feat: enhance security measures for MCP server interactions

- Restricted CORS to localhost origins to prevent remote code execution (RCE) attacks.
- Updated MCP server configuration handling to enforce security warnings when adding or importing servers.
- Introduced a SecurityWarningDialog to inform users about potential risks associated with server commands and configurations.
- Ensured that only serverId is accepted for testing server connections, preventing arbitrary command execution.

These changes improve the overall security posture of the MCP server management and usage.

apps/ui/src/lib/http-api-client.ts

@@ -1141,6 +1141,8 @@ export class HttpApiClient implements ElectronAPI {
   };
 
   // MCP API - Test MCP server connections and list tools
+  // SECURITY: Only accepts serverId, not arbitrary serverConfig, to prevent
+  // drive-by command execution attacks. Servers must be saved first.
   mcp = {
     testServer: (
       serverId: string
@@ -1160,33 +1162,6 @@ export class HttpApiClient implements ElectronAPI {
       };
     }> => this.post('/api/mcp/test', { serverId }),
 
-    testServerConfig: (serverConfig: {
-      id: string;
-      name: string;
-      description?: string;
-      type?: 'stdio' | 'sse' | 'http';
-      command?: string;
-      args?: string[];
-      env?: Record<string, string>;
-      url?: string;
-      headers?: Record<string, string>;
-      enabled?: boolean;
-    }): Promise<{
-      success: boolean;
-      tools?: Array<{
-        name: string;
-        description?: string;
-        inputSchema?: Record<string, unknown>;
-        enabled: boolean;
-      }>;
-      error?: string;
-      connectionTime?: number;
-      serverInfo?: {
-        name?: string;
-        version?: string;
-      };
-    }> => this.post('/api/mcp/test', { serverConfig }),
-
     listTools: (
       serverId: string
     ): Promise<{