docs: update README for TARGETS config and add pre-1.0 notice

feat: replace DOMAINS/HOSTNAMES with single TARGETS config
Single DNSWATCHER_TARGETS env var replaces the separate DOMAINS and HOSTNAMES variables. Classification is automatic via the PSL. Closes #10
2026-02-19 20:09:07 -08:00 · 2026-02-19 20:09:07 -08:00 · 2026-02-19 20:09:07 -08:00
13 changed files with 173 additions and 1739 deletions
--- a/README.md
+++ b/README.md
@@ -1,6 +1,7 @@
 # dnswatcher
-> ⚠️ Pre-1.0 software. APIs, configuration, and behavior may change without notice.
+> ⚠️ **Pre-1.0 software.** APIs, configuration, and behavior may change
 > without notice.
 dnswatcher is a production DNS and infrastructure monitoring daemon written in
 Go.  It watches configured DNS domains and hostnames for changes, monitors TCP
@@ -18,10 +19,19 @@ without requiring an external database.
 ## Features
 ### Target Classification
 All monitored DNS names are provided via a single `DNSWATCHER_TARGETS`
 list.  dnswatcher uses the [Public Suffix List](https://publicsuffix.org/)
 to automatically classify each entry as an apex domain (eTLD+1, e.g.
 `example.com`, `example.co.uk`) or a hostname (subdomain, e.g.
 `www.example.com`).  Apex domains receive NS delegation monitoring;
 hostnames receive per-nameserver record monitoring.  Both receive port
 and TLS checks.
 ### DNS Domain Monitoring (Apex Domains)
- Accepts a list of DNS domain names (apex domains, identified via the
+- Apex domains are identified automatically via the PSL.
  [Public Suffix List](https://publicsuffix.org/)).
 - Every **1 hour**, performs a full iterative trace from root servers to
  discover all authoritative nameservers (NS records) for each domain.
 - Queries **every** discovered authoritative nameserver independently.
@@ -197,7 +207,7 @@ the following precedence (highest to lowest):
 | `PORT`                          | HTTP listen port                           | `8080`      |
 | `DNSWATCHER_DEBUG`              | Enable debug logging                       | `false`     |
 | `DNSWATCHER_DATA_DIR`           | Directory for state file                   | `./data`    |
-| `DNSWATCHER_TARGETS`            | Comma-separated DNS names (auto-classified via PSL) | `""`  |
+| `DNSWATCHER_TARGETS`            | Comma-separated list of DNS names to monitor | `""`      |
 | `DNSWATCHER_SLACK_WEBHOOK`      | Slack incoming webhook URL                 | `""`        |
 | `DNSWATCHER_MATTERMOST_WEBHOOK` | Mattermost incoming webhook URL            | `""`        |
 | `DNSWATCHER_NTFY_TOPIC`         | ntfy topic URL                             | `""`        |
--- a/cmd/dnswatcher/main.go
+++ b/cmd/dnswatcher/main.go
@@ -51,20 +51,6 @@ func main() {
 			handlers.New,
 			server.New,
 		),
 		fx.Provide(
 			func(r *resolver.Resolver) watcher.DNSResolver {
 				return r
 			},
 			func(p *portcheck.Checker) watcher.PortChecker {
 				return p
 			},
 			func(t *tlscheck.Checker) watcher.TLSChecker {
 				return t
 			},
 			func(n *notify.Service) watcher.Notifier {
 				return n
 			},
 		),
 		fx.Invoke(func(*server.Server, *watcher.Watcher) {}),
 	).Run()
 }
--- a/go.mod
+++ b/go.mod
@@ -9,6 +9,7 @@ require (
 	github.com/joho/godotenv v1.5.1
 	github.com/prometheus/client_golang v1.23.2
 	github.com/spf13/viper v1.21.0
 	github.com/stretchr/testify v1.11.1
 	go.uber.org/fx v1.24.0
 	golang.org/x/net v0.50.0
 )
@@ -16,10 +17,12 @@ require (
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
 	github.com/prometheus/common v0.66.1 // indirect
 	github.com/prometheus/procfs v0.16.1 // indirect
@@ -37,4 +40,5 @@ require (
 	golang.org/x/sys v0.41.0 // indirect
 	golang.org/x/text v0.34.0 // indirect
 	google.golang.org/protobuf v1.36.8 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/internal/config/classify.go
+++ b/internal/config/classify.go
@@ -1,83 +1,59 @@
 // Package config provides application configuration via Viper.
 package config
 import (
 	"errors"
 	"fmt"
 	"strings"
 	"golang.org/x/net/publicsuffix"
 )
-// DNSNameType indicates whether a DNS name is an apex domain or a hostname.
+// ClassifyTarget determines whether a DNS name is an apex domain
-type DNSNameType int
+// (eTLD+1) or a hostname (subdomain of an eTLD+1). Returns
-
+// "domain" or "hostname". Returns an error if the name is itself
-const (
+// a public suffix (e.g. "co.uk") or otherwise invalid.
-	// DNSNameTypeDomain indicates the name is an apex (eTLD+1) domain.
+func ClassifyTarget(name string) (string, error) {
-	DNSNameTypeDomain DNSNameType = iota
+	// Normalize: lowercase, strip trailing dot.
-	// DNSNameTypeHostname indicates the name is a subdomain/hostname.
+	name = strings.ToLower(strings.TrimSuffix(name, "."))
 	DNSNameTypeHostname
 )
 // ErrEmptyDNSName is returned when an empty string is passed to ClassifyDNSName.
 var ErrEmptyDNSName = errors.New("empty DNS name")
 // String returns the string representation of a DNSNameType.
 func (t DNSNameType) String() string {
 	switch t {
 	case DNSNameTypeDomain:
 		return "domain"
 	case DNSNameTypeHostname:
 		return "hostname"
 	default:
 		return "unknown"
 	}
 }
 // ClassifyDNSName determines whether a DNS name is an apex domain or a
 // hostname (subdomain) using the Public Suffix List. It returns an error
 // if the input is empty or is itself a public suffix (e.g. "co.uk").
 func ClassifyDNSName(name string) (DNSNameType, error) {
 	name = strings.ToLower(strings.TrimSuffix(strings.TrimSpace(name), "."))
 	if name == "" {
-		return 0, ErrEmptyDNSName
+		return "", fmt.Errorf("empty target name")
 	}
-	etld1, err := publicsuffix.EffectiveTLDPlusOne(name)
+	apex, err := publicsuffix.EffectiveTLDPlusOne(name)
 	if err != nil {
-		return 0, fmt.Errorf("invalid DNS name %q: %w", name, err)
+		return "", fmt.Errorf(
 			"invalid target %q: %w", name, err,
 		)
 	}
-	if name == etld1 {
+	if name == apex {
-		return DNSNameTypeDomain, nil
+		return "domain", nil
 	}
-	return DNSNameTypeHostname, nil
+	return "hostname", nil
 }
-// ClassifyTargets splits a list of DNS names into apex domains and
+// classifyTargets splits a list of DNS names into apex domains
-// hostnames using the Public Suffix List. It returns an error if any
+// and hostnames using the Public Suffix List.
-// name cannot be classified.
+func classifyTargets(
-func ClassifyTargets(targets []string) ([]string, []string, error) {
+	targets []string,
-	var domains, hostnames []string
+) (domains, hostnames []string, err error) {
-
+	for _, target := range targets {
-	for _, t := range targets {
+		kind, classifyErr := ClassifyTarget(target)
-		normalized := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(t), "."))
+		if classifyErr != nil {
-
+			return nil, nil, classifyErr
 		if normalized == "" {
 			continue
 		}
-		typ, classErr := ClassifyDNSName(normalized)
+		switch kind {
-		if classErr != nil {
+		case "domain":
-			return nil, nil, classErr
+			domains = append(domains, strings.ToLower(
-		}
+				strings.TrimSuffix(target, "."),
-
+			))
-		switch typ {
+		case "hostname":
-		case DNSNameTypeDomain:
+			hostnames = append(hostnames, strings.ToLower(
-			domains = append(domains, normalized)
+				strings.TrimSuffix(target, "."),
-		case DNSNameTypeHostname:
+			))
 			hostnames = append(hostnames, normalized)
 		}
 	}
--- a/internal/config/classify_test.go
+++ b/internal/config/classify_test.go
@@ -1,52 +1,51 @@
-package config_test
+package config
 import (
 	"testing"
-	"sneak.berlin/go/dnswatcher/internal/config"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
-func TestClassifyDNSName(t *testing.T) {
+func TestClassifyTarget(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
 		name     string
 		input    string
-		want    config.DNSNameType
+		expected string
 		wantErr  bool
 	}{
-		{name: "apex domain simple", input: "example.com", want: config.DNSNameTypeDomain},
+		{"apex .com", "example.com", "domain", false},
-		{name: "hostname simple", input: "www.example.com", want: config.DNSNameTypeHostname},
+		{"apex .org", "example.org", "domain", false},
-		{name: "apex domain multi-part TLD", input: "example.co.uk", want: config.DNSNameTypeDomain},
+		{"apex .co.uk", "example.co.uk", "domain", false},
-		{name: "hostname multi-part TLD", input: "api.example.co.uk", want: config.DNSNameTypeHostname},
+		{"apex .com.au", "example.com.au", "domain", false},
-		{name: "public suffix itself", input: "co.uk", wantErr: true},
+		{"subdomain www", "www.example.com", "hostname", false},
-		{name: "empty string", input: "", wantErr: true},
+		{"subdomain api", "api.example.com", "hostname", false},
-		{name: "deeply nested hostname", input: "a.b.c.example.com", want: config.DNSNameTypeHostname},
+		{"deep subdomain", "a.b.c.example.com", "hostname", false},
-		{name: "trailing dot stripped", input: "example.com.", want: config.DNSNameTypeDomain},
+		{"subdomain .co.uk", "www.example.co.uk", "hostname", false},
-		{name: "uppercase normalized", input: "WWW.Example.COM", want: config.DNSNameTypeHostname},
+		{"trailing dot", "example.com.", "domain", false},
 		{"trailing dot sub", "www.example.com.", "hostname", false},
 		{"uppercase", "EXAMPLE.COM", "domain", false},
 		{"mixed case", "Www.Example.Com", "hostname", false},
 		{"public suffix", "co.uk", "", true},
 		{"tld only", "com", "", true},
 		{"empty", "", "", true},
 	}
-	for _, tt := range tests {
+	for _, tc := range tests {
-		t.Run(tt.name, func(t *testing.T) {
+		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
-			got, err := config.ClassifyDNSName(tt.input)
+			result, err := ClassifyTarget(tc.input)
-
+			if tc.wantErr {
-			if tt.wantErr {
+				assert.Error(t, err)
 				if err == nil {
 					t.Errorf("ClassifyDNSName(%q) expected error, got %v", tt.input, got)
 				}
 				return
 			}
-			if err != nil {
+			require.NoError(t, err)
-				t.Fatalf("ClassifyDNSName(%q) unexpected error: %v", tt.input, err)
+			assert.Equal(t, tc.expected, result)
 			}
 			if got != tt.want {
 				t.Errorf("ClassifyDNSName(%q) = %v, want %v", tt.input, got, tt.want)
 			}
 		})
 	}
 }
@@ -54,30 +53,32 @@ func TestClassifyDNSName(t *testing.T) {
 func TestClassifyTargets(t *testing.T) {
 	t.Parallel()
-	domains, hostnames, err := config.ClassifyTargets([]string{
+	targets := []string{
 		"example.com",
 		"www.example.com",
 		"api.example.com",
 		"example.co.uk",
-		"api.example.co.uk",
+		"blog.example.co.uk",
 	})
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
-	if len(domains) != 2 {
+	domains, hostnames, err := classifyTargets(targets)
-		t.Errorf("expected 2 domains, got %d: %v", len(domains), domains)
+	require.NoError(t, err)
 	assert.Equal(
 		t,
 		[]string{"example.com", "example.co.uk"},
 		domains,
 	)
 	assert.Equal(
 		t,
 		[]string{"www.example.com", "api.example.com", "blog.example.co.uk"},
 		hostnames,
 	)
 }
-	if len(hostnames) != 2 {
+func TestClassifyTargets_RejectsPublicSuffix(t *testing.T) {
 		t.Errorf("expected 2 hostnames, got %d: %v", len(hostnames), hostnames)
 	}
 }
 func TestClassifyTargetsRejectsPublicSuffix(t *testing.T) {
 	t.Parallel()
-	_, _, err := config.ClassifyTargets([]string{"co.uk"})
+	_, _, err := classifyTargets([]string{"example.com", "co.uk"})
-	if err == nil {
+	assert.Error(t, err)
 		t.Error("expected error for public suffix, got nil")
 	}
 }
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -132,11 +132,11 @@ func buildConfig(
 		tlsInterval = defaultTLSInterval
 	}
-	domains, hostnames, err := ClassifyTargets(
+	targets := parseCSV(viper.GetString("TARGETS"))
-		parseCSV(viper.GetString("TARGETS")),
+
-	)
+	domains, hostnames, classifyErr := classifyTargets(targets)
-	if err != nil {
+	if classifyErr != nil {
-		return nil, fmt.Errorf("invalid targets configuration: %w", err)
+		return nil, fmt.Errorf("classifying targets: %w", classifyErr)
 	}
 	cfg := &Config{
--- a/internal/notify/notify.go
+++ b/internal/notify/notify.go
@@ -1,5 +1,4 @@
-// Package notify provides notification delivery to Slack,
+// Package notify provides notification delivery to Slack, Mattermost, and ntfy.
 // Mattermost, and ntfy.
 package notify
 import (
@@ -8,10 +7,8 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 	"log/slog"
 	"net/http"
 	"net/url"
 	"time"
 	"go.uber.org/fx"
@@ -36,66 +33,8 @@ var (
 	ErrMattermostFailed = errors.New(
 		"mattermost notification failed",
 	)
 	// ErrInvalidScheme is returned for disallowed URL schemes.
 	ErrInvalidScheme = errors.New("URL scheme not allowed")
 	// ErrMissingHost is returned when a URL has no host.
 	ErrMissingHost = errors.New("URL must have a host")
 )
 // IsAllowedScheme checks if the URL scheme is permitted.
 func IsAllowedScheme(scheme string) bool {
 	return scheme == "https" || scheme == "http"
 }
 // ValidateWebhookURL validates and sanitizes a webhook URL.
 // It ensures the URL has an allowed scheme (http/https),
 // a non-empty host, and returns a pre-parsed *url.URL
 // reconstructed from validated components.
 func ValidateWebhookURL(raw string) (*url.URL, error) {
 	u, err := url.ParseRequestURI(raw)
 	if err != nil {
 		return nil, fmt.Errorf("invalid URL: %w", err)
 	}
 	if !IsAllowedScheme(u.Scheme) {
 		return nil, fmt.Errorf(
 			"%w: %s", ErrInvalidScheme, u.Scheme,
 		)
 	}
 	if u.Host == "" {
 		return nil, fmt.Errorf("%w", ErrMissingHost)
 	}
 	// Reconstruct from parsed components.
 	clean := &url.URL{
 		Scheme:   u.Scheme,
 		Host:     u.Host,
 		Path:     u.Path,
 		RawQuery: u.RawQuery,
 	}
 	return clean, nil
 }
 // newRequest creates an http.Request from a pre-validated *url.URL.
 // This avoids passing URL strings to http.NewRequestWithContext,
 // which gosec flags as a potential SSRF vector.
 func newRequest(
 	ctx context.Context,
 	method string,
 	target *url.URL,
 	body io.Reader,
 ) *http.Request {
 	return (&http.Request{
 		Method: method,
 		URL:    target,
 		Host:   target.Host,
 		Header: make(http.Header),
 		Body:   io.NopCloser(body),
 	}).WithContext(ctx)
 }
 // Params contains dependencies for Service.
 type Params struct {
 	fx.In
@@ -107,11 +46,8 @@ type Params struct {
 // Service provides notification functionality.
 type Service struct {
 	log    *slog.Logger
-	transport            http.RoundTripper
+	client *http.Client
 	config *config.Config
 	ntfyURL              *url.URL
 	slackWebhookURL      *url.URL
 	mattermostWebhookURL *url.URL
 }
 // New creates a new notify Service.
@@ -119,67 +55,27 @@ func New(
 	_ fx.Lifecycle,
 	params Params,
 ) (*Service, error) {
-	svc := &Service{
+	return &Service{
 		log: params.Logger.Get(),
-		transport: http.DefaultTransport,
+		client: &http.Client{
 			Timeout: httpClientTimeout,
 		},
 		config: params.Config,
 	}, nil
 }
-	if params.Config.NtfyTopic != "" {
+// SendNotification sends a notification to all configured endpoints.
 		u, err := ValidateWebhookURL(
 			params.Config.NtfyTopic,
 		)
 		if err != nil {
 			return nil, fmt.Errorf(
 				"invalid ntfy topic URL: %w", err,
 			)
 		}
 		svc.ntfyURL = u
 	}
 	if params.Config.SlackWebhook != "" {
 		u, err := ValidateWebhookURL(
 			params.Config.SlackWebhook,
 		)
 		if err != nil {
 			return nil, fmt.Errorf(
 				"invalid slack webhook URL: %w", err,
 			)
 		}
 		svc.slackWebhookURL = u
 	}
 	if params.Config.MattermostWebhook != "" {
 		u, err := ValidateWebhookURL(
 			params.Config.MattermostWebhook,
 		)
 		if err != nil {
 			return nil, fmt.Errorf(
 				"invalid mattermost webhook URL: %w", err,
 			)
 		}
 		svc.mattermostWebhookURL = u
 	}
 	return svc, nil
 }
 // SendNotification sends a notification to all configured
 // endpoints.
 func (svc *Service) SendNotification(
 	ctx context.Context,
 	title, message, priority string,
 ) {
-	if svc.ntfyURL != nil {
+	if svc.config.NtfyTopic != "" {
 		go func() {
 			notifyCtx := context.WithoutCancel(ctx)
 			err := svc.sendNtfy(
 				notifyCtx,
-				svc.ntfyURL,
+				svc.config.NtfyTopic,
 				title, message, priority,
 			)
 			if err != nil {
@@ -191,13 +87,13 @@ func (svc *Service) SendNotification(
 		}()
 	}
-	if svc.slackWebhookURL != nil {
+	if svc.config.SlackWebhook != "" {
 		go func() {
 			notifyCtx := context.WithoutCancel(ctx)
 			err := svc.sendSlack(
 				notifyCtx,
-				svc.slackWebhookURL,
+				svc.config.SlackWebhook,
 				title, message, priority,
 			)
 			if err != nil {
@@ -209,13 +105,13 @@ func (svc *Service) SendNotification(
 		}()
 	}
-	if svc.mattermostWebhookURL != nil {
+	if svc.config.MattermostWebhook != "" {
 		go func() {
 			notifyCtx := context.WithoutCancel(ctx)
 			err := svc.sendSlack(
 				notifyCtx,
-				svc.mattermostWebhookURL,
+				svc.config.MattermostWebhook,
 				title, message, priority,
 			)
 			if err != nil {
@@ -230,29 +126,28 @@ func (svc *Service) SendNotification(
 func (svc *Service) sendNtfy(
 	ctx context.Context,
-	topicURL *url.URL,
+	topic, title, message, priority string,
 	title, message, priority string,
 ) error {
 	svc.log.Debug(
 		"sending ntfy notification",
-		"topic", topicURL.String(),
+		"topic", topic,
 		"title", title,
 	)
-	ctx, cancel := context.WithTimeout(
+	request, err := http.NewRequestWithContext(
-		ctx, httpClientTimeout,
+		ctx,
-	)
+		http.MethodPost,
-	defer cancel()
+		topic,
-
+		bytes.NewBufferString(message),
 	body := bytes.NewBufferString(message)
 	request := newRequest(
 		ctx, http.MethodPost, topicURL, body,
 	)
 	if err != nil {
 		return fmt.Errorf("creating ntfy request: %w", err)
 	}
 	request.Header.Set("Title", title)
 	request.Header.Set("Priority", ntfyPriority(priority))
-	resp, err := svc.transport.RoundTrip(request)
+	resp, err := svc.client.Do(request)
 	if err != nil {
 		return fmt.Errorf("sending ntfy request: %w", err)
 	}
@@ -261,8 +156,7 @@ func (svc *Service) sendNtfy(
 	if resp.StatusCode >= httpStatusClientError {
 		return fmt.Errorf(
-			"%w: status %d",
+			"%w: status %d", ErrNtfyFailed, resp.StatusCode,
 			ErrNtfyFailed, resp.StatusCode,
 		)
 	}
@@ -299,17 +193,11 @@ type SlackAttachment struct {
 func (svc *Service) sendSlack(
 	ctx context.Context,
-	webhookURL *url.URL,
+	webhookURL, title, message, priority string,
 	title, message, priority string,
 ) error {
 	ctx, cancel := context.WithTimeout(
 		ctx, httpClientTimeout,
 	)
 	defer cancel()
 	svc.log.Debug(
 		"sending webhook notification",
-		"url", webhookURL.String(),
+		"url", webhookURL,
 		"title", title,
 	)
@@ -325,19 +213,22 @@ func (svc *Service) sendSlack(
 	body, err := json.Marshal(payload)
 	if err != nil {
-		return fmt.Errorf(
+		return fmt.Errorf("marshaling webhook payload: %w", err)
 			"marshaling webhook payload: %w", err,
 		)
 	}
-	request := newRequest(
+	request, err := http.NewRequestWithContext(
-		ctx, http.MethodPost, webhookURL,
+		ctx,
 		http.MethodPost,
 		webhookURL,
 		bytes.NewBuffer(body),
 	)
 	if err != nil {
 		return fmt.Errorf("creating webhook request: %w", err)
 	}
 	request.Header.Set("Content-Type", "application/json")
-	resp, err := svc.transport.RoundTrip(request)
+	resp, err := svc.client.Do(request)
 	if err != nil {
 		return fmt.Errorf("sending webhook request: %w", err)
 	}
--- a/internal/notify/notify_test.go
+++ b/internal/notify/notify_test.go
@@ -1,100 +0,0 @@
 package notify_test
 import (
 	"testing"
 	"sneak.berlin/go/dnswatcher/internal/notify"
 )
 func TestValidateWebhookURLValid(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
 		name    string
 		input   string
 		wantURL string
 	}{
 		{
 			name:    "valid https URL",
 			input:   "https://hooks.slack.com/T00/B00",
 			wantURL: "https://hooks.slack.com/T00/B00",
 		},
 		{
 			name:    "valid http URL",
 			input:   "http://localhost:8080/webhook",
 			wantURL: "http://localhost:8080/webhook",
 		},
 		{
 			name:    "https with query",
 			input:   "https://ntfy.sh/topic?auth=tok",
 			wantURL: "https://ntfy.sh/topic?auth=tok",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 			got, err := notify.ValidateWebhookURL(tt.input)
 			if err != nil {
 				t.Fatalf("unexpected error: %v", err)
 			}
 			if got.String() != tt.wantURL {
 				t.Errorf(
 					"got %q, want %q",
 					got.String(), tt.wantURL,
 				)
 			}
 		})
 	}
 }
 func TestValidateWebhookURLInvalid(t *testing.T) {
 	t.Parallel()
 	invalid := []struct {
 		name  string
 		input string
 	}{
 		{"ftp scheme", "ftp://example.com/file"},
 		{"file scheme", "file:///etc/passwd"},
 		{"empty string", ""},
 		{"no scheme", "example.com/webhook"},
 		{"no host", "https:///path"},
 	}
 	for _, tt := range invalid {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 			got, err := notify.ValidateWebhookURL(tt.input)
 			if err == nil {
 				t.Errorf(
 					"expected error for %q, got %v",
 					tt.input, got,
 				)
 			}
 		})
 	}
 }
 func TestIsAllowedScheme(t *testing.T) {
 	t.Parallel()
 	if !notify.IsAllowedScheme("https") {
 		t.Error("https should be allowed")
 	}
 	if !notify.IsAllowedScheme("http") {
 		t.Error("http should be allowed")
 	}
 	if notify.IsAllowedScheme("ftp") {
 		t.Error("ftp should not be allowed")
 	}
 	if notify.IsAllowedScheme("") {
 		t.Error("empty scheme should not be allowed")
 	}
 }
--- a/internal/resolver/resolver.go
+++ b/internal/resolver/resolver.go
@@ -46,11 +46,11 @@ func (r *Resolver) LookupNS(
 }
 // LookupAllRecords performs iterative resolution to find all DNS
-// records for the given hostname, keyed by authoritative nameserver.
+// records for the given hostname.
 func (r *Resolver) LookupAllRecords(
 	_ context.Context,
 	_ string,
-) (map[string]map[string][]string, error) {
+) (map[string][]string, error) {
 	return nil, ErrNotImplemented
 }
--- a/internal/state/state_test_helper.go
+++ b/internal/state/state_test_helper.go
@@ -1,22 +0,0 @@
 package state
 import (
 	"log/slog"
 	"sneak.berlin/go/dnswatcher/internal/config"
 )
 // NewForTest creates a State for unit testing with no persistence.
 func NewForTest() *State {
 	return &State{
 		log: slog.Default(),
 		snapshot: &Snapshot{
 			Version:      stateVersion,
 			Domains:      make(map[string]*DomainState),
 			Hostnames:    make(map[string]*HostnameState),
 			Ports:        make(map[string]*PortState),
 			Certificates: make(map[string]*CertificateState),
 		},
 		config: &config.Config{DataDir: ""},
 	}
 }
--- a/internal/watcher/interfaces.go
+++ b/internal/watcher/interfaces.go
@@ -1,60 +0,0 @@
 // Package watcher provides the main monitoring orchestrator.
 package watcher
 import (
 	"context"
 	"sneak.berlin/go/dnswatcher/internal/tlscheck"
 )
 // DNSResolver performs iterative DNS resolution.
 type DNSResolver interface {
 	// LookupNS discovers authoritative nameservers for a domain.
 	LookupNS(
 		ctx context.Context,
 		domain string,
 	) ([]string, error)
 	// LookupAllRecords queries all record types for a hostname,
 	// returning results keyed by nameserver then record type.
 	LookupAllRecords(
 		ctx context.Context,
 		hostname string,
 	) (map[string]map[string][]string, error)
 	// ResolveIPAddresses resolves a hostname to all IP addresses.
 	ResolveIPAddresses(
 		ctx context.Context,
 		hostname string,
 	) ([]string, error)
 }
 // PortChecker tests TCP port connectivity.
 type PortChecker interface {
 	// CheckPort tests TCP connectivity to an address and port.
 	CheckPort(
 		ctx context.Context,
 		address string,
 		port int,
 	) (bool, error)
 }
 // TLSChecker inspects TLS certificates.
 type TLSChecker interface {
 	// CheckCertificate connects via TLS and returns cert info.
 	CheckCertificate(
 		ctx context.Context,
 		ip string,
 		hostname string,
 	) (*tlscheck.CertificateInfo, error)
 }
 // Notifier delivers notifications to configured endpoints.
 type Notifier interface {
 	// SendNotification sends a notification with the given
 	// details.
 	SendNotification(
 		ctx context.Context,
 		title, message, priority string,
 	)
 }
--- a/internal/watcher/watcher.go
+++ b/internal/watcher/watcher.go
@@ -1,30 +1,21 @@
 // Package watcher provides the main monitoring orchestrator and scheduler.
 package watcher
 import (
 	"context"
 	"fmt"
 	"log/slog"
 	"sort"
 	"strings"
 	"time"
 	"go.uber.org/fx"
 	"sneak.berlin/go/dnswatcher/internal/config"
 	"sneak.berlin/go/dnswatcher/internal/logger"
 	"sneak.berlin/go/dnswatcher/internal/notify"
 	"sneak.berlin/go/dnswatcher/internal/portcheck"
 	"sneak.berlin/go/dnswatcher/internal/resolver"
 	"sneak.berlin/go/dnswatcher/internal/state"
 	"sneak.berlin/go/dnswatcher/internal/tlscheck"
 )
 // monitoredPorts are the TCP ports checked for each IP address.
 var monitoredPorts = []int{80, 443} //nolint:gochecknoglobals
 // tlsPort is the port used for TLS certificate checks.
 const tlsPort = 443
 // hoursPerDay converts days to hours for duration calculations.
 const hoursPerDay = 24
 // Params contains dependencies for Watcher.
 type Params struct {
 	fx.In
@@ -32,10 +23,10 @@ type Params struct {
 	Logger    *logger.Logger
 	Config    *config.Config
 	State     *state.State
-	Resolver  DNSResolver
+	Resolver  *resolver.Resolver
-	PortCheck PortChecker
+	PortCheck *portcheck.Checker
-	TLSCheck  TLSChecker
+	TLSCheck  *tlscheck.Checker
-	Notify    Notifier
+	Notify    *notify.Service
 }
 // Watcher orchestrates all monitoring checks on a schedule.
@@ -43,20 +34,19 @@ type Watcher struct {
 	log       *slog.Logger
 	config    *config.Config
 	state     *state.State
-	resolver  DNSResolver
+	resolver  *resolver.Resolver
-	portCheck PortChecker
+	portCheck *portcheck.Checker
-	tlsCheck  TLSChecker
+	tlsCheck  *tlscheck.Checker
-	notify    Notifier
+	notify    *notify.Service
 	cancel    context.CancelFunc
 	firstRun  bool
 }
-// New creates a new Watcher instance wired into the fx lifecycle.
+// New creates a new Watcher instance.
 func New(
 	lifecycle fx.Lifecycle,
 	params Params,
 ) (*Watcher, error) {
-	w := &Watcher{
+	watcher := &Watcher{
 		log:       params.Logger.Get(),
 		config:    params.Config,
 		state:     params.State,
@@ -64,54 +54,30 @@ func New(
 		portCheck: params.PortCheck,
 		tlsCheck:  params.TLSCheck,
 		notify:    params.Notify,
 		firstRun:  true,
 	}
 	lifecycle.Append(fx.Hook{
 		OnStart: func(startCtx context.Context) error {
-			ctx, cancel := context.WithCancel(
+			ctx, cancel := context.WithCancel(startCtx)
-				context.WithoutCancel(startCtx),
+			watcher.cancel = cancel
 			)
 			w.cancel = cancel
-			go w.Run(ctx)
+			go watcher.Run(ctx)
 			return nil
 		},
 		OnStop: func(_ context.Context) error {
-			if w.cancel != nil {
+			if watcher.cancel != nil {
-				w.cancel()
+				watcher.cancel()
 			}
 			return nil
 		},
 	})
-	return w, nil
+	return watcher, nil
 }
-// NewForTest creates a Watcher without fx for unit testing.
+// Run starts the monitoring loop.
 func NewForTest(
 	cfg *config.Config,
 	st *state.State,
 	res DNSResolver,
 	pc PortChecker,
 	tc TLSChecker,
 	n Notifier,
 ) *Watcher {
 	return &Watcher{
 		log:       slog.Default(),
 		config:    cfg,
 		state:     st,
 		resolver:  res,
 		portCheck: pc,
 		tlsCheck:  tc,
 		notify:    n,
 		firstRun:  true,
 	}
 }
 // Run starts the monitoring loop with periodic scheduling.
 func (w *Watcher) Run(ctx context.Context) {
 	w.log.Info(
 		"watcher starting",
@@ -121,646 +87,8 @@ func (w *Watcher) Run(ctx context.Context) {
 		"tlsInterval", w.config.TLSInterval,
 	)
-	w.RunOnce(ctx)
+	// Stub: wait for context cancellation.
-
+	// Implementation will add initial check + periodic scheduling.
-	dnsTicker := time.NewTicker(w.config.DNSInterval)
+	<-ctx.Done()
 	tlsTicker := time.NewTicker(w.config.TLSInterval)
 	defer dnsTicker.Stop()
 	defer tlsTicker.Stop()
 	for {
 		select {
 		case <-ctx.Done():
 	w.log.Info("watcher stopped")
 			return
 		case <-dnsTicker.C:
 			w.runDNSAndPortChecks(ctx)
 			w.saveState()
 		case <-tlsTicker.C:
 			w.runTLSChecks(ctx)
 			w.saveState()
 		}
 	}
 }
 // RunOnce performs a single complete monitoring cycle.
 func (w *Watcher) RunOnce(ctx context.Context) {
 	w.detectFirstRun()
 	w.runDNSAndPortChecks(ctx)
 	w.runTLSChecks(ctx)
 	w.saveState()
 	w.firstRun = false
 }
 func (w *Watcher) detectFirstRun() {
 	snap := w.state.GetSnapshot()
 	hasState := len(snap.Domains) > 0 ||
 		len(snap.Hostnames) > 0 ||
 		len(snap.Ports) > 0 ||
 		len(snap.Certificates) > 0
 	if hasState {
 		w.firstRun = false
 	}
 }
 func (w *Watcher) runDNSAndPortChecks(ctx context.Context) {
 	for _, domain := range w.config.Domains {
 		w.checkDomain(ctx, domain)
 	}
 	for _, hostname := range w.config.Hostnames {
 		w.checkHostname(ctx, hostname)
 	}
 	w.checkAllPorts(ctx)
 }
 func (w *Watcher) checkDomain(
 	ctx context.Context,
 	domain string,
 ) {
 	nameservers, err := w.resolver.LookupNS(ctx, domain)
 	if err != nil {
 		w.log.Error(
 			"failed to lookup NS",
 			"domain", domain,
 			"error", err,
 		)
 		return
 	}
 	sort.Strings(nameservers)
 	now := time.Now().UTC()
 	prev, hasPrev := w.state.GetDomainState(domain)
 	if hasPrev && !w.firstRun {
 		w.detectNSChanges(ctx, domain, prev.Nameservers, nameservers)
 	}
 	w.state.SetDomainState(domain, &state.DomainState{
 		Nameservers: nameservers,
 		LastChecked: now,
 	})
 }
 func (w *Watcher) detectNSChanges(
 	ctx context.Context,
 	domain string,
 	oldNS, newNS []string,
 ) {
 	oldSet := toSet(oldNS)
 	newSet := toSet(newNS)
 	var added, removed []string
 	for ns := range newSet {
 		if !oldSet[ns] {
 			added = append(added, ns)
 		}
 	}
 	for ns := range oldSet {
 		if !newSet[ns] {
 			removed = append(removed, ns)
 		}
 	}
 	if len(added) == 0 && len(removed) == 0 {
 		return
 	}
 	msg := fmt.Sprintf(
 		"Domain: %s\nAdded: %s\nRemoved: %s",
 		domain,
 		strings.Join(added, ", "),
 		strings.Join(removed, ", "),
 	)
 	w.notify.SendNotification(
 		ctx,
 		"NS Change: "+domain,
 		msg,
 		"warning",
 	)
 }
 func (w *Watcher) checkHostname(
 	ctx context.Context,
 	hostname string,
 ) {
 	records, err := w.resolver.LookupAllRecords(ctx, hostname)
 	if err != nil {
 		w.log.Error(
 			"failed to lookup records",
 			"hostname", hostname,
 			"error", err,
 		)
 		return
 	}
 	now := time.Now().UTC()
 	prev, hasPrev := w.state.GetHostnameState(hostname)
 	if hasPrev && !w.firstRun {
 		w.detectHostnameChanges(ctx, hostname, prev, records)
 	}
 	newState := buildHostnameState(records, now)
 	w.state.SetHostnameState(hostname, newState)
 }
 func buildHostnameState(
 	records map[string]map[string][]string,
 	now time.Time,
 ) *state.HostnameState {
 	hs := &state.HostnameState{
 		RecordsByNameserver: make(
 			map[string]*state.NameserverRecordState,
 		),
 		LastChecked: now,
 	}
 	for ns, recs := range records {
 		hs.RecordsByNameserver[ns] = &state.NameserverRecordState{
 			Records:     recs,
 			Status:      "ok",
 			LastChecked: now,
 		}
 	}
 	return hs
 }
 func (w *Watcher) detectHostnameChanges(
 	ctx context.Context,
 	hostname string,
 	prev *state.HostnameState,
 	current map[string]map[string][]string,
 ) {
 	w.detectRecordChanges(ctx, hostname, prev, current)
 	w.detectNSDisappearances(ctx, hostname, prev, current)
 	w.detectInconsistencies(ctx, hostname, current)
 }
 func (w *Watcher) detectRecordChanges(
 	ctx context.Context,
 	hostname string,
 	prev *state.HostnameState,
 	current map[string]map[string][]string,
 ) {
 	for ns, recs := range current {
 		prevNS, ok := prev.RecordsByNameserver[ns]
 		if !ok {
 			continue
 		}
 		if recordsEqual(prevNS.Records, recs) {
 			continue
 		}
 		msg := fmt.Sprintf(
 			"Hostname: %s\nNameserver: %s\n"+
 				"Old: %v\nNew: %v",
 			hostname, ns,
 			prevNS.Records, recs,
 		)
 		w.notify.SendNotification(
 			ctx,
 			"Record Change: "+hostname,
 			msg,
 			"warning",
 		)
 	}
 }
 func (w *Watcher) detectNSDisappearances(
 	ctx context.Context,
 	hostname string,
 	prev *state.HostnameState,
 	current map[string]map[string][]string,
 ) {
 	for ns, prevNS := range prev.RecordsByNameserver {
 		if _, ok := current[ns]; ok || prevNS.Status != "ok" {
 			continue
 		}
 		msg := fmt.Sprintf(
 			"Hostname: %s\nNameserver: %s disappeared",
 			hostname, ns,
 		)
 		w.notify.SendNotification(
 			ctx,
 			"NS Failure: "+hostname,
 			msg,
 			"error",
 		)
 	}
 	for ns := range current {
 		prevNS, ok := prev.RecordsByNameserver[ns]
 		if !ok || prevNS.Status != "error" {
 			continue
 		}
 		msg := fmt.Sprintf(
 			"Hostname: %s\nNameserver: %s recovered",
 			hostname, ns,
 		)
 		w.notify.SendNotification(
 			ctx,
 			"NS Recovery: "+hostname,
 			msg,
 			"success",
 		)
 	}
 }
 func (w *Watcher) detectInconsistencies(
 	ctx context.Context,
 	hostname string,
 	current map[string]map[string][]string,
 ) {
 	nameservers := make([]string, 0, len(current))
 	for ns := range current {
 		nameservers = append(nameservers, ns)
 	}
 	sort.Strings(nameservers)
 	for i := range len(nameservers) - 1 {
 		ns1 := nameservers[i]
 		ns2 := nameservers[i+1]
 		if recordsEqual(current[ns1], current[ns2]) {
 			continue
 		}
 		msg := fmt.Sprintf(
 			"Hostname: %s\n%s: %v\n%s: %v",
 			hostname,
 			ns1, current[ns1],
 			ns2, current[ns2],
 		)
 		w.notify.SendNotification(
 			ctx,
 			"Inconsistency: "+hostname,
 			msg,
 			"warning",
 		)
 	}
 }
 func (w *Watcher) checkAllPorts(ctx context.Context) {
 	for _, hostname := range w.config.Hostnames {
 		w.checkPortsForHostname(ctx, hostname)
 	}
 	for _, domain := range w.config.Domains {
 		w.checkPortsForHostname(ctx, domain)
 	}
 }
 func (w *Watcher) checkPortsForHostname(
 	ctx context.Context,
 	hostname string,
 ) {
 	ips := w.collectIPs(hostname)
 	for _, ip := range ips {
 		for _, port := range monitoredPorts {
 			w.checkSinglePort(ctx, ip, port, hostname)
 		}
 	}
 }
 func (w *Watcher) collectIPs(hostname string) []string {
 	hs, ok := w.state.GetHostnameState(hostname)
 	if !ok {
 		return nil
 	}
 	ipSet := make(map[string]bool)
 	for _, nsState := range hs.RecordsByNameserver {
 		for _, ip := range nsState.Records["A"] {
 			ipSet[ip] = true
 		}
 		for _, ip := range nsState.Records["AAAA"] {
 			ipSet[ip] = true
 		}
 	}
 	result := make([]string, 0, len(ipSet))
 	for ip := range ipSet {
 		result = append(result, ip)
 	}
 	sort.Strings(result)
 	return result
 }
 func (w *Watcher) checkSinglePort(
 	ctx context.Context,
 	ip string,
 	port int,
 	hostname string,
 ) {
 	open, err := w.portCheck.CheckPort(ctx, ip, port)
 	if err != nil {
 		w.log.Error(
 			"port check failed",
 			"ip", ip,
 			"port", port,
 			"error", err,
 		)
 		return
 	}
 	key := fmt.Sprintf("%s:%d", ip, port)
 	now := time.Now().UTC()
 	prev, hasPrev := w.state.GetPortState(key)
 	if hasPrev && !w.firstRun && prev.Open != open {
 		stateStr := "closed"
 		if open {
 			stateStr = "open"
 		}
 		msg := fmt.Sprintf(
 			"Host: %s\nAddress: %s\nPort now %s",
 			hostname, key, stateStr,
 		)
 		w.notify.SendNotification(
 			ctx,
 			"Port Change: "+key,
 			msg,
 			"warning",
 		)
 	}
 	w.state.SetPortState(key, &state.PortState{
 		Open:        open,
 		Hostname:    hostname,
 		LastChecked: now,
 	})
 }
 func (w *Watcher) runTLSChecks(ctx context.Context) {
 	for _, hostname := range w.config.Hostnames {
 		w.checkTLSForHostname(ctx, hostname)
 	}
 	for _, domain := range w.config.Domains {
 		w.checkTLSForHostname(ctx, domain)
 	}
 }
 func (w *Watcher) checkTLSForHostname(
 	ctx context.Context,
 	hostname string,
 ) {
 	ips := w.collectIPs(hostname)
 	for _, ip := range ips {
 		portKey := fmt.Sprintf("%s:%d", ip, tlsPort)
 		ps, ok := w.state.GetPortState(portKey)
 		if !ok || !ps.Open {
 			continue
 		}
 		w.checkTLSCert(ctx, ip, hostname)
 	}
 }
 func (w *Watcher) checkTLSCert(
 	ctx context.Context,
 	ip string,
 	hostname string,
 ) {
 	cert, err := w.tlsCheck.CheckCertificate(ctx, ip, hostname)
 	certKey := fmt.Sprintf("%s:%d:%s", ip, tlsPort, hostname)
 	now := time.Now().UTC()
 	prev, hasPrev := w.state.GetCertificateState(certKey)
 	if err != nil {
 		w.handleTLSError(
 			ctx, certKey, hostname, ip,
 			hasPrev, prev, now, err,
 		)
 		return
 	}
 	w.handleTLSSuccess(
 		ctx, certKey, hostname, ip,
 		hasPrev, prev, now, cert,
 	)
 }
 func (w *Watcher) handleTLSError(
 	ctx context.Context,
 	certKey, hostname, ip string,
 	hasPrev bool,
 	prev *state.CertificateState,
 	now time.Time,
 	err error,
 ) {
 	if hasPrev && !w.firstRun && prev.Status == "ok" {
 		msg := fmt.Sprintf(
 			"Host: %s\nIP: %s\nError: %s",
 			hostname, ip, err,
 		)
 		w.notify.SendNotification(
 			ctx,
 			"TLS Failure: "+hostname,
 			msg,
 			"error",
 		)
 	}
 	w.state.SetCertificateState(
 		certKey, &state.CertificateState{
 			Status:      "error",
 			Error:       err.Error(),
 			LastChecked: now,
 		},
 	)
 }
 func (w *Watcher) handleTLSSuccess(
 	ctx context.Context,
 	certKey, hostname, ip string,
 	hasPrev bool,
 	prev *state.CertificateState,
 	now time.Time,
 	cert *tlscheck.CertificateInfo,
 ) {
 	if hasPrev && !w.firstRun {
 		w.detectTLSChanges(ctx, hostname, ip, prev, cert)
 	}
 	w.checkTLSExpiry(ctx, hostname, ip, cert)
 	w.state.SetCertificateState(
 		certKey, &state.CertificateState{
 			CommonName:              cert.CommonName,
 			Issuer:                  cert.Issuer,
 			NotAfter:                cert.NotAfter,
 			SubjectAlternativeNames: cert.SubjectAlternativeNames,
 			Status:                  "ok",
 			LastChecked:             now,
 		},
 	)
 }
 func (w *Watcher) detectTLSChanges(
 	ctx context.Context,
 	hostname, ip string,
 	prev *state.CertificateState,
 	cert *tlscheck.CertificateInfo,
 ) {
 	if prev.Status == "error" {
 		msg := fmt.Sprintf(
 			"Host: %s\nIP: %s\nTLS recovered",
 			hostname, ip,
 		)
 		w.notify.SendNotification(
 			ctx,
 			"TLS Recovery: "+hostname,
 			msg,
 			"success",
 		)
 		return
 	}
 	changed := prev.CommonName != cert.CommonName ||
 		prev.Issuer != cert.Issuer ||
 		!sliceEqual(
 			prev.SubjectAlternativeNames,
 			cert.SubjectAlternativeNames,
 		)
 	if !changed {
 		return
 	}
 	msg := fmt.Sprintf(
 		"Host: %s\nIP: %s\n"+
 			"Old CN: %s, Issuer: %s\n"+
 			"New CN: %s, Issuer: %s",
 		hostname, ip,
 		prev.CommonName, prev.Issuer,
 		cert.CommonName, cert.Issuer,
 	)
 	w.notify.SendNotification(
 		ctx,
 		"TLS Certificate Change: "+hostname,
 		msg,
 		"warning",
 	)
 }
 func (w *Watcher) checkTLSExpiry(
 	ctx context.Context,
 	hostname, ip string,
 	cert *tlscheck.CertificateInfo,
 ) {
 	daysLeft := time.Until(cert.NotAfter).Hours() / hoursPerDay
 	warningDays := float64(w.config.TLSExpiryWarning)
 	if daysLeft > warningDays {
 		return
 	}
 	msg := fmt.Sprintf(
 		"Host: %s\nIP: %s\nCN: %s\n"+
 			"Expires: %s (%.0f days)",
 		hostname, ip, cert.CommonName,
 		cert.NotAfter.Format(time.RFC3339),
 		daysLeft,
 	)
 	w.notify.SendNotification(
 		ctx,
 		"TLS Expiry Warning: "+hostname,
 		msg,
 		"warning",
 	)
 }
 func (w *Watcher) saveState() {
 	err := w.state.Save()
 	if err != nil {
 		w.log.Error("failed to save state", "error", err)
 	}
 }
 // --- Utility functions ---
 func toSet(items []string) map[string]bool {
 	set := make(map[string]bool, len(items))
 	for _, item := range items {
 		set[item] = true
 	}
 	return set
 }
 func recordsEqual(
 	a, b map[string][]string,
 ) bool {
 	if len(a) != len(b) {
 		return false
 	}
 	for k, av := range a {
 		bv, ok := b[k]
 		if !ok || !sliceEqual(av, bv) {
 			return false
 		}
 	}
 	return true
 }
 func sliceEqual(a, b []string) bool {
 	if len(a) != len(b) {
 		return false
 	}
 	aSorted := make([]string, len(a))
 	bSorted := make([]string, len(b))
 	copy(aSorted, a)
 	copy(bSorted, b)
 	sort.Strings(aSorted)
 	sort.Strings(bSorted)
 	for i := range aSorted {
 		if aSorted[i] != bSorted[i] {
 			return false
 		}
 	}
 	return true
 }
--- a/internal/watcher/watcher_test.go
+++ b/internal/watcher/watcher_test.go
@@ -1,580 +0,0 @@
 package watcher_test
 import (
 	"context"
 	"errors"
 	"fmt"
 	"sync"
 	"testing"
 	"time"
 	"sneak.berlin/go/dnswatcher/internal/config"
 	"sneak.berlin/go/dnswatcher/internal/state"
 	"sneak.berlin/go/dnswatcher/internal/tlscheck"
 	"sneak.berlin/go/dnswatcher/internal/watcher"
 )
 // errNotFound is returned when mock data is missing.
 var errNotFound = errors.New("not found")
 // --- Mock implementations ---
 type mockResolver struct {
 	mu             sync.Mutex
 	nsRecords      map[string][]string
 	allRecords     map[string]map[string]map[string][]string
 	ipAddresses    map[string][]string
 	lookupNSErr    error
 	allRecordsErr  error
 	resolveIPErr   error
 	lookupNSCalls  int
 	allRecordCalls int
 }
 func (m *mockResolver) LookupNS(
 	_ context.Context,
 	domain string,
 ) ([]string, error) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	m.lookupNSCalls++
 	if m.lookupNSErr != nil {
 		return nil, m.lookupNSErr
 	}
 	ns, ok := m.nsRecords[domain]
 	if !ok {
 		return nil, fmt.Errorf(
 			"%w: NS for %s", errNotFound, domain,
 		)
 	}
 	return ns, nil
 }
 func (m *mockResolver) LookupAllRecords(
 	_ context.Context,
 	hostname string,
 ) (map[string]map[string][]string, error) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	m.allRecordCalls++
 	if m.allRecordsErr != nil {
 		return nil, m.allRecordsErr
 	}
 	recs, ok := m.allRecords[hostname]
 	if !ok {
 		return nil, fmt.Errorf(
 			"%w: records for %s", errNotFound, hostname,
 		)
 	}
 	return recs, nil
 }
 func (m *mockResolver) ResolveIPAddresses(
 	_ context.Context,
 	hostname string,
 ) ([]string, error) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	if m.resolveIPErr != nil {
 		return nil, m.resolveIPErr
 	}
 	ips, ok := m.ipAddresses[hostname]
 	if !ok {
 		return nil, fmt.Errorf(
 			"%w: IPs for %s", errNotFound, hostname,
 		)
 	}
 	return ips, nil
 }
 type mockPortChecker struct {
 	mu      sync.Mutex
 	results map[string]bool
 	err     error
 	calls   int
 }
 func (m *mockPortChecker) CheckPort(
 	_ context.Context,
 	address string,
 	port int,
 ) (bool, error) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	m.calls++
 	if m.err != nil {
 		return false, m.err
 	}
 	key := fmt.Sprintf("%s:%d", address, port)
 	open, ok := m.results[key]
 	if !ok {
 		return false, nil
 	}
 	return open, nil
 }
 type mockTLSChecker struct {
 	mu    sync.Mutex
 	certs map[string]*tlscheck.CertificateInfo
 	err   error
 	calls int
 }
 func (m *mockTLSChecker) CheckCertificate(
 	_ context.Context,
 	ip string,
 	hostname string,
 ) (*tlscheck.CertificateInfo, error) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	m.calls++
 	if m.err != nil {
 		return nil, m.err
 	}
 	key := fmt.Sprintf("%s:%s", ip, hostname)
 	cert, ok := m.certs[key]
 	if !ok {
 		return nil, fmt.Errorf(
 			"%w: cert for %s", errNotFound, key,
 		)
 	}
 	return cert, nil
 }
 type notification struct {
 	Title    string
 	Message  string
 	Priority string
 }
 type mockNotifier struct {
 	mu            sync.Mutex
 	notifications []notification
 }
 func (m *mockNotifier) SendNotification(
 	_ context.Context,
 	title, message, priority string,
 ) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	m.notifications = append(m.notifications, notification{
 		Title:    title,
 		Message:  message,
 		Priority: priority,
 	})
 }
 func (m *mockNotifier) getNotifications() []notification {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	result := make([]notification, len(m.notifications))
 	copy(result, m.notifications)
 	return result
 }
 // --- Helper to build a Watcher for testing ---
 type testDeps struct {
 	resolver    *mockResolver
 	portChecker *mockPortChecker
 	tlsChecker  *mockTLSChecker
 	notifier    *mockNotifier
 	state       *state.State
 	config      *config.Config
 }
 func newTestWatcher(
 	t *testing.T,
 	cfg *config.Config,
 ) (*watcher.Watcher, *testDeps) {
 	t.Helper()
 	deps := &testDeps{
 		resolver: &mockResolver{
 			nsRecords:   make(map[string][]string),
 			allRecords:  make(map[string]map[string]map[string][]string),
 			ipAddresses: make(map[string][]string),
 		},
 		portChecker: &mockPortChecker{
 			results: make(map[string]bool),
 		},
 		tlsChecker: &mockTLSChecker{
 			certs: make(map[string]*tlscheck.CertificateInfo),
 		},
 		notifier: &mockNotifier{},
 		config:   cfg,
 	}
 	deps.state = state.NewForTest()
 	w := watcher.NewForTest(
 		deps.config,
 		deps.state,
 		deps.resolver,
 		deps.portChecker,
 		deps.tlsChecker,
 		deps.notifier,
 	)
 	return w, deps
 }
 func defaultTestConfig(t *testing.T) *config.Config {
 	t.Helper()
 	return &config.Config{
 		DNSInterval:      time.Hour,
 		TLSInterval:      12 * time.Hour,
 		TLSExpiryWarning: 7,
 		DataDir:          t.TempDir(),
 	}
 }
 func TestFirstRunBaseline(t *testing.T) {
 	t.Parallel()
 	cfg := defaultTestConfig(t)
 	cfg.Domains = []string{"example.com"}
 	cfg.Hostnames = []string{"www.example.com"}
 	w, deps := newTestWatcher(t, cfg)
 	setupBaselineMocks(deps)
 	w.RunOnce(t.Context())
 	assertNoNotifications(t, deps)
 	assertStatePopulated(t, deps)
 }
 func setupBaselineMocks(deps *testDeps) {
 	deps.resolver.nsRecords["example.com"] = []string{
 		"ns1.example.com.",
 		"ns2.example.com.",
 	}
 	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
 		"ns1.example.com.": {"A": {"93.184.216.34"}},
 		"ns2.example.com.": {"A": {"93.184.216.34"}},
 	}
 	deps.resolver.ipAddresses["www.example.com"] = []string{
 		"93.184.216.34",
 	}
 	deps.portChecker.results["93.184.216.34:80"] = true
 	deps.portChecker.results["93.184.216.34:443"] = true
 	deps.tlsChecker.certs["93.184.216.34:www.example.com"] = &tlscheck.CertificateInfo{
 		CommonName: "www.example.com",
 		Issuer:     "DigiCert",
 		NotAfter:   time.Now().Add(90 * 24 * time.Hour),
 		SubjectAlternativeNames: []string{
 			"www.example.com",
 		},
 	}
 }
 func assertNoNotifications(
 	t *testing.T,
 	deps *testDeps,
 ) {
 	t.Helper()
 	notifications := deps.notifier.getNotifications()
 	if len(notifications) != 0 {
 		t.Errorf(
 			"expected 0 notifications on first run, got %d",
 			len(notifications),
 		)
 	}
 }
 func assertStatePopulated(
 	t *testing.T,
 	deps *testDeps,
 ) {
 	t.Helper()
 	snap := deps.state.GetSnapshot()
 	if len(snap.Domains) != 1 {
 		t.Errorf(
 			"expected 1 domain in state, got %d",
 			len(snap.Domains),
 		)
 	}
 	if len(snap.Hostnames) != 1 {
 		t.Errorf(
 			"expected 1 hostname in state, got %d",
 			len(snap.Hostnames),
 		)
 	}
 }
 func TestNSChangeDetection(t *testing.T) {
 	t.Parallel()
 	cfg := defaultTestConfig(t)
 	cfg.Domains = []string{"example.com"}
 	w, deps := newTestWatcher(t, cfg)
 	deps.resolver.nsRecords["example.com"] = []string{
 		"ns1.example.com.",
 		"ns2.example.com.",
 	}
 	ctx := t.Context()
 	w.RunOnce(ctx)
 	deps.resolver.mu.Lock()
 	deps.resolver.nsRecords["example.com"] = []string{
 		"ns1.example.com.",
 		"ns3.example.com.",
 	}
 	deps.resolver.mu.Unlock()
 	w.RunOnce(ctx)
 	notifications := deps.notifier.getNotifications()
 	if len(notifications) == 0 {
 		t.Error("expected notification for NS change")
 	}
 	found := false
 	for _, n := range notifications {
 		if n.Priority == "warning" {
 			found = true
 		}
 	}
 	if !found {
 		t.Error("expected warning-priority NS change notification")
 	}
 }
 func TestRecordChangeDetection(t *testing.T) {
 	t.Parallel()
 	cfg := defaultTestConfig(t)
 	cfg.Hostnames = []string{"www.example.com"}
 	w, deps := newTestWatcher(t, cfg)
 	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
 		"ns1.example.com.": {"A": {"93.184.216.34"}},
 	}
 	deps.resolver.ipAddresses["www.example.com"] = []string{
 		"93.184.216.34",
 	}
 	deps.portChecker.results["93.184.216.34:80"] = false
 	deps.portChecker.results["93.184.216.34:443"] = false
 	ctx := t.Context()
 	w.RunOnce(ctx)
 	deps.resolver.mu.Lock()
 	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
 		"ns1.example.com.": {"A": {"93.184.216.35"}},
 	}
 	deps.resolver.ipAddresses["www.example.com"] = []string{
 		"93.184.216.35",
 	}
 	deps.resolver.mu.Unlock()
 	deps.portChecker.mu.Lock()
 	deps.portChecker.results["93.184.216.35:80"] = false
 	deps.portChecker.results["93.184.216.35:443"] = false
 	deps.portChecker.mu.Unlock()
 	w.RunOnce(ctx)
 	notifications := deps.notifier.getNotifications()
 	if len(notifications) == 0 {
 		t.Error("expected notification for record change")
 	}
 }
 func TestPortStateChange(t *testing.T) {
 	t.Parallel()
 	cfg := defaultTestConfig(t)
 	cfg.Hostnames = []string{"www.example.com"}
 	w, deps := newTestWatcher(t, cfg)
 	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
 		"ns1.example.com.": {"A": {"1.2.3.4"}},
 	}
 	deps.resolver.ipAddresses["www.example.com"] = []string{
 		"1.2.3.4",
 	}
 	deps.portChecker.results["1.2.3.4:80"] = true
 	deps.portChecker.results["1.2.3.4:443"] = true
 	deps.tlsChecker.certs["1.2.3.4:www.example.com"] = &tlscheck.CertificateInfo{
 		CommonName: "www.example.com",
 		Issuer:     "DigiCert",
 		NotAfter:   time.Now().Add(90 * 24 * time.Hour),
 		SubjectAlternativeNames: []string{
 			"www.example.com",
 		},
 	}
 	ctx := t.Context()
 	w.RunOnce(ctx)
 	deps.portChecker.mu.Lock()
 	deps.portChecker.results["1.2.3.4:443"] = false
 	deps.portChecker.mu.Unlock()
 	w.RunOnce(ctx)
 	notifications := deps.notifier.getNotifications()
 	if len(notifications) == 0 {
 		t.Error("expected notification for port state change")
 	}
 }
 func TestTLSExpiryWarning(t *testing.T) {
 	t.Parallel()
 	cfg := defaultTestConfig(t)
 	cfg.Hostnames = []string{"www.example.com"}
 	w, deps := newTestWatcher(t, cfg)
 	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
 		"ns1.example.com.": {"A": {"1.2.3.4"}},
 	}
 	deps.resolver.ipAddresses["www.example.com"] = []string{
 		"1.2.3.4",
 	}
 	deps.portChecker.results["1.2.3.4:80"] = true
 	deps.portChecker.results["1.2.3.4:443"] = true
 	deps.tlsChecker.certs["1.2.3.4:www.example.com"] = &tlscheck.CertificateInfo{
 		CommonName: "www.example.com",
 		Issuer:     "DigiCert",
 		NotAfter:   time.Now().Add(3 * 24 * time.Hour),
 		SubjectAlternativeNames: []string{
 			"www.example.com",
 		},
 	}
 	ctx := t.Context()
 	// First run = baseline
 	w.RunOnce(ctx)
 	// Second run should warn about expiry
 	w.RunOnce(ctx)
 	notifications := deps.notifier.getNotifications()
 	found := false
 	for _, n := range notifications {
 		if n.Priority == "warning" {
 			found = true
 		}
 	}
 	if !found {
 		t.Errorf(
 			"expected expiry warning, got: %v",
 			notifications,
 		)
 	}
 }
 func TestGracefulShutdown(t *testing.T) {
 	t.Parallel()
 	cfg := defaultTestConfig(t)
 	cfg.Domains = []string{"example.com"}
 	cfg.DNSInterval = 100 * time.Millisecond
 	cfg.TLSInterval = 100 * time.Millisecond
 	w, deps := newTestWatcher(t, cfg)
 	deps.resolver.nsRecords["example.com"] = []string{
 		"ns1.example.com.",
 	}
 	ctx, cancel := context.WithCancel(t.Context())
 	done := make(chan struct{})
 	go func() {
 		w.Run(ctx)
 		close(done)
 	}()
 	time.Sleep(250 * time.Millisecond)
 	cancel()
 	select {
 	case <-done:
 		// Shut down cleanly
 	case <-time.After(5 * time.Second):
 		t.Error("watcher did not shut down within timeout")
 	}
 }
 func TestNSFailureAndRecovery(t *testing.T) {
 	t.Parallel()
 	cfg := defaultTestConfig(t)
 	cfg.Hostnames = []string{"www.example.com"}
 	w, deps := newTestWatcher(t, cfg)
 	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
 		"ns1.example.com.": {"A": {"1.2.3.4"}},
 		"ns2.example.com.": {"A": {"1.2.3.4"}},
 	}
 	deps.resolver.ipAddresses["www.example.com"] = []string{
 		"1.2.3.4",
 	}
 	deps.portChecker.results["1.2.3.4:80"] = false
 	deps.portChecker.results["1.2.3.4:443"] = false
 	ctx := t.Context()
 	w.RunOnce(ctx)
 	deps.resolver.mu.Lock()
 	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
 		"ns1.example.com.": {"A": {"1.2.3.4"}},
 	}
 	deps.resolver.mu.Unlock()
 	w.RunOnce(ctx)
 	notifications := deps.notifier.getNotifications()
 	if len(notifications) == 0 {
 		t.Error("expected notification for NS disappearance")
 	}
 }
Author	SHA1	Message	Date
clawbot	628bba22fe	docs: update README for TARGETS config and add pre-1.0 notice	2026-02-19 20:09:07 -08:00
clawbot	acae697aa2	feat: replace DOMAINS/HOSTNAMES with single TARGETS config Single DNSWATCHER_TARGETS env var replaces the separate DOMAINS and HOSTNAMES variables. Classification is automatic via the PSL. Closes #10	2026-02-19 20:09:07 -08:00
clawbot	1db3056594	feat: add PSL-based target classification Classify DNS names as apex domains or hostnames using the Public Suffix List (golang.org/x/net/publicsuffix). Correctly handles multi-level TLDs like .co.uk and .com.au.	2026-02-19 20:09:07 -08:00