feat: gate create_silence behind --enable-silences flag

The create_silence tool is a write operation that can suppress alerts.
Disable it by default and require explicit opt-in via --enable-silences
CLI flag (or enableSilences NixOS option) as a safety measure.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

cmd/lab-monitoring/main.go

@@ -88,6 +88,10 @@ func serveCommand() *cli.Command {
 				Usage: "Session TTL for HTTP transport",
 				Value: 30 * time.Minute,
 			},
+			&cli.BoolFlag{
+				Name:  "enable-silences",
+				Usage: "Enable the create_silence tool (write operation, disabled by default)",
+			},
 		},
 		Action: func(c *cli.Context) error {
 			return runServe(c)
@@ -177,7 +181,10 @@ func runServe(c *cli.Context) error {
 	}
 
 	server := mcp.NewGenericServer(logger, config)
-	monitoring.RegisterHandlers(server, prom, am)
+	opts := monitoring.HandlerOptions{
+		EnableSilences: c.Bool("enable-silences"),
+	}
+	monitoring.RegisterHandlers(server, prom, am, opts)
 
 	transport := c.String("transport")
 	switch transport {