cert-token-check: Healthchecks heartbeat; document internal ping URLs

Add the same endpoint-agnostic Healthchecks ping wrapper to cert-token-check.sh
(daily) as in posture-check.sh; capability URL from host secret file
healthchecks_cert_token_url. SECRETS_MAP: document the per-job internal ping
URL files. MASTER_TODO: posture-check + cert-token-check wired and verified
(status up); project KalliLab CORE + ntfy integration created.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

services/posture-check/cert-token-check.sh

@@ -137,8 +137,26 @@ write_json() {
   fi
 }
 
-for domain in $DOMAINS; do
-  check_cert "$domain"
-done
-check_cloudflare_token
-write_json
+# --- Healthchecks Heartbeat (endpoint-agnostisch; Capability-URL ist ein Secret, nie ins Repo) ---
+HEALTHCHECKS_CERT_TOKEN_URL="${HEALTHCHECKS_CERT_TOKEN_URL:-}"
+HEALTHCHECKS_CERT_TOKEN_URL_FILE="${HEALTHCHECKS_CERT_TOKEN_URL_FILE:-/mnt/user/appdata/secrets/healthchecks_cert_token_url}"
+if [ -z "$HEALTHCHECKS_CERT_TOKEN_URL" ] && [ -r "$HEALTHCHECKS_CERT_TOKEN_URL_FILE" ]; then
+  HEALTHCHECKS_CERT_TOKEN_URL="$(tr -d '[:space:]' < "$HEALTHCHECKS_CERT_TOKEN_URL_FILE")"
+fi
+hc_ping() {
+  [ -n "$HEALTHCHECKS_CERT_TOKEN_URL" ] || return 0
+  curl -fsS -m 10 --retry 3 "${HEALTHCHECKS_CERT_TOKEN_URL}${1:-}" >/dev/null 2>&1 || true
+}
+
+hc_ping "/start"
+rc=0
+{
+  for domain in $DOMAINS; do
+    check_cert "$domain"
+  done
+  check_cloudflare_token
+  write_json
+} || rc=$?
+# 0/1/2 = ok/warning/critical: der Check LIEF (Alarme laufen separat via ntfy); nur rc>2 -> /fail
+if [ "$rc" -le 2 ]; then hc_ping ""; else hc_ping "/fail"; fi
+exit "$rc"