21 changed files with 113 additions and 3873 deletions
--- a/.gitea/workflows/check.yml
+++ b/.gitea/workflows/check.yml
@ -1,26 +0,0 @@
-name: Check
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-
-jobs:
-  check:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-
-      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
-        with:
-          go-version-file: go.mod
-
-      - name: Install golangci-lint
-        run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@5d1e709b7be35cb2025444e19de266b056b7b7ee # v2.10.1
-
-      - name: Install goimports
-        run: go install golang.org/x/tools/cmd/goimports@009367f5c17a8d4c45a961a3a509277190a9a6f0 # v0.42.0
-
-      - name: Run make check
-        run: make check
--- a/README.md
+++ b/README.md
@ -376,13 +376,6 @@ docker run -d \

 ---

-## Planned Future Features (Post-1.0)
-
- **DNSSEC validation**: Validate the DNSSEC chain of trust during
-  iterative resolution and report DNSSEC failures as notifications.
-
---
-
 ## Project Structure

 Follows the conventions defined in `CONVENTIONS.md`, adapted from the
--- a/cmd/dnswatcher/main.go
+++ b/cmd/dnswatcher/main.go
@ -51,20 +51,6 @@ func main() {
 			handlers.New,
 			server.New,
 		),
-		fx.Provide(
-			func(r *resolver.Resolver) watcher.DNSResolver {
-				return r
-			},
-			func(p *portcheck.Checker) watcher.PortChecker {
-				return p
-			},
-			func(t *tlscheck.Checker) watcher.TLSChecker {
-				return t
-			},
-			func(n *notify.Service) watcher.Notifier {
-				return n
-			},
-		),
 		fx.Invoke(func(*server.Server, *watcher.Watcher) {}),
 	).Run()
 }
--- a/go.mod
+++ b/go.mod
@ -7,24 +7,19 @@ require (
 	github.com/go-chi/chi/v5 v5.2.5
 	github.com/go-chi/cors v1.2.2
 	github.com/joho/godotenv v1.5.1
-	github.com/miekg/dns v1.1.72
 	github.com/prometheus/client_golang v1.23.2
 	github.com/spf13/viper v1.21.0
-	github.com/stretchr/testify v1.11.1
 	go.uber.org/fx v1.24.0
 	golang.org/x/net v0.50.0
-	golang.org/x/sync v0.19.0
 )

 require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
 	github.com/prometheus/common v0.66.1 // indirect
 	github.com/prometheus/procfs v0.16.1 // indirect
@ -39,11 +34,7 @@ require (
 	go.uber.org/zap v1.26.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/mod v0.32.0 // indirect
-	golang.org/x/sync v0.19.0 // indirect
 	golang.org/x/sys v0.41.0 // indirect
 	golang.org/x/text v0.34.0 // indirect
-	golang.org/x/tools v0.41.0 // indirect
 	google.golang.org/protobuf v1.36.8 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -28,8 +28,6 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
-github.com/miekg/dns v1.1.72 h1:vhmr+TF2A3tuoGNkLDFK9zi36F2LS+hKTRW0Uf8kbzI=
-github.com/miekg/dns v1.1.72/go.mod h1:+EuEPhdHOsfk6Wk5TT2CzssZdqkmFhf8r+aVyDEToIs=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
@ -76,18 +74,12 @@ go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
 go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
-golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
 golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
 golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
 golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
 golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
-golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
-golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
 google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
 google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
--- a/internal/notify/notify.go
+++ b/internal/notify/notify.go
@ -1,5 +1,4 @@
-// Package notify provides notification delivery to Slack,
-// Mattermost, and ntfy.
+// Package notify provides notification delivery to Slack, Mattermost, and ntfy.
 package notify

 import (
@ -8,7 +7,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io"
 	"log/slog"
 	"net/http"
 	"net/url"
@ -36,66 +34,8 @@ var (
 	ErrMattermostFailed = errors.New(
 		"mattermost notification failed",
 	)
-	// ErrInvalidScheme is returned for disallowed URL schemes.
-	ErrInvalidScheme = errors.New("URL scheme not allowed")
-	// ErrMissingHost is returned when a URL has no host.
-	ErrMissingHost = errors.New("URL must have a host")
 )

-// IsAllowedScheme checks if the URL scheme is permitted.
-func IsAllowedScheme(scheme string) bool {
-	return scheme == "https" || scheme == "http"
-}
-
-// ValidateWebhookURL validates and sanitizes a webhook URL.
-// It ensures the URL has an allowed scheme (http/https),
-// a non-empty host, and returns a pre-parsed *url.URL
-// reconstructed from validated components.
-func ValidateWebhookURL(raw string) (*url.URL, error) {
-	u, err := url.ParseRequestURI(raw)
-	if err != nil {
-		return nil, fmt.Errorf("invalid URL: %w", err)
-	}
-
-	if !IsAllowedScheme(u.Scheme) {
-		return nil, fmt.Errorf(
-			"%w: %s", ErrInvalidScheme, u.Scheme,
-		)
-	}
-
-	if u.Host == "" {
-		return nil, fmt.Errorf("%w", ErrMissingHost)
-	}
-
-	// Reconstruct from parsed components.
-	clean := &url.URL{
-		Scheme:   u.Scheme,
-		Host:     u.Host,
-		Path:     u.Path,
-		RawQuery: u.RawQuery,
-	}
-
-	return clean, nil
-}
-
-// newRequest creates an http.Request from a pre-validated *url.URL.
-// This avoids passing URL strings to http.NewRequestWithContext,
-// which gosec flags as a potential SSRF vector.
-func newRequest(
-	ctx context.Context,
-	method string,
-	target *url.URL,
-	body io.Reader,
-) *http.Request {
-	return (&http.Request{
-		Method: method,
-		URL:    target,
-		Host:   target.Host,
-		Header: make(http.Header),
-		Body:   io.NopCloser(body),
-	}).WithContext(ctx)
-}
-
 // Params contains dependencies for Service.
 type Params struct {
 	fx.In
@ -107,7 +47,7 @@ type Params struct {
 // Service provides notification functionality.
 type Service struct {
 	log                  *slog.Logger
-	transport            http.RoundTripper
+	client               *http.Client
 	config               *config.Config
 	ntfyURL              *url.URL
 	slackWebhookURL      *url.URL
@ -121,40 +61,32 @@ func New(
 ) (*Service, error) {
 	svc := &Service{
 		log: params.Logger.Get(),
-		transport: http.DefaultTransport,
+		client: &http.Client{
+			Timeout: httpClientTimeout,
+		},
 		config: params.Config,
 	}

 	if params.Config.NtfyTopic != "" {
-		u, err := ValidateWebhookURL(
-			params.Config.NtfyTopic,
-		)
+		u, err := url.ParseRequestURI(params.Config.NtfyTopic)
 		if err != nil {
-			return nil, fmt.Errorf(
-				"invalid ntfy topic URL: %w", err,
-			)
+			return nil, fmt.Errorf("invalid ntfy topic URL: %w", err)
 		}

 		svc.ntfyURL = u
 	}

 	if params.Config.SlackWebhook != "" {
-		u, err := ValidateWebhookURL(
-			params.Config.SlackWebhook,
-		)
+		u, err := url.ParseRequestURI(params.Config.SlackWebhook)
 		if err != nil {
-			return nil, fmt.Errorf(
-				"invalid slack webhook URL: %w", err,
-			)
+			return nil, fmt.Errorf("invalid slack webhook URL: %w", err)
 		}

 		svc.slackWebhookURL = u
 	}

 	if params.Config.MattermostWebhook != "" {
-		u, err := ValidateWebhookURL(
-			params.Config.MattermostWebhook,
-		)
+		u, err := url.ParseRequestURI(params.Config.MattermostWebhook)
 		if err != nil {
 			return nil, fmt.Errorf(
 				"invalid mattermost webhook URL: %w", err,
@ -167,8 +99,7 @@ func New(
 	return svc, nil
 }

-// SendNotification sends a notification to all configured
-// endpoints.
+// SendNotification sends a notification to all configured endpoints.
 func (svc *Service) SendNotification(
 	ctx context.Context,
 	title, message, priority string,
@ -239,20 +170,20 @@ func (svc *Service) sendNtfy(
 		"title", title,
 	)

-	ctx, cancel := context.WithTimeout(
-		ctx, httpClientTimeout,
-	)
-	defer cancel()
-
-	body := bytes.NewBufferString(message)
-	request := newRequest(
-		ctx, http.MethodPost, topicURL, body,
+	request, err := http.NewRequestWithContext(
+		ctx,
+		http.MethodPost,
+		topicURL.String(),
+		bytes.NewBufferString(message),
 	)
+	if err != nil {
+		return fmt.Errorf("creating ntfy request: %w", err)
+	}

 	request.Header.Set("Title", title)
 	request.Header.Set("Priority", ntfyPriority(priority))

-	resp, err := svc.transport.RoundTrip(request)
+	resp, err := svc.client.Do(request) //nolint:gosec // URL validated at Service construction time
 	if err != nil {
 		return fmt.Errorf("sending ntfy request: %w", err)
 	}
@ -261,8 +192,7 @@ func (svc *Service) sendNtfy(

 	if resp.StatusCode >= httpStatusClientError {
 		return fmt.Errorf(
-			"%w: status %d",
-			ErrNtfyFailed, resp.StatusCode,
+			"%w: status %d", ErrNtfyFailed, resp.StatusCode,
 		)
 	}

@ -302,11 +232,6 @@ func (svc *Service) sendSlack(
 	webhookURL *url.URL,
 	title, message, priority string,
 ) error {
-	ctx, cancel := context.WithTimeout(
-		ctx, httpClientTimeout,
-	)
-	defer cancel()
-
 	svc.log.Debug(
 		"sending webhook notification",
 		"url", webhookURL.String(),
@ -325,19 +250,22 @@ func (svc *Service) sendSlack(

 	body, err := json.Marshal(payload)
 	if err != nil {
-		return fmt.Errorf(
-			"marshaling webhook payload: %w", err,
-		)
+		return fmt.Errorf("marshaling webhook payload: %w", err)
 	}

-	request := newRequest(
-		ctx, http.MethodPost, webhookURL,
+	request, err := http.NewRequestWithContext(
+		ctx,
+		http.MethodPost,
+		webhookURL.String(),
 		bytes.NewBuffer(body),
 	)
+	if err != nil {
+		return fmt.Errorf("creating webhook request: %w", err)
+	}

 	request.Header.Set("Content-Type", "application/json")

-	resp, err := svc.transport.RoundTrip(request)
+	resp, err := svc.client.Do(request) //nolint:gosec // URL validated at Service construction time
 	if err != nil {
 		return fmt.Errorf("sending webhook request: %w", err)
 	}
--- a/internal/notify/notify_test.go
+++ b/internal/notify/notify_test.go
@ -1,100 +0,0 @@
-package notify_test
-
-import (
-	"testing"
-
-	"sneak.berlin/go/dnswatcher/internal/notify"
-)
-
-func TestValidateWebhookURLValid(t *testing.T) {
-	t.Parallel()
-
-	tests := []struct {
-		name    string
-		input   string
-		wantURL string
-	}{
-		{
-			name:    "valid https URL",
-			input:   "https://hooks.slack.com/T00/B00",
-			wantURL: "https://hooks.slack.com/T00/B00",
-		},
-		{
-			name:    "valid http URL",
-			input:   "http://localhost:8080/webhook",
-			wantURL: "http://localhost:8080/webhook",
-		},
-		{
-			name:    "https with query",
-			input:   "https://ntfy.sh/topic?auth=tok",
-			wantURL: "https://ntfy.sh/topic?auth=tok",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
-
-			got, err := notify.ValidateWebhookURL(tt.input)
-			if err != nil {
-				t.Fatalf("unexpected error: %v", err)
-			}
-
-			if got.String() != tt.wantURL {
-				t.Errorf(
-					"got %q, want %q",
-					got.String(), tt.wantURL,
-				)
-			}
-		})
-	}
-}
-
-func TestValidateWebhookURLInvalid(t *testing.T) {
-	t.Parallel()
-
-	invalid := []struct {
-		name  string
-		input string
-	}{
-		{"ftp scheme", "ftp://example.com/file"},
-		{"file scheme", "file:///etc/passwd"},
-		{"empty string", ""},
-		{"no scheme", "example.com/webhook"},
-		{"no host", "https:///path"},
-	}
-
-	for _, tt := range invalid {
-		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
-
-			got, err := notify.ValidateWebhookURL(tt.input)
-			if err == nil {
-				t.Errorf(
-					"expected error for %q, got %v",
-					tt.input, got,
-				)
-			}
-		})
-	}
-}
-
-func TestIsAllowedScheme(t *testing.T) {
-	t.Parallel()
-
-	if !notify.IsAllowedScheme("https") {
-		t.Error("https should be allowed")
-	}
-
-	if !notify.IsAllowedScheme("http") {
-		t.Error("http should be allowed")
-	}
-
-	if notify.IsAllowedScheme("ftp") {
-		t.Error("ftp should not be allowed")
-	}
-
-	if notify.IsAllowedScheme("") {
-		t.Error("empty scheme should not be allowed")
-	}
-}
--- a/internal/portcheck/portcheck.go
+++ b/internal/portcheck/portcheck.go
@ -4,39 +4,18 @@ package portcheck
 import (
 	"context"
 	"errors"
-	"fmt"
 	"log/slog"
-	"net"
-	"strconv"
-	"sync"
-	"time"

 	"go.uber.org/fx"
-	"golang.org/x/sync/errgroup"

 	"sneak.berlin/go/dnswatcher/internal/logger"
 )

-const (
-	minPort        = 1
-	maxPort        = 65535
-	defaultTimeout = 5 * time.Second
+// ErrNotImplemented indicates the port checker is not yet implemented.
+var ErrNotImplemented = errors.New(
+	"port checker not yet implemented",
 )

-// ErrInvalidPort is returned when a port number is outside
-// the valid TCP range (1–65535).
-var ErrInvalidPort = errors.New("invalid port number")
-
-// PortResult holds the outcome of a single TCP port check.
-type PortResult struct {
-	// Open indicates whether the port accepted a connection.
-	Open bool
-	// Error contains a description if the connection failed.
-	Error string
-	// Latency is the time taken for the TCP handshake.
-	Latency time.Duration
-}
-
 // Params contains dependencies for Checker.
 type Params struct {
 	fx.In
@ -59,145 +38,11 @@ func New(
 	}, nil
 }

-// NewStandalone creates a Checker without fx dependencies.
-func NewStandalone() *Checker {
-	return &Checker{
-		log: slog.Default(),
-	}
-}
-
-// validatePort checks that a port number is within the valid
-// TCP port range (1–65535).
-func validatePort(port int) error {
-	if port < minPort || port > maxPort {
-		return fmt.Errorf(
-			"%w: %d (must be between %d and %d)",
-			ErrInvalidPort, port, minPort, maxPort,
-		)
-	}
-
-	return nil
-}
-
 // CheckPort tests TCP connectivity to the given address and port.
-// It uses a 5-second timeout unless the context has an earlier
-// deadline.
 func (c *Checker) CheckPort(
-	ctx context.Context,
-	address string,
-	port int,
-) (*PortResult, error) {
-	err := validatePort(port)
-	if err != nil {
-		return nil, err
-	}
-
-	target := net.JoinHostPort(
-		address, strconv.Itoa(port),
-	)
-
-	timeout := defaultTimeout
-
-	deadline, hasDeadline := ctx.Deadline()
-	if hasDeadline {
-		remaining := time.Until(deadline)
-		if remaining < timeout {
-			timeout = remaining
-		}
-	}
-
-	return c.checkConnection(ctx, target, timeout), nil
-}
-
-// CheckPorts tests TCP connectivity to multiple ports on the
-// given address concurrently. It returns a map of port number
-// to result.
-func (c *Checker) CheckPorts(
-	ctx context.Context,
-	address string,
-	ports []int,
-) (map[int]*PortResult, error) {
-	for _, port := range ports {
-		err := validatePort(port)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	var mu sync.Mutex
-
-	results := make(map[int]*PortResult, len(ports))
-
-	g, ctx := errgroup.WithContext(ctx)
-
-	for _, port := range ports {
-		g.Go(func() error {
-			result, err := c.CheckPort(ctx, address, port)
-			if err != nil {
-				return fmt.Errorf(
-					"checking port %d: %w", port, err,
-				)
-			}
-
-			mu.Lock()
-			results[port] = result
-			mu.Unlock()
-
-			return nil
-		})
-	}
-
-	err := g.Wait()
-	if err != nil {
-		return nil, err
-	}
-
-	return results, nil
-}
-
-// checkConnection performs the TCP dial and returns a result.
-func (c *Checker) checkConnection(
-	ctx context.Context,
-	target string,
-	timeout time.Duration,
-) *PortResult {
-	dialer := &net.Dialer{Timeout: timeout}
-	start := time.Now()
-
-	conn, dialErr := dialer.DialContext(ctx, "tcp", target)
-	latency := time.Since(start)
-
-	if dialErr != nil {
-		c.log.Debug(
-			"port check failed",
-			"target", target,
-			"error", dialErr.Error(),
-		)
-
-		return &PortResult{
-			Open:    false,
-			Error:   dialErr.Error(),
-			Latency: latency,
-		}
-	}
-
-	closeErr := conn.Close()
-	if closeErr != nil {
-		c.log.Debug(
-			"closing connection",
-			"target", target,
-			"error", closeErr.Error(),
-		)
-	}
-
-	c.log.Debug(
-		"port check succeeded",
-		"target", target,
-		"latency", latency,
-	)
-
-	return &PortResult{
-		Open:    true,
-		Latency: latency,
-	}
+	_ context.Context,
+	_ string,
+	_ int,
+) (bool, error) {
+	return false, ErrNotImplemented
 }
--- a/internal/portcheck/portcheck_test.go
+++ b/internal/portcheck/portcheck_test.go
@ -1,211 +0,0 @@
-package portcheck_test
-
-import (
-	"context"
-	"net"
-	"testing"
-	"time"
-
-	"sneak.berlin/go/dnswatcher/internal/portcheck"
-)
-
-func listenTCP(
-	t *testing.T,
-) (net.Listener, int) {
-	t.Helper()
-
-	lc := &net.ListenConfig{}
-
-	ln, err := lc.Listen(
-		context.Background(), "tcp", "127.0.0.1:0",
-	)
-	if err != nil {
-		t.Fatalf("failed to start listener: %v", err)
-	}
-
-	addr, ok := ln.Addr().(*net.TCPAddr)
-	if !ok {
-		t.Fatal("unexpected address type")
-	}
-
-	return ln, addr.Port
-}
-
-func TestCheckPortOpen(t *testing.T) {
-	t.Parallel()
-
-	ln, port := listenTCP(t)
-
-	defer func() { _ = ln.Close() }()
-
-	checker := portcheck.NewStandalone()
-
-	result, err := checker.CheckPort(
-		context.Background(), "127.0.0.1", port,
-	)
-	if err != nil {
-		t.Fatalf("unexpected error: %v", err)
-	}
-
-	if !result.Open {
-		t.Error("expected port to be open")
-	}
-
-	if result.Error != "" {
-		t.Errorf("expected no error, got: %s", result.Error)
-	}
-
-	if result.Latency <= 0 {
-		t.Error("expected positive latency")
-	}
-}
-
-func TestCheckPortClosed(t *testing.T) {
-	t.Parallel()
-
-	ln, port := listenTCP(t)
-	_ = ln.Close()
-
-	checker := portcheck.NewStandalone()
-
-	result, err := checker.CheckPort(
-		context.Background(), "127.0.0.1", port,
-	)
-	if err != nil {
-		t.Fatalf("unexpected error: %v", err)
-	}
-
-	if result.Open {
-		t.Error("expected port to be closed")
-	}
-
-	if result.Error == "" {
-		t.Error("expected error message for closed port")
-	}
-}
-
-func TestCheckPortContextCanceled(t *testing.T) {
-	t.Parallel()
-
-	ctx, cancel := context.WithCancel(context.Background())
-	cancel()
-
-	checker := portcheck.NewStandalone()
-
-	result, err := checker.CheckPort(ctx, "127.0.0.1", 1)
-	if err != nil {
-		t.Fatalf("unexpected error: %v", err)
-	}
-
-	if result.Open {
-		t.Error("expected port to not be open")
-	}
-}
-
-func TestCheckPortsMultiple(t *testing.T) {
-	t.Parallel()
-
-	ln, openPort := listenTCP(t)
-
-	defer func() { _ = ln.Close() }()
-
-	ln2, closedPort := listenTCP(t)
-	_ = ln2.Close()
-
-	checker := portcheck.NewStandalone()
-
-	results, err := checker.CheckPorts(
-		context.Background(),
-		"127.0.0.1",
-		[]int{openPort, closedPort},
-	)
-	if err != nil {
-		t.Fatalf("unexpected error: %v", err)
-	}
-
-	if len(results) != 2 {
-		t.Fatalf(
-			"expected 2 results, got %d", len(results),
-		)
-	}
-
-	if !results[openPort].Open {
-		t.Error("expected open port to be open")
-	}
-
-	if results[closedPort].Open {
-		t.Error("expected closed port to be closed")
-	}
-}
-
-func TestCheckPortInvalidPorts(t *testing.T) {
-	t.Parallel()
-
-	checker := portcheck.NewStandalone()
-
-	cases := []struct {
-		name string
-		port int
-	}{
-		{"zero", 0},
-		{"negative", -1},
-		{"too high", 65536},
-		{"very negative", -1000},
-		{"very high", 100000},
-	}
-
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			_, err := checker.CheckPort(
-				context.Background(), "127.0.0.1", tc.port,
-			)
-			if err == nil {
-				t.Errorf(
-					"expected error for port %d, got nil",
-					tc.port,
-				)
-			}
-		})
-	}
-}
-
-func TestCheckPortsInvalidPort(t *testing.T) {
-	t.Parallel()
-
-	checker := portcheck.NewStandalone()
-
-	_, err := checker.CheckPorts(
-		context.Background(),
-		"127.0.0.1",
-		[]int{80, 0, 443},
-	)
-	if err == nil {
-		t.Error("expected error for invalid port in list")
-	}
-}
-
-func TestCheckPortLatencyReasonable(t *testing.T) {
-	t.Parallel()
-
-	ln, port := listenTCP(t)
-
-	defer func() { _ = ln.Close() }()
-
-	checker := portcheck.NewStandalone()
-
-	result, err := checker.CheckPort(
-		context.Background(), "127.0.0.1", port,
-	)
-	if err != nil {
-		t.Fatalf("unexpected error: %v", err)
-	}
-
-	if result.Latency > time.Second {
-		t.Errorf(
-			"latency too high for localhost: %v",
-			result.Latency,
-		)
-	}
-}
--- a/internal/resolver/dns_client.go
+++ b/internal/resolver/dns_client.go
@ -1,48 +0,0 @@
-package resolver
-
-import (
-	"context"
-	"time"
-
-	"github.com/miekg/dns"
-)
-
-// DNSClient abstracts DNS wire-protocol exchanges so the resolver
-// can be tested without hitting real nameservers.
-type DNSClient interface {
-	ExchangeContext(
-		ctx context.Context,
-		msg *dns.Msg,
-		addr string,
-	) (*dns.Msg, time.Duration, error)
-}
-
-// udpClient wraps a real dns.Client for production use.
-type udpClient struct {
-	timeout time.Duration
-}
-
-func (c *udpClient) ExchangeContext(
-	ctx context.Context,
-	msg *dns.Msg,
-	addr string,
-) (*dns.Msg, time.Duration, error) {
-	cl := &dns.Client{Timeout: c.timeout}
-
-	return cl.ExchangeContext(ctx, msg, addr)
-}
-
-// tcpClient wraps a real dns.Client using TCP.
-type tcpClient struct {
-	timeout time.Duration
-}
-
-func (c *tcpClient) ExchangeContext(
-	ctx context.Context,
-	msg *dns.Msg,
-	addr string,
-) (*dns.Msg, time.Duration, error) {
-	cl := &dns.Client{Net: "tcp", Timeout: c.timeout}
-
-	return cl.ExchangeContext(ctx, msg, addr)
-}
--- a/internal/resolver/errors.go
+++ b/internal/resolver/errors.go
@ -1,27 +0,0 @@
-package resolver
-
-import "errors"
-
-// Sentinel errors returned by the resolver.
-var (
-	// ErrNotImplemented indicates a method is stubbed out.
-	ErrNotImplemented = errors.New(
-		"resolver not yet implemented",
-	)
-
-	// ErrNoNameservers is returned when no authoritative NS
-	// could be discovered for a domain.
-	ErrNoNameservers = errors.New(
-		"no authoritative nameservers found",
-	)
-
-	// ErrCNAMEDepthExceeded is returned when a CNAME chain
-	// exceeds MaxCNAMEDepth.
-	ErrCNAMEDepthExceeded = errors.New(
-		"CNAME chain depth exceeded",
-	)
-
-	// ErrContextCanceled wraps context cancellation for the
-	// resolver's iterative queries.
-	ErrContextCanceled = errors.New("context canceled")
-)
--- a/internal/resolver/iterative.go
+++ b/internal/resolver/iterative.go
@ -1,725 +0,0 @@
-package resolver
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net"
-	"sort"
-	"strings"
-	"time"
-
-	"github.com/miekg/dns"
-)
-
-const (
-	queryTimeoutDuration = 5 * time.Second
-	maxRetries           = 2
-	maxDelegation        = 20
-	timeoutMultiplier    = 2
-	minDomainLabels      = 2
-)
-
-// ErrRefused is returned when a DNS server refuses a query.
-var ErrRefused = errors.New("dns query refused")
-
-func rootServerList() []string {
-	return []string{
-		"198.41.0.4",     // a.root-servers.net
-		"170.247.170.2",  // b
-		"192.33.4.12",    // c
-		"199.7.91.13",    // d
-		"192.203.230.10", // e
-		"192.5.5.241",    // f
-		"192.112.36.4",   // g
-		"198.97.190.53",  // h
-		"192.36.148.17",  // i
-		"192.58.128.30",  // j
-		"193.0.14.129",   // k
-		"199.7.83.42",    // l
-		"202.12.27.33",   // m
-	}
-}
-
-func checkCtx(ctx context.Context) error {
-	err := ctx.Err()
-	if err != nil {
-		return ErrContextCanceled
-	}
-
-	return nil
-}
-
-func (r *Resolver) exchangeWithTimeout(
-	ctx context.Context,
-	msg *dns.Msg,
-	addr string,
-	attempt int,
-) (*dns.Msg, error) {
-	_ = attempt // timeout escalation handled by client config
-
-	resp, _, err := r.client.ExchangeContext(ctx, msg, addr)
-
-	return resp, err
-}
-
-func (r *Resolver) tryExchange(
-	ctx context.Context,
-	msg *dns.Msg,
-	addr string,
-) (*dns.Msg, error) {
-	var resp *dns.Msg
-
-	var err error
-
-	for attempt := range maxRetries {
-		if checkCtx(ctx) != nil {
-			return nil, ErrContextCanceled
-		}
-
-		resp, err = r.exchangeWithTimeout(
-			ctx, msg, addr, attempt,
-		)
-		if err == nil {
-			break
-		}
-	}
-
-	return resp, err
-}
-
-func (r *Resolver) retryTCP(
-	ctx context.Context,
-	msg *dns.Msg,
-	addr string,
-	resp *dns.Msg,
-) *dns.Msg {
-	if !resp.Truncated {
-		return resp
-	}
-
-	tcpResp, _, tcpErr := r.tcp.ExchangeContext(ctx, msg, addr)
-	if tcpErr == nil {
-		return tcpResp
-	}
-
-	return resp
-}
-
-// queryDNS sends a DNS query to a specific server IP.
-// Tries non-recursive first, falls back to recursive on
-// REFUSED (handles DNS interception environments).
-func (r *Resolver) queryDNS(
-	ctx context.Context,
-	serverIP string,
-	name string,
-	qtype uint16,
-) (*dns.Msg, error) {
-	if checkCtx(ctx) != nil {
-		return nil, ErrContextCanceled
-	}
-
-	name = dns.Fqdn(name)
-	addr := net.JoinHostPort(serverIP, "53")
-
-	msg := new(dns.Msg)
-	msg.SetQuestion(name, qtype)
-	msg.RecursionDesired = false
-
-	resp, err := r.tryExchange(ctx, msg, addr)
-	if err != nil {
-		return nil, fmt.Errorf("query %s @%s: %w", name, serverIP, err)
-	}
-
-	if resp.Rcode == dns.RcodeRefused {
-		msg.RecursionDesired = true
-
-		resp, err = r.tryExchange(ctx, msg, addr)
-		if err != nil {
-			return nil, fmt.Errorf(
-				"query %s @%s: %w", name, serverIP, err,
-			)
-		}
-
-		if resp.Rcode == dns.RcodeRefused {
-			return nil, fmt.Errorf(
-				"query %s @%s: %w", name, serverIP, ErrRefused,
-			)
-		}
-	}
-
-	resp = r.retryTCP(ctx, msg, addr, resp)
-
-	return resp, nil
-}
-
-func extractNSSet(rrs []dns.RR) []string {
-	nsSet := make(map[string]bool)
-
-	for _, rr := range rrs {
-		if ns, ok := rr.(*dns.NS); ok {
-			nsSet[strings.ToLower(ns.Ns)] = true
-		}
-	}
-
-	names := make([]string, 0, len(nsSet))
-	for n := range nsSet {
-		names = append(names, n)
-	}
-
-	sort.Strings(names)
-
-	return names
-}
-
-func extractGlue(rrs []dns.RR) map[string][]net.IP {
-	glue := make(map[string][]net.IP)
-
-	for _, rr := range rrs {
-		switch r := rr.(type) {
-		case *dns.A:
-			name := strings.ToLower(r.Hdr.Name)
-			glue[name] = append(glue[name], r.A)
-		case *dns.AAAA:
-			name := strings.ToLower(r.Hdr.Name)
-			glue[name] = append(glue[name], r.AAAA)
-		}
-	}
-
-	return glue
-}
-
-func glueIPs(nsNames []string, glue map[string][]net.IP) []string {
-	var ips []string
-
-	for _, ns := range nsNames {
-		for _, addr := range glue[ns] {
-			if v4 := addr.To4(); v4 != nil {
-				ips = append(ips, v4.String())
-			}
-		}
-	}
-
-	return ips
-}
-
-func (r *Resolver) followDelegation(
-	ctx context.Context,
-	domain string,
-	servers []string,
-) ([]string, error) {
-	for range maxDelegation {
-		if checkCtx(ctx) != nil {
-			return nil, ErrContextCanceled
-		}
-
-		resp, err := r.queryServers(
-			ctx, servers, domain, dns.TypeNS,
-		)
-		if err != nil {
-			return nil, err
-		}
-
-		ansNS := extractNSSet(resp.Answer)
-		if len(ansNS) > 0 {
-			return ansNS, nil
-		}
-
-		authNS := extractNSSet(resp.Ns)
-		if len(authNS) == 0 {
-			return r.resolveNSRecursive(ctx, domain)
-		}
-
-		glue := extractGlue(resp.Extra)
-		nextServers := glueIPs(authNS, glue)
-
-		if len(nextServers) == 0 {
-			nextServers = r.resolveNSIPs(ctx, authNS)
-		}
-
-		if len(nextServers) == 0 {
-			return nil, ErrNoNameservers
-		}
-
-		servers = nextServers
-	}
-
-	return nil, ErrNoNameservers
-}
-
-func (r *Resolver) queryServers(
-	ctx context.Context,
-	servers []string,
-	name string,
-	qtype uint16,
-) (*dns.Msg, error) {
-	var lastErr error
-
-	for _, ip := range servers {
-		if checkCtx(ctx) != nil {
-			return nil, ErrContextCanceled
-		}
-
-		resp, err := r.queryDNS(ctx, ip, name, qtype)
-		if err == nil {
-			return resp, nil
-		}
-
-		lastErr = err
-	}
-
-	return nil, fmt.Errorf("all servers failed: %w", lastErr)
-}
-
-func (r *Resolver) resolveNSIPs(
-	ctx context.Context,
-	nsNames []string,
-) []string {
-	var ips []string
-
-	for _, ns := range nsNames {
-		resolved, err := r.resolveARecord(ctx, ns)
-		if err == nil {
-			ips = append(ips, resolved...)
-		}
-
-		if len(ips) > 0 {
-			break
-		}
-	}
-
-	return ips
-}
-
-// resolveNSRecursive queries for NS records using recursive
-// resolution as a fallback for intercepted environments.
-func (r *Resolver) resolveNSRecursive(
-	ctx context.Context,
-	domain string,
-) ([]string, error) {
-	domain = dns.Fqdn(domain)
-	msg := new(dns.Msg)
-	msg.SetQuestion(domain, dns.TypeNS)
-	msg.RecursionDesired = true
-
-	for _, ip := range rootServerList()[:3] {
-		if checkCtx(ctx) != nil {
-			return nil, ErrContextCanceled
-		}
-
-		addr := net.JoinHostPort(ip, "53")
-
-		resp, _, err := r.client.ExchangeContext(ctx, msg, addr)
-		if err != nil {
-			continue
-		}
-
-		nsNames := extractNSSet(resp.Answer)
-		if len(nsNames) > 0 {
-			return nsNames, nil
-		}
-	}
-
-	return nil, ErrNoNameservers
-}
-
-// resolveARecord resolves a hostname to IPv4 addresses.
-func (r *Resolver) resolveARecord(
-	ctx context.Context,
-	hostname string,
-) ([]string, error) {
-	hostname = dns.Fqdn(hostname)
-	msg := new(dns.Msg)
-	msg.SetQuestion(hostname, dns.TypeA)
-	msg.RecursionDesired = true
-
-	for _, ip := range rootServerList()[:3] {
-		if checkCtx(ctx) != nil {
-			return nil, ErrContextCanceled
-		}
-
-		addr := net.JoinHostPort(ip, "53")
-
-		resp, _, err := r.client.ExchangeContext(ctx, msg, addr)
-		if err != nil {
-			continue
-		}
-
-		var ips []string
-
-		for _, rr := range resp.Answer {
-			if a, ok := rr.(*dns.A); ok {
-				ips = append(ips, a.A.String())
-			}
-		}
-
-		if len(ips) > 0 {
-			return ips, nil
-		}
-	}
-
-	return nil, fmt.Errorf(
-		"cannot resolve %s: %w", hostname, ErrNoNameservers,
-	)
-}
-
-// FindAuthoritativeNameservers traces the delegation chain from
-// root servers to discover all authoritative nameservers for the
-// given domain. Walks up the label hierarchy for subdomains.
-func (r *Resolver) FindAuthoritativeNameservers(
-	ctx context.Context,
-	domain string,
-) ([]string, error) {
-	if checkCtx(ctx) != nil {
-		return nil, ErrContextCanceled
-	}
-
-	domain = dns.Fqdn(strings.ToLower(domain))
-	labels := dns.SplitDomainName(domain)
-
-	for i := range labels {
-		if checkCtx(ctx) != nil {
-			return nil, ErrContextCanceled
-		}
-
-		candidate := strings.Join(labels[i:], ".") + "."
-
-		nsNames, err := r.followDelegation(
-			ctx, candidate, rootServerList(),
-		)
-		if err == nil && len(nsNames) > 0 {
-			sort.Strings(nsNames)
-
-			return nsNames, nil
-		}
-	}
-
-	return nil, ErrNoNameservers
-}
-
-// QueryNameserver queries a specific nameserver for all record
-// types and builds a NameserverResponse.
-func (r *Resolver) QueryNameserver(
-	ctx context.Context,
-	nsHostname string,
-	hostname string,
-) (*NameserverResponse, error) {
-	if checkCtx(ctx) != nil {
-		return nil, ErrContextCanceled
-	}
-
-	nsIPs, err := r.resolveARecord(ctx, nsHostname)
-	if err != nil {
-		return nil, fmt.Errorf("resolving NS %s: %w", nsHostname, err)
-	}
-
-	hostname = dns.Fqdn(hostname)
-
-	return r.queryAllTypes(ctx, nsHostname, nsIPs[0], hostname)
-}
-
-func (r *Resolver) queryAllTypes(
-	ctx context.Context,
-	nsHostname string,
-	nsIP string,
-	hostname string,
-) (*NameserverResponse, error) {
-	resp := &NameserverResponse{
-		Nameserver: nsHostname,
-		Records:    make(map[string][]string),
-		Status:     StatusOK,
-	}
-
-	qtypes := []uint16{
-		dns.TypeA, dns.TypeAAAA, dns.TypeCNAME,
-		dns.TypeMX, dns.TypeTXT, dns.TypeSRV,
-		dns.TypeCAA, dns.TypeNS,
-	}
-
-	state := r.queryEachType(ctx, nsIP, hostname, qtypes, resp)
-	classifyResponse(resp, state)
-
-	return resp, nil
-}
-
-type queryState struct {
-	gotNXDomain bool
-	gotSERVFAIL bool
-	hasRecords  bool
-}
-
-func (r *Resolver) queryEachType(
-	ctx context.Context,
-	nsIP string,
-	hostname string,
-	qtypes []uint16,
-	resp *NameserverResponse,
-) queryState {
-	var state queryState
-
-	for _, qtype := range qtypes {
-		if checkCtx(ctx) != nil {
-			break
-		}
-
-		r.querySingleType(ctx, nsIP, hostname, qtype, resp, &state)
-	}
-
-	for k := range resp.Records {
-		sort.Strings(resp.Records[k])
-	}
-
-	return state
-}
-
-func (r *Resolver) querySingleType(
-	ctx context.Context,
-	nsIP string,
-	hostname string,
-	qtype uint16,
-	resp *NameserverResponse,
-	state *queryState,
-) {
-	msg, err := r.queryDNS(ctx, nsIP, hostname, qtype)
-	if err != nil {
-		return
-	}
-
-	if msg.Rcode == dns.RcodeNameError {
-		state.gotNXDomain = true
-
-		return
-	}
-
-	if msg.Rcode == dns.RcodeServerFailure {
-		state.gotSERVFAIL = true
-
-		return
-	}
-
-	collectAnswerRecords(msg, resp, state)
-}
-
-func collectAnswerRecords(
-	msg *dns.Msg,
-	resp *NameserverResponse,
-	state *queryState,
-) {
-	for _, rr := range msg.Answer {
-		val := extractRecordValue(rr)
-		if val == "" {
-			continue
-		}
-
-		typeName := dns.TypeToString[rr.Header().Rrtype]
-		resp.Records[typeName] = append(
-			resp.Records[typeName], val,
-		)
-		state.hasRecords = true
-	}
-}
-
-func classifyResponse(resp *NameserverResponse, state queryState) {
-	switch {
-	case state.gotNXDomain && !state.hasRecords:
-		resp.Status = StatusNXDomain
-	case state.gotSERVFAIL && !state.hasRecords:
-		resp.Status = StatusError
-	case !state.hasRecords && !state.gotNXDomain:
-		resp.Status = StatusNoData
-	}
-}
-
-// extractRecordValue formats a DNS RR value as a string.
-func extractRecordValue(rr dns.RR) string {
-	switch r := rr.(type) {
-	case *dns.A:
-		return r.A.String()
-	case *dns.AAAA:
-		return r.AAAA.String()
-	case *dns.CNAME:
-		return r.Target
-	case *dns.MX:
-		return fmt.Sprintf("%d %s", r.Preference, r.Mx)
-	case *dns.TXT:
-		return strings.Join(r.Txt, "")
-	case *dns.SRV:
-		return fmt.Sprintf(
-			"%d %d %d %s",
-			r.Priority, r.Weight, r.Port, r.Target,
-		)
-	case *dns.CAA:
-		return fmt.Sprintf(
-			"%d %s \"%s\"", r.Flag, r.Tag, r.Value,
-		)
-	case *dns.NS:
-		return r.Ns
-	default:
-		return ""
-	}
-}
-
-// parentDomain returns the registerable parent domain.
-func parentDomain(hostname string) string {
-	hostname = dns.Fqdn(strings.ToLower(hostname))
-	labels := dns.SplitDomainName(hostname)
-
-	if len(labels) <= minDomainLabels {
-		return strings.Join(labels, ".") + "."
-	}
-
-	return strings.Join(
-		labels[len(labels)-minDomainLabels:], ".",
-	) + "."
-}
-
-// QueryAllNameservers discovers auth NSes for the hostname's
-// parent domain, then queries each one independently.
-func (r *Resolver) QueryAllNameservers(
-	ctx context.Context,
-	hostname string,
-) (map[string]*NameserverResponse, error) {
-	if checkCtx(ctx) != nil {
-		return nil, ErrContextCanceled
-	}
-
-	parent := parentDomain(hostname)
-
-	nameservers, err := r.FindAuthoritativeNameservers(ctx, parent)
-	if err != nil {
-		return nil, err
-	}
-
-	return r.queryEachNS(ctx, nameservers, hostname)
-}
-
-func (r *Resolver) queryEachNS(
-	ctx context.Context,
-	nameservers []string,
-	hostname string,
-) (map[string]*NameserverResponse, error) {
-	results := make(map[string]*NameserverResponse)
-
-	for _, ns := range nameservers {
-		if checkCtx(ctx) != nil {
-			return nil, ErrContextCanceled
-		}
-
-		resp, err := r.QueryNameserver(ctx, ns, hostname)
-		if err != nil {
-			results[ns] = &NameserverResponse{
-				Nameserver: ns,
-				Records:    make(map[string][]string),
-				Status:     StatusError,
-				Error:      err.Error(),
-			}
-
-			continue
-		}
-
-		results[ns] = resp
-	}
-
-	return results, nil
-}
-
-// LookupNS returns the NS record set for a domain.
-func (r *Resolver) LookupNS(
-	ctx context.Context,
-	domain string,
-) ([]string, error) {
-	return r.FindAuthoritativeNameservers(ctx, domain)
-}
-
-// LookupAllRecords performs iterative resolution to find all DNS
-// records for the given hostname, keyed by authoritative nameserver.
-func (r *Resolver) LookupAllRecords(
-	ctx context.Context,
-	hostname string,
-) (map[string]map[string][]string, error) {
-	results, err := r.QueryAllNameservers(ctx, hostname)
-	if err != nil {
-		return nil, err
-	}
-
-	out := make(map[string]map[string][]string, len(results))
-	for ns, resp := range results {
-		out[ns] = resp.Records
-	}
-
-	return out, nil
-}
-
-// ResolveIPAddresses resolves a hostname to all IPv4 and IPv6
-// addresses, following CNAME chains up to MaxCNAMEDepth.
-func (r *Resolver) ResolveIPAddresses(
-	ctx context.Context,
-	hostname string,
-) ([]string, error) {
-	if checkCtx(ctx) != nil {
-		return nil, ErrContextCanceled
-	}
-
-	return r.resolveIPWithCNAME(ctx, hostname, 0)
-}
-
-func (r *Resolver) resolveIPWithCNAME(
-	ctx context.Context,
-	hostname string,
-	depth int,
-) ([]string, error) {
-	if depth > MaxCNAMEDepth {
-		return nil, ErrCNAMEDepthExceeded
-	}
-
-	results, err := r.QueryAllNameservers(ctx, hostname)
-	if err != nil {
-		return nil, err
-	}
-
-	ips, cnameTarget := collectIPs(results)
-
-	if len(ips) == 0 && cnameTarget != "" {
-		return r.resolveIPWithCNAME(ctx, cnameTarget, depth+1)
-	}
-
-	sort.Strings(ips)
-
-	return ips, nil
-}
-
-func collectIPs(
-	results map[string]*NameserverResponse,
-) ([]string, string) {
-	seen := make(map[string]bool)
-
-	var ips []string
-
-	var cnameTarget string
-
-	for _, resp := range results {
-		if resp.Status == StatusNXDomain {
-			continue
-		}
-
-		for _, ip := range resp.Records["A"] {
-			if !seen[ip] {
-				seen[ip] = true
-				ips = append(ips, ip)
-			}
-		}
-
-		for _, ip := range resp.Records["AAAA"] {
-			if !seen[ip] {
-				seen[ip] = true
-				ips = append(ips, ip)
-			}
-		}
-
-		if len(resp.Records["CNAME"]) > 0 && cnameTarget == "" {
-			cnameTarget = resp.Records["CNAME"][0]
-		}
-	}
-
-	return ips, cnameTarget
-}
--- a/internal/resolver/resolver.go
+++ b/internal/resolver/resolver.go
@ -1,9 +1,9 @@
 // Package resolver provides iterative DNS resolution from root nameservers.
-// It traces the full delegation chain from IANA root servers through TLD
-// and domain nameservers, never relying on upstream recursive resolvers.
 package resolver

 import (
+	"context"
+	"errors"
 	"log/slog"

 	"go.uber.org/fx"
@ -11,16 +11,8 @@ import (
 	"sneak.berlin/go/dnswatcher/internal/logger"
 )

-// Query status constants matching the state model.
-const (
-	StatusOK       = "ok"
-	StatusError    = "error"
-	StatusNXDomain = "nxdomain"
-	StatusNoData   = "nodata"
-)
-
-// MaxCNAMEDepth is the maximum CNAME chain depth to follow.
-const MaxCNAMEDepth = 10
+// ErrNotImplemented indicates the resolver is not yet implemented.
+var ErrNotImplemented = errors.New("resolver not yet implemented")

 // Params contains dependencies for Resolver.
 type Params struct {
@ -29,54 +21,44 @@ type Params struct {
 	Logger *logger.Logger
 }

-// NameserverResponse holds one nameserver's response for a query.
-type NameserverResponse struct {
-	Nameserver string
-	Records    map[string][]string
-	Status     string
-	Error      string
-}
-
 // Resolver performs iterative DNS resolution from root servers.
 type Resolver struct {
 	log *slog.Logger
-	client DNSClient
-	tcp    DNSClient
 }

-// New creates a new Resolver instance for use with uber/fx.
+// New creates a new Resolver instance.
 func New(
 	_ fx.Lifecycle,
 	params Params,
 ) (*Resolver, error) {
 	return &Resolver{
 		log: params.Logger.Get(),
-		client: &udpClient{timeout: queryTimeoutDuration},
-		tcp:    &tcpClient{timeout: queryTimeoutDuration},
 	}, nil
 }

-// NewFromLogger creates a Resolver directly from an slog.Logger,
-// useful for testing without the fx lifecycle.
-func NewFromLogger(log *slog.Logger) *Resolver {
-	return &Resolver{
-		log:    log,
-		client: &udpClient{timeout: queryTimeoutDuration},
-		tcp:    &tcpClient{timeout: queryTimeoutDuration},
-	}
+// LookupNS performs iterative resolution to find authoritative
+// nameservers for the given domain.
+func (r *Resolver) LookupNS(
+	_ context.Context,
+	_ string,
+) ([]string, error) {
+	return nil, ErrNotImplemented
 }

-// NewFromLoggerWithClient creates a Resolver with a custom DNS
-// client, useful for testing with mock DNS responses.
-func NewFromLoggerWithClient(
-	log *slog.Logger,
-	client DNSClient,
-) *Resolver {
-	return &Resolver{
-		log:    log,
-		client: client,
-		tcp:    client,
-	}
+// LookupAllRecords performs iterative resolution to find all DNS
+// records for the given hostname.
+func (r *Resolver) LookupAllRecords(
+	_ context.Context,
+	_ string,
+) (map[string][]string, error) {
+	return nil, ErrNotImplemented
 }

-// Method implementations are in iterative.go.
+// ResolveIPAddresses resolves a hostname to all IPv4 and IPv6
+// addresses, following CNAME chains.
+func (r *Resolver) ResolveIPAddresses(
+	_ context.Context,
+	_ string,
+) ([]string, error) {
+	return nil, ErrNotImplemented
+}
--- a/internal/resolver/resolver_test.go
+++ b/internal/resolver/resolver_test.go
@ -1,634 +0,0 @@
-package resolver_test
-
-import (
-	"context"
-	"log/slog"
-	"net"
-	"os"
-	"sort"
-	"strings"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"sneak.berlin/go/dnswatcher/internal/resolver"
-)
-
-// ----------------------------------------------------------------
-// Test helpers
-// ----------------------------------------------------------------
-
-func newTestResolver(t *testing.T) *resolver.Resolver {
-	t.Helper()
-
-	log := slog.New(slog.NewTextHandler(
-		os.Stderr,
-		&slog.HandlerOptions{Level: slog.LevelDebug},
-	))
-
-	return resolver.NewFromLogger(log)
-}
-
-func testContext(t *testing.T) context.Context {
-	t.Helper()
-
-	ctx, cancel := context.WithTimeout(
-		context.Background(), 60*time.Second,
-	)
-	t.Cleanup(cancel)
-
-	return ctx
-}
-
-func findOneNSForDomain(
-	t *testing.T,
-	r *resolver.Resolver,
-	ctx context.Context, //nolint:revive // test helper
-	domain string,
-) string {
-	t.Helper()
-
-	nameservers, err := r.FindAuthoritativeNameservers(
-		ctx, domain,
-	)
-	require.NoError(t, err)
-	require.NotEmpty(t, nameservers)
-
-	return nameservers[0]
-}
-
-// ----------------------------------------------------------------
-// FindAuthoritativeNameservers tests
-// ----------------------------------------------------------------
-
-func TestFindAuthoritativeNameservers_ValidDomain(
-	t *testing.T,
-) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx := testContext(t)
-
-	nameservers, err := r.FindAuthoritativeNameservers(
-		ctx, "google.com",
-	)
-	require.NoError(t, err)
-	require.NotEmpty(t, nameservers)
-
-	hasGoogleNS := false
-
-	for _, ns := range nameservers {
-		if strings.Contains(ns, "google") {
-			hasGoogleNS = true
-
-			break
-		}
-	}
-
-	assert.True(t, hasGoogleNS,
-		"expected google nameservers, got: %v", nameservers,
-	)
-}
-
-func TestFindAuthoritativeNameservers_Subdomain(
-	t *testing.T,
-) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx := testContext(t)
-
-	nameservers, err := r.FindAuthoritativeNameservers(
-		ctx, "www.google.com",
-	)
-	require.NoError(t, err)
-	require.NotEmpty(t, nameservers)
-}
-
-func TestFindAuthoritativeNameservers_ReturnsSorted(
-	t *testing.T,
-) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx := testContext(t)
-
-	nameservers, err := r.FindAuthoritativeNameservers(
-		ctx, "google.com",
-	)
-	require.NoError(t, err)
-
-	assert.True(
-		t,
-		sort.StringsAreSorted(nameservers),
-		"nameservers should be sorted, got: %v", nameservers,
-	)
-}
-
-func TestFindAuthoritativeNameservers_Deterministic(
-	t *testing.T,
-) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx := testContext(t)
-
-	first, err := r.FindAuthoritativeNameservers(
-		ctx, "google.com",
-	)
-	require.NoError(t, err)
-
-	second, err := r.FindAuthoritativeNameservers(
-		ctx, "google.com",
-	)
-	require.NoError(t, err)
-
-	assert.Equal(t, first, second)
-}
-
-func TestFindAuthoritativeNameservers_TrailingDot(
-	t *testing.T,
-) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx := testContext(t)
-
-	ns1, err := r.FindAuthoritativeNameservers(
-		ctx, "google.com",
-	)
-	require.NoError(t, err)
-
-	ns2, err := r.FindAuthoritativeNameservers(
-		ctx, "google.com.",
-	)
-	require.NoError(t, err)
-
-	assert.Equal(t, ns1, ns2)
-}
-
-func TestFindAuthoritativeNameservers_CloudflareDomain(
-	t *testing.T,
-) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx := testContext(t)
-
-	nameservers, err := r.FindAuthoritativeNameservers(
-		ctx, "cloudflare.com",
-	)
-	require.NoError(t, err)
-	require.NotEmpty(t, nameservers)
-
-	for _, ns := range nameservers {
-		assert.True(t, strings.HasSuffix(ns, "."),
-			"NS should be FQDN with trailing dot: %s", ns,
-		)
-	}
-}
-
-// ----------------------------------------------------------------
-// QueryNameserver tests
-// ----------------------------------------------------------------
-
-func TestQueryNameserver_BasicA(t *testing.T) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx := testContext(t)
-	ns := findOneNSForDomain(t, r, ctx, "google.com")
-
-	resp, err := r.QueryNameserver(
-		ctx, ns, "www.google.com",
-	)
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-
-	assert.Equal(t, resolver.StatusOK, resp.Status)
-	assert.Equal(t, ns, resp.Nameserver)
-
-	hasRecords := len(resp.Records["A"]) > 0 ||
-		len(resp.Records["CNAME"]) > 0
-	assert.True(t, hasRecords,
-		"expected A or CNAME records for www.google.com",
-	)
-}
-
-func TestQueryNameserver_AAAA(t *testing.T) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx := testContext(t)
-	ns := findOneNSForDomain(t, r, ctx, "cloudflare.com")
-
-	resp, err := r.QueryNameserver(
-		ctx, ns, "cloudflare.com",
-	)
-	require.NoError(t, err)
-
-	aaaaRecords := resp.Records["AAAA"]
-	require.NotEmpty(t, aaaaRecords,
-		"cloudflare.com should have AAAA records",
-	)
-
-	for _, ip := range aaaaRecords {
-		parsed := net.ParseIP(ip)
-		require.NotNil(t, parsed,
-			"should be valid IP: %s", ip,
-		)
-	}
-}
-
-func TestQueryNameserver_MX(t *testing.T) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx := testContext(t)
-	ns := findOneNSForDomain(t, r, ctx, "google.com")
-
-	resp, err := r.QueryNameserver(
-		ctx, ns, "google.com",
-	)
-	require.NoError(t, err)
-
-	mxRecords := resp.Records["MX"]
-	require.NotEmpty(t, mxRecords,
-		"google.com should have MX records",
-	)
-}
-
-func TestQueryNameserver_TXT(t *testing.T) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx := testContext(t)
-	ns := findOneNSForDomain(t, r, ctx, "google.com")
-
-	resp, err := r.QueryNameserver(
-		ctx, ns, "google.com",
-	)
-	require.NoError(t, err)
-
-	txtRecords := resp.Records["TXT"]
-	require.NotEmpty(t, txtRecords,
-		"google.com should have TXT records",
-	)
-
-	hasSPF := false
-
-	for _, txt := range txtRecords {
-		if strings.Contains(txt, "v=spf1") {
-			hasSPF = true
-
-			break
-		}
-	}
-
-	assert.True(t, hasSPF,
-		"google.com should have SPF TXT record",
-	)
-}
-
-func TestQueryNameserver_NXDomain(t *testing.T) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx := testContext(t)
-	ns := findOneNSForDomain(t, r, ctx, "google.com")
-
-	resp, err := r.QueryNameserver(
-		ctx, ns,
-		"this-surely-does-not-exist-xyz.google.com",
-	)
-	require.NoError(t, err)
-
-	assert.Equal(t, resolver.StatusNXDomain, resp.Status)
-}
-
-func TestQueryNameserver_RecordsSorted(t *testing.T) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx := testContext(t)
-	ns := findOneNSForDomain(t, r, ctx, "google.com")
-
-	resp, err := r.QueryNameserver(
-		ctx, ns, "google.com",
-	)
-	require.NoError(t, err)
-
-	for recordType, values := range resp.Records {
-		assert.True(
-			t,
-			sort.StringsAreSorted(values),
-			"%s records should be sorted", recordType,
-		)
-	}
-}
-
-func TestQueryNameserver_ResponseIncludesNameserver(
-	t *testing.T,
-) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx := testContext(t)
-	ns := findOneNSForDomain(t, r, ctx, "cloudflare.com")
-
-	resp, err := r.QueryNameserver(
-		ctx, ns, "cloudflare.com",
-	)
-	require.NoError(t, err)
-
-	assert.Equal(t, ns, resp.Nameserver)
-}
-
-func TestQueryNameserver_EmptyRecordsOnNXDomain(
-	t *testing.T,
-) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx := testContext(t)
-	ns := findOneNSForDomain(t, r, ctx, "google.com")
-
-	resp, err := r.QueryNameserver(
-		ctx, ns,
-		"this-surely-does-not-exist-xyz.google.com",
-	)
-	require.NoError(t, err)
-
-	totalRecords := 0
-	for _, values := range resp.Records {
-		totalRecords += len(values)
-	}
-
-	assert.Zero(t, totalRecords)
-}
-
-func TestQueryNameserver_TrailingDotHandling(t *testing.T) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx := testContext(t)
-	ns := findOneNSForDomain(t, r, ctx, "google.com")
-
-	resp1, err := r.QueryNameserver(
-		ctx, ns, "google.com",
-	)
-	require.NoError(t, err)
-
-	resp2, err := r.QueryNameserver(
-		ctx, ns, "google.com.",
-	)
-	require.NoError(t, err)
-
-	assert.Equal(t, resp1.Status, resp2.Status)
-}
-
-// ----------------------------------------------------------------
-// QueryAllNameservers tests
-// ----------------------------------------------------------------
-
-func TestQueryAllNameservers_ReturnsAllNS(t *testing.T) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx := testContext(t)
-
-	results, err := r.QueryAllNameservers(
-		ctx, "google.com",
-	)
-	require.NoError(t, err)
-	require.NotEmpty(t, results)
-
-	assert.GreaterOrEqual(t, len(results), 2)
-
-	for ns, resp := range results {
-		assert.Equal(t, ns, resp.Nameserver)
-	}
-}
-
-func TestQueryAllNameservers_AllReturnOK(t *testing.T) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx := testContext(t)
-
-	results, err := r.QueryAllNameservers(
-		ctx, "google.com",
-	)
-	require.NoError(t, err)
-
-	for ns, resp := range results {
-		assert.Equal(
-			t, resolver.StatusOK, resp.Status,
-			"NS %s should return OK", ns,
-		)
-	}
-}
-
-func TestQueryAllNameservers_NXDomainFromAllNS(
-	t *testing.T,
-) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx := testContext(t)
-
-	results, err := r.QueryAllNameservers(
-		ctx,
-		"this-surely-does-not-exist-xyz.google.com",
-	)
-	require.NoError(t, err)
-
-	for ns, resp := range results {
-		assert.Equal(
-			t, resolver.StatusNXDomain, resp.Status,
-			"NS %s should return nxdomain", ns,
-		)
-	}
-}
-
-// ----------------------------------------------------------------
-// LookupNS tests
-// ----------------------------------------------------------------
-
-func TestLookupNS_ValidDomain(t *testing.T) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx := testContext(t)
-
-	nameservers, err := r.LookupNS(ctx, "google.com")
-	require.NoError(t, err)
-	require.NotEmpty(t, nameservers)
-
-	for _, ns := range nameservers {
-		assert.True(t, strings.HasSuffix(ns, "."),
-			"NS should have trailing dot: %s", ns,
-		)
-	}
-}
-
-func TestLookupNS_Sorted(t *testing.T) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx := testContext(t)
-
-	nameservers, err := r.LookupNS(ctx, "google.com")
-	require.NoError(t, err)
-
-	assert.True(t, sort.StringsAreSorted(nameservers))
-}
-
-func TestLookupNS_MatchesFindAuthoritative(t *testing.T) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx := testContext(t)
-
-	fromLookup, err := r.LookupNS(ctx, "google.com")
-	require.NoError(t, err)
-
-	fromFind, err := r.FindAuthoritativeNameservers(
-		ctx, "google.com",
-	)
-	require.NoError(t, err)
-
-	assert.Equal(t, fromFind, fromLookup)
-}
-
-// ----------------------------------------------------------------
-// ResolveIPAddresses tests
-// ----------------------------------------------------------------
-
-func TestResolveIPAddresses_ReturnsIPs(t *testing.T) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx := testContext(t)
-
-	ips, err := r.ResolveIPAddresses(ctx, "google.com")
-	require.NoError(t, err)
-	require.NotEmpty(t, ips)
-
-	for _, ip := range ips {
-		parsed := net.ParseIP(ip)
-		assert.NotNil(t, parsed,
-			"should be valid IP: %s", ip,
-		)
-	}
-}
-
-func TestResolveIPAddresses_Deduplicated(t *testing.T) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx := testContext(t)
-
-	ips, err := r.ResolveIPAddresses(ctx, "google.com")
-	require.NoError(t, err)
-
-	seen := make(map[string]bool)
-
-	for _, ip := range ips {
-		assert.False(t, seen[ip], "duplicate IP: %s", ip)
-		seen[ip] = true
-	}
-}
-
-func TestResolveIPAddresses_Sorted(t *testing.T) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx := testContext(t)
-
-	ips, err := r.ResolveIPAddresses(ctx, "google.com")
-	require.NoError(t, err)
-
-	assert.True(t, sort.StringsAreSorted(ips))
-}
-
-func TestResolveIPAddresses_NXDomainReturnsEmpty(
-	t *testing.T,
-) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx := testContext(t)
-
-	ips, err := r.ResolveIPAddresses(
-		ctx,
-		"this-surely-does-not-exist-xyz.google.com",
-	)
-	require.NoError(t, err)
-	assert.Empty(t, ips)
-}
-
-func TestResolveIPAddresses_CloudflareDomain(t *testing.T) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx := testContext(t)
-
-	ips, err := r.ResolveIPAddresses(ctx, "cloudflare.com")
-	require.NoError(t, err)
-	require.NotEmpty(t, ips)
-}
-
-// ----------------------------------------------------------------
-// Context cancellation tests
-// ----------------------------------------------------------------
-
-func TestFindAuthoritativeNameservers_ContextCanceled(
-	t *testing.T,
-) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx, cancel := context.WithCancel(context.Background())
-	cancel()
-
-	_, err := r.FindAuthoritativeNameservers(ctx, "google.com")
-	assert.Error(t, err)
-}
-
-func TestQueryNameserver_ContextCanceled(t *testing.T) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx, cancel := context.WithCancel(context.Background())
-	cancel()
-
-	_, err := r.QueryNameserver(
-		ctx, "ns1.google.com.", "google.com",
-	)
-	assert.Error(t, err)
-}
-
-func TestQueryAllNameservers_ContextCanceled(t *testing.T) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx, cancel := context.WithCancel(context.Background())
-	cancel()
-
-	_, err := r.QueryAllNameservers(ctx, "google.com")
-	assert.Error(t, err)
-}
-
-func TestResolveIPAddresses_ContextCanceled(t *testing.T) {
-	t.Parallel()
-
-	r := newTestResolver(t)
-	ctx, cancel := context.WithCancel(context.Background())
-	cancel()
-
-	_, err := r.ResolveIPAddresses(ctx, "google.com")
-	assert.Error(t, err)
-}
--- a/internal/state/state_test_helper.go
+++ b/internal/state/state_test_helper.go
@ -1,22 +0,0 @@
-package state
-
-import (
-	"log/slog"
-
-	"sneak.berlin/go/dnswatcher/internal/config"
-)
-
-// NewForTest creates a State for unit testing with no persistence.
-func NewForTest() *State {
-	return &State{
-		log: slog.Default(),
-		snapshot: &Snapshot{
-			Version:      stateVersion,
-			Domains:      make(map[string]*DomainState),
-			Hostnames:    make(map[string]*HostnameState),
-			Ports:        make(map[string]*PortState),
-			Certificates: make(map[string]*CertificateState),
-		},
-		config: &config.Config{DataDir: ""},
-	}
-}
--- a/internal/tlscheck/extractcertinfo_test.go
+++ b/internal/tlscheck/extractcertinfo_test.go
@ -1,67 +0,0 @@
-package tlscheck_test
-
-import (
-	"context"
-	"crypto/tls"
-	"errors"
-	"net"
-	"testing"
-	"time"
-
-	"sneak.berlin/go/dnswatcher/internal/tlscheck"
-)
-
-func TestCheckCertificateNoPeerCerts(t *testing.T) {
-	t.Parallel()
-
-	lc := &net.ListenConfig{}
-
-	ln, err := lc.Listen(
-		context.Background(), "tcp", "127.0.0.1:0",
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	defer func() { _ = ln.Close() }()
-
-	addr, ok := ln.Addr().(*net.TCPAddr)
-	if !ok {
-		t.Fatal("unexpected address type")
-	}
-
-	// Accept and immediately close to cause TLS handshake failure.
-	go func() {
-		conn, err := ln.Accept()
-		if err != nil {
-			return
-		}
-
-		_ = conn.Close()
-	}()
-
-	checker := tlscheck.NewStandalone(
-		tlscheck.WithTimeout(2*time.Second),
-		tlscheck.WithTLSConfig(&tls.Config{
-			InsecureSkipVerify: true, //nolint:gosec // test
-			MinVersion:         tls.VersionTLS12,
-		}),
-		tlscheck.WithPort(addr.Port),
-	)
-
-	_, err = checker.CheckCertificate(
-		context.Background(), "127.0.0.1", "localhost",
-	)
-	if err == nil {
-		t.Fatal("expected error when server presents no certs")
-	}
-}
-
-func TestErrNoPeerCertificatesIsSentinel(t *testing.T) {
-	t.Parallel()
-
-	err := tlscheck.ErrNoPeerCertificates
-	if !errors.Is(err, tlscheck.ErrNoPeerCertificates) {
-		t.Fatal("expected sentinel error to match")
-	}
-}
--- a/internal/tlscheck/tlscheck.go
+++ b/internal/tlscheck/tlscheck.go
@ -3,12 +3,8 @@ package tlscheck

 import (
 	"context"
-	"crypto/tls"
 	"errors"
-	"fmt"
 	"log/slog"
-	"net"
-	"strconv"
 	"time"

 	"go.uber.org/fx"
@ -16,56 +12,11 @@ import (
 	"sneak.berlin/go/dnswatcher/internal/logger"
 )

-const (
-	defaultTimeout = 10 * time.Second
-	defaultPort    = 443
+// ErrNotImplemented indicates the TLS checker is not yet implemented.
+var ErrNotImplemented = errors.New(
+	"tls checker not yet implemented",
 )

-// ErrUnexpectedConnType indicates the connection was not a TLS
-// connection.
-var ErrUnexpectedConnType = errors.New(
-	"unexpected connection type",
-)
-
-// ErrNoPeerCertificates indicates the TLS connection had no peer
-// certificates.
-var ErrNoPeerCertificates = errors.New(
-	"no peer certificates",
-)
-
-// CertificateInfo holds information about a TLS certificate.
-type CertificateInfo struct {
-	CommonName              string
-	Issuer                  string
-	NotAfter                time.Time
-	SubjectAlternativeNames []string
-	SerialNumber            string
-}
-
-// Option configures a Checker.
-type Option func(*Checker)
-
-// WithTimeout sets the connection timeout.
-func WithTimeout(d time.Duration) Option {
-	return func(c *Checker) {
-		c.timeout = d
-	}
-}
-
-// WithTLSConfig sets a custom TLS configuration.
-func WithTLSConfig(cfg *tls.Config) Option {
-	return func(c *Checker) {
-		c.tlsConfig = cfg
-	}
-}
-
-// WithPort sets the TLS port to connect to.
-func WithPort(port int) Option {
-	return func(c *Checker) {
-		c.port = port
-	}
-}
-
 // Params contains dependencies for Checker.
 type Params struct {
 	fx.In
@ -76,9 +27,14 @@ type Params struct {
 // Checker performs TLS certificate inspection.
 type Checker struct {
 	log *slog.Logger
-	timeout   time.Duration
-	tlsConfig *tls.Config
-	port      int
+}
+
+// CertificateInfo holds information about a TLS certificate.
+type CertificateInfo struct {
+	CommonName              string
+	Issuer                  string
+	NotAfter                time.Time
+	SubjectAlternativeNames []string
 }

 // New creates a new TLS Checker instance.
@ -88,109 +44,15 @@ func New(
 ) (*Checker, error) {
 	return &Checker{
 		log: params.Logger.Get(),
-		timeout: defaultTimeout,
-		port:    defaultPort,
 	}, nil
 }

-// NewStandalone creates a Checker without fx dependencies.
-func NewStandalone(opts ...Option) *Checker {
-	checker := &Checker{
-		log:     slog.Default(),
-		timeout: defaultTimeout,
-		port:    defaultPort,
-	}
-
-	for _, opt := range opts {
-		opt(checker)
-	}
-
-	return checker
-}
-
-// CheckCertificate connects to the given IP address using the
-// specified SNI hostname and returns certificate information.
+// CheckCertificate connects to the given IP:port using SNI and
+// returns certificate information.
 func (c *Checker) CheckCertificate(
-	ctx context.Context,
-	ipAddress string,
-	sniHostname string,
+	_ context.Context,
+	_ string,
+	_ string,
 ) (*CertificateInfo, error) {
-	target := net.JoinHostPort(
-		ipAddress, strconv.Itoa(c.port),
-	)
-
-	tlsCfg := c.buildTLSConfig(sniHostname)
-	dialer := &tls.Dialer{
-		NetDialer: &net.Dialer{Timeout: c.timeout},
-		Config:    tlsCfg,
-	}
-
-	conn, err := dialer.DialContext(ctx, "tcp", target)
-	if err != nil {
-		return nil, fmt.Errorf(
-			"TLS dial to %s: %w", target, err,
-		)
-	}
-
-	defer func() {
-		closeErr := conn.Close()
-		if closeErr != nil {
-			c.log.Debug(
-				"closing TLS connection",
-				"target", target,
-				"error", closeErr.Error(),
-			)
-		}
-	}()
-
-	tlsConn, ok := conn.(*tls.Conn)
-	if !ok {
-		return nil, fmt.Errorf(
-			"%s: %w", target, ErrUnexpectedConnType,
-		)
-	}
-
-	return c.extractCertInfo(tlsConn)
-}
-
-func (c *Checker) buildTLSConfig(
-	sniHostname string,
-) *tls.Config {
-	if c.tlsConfig != nil {
-		cfg := c.tlsConfig.Clone()
-		cfg.ServerName = sniHostname
-
-		return cfg
-	}
-
-	return &tls.Config{
-		ServerName: sniHostname,
-		MinVersion: tls.VersionTLS12,
-	}
-}
-
-func (c *Checker) extractCertInfo(
-	conn *tls.Conn,
-) (*CertificateInfo, error) {
-	state := conn.ConnectionState()
-	if len(state.PeerCertificates) == 0 {
-		return nil, ErrNoPeerCertificates
-	}
-
-	cert := state.PeerCertificates[0]
-
-	sans := make([]string, 0, len(cert.DNSNames)+len(cert.IPAddresses))
-	sans = append(sans, cert.DNSNames...)
-
-	for _, ip := range cert.IPAddresses {
-		sans = append(sans, ip.String())
-	}
-
-	return &CertificateInfo{
-		CommonName:              cert.Subject.CommonName,
-		Issuer:                  cert.Issuer.CommonName,
-		NotAfter:                cert.NotAfter,
-		SubjectAlternativeNames: sans,
-		SerialNumber:            cert.SerialNumber.String(),
-	}, nil
+	return nil, ErrNotImplemented
 }
--- a/internal/tlscheck/tlscheck_test.go
+++ b/internal/tlscheck/tlscheck_test.go
@ -1,169 +0,0 @@
-package tlscheck_test
-
-import (
-	"context"
-	"crypto/tls"
-	"net"
-	"net/http"
-	"net/http/httptest"
-	"testing"
-	"time"
-
-	"sneak.berlin/go/dnswatcher/internal/tlscheck"
-)
-
-func startTLSServer(
-	t *testing.T,
-) (*httptest.Server, string, int) {
-	t.Helper()
-
-	srv := httptest.NewTLSServer(
-		http.HandlerFunc(
-			func(w http.ResponseWriter, _ *http.Request) {
-				w.WriteHeader(http.StatusOK)
-			},
-		),
-	)
-
-	addr, ok := srv.Listener.Addr().(*net.TCPAddr)
-	if !ok {
-		t.Fatal("unexpected address type")
-	}
-
-	return srv, addr.IP.String(), addr.Port
-}
-
-func TestCheckCertificateValid(t *testing.T) {
-	t.Parallel()
-
-	srv, ip, port := startTLSServer(t)
-
-	defer srv.Close()
-
-	checker := tlscheck.NewStandalone(
-		tlscheck.WithTimeout(5*time.Second),
-		tlscheck.WithTLSConfig(&tls.Config{
-			//nolint:gosec // test uses self-signed cert
-			InsecureSkipVerify: true,
-		}),
-		tlscheck.WithPort(port),
-	)
-
-	info, err := checker.CheckCertificate(
-		context.Background(), ip, "localhost",
-	)
-	if err != nil {
-		t.Fatalf("unexpected error: %v", err)
-	}
-
-	if info == nil {
-		t.Fatal("expected non-nil CertificateInfo")
-	}
-
-	if info.NotAfter.IsZero() {
-		t.Error("expected non-zero NotAfter")
-	}
-
-	if info.SerialNumber == "" {
-		t.Error("expected non-empty SerialNumber")
-	}
-}
-
-func TestCheckCertificateConnectionRefused(t *testing.T) {
-	t.Parallel()
-
-	lc := &net.ListenConfig{}
-
-	ln, err := lc.Listen(
-		context.Background(), "tcp", "127.0.0.1:0",
-	)
-	if err != nil {
-		t.Fatalf("failed to listen: %v", err)
-	}
-
-	addr, ok := ln.Addr().(*net.TCPAddr)
-	if !ok {
-		t.Fatal("unexpected address type")
-	}
-
-	port := addr.Port
-
-	_ = ln.Close()
-
-	checker := tlscheck.NewStandalone(
-		tlscheck.WithTimeout(2*time.Second),
-		tlscheck.WithPort(port),
-	)
-
-	_, err = checker.CheckCertificate(
-		context.Background(), "127.0.0.1", "localhost",
-	)
-	if err == nil {
-		t.Fatal("expected error for connection refused")
-	}
-}
-
-func TestCheckCertificateContextCanceled(t *testing.T) {
-	t.Parallel()
-
-	ctx, cancel := context.WithCancel(context.Background())
-	cancel()
-
-	checker := tlscheck.NewStandalone(
-		tlscheck.WithTimeout(2*time.Second),
-		tlscheck.WithPort(1),
-	)
-
-	_, err := checker.CheckCertificate(
-		ctx, "127.0.0.1", "localhost",
-	)
-	if err == nil {
-		t.Fatal("expected error for canceled context")
-	}
-}
-
-func TestCheckCertificateTimeout(t *testing.T) {
-	t.Parallel()
-
-	checker := tlscheck.NewStandalone(
-		tlscheck.WithTimeout(1*time.Millisecond),
-		tlscheck.WithPort(1),
-	)
-
-	_, err := checker.CheckCertificate(
-		context.Background(),
-		"192.0.2.1",
-		"example.com",
-	)
-	if err == nil {
-		t.Fatal("expected error for timeout")
-	}
-}
-
-func TestCheckCertificateSANs(t *testing.T) {
-	t.Parallel()
-
-	srv, ip, port := startTLSServer(t)
-
-	defer srv.Close()
-
-	checker := tlscheck.NewStandalone(
-		tlscheck.WithTimeout(5*time.Second),
-		tlscheck.WithTLSConfig(&tls.Config{
-			//nolint:gosec // test uses self-signed cert
-			InsecureSkipVerify: true,
-		}),
-		tlscheck.WithPort(port),
-	)
-
-	info, err := checker.CheckCertificate(
-		context.Background(), ip, "localhost",
-	)
-	if err != nil {
-		t.Fatalf("unexpected error: %v", err)
-	}
-
-	if info.CommonName == "" && len(info.SubjectAlternativeNames) == 0 {
-		t.Error("expected CN or SANs to be populated")
-	}
-}
--- a/internal/watcher/interfaces.go
+++ b/internal/watcher/interfaces.go
@ -1,61 +0,0 @@
-// Package watcher provides the main monitoring orchestrator.
-package watcher
-
-import (
-	"context"
-
-	"sneak.berlin/go/dnswatcher/internal/portcheck"
-	"sneak.berlin/go/dnswatcher/internal/tlscheck"
-)
-
-// DNSResolver performs iterative DNS resolution.
-type DNSResolver interface {
-	// LookupNS discovers authoritative nameservers for a domain.
-	LookupNS(
-		ctx context.Context,
-		domain string,
-	) ([]string, error)
-
-	// LookupAllRecords queries all record types for a hostname,
-	// returning results keyed by nameserver then record type.
-	LookupAllRecords(
-		ctx context.Context,
-		hostname string,
-	) (map[string]map[string][]string, error)
-
-	// ResolveIPAddresses resolves a hostname to all IP addresses.
-	ResolveIPAddresses(
-		ctx context.Context,
-		hostname string,
-	) ([]string, error)
-}
-
-// PortChecker tests TCP port connectivity.
-type PortChecker interface {
-	// CheckPort tests TCP connectivity to an address and port.
-	CheckPort(
-		ctx context.Context,
-		address string,
-		port int,
-	) (*portcheck.PortResult, error)
-}
-
-// TLSChecker inspects TLS certificates.
-type TLSChecker interface {
-	// CheckCertificate connects via TLS and returns cert info.
-	CheckCertificate(
-		ctx context.Context,
-		ip string,
-		hostname string,
-	) (*tlscheck.CertificateInfo, error)
-}
-
-// Notifier delivers notifications to configured endpoints.
-type Notifier interface {
-	// SendNotification sends a notification with the given
-	// details.
-	SendNotification(
-		ctx context.Context,
-		title, message, priority string,
-	)
-}
--- a/internal/watcher/watcher.go
+++ b/internal/watcher/watcher.go
@ -1,30 +1,21 @@
+// Package watcher provides the main monitoring orchestrator and scheduler.
 package watcher

 import (
 	"context"
-	"fmt"
 	"log/slog"
-	"sort"
-	"strings"
-	"time"

 	"go.uber.org/fx"

 	"sneak.berlin/go/dnswatcher/internal/config"
 	"sneak.berlin/go/dnswatcher/internal/logger"
+	"sneak.berlin/go/dnswatcher/internal/notify"
+	"sneak.berlin/go/dnswatcher/internal/portcheck"
+	"sneak.berlin/go/dnswatcher/internal/resolver"
 	"sneak.berlin/go/dnswatcher/internal/state"
 	"sneak.berlin/go/dnswatcher/internal/tlscheck"
 )

-// monitoredPorts are the TCP ports checked for each IP address.
-var monitoredPorts = []int{80, 443} //nolint:gochecknoglobals
-
-// tlsPort is the port used for TLS certificate checks.
-const tlsPort = 443
-
-// hoursPerDay converts days to hours for duration calculations.
-const hoursPerDay = 24
-
 // Params contains dependencies for Watcher.
 type Params struct {
 	fx.In
@ -32,10 +23,10 @@ type Params struct {
 	Logger    *logger.Logger
 	Config    *config.Config
 	State     *state.State
-	Resolver  DNSResolver
-	PortCheck PortChecker
-	TLSCheck  TLSChecker
-	Notify    Notifier
+	Resolver  *resolver.Resolver
+	PortCheck *portcheck.Checker
+	TLSCheck  *tlscheck.Checker
+	Notify    *notify.Service
 }

 // Watcher orchestrates all monitoring checks on a schedule.
@ -43,20 +34,19 @@ type Watcher struct {
 	log       *slog.Logger
 	config    *config.Config
 	state     *state.State
-	resolver  DNSResolver
-	portCheck PortChecker
-	tlsCheck  TLSChecker
-	notify    Notifier
+	resolver  *resolver.Resolver
+	portCheck *portcheck.Checker
+	tlsCheck  *tlscheck.Checker
+	notify    *notify.Service
 	cancel    context.CancelFunc
-	firstRun  bool
 }

-// New creates a new Watcher instance wired into the fx lifecycle.
+// New creates a new Watcher instance.
 func New(
 	lifecycle fx.Lifecycle,
 	params Params,
 ) (*Watcher, error) {
-	w := &Watcher{
+	watcher := &Watcher{
 		log:       params.Logger.Get(),
 		config:    params.Config,
 		state:     params.State,
@ -64,54 +54,30 @@ func New(
 		portCheck: params.PortCheck,
 		tlsCheck:  params.TLSCheck,
 		notify:    params.Notify,
-		firstRun:  true,
 	}

 	lifecycle.Append(fx.Hook{
 		OnStart: func(startCtx context.Context) error {
-			ctx, cancel := context.WithCancel(
-				context.WithoutCancel(startCtx),
-			)
-			w.cancel = cancel
+			ctx, cancel := context.WithCancel(startCtx)
+			watcher.cancel = cancel

-			go w.Run(ctx)
+			go watcher.Run(ctx)

 			return nil
 		},
 		OnStop: func(_ context.Context) error {
-			if w.cancel != nil {
-				w.cancel()
+			if watcher.cancel != nil {
+				watcher.cancel()
 			}

 			return nil
 		},
 	})

-	return w, nil
+	return watcher, nil
 }

-// NewForTest creates a Watcher without fx for unit testing.
-func NewForTest(
-	cfg *config.Config,
-	st *state.State,
-	res DNSResolver,
-	pc PortChecker,
-	tc TLSChecker,
-	n Notifier,
-) *Watcher {
-	return &Watcher{
-		log:       slog.Default(),
-		config:    cfg,
-		state:     st,
-		resolver:  res,
-		portCheck: pc,
-		tlsCheck:  tc,
-		notify:    n,
-		firstRun:  true,
-	}
-}
-
-// Run starts the monitoring loop with periodic scheduling.
+// Run starts the monitoring loop.
 func (w *Watcher) Run(ctx context.Context) {
 	w.log.Info(
 		"watcher starting",
@ -121,646 +87,8 @@ func (w *Watcher) Run(ctx context.Context) {
 		"tlsInterval", w.config.TLSInterval,
 	)

-	w.RunOnce(ctx)
-
-	dnsTicker := time.NewTicker(w.config.DNSInterval)
-	tlsTicker := time.NewTicker(w.config.TLSInterval)
-
-	defer dnsTicker.Stop()
-	defer tlsTicker.Stop()
-
-	for {
-		select {
-		case <-ctx.Done():
+	// Stub: wait for context cancellation.
+	// Implementation will add initial check + periodic scheduling.
+	<-ctx.Done()
 	w.log.Info("watcher stopped")
-
-			return
-		case <-dnsTicker.C:
-			w.runDNSAndPortChecks(ctx)
-			w.saveState()
-		case <-tlsTicker.C:
-			w.runTLSChecks(ctx)
-			w.saveState()
-		}
-	}
-}
-
-// RunOnce performs a single complete monitoring cycle.
-func (w *Watcher) RunOnce(ctx context.Context) {
-	w.detectFirstRun()
-	w.runDNSAndPortChecks(ctx)
-	w.runTLSChecks(ctx)
-	w.saveState()
-	w.firstRun = false
-}
-
-func (w *Watcher) detectFirstRun() {
-	snap := w.state.GetSnapshot()
-	hasState := len(snap.Domains) > 0 ||
-		len(snap.Hostnames) > 0 ||
-		len(snap.Ports) > 0 ||
-		len(snap.Certificates) > 0
-
-	if hasState {
-		w.firstRun = false
-	}
-}
-
-func (w *Watcher) runDNSAndPortChecks(ctx context.Context) {
-	for _, domain := range w.config.Domains {
-		w.checkDomain(ctx, domain)
-	}
-
-	for _, hostname := range w.config.Hostnames {
-		w.checkHostname(ctx, hostname)
-	}
-
-	w.checkAllPorts(ctx)
-}
-
-func (w *Watcher) checkDomain(
-	ctx context.Context,
-	domain string,
-) {
-	nameservers, err := w.resolver.LookupNS(ctx, domain)
-	if err != nil {
-		w.log.Error(
-			"failed to lookup NS",
-			"domain", domain,
-			"error", err,
-		)
-
-		return
-	}
-
-	sort.Strings(nameservers)
-
-	now := time.Now().UTC()
-
-	prev, hasPrev := w.state.GetDomainState(domain)
-	if hasPrev && !w.firstRun {
-		w.detectNSChanges(ctx, domain, prev.Nameservers, nameservers)
-	}
-
-	w.state.SetDomainState(domain, &state.DomainState{
-		Nameservers: nameservers,
-		LastChecked: now,
-	})
-}
-
-func (w *Watcher) detectNSChanges(
-	ctx context.Context,
-	domain string,
-	oldNS, newNS []string,
-) {
-	oldSet := toSet(oldNS)
-	newSet := toSet(newNS)
-
-	var added, removed []string
-
-	for ns := range newSet {
-		if !oldSet[ns] {
-			added = append(added, ns)
-		}
-	}
-
-	for ns := range oldSet {
-		if !newSet[ns] {
-			removed = append(removed, ns)
-		}
-	}
-
-	if len(added) == 0 && len(removed) == 0 {
-		return
-	}
-
-	msg := fmt.Sprintf(
-		"Domain: %s\nAdded: %s\nRemoved: %s",
-		domain,
-		strings.Join(added, ", "),
-		strings.Join(removed, ", "),
-	)
-
-	w.notify.SendNotification(
-		ctx,
-		"NS Change: "+domain,
-		msg,
-		"warning",
-	)
-}
-
-func (w *Watcher) checkHostname(
-	ctx context.Context,
-	hostname string,
-) {
-	records, err := w.resolver.LookupAllRecords(ctx, hostname)
-	if err != nil {
-		w.log.Error(
-			"failed to lookup records",
-			"hostname", hostname,
-			"error", err,
-		)
-
-		return
-	}
-
-	now := time.Now().UTC()
-	prev, hasPrev := w.state.GetHostnameState(hostname)
-
-	if hasPrev && !w.firstRun {
-		w.detectHostnameChanges(ctx, hostname, prev, records)
-	}
-
-	newState := buildHostnameState(records, now)
-	w.state.SetHostnameState(hostname, newState)
-}
-
-func buildHostnameState(
-	records map[string]map[string][]string,
-	now time.Time,
-) *state.HostnameState {
-	hs := &state.HostnameState{
-		RecordsByNameserver: make(
-			map[string]*state.NameserverRecordState,
-		),
-		LastChecked: now,
-	}
-
-	for ns, recs := range records {
-		hs.RecordsByNameserver[ns] = &state.NameserverRecordState{
-			Records:     recs,
-			Status:      "ok",
-			LastChecked: now,
-		}
-	}
-
-	return hs
-}
-
-func (w *Watcher) detectHostnameChanges(
-	ctx context.Context,
-	hostname string,
-	prev *state.HostnameState,
-	current map[string]map[string][]string,
-) {
-	w.detectRecordChanges(ctx, hostname, prev, current)
-	w.detectNSDisappearances(ctx, hostname, prev, current)
-	w.detectInconsistencies(ctx, hostname, current)
-}
-
-func (w *Watcher) detectRecordChanges(
-	ctx context.Context,
-	hostname string,
-	prev *state.HostnameState,
-	current map[string]map[string][]string,
-) {
-	for ns, recs := range current {
-		prevNS, ok := prev.RecordsByNameserver[ns]
-		if !ok {
-			continue
-		}
-
-		if recordsEqual(prevNS.Records, recs) {
-			continue
-		}
-
-		msg := fmt.Sprintf(
-			"Hostname: %s\nNameserver: %s\n"+
-				"Old: %v\nNew: %v",
-			hostname, ns,
-			prevNS.Records, recs,
-		)
-
-		w.notify.SendNotification(
-			ctx,
-			"Record Change: "+hostname,
-			msg,
-			"warning",
-		)
-	}
-}
-
-func (w *Watcher) detectNSDisappearances(
-	ctx context.Context,
-	hostname string,
-	prev *state.HostnameState,
-	current map[string]map[string][]string,
-) {
-	for ns, prevNS := range prev.RecordsByNameserver {
-		if _, ok := current[ns]; ok || prevNS.Status != "ok" {
-			continue
-		}
-
-		msg := fmt.Sprintf(
-			"Hostname: %s\nNameserver: %s disappeared",
-			hostname, ns,
-		)
-
-		w.notify.SendNotification(
-			ctx,
-			"NS Failure: "+hostname,
-			msg,
-			"error",
-		)
-	}
-
-	for ns := range current {
-		prevNS, ok := prev.RecordsByNameserver[ns]
-		if !ok || prevNS.Status != "error" {
-			continue
-		}
-
-		msg := fmt.Sprintf(
-			"Hostname: %s\nNameserver: %s recovered",
-			hostname, ns,
-		)
-
-		w.notify.SendNotification(
-			ctx,
-			"NS Recovery: "+hostname,
-			msg,
-			"success",
-		)
-	}
-}
-
-func (w *Watcher) detectInconsistencies(
-	ctx context.Context,
-	hostname string,
-	current map[string]map[string][]string,
-) {
-	nameservers := make([]string, 0, len(current))
-	for ns := range current {
-		nameservers = append(nameservers, ns)
-	}
-
-	sort.Strings(nameservers)
-
-	for i := range len(nameservers) - 1 {
-		ns1 := nameservers[i]
-		ns2 := nameservers[i+1]
-
-		if recordsEqual(current[ns1], current[ns2]) {
-			continue
-		}
-
-		msg := fmt.Sprintf(
-			"Hostname: %s\n%s: %v\n%s: %v",
-			hostname,
-			ns1, current[ns1],
-			ns2, current[ns2],
-		)
-
-		w.notify.SendNotification(
-			ctx,
-			"Inconsistency: "+hostname,
-			msg,
-			"warning",
-		)
-	}
-}
-
-func (w *Watcher) checkAllPorts(ctx context.Context) {
-	for _, hostname := range w.config.Hostnames {
-		w.checkPortsForHostname(ctx, hostname)
-	}
-
-	for _, domain := range w.config.Domains {
-		w.checkPortsForHostname(ctx, domain)
-	}
-}
-
-func (w *Watcher) checkPortsForHostname(
-	ctx context.Context,
-	hostname string,
-) {
-	ips := w.collectIPs(hostname)
-
-	for _, ip := range ips {
-		for _, port := range monitoredPorts {
-			w.checkSinglePort(ctx, ip, port, hostname)
-		}
-	}
-}
-
-func (w *Watcher) collectIPs(hostname string) []string {
-	hs, ok := w.state.GetHostnameState(hostname)
-	if !ok {
-		return nil
-	}
-
-	ipSet := make(map[string]bool)
-
-	for _, nsState := range hs.RecordsByNameserver {
-		for _, ip := range nsState.Records["A"] {
-			ipSet[ip] = true
-		}
-
-		for _, ip := range nsState.Records["AAAA"] {
-			ipSet[ip] = true
-		}
-	}
-
-	result := make([]string, 0, len(ipSet))
-	for ip := range ipSet {
-		result = append(result, ip)
-	}
-
-	sort.Strings(result)
-
-	return result
-}
-
-func (w *Watcher) checkSinglePort(
-	ctx context.Context,
-	ip string,
-	port int,
-	hostname string,
-) {
-	result, err := w.portCheck.CheckPort(ctx, ip, port)
-	if err != nil {
-		w.log.Error(
-			"port check failed",
-			"ip", ip,
-			"port", port,
-			"error", err,
-		)
-
-		return
-	}
-
-	key := fmt.Sprintf("%s:%d", ip, port)
-	now := time.Now().UTC()
-	prev, hasPrev := w.state.GetPortState(key)
-
-	if hasPrev && !w.firstRun && prev.Open != result.Open {
-		stateStr := "closed"
-		if result.Open {
-			stateStr = "open"
-		}
-
-		msg := fmt.Sprintf(
-			"Host: %s\nAddress: %s\nPort now %s",
-			hostname, key, stateStr,
-		)
-
-		w.notify.SendNotification(
-			ctx,
-			"Port Change: "+key,
-			msg,
-			"warning",
-		)
-	}
-
-	w.state.SetPortState(key, &state.PortState{
-		Open:        result.Open,
-		Hostname:    hostname,
-		LastChecked: now,
-	})
-}
-
-func (w *Watcher) runTLSChecks(ctx context.Context) {
-	for _, hostname := range w.config.Hostnames {
-		w.checkTLSForHostname(ctx, hostname)
-	}
-
-	for _, domain := range w.config.Domains {
-		w.checkTLSForHostname(ctx, domain)
-	}
-}
-
-func (w *Watcher) checkTLSForHostname(
-	ctx context.Context,
-	hostname string,
-) {
-	ips := w.collectIPs(hostname)
-
-	for _, ip := range ips {
-		portKey := fmt.Sprintf("%s:%d", ip, tlsPort)
-
-		ps, ok := w.state.GetPortState(portKey)
-		if !ok || !ps.Open {
-			continue
-		}
-
-		w.checkTLSCert(ctx, ip, hostname)
-	}
-}
-
-func (w *Watcher) checkTLSCert(
-	ctx context.Context,
-	ip string,
-	hostname string,
-) {
-	cert, err := w.tlsCheck.CheckCertificate(ctx, ip, hostname)
-	certKey := fmt.Sprintf("%s:%d:%s", ip, tlsPort, hostname)
-	now := time.Now().UTC()
-	prev, hasPrev := w.state.GetCertificateState(certKey)
-
-	if err != nil {
-		w.handleTLSError(
-			ctx, certKey, hostname, ip,
-			hasPrev, prev, now, err,
-		)
-
-		return
-	}
-
-	w.handleTLSSuccess(
-		ctx, certKey, hostname, ip,
-		hasPrev, prev, now, cert,
-	)
-}
-
-func (w *Watcher) handleTLSError(
-	ctx context.Context,
-	certKey, hostname, ip string,
-	hasPrev bool,
-	prev *state.CertificateState,
-	now time.Time,
-	err error,
-) {
-	if hasPrev && !w.firstRun && prev.Status == "ok" {
-		msg := fmt.Sprintf(
-			"Host: %s\nIP: %s\nError: %s",
-			hostname, ip, err,
-		)
-
-		w.notify.SendNotification(
-			ctx,
-			"TLS Failure: "+hostname,
-			msg,
-			"error",
-		)
-	}
-
-	w.state.SetCertificateState(
-		certKey, &state.CertificateState{
-			Status:      "error",
-			Error:       err.Error(),
-			LastChecked: now,
-		},
-	)
-}
-
-func (w *Watcher) handleTLSSuccess(
-	ctx context.Context,
-	certKey, hostname, ip string,
-	hasPrev bool,
-	prev *state.CertificateState,
-	now time.Time,
-	cert *tlscheck.CertificateInfo,
-) {
-	if hasPrev && !w.firstRun {
-		w.detectTLSChanges(ctx, hostname, ip, prev, cert)
-	}
-
-	w.checkTLSExpiry(ctx, hostname, ip, cert)
-
-	w.state.SetCertificateState(
-		certKey, &state.CertificateState{
-			CommonName:              cert.CommonName,
-			Issuer:                  cert.Issuer,
-			NotAfter:                cert.NotAfter,
-			SubjectAlternativeNames: cert.SubjectAlternativeNames,
-			Status:                  "ok",
-			LastChecked:             now,
-		},
-	)
-}
-
-func (w *Watcher) detectTLSChanges(
-	ctx context.Context,
-	hostname, ip string,
-	prev *state.CertificateState,
-	cert *tlscheck.CertificateInfo,
-) {
-	if prev.Status == "error" {
-		msg := fmt.Sprintf(
-			"Host: %s\nIP: %s\nTLS recovered",
-			hostname, ip,
-		)
-
-		w.notify.SendNotification(
-			ctx,
-			"TLS Recovery: "+hostname,
-			msg,
-			"success",
-		)
-
-		return
-	}
-
-	changed := prev.CommonName != cert.CommonName ||
-		prev.Issuer != cert.Issuer ||
-		!sliceEqual(
-			prev.SubjectAlternativeNames,
-			cert.SubjectAlternativeNames,
-		)
-
-	if !changed {
-		return
-	}
-
-	msg := fmt.Sprintf(
-		"Host: %s\nIP: %s\n"+
-			"Old CN: %s, Issuer: %s\n"+
-			"New CN: %s, Issuer: %s",
-		hostname, ip,
-		prev.CommonName, prev.Issuer,
-		cert.CommonName, cert.Issuer,
-	)
-
-	w.notify.SendNotification(
-		ctx,
-		"TLS Certificate Change: "+hostname,
-		msg,
-		"warning",
-	)
-}
-
-func (w *Watcher) checkTLSExpiry(
-	ctx context.Context,
-	hostname, ip string,
-	cert *tlscheck.CertificateInfo,
-) {
-	daysLeft := time.Until(cert.NotAfter).Hours() / hoursPerDay
-	warningDays := float64(w.config.TLSExpiryWarning)
-
-	if daysLeft > warningDays {
-		return
-	}
-
-	msg := fmt.Sprintf(
-		"Host: %s\nIP: %s\nCN: %s\n"+
-			"Expires: %s (%.0f days)",
-		hostname, ip, cert.CommonName,
-		cert.NotAfter.Format(time.RFC3339),
-		daysLeft,
-	)
-
-	w.notify.SendNotification(
-		ctx,
-		"TLS Expiry Warning: "+hostname,
-		msg,
-		"warning",
-	)
-}
-
-func (w *Watcher) saveState() {
-	err := w.state.Save()
-	if err != nil {
-		w.log.Error("failed to save state", "error", err)
-	}
-}
-
-// --- Utility functions ---
-
-func toSet(items []string) map[string]bool {
-	set := make(map[string]bool, len(items))
-	for _, item := range items {
-		set[item] = true
-	}
-
-	return set
-}
-
-func recordsEqual(
-	a, b map[string][]string,
-) bool {
-	if len(a) != len(b) {
-		return false
-	}
-
-	for k, av := range a {
-		bv, ok := b[k]
-		if !ok || !sliceEqual(av, bv) {
-			return false
-		}
-	}
-
-	return true
-}
-
-func sliceEqual(a, b []string) bool {
-	if len(a) != len(b) {
-		return false
-	}
-
-	aSorted := make([]string, len(a))
-	bSorted := make([]string, len(b))
-
-	copy(aSorted, a)
-	copy(bSorted, b)
-
-	sort.Strings(aSorted)
-	sort.Strings(bSorted)
-
-	for i := range aSorted {
-		if aSorted[i] != bSorted[i] {
-			return false
-		}
-	}
-
-	return true
 }
--- a/internal/watcher/watcher_test.go
+++ b/internal/watcher/watcher_test.go
@ -1,577 +0,0 @@
-package watcher_test
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"sync"
-	"testing"
-	"time"
-
-	"sneak.berlin/go/dnswatcher/internal/config"
-	"sneak.berlin/go/dnswatcher/internal/portcheck"
-	"sneak.berlin/go/dnswatcher/internal/state"
-	"sneak.berlin/go/dnswatcher/internal/tlscheck"
-	"sneak.berlin/go/dnswatcher/internal/watcher"
-)
-
-// errNotFound is returned when mock data is missing.
-var errNotFound = errors.New("not found")
-
-// --- Mock implementations ---
-
-type mockResolver struct {
-	mu             sync.Mutex
-	nsRecords      map[string][]string
-	allRecords     map[string]map[string]map[string][]string
-	ipAddresses    map[string][]string
-	lookupNSErr    error
-	allRecordsErr  error
-	resolveIPErr   error
-	lookupNSCalls  int
-	allRecordCalls int
-}
-
-func (m *mockResolver) LookupNS(
-	_ context.Context,
-	domain string,
-) ([]string, error) {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	m.lookupNSCalls++
-
-	if m.lookupNSErr != nil {
-		return nil, m.lookupNSErr
-	}
-
-	ns, ok := m.nsRecords[domain]
-	if !ok {
-		return nil, fmt.Errorf(
-			"%w: NS for %s", errNotFound, domain,
-		)
-	}
-
-	return ns, nil
-}
-
-func (m *mockResolver) LookupAllRecords(
-	_ context.Context,
-	hostname string,
-) (map[string]map[string][]string, error) {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	m.allRecordCalls++
-
-	if m.allRecordsErr != nil {
-		return nil, m.allRecordsErr
-	}
-
-	recs, ok := m.allRecords[hostname]
-	if !ok {
-		return nil, fmt.Errorf(
-			"%w: records for %s", errNotFound, hostname,
-		)
-	}
-
-	return recs, nil
-}
-
-func (m *mockResolver) ResolveIPAddresses(
-	_ context.Context,
-	hostname string,
-) ([]string, error) {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	if m.resolveIPErr != nil {
-		return nil, m.resolveIPErr
-	}
-
-	ips, ok := m.ipAddresses[hostname]
-	if !ok {
-		return nil, fmt.Errorf(
-			"%w: IPs for %s", errNotFound, hostname,
-		)
-	}
-
-	return ips, nil
-}
-
-type mockPortChecker struct {
-	mu      sync.Mutex
-	results map[string]bool
-	err     error
-	calls   int
-}
-
-func (m *mockPortChecker) CheckPort(
-	_ context.Context,
-	address string,
-	port int,
-) (*portcheck.PortResult, error) {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	m.calls++
-
-	if m.err != nil {
-		return nil, m.err
-	}
-
-	key := fmt.Sprintf("%s:%d", address, port)
-	open := m.results[key]
-
-	return &portcheck.PortResult{Open: open}, nil
-}
-
-type mockTLSChecker struct {
-	mu    sync.Mutex
-	certs map[string]*tlscheck.CertificateInfo
-	err   error
-	calls int
-}
-
-func (m *mockTLSChecker) CheckCertificate(
-	_ context.Context,
-	ip string,
-	hostname string,
-) (*tlscheck.CertificateInfo, error) {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	m.calls++
-
-	if m.err != nil {
-		return nil, m.err
-	}
-
-	key := fmt.Sprintf("%s:%s", ip, hostname)
-	cert, ok := m.certs[key]
-
-	if !ok {
-		return nil, fmt.Errorf(
-			"%w: cert for %s", errNotFound, key,
-		)
-	}
-
-	return cert, nil
-}
-
-type notification struct {
-	Title    string
-	Message  string
-	Priority string
-}
-
-type mockNotifier struct {
-	mu            sync.Mutex
-	notifications []notification
-}
-
-func (m *mockNotifier) SendNotification(
-	_ context.Context,
-	title, message, priority string,
-) {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	m.notifications = append(m.notifications, notification{
-		Title:    title,
-		Message:  message,
-		Priority: priority,
-	})
-}
-
-func (m *mockNotifier) getNotifications() []notification {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	result := make([]notification, len(m.notifications))
-	copy(result, m.notifications)
-
-	return result
-}
-
-// --- Helper to build a Watcher for testing ---
-
-type testDeps struct {
-	resolver    *mockResolver
-	portChecker *mockPortChecker
-	tlsChecker  *mockTLSChecker
-	notifier    *mockNotifier
-	state       *state.State
-	config      *config.Config
-}
-
-func newTestWatcher(
-	t *testing.T,
-	cfg *config.Config,
-) (*watcher.Watcher, *testDeps) {
-	t.Helper()
-
-	deps := &testDeps{
-		resolver: &mockResolver{
-			nsRecords:   make(map[string][]string),
-			allRecords:  make(map[string]map[string]map[string][]string),
-			ipAddresses: make(map[string][]string),
-		},
-		portChecker: &mockPortChecker{
-			results: make(map[string]bool),
-		},
-		tlsChecker: &mockTLSChecker{
-			certs: make(map[string]*tlscheck.CertificateInfo),
-		},
-		notifier: &mockNotifier{},
-		config:   cfg,
-	}
-
-	deps.state = state.NewForTest()
-
-	w := watcher.NewForTest(
-		deps.config,
-		deps.state,
-		deps.resolver,
-		deps.portChecker,
-		deps.tlsChecker,
-		deps.notifier,
-	)
-
-	return w, deps
-}
-
-func defaultTestConfig(t *testing.T) *config.Config {
-	t.Helper()
-
-	return &config.Config{
-		DNSInterval:      time.Hour,
-		TLSInterval:      12 * time.Hour,
-		TLSExpiryWarning: 7,
-		DataDir:          t.TempDir(),
-	}
-}
-
-func TestFirstRunBaseline(t *testing.T) {
-	t.Parallel()
-
-	cfg := defaultTestConfig(t)
-	cfg.Domains = []string{"example.com"}
-	cfg.Hostnames = []string{"www.example.com"}
-
-	w, deps := newTestWatcher(t, cfg)
-	setupBaselineMocks(deps)
-
-	w.RunOnce(t.Context())
-
-	assertNoNotifications(t, deps)
-	assertStatePopulated(t, deps)
-}
-
-func setupBaselineMocks(deps *testDeps) {
-	deps.resolver.nsRecords["example.com"] = []string{
-		"ns1.example.com.",
-		"ns2.example.com.",
-	}
-	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
-		"ns1.example.com.": {"A": {"93.184.216.34"}},
-		"ns2.example.com.": {"A": {"93.184.216.34"}},
-	}
-	deps.resolver.ipAddresses["www.example.com"] = []string{
-		"93.184.216.34",
-	}
-	deps.portChecker.results["93.184.216.34:80"] = true
-	deps.portChecker.results["93.184.216.34:443"] = true
-	deps.tlsChecker.certs["93.184.216.34:www.example.com"] = &tlscheck.CertificateInfo{
-		CommonName: "www.example.com",
-		Issuer:     "DigiCert",
-		NotAfter:   time.Now().Add(90 * 24 * time.Hour),
-		SubjectAlternativeNames: []string{
-			"www.example.com",
-		},
-	}
-}
-
-func assertNoNotifications(
-	t *testing.T,
-	deps *testDeps,
-) {
-	t.Helper()
-
-	notifications := deps.notifier.getNotifications()
-	if len(notifications) != 0 {
-		t.Errorf(
-			"expected 0 notifications on first run, got %d",
-			len(notifications),
-		)
-	}
-}
-
-func assertStatePopulated(
-	t *testing.T,
-	deps *testDeps,
-) {
-	t.Helper()
-
-	snap := deps.state.GetSnapshot()
-
-	if len(snap.Domains) != 1 {
-		t.Errorf(
-			"expected 1 domain in state, got %d",
-			len(snap.Domains),
-		)
-	}
-
-	if len(snap.Hostnames) != 1 {
-		t.Errorf(
-			"expected 1 hostname in state, got %d",
-			len(snap.Hostnames),
-		)
-	}
-}
-
-func TestNSChangeDetection(t *testing.T) {
-	t.Parallel()
-
-	cfg := defaultTestConfig(t)
-	cfg.Domains = []string{"example.com"}
-
-	w, deps := newTestWatcher(t, cfg)
-
-	deps.resolver.nsRecords["example.com"] = []string{
-		"ns1.example.com.",
-		"ns2.example.com.",
-	}
-
-	ctx := t.Context()
-	w.RunOnce(ctx)
-
-	deps.resolver.mu.Lock()
-	deps.resolver.nsRecords["example.com"] = []string{
-		"ns1.example.com.",
-		"ns3.example.com.",
-	}
-	deps.resolver.mu.Unlock()
-
-	w.RunOnce(ctx)
-
-	notifications := deps.notifier.getNotifications()
-	if len(notifications) == 0 {
-		t.Error("expected notification for NS change")
-	}
-
-	found := false
-
-	for _, n := range notifications {
-		if n.Priority == "warning" {
-			found = true
-		}
-	}
-
-	if !found {
-		t.Error("expected warning-priority NS change notification")
-	}
-}
-
-func TestRecordChangeDetection(t *testing.T) {
-	t.Parallel()
-
-	cfg := defaultTestConfig(t)
-	cfg.Hostnames = []string{"www.example.com"}
-
-	w, deps := newTestWatcher(t, cfg)
-
-	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
-		"ns1.example.com.": {"A": {"93.184.216.34"}},
-	}
-	deps.resolver.ipAddresses["www.example.com"] = []string{
-		"93.184.216.34",
-	}
-	deps.portChecker.results["93.184.216.34:80"] = false
-	deps.portChecker.results["93.184.216.34:443"] = false
-
-	ctx := t.Context()
-	w.RunOnce(ctx)
-
-	deps.resolver.mu.Lock()
-	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
-		"ns1.example.com.": {"A": {"93.184.216.35"}},
-	}
-	deps.resolver.ipAddresses["www.example.com"] = []string{
-		"93.184.216.35",
-	}
-	deps.resolver.mu.Unlock()
-
-	deps.portChecker.mu.Lock()
-	deps.portChecker.results["93.184.216.35:80"] = false
-	deps.portChecker.results["93.184.216.35:443"] = false
-	deps.portChecker.mu.Unlock()
-
-	w.RunOnce(ctx)
-
-	notifications := deps.notifier.getNotifications()
-	if len(notifications) == 0 {
-		t.Error("expected notification for record change")
-	}
-}
-
-func TestPortStateChange(t *testing.T) {
-	t.Parallel()
-
-	cfg := defaultTestConfig(t)
-	cfg.Hostnames = []string{"www.example.com"}
-
-	w, deps := newTestWatcher(t, cfg)
-
-	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
-		"ns1.example.com.": {"A": {"1.2.3.4"}},
-	}
-	deps.resolver.ipAddresses["www.example.com"] = []string{
-		"1.2.3.4",
-	}
-	deps.portChecker.results["1.2.3.4:80"] = true
-	deps.portChecker.results["1.2.3.4:443"] = true
-	deps.tlsChecker.certs["1.2.3.4:www.example.com"] = &tlscheck.CertificateInfo{
-		CommonName: "www.example.com",
-		Issuer:     "DigiCert",
-		NotAfter:   time.Now().Add(90 * 24 * time.Hour),
-		SubjectAlternativeNames: []string{
-			"www.example.com",
-		},
-	}
-
-	ctx := t.Context()
-	w.RunOnce(ctx)
-
-	deps.portChecker.mu.Lock()
-	deps.portChecker.results["1.2.3.4:443"] = false
-	deps.portChecker.mu.Unlock()
-
-	w.RunOnce(ctx)
-
-	notifications := deps.notifier.getNotifications()
-	if len(notifications) == 0 {
-		t.Error("expected notification for port state change")
-	}
-}
-
-func TestTLSExpiryWarning(t *testing.T) {
-	t.Parallel()
-
-	cfg := defaultTestConfig(t)
-	cfg.Hostnames = []string{"www.example.com"}
-
-	w, deps := newTestWatcher(t, cfg)
-
-	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
-		"ns1.example.com.": {"A": {"1.2.3.4"}},
-	}
-	deps.resolver.ipAddresses["www.example.com"] = []string{
-		"1.2.3.4",
-	}
-	deps.portChecker.results["1.2.3.4:80"] = true
-	deps.portChecker.results["1.2.3.4:443"] = true
-	deps.tlsChecker.certs["1.2.3.4:www.example.com"] = &tlscheck.CertificateInfo{
-		CommonName: "www.example.com",
-		Issuer:     "DigiCert",
-		NotAfter:   time.Now().Add(3 * 24 * time.Hour),
-		SubjectAlternativeNames: []string{
-			"www.example.com",
-		},
-	}
-
-	ctx := t.Context()
-
-	// First run = baseline
-	w.RunOnce(ctx)
-
-	// Second run should warn about expiry
-	w.RunOnce(ctx)
-
-	notifications := deps.notifier.getNotifications()
-
-	found := false
-
-	for _, n := range notifications {
-		if n.Priority == "warning" {
-			found = true
-		}
-	}
-
-	if !found {
-		t.Errorf(
-			"expected expiry warning, got: %v",
-			notifications,
-		)
-	}
-}
-
-func TestGracefulShutdown(t *testing.T) {
-	t.Parallel()
-
-	cfg := defaultTestConfig(t)
-	cfg.Domains = []string{"example.com"}
-	cfg.DNSInterval = 100 * time.Millisecond
-	cfg.TLSInterval = 100 * time.Millisecond
-
-	w, deps := newTestWatcher(t, cfg)
-
-	deps.resolver.nsRecords["example.com"] = []string{
-		"ns1.example.com.",
-	}
-
-	ctx, cancel := context.WithCancel(t.Context())
-
-	done := make(chan struct{})
-
-	go func() {
-		w.Run(ctx)
-		close(done)
-	}()
-
-	time.Sleep(250 * time.Millisecond)
-	cancel()
-
-	select {
-	case <-done:
-		// Shut down cleanly
-	case <-time.After(5 * time.Second):
-		t.Error("watcher did not shut down within timeout")
-	}
-}
-
-func TestNSFailureAndRecovery(t *testing.T) {
-	t.Parallel()
-
-	cfg := defaultTestConfig(t)
-	cfg.Hostnames = []string{"www.example.com"}
-
-	w, deps := newTestWatcher(t, cfg)
-
-	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
-		"ns1.example.com.": {"A": {"1.2.3.4"}},
-		"ns2.example.com.": {"A": {"1.2.3.4"}},
-	}
-	deps.resolver.ipAddresses["www.example.com"] = []string{
-		"1.2.3.4",
-	}
-	deps.portChecker.results["1.2.3.4:80"] = false
-	deps.portChecker.results["1.2.3.4:443"] = false
-
-	ctx := t.Context()
-
-	w.RunOnce(ctx)
-
-	deps.resolver.mu.Lock()
-	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
-		"ns1.example.com.": {"A": {"1.2.3.4"}},
-	}
-	deps.resolver.mu.Unlock()
-
-	w.RunOnce(ctx)
-
-	notifications := deps.notifier.getNotifications()
-	if len(notifications) == 0 {
-		t.Error("expected notification for NS disappearance")
-	}
-}