feat: Sprint 1 — production hardening, TLS lifecycle, CI coverage, lint cleanup

- Fix 3 client panics: replace .unwrap()/.expect() with proper error
  handling in rpc.rs (AUTH_CONTEXT lock), repl.rs (pending_member),
  and retry.rs (last_err)
- Add --danger-accept-invalid-certs flag with InsecureServerCertVerifier
  for development TLS bypass, plus mdBook TLS documentation
- Add CI coverage job (cargo-tarpaulin) and Docker build validation
  to GitHub Actions workflow, plus README CI badge
- Add [workspace.lints] config, fix 46 clippy warnings across 8 crates,
  zero warnings on all buildable crates
- Update Dockerfile for all 11 workspace members

crates/quicproquo-server/src/config.rs

@@ -121,7 +121,7 @@ pub fn merge_config(args: &crate::Args, file: &FileConfig) -> EffectiveConfig {
         args.data_dir.clone()
     };
 
-    let tls_cert = if args.tls_cert == PathBuf::from(DEFAULT_TLS_CERT) {
+    let tls_cert = if args.tls_cert == Path::new(DEFAULT_TLS_CERT) {
         file.tls_cert
             .clone()
             .unwrap_or_else(|| PathBuf::from(DEFAULT_TLS_CERT))
@@ -129,7 +129,7 @@ pub fn merge_config(args: &crate::Args, file: &FileConfig) -> EffectiveConfig {
         args.tls_cert.clone()
     };
 
-    let tls_key = if args.tls_key == PathBuf::from(DEFAULT_TLS_KEY) {
+    let tls_key = if args.tls_key == Path::new(DEFAULT_TLS_KEY) {
         file.tls_key
             .clone()
             .unwrap_or_else(|| PathBuf::from(DEFAULT_TLS_KEY))
@@ -159,7 +159,7 @@ pub fn merge_config(args: &crate::Args, file: &FileConfig) -> EffectiveConfig {
         args.store_backend.clone()
     };
 
-    let db_path = if args.db_path == PathBuf::from(DEFAULT_DB_PATH) {
+    let db_path = if args.db_path == Path::new(DEFAULT_DB_PATH) {
         file.db_path
             .clone()
             .unwrap_or_else(|| PathBuf::from(DEFAULT_DB_PATH))