fix(security): harden TLS, timeouts, validation, logging, and token generation

- Default TLS verification on, opt-in UPKEEP_INSECURE_SKIP_VERIFY
- Alert webhooks use 10s timeout client, close response bodies
- URL input validates http/https scheme for HTTP monitors
- Stdlib logs route to stderr instead of discard
- Panic on crypto/rand failure in token generation
- Cluster startup warnings for non-HTTPS and missing secret
- Replace demo SMTP creds with obvious placeholders
- Color-coded log entries and scroll hints in logs tab

internal/monitor/monitor.go

@@ -45,8 +45,14 @@ var (
 	// Global Switch for HA
 	isActive    = true
 	activeMutex sync.RWMutex
+
+	insecureSkipVerify bool
 )
 
+func SetInsecureSkipVerify(skip bool) {
+	insecureSkipVerify = skip
+}
+
 func SetEngineActive(active bool) {
 	activeMutex.Lock()
 	defer activeMutex.Unlock()
@@ -208,7 +214,7 @@ func checkPush(site models.Site) {
 
 func checkHTTP(site models.Site) {
 	start := time.Now()
-	client := &http.Client{Timeout: 5 * time.Second, Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}}
+	client := &http.Client{Timeout: 5 * time.Second, Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: insecureSkipVerify}}}
 	resp, err := client.Get(site.URL)
 	latency := time.Since(start)