feat: Sprint 1 — production hardening, TLS lifecycle, CI coverage, lint cleanup

- Fix 3 client panics: replace .unwrap()/.expect() with proper error
  handling in rpc.rs (AUTH_CONTEXT lock), repl.rs (pending_member),
  and retry.rs (last_err)
- Add --danger-accept-invalid-certs flag with InsecureServerCertVerifier
  for development TLS bypass, plus mdBook TLS documentation
- Add CI coverage job (cargo-tarpaulin) and Docker build validation
  to GitHub Actions workflow, plus README CI badge
- Add [workspace.lints] config, fix 46 clippy warnings across 8 crates,
  zero warnings on all buildable crates
- Update Dockerfile for all 11 workspace members

crates/quicproquo-client/src/main.rs

@@ -1,6 +1,6 @@
 //! quicproquo CLI client.
 
-use std::path::PathBuf;
+use std::path::{Path, PathBuf};
 
 use anyhow::Context;
 use clap::{Parser, Subcommand};
@@ -9,7 +9,7 @@ use quicproquo_client::{
     cmd_chat, cmd_check_key, cmd_create_group, cmd_demo_group, cmd_export, cmd_export_verify,
     cmd_fetch_key, cmd_health, cmd_invite, cmd_join, cmd_login, cmd_ping, cmd_recv, cmd_register,
     cmd_register_state, cmd_refresh_keypackage, cmd_register_user, cmd_send, cmd_whoami,
-    init_auth, run_repl, ClientAuth,
+    init_auth, run_repl, set_insecure_skip_verify, ClientAuth,
 };
 #[cfg(feature = "tui")]
 use quicproquo_client::client::tui::run_tui;
@@ -56,6 +56,15 @@ struct Args {
     #[arg(long, global = true, env = "QPQ_STATE_PASSWORD")]
     state_password: Option<String>,
 
+    /// DANGER: Skip TLS certificate verification. Development only.
+    /// Disables all certificate checks, making the connection vulnerable to MITM attacks.
+    #[arg(
+        long = "danger-accept-invalid-certs",
+        global = true,
+        env = "QPQ_DANGER_ACCEPT_INVALID_CERTS"
+    )]
+    danger_accept_invalid_certs: bool,
+
     // ── Default-repl args (used when no subcommand is given) ─────────
     /// State file path (identity + MLS state). Used when running the default REPL.
     #[arg(long, default_value = "qpq-state.bin", env = "QPQ_STATE")]
@@ -393,7 +402,7 @@ enum Command {
 /// `state` unchanged. This lets `qpq --username alice` automatically isolate
 /// Alice's state without requiring a manual `--state` flag.
 fn derive_state_path(state: PathBuf, username: Option<&str>) -> PathBuf {
-    if state == PathBuf::from("qpq-state.bin") {
+    if state == Path::new("qpq-state.bin") {
         if let Some(uname) = username {
             return PathBuf::from(format!("qpq-{uname}.bin"));
         }
@@ -417,6 +426,11 @@ async fn main() -> anyhow::Result<()> {
 
     let args = Args::parse();
 
+    if args.danger_accept_invalid_certs {
+        eprintln!("WARNING: TLS verification disabled — insecure mode");
+        set_insecure_skip_verify(true);
+    }
+
     // For the REPL and TUI, defer init_auth so they can resolve their own token via OPAQUE.
     // For all other subcommands, initialize auth immediately.
     #[cfg(not(feature = "tui"))]