test: tests ACL para father-bot deny-by-default y multi-admin

Agrega dos tests nuevos al paquete pkg/security que verifican
escenarios especificos de father-bot:

- TestResolveACL_FatherBotDenyByDefault: cuando el grupo admins
  esta vacio, nadie puede interactuar con father-bot (deny-by-default)
- TestResolveACL_FatherBotMultipleAdmins: cuando hay multiples
  admins configurados, todos pueden interactuar; usuarios fuera
  del grupo no pueden

Estos tests complementan el existente TestResolveACL_PrivilegedVsGeneral
que ya cubria el caso basico de admin vs non-admin.

Issue: 0043

pkg/security/security_test.go

@@ -194,7 +194,91 @@ func TestResolveACL_PrivilegedVsGeneral(t *testing.T) {
 	}
 }
 
-// 2.8 — agente referenciado directamente por ID en AgentPolicy.AgentGroup → recibe permisos
+// 2.8 — father-bot deny-by-default: admin group empty → no one can interact
+func TestResolveACL_FatherBotDenyByDefault(t *testing.T) {
+	p := makePolicy(
+		[]security.UserGroup{
+			{Name: "admins", Members: []string{}}, // empty admin group
+			{Name: "everyone", Members: []string{"*"}},
+		},
+		[]security.AgentGroup{
+			{Name: "privileged", Agents: []string{"father-bot"}},
+			{Name: "general", Agents: []string{"assistant-bot"}},
+		},
+		[]security.AgentPolicy{
+			{
+				AgentGroup:  "privileged",
+				Permissions: []security.Permission{{UserGroup: "admins", Actions: []string{"*"}}},
+			},
+			{
+				AgentGroup: "general",
+				Permissions: []security.Permission{
+					{UserGroup: "everyone", Actions: []string{"*"}},
+				},
+			},
+		},
+	)
+
+	// father-bot: admin group empty → nobody can interact
+	fatherACL := security.ResolveACL("father-bot", p)
+	if fatherACL.Empty() {
+		t.Fatal("father-bot ACL should not be empty (it has a policy, just no members)")
+	}
+	if fatherACL.CanDo("@admin:matrix.example.com", "ask") {
+		t.Fatal("no one should be able to interact with father-bot when admin group is empty")
+	}
+	if fatherACL.CanDo("@random:matrix.example.com", "ask") {
+		t.Fatal("non-admin should NOT be able to interact with father-bot")
+	}
+
+	// assistant-bot: still accessible to everyone
+	assistantACL := security.ResolveACL("assistant-bot", p)
+	if !assistantACL.CanDo("@random:matrix.example.com", "ask") {
+		t.Fatal("everyone should still be able to interact with assistant-bot")
+	}
+}
+
+// 2.9 — father-bot: multiple admins, only they can interact
+func TestResolveACL_FatherBotMultipleAdmins(t *testing.T) {
+	p := makePolicy(
+		[]security.UserGroup{
+			{Name: "admins", Members: []string{
+				"@admin:matrix-af2f3d.organic-machine.com",
+				"@dev2:matrix-af2f3d.organic-machine.com",
+			}},
+			{Name: "everyone", Members: []string{"*"}},
+		},
+		[]security.AgentGroup{
+			{Name: "privileged", Agents: []string{"father-bot"}},
+		},
+		[]security.AgentPolicy{
+			{
+				AgentGroup:  "privileged",
+				Permissions: []security.Permission{{UserGroup: "admins", Actions: []string{"*"}}},
+			},
+		},
+	)
+
+	fatherACL := security.ResolveACL("father-bot", p)
+
+	// Both admins can interact
+	if !fatherACL.CanDo("@admin:matrix-af2f3d.organic-machine.com", "ask") {
+		t.Fatal("first admin should be able to interact with father-bot")
+	}
+	if !fatherACL.CanDo("@dev2:matrix-af2f3d.organic-machine.com", "ask") {
+		t.Fatal("second admin should be able to interact with father-bot")
+	}
+
+	// Non-admin cannot
+	if fatherACL.CanDo("@random:matrix.example.com", "ask") {
+		t.Fatal("non-admin should NOT be able to interact with father-bot")
+	}
+	if fatherACL.CanDo("@hacker:evil.com", "ask") {
+		t.Fatal("unknown user should NOT be able to interact with father-bot")
+	}
+}
+
+// 2.10 — agente referenciado directamente por ID en AgentPolicy.AgentGroup → recibe permisos
 func TestResolveACL_DirectAgentID(t *testing.T) {
 	p := makePolicy(
 		[]security.UserGroup{{Name: "admins", Members: []string{"@alice:matrix.org"}}},