feat: Sprint 1 — production hardening, TLS lifecycle, CI coverage, lint cleanup

- Fix 3 client panics: replace .unwrap()/.expect() with proper error
  handling in rpc.rs (AUTH_CONTEXT lock), repl.rs (pending_member),
  and retry.rs (last_err)
- Add --danger-accept-invalid-certs flag with InsecureServerCertVerifier
  for development TLS bypass, plus mdBook TLS documentation
- Add CI coverage job (cargo-tarpaulin) and Docker build validation
  to GitHub Actions workflow, plus README CI badge
- Add [workspace.lints] config, fix 46 clippy warnings across 8 crates,
  zero warnings on all buildable crates
- Update Dockerfile for all 11 workspace members

crates/quicproquo-server/src/auth.rs

@@ -178,7 +178,7 @@ pub fn validate_auth_context(
     Err(crate::error_codes::coded_error(E003_INVALID_TOKEN, "invalid accessToken"))
 }
 
-pub fn require_identity<'a>(auth_ctx: &'a AuthContext) -> Result<&'a [u8], capnp::Error> {
+pub fn require_identity(auth_ctx: &AuthContext) -> Result<&[u8], capnp::Error> {
     match auth_ctx.identity_key.as_deref() {
         Some(ik) => Ok(ik),
         None => Err(crate::error_codes::coded_error(