Initial commit

CalDAV and CardDAV checkers sharing a single Go module. Discovery follows
RFC 6764 (/.well-known + SRV/TXT), authenticated probes cover principal,
home-set, collections and a minimal REPORT query on top of go-webdav.
Common shape in internal/dav/; CalDAV adds a scheduling rule.

Surfaces its context URL (and each secure-SRV target) as TLS endpoints via
the EndpointDiscoverer interface, so the dedicated TLS checker can pick
them up without re-parsing observations.

HTML report foregrounds common misconfigs (well-known returning 200,
missing SRV, plaintext-only SRV, missing DAV capability, skipped auth
phase) as action-item callouts before the full phase breakdown.

internal/dav/client.go

@@ -0,0 +1,47 @@
+package dav
+
+import (
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+)
+
+// NewHTTPClient uses Go's default TLS validation; cert correctness is the
+// dedicated TLS checker's job, not ours.
+func NewHTTPClient(timeout time.Duration) *http.Client {
+	return &http.Client{
+		Timeout: timeout,
+	}
+}
+
+// basicAuthRoundTripper scopes Basic auth to a single host, so a redirect
+// to a different host won't leak credentials to a third party. Matches
+// curl's behaviour without --location-trusted.
+type basicAuthRoundTripper struct {
+	user, pass string
+	host       string
+	next       http.RoundTripper
+}
+
+func (b *basicAuthRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	if strings.EqualFold(req.URL.Host, b.host) {
+		req.SetBasicAuth(b.user, b.pass)
+	}
+	return b.next.RoundTrip(req)
+}
+
+// WithBasicAuth attaches credentials scoped to the host of contextURL.
+func WithBasicAuth(c *http.Client, contextURL, user, pass string) *http.Client {
+	nc := *c
+	base := c.Transport
+	if base == nil {
+		base = http.DefaultTransport
+	}
+	host := ""
+	if u, err := url.Parse(contextURL); err == nil {
+		host = u.Host
+	}
+	nc.Transport = &basicAuthRoundTripper{user: user, pass: pass, host: host, next: base}
+	return &nc
+}