fix: restrict Streamlit MCP test subprocess env

[DavidJBianco]

Motivation

• Prevent leaking unrelated process/.env secrets to stdio MCP subprocesses invoked by the Streamlit "Test Connection" flow by avoiding copying the full os.environ into subprocess envs.
• Preserve explicit per-server MCP environment variables while limiting what platform defaults are forwarded to potentially untrusted MCP packages.

Description

• Add build_mcp_subprocess_env() that returns an allowlisted, minimal environment (e.g. PATH, HOME, temp vars, Windows command defaults) plus the explicit server env overlay.
• Replace the previous env = os.environ.copy() + env.update(server_config.env) in the Streamlit test_mcp_connection stdio branch with a call to build_mcp_subprocess_env(server_config.env).
• Update unit tests to assert that explicit server env values and safe defaults are present while unrelated process secrets are excluded.
• Clean up targeted lint issues in the edited module by removing unused imports and replacing a bare except with except Exception so the focused ruff check passes.

Testing

• Ran uv run --python 3.12 ruff check peak_assistant/streamlit/util/helpers.py tests/unit_tests/test_streamlit_helpers_mcp_bugs.py and the checks passed after the cleanup.
• Ran unit tests with uv run --python 3.12 pytest tests/unit_tests/test_streamlit_helpers_mcp_bugs.py -q and all tests passed (5 passed).
• Ran git diff --check (local check) to ensure no whitespace/diff issues were introduced and it reported no problems.

---

Codex Task