fix(clickhouse): resolve security issues in TLS and ReadOnly configuration

- Fix insecure TLS configuration: only enable TLS when SSLMode is not "none" or "disable"
- Fix missing ReadOnly enforcement: set ClickHouse "readonly" setting when ReadOnly="enable"
- Ensure InsecureSkipVerify is only used for "relaxed" mode, not for "none"

Co-authored-by: Anguel <modelorona@users.noreply.github.com>

Author: claude[bot]

core/src/plugins/clickhouse/db.go

@@ -60,13 +60,21 @@ func (p *ClickHousePlugin) DB(config *engine.PluginConfig) (*gorm.DB, error) {
 	if connectionInput.Debug != "disable" {
 		options.Debug = true
 	}
+	// Configure settings based on ReadOnly mode
 	if connectionInput.ReadOnly == "disable" {
 		options.Settings = clickhouse.Settings{
 			"max_execution_time": 60,
 		}
+	} else if connectionInput.ReadOnly == "enable" {
+		options.Settings = clickhouse.Settings{
+			"readonly": 1,
+			"max_execution_time": 60,
+		}
 	}
-	if connectionInput.SSLMode != "disable" {
-		options.TLS = &tls.Config{InsecureSkipVerify: connectionInput.SSLMode == "relaxed" || connectionInput.SSLMode == "none"}
+
+	// Configure TLS - only enable when SSLMode is not "none" and not "disable"
+	if connectionInput.SSLMode != "disable" && connectionInput.SSLMode != "none" {
+		options.TLS = &tls.Config{InsecureSkipVerify: connectionInput.SSLMode == "relaxed"}
 	}
 
 	conn := clickhouse.OpenDB(options)