
output_path traversal hardening for dump_chat_to_markdown #21

@kiki830621

Description


Problem

From the security reviewer's verification of #13 (MEDIUM, pre-existing):
「parseDumpChatToMarkdownArgs accepts output_path as an arbitrary string with no path validation:

  • No canonicalization of .. segments.
  • No allowlist / sandbox root check.
  • No prohibition of absolute paths, symlinks, or /etc/...-style writes.
  • MarkdownExporter.validateOutputPath only checks that the parent directory exists and is writable; it does not constrain where that parent lives.

Risk model: This is an MCP tool invoked by a local LLM client on the user's own machine — the threat model is 『prompt-injected MCP caller asks the LLM to dump a chat to ~/.zshrc』. The markdown body is mostly user-controlled chat content that the attacker could shape, then have written to a shell-sourced location.」
— Source: team:security

This is a pre-existing confused-deputy risk, not one introduced by #13. But because dump_chat_to_markdown writes arbitrary chat content to an arbitrary path, in a prompt-injection scenario it can become an RCE path.

Type

enhancement (security hardening)

Expected

  • Design an export-root mechanism:
    • The environment variable CHE_TELEGRAM_EXPORT_ROOT specifies the root directory under which writes are allowed
    • parseDumpChatToMarkdownArgs rejects .. segments after expansion
    • Reject any path that is not inside that root (compare prefixes after realpath)
  • Default behaviour: if the env var is unset, use ~/Documents/telegram-exports/ or a similar sandboxed location
  • Alternatively: reject absolute paths entirely, require the caller to pass a relative path, and have the server side prepend the root
  • Add tests: testDumpRejectsTraversalPath, testDumpRespectsExportRoot
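As an added illustration of the mechanism proposed above (this is example code written for this issue, not code from the project or its author), the following Swift sketch shows one way the export-root check could be structured: tilde expansion, rejection of `..` segments, realpath canonicalization of the root and of the parent directory, a trailing-slash prefix comparison, and a final symlink check on the target. Only CHE_TELEGRAM_EXPORT_ROOT and the ~/Documents/telegram-exports default come from the issue; the names `resolveExportPath`, `canonicalPath`, `exportRoot` and `ExportPathError`, and the demo inputs, are hypothetical and constructed here.

```swift
import Foundation

/// Hypothetical error type (not in the project) for output_path validation failures.
enum ExportPathError: Error {
    case notAFilePath(String)        // empty, or ends in "/" (a directory, not a file)
    case parentTraversal             // a ".." segment survived tilde expansion
    case rootUnavailable(String)     // export root does not exist or cannot be canonicalized
    case parentUnavailable(String)   // target's parent directory does not exist
    case outsideExportRoot(String)   // canonical parent is not under the canonical root
    case targetIsSymlink(String)     // existing symlink at the target would redirect the write
}

/// Canonicalize an existing path with realpath(3): resolves symlinks, ".", ".." and
/// duplicate slashes. Returns nil if any component does not exist.
func canonicalPath(_ path: String) -> String? {
    guard let resolved = realpath(path, nil) else { return nil }
    defer { free(resolved) }
    return String(cString: resolved)
}

/// Export root: CHE_TELEGRAM_EXPORT_ROOT if set, otherwise the default the issue proposes.
func exportRoot(environment: [String: String] = ProcessInfo.processInfo.environment) -> String {
    if let configured = environment["CHE_TELEGRAM_EXPORT_ROOT"], !configured.isEmpty {
        return (configured as NSString).expandingTildeInPath
    }
    return FileManager.default.homeDirectoryForCurrentUser
        .appendingPathComponent("Documents/telegram-exports").path
}

/// Resolve a caller-supplied output_path to a canonical file path that is guaranteed to
/// live under `root`. Relative paths are joined onto the root; absolute paths are accepted
/// only if they canonicalize to a location inside it.
func resolveExportPath(_ requested: String, root: String) throws -> String {
    let expanded = (requested as NSString).expandingTildeInPath
    guard !expanded.isEmpty, !expanded.hasSuffix("/") else {
        throw ExportPathError.notAFilePath(requested)
    }

    // 1. Reject ".." segments after expansion, before touching the filesystem at all.
    let segments = expanded.split(separator: "/")
    if segments.contains("..") || segments.last == "." {
        throw ExportPathError.parentTraversal
    }

    // 2. Canonicalize the root; it must already exist (create it at server startup).
    guard let canonicalRoot = canonicalPath(root) else {
        throw ExportPathError.rootUnavailable(root)
    }

    // 3. Join relative paths onto the root; absolute paths go straight to the prefix check.
    let candidate = expanded.hasPrefix("/") ? expanded : canonicalRoot + "/" + expanded
    let candidateURL = URL(fileURLWithPath: candidate)
    let fileName = candidateURL.lastPathComponent
    let parent = candidateURL.deletingLastPathComponent().path

    // 4. The file itself may not exist yet, so canonicalize its parent directory instead.
    guard let canonicalParent = canonicalPath(parent) else {
        throw ExportPathError.parentUnavailable(parent)
    }

    // 5. Compare with a trailing "/" so that "/root-evil" is not accepted as inside "/root".
    let rootPrefix = canonicalRoot.hasSuffix("/") ? canonicalRoot : canonicalRoot + "/"
    guard (canonicalParent + "/").hasPrefix(rootPrefix) else {
        throw ExportPathError.outsideExportRoot(canonicalParent + "/" + fileName)
    }

    // 6. realpath on the parent never sees the final component: refuse to write through
    //    an existing symlink at the target, which could point anywhere.
    let finalPath = canonicalParent + "/" + fileName
    if (try? FileManager.default.destinationOfSymbolicLink(atPath: finalPath)) != nil {
        throw ExportPathError.targetIsSymlink(finalPath)
    }
    return finalPath
}

// Demo against a constructed temporary root (constructed inputs, not from the issue).
let demoRoot = NSTemporaryDirectory() + "che-export-demo"
try? FileManager.default.createDirectory(atPath: demoRoot, withIntermediateDirectories: true)
for input in ["chat-42.md", "/etc/passwd", "../../.zshrc", "~/.zshrc", demoRoot + "/nested/../chat.md"] {
    do {
        print("accept:", input, "->", try resolveExportPath(input, root: demoRoot))
    } catch {
        print("reject:", input, "->", error)
    }
}
```

In the demo only `chat-42.md` is accepted; the `..` inputs fail at step 1 even when they would resolve back inside the root (the issue asks for `..` to be rejected outright), and `/etc/passwd` and `~/.zshrc` fail the prefix check at step 5. The proposed tests map onto these cases: testDumpRejectsTraversalPath covers the `..` and absolute-path rejections, testDumpRespectsExportRoot covers a relative name landing under the configured root.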

Code Reference

  • Sources/CheTelegramAllMCPCore/HandlerArgs.swift:96 (output_path guard)
  • Sources/TelegramAllLib/MarkdownExporter.swift (validateOutputPath, write logic)

Threat

local prompt-injection scenario; severity MEDIUM (confused-deputy, requires writable parent dir but no privilege escalation)

Related: #13
