Skip stdio config entries by default in bulk connect, add --stdio flag

[jancurn]

Summary

Isolated from #165 to make review and testing easier. This PR only contains the --stdio safety gate for bulk mcpc connect <config-file> operations. The auto-discovery feature (mcpc connect with no args) remains in #165 and can be merged separately.

Motivation

Stdio entries in MCP config files execute arbitrary local commands via child_process.spawn(). When connecting all servers from a config file at once, this is a supply-chain risk — a malicious or compromised config could silently execute code on connect, even if the MCP handshake later fails.

This PR defaults bulk connects to HTTP-only entries and requires an explicit --stdio opt-in to execute stdio entries.

Behavior

• mcpc connect <config-file> — stdio entries are skipped by default with a chalk.dim message listing what was skipped and how to include them. Pass --stdio to include stdio entries.
• mcpc connect file:entry — single-entry connects are not affected (explicit opt-in per entry).
• All-stdio config — if every entry in the config is stdio and --stdio is not passed, a clear error with remediation is shown.
• JSON output — skipped entries appear under skipped with reason: "stdio".

Changes

src/lib/config.ts

• Adds isStdioEntry(config, entryName) helper that returns true when the entry has a command field.

src/cli/commands/sessions.ts

• connectAllFromConfig() partitions server names into "to connect" and "stdio skipped" unless options.stdio is true, prints a dim skip summary in human mode, emits a skipped array with reason: "stdio" in JSON mode, and throws a clear error (with --stdio remediation) when every entry is stdio.

src/cli/index.ts

• Adds --stdio option to connect.
• Extends the Stdio servers help section to document the new default-skip behavior and the --stdio opt-in.
• Forwards opts.stdio to connectAllFromConfig().

test/unit/lib/config.test.ts

• Unit tests for isStdioEntry() covering command-only, url-only, missing, and mixed configs.

Test plan

• npm run lint passes
• npm run build passes
• npm run test:unit passes (559/559)
• Manual check: mcpc connect <config-with-mixed-entries> skips stdio by default
• Manual check: mcpc connect <config-with-mixed-entries> --stdio connects all
• Manual check: mcpc connect <stdio-only-config> errors with remediation
• Manual check: mcpc connect file:entry still works for stdio entries (no --stdio needed)
• Manual check: --json output includes skipped entries with reason: "stdio"

https://claude.ai/code/session_0138fCGaEqxPbT7y2hWFAAC1

---

Generated by Claude Code