CM-61587 MCP scan improvements

[omerr-cycode]

Scan by path — no more inline file contents
All four scan tools (cycode_secret_scan, cycode_sca_scan, cycode_iac_scan, cycode_sast_scan) now accept a paths parameter: a list of file or directory paths that exist on disk.

# Before — AI had to read every file and serialize it
cycode_sast_scan(files={"src/app.py": "<full content>", ...})

# Now — just point to a directory
cycode_sast_scan(paths=["./src"])

Directories are scanned recursively. The Cycode engine handles file discovery and filtering internally, exactly as cycode scan -t sast path ./src does from the CLI. This eliminates token overhead and the previous hard limit on large files like package-lock.json. The files parameter still works as a fallback for in-memory content not yet saved to disk.

Scan results include a plain-English summary
Every successful scan response now includes a "summary" field at the top level:

{
  "summary": "Cycode found 3 violations: 1 CRITICAL, 2 HIGH.",
  "detections": [...],
  ...
}

No parsing required to answer "did anything fail?" — the AI client and the human reading the output both get an immediate answer. Severity counts are ordered CRITICAL → HIGH → MEDIUM → LOW.

Pre-authorize tools for subagent use (Claude Code)
Scans launched inside Claude Code subagents (parallel background tasks) were failing because interactive permission prompts can't be shown in that context. The fix is a one-time addition to ~/.claude/settings.json:

  {
    "allowedTools": [
      "mcp__cycode__cycode_secret_scan",
      "mcp__cycode__cycode_sca_scan",
      "mcp__cycode__cycode_iac_scan",
      "mcp__cycode__cycode_sast_scan",
      "mcp__cycode__cycode_status"
    ]
  }

Once set, all Cycode tools work in foreground and background subagent contexts without re-prompting.