feat: support snake_case MCP schema variants

[brandonwise]

Summary

• add snake_case schema support for MCP config discovery and server fields
• parse top-level/nested mcp_servers + contextServers variants in parse_config
• accept allowed_tools / tool_allowlist and allowed_directories aliases to prevent false positives for AW-007/AW-002
• add integration fixture (testdata/snake-case-mcp.json) and tests proving snake_case allowlist fields are honored

Why this matters

Recent MCP ecosystem telemetry shows teams mixing config schemas across tools and wrappers. Without alias support, users can get false positives even when they configured least-privilege allowlists correctly.

Validation evidence

All commands run from repo root.

1) Repo-level/full suite

• cargo test ✅ PASS (208 unit + 36 integration tests)

2) Targeted tests for changed modules

• cargo test config::tests::test_parse_snake_case_mcp_servers_and_fields ✅ PASS
• cargo test test_snake_case_allowlist_and_directories_are_respected ✅ PASS

3) Lint/type/build checks

• cargo clippy --all-targets --all-features -- -D warnings ✅ PASS
• cargo check ✅ PASS
• cargo build --release ✅ PASS

4) Smoke/integration check for changed behavior

• ./target/release/agentwise scan testdata/snake-case-mcp.json --format json | python3 -c 'import json,sys; d=json.load(sys.stdin); ids={f["rule_id"] for f in d.get("findings",[])}; banned={"AW-002","AW-007"}; bad=sorted(ids & banned); print("findings", len(d.get("findings",[])), "score", d.get("score")); print("banned_rules", bad if bad else "none"); sys.exit(1 if bad else 0)' ✅ PASS
  • output: findings 0 score 100, banned_rules none

Risk

Low. Backward-compatible parser aliases + tests only; no rule severity changes or output schema changes.