The webhook/ntfy URLs come from validated application configuration,
not user input. gosec G704 (new in gosec 2.23.0) taint analysis
cannot distinguish config-provided URLs from user-controlled input.
Full project structure following upaas conventions: uber/fx DI, go-chi
routing, slog logging, Viper config. State persisted as JSON file with
per-nameserver record tracking for inconsistency detection. Stub
implementations for resolver, portcheck, tlscheck, and watcher.
