[feat]: split MCP support out of the main library

[watford-ep]

Feature description

It appears recent releases of shadcn come with an MCP instance available, which became more apparent after the recent Dependabot alert we received. Software supply chains are hard enough to secure as-is, and the dependency sprawl of MCP seems a bit much.

Breaking out the MCP from the main shadcn library would benefit all comers, allowing faster iterations on the MCP for those who are willing to accept the risk, and allowing for a smaller more secure package for those who do not.

Affected component/components

MCP

Additional Context

Additional details here...

Before submitting

• I've made research efforts and searched the documentation
• I've searched for existing issues and PRs

[arolariu]

I'm curious to know how do you "trigger" this supposed CVE alert simply by using the unstyled components?

All you get are a bunch of .{ts,tsx} files that contain simple components or hooks.
Where is this supposed MCP instance at?

Are you perhaps installing the whole shadcn package instead? If so, why...?

[watford-ep]

We're working on a registry which seems to require bringing in the shadcn library as a dev dependency. The additional surface area from the MCP is undesirable. If it's possible to use the registry without a reliance on the package that would be ideal.