refactor: harden WebSocket server and simplify MCP types

Security hardening for server-ws.cpp:
- Add payload size limit (10MB) to prevent DoS via huge allocations
- Add message buffer limit (100MB) for fragmented messages
- Add receive buffer limit (16MB)
- Add connection limit (1000) to prevent thread exhaustion
- Add socket timeout (30s) to prevent slow-loris attacks
- Validate RSV bits per RFC 6455
- Enforce client frame masking per RFC 6455
- Limit PONG response size to 125 bytes per spec

Code simplification:
- Remove dead code in server-mcp-bridge.cpp (if/else did same thing)
- Remove unused JSON-RPC types from server-mcp.h (~100 lines)
- Use SDK Tool type directly instead of custom McpTool
- Remove convertToolToMcpTool conversion function
- Clean up unused FE types in mcp.ts (~90 lines)

Net result: -172 lines while adding comprehensive security protections

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
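
The frame-level checks listed in the commit message (RSV bits, client masking, the 125-byte control-frame limit, the 10MB payload cap) can be enforced on the header alone, before any payload buffer is sized. The following is an added example, not code from this commit or from server-ws.cpp; `check_client_frame`, `FrameHeader`, `FrameCheck` and `kMaxPayload` are hypothetical names, and it assumes no WebSocket extension was negotiated.

```cpp
#include <cstddef>
#include <cstdint>

// Limit taken from the commit message; all names here are illustrative.
constexpr uint64_t kMaxPayload = 10ull * 1024 * 1024;  // 10MB per-frame payload cap

enum class FrameCheck { Ok, NeedMore, RsvSet, Unmasked, ControlTooLong, ControlFragmented, TooLarge };

struct FrameHeader {
    bool fin = false;
    uint8_t opcode = 0;
    uint64_t payload_len = 0;
    uint8_t mask_key[4] = {0, 0, 0, 0};
    size_t header_len = 0;  // bytes consumed by the header, including the mask key
};

// Parse and validate one client-to-server frame header (RFC 6455 section 5.2).
// Nothing is allocated here, so a hostile length field is rejected before any buffer grows.
FrameCheck check_client_frame(const uint8_t* buf, size_t len, FrameHeader& out) {
    if (len < 2) return FrameCheck::NeedMore;
    out.fin = (buf[0] & 0x80) != 0;
    out.opcode = buf[0] & 0x0F;
    // RSV1-3 must be zero unless an extension was negotiated (none assumed here).
    if (buf[0] & 0x70) return FrameCheck::RsvSet;
    // Every client frame must be masked.
    if (!(buf[1] & 0x80)) return FrameCheck::Unmasked;

    uint64_t plen = buf[1] & 0x7F;
    size_t pos = 2;
    const bool is_control = (out.opcode & 0x08) != 0;
    if (is_control) {
        // Control frames (close, ping, pong) carry at most 125 bytes and are never fragmented.
        if (plen > 125) return FrameCheck::ControlTooLong;
        if (!out.fin) return FrameCheck::ControlFragmented;
    } else if (plen == 126 || plen == 127) {
        const size_t ext = (plen == 126) ? 2 : 8;  // 16-bit or 64-bit extended length
        if (len < pos + ext) return FrameCheck::NeedMore;
        plen = 0;
        for (size_t i = 0; i < ext; ++i) plen = (plen << 8) | buf[pos + i];
        pos += ext;
    }
    if (plen > kMaxPayload) return FrameCheck::TooLarge;
    if (len < pos + 4) return FrameCheck::NeedMore;
    for (size_t i = 0; i < 4; ++i) out.mask_key[i] = buf[pos + i];
    out.payload_len = plen;
    out.header_len = pos + 4;
    return FrameCheck::Ok;
}
```

A caller would close the connection on any result other than `Ok` or `NeedMore`, and apply the fragmented-message and receive-buffer limits separately as payload bytes accumulate.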