feat: implement GET /api/v1/domains and /api/v1/hostnames endpoints

Implement the two API endpoints documented in the README that were previously returning 404: - GET /api/v1/domains: Returns configured domains with their discovered nameservers, last check time, and status (ok/pending). - GET /api/v1/hostnames: Returns configured hostnames with per-nameserver DNS records, status, and last check time. Both endpoints read from the existing state store and config, requiring no new dependencies. Nameserver results in the hostnames endpoint are sorted for deterministic output. Closes #67
fix: use context.Background() for watcher goroutine lifetime (#63 )
2026-03-01 16:07:07 -08:00 · 2026-03-02 00:39:08 +01:00 · 2026-03-02 00:32:27 +01:00 · 2026-03-02 00:10:49 +01:00
8 changed files with 463 additions and 36 deletions
--- a/README.md
+++ b/README.md
@@ -110,8 +110,8 @@ includes:
 - **NS recoveries**: Which nameserver recovered, which hostname/domain.
 - **NS inconsistencies**: Which nameservers disagree, what each one
  returned, which hostname affected.
- **Port changes**: Which IP:port, old state, new state, associated
-  hostname.
+- **Port changes**: Which IP:port, old state, new state, all associated
+  hostnames.
 - **TLS expiry warnings**: Which certificate, days remaining, CN,
  issuer, associated hostname and IP.
 - **TLS certificate changes**: Old and new CN/issuer/SANs, associated
@@ -290,12 +290,12 @@ not as a merged view, to enable inconsistency detection.
  "ports": {
    "93.184.216.34:80": {
      "open": true,
-      "hostname": "www.example.com",
+      "hostnames": ["www.example.com"],
      "lastChecked": "2026-02-19T12:00:00Z"
    },
    "93.184.216.34:443": {
      "open": true,
-      "hostname": "www.example.com",
+      "hostnames": ["www.example.com"],
      "lastChecked": "2026-02-19T12:00:00Z"
    }
  },
@@ -367,9 +367,15 @@ docker run -d \
   triggering change notifications).
 2. **Initial check**: Immediately perform all DNS, port, and TLS checks
   on startup.
-3. **Periodic checks**:
-   - DNS and port checks: every `DNSWATCHER_DNS_INTERVAL` (default 1h).
-   - TLS checks: every `DNSWATCHER_TLS_INTERVAL` (default 12h).
+3. **Periodic checks** (DNS always runs first):
+   - DNS checks: every `DNSWATCHER_DNS_INTERVAL` (default 1h). Also
+     re-run before every TLS check cycle to ensure fresh IPs.
+   - Port checks: every `DNSWATCHER_DNS_INTERVAL`, after DNS completes.
+   - TLS checks: every `DNSWATCHER_TLS_INTERVAL` (default 12h), after
+     DNS completes.
+   - Port and TLS checks always use freshly resolved IP addresses from
+     the DNS phase that immediately precedes them — never stale IPs
+     from a previous cycle.
 4. **On change detection**: Send notifications to all configured
   endpoints, update in-memory state, persist to disk.
 5. **Shutdown**: Persist final state to disk, complete in-flight
--- a/internal/handlers/domains.go
+++ b/internal/handlers/domains.go
@@ -0,0 +1,60 @@
+package handlers
+
+import (
+	"net/http"
+	"time"
+)
+
+// domainResponse represents a single domain in the API response.
+type domainResponse struct {
+	Domain      string   `json:"domain"`
+	Nameservers []string `json:"nameservers,omitempty"`
+	LastChecked string   `json:"lastChecked,omitempty"`
+	Status      string   `json:"status"`
+}
+
+// domainsResponse is the top-level response for GET /api/v1/domains.
+type domainsResponse struct {
+	Domains []domainResponse `json:"domains"`
+}
+
+// HandleDomains returns the configured domains and their status.
+func (h *Handlers) HandleDomains() http.HandlerFunc {
+	return func(
+		writer http.ResponseWriter,
+		request *http.Request,
+	) {
+		configured := h.config.Domains
+		snapshot := h.state.GetSnapshot()
+
+		domains := make(
+			[]domainResponse, 0, len(configured),
+		)
+
+		for _, domain := range configured {
+			dr := domainResponse{
+				Domain: domain,
+				Status: "pending",
+			}
+
+			ds, ok := snapshot.Domains[domain]
+			if ok {
+				dr.Nameservers = ds.Nameservers
+				dr.Status = "ok"
+
+				if !ds.LastChecked.IsZero() {
+					dr.LastChecked = ds.LastChecked.
+						Format(time.RFC3339)
+				}
+			}
+
+			domains = append(domains, dr)
+		}
+
+		h.respondJSON(
+			writer, request,
+			&domainsResponse{Domains: domains},
+			http.StatusOK,
+		)
+	}
+}
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -8,9 +8,11 @@ import (

 	"go.uber.org/fx"

+	"sneak.berlin/go/dnswatcher/internal/config"
 	"sneak.berlin/go/dnswatcher/internal/globals"
 	"sneak.berlin/go/dnswatcher/internal/healthcheck"
 	"sneak.berlin/go/dnswatcher/internal/logger"
+	"sneak.berlin/go/dnswatcher/internal/state"
 )

 // Params contains dependencies for Handlers.
@@ -20,6 +22,8 @@ type Params struct {
 	Logger      *logger.Logger
 	Globals     *globals.Globals
 	Healthcheck *healthcheck.Healthcheck
+	State       *state.State
+	Config      *config.Config
 }

 // Handlers provides HTTP request handlers.
@@ -28,6 +32,8 @@ type Handlers struct {
 	params  *Params
 	globals *globals.Globals
 	hc      *healthcheck.Healthcheck
+	state   *state.State
+	config  *config.Config
 }

 // New creates a new Handlers instance.
@@ -37,6 +43,8 @@ func New(_ fx.Lifecycle, params Params) (*Handlers, error) {
 		params:  &params,
 		globals: params.Globals,
 		hc:      params.Healthcheck,
+		state:   params.State,
+		config:  params.Config,
 	}, nil
 }

@@ -44,7 +52,7 @@ func (h *Handlers) respondJSON(
 	writer http.ResponseWriter,
 	_ *http.Request,
 	data any,
-	status int,
+	status int, //nolint:unparam // general-purpose utility; status varies in future use
 ) {
 	writer.Header().Set("Content-Type", "application/json")
 	writer.WriteHeader(status)
--- a/internal/handlers/hostnames.go
+++ b/internal/handlers/hostnames.go
@@ -0,0 +1,120 @@
+package handlers
+
+import (
+	"net/http"
+	"sort"
+	"time"
+
+	"sneak.berlin/go/dnswatcher/internal/state"
+)
+
+// nameserverRecordResponse represents one nameserver's records
+// in the API response.
+type nameserverRecordResponse struct {
+	Nameserver  string              `json:"nameserver"`
+	Records     map[string][]string `json:"records"`
+	Status      string              `json:"status"`
+	Error       string              `json:"error,omitempty"`
+	LastChecked string              `json:"lastChecked,omitempty"`
+}
+
+// hostnameResponse represents a single hostname in the API response.
+type hostnameResponse struct {
+	Hostname    string                     `json:"hostname"`
+	Nameservers []nameserverRecordResponse `json:"nameservers,omitempty"`
+	LastChecked string                     `json:"lastChecked,omitempty"`
+	Status      string                     `json:"status"`
+}
+
+// hostnamesResponse is the top-level response for
+// GET /api/v1/hostnames.
+type hostnamesResponse struct {
+	Hostnames []hostnameResponse `json:"hostnames"`
+}
+
+// HandleHostnames returns the configured hostnames and their status.
+func (h *Handlers) HandleHostnames() http.HandlerFunc {
+	return func(
+		writer http.ResponseWriter,
+		request *http.Request,
+	) {
+		configured := h.config.Hostnames
+		snapshot := h.state.GetSnapshot()
+
+		hostnames := make(
+			[]hostnameResponse, 0, len(configured),
+		)
+
+		for _, hostname := range configured {
+			hr := hostnameResponse{
+				Hostname: hostname,
+				Status:   "pending",
+			}
+
+			hs, ok := snapshot.Hostnames[hostname]
+			if ok {
+				hr.Status = "ok"
+
+				if !hs.LastChecked.IsZero() {
+					hr.LastChecked = hs.LastChecked.
+						Format(time.RFC3339)
+				}
+
+				hr.Nameservers = buildNameserverRecords(
+					hs,
+				)
+			}
+
+			hostnames = append(hostnames, hr)
+		}
+
+		h.respondJSON(
+			writer, request,
+			&hostnamesResponse{Hostnames: hostnames},
+			http.StatusOK,
+		)
+	}
+}
+
+// buildNameserverRecords converts the per-nameserver state map
+// into a sorted slice for deterministic JSON output.
+func buildNameserverRecords(
+	hs *state.HostnameState,
+) []nameserverRecordResponse {
+	if hs.RecordsByNameserver == nil {
+		return nil
+	}
+
+	nsNames := make(
+		[]string, 0, len(hs.RecordsByNameserver),
+	)
+	for ns := range hs.RecordsByNameserver {
+		nsNames = append(nsNames, ns)
+	}
+
+	sort.Strings(nsNames)
+
+	records := make(
+		[]nameserverRecordResponse, 0, len(nsNames),
+	)
+
+	for _, ns := range nsNames {
+		nsr := hs.RecordsByNameserver[ns]
+
+		entry := nameserverRecordResponse{
+			Nameserver: ns,
+			Records:    nsr.Records,
+			Status:     nsr.Status,
+			Error:      nsr.Error,
+		}
+
+		if !nsr.LastChecked.IsZero() {
+			entry.LastChecked = nsr.LastChecked.
+				Format(time.RFC3339)
+		}
+
+		records = append(records, entry)
+	}
+
+	return records
+}
--- a/internal/server/routes.go
+++ b/internal/server/routes.go
@@ -28,6 +28,8 @@ func (s *Server) SetupRoutes() {
 	// API v1 routes
 	s.router.Route("/api/v1", func(r chi.Router) {
 		r.Get("/status", s.handlers.HandleStatus())
+		r.Get("/domains", s.handlers.HandleDomains())
+		r.Get("/hostnames", s.handlers.HandleHostnames())
 	})

 	// Metrics endpoint (optional, with basic auth)
--- a/internal/state/state.go
+++ b/internal/state/state.go
@@ -57,10 +57,49 @@ type HostnameState struct {
 // PortState holds the monitoring state for a port.
 type PortState struct {
 	Open        bool      `json:"open"`
-	Hostname    string    `json:"hostname"`
+	Hostnames   []string  `json:"hostnames"`
 	LastChecked time.Time `json:"lastChecked"`
 }

+// UnmarshalJSON implements custom unmarshaling to handle both
+// the old single-hostname format and the new multi-hostname
+// format for backward compatibility with existing state files.
+func (ps *PortState) UnmarshalJSON(data []byte) error {
+	// Use an alias to prevent infinite recursion.
+	type portStateAlias struct {
+		Open        bool      `json:"open"`
+		Hostnames   []string  `json:"hostnames"`
+		LastChecked time.Time `json:"lastChecked"`
+	}
+
+	var alias portStateAlias
+
+	err := json.Unmarshal(data, &alias)
+	if err != nil {
+		return fmt.Errorf("unmarshaling port state: %w", err)
+	}
+
+	ps.Open = alias.Open
+	ps.Hostnames = alias.Hostnames
+	ps.LastChecked = alias.LastChecked
+
+	// If Hostnames is empty, try reading the old single-hostname
+	// format for backward compatibility.
+	if len(ps.Hostnames) == 0 {
+		var old struct {
+			Hostname string `json:"hostname"`
+		}
+
+		// Best-effort: ignore errors since the main unmarshal
+		// already succeeded.
+		if json.Unmarshal(data, &old) == nil && old.Hostname != "" {
+			ps.Hostnames = []string{old.Hostname}
+		}
+	}
+
+	return nil
+}
+
 // CertificateState holds TLS certificate monitoring state.
 type CertificateState struct {
 	CommonName              string    `json:"commonName"`
@@ -263,6 +302,27 @@ func (s *State) GetPortState(key string) (*PortState, bool) {
 	return ps, ok
 }

+// DeletePortState removes a port state entry.
+func (s *State) DeletePortState(key string) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	delete(s.snapshot.Ports, key)
+}
+
+// GetAllPortKeys returns all port state keys.
+func (s *State) GetAllPortKeys() []string {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+
+	keys := make([]string, 0, len(s.snapshot.Ports))
+	for k := range s.snapshot.Ports {
+		keys = append(keys, k)
+	}
+
+	return keys
+}
+
 // SetCertificateState updates the state for a certificate.
 func (s *State) SetCertificateState(
 	key string,
--- a/internal/watcher/watcher.go
+++ b/internal/watcher/watcher.go
@@ -72,13 +72,15 @@ func New(
 	}

 	lifecycle.Append(fx.Hook{
-		OnStart: func(startCtx context.Context) error {
-			ctx, cancel := context.WithCancel(
-				context.WithoutCancel(startCtx),
-			)
+		OnStart: func(_ context.Context) error {
+			// Use context.Background() — the fx startup context
+			// expires after startup completes, so deriving from it
+			// would cancel the watcher immediately. The watcher's
+			// lifetime is controlled by w.cancel in OnStop.
+			ctx, cancel := context.WithCancel(context.Background())
 			w.cancel = cancel

-			go w.Run(ctx)
+			go w.Run(ctx) //nolint:contextcheck // intentionally not derived from startCtx

 			return nil
 		},
@@ -141,9 +143,16 @@ func (w *Watcher) Run(ctx context.Context) {

 			return
 		case <-dnsTicker.C:
-			w.runDNSAndPortChecks(ctx)
+			w.runDNSChecks(ctx)
+
+			w.checkAllPorts(ctx)
 			w.saveState()
 		case <-tlsTicker.C:
+			// Run DNS first so TLS checks use freshly
+			// resolved IP addresses, not stale ones from
+			// a previous cycle.
+			w.runDNSChecks(ctx)
+
 			w.runTLSChecks(ctx)
 			w.saveState()
 		}
@@ -151,10 +160,26 @@ func (w *Watcher) Run(ctx context.Context) {
 }

 // RunOnce performs a single complete monitoring cycle.
+// DNS checks run first so that port and TLS checks use
+// freshly resolved IP addresses. Port checks run before
+// TLS because TLS checks only target IPs with an open
+// port 443.
 func (w *Watcher) RunOnce(ctx context.Context) {
 	w.detectFirstRun()
-	w.runDNSAndPortChecks(ctx)
+
+	// Phase 1: DNS resolution must complete first so that
+	// subsequent checks use fresh IP addresses.
+	w.runDNSChecks(ctx)
+
+	// Phase 2: Port checks populate port state that TLS
+	// checks depend on (TLS only targets IPs where port
+	// 443 is open).
+	w.checkAllPorts(ctx)
+
+	// Phase 3: TLS checks use fresh DNS IPs and current
+	// port state.
 	w.runTLSChecks(ctx)
+
 	w.saveState()
 	w.firstRun = false
 }
@@ -171,7 +196,11 @@ func (w *Watcher) detectFirstRun() {
 	}
 }

-func (w *Watcher) runDNSAndPortChecks(ctx context.Context) {
+// runDNSChecks performs DNS resolution for all configured domains
+// and hostnames, updating state with freshly resolved records.
+// This must complete before port or TLS checks run so those
+// checks operate on current IP addresses.
+func (w *Watcher) runDNSChecks(ctx context.Context) {
 	for _, domain := range w.config.Domains {
 		w.checkDomain(ctx, domain)
 	}
@@ -179,8 +208,6 @@ func (w *Watcher) runDNSAndPortChecks(ctx context.Context) {
 	for _, hostname := range w.config.Hostnames {
 		w.checkHostname(ctx, hostname)
 	}
-
-	w.checkAllPorts(ctx)
 }

 func (w *Watcher) checkDomain(
@@ -448,24 +475,94 @@ func (w *Watcher) detectInconsistencies(
 }

 func (w *Watcher) checkAllPorts(ctx context.Context) {
-	for _, hostname := range w.config.Hostnames {
-		w.checkPortsForHostname(ctx, hostname)
+	// Phase 1: Build current IP:port → hostname associations
+	// from fresh DNS data.
+	associations := w.buildPortAssociations()
+
+	// Phase 2: Check each unique IP:port and update state
+	// with the full set of associated hostnames.
+	for key, hostnames := range associations {
+		ip, port := parsePortKey(key)
+		if port == 0 {
+			continue
 		}

-	for _, domain := range w.config.Domains {
-		w.checkPortsForHostname(ctx, domain)
+		w.checkSinglePort(ctx, ip, port, hostnames)
 	}
+
+	// Phase 3: Remove port state entries that no longer have
+	// any hostname referencing them.
+	w.cleanupStalePorts(associations)
 }

-func (w *Watcher) checkPortsForHostname(
-	ctx context.Context,
-	hostname string,
-) {
-	ips := w.collectIPs(hostname)
+// buildPortAssociations constructs a map from IP:port keys to
+// the sorted set of hostnames currently resolving to that IP.
+func (w *Watcher) buildPortAssociations() map[string][]string {
+	assoc := make(map[string]map[string]bool)

+	allNames := make(
+		[]string, 0,
+		len(w.config.Hostnames)+len(w.config.Domains),
+	)
+	allNames = append(allNames, w.config.Hostnames...)
+	allNames = append(allNames, w.config.Domains...)
+
+	for _, name := range allNames {
+		ips := w.collectIPs(name)
 		for _, ip := range ips {
 			for _, port := range monitoredPorts {
-			w.checkSinglePort(ctx, ip, port, hostname)
+				key := fmt.Sprintf("%s:%d", ip, port)
+				if assoc[key] == nil {
+					assoc[key] = make(map[string]bool)
+				}
+
+				assoc[key][name] = true
+			}
+		}
+	}
+
+	result := make(map[string][]string, len(assoc))
+	for key, set := range assoc {
+		hostnames := make([]string, 0, len(set))
+		for h := range set {
+			hostnames = append(hostnames, h)
+		}
+
+		sort.Strings(hostnames)
+
+		result[key] = hostnames
+	}
+
+	return result
+}
+
+// parsePortKey splits an "ip:port" key into its components.
+func parsePortKey(key string) (string, int) {
+	lastColon := strings.LastIndex(key, ":")
+	if lastColon < 0 {
+		return key, 0
+	}
+
+	ip := key[:lastColon]
+
+	var p int
+
+	_, err := fmt.Sscanf(key[lastColon+1:], "%d", &p)
+	if err != nil {
+		return ip, 0
+	}
+
+	return ip, p
+}
+
+// cleanupStalePorts removes port state entries that are no
+// longer referenced by any hostname in the current DNS data.
+func (w *Watcher) cleanupStalePorts(
+	currentAssociations map[string][]string,
+) {
+	for _, key := range w.state.GetAllPortKeys() {
+		if _, exists := currentAssociations[key]; !exists {
+			w.state.DeletePortState(key)
 		}
 	}
 }
@@ -502,7 +599,7 @@ func (w *Watcher) checkSinglePort(
 	ctx context.Context,
 	ip string,
 	port int,
-	hostname string,
+	hostnames []string,
 ) {
 	result, err := w.portCheck.CheckPort(ctx, ip, port)
 	if err != nil {
@@ -527,8 +624,8 @@ func (w *Watcher) checkSinglePort(
 		}

 		msg := fmt.Sprintf(
-			"Host: %s\nAddress: %s\nPort now %s",
-			hostname, key, stateStr,
+			"Hosts: %s\nAddress: %s\nPort now %s",
+			strings.Join(hostnames, ", "), key, stateStr,
 		)

 		w.notify.SendNotification(
@@ -541,7 +638,7 @@ func (w *Watcher) checkSinglePort(

 	w.state.SetPortState(key, &state.PortState{
 		Open:        result.Open,
-		Hostname:    hostname,
+		Hostnames:   hostnames,
 		LastChecked: now,
 	})
 }
--- a/internal/watcher/watcher_test.go
+++ b/internal/watcher/watcher_test.go
@@ -682,6 +682,80 @@ func TestGracefulShutdown(t *testing.T) {
 	}
 }

+func setupHostnameIP(
+	deps *testDeps,
+	hostname, ip string,
+) {
+	deps.resolver.allRecords[hostname] = map[string]map[string][]string{
+		"ns1.example.com.": {"A": {ip}},
+	}
+	deps.portChecker.results[ip+":80"] = true
+	deps.portChecker.results[ip+":443"] = true
+	deps.tlsChecker.certs[ip+":"+hostname] = &tlscheck.CertificateInfo{
+		CommonName:              hostname,
+		Issuer:                  "DigiCert",
+		NotAfter:                time.Now().Add(90 * 24 * time.Hour),
+		SubjectAlternativeNames: []string{hostname},
+	}
+}
+
+func updateHostnameIP(deps *testDeps, hostname, ip string) {
+	deps.resolver.mu.Lock()
+	deps.resolver.allRecords[hostname] = map[string]map[string][]string{
+		"ns1.example.com.": {"A": {ip}},
+	}
+	deps.resolver.mu.Unlock()
+
+	deps.portChecker.mu.Lock()
+	deps.portChecker.results[ip+":80"] = true
+	deps.portChecker.results[ip+":443"] = true
+	deps.portChecker.mu.Unlock()
+
+	deps.tlsChecker.mu.Lock()
+	deps.tlsChecker.certs[ip+":"+hostname] = &tlscheck.CertificateInfo{
+		CommonName:              hostname,
+		Issuer:                  "DigiCert",
+		NotAfter:                time.Now().Add(90 * 24 * time.Hour),
+		SubjectAlternativeNames: []string{hostname},
+	}
+	deps.tlsChecker.mu.Unlock()
+}
+
+func TestDNSRunsBeforePortAndTLSChecks(t *testing.T) {
+	t.Parallel()
+
+	cfg := defaultTestConfig(t)
+	cfg.Hostnames = []string{"www.example.com"}
+
+	w, deps := newTestWatcher(t, cfg)
+
+	setupHostnameIP(deps, "www.example.com", "10.0.0.1")
+
+	ctx := t.Context()
+	w.RunOnce(ctx)
+
+	snap := deps.state.GetSnapshot()
+	if _, ok := snap.Ports["10.0.0.1:80"]; !ok {
+		t.Fatal("expected port state for 10.0.0.1:80")
+	}
+
+	// DNS changes to a new IP; port and TLS must pick it up.
+	updateHostnameIP(deps, "www.example.com", "10.0.0.2")
+
+	w.RunOnce(ctx)
+
+	snap = deps.state.GetSnapshot()
+
+	if _, ok := snap.Ports["10.0.0.2:80"]; !ok {
+		t.Error("port check used stale DNS: missing 10.0.0.2:80")
+	}
+
+	certKey := "10.0.0.2:443:www.example.com"
+	if _, ok := snap.Certificates[certKey]; !ok {
+		t.Error("TLS check used stale DNS: missing " + certKey)
+	}
+}
+
 func TestNSFailureAndRecovery(t *testing.T) {
 	t.Parallel()
Author	SHA1	Message	Date
clawbot	83643f84ab	feat: implement GET /api/v1/domains and /api/v1/hostnames endpoints All checks were successful check / check (push) Successful in 46s Details Implement the two API endpoints documented in the README that were previously returning 404: - GET /api/v1/domains: Returns configured domains with their discovered nameservers, last check time, and status (ok/pending). - GET /api/v1/hostnames: Returns configured hostnames with per-nameserver DNS records, status, and last check time. Both endpoints read from the existing state store and config, requiring no new dependencies. Nameserver results in the hostnames endpoint are sorted for deterministic output. Closes #67	2026-03-01 16:07:07 -08:00
clawbot	6ebc4ffa04	fix: use context.Background() for watcher goroutine lifetime (#63 ) All checks were successful check / check (push) Successful in 31s Details ## Summary The `OnStart` hook previously derived the watcher's context from the fx startup context (`startCtx`) via `context.WithoutCancel()`. While `WithoutCancel` strips cancellation and deadline, using `context.Background()` makes the intent explicit: the watcher's monitoring loop must outlive the fx startup phase and is controlled solely by the `cancel` func called in `OnStop`. ## Changes - Replace `context.WithCancel(context.WithoutCancel(startCtx))` with `context.WithCancel(context.Background())` - Add explanatory comment documenting why the watcher context is not derived from the startup context - Unused `startCtx` parameter changed to `_` Closes #53 Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de> Co-authored-by: Jeffrey Paul <sneak@noreply.example.org> Reviewed-on: #63 Co-authored-by: clawbot <clawbot@noreply.example.org> Co-committed-by: clawbot <clawbot@noreply.example.org>	2026-03-02 00:39:08 +01:00
clawbot	b20e75459f	fix: track multiple hostnames per IP:port in port state (#65 ) All checks were successful check / check (push) Successful in 34s Details ## Summary Port state keys are `ip:port` with a single `hostname` field. When multiple hostnames resolve to the same IP (shared hosting, CDN), only one hostname was associated. This caused orphaned port state when that hostname removed the IP from DNS while the IP remained valid for other hostnames. ## Changes ### State (`internal/state/state.go`) - `PortState.Hostname` (string) → `PortState.Hostnames` ([]string) - Custom `UnmarshalJSON` for backward compatibility: reads old single `hostname` field and migrates to a single-element `hostnames` slice - Added `DeletePortState` and `GetAllPortKeys` methods for cleanup ### Watcher (`internal/watcher/watcher.go`) - Refactored `checkAllPorts` into three phases: 1. Build IP:port → hostname associations from current DNS data 2. Check each unique IP:port once with all associated hostnames 3. Clean up stale port state entries with no hostname references - Port change notifications now list all associated hostnames (`Hosts:` instead of `Host:`) - Added `buildPortAssociations`, `parsePortKey`, and `cleanupStalePorts` helper functions ### README - Updated state file format example: `hostname` → `hostnames` (array) - Updated notification description to reflect multiple hostnames ## Backward Compatibility Existing state files with the old single `hostname` string are handled gracefully via custom JSON unmarshaling — they are read as single-element `hostnames` slices. Closes #55 Co-authored-by: clawbot <clawbot@noreply.eeqj.de> Reviewed-on: #65 Co-authored-by: clawbot <clawbot@noreply.example.org> Co-committed-by: clawbot <clawbot@noreply.example.org>	2026-03-02 00:32:27 +01:00
clawbot	ee14bd01ae	fix: enforce DNS-first ordering for port and TLS checks (#64 ) All checks were successful check / check (push) Successful in 8s Details ## Summary DNS checks now always complete before port or TLS checks begin, ensuring those checks use freshly resolved IP addresses instead of potentially stale ones from a previous cycle. ## Problem Port and TLS checks read IP addresses from state that was populated during the most recent DNS check. If DNS changes between cycles, port/TLS checks may target stale IPs. In particular, when the TLS ticker fired (every 12h), it ran `runTLSChecks` without refreshing DNS first — meaning TLS checks could use IPs that were up to 12 hours old. ## Changes - Extract `runDNSChecks()` from the former `runDNSAndPortChecks()` so DNS resolution can be invoked independently as a prerequisite for any check type. - TLS ticker now runs DNS first: When the TLS ticker fires, DNS checks run before TLS checks, ensuring fresh IPs. - `RunOnce` uses explicit 3-phase ordering: DNS → ports → TLS. Port checks must complete before TLS because TLS checks only target IPs where port 443 is open. - New test `TestDNSRunsBeforePortAndTLSChecks`: Verifies that when DNS IPs change between cycles, port and TLS checks pick up the new IPs. - README updated: Monitoring lifecycle section now documents the DNS-first ordering guarantee. ## Check ordering \| Trigger \| Phase 1 \| Phase 2 \| Phase 3 \| \|---------\|---------\|---------\|----------\| \| Startup (`RunOnce`) \| DNS \| Ports \| TLS \| \| DNS ticker \| DNS \| Ports \| — \| \| TLS ticker \| DNS \| — \| TLS \| closes #58 Co-authored-by: user <user@Mac.lan guest wan> Reviewed-on: #64 Co-authored-by: clawbot <clawbot@noreply.example.org> Co-committed-by: clawbot <clawbot@noreply.example.org>	2026-03-02 00:10:49 +01:00