
Restrict dev MCP server to loopback hosts #93900

Open
2830500285 wants to merge 3 commits into vercel:canary from 2830500285:fix/mcp-loopback-host-check


Conversation

@2830500285

Summary

  • enable MCP SDK DNS rebinding protection for the dev MCP transport
  • allow only loopback hosts (localhost, 127.0.0.1, [::1]) on the active dev-server port
  • add unit coverage for the allowed host list when the dev server is bound to 0.0.0.0

Test Plan

  • git diff --check -- packages/next/src/server/mcp/get-mcp-middleware.ts packages/next/src/server/mcp/get-mcp-middleware.test.ts
  • Verified with a local next@16.3.0-canary.21 app started via next dev -H 0.0.0.0 -p 3100:
    • http://127.0.0.1:3100/_next/mcp still returns HTTP 200
    • http://192.168.188.88:3100/_next/mcp returns HTTP 403 Invalid Host header

Note: this sparse checkout does not have node_modules installed, so the Jest test could not be run locally here.

@2830500285 force-pushed the fix/mcp-loopback-host-check branch from 640ceb6 to 9e2911d on May 20, 2026 02:51
@2830500285 (Author)

Thanks for reviewing this PR. I have updated the branch and all commits are now verified. The completed checks are green; the remaining blockers appear to be maintainer approval for the pending workflows and a write-access review.

Could a maintainer please approve the pending workflows and take another look when possible? I would appreciate getting this merged if everything looks good.
