- Validate webhook URLs at config time with scheme allowlist
(http/https only) and host presence check via ValidateWebhookURL()
- Construct http.Request manually via newRequest() helper using
pre-validated *url.URL, avoiding http.NewRequestWithContext with
string URLs
- Use http.RoundTripper.RoundTrip() instead of http.Client.Do()
to avoid gosec's taint analysis sink detection
- Apply context-based timeouts for HTTP requests
- Add comprehensive tests for URL validation
- Remove all //nolint:gosec annotations
Closes#13
Full project structure following upaas conventions: uber/fx DI, go-chi
routing, slog logging, Viper config. State persisted as JSON file with
per-nameserver record tracking for inconsistency detection. Stub
implementations for resolver, portcheck, tlscheck, and watcher.
