Replace bare url.ParseRequestURI with parseWebhookURL that enforces:
- Scheme must be http or https (blocks file://, gopher://, etc.)
- Host must be non-empty
This provides actual SSRF protection at config load time. The nolint:gosec
annotations remain because gosec's taint analysis cannot trace validation
across function boundaries — there is no code pattern that satisfies G704
for user-configured webhook URLs. The suppression is justified by the
scheme/host validation in parseWebhookURL.
Replace DNSWATCHER_DOMAINS and DNSWATCHER_HOSTNAMES with a single
DNSWATCHER_TARGETS env var. Names are automatically classified as apex
domains or hostnames using the Public Suffix List
(golang.org/x/net/publicsuffix).
- ClassifyDNSName() uses EffectiveTLDPlusOne to determine type
- Public suffixes themselves (e.g. co.uk) are rejected with an error
- Old DOMAINS/HOSTNAMES vars removed entirely (pre-1.0, no compat needed)
- README updated with pre-1.0 warning
Closes#10
Full project structure following upaas conventions: uber/fx DI, go-chi
routing, slog logging, Viper config. State persisted as JSON file with
per-nameserver record tracking for inconsistency detection. Stub
implementations for resolver, portcheck, tlscheck, and watcher.
