Upstream TLS validation and configurable connect timeout

- Add validation_context with trusted CA to all upstream TLS clusters in the Envoy template, fixing 503 errors in environments with TLS-intercepting proxies
- Increase default connect_timeout from 0.5s to 5s for upstream provider clusters to avoid failures behind VPNs/proxies (internal clusters stay at 0.5s)
- Add upstream_connect_timeout and upstream_tls_ca_path overrides in plano_config.yaml for user customization
- Fix missing common_tls_context on the Mistral cluster

cli/planoai/config_generator.py

@@ -460,6 +460,12 @@ def validate_and_render_schema():
 
     print("agent_orchestrator: ", agent_orchestrator)
 
+    overrides = config_yaml.get("overrides", {})
+    upstream_connect_timeout = overrides.get("upstream_connect_timeout", "5s")
+    upstream_tls_ca_path = overrides.get(
+        "upstream_tls_ca_path", "/etc/ssl/certs/ca-certificates.crt"
+    )
+
     data = {
         "prompt_gateway_listener": prompt_gateway,
         "llm_gateway_listener": llm_gateway,
@@ -471,6 +477,8 @@ def validate_and_render_schema():
         "local_llms": llms_with_endpoint,
         "agent_orchestrator": agent_orchestrator,
         "listeners": listeners,
+        "upstream_connect_timeout": upstream_connect_timeout,
+        "upstream_tls_ca_path": upstream_tls_ca_path,
     }
 
     rendered = template.render(data)

cli/uv.lock

@@ -337,7 +337,7 @@ wheels = [
 
 [[package]]
 name = "planoai"
-version = "0.4.6"
+version = "0.4.7"
 source = { editable = "." }
 dependencies = [
     { name = "click" },