fix: harden input handling in api client, mcp config, and yaml escape

- use null check instead of truthy for limit param (fixes limit=0 bug)
- encode url path segments to prevent path injection
- fix mcp config read/write key mismatch when both servers and mcpServers exist
- escape backslashes and newlines in yaml frontmatter

Constraint: all fixes are at API/output boundaries, no internal logic changes
Confidence: high
Scope-risk: narrow

Author: vildanbina

src/api/client.ts

@@ -149,12 +149,12 @@ export class YavyApiClient {
     async search(query: string, options?: { project?: string; limit?: number }): Promise<SearchResponse> {
         const params = new URLSearchParams({ query });
         if (options?.project) params.set('project', options.project);
-        if (options?.limit) params.set('limit', String(options.limit));
+        if (options?.limit != null) params.set('limit', String(options.limit));
         return this.request<SearchResponse>('GET', `/search?${params}`);
     }
 
     async downloadSkill(orgSlug: string, projectSlug: string): Promise<ArrayBuffer> {
-        const url = `${YAVY_BASE_URL}/api/v1/${orgSlug}/${projectSlug}/skill/download`;
+        const url = `${YAVY_BASE_URL}/api/v1/${encodeURIComponent(orgSlug)}/${encodeURIComponent(projectSlug)}/skill/download`;
 
         const response = await this.fetchWithRetry(url, {
             method: 'GET',

src/commands/init/configure-tool.ts

@@ -56,7 +56,7 @@ function buildMcpUrl(projects: ApiProject[]): string {
         );
     }
 
-    return `${YAVY_BASE_URL}/mcp/${orgSlugs[0]}`;
+    return `${YAVY_BASE_URL}/mcp/${encodeURIComponent(orgSlugs[0])}`;
 }
 
 function readJsonFile(configPath: string): Record<string, unknown> {
@@ -80,11 +80,10 @@ function writeJsonFile(configPath: string, data: Record<string, unknown>): void
 /** Standard MCP config: { servers: { yavy: { url, type } } } (Cursor, VS Code) */
 function mergeJsonMcpConfig(configPath: string, projects: ApiProject[]): void {
     const existing = readJsonFile(configPath);
-    const servers = (existing.servers ?? existing.mcpServers ?? {}) as Record<string, unknown>;
+    const serverKey = existing.mcpServers ? 'mcpServers' : 'servers';
+    const servers = (existing[serverKey] ?? {}) as Record<string, unknown>;
 
     servers['yavy'] = { url: buildMcpUrl(projects), type: 'sse' };
-
-    const serverKey = existing.mcpServers ? 'mcpServers' : 'servers';
     existing[serverKey] = servers;
     writeJsonFile(configPath, existing);
 }

src/commands/init/generate-skill.ts

@@ -150,5 +150,5 @@ function escapePipe(str: string): string {
 }
 
 function escapeYaml(str: string): string {
-    return str.replace(/"/g, '\\"');
+    return str.replace(/\\/g, '\\\\').replace(/\n/g, ' ').replace(/\r/g, '').replace(/"/g, '\\"');
 }