Docs: warn that NEXT_DEVTOOLS_HOST env var can redirect MCP off localhost

[CommonHerb]

NEXT_DEVTOOLS_HOST silently overrides the localhost default in src/_internal/nextjs-runtime-manager.ts:39:

const MCP_HOST = process.env.NEXT_DEVTOOLS_HOST ?? "localhost"

…and is used to construct the fetch target at lines 68 and 306. But the README (checked in v0.3.10 and at HEAD on the default branch) has zero mentions of NEXT_DEVTOOLS_HOST, so nothing warns a developer that (a) the env var exists at all, or (b) pointing it at a non-local host would make next-devtools-mcp fetch that host's /_next/mcp endpoint.

Since Next.js 16+ enables /_next/mcp by default, a developer who exports NEXT_DEVTOOLS_HOST=my-prod-site.com in their shell — maybe thinking it's a dev-port tweak, or because they're debugging a remote dev environment — could inadvertently expose production runtime state (routes, errors, logs, app state) to a coding agent running on their laptop.

Suggested fix (docs-only)

Short addition near the existing localhost mentions, along the lines of:

Host override

The MCP server targets localhost by default. Set the NEXT_DEVTOOLS_HOST env var to override.

⚠️ Do not point NEXT_DEVTOOLS_HOST at a production host. The /_next/mcp endpoint exposes runtime internals (routes, errors, logs, application state) — expected in development, but a data-leak vector if the target is a live site. Next.js 16+ enables the endpoint by default, so production deployments may respond to this server.

Happy to open a PR if useful.