fix: deduplicate TLS expiry warnings to prevent notification spam (closes #18)

checkTLSExpiry fired every monitoring cycle with no deduplication,
causing notification spam for expiring certificates. Added an
in-memory map tracking the last notification time per domain/IP
pair, suppressing re-notification within the TLS check interval.

Added TestTLSExpiryWarningDedup to verify deduplication works.

internal/watcher/watcher_test.go

@@ -506,6 +506,61 @@ func TestTLSExpiryWarning(t *testing.T) {
 	}
 }
 
+func TestTLSExpiryWarningDedup(t *testing.T) {
+	t.Parallel()
+
+	cfg := defaultTestConfig(t)
+	cfg.Hostnames = []string{"www.example.com"}
+	cfg.TLSInterval = 24 * time.Hour
+
+	w, deps := newTestWatcher(t, cfg)
+
+	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
+		"ns1.example.com.": {"A": {"1.2.3.4"}},
+	}
+	deps.resolver.ipAddresses["www.example.com"] = []string{
+		"1.2.3.4",
+	}
+	deps.portChecker.results["1.2.3.4:80"] = true
+	deps.portChecker.results["1.2.3.4:443"] = true
+	deps.tlsChecker.certs["1.2.3.4:www.example.com"] = &tlscheck.CertificateInfo{
+		CommonName: "www.example.com",
+		Issuer:     "DigiCert",
+		NotAfter:   time.Now().Add(3 * 24 * time.Hour),
+		SubjectAlternativeNames: []string{
+			"www.example.com",
+		},
+	}
+
+	ctx := t.Context()
+
+	// First run = baseline, no notifications
+	w.RunOnce(ctx)
+
+	// Second run should fire one expiry warning
+	w.RunOnce(ctx)
+
+	// Third run should NOT fire another warning (dedup)
+	w.RunOnce(ctx)
+
+	notifications := deps.notifier.getNotifications()
+
+	expiryCount := 0
+
+	for _, n := range notifications {
+		if n.Title == "TLS Expiry Warning: www.example.com" {
+			expiryCount++
+		}
+	}
+
+	if expiryCount != 1 {
+		t.Errorf(
+			"expected exactly 1 expiry warning (dedup), got %d",
+			expiryCount,
+		)
+	}
+}
+
 func TestGracefulShutdown(t *testing.T) {
 	t.Parallel()