feat: publish tls.endpoint.v1 discovery entry to enable GetRelated

2026-05-15 18:44:21 +08:00 · 2026-05-15 18:44:21 +08:00 · c6400c7773
commit c6400c7773
parent 97b2545e2d
4 changed files with 34 additions and 16 deletions
--- a/README.md
+++ b/README.md
@ -25,22 +25,11 @@ Identifiers" mapping.
   - compares the observed identifiers against the `issue` /
     `issuewild` allow list (or flags a `DisallowIssue` violation).

-## Observation payload
+## Rules

-This checker does not publish endpoints or add a new observation
-schema. Under its own observation key `caa_policy` it returns a
-pass-through view of the zone-side CAA records:
-
-```json
-{
-  "domain": "example.net",
-  "records": [
-    { "flag": 0, "tag": "issue",     "value": "letsencrypt.org" },
-    { "flag": 0, "tag": "issuewild", "value": ";" }
-  ],
-  "run_at": "2026-04-22T12:34:56Z"
-}
-```
+| Code               | Description                                                                                                          | Severity |
+|--------------------|----------------------------------------------------------------------------------------------------------------------|----------|
+| `caa_compliance`   | Cross-references TLS certificates observed on the domain against its CAA `issue`/`issuewild` policy, mapping each observed issuer to its CCADB-published CAA identifier. | CRITICAL |

 ## Rule outcomes