Healthchecks heartbeats for compose-drift, komodo-hygiene, daily-report

Add endpoint-agnostic Healthchecks pings to the three remaining scheduled
host-audit jobs via an EXIT-trap merge (start + success/fail), so the body of
each script (incl. the 1400-line daily-status-report) stays untouched. Exit
0/1/2 = ran (ok/warning/critical); only rc>2 pings /fail. Capability URLs come
from per-job host secret files (healthchecks_<job>_url), never in the repo.
bash -n verified.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

services/posture-check/compose-runtime-drift.sh

@@ -11,7 +11,12 @@ TMP_DIR="${TMP_DIR:-/tmp/kallilab-compose-runtime-drift}"
 mkdir -p "$TMP_DIR"
 RESULTS_FILE="$TMP_DIR/results.$$"
 : > "$RESULTS_FILE"
-trap 'rm -f "$RESULTS_FILE"' EXIT
+# Healthchecks Heartbeat (endpoint-agnostisch; Capability-URL ist ein Secret, nie ins Repo)
+HC_URL_FILE="${HC_URL_FILE:-/mnt/user/appdata/secrets/healthchecks_compose_drift_url}"
+hc_url=""; [ -r "$HC_URL_FILE" ] && hc_url="$(tr -d '[:space:]' < "$HC_URL_FILE")"
+hc_ping() { [ -n "$hc_url" ] || return 0; curl -fsS -m 10 --retry 3 "${hc_url}${1:-}" >/dev/null 2>&1 || true; }
+trap 'hc_rc=$?; rm -f "$RESULTS_FILE"; [ "$hc_rc" -le 2 ] && hc_ping "" || hc_ping "/fail"' EXIT
+hc_ping "/start"
 
 json_escape() {
   sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e 's/\t/\\t/g'

services/posture-check/daily-status-report.sh

@@ -55,7 +55,12 @@ SECTION_ERRORS_FILE="$TMP_DIR/section-errors.log"
 cleanup() {
   rm -rf "$TMP_DIR"
 }
-trap cleanup EXIT
+# Healthchecks Heartbeat (endpoint-agnostisch; Capability-URL ist ein Secret, nie ins Repo)
+HC_URL_FILE="${HC_URL_FILE:-/mnt/user/appdata/secrets/healthchecks_daily_report_url}"
+hc_url=""; [ -r "$HC_URL_FILE" ] && hc_url="$(tr -d '[:space:]' < "$HC_URL_FILE")"
+hc_ping() { [ -n "$hc_url" ] || return 0; curl -fsS -m 10 --retry 3 "${hc_url}${1:-}" >/dev/null 2>&1 || true; }
+trap 'hc_rc=$?; cleanup; [ "$hc_rc" -le 2 ] && hc_ping "" || hc_ping "/fail"' EXIT
+hc_ping "/start"
 
 append() {
   printf '%s\n' "$*" >> "$BODY_PATH"

services/posture-check/komodo-stack-hygiene.sh

@@ -33,7 +33,12 @@ mkdir -p "$TMP_DIR"
 RESULTS_FILE="$TMP_DIR/results.$$"
 STACKS_FILE="$TMP_DIR/stacks.$$.json"
 : > "$RESULTS_FILE"
-trap 'rm -f "$RESULTS_FILE" "$STACKS_FILE"' EXIT
+# Healthchecks Heartbeat (endpoint-agnostisch; Capability-URL ist ein Secret, nie ins Repo)
+HC_URL_FILE="${HC_URL_FILE:-/mnt/user/appdata/secrets/healthchecks_komodo_hygiene_url}"
+hc_url=""; [ -r "$HC_URL_FILE" ] && hc_url="$(tr -d '[:space:]' < "$HC_URL_FILE")"
+hc_ping() { [ -n "$hc_url" ] || return 0; curl -fsS -m 10 --retry 3 "${hc_url}${1:-}" >/dev/null 2>&1 || true; }
+trap 'hc_rc=$?; rm -f "$RESULTS_FILE" "$STACKS_FILE"; [ "$hc_rc" -le 2 ] && hc_ping "" || hc_ping "/fail"' EXIT
+hc_ping "/start"
 
 json_escape() {
   sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e 's/\t/\\t/g'