checker: add domain length validation and refactor rules into per-concern checks

checker/tls_related.go

@@ -98,6 +98,9 @@ func tlsIssuesFromRelated(related []sdk.RelatedObservation) []Issue {
 				if code == "" {
 					code = "tls.unknown"
 				}
+				// Strip a leading "tls." prefix to avoid the double-prefix
+				// "xmpp.tls.tls.*" when the TLS checker already uses that namespace.
+				code = strings.TrimPrefix(code, "tls.")
 				out = append(out, Issue{
 					Code:     "xmpp.tls." + code,
 					Severity: sev,
@@ -135,25 +138,10 @@ func tlsIssuesFromRelated(related []sdk.RelatedObservation) []Issue {
 	return out
 }
 
-// worstSeverity returns "crit" > "warn" > "info" across the TLS issues.
+// worstSeverity synthesises a severity from the structured flags on the probe.
+// It is only called from the flag-only path in tlsIssuesFromRelated (when
+// v.Issues is empty), so there is no issue list to iterate over.
 func (v *tlsProbeView) worstSeverity() string {
-	worst := ""
-	for _, is := range v.Issues {
-		switch strings.ToLower(is.Severity) {
-		case SeverityCrit:
-			return SeverityCrit
-		case SeverityWarn:
-			if worst != SeverityCrit {
-				worst = SeverityWarn
-			}
-		case SeverityInfo:
-			if worst == "" {
-				worst = SeverityInfo
-			}
-		}
-	}
-	// Synthesize a worst severity from structured flags if no explicit
-	// issues list was given (defensive against minimalist TLS checkers).
 	if v.ChainValid != nil && !*v.ChainValid {
 		return SeverityCrit
 	}
@@ -164,9 +152,7 @@ func (v *tlsProbeView) worstSeverity() string {
 		return SeverityCrit
 	}
 	if !v.NotAfter.IsZero() && time.Until(v.NotAfter) < 14*24*time.Hour {
-		if worst != SeverityCrit {
-			return SeverityWarn
-		}
+		return SeverityWarn
 	}
-	return worst
+	return ""
 }