fix(admin): address Copilot review feedback

- Escape the row class attribute: replace the inline ternary that
  conditionally injected ` class="disabled"` with a computed
  `$row_class` string echoed through esc_attr(). Resolves the
  WordPress.Security.EscapeOutput risk Copilot flagged at line 204.
- wp_die() in render_page() now passes response code 403 + back_link
  so automated clients and access logs reflect the authorization
  failure correctly instead of falling back to a generic error.

Both changes are local to includes/Admin/SettingsPage.php. No behavior
change beyond the response code; the same denial still blocks the
render path when current_user_can( manage_options ) is false.

Refs Copilot review on PR #184.

Co-authored-by: webmyc <urbankidro@git.wordpress.org>

Author: webmyc

includes/Admin/SettingsPage.php

@@ -157,7 +157,14 @@ public function discover_abilities(): array {
 	 */
 	public function render_page(): void {
 		if ( ! current_user_can( self::CAPABILITY ) ) {
-			wp_die( esc_html__( 'You do not have permission to access this page.', 'mcp-adapter' ) );
+			wp_die(
+				esc_html__( 'You do not have permission to access this page.', 'mcp-adapter' ),
+				esc_html__( 'Permission denied', 'mcp-adapter' ),
+				array(
+					'response'  => 403,
+					'back_link' => true,
+				)
+			);
 		}
 
 		$abilities = $this->discover_abilities();
@@ -201,7 +208,8 @@ public function render_page(): void {
 						</thead>
 						<tbody>
 							<?php foreach ( $abilities as $name => $info ) : ?>
-								<tr<?php echo $info['managed'] ? ' class="disabled"' : ''; ?>>
+								<?php $row_class = $info['managed'] ? 'disabled' : ''; ?>
+								<tr class="<?php echo esc_attr( $row_class ); ?>">
 									<td>
 										<?php if ( $info['managed'] ) : ?>
 											<input type="checkbox" disabled aria-label="<?php echo esc_attr( sprintf( /* translators: %s: ability name. */ __( 'Managed by adapter: %s', 'mcp-adapter' ), $name ) ); ?>" />