ci: fix Phase 3 post-push CI failures (contextcheck + ST1021)

CI on commit 7e22204 (Phase 3 challenges) failed three lint checks under
golangci-lint. Two were contextcheck on internal/service/acme.go
RespondToChallenge, where the validator-pool dispatch deliberately
detached from the request ctx via 'context.Background()' so the async
WithinTx survives the HTTP handler returning. contextcheck rightly
flagged the non-inherited context — the canonical Go 1.21+ answer for
this exact pattern is context.WithoutCancel(ctx), which preserves
inherited values (logger, trace IDs, audit actor) but detaches
cancellation. Swapping that in clears both contextcheck hits.

The third was ST1021 on internal/api/acme/validators.go: a comment
intended for the (*Pool).Snapshot() method had landed above the
PoolSnapshot type by accident. Split the comment — one prose line
for the type, one for the method — so each exported symbol carries
its own properly-anchored doc.

Confirmed local 'go vet' clean and 'go test -short -count=1' green
across internal/service/ and internal/api/acme/ before commit.

internal/service/acme.go

@@ -1235,10 +1235,11 @@ func (s *ACMEService) RespondToChallenge(
 	}
 
 	// Submit to the pool. The onComplete callback persists the final
-	// challenge status + cascades the parent authz status. We use a
-	// fresh background context here so the callback's WithinTx isn't
-	// canceled when the originating HTTP request returns.
-	bgctx := context.Background()
+	// challenge status + cascades the parent authz status. We detach
+	// from the request context via context.WithoutCancel so the
+	// callback's WithinTx survives the HTTP handler returning, while
+	// preserving inherited values (logger, trace IDs, audit actor).
+	bgctx := context.WithoutCancel(ctx)
 	chSnapshot := *ch
 	authzSnapshot := *authz
 	identifier := authz.Identifier.Value