DX-119567: Fix security vulnerabilities in MCP Server (#105)

Addresses 57 Trivy-flagged CVEs (3 CRITICAL, 17 HIGH)  via
three tracks:

1. Delete src/dremioai/servers/frameworks/ (langchain + beeai)
   which is unused by the live dremio-mcp-server path. This drops
   langchain*, langgraph, and beeai-framework from the dependency
   tree, eliminating ~18 CVEs incl. CVE-2025-68664 (CRITICAL).

2. Remove litellm (no imports in codebase) to drop CVE-2026-35030
   (CRITICAL), CVE-2026-35029 (HIGH), and GHSA-69x8-hrgq-fjj8 (HIGH).

3. Bump direct and transitive dependencies to fixed versions:
   aiohttp, black, mcp, requests, starlette, pytest; plus lower
   bounds for h11 (CRITICAL CVE-2025-43859), python-multipart,
   orjson, setuptools, urllib3, cryptography, filelock,
   python-dotenv, and pygments.

Route regex fix in mcp.py:
The mcp upgrade (1.10 -> 1.27) tightened the streamable-HTTP route
to an exact match on "/mcp" (path_regex ^/mcp$). This broke the
project-id-prefixed URL pattern "/mcp/<project_id>/" that
ProjectIdMiddleware extracts and the e2e PAT tests rely on -- the
request 404'd before middleware could run. After registering
ProjectIdMiddleware, we loosen the Route's path_regex to also match
"/mcp/<project_id>/..." so the middleware has a chance to pull the
project id out of the URL. The middleware itself is unchanged.

Test plan:
- Ran `trivy filesystem .` after the changes and confirmed zero
  HIGH/CRITICAL findings remain in uv.lock (down from 57).
- Ran the full pytest suite: 341 passed, 0 failed.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

Author: ssaumitra

docs/frameworks.md

@@ -96,44 +96,6 @@ prometheus:
   token: <string> # Authentication token
 ```
 
-### LangChain Settings (Experimental)
-
-The Tools defined in the `tools` section can be used with LangChain if required as well. The LangChain integration depends on `openai` or `ollama` for LLM. The [src/dremoiai/servers/frameworks/langchain/server.py] supplies a command line interface showing the integration.
-
-```yaml
-langchain:
-  llm: <Model> # LLM type (ollama/openai)
-  openai:
-    api_key: <string> # OpenAI API key
-    model: <string> # Model name (default: gpt-4)
-    org: <string> # Optional: Organization ID
-  ollama:
-    model: <string> # Model name (default: llama3.1)
-```
-
-### BeeAI Settings (Experimental)
-
-[BeeAI](https://github.com/i-am-bee/beeai-framework) framework supports MCP as well as multiple LLM providers. The [src/dremoiai/servers/frameworks/beeai/server.py] supplies a command line interface showing this integration.
-
-```yaml
-beeai:
-  mcp_server:
-    command: "uv"
-    args:
-    - "run"
-    - "--directory"
-    - "<toplevel git directory>"
-    - "dremio-mcp-server"
-    - "run"
-  sliding_memory_size: <int> # Memory window size
-  anthropic:
-    api_key: <string> # Anthropic API key
-    chat_model: <string> # Chat model name
-  openai: <OpenAI> # OpenAI settings (same as LangChain)
-  ollama: <Ollama> # Ollama settings (same as LangChain)
-```
- 
-
 ## Configuration Methods
 
 ### File-based Configuration