HistoryService: path traversal sanitization and exception resilience

[Copilot]

HistoryService used persisted WordBorderInfoFileName values directly in Path.Combine without sanitization, enabling path traversal. File delete and deserialization paths also had no error handling, meaning a corrupt/locked file could crash history operations.

Changes

• GetWordBorderInfosAsync: sanitize WordBorderInfoFileName via Path.GetFileName() and reject non-.json extensions before path combination; wrap sidecar file IO + deserialization in IOException/JsonException handlers with fallthrough to inline JSON; wrap inline JSON deserialization in JsonException handler returning []
• DeleteHistoryFile: wrap File.Delete in IOException/UnauthorizedAccessException — locked files log and continue instead of throwing
• DeleteUnusedWordBorderFiles: same per-iteration exception handling so one inaccessible sidecar doesn't abort cleanup of the rest

// Before — rooted or traversal path escapes history dir
string wordBorderInfoPath = Path.Combine(historyBasePath, history.WordBorderInfoFileName);

// After — sanitized + extension-validated
string sanitizedFileName = Path.GetFileName(history.WordBorderInfoFileName);
if (!string.IsNullOrWhiteSpace(sanitizedFileName)
    && string.Equals(Path.GetExtension(sanitizedFileName), ".json", StringComparison.OrdinalIgnoreCase))
{
    string wordBorderInfoPath = Path.Combine(historyBasePath, sanitizedFileName);
    ...
}

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.