@checkstack/slo-backend 0.6.1 → 0.7.1

package/CHANGELOG.md

@@ -1,5 +1,151 @@
 # @checkstack/slo-backend
 
+## 0.7.1
+
+### Patch Changes
+
+- Updated dependencies [13373ce]
+  - @checkstack/common@0.14.0
+  - @checkstack/backend-api@0.21.1
+  - @checkstack/cache-api@0.3.10
+  - @checkstack/queue-api@0.3.10
+  - @checkstack/ai-backend@0.1.1
+  - @checkstack/automation-backend@0.5.1
+  - @checkstack/catalog-backend@1.4.1
+  - @checkstack/catalog-common@2.3.1
+  - @checkstack/command-backend@0.2.1
+  - @checkstack/dependency-common@1.2.1
+  - @checkstack/gitops-backend@0.5.1
+  - @checkstack/gitops-common@0.6.1
+  - @checkstack/healthcheck-backend@1.6.1
+  - @checkstack/healthcheck-common@1.5.1
+  - @checkstack/signal-common@0.2.7
+  - @checkstack/slo-common@0.5.1
+  - @checkstack/cache-utils@0.2.15
+
+## 0.7.0
+
+### Minor Changes
+
+- 9dcc848: Plugin-owned AI tools: every domain plugin contributes its own AI tools (chat assistant + automation AI action), and `ai-backend` is platform-only.
+
+  Every plugin-specific AI tool is owned by the plugin whose domain it acts on, registered via that plugin's own `aiToolExtensionPoint` / `aiToolProjectionExtensionPoint` from its init - the same path an external plugin author uses. `ai-backend` no longer imports or depends on any capability plugin's `*-common`; the dependency direction is strictly plugin -> ai-platform. Pure helpers (`computeFieldDiff`, capability-summary, `ScriptContextKind`) live in `@checkstack/ai-common`.
+
+  Tools shipped:
+
+  - Health checks and automations: full CRUD - `healthcheck.propose` / `automation.propose` and `*.update` (`mutate`, deep-validated) and `*.delete` (`destructive`, always confirm-gated). `healthcheck.propose`'s dry-run calls the new deep `validateConfiguration` so propose-time validation matches apply-time. Assertions are validated against the collector's result schema and the canonical operator vocabulary. Capability-catalog tools (`ai.listCapabilities`, `ai.getCapabilitySchema`), script context tools (`ai.getScriptContext`, `ai.testScript`), and notify-subscriber tools (`healthcheck.notifySystemSubscribers` / `...GroupSubscribers`).
+  - Catalog: `catalog.createSystem` / `updateSystem` / `createGroup` / `updateGroup` (`mutate`), `catalog.deleteSystem` / `deleteGroup` (`destructive`), membership tools (`mutate`), plus `catalog.listSystems` / `listGroups` read projections.
+  - Incident: `incident.create` / `update` / `addUpdate` / `resolve` / `addLink` (`mutate`), `incident.delete` / `removeLink` (`destructive`), and `incident.get` / `incident.list` read projections.
+  - Maintenance: `maintenance.create` / `update` / `addUpdate` / `close` / `addLink` (`mutate`), `maintenance.delete` / `removeLink` (`destructive`), and `maintenance.list` / `get` read projections.
+  - Read projections for SLO (`slo.listObjectives`), dependency (`dependency.list`), incident (`incident.list`), healthcheck (`healthcheck.status`), and anomaly (`anomaly.explain`), each gated by the source procedure's own access rule and routed as the principal.
+  - Documentation grounding: `ai.searchDocs` / `ai.getDoc` over a build-time bundled docs index (BM25-ish ranking), so the assistant grounds how-to answers in Checkstack's own docs offline.
+  - URL introspection: `ai.probeUrl`, an SSRF-guarded read tool the assistant uses to inspect a real endpoint before drafting a health check. Update tools compute a before -> after field diff rendered on the confirm card (approve mode) or an "Applied" card (auto mode), so a change is never silent.
+
+  `ai_analyze` automation action (automation-backend, with an editor connection picker + audited tool calls): runs a bounded AI agent on the run context as the automation's `runAs` service account, so it can never exceed that identity's permissions; destructive tools are never offered; mutating tools auto-apply through the service account's client. Produces an `automation.analysis` artifact downstream actions can branch on. The agent loop is exposed as a headless `aiAgentRunnerRef` service so automation-backend can drive it without depending on ai-backend.
+
+  `notification.notifyForSubscription` is now callable by user / application principals holding `notification.send` (previously service-only). Every tool routes through the user-scoped client, so handler-side authorization is enforced exactly as a direct UI/RPC action; the resolver gate plus the propose/apply re-check at propose AND apply are the additional authority. A systemic authz regression test asserts every registered tool falls into exactly one safe authorization category.
+
+  A new `ai_transport` enum value `automation` records the AI action's tool calls in the `ai_tool_calls` audit log. No new durable state beyond that; each tool is a thin, deterministic wrapper over an existing RPC, so every pod behaves identically.
+
+  This is a beta minor.
+
+- 9dcc848: Make SLO downtime robust against a drifted event log (fixes "100% available yet degraded" and "ongoing downtime while every check is healthy").
+
+  SLO downtime was stored as edge-triggered open/close interval rows, so a single missed/out-of-order transition left an event open forever and read as ongoing downtime even when healthy. The fix makes live health authoritative:
+
+  - `computeStatus` is now live-health-authoritative and side-effect-free: a stored open event counts toward availability/error-budget and sets `hasOpenDowntime` only when the system is actually down right now (verified via the health callback, checked only when open events exist). A healthy system can no longer read breaching/degraded from a stale row, and this stays pure so the reactive `slo` entity can keep reading through it.
+  - Window accounting is fixed: `getDowntimeForWindow` counts the in-window portion of every overlapping interval (clamped to the window; open events run to "now" only when included), via a pure `downtime-window` helper, so an outage that began before the window is no longer dropped.
+  - Missed-recovery orphans are voided: the daily job deletes open events on currently-healthy systems (their true recovery time was never recorded). The edge-triggered close still records real downtime on normal recoveries.
+
+  Regression tests cover the window-overlap math, the live-health authority, the no-open-event fast path, and orphan voiding.
+
+  This is a beta minor.
+
+- 9dcc848: Align workspace dependency versions and migrate React Router to v7.
+
+  BREAKING CHANGES (React Router v7): All frontend packages now depend on `react-router-dom@^7.16.0`. Previously the workspace declared four divergent ranges (`^6.20.0`, `^6.22.0`, `^7.1.1`, `^7.14.2`), which resolved both `react-router@6` and `react-router@7` into a single bundle. Everything is now unified on v7. The public imports the app uses (`BrowserRouter`, `Routes`, `Route`, `Link`, `NavLink`, `MemoryRouter`, `useNavigate`, `useParams`, `useSearchParams`, `useLocation`) are unchanged between v6 and v7, so no source rewrites were required - but any out-of-tree plugin still on react-router v6 should upgrade to v7 (see the React Router v6 -> v7 upgrade guide) to share the host's single router instance via the import map.
+
+  Other unified ranges (no API change): `react` -> `^18.3.1`, the `@orpc/*` family (`contract`, `server`, `client`, `tanstack-query`, `openapi`, `zod`) -> `^1.14.4`, and `better-auth` -> `^1.6.13`.
+
+  Removed the pre-rename `@orpc/react-query` leftover from `@checkstack/frontend-api`; its `createRouterUtils` / `RouterUtils` / `ProcedureUtils` now come from `@orpc/tanstack-query` (the package already in use).
+
+  Stale in-range runtime deps pulled up to current published versions: `hono` `^4.12.23`, `@tanstack/react-query` (+devtools) `^5.100.14`, `date-fns` `^4.4.0`, `jose` `^6.2.3`, `tar` `^7.5.16`, `semver` `^7.8.1`, `@xyflow/react` `^12.11.0`.
+
+### Patch Changes
+
+- 9dcc848: Write-path hardening: post-commit side effects can no longer fail a committed write, multi-row mutations are now atomic, and retry-duplication is blocked at the database.
+
+  **Platform-level (automatic for all current and future plugins):**
+
+  - signal-backend: `SignalService` (broadcast / sendToUser / sendToUsers / sendToAuthorizedUsers) is now resilient by construction - a transient event-bus/queue failure is caught and logged instead of thrown. Real-time signals are best-effort UI nudges; the authoritative data is already committed by the time a mutation broadcasts, so a signal-transport blip must never turn a successful write into a client-visible error. Every plugin's broadcasts inherit this without per-call-site `try/catch` (which would inevitably be forgotten and regress). This mirrors `createCachedScope`, which already makes cache invalidation non-throwing - so the cache + signal halves of the "post-commit side effect fails the response" class are both closed at the platform seam. Durable side effects (events/hooks that drive automations, queue jobs) intentionally still surface failures. Documented in `developer-guide/backend/signals.md`.
+
+  **Atomic multi-write mutations (each previously committed row-by-row in autocommit, so a mid-sequence failure left partial/orphaned state):**
+
+  - slo-backend: `createObjective` now inserts the objective and its 1:1 streak row in one transaction; the post-create reconcile/status/notify steps are best-effort and can no longer fail the (committed) create.
+  - incident-backend: `createIncident`, `updateIncident`, `addUpdate`, and `resolveIncident` wrap their row + system-link + timeline writes in a transaction (no more wiped system associations on a failed re-insert, or status flips with no matching timeline entry).
+  - maintenance-backend: same for `createMaintenance`, `updateMaintenance`, `addUpdate`, `closeMaintenance`.
+  - automation-backend: `cancelRun` marks the run cancelled and tears down its wait locks + durable state in one transaction - previously a failure after the status update could leave a wait lock behind, letting a later trigger event resume an already-cancelled run.
+  - healthcheck-backend: `ingestSatelliteResult` commits the run row and its hourly-aggregate increment together (no orphaned run, no aggregate without a backing run). NOTE: this guarantees run/aggregate consistency but does not yet make a _duplicate satellite delivery_ idempotent - that needs a dedupe key on the high-volume runs table and is tracked as a follow-up.
+
+  **Retry-duplication blocked at the DB (paired with the SQLSTATE 23505 -> 409 mapping shipped separately):**
+
+  - catalog-backend: new unique indexes on `groups.name`, `environments.name` (consistent with `systems.name`), on `system_links (system_id, url)`, and on `system_contacts (system_id, user_id)` + `(system_id, email)` (NULLs are distinct, so user vs mailbox contacts don't interfere). Name uniqueness is CASE-INSENSITIVE: the three name indexes are functional `lower(name)` indexes (the existing `systems.name` index is rebuilt this way too), so "Api" and "api" collide while the stored value keeps its original casing. The systems pre-write name check (`getSystemByName`) is case-folded to match. Migration `0005` de-dupes any pre-existing rows first - names are preserved by suffixing later case-insensitive duplicates (" (2)", " (3)", ...), redundant contact/link rows are removed keeping the earliest. (Link URLs stay case-sensitive - URL paths are; contact emails are deduped exact-match.)
+  - incident-backend / maintenance-backend: unique index on `incident_links (incident_id, url)` / `maintenance_links (maintenance_id, url)`, with a de-dupe step in the migration.
+
+    **Behavior change:** creating a group/environment with a duplicate name, or attaching a duplicate contact/link, now returns `409 Conflict` instead of silently creating a duplicate. The migrations resolve existing duplicates on upgrade.
+
+  This is a beta patch.
+
+- 9dcc848: Input-validation and error-mapping hardening found by a fuzzing pass against the built container.
+
+  - backend: a Postgres driver error caused by bad client input no longer surfaces as a `500`. The `/api` and `/rest` dispatchers now map the relevant SQLSTATE classes to the correct status - `22P02`/`22003`/`22001`/`22007` (malformed/out-of-range/over-long/bad-date value), `23502`/`23503`/`23514` (missing/dangling/check-failed) to `400`, and `23505` (unique violation) to `409` - and log them at `warn` (client mistake), not `error`. The client-facing message is generic so column/constraint names are never leaked; genuine unknown faults still log at `error` and 500. Previously a `where id = $1` with a non-uuid `$1` (or an over-long string, or a foreign-key miss in `addSystemToGroup`) reached the driver and 500'd, making routine probing look like a server outage and burying real 500s.
+  - slo-common: **fixes a stored cluster-wide DoS.** `windowDays` was accepted up to `2^53`, but the SLO engine derives window boundaries with `Date(now - windowDays * 86_400_000)` - a large value overflows past the max representable `Date` and yields `Invalid Date`. That objective committed fine, then every subsequent read of the system's objectives threw `RangeError: Invalid time value` during serialization (a 500 readable by anyone with SLO read access, on any pod). `windowDays` is now bounded to 1..3650 days at the contract, the GitOps `kind: SLO` spec, and the update path via a single shared `SloWindowDaysSchema`, so the poison row can never be created.
+  - slo-common + healthcheck-common: SLO `getDailySnapshots` and the healthcheck history endpoints (`getHistory`, `getDetailedHistory`, `getAggregatedHistory`, `getDetailedAggregatedHistory`, `getRunsForAnalysis`) declared their `startDate`/`endDate` params as `z.date()`, which a `/rest/...` string param can never satisfy - so those endpoints 400'd on the entire REST surface. They now use `z.coerce.date()`, accepting both the REST string shape and the native RPC `Date`.
+  - healthcheck-common: `intervalSeconds` was `z.number().min(1)` with no `.int()` and no upper bound, so a fractional or out-of-range value reached the DB and failed at insert (the column is a 32-bit int). It is now `.int().min(1).max(2_592_000)` (1 second .. 30 days), applied to both create and update (the update schema is the create partial).
+  - catalog-common: system/group/environment names were bare `z.string()` (environment was `.min(1)` only), so empty, whitespace-only, and 100KB+ names reached the DB - the huge ones surfaced as 500s when parameter binding blew up. Names are now `trim().min(1).max(200)` via a shared schema.
+
+    **BREAKING:** `getSystemContacts` is now `userType: "authenticated"` (was `"public"`). System contacts carry PII (user id, name, email); the public read leaked them to anonymous status-page visitors. Anonymous callers now receive `401` for this one endpoint; the system detail page already renders "No contacts assigned" for anonymous viewers, so the UI degrades gracefully. All other catalog reads remain public.
+
+  - catalog-frontend: the system detail page skips the `getSystemContacts` request entirely for anonymous viewers (it would now `401`) and falls back to the empty state.
+
+  This is a beta release: the breaking contact-visibility change ships as a minor bump per the beta versioning policy, not a major.
+
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+  - @checkstack/ai-backend@0.1.0
+  - @checkstack/backend-api@0.21.0
+  - @checkstack/healthcheck-backend@1.6.0
+  - @checkstack/healthcheck-common@1.5.0
+  - @checkstack/automation-backend@0.5.0
+  - @checkstack/catalog-backend@1.4.0
+  - @checkstack/catalog-common@2.3.0
+  - @checkstack/common@0.13.0
+  - @checkstack/slo-common@0.5.0
+  - @checkstack/command-backend@0.2.0
+  - @checkstack/dependency-common@1.2.0
+  - @checkstack/gitops-backend@0.5.0
+  - @checkstack/gitops-common@0.6.0
+  - @checkstack/cache-api@0.3.9
+  - @checkstack/queue-api@0.3.9
+  - @checkstack/signal-common@0.2.6
+  - @checkstack/cache-utils@0.2.14
+
 ## 0.6.1
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/slo-backend",
-  "version": "0.6.1",
+  "version": "0.7.1",
   "license": "Elastic-2.0",
   "type": "module",
   "main": "src/index.ts",
@@ -11,33 +11,36 @@
     "typecheck": "tsgo -b",
     "generate": "drizzle-kit generate",
     "lint": "bun run lint:code",
-    "lint:code": "eslint . --max-warnings 0"
+    "lint:code": "eslint . --max-warnings 0",
+    "test": "bun test"
   },
   "dependencies": {
-    "@checkstack/backend-api": "0.18.0",
-    "@checkstack/cache-api": "0.3.6",
-    "@checkstack/cache-utils": "0.2.11",
-    "@checkstack/slo-common": "0.4.2",
-    "@checkstack/healthcheck-common": "1.3.0",
-    "@checkstack/healthcheck-backend": "1.3.0",
-    "@checkstack/dependency-common": "1.1.3",
-    "@checkstack/catalog-common": "2.2.3",
-    "@checkstack/catalog-backend": "1.2.0",
-    "@checkstack/command-backend": "0.1.31",
-    "@checkstack/signal-common": "0.2.5",
-    "@checkstack/automation-backend": "0.2.0",
-    "@checkstack/gitops-backend": "0.3.7",
-    "@checkstack/gitops-common": "0.4.2",
-    "@checkstack/common": "0.12.0",
-    "@checkstack/queue-api": "0.3.6",
+    "@checkstack/backend-api": "0.21.0",
+    "@checkstack/ai-backend": "0.1.0",
+    "@checkstack/cache-api": "0.3.9",
+    "@checkstack/cache-utils": "0.2.14",
+    "@checkstack/slo-common": "0.5.0",
+    "@checkstack/healthcheck-common": "1.5.0",
+    "@checkstack/healthcheck-backend": "1.6.0",
+    "@checkstack/dependency-common": "1.2.0",
+    "@checkstack/catalog-common": "2.3.0",
+    "@checkstack/catalog-backend": "1.4.0",
+    "@checkstack/command-backend": "0.2.0",
+    "@checkstack/signal-common": "0.2.6",
+    "@checkstack/automation-backend": "0.5.0",
+    "@checkstack/gitops-backend": "0.5.0",
+    "@checkstack/gitops-common": "0.6.0",
+    "@checkstack/common": "0.13.0",
+    "@checkstack/queue-api": "0.3.9",
     "drizzle-orm": "^0.45.0",
     "zod": "^4.2.1",
-    "@orpc/server": "^1.13.2"
+    "@orpc/contract": "^1.14.4",
+    "@orpc/server": "^1.14.4"
   },
   "devDependencies": {
     "@checkstack/drizzle-helper": "0.0.5",
-    "@checkstack/scripts": "0.3.4",
-    "@checkstack/test-utils-backend": "0.1.31",
+    "@checkstack/scripts": "0.4.0",
+    "@checkstack/test-utils-backend": "0.1.34",
     "@checkstack/tsconfig": "0.0.7",
     "@types/bun": "^1.0.0",
     "drizzle-kit": "^0.31.10",

package/src/ai/slo.projection.test.ts

@@ -0,0 +1,36 @@
+import { describe, expect, test } from "bun:test";
+import {
+  buildProjectedTool,
+  deferredProjectionExecute,
+} from "@checkstack/ai-backend";
+import { sloContract, pluginMetadata } from "@checkstack/slo-common";
+
+// Build the projected tool with the SAME inputs the plugin exposes via
+// aiToolProjectionExtensionPoint in `index.ts`, and assert the resulting tool
+// carries the source procedure's contract access rules - NOT the chat
+// transport's `ai.chat.read` gate.
+describe("slo.listObjectives projection", () => {
+  const tool = buildProjectedTool({
+    procedure: sloContract.listObjectives,
+    sourcePluginMetadata: pluginMetadata,
+    procedureKey: "listObjectives",
+    name: "slo.listObjectives",
+    description:
+      "List service-level objectives with their current status and error budget. Read-only.",
+    effect: "read",
+    execute: deferredProjectionExecute,
+  });
+
+  test("uses the overridden tool name", () => {
+    expect(tool.name).toBe("slo.listObjectives");
+  });
+
+  test("is classified as a read-only effect", () => {
+    expect(tool.effect).toBe("read");
+  });
+
+  test("inherits the source procedure's qualified read access rule", () => {
+    // qualifyAccessRuleId: `${pluginId}.${rule.id}` where rule.id = `slo.read`.
+    expect(tool.requiredAccessRules).toEqual(["slo.slo.read"]);
+  });
+});

package/src/downtime-window.test.ts

@@ -0,0 +1,143 @@
+import { describe, it, expect } from "bun:test";
+import {
+  eventWindowSeconds,
+  aggregateWindowedDowntime,
+  type WindowedEventInput,
+} from "./downtime-window";
+
+const HOUR = 60 * 60 * 1000;
+const DAY = 24 * HOUR;
+
+// A fixed "now" and a 30-day window ending at now.
+const now = new Date("2026-06-04T00:00:00.000Z");
+const windowEnd = now;
+const windowStart = new Date(now.getTime() - 30 * DAY);
+
+const selfEvent = (
+  overrides: Partial<WindowedEventInput> = {},
+): WindowedEventInput => ({
+  startTime: new Date(now.getTime() - DAY),
+  endTime: null,
+  attributionType: "self",
+  upstreamSystemId: null,
+  upstreamSystemName: null,
+  ...overrides,
+});
+
+describe("eventWindowSeconds", () => {
+  it("counts the full window for an OPEN event that started before the window (the bug)", () => {
+    // Started 60 days ago, still ongoing. Its in-window portion is the WHOLE
+    // 30-day window - it must not be dropped just because it started earlier.
+    const seconds = eventWindowSeconds({
+      startTime: new Date(now.getTime() - 60 * DAY),
+      endTime: null,
+      windowStart,
+      windowEnd,
+      now,
+    });
+    expect(seconds).toBe((30 * DAY) / 1000);
+  });
+
+  it("counts an open event from its start when it started inside the window", () => {
+    const seconds = eventWindowSeconds({
+      startTime: new Date(now.getTime() - 2 * HOUR),
+      endTime: null,
+      windowStart,
+      windowEnd,
+      now,
+    });
+    expect(seconds).toBe((2 * HOUR) / 1000);
+  });
+
+  it("returns 0 for a closed event entirely before the window", () => {
+    const seconds = eventWindowSeconds({
+      startTime: new Date(now.getTime() - 40 * DAY),
+      endTime: new Date(now.getTime() - 35 * DAY),
+      windowStart,
+      windowEnd,
+      now,
+    });
+    expect(seconds).toBe(0);
+  });
+
+  it("clamps an event that started before the window but ended inside it", () => {
+    // Started 31 days ago, ended 29 days ago → only 1 day falls in the window.
+    const seconds = eventWindowSeconds({
+      startTime: new Date(now.getTime() - 31 * DAY),
+      endTime: new Date(now.getTime() - 29 * DAY),
+      windowStart,
+      windowEnd,
+      now,
+    });
+    expect(seconds).toBe(DAY / 1000);
+  });
+
+  it("counts the full duration of an event fully inside the window", () => {
+    const seconds = eventWindowSeconds({
+      startTime: new Date(now.getTime() - 5 * DAY),
+      endTime: new Date(now.getTime() - 5 * DAY + 3 * HOUR),
+      windowStart,
+      windowEnd,
+      now,
+    });
+    expect(seconds).toBe((3 * HOUR) / 1000);
+  });
+});
+
+describe("aggregateWindowedDowntime", () => {
+  it("regression: an open self outage from before the window consumes the whole window", () => {
+    // This is the exact dashboard bug: a 'Self/Ongoing' event from ~2 months
+    // ago must NOT yield ~0 consumed minutes (which rendered as 100% available
+    // while still flagged degraded).
+    const result = aggregateWindowedDowntime({
+      events: [
+        selfEvent({ startTime: new Date(now.getTime() - 60 * DAY) }),
+      ],
+      windowStart,
+      windowEnd,
+      now,
+    });
+    expect(result.selfMinutes).toBe((30 * DAY) / 1000 / 60);
+    expect(result.totalMinutes).toBe((30 * DAY) / 1000 / 60);
+  });
+
+  it("splits self vs upstream and clamps each to the window", () => {
+    const result = aggregateWindowedDowntime({
+      events: [
+        selfEvent({
+          startTime: new Date(now.getTime() - 2 * HOUR),
+          endTime: new Date(now.getTime() - 1 * HOUR),
+        }),
+        {
+          startTime: new Date(now.getTime() - 3 * HOUR),
+          endTime: new Date(now.getTime() - 2 * HOUR),
+          attributionType: "upstream",
+          upstreamSystemId: "up-1",
+          upstreamSystemName: "Upstream",
+        },
+      ],
+      windowStart,
+      windowEnd,
+      now,
+    });
+    expect(result.selfMinutes).toBe(60);
+    expect(result.upstreamMinutes).toBe(60);
+    expect(result.totalMinutes).toBe(120);
+    expect(result.entries).toHaveLength(2);
+  });
+
+  it("ignores events fully outside the window", () => {
+    const result = aggregateWindowedDowntime({
+      events: [
+        selfEvent({
+          startTime: new Date(now.getTime() - 40 * DAY),
+          endTime: new Date(now.getTime() - 35 * DAY),
+        }),
+      ],
+      windowStart,
+      windowEnd,
+      now,
+    });
+    expect(result.totalMinutes).toBe(0);
+  });
+});

package/src/downtime-window.ts

@@ -0,0 +1,130 @@
+/**
+ * Pure window-overlap math for SLO downtime accounting.
+ *
+ * A downtime event contributes to an SLO window only for the portion of its
+ * duration that falls inside `[windowStart, windowEnd]`. Open (ongoing) events
+ * have no `endTime` and run until `now`. This is deliberately separate from any
+ * stored `durationSeconds` cache, which is not window-aware: a long outage that
+ * began before the window (the dashboard "100% available + degraded" bug) must
+ * still consume its in-window portion, and an event that straddles a window edge
+ * must be clamped, not counted in full.
+ */
+
+export interface WindowedEventInput {
+  startTime: Date;
+  endTime: Date | null;
+  attributionType: string;
+  upstreamSystemId: string | null;
+  upstreamSystemName: string | null;
+}
+
+export interface WindowedDowntime {
+  totalMinutes: number;
+  selfMinutes: number;
+  upstreamMinutes: number;
+  entries: Array<{
+    attributionType: string;
+    upstreamSystemId: string | null;
+    upstreamSystemName: string | null;
+    totalMinutes: number;
+  }>;
+}
+
+/**
+ * Seconds of a single event that fall inside the window. Open events (no
+ * `endTime`) run to `now`. Returns 0 when the event does not overlap the window.
+ */
+export function eventWindowSeconds({
+  startTime,
+  endTime,
+  windowStart,
+  windowEnd,
+  now,
+}: {
+  startTime: Date;
+  endTime: Date | null;
+  windowStart: Date;
+  windowEnd: Date;
+  now: Date;
+}): number {
+  const end = endTime ?? now;
+  const effectiveStart = Math.max(startTime.getTime(), windowStart.getTime());
+  const effectiveEnd = Math.min(end.getTime(), windowEnd.getTime());
+  const seconds = (effectiveEnd - effectiveStart) / 1000;
+  return Math.max(0, seconds);
+}
+
+/**
+ * Aggregate the in-window downtime across many events, split by attribution and
+ * grouped per source (self, or one bucket per upstream system).
+ */
+export function aggregateWindowedDowntime({
+  events,
+  windowStart,
+  windowEnd,
+  now,
+}: {
+  events: WindowedEventInput[];
+  windowStart: Date;
+  windowEnd: Date;
+  now: Date;
+}): WindowedDowntime {
+  let totalSeconds = 0;
+  let selfSeconds = 0;
+  let upstreamSeconds = 0;
+  const bySource = new Map<
+    string,
+    {
+      attributionType: string;
+      upstreamSystemId: string | null;
+      upstreamSystemName: string | null;
+      totalSeconds: number;
+    }
+  >();
+
+  for (const event of events) {
+    const duration = eventWindowSeconds({
+      startTime: event.startTime,
+      endTime: event.endTime,
+      windowStart,
+      windowEnd,
+      now,
+    });
+    if (duration <= 0) continue;
+
+    totalSeconds += duration;
+    if (event.attributionType === "self") {
+      selfSeconds += duration;
+    } else {
+      upstreamSeconds += duration;
+    }
+
+    const key =
+      event.attributionType === "self"
+        ? "self"
+        : `upstream:${event.upstreamSystemId}`;
+    const existing = bySource.get(key);
+    if (existing) {
+      existing.totalSeconds += duration;
+    } else {
+      bySource.set(key, {
+        attributionType: event.attributionType,
+        upstreamSystemId: event.upstreamSystemId,
+        upstreamSystemName: event.upstreamSystemName,
+        totalSeconds: duration,
+      });
+    }
+  }
+
+  return {
+    totalMinutes: totalSeconds / 60,
+    selfMinutes: selfSeconds / 60,
+    upstreamMinutes: upstreamSeconds / 60,
+    entries: [...bySource.values()].map((e) => ({
+      attributionType: e.attributionType,
+      upstreamSystemId: e.upstreamSystemId,
+      upstreamSystemName: e.upstreamSystemName,
+      totalMinutes: e.totalSeconds / 60,
+    })),
+  };
+}

package/src/index.ts

@@ -1,6 +1,10 @@
 import * as schema from "./schema";
 import type { SafeDatabase } from "@checkstack/backend-api";
 import { z } from "zod";
+import {
+  aiToolProjectionExtensionPoint,
+  deferredProjectionExecute,
+} from "@checkstack/ai-backend";
 import {
   sloAccessRules,
   sloAccess,
@@ -200,6 +204,20 @@ export default createBackendPlugin({
       },
     });
 
+    // Expose this plugin's read-only AI projection (`slo.listObjectives`) via
+    // the AI projection extension point. ai-backend collects its routing in
+    // afterPluginsReady and never imports slo-common.
+    env.getExtensionPoint(aiToolProjectionExtensionPoint).expose({
+      procedure: sloContract.listObjectives,
+      sourcePluginMetadata: pluginMetadata,
+      procedureKey: "listObjectives",
+      name: "slo.listObjectives",
+      description:
+        "List service-level objectives with their current status and error budget. Read-only.",
+      effect: "read",
+      execute: deferredProjectionExecute,
+    });
+
     env.registerInit({
       schema,
       deps: {

package/src/router.ts

@@ -110,25 +110,38 @@ export function createRouter({
     ),
 
     createObjective: os.createObjective.handler(
-      async ({ input }) => {
+      async ({ input, context }) => {
+        // The objective (+ its streak row) is committed atomically here. Once it
+        // returns, the write is durable and the create has SUCCEEDED - the
+        // post-commit steps below are best-effort enrichment/notification and
+        // must never turn a committed create into a client-visible error.
         const objective = await service.createObjective({ input });
 
-        // Reconcile initial state: if system is already down,
-        // open an initial downtime event immediately
-        await engine.reconcileObjective({ objective });
-
-        const status = await engine.computeStatus({ objective });
         // Mutation invariant: db.write → cache.invalidate (await) → signals.emit.
-        await cache.invalidateForMutation({
-          objectiveId: objective.id,
-          systemId: objective.systemId,
-        });
-        await signalService.broadcast(SLO_STATUS_CHANGED, {
-          systemId: objective.systemId,
-          objectiveId: objective.id,
-          budgetRemainingPercent: status.errorBudgetRemainingPercent,
-          isBreaching: status.isBreaching,
-        });
+        // cache.invalidate* and signalService.* are already non-throwing by
+        // platform contract; reconcile/computeStatus are guarded here so a
+        // transient health-read failure can't fail the (already committed) create.
+        try {
+          // Reconcile initial state: if system is already down, open an initial
+          // downtime event immediately.
+          await engine.reconcileObjective({ objective });
+          const status = await engine.computeStatus({ objective });
+          await cache.invalidateForMutation({
+            objectiveId: objective.id,
+            systemId: objective.systemId,
+          });
+          await signalService.broadcast(SLO_STATUS_CHANGED, {
+            systemId: objective.systemId,
+            objectiveId: objective.id,
+            budgetRemainingPercent: status.errorBudgetRemainingPercent,
+            isBreaching: status.isBreaching,
+          });
+        } catch (error) {
+          context.logger.warn(
+            `createObjective: objective ${objective.id} committed, but post-create reconcile/notify failed`,
+            { error },
+          );
+        }
 
         return objective;
       },

package/src/service.ts

@@ -1,6 +1,7 @@
-import { eq, and, isNull, desc, gte, lte } from "drizzle-orm";
+import { eq, and, isNull, desc, gte, lte, or } from "drizzle-orm";
 import type { SafeDatabase } from "@checkstack/backend-api";
 import * as schema from "./schema";
+import { aggregateWindowedDowntime } from "./downtime-window";
 import {
   sloObjectives,
   sloDowntimeEvents,
@@ -69,29 +70,35 @@ export class SloService {
     const id = generateId();
     const now = new Date();
 
-    await this.db.insert(sloObjectives).values({
-      id,
-      systemId: input.systemId,
-       
-      healthCheckConfigurationId: input.healthCheckConfigurationId ?? null,
-      target: input.target,
-      windowDays: input.windowDays,
-      dependencyExclusion: input.dependencyExclusion ?? "strict",
-      excludedDependencyIds: input.excludedDependencyIds ?? [],
-      burnRateWarningPercent: input.burnRateThresholds?.warningPercent ?? 50,
-      burnRateCriticalPercent: input.burnRateThresholds?.criticalPercent ?? 80,
-      burnRateFastBurnMultiplier:
-        input.burnRateThresholds?.fastBurnMultiplier ?? 5,
-      createdAt: now,
-      updatedAt: now,
-    });
-
-    // Create initial streak record
-    await this.db.insert(sloStreaks).values({
-      objectiveId: id,
-      systemId: input.systemId,
-      currentStreak: 0,
-      bestStreak: 0,
+    // Atomic: the objective row and its 1:1 streak row must commit together.
+    // Without the transaction a failure on the streak insert left a committed
+    // objective with no streak (and the client saw an error for a write that
+    // partially succeeded).
+    await this.db.transaction(async (tx) => {
+      await tx.insert(sloObjectives).values({
+        id,
+        systemId: input.systemId,
+
+        healthCheckConfigurationId: input.healthCheckConfigurationId ?? null,
+        target: input.target,
+        windowDays: input.windowDays,
+        dependencyExclusion: input.dependencyExclusion ?? "strict",
+        excludedDependencyIds: input.excludedDependencyIds ?? [],
+        burnRateWarningPercent: input.burnRateThresholds?.warningPercent ?? 50,
+        burnRateCriticalPercent: input.burnRateThresholds?.criticalPercent ?? 80,
+        burnRateFastBurnMultiplier:
+          input.burnRateThresholds?.fastBurnMultiplier ?? 5,
+        createdAt: now,
+        updatedAt: now,
+      });
+
+      // Create initial streak record
+      await tx.insert(sloStreaks).values({
+        objectiveId: id,
+        systemId: input.systemId,
+        currentStreak: 0,
+        bestStreak: 0,
+      });
     });
 
     return (await this.getObjective({ id }))!;
@@ -306,10 +313,19 @@ export class SloService {
     objectiveId,
     windowStart,
     windowEnd,
+    includeOpen,
   }: {
     objectiveId: string;
     windowStart: Date;
     windowEnd: Date;
+    /**
+     * Whether to count still-open events as ongoing downtime (clamped to `now`).
+     * The caller decides this from the system's LIVE health: an open event is
+     * only real ongoing downtime if the system is currently down. When false,
+     * only closed intervals are counted, so a stale/orphaned open event (a
+     * missed-recovery row) has zero effect on the budget.
+     */
+    includeOpen: boolean;
   }): Promise<{
     totalMinutes: number;
     selfMinutes: number;
@@ -321,71 +337,53 @@ export class SloService {
       totalMinutes: number;
     }>;
   }> {
-    // Get closed events within the window
-    const closedEvents = await this.db
-      .select()
-      .from(sloDowntimeEvents)
-      .where(
-        and(
-          eq(sloDowntimeEvents.objectiveId, objectiveId),
-          gte(sloDowntimeEvents.startTime, windowStart),
-          lte(sloDowntimeEvents.startTime, windowEnd),
-        ),
-      );
-
-    // Also include open events (use current time as endTime for running duration)
+    // Closed intervals that OVERLAP the window: started on/before the window end
+    // AND ended on/after the window start. (`endTime >= windowStart` excludes
+    // NULL end times, i.e. open events, in SQL.) An ongoing outage that began
+    // before `windowStart` still consumes its in-window portion - it is not
+    // dropped just because it started earlier.
     const now = new Date();
-    let totalSeconds = 0;
-    let selfSeconds = 0;
-    let upstreamSeconds = 0;
-    const bySource = new Map<
-      string,
-      {
-        attributionType: string;
-        upstreamSystemId: string | null;
-        upstreamSystemName: string | null;
-        totalSeconds: number;
-      }
-    >();
-
-    for (const event of closedEvents) {
-      const duration =
-        event.durationSeconds ??
-        (((event.endTime ?? now).getTime() - event.startTime.getTime()) / 1000);
-
-      totalSeconds += duration;
-      if (event.attributionType === "self") {
-        selfSeconds += duration;
-      } else {
-        upstreamSeconds += duration;
-      }
-
-      const key =
-        event.attributionType === "self"
-          ? "self"
-          : `upstream:${event.upstreamSystemId}`;
-      const existing = bySource.get(key);
-      if (existing) {
-        existing.totalSeconds += duration;
-      } else {
-        bySource.set(key, {
-          attributionType: event.attributionType,
-          upstreamSystemId: event.upstreamSystemId,
-          upstreamSystemName: event.upstreamSystemName,
-          totalSeconds: duration,
-        });
-      }
-    }
-
-    return {
-      totalMinutes: totalSeconds / 60,
-      selfMinutes: selfSeconds / 60,
-      upstreamMinutes: upstreamSeconds / 60,
-      entries: [...bySource.values()].map((e) => ({
-        ...e,
-        totalMinutes: e.totalSeconds / 60,
+    const startBound = lte(sloDowntimeEvents.startTime, windowEnd);
+    const closedOverlap = gte(sloDowntimeEvents.endTime, windowStart);
+    const where = includeOpen
+      ? and(
+          eq(sloDowntimeEvents.objectiveId, objectiveId),
+          startBound,
+          or(closedOverlap, isNull(sloDowntimeEvents.endTime)),
+        )
+      : and(
+          eq(sloDowntimeEvents.objectiveId, objectiveId),
+          startBound,
+          closedOverlap,
+        );
+
+    const events = await this.db.select().from(sloDowntimeEvents).where(where);
+
+    // Clamp each event to the window (open events run to `now`) and aggregate.
+    return aggregateWindowedDowntime({
+      events: events.map((event) => ({
+        startTime: event.startTime,
+        endTime: event.endTime,
+        attributionType: event.attributionType,
+        upstreamSystemId: event.upstreamSystemId,
+        upstreamSystemName: event.upstreamSystemName,
       })),
-    };
+      windowStart,
+      windowEnd,
+      now,
+    });
+  }
+
+  /**
+   * Hard-delete a downtime event. Used to VOID a missed-recovery orphan: an
+   * open event on a system that is currently healthy, whose true recovery time
+   * was never recorded. We do not know the real downtime, the system is healthy,
+   * so the unprovable row is removed rather than counted.
+   */
+  async deleteDowntimeEvent({ id }: { id: string }): Promise<void> {
+    await this.db
+      .delete(sloDowntimeEvents)
+      .where(eq(sloDowntimeEvents.id, id));
   }
 
   async getRecentDowntimeEvents({

package/src/slo-engine.test.ts

@@ -99,6 +99,7 @@ function createMockService(
     closeDowntimeEvent: mock(() =>
       Promise.resolve(createDowntimeEvent({ endTime: new Date(), durationSeconds: 60 })),
     ),
+    deleteDowntimeEvent: mock(() => Promise.resolve()),
     getDowntimeForWindow: mock(() =>
       Promise.resolve({
         totalMinutes: 0,
@@ -565,6 +566,230 @@ describe("SloEngine", () => {
 
       expect(status.isBreaching).toBe(true);
     });
+
+    it("should NOT flag hasOpenDowntime for an open upstream event in self-only mode", async () => {
+      // Regression: an open upstream event must not flip a self-only objective
+      // to "degraded" when no self downtime is counted — otherwise the SLO
+      // reads 100% available + degraded at the same time, which must not happen.
+      const objective = createObjective({
+        target: 99.9,
+        windowDays: 30,
+        dependencyExclusion: "self-only",
+      });
+      const openUpstream = createDowntimeEvent({
+        attributionType: "upstream",
+        upstreamSystemId: "up-1",
+      });
+      mockService = createMockService({
+        objectives: [objective],
+        openEvents: [openUpstream],
+      });
+      mockSignalService = createMockSignalService();
+      mockLogger = createMockLogger();
+
+      engine = new SloEngine({
+        service: mockService,
+        signalService: mockSignalService as never,
+        logger: mockLogger as never,
+      });
+
+      const status = await engine.computeStatus({ objective });
+
+      expect(status.currentAvailability).toBe(100);
+      expect(status.errorBudgetRemainingPercent).toBe(100);
+      // Self-only: an upstream-attributed open event is excluded from budget,
+      // so it must not report open (budget-relevant) downtime.
+      expect(status.hasOpenDowntime).toBe(false);
+    });
+
+    it("should flag hasOpenDowntime for an open self event in self-only mode", async () => {
+      const objective = createObjective({ dependencyExclusion: "self-only" });
+      const openSelf = createDowntimeEvent({ attributionType: "self" });
+      mockService = createMockService({
+        objectives: [objective],
+        openEvents: [openSelf],
+      });
+      mockSignalService = createMockSignalService();
+      mockLogger = createMockLogger();
+
+      engine = new SloEngine({
+        service: mockService,
+        signalService: mockSignalService as never,
+        logger: mockLogger as never,
+      });
+
+      const status = await engine.computeStatus({ objective });
+
+      expect(status.hasOpenDowntime).toBe(true);
+    });
+
+    it("should flag hasOpenDowntime for any open event in strict mode", async () => {
+      const objective = createObjective({ dependencyExclusion: "strict" });
+      const openUpstream = createDowntimeEvent({
+        attributionType: "upstream",
+        upstreamSystemId: "up-1",
+      });
+      mockService = createMockService({
+        objectives: [objective],
+        openEvents: [openUpstream],
+      });
+      mockSignalService = createMockSignalService();
+      mockLogger = createMockLogger();
+
+      engine = new SloEngine({
+        service: mockService,
+        signalService: mockSignalService as never,
+        logger: mockLogger as never,
+      });
+
+      const status = await engine.computeStatus({ objective });
+
+      expect(status.hasOpenDowntime).toBe(true);
+    });
+
+    it("live health is authoritative: a HEALTHY system with an open event is not degraded and excludes it from the budget", async () => {
+      // The dashboard "ongoing while healthy" regression: an orphaned open
+      // event (missed recovery) must not flip a currently-healthy SLO to
+      // degraded/breaching. computeStatus must ask the open path NOT to count
+      // open downtime when the system is healthy.
+      const objective = createObjective({ dependencyExclusion: "self-only" });
+      const openSelf = createDowntimeEvent({ attributionType: "self" });
+      mockService = createMockService({
+        objectives: [objective],
+        openEvents: [openSelf],
+      });
+      mockSignalService = createMockSignalService();
+      mockLogger = createMockLogger();
+
+      engine = new SloEngine({
+        service: mockService,
+        signalService: mockSignalService as never,
+        logger: mockLogger as never,
+      });
+      engine.setHealthStatusCallback(async () => ({ isHealthy: true }));
+
+      const status = await engine.computeStatus({ objective });
+
+      expect(status.hasOpenDowntime).toBe(false);
+      expect(mockService.getDowntimeForWindow).toHaveBeenCalledWith(
+        expect.objectContaining({ includeOpen: false }),
+      );
+    });
+
+    it("live health is authoritative: a DOWN system with an open event counts it and is degraded", async () => {
+      const objective = createObjective({ dependencyExclusion: "self-only" });
+      const openSelf = createDowntimeEvent({ attributionType: "self" });
+      mockService = createMockService({
+        objectives: [objective],
+        openEvents: [openSelf],
+      });
+      mockSignalService = createMockSignalService();
+      mockLogger = createMockLogger();
+
+      engine = new SloEngine({
+        service: mockService,
+        signalService: mockSignalService as never,
+        logger: mockLogger as never,
+      });
+      engine.setHealthStatusCallback(async () => ({ isHealthy: false }));
+
+      const status = await engine.computeStatus({ objective });
+
+      expect(status.hasOpenDowntime).toBe(true);
+      expect(mockService.getDowntimeForWindow).toHaveBeenCalledWith(
+        expect.objectContaining({ includeOpen: true }),
+      );
+    });
+
+    it("skips the health check entirely when there are no open events", async () => {
+      const objective = createObjective();
+      mockService = createMockService({ objectives: [objective] });
+      mockSignalService = createMockSignalService();
+      mockLogger = createMockLogger();
+
+      const healthCallback = mock(async () => ({ isHealthy: true }));
+      engine = new SloEngine({
+        service: mockService,
+        signalService: mockSignalService as never,
+        logger: mockLogger as never,
+      });
+      engine.setHealthStatusCallback(healthCallback);
+
+      await engine.computeStatus({ objective });
+
+      expect(healthCallback).not.toHaveBeenCalled();
+      expect(mockService.getDowntimeForWindow).toHaveBeenCalledWith(
+        expect.objectContaining({ includeOpen: false }),
+      );
+    });
+  });
+
+  describe("voidOrphanedDowntime", () => {
+    it("voids open events when the system is currently healthy (missed-recovery orphan)", async () => {
+      const objective = createObjective();
+      const orphan = createDowntimeEvent({ id: "orphan-1" });
+      mockService = createMockService({
+        objectives: [objective],
+        openEvents: [orphan],
+      });
+      mockSignalService = createMockSignalService();
+      mockLogger = createMockLogger();
+
+      engine = new SloEngine({
+        service: mockService,
+        signalService: mockSignalService as never,
+        logger: mockLogger as never,
+      });
+      engine.setHealthStatusCallback(async () => ({ isHealthy: true }));
+
+      await engine.voidOrphanedDowntime({ objective });
+
+      expect(mockService.deleteDowntimeEvent).toHaveBeenCalledWith({
+        id: "orphan-1",
+      });
+    });
+
+    it("keeps open events when the system is genuinely down", async () => {
+      const objective = createObjective();
+      const openEvent = createDowntimeEvent({ id: "evt-1" });
+      mockService = createMockService({
+        objectives: [objective],
+        openEvents: [openEvent],
+      });
+      mockSignalService = createMockSignalService();
+      mockLogger = createMockLogger();
+
+      engine = new SloEngine({
+        service: mockService,
+        signalService: mockSignalService as never,
+        logger: mockLogger as never,
+      });
+      engine.setHealthStatusCallback(async () => ({ isHealthy: false }));
+
+      await engine.voidOrphanedDowntime({ objective });
+
+      expect(mockService.deleteDowntimeEvent).not.toHaveBeenCalled();
+    });
+
+    it("does nothing when there are no open events", async () => {
+      const objective = createObjective();
+      mockService = createMockService({ objectives: [objective] });
+      mockSignalService = createMockSignalService();
+      mockLogger = createMockLogger();
+
+      const healthCallback = mock(async () => ({ isHealthy: true }));
+      engine = new SloEngine({
+        service: mockService,
+        signalService: mockSignalService as never,
+        logger: mockLogger as never,
+      });
+      engine.setHealthStatusCallback(healthCallback);
+
+      await engine.voidOrphanedDowntime({ objective });
+
+      expect(healthCallback).not.toHaveBeenCalled();
+      expect(mockService.deleteDowntimeEvent).not.toHaveBeenCalled();
+    });
   });
 
   describe("reconcileObjective", () => {

package/src/slo-engine.ts

@@ -83,6 +83,42 @@ export class SloEngine {
     );
   }
 
+  /**
+   * Void missed-recovery orphans: open downtime events on a system that is
+   * currently healthy. The edge-triggered close (on the health recovery
+   * transition) records real downtime accurately; this is the safety net for
+   * when that transition was never delivered (restart, dropped change, recovery
+   * before the SLO close path existed), which would otherwise leave an event
+   * open forever. `computeStatus` already ignores such rows for the budget
+   * (live health is authoritative), so this is row hygiene: it clears the stale
+   * "ongoing" event so it stops showing in history. We delete rather than close
+   * because the true recovery time is unknown and the system is healthy, so the
+   * unprovable downtime must not be counted.
+   *
+   * Runs in a write context (the daily job), never from a read accessor.
+   */
+  async voidOrphanedDowntime({
+    objective,
+  }: {
+    objective: { id: string; systemId: string };
+  }): Promise<void> {
+    const openEvents = await this.service.getOpenDowntimeEventsForObjective({
+      objectiveId: objective.id,
+    });
+    if (openEvents.length === 0) return;
+    if (!this._getSystemHealthStatus) return;
+
+    const health = await this._getSystemHealthStatus(objective.systemId);
+    if (!health.isHealthy) return; // genuinely down — the open event is real
+
+    for (const event of openEvents) {
+      await this.service.deleteDowntimeEvent({ id: event.id });
+    }
+    this.logger.info(
+      `SLO ${objective.id}: voided ${openEvents.length} orphaned open downtime event(s) — system is healthy but a recovery transition was missed`,
+    );
+  }
+
   // ===========================================================================
   // PERSPECTIVE 1: This system's own SLOs
   // ===========================================================================
@@ -300,10 +336,34 @@ export class SloEngine {
       now.getTime() - objective.windowDays * 24 * 60 * 60 * 1000,
     );
 
+    // LIVE HEALTH IS AUTHORITATIVE for "currently down". A stored open downtime
+    // event is only real ongoing downtime if the system is actually down right
+    // now - never trusted on its own. This makes the SLO numbers immune to a
+    // drifted/orphaned event log: a healthy system can never read breaching or
+    // degraded from a stale open row, by construction. The health check is
+    // gated on there being open events at all, so the common (no-open-event)
+    // path does no extra work. This method stays side-effect-free (the reactive
+    // `slo` entity reads through it); orphan rows are voided by the daily job.
+    const openEvents = await this.service.getOpenDowntimeEventsForObjective({
+      objectiveId: objective.id,
+    });
+    let currentlyDown: boolean;
+    if (openEvents.length === 0) {
+      currentlyDown = false;
+    } else if (this._getSystemHealthStatus) {
+      const health = await this._getSystemHealthStatus(objective.systemId);
+      currentlyDown = !health.isHealthy;
+    } else {
+      // Before afterPluginsReady wires the health callback, fall back to
+      // trusting the stored open state (best effort).
+      currentlyDown = true;
+    }
+
     const downtime = await this.service.getDowntimeForWindow({
       objectiveId: objective.id,
       windowStart,
       windowEnd: now,
+      includeOpen: currentlyDown,
     });
 
     const totalWindowMinutes = objective.windowDays * 24 * 60;
@@ -345,10 +405,16 @@ export class SloEngine {
        
       expectedConsumption > 0 ? consumedMinutes / expectedConsumption : null;
 
-    // Check for open downtime events
-    const openEvents = await this.service.getOpenDowntimeEventsForObjective({
-      objectiveId: objective.id,
-    });
+    // "Degraded" (open downtime) requires BOTH that the system is currently
+    // down AND that an open event counts toward this objective's budget. In
+    // self-only mode an open upstream outage is excluded; and a stale open event
+    // on a now-healthy system (currentlyDown === false) never counts - so the
+    // SLO can never read available-and-degraded at once.
+    const budgetRelevantOpenEvents = currentlyDown
+      ? objective.dependencyExclusion === "strict"
+        ? openEvents
+        : openEvents.filter((event) => event.attributionType === "self")
+      : [];
 
     // Build attribution breakdown
     const attribution = downtime.entries.map((entry) => ({
@@ -376,7 +442,7 @@ export class SloEngine {
       burnRate,
       dependencyExclusion: objective.dependencyExclusion,
       isBreaching: effectiveAvailability !== null && effectiveAvailability < objective.target,
-      hasOpenDowntime: openEvents.length > 0,
+      hasOpenDowntime: budgetRelevantOpenEvents.length > 0,
       attribution,
     };
   }

package/src/slo-gitops-kinds.ts

@@ -9,6 +9,7 @@ import {
 import {
   DependencyExclusionModeSchema,
   BurnRateThresholdsSchema,
+  SloWindowDaysSchema,
 } from "@checkstack/slo-common";
 import type { SloService } from "./service";
 
@@ -30,7 +31,7 @@ const sloSpecSchema = z.object({
   systemRef: entityRefSchema,
   healthcheckRef: entityRefSchema.optional(),
   target: z.number().min(0).max(100),
-  windowDays: z.number().int().positive(),
+  windowDays: SloWindowDaysSchema,
   dependencyExclusion: DependencyExclusionModeSchema.optional(),
   excludedDependencyRefs: z.array(entityRefSchema).optional(),
   burnRateThresholds: BurnRateThresholdsSchema.optional(),

package/src/streak-calculator.ts

@@ -75,6 +75,11 @@ export async function runDailySnapshotJob(deps: {
 
   for (const objective of objectives) {
     try {
+      // Hygiene: clear missed-recovery orphans (open events on healthy systems)
+      // before snapshotting, so the trend reflects reality. computeStatus is
+      // already immune to such rows, but this stops them lingering in history.
+      await engine.voidOrphanedDowntime({ objective });
+
       const status = await engine.computeStatus({ objective });
 
       // 1. Persist daily snapshot

package/tsconfig.json

@@ -4,6 +4,9 @@
     "src"
   ],
   "references": [
+    {
+      "path": "../ai-backend"
+    },
     {
       "path": "../automation-backend"
     },