Harden artifact download path validation

[danmoseley]

Note

This PR description was drafted with GitHub Copilot assistance.

Fixes #1181

Clarify and harden path validation for pipelines_download_artifact.

The tool rejects absolute destinationPath values, but agents primarily see runtime MCP tool descriptions rather than repository docs. In Copilot CLI I got

Tool: ado-dnceng-public-pipelines_download_artifact
Args: { "project": "public", "buildId": 1395596, "artifactName": "Windows_NT_Libraries Test Run release coreclr windows x86 Release_Attempt1", "destinationPath": "C:\\temp\\runtime-127406-testresults" }
Result: Invalid destinationPath: absolute paths and path traversals are not allowed.

This PR makes the relative-only requirement visible in both the top-level tool description and the destinationPath parameter description.

It also strengthens validation by treating artifactName as a name rather than a path and rejecting path separators, absolute paths, drive-letter syntax, and ./.. path segments.

GitHub issue number

#1181

Associated Risks

This intentionally keeps absolute destinationPath values rejected to avoid arbitrary local write locations. Agents that currently pass absolute paths will receive a clearer pre-call schema description and a clearer validation error.

✅ PR Checklist

• I have read the contribution guidelines
• I have read the code of conduct guidelines
• Title of the pull request is clear and informative.
• 👌 Code hygiene
• 🔭 Telemetry added, updated, or N/A
• 📄 Documentation added, updated, or N/A
• 🛡️ Automated tests added, or N/A

🧪 How did you test it?

• npm test -- --runTestsByPath test/src/tools/pipelines.test.ts --runInBand
• npm run validate-tools

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@546e37d). Learn more about missing BASE report.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1185   +/-   ##
=======================================
  Coverage        ?   90.26%           
=======================================
  Files           ?       19           
  Lines           ?     2126           
  Branches        ?      498           
=======================================
  Hits            ?     1919           
  Misses          ?      111           
  Partials        ?       96           

Flag	Coverage Δ
unittests	90.26% <100.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.