Replace bare url.ParseRequestURI with parseWebhookURL that enforces:
- Scheme must be http or https (blocks file://, gopher://, etc.)
- Host must be non-empty

This provides actual SSRF protection at config load time. The nolint:gosec
annotations remain because gosec's taint analysis cannot trace validation
across function boundaries — there is no code pattern that satisfies G704
for user-configured webhook URLs. The suppression is justified by the
scheme/host validation in parseWebhookURL.

Full project structure following upaas conventions: uber/fx DI, go-chi
routing, slog logging, Viper config. State persisted as JSON file with
per-nameserver record tracking for inconsistency detection. Stub
implementations for resolver, portcheck, tlscheck, and watcher.
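
The scheme and host checks that the commit message above attributes to parseWebhookURL, sketched as an added example (not the project's code; the function body, the error names and the sample URLs are assumptions). It also reports which of the sample inputs bare url.ParseRequestURI accepts on its own.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Hypothetical error names chosen for this example.
var (
	errScheme = errors.New("webhook URL scheme must be http or https")
	errHost   = errors.New("webhook URL host must be non-empty")
)

// parseWebhookURL sketches the two checks named in the commit message;
// the project's real function body is not shown on the page.
func parseWebhookURL(raw string) (*url.URL, error) {
	u, err := url.ParseRequestURI(raw)
	if err != nil {
		return nil, fmt.Errorf("parse webhook URL: %w", err)
	}
	// net/url lowercases the scheme while parsing, so "HTTP" matches too.
	switch u.Scheme {
	case "http", "https":
	default:
		return nil, fmt.Errorf("%w: got %q", errScheme, u.Scheme)
	}
	// Hostname() drops the port, so a port-only authority counts as empty.
	if u.Hostname() == "" {
		return nil, errHost
	}
	return u, nil
}

// bareAccepts reports whether url.ParseRequestURI alone accepts raw.
func bareAccepts(raw string) bool {
	_, err := url.ParseRequestURI(raw)
	return err == nil
}

func main() {
	// Constructed sample inputs for a webhook URL config field.
	samples := []string{"https://hooks.example.com/notify", "file:///etc/passwd",
		"gopher://example.com/x", "http:///path", "http://:8080/x", "/relative/path"}
	for _, raw := range samples {
		_, err := parseWebhookURL(raw)
		fmt.Printf("%-34s bare=%-5v validated_err=%v\n", raw, bareAccepts(raw), err)
	}
}
```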