Feat/mcp public mode (#82)

* feat(aimdb-mcp): add --public and --socket CLI flags

Add clap for CLI argument parsing with two new flags:

- --public: restricts the MCP server to 3 read-only tools
  (discover_instances, list_records, get_record) for use on
  untrusted/internet-facing endpoints. Non-public tools are
  excluded from tools/list and rejected in tools/call.

- --socket <PATH>: sets a default Unix socket path for all
  tool connections (equivalent to AIMDB_SOCKET env var).

Also provides --help and --version for free via clap.

Ref: design doc 007 (public MCP endpoint)

* chore: update rand dependency to version 0.10.1 across multiple Cargo.toml files

* fix: update ignore list for rustls-webpki CRL issue

* feat: replace rng.gen with rng.random for consistent random number generation

* feat(mcp): implement public mode restrictions and tests for tool access

* feat(mcp): refactor socket handling to use set_default_socket function

* feat(mcp): update MCP server configuration and enhance README for public mode

* feat(mcp): update changelogs to document public mode features and dependency upgrades

* feat(mcp): enhance public mode restrictions and update changelog for clarity

Author: lxsaah

.vscode/mcp.json

@@ -1,13 +1,8 @@
 {
     "servers": {
-        "aimdb": {
-            "type": "stdio",
-            "command": "/aimdb_ws/aimdb/target/release/aimdb-mcp",
-            "args": [],
-            "env": {
-                "RUST_LOG": "info",
-                "AIMDB_WORKSPACE": "${workspaceFolder}"
-            }
+        "aimdb-weather": {
+            "type": "http",
+            "url": "http://aimdb.dev/mcp"
         }
     }
 }

CHANGELOG.md

@@ -29,6 +29,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+- **MCP public mode**: New `--public` flag restricts the MCP server to read-only tools for safe internet-facing deployments with SSRF protection ([tools/aimdb-mcp](tools/aimdb-mcp/CHANGELOG.md))
+- **MCP `--socket` flag**: Default socket path can be set at startup, simplifying single-instance workflows ([tools/aimdb-mcp](tools/aimdb-mcp/CHANGELOG.md))
 - **Context-Aware Deserializers (Design 026)**: Inbound connector deserializers can now receive a `RuntimeContext<R>` for platform-independent timestamps and logging
   - New `.with_deserializer(|ctx, bytes| ...)` API on `InboundConnectorBuilder` provides `RuntimeContext<R>` to deserialization closures
   - New `.with_deserializer_raw(|bytes| ...)` for plain bytes-only deserialization when context is unnecessary
@@ -50,6 +52,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **aimdb-knx-connector**: Updated router dispatch for new `route()` signature; outbound publishers dispatch via `SerializerKind`
 - **aimdb-websocket-connector**: Updated router dispatch for new `route()` signature; outbound publishers dispatch via `SerializerKind`
 - All connector examples updated to use new `.with_deserializer(|_ctx, bytes| ...)` and `.with_serializer_raw(|value| ...)` signatures
+- **`rand` 0.8 → 0.10.1**: Upgraded across workspace (`aimdb-data-contracts`, `aimdb-embassy-adapter`, examples). Migrated API: `gen` → `random`, `SmallRng` seed size 16 → 32, added `RngExt` imports.
+- **README**: Reordered quickstart — remote MCP exploration (zero install) is now step 2, local Docker setup moved to step 3.
 
 ## [1.0.0] - 2026-03-16