@oneuptime/common 10.4.12 → 10.4.14

package/Server/Services/DockerHostService.ts

@@ -132,6 +132,7 @@ export class Service extends DatabaseService<Model> {
     extra?: {
       osType?: string | undefined;
       osVersion?: string | undefined;
+      agentVersion?: string | undefined;
     },
   ): Promise<void> {
     const cacheKey: string = hostId.toString();
@@ -141,6 +142,7 @@ export class Service extends DatabaseService<Model> {
         JSON.stringify({
           osType: extra?.osType ?? null,
           osVersion: extra?.osVersion ?? null,
+          agentVersion: extra?.agentVersion ?? null,
         }),
       )
       .digest("hex");
@@ -173,6 +175,9 @@ export class Service extends DatabaseService<Model> {
     if (extra?.osVersion) {
       data.osVersion = extra.osVersion;
     }
+    if (extra?.agentVersion) {
+      data.agentVersion = extra.agentVersion;
+    }
 
     await this.updateOneById({
       id: hostId,

package/Server/Services/HostService.ts

@@ -135,6 +135,7 @@ export class Service extends DatabaseService<Model> {
       containerRuntime?: string | undefined;
       dockerHostId?: ObjectID | undefined;
       kubernetesClusterId?: ObjectID | undefined;
+      agentVersion?: string | undefined;
     },
   ): Promise<void> {
     /*
@@ -204,6 +205,9 @@ export class Service extends DatabaseService<Model> {
     if (extra?.kubernetesClusterId) {
       data.kubernetesClusterId = extra.kubernetesClusterId;
     }
+    if (extra?.agentVersion) {
+      data.agentVersion = extra.agentVersion;
+    }
 
     await this.updateOneById({
       id: hostId,
@@ -227,6 +231,7 @@ export class Service extends DatabaseService<Model> {
     containerRuntime?: string | undefined;
     dockerHostId?: ObjectID | undefined;
     kubernetesClusterId?: ObjectID | undefined;
+    agentVersion?: string | undefined;
   }): string {
     const normalized: Record<string, string | number | null> = {
       osType: extra?.osType ?? null,
@@ -241,6 +246,7 @@ export class Service extends DatabaseService<Model> {
       containerRuntime: extra?.containerRuntime ?? null,
       dockerHostId: extra?.dockerHostId?.toString() ?? null,
       kubernetesClusterId: extra?.kubernetesClusterId?.toString() ?? null,
+      agentVersion: extra?.agentVersion ?? null,
     };
 
     return crypto

package/Server/Services/KubernetesClusterService.ts

@@ -127,28 +127,51 @@ export class Service extends DatabaseService<Model> {
   }
 
   @CaptureSpan()
-  public async updateLastSeen(clusterId: ObjectID): Promise<void> {
+  public async updateLastSeen(
+    clusterId: ObjectID,
+    extra?: {
+      agentVersion?: string | undefined;
+    },
+  ): Promise<void> {
     const cacheKey: string = clusterId.toString();
+    const extrasFingerprint: string = crypto
+      .createHash("sha1")
+      .update(
+        JSON.stringify({
+          agentVersion: extra?.agentVersion ?? null,
+        }),
+      )
+      .digest("hex");
 
     const cached: string | null = await GlobalCache.getString(
       LAST_SEEN_CACHE_NAMESPACE,
       cacheKey,
     );
 
-    if (cached) {
-      return; // another pod already updated recently
+    if (cached === extrasFingerprint) {
+      return; // same data was written recently
     }
 
-    await GlobalCache.setString(LAST_SEEN_CACHE_NAMESPACE, cacheKey, "1", {
-      expiresInSeconds: LAST_SEEN_THROTTLE_SECONDS,
-    });
+    await GlobalCache.setString(
+      LAST_SEEN_CACHE_NAMESPACE,
+      cacheKey,
+      extrasFingerprint,
+      { expiresInSeconds: LAST_SEEN_THROTTLE_SECONDS },
+    );
+
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const data: any = {
+      lastSeenAt: OneUptimeDate.getCurrentDate(),
+      otelCollectorStatus: "connected",
+    };
+
+    if (extra?.agentVersion) {
+      data.agentVersion = extra.agentVersion;
+    }
 
     await this.updateOneById({
       id: clusterId,
-      data: {
-        lastSeenAt: OneUptimeDate.getCurrentDate(),
-        otelCollectorStatus: "connected",
-      },
+      data: data,
       props: {
         isRoot: true,
       },

package/Server/Services/MonitorService.ts

@@ -1563,9 +1563,16 @@ ${createdItem.description?.trim() || "No description provided."}
       return;
     }
 
-    for (const monitorProbe of monitorProbes) {
-      await this.refreshMonitorProbeStatus(monitorProbe.monitorId!);
-    }
+    /*
+     * Each monitor appears at most once for a given probeId (composite
+     * unique on MonitorProbe), so concurrent refreshes operate on
+     * disjoint rows and are safe to run in parallel.
+     */
+    await Promise.all(
+      monitorProbes.map((monitorProbe: MonitorProbe) => {
+        return this.refreshMonitorProbeStatus(monitorProbe.monitorId!);
+      }),
+    );
   }
 
   @CaptureSpan()

package/Server/Services/ProjectService.ts

@@ -82,6 +82,7 @@ import DatabaseConfig from "../DatabaseConfig";
 import DatabaseCommonInteractionProps from "../../Types/BaseDatabase/DatabaseCommonInteractionProps";
 import PositiveNumber from "../../Types/PositiveNumber";
 import Semaphore, { SemaphoreMutex } from "../Infrastructure/Semaphore";
+import InMemoryTTLCache from "../Infrastructure/InMemoryTTLCache";
 
 export interface CurrentPlan {
   plan: PlanType | null;
@@ -89,6 +90,20 @@ export interface CurrentPlan {
 }
 
 export class ProjectService extends DatabaseService<Model> {
+  /*
+   * Suppresses repeated `lastActive` UPDATEs from a single API node. 60s of
+   * staleness on "last seen" is acceptable; an UPDATE per request is not.
+   */
+  private lastActiveCache: InMemoryTTLCache<true> = new InMemoryTTLCache(
+    10_000,
+  );
+  /*
+   * Caches the `requireSsoForLogin` flag per project so middleware can skip a
+   * Postgres findOneById on every authenticated request.
+   */
+  private requireSsoForLoginCache: InMemoryTTLCache<boolean> =
+    new InMemoryTTLCache(10_000);
+
   public constructor() {
     super(Model);
   }
@@ -318,6 +333,14 @@ export class ProjectService extends DatabaseService<Model> {
   protected override async onBeforeUpdate(
     updateBy: UpdateBy<Model>,
   ): Promise<OnUpdate<Model>> {
+    /*
+     * Any project field could have changed; invalidate the in-process cache
+     * of the SSO flag. Cheap to refetch on the next request.
+     */
+    if (updateBy.data.requireSsoForLogin !== undefined) {
+      this.requireSsoForLoginCache.clear();
+    }
+
     if (IsBillingEnabled) {
       if (
         updateBy.data.businessDetails ||
@@ -1251,7 +1274,21 @@ export class ProjectService extends DatabaseService<Model> {
 
   @CaptureSpan()
   public async updateLastActive(projectId: ObjectID): Promise<void> {
-    await this.updateOneById({
+    const key: string = projectId.toString();
+    if (this.lastActiveCache.has(key)) {
+      return;
+    }
+    /*
+     * Set BEFORE the await so a burst of concurrent requests collapses to one
+     * UPDATE per node per 60s window instead of all firing in parallel.
+     */
+    this.lastActiveCache.set(key, true, 60_000);
+
+    /*
+     * Fire-and-forget — `lastActive` is a soft-real-time field and the
+     * caller (auth middleware) shouldn't pay a Postgres round-trip for it.
+     */
+    void this.updateOneById({
       id: projectId,
       data: {
         lastActive: OneUptimeDate.getCurrentDate(),
@@ -1259,9 +1296,43 @@ export class ProjectService extends DatabaseService<Model> {
       props: {
         isRoot: true,
       },
+    }).catch((err: Error) => {
+      // Drop the cache entry so a retry can fire within the same TTL window.
+      this.lastActiveCache.delete(key);
+      logger.error(
+        `Failed to update Project.lastActive for ${key}: ${err.message}`,
+      );
     });
   }
 
+  /**
+   * Returns whether the given project requires SSO for login. Cached for
+   * 60s in-process — middleware calls this on every authenticated request.
+   */
+  @CaptureSpan()
+  public async getRequireSsoForLogin(projectId: ObjectID): Promise<boolean> {
+    const key: string = projectId.toString();
+    const cached: boolean | undefined = this.requireSsoForLoginCache.get(key);
+    if (cached !== undefined) {
+      return cached;
+    }
+
+    const project: Model | null = await this.findOneById({
+      id: projectId,
+      select: { requireSsoForLogin: true },
+      props: { isRoot: true },
+    });
+
+    if (!project) {
+      // Don't cache "not found" — let the caller decide how to handle it.
+      throw new BadDataException("Project not found");
+    }
+
+    const value: boolean = Boolean(project.requireSsoForLogin);
+    this.requireSsoForLoginCache.set(key, value, 60_000);
+    return value;
+  }
+
   @CaptureSpan()
   public async getOwners(projectId: ObjectID): Promise<Array<User>> {
     if (!projectId) {

package/Server/Services/TeamMemberService.ts

@@ -37,8 +37,19 @@ import User from "../../Models/DatabaseModels/User";
 import OnCallDutyPolicyTimeLogService from "./OnCallDutyPolicyTimeLogService";
 import OneUptimeDate from "../../Types/Date";
 import ProjectSCIMService from "./ProjectSCIMService";
+import InMemoryTTLCache from "../Infrastructure/InMemoryTTLCache";
 
 export class TeamMemberService extends DatabaseService<TeamMember> {
+  /*
+   * Caches the user's accepted team memberships per project. Auth middleware
+   * calls this on every authenticated request to evaluate the `Owned`
+   * permission scope; without the cache it's a Postgres findBy per request.
+   * 60s of staleness on team membership changes is acceptable; we also
+   * invalidate proactively when team membership writes happen.
+   */
+  private teamIdsForUserCache: InMemoryTTLCache<Array<string>> =
+    new InMemoryTTLCache(10_000);
+
   public constructor() {
     super(TeamMember);
   }
@@ -215,6 +226,14 @@ export class TeamMemberService extends DatabaseService<TeamMember> {
     userId: ObjectID,
     projectId: ObjectID,
   ): Promise<void> {
+    /*
+     * Invalidate the in-process cache of this user's team memberships in
+     * this project — membership just changed.
+     */
+    this.teamIdsForUserCache.delete(
+      `${userId.toString()}:${projectId.toString()}`,
+    );
+
     /// Refresh tokens.
     await AccessTokenService.refreshUserGlobalAccessPermission(userId);
 
@@ -545,6 +564,15 @@ export class TeamMemberService extends DatabaseService<TeamMember> {
     userId: ObjectID,
     projectId: ObjectID,
   ): Promise<Array<ObjectID>> {
+    const cacheKey: string = `${userId.toString()}:${projectId.toString()}`;
+    const cached: Array<string> | undefined =
+      this.teamIdsForUserCache.get(cacheKey);
+    if (cached !== undefined) {
+      return cached.map((id: string) => {
+        return new ObjectID(id);
+      });
+    }
+
     const members: Array<TeamMember> = await this.findBy({
       query: {
         userId: userId,
@@ -570,6 +598,14 @@ export class TeamMemberService extends DatabaseService<TeamMember> {
         teamIds.push(id);
       }
     }
+
+    this.teamIdsForUserCache.set(
+      cacheKey,
+      teamIds.map((id: ObjectID) => {
+        return id.toString();
+      }),
+      60_000,
+    );
     return teamIds;
   }
 }

package/Server/Services/UserService.ts

@@ -39,12 +39,50 @@ import BadDataException from "../../Types/Exception/BadDataException";
 import Name from "../../Types/Name";
 import CaptureSpan from "../Utils/Telemetry/CaptureSpan";
 import Timezone from "../../Types/Timezone";
+import InMemoryTTLCache from "../Infrastructure/InMemoryTTLCache";
 
 export class Service extends DatabaseService<Model> {
+  /*
+   * Suppresses repeated `lastActive` UPDATEs from a single API node. 60s of
+   * staleness on "last seen" is acceptable; an UPDATE per request is not.
+   */
+  private lastActiveCache: InMemoryTTLCache<true> = new InMemoryTTLCache(
+    10_000,
+  );
+
   public constructor() {
     super(Model);
   }
 
+  /**
+   * Debounced fire-and-forget update of `User.lastActive`. The auth
+   * middleware calls this on every authenticated request; without the cache
+   * we'd issue one Postgres UPDATE per request per user.
+   */
+  @CaptureSpan()
+  public async updateLastActive(userId: ObjectID): Promise<void> {
+    const key: string = userId.toString();
+    if (this.lastActiveCache.has(key)) {
+      return;
+    }
+    /*
+     * Set BEFORE the await so a burst of concurrent requests collapses to one
+     * UPDATE per node per 60s window.
+     */
+    this.lastActiveCache.set(key, true, 60_000);
+
+    void this.updateOneById({
+      id: userId,
+      data: { lastActive: OneUptimeDate.getCurrentDate() },
+      props: { isRoot: true },
+    }).catch((err: Error) => {
+      this.lastActiveCache.delete(key);
+      logger.error(
+        `Failed to update User.lastActive for ${key}: ${err.message}`,
+      );
+    });
+  }
+
   @CaptureSpan()
   public async getUserMarkdownString(data: {
     userId: ObjectID;

package/Server/Utils/Monitor/Criteria/DnssecMonitorCriteria.ts

@@ -0,0 +1,108 @@
+import DataToProcess from "../DataToProcess";
+import CompareCriteria from "./CompareCriteria";
+import {
+  CheckOn,
+  CriteriaFilter,
+  FilterType,
+} from "../../../../Types/Monitor/CriteriaFilter";
+import DnssecMonitorResponse from "../../../../Types/Monitor/DnssecMonitor/DnssecMonitorResponse";
+import ProbeMonitorResponse from "../../../../Types/Probe/ProbeMonitorResponse";
+import CaptureSpan from "../../Telemetry/CaptureSpan";
+
+export default class DnssecMonitorCriteria {
+  @CaptureSpan()
+  public static async isMonitorInstanceCriteriaFilterMet(input: {
+    dataToProcess: DataToProcess;
+    criteriaFilter: CriteriaFilter;
+  }): Promise<string | null> {
+    const dataToProcess: ProbeMonitorResponse =
+      input.dataToProcess as ProbeMonitorResponse;
+
+    const dnssecResponse: DnssecMonitorResponse | undefined =
+      dataToProcess.dnssecResponse;
+
+    if (!dnssecResponse) {
+      return null;
+    }
+
+    const isTrue: boolean = input.criteriaFilter.filterType === FilterType.True;
+    const isFalse: boolean =
+      input.criteriaFilter.filterType === FilterType.False;
+
+    if (input.criteriaFilter.checkOn === CheckOn.DnssecChainValid) {
+      if (dnssecResponse.isChainValid && isTrue) {
+        return `DNSSEC chain is valid for ${dnssecResponse.domainName}.`;
+      }
+      if (!dnssecResponse.isChainValid && isFalse) {
+        return `DNSSEC chain validation failed for ${dnssecResponse.domainName}.`;
+      }
+      return null;
+    }
+
+    if (input.criteriaFilter.checkOn === CheckOn.DnssecDnskeyExists) {
+      const exists: boolean = dnssecResponse.dnskeys.length > 0;
+      if (exists && isTrue) {
+        return `DNSKEY records present for ${dnssecResponse.domainName}.`;
+      }
+      if (!exists && isFalse) {
+        return `No DNSKEY records found for ${dnssecResponse.domainName}.`;
+      }
+      return null;
+    }
+
+    if (input.criteriaFilter.checkOn === CheckOn.DnssecDsExists) {
+      const exists: boolean = dnssecResponse.isParentDsPresent;
+      if (exists && isTrue) {
+        return `DS records present at parent zone for ${dnssecResponse.domainName}.`;
+      }
+      if (!exists && isFalse) {
+        return `No DS records found at the parent zone for ${dnssecResponse.domainName}.`;
+      }
+      return null;
+    }
+
+    if (input.criteriaFilter.checkOn === CheckOn.DnssecResolverConsensus) {
+      const consensus: boolean = dnssecResponse.resolverConsensusAd;
+      if (consensus && isTrue) {
+        return `All resolvers report DNSSEC-valid (AD flag) for ${dnssecResponse.domainName}.`;
+      }
+      if (!consensus && isFalse) {
+        return `Resolvers do not agree on DNSSEC validity for ${dnssecResponse.domainName}.`;
+      }
+      return null;
+    }
+
+    if (input.criteriaFilter.checkOn === CheckOn.DnssecNameserverConsistent) {
+      const consistent: boolean = dnssecResponse.isNameserverConsistent;
+      if (consistent && isTrue) {
+        return `Authoritative nameservers are consistent for ${dnssecResponse.domainName}.`;
+      }
+      if (!consistent && isFalse) {
+        return `Authoritative nameservers are inconsistent for ${dnssecResponse.domainName}.`;
+      }
+      return null;
+    }
+
+    if (input.criteriaFilter.checkOn === CheckOn.DnssecSignatureExpiresInDays) {
+      const threshold: number | null = CompareCriteria.convertToNumber(
+        input.criteriaFilter.value,
+      );
+
+      if (threshold === null || threshold === undefined) {
+        return null;
+      }
+
+      if (dnssecResponse.daysUntilSignatureExpiry === undefined) {
+        return null;
+      }
+
+      return CompareCriteria.compareCriteriaNumbers({
+        value: dnssecResponse.daysUntilSignatureExpiry,
+        threshold: threshold,
+        criteriaFilter: input.criteriaFilter,
+      });
+    }
+
+    return null;
+  }
+}

package/Server/Utils/Monitor/MonitorCriteriaEvaluator.ts

@@ -18,6 +18,7 @@ import ProfileMonitorCriteria from "./Criteria/ProfileMonitorCriteria";
 import SnmpMonitorCriteria from "./Criteria/SnmpMonitorCriteria";
 import DnsMonitorCriteria from "./Criteria/DnsMonitorCriteria";
 import DomainMonitorCriteria from "./Criteria/DomainMonitorCriteria";
+import DnssecMonitorCriteria from "./Criteria/DnssecMonitorCriteria";
 import ExternalStatusPageMonitorCriteria from "./Criteria/ExternalStatusPageMonitorCriteria";
 import MonitorCriteriaMessageBuilder from "./MonitorCriteriaMessageBuilder";
 import MonitorCriteriaDataExtractor from "./MonitorCriteriaDataExtractor";
@@ -761,6 +762,18 @@ ${contextBlock}
       }
     }
 
+    if (input.monitor.monitorType === MonitorType.DNSSEC) {
+      const dnssecMonitorResult: string | null =
+        await DnssecMonitorCriteria.isMonitorInstanceCriteriaFilterMet({
+          dataToProcess: input.dataToProcess,
+          criteriaFilter: input.criteriaFilter,
+        });
+
+      if (dnssecMonitorResult) {
+        return dnssecMonitorResult;
+      }
+    }
+
     if (input.monitor.monitorType === MonitorType.ExternalStatusPage) {
       const externalStatusPageResult: string | null =
         await ExternalStatusPageMonitorCriteria.isMonitorInstanceCriteriaFilterMet(

package/Server/Utils/Monitor/MonitorTemplateUtil.ts

@@ -19,6 +19,7 @@ import DnsMonitorResponse, {
   DnsRecordResponse,
 } from "../../../Types/Monitor/DnsMonitor/DnsMonitorResponse";
 import DomainMonitorResponse from "../../../Types/Monitor/DomainMonitor/DomainMonitorResponse";
+import DnssecMonitorResponse from "../../../Types/Monitor/DnssecMonitor/DnssecMonitorResponse";
 import ExternalStatusPageMonitorResponse, {
   ExternalStatusPageComponentStatus,
 } from "../../../Types/Monitor/ExternalStatusPageMonitor/ExternalStatusPageMonitorResponse";
@@ -332,6 +333,30 @@ export default class MonitorTemplateUtil {
         } as JSONObject;
       }
 
+      if (data.monitorType === MonitorType.DNSSEC) {
+        const dnssecResponse: DnssecMonitorResponse | undefined = (
+          data.dataToProcess as ProbeMonitorResponse
+        ).dnssecResponse;
+
+        storageMap = {
+          isOnline: (data.dataToProcess as ProbeMonitorResponse).isOnline,
+          responseTimeInMs: dnssecResponse?.responseTimeInMs,
+          failureCause: dnssecResponse?.failureCause,
+          domainName: dnssecResponse?.domainName,
+          isZoneSigned: dnssecResponse?.isZoneSigned,
+          isParentDsPresent: dnssecResponse?.isParentDsPresent,
+          isChainValid: dnssecResponse?.isChainValid,
+          resolverConsensusAd: dnssecResponse?.resolverConsensusAd,
+          isNameserverConsistent: dnssecResponse?.isNameserverConsistent,
+          earliestSignatureExpiration:
+            dnssecResponse?.earliestSignatureExpiration,
+          daysUntilSignatureExpiry: dnssecResponse?.daysUntilSignatureExpiry,
+          dnskeyCount: dnssecResponse?.dnskeys?.length,
+          dsRecordCount: dnssecResponse?.parentDsRecords?.length,
+          rrsigCount: dnssecResponse?.rrsigs?.length,
+        } as JSONObject;
+      }
+
       if (
         data.monitorType === MonitorType.Metrics ||
         data.monitorType === MonitorType.Kubernetes ||

package/Types/Monitor/CriteriaFilter.ts

@@ -84,6 +84,14 @@ export enum CheckOn {
   DomainStatusCode = "Domain Status Code",
   DomainIsExpired = "Domain Is Expired",
 
+  // DNSSEC monitors.
+  DnssecChainValid = "DNSSEC Chain Is Valid",
+  DnssecDnskeyExists = "DNSSEC DNSKEY Record Exists",
+  DnssecDsExists = "DNSSEC DS Record Exists At Parent",
+  DnssecSignatureExpiresInDays = "DNSSEC Signature Expires In Days",
+  DnssecResolverConsensus = "DNSSEC Resolver Consensus (AD Flag)",
+  DnssecNameserverConsistent = "DNSSEC Nameservers Are Consistent",
+
   // External Status Page monitors.
   ExternalStatusPageIsOnline = "External Status Page Is Online",
   ExternalStatusPageOverallStatus = "External Status Page Overall Status",
@@ -279,6 +287,11 @@ export class CriteriaFilterUtil {
       checkOn === CheckOn.SnmpIsOnline ||
       checkOn === CheckOn.DnsIsOnline ||
       checkOn === CheckOn.DomainIsExpired ||
+      checkOn === CheckOn.DnssecChainValid ||
+      checkOn === CheckOn.DnssecDnskeyExists ||
+      checkOn === CheckOn.DnssecDsExists ||
+      checkOn === CheckOn.DnssecResolverConsensus ||
+      checkOn === CheckOn.DnssecNameserverConsistent ||
       checkOn === CheckOn.ExternalStatusPageIsOnline
     ) {
       return false;

package/Types/Monitor/DnssecMonitor/DnssecMonitorResponse.ts

@@ -0,0 +1,69 @@
+export interface DnssecKeyRecord {
+  flags: number;
+  algorithm: number;
+  keyTag?: number | undefined;
+}
+
+export interface DnssecDsRecord {
+  keyTag: number;
+  algorithm: number;
+  digestType: number;
+  digest: string;
+}
+
+export interface DnssecRrsigRecord {
+  typeCovered: string;
+  algorithm: number;
+  signerName: string;
+  keyTag: number;
+  inception?: string | undefined;
+  expiration?: string | undefined;
+}
+
+export interface DnssecResolverCheck {
+  resolver: string;
+  adFlag: boolean;
+  servfailWhenValidating: boolean;
+  error?: string | undefined;
+}
+
+export interface DnssecNameserverCheck {
+  nameServer: string;
+  soaSerial?: string | undefined;
+  rrsigExpiration?: string | undefined;
+  error?: string | undefined;
+}
+
+export default interface DnssecMonitorResponse {
+  isOnline: boolean;
+  responseTimeInMs: number;
+  failureCause: string;
+  domainName: string;
+  isTimeout?: boolean | undefined;
+
+  // Zone signed?
+  isZoneSigned: boolean;
+
+  // DNSKEY presence
+  dnskeys: Array<DnssecKeyRecord>;
+
+  // DS at parent
+  parentDsRecords: Array<DnssecDsRecord>;
+  isParentDsPresent: boolean;
+
+  // RRSIG over the A record (zone apex by default)
+  rrsigs: Array<DnssecRrsigRecord>;
+  earliestSignatureExpiration?: string | undefined;
+  daysUntilSignatureExpiry?: number | undefined;
+
+  // Resolver consensus (AD flag + CD-bit SERVFAIL test)
+  resolverChecks: Array<DnssecResolverCheck>;
+  resolverConsensusAd: boolean;
+
+  // Primary/secondary nameserver consistency
+  nameserverChecks: Array<DnssecNameserverCheck>;
+  isNameserverConsistent: boolean;
+
+  // Overall chain validity (DNSKEY exists, DS exists, RRSIG valid, AD across resolvers)
+  isChainValid: boolean;
+}