fix: bump mcp/fastmcp minimums for CVEs #144
…Authored-By: Claude <noreply@anthropic.com>
This PR addresses the fastmcp CVE dependency issue (#139) which is still not resolved in main. The current pyproject.toml still has mcp>=1.0.0,<2 which may resolve to vulnerable fastmcp versions. Worth reviving — it's a 2-line change to update dependency constraints.
Thank you for this @zerone0x — closing as superseded by PR #222, which bumps `fastmcp` to `>=2.14.0,<3`. That PR covers the same CVE fix plus the transitive `fakeredis` breakage (#195), the Windows event-loop hang (#46 / #136), and several unrelated fixes. Verified locally: all 24 tools register on fastmcp 2.14.6, all 695 tests pass, coverage 73.6%. Really appreciate you flagging this — you were first on the CVE and your PR pushed the conversation forward. #222 will ship in the next release (v2.2.4) once Windows testing lands.
## Summary
- bump mcp to >=2.0.0,<3
- bump fastmcp to >=2.14.0,<3 to avoid critical CVEs

Fixes #139

## Test plan
- not run (dependency version change only)

🤖 Generated with Claude Code
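The point of the PR is that a lower bound like `mcp>=1.0.0,<2` still lets the resolver pick releases below the patched floor. The script below is an added example (not code from this PR or from the mcp/fastmcp projects) that checks whether a `pyproject.toml`-style constraint still admits any release older than a given floor. It implements only a simplified subset of PEP 440 (dotted numeric releases, the six comparison operators), and the release lists it is run against are constructed for the demonstration, not real PyPI history; the floors `2.0.0` and `2.14.0` are the minimums this PR sets.

```python
"""Check whether a dependency constraint still admits releases below a
patched floor. Added example, not part of the PR. Version handling is a
simplified subset of PEP 440: dotted numeric releases only."""
from __future__ import annotations

from typing import Callable

# Comparison operators, longest spellings first so ">=" is tried before ">".
_OPS: dict[str, Callable[[tuple, tuple], bool]] = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn 'X.Y.Z' (or 'X' / 'X.Y') into a comparable 3-tuple; missing parts are 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported version: {text!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def split_requirement(requirement: str) -> tuple[str, str]:
    """Split 'mcp>=1.0.0,<2' into ('mcp', '>=1.0.0,<2')."""
    for i, ch in enumerate(requirement):
        if ch in "<>=!":
            return requirement[:i].strip(), requirement[i:].strip()
    return requirement.strip(), ""  # unpinned: admits everything


def parse_specifier(spec: str) -> list[tuple[str, tuple[int, int, int]]]:
    """Parse '>=1.0.0,<2' into [('>=', (1,0,0)), ('<', (2,0,0))]."""
    clauses = []
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        for op in _OPS:
            if clause.startswith(op):
                clauses.append((op, parse_version(clause[len(op):])))
                break
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
    return clauses


def admits(requirement: str, version: str) -> bool:
    """True if every clause of the requirement accepts the version."""
    _, spec = split_requirement(requirement)
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in parse_specifier(spec))


def admitted_below_floor(requirement: str, releases: list[str], floor: str) -> list[str]:
    """Releases the constraint would let the resolver pick that are older than the floor.

    A non-empty result means the constraint does not by itself exclude the
    pre-fix range; an empty result means the floor is enforced.
    """
    f = parse_version(floor)
    return [r for r in releases if admits(requirement, r) and parse_version(r) < f]


# Constructed release lists for the demonstration (not real PyPI data).
MCP_RELEASES = ["1.0.0", "1.9.4", "2.0.0", "2.1.0"]
FASTMCP_RELEASES = ["2.10.0", "2.12.5", "2.14.0", "2.14.6"]


def main() -> None:
    checks = [
        ("mcp>=1.0.0,<2", MCP_RELEASES, "2.0.0"),      # constraint before the PR
        ("mcp>=2.0.0,<3", MCP_RELEASES, "2.0.0"),      # constraint after the PR
        ("fastmcp>=2.14.0,<3", FASTMCP_RELEASES, "2.14.0"),
    ]
    for requirement, releases, floor in checks:
        bad = admitted_below_floor(requirement, releases, floor)
        status = "OK" if not bad else f"still admits {bad}"
        print(f"{requirement:<22} floor {floor:<7} {status}")


if __name__ == "__main__":
    main()
```

Run it once against the old constraint and once against the bumped one; the old `mcp>=1.0.0,<2` line reports the 1.x releases it still admits, while both bumped constraints report OK. The same function can be pointed at the real release list from `pip index versions <pkg>` to confirm a constraint before merging a dependency bump.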