Initial scaffold with per-nameserver DNS monitoring model

Full project structure following upaas conventions: uber/fx DI, go-chi
routing, slog logging, Viper config. State persisted as JSON file with
per-nameserver record tracking for inconsistency detection. Stub
implementations for resolver, portcheck, tlscheck, and watcher.

internal/tlscheck/tlscheck.go

@@ -0,0 +1,58 @@
+// Package tlscheck provides TLS certificate inspection.
+package tlscheck
+
+import (
+	"context"
+	"errors"
+	"log/slog"
+	"time"
+
+	"go.uber.org/fx"
+
+	"sneak.berlin/go/dnswatcher/internal/logger"
+)
+
+// ErrNotImplemented indicates the TLS checker is not yet implemented.
+var ErrNotImplemented = errors.New(
+	"tls checker not yet implemented",
+)
+
+// Params contains dependencies for Checker.
+type Params struct {
+	fx.In
+
+	Logger *logger.Logger
+}
+
+// Checker performs TLS certificate inspection.
+type Checker struct {
+	log *slog.Logger
+}
+
+// CertificateInfo holds information about a TLS certificate.
+type CertificateInfo struct {
+	CommonName              string
+	Issuer                  string
+	NotAfter                time.Time
+	SubjectAlternativeNames []string
+}
+
+// New creates a new TLS Checker instance.
+func New(
+	_ fx.Lifecycle,
+	params Params,
+) (*Checker, error) {
+	return &Checker{
+		log: params.Logger.Get(),
+	}, nil
+}
+
+// CheckCertificate connects to the given IP:port using SNI and
+// returns certificate information.
+func (c *Checker) CheckCertificate(
+	_ context.Context,
+	_ string,
+	_ string,
+) (*CertificateInfo, error) {
+	return nil, ErrNotImplemented
+}