
fix(version): drop PKG_VERSION hardcode — second-pass audit M1#45

Merged
heznpc merged 3 commits into main from fix/pkg-version-dynamic
May 21, 2026

Conversation

@heznpc (Member) commented May 21, 2026

Why this PR exists

The 2026-05-21 adversarial second-pass audit caught a Major drift point in this session's work that PR-5 (#40) shipped.

  • src/index.ts:23 hardcoded const PKG_VERSION = "0.4.0"; and passed it to new McpServer({ name: "create-starter", version: PKG_VERSION }).
  • src/cli.ts:105-114 already had a readVersion() helper that dynamically resolves package.json#version at runtime.
  • Inconsistent. Next minor bump (0.5.0 release flow) would leave the MCP server's serverInfo.version stuck at 0.4.0 while CLI -v correctly reports 0.5.0.
  • Neither scripts/bundle-mcpb.mjs nor any test gates this — PR-1 caught the same shape of drift in manifest.json but missed this one inside src/.

Fix

  • New src/version.ts exports readVersion() — the same logic that was inline in cli.ts.
  • src/index.ts calls readVersion() for the McpServer constructor.
  • src/cli.ts imports the shared helper and drops the duplicate impl + the node:fs / node:path / node:url imports that supported it.

Smoke verification

MCP serverInfo: {"name":"create-starter","version":"0.4.0"}
CLI -v:         create-starter 0.4.0

Both come from the same package.json read now.

Why this works inside the .mcpb bundle

scripts/bundle-mcpb.mjs stages dist/ and package.json into the same staging-root. After install, dirname(import.meta.url) for dist/index.js resolves to <staging>/dist/, and ../package.json resolves to <staging>/package.json — the bundled package's metadata. Same path resolution as the dev tree.

Test plan

  • npm run build clean
  • npm test — 85/85 pass (was 85; no new tests in this PR — covered by PR-44's contract test which now exists on main once that merges)
  • MCP initialize returns serverInfo.version = 0.4.0
  • CLI -v returns create-starter 0.4.0
  • CI green

Note: this PR will need to update-branch after PR-44 (contract test) merges, since branch protection is strict: true.
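The readVersion() helper the PR describes, written out as an added example rather than the project's own src/version.ts (the page explains its behaviour but does not show the code). It resolves package.json one directory above the calling module, which is the dev-tree and .mcpb staging layout described above, and it validates the version field instead of letting a missing or malformed package.json surface as a confusing crash at server start. The function names, the moduleUrl parameter, and the call sites in the trailing comment are assumptions.

```typescript
import { readFileSync } from "node:fs";
import { dirname, join } from "node:path";
import { fileURLToPath } from "node:url";

// Extract "version" from a package.json body. Returns null for malformed JSON
// or a missing/non-string field so the caller can report a clear error
// instead of advertising "undefined" to MCP clients. (Assumed helper name.)
function versionFromPackageJson(text: string): string | null {
  let parsed: unknown;
  try {
    parsed = JSON.parse(text);
  } catch {
    return null;
  }
  if (typeof parsed !== "object" || parsed === null) return null;
  const version = (parsed as Record<string, unknown>).version;
  return typeof version === "string" && version.length > 0 ? version : null;
}

// Path of the package.json one level above the directory holding the module
// identified by moduleUrl (callers pass import.meta.url). This is the same
// "dirname(import.meta.url) + '../'" resolution the PR relies on for both the
// dev tree and the .mcpb staging root, where package.json sits beside dist/.
function packageJsonPathFor(moduleUrl: string): string {
  return join(dirname(fileURLToPath(moduleUrl)), "..", "package.json");
}

// Read the version at runtime so serverInfo.version and `cli -v` share one
// source of truth. Throwing with the resolved path is deliberate: a server
// that starts with a wrong or empty version is harder to diagnose than one
// that refuses to start.
function readVersion(moduleUrl: string): string {
  const path = packageJsonPathFor(moduleUrl);
  const version = versionFromPackageJson(readFileSync(path, "utf8"));
  if (version === null) {
    throw new Error(`could not read "version" from ${path}`);
  }
  return version;
}

// Hypothetical call sites mirroring what the PR describes:
//   new McpServer({ name: "create-starter", version: readVersion(import.meta.url) });
//   console.log(`create-starter ${readVersion(import.meta.url)}`);  // cli -v
```

Because both the MCP server and the CLI call the same helper, a release bump in package.json changes both reported versions at once, which is exactly the drift the audit flagged.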

… hardcode)

Adversarial second-pass audit (M1):

src/index.ts:23 hardcoded `const PKG_VERSION = "0.4.0"` while
src/cli.ts:105-114 correctly resolved version from package.json at
runtime. Inconsistent — and the next minor bump would silently leave
the MCP server reporting the old version in `serverInfo` to clients
(Claude Desktop / Cursor / etc.) while the CLI -v output stays correct.

- Extract readVersion() to src/version.ts (shared helper).
- src/index.ts imports it for new McpServer({ version }).
- src/cli.ts imports the same helper; drops the duplicate impl and the
  node:fs/node:path/node:url imports that supported it.

Smoke-verified:
- MCP serverInfo.version = 0.4.0 (dynamic, matches package.json)
- CLI -v = create-starter 0.4.0 (unchanged)

This also covers the path inside the .mcpb bundle: staging structure
keeps package.json alongside dist/, so dirname(import.meta.url) + '../'
resolves the same in dev and packaged contexts.
@heznpc heznpc enabled auto-merge (squash) May 21, 2026 13:22
@heznpc heznpc merged commit ca89592 into main May 21, 2026
6 checks passed
@heznpc heznpc deleted the fix/pkg-version-dynamic branch May 21, 2026 15:28