feat(ssl): Add --only-failures and --summary flags for batch SSL checks #16

@scottsen

Problem

When batch-checking SSL certificates with reveal --stdin --check, the output includes full details for every domain. For large scans (500+ domains), this creates verbose output that requires manual filtering with jq.

Current workflow requires complex pipelines:

reveal /etc/nginx/conf.d/*.conf | \
  grep -oE 'server_name patterns...' | \
  sed 's/^/ssl:\/\//' | \
  reveal --stdin --format=json | \
  jq 'select(.days_until_expiry < 7) | ...'

Proposed Solution

1. --only-failures flag

Filter out healthy certificates, show only problems:

cat domains.txt | sed 's/^/ssl:\/\//' | reveal --stdin --check --only-failures

2. --summary format

Aggregate results into counts:

cat domains.txt | sed 's/^/ssl:\/\//' | reveal --stdin --check --format=summary

# Output:
# SSL Audit: 540 domains
# ✅ Healthy (>30d): 250
# ⚠️  Warning (<30d): 45  
# 🔴 Critical (<7d): 28
# ❌ Expired: 87
# ⚪ DNS/unreachable: 130

3. --expiring-within=DAYS filter

reveal --stdin --check --expiring-within=7d  # Only show certs expiring in 7 days

Use Case

SSL certificate audits for SaaS platforms with hundreds of white-label domains. Need to quickly identify:

  • Which certs are expired (immediate action)
  • Which are expiring soon (preventive action)
  • Which domains have DNS issues (cleanup)

Alternatives Considered

  • Using jq for filtering - works but adds complexity and requires JSON knowledge
  • Post-processing with shell scripts - verbose and error-prone
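
The three proposed views can be computed today from the JSON output that the jq workflow above already consumes. This is an added example, not part of the issue or of reveal's code: it uses the `days_until_expiry` field from the jq filter and assumes one JSON object per line, with `host` and `error` as constructed field names and any record lacking a numeric expiry counted as DNS/unreachable.

```python
import json
from collections import Counter
# Thresholds from the issue's summary mock-up; exactly 30 days counts as healthy (a choice).
CRITICAL_DAYS, WARNING_DAYS = 7, 30
BUCKETS = ("healthy", "warning", "critical", "expired", "unreachable")

def classify(record):
    """Return the bucket name for one check result."""
    days = record.get("days_until_expiry")  # field name from the jq filter
    if isinstance(days, bool) or not isinstance(days, (int, float)):
        return "unreachable"  # assumption: failed lookups carry no expiry
    if days < 0:
        return "expired"
    if days < CRITICAL_DAYS:
        return "critical"
    return "warning" if days < WARNING_DAYS else "healthy"

def parse(lines):
    """Parse one JSON object per line; other lines become unreachable entries, never dropped."""
    for line in filter(None, map(str.strip, lines)):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        yield rec if isinstance(rec, dict) else {"raw": line}

def summarize(records):
    """Counts per bucket, as in the proposed --format=summary."""
    counts = Counter(map(classify, records))
    return {bucket: counts[bucket] for bucket in BUCKETS}

def only_failures(records):
    """Everything that is not healthy, as in the proposed --only-failures."""
    return [r for r in records if classify(r) != "healthy"]

def expiring_within(records, days):
    """Still-valid certificates (first three buckets) with fewer than `days` days left."""
    return [r for r in records
            if classify(r) in BUCKETS[:3] and r["days_until_expiry"] < days]

# Constructed sample input, not real scan output ("host"/"error" are assumed names).
SAMPLE = [
    '{"host": "a.example", "days_until_expiry": 90}',
    '{"host": "b.example", "days_until_expiry": 12}',
    '{"host": "c.example", "days_until_expiry": 3}',
    '{"host": "d.example", "days_until_expiry": -5}',
    '{"host": "e.example", "error": "dns"}',
    'not json',
]
```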
