diff --git a/services/posture-check/posture-check.sh b/services/posture-check/posture-check.sh
index 5a43d95..b0abb4e 100755
--- a/services/posture-check/posture-check.sh
+++ b/services/posture-check/posture-check.sh
@@ -429,4 +429,21 @@ main() {
 write_json
 }
-main "$@"
+# --- Healthchecks Heartbeat (endpoint-agnostisch; Capability-URL ist ein Secret, nie ins Repo) ---
+HEALTHCHECKS_POSTURE_URL="${HEALTHCHECKS_POSTURE_URL:-}"
+HEALTHCHECKS_POSTURE_URL_FILE="${HEALTHCHECKS_POSTURE_URL_FILE:-/mnt/user/appdata/secrets/healthchecks_posture_url}"
+if [ -z "$HEALTHCHECKS_POSTURE_URL" ] && [ -r "$HEALTHCHECKS_POSTURE_URL_FILE" ]; then
+ HEALTHCHECKS_POSTURE_URL="$(tr -d '[:space:]' < "$HEALTHCHECKS_POSTURE_URL_FILE")"
+fi
+hc_ping() {
+ [ -n "$HEALTHCHECKS_POSTURE_URL" ] || return 0
+ curl -fsS -m 10 --retry 3 "${HEALTHCHECKS_POSTURE_URL}${1:-}" >/dev/null 2>&1 || true
+}
+
+hc_ping "/start"
+rc=0
+main "$@" || rc=$?
+# Exit 0/1/2 = ok/warning/critical: der Monitor LIEF (Posture-Alarme laufen separat via ntfy).
+# Nur ein echter Abbruch (rc>2) ist ein Job-Fehler -> /fail.
+if [ "$rc" -le 2 ]; then hc_ping ""; else hc_ping "/fail"; fi
+exit "$rc"
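Review bot: In `hc_ping` the capability URL, which the comment above it treats as a secret, is passed to curl as a command-line argument, so other local users can read it from the process list while the ping (up to 10 s per attempt, plus retries) is running. Feeding it through curl's config on stdin keeps it out of argv, and pinning the scheme stops a mistyped or tampered secrets file from sending the ping over `http://` or to a `file://` path: `printf 'url = "%s"\n' "${HEALTHCHECKS_POSTURE_URL}${1:-}" | curl -fsS -m 10 --retry 3 --proto '=https' -K - >/dev/null 2>&1 || true`. Separately, if the script runs under `set -e` (not visible in this hunk), `main "$@" || rc=$?` switches errexit off inside `main`, so a check that used to abort on a failing command could now run on and exit 0; worth confirming before merge.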