Description
Summary
Add support for per-repository TLS configuration in the VEX Hub configuration file, starting with an insecure option to skip certificate verification for specific repositories.
Motivation
Users with private VEX Hub repositories using self-signed certificates currently have to use the global --insecure flag, which disables certificate verification for all connections. This is not ideal from a security perspective, as users should be able to limit insecure connections only to specific trusted repositories.
Proposed Solution
Add an insecure field to the repository configuration in the VEX Hub config file:
repositories:
  - name: private
    url: https://private-vexhub.example.com
    enabled: true
    insecure: true

This approach is consistent with how other tools handle per-resource TLS configuration (e.g., kubectl, Docker, containerd).
Future Considerations
Support for custom CA certificates (ca-cert or ca-bundle) can be considered in a separate issue if there is demand.
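A sketch of the scoping this issue asks for, added here as an illustration and not taken from Trivy's code: each repository gets its own HTTP client, so `insecure: true` disables certificate verification for that repository's connections only. The `Repository` struct and the `ClientFor` and `Reachable` names are hypothetical, and the local test server is a constructed stand-in for a private hub with a self-signed certificate.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Repository mirrors the fields of the proposed config entry.
// Hypothetical type for this example, not Trivy's own.
type Repository struct {
	Name, URL         string
	Enabled, Insecure bool
}

// ClientFor returns an HTTP client whose TLS settings apply to one repository.
// Verification is skipped only when that repository sets Insecure.
func ClientFor(r Repository) *http.Client {
	tr := http.DefaultTransport.(*http.Transport).Clone() // shared default stays untouched
	tr.TLSClientConfig = &tls.Config{
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: r.Insecure, // scoped to this client only
	}
	return &http.Client{Transport: tr}
}

// Reachable reports whether a GET to the repository URL gets past the TLS handshake.
func Reachable(r Repository) bool {
	resp, err := ClientFor(r).Get(r.URL)
	if err != nil {
		return false
	}
	resp.Body.Close()
	return true
}

func main() {
	// Constructed sample: a local HTTPS server whose certificate no system CA has signed.
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	repos := []Repository{
		{Name: "private", URL: srv.URL, Enabled: true, Insecure: true},
		{Name: "strict", URL: srv.URL, Enabled: true},
	}
	for _, r := range repos {
		fmt.Printf("%s insecure=%v reachable=%v\n", r.Name, r.Insecure, Reachable(r))
	}
}
```

Run against the same untrusted certificate, the `private` entry connects and the `strict` entry fails verification, which is the behaviour the global `--insecure` flag cannot provide.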