feat: gate create_silence behind --enable-silences flag

The create_silence tool is a write operation that can suppress alerts.
Disable it by default and require explicit opt-in via --enable-silences
CLI flag (or enableSilences NixOS option) as a safety measure.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

nix/lab-monitoring-module.nix

@@ -33,6 +33,12 @@ in
       description = "Alertmanager base URL.";
     };
 
+    enableSilences = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Enable the create_silence tool (write operation, disabled by default).";
+    };
+
     http = {
       address = lib.mkOption {
         type = lib.types.str;
@@ -102,8 +108,9 @@ in
 
       script = let
         httpFlags = mkHttpFlags cfg.http;
+        silenceFlag = lib.optionalString cfg.enableSilences "--enable-silences";
       in ''
-        exec ${cfg.package}/bin/lab-monitoring serve ${httpFlags}
+        exec ${cfg.package}/bin/lab-monitoring serve ${httpFlags} ${silenceFlag}
       '';
 
       serviceConfig = {