feat: implement TLS certificate verification and add new flags

[Fine0830]

TLS certificate verification is now enforced for OAP connections. Added --sw-insecure flag to opt out (development/self-signed certs only).

• Sensitive fields (authorization, password, token, secret) are redacted in --log-command output.
• Environment variable references (${VAR}) in --sw-username/--sw-password now log a warning when the variable is not set, preventing silent unauthenticated requests.
• URL scheme validation rejects non-http/https OAP URLs.
• Regex patterns supplied to list_mqe_metrics are validated for complexity before compilation.
• Added --allowed-origins flag to sse and streamable transports for CORS/CSRF origin enforcement. Requests carrying an Origin header not in the allowlist receive 403 Forbidden. When unset, all origins are permitted (backward compatible).

Signed-off-by: Qiuxia Fan qiuxiafan@apache.org

[Copilot]

Pull request overview

This PR tightens security and input validation around SkyWalking OAP connectivity and HTTP transports, while adding operator-facing flags for controlled exceptions and origin enforcement.

Changes:

• Enforce (and optionally bypass via --sw-insecure) TLS certificate verification for OAP connections used by MQE’s direct HTTP GraphQL client; reject non-http/https OAP URL schemes.
• Add CORS/Origin enforcement (--allowed-origins) to SSE + Streamable transports via a shared middleware wrapper.
• Redact sensitive JSON fields in --log-command output; add warnings for unresolved ${ENV_VAR} credentials; add/adjust unit tests and docs.

Reviewed changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 11 comments.

Show a summary per file

File	Description
README.md	Documents new global and transport-specific flags and usage examples.
cmd/skywalking-mcp/main.go	Adds --sw-insecure flag and binds it into viper config.
internal/swmcp/server.go	Propagates insecure flag into request context; warns on missing env vars for credentials.
internal/tools/mqe.go	Adds URL scheme validation, TLS config behavior, and regex/layer validation for MQE tools.
internal/tools/common.go	Adds validateURLScheme helper for OAP URL scheme enforcement.
internal/tools/io.go	Adds sensitive-field redaction for --log-command stdin/stdout logging.
internal/swmcp/cors.go	Introduces CORS/origin enforcement middleware and allowlist parsing.
internal/swmcp/sse.go	Adds --allowed-origins and wraps SSE HTTP server with CORS middleware.
internal/swmcp/streamable.go	Adds --allowed-origins and wraps Streamable HTTP server with CORS middleware.
internal/swmcp/server_registry_test.go	Refactors registry tests to prefer public tool inventory APIs where available.
internal/tools/common_test.go	Adds unit tests for URL finalization, duration parsing, pagination, etc.
internal/tools/alarm_test.go	Adds tests around alarm query condition building/duration defaults.
CLAUDE.md	Updates developer documentation for TLS, origin enforcement, and MQE validation rules.
CHANGES.md	Adds 0.2.0 release notes entries for the new security/validation features.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.