v0.3.0: fix HTTP client leak, add tests and CI pipeline

Reuse a single long-poll HTTP client instead of creating one per
Events() call (~every 30s). Make TLS skip-verify configurable via
syncthing_insecure_tls. Log previously swallowed config errors.
Add unit tests for all monitor trackers, config, and state logic.
Add CI workflow (vet, golangci-lint, govulncheck, go test -race).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/config/config.go

@@ -2,6 +2,7 @@ package config
 
 import (
 	"encoding/json"
+	"log"
 	"os"
 	"sync"
 )
@@ -9,9 +10,10 @@ import (
 // Config holds SyncWarden configuration.
 type Config struct {
 	// Connection
-	SyncthingAddress string `json:"syncthing_address"`
-	SyncthingAPIKey  string `json:"syncthing_api_key"`
-	SyncthingUseTLS  bool   `json:"syncthing_use_tls"`
+	SyncthingAddress     string `json:"syncthing_address"`
+	SyncthingAPIKey      string `json:"syncthing_api_key"`
+	SyncthingUseTLS      bool   `json:"syncthing_use_tls"`
+	SyncthingInsecureTLS bool   `json:"syncthing_insecure_tls"`
 
 	// Feature toggles
 	EnableNotifications  bool `json:"enable_notifications"`
@@ -36,6 +38,7 @@ var defaults = Config{
 	SyncthingAddress:     "localhost:8384",
 	SyncthingAPIKey:      "",
 	SyncthingUseTLS:      false,
+	SyncthingInsecureTLS: true,
 	EnableNotifications:  true,
 	EnableRecentFiles:    true,
 	EnableConflictAlerts: true,
@@ -65,7 +68,9 @@ func Load() Config {
 	if err != nil {
 		return cfg
 	}
-	_ = json.Unmarshal(data, &cfg)
+	if err := json.Unmarshal(data, &cfg); err != nil {
+		log.Printf("config: parse error: %v", err)
+	}
 	cached = &cfg
 	return cfg
 }
@@ -75,7 +80,7 @@ func Save(cfg Config) error {
 	mu.Lock()
 	defer mu.Unlock()
 
-	dir := ConfigDir()
+	dir := configDir()
 	if err := os.MkdirAll(dir, 0o755); err != nil {
 		return err
 	}