peaktwilight
diff --git a/‎README.md‎
Lines changed: 57 additions & 0 deletions b/‎README.md‎
Lines changed: 57 additions & 0 deletions
diff --git a/‎infomaniak_cli/__init__.py‎
Lines changed: 1 addition & 1 deletion b/‎infomaniak_cli/__init__.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎infomaniak_cli/cli.py‎
Lines changed: 30 additions & 0 deletions b/‎infomaniak_cli/cli.py‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎infomaniak_cli/commands/audit.py‎
Lines changed: 172 additions & 0 deletions b/‎infomaniak_cli/commands/audit.py‎
Lines changed: 172 additions & 0 deletions
diff --git a/‎infomaniak_cli/commands/domains.py‎
Lines changed: 80 additions & 0 deletions b/‎infomaniak_cli/commands/domains.py‎
Lines changed: 80 additions & 0 deletions
@@ -78,6 +78,18 @@ infomaniak dns sync example.com desired.json --dry-run    # Sync (terraform-styl
 infomaniak dns clone source.com target.com                # Clone between domains
 infomaniak dns search "76.76.21"                          # Search across all domains
 infomaniak dns backup                                     # Backup all domains
+infomaniak dns audit                                      # Audit all domains (SPF/DMARC/DKIM)
+infomaniak dns audit example.com                          # Audit single domain
+infomaniak dns zone example.com                           # Generate BIND zone file
+infomaniak dns propagation example.com                    # Check global DNS propagation
+infomaniak dns propagation example.com -n www -t CNAME    # Check specific record
+```
+
+### Domains
+
+```bash
+infomaniak domains                                        # List all domains with expiry dates
+infomaniak domains --warn 60                              # Warn if expiring within 60 days
 ```
 
 ### Account & Products
@@ -166,6 +178,51 @@ $ infomaniak dns sync example.com desired.json --dry-run
 
   Dry run — no changes applied.
 
+$ infomaniak dns audit
+
+  DNS Audit
+  ────────
+
+  Scanning 10 domain(s)...
+
+  ! No SPF record found — Email spoofing protection
+    → legacy-site.com
+
+  ! No DMARC record found — Email authentication policy
+    → legacy-site.com
+    → staging.org
+
+  Summary: 10 domains scanned
+    8 clean
+    2 with issues (3 total findings)
+
+$ infomaniak dns propagation example.com
+
+  DNS Propagation: A example.com
+
+  Resolver    IP              Result
+  ──────────  ──────────────  ───────────
+  Google      8.8.8.8         93.184.216.34
+  Cloudflare  1.1.1.1         93.184.216.34
+  Quad9       9.9.9.9         93.184.216.34
+  OpenDNS     208.67.222.222  93.184.216.34
+
+  All resolvers agree. DNS is fully propagated.
+
+$ infomaniak domains
+
+  Domains (3)
+
+  Domain           Expires     Days Left  Status
+  ───────────────  ──────────  ─────────  ────────
+  expiring.com     2026-04-01  17         expiring
+  example.com      2027-01-15  306        active
+  example.org      2027-06-20  462        active
+
+  Warning: 1 domain(s) expiring within 30 days:
+
+    ! expiring.com — 17 days remaining
+
 $ infomaniak status
 
   Service Status — 5 products
 
@@ -25,5 +25,5 @@
     infomaniak config show                                   # Show configuration
 """
 
-__version__ = "0.6.0"
+__version__ = "0.7.0"
 API_BASE = "https://api.infomaniak.com"
@@ -5,6 +5,7 @@
 
 from infomaniak_cli import __version__
 from infomaniak_cli.commands.account import cmd_account
+from infomaniak_cli.commands.audit import cmd_dns_audit
 from infomaniak_cli.commands.config import cmd_config_show
 from infomaniak_cli.commands.dns import (
     cmd_dns_add,
@@ -21,9 +22,12 @@
     cmd_dns_sync,
     cmd_dns_update,
 )
+from infomaniak_cli.commands.domains import cmd_domains
 from infomaniak_cli.commands.drive import cmd_drive_list
 from infomaniak_cli.commands.hosting import cmd_hosting_list
 from infomaniak_cli.commands.mail import cmd_mail_list, cmd_mail_mailboxes
+from infomaniak_cli.commands.propagation import cmd_dns_propagation
+from infomaniak_cli.commands.zone import cmd_dns_zone
 from infomaniak_cli.commands.products import cmd_products
 from infomaniak_cli.commands.setup import cmd_setup
 from infomaniak_cli.commands.status import cmd_status
@@ -142,6 +146,32 @@ def main():
     sp.add_argument("--yes", "-y", action="store_true", help="Skip confirmation")
     sp.set_defaults(func=cmd_dns_sync)
 
+    # dns audit
+    sp = dns_sub.add_parser("audit", help="Audit DNS for misconfigurations (SPF, DMARC, DKIM, etc.)")
+    sp.add_argument("domain", nargs="?", default=None, help="Domain to audit (default: all domains)")
+    sp.add_argument("--json", action="store_true", help="Output as JSON")
+    sp.set_defaults(func=cmd_dns_audit)
+
+    # dns zone
+    sp = dns_sub.add_parser("zone", help="Generate BIND-format zone file")
+    sp.add_argument("domain", help="Domain name")
+    sp.add_argument("--output", "-o", help="Output file path (default: stdout)")
+    sp.set_defaults(func=cmd_dns_zone)
+
+    # dns propagation
+    sp = dns_sub.add_parser("propagation", help="Check DNS propagation across public resolvers")
+    sp.add_argument("domain", help="Domain name")
+    sp.add_argument("--name", "-n", default="@", help="Record name (default: @ for root)")
+    sp.add_argument("--type", "-t", default="A", help="Record type (default: A)")
+    sp.add_argument("--json", action="store_true", help="Output as JSON")
+    sp.set_defaults(func=cmd_dns_propagation)
+
+    # ── domains ────────────────────────────────────────────────────────────
+    sp_domains = subparsers.add_parser("domains", help="List domains with expiry tracking")
+    sp_domains.add_argument("--warn", type=int, default=30, help="Warn if expiring within N days (default: 30)")
+    sp_domains.add_argument("--json", action="store_true", help="Output as JSON")
+    sp_domains.set_defaults(func=cmd_domains)
+
     # ── config ─────────────────────────────────────────────────────────────
     config_parser = subparsers.add_parser("config", help="View configuration")
     config_sub = config_parser.add_subparsers(dest="command")
 
@@ -0,0 +1,172 @@
+"""DNS audit — scan domains for common misconfigurations."""
+
+import sys
+
+from infomaniak_cli.api import api_request
+from infomaniak_cli.config import get_account_id, get_token
+from infomaniak_cli.output import bold, cyan, dim, green, output_json, red, yellow
+
+
+def _has_record(records, rtype, source=None, substring=None):
+    """Check if records contain a specific type/source/substring match."""
+    for r in records:
+        if r.get("type") != rtype:
+            continue
+        if source is not None:
+            rec_source = r.get("source", "@")
+            if rec_source == ".":
+                rec_source = "@"
+            if rec_source != source:
+                continue
+        if substring is not None and substring.lower() not in r.get("target", "").lower():
+            continue
+        return True
+    return False
+
+
+def _get_targets(records, rtype, source=None):
+    """Get all targets for a given type/source."""
+    targets = []
+    for r in records:
+        if r.get("type") != rtype:
+            continue
+        if source is not None:
+            rec_source = r.get("source", "@")
+            if rec_source == ".":
+                rec_source = "@"
+            if rec_source != source:
+                continue
+        targets.append(r.get("target", ""))
+    return targets
+
+
+def cmd_dns_audit(args):
+    """Audit DNS records across all domains for common issues."""
+    token = get_token()
+    account_id = get_account_id(token)
+
+    # Get all domains
+    data = api_request("GET", f"/1/domain/account/{account_id}", token)
+    domains = data.get("data", [])
+
+    if not domains:
+        print(f"  {dim('No domains found.')}")
+        return
+
+    domain_filter = args.domain if hasattr(args, "domain") and args.domain else None
+    if domain_filter:
+        domains = [d for d in domains if d.get("customer_name") == domain_filter]
+        if not domains:
+            print(f"  {red('Domain not found:')} {domain_filter}")
+            sys.exit(1)
+
+    all_issues = []
+    all_results = []
+    total_checked = 0
+
+    print(f"\n  {bold('DNS Audit')}")
+    print(f"  {dim('────────')}\n")
+    print(f"  Scanning {len(domains)} domain(s)...\n")
+
+    for d in domains:
+        domain_name = d.get("customer_name", "")
+        try:
+            rdata = api_request("GET", f"/2/zones/{domain_name}/records", token)
+        except SystemExit:
+            continue
+
+        records = rdata.get("data", [])
+        total_checked += 1
+        domain_issues = []
+
+        # Check 1: SPF record
+        spf_targets = _get_targets(records, "TXT", "@")
+        has_spf = any("v=spf1" in t.lower() for t in spf_targets)
+        if not has_spf:
+            domain_issues.append(("missing_spf", "No SPF record found", "Email spoofing protection"))
+
+        # Check 2: DMARC record
+        dmarc_sources = [r.get("source", "@") for r in records if r.get("type") == "TXT"]
+        has_dmarc = _has_record(records, "TXT", "_dmarc")
+        if not has_dmarc:
+            domain_issues.append(("missing_dmarc", "No DMARC record found", "Email authentication policy"))
+
+        # Check 3: DKIM (check common selectors)
+        has_dkim = False
+        for r in records:
+            source = r.get("source", "")
+            if r.get("type") == "TXT" and "._domainkey" in source:
+                has_dkim = True
+                break
+            if r.get("type") == "CNAME" and "._domainkey" in source:
+                has_dkim = True
+                break
+        if not has_dkim:
+            domain_issues.append(("missing_dkim", "No DKIM record found", "Email signing verification"))
+
+        # Check 4: MX record (if domain has mail hosting)
+        has_mx = _has_record(records, "MX")
+        a_targets = _get_targets(records, "A", "@")
+        if not has_mx and a_targets:
+            domain_issues.append(("missing_mx", "No MX record — mail won't be delivered", "Mail delivery"))
+
+        # Check 5: Multiple SPF records (invalid per RFC)
+        spf_count = sum(1 for t in spf_targets if "v=spf1" in t.lower())
+        if spf_count > 1:
+            domain_issues.append(("multiple_spf", f"Multiple SPF records found ({spf_count})", "RFC violation — only one SPF allowed"))
+
+        # Check 6: Low TTL on root records
+        for r in records:
+            source = r.get("source", "@")
+            if source in ("@", ".") and r.get("type") in ("A", "AAAA", "MX"):
+                ttl = r.get("ttl", 3600)
+                if ttl < 60:
+                    domain_issues.append(("low_ttl", f"Very low TTL ({ttl}s) on {r.get('type')} record", "May cause excessive DNS queries"))
+                    break
+
+        # Check 7: CNAME at root (invalid per RFC)
+        has_root_cname = _has_record(records, "CNAME", "@")
+        if has_root_cname:
+            domain_issues.append(("root_cname", "CNAME record at root (@)", "RFC violation — may break MX/NS"))
+
+        result = {
+            "domain": domain_name,
+            "records": len(records),
+            "issues": domain_issues,
+        }
+        all_results.append(result)
+
+        if domain_issues:
+            all_issues.extend([(domain_name, *issue) for issue in domain_issues])
+
+    if getattr(args, "json", False):
+        output_json(all_results)
+
+    # Summary
+    clean = sum(1 for r in all_results if not r["issues"])
+    with_issues = sum(1 for r in all_results if r["issues"])
+
+    if all_issues:
+        # Group by issue type
+        issue_types = {}
+        for domain_name, code, desc, hint in all_issues:
+            if code not in issue_types:
+                issue_types[code] = []
+            issue_types[code].append((domain_name, desc, hint))
+
+        for code, issues in sorted(issue_types.items()):
+            hint = issues[0][2]
+            desc = issues[0][1]
+            print(f"  {yellow('!')} {bold(desc)} {dim(f'— {hint}')}")
+            for domain_name, _, _ in issues:
+                print(f"    {dim('→')} {domain_name}")
+            print()
+
+    print(f"  {bold('Summary')}: {total_checked} domains scanned")
+    if clean:
+        print(f"    {green(str(clean))} clean")
+    if with_issues:
+        print(f"    {yellow(str(with_issues))} with issues ({len(all_issues)} total findings)")
+    if not all_issues:
+        print(f"    {green('All domains passed all checks.')}")
+    print()
@@ -0,0 +1,80 @@
+"""Domain overview with expiry tracking."""
+
+from datetime import datetime, timezone
+
+from infomaniak_cli.api import api_request_paginated
+from infomaniak_cli.config import get_account_id, get_token
+from infomaniak_cli.output import bold, cyan, dim, green, output_json, print_table, red, yellow
+
+
+def cmd_domains(args):
+    """List all domains with registration and expiry info."""
+    token = get_token()
+    account_id = get_account_id(token)
+
+    products = api_request_paginated(
+        "/1/products", token,
+        params={"account_id": account_id, "service_name": "domain"},
+    )
+
+    if getattr(args, "json", False):
+        output_json(products)
+
+    if not products:
+        print(f"  {dim('No domains found.')}")
+        return
+
+    now = datetime.now(timezone.utc)
+    warn_days = args.warn or 30
+
+    headers = ["Domain", "Expires", "Days Left", "Status"]
+    rows = []
+    expiring_soon = []
+
+    for p in products:
+        name = p.get("customer_name", "?")
+        expired_at = p.get("expired_at")
+
+        if expired_at:
+            try:
+                exp_date = datetime.fromtimestamp(int(expired_at), tz=timezone.utc)
+                days_left = (exp_date - now).days
+                exp_display = exp_date.strftime("%Y-%m-%d")
+
+                if days_left < 0:
+                    days_display = red(f"EXPIRED ({abs(days_left)}d ago)")
+                    status = red("expired")
+                    expiring_soon.append((name, days_left))
+                elif days_left <= warn_days:
+                    days_display = yellow(str(days_left))
+                    status = yellow("expiring")
+                    expiring_soon.append((name, days_left))
+                else:
+                    days_display = green(str(days_left))
+                    status = green("active")
+            except (ValueError, TypeError):
+                exp_display = dim("unknown")
+                days_display = dim("?")
+                status = dim("unknown")
+        else:
+            exp_display = dim("n/a")
+            days_display = dim("n/a")
+            status = green("active")
+
+        rows.append([name, exp_display, days_display, status])
+
+    # Sort by days left (soonest first)
+    rows.sort(key=lambda r: r[1])
+
+    print(f"\n  {bold(f'Domains ({len(rows)})')}\n")
+    print_table(headers, rows)
+
+    if expiring_soon:
+        print(f"\n  {yellow(f'Warning: {len(expiring_soon)} domain(s) expiring within {warn_days} days:')}\n")
+        for name, days in sorted(expiring_soon, key=lambda x: x[1]):
+            if days < 0:
+                print(f"    {red('!')} {bold(name)} — expired {abs(days)} days ago")
+            else:
+                print(f"    {yellow('!')} {bold(name)} — {days} days remaining")
+
+    print()