feat(endpoint): warn when added security item's option toggle is disabled (DX-5701)

[johnpmitsch]

Summary

Items added under a disabled security option are not enforced and don't appear in list output until the option is enabled via set-options — so a plain success message made them look like they silently vanished:

❯ qn endpoint security referrer add ep-1 foo.com
✓ Whitelisted referrer "foo.com" on ep-1
# referrers toggle is disabled → the referrer has no effect and doesn't list

After every toggle-governed add/set (token create, referrer add, ip add, jwt add, domain-mask add, request-filter create, ip-header set), the CLI now makes one best-effort GET /endpoints/{id}/security_options and, if the governing option is disabled, warns on stderr with the exact enable command:

✓ Whitelisted referrer "foo.com" on ep-1
⚠ The 'referrers' security option is disabled on ep-1 —
  this referrer will have no effect until you enable it:
    qn endpoint security set-options --referrers enabled ep-1

The check never blocks: a failed lookup is swallowed (the add already succeeded, exit 0 either way), and --quiet skips the extra request entirely. Adds OutputCtx::warn for advisory stderr messages alongside note.

Closes DX-5701

Test plan

• endpoint_security_referrer_add_warns_when_option_disabled — add + options GET both hit, exit 0
• endpoint_security_referrer_add_skips_options_check_when_quiet — options GET .expect(0) under --quiet
• endpoint_security_referrer_add_succeeds_when_options_check_fails — options GET 500 → still exit 0
• endpoint_security_domain_mask_add_checks_options — second-command coverage
• Subprocess stderr tests: disabled → warning text + enable hint present; enabled → ✓ note only, no ⚠
• cargo test (all suites green), cargo clippy --all-targets -- -D warnings, cargo fmt --check