test(parser-vscode): make non-Windows server-dir test platform-independent

[JuliusGruber]

Problem

findVsCodeDirs() branches on process.platform — on win32 it reads the Code / Code - Insiders editions from %APPDATA% and skips the .vscode-server block entirely (VS Code Server doesn't run natively on Windows).

The test "includes server workspaceStorage paths on non-Windows hosts" builds a non-Windows layout (~/.config/Code/... + ~/.vscode-server/...) and asserts all four directories come back — but it never stubs process.platform. So it only passes when the test process itself runs on a non-Windows OS:

• ✅ Green on Linux CI
• ❌ Red for any Windows contributor running npm test locally — the function (correctly) returns [], so the assertion fails.

Fix

Pin process.platform to 'linux' for the duration of the test and restore it in the existing finally block. This makes the test deterministic across Windows, macOS, and Linux.

Test-only change — production behavior is unchanged (returning [] on real Windows is correct).

Verification

• Reproduced red → green on a Windows host: src/core/parser-vscode.test.ts 39/39 passing after the fix.
• tsc --noEmit clean.
• eslint src/core/parser-vscode.test.ts clean.

🤖 Generated with Claude Code

[san360]

@JuliusGruber Thanks for your PR, Please agree with contributor license agreement https://github.com/microsoft/ContributorLicenseAgreement

[san360]

Thanks for this thorough security hardening pass — great work! All 1063 tests pass, build is clean, and every change tightens an attack surface. A few notes:

Highlights:

• Prototype pollution guards in \setAtPath/\�ppendAtPath\ with \FORBIDDEN_KEYS\ — well done.
• \safeJoinUnder\ is a much stronger replacement for the ad-hoc ...\ substring checks.
• RPC dispatch hardening with \hasOwnProperty.call\ + \ ypeof handler === 'function'\ closes a real prototype-chain invocation vector.
• \isSafeExternalHttpsUrl\ and the sidebar command allowlist are clean, focused mitigations.
• The \�alanceTruncatedJson\ rewrite is more robust than the old 4-attempt approach.
• 
  eadTextWithByteLimit\ with streaming enforcement is a nice touch against response size bombs.

Two minor nits (non-blocking):

1. CHANGELOG.md — No entry was added for these changes. Consider adding a patch-level entry so users upgrading can see what changed.
2. *\setMatchesChar* in \safe-regex.ts\ — constructs a
   ew RegExp\ from extracted character class source. The try/catch fail-closed path handles it well, but a belt-and-suspenders length check on \source\ before construction could be a nice addition (low priority since outer pattern is already capped at 1000 chars).

LGTM — approving as-is. 🚀