chore(release): v0.8.1

[m1ngshum]

Release prep for v0.8.1 (patch). Bumps the version + banners + CLAUDE.md, adds the CHANGELOG entry. No source changes beyond the version string.

After this merges, pushing the v0.8.1 tag triggers publish.yml (typecheck/build/test → pnpm publish --provenance to npm + auto GitHub release).

Release contents (since 0.8.0)

• Added — mcpm_up MCP tool now exposed via mcpm serve (9 tools) (fix(server): register the mcpm_up MCP tool so mcpm serve exposes it #64)
• Security — MCP .env lockdown, mcpm_up hard trust floor, symlink containment, http→loopback-only remote URLs, runtime-arg .. rejection, honest keychain notice (fix(security): close MCP-surface secret-leak gaps from post-ship review (H1/M1/M3/L1) #65, fix(security): harden remote-URL & runtime-arg validation; honest keychain notice (M4/M5/I1) #66); hono + semver dep bumps clear all Dependabot alerts (fix(deps): bump hono override to ^4.12.21 to clear 4 Dependabot alerts #62, chore(deps): bump semver from 7.8.1 to 7.8.2 #61)
• Fixed — mcpm_up failure reporting, empty-string env values (fix(security): close MCP-surface secret-leak gaps from post-ship review (H1/M1/M3/L1) #65)
• Docs — architecture diagrams + doc-drift pass (docs: add rendered architecture diagrams (Mermaid) #63)

Verified locally: mcpm -V → 0.8.1, build + full suite (1,302) green, and a sandboxed dogfood of every command (incl. the hardened serve/mcpm_up surface).