feat: Sprint 1 — production hardening, TLS lifecycle, CI coverage, lint cleanup

- Fix 3 client panics: replace .unwrap()/.expect() with proper error
  handling in rpc.rs (AUTH_CONTEXT lock), repl.rs (pending_member),
  and retry.rs (last_err)
- Add --danger-accept-invalid-certs flag with InsecureServerCertVerifier
  for development TLS bypass, plus mdBook TLS documentation
- Add CI coverage job (cargo-tarpaulin) and Docker build validation
  to GitHub Actions workflow, plus README CI badge
- Add [workspace.lints] config, fix 46 clippy warnings across 8 crates,
  zero warnings on all buildable crates
- Update Dockerfile for all 11 workspace members

crates/quicproquo-core/src/app_message.rs

@@ -145,10 +145,10 @@ pub fn parse(bytes: &[u8]) -> Result<(MessageType, AppMessage), CoreError> {
     }
     let version = bytes[0];
     if version != VERSION {
-        return Err(CoreError::AppMessage(format!("unsupported version {version}").into()));
+        return Err(CoreError::AppMessage(format!("unsupported version {version}")));
     }
     let msg_type = MessageType::from_byte(bytes[1])
-        .ok_or_else(|| CoreError::AppMessage(format!("unknown message type {}", bytes[1]).into()))?;
+        .ok_or_else(|| CoreError::AppMessage(format!("unknown message type {}", bytes[1])))?;
     let payload = &bytes[2..];
 
     let app = match msg_type {

crates/quicproquo-core/src/padding.rs

@@ -29,7 +29,7 @@ fn bucket_for(content_len: usize) -> usize {
         }
     }
     // Larger than biggest bucket: round up to nearest 16384-byte multiple.
-    ((total + 16383) / 16384) * 16384
+    total.div_ceil(16384) * 16384
 }
 
 /// Pad a payload to the next bucket boundary with cryptographic random bytes.