fix: task 7 — production hardening quick fixes

- Replace 4 bare `except:` with `except Exception:` (load_settings,
  get_txt, get_icon_idx_for_file, process_file cleanup block) so
  SystemExit and KeyboardInterrupt are no longer swallowed
- Replace 2 print() calls with logger.error() (__init__ MSAL init,
  ensure_valid_token) so errors appear in the configurable log output
- Sanitize item['name'] with os.path.basename() in on_download_clicked
  and _download_folder_recursive_sync to prevent path traversal from
  server-controlled filenames
- Add 8 new unit tests covering all Task 7 changes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

tests/test_review_fixes.py

@@ -221,5 +221,64 @@ class TestIsBreakcrumbRemoved(unittest.TestCase):
         self.assertIn("tree_item", sig.parameters)
 
 
+# ---------------------------------------------------------------------------
+# Task 7: bare except → except Exception, print → logger, basename sanitization
+# ---------------------------------------------------------------------------
+
+class TestTask7BareExcept(unittest.TestCase):
+    """Verify that bare except: clauses have been replaced with except Exception:."""
+
+    def _get_source_lines(self):
+        return inspect.getsource(sb).splitlines()
+
+    def test_no_bare_except_in_load_settings(self):
+        """7a: load_settings() uses except Exception, not bare except."""
+        source = inspect.getsource(sb.load_settings)
+        self.assertNotIn("except:", source,
+            "load_settings still has a bare except:")
+
+    def test_no_bare_except_in_get_txt(self):
+        """7a: get_txt() uses except Exception, not bare except."""
+        source = inspect.getsource(sb.SharePointApp.get_txt)
+        self.assertNotIn("except:", source,
+            "get_txt still has a bare except:")
+
+    def test_no_bare_except_in_get_icon_idx(self):
+        """7a: get_icon_idx_for_file() uses except Exception, not bare except."""
+        source = inspect.getsource(sb.SharePointApp.get_icon_idx_for_file)
+        self.assertNotIn("except:", source,
+            "get_icon_idx_for_file still has a bare except:")
+
+    def test_no_bare_except_in_process_file(self):
+        """7a: process_file() cleanup block uses except Exception, not bare except."""
+        source = inspect.getsource(sb.SharePointApp.process_file)
+        self.assertNotIn("except:", source,
+            "process_file still has a bare except: in cleanup block")
+
+    def test_no_print_in_msal_init(self):
+        """7b: MSAL init error uses logger, not print()."""
+        source = inspect.getsource(sb.SharePointApp.__init__)
+        self.assertNotIn('print(f"MSAL Init Error', source,
+            "__init__ still uses print() for MSAL Init Error")
+
+    def test_no_print_in_ensure_valid_token(self):
+        """7b: ensure_valid_token() uses logger, not print()."""
+        source = inspect.getsource(sb.SharePointApp.ensure_valid_token)
+        self.assertNotIn('print(f"Token refresh error', source,
+            "ensure_valid_token still uses print() for token error")
+
+    def test_basename_in_download_folder_recursive(self):
+        """7c: _download_folder_recursive_sync uses os.path.basename on item name."""
+        source = inspect.getsource(sb.SharePointApp._download_folder_recursive_sync)
+        self.assertIn("os.path.basename", source,
+            "_download_folder_recursive_sync does not sanitize item['name'] with basename")
+
+    def test_basename_in_on_download_clicked(self):
+        """7c: on_download_clicked uses os.path.basename when building dest_path for folders."""
+        source = inspect.getsource(sb.SharePointApp.on_download_clicked)
+        self.assertIn("os.path.basename", source,
+            "on_download_clicked does not sanitize item['name'] with basename for folder downloads")
+
+
 if __name__ == "__main__":
     unittest.main(verbosity=2)