Warn when non-default TUF mirror URL is configured #1665

@vdemeester

Description

Summary

When signers.x509.tuf.mirror.url is set to a non-default value, Chains should log a prominent warning that the trust boundary has been expanded. This setting controls where the TUF root metadata (root.json) is fetched from — effectively a trust-root selector.

The setting exists for legitimate air-gapped deployments with local Fulcio + TUF mirrors, but operators should be aware of the security implications.

Proposal

  1. Log a warning at startup when signers.x509.tuf.mirror.url is non-default — e.g.: "Custom TUF mirror URL configured. The TUF root will be fetched from [URL]. This setting is intended for air-gapped environments with a local Fulcio deployment and TUF mirror."
  2. Add URL parsing / sanity checks — reject obviously invalid URLs, log scheme/host for visibility
  3. Document in the security/trust model docs that this setting expands the trust boundary and is meant for air-gapped environments only
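A sketch of the startup check proposed in steps 1 and 2, as an added example (not Chains' own code): the default-mirror constant and the function name are assumptions, since the real default lives in Chains' config code.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Assumed placeholder for the built-in default; the real value lives in Chains' config code.
const defaultTUFMirror = "https://tuf-mirror.example.invalid"

// MirrorCheck is the outcome of validating signers.x509.tuf.mirror.url.
type MirrorCheck struct {
	NonDefault bool   // operator overrode the default mirror
	Scheme     string // logged for visibility
	Host       string // logged for visibility
	Warning    string // prominent warning text; empty for the default
}

// checkTUFMirrorURL applies the issue's proposal: reject obviously invalid
// values before they reach http.Get, and build the startup warning whenever
// the value differs from the default (the trust root is being re-selected).
func checkTUFMirrorURL(configured string) (MirrorCheck, error) {
	raw := strings.TrimSpace(configured)
	if raw == "" || raw == defaultTUFMirror {
		return MirrorCheck{}, nil // default trust root: nothing to warn about
	}
	u, err := url.Parse(raw)
	if err != nil {
		return MirrorCheck{}, fmt.Errorf("tuf.mirror.url %q: %w", raw, err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return MirrorCheck{}, fmt.Errorf("tuf.mirror.url %q: scheme must be http or https", raw)
	}
	if u.Hostname() == "" {
		return MirrorCheck{}, fmt.Errorf("tuf.mirror.url %q: missing host", raw)
	}
	warn := fmt.Sprintf("Custom TUF mirror URL configured (scheme=%s host=%s). "+
		"The TUF root will be fetched from %s. This setting is intended for "+
		"air-gapped environments with a local Fulcio deployment and TUF mirror.",
		u.Scheme, u.Host, raw)
	if u.Scheme == "http" {
		warn += " The root metadata will be fetched over plaintext HTTP."
	}
	return MirrorCheck{NonDefault: true, Scheme: u.Scheme, Host: u.Host, Warning: warn}, nil
}
```

The returned Warning is what the startup log line would carry; a non-nil error is the signal to refuse the configuration before any fetch happens.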

Context

Reported via GHSA-jqc2-g622-rrfg. The setting passes the URL to http.Get() without validation (pkg/chains/signing/x509/x509.go:169). While exploitation requires write access to the chains-config ConfigMap (which already grants broad control over Chains behavior), surfacing a warning makes misconfiguration or compromise more visible to operators.

Related: #1661 (trust model documentation)

/kind feature
