feat: add crt.sh certificate transparency lookup plugin

Query CT logs via crt.sh to enumerate SSL certs for domains, report expired/valid counts, and flag live expired certs. Uses ThreadPoolExecutor(3) for blocking I/O on RPi5. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-15 00:56:55 +01:00
parent 118fbb75d1
commit ad18a902dd
5 changed files with 322 additions and 0 deletions
--- a/docs/USAGE.md
+++ b/docs/USAGE.md
@@ -51,6 +51,30 @@ level = "info"                # Logging level: debug, info, warning, error
 | `!help <cmd>` | Show help for a specific command |
 | `!version` | Show bot version |
 | `!echo <text>` | Echo back text (example plugin) |
+| `!cert <domain> [...]` | Lookup CT logs for up to 5 domains |
+
+### `!cert` -- Certificate Transparency Lookup
+
+Query [crt.sh](https://crt.sh) CT logs to enumerate SSL certificates for
+domains. Reports totals (expired/valid) and flags domains still serving
+expired certs.
+
+```
+!cert example.com
+!cert example.com badsite.com another.org
+```
+
+Output format:
+
+```
+example.com -- 127 certs (23 expired, 104 valid)
+badsite.com -- 45 certs (8 expired, 37 valid) | live cert EXPIRED
+broken.test -- error: timeout
+```
+
+- Max 5 domains per invocation
+- crt.sh can be slow; the bot confirms receipt before querying
+- Live cert check runs only when expired CT entries exist

 ## Writing Plugins