
Commit 53a5fd2

fix: align GraphQL query with actual Compass API schema (#153)
* fix: align GraphQL query and mapping with actual Compass API schema

  Validated against novamedia.atlassian.net. Key changes:
  - Remove `type` from `customFields.definition` (not on CompassCustomFieldDefinition)
  - Use inline fragments for custom field values (CompassCustomField is an interface)
  - Update scorecardScores to use scorecardId/totalScore/maxTotalScore
  - Add __typename and QueryError handling for searchComponents union
  - Use relationshipType/endNode instead of type/nodeId for relationships
  - Accept unknown in mapTier/mapLifecycle for non-string API values
  - Remove server-side typeFilter (not supported), add client-side nameFilter
  - Skip remote URLs for specifications (EventCatalog expects local paths)
  - Use relative dependency links (../service-id/) instead of absolute paths

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* extra fixes from testing

* fix: resolve scorecard names, dependency links, and team error logging

  - Extract readable names from ARI-style scorecardIds with API batch fetch
  - Use absolute /docs/services/ paths for dependency links
  - Add visible warnings when team name resolution fails

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: use Teams v2 API and improve scorecard query error handling

  - Switch to teamV2(id, siteId) with teams-beta experimental header
  - Construct full team ARI from UUID for the v2 API
  - Add __typename and QueryError handling to scorecard query
  - Log actual API errors for scorecards

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: use ID! type for cloudId in scorecards query

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: skip team creation when name cannot be resolved in API mode

  Avoids creating team entities with UUID-only names that add no value.

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: revert dependency links to relative paths

  Absolute /docs/services/ paths don't include the site base path.
  Relative ../dep-id/ paths resolve correctly regardless of base.

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: use two-level relative paths for dependency links

  Service pages load at .../services/{name}/{version}/ so dependency links need ../../ to navigate up past both the version and service name segments.

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: address security vulnerabilities in API token logging, path traversal, and XSS

  - Avoid logging raw error message from fetchTeamById to prevent potential API token leakage via error context (CodeQL: clear-text logging of sensitive info)
  - Sanitize local spec file paths in getSpecifications to reject path traversal sequences (../../) and absolute paths, preventing arbitrary file exposure
  - Sanitize custom field text values from Compass API before storing in config to prevent XSS when rendered via customMarkdownTemplate

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: add changeset for security patch

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
1 parent fbfd5a6 commit 53a5fd2


8 files changed (+394, -182 lines changed)

Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
---
2+
"@ismaelmartinez/generator-atlassian-compass-event-catalog": patch
3+
---
4+
5+
fix: address security vulnerabilities in token logging, path traversal, and XSS
6+
7+
- Prevent potential API token leakage via error logs in team fetch failure handling
8+
- Sanitize local spec file paths to reject path traversal sequences (`../`) and absolute paths
9+
- Sanitize custom field text values from Compass API to prevent XSS in rendered markdown
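Review bot: the changeset should call out the user-visible behaviour change behind its second bullet: spec references containing `../` or an absolute path, which previously resolved, are now rejected, so existing catalog configurations that relied on them will silently lose their specifications unless a warning is emitted. Naming the affected entry points that the commit message lists (`fetchTeamById`, `getSpecifications`, `customMarkdownTemplate`) would make the changelog actionable for consumers, and the first bullet should say what is logged in place of the raw error message so that users know why team-fetch diagnostics became terser. It is also worth stating whether the `../` check runs on the normalized, resolved path with a containment check against the specs directory, since a literal substring test alone does not cover separator variants such as `..\`.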
