fix: upgrade mcp-handler and SDK to patch cross-tenant response leak (CVE-2026-25536)

Upgrades mcp-handler from 1.0.2 to 1.1.0 and @modelcontextprotocol/sdk
from 1.15.1 to 1.29.0 to fix a high-severity vulnerability where
concurrent requests sharing the same StreamableHTTPServerTransport
singleton could have their responses routed to the wrong client.

Ref: GHSA-w2fm-25vw-vh7f, CVE-2026-25536
Made-with: Cursor

Author: masnwilliams