Harden HTTP transport configuration

[ryderstorm]

Summary

Implement secure HTTP transport defaults for the SDD MCP server so browser-based MCP clients can connect without workarounds.

Tasks

• Add fastmcp.json profiles for stdio, development HTTP, and production HTTP transports
• Expose host, port, and CORS configuration via environment variables in mcp_server/config.py
• Apply CORS middleware in mcp_server/__init__.py when HTTP transport is enabled
• Document the transport configuration knobs in docs/operations.md and README.md

Acceptance Criteria

• Browser-based clients (e.g., Claude Desktop web) can invoke prompts without CORS failures
• SDD_HTTP_HOST and SDD_HTTP_PORT control bind address and port with sensible defaults
• CORS origins, headers, and methods are overridable via environment variables with secure defaults
• fastmcp run --transport http uses the hardened configuration described in documentation