fix(mcp): disable dns rebinding protection

disable dns rebinding protection in transport settings and simplify host/origin config.
remove unused os import and update comment to note that jwt auth middleware provides the primary security gate.

this reduces brittle host/origin allowlists and avoids relying on dns rebinding checks while keeping jwt-based authentication as the protection mechanism.

Author: mujtabaidrees94

src/plurality_mcp_server/app.py

@@ -1,33 +1,21 @@
 import asyncio
-import os
 
 from mcp.server.fastmcp import FastMCP
 from mcp.server.transport_security import TransportSecuritySettings
 from plurality_mcp_server.auth import JWTAuthMiddleware, prewarm_jwks
 from plurality_mcp_server.tools import register_tools
 
 # ── MCP app ──
-# host="0.0.0.0" for container networking; transport_security allows the
-# public domain forwarded by the reverse proxy (Traefik).
-_mcp_resource_url = os.getenv("MCP_RESOURCE_URL", "http://localhost:5051")
+# host="0.0.0.0" for container networking; DNS rebinding protection is
+# disabled because JWT auth middleware is the real security gate.
 mcp_app = FastMCP(
     name="mcp",
     stateless_http=True,
     json_response=True,
     host="0.0.0.0",
     port=5051,
     transport_security=TransportSecuritySettings(
-        enable_dns_rebinding_protection=True,
-        allowed_hosts=[
-            "localhost:*",
-            "127.0.0.1:*",
-            _mcp_resource_url.split("//")[-1],  # e.g. "dev.plurality.network"
-        ],
-        allowed_origins=[
-            "http://localhost:*",
-            "http://127.0.0.1:*",
-            _mcp_resource_url,                   # e.g. "https://dev.plurality.network"
-        ],
+        enable_dns_rebinding_protection=False,
     ),
 )
 register_tools(mcp_app)