[UPDATE PRIMITIVE] Fix markdown injection and platform-dependent path tests in prompt handlers (#162)

* Initial plan

* Fix markdown injection and platform-dependent path tests in prompt handlers

- Add sanitizeForInlineCode() helper to escape backticks and newlines in user-supplied values embedded in markdown code spans
- Apply sanitizer to resolvePromptFilePath 'does not exist' warning (filePath and absolutePath)
- Apply sanitizer to formatValidationError issue.received display
- Fix POSIX path separator assumptions in tests: use basename only ('mydb', 'database')
- Rename createSafePromptHandler tests to clarify they validate the handler wrapper, not MCP SDK validation

Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>
Agent-Logs-Url: https://github.com/advanced-security/codeql-development-mcp-server/sessions/2660567b-5822-4505-91c2-37fe3ef00f4e

* Replace sanitizeForInlineCode with CommonMark-compliant markdownInlineCode

- markdownInlineCode() uses a fence length = maxRun+1 per CommonMark spec,
  preserving the original string (no information loss from backtick→apostrophe)
- Normalises CR/CRLF to LF before wrapping (inline spans can't span lines)
- Export markdownInlineCode for testability
- Add 6 unit tests for markdownInlineCode (plain text, single/double backtick,
  CRLF normalisation, backtick-only values)
- Add regression test for formatValidationError with backtick in received value
- Add regression test for resolvePromptFilePath warning with backtick in path

Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>
Agent-Logs-Url: https://github.com/advanced-security/codeql-development-mcp-server/sessions/ec7c534b-93ac-40e5-bcb6-023bc7496940

* Fix markdownInlineCode to replace newlines with spaces for single-line output

Replace \r\n, \r, and \n with a space (not just normalize CRLF to LF) so
the returned inline code span never contains a literal newline character.
Update docstring and test to reflect space-replacement behavior.

Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>
Agent-Logs-Url: https://github.com/advanced-security/codeql-development-mcp-server/sessions/87cfd54e-9d66-4871-a581-601aff3c6c8d

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>

Author: Copilot

server/dist/codeql-development-mcp-server.js

@@ -64468,6 +64468,23 @@ var SUPPORTED_LANGUAGES = [
   "ruby",
   "swift"
 ];
+function markdownInlineCode(value) {
+  const normalized = value.replace(/\r\n|\r|\n/g, " ");
+  let maxRun = 0;
+  let currentRun = 0;
+  for (const ch of normalized) {
+    if (ch === "`") {
+      currentRun += 1;
+      if (currentRun > maxRun) {
+        maxRun = currentRun;
+      }
+    } else {
+      currentRun = 0;
+    }
+  }
+  const fence = "`".repeat(maxRun + 1);
+  return `${fence}${normalized}${fence}`;
+}
 async function resolvePromptFilePath(filePath, workspaceRoot) {
   if (!filePath || filePath.trim() === "") {
     return {
@@ -64503,7 +64520,7 @@ async function resolvePromptFilePath(filePath, workspaceRoot) {
   } catch {
     return {
       resolvedPath: absolutePath,
-      warning: `\u26A0 **File path** \`${filePath}\` **does not exist.** Resolved to: \`${absolutePath}\``
+      warning: `\u26A0 **File path** ${markdownInlineCode(filePath)} **does not exist.** Resolved to: ${markdownInlineCode(absolutePath)}`
     };
   }
   return { resolvedPath: absolutePath };
@@ -64599,7 +64616,7 @@ function formatValidationError(promptName, error2) {
     if (issue2.code === "invalid_enum_value" && "options" in issue2) {
       const opts = issue2.options.join(", ");
       lines.push(
-        `- **\`${field}\`**: received \`${String(issue2.received)}\` \u2014 must be one of: ${opts}`
+        `- **\`${field}\`**: received ${markdownInlineCode(String(issue2.received))} \u2014 must be one of: ${opts}`
       );
     } else if (issue2.code === "invalid_type") {
       lines.push(