state on invalid payload

Acceptance Criteria

• Security-sensitive paths are covered by tests
• Invalid payloads do not execute arbitrary code
• CI passes on Python test suite

[coderabbitai]

🔗 Related PRs

#55 - feat: Implement semantic cache persistence to disk (#47) [merged]

---

📝 Issue Planner

_{Check the box below or use the @coderabbitai plan command to generate an implementation plan and prompts that you can use with your favorite coding assistant.}

• Create Plan

---

🧪 Issue enrichment is currently in open beta.

You can configure auto-planning by selecting labels in the issue_enrichment configuration.

To disable automatic issue enrichment, add the following to your .coderabbit.yaml:

issue_enrichment:
  auto_enrich:
    enabled: false

💬 Have feedback or questions? Drop into our discord!

[Subhayoni]

Hi! I’d like to work on this issue if it’s available.