fix: Go 1.25 upgrade, codebase audit fixes, MCP server tests

Upgrade from Go 1.22 to 1.25 (minimum for MCP SDK, actively supported).
CI updated to match.

Codebase audit fixes:
- Local CA parseIP() now uses net.ParseIP — IP SANs no longer silently dropped
- Nil pointer guards in agent.go GetWorkWithTargets for target/cert enrichment
- MCP CreateCertificateInput marks owner_id/team_id as required
- NGINX connector uses CombinedOutput() — captures diagnostic output on failure
- Jobs handler validates JSON decode on rejection body — returns 400 on malformed
- CRL/OCSP handlers propagate requestID for error tracing

MCP server tests (26 tests):
- client_test.go: HTTP client coverage (GET/POST/PUT/DELETE, auth, 204, errors, binary)
- tools_test.go: tool registration, pagination, end-to-end flows with mock API

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/service/agent.go

@@ -439,7 +439,7 @@ func (s *AgentService) GetWorkWithTargets(agentID string) ([]domain.WorkItem, er
 		// Enrich with target details for deployment jobs
 		if j.TargetID != nil && *j.TargetID != "" {
 			target, err := s.targetRepo.Get(context.Background(), *j.TargetID)
-			if err == nil {
+			if err == nil && target != nil {
 				item.TargetType = string(target.Type)
 				item.TargetConfig = target.Config
 			}
@@ -448,7 +448,7 @@ func (s *AgentService) GetWorkWithTargets(agentID string) ([]domain.WorkItem, er
 		// Enrich with certificate details for AwaitingCSR jobs (agent needs CN + SANs for CSR)
 		if j.Status == domain.JobStatusAwaitingCSR {
 			cert, err := s.certRepo.Get(context.Background(), j.CertificateID)
-			if err == nil {
+			if err == nil && cert != nil {
 				item.CommonName = cert.CommonName
 				item.SANs = cert.SANs
 			}