Add blocklist for community registry MCP servers

[cutecatfann]

What I did

• Added --exclude flag to docker mcp catalog-next create for filtering servers when creating catalogs from a community registry
• The flag accepts server names (can be specified multiple times) and is only valid with --from-community-registry
• Excluded servers are tracked in the skip statistics and displayed in the stderr summary output
• Added test coverage for single-server exclusion, multi-server exclusion, and exclusion of non-existent names (no-op)

This is the mcp-gateway side of the server blocklist feature. The ai-mcp CI pipeline passes --exclude flags (derived from server-overrides.yaml) to this command when mirroring the community registry, allowing Docker to remove servers for takedown requests, security vulnerabilities, or policy violations.

The mcp-gateway changes must be merged and released first, since the ai-mcp CI workflow depends on the --exclude flag being available in docker mcp catalog-next create. The MCP_GATEWAY_VERSION in both workflow files is currently pinned to v0.40.0, that version needs to be bumped to whatever release includes the --exclude flag before the ai-mcp workflow changes will work end-to-end.

How to use

To block a server, add it to server-overrides.yaml in ai-mcp:

  some-vulnerable-server:
    blocked: true

The server will be excluded from all pipeline stages (build, generate, upload, catalog, community registry mirror) on the next CI run. See docs/runbook.md for full details including verification steps.

Testing

• go test ./pkg/catalog_next/ -run TestCreateFromCommunityRegistry -v all 5 community registry tests pass
• go test ./pkg/catalog_next/ -v full suite passes
• go vet ./... clean
• Verify --exclude without --from-community-registry returns an error
• Verify --exclude with --from-community-registry correctly omits named servers from the resulting catalog

[jchangx]

super nit: "blocked" is maybe more explicit