# arcline-audit — Full Site Health Auditor

One command, full picture. SSL, HTTP headers, DNS, redirects, open ports.
Useful for onboarding new Arcline customers and diagnosing issues.

## Stack
- Language: Go
- Distribution: single static binary
- No runtime dependencies

## Checks
### SSL / TLS
- [ ] Certificate validity (not expired, not self-signed)
- [ ] Expiry date + days remaining
- [ ] Certificate chain completeness
- [ ] TLS version (flag TLS 1.0/1.1 as insecure)
- [ ] Cipher suite warnings

### HTTP
- [ ] Redirect chain (301/302 hops, detect loops)
- [ ] Final URL after redirects
- [ ] Security headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- [ ] Server header disclosure
- [ ] Response time (ms)

### DNS
- [ ] A / AAAA records
- [ ] MX records present
- [ ] SPF, DKIM, DMARC records
- [ ] DNSSEC enabled
- [ ] PTR / rDNS match

### Infrastructure
- [ ] IP → ASN / org (via arcline-check internals)
- [ ] CDN detection (reuse arcline-check logic)
- [ ] Common ports: 80, 443, 22, 3306, 5432 (report open/closed, don't scan)

## CLI interface
```
arcline-audit example.com
arcline-audit example.com --checks ssl,dns,headers
arcline-audit example.com --json
arcline-audit example.com --out report.txt
```

## Output format
```
$ arcline-audit example.com

  ── SSL ────────────────────────────────────────────────
  [OK]  valid certificate
  [OK]  expires in 84 days (2026-06-01)
  [OK]  TLS 1.3
  [WARN] no HSTS header

  ── HTTP ───────────────────────────────────────────────
  [OK]  redirects http → https (1 hop)
  [OK]  response time 42ms
  [WARN] Server header disclosed: Apache/2.4.58

  ── DNS ────────────────────────────────────────────────
  [OK]  A record: 203.0.113.42
  [OK]  MX records present (2)
  [OK]  SPF record found
  [WARN] no DMARC record

  ── Infrastructure ─────────────────────────────────────
  [OK]  not behind a CDN
  [OK]  ASN: AS64496 Example ISP
```

## Tasks
- [ ] Project scaffold + shared internal packages (reuse arcline-check logic)
- [ ] SSL checker module
- [ ] HTTP header fetcher + security header grader
- [ ] Redirect chain follower
- [ ] DNS checker module (A, MX, SPF, DKIM, DMARC, DNSSEC)
- [ ] Report renderer (terminal + JSON + plain text)
- [ ] --checks filter flag
- [ ] Cross-compile Makefile
- [ ] README
- [ ] GitLab CI release