@hasna/uptime 0.1.1 → 0.1.3

package/dist/store.js

@@ -9,6 +9,9 @@ function uptimeHome() {
 function uptimeDbPath() {
   return process.env.HASNA_UPTIME_DB || join(uptimeHome(), "uptime.db");
 }
+function uptimeHostedFallbackDbPath() {
+  return process.env.HASNA_UPTIME_HOSTED_FALLBACK_DB || join(uptimeHome(), "hosted-fallback", "uptime.db");
+}
 function ensureUptimeHome() {
   const home = uptimeHome();
   mkdirSync(home, { recursive: true });
@@ -16,11 +19,84 @@ function ensureUptimeHome() {
 }
 
 // src/store.ts
-import { mkdirSync as mkdirSync2 } from "fs";
-import { dirname } from "path";
+import { copyFileSync, existsSync, mkdirSync as mkdirSync2, statSync } from "fs";
+import { dirname, join as join2 } from "path";
 import { randomUUID } from "crypto";
 import { Database } from "bun:sqlite";
 
+// src/target-policy.ts
+import net from "net";
+var SECRET_PARAM_PATTERN = /(token|secret|password|passwd|api[_-]?key|access[_-]?token|auth|credential|session)/i;
+function assertHostedTargetAllowed(target) {
+  if (target.kind === "http" || target.kind === "browser_page") {
+    if (!target.url)
+      throw new Error("HTTP monitors require url");
+    assertHostedHttpUrlAllowed(target.url);
+    return;
+  }
+  if (target.kind === "tcp") {
+    if (!target.host)
+      throw new Error("TCP monitors require host");
+    assertHostedHostAllowed(target.host, "TCP host");
+    if (!Number.isInteger(target.port) || target.port <= 0 || target.port > 65535) {
+      throw new Error("TCP monitors require a port from 1 to 65535");
+    }
+    return;
+  }
+  throw new Error("Monitor kind must be http, tcp, or browser_page");
+}
+function assertHostedHttpUrlAllowed(value) {
+  const parsed = new URL(value);
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    throw new Error("HTTP monitor url must use http or https");
+  }
+  if (parsed.username || parsed.password) {
+    throw new Error("hosted target URLs must not contain userinfo");
+  }
+  for (const key of parsed.searchParams.keys()) {
+    if (SECRET_PARAM_PATTERN.test(key)) {
+      throw new Error(`hosted target URL query parameter is not allowed: ${key}`);
+    }
+  }
+  if (parsed.hash && SECRET_PARAM_PATTERN.test(parsed.hash)) {
+    throw new Error("hosted target URL fragment contains secret-like data");
+  }
+  assertHostedHostAllowed(parsed.hostname, "HTTP host");
+}
+function assertHostedHostAllowed(hostname, label = "host") {
+  const host = normalizeHost(hostname);
+  if (!host)
+    throw new Error(`${label} is required`);
+  if (host === "localhost" || host.endsWith(".localhost")) {
+    throw new Error(`${label} is not allowed in hosted mode: localhost`);
+  }
+  if (host.endsWith(".local") || host.endsWith(".internal")) {
+    throw new Error(`${label} is not allowed in hosted mode: private DNS name`);
+  }
+  const ipVersion = net.isIP(host);
+  if (ipVersion === 4 && isDeniedIpv4(host)) {
+    throw new Error(`${label} is not allowed in hosted mode: private or reserved IPv4`);
+  }
+  if (ipVersion === 6 && isDeniedIpv6(host)) {
+    throw new Error(`${label} is not allowed in hosted mode: private or reserved IPv6`);
+  }
+}
+function normalizeHost(hostname) {
+  return hostname.trim().toLowerCase().replace(/^\[|\]$/g, "").replace(/\.$/, "");
+}
+function isDeniedIpv4(ip) {
+  const parts = ip.split(".").map((part) => Number(part));
+  if (parts.length !== 4 || parts.some((part) => !Number.isInteger(part) || part < 0 || part > 255)) {
+    return true;
+  }
+  const [a, b] = parts;
+  return a === 0 || a === 10 || a === 127 || a === 100 && b >= 64 && b <= 127 || a === 169 && b === 254 || a === 172 && b >= 16 && b <= 31 || a === 192 && b === 168 || a >= 224;
+}
+function isDeniedIpv6(ip) {
+  const normalized = ip.toLowerCase();
+  return normalized === "::" || normalized === "::1" || normalized.startsWith("fe80:") || normalized.startsWith("fc") || normalized.startsWith("fd") || normalized.startsWith("ff") || normalized.startsWith("::ffff:127.") || normalized.startsWith("::ffff:10.") || normalized.startsWith("::ffff:169.254.") || /^::ffff:172\.(1[6-9]|2\d|3[0-1])\./.test(normalized) || normalized.startsWith("::ffff:192.168.");
+}
+
 // src/limits.ts
 var MIN_INTERVAL_SECONDS = 1;
 var MAX_INTERVAL_SECONDS = 86400;
@@ -31,6 +107,11 @@ var MAX_RETRY_COUNT = 10;
 var MAX_RESULT_LIMIT = 1000;
 
 // src/store.ts
+var SECRET_URL_PARAM_PATTERN = /(token|secret|password|passwd|api[_-]?key|access[_-]?token|auth|credential|session)/i;
+var REQUIRED_TABLES = ["schema_migrations", "monitors", "check_results", "incidents", "check_leases", "monitor_provenance", "import_batches", "probe_identities", "probe_check_jobs", "probe_submissions"];
+var PROBE_TABLES = new Set(["probe_identities", "probe_check_jobs", "probe_submissions"]);
+var CURRENT_SCHEMA_VERSION = "2";
+
 class StaleCheckResultError extends Error {
   constructor(message) {
     super(message);
@@ -40,9 +121,20 @@ class StaleCheckResultError extends Error {
 
 class UptimeStore {
   dbPath;
+  mode;
+  dataMode;
   db;
   constructor(options = {}) {
-    this.dbPath = options.dbPath ?? uptimeDbPath();
+    this.mode = resolveRuntimeMode(options.mode ?? "local");
+    const cloudDatabaseUrl = options.cloudDatabaseUrl ?? process.env.HASNA_UPTIME_DATABASE_URL;
+    if (this.mode === "hosted" && cloudDatabaseUrl) {
+      throw new Error("hosted cloud database adapter is not implemented yet");
+    }
+    if (this.mode === "hosted" && !allowHostedLocalStore(options.allowHostedLocalStore)) {
+      throw new Error("hosted mode requires a cloud data layer; set HASNA_UPTIME_ALLOW_HOSTED_LOCAL_STORE=1 only for explicit local fallback testing");
+    }
+    this.dataMode = this.mode === "hosted" ? "hosted-local-sqlite" : "local-sqlite";
+    this.dbPath = options.dbPath ?? (this.mode === "hosted" ? uptimeHostedFallbackDbPath() : uptimeDbPath());
     if (this.dbPath !== ":memory:") {
       mkdirSync2(dirname(this.dbPath), { recursive: true });
     }
@@ -59,7 +151,7 @@ class UptimeStore {
       CREATE TABLE IF NOT EXISTS monitors (
         id TEXT PRIMARY KEY,
         name TEXT NOT NULL UNIQUE,
-        kind TEXT NOT NULL CHECK (kind IN ('http', 'tcp')),
+        kind TEXT NOT NULL CHECK (kind IN ('http', 'tcp', 'browser_page')),
         url TEXT,
         host TEXT,
         port INTEGER,
@@ -77,6 +169,7 @@ class UptimeStore {
       )
     `);
     this.ensureColumn("monitors", "revision", "INTEGER NOT NULL DEFAULT 1");
+    this.ensureMonitorKindAllowsBrowserPage();
     this.db.run(`
       CREATE TABLE IF NOT EXISTS check_results (
         id TEXT PRIMARY KEY,
@@ -86,9 +179,11 @@ class UptimeStore {
         latency_ms REAL,
         status_code INTEGER,
         error TEXT,
-        attempt_count INTEGER NOT NULL DEFAULT 1
+        attempt_count INTEGER NOT NULL DEFAULT 1,
+        evidence_json TEXT
       )
     `);
+    this.ensureColumn("check_results", "evidence_json", "TEXT");
     this.db.run(`
       CREATE TABLE IF NOT EXISTS incidents (
         id TEXT PRIMARY KEY,
@@ -102,6 +197,71 @@ class UptimeStore {
         reason TEXT
       )
     `);
+    this.db.run(`
+      CREATE TABLE IF NOT EXISTS monitor_provenance (
+        monitor_id TEXT NOT NULL REFERENCES monitors(id) ON DELETE CASCADE,
+        source TEXT NOT NULL,
+        source_id TEXT NOT NULL,
+        source_label TEXT,
+        imported_at TEXT NOT NULL,
+        snapshot_json TEXT NOT NULL,
+        PRIMARY KEY (source, source_id)
+      )
+    `);
+    this.db.run(`
+      CREATE TABLE IF NOT EXISTS import_batches (
+        id TEXT PRIMARY KEY,
+        source TEXT NOT NULL,
+        status TEXT NOT NULL CHECK (status IN ('applied', 'rolled_back')),
+        created_at TEXT NOT NULL,
+        rolled_back_at TEXT,
+        records_json TEXT NOT NULL
+      )
+    `);
+    this.db.run(`
+      CREATE TABLE IF NOT EXISTS probe_identities (
+        id TEXT PRIMARY KEY,
+        name TEXT NOT NULL UNIQUE,
+        public_key_pem TEXT NOT NULL,
+        public_key_fingerprint TEXT NOT NULL UNIQUE,
+        enabled INTEGER NOT NULL DEFAULT 1,
+        created_at TEXT NOT NULL,
+        last_seen_at TEXT
+      )
+    `);
+    this.db.run(`
+      CREATE TABLE IF NOT EXISTS probe_submissions (
+        id TEXT PRIMARY KEY,
+        probe_id TEXT NOT NULL REFERENCES probe_identities(id) ON DELETE CASCADE,
+        job_id TEXT NOT NULL,
+        monitor_id TEXT NOT NULL REFERENCES monitors(id) ON DELETE CASCADE,
+        check_result_id TEXT NOT NULL REFERENCES check_results(id) ON DELETE CASCADE,
+        nonce TEXT NOT NULL,
+        checked_at TEXT NOT NULL,
+        submitted_at TEXT NOT NULL,
+        UNIQUE (probe_id, nonce)
+      )
+    `);
+    this.ensureColumn("probe_submissions", "job_id", "TEXT");
+    this.db.run(`
+      CREATE TABLE IF NOT EXISTS probe_check_jobs (
+        id TEXT PRIMARY KEY,
+        monitor_id TEXT NOT NULL REFERENCES monitors(id) ON DELETE CASCADE,
+        monitor_revision INTEGER NOT NULL DEFAULT 1,
+        schedule_slot TEXT NOT NULL,
+        status TEXT NOT NULL CHECK (status IN ('pending', 'claimed', 'submitted', 'expired', 'cancelled')),
+        claimed_by_probe_id TEXT REFERENCES probe_identities(id) ON DELETE SET NULL,
+        fencing_token TEXT,
+        due_at TEXT NOT NULL,
+        claimed_at TEXT,
+        lease_expires_at TEXT,
+        submitted_result_id TEXT REFERENCES check_results(id) ON DELETE SET NULL,
+        created_at TEXT NOT NULL,
+        updated_at TEXT NOT NULL,
+        UNIQUE (monitor_id, schedule_slot)
+      )
+    `);
+    this.ensureColumn("probe_check_jobs", "monitor_revision", "INTEGER NOT NULL DEFAULT 1");
     this.db.run(`
       CREATE TABLE IF NOT EXISTS check_leases (
         monitor_id TEXT PRIMARY KEY REFERENCES monitors(id) ON DELETE CASCADE,
@@ -110,12 +270,71 @@ class UptimeStore {
         acquired_at TEXT NOT NULL
       )
     `);
+    this.db.run(`
+      CREATE TABLE IF NOT EXISTS schema_migrations (
+        key TEXT PRIMARY KEY,
+        value TEXT NOT NULL,
+        updated_at TEXT NOT NULL
+      )
+    `);
+    this.db.query("INSERT OR REPLACE INTO schema_migrations (key, value, updated_at) VALUES ('schema_version', ?, ?)").run(CURRENT_SCHEMA_VERSION, new Date().toISOString());
     this.db.run("CREATE INDEX IF NOT EXISTS idx_results_monitor_time ON check_results(monitor_id, checked_at DESC)");
     this.db.run("CREATE INDEX IF NOT EXISTS idx_incidents_monitor_status ON incidents(monitor_id, status)");
     this.db.run("CREATE INDEX IF NOT EXISTS idx_check_leases_until ON check_leases(leased_until)");
+    this.db.run("CREATE INDEX IF NOT EXISTS idx_monitor_provenance_monitor ON monitor_provenance(monitor_id)");
+    this.db.run("CREATE INDEX IF NOT EXISTS idx_probe_jobs_status_due ON probe_check_jobs(status, due_at)");
+    this.db.run("CREATE INDEX IF NOT EXISTS idx_probe_jobs_probe_status ON probe_check_jobs(claimed_by_probe_id, status)");
+    this.db.run("CREATE INDEX IF NOT EXISTS idx_probe_submissions_probe_time ON probe_submissions(probe_id, submitted_at DESC)");
+    this.db.run("CREATE INDEX IF NOT EXISTS idx_probe_submissions_monitor_time ON probe_submissions(monitor_id, checked_at DESC)");
+    this.db.run("CREATE UNIQUE INDEX IF NOT EXISTS idx_probe_submissions_job ON probe_submissions(job_id) WHERE job_id IS NOT NULL AND job_id != ''");
   }
-  createMonitor(input) {
-    const normalized = normalizeCreateMonitor(input);
+  backup(destinationPath) {
+    if (this.dbPath === ":memory:" && !destinationPath) {
+      throw new Error("backup path is required for in-memory stores");
+    }
+    const createdAt = new Date().toISOString();
+    const backupPath = destinationPath ?? join2(dirname(this.dbPath), "backups", `uptime-${createdAt.replace(/[:.]/g, "-")}.db`);
+    mkdirSync2(dirname(backupPath), { recursive: true });
+    if (this.dbPath === ":memory:") {
+      this.vacuumInto(backupPath);
+    } else {
+      this.db.run("PRAGMA wal_checkpoint(TRUNCATE)");
+      copyFileSync(this.dbPath, backupPath);
+    }
+    const bytes = statSync(backupPath).size;
+    return { sourcePath: this.dbPath, backupPath, bytes, createdAt };
+  }
+  verifyBackup(backupPath) {
+    return verifyBackupFile(backupPath);
+  }
+  static verifyBackup(backupPath) {
+    return verifyBackupFile(backupPath);
+  }
+  static restoreBackup(backupPath, destinationPath = uptimeDbPath()) {
+    const check = verifyBackupFile(backupPath);
+    if (!check.ok)
+      throw new Error(`backup integrity check failed: ${check.integrity}`);
+    if (destinationPath === ":memory:")
+      throw new Error("cannot restore a backup to an in-memory store");
+    if (existsSync(destinationPath) || existsSync(`${destinationPath}-wal`) || existsSync(`${destinationPath}-shm`)) {
+      throw new Error("restore destination already exists or has SQLite sidecar files");
+    }
+    mkdirSync2(dirname(destinationPath), { recursive: true });
+    copyFileSync(backupPath, destinationPath);
+    const bytes = statSync(destinationPath).size;
+    return {
+      sourcePath: backupPath,
+      backupPath: destinationPath,
+      bytes,
+      createdAt: new Date().toISOString()
+    };
+  }
+  createMonitor(input, options = {}) {
+    if (this.mode === "hosted")
+      assertHostedTargetAllowed(input);
+    const normalized = normalizeCreateMonitor(input, options.allowBrowserPage === true);
+    if (this.mode === "hosted")
+      assertHostedTargetAllowed(normalized);
     const now = new Date().toISOString();
     const monitor = {
       id: newId("mon"),
@@ -151,12 +370,22 @@ class UptimeStore {
     const row = this.db.query("SELECT * FROM monitors WHERE id = ? OR name = ?").get(idOrName, idOrName);
     return row ? monitorFromRow(row) : null;
   }
-  updateMonitor(idOrName, input) {
+  updateMonitor(idOrName, input, options = {}) {
     const current = this.getMonitor(idOrName);
     if (!current)
       throw new Error(`Monitor not found: ${idOrName}`);
+    if (this.mode === "hosted") {
+      assertHostedTargetAllowed({
+        kind: input.kind ?? current.kind,
+        url: input.url ?? current.url ?? undefined,
+        host: input.host ?? current.host ?? undefined,
+        port: input.port ?? current.port ?? undefined
+      });
+    }
     const updatedAt = new Date().toISOString();
-    const next = normalizeUpdateMonitor(current, input, updatedAt);
+    const next = normalizeUpdateMonitor(current, input, updatedAt, options.allowBrowserPage === true);
+    if (this.mode === "hosted")
+      assertHostedTargetAllowed(next);
     this.db.query(`UPDATE monitors SET
           name = ?, kind = ?, url = ?, host = ?, port = ?, method = ?,
           expected_status = ?, interval_seconds = ?, timeout_ms = ?,
@@ -175,6 +404,185 @@ class UptimeStore {
     this.db.query("DELETE FROM monitors WHERE id = ?").run(current.id);
     return true;
   }
+  createProbeIdentity(input) {
+    const name = input.name.trim();
+    if (!name)
+      throw new Error("Probe name is required");
+    rejectControlCharacters(name, "Probe name");
+    const now = new Date().toISOString();
+    const probe = {
+      id: newId("prb"),
+      name,
+      publicKeyPem: input.publicKeyPem.trim(),
+      publicKeyFingerprint: input.publicKeyFingerprint,
+      enabled: input.enabled ?? true,
+      createdAt: now,
+      lastSeenAt: null
+    };
+    if (!probe.publicKeyPem)
+      throw new Error("Probe public key is required");
+    this.db.query(`INSERT INTO probe_identities (
+          id, name, public_key_pem, public_key_fingerprint, enabled, created_at, last_seen_at
+        ) VALUES (?, ?, ?, ?, ?, ?, ?)`).run(probe.id, probe.name, probe.publicKeyPem, probe.publicKeyFingerprint, probe.enabled ? 1 : 0, probe.createdAt, probe.lastSeenAt);
+    return probe;
+  }
+  listProbeIdentities(options = {}) {
+    const rows = options.includeDisabled ? this.db.query("SELECT * FROM probe_identities ORDER BY name ASC").all() : this.db.query("SELECT * FROM probe_identities WHERE enabled = 1 ORDER BY name ASC").all();
+    return rows.map(probeIdentityFromRow);
+  }
+  getProbeIdentity(idOrName) {
+    const row = this.db.query("SELECT * FROM probe_identities WHERE id = ? OR name = ?").get(idOrName, idOrName);
+    return row ? probeIdentityFromRow(row) : null;
+  }
+  updateProbeIdentity(idOrName, input) {
+    const current = this.getProbeIdentity(idOrName);
+    if (!current)
+      throw new Error(`Probe not found: ${idOrName}`);
+    const name = input.name === undefined ? current.name : input.name.trim();
+    if (!name)
+      throw new Error("Probe name is required");
+    rejectControlCharacters(name, "Probe name");
+    const enabled = input.enabled ?? current.enabled;
+    this.db.query("UPDATE probe_identities SET name = ?, enabled = ? WHERE id = ?").run(name, enabled ? 1 : 0, current.id);
+    return this.getProbeIdentity(current.id);
+  }
+  touchProbeIdentity(idOrName, seenAt = new Date().toISOString()) {
+    const probe = this.getProbeIdentity(idOrName);
+    if (!probe)
+      throw new Error(`Probe not found: ${idOrName}`);
+    this.db.query("UPDATE probe_identities SET last_seen_at = ? WHERE id = ?").run(seenAt, probe.id);
+  }
+  createProbeCheckJob(input) {
+    const monitor = this.getMonitor(input.monitorId);
+    if (!monitor)
+      throw new Error(`Monitor not found: ${input.monitorId}`);
+    if (!monitor.enabled)
+      throw new Error(`Monitor is disabled: ${monitor.name}`);
+    const scheduleSlot = normalizeScheduleSlot(input.scheduleSlot);
+    const dueAt = input.dueAt ?? new Date().toISOString();
+    assertIsoTimestamp(dueAt, "Probe job dueAt");
+    const now = new Date().toISOString();
+    const existing = this.db.query("SELECT * FROM probe_check_jobs WHERE monitor_id = ? AND schedule_slot = ?").get(monitor.id, scheduleSlot);
+    if (existing)
+      return probeCheckJobFromRow(existing);
+    const job = {
+      id: newId("job"),
+      monitorId: monitor.id,
+      monitorRevision: monitor.revision,
+      scheduleSlot,
+      status: "pending",
+      claimedByProbeId: null,
+      fencingToken: null,
+      dueAt,
+      claimedAt: null,
+      leaseExpiresAt: null,
+      submittedResultId: null,
+      createdAt: now,
+      updatedAt: now
+    };
+    this.db.query(`INSERT INTO probe_check_jobs (
+          id, monitor_id, monitor_revision, schedule_slot, status, claimed_by_probe_id, fencing_token,
+          due_at, claimed_at, lease_expires_at, submitted_result_id, created_at, updated_at
+        ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(job.id, job.monitorId, job.monitorRevision, job.scheduleSlot, job.status, job.claimedByProbeId, job.fencingToken, job.dueAt, job.claimedAt, job.leaseExpiresAt, job.submittedResultId, job.createdAt, job.updatedAt);
+    return job;
+  }
+  getProbeCheckJob(id) {
+    const row = this.db.query("SELECT * FROM probe_check_jobs WHERE id = ?").get(id);
+    return row ? probeCheckJobFromRow(row) : null;
+  }
+  claimProbeCheckJob(input) {
+    const tx = this.db.transaction(() => {
+      const probe = this.getProbeIdentity(input.probeId);
+      if (!probe)
+        throw new Error(`Probe not found: ${input.probeId}`);
+      if (!probe.enabled)
+        throw new Error(`Probe is disabled: ${probe.name}`);
+      const current = this.getProbeCheckJob(input.jobId);
+      if (!current)
+        throw new Error(`Probe job not found: ${input.jobId}`);
+      const now = new Date;
+      const nowIso = now.toISOString();
+      if (current.status === "submitted")
+        throw new Error("Probe job already submitted");
+      if (current.status === "cancelled")
+        throw new Error("Probe job is cancelled");
+      if (current.dueAt > nowIso)
+        throw new Error("Probe job is not due yet");
+      const leaseExpired = Boolean(current.leaseExpiresAt && current.leaseExpiresAt <= nowIso);
+      if (current.status === "claimed" && !leaseExpired && current.claimedByProbeId !== probe.id) {
+        throw new Error("Probe job already claimed by another probe");
+      }
+      if (current.status !== "pending" && current.status !== "claimed" && current.status !== "expired") {
+        throw new Error(`Probe job is not claimable: ${current.status}`);
+      }
+      const leaseExpiresAt = new Date(now.getTime() + Math.max(1000, input.leaseTtlMs ?? 120000)).toISOString();
+      const fencingToken = newId("fence");
+      const update = this.db.query(`UPDATE probe_check_jobs
+           SET status = 'claimed', claimed_by_probe_id = ?, fencing_token = ?, claimed_at = ?, lease_expires_at = ?, updated_at = ?
+           WHERE id = ?
+             AND submitted_result_id IS NULL
+             AND (
+               status IN ('pending', 'expired')
+               OR (status = 'claimed' AND (claimed_by_probe_id = ? OR lease_expires_at <= ?))
+             )`).run(probe.id, fencingToken, nowIso, leaseExpiresAt, nowIso, current.id, probe.id, nowIso);
+      if (statementChanges(update) !== 1)
+        throw new Error("Probe job claim raced; retry");
+      this.touchProbeIdentity(probe.id, nowIso);
+      return this.getProbeCheckJob(current.id);
+    });
+    return tx();
+  }
+  completeProbeCheckJob(input) {
+    const job = this.getProbeCheckJob(input.jobId);
+    if (!job)
+      throw new Error(`Probe job not found: ${input.jobId}`);
+    const submittedAt = input.submittedAt ?? new Date().toISOString();
+    if (job.status !== "claimed")
+      throw new Error(`Probe job is not claimable for submission: ${job.status}`);
+    if (job.claimedByProbeId !== input.probeId)
+      throw new Error("Probe job was claimed by another probe");
+    if (job.fencingToken !== input.fencingToken)
+      throw new Error("Probe job fencing token is invalid");
+    if (!job.leaseExpiresAt || job.leaseExpiresAt <= submittedAt) {
+      this.expireProbeCheckJob(job.id, submittedAt);
+      throw new Error("Probe job lease expired");
+    }
+    const update = this.db.query(`UPDATE probe_check_jobs
+         SET status = 'submitted', submitted_result_id = ?, updated_at = ?
+         WHERE id = ?
+           AND status = 'claimed'
+           AND claimed_by_probe_id = ?
+           AND fencing_token = ?
+           AND lease_expires_at > ?
+           AND submitted_result_id IS NULL`).run(input.checkResultId, submittedAt, job.id, input.probeId, input.fencingToken, submittedAt);
+    if (statementChanges(update) !== 1)
+      throw new Error("Probe job submission raced; retry");
+    return this.getProbeCheckJob(job.id);
+  }
+  expireProbeCheckJob(jobId, updatedAt = new Date().toISOString()) {
+    this.db.query("UPDATE probe_check_jobs SET status = 'expired', updated_at = ? WHERE id = ? AND status != 'submitted'").run(updatedAt, jobId);
+  }
+  getProbeSubmission(probeId, nonce) {
+    const row = this.db.query("SELECT * FROM probe_submissions WHERE probe_id = ? AND nonce = ?").get(probeId, nonce);
+    return row ? probeSubmissionFromRow(row) : null;
+  }
+  recordProbeSubmission(input) {
+    const submittedAt = input.submittedAt ?? new Date().toISOString();
+    const receipt = {
+      id: newId("psb"),
+      probeId: input.probeId,
+      jobId: input.jobId,
+      monitorId: input.monitorId,
+      checkResultId: input.checkResultId,
+      nonce: input.nonce,
+      checkedAt: input.checkedAt,
+      submittedAt
+    };
+    this.db.query(`INSERT INTO probe_submissions (
+          id, probe_id, job_id, monitor_id, check_result_id, nonce, checked_at, submitted_at
+        ) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`).run(receipt.id, receipt.probeId, receipt.jobId, receipt.monitorId, receipt.checkResultId, receipt.nonce, receipt.checkedAt, receipt.submittedAt);
+    return receipt;
+  }
   acquireCheckLease(monitorId, owner, ttlMs) {
     const now = new Date;
     const nowIso = now.toISOString();
@@ -209,7 +617,8 @@ class UptimeStore {
       latencyMs: input.latencyMs,
       statusCode: input.statusCode,
       error: input.error,
-      attemptCount: Math.max(1, input.attemptCount)
+      attemptCount: Math.max(1, input.attemptCount),
+      evidence: input.evidence ?? null
     };
     const tx = this.db.transaction(() => {
       const current = this.db.query("SELECT * FROM monitors WHERE id = ?").get(result.monitorId);
@@ -222,19 +631,59 @@ class UptimeStore {
         throw new StaleCheckResultError(`Monitor was disabled while check was in progress: ${current.name}`);
       }
       this.db.query(`INSERT INTO check_results (
-            id, monitor_id, checked_at, status, latency_ms, status_code, error, attempt_count
-          ) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`).run(result.id, result.monitorId, result.checkedAt, result.status, result.latencyMs, result.statusCode, result.error, result.attemptCount);
+            id, monitor_id, checked_at, status, latency_ms, status_code, error, attempt_count, evidence_json
+          ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(result.id, result.monitorId, result.checkedAt, result.status, result.latencyMs, result.statusCode, result.error, result.attemptCount, result.evidence ? JSON.stringify(result.evidence) : null);
       this.db.query("UPDATE monitors SET status = ?, last_checked_at = ?, updated_at = ? WHERE id = ?").run(result.status, result.checkedAt, result.checkedAt, result.monitorId);
       this.reconcileIncidentInTransaction(result);
     });
     tx();
     return result;
   }
+  getCheckResult(id) {
+    const row = this.db.query("SELECT * FROM check_results WHERE id = ?").get(id);
+    return row ? checkResultFromRow(row) : null;
+  }
   listResults(options = {}) {
     const limit = clampLimit(options.limit ?? 50);
     const rows = options.monitorId ? this.db.query("SELECT * FROM check_results WHERE monitor_id = ? ORDER BY checked_at DESC LIMIT ?").all(options.monitorId, limit) : this.db.query("SELECT * FROM check_results ORDER BY checked_at DESC LIMIT ?").all(limit);
     return rows.map(checkResultFromRow);
   }
+  getProvenance(source, sourceId) {
+    const row = this.db.query("SELECT * FROM monitor_provenance WHERE source = ? AND source_id = ?").get(source, sourceId);
+    return row ? provenanceFromRow(row) : null;
+  }
+  upsertMonitorProvenance(input) {
+    const importedAt = new Date().toISOString();
+    this.db.query(`INSERT INTO monitor_provenance (
+          monitor_id, source, source_id, source_label, imported_at, snapshot_json
+        ) VALUES (?, ?, ?, ?, ?, ?)
+        ON CONFLICT(source, source_id) DO UPDATE SET
+          monitor_id = excluded.monitor_id,
+          source_label = excluded.source_label,
+          imported_at = excluded.imported_at,
+          snapshot_json = excluded.snapshot_json`).run(input.monitorId, input.source, input.sourceId, input.sourceLabel ?? null, importedAt, JSON.stringify(input.snapshot));
+    return this.getProvenance(input.source, input.sourceId);
+  }
+  saveImportBatch(input) {
+    const createdAt = new Date().toISOString();
+    this.db.query("INSERT INTO import_batches (id, source, status, created_at, rolled_back_at, records_json) VALUES (?, ?, 'applied', ?, NULL, ?)").run(input.id, input.source, createdAt, JSON.stringify(input.records));
+    return this.getImportBatch(input.id);
+  }
+  getImportBatch(batchId) {
+    const row = this.db.query("SELECT * FROM import_batches WHERE id = ?").get(batchId);
+    return row ? importBatchFromRow(row) : null;
+  }
+  markImportBatchRolledBack(batchId) {
+    const rolledBackAt = new Date().toISOString();
+    this.db.query("UPDATE import_batches SET status = 'rolled_back', rolled_back_at = ? WHERE id = ?").run(rolledBackAt, batchId);
+    const batch = this.getImportBatch(batchId);
+    if (!batch)
+      throw new Error(`Import batch not found: ${batchId}`);
+    return batch;
+  }
+  runInTransaction(fn) {
+    return this.db.transaction(fn)();
+  }
   listIncidents(options = {}) {
     const clauses = [];
     const args = [];
@@ -322,8 +771,104 @@ class UptimeStore {
       this.db.run(`ALTER TABLE ${table} ADD COLUMN ${name} ${definition}`);
     }
   }
+  ensureMonitorKindAllowsBrowserPage() {
+    const row = this.db.query("SELECT sql FROM sqlite_master WHERE type = 'table' AND name = 'monitors'").get();
+    if (!row?.sql || row.sql.includes("browser_page"))
+      return;
+    this.db.run("PRAGMA foreign_keys = OFF");
+    this.db.run("PRAGMA legacy_alter_table = ON");
+    try {
+      const migrate = this.db.transaction(() => {
+        this.db.run("ALTER TABLE monitors RENAME TO monitors_old_kind");
+        this.db.run(`
+          CREATE TABLE monitors (
+            id TEXT PRIMARY KEY,
+            name TEXT NOT NULL UNIQUE,
+            kind TEXT NOT NULL CHECK (kind IN ('http', 'tcp', 'browser_page')),
+            url TEXT,
+            host TEXT,
+            port INTEGER,
+            method TEXT NOT NULL DEFAULT 'GET',
+            expected_status INTEGER,
+            interval_seconds INTEGER NOT NULL DEFAULT 60,
+            timeout_ms INTEGER NOT NULL DEFAULT 5000,
+            retry_count INTEGER NOT NULL DEFAULT 0,
+            enabled INTEGER NOT NULL DEFAULT 1,
+            status TEXT NOT NULL DEFAULT 'unknown',
+            last_checked_at TEXT,
+            revision INTEGER NOT NULL DEFAULT 1,
+            created_at TEXT NOT NULL,
+            updated_at TEXT NOT NULL
+          )
+        `);
+        this.db.run(`
+          INSERT INTO monitors (
+            id, name, kind, url, host, port, method, expected_status,
+            interval_seconds, timeout_ms, retry_count, enabled, status,
+            last_checked_at, revision, created_at, updated_at
+          )
+          SELECT
+            id, name, kind, url, host, port, method, expected_status,
+            interval_seconds, timeout_ms, retry_count, enabled, status,
+            last_checked_at, revision, created_at, updated_at
+          FROM monitors_old_kind
+        `);
+        this.db.run("DROP TABLE monitors_old_kind");
+      });
+      migrate();
+    } finally {
+      this.db.run("PRAGMA legacy_alter_table = OFF");
+      this.db.run("PRAGMA foreign_keys = ON");
+    }
+  }
+  vacuumInto(backupPath) {
+    const quoted = backupPath.replace(/'/g, "''");
+    this.db.run(`VACUUM INTO '${quoted}'`);
+  }
+}
+function resolveRuntimeMode(mode) {
+  const value = mode ?? process.env.HASNA_UPTIME_MODE ?? "local";
+  if (value === "local" || value === "hosted")
+    return value;
+  throw new Error("HASNA_UPTIME_MODE must be local or hosted");
+}
+function allowHostedLocalStore(value) {
+  return value === true || process.env.HASNA_UPTIME_ALLOW_HOSTED_LOCAL_STORE === "1";
+}
+function verifyBackupFile(backupPath) {
+  const db = new Database(backupPath, { readonly: true });
+  try {
+    const integrityRow = db.query("PRAGMA integrity_check").get();
+    const integrity = String(integrityRow?.integrity_check ?? "unknown");
+    const missingTables = REQUIRED_TABLES.filter((table) => !tableExists(db, table));
+    const schemaVersion = missingTables.includes("schema_migrations") ? null : db.query("SELECT value FROM schema_migrations WHERE key = 'schema_version'").get()?.value ?? null;
+    const currentOk = missingTables.length === 0 && schemaVersion === CURRENT_SCHEMA_VERSION;
+    const restorableV1 = schemaVersion === "1" && missingTables.every((table) => PROBE_TABLES.has(table));
+    return {
+      ok: integrity === "ok" && (currentOk || restorableV1),
+      backupPath,
+      integrity,
+      schemaVersion,
+      missingTables,
+      monitors: tableCount(db, "monitors"),
+      results: tableCount(db, "check_results"),
+      incidents: tableCount(db, "incidents")
+    };
+  } finally {
+    db.close();
+  }
+}
+function tableCount(db, table) {
+  if (!tableExists(db, table))
+    return 0;
+  const row = db.query(`SELECT COUNT(*) AS count FROM ${table}`).get();
+  return Number(row?.count ?? 0);
 }
-function normalizeCreateMonitor(input) {
+function tableExists(db, table) {
+  const row = db.query("SELECT COUNT(*) AS count FROM sqlite_master WHERE type = 'table' AND name = ?").get(table);
+  return Number(row?.count ?? 0) > 0;
+}
+function normalizeCreateMonitor(input, allowBrowserPage = false) {
   const name = input.name?.trim();
   if (!name)
     throw new Error("Monitor name is required");
@@ -331,7 +876,10 @@ function normalizeCreateMonitor(input) {
   const method = normalizeMethod(input.method ?? "GET");
   const expectedStatus = normalizeExpectedStatus(input.expectedStatus);
   const enabled = normalizeEnabled(input.enabled);
-  if (input.kind === "http") {
+  if (input.kind === "http" || input.kind === "browser_page") {
+    if (input.kind === "browser_page" && !allowBrowserPage) {
+      throw new Error("browser_page monitors must be imported with explicit browser evidence support");
+    }
     const url = normalizeHttpUrl(input.url);
     return {
       name,
@@ -365,13 +913,13 @@ function normalizeCreateMonitor(input) {
       enabled
     };
   } else {
-    throw new Error("Monitor kind must be http or tcp");
+    throw new Error("Monitor kind must be http, tcp, or browser_page");
   }
 }
 function definitionChanged(current, next) {
   return next.kind !== current.kind || next.url !== current.url || next.host !== current.host || next.port !== current.port || next.method !== current.method || next.expectedStatus !== current.expectedStatus;
 }
-function normalizeUpdateMonitor(current, input, updatedAt) {
+function normalizeUpdateMonitor(current, input, updatedAt, allowBrowserPage = false) {
   const merged = {
     ...current,
     ...input,
@@ -390,7 +938,7 @@ function normalizeUpdateMonitor(current, input, updatedAt) {
     timeoutMs: merged.timeoutMs,
     retryCount: merged.retryCount,
     enabled: merged.enabled
-  });
+  }, allowBrowserPage || current.kind === "browser_page");
   const checkDefinitionChanged = normalized.kind !== current.kind || (normalized.url ?? null) !== current.url || (normalized.host ?? null) !== current.host || (normalized.port ?? null) !== current.port || normalized.method !== current.method || normalized.expectedStatus !== current.expectedStatus;
   const status = normalized.enabled ? checkDefinitionChanged || !current.enabled ? "unknown" : current.status : "paused";
   return {
@@ -419,6 +967,11 @@ function normalizeHttpUrl(value) {
   if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
     throw new Error("HTTP monitor url must use http or https");
   }
+  for (const key of [...parsed.searchParams.keys()]) {
+    if (SECRET_URL_PARAM_PATTERN.test(key))
+      parsed.searchParams.set(key, "[redacted]");
+  }
+  parsed.hash = "";
   return parsed.toString();
 }
 function normalizeMethod(value) {
@@ -447,6 +1000,20 @@ function rejectControlCharacters(value, label) {
     throw new Error(`${label} must not contain control characters`);
   }
 }
+function normalizeScheduleSlot(value) {
+  const slot = value.trim();
+  if (!slot)
+    throw new Error("Probe job scheduleSlot is required");
+  if (slot.length > 128)
+    throw new Error("Probe job scheduleSlot is too long");
+  rejectControlCharacters(slot, "Probe job scheduleSlot");
+  return slot;
+}
+function assertIsoTimestamp(value, label) {
+  if (!Number.isFinite(Date.parse(value))) {
+    throw new Error(`${label} must be an ISO timestamp`);
+  }
+}
 function monitorFromRow(row) {
   return {
     id: row.id,
@@ -477,9 +1044,83 @@ function checkResultFromRow(row) {
     latencyMs: row.latency_ms,
     statusCode: row.status_code,
     error: row.error,
-    attemptCount: row.attempt_count
+    attemptCount: row.attempt_count,
+    evidence: parseEvidence(row.evidence_json)
+  };
+}
+function provenanceFromRow(row) {
+  return {
+    monitorId: row.monitor_id,
+    source: row.source,
+    sourceId: row.source_id,
+    sourceLabel: row.source_label,
+    importedAt: row.imported_at,
+    snapshot: parseJson(row.snapshot_json)
+  };
+}
+function importBatchFromRow(row) {
+  return {
+    id: row.id,
+    source: row.source,
+    status: row.status,
+    createdAt: row.created_at,
+    rolledBackAt: row.rolled_back_at,
+    records: Array.isArray(parseJson(row.records_json)) ? parseJson(row.records_json) : []
+  };
+}
+function probeIdentityFromRow(row) {
+  return {
+    id: row.id,
+    name: row.name,
+    publicKeyPem: row.public_key_pem,
+    publicKeyFingerprint: row.public_key_fingerprint,
+    enabled: Boolean(row.enabled),
+    createdAt: row.created_at,
+    lastSeenAt: row.last_seen_at
   };
 }
+function probeSubmissionFromRow(row) {
+  return {
+    id: row.id,
+    probeId: row.probe_id,
+    jobId: row.job_id ?? "",
+    monitorId: row.monitor_id,
+    checkResultId: row.check_result_id,
+    nonce: row.nonce,
+    checkedAt: row.checked_at,
+    submittedAt: row.submitted_at
+  };
+}
+function probeCheckJobFromRow(row) {
+  return {
+    id: row.id,
+    monitorId: row.monitor_id,
+    monitorRevision: row.monitor_revision ?? 1,
+    scheduleSlot: row.schedule_slot,
+    status: row.status,
+    claimedByProbeId: row.claimed_by_probe_id,
+    fencingToken: row.fencing_token,
+    dueAt: row.due_at,
+    claimedAt: row.claimed_at,
+    leaseExpiresAt: row.lease_expires_at,
+    submittedResultId: row.submitted_result_id,
+    createdAt: row.created_at,
+    updatedAt: row.updated_at
+  };
+}
+function parseEvidence(value) {
+  if (!value)
+    return null;
+  const parsed = parseJson(value);
+  return parsed && typeof parsed === "object" ? parsed : null;
+}
+function parseJson(value) {
+  try {
+    return JSON.parse(value);
+  } catch {
+    return null;
+  }
+}
 function incidentFromRow(row) {
   return {
     id: row.id,
@@ -507,11 +1148,15 @@ function clampLimit(value) {
     return 50;
   return Math.max(1, Math.min(Math.floor(value), MAX_RESULT_LIMIT));
 }
+function statementChanges(result) {
+  return Number(result?.changes ?? 0);
+}
 function round(value, places) {
   const factor = 10 ** places;
   return Math.round(value * factor) / factor;
 }
 export {
+  resolveRuntimeMode,
   UptimeStore,
   StaleCheckResultError
 };