Initial commit

CalDAV and CardDAV checkers sharing a single Go module. Discovery follows
RFC 6764 (/.well-known + SRV/TXT), authenticated probes cover principal,
home-set, collections and a minimal REPORT query on top of go-webdav.
Common shape in internal/dav/; CalDAV adds a scheduling rule.

Surfaces its context URL (and each secure-SRV target) as TLS endpoints via
the EndpointDiscoverer interface, so the dedicated TLS checker can pick
them up without re-parsing observations.

HTML report foregrounds common misconfigs (well-known returning 200,
missing SRV, plaintext-only SRV, missing DAV capability, skipped auth
phase) as action-item callouts before the full phase breakdown.

README.md

@@ -0,0 +1,75 @@
+# checker-dav
+
+happyDomain checkers for **CalDAV** (RFC 4791) and **CardDAV** (RFC 6352)
+servers. Discovery (RFC 6764) + OPTIONS + authenticated PROPFIND/REPORT
+probes, with an opinionated HTML report that foregrounds common misconfigs.
+
+Two binaries are produced from this module:
+
+| Binary           | Checker ID | Entrypoint                      |
+|------------------|------------|---------------------------------|
+| `checker-caldav` | `caldav`   | `./cmd/checker-caldav`          |
+| `checker-carddav`| `carddav`  | `./cmd/checker-carddav`         |
+
+Shared code lives in `internal/dav/`: discovery, OPTIONS parsing, raw-XML
+PROPFIND helpers, the rule set, and the HTML template.
+
+## Build
+
+```
+make                   # builds both binaries
+make checker-caldav    # one binary
+make plugin            # .so plugins for in-process loading
+make docker            # both Docker images
+make test              # unit tests
+```
+
+## Run
+
+```
+./checker-caldav -listen :8080
+```
+
+The SDK exposes `/definition`, `/collect`, `/evaluate`, `/report`, and
+`/health` as usual. Pass `Accept: text/html` on `/report` to get the HTML
+view; the default is a JSON metrics dump.
+
+## Options
+
+Both checkers accept the same options:
+
+- `domain_name` (auto-filled): required
+- `username`, `password`: optional Basic credentials; unlock authenticated
+  checks (principal, home-set, collections, REPORT probe)
+- `context_url`: optional explicit override, bypasses `/.well-known` + SRV
+- `timeout_seconds`: per-request HTTP timeout, default 10
+
+## What is checked
+
+1. **Discovery**: `/.well-known/{caldav,carddav}` (must 3xx, not 200),
+   `_caldavs._tcp` / `_carddavs._tcp` SRV, TXT `path=` hint.
+2. **Transport**: HTTPS reachable. TLS certificate validation is
+   deliberately out of scope; a dedicated TLS checker covers that.
+3. **OPTIONS**: `DAV:` advertises `calendar-access` or `addressbook`; Allow
+   includes `PROPFIND` and `REPORT`; auth schemes captured for info.
+4. **Principal**: PROPFIND `current-user-principal` (auth required).
+5. **Home-set**: `calendar-home-set` / `addressbook-home-set`.
+6. **Collections**: enumerate, record properties (`supported-calendar-component-set`,
+   `supported-address-data`, display name, description, max size).
+7. **REPORT probe**: issue a minimal `calendar-query` / `addressbook-query`
+   against the first collection.
+8. **Scheduling** (CalDAV only): if `calendar-schedule` is advertised,
+   verify `schedule-inbox-URL` and `schedule-outbox-URL` on the principal.
+
+The HTML report surfaces the most common failures at the top as callouts:
+
+- `/.well-known` returns 200 instead of 301/302
+- No SRV and no well-known → service unreachable
+- Plaintext SRV record without secure counterpart
+- Server does not advertise the required DAV class (wrong endpoint or stripping proxy)
+- No credentials supplied → authenticated phase skipped
+
+## Dependencies
+
+- [`github.com/emersion/go-webdav`](https://github.com/emersion/go-webdav): CalDAV/CardDAV client
+- [`git.happydns.org/checker-sdk-go`](https://git.happydns.org/happyDomain/checker-sdk-go): checker SDK