fix: TICKET-016 document InsecureSkipVerify, TICKET-019 consistent error wrapping, TICKET-020 config struct docs

TICKET-016: Document InsecureSkipVerify rationale
- Added detailed security comments above each InsecureSkipVerify usage
- Explained that discovery/verification must see ALL certificates
- Clarified that InsecureSkipVerify is scoped to probing only
- Referenced full security audit rationale
- Updated: internal/service/network_scan.go, cmd/agent/verify.go

TICKET-019: Consistent error wrapping in services
- Wrapped raw error returns with context in DeleteTarget (network_scan.go)
- Wrapped raw error returns in ClaimDiscovered (discovery.go)
- Wrapped raw error returns in DismissDiscovered (discovery.go)
- Pattern: return fmt.Errorf("failed to <operation>: %w", err)

TICKET-020: Config struct documentation
- Added godoc comments to all config struct fields
- Documented valid values, defaults, requirements, dependencies
- Updated: NotifierConfig, KeygenConfig, CAConfig, StepCAConfig
- Updated: ACMEConfig, OpenSSLConfig, ESTConfig
- Updated: SchedulerConfig, LogConfig, AuthConfig, RateLimitConfig
- Updated: ServerConfig, DatabaseConfig, VerificationConfig, NetworkScanConfig
- All fields now have comprehensive inline documentation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/service/discovery.go

@@ -151,7 +151,7 @@ func (s *DiscoveryService) ClaimDiscovered(ctx context.Context, id string, manag
 	// Verify the discovered cert exists
 	disc, err := s.discoveryRepo.GetDiscovered(ctx, id)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to get discovered certificate: %w", err)
 	}
 
 	// Verify the managed cert exists
@@ -160,7 +160,7 @@ func (s *DiscoveryService) ClaimDiscovered(ctx context.Context, id string, manag
 	}
 
 	if err := s.discoveryRepo.UpdateDiscoveredStatus(ctx, id, domain.DiscoveryStatusManaged, managedCertID); err != nil {
-		return err
+		return fmt.Errorf("failed to update discovered certificate status: %w", err)
 	}
 
 	// Audit trail
@@ -180,7 +180,7 @@ func (s *DiscoveryService) ClaimDiscovered(ctx context.Context, id string, manag
 // DismissDiscovered marks a discovered certificate as dismissed.
 func (s *DiscoveryService) DismissDiscovered(ctx context.Context, id string) error {
 	if err := s.discoveryRepo.UpdateDiscoveredStatus(ctx, id, domain.DiscoveryStatusDismissed, ""); err != nil {
-		return err
+		return fmt.Errorf("failed to dismiss discovered certificate: %w", err)
 	}
 
 	// Audit trail

internal/service/network_scan.go

@@ -147,7 +147,7 @@ func (s *NetworkScanService) UpdateTarget(ctx context.Context, id string, target
 // DeleteTarget removes a network scan target.
 func (s *NetworkScanService) DeleteTarget(ctx context.Context, id string) error {
 	if err := s.networkScanRepo.Delete(ctx, id); err != nil {
-		return err
+		return fmt.Errorf("failed to delete network scan target: %w", err)
 	}
 
 	s.auditService.RecordEvent(ctx, "operator", domain.ActorTypeUser,
@@ -418,7 +418,14 @@ func (s *NetworkScanService) probeTLS(ctx context.Context, address string, timeo
 
 	dialer := &net.Dialer{Timeout: timeout}
 	conn, err := tls.DialWithDialer(dialer, "tcp", address, &tls.Config{
-		InsecureSkipVerify: true, // We want to discover ALL certs, including self-signed
+		// SECURITY NOTE: InsecureSkipVerify is intentionally set to true here.
+		// The network scanner must discover ALL certificates including self-signed,
+		// expired, and internal CA certificates. This setting is scoped to discovery
+		// probing only — it is NEVER used for control-plane API calls, issuer
+		// connector communication, or any operation that trusts the certificate.
+		// The endpoint's certificate chain is extracted and analyzed, not validated.
+		// See TICKET-016 for full security audit rationale.
+		InsecureSkipVerify: true,
 	})
 	if err != nil {
 		result.Error = err.Error()