Sanitize 403/401 upstream errors into user-friendly messages for LLM consumption

[makeavish]

Problem

When a user's API key has insufficient permissions (e.g., viewer trying to create a dashboard), the upstream SigNoz API returns a 403/401 response. Currently, this raw error is passed directly to the MCP client:

// handler.go - current pattern
return mcp.NewToolResultError(err.Error()), nil

The raw upstream error body may contain internal details (paths, stack traces, internal error codes) that are:

1. Not useful for LLMs — the LLM can't guide the user with a raw HTTP error body

Expected Behavior

When the upstream SigNoz API returns 401 or 403, the tool error returned to the MCP client should be a clear, actionable message like:

You don't have permission to create dashboards. Your API key has viewer-level access.
Contact your SigNoz admin for editor or admin access.

The full upstream error should still be logged server-side for debugging.

Suggested Approach

1. In client.go, detect 401/403 status codes and return typed errors (e.g., ErrUnauthorized, ErrForbidden) instead of generic error strings
2. In handler.go, map these typed errors to user-friendly messages per tool category:
   • Read operations (List*, Get*): "Your API key does not have access to this resource"
   • Write operations (Create*, Update*): "Your API key does not have permission to modify resources. Editor or admin access is required."
3. Log the full upstream error at Error level with tenant context for server-side debugging

Context

This is especially important for the remote multi-tenant MCP server (support-multitenancy branch) where:

• Multiple tenants with different permission levels share the same server
• Error responses are consumed by LLMs that need clear guidance to help users
• Raw upstream errors from one tenant's SigNoz deployment should not leak internal details