fix(security): disable mcp action apply writes #45

Merged. JSONbored merged 1 commit into main from codex/fix-mcp-self-confirm-apply on May 6, 2026.

Conversation

@JSONbored (Owner)

Summary

  • removes write-capable MCP action apply from the advertised tool surface
  • blocks cached/manual nightward_action_apply calls before action-registry dispatch
  • updates MCP docs/site/threat model to state that MCP is read-only and can only list/preview actions

What changed

  • nightward_action_apply is no longer returned by tools/list
  • all advertised MCP tools are asserted read-only and non-destructive in tests
  • direct/cached nightward_action_apply calls return an MCP tool-result error without accepting disclosure or writing local state
  • docs contract expected tool count now matches the runtime registry

Why

  • MCP client arguments are attacker-controlled and cannot serve as out-of-band local confirmation for destructive writes
  • this closes the validated self-confirm path where an MCP client could accept disclosure and then execute registry actions like provider installs

Validation

  • env PATH="$HOME/.cargo/bin:/opt/homebrew/bin:$PATH" cargo test -p nightward-core mcpserver::tests -- --nocapture
  • real stdio MCP reproducer: self-accept disclosure and provider install calls return disabled in MCP and do not create settings/audit writes
  • real stdio MCP reproducer after out-of-band disclosure: backup snapshot and provider install calls remain blocked and do not create snapshots
  • node scripts/generate-reference-docs.mjs --check
  • cd site && npm test
  • make verify
  • make test-security
  • make fuzz-check skipped locally because cargo-fuzz is not installed
  • git diff --check

Signed-off-by: JSONbored <49853598+JSONbored@users.noreply.github.com>
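As an added illustration of the guard this PR describes (not the nightward-core code itself): the write-capable tool is filtered out of what tools/list advertises, and a direct or cached call to it is rejected with a tool-result error before the action registry runs, so a client-supplied disclosure flag never counts as confirmation and no local state is written. The tool names other than nightward_action_apply, the LocalState shape and the accept_disclosure argument are assumptions for the example.

```rust
// Example only; registry names besides nightward_action_apply and the state shape are assumed.
#[derive(Debug, PartialEq)]
pub enum McpError {
    /// Surfaced to the client as an MCP tool-result error, never as a dispatched action.
    DisabledInMcp(String),
    UnknownTool(String),
}

#[derive(Clone, Copy)]
pub struct ToolSpec { pub name: &'static str, pub read_only: bool, pub destructive: bool }

/// Full internal action registry; only a subset of it may be advertised over MCP.
const REGISTRY: &[ToolSpec] = &[
    ToolSpec { name: "nightward_action_list", read_only: true, destructive: false },    // assumed name
    ToolSpec { name: "nightward_action_preview", read_only: true, destructive: false }, // assumed name
    ToolSpec { name: "nightward_action_apply", read_only: false, destructive: true },
];

/// Local state a write-capable apply would touch (constructed for the example).
#[derive(Default, Debug, PartialEq)]
pub struct LocalState { pub settings_writes: usize, pub audit_writes: usize }

/// tools/list: advertise only tools that are both read-only and non-destructive.
pub fn advertised_tools() -> Vec<&'static str> {
    REGISTRY.iter().filter(|t| t.read_only && !t.destructive).map(|t| t.name).collect()
}

/// The registry path that performs settings/audit writes; must be unreachable from MCP.
fn apply_via_registry(state: &mut LocalState) -> String {
    state.settings_writes += 1;
    state.audit_writes += 1;
    "applied".to_string()
}

/// Guard in front of action-registry dispatch. A cached or manual call to the apply
/// tool is refused before any disclosure handling or local write happens.
pub fn dispatch(tool: &str, accept_disclosure: bool, state: &mut LocalState) -> Result<String, McpError> {
    let spec = REGISTRY.iter().find(|t| t.name == tool)
        .ok_or_else(|| McpError::UnknownTool(tool.to_string()))?;
    if !spec.read_only || spec.destructive {
        // MCP client arguments are attacker-controlled: the flag is not out-of-band confirmation.
        let _ = accept_disclosure;
        return Err(McpError::DisabledInMcp(tool.to_string()));
    }
    // Registry dispatch: the only write-capable handler sits behind the guard above.
    Ok(match spec.name {
        "nightward_action_apply" => apply_via_registry(state),
        _ => format!("{tool}: ok"),
    })
}
```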
@JSONbored JSONbored merged commit e4a506e into main May 6, 2026
15 checks passed
@JSONbored JSONbored deleted the codex/fix-mcp-self-confirm-apply branch May 6, 2026 08:54