Security: Remove Docker socket mounting to eliminate CVE-2025-9074 risk

- Replace Docker socket-based MCP status monitoring with HTTP health checks
- Remove Docker socket volume mount from docker-compose.yml (CVE-2025-9074 - CVSS 9.3)
- Add MCPMonitoringConfig for secure-by-default HTTP mode
- Make docker dependency optional in pyproject.toml
- Add ENABLE_DOCKER_SOCKET_MONITORING env var for backward compatibility
- Implement get_container_status_http() using httpx for health checks
- Add comprehensive test suite (13 tests, 100% passing)
- Update .env.example with security documentation

Security Benefits:
- Eliminates root-equivalent host access vulnerability
- Prevents container escape attacks
- Portable across Docker, Kubernetes, and bare metal
- Defaults to secure mode, legacy Docker mode optional

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
leex279
2025-11-02 23:22:34 +01:00
parent 844cdb3551
commit 23302577a3
7 changed files with 548 additions and 56 deletions


@@ -33,7 +33,12 @@ services:
networks:
- app-network
volumes:
- /var/run/docker.sock:/var/run/docker.sock # Docker socket for MCP container control
# SECURITY: Docker socket mounting removed (CVE-2025-9074 - CVSS 9.3)
# MCP status now monitored via HTTP health checks (secure, portable)
# To re-enable Docker socket mode (not recommended):
# 1. Set ENABLE_DOCKER_SOCKET_MONITORING=true in .env
# 2. Uncomment the line below
# - /var/run/docker.sock:/var/run/docker.sock # SECURITY RISK: root-equivalent host access
- ./python/src:/app/src # Mount source code for hot reload
- ./python/tests:/app/tests # Mount tests for UI test execution
- ./migration:/app/migration # Mount migration files for version tracking
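Review bot: the removed mount was commented as "Docker socket for MCP container control", but the replacement comment only says status is "now monitored via HTTP health checks"; if any start/stop/restart functionality depended on the socket, the hunk (and the commit message, which only mentions status monitoring) should state that it is dropped or moved, otherwise a reader of this file cannot tell whether a regression is intended. On the re-enable instructions: step 2 ("Uncomment the line below") re-exposes the socket regardless of whether step 1 (`ENABLE_DOCKER_SOCKET_MONITORING=true`) was done, so an operator who uncomments the mount but leaves the flag unset gets the full root-equivalent exposure with no benefit; consider moving the commented mount out of the main compose file into a separate override file or compose profile that is only loaded together with the flag, so the two steps cannot drift apart, and note in the comment that a `:ro` bind of the socket would not reduce the risk.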