Security: safer CORS examples + avoid shell=True

[TheodorNEngoy]

This hardens a few high-signal footguns that show up in MCP / tool-server code:

• Examples: replace wildcard CORS (allow_origins=["*"]) with a localhost-only allow_origin_regex.
  This still supports browser-based clients during local dev while avoiding suggesting wildcard CORS as a default.
• URL elicitation client snippet: use webbrowser.open() instead of subprocess.run(..., shell=True) for cross-platform browser launch.
• Tests: make TestChildProcessCleanup less timing-sensitive by polling for file growth (reduces occasional Windows CI flakes) while keeping coverage at 100%.

[TheodorNEngoy]

All checks are green.

This keeps examples safer by default (no wildcard CORS; localhost-only regex) and avoids subprocess(..., shell=True) for opening a browser (uses webbrowser.open() instead). Happy to adjust the default allowlist/regex if you’d prefer a different local-dev story.

[TheodorNEngoy]

Closing to reduce review noise: this PR is now superseded by the split, narrower PRs:

• cli: avoid shell=True for npx/browser helpers #2014 (avoid shell=True in npx/browser helpers)
• Docs/examples: avoid wildcard CORS for StreamableHTTP #2015 (avoid wildcard CORS in StreamableHTTP docs/examples)

Happy to resurrect/port over the remaining stdio test flake/coverage tweaks as a separate PR if those are still useful.