Disable external process commands in remote (http) #1522

Open
anuchandy wants to merge 2 commits into microsoft:main from anuchandy:no-ext-process-remote

@anuchandy anuchandy commented Jan 20, 2026

What does this PR do?

External process commands (like azqr) use IExternalProcessService to spawn local processes. In remote (HTTP) mode, this is a security risk: processes run under the server's host identity (not the OBO user's context), and malicious requests could exhaust server resources.

  • Add IsHttpMode() method to ServiceStartOptions
  • Conditionally exclude AzqrCommand registration in ExtensionSetup

Fixes #1521


Pre-merge Checklist

  • Required for All PRs
    • Read contribution guidelines
    • PR title clearly describes the change
    • Commit history is clean with descriptive messages (cleanup guide)
    • Added comprehensive tests for new/modified functionality
    • Updated servers/Azure.Mcp.Server/CHANGELOG.md and/or servers/Fabric.Mcp.Server/CHANGELOG.md for product changes (features, bug fixes, UI/UX, updated dependencies)
  • For MCP tool changes:
    • One tool per PR: This PR adds or modifies only one MCP tool for faster review cycles
    • Updated servers/Azure.Mcp.Server/README.md and/or servers/Fabric.Mcp.Server/README.md documentation
    • Validate README.md changes using script at eng/scripts/Process-PackageReadMe.ps1. See Package README
    • Updated command list in /servers/Azure.Mcp.Server/docs/azmcp-commands.md and/or /docs/fabric-commands.md
    • Run .\eng\scripts\Update-AzCommandsMetadata.ps1 to update tool metadata in azmcp-commands.md (required for CI)
    • For new or modified tool descriptions, ran ToolDescriptionEvaluator and obtained a score of 0.4 or more and a top 3 ranking for all related test prompts
    • For tools with new names, including new tools or renamed tools, update consolidated-tools.json
    • For new tools associated with Azure services or publicly available tools/APIs/products, add URL to documentation in the PR description
  • Extra steps for Azure MCP Server tool changes:
    • Updated test prompts in /servers/Azure.Mcp.Server/docs/e2eTestPrompts.md
    • 👉 For Community (non-Microsoft team member) PRs:
      • Security review: Reviewed code for security vulnerabilities, malicious code, or suspicious activities before running tests (crypto mining, spam, data exfiltration, etc.)
      • Manual tests run: added comment /azp run mcp - pullrequest - live to run Live Test Pipeline
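
An added sketch, not code from this PR or the Azure MCP repository, of the gating the description above outlines: process-spawning tools are left unregistered in HTTP mode, and, going beyond the PR, a second check fails closed at invocation. The `Transport` property, the `ToolCommand` type, `ToolRegistry` and the tool names are assumptions; only `ServiceStartOptions`, `IsHttpMode()` and azqr come from the page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Stand-in for the project's ServiceStartOptions; the Transport property and
// its "http"/"stdio" values are assumptions made for this sketch.
public sealed class ServiceStartOptions
{
    public string Transport { get; init; } = "stdio";
    public bool IsHttpMode() =>
        string.Equals(Transport, "http", StringComparison.OrdinalIgnoreCase);
}

// Hypothetical descriptor: SpawnsProcess marks tools that shell out to a local
// binary (azqr in the PR) and therefore run under the server's host identity.
public sealed record ToolCommand(string Name, bool SpawnsProcess);

public static class ToolRegistry
{
    // Registration-time gate: process-spawning tools are never listed in HTTP mode.
    public static IReadOnlyList<ToolCommand> Register(
        ServiceStartOptions options, IEnumerable<ToolCommand> candidates) =>
        candidates.Where(c => !(options.IsHttpMode() && c.SpawnsProcess)).ToList();

    // Invocation-time gate: fail closed even if a tool slipped past registration.
    public static void EnsureAllowed(ServiceStartOptions options, ToolCommand command)
    {
        if (options.IsHttpMode() && command.SpawnsProcess)
            throw new InvalidOperationException(
                $"'{command.Name}' spawns a local process and is disabled in HTTP mode.");
    }
}

public static class Program
{
    public static void Main()
    {
        var candidates = new[]
        {
            new ToolCommand("extension_azqr", SpawnsProcess: true),        // constructed name
            new ToolCommand("storage_account_list", SpawnsProcess: false), // constructed name
        };
        foreach (var transport in new[] { "stdio", "http" })
        {
            var options = new ServiceStartOptions { Transport = transport };
            var names = ToolRegistry.Register(options, candidates).Select(c => c.Name);
            Console.WriteLine($"{transport}: {string.Join(", ", names)}");
        }
    }
}
```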

@anuchandy anuchandy self-assigned this Jan 20, 2026
@anuchandy anuchandy requested a review from wbreza as a code owner January 20, 2026 02:45
Copilot AI review requested due to automatic review settings January 20, 2026 02:45
@anuchandy anuchandy requested review from a team and jongio as code owners January 20, 2026 02:45
@github-actions github-actions bot added the tools-Azd Azure Developer CLI related label Jan 20, 2026

Copilot AI left a comment

Pull request overview

This PR implements a security enhancement to disable external process commands (specifically azqr) when the MCP server is running in HTTP mode with On-Behalf-Of authentication. This prevents security risks where spawned processes would execute under the server's host identity rather than the user's context.

Changes:

  • Added IsHttpOnBehalfOfMode() helper method to ServiceStartOptions to detect HTTP + OBO mode
  • Implemented conditional registration logic in ExtensionSetup to exclude AzqrCommand in HTTP + OBO scenarios
  • Updated changelog to document the security enhancement

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| core/Azure.Mcp.Core/src/Areas/Server/Options/ServiceStartOptions.cs | Adds helper method to detect HTTP + On-Behalf-Of mode |
| tools/Azure.Mcp.Tools.Extension/src/ExtensionSetup.cs | Implements conditional registration to exclude azqr command in HTTP + OBO mode |
| servers/Azure.Mcp.Server/changelog-entries/1768876346795.yaml | Documents the security feature addition |

@anuchandy anuchandy added remote-mcp and removed tools-Azd Azure Developer CLI related labels Jan 20, 2026
@joshfree joshfree moved this from Untriaged to In Progress in Azure MCP Server Jan 20, 2026
@joshfree joshfree added this to the 2026-01 milestone Jan 20, 2026
@joshfree joshfree modified the milestones: 2026-01, 2026-02 Feb 3, 2026
@anuchandy anuchandy force-pushed the no-ext-process-remote branch from a1c8148 to fb57052 Compare February 25, 2026 20:58
@anuchandy anuchandy force-pushed the no-ext-process-remote branch from fb57052 to c6c5512 Compare February 25, 2026 21:35
@anuchandy anuchandy changed the title Disable external process commands in HTTP + On-Behalf-Of mode Disable external process commands in remote (http) Feb 26, 2026

Successfully merging this pull request may close these issues.

[BUG] Block external process commands (that spawn az, azd, etc.) from being invoked in remote mode
