fix(#277): MCP accept pins a routable peer + accept flags loopback-only reply path

[laulpogan]

What

Closes the operator-experience half of #277 (the code-routing half landed in #323). Two gaps in the bilateral-accept path:

1. MCP wire_accept wrote an unroutable pin

The MCP accept path still wrote the peer pin in the flat peers[h]={relay_url,slot_id,slot_token} shape that RFC-006 Part B (#268) no longer reads — so a peer accepted over MCP got an empty endpoints[] and wire send couldn't route to them at all. Now pins via endpoints::pin_peer_endpoints (the endpoints[] single source), matching the CLI path. (Another Part-B writer straggler, like the reader ones #323 fixed.)

2. Accept reported success on an unreachable reply path

Both wire accept (CLI) and MCP accept returned bilateral_accepted even when the peer advertised only loopback/same-host endpoints — exactly the #277 report: trust pinned, but the reply path can't reach a remote peer, and nothing said so.

New endpoints::endpoints_are_local_only drives a reply_path_reachable: false field on both paths + a remediation warning on the CLI. It infers reachability from the URL (not the advertised scope), so a loopback address mislabeled scope:"federation" — the exact #277 churn case — is still caught. Trust is still pinned (it's real); the link's reachability is just no longer silently overstated.

Tests

• endpoints_are_local_only_catches_loopback_pin_incl_mislabeled_scope (empty→false, mislabeled-loopback caught, federation ok, mixed ok, UDS local-only).
• 598 lib tests green; clippy -D warnings clean.

Stacks cleanly with #330 (SSO docs, no file overlap).

🤖 Generated with Claude Code

[cloudflare-workers-and-pages]

Deploying wireup-landing with    Cloudflare Pages

Latest commit:	a066cee
Status:	✅  Deploy successful!
Preview URL:	https://f3efcd79.wireup-landing.pages.dev
Branch Preview URL:	https://fix-277-accept-reachability.wireup-landing.pages.dev

View logs