fix: handle Lua nil as locked OTP and add SSRF check to MCP env resolution

- Treat Redis Lua nil return (expired/deleted key) as 'locked' instead
  of silently treating it as a successful increment
- Add validateMcpServerSsrf to MCP service resolveConfigEnvVars so
  env-var URLs are SSRF-validated after resolution at execution time

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/lib/mcp/service.ts

@@ -10,7 +10,7 @@ import { isTest } from '@/lib/core/config/feature-flags'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { McpClient } from '@/lib/mcp/client'
 import { mcpConnectionManager } from '@/lib/mcp/connection-manager'
-import { isMcpDomainAllowed, validateMcpDomain } from '@/lib/mcp/domain-check'
+import { isMcpDomainAllowed, validateMcpDomain, validateMcpServerSsrf } from '@/lib/mcp/domain-check'
 import { resolveMcpConfigEnvVars } from '@/lib/mcp/resolve-config'
 import {
   createMcpCacheAdapter,
@@ -68,6 +68,7 @@ class McpService {
       strict: true,
     })
     validateMcpDomain(resolvedConfig.url)
+    await validateMcpServerSsrf(resolvedConfig.url)
     return resolvedConfig
   }