Commit 42f8f2c
fix: default HASHLOCK_ENDPOINT -> /graphql (was /api/graphql cookie proxy)

/api/graphql is the browser-only Next.js SSR proxy — it reads the httpOnly
api-token cookie set by /sign/login and ignores the Authorization header.
External MCP clients (Claude Desktop, Cursor, Windsurf, Raycast, etc.) do
not set cookies, so every call returned

    {"errors":[{"message":"Unauthorized - missing api-token"}]}

with HTTP 401. Meanwhile the SDK (@hashlock-tech/sdk) has always sent
Authorization: Bearer ${accessToken} correctly.

/graphql is served directly by the Apollo gateway, accepts Bearer, and
is what every integrator expects per the README, ai-plugin.json, MCP
registry manifest, and llms.txt on hashlock.markets.

Bumps @hashlock-tech/sdk dep to ^0.1.4 which fixes a parallel issue
where SDK MAINNET_ENDPOINT was hardcoded to a compromised old droplet IP.

Ship as @hashlock-tech/mcp@0.1.8. 0.1.7 deprecated with migration note.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

1 parent df6794e commit 42f8f2c
3 files changed
Lines changed: 3758 additions & 4 deletions
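
An added example, not code from this commit or from the Hashlock project: a constructed JavaScript model of the two auth paths the commit message describes, plus a client-side preflight check for the configured endpoint. The handler names, token value, hosts and the check itself are assumptions; only the two paths, the api-token cookie name and the 401 error body come from the page.

```javascript
// Constructed model; handler names, token and hosts are hypothetical.
const VALID_TOKEN = "example-token"; // constructed sample value

function parseCookies(header = "") {
  const pairs = header.split(";").map((p) => p.trim()).filter(Boolean);
  return Object.fromEntries(pairs.map((p) => {
    const i = p.indexOf("=");
    return i < 0 ? [p, ""] : [p.slice(0, i), p.slice(i + 1)];
  }));
}

// /api/graphql: browser-only proxy. Reads the api-token cookie and never
// looks at the Authorization header.
function cookieProxyAuth(headers) {
  const token = parseCookies(headers.cookie)["api-token"];
  if (!token) {
    const message = "Unauthorized - missing api-token"; // body quoted on the page
    return { status: 401, body: { errors: [{ message }] } };
  }
  return { status: token === VALID_TOKEN ? 200 : 401 };
}

// /graphql: gateway. Accepts Authorization: Bearer <token>.
function gatewayAuth(headers) {
  const m = /^Bearer\s+(\S+)$/i.exec(headers.authorization || "");
  return { status: m && m[1] === VALID_TOKEN ? 200 : 401 };
}

const ROUTES = { "/api/graphql": cookieProxyAuth, "/graphql": gatewayAuth };
const send = (path, headers) => ROUTES[path](headers).status;

// Preflight for a configured endpoint (e.g. HASHLOCK_ENDPOINT): returns the
// reasons a Bearer-token client should refuse to use it.
function checkEndpoint(endpoint) {
  const url = new URL(endpoint);
  const problems = [];
  if (url.protocol !== "https:") problems.push("not https");
  if (url.pathname.replace(/\/+$/, "") === "/api/graphql")
    problems.push("cookie proxy path ignores Authorization");
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(url.hostname))
    problems.push("IP-literal host; pin a hostname you control");
  return problems;
}

// A valid Bearer token fails on the proxy path and succeeds on the gateway.
console.log(send("/api/graphql", { authorization: "Bearer example-token" }));
console.log(send("/graphql", { authorization: "Bearer example-token" }));
console.log(checkEndpoint("https://203.0.113.10/api/graphql")); // documentation-range IP
```

Running a check like `checkEndpoint` at client start-up turns a misconfigured or stale endpoint into an explicit configuration error instead of an opaque 401 at call time.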