Harden contract validation, STARTTLS edge cases, and rule output

checker/rules_protocol.go

@@ -4,6 +4,8 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
+	"sort"
+	"strings"
 
 	sdk "git.happydns.org/checker-sdk-go/checker"
 )
@@ -81,25 +83,38 @@ func (r *cipherSuiteRule) Evaluate(ctx context.Context, obs sdk.ObservationGette
 		return []sdk.CheckState{emptyCaseState("tls.cipher_suite.no_endpoints")}
 	}
 
-	var out []sdk.CheckState
+	// Collapse per-endpoint cipher suites into a single info state. One
+	// row per endpoint drowns out actionable rules in the UI on domains
+	// with many endpoints; an aggregated list is enough for visibility.
+	suites := map[string]int{}
+	endpoints := map[string][]string{}
 	for _, ref := range sortedRefs(data) {
 		p := data.Probes[ref]
 		if p.CipherSuite == "" {
 			continue
 		}
-		out = append(out, sdk.CheckState{
-			Status:  sdk.StatusInfo,
-			Code:    "tls.cipher_suite.negotiated",
-			Subject: subjectOf(p),
-			Message: fmt.Sprintf("Cipher suite %s negotiated.", p.CipherSuite),
-			Meta:    metaOf(p),
-		})
+		suites[p.CipherSuite]++
+		endpoints[p.CipherSuite] = append(endpoints[p.CipherSuite], p.Endpoint)
 	}
-	if len(out) == 0 {
+	if len(suites) == 0 {
 		return []sdk.CheckState{unknownState(
 			"tls.cipher_suite.skipped",
 			"No endpoint completed a TLS handshake.",
 		)}
 	}
-	return out
+	names := make([]string, 0, len(suites))
+	for s := range suites {
+		names = append(names, s)
+	}
+	sort.Strings(names)
+	parts := make([]string, 0, len(names))
+	for _, n := range names {
+		parts = append(parts, fmt.Sprintf("%s (%d)", n, suites[n]))
+	}
+	return []sdk.CheckState{{
+		Status:  sdk.StatusInfo,
+		Code:    "tls.cipher_suite.negotiated",
+		Message: "Negotiated cipher suites: " + strings.Join(parts, ", "),
+		Meta:    map[string]any{"suites": endpoints},
+	}}
 }