Cert Health

@lint/cert-healthv2026.05.22.1· 1d agoMODELS·WORKFLOWS

01README

TLS-certificate expiry tracker — fetch NPM-managed cert inventory and probe public-facing hosts via openssl s_client, classified by days-until-expiry.

02Models1

@lint/cert-healthv2026.05.22.1cert-health.ts

Global Arguments

Argument	Type	Required	Description
npmBaseUrl	string	yes	NPM base URL, e.g. http://192.168.4.60:81 (no trailing slash)
npmEmail	string	yes	NPM admin email (vault-resolved)
npmPassword	string	yes	NPM admin password (vault-resolved)
warnThresholdDays	number	yes	Days-remaining below which a cert is `warn`
criticalThresholdDays	number	yes	Days-remaining below which a cert is `critical`
requestTimeoutSec	number	yes
probeTimeoutSec	number	yes

fn syncNpm()

Log into NPM, fetch /api/nginx/certificates, classify by days-until-expiry, write inventory + summary.

fn probe(hosts: array, defaultPort: number)

Open a TLS connection to each host (port 443 by default) via openssl s_client, extract the leaf cert, classify by days-until-expiry. Probes run in parallel.

Argument	Type	Required	Description
hosts	array	yes	Hostnames to probe. Use `host:port` to override the default port.
defaultPort	number	yes

Resources

npm_inventory(infinite)— Full list of NPM-managed certs with days-until-expiry.

npm_summary(infinite)— Counts + top-10 closest-to-expiry NPM certs.

probe_results(infinite)— Per-host TLS probe results from the last `probe` run.

probe_summary(infinite)— Counts + top-10 closest-to-expiry hosts from probe results.

sync_log(infinite)— Per-method audit (syncNpm, probe).

03Workflows1

@lint/cert-health-check

TLS cert health audit: cert-health.syncNpm → cert-health.probe (public hostnames from @lint/dns-policy) syncNpm pulls every cert NPM is managing; probe verifies the public end-to-end TLS path (CDN/proxy → NPM → backend) by handshaking against the hostnames the dns-policy publishes externally. Read-only telemetry; no reconciliation. Assumes a model instance named `cert-health` (of type @lint/cert-health) and a `dns-policy` instance (of type @lint/dns-policy) exist. If you don't run dns-policy,

auditPull NPM cert inventory and probe public-facing hosts

1.sync-npm-certscert-health.syncNpm— Log into NPM and fetch /api/nginx/certificates

2.probe-public-hostscert-health.probe— TLS-handshake every dns-policy publicVhost; record subject/issuer/notAfter

04Stats

100 / 100

Downloads

Archive size

10.7 KB

Has README or module doc2/2earned
README has a code example1/1earned
README is substantive1/1earned
Most symbols documented1/1earned
No slow types1/1earned
Dependencies pass trust audit2/2earned
Has description1/1earned
Platform support declared (or universal)2/2earned
License declared1/1earned
Verified public repository2/2earned

Repository

https://github.com/sock-lint/swamp-extensions

05Platforms

linux · x86_64 linux · aarch64 macOS · x86_64 macOS · aarch64

06Labels

#tls #certificates #monitoring #npm #homelab