Add MCPServerEntry CRD types and MCPGroup status fields

[JAORMX]

Summary

VirtualMCPServer currently requires MCPRemoteProxy (which spawns proxy pods) to reach remote MCP servers. This forces OIDC auth on public remotes, creates dual auth boundary confusion, and wastes resources. RFC-55 introduces MCPServerEntry as a zero-infrastructure catalog entry — pure configuration telling vMCP where a remote server exists and how to authenticate.

This PR introduces the CRD types for MCPServerEntry and adds Entries/EntryCount tracking to MCPGroupStatus. It is the first of three PRs implementing #4656 (the controller and MCPGroup integration follow in subsequent PRs).

• Define MCPServerEntrySpec with remoteURL, transport, groupRef, externalAuthConfigRef, headerForward, and caBundleRef fields
• Define MCPServerEntryStatus with Valid/Pending/Failed phase model and GroupRefValid, AuthConfigValid, CABundleValid conditions (using "Valid" semantics since this is a configuration resource, not a workload)
• Add Entries and EntryCount fields to MCPGroupStatus for tracking MCPServerEntry membership
• Register MCPServerEntry in the CRD Helm wrapper feature flags map
• Generate CRD manifests, Helm templates, DeepCopy, and API reference docs

Refs #4656

Type of change

• New feature

Test plan

• Unit tests (task test) — operator unit tests pass
• Linting (task lint-fix) — 0 issues
• Code generation verified (task operator-generate, task operator-manifests, task crdref-gen)

Changes

File	Change
cmd/thv-operator/api/v1alpha1/mcpserverentry_types.go	New CRD types: spec, status, phase enum, condition constants
cmd/thv-operator/api/v1alpha1/mcpgroup_types.go	Add Entries/EntryCount status fields + printer column
deploy/charts/operator-crds/crd-helm-wrapper/main.go	Add mcpserverentries to feature flags map
cmd/thv-operator/api/v1alpha1/zz_generated.deepcopy.go	Generated DeepCopy methods
deploy/charts/operator-crds/files/crds/	Generated CRD manifests
deploy/charts/operator-crds/templates/	Generated Helm-wrapped CRD templates
docs/operator/crd-api.md	Regenerated API reference docs

Special notes for reviewers

• Phase uses Valid/Pending/Failed (not Ready) because MCPServerEntry is a configuration resource, not a workload. This follows the same pattern as MCPExternalAuthConfig and MCPOIDCConfig which use the shared ConditionTypeValid.
• The caBundleRef reuses the existing CABundleSource type from MCPServer (which wraps ConfigMapKeySelector inside configMapRef). The RFC examples show a flatter structure, but codebase consistency was prioritized.
• Annotation for HTTP override is toolhive.stacklok.dev/allow-insecure per RFC-55.
• No finalizer is needed since MCPServerEntry creates no infrastructure to clean up.
• The validation controller and MCPGroup integration will follow in the next PR.

Generated with Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.88%. Comparing base (22a4203) to head (6e230f8).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #4662   +/-   ##
=======================================
  Coverage   68.87%   68.88%           
=======================================
  Files         508      509    +1     
  Lines       52666    52668    +2     
=======================================
+ Hits        36275    36278    +3     
+ Misses      13590    13588    -2     
- Partials     2801     2802    +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[jhrozek]

Review of CRD types, cross-referenced with RFC-0055.

[jhrozek]

All review findings addressed. LGTM.

[ChrisJBurns]

Reviewed with PR Briefing.