feat: publish tls.endpoint.v1 discovery entry to enable GetRelated

README.md

@@ -25,22 +25,11 @@ Identifiers" mapping.
    - compares the observed identifiers against the `issue` /
      `issuewild` allow list (or flags a `DisallowIssue` violation).
 
-## Observation payload
+## Rules
 
-This checker does not publish endpoints or add a new observation
+| Code               | Description                                                                                                          | Severity |
-schema. Under its own observation key `caa_policy` it returns a
+|--------------------|----------------------------------------------------------------------------------------------------------------------|----------|
-pass-through view of the zone-side CAA records:
+| `caa_compliance`   | Cross-references TLS certificates observed on the domain against its CAA `issue`/`issuewild` policy, mapping each observed issuer to its CCADB-published CAA identifier. | CRITICAL |
-
-```json
-{
-  "domain": "example.net",
-  "records": [
-    { "flag": 0, "tag": "issue",     "value": "letsencrypt.org" },
-    { "flag": 0, "tag": "issuewild", "value": ";" }
-  ],
-  "run_at": "2026-04-22T12:34:56Z"
-}
-```
 
 ## Rule outcomes
 

checker/discover.go

@@ -0,0 +1,26 @@
+package checker
+
+import (
+	sdk "git.happydns.org/checker-sdk-go/checker"
+	tlscontract "git.happydns.org/checker-tls/contract"
+)
+
+// DiscoverEntries publishes one tls.endpoint.v1 entry for the domain's HTTPS
+// endpoint so checker-tls probes it. Implements sdk.DiscoveryPublisher.
+// On the next checker-tls run the engine will store a DiscoveryObservationRef
+// linking its snapshot back to this checker; GetRelated("tls_probes") in the
+// rule will then return the observed certificates.
+func (p *caaProvider) DiscoverEntries(data any) ([]sdk.DiscoveryEntry, error) {
+	d, ok := data.(*CAAData)
+	if !ok || d == nil || d.Domain == "" {
+		return nil, nil
+	}
+	entry, err := tlscontract.NewEntry(tlscontract.TLSEndpoint{
+		Host: d.Domain,
+		Port: 443,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return []sdk.DiscoveryEntry{entry}, nil
+}

go.mod

@@ -4,6 +4,7 @@ go 1.25.0
 
 require (
 	git.happydns.org/checker-sdk-go v1.5.0
+	git.happydns.org/checker-tls v0.6.2
 	github.com/miekg/dns v1.1.72
 )
 

go.sum

@@ -1,5 +1,7 @@
 git.happydns.org/checker-sdk-go v1.5.0 h1:5uD5Cm6xJ+lwnhbJ09iCXGHbYS9zRh+Yh0NeBHkAPBY=
 git.happydns.org/checker-sdk-go v1.5.0/go.mod h1:aNAcfYFfbhvH9kJhE0Njp5GX0dQbxdRB0rJ0KvSC5nI=
+git.happydns.org/checker-tls v0.6.2 h1:8oKia1XlD+tklyqrwzmUgFH1Kw8VLSLLF9suZ7Qr14E=
+git.happydns.org/checker-tls v0.6.2/go.mod h1:9tpnxg0iOwS+7If64DRG1jqYonUAgxOBuxwfF5mVkL4=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/miekg/dns v1.1.72 h1:vhmr+TF2A3tuoGNkLDFK9zi36F2LS+hKTRW0Uf8kbzI=