Add mcp-safety-scanner CI (baseline)#3295

Open
TheodorNEngoy wants to merge 11 commits into modelcontextprotocol:main from TheodorNEngoy:codex/mcp-safety-scan
Conversation

@TheodorNEngoy

Adds a lightweight MCP/tool-server safety scan in CI using TheodorNEngoy/mcp-safety-scanner@v0.

  • Scans src for common footguns (CORS allow-all/reflect, eval/exec, etc.)
  • Uses a committed baseline (.mcp-safety-baseline.json) to avoid noisy legacy findings
  • CI fails only on high+ severity (medium/low show as annotations)

Refresh baseline (no Node required):
docker run --rm -v "/tmp/mcp-servers.2eGvhp:/repo" ghcr.io/theodornengoy/mcp-safety-scanner:v0 /repo/src --write-baseline /repo/.mcp-safety-baseline.json --fail-on=none

@TheodorNEngoy

FYI: This adds an MCP security scan workflow using TheodorNEngoy/mcp-safety-scanner@v0 (no secrets). It runs against src/ with a checked-in baseline to avoid legacy noise, and fails CI only on new high-severity findings.

Happy to adjust the baseline scope or pin to a specific tag if you prefer.

@TheodorNEngoy

Update: I pinned the workflow to an immutable commit SHA for supply-chain safety (commented with the corresponding version), and set for a read-only token.

@TheodorNEngoy

(clarification) Also set GitHub Actions workflow permissions to contents: read (read-only GITHUB_TOKEN).

@TheodorNEngoy

FYI: I also opened #3303 to remove the current high-severity findings in the baseline (wildcard CORS in the Everything server HTTP transports). If/when that lands, we can regenerate the baseline to drop those entries (and likely keep only the remaining medium ones).

@TheodorNEngoy

Update: bumped scanner pin to v0.4.9 (false-positive reductions) and regenerated .mcp-safety-baseline.json using baseline v2 fingerprints (includes line/column) to avoid over-suppressing future findings.
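The two mechanisms this thread relies on, a committed baseline that suppresses known findings and a severity threshold that decides whether CI fails, are easy to get subtly wrong, and the last comment's switch to line/column fingerprints is the reason why. The following is an added illustration written for this page; it is not code from mcp-safety-scanner or from the servers repository. It assumes its own toy rule patterns for the footgun classes the PR description names (wildcard/reflected CORS, eval/exec), its own two fingerprint schemes standing in for "v1" (rule + file) and "v2" (rule + file + line + column), a constructed Express-style file named server.ts, and a constructed second revision of that file. It shows that a coarse baseline silently swallows a newly introduced wildcard CORS header, while the finer one surfaces it and trips the high-severity gate.

```python
import hashlib
import json
import re
from dataclasses import dataclass

# Illustrative rule table: (rule id, severity, pattern). These patterns are
# this example's own, not the scanner's rules; they only cover the footgun
# classes named in the PR description.
RULES = [
    ("cors-allow-all", "high",
     re.compile(r"""Access-Control-Allow-Origin["']?\s*[:,]\s*["']\*["']""")),
    ("cors-reflect-origin", "high",
     re.compile(r"""Access-Control-Allow-Origin["']?\s*[:,].*\b(req|request)\.headers""")),
    ("eval-exec", "medium", re.compile(r"\b(eval|exec)\s*\(")),
]
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    path: str
    line: int
    column: int


def scan_source(path, text):
    """Return one Finding per rule match, with 1-based line and column."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, severity, pattern in RULES:
            match = pattern.search(line)
            if match:
                findings.append(Finding(rule, severity, path, lineno, match.start() + 1))
    return findings


def fingerprint(finding, version):
    """Assumed schemes: v1 keys on rule+file; v2 also binds line and column."""
    if version == 1:
        key = f"{finding.rule}|{finding.path}"
    else:
        key = f"{finding.rule}|{finding.path}|{finding.line}|{finding.column}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def write_baseline(findings, version):
    """Serialise the current findings as a committed baseline (JSON text)."""
    fps = sorted({fingerprint(f, version) for f in findings})
    return json.dumps({"version": version, "fingerprints": fps}, indent=2)


def new_findings(findings, baseline_json):
    """Drop every finding whose fingerprint is already in the baseline."""
    baseline = json.loads(baseline_json)
    known = set(baseline["fingerprints"])
    return [f for f in findings if fingerprint(f, baseline["version"]) not in known]


def ci_exit_code(findings, fail_on="high"):
    """1 if any finding is at or above the fail-on severity, else 0."""
    threshold = SEVERITY_RANK[fail_on]
    if threshold == 0:
        return 0
    return 1 if any(SEVERITY_RANK[f.severity] >= threshold for f in findings) else 0


def run_scan(path, text, baseline_json, fail_on="high"):
    """Scan, subtract the baseline, and gate the way the CI job would."""
    unsuppressed = new_findings(scan_source(path, text), baseline_json)
    return unsuppressed, ci_exit_code(unsuppressed, fail_on)


# Constructed sample: an Express-style HTTP transport as it looked when the
# baseline was committed (one wildcard CORS header, one eval).
ORIGINAL_SRC = """\
import express from "express";
const app = express();
app.use((req, res, next) => {
  res.setHeader("Access-Control-Allow-Origin", "*");
  next();
});
app.post("/run", (req, res) => res.json(eval(req.body.code)));
"""

# Constructed follow-up: the same file after a change adds a second wildcard
# CORS header that was never reviewed against the baseline.
CHANGED_SRC = ORIGINAL_SRC + """\
app.get("/sse", (req, res) => {
  res.setHeader("Access-Control-Allow-Origin", "*");
  res.send("ok");
});
"""

if __name__ == "__main__":
    legacy = scan_source("server.ts", ORIGINAL_SRC)
    for version in (1, 2):
        baseline = write_baseline(legacy, version)
        new, code = run_scan("server.ts", CHANGED_SRC, baseline, "high")
        print(f"baseline v{version}: {len(new)} new finding(s), exit {code}")
```

With the coarse scheme the second wildcard header has the same rule and file as the baselined one, so it is suppressed and CI stays green; with the line/column scheme it is a new fingerprint, CI exits 1, and the medium eval finding alone would not fail the job. The trade-off is that a fingerprint bound to a line re-surfaces baselined findings whenever unrelated edits shift them, which is exactly when the baseline should be regenerated rather than widened.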
