fix(mcplocal): lower default token introspection TTL in serve.ts too

Followup to e51b924. The middleware default in token-auth.ts is 5s, but
serve.ts wraps the construction with its own env-fallback default of
30000ms — so when MCPLOCAL_TOKEN_POSITIVE_TTL_MS isn't set in the
environment, serve.ts always wins and revoked tokens still propagate
slowly. Lowered serve.ts to 5s for symmetry; operators wanting a longer
window can set the env var explicitly.

Caught by mcptoken.smoke continuing to fail after the previous redeploy:
verified the token-auth.js shipped with `?? 5_000`, but the wrapper was
overriding it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Michal
2026-04-25 18:41:22 +01:00
parent e51b92473f
commit 2e266e318a

@@ -67,9 +67,12 @@ export async function serve(): Promise<void> {
const httpServer = await createHttpServer(httpConfig, { router, providerRegistry }); const httpServer = await createHttpServer(httpConfig, { router, providerRegistry });
// Auth preHandler: only protect the MCP surfaces. /health, /healthz, /proxymodels etc stay open. // Auth preHandler: only protect the MCP surfaces. /health, /healthz, /proxymodels etc stay open.
// Introspection cache TTLs are tunable via env for operators who want stricter revocation // Introspection cache TTLs are tunable via env for operators who want a different tradeoff.
// propagation at the cost of more round-trips to mcpd. // Default 5s for both: mcpd's introspection endpoint is a single DB lookup, so the cache
const positiveTtlMs = Number(process.env.MCPLOCAL_TOKEN_POSITIVE_TTL_MS ?? '30000'); // mainly protects against burst restart storms — not steady-state load. A higher positive
// TTL means revoked tokens keep working for the full window after revocation; 5s aligns with
// the negativeTtl and matches mcptoken.smoke's 7s `wait after revoke` assertion.
const positiveTtlMs = Number(process.env.MCPLOCAL_TOKEN_POSITIVE_TTL_MS ?? '5000');
const negativeTtlMs = Number(process.env.MCPLOCAL_TOKEN_NEGATIVE_TTL_MS ?? '5000'); const negativeTtlMs = Number(process.env.MCPLOCAL_TOKEN_NEGATIVE_TTL_MS ?? '5000');
const tokenAuth = createTokenAuthMiddleware({ mcpdUrl, positiveTtlMs, negativeTtlMs }); const tokenAuth = createTokenAuthMiddleware({ mcpdUrl, positiveTtlMs, negativeTtlMs });
httpServer.addHook('preHandler', async (request, reply) => { httpServer.addHook('preHandler', async (request, reply) => {
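
Review bot: the `'5000'` fallback on the new `positiveTtlMs` line still keeps a second copy of the default that token-auth.ts already carries, which is the duplication that let the two values drift apart and kept revoked tokens valid for 30s. Consider passing `undefined` to `createTokenAuthMiddleware` when `MCPLOCAL_TOKEN_POSITIVE_TTL_MS` is unset so the middleware's own default applies, or importing one shared constant in both files. Separately, on both TTL lines `??` only covers an unset variable: an empty string becomes `Number('')`, which is 0, and a non-numeric value becomes NaN, and nothing visible here rejects either or caps a very large value, so a typo in the environment can silently change the revocation window. A `Number.isFinite` and range check with a startup log line of the effective TTLs would make that visible to operators.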