fix(security): harden TLS, timeouts, validation, logging, and token generation

- Default TLS verification on, opt-in UPKEEP_INSECURE_SKIP_VERIFY
- Alert webhooks use 10s timeout client, close response bodies
- URL input validates http/https scheme for HTTP monitors
- Stdlib logs route to stderr instead of discard
- Panic on crypto/rand failure in token generation
- Cluster startup warnings for non-HTTPS and missing secret
- Replace demo SMTP creds with obvious placeholders
- Color-coded log entries and scroll hints in logs tab

internal/tui/tab_sites.go

@@ -5,6 +5,7 @@ import (
 	"go-upkeep/internal/models"
 	"go-upkeep/internal/monitor"
 	"go-upkeep/internal/store"
+	"net/url"
 	"strconv"
 	"strings"
 	"time"
@@ -317,7 +318,26 @@ func (m *Model) initSiteHuhForm() tea.Cmd {
 			huh.NewInput().Title("URL").
 				Placeholder("https://example.com").
 				Description("Required for HTTP monitors").
-				Value(&m.siteFormData.URL),
+				Value(&m.siteFormData.URL).
+				Validate(func(s string) error {
+					if m.siteFormData.SiteType == "push" {
+						return nil
+					}
+					if s == "" {
+						return fmt.Errorf("URL is required for HTTP monitors")
+					}
+					u, err := url.Parse(s)
+					if err != nil {
+						return fmt.Errorf("invalid URL")
+					}
+					if u.Scheme != "http" && u.Scheme != "https" {
+						return fmt.Errorf("URL must start with http:// or https://")
+					}
+					if u.Host == "" {
+						return fmt.Errorf("URL must include a host")
+					}
+					return nil
+				}),
 			huh.NewInput().Title("Check Interval (seconds)").
 				Placeholder("60").
 				Value(&m.siteFormData.Interval),