checker: move hasPKIXUsage from report.go to rule.go

The observation timestamp is already managed by the core; there is no
need for the checker to record it separately.

checker/collect.go

@@ -8,7 +8,6 @@ import (
 	"sort"
 	"strconv"
 	"strings"
-	"time"
 
 	sdk "git.happydns.org/checker-sdk-go/checker"
 	tlscontract "git.happydns.org/checker-tls/contract"
@@ -192,9 +191,8 @@ func (p *daneProvider) Collect(ctx context.Context, opts sdk.CheckerOptions) (an
 	}
 
 	data := &DANEData{
-		Targets:     targets,
-		Invalid:     invalid,
-		CollectedAt: time.Now().UTC(),
+		Targets: targets,
+		Invalid: invalid,
 	}
 	if v, ok := opts[OptionDNSSECValidated]; ok {
 		if b, ok := v.(bool); ok {

checker/report.go

@@ -47,7 +47,6 @@ func (p *daneProvider) GetHTMLReport(ctx sdk.ReportContext) (string, error) {
 	}
 
 	view := reportView{
-		CollectedAt: data.CollectedAt.Format("2006-01-02 15:04 MST"),
 		TargetCount: len(data.Targets),
 		Diagnoses:   diagnose(data, probes),
 		Rows:        rows,
@@ -65,7 +64,6 @@ func (p *daneProvider) GetHTMLReport(ctx sdk.ReportContext) (string, error) {
 // the per-row status label/class and leaf string keeps the template free of
 // branching beyond simple range/if.
 type reportView struct {
-	CollectedAt string
 	TargetCount int
 	Diagnoses   []diagnosis
 	Rows        []reportRow
@@ -166,17 +164,6 @@ func sevRank(s string) int {
 	}
 }
 
-// hasPKIXUsage reports whether any TLSA record at this target demands PKIX
-// validation (usage 0 or 1).
-func hasPKIXUsage(t TargetResult) bool {
-	for _, r := range t.Records {
-		if r.Usage == UsagePKIXTA || r.Usage == UsagePKIXEE {
-			return true
-		}
-	}
-	return false
-}
-
 // proposedTLSA renders a ready-to-paste replacement RR computed from the
 // live chain. The (usage, selector, matching) triplet is taken from the
 // user's first existing record so the suggestion stays consistent with
@@ -246,7 +233,7 @@ var reportTemplate = template.Must(template.New("dane").Parse(`<!DOCTYPE html>
 </head>
 <body><main>
 <h1>DANE / TLSA</h1>
-<p class="meta">Collected {{.CollectedAt}} · {{.TargetCount}} endpoint(s).</p>
+<p class="meta">{{.TargetCount}} endpoint(s).</p>
 {{with .Diagnoses}}<section class="diagnosis">
 <h2>Action required</h2>
 {{range .}}<article class="finding sev-{{.Severity}}">

checker/rule.go

@@ -269,6 +269,17 @@ func indexProbes(related []sdk.RelatedObservation) map[string]*tls.TLSProbe {
 	return out
 }
 
+// hasPKIXUsage reports whether any TLSA record at this target demands PKIX
+// validation (usage 0 or 1).
+func hasPKIXUsage(t TargetResult) bool {
+	for _, r := range t.Records {
+		if r.Usage == UsagePKIXTA || r.Usage == UsagePKIXEE {
+			return true
+		}
+	}
+	return false
+}
+
 func truncHex(s string) string {
 	if len(s) > 12 {
 		return s[:12] + "…"

checker/types.go

@@ -18,8 +18,6 @@
 //     SHA-512) are matched against the chain slot implied by the usage.
 package checker
 
-import "time"
-
 // ObservationKeyDANE is the observation key this checker writes.
 const ObservationKeyDANE = "dane_checks"
 
@@ -89,8 +87,7 @@ type DANEData struct {
 	// records set the AD bit. Only populated by the standalone interactive
 	// flow (lookupTLSA); nil in managed mode where records come from the
 	// user's zone config and DNSSEC posture is checked elsewhere.
-	DNSSECValidated *bool     `json:"dnssec_validated,omitempty"`
-	CollectedAt     time.Time `json:"collected_at"`
+	DNSSECValidated *bool `json:"dnssec_validated,omitempty"`
 }
 
 // InvalidRecord describes a TLSA record dropped during Collect.