safer remote config and oracle requests, plus working tests #12

Open: mooncitydev wants to merge 1 commit into Typus-Lab:main from mooncitydev:safer-remote-config-and-ci-tests

@mooncitydev

This change set tightens a few places that talk to the network and makes the published test script something contributors can actually run.

Remote typus config (TypusConfig.default)

  • Validates the branch argument before it is embedded in the GitHub raw URL (blocks .., %, and odd characters) so the path cannot be abused when a caller passes untrusted input.
  • Checks response.ok before json() and throws a clear error on HTTP failures instead of silently parsing error pages.

Oracle price request

  • Encodes the pair / tokenType query value with encodeURIComponent so struct tags cannot break out of the pair parameter.
  • Adds a 30s axios timeout so clients do not hang forever on a stuck endpoint.

Tooling

  • Adds npm overrides so @mysten/kiosk uses the same @mysten/sui as the package (matches the existing Yarn resolutions intent and fixes duplicate-Transaction type errors under npm).
  • Replaces rm -rf in build with rimraf so npm run build works on Windows.
  • Adds the missing Mocha/ts-mocha dev dependencies, src/* path mapping for ts-node, and test/test_smoke.ts with real unit coverage for the new branch helper and oracle parsing.
  • Adjusts .gitignore so test/test_smoke.ts is not excluded by the broad test*.ts rule.

Summary: made by mooncitydev
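
As an added illustration of the branch validation, `response.ok` check and query encoding described in the summary above (not code from this pull request or the Typus SDK): the function names, the `OWNER/REPO` URL placeholder, the file name, the oracle endpoint and the exact allowlist are assumptions.

```typescript
// Added illustration; all names and the URL layout are hypothetical.
const RAW_BASE = "https://raw.githubusercontent.com/OWNER/REPO"; // placeholder
const CONFIG_FILE = "config.json"; // placeholder file name

// Allowlist: letters, digits, dot, dash, underscore, slash. "%" is absent,
// so percent-encoded traversal such as "%2e%2e" is rejected as well.
const BRANCH_RE = /^[A-Za-z0-9._\/-]{1,100}$/;

function assertSafeBranch(branch: string): string {
  if (!BRANCH_RE.test(branch)) {
    throw new Error("invalid branch: disallowed character or length");
  }
  // ".." anywhere, empty segments ("//", leading or trailing "/") and "."
  // segments would change which path the raw URL resolves to.
  const badSegment = branch.split("/").some((s) => s === "" || s === ".");
  if (branch.indexOf("..") !== -1 || badSegment) {
    throw new Error("invalid branch: bad path segment");
  }
  return branch;
}

// The branch is validated first, then embedded in the path.
function buildConfigUrl(branch: string): string {
  return RAW_BASE + "/" + assertSafeBranch(branch) + "/" + CONFIG_FILE;
}

// Call this before response.json(): an HTTP error page is not config.
function ensureOk(res: { ok: boolean; status: number }): void {
  if (!res.ok) {
    throw new Error("config fetch failed: HTTP " + res.status);
  }
}

// The pair value is a caller-supplied struct tag. Encoding keeps "&", "=",
// "#" and "?" inside the single pair parameter.
function buildOracleUrl(endpoint: string, pair: string): string {
  return endpoint + "?pair=" + encodeURIComponent(pair);
}
```
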
