
fix(ui): Normalize team_id whitespace checks across all edit functions and server-side visibility guard #4235

Open
shoummu1 wants to merge 2 commits into main from fix/normalize-team-id-visibility-coercion-3338
shoummu1 (Collaborator) commented Apr 16, 2026

📌 Summary

This PR contains two fixes:

1. Whitespace team_id visibility coercion

All 6 edit functions in the Admin UI (editTool, editGateway, editA2AAgent, editResource, editPrompt, editServer) were checking raw teamId truthiness to decide whether to coerce a public visibility record to team. A whitespace-only URL parameter (?team_id=%20) is truthy in JS, causing silent coercion while isTeamScopedView() — already trim-aware — correctly returned false. The Python server-side guard had the same gap. This fix makes all checks consistent.

2. Dead code removal in servers.js

serverDesc.textContent was assigned via decodeHtml() and then immediately overwritten with the raw value on the next line, making the decodeHtml call unreachable and causing HTML entities in server descriptions to render incorrectly.

🔗 Related Issue

Closes: #3338

🔁 Reproduction Steps

  1. Set ALLOW_PUBLIC_VISIBILITY=false.
  2. Navigate to the admin UI with ?team_id=%20 in the URL.
  3. Open the edit modal for any tool, gateway, A2A agent, resource, prompt, or server that has public visibility.
  4. Observe: the public radio button appears enabled (because isTeamScopedView() returns false), but the visibility is silently coerced to team on submit.

🐞 Root Cause

The effectiveVisibility ternary in each of the 6 edit functions used the raw URL-derived teamId/_teamId variable directly:

// Before — raw truthiness, no trim
teamId ? "team" : visibility

" " (whitespace) is truthy, so it triggered coercion. Meanwhile isTeamScopedView() in teams.js correctly trims before checking, returning false for whitespace-only values. The two code paths were inconsistent.

On the Python side, _check_public_visibility_allowed in admin.py had the same raw-truthiness check (and team_id).

💡 Fix Description

Fix 1 — Whitespace team_id coercion

  • JS (6 files): Added isTeamScopedView to the import from ./teams.js in each affected module and replaced the raw teamId / _teamId condition in the effectiveVisibility ternary with isTeamScopedView(). For editResource, editPrompt, and editServer, the now-redundant local _teamId variable was also removed.
  • Python (admin.py): Changed and team_id → and team_id and team_id.strip() in _check_public_visibility_allowed so both layers treat whitespace-only values as absent.

Fix 2 — Dead code removal (servers.js)

  • Removed the redundant serverDesc.textContent = server.description line that immediately overwrote the decodeHtml() result, so HTML entities in server descriptions are now decoded correctly.
  • Tests: Fixed the existing visibility-coercion test in prompts.test.js to include search in the mocked window.location (required since isTeamScopedView reads location.search, not href). Added a whitespace-only team_id test asserting no coercion occurs. Updated the teams.js mock in resources.test.js to export isTeamScopedView (previously missing, would throw at runtime in tests). Added 3 direct tests of _check_public_visibility_allowed in test_admin.py covering spaces-only, tab, and a real team_id to verify the team_id.strip() branch.

🧪 Verification

| Check | Command | Status |
|---|---|---|
| Lint suite | make lint | |
| Unit tests | make test | |
| Coverage ≥ 90 % | make coverage | |
| Manual regression no longer fails | Visit ?team_id=%20, open any edit modal with a public entity — coercion no longer occurs | |

📐 MCP Compliance (if relevant)

  • Matches current MCP spec
  • No breaking change to MCP clients

✅ Checklist

  • Code formatted (make black isort pre-commit)
  • No secrets/credentials committed

@shoummu1 shoummu1 force-pushed the fix/normalize-team-id-visibility-coercion-3338 branch from 05506ce to f438ad6 Compare April 17, 2026 06:04
Signed-off-by: Shoumi <shoumimukherjee@gmail.com>
Signed-off-by: Shoumi <shoumimukherjee@gmail.com>
@shoummu1 shoummu1 force-pushed the fix/normalize-team-id-visibility-coercion-3338 branch from f438ad6 to 27070e7 Compare April 20, 2026 05:09
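
The mismatch described under Root Cause, reduced to a stand-alone script (an added example, not code from this PR or the project). readTeamId, isTeamScoped, the two effectiveVisibility* functions and the sample query strings are hypothetical stand-ins; isTeamScoped is modelled on the trim-aware behaviour the description attributes to isTeamScopedView().

```javascript
// Added example: simplified model of the two code paths, not the project's code.

// Read team_id the way a URL-derived value reaches the edit functions.
function readTeamId(search) {
  return new URLSearchParams(search).get("team_id");
}

// Trim-aware check (assumed shape of isTeamScopedView): a missing, empty or
// whitespace-only team_id means the view is not team scoped.
function isTeamScoped(search) {
  const teamId = readTeamId(search);
  return typeof teamId === "string" && teamId.trim() !== "";
}

// Before: raw truthiness of the URL value decides the coercion.
function effectiveVisibilityBefore(search, visibility) {
  const teamId = readTeamId(search);
  return teamId ? "team" : visibility;
}

// After: one trim-aware predicate drives both the UI state and the coercion.
function effectiveVisibilityAfter(search, visibility) {
  return isTeamScoped(search) ? "team" : visibility;
}

// Constructed sample query strings: absent, empty, space, tab, "+" (space), real id.
const SAMPLES = [
  "",
  "?team_id=",
  "?team_id=%20",
  "?team_id=%09",
  "?team_id=+",
  "?team_id=team-123",
];

// Return the inputs where the scoping check and the coercion disagree,
// i.e. the UI would show one visibility and submit another.
function findInconsistencies(coerce) {
  return SAMPLES.filter(
    (s) => (coerce(s, "public") === "team") !== isTeamScoped(s)
  );
}

console.log("before:", findInconsistencies(effectiveVisibilityBefore));
console.log("after: ", findInconsistencies(effectiveVisibilityAfter));
```

The same table of inputs is a useful regression set for the server-side guard, since the description states that both layers must treat whitespace-only values as absent.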
Development

Successfully merging this pull request may close these issues.

[CHORE][UI]: Normalize team_id consistently across JS coercion checks and isTeamScopedView
