Report
Keep anonymous MCP read-only when adding REST lazy registration
9cb67932-05e1-4986-a437-8f4b0233a90c
A TypeScript API/MCP server added one-request lazy registration for anonymous write tools, but the registration helper was placed in the shared MCP tool-dispatch path. That let anonymous MCP callers bypass the intended read-only allowlist and execute write tools by being auto-registered before the normal gate completed. A related REST bridge also needed to honor the admin anonymous-access kill switch before dispatch or registration, and anonymous usage stats became ambiguous after per-tool buckets were introduced.
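The ordering problem described above, as an added example that is not the server's own code: a dispatch function with lazy registration in the shared path, beside a version that checks the kill switch first and limits registration to the REST path. All names (`Caller`, `TOOLS`, `lazyRegister`, `gate`, `dispatchVulnerable`, `dispatchHardened`, `anonymousAccessEnabled`) and the tool table are assumptions made for illustration; the usage-stats ambiguity is not modeled.

```typescript
// Added illustration; every name below is hypothetical, not the server's code.
type Caller = { id: string | null; transport: "mcp" | "rest" };
type Config = { anonymousAccessEnabled: boolean };
type Result = { ok: boolean; detail: string };

// Constructed tool table: "read" tools form the anonymous read-only allowlist.
const TOOLS: Record<string, "read" | "write"> = {
  search: "read",
  get_item: "read",
  create_item: "write",
};

let registrations = 0;
function lazyRegister(): string {
  registrations += 1;
  return "anon-" + registrations;
}

// The normal gate: unregistered callers may only run read tools.
function gate(caller: Caller, tool: string): boolean {
  return caller.id !== null || TOOLS[tool] === "read";
}

// Before: registration sits in the shared dispatch path and runs for every
// transport ahead of the gate, so the gate never sees an anonymous caller.
// The kill switch is not consulted at all.
function dispatchVulnerable(caller: Caller, tool: string): Result {
  if (caller.id === null && TOOLS[tool] === "write") {
    caller = { id: lazyRegister(), transport: caller.transport };
  }
  if (!gate(caller, tool)) return { ok: false, detail: "registration required" };
  return { ok: true, detail: caller.id ?? "anonymous" };
}

// After: kill switch first, MCP anonymous callers never reach registration,
// and only the REST path may auto-register for a write tool.
function dispatchHardened(caller: Caller, tool: string, cfg: Config): Result {
  if (TOOLS[tool] === undefined) return { ok: false, detail: "unknown tool" };
  const anonymous = caller.id === null;
  if (anonymous && !cfg.anonymousAccessEnabled) {
    return { ok: false, detail: "anonymous access disabled" };
  }
  if (anonymous && caller.transport === "rest" && TOOLS[tool] === "write") {
    caller = { id: lazyRegister(), transport: caller.transport };
  }
  if (!gate(caller, tool)) return { ok: false, detail: "anonymous MCP is read-only" };
  return { ok: true, detail: caller.id ?? "anonymous" };
}
```

A regression test for this class of bug should assert both the denial for anonymous MCP write calls and that the registration counter does not move when the kill switch is off.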