fix: Go 1.25 upgrade, codebase audit fixes, MCP server tests

Upgrade from Go 1.22 to 1.25 (minimum for MCP SDK, actively supported).
CI updated to match.

Codebase audit fixes:
- Local CA parseIP() now uses net.ParseIP — IP SANs no longer silently dropped
- Nil pointer guards in agent.go GetWorkWithTargets for target/cert enrichment
- MCP CreateCertificateInput marks owner_id/team_id as required
- NGINX connector uses CombinedOutput() — captures diagnostic output on failure
- Jobs handler validates JSON decode on rejection body — returns 400 on malformed
- CRL/OCSP handlers propagate requestID for error tracing

MCP server tests (26 tests):
- client_test.go: HTTP client coverage (GET/POST/PUT/DELETE, auth, 204, errors, binary)
- tools_test.go: tool registration, pagination, end-to-end flows with mock API

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Shankar
2026-03-23 17:36:25 -04:00
parent 7c8d4d29ff
commit d460950cce
10 changed files with 742 additions and 27 deletions
+10 -3
@@ -15,6 +15,7 @@ import (
"fmt"
"log/slog"
"math/big"
"net"
"os"
"sync"
"time"
@@ -558,9 +559,15 @@ func parseIP(s string) []byte {
if s == "localhost" {
return []byte{127, 0, 0, 1}
}
// In production, use net.ParseIP for proper parsing.
// For now, return nil for non-localhost IPs.
return nil
ip := net.ParseIP(s)
if ip == nil {
return nil
}
// Prefer 4-byte representation for IPv4
if v4 := ip.To4(); v4 != nil {
return v4
}
return ip
}
// isEmail checks if a string looks like an email address.
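Review bot: in parseIP, the `if ip == nil { return nil }` branch still drops an unparseable value without any trace, so a mistyped IP SAN disappears from the issued certificate just as before. Since `log/slog` is already imported in this file, log the rejected string at warning level here, or change the signature to return an error so the caller can fail the issuance instead of signing a certificate with fewer SANs than requested. The `"localhost"` special case above it also turns a hostname into an IP SAN of 127.0.0.1 and never covers ::1; a comment stating why that mapping is wanted, or moving that name to the DNS SAN path, would make the intent clear. A table-driven test covering an IPv4 literal, an IPv6 literal, `localhost` and an invalid string would pin down the 4-byte versus 16-byte return lengths this change relies on.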