
fix(server-info): trust installed metadata over foreign pyproject + version guard#42

Merged: heznpc merged 1 commit into main from fix/quality-audit, Jun 4, 2026



@heznpc heznpc commented Jun 4, 2026

What

Make distribution identity (dist name + version) a single source of truth in the package root (`my_mcp_server/init.py`) and route the `server-info` MCP resource through it.

Resolution order (now metadata-first)

  1. `importlib.metadata` — authoritative for an installed distribution (wheel or `pip install -e .`). This is what the running server actually is, regardless of files on disk above it.
  2. The package's own `pyproject.toml` — dev fallback for a source checkout, accepted only when `[project].name` matches `DIST_NAME`. A foreign / monorepo-parent `pyproject.toml` found on the walk-up is skipped (the version guard), so a parent project can never masquerade as this server's identity.
  3. `FALLBACK_VERSION` (`0.0.0`) — last resort (renamed clone, neither source usable).

Why

Previously `server_info.py` re-derived identity on its own, pyproject-first and unguarded: a monorepo-parent `pyproject.toml` encountered on the walk-up would be served as this server's version. It also duplicated the name/version logic, so the two could drift. Now `server_info` consumes `resolve_version()` / `DIST_NAME` from the package root — the reported version can't drift from what the package is, and the foreign-pyproject case is correctly skipped.

`PKG_NAME` is retained in `server_info` as a back-compat alias of `DIST_NAME`.

Tests

  • New `tests/test_version_resolution.py` covers each resolution branch, with explicit cases for the guard (foreign pyproject nearer on the walk-up is skipped; foreign-only walk exhausts to `None`; `[project]` without a `name` is skipped).
  • `tests/test_server_info.py` reworked to assert the resource consumes the single source of truth.
  • Local: ruff check + format, mypy `src/`, 33/33 pytest. Coverage 79.56% -> 97.17% (`init.py` 32% -> 100%).

@heznpc heznpc enabled auto-merge (squash) June 4, 2026 12:25
@heznpc heznpc merged commit 8e39dd6 into main Jun 4, 2026
9 checks passed
@heznpc heznpc deleted the fix/quality-audit branch June 4, 2026 12:26