fix: whitelist /rpc endpoint for server-scoped tokens

[shoummu1]

🐛 Bug-fix PR

📌 Summary

Server-scoped tokens cannot access the /rpc endpoint, preventing SSE transport and WebSocket relay from functioning. This PR adds /rpc to the general endpoints whitelist to allow server-scoped tokens to make MCP protocol requests.

🔗 Related Issue

Closes #2192

🐞 Root Cause

In mcpgateway/middleware/token_scoping.py, the _check_server_restriction function:

1. Checks if /rpc matches any server path pattern → NO
2. Checks if /rpc is in general_endpoints → NO (not listed)
3. Returns False → HTTP 403

The /rpc endpoint is a core JSON-RPC endpoint used for:

• Direct POST requests for MCP operations
• WebSocket relay (proxies requests to /rpc)
• Internal RPC handling

Without /rpc in the whitelist, server-scoped tokens are denied access despite needing it for MCP protocol operations.

💡 Fix Description

Added /rpc to the general_endpoints list in mcpgateway/middleware/token_scoping.py (line 328):

general_endpoints = ["/health", "/metrics", "/openapi.json", "/docs", "/redoc", "/rpc"]

[crivetimihai]

Clean one-liner fix with a test. Server-scoped tokens need /rpc access for MCP protocol operations. CI is all green.

LGTM — ready to merge.