@hasna/uptime 0.1.1 → 0.1.3

package/dist/cli/index.js

@@ -2573,7 +2573,8 @@ var chalkStderr = createChalk({ level: stderrColor ? stderrColor.level : 0 });
 var source_default = chalk;
 
 // src/cli/index.ts
-import { existsSync } from "fs";
+import { randomUUID as randomUUID4 } from "crypto";
+import { existsSync as existsSync2, readFileSync as readFileSync2, unlinkSync, writeFileSync } from "fs";
 
 // src/checks.ts
 import net from "net";
@@ -2583,7 +2584,11 @@ async function runMonitorCheck(monitor, options = {}) {
   }
   if (monitor.kind === "http")
     return runHttpCheck(monitor, options.fetch ?? fetch);
-  return runTcpCheck(monitor);
+  if (monitor.kind === "browser_page")
+    return runBrowserPageCheck(monitor, { fetch: options.fetch, runner: options.browserPage });
+  if (monitor.kind === "tcp")
+    return runTcpCheck(monitor);
+  return { status: "down", latencyMs: null, error: `unsupported monitor kind: ${monitor.kind ?? "unknown"}` };
 }
 async function runHttpCheck(monitor, fetchImpl = fetch) {
   if (!monitor.url)
@@ -2641,14 +2646,744 @@ async function runTcpCheck(monitor) {
     });
   });
 }
+async function runBrowserPageCheck(monitor, options = {}) {
+  if (!monitor.url)
+    return { status: "down", latencyMs: null, error: "missing url" };
+  validateBrowserPageUrl(monitor.url);
+  if (!options.runner) {
+    const evidence = normalizeBrowserEvidence(monitor.url, {
+      finalUrl: monitor.url,
+      navigationStatus: null,
+      pageErrors: ["browser_page checks require a configured browser runner"]
+    });
+    return {
+      status: "down",
+      latencyMs: null,
+      statusCode: null,
+      error: "browser_page checks require a configured browser runner",
+      evidence
+    };
+  }
+  const started = performance.now();
+  try {
+    const raw = await options.runner(monitor);
+    const latencyMs = raw.latencyMs ?? Math.round((performance.now() - started) * 100) / 100;
+    const evidence = normalizeBrowserEvidence(monitor.url, raw);
+    const statusCode = raw.navigationStatus ?? evidence.navigationStatus;
+    const statusOk = statusCode == null ? false : monitor.expectedStatus == null ? statusCode >= 200 && statusCode < 400 : statusCode === monitor.expectedStatus;
+    const browserFailures = evidence.consoleErrors.length + evidence.pageErrors.length + evidence.failedRequests.length;
+    return {
+      status: statusOk && browserFailures === 0 ? "up" : "down",
+      latencyMs,
+      statusCode,
+      error: statusOk ? browserFailures === 0 ? null : `browser page captured ${browserFailures} error signal${browserFailures === 1 ? "" : "s"}` : `unexpected navigation status ${statusCode ?? "unknown"}`,
+      evidence
+    };
+  } catch (error) {
+    const safeError = redactText(error instanceof Error ? error.message : String(error));
+    const evidence = normalizeBrowserEvidence(monitor.url, {
+      finalUrl: monitor.url,
+      navigationStatus: null,
+      pageErrors: [safeError]
+    });
+    return {
+      status: "down",
+      latencyMs: Math.round((performance.now() - started) * 100) / 100,
+      statusCode: null,
+      error: safeError,
+      evidence
+    };
+  }
+}
+function normalizeBrowserEvidence(sourceUrl, raw) {
+  return {
+    kind: "browser_page",
+    finalUrl: raw.finalUrl ? redactUrl(raw.finalUrl) : redactUrl(sourceUrl),
+    navigationStatus: raw.navigationStatus ?? null,
+    consoleErrors: sanitizeStrings(raw.consoleErrors ?? []),
+    pageErrors: sanitizeStrings(raw.pageErrors ?? []),
+    failedRequests: (raw.failedRequests ?? []).slice(0, 50).map((request) => ({
+      url: redactUrl(request.url),
+      statusCode: request.statusCode ?? null,
+      error: request.error ? redactText(request.error) : null
+    })),
+    screenshot: raw.screenshot ? sanitizeArtifact(raw.screenshot) : null,
+    artifacts: (raw.artifacts ?? []).slice(0, 20).map(sanitizeArtifact),
+    redacted: true,
+    redactionStatus: "redacted",
+    retentionClass: "short"
+  };
+}
+function validateBrowserPageUrl(value) {
+  const parsed = new URL(value);
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    throw new Error("browser_page monitors require an http or https URL");
+  }
+  if (parsed.username || parsed.password) {
+    throw new Error("browser_page URLs must not contain userinfo");
+  }
+}
+function sanitizeStrings(values) {
+  return values.slice(0, 50).map(redactText).filter(Boolean);
+}
+function sanitizeArtifact(artifact) {
+  const ref = artifact.ref.trim();
+  if (artifact.path || ref.startsWith("/") || ref.toLowerCase().startsWith("file:")) {
+    throw new Error("browser evidence artifacts must use redacted artifact refs, not local paths");
+  }
+  if (!artifact.sha256 || !/^[a-f0-9]{64}$/i.test(artifact.sha256)) {
+    throw new Error("browser evidence artifacts require a sha256 checksum");
+  }
+  const bytes = artifact.bytes;
+  if (!Number.isInteger(bytes) || bytes == null || bytes < 0) {
+    throw new Error("browser evidence artifacts require a byte size");
+  }
+  return {
+    ref: redactText(ref),
+    sha256: artifact.sha256,
+    bytes,
+    contentType: redactText(artifact.contentType ?? "application/octet-stream") || "application/octet-stream",
+    retentionClass: "short"
+  };
+}
+function redactUrl(value) {
+  try {
+    const parsed = new URL(value);
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+      return "[blocked-url]";
+    }
+    parsed.username = "";
+    parsed.password = "";
+    parsed.hash = "";
+    for (const key of parsed.searchParams.keys()) {
+      if (isSecretKey(key))
+        parsed.searchParams.set(key, "[redacted]");
+    }
+    return parsed.toString();
+  } catch {
+    return redactText(value);
+  }
+}
+function redactText(value) {
+  return value.replace(/\/(?:home|Users)\/[^\s"'<>]+/g, "[local-path]").replace(/Bearer\s+[A-Za-z0-9._~+/=-]+/gi, "Bearer [redacted]").replace(/((?:token|secret|password|passwd|api[_-]?key|access[_-]?token|auth|credential|session)[=:]\s*)[^\s&]+/gi, "$1[redacted]");
+}
+function isSecretKey(value) {
+  return /(token|secret|password|passwd|api[_-]?key|access[_-]?token|auth|credential|session)/i.test(value);
+}
 
 // src/service.ts
-import { randomUUID as randomUUID2 } from "crypto";
+import { createPublicKey, randomUUID as randomUUID3 } from "crypto";
 
-// src/store.ts
-import { mkdirSync as mkdirSync2 } from "fs";
-import { dirname } from "path";
+// src/imports.ts
 import { randomUUID } from "crypto";
+
+// src/limits.ts
+var MIN_INTERVAL_SECONDS = 1;
+var MAX_INTERVAL_SECONDS = 86400;
+var MIN_TIMEOUT_MS = 1;
+var MAX_TIMEOUT_MS = 60000;
+var MIN_RETRY_COUNT = 0;
+var MAX_RETRY_COUNT = 10;
+var MAX_RESULT_LIMIT = 1000;
+
+// src/target-policy.ts
+import net2 from "net";
+var SECRET_PARAM_PATTERN = /(token|secret|password|passwd|api[_-]?key|access[_-]?token|auth|credential|session)/i;
+function assertHostedTargetAllowed(target) {
+  if (target.kind === "http" || target.kind === "browser_page") {
+    if (!target.url)
+      throw new Error("HTTP monitors require url");
+    assertHostedHttpUrlAllowed(target.url);
+    return;
+  }
+  if (target.kind === "tcp") {
+    if (!target.host)
+      throw new Error("TCP monitors require host");
+    assertHostedHostAllowed(target.host, "TCP host");
+    if (!Number.isInteger(target.port) || target.port <= 0 || target.port > 65535) {
+      throw new Error("TCP monitors require a port from 1 to 65535");
+    }
+    return;
+  }
+  throw new Error("Monitor kind must be http, tcp, or browser_page");
+}
+function assertHostedHttpUrlAllowed(value) {
+  const parsed = new URL(value);
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    throw new Error("HTTP monitor url must use http or https");
+  }
+  if (parsed.username || parsed.password) {
+    throw new Error("hosted target URLs must not contain userinfo");
+  }
+  for (const key of parsed.searchParams.keys()) {
+    if (SECRET_PARAM_PATTERN.test(key)) {
+      throw new Error(`hosted target URL query parameter is not allowed: ${key}`);
+    }
+  }
+  if (parsed.hash && SECRET_PARAM_PATTERN.test(parsed.hash)) {
+    throw new Error("hosted target URL fragment contains secret-like data");
+  }
+  assertHostedHostAllowed(parsed.hostname, "HTTP host");
+}
+function assertHostedHostAllowed(hostname, label = "host") {
+  const host = normalizeHost(hostname);
+  if (!host)
+    throw new Error(`${label} is required`);
+  if (host === "localhost" || host.endsWith(".localhost")) {
+    throw new Error(`${label} is not allowed in hosted mode: localhost`);
+  }
+  if (host.endsWith(".local") || host.endsWith(".internal")) {
+    throw new Error(`${label} is not allowed in hosted mode: private DNS name`);
+  }
+  const ipVersion = net2.isIP(host);
+  if (ipVersion === 4 && isDeniedIpv4(host)) {
+    throw new Error(`${label} is not allowed in hosted mode: private or reserved IPv4`);
+  }
+  if (ipVersion === 6 && isDeniedIpv6(host)) {
+    throw new Error(`${label} is not allowed in hosted mode: private or reserved IPv6`);
+  }
+}
+function normalizeHost(hostname) {
+  return hostname.trim().toLowerCase().replace(/^\[|\]$/g, "").replace(/\.$/, "");
+}
+function isDeniedIpv4(ip) {
+  const parts = ip.split(".").map((part) => Number(part));
+  if (parts.length !== 4 || parts.some((part) => !Number.isInteger(part) || part < 0 || part > 255)) {
+    return true;
+  }
+  const [a, b] = parts;
+  return a === 0 || a === 10 || a === 127 || a === 100 && b >= 64 && b <= 127 || a === 169 && b === 254 || a === 172 && b >= 16 && b <= 31 || a === 192 && b === 168 || a >= 224;
+}
+function isDeniedIpv6(ip) {
+  const normalized = ip.toLowerCase();
+  return normalized === "::" || normalized === "::1" || normalized.startsWith("fe80:") || normalized.startsWith("fc") || normalized.startsWith("fd") || normalized.startsWith("ff") || normalized.startsWith("::ffff:127.") || normalized.startsWith("::ffff:10.") || normalized.startsWith("::ffff:169.254.") || /^::ffff:172\.(1[6-9]|2\d|3[0-1])\./.test(normalized) || normalized.startsWith("::ffff:192.168.");
+}
+
+// src/imports.ts
+function previewImport(store, request) {
+  const source = normalizeSource(request.source);
+  const items = dedupePreviewItems(request.records.map((record) => previewRecord(store, source, record, request.defaults ?? {})));
+  return {
+    source,
+    generatedAt: new Date().toISOString(),
+    dryRun: true,
+    items,
+    totals: countActions(items)
+  };
+}
+function dedupePreviewItems(items) {
+  const seenSources = new Set;
+  const seenNames = new Set;
+  return items.map((item) => {
+    if (item.action === "blocked")
+      return item;
+    const sourceKey = `${item.candidate.source}:${item.candidate.sourceId}`;
+    const nameKey = item.candidate.name.toLowerCase();
+    if (seenSources.has(sourceKey) || seenNames.has(nameKey)) {
+      return {
+        ...item,
+        action: "conflict",
+        monitor: item.monitor,
+        warnings: [...item.warnings, "duplicate import candidate in request"],
+        reason: "duplicate import candidate in request"
+      };
+    }
+    seenSources.add(sourceKey);
+    seenNames.add(nameKey);
+    return item;
+  });
+}
+function applyImport(store, request) {
+  if (store.mode === "hosted") {
+    throw new Error("hosted import apply requires cloud import_batches and audit");
+  }
+  const execute = () => {
+    const preview = previewImport(store, request);
+    const appliedAt = new Date().toISOString();
+    const items = preview.items.map((item) => applyPreviewItem(store, item));
+    const batchId = `imp_${randomUUID().replace(/-/g, "").slice(0, 18)}`;
+    store.saveImportBatch({
+      id: batchId,
+      source: preview.source,
+      records: items.map((item) => ({
+        action: item.action,
+        sourceId: item.candidate.sourceId,
+        monitorId: item.after?.id ?? item.monitor?.id ?? item.before?.id ?? null,
+        before: item.before,
+        after: item.after,
+        candidate: item.candidate
+      }))
+    });
+    return { batchId, source: preview.source, appliedAt, items, totals: countActions(items) };
+  };
+  return store.runInTransaction ? store.runInTransaction(execute) : execute();
+}
+function rollbackImport(store, batchId) {
+  if (store.mode === "hosted") {
+    throw new Error("hosted import rollback requires cloud import_batches and audit");
+  }
+  const batch = store.getImportBatch(batchId);
+  if (!batch)
+    throw new Error(`Import batch not found: ${batchId}`);
+  if (batch.status === "rolled_back")
+    throw new Error(`Import batch already rolled back: ${batchId}`);
+  const items = [...batch.records].reverse().map((record) => rollbackRecord(store, record));
+  const rolledBack = store.markImportBatchRolledBack(batchId);
+  return {
+    batchId,
+    source: rolledBack.source,
+    rolledBackAt: rolledBack.rolledBackAt ?? new Date().toISOString(),
+    items
+  };
+}
+function previewRecord(store, source, record, defaults) {
+  const warnings = [];
+  let candidate;
+  try {
+    if (store.mode === "hosted")
+      assertHostedTargetAllowed(rawTargetForHostedPolicy(source, record, defaults));
+    candidate = normalizeCandidate(source, record, defaults);
+    validateCandidate(candidate);
+    if (store.mode === "hosted")
+      assertHostedTargetAllowed(candidate);
+  } catch (error) {
+    return {
+      candidate: fallbackCandidate(source, record),
+      action: "blocked",
+      monitor: null,
+      provenance: null,
+      warnings,
+      reason: error instanceof Error ? error.message : String(error)
+    };
+  }
+  const provenance = store.getProvenance(candidate.source, candidate.sourceId);
+  const monitor = provenance ? store.getMonitor(provenance.monitorId) : store.getMonitor(candidate.name);
+  if (provenance && !monitor) {
+    return { candidate, action: "create", monitor: null, provenance, warnings: ["source provenance points to a missing monitor"], reason: null };
+  }
+  if (provenance && monitor) {
+    const nameOwner = store.getMonitor(candidate.name);
+    if (nameOwner && nameOwner.id !== monitor.id) {
+      return {
+        candidate,
+        action: "conflict",
+        monitor,
+        provenance,
+        warnings,
+        reason: "monitor name already exists on another monitor"
+      };
+    }
+    return {
+      candidate,
+      action: sameTarget(monitor, candidate) ? "unchanged" : "update",
+      monitor,
+      provenance,
+      warnings,
+      reason: null
+    };
+  }
+  if (monitor) {
+    return {
+      candidate,
+      action: "conflict",
+      monitor,
+      provenance: null,
+      warnings,
+      reason: "monitor name already exists without matching source provenance"
+    };
+  }
+  return { candidate, action: "create", monitor: null, provenance: null, warnings, reason: null };
+}
+function applyPreviewItem(store, item) {
+  if (item.action === "blocked" || item.action === "conflict") {
+    return { ...item, before: item.monitor, after: item.monitor };
+  }
+  const input = candidateToMonitorInput(item.candidate);
+  const before = item.monitor;
+  const after = item.action === "create" ? store.createMonitor(input, { allowBrowserPage: true }) : item.action === "update" ? store.updateMonitor(item.monitor.id, input, { allowBrowserPage: true }) : item.monitor;
+  if (after) {
+    store.upsertMonitorProvenance({
+      monitorId: after.id,
+      source: item.candidate.source,
+      sourceId: item.candidate.sourceId,
+      sourceLabel: item.candidate.sourceLabel,
+      snapshot: item.candidate.snapshot
+    });
+  }
+  return { ...item, before, after };
+}
+function rollbackRecord(store, record) {
+  const value = asRecord(record);
+  const action = stringValue(value.action);
+  const monitorId = stringValue(value.monitorId);
+  const before = isMonitor(value.before) ? value.before : null;
+  const after = isMonitor(value.after) ? value.after : null;
+  const targetId = after?.id ?? before?.id ?? monitorId;
+  if (!targetId)
+    return { monitorId: null, action: "skipped", reason: "batch record has no monitor id" };
+  if (action === "create") {
+    const hasHistory = store.listResults({ monitorId: targetId, limit: 1 }).length > 0;
+    if (hasHistory) {
+      store.updateMonitor(targetId, { enabled: false }, { allowBrowserPage: true });
+      return { monitorId: targetId, action: "disabled", reason: "created monitor has check history, so rollback preserved history and disabled it" };
+    }
+    return { monitorId: targetId, action: store.deleteMonitor(targetId) ? "deleted" : "skipped", reason: null };
+  }
+  if (action === "update" && before) {
+    store.updateMonitor(targetId, monitorToUpdateInput(before), { allowBrowserPage: true });
+    return { monitorId: targetId, action: "restored", reason: null };
+  }
+  return { monitorId: targetId, action: "skipped", reason: `no rollback needed for ${action || "unknown"} action` };
+}
+function normalizeCandidate(source, record, defaults) {
+  const value = asRecord(record);
+  const monitor = asRecord(value.monitor);
+  const sourceId = sanitizeIdentity(stringValue(value.sourceId) ?? stringValue(value.id) ?? stringValue(value.slug) ?? stringValue(value.name));
+  let url = stringValue(monitor.url) ?? stringValue(value.url) ?? stringValue(value.healthUrl) ?? stringValue(value.homepageUrl) ?? stringValue(value.environmentUrl);
+  if (source === "domains" && !url && stringValue(value.domain)) {
+    url = `https://${stringValue(value.domain)}`;
+  }
+  const rawHost = stringValue(monitor.host) ?? stringValue(value.host) ?? stringValue(value.hostname);
+  const rawKind = stringValue(monitor.kind) ?? stringValue(value.kind) ?? (url ? "http" : "tcp");
+  const kind = normalizeKind(rawKind);
+  const normalizedUrl = normalizeCandidateUrl(url ?? defaults.url);
+  const normalizedHost = kind === "tcp" ? rawHost ?? defaults.host : undefined;
+  const port = numberValue(monitor.port) ?? numberValue(value.port) ?? defaults.port;
+  const normalizedTargetKey = sanitizeGeneratedTargetKey(kind, normalizedUrl, normalizedHost, port);
+  const normalizedSourceId = sourceId ?? `${source}:${normalizedTargetKey}`;
+  const name = stringValue(monitor.name) ?? stringValue(value.monitorName) ?? stringValue(value.name) ?? stringValue(value.slug) ?? (source === "domains" ? stringValue(value.domain) : undefined) ?? (kind === "tcp" ? stringValue(value.hostname) : undefined) ?? `${source}-${normalizedTargetKey}`;
+  const expectedStatus = firstDefined(nullableNumberValue(monitor.expectedStatus), nullableNumberValue(value.expectedStatus), defaults.expectedStatus);
+  const candidate = {
+    source,
+    sourceId: normalizedSourceId,
+    sourceLabel: sanitizeIdentity(stringValue(value.label) ?? stringValue(value.name) ?? stringValue(value.slug)) ?? null,
+    name: sanitizeIdentity(name) ?? name,
+    kind,
+    url: normalizedUrl,
+    host: normalizedHost,
+    port,
+    method: normalizeCandidateMethod(stringValue(monitor.method) ?? stringValue(value.method) ?? defaults.method),
+    expectedStatus,
+    intervalSeconds: numberValue(monitor.intervalSeconds) ?? numberValue(value.intervalSeconds) ?? defaults.intervalSeconds,
+    timeoutMs: numberValue(monitor.timeoutMs) ?? numberValue(value.timeoutMs) ?? defaults.timeoutMs,
+    retryCount: numberValue(monitor.retryCount) ?? numberValue(value.retryCount) ?? defaults.retryCount,
+    enabled: booleanValue(monitor.enabled) ?? booleanValue(value.enabled) ?? defaults.enabled,
+    snapshot: sanitizeSnapshot(record)
+  };
+  return candidate;
+}
+function rawTargetForHostedPolicy(source, record, defaults) {
+  const value = asRecord(record);
+  const monitor = asRecord(value.monitor);
+  let url = stringValue(monitor.url) ?? stringValue(value.url) ?? stringValue(value.healthUrl) ?? stringValue(value.homepageUrl) ?? stringValue(value.environmentUrl);
+  if (source === "domains" && !url && stringValue(value.domain)) {
+    url = `https://${stringValue(value.domain)}`;
+  }
+  const host = stringValue(monitor.host) ?? stringValue(value.host) ?? stringValue(value.hostname) ?? defaults.host;
+  const rawKind = stringValue(monitor.kind) ?? stringValue(value.kind) ?? (url ? "http" : "tcp");
+  const kind = normalizeKind(rawKind);
+  return {
+    kind,
+    url: url ?? defaults.url,
+    host: kind === "tcp" ? host : undefined,
+    port: numberValue(monitor.port) ?? numberValue(value.port) ?? defaults.port
+  };
+}
+function validateCandidate(candidate) {
+  if (!candidate.name.trim())
+    throw new Error("import candidate requires name");
+  rejectControlCharacters(candidate.name.trim(), "Monitor name");
+  if (candidate.method !== undefined && !/^[A-Z]+$/.test(candidate.method)) {
+    throw new Error("HTTP method must contain only letters");
+  }
+  if (candidate.expectedStatus !== undefined && candidate.expectedStatus !== null) {
+    if (!Number.isInteger(candidate.expectedStatus) || candidate.expectedStatus < 100 || candidate.expectedStatus > 599) {
+      throw new Error("expectedStatus must be an HTTP status from 100 to 599");
+    }
+  }
+  if (candidate.intervalSeconds !== undefined) {
+    boundedInteger(candidate.intervalSeconds, "intervalSeconds", MIN_INTERVAL_SECONDS, MAX_INTERVAL_SECONDS);
+  }
+  if (candidate.timeoutMs !== undefined) {
+    boundedInteger(candidate.timeoutMs, "timeoutMs", MIN_TIMEOUT_MS, MAX_TIMEOUT_MS);
+  }
+  if (candidate.retryCount !== undefined) {
+    boundedInteger(candidate.retryCount, "retryCount", MIN_RETRY_COUNT, MAX_RETRY_COUNT);
+  }
+  if (candidate.kind === "http" || candidate.kind === "browser_page") {
+    if (!candidate.url)
+      throw new Error(`${candidate.kind} import candidate requires url`);
+    const parsed = new URL(candidate.url);
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+      throw new Error(`${candidate.kind} import candidate URL must use http or https`);
+    }
+    if (parsed.username || parsed.password)
+      throw new Error(`${candidate.kind} import candidate URL must not contain userinfo`);
+    return;
+  }
+  if (candidate.kind === "tcp") {
+    if (!candidate.host)
+      throw new Error("tcp import candidate requires host");
+    rejectControlCharacters(candidate.host, "TCP host");
+    if (!Number.isInteger(candidate.port) || candidate.port <= 0 || candidate.port > 65535) {
+      throw new Error("tcp import candidate requires a port from 1 to 65535");
+    }
+    return;
+  }
+  throw new Error(`unsupported import candidate kind: ${candidate.kind}`);
+}
+function candidateToMonitorInput(candidate) {
+  return {
+    name: candidate.name,
+    kind: candidate.kind,
+    url: candidate.url,
+    host: candidate.host,
+    port: candidate.port,
+    method: candidate.method,
+    expectedStatus: candidate.expectedStatus,
+    intervalSeconds: candidate.intervalSeconds,
+    timeoutMs: candidate.timeoutMs,
+    retryCount: candidate.retryCount,
+    enabled: candidate.enabled
+  };
+}
+function monitorToUpdateInput(monitor) {
+  return {
+    name: monitor.name,
+    kind: monitor.kind,
+    url: monitor.url ?? undefined,
+    host: monitor.host ?? undefined,
+    port: monitor.port ?? undefined,
+    method: monitor.method,
+    expectedStatus: monitor.expectedStatus,
+    intervalSeconds: monitor.intervalSeconds,
+    timeoutMs: monitor.timeoutMs,
+    retryCount: monitor.retryCount,
+    enabled: monitor.enabled
+  };
+}
+function sameTarget(monitor, candidate) {
+  return monitor.kind === candidate.kind && monitor.name === candidate.name && monitor.url === (candidate.url ?? null) && monitor.host === (candidate.host ?? null) && monitor.port === (candidate.port ?? null) && monitor.method === (candidate.method ?? monitor.method) && (candidate.expectedStatus === undefined || monitor.expectedStatus === candidate.expectedStatus) && monitor.intervalSeconds === (candidate.intervalSeconds ?? monitor.intervalSeconds) && monitor.timeoutMs === (candidate.timeoutMs ?? monitor.timeoutMs) && monitor.retryCount === (candidate.retryCount ?? monitor.retryCount) && monitor.enabled === (candidate.enabled ?? monitor.enabled);
+}
+function countActions(items) {
+  return {
+    create: items.filter((item) => item.action === "create").length,
+    update: items.filter((item) => item.action === "update").length,
+    unchanged: items.filter((item) => item.action === "unchanged").length,
+    blocked: items.filter((item) => item.action === "blocked").length,
+    conflict: items.filter((item) => item.action === "conflict").length
+  };
+}
+function normalizeSource(source) {
+  if (["manual", "projects", "servers", "domains", "deployment"].includes(source))
+    return source;
+  throw new Error(`unsupported import source: ${source}`);
+}
+function normalizeKind(value) {
+  if (value === "http" || value === "tcp" || value === "browser_page")
+    return value;
+  return value === "browser" || value === "page" ? "browser_page" : "http";
+}
+function targetKey(kind, url, host, port) {
+  return kind === "tcp" ? `${host ?? "host"}:${port ?? "port"}` : url ?? "url";
+}
+function sanitizeGeneratedTargetKey(kind, url, host, port) {
+  const key = targetKey(kind, url, host, port);
+  return kind === "tcp" ? key : sanitizeIdentity(key) ?? key;
+}
+function normalizeCandidateUrl(value) {
+  if (!value)
+    return;
+  try {
+    const parsed = new URL(value);
+    for (const key of [...parsed.searchParams.keys()]) {
+      if (isSecretKey2(key))
+        parsed.searchParams.set(key, "[redacted]");
+    }
+    parsed.hash = "";
+    return parsed.toString();
+  } catch {
+    return value;
+  }
+}
+function normalizeCandidateMethod(value) {
+  return value?.trim().toUpperCase();
+}
+function fallbackCandidate(source, record) {
+  const value = asRecord(record);
+  const monitor = asRecord(value.monitor);
+  const name = stringValue(monitor.name) ?? stringValue(value.name) ?? stringValue(value.domain) ?? "invalid import candidate";
+  const rawUrl = stringValue(monitor.url) ?? stringValue(value.url) ?? stringValue(value.domain);
+  const kind = normalizeKind(stringValue(monitor.kind) ?? stringValue(value.kind) ?? "http");
+  return {
+    source,
+    sourceId: sanitizeIdentity(stringValue(value.sourceId) ?? stringValue(value.id)) ?? `${source}:invalid`,
+    sourceLabel: sanitizeIdentity(stringValue(value.label)) ?? null,
+    name: sanitizeIdentity(name) ?? name,
+    kind,
+    url: redactUrlForDisplay(rawUrl),
+    host: kind === "tcp" ? sanitizeHost(stringValue(monitor.host) ?? stringValue(value.host) ?? stringValue(value.hostname)) : undefined,
+    port: numberValue(monitor.port) ?? numberValue(value.port),
+    snapshot: sanitizeSnapshot(record)
+  };
+}
+function asRecord(value) {
+  return value && typeof value === "object" && !Array.isArray(value) ? value : {};
+}
+function stringValue(value) {
+  return typeof value === "string" && value.trim() ? value.trim() : undefined;
+}
+function numberValue(value) {
+  return typeof value === "number" && Number.isFinite(value) ? value : undefined;
+}
+function nullableNumberValue(value) {
+  if (value === null)
+    return null;
+  return numberValue(value);
+}
+function booleanValue(value) {
+  return typeof value === "boolean" ? value : undefined;
+}
+function firstDefined(...values) {
+  return values.find((value) => value !== undefined);
+}
+function isMonitor(value) {
+  const row = asRecord(value);
+  return Boolean(stringValue(row.id) && stringValue(row.name) && stringValue(row.kind));
+}
+function sanitizeSnapshot(value) {
+  if (Array.isArray(value))
+    return value.map(sanitizeSnapshot);
+  if (!value || typeof value !== "object")
+    return sanitizeScalar(value);
+  const output = {};
+  for (const [key, entry] of Object.entries(value)) {
+    if (isSecretKey2(key))
+      output[key] = "[redacted]";
+    else
+      output[key] = sanitizeSnapshot(entry);
+  }
+  return output;
+}
+function sanitizeScalar(value) {
+  if (typeof value !== "string")
+    return value;
+  return value.replace(/\/(?:home|Users)\/[^\s"'<>]+/g, "[local-path]").replace(/\b(?:localhost|(?:[a-z0-9-]+\.)+(?:local|internal))\b/gi, "[private-host]").replace(/(https?:\/\/)[^/?#\s"'<>]+:[^@/?#\s"'<>]+@/gi, "$1[redacted]@").replace(/Bearer\s+[A-Za-z0-9._~+/=-]+/gi, "Bearer [redacted]").replace(/((?:token|secret|password|passwd|api[_-]?key|access[_-]?token|auth|credential|session)[=:]\s*)[^\s&]+/gi, "$1[redacted]");
+}
+function isSecretKey2(value) {
+  return /(token|secret|password|passwd|api[_-]?key|access[_-]?token|auth|credential|session)/i.test(value);
+}
+function rejectControlCharacters(value, label) {
+  if (/[\x00-\x1f\x7f-\x9f]/.test(value)) {
+    throw new Error(`${label} must not contain control characters`);
+  }
+}
+function boundedInteger(value, label, min, max) {
+  if (!Number.isInteger(value) || value < min || value > max) {
+    throw new Error(`${label} must be an integer from ${min} to ${max}`);
+  }
+  return value;
+}
+function redactUrlForDisplay(value) {
+  if (!value)
+    return;
+  try {
+    const parsed = new URL(value);
+    parsed.username = parsed.username ? "[redacted]" : "";
+    parsed.password = "";
+    for (const key of [...parsed.searchParams.keys()]) {
+      if (isSecretKey2(key))
+        parsed.searchParams.set(key, "[redacted]");
+    }
+    if (parsed.hash && isSecretKey2(parsed.hash))
+      parsed.hash = "#[redacted]";
+    return parsed.toString();
+  } catch {
+    return sanitizeScalar(value);
+  }
+}
+function sanitizeIdentity(value) {
+  if (!value)
+    return;
+  try {
+    const parsed = new URL(value);
+    parsed.username = parsed.username ? "[redacted]" : "";
+    parsed.password = "";
+    for (const key of [...parsed.searchParams.keys()]) {
+      if (isSecretKey2(key))
+        parsed.searchParams.set(key, "[redacted]");
+    }
+    parsed.hash = "";
+    return parsed.toString();
+  } catch {
+    return sanitizeScalar(value);
+  }
+}
+function sanitizeHost(value) {
+  if (!value)
+    return;
+  return sanitizeScalar(value);
+}
+
+// src/probes.ts
+import { createHash, generateKeyPairSync, sign, verify } from "crypto";
+function generateProbeKeyPair() {
+  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
+  const publicKeyPem = publicKey.export({ format: "pem", type: "spki" }).toString();
+  const privateKeyPem = privateKey.export({ format: "pem", type: "pkcs8" }).toString();
+  return {
+    publicKeyPem,
+    privateKeyPem,
+    publicKeyFingerprint: probePublicKeyFingerprint(publicKeyPem)
+  };
+}
+function probePublicKeyFingerprint(publicKeyPem) {
+  return createHash("sha256").update(publicKeyPem.trim()).digest("hex");
+}
+function signProbeResult(input, privateKeyPem) {
+  return sign(null, Buffer.from(probeResultSigningPayload(input)), privateKeyPem).toString("base64url");
+}
+function verifyProbeResultSignature(input, publicKeyPem) {
+  try {
+    return verify(null, Buffer.from(probeResultSigningPayload(input)), publicKeyPem, Buffer.from(input.signature, "base64url"));
+  } catch {
+    return false;
+  }
+}
+function probeResultSigningPayload(input) {
+  return stableJson({
+    version: "open-uptime.probe-result.v1",
+    probeId: input.probeId,
+    jobId: input.jobId,
+    scheduleSlot: input.scheduleSlot,
+    fencingToken: input.fencingToken,
+    monitorId: input.monitorId,
+    nonce: input.nonce,
+    checkedAt: input.checkedAt,
+    status: input.status,
+    latencyMs: input.latencyMs,
+    statusCode: input.statusCode ?? null,
+    error: input.error ?? null,
+    attemptCount: input.attemptCount ?? 1,
+    monitorRevision: input.monitorRevision,
+    evidenceSha256: createHash("sha256").update(stableJson(input.evidence ?? null)).digest("hex")
+  });
+}
+function stableJson(value) {
+  if (value === undefined)
+    return "null";
+  if (value === null || typeof value !== "object")
+    return JSON.stringify(value);
+  if (Array.isArray(value))
+    return `[${value.map(stableJson).join(",")}]`;
+  const entries = Object.entries(value).filter(([, entryValue]) => entryValue !== undefined).sort(([left], [right]) => left.localeCompare(right));
+  return `{${entries.map(([key, entryValue]) => `${JSON.stringify(key)}:${stableJson(entryValue)}`).join(",")}}`;
+}
+
+// src/store.ts
+import { copyFileSync, existsSync, mkdirSync as mkdirSync2, statSync } from "fs";
+import { dirname, join as join2 } from "path";
+import { randomUUID as randomUUID2 } from "crypto";
 import { Database } from "bun:sqlite";
 
 // src/paths.ts
@@ -2661,22 +3396,21 @@ function uptimeHome() {
 function uptimeDbPath() {
   return process.env.HASNA_UPTIME_DB || join(uptimeHome(), "uptime.db");
 }
+function uptimeHostedFallbackDbPath() {
+  return process.env.HASNA_UPTIME_HOSTED_FALLBACK_DB || join(uptimeHome(), "hosted-fallback", "uptime.db");
+}
 function ensureUptimeHome() {
   const home = uptimeHome();
   mkdirSync(home, { recursive: true });
   return home;
 }
 
-// src/limits.ts
-var MIN_INTERVAL_SECONDS = 1;
-var MAX_INTERVAL_SECONDS = 86400;
-var MIN_TIMEOUT_MS = 1;
-var MAX_TIMEOUT_MS = 60000;
-var MIN_RETRY_COUNT = 0;
-var MAX_RETRY_COUNT = 10;
-var MAX_RESULT_LIMIT = 1000;
-
 // src/store.ts
+var SECRET_URL_PARAM_PATTERN = /(token|secret|password|passwd|api[_-]?key|access[_-]?token|auth|credential|session)/i;
+var REQUIRED_TABLES = ["schema_migrations", "monitors", "check_results", "incidents", "check_leases", "monitor_provenance", "import_batches", "probe_identities", "probe_check_jobs", "probe_submissions"];
+var PROBE_TABLES = new Set(["probe_identities", "probe_check_jobs", "probe_submissions"]);
+var CURRENT_SCHEMA_VERSION = "2";
+
 class StaleCheckResultError extends Error {
   constructor(message) {
     super(message);
@@ -2686,9 +3420,20 @@ class StaleCheckResultError extends Error {
 
 class UptimeStore {
   dbPath;
+  mode;
+  dataMode;
   db;
   constructor(options = {}) {
-    this.dbPath = options.dbPath ?? uptimeDbPath();
+    this.mode = resolveRuntimeMode(options.mode ?? "local");
+    const cloudDatabaseUrl = options.cloudDatabaseUrl ?? process.env.HASNA_UPTIME_DATABASE_URL;
+    if (this.mode === "hosted" && cloudDatabaseUrl) {
+      throw new Error("hosted cloud database adapter is not implemented yet");
+    }
+    if (this.mode === "hosted" && !allowHostedLocalStore(options.allowHostedLocalStore)) {
+      throw new Error("hosted mode requires a cloud data layer; set HASNA_UPTIME_ALLOW_HOSTED_LOCAL_STORE=1 only for explicit local fallback testing");
+    }
+    this.dataMode = this.mode === "hosted" ? "hosted-local-sqlite" : "local-sqlite";
+    this.dbPath = options.dbPath ?? (this.mode === "hosted" ? uptimeHostedFallbackDbPath() : uptimeDbPath());
     if (this.dbPath !== ":memory:") {
       mkdirSync2(dirname(this.dbPath), { recursive: true });
     }
@@ -2705,7 +3450,7 @@ class UptimeStore {
       CREATE TABLE IF NOT EXISTS monitors (
         id TEXT PRIMARY KEY,
         name TEXT NOT NULL UNIQUE,
-        kind TEXT NOT NULL CHECK (kind IN ('http', 'tcp')),
+        kind TEXT NOT NULL CHECK (kind IN ('http', 'tcp', 'browser_page')),
         url TEXT,
         host TEXT,
         port INTEGER,
@@ -2723,6 +3468,7 @@ class UptimeStore {
       )
     `);
     this.ensureColumn("monitors", "revision", "INTEGER NOT NULL DEFAULT 1");
+    this.ensureMonitorKindAllowsBrowserPage();
     this.db.run(`
       CREATE TABLE IF NOT EXISTS check_results (
         id TEXT PRIMARY KEY,
@@ -2732,9 +3478,11 @@ class UptimeStore {
         latency_ms REAL,
         status_code INTEGER,
         error TEXT,
-        attempt_count INTEGER NOT NULL DEFAULT 1
+        attempt_count INTEGER NOT NULL DEFAULT 1,
+        evidence_json TEXT
       )
     `);
+    this.ensureColumn("check_results", "evidence_json", "TEXT");
     this.db.run(`
       CREATE TABLE IF NOT EXISTS incidents (
         id TEXT PRIMARY KEY,
@@ -2748,6 +3496,71 @@ class UptimeStore {
         reason TEXT
       )
     `);
+    this.db.run(`
+      CREATE TABLE IF NOT EXISTS monitor_provenance (
+        monitor_id TEXT NOT NULL REFERENCES monitors(id) ON DELETE CASCADE,
+        source TEXT NOT NULL,
+        source_id TEXT NOT NULL,
+        source_label TEXT,
+        imported_at TEXT NOT NULL,
+        snapshot_json TEXT NOT NULL,
+        PRIMARY KEY (source, source_id)
+      )
+    `);
+    this.db.run(`
+      CREATE TABLE IF NOT EXISTS import_batches (
+        id TEXT PRIMARY KEY,
+        source TEXT NOT NULL,
+        status TEXT NOT NULL CHECK (status IN ('applied', 'rolled_back')),
+        created_at TEXT NOT NULL,
+        rolled_back_at TEXT,
+        records_json TEXT NOT NULL
+      )
+    `);
+    this.db.run(`
+      CREATE TABLE IF NOT EXISTS probe_identities (
+        id TEXT PRIMARY KEY,
+        name TEXT NOT NULL UNIQUE,
+        public_key_pem TEXT NOT NULL,
+        public_key_fingerprint TEXT NOT NULL UNIQUE,
+        enabled INTEGER NOT NULL DEFAULT 1,
+        created_at TEXT NOT NULL,
+        last_seen_at TEXT
+      )
+    `);
+    this.db.run(`
+      CREATE TABLE IF NOT EXISTS probe_submissions (
+        id TEXT PRIMARY KEY,
+        probe_id TEXT NOT NULL REFERENCES probe_identities(id) ON DELETE CASCADE,
+        job_id TEXT NOT NULL,
+        monitor_id TEXT NOT NULL REFERENCES monitors(id) ON DELETE CASCADE,
+        check_result_id TEXT NOT NULL REFERENCES check_results(id) ON DELETE CASCADE,
+        nonce TEXT NOT NULL,
+        checked_at TEXT NOT NULL,
+        submitted_at TEXT NOT NULL,
+        UNIQUE (probe_id, nonce)
+      )
+    `);
+    this.ensureColumn("probe_submissions", "job_id", "TEXT");
+    this.db.run(`
+      CREATE TABLE IF NOT EXISTS probe_check_jobs (
+        id TEXT PRIMARY KEY,
+        monitor_id TEXT NOT NULL REFERENCES monitors(id) ON DELETE CASCADE,
+        monitor_revision INTEGER NOT NULL DEFAULT 1,
+        schedule_slot TEXT NOT NULL,
+        status TEXT NOT NULL CHECK (status IN ('pending', 'claimed', 'submitted', 'expired', 'cancelled')),
+        claimed_by_probe_id TEXT REFERENCES probe_identities(id) ON DELETE SET NULL,
+        fencing_token TEXT,
+        due_at TEXT NOT NULL,
+        claimed_at TEXT,
+        lease_expires_at TEXT,
+        submitted_result_id TEXT REFERENCES check_results(id) ON DELETE SET NULL,
+        created_at TEXT NOT NULL,
+        updated_at TEXT NOT NULL,
+        UNIQUE (monitor_id, schedule_slot)
+      )
+    `);
+    this.ensureColumn("probe_check_jobs", "monitor_revision", "INTEGER NOT NULL DEFAULT 1");
     this.db.run(`
       CREATE TABLE IF NOT EXISTS check_leases (
         monitor_id TEXT PRIMARY KEY REFERENCES monitors(id) ON DELETE CASCADE,
@@ -2756,12 +3569,71 @@ class UptimeStore {
         acquired_at TEXT NOT NULL
       )
     `);
+    this.db.run(`
+      CREATE TABLE IF NOT EXISTS schema_migrations (
+        key TEXT PRIMARY KEY,
+        value TEXT NOT NULL,
+        updated_at TEXT NOT NULL
+      )
+    `);
+    this.db.query("INSERT OR REPLACE INTO schema_migrations (key, value, updated_at) VALUES ('schema_version', ?, ?)").run(CURRENT_SCHEMA_VERSION, new Date().toISOString());
     this.db.run("CREATE INDEX IF NOT EXISTS idx_results_monitor_time ON check_results(monitor_id, checked_at DESC)");
     this.db.run("CREATE INDEX IF NOT EXISTS idx_incidents_monitor_status ON incidents(monitor_id, status)");
     this.db.run("CREATE INDEX IF NOT EXISTS idx_check_leases_until ON check_leases(leased_until)");
+    this.db.run("CREATE INDEX IF NOT EXISTS idx_monitor_provenance_monitor ON monitor_provenance(monitor_id)");
+    this.db.run("CREATE INDEX IF NOT EXISTS idx_probe_jobs_status_due ON probe_check_jobs(status, due_at)");
+    this.db.run("CREATE INDEX IF NOT EXISTS idx_probe_jobs_probe_status ON probe_check_jobs(claimed_by_probe_id, status)");
+    this.db.run("CREATE INDEX IF NOT EXISTS idx_probe_submissions_probe_time ON probe_submissions(probe_id, submitted_at DESC)");
+    this.db.run("CREATE INDEX IF NOT EXISTS idx_probe_submissions_monitor_time ON probe_submissions(monitor_id, checked_at DESC)");
+    this.db.run("CREATE UNIQUE INDEX IF NOT EXISTS idx_probe_submissions_job ON probe_submissions(job_id) WHERE job_id IS NOT NULL AND job_id != ''");
   }
-  createMonitor(input) {
-    const normalized = normalizeCreateMonitor(input);
+  backup(destinationPath) {
+    if (this.dbPath === ":memory:" && !destinationPath) {
+      throw new Error("backup path is required for in-memory stores");
+    }
+    const createdAt = new Date().toISOString();
+    const backupPath = destinationPath ?? join2(dirname(this.dbPath), "backups", `uptime-${createdAt.replace(/[:.]/g, "-")}.db`);
+    mkdirSync2(dirname(backupPath), { recursive: true });
+    if (this.dbPath === ":memory:") {
+      this.vacuumInto(backupPath);
+    } else {
+      this.db.run("PRAGMA wal_checkpoint(TRUNCATE)");
+      copyFileSync(this.dbPath, backupPath);
+    }
+    const bytes = statSync(backupPath).size;
+    return { sourcePath: this.dbPath, backupPath, bytes, createdAt };
+  }
+  verifyBackup(backupPath) {
+    return verifyBackupFile(backupPath);
+  }
+  static verifyBackup(backupPath) {
+    return verifyBackupFile(backupPath);
+  }
+  static restoreBackup(backupPath, destinationPath = uptimeDbPath()) {
+    const check = verifyBackupFile(backupPath);
+    if (!check.ok)
+      throw new Error(`backup integrity check failed: ${check.integrity}`);
+    if (destinationPath === ":memory:")
+      throw new Error("cannot restore a backup to an in-memory store");
+    if (existsSync(destinationPath) || existsSync(`${destinationPath}-wal`) || existsSync(`${destinationPath}-shm`)) {
+      throw new Error("restore destination already exists or has SQLite sidecar files");
+    }
+    mkdirSync2(dirname(destinationPath), { recursive: true });
+    copyFileSync(backupPath, destinationPath);
+    const bytes = statSync(destinationPath).size;
+    return {
+      sourcePath: backupPath,
+      backupPath: destinationPath,
+      bytes,
+      createdAt: new Date().toISOString()
+    };
+  }
+  createMonitor(input, options = {}) {
+    if (this.mode === "hosted")
+      assertHostedTargetAllowed(input);
+    const normalized = normalizeCreateMonitor(input, options.allowBrowserPage === true);
+    if (this.mode === "hosted")
+      assertHostedTargetAllowed(normalized);
     const now = new Date().toISOString();
     const monitor = {
       id: newId("mon"),
@@ -2797,12 +3669,22 @@ class UptimeStore {
     const row = this.db.query("SELECT * FROM monitors WHERE id = ? OR name = ?").get(idOrName, idOrName);
     return row ? monitorFromRow(row) : null;
   }
-  updateMonitor(idOrName, input) {
+  updateMonitor(idOrName, input, options = {}) {
     const current = this.getMonitor(idOrName);
     if (!current)
       throw new Error(`Monitor not found: ${idOrName}`);
+    if (this.mode === "hosted") {
+      assertHostedTargetAllowed({
+        kind: input.kind ?? current.kind,
+        url: input.url ?? current.url ?? undefined,
+        host: input.host ?? current.host ?? undefined,
+        port: input.port ?? current.port ?? undefined
+      });
+    }
     const updatedAt = new Date().toISOString();
-    const next = normalizeUpdateMonitor(current, input, updatedAt);
+    const next = normalizeUpdateMonitor(current, input, updatedAt, options.allowBrowserPage === true);
+    if (this.mode === "hosted")
+      assertHostedTargetAllowed(next);
     this.db.query(`UPDATE monitors SET
           name = ?, kind = ?, url = ?, host = ?, port = ?, method = ?,
           expected_status = ?, interval_seconds = ?, timeout_ms = ?,
@@ -2821,6 +3703,185 @@ class UptimeStore {
     this.db.query("DELETE FROM monitors WHERE id = ?").run(current.id);
     return true;
   }
+  createProbeIdentity(input) {
+    const name = input.name.trim();
+    if (!name)
+      throw new Error("Probe name is required");
+    rejectControlCharacters2(name, "Probe name");
+    const now = new Date().toISOString();
+    const probe = {
+      id: newId("prb"),
+      name,
+      publicKeyPem: input.publicKeyPem.trim(),
+      publicKeyFingerprint: input.publicKeyFingerprint,
+      enabled: input.enabled ?? true,
+      createdAt: now,
+      lastSeenAt: null
+    };
+    if (!probe.publicKeyPem)
+      throw new Error("Probe public key is required");
+    this.db.query(`INSERT INTO probe_identities (
+          id, name, public_key_pem, public_key_fingerprint, enabled, created_at, last_seen_at
+        ) VALUES (?, ?, ?, ?, ?, ?, ?)`).run(probe.id, probe.name, probe.publicKeyPem, probe.publicKeyFingerprint, probe.enabled ? 1 : 0, probe.createdAt, probe.lastSeenAt);
+    return probe;
+  }
+  listProbeIdentities(options = {}) {
+    const rows = options.includeDisabled ? this.db.query("SELECT * FROM probe_identities ORDER BY name ASC").all() : this.db.query("SELECT * FROM probe_identities WHERE enabled = 1 ORDER BY name ASC").all();
+    return rows.map(probeIdentityFromRow);
+  }
+  getProbeIdentity(idOrName) {
+    const row = this.db.query("SELECT * FROM probe_identities WHERE id = ? OR name = ?").get(idOrName, idOrName);
+    return row ? probeIdentityFromRow(row) : null;
+  }
+  updateProbeIdentity(idOrName, input) {
+    const current = this.getProbeIdentity(idOrName);
+    if (!current)
+      throw new Error(`Probe not found: ${idOrName}`);
+    const name = input.name === undefined ? current.name : input.name.trim();
+    if (!name)
+      throw new Error("Probe name is required");
+    rejectControlCharacters2(name, "Probe name");
+    const enabled = input.enabled ?? current.enabled;
+    this.db.query("UPDATE probe_identities SET name = ?, enabled = ? WHERE id = ?").run(name, enabled ? 1 : 0, current.id);
+    return this.getProbeIdentity(current.id);
+  }
+  touchProbeIdentity(idOrName, seenAt = new Date().toISOString()) {
+    const probe = this.getProbeIdentity(idOrName);
+    if (!probe)
+      throw new Error(`Probe not found: ${idOrName}`);
+    this.db.query("UPDATE probe_identities SET last_seen_at = ? WHERE id = ?").run(seenAt, probe.id);
+  }
+  createProbeCheckJob(input) {
+    const monitor = this.getMonitor(input.monitorId);
+    if (!monitor)
+      throw new Error(`Monitor not found: ${input.monitorId}`);
+    if (!monitor.enabled)
+      throw new Error(`Monitor is disabled: ${monitor.name}`);
+    const scheduleSlot = normalizeScheduleSlot(input.scheduleSlot);
+    const dueAt = input.dueAt ?? new Date().toISOString();
+    assertIsoTimestamp(dueAt, "Probe job dueAt");
+    const now = new Date().toISOString();
+    const existing = this.db.query("SELECT * FROM probe_check_jobs WHERE monitor_id = ? AND schedule_slot = ?").get(monitor.id, scheduleSlot);
+    if (existing)
+      return probeCheckJobFromRow(existing);
+    const job = {
+      id: newId("job"),
+      monitorId: monitor.id,
+      monitorRevision: monitor.revision,
+      scheduleSlot,
+      status: "pending",
+      claimedByProbeId: null,
+      fencingToken: null,
+      dueAt,
+      claimedAt: null,
+      leaseExpiresAt: null,
+      submittedResultId: null,
+      createdAt: now,
+      updatedAt: now
+    };
+    this.db.query(`INSERT INTO probe_check_jobs (
+          id, monitor_id, monitor_revision, schedule_slot, status, claimed_by_probe_id, fencing_token,
+          due_at, claimed_at, lease_expires_at, submitted_result_id, created_at, updated_at
+        ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(job.id, job.monitorId, job.monitorRevision, job.scheduleSlot, job.status, job.claimedByProbeId, job.fencingToken, job.dueAt, job.claimedAt, job.leaseExpiresAt, job.submittedResultId, job.createdAt, job.updatedAt);
+    return job;
+  }
+  getProbeCheckJob(id) {
+    const row = this.db.query("SELECT * FROM probe_check_jobs WHERE id = ?").get(id);
+    return row ? probeCheckJobFromRow(row) : null;
+  }
+  claimProbeCheckJob(input) {
+    const tx = this.db.transaction(() => {
+      const probe = this.getProbeIdentity(input.probeId);
+      if (!probe)
+        throw new Error(`Probe not found: ${input.probeId}`);
+      if (!probe.enabled)
+        throw new Error(`Probe is disabled: ${probe.name}`);
+      const current = this.getProbeCheckJob(input.jobId);
+      if (!current)
+        throw new Error(`Probe job not found: ${input.jobId}`);
+      const now = new Date;
+      const nowIso = now.toISOString();
+      if (current.status === "submitted")
+        throw new Error("Probe job already submitted");
+      if (current.status === "cancelled")
+        throw new Error("Probe job is cancelled");
+      if (current.dueAt > nowIso)
+        throw new Error("Probe job is not due yet");
+      const leaseExpired = Boolean(current.leaseExpiresAt && current.leaseExpiresAt <= nowIso);
+      if (current.status === "claimed" && !leaseExpired && current.claimedByProbeId !== probe.id) {
+        throw new Error("Probe job already claimed by another probe");
+      }
+      if (current.status !== "pending" && current.status !== "claimed" && current.status !== "expired") {
+        throw new Error(`Probe job is not claimable: ${current.status}`);
+      }
+      const leaseExpiresAt = new Date(now.getTime() + Math.max(1000, input.leaseTtlMs ?? 120000)).toISOString();
+      const fencingToken = newId("fence");
+      const update = this.db.query(`UPDATE probe_check_jobs
+           SET status = 'claimed', claimed_by_probe_id = ?, fencing_token = ?, claimed_at = ?, lease_expires_at = ?, updated_at = ?
+           WHERE id = ?
+             AND submitted_result_id IS NULL
+             AND (
+               status IN ('pending', 'expired')
+               OR (status = 'claimed' AND (claimed_by_probe_id = ? OR lease_expires_at <= ?))
+             )`).run(probe.id, fencingToken, nowIso, leaseExpiresAt, nowIso, current.id, probe.id, nowIso);
+      if (statementChanges(update) !== 1)
+        throw new Error("Probe job claim raced; retry");
+      this.touchProbeIdentity(probe.id, nowIso);
+      return this.getProbeCheckJob(current.id);
+    });
+    return tx();
+  }
+  completeProbeCheckJob(input) {
+    const job = this.getProbeCheckJob(input.jobId);
+    if (!job)
+      throw new Error(`Probe job not found: ${input.jobId}`);
+    const submittedAt = input.submittedAt ?? new Date().toISOString();
+    if (job.status !== "claimed")
+      throw new Error(`Probe job is not claimable for submission: ${job.status}`);
+    if (job.claimedByProbeId !== input.probeId)
+      throw new Error("Probe job was claimed by another probe");
+    if (job.fencingToken !== input.fencingToken)
+      throw new Error("Probe job fencing token is invalid");
+    if (!job.leaseExpiresAt || job.leaseExpiresAt <= submittedAt) {
+      this.expireProbeCheckJob(job.id, submittedAt);
+      throw new Error("Probe job lease expired");
+    }
+    const update = this.db.query(`UPDATE probe_check_jobs
+         SET status = 'submitted', submitted_result_id = ?, updated_at = ?
+         WHERE id = ?
+           AND status = 'claimed'
+           AND claimed_by_probe_id = ?
+           AND fencing_token = ?
+           AND lease_expires_at > ?
+           AND submitted_result_id IS NULL`).run(input.checkResultId, submittedAt, job.id, input.probeId, input.fencingToken, submittedAt);
+    if (statementChanges(update) !== 1)
+      throw new Error("Probe job submission raced; retry");
+    return this.getProbeCheckJob(job.id);
+  }
+  expireProbeCheckJob(jobId, updatedAt = new Date().toISOString()) {
+    this.db.query("UPDATE probe_check_jobs SET status = 'expired', updated_at = ? WHERE id = ? AND status != 'submitted'").run(updatedAt, jobId);
+  }
+  getProbeSubmission(probeId, nonce) {
+    const row = this.db.query("SELECT * FROM probe_submissions WHERE probe_id = ? AND nonce = ?").get(probeId, nonce);
+    return row ? probeSubmissionFromRow(row) : null;
+  }
+  recordProbeSubmission(input) {
+    const submittedAt = input.submittedAt ?? new Date().toISOString();
+    const receipt = {
+      id: newId("psb"),
+      probeId: input.probeId,
+      jobId: input.jobId,
+      monitorId: input.monitorId,
+      checkResultId: input.checkResultId,
+      nonce: input.nonce,
+      checkedAt: input.checkedAt,
+      submittedAt
+    };
+    this.db.query(`INSERT INTO probe_submissions (
+          id, probe_id, job_id, monitor_id, check_result_id, nonce, checked_at, submitted_at
+        ) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`).run(receipt.id, receipt.probeId, receipt.jobId, receipt.monitorId, receipt.checkResultId, receipt.nonce, receipt.checkedAt, receipt.submittedAt);
+    return receipt;
+  }
   acquireCheckLease(monitorId, owner, ttlMs) {
     const now = new Date;
     const nowIso = now.toISOString();
@@ -2855,7 +3916,8 @@ class UptimeStore {
       latencyMs: input.latencyMs,
       statusCode: input.statusCode,
       error: input.error,
-      attemptCount: Math.max(1, input.attemptCount)
+      attemptCount: Math.max(1, input.attemptCount),
+      evidence: input.evidence ?? null
     };
     const tx = this.db.transaction(() => {
       const current = this.db.query("SELECT * FROM monitors WHERE id = ?").get(result.monitorId);
@@ -2868,19 +3930,59 @@ class UptimeStore {
         throw new StaleCheckResultError(`Monitor was disabled while check was in progress: ${current.name}`);
       }
       this.db.query(`INSERT INTO check_results (
-            id, monitor_id, checked_at, status, latency_ms, status_code, error, attempt_count
-          ) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`).run(result.id, result.monitorId, result.checkedAt, result.status, result.latencyMs, result.statusCode, result.error, result.attemptCount);
+            id, monitor_id, checked_at, status, latency_ms, status_code, error, attempt_count, evidence_json
+          ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(result.id, result.monitorId, result.checkedAt, result.status, result.latencyMs, result.statusCode, result.error, result.attemptCount, result.evidence ? JSON.stringify(result.evidence) : null);
       this.db.query("UPDATE monitors SET status = ?, last_checked_at = ?, updated_at = ? WHERE id = ?").run(result.status, result.checkedAt, result.checkedAt, result.monitorId);
       this.reconcileIncidentInTransaction(result);
     });
     tx();
     return result;
   }
+  getCheckResult(id) {
+    const row = this.db.query("SELECT * FROM check_results WHERE id = ?").get(id);
+    return row ? checkResultFromRow(row) : null;
+  }
   listResults(options = {}) {
     const limit = clampLimit(options.limit ?? 50);
     const rows = options.monitorId ? this.db.query("SELECT * FROM check_results WHERE monitor_id = ? ORDER BY checked_at DESC LIMIT ?").all(options.monitorId, limit) : this.db.query("SELECT * FROM check_results ORDER BY checked_at DESC LIMIT ?").all(limit);
     return rows.map(checkResultFromRow);
   }
+  getProvenance(source, sourceId) {
+    const row = this.db.query("SELECT * FROM monitor_provenance WHERE source = ? AND source_id = ?").get(source, sourceId);
+    return row ? provenanceFromRow(row) : null;
+  }
+  upsertMonitorProvenance(input) {
+    const importedAt = new Date().toISOString();
+    this.db.query(`INSERT INTO monitor_provenance (
+          monitor_id, source, source_id, source_label, imported_at, snapshot_json
+        ) VALUES (?, ?, ?, ?, ?, ?)
+        ON CONFLICT(source, source_id) DO UPDATE SET
+          monitor_id = excluded.monitor_id,
+          source_label = excluded.source_label,
+          imported_at = excluded.imported_at,
+          snapshot_json = excluded.snapshot_json`).run(input.monitorId, input.source, input.sourceId, input.sourceLabel ?? null, importedAt, JSON.stringify(input.snapshot));
+    return this.getProvenance(input.source, input.sourceId);
+  }
+  saveImportBatch(input) {
+    const createdAt = new Date().toISOString();
+    this.db.query("INSERT INTO import_batches (id, source, status, created_at, rolled_back_at, records_json) VALUES (?, ?, 'applied', ?, NULL, ?)").run(input.id, input.source, createdAt, JSON.stringify(input.records));
+    return this.getImportBatch(input.id);
+  }
+  getImportBatch(batchId) {
+    const row = this.db.query("SELECT * FROM import_batches WHERE id = ?").get(batchId);
+    return row ? importBatchFromRow(row) : null;
+  }
+  markImportBatchRolledBack(batchId) {
+    const rolledBackAt = new Date().toISOString();
+    this.db.query("UPDATE import_batches SET status = 'rolled_back', rolled_back_at = ? WHERE id = ?").run(rolledBackAt, batchId);
+    const batch = this.getImportBatch(batchId);
+    if (!batch)
+      throw new Error(`Import batch not found: ${batchId}`);
+    return batch;
+  }
+  runInTransaction(fn) {
+    return this.db.transaction(fn)();
+  }
   listIncidents(options = {}) {
     const clauses = [];
     const args = [];
@@ -2968,16 +4070,115 @@ class UptimeStore {
       this.db.run(`ALTER TABLE ${table} ADD COLUMN ${name} ${definition}`);
     }
   }
+  ensureMonitorKindAllowsBrowserPage() {
+    const row = this.db.query("SELECT sql FROM sqlite_master WHERE type = 'table' AND name = 'monitors'").get();
+    if (!row?.sql || row.sql.includes("browser_page"))
+      return;
+    this.db.run("PRAGMA foreign_keys = OFF");
+    this.db.run("PRAGMA legacy_alter_table = ON");
+    try {
+      const migrate = this.db.transaction(() => {
+        this.db.run("ALTER TABLE monitors RENAME TO monitors_old_kind");
+        this.db.run(`
+          CREATE TABLE monitors (
+            id TEXT PRIMARY KEY,
+            name TEXT NOT NULL UNIQUE,
+            kind TEXT NOT NULL CHECK (kind IN ('http', 'tcp', 'browser_page')),
+            url TEXT,
+            host TEXT,
+            port INTEGER,
+            method TEXT NOT NULL DEFAULT 'GET',
+            expected_status INTEGER,
+            interval_seconds INTEGER NOT NULL DEFAULT 60,
+            timeout_ms INTEGER NOT NULL DEFAULT 5000,
+            retry_count INTEGER NOT NULL DEFAULT 0,
+            enabled INTEGER NOT NULL DEFAULT 1,
+            status TEXT NOT NULL DEFAULT 'unknown',
+            last_checked_at TEXT,
+            revision INTEGER NOT NULL DEFAULT 1,
+            created_at TEXT NOT NULL,
+            updated_at TEXT NOT NULL
+          )
+        `);
+        this.db.run(`
+          INSERT INTO monitors (
+            id, name, kind, url, host, port, method, expected_status,
+            interval_seconds, timeout_ms, retry_count, enabled, status,
+            last_checked_at, revision, created_at, updated_at
+          )
+          SELECT
+            id, name, kind, url, host, port, method, expected_status,
+            interval_seconds, timeout_ms, retry_count, enabled, status,
+            last_checked_at, revision, created_at, updated_at
+          FROM monitors_old_kind
+        `);
+        this.db.run("DROP TABLE monitors_old_kind");
+      });
+      migrate();
+    } finally {
+      this.db.run("PRAGMA legacy_alter_table = OFF");
+      this.db.run("PRAGMA foreign_keys = ON");
+    }
+  }
+  vacuumInto(backupPath) {
+    const quoted = backupPath.replace(/'/g, "''");
+    this.db.run(`VACUUM INTO '${quoted}'`);
+  }
+}
+function resolveRuntimeMode(mode) {
+  const value = mode ?? process.env.HASNA_UPTIME_MODE ?? "local";
+  if (value === "local" || value === "hosted")
+    return value;
+  throw new Error("HASNA_UPTIME_MODE must be local or hosted");
+}
+function allowHostedLocalStore(value) {
+  return value === true || process.env.HASNA_UPTIME_ALLOW_HOSTED_LOCAL_STORE === "1";
+}
+function verifyBackupFile(backupPath) {
+  const db = new Database(backupPath, { readonly: true });
+  try {
+    const integrityRow = db.query("PRAGMA integrity_check").get();
+    const integrity = String(integrityRow?.integrity_check ?? "unknown");
+    const missingTables = REQUIRED_TABLES.filter((table) => !tableExists(db, table));
+    const schemaVersion = missingTables.includes("schema_migrations") ? null : db.query("SELECT value FROM schema_migrations WHERE key = 'schema_version'").get()?.value ?? null;
+    const currentOk = missingTables.length === 0 && schemaVersion === CURRENT_SCHEMA_VERSION;
+    const restorableV1 = schemaVersion === "1" && missingTables.every((table) => PROBE_TABLES.has(table));
+    return {
+      ok: integrity === "ok" && (currentOk || restorableV1),
+      backupPath,
+      integrity,
+      schemaVersion,
+      missingTables,
+      monitors: tableCount(db, "monitors"),
+      results: tableCount(db, "check_results"),
+      incidents: tableCount(db, "incidents")
+    };
+  } finally {
+    db.close();
+  }
+}
+function tableCount(db, table) {
+  if (!tableExists(db, table))
+    return 0;
+  const row = db.query(`SELECT COUNT(*) AS count FROM ${table}`).get();
+  return Number(row?.count ?? 0);
+}
+function tableExists(db, table) {
+  const row = db.query("SELECT COUNT(*) AS count FROM sqlite_master WHERE type = 'table' AND name = ?").get(table);
+  return Number(row?.count ?? 0) > 0;
 }
-function normalizeCreateMonitor(input) {
+function normalizeCreateMonitor(input, allowBrowserPage = false) {
   const name = input.name?.trim();
   if (!name)
     throw new Error("Monitor name is required");
-  rejectControlCharacters(name, "Monitor name");
+  rejectControlCharacters2(name, "Monitor name");
   const method = normalizeMethod(input.method ?? "GET");
   const expectedStatus = normalizeExpectedStatus(input.expectedStatus);
   const enabled = normalizeEnabled(input.enabled);
-  if (input.kind === "http") {
+  if (input.kind === "http" || input.kind === "browser_page") {
+    if (input.kind === "browser_page" && !allowBrowserPage) {
+      throw new Error("browser_page monitors must be imported with explicit browser evidence support");
+    }
     const url = normalizeHttpUrl(input.url);
     return {
       name,
@@ -2985,16 +4186,16 @@ function normalizeCreateMonitor(input) {
       url,
       method,
       expectedStatus,
-      intervalSeconds: boundedInteger(input.intervalSeconds ?? 60, "intervalSeconds", MIN_INTERVAL_SECONDS, MAX_INTERVAL_SECONDS),
-      timeoutMs: boundedInteger(input.timeoutMs ?? 5000, "timeoutMs", MIN_TIMEOUT_MS, MAX_TIMEOUT_MS),
-      retryCount: boundedInteger(input.retryCount ?? 0, "retryCount", MIN_RETRY_COUNT, MAX_RETRY_COUNT),
+      intervalSeconds: boundedInteger2(input.intervalSeconds ?? 60, "intervalSeconds", MIN_INTERVAL_SECONDS, MAX_INTERVAL_SECONDS),
+      timeoutMs: boundedInteger2(input.timeoutMs ?? 5000, "timeoutMs", MIN_TIMEOUT_MS, MAX_TIMEOUT_MS),
+      retryCount: boundedInteger2(input.retryCount ?? 0, "retryCount", MIN_RETRY_COUNT, MAX_RETRY_COUNT),
       enabled
     };
   } else if (input.kind === "tcp") {
     const host = input.host?.trim();
     if (!host)
       throw new Error("TCP monitors require host");
-    rejectControlCharacters(host, "TCP host");
+    rejectControlCharacters2(host, "TCP host");
     if (!Number.isInteger(input.port) || input.port <= 0 || input.port > 65535) {
       throw new Error("TCP monitors require a port from 1 to 65535");
     }
@@ -3005,19 +4206,19 @@ function normalizeCreateMonitor(input) {
       port: input.port,
       method,
       expectedStatus: null,
-      intervalSeconds: boundedInteger(input.intervalSeconds ?? 60, "intervalSeconds", MIN_INTERVAL_SECONDS, MAX_INTERVAL_SECONDS),
-      timeoutMs: boundedInteger(input.timeoutMs ?? 5000, "timeoutMs", MIN_TIMEOUT_MS, MAX_TIMEOUT_MS),
-      retryCount: boundedInteger(input.retryCount ?? 0, "retryCount", MIN_RETRY_COUNT, MAX_RETRY_COUNT),
+      intervalSeconds: boundedInteger2(input.intervalSeconds ?? 60, "intervalSeconds", MIN_INTERVAL_SECONDS, MAX_INTERVAL_SECONDS),
+      timeoutMs: boundedInteger2(input.timeoutMs ?? 5000, "timeoutMs", MIN_TIMEOUT_MS, MAX_TIMEOUT_MS),
+      retryCount: boundedInteger2(input.retryCount ?? 0, "retryCount", MIN_RETRY_COUNT, MAX_RETRY_COUNT),
       enabled
     };
   } else {
-    throw new Error("Monitor kind must be http or tcp");
+    throw new Error("Monitor kind must be http, tcp, or browser_page");
   }
 }
 function definitionChanged(current, next) {
   return next.kind !== current.kind || next.url !== current.url || next.host !== current.host || next.port !== current.port || next.method !== current.method || next.expectedStatus !== current.expectedStatus;
 }
-function normalizeUpdateMonitor(current, input, updatedAt) {
+function normalizeUpdateMonitor(current, input, updatedAt, allowBrowserPage = false) {
   const merged = {
     ...current,
     ...input,
@@ -3036,7 +4237,7 @@ function normalizeUpdateMonitor(current, input, updatedAt) {
     timeoutMs: merged.timeoutMs,
     retryCount: merged.retryCount,
     enabled: merged.enabled
-  });
+  }, allowBrowserPage || current.kind === "browser_page");
   const checkDefinitionChanged = normalized.kind !== current.kind || (normalized.url ?? null) !== current.url || (normalized.host ?? null) !== current.host || (normalized.port ?? null) !== current.port || normalized.method !== current.method || normalized.expectedStatus !== current.expectedStatus;
   const status = normalized.enabled ? checkDefinitionChanged || !current.enabled ? "unknown" : current.status : "paused";
   return {
@@ -3065,6 +4266,11 @@ function normalizeHttpUrl(value) {
   if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
     throw new Error("HTTP monitor url must use http or https");
   }
+  for (const key of [...parsed.searchParams.keys()]) {
+    if (SECRET_URL_PARAM_PATTERN.test(key))
+      parsed.searchParams.set(key, "[redacted]");
+  }
+  parsed.hash = "";
   return parsed.toString();
 }
 function normalizeMethod(value) {
@@ -3088,11 +4294,25 @@ function normalizeEnabled(value) {
     throw new Error("enabled must be a boolean");
   return value;
 }
-function rejectControlCharacters(value, label) {
+function rejectControlCharacters2(value, label) {
   if (/[\x00-\x1f\x7f-\x9f]/.test(value)) {
     throw new Error(`${label} must not contain control characters`);
   }
 }
+function normalizeScheduleSlot(value) {
+  const slot = value.trim();
+  if (!slot)
+    throw new Error("Probe job scheduleSlot is required");
+  if (slot.length > 128)
+    throw new Error("Probe job scheduleSlot is too long");
+  rejectControlCharacters2(slot, "Probe job scheduleSlot");
+  return slot;
+}
+function assertIsoTimestamp(value, label) {
+  if (!Number.isFinite(Date.parse(value))) {
+    throw new Error(`${label} must be an ISO timestamp`);
+  }
+}
 function monitorFromRow(row) {
   return {
     id: row.id,
@@ -3123,9 +4343,83 @@ function checkResultFromRow(row) {
     latencyMs: row.latency_ms,
     statusCode: row.status_code,
     error: row.error,
-    attemptCount: row.attempt_count
+    attemptCount: row.attempt_count,
+    evidence: parseEvidence(row.evidence_json)
+  };
+}
+function provenanceFromRow(row) {
+  return {
+    monitorId: row.monitor_id,
+    source: row.source,
+    sourceId: row.source_id,
+    sourceLabel: row.source_label,
+    importedAt: row.imported_at,
+    snapshot: parseJson(row.snapshot_json)
+  };
+}
+function importBatchFromRow(row) {
+  return {
+    id: row.id,
+    source: row.source,
+    status: row.status,
+    createdAt: row.created_at,
+    rolledBackAt: row.rolled_back_at,
+    records: Array.isArray(parseJson(row.records_json)) ? parseJson(row.records_json) : []
+  };
+}
+function probeIdentityFromRow(row) {
+  return {
+    id: row.id,
+    name: row.name,
+    publicKeyPem: row.public_key_pem,
+    publicKeyFingerprint: row.public_key_fingerprint,
+    enabled: Boolean(row.enabled),
+    createdAt: row.created_at,
+    lastSeenAt: row.last_seen_at
+  };
+}
+function probeSubmissionFromRow(row) {
+  return {
+    id: row.id,
+    probeId: row.probe_id,
+    jobId: row.job_id ?? "",
+    monitorId: row.monitor_id,
+    checkResultId: row.check_result_id,
+    nonce: row.nonce,
+    checkedAt: row.checked_at,
+    submittedAt: row.submitted_at
+  };
+}
+function probeCheckJobFromRow(row) {
+  return {
+    id: row.id,
+    monitorId: row.monitor_id,
+    monitorRevision: row.monitor_revision ?? 1,
+    scheduleSlot: row.schedule_slot,
+    status: row.status,
+    claimedByProbeId: row.claimed_by_probe_id,
+    fencingToken: row.fencing_token,
+    dueAt: row.due_at,
+    claimedAt: row.claimed_at,
+    leaseExpiresAt: row.lease_expires_at,
+    submittedResultId: row.submitted_result_id,
+    createdAt: row.created_at,
+    updatedAt: row.updated_at
   };
 }
+function parseEvidence(value) {
+  if (!value)
+    return null;
+  const parsed = parseJson(value);
+  return parsed && typeof parsed === "object" ? parsed : null;
+}
+function parseJson(value) {
+  try {
+    return JSON.parse(value);
+  } catch {
+    return null;
+  }
+}
 function incidentFromRow(row) {
   return {
     id: row.id,
@@ -3140,9 +4434,9 @@ function incidentFromRow(row) {
   };
 }
 function newId(prefix) {
-  return `${prefix}_${randomUUID().replace(/-/g, "").slice(0, 18)}`;
+  return `${prefix}_${randomUUID2().replace(/-/g, "").slice(0, 18)}`;
 }
-function boundedInteger(value, label, min, max) {
+function boundedInteger2(value, label, min, max) {
   if (!Number.isInteger(value) || value < min || value > max) {
     throw new Error(`${label} must be an integer from ${min} to ${max}`);
   }
@@ -3153,6 +4447,9 @@ function clampLimit(value) {
     return 50;
   return Math.max(1, Math.min(Math.floor(value), MAX_RESULT_LIMIT));
 }
+function statementChanges(result) {
+  return Number(result?.changes ?? 0);
+}
 function round(value, places) {
   const factor = 10 ** places;
   return Math.round(value * factor) / factor;
@@ -3227,7 +4524,7 @@ function renderMonitorLine(item) {
   return `- ${item.monitor.status.toUpperCase()} ${item.monitor.name} (${targetLabel(item)}): uptime ${uptime}, latency ${latency}${incident}`;
 }
 function targetLabel(item) {
-  return item.monitor.kind === "http" ? item.monitor.url ?? "" : `${item.monitor.host}:${item.monitor.port}`;
+  return item.monitor.kind === "tcp" ? `${item.monitor.host}:${item.monitor.port}` : item.monitor.url ?? "";
 }
 function resolveEmailTarget(value) {
   const target = typeof value === "boolean" ? {} : value;
@@ -3429,13 +4726,16 @@ function redactOptional(value, secrets) {
 }
 
 // src/service.ts
+var MAX_PROBE_RESULT_AGE_MS = 15 * 60000;
+var MAX_PROBE_RESULT_FUTURE_MS = 5 * 60000;
+
 class UptimeService {
   store;
   checkRunner;
-  leaseOwner = `svc_${randomUUID2().replace(/-/g, "").slice(0, 18)}`;
+  leaseOwner = `svc_${randomUUID3().replace(/-/g, "").slice(0, 18)}`;
   inFlightChecks = new Set;
   constructor(options = {}) {
-    this.store = options.store ?? new UptimeStore(options);
+    this.store = options.store ?? new UptimeStore({ mode: "local", ...options });
     this.checkRunner = options.checkRunner ?? runMonitorCheck;
   }
   close() {
@@ -3465,13 +4765,71 @@ class UptimeService {
   summary() {
     return this.store.summary();
   }
+  createProbe(input) {
+    const store = this.probeStore();
+    const publicKeyPem = input.publicKeyPem ? normalizeProbePublicKeyPem(input.publicKeyPem) : undefined;
+    const keyPair = publicKeyPem ? {
+      publicKeyPem,
+      privateKeyPem: undefined,
+      publicKeyFingerprint: probePublicKeyFingerprint(publicKeyPem)
+    } : generateProbeKeyPair();
+    const probe = store.createProbeIdentity({
+      name: input.name,
+      publicKeyPem: keyPair.publicKeyPem,
+      publicKeyFingerprint: keyPair.publicKeyFingerprint,
+      enabled: input.enabled
+    });
+    return { ...probe, privateKeyPem: keyPair.privateKeyPem };
+  }
+  listProbes(options = {}) {
+    return this.probeStore().listProbeIdentities(options);
+  }
+  getProbe(idOrName) {
+    return this.probeStore().getProbeIdentity(idOrName);
+  }
+  updateProbe(idOrName, input) {
+    return this.probeStore().updateProbeIdentity(idOrName, input);
+  }
+  createProbeCheckJob(input) {
+    return this.probeStore().createProbeCheckJob(input);
+  }
+  getProbeCheckJob(id) {
+    return this.probeStore().getProbeCheckJob(id);
+  }
+  claimProbeCheckJob(input) {
+    return this.probeStore().claimProbeCheckJob(input);
+  }
+  submitProbeResult(input) {
+    const execute = () => this.submitProbeResultInTransaction(input);
+    return this.store.runInTransaction ? this.store.runInTransaction(execute) : execute();
+  }
+  previewImport(request) {
+    return previewImport(this.store, request);
+  }
+  applyImport(request) {
+    return applyImport(this.store, request);
+  }
+  rollbackImport(batchId) {
+    return rollbackImport(this.store, batchId);
+  }
+  backup(destinationPath) {
+    return this.store.backup(destinationPath);
+  }
+  verifyBackup(backupPath) {
+    return this.store.verifyBackup(backupPath);
+  }
   buildReport(options = {}) {
     return buildUptimeReport(this.summary(), options);
   }
   async sendReport(options = {}) {
+    if (this.store.mode === "hosted" && (options.email || options.sms || options.logs)) {
+      throw new Error("hosted report delivery requires configured channel refs");
+    }
     return sendUptimeReport(this.summary(), options);
   }
   async checkMonitor(idOrName) {
+    if (this.store.mode === "hosted")
+      throw new Error("hosted checks require check_jobs and probes");
     const monitor = this.store.getMonitor(idOrName);
     if (!monitor)
       throw new Error(`Monitor not found: ${idOrName}`);
@@ -3500,6 +4858,7 @@ class UptimeService {
         latencyMs: last.latencyMs,
         statusCode: last.statusCode ?? null,
         error: last.error ?? null,
+        evidence: last.evidence ?? null,
         attemptCount,
         expectedMonitorRevision: monitor.revision
       });
@@ -3509,6 +4868,8 @@ class UptimeService {
     }
   }
   async checkAll() {
+    if (this.store.mode === "hosted")
+      throw new Error("hosted checks require check_jobs and probes");
     const monitors = this.store.listMonitors();
     const results = [];
     for (const monitor of monitors) {
@@ -3517,6 +4878,8 @@ class UptimeService {
     return results;
   }
   startScheduler(options = {}) {
+    if (this.store.mode === "hosted")
+      throw new Error("hosted scheduler requires check_jobs and probes");
     const tickMs = options.tickMs ?? 1000;
     const timer = setInterval(() => {
       this.runDueChecks().catch((error) => {
@@ -3528,6 +4891,8 @@ class UptimeService {
     };
   }
   async runDueChecks(now = new Date) {
+    if (this.store.mode === "hosted")
+      throw new Error("hosted checks require check_jobs and probes");
     const due = this.store.listMonitors().filter((monitor) => this.isDue(monitor, now));
     const results = [];
     for (const monitor of due) {
@@ -3554,6 +4919,113 @@ class UptimeService {
     const last = new Date(monitor.lastCheckedAt).getTime();
     return now.getTime() - last >= monitor.intervalSeconds * 1000;
   }
+  probeStore() {
+    if (this.store.mode === "hosted") {
+      throw new Error("hosted probe APIs require cloud check_jobs, workspace stores, and audit logging");
+    }
+    const store = this.store;
+    const required = [
+      "createProbeIdentity",
+      "listProbeIdentities",
+      "getProbeIdentity",
+      "updateProbeIdentity",
+      "touchProbeIdentity",
+      "createProbeCheckJob",
+      "getProbeCheckJob",
+      "claimProbeCheckJob",
+      "completeProbeCheckJob",
+      "getProbeSubmission",
+      "recordProbeSubmission"
+    ];
+    for (const method of required) {
+      if (typeof store[method] !== "function") {
+        throw new Error("probe support requires a probe-capable store");
+      }
+    }
+    return store;
+  }
+  submitProbeResultInTransaction(input) {
+    const store = this.probeStore();
+    const probe = store.getProbeIdentity(input.probeId);
+    if (!probe)
+      throw new Error(`Probe not found: ${input.probeId}`);
+    if (!probe.enabled)
+      throw new Error(`Probe is disabled: ${probe.name}`);
+    const monitor = this.store.getMonitor(input.monitorId);
+    if (!monitor)
+      throw new Error(`Monitor not found: ${input.monitorId}`);
+    if (!monitor.enabled)
+      throw new Error(`Monitor is disabled: ${monitor.name}`);
+    if (probe.id !== input.probeId)
+      throw new Error("Probe result must use canonical probe id");
+    if (monitor.id !== input.monitorId)
+      throw new Error("Probe result must use canonical monitor id");
+    validateProbeSubmission(input);
+    const job = store.getProbeCheckJob(input.jobId);
+    if (!job)
+      throw new Error(`Probe job not found: ${input.jobId}`);
+    if (job.monitorId !== monitor.id)
+      throw new Error("Probe job does not match monitor");
+    if (job.scheduleSlot !== input.scheduleSlot)
+      throw new Error("Probe job scheduleSlot does not match submission");
+    if (!verifyProbeResultSignature({ ...input, probeId: probe.id, monitorId: monitor.id }, probe.publicKeyPem)) {
+      throw new Error("Probe result signature is invalid");
+    }
+    const existingReceipt = store.getProbeSubmission(probe.id, input.nonce);
+    if (existingReceipt) {
+      if (existingReceipt.jobId !== input.jobId || existingReceipt.monitorId !== monitor.id || existingReceipt.checkedAt !== input.checkedAt) {
+        throw new Error("Probe nonce already submitted");
+      }
+      const existingResult = this.store.getCheckResult?.(existingReceipt.checkResultId);
+      if (!existingResult)
+        throw new Error("Probe nonce already submitted");
+      return { result: existingResult, receipt: existingReceipt };
+    }
+    if (job.monitorRevision !== input.monitorRevision)
+      throw new Error("Probe job monitorRevision does not match submission");
+    if (job.monitorRevision !== monitor.revision)
+      throw new StaleCheckResultError(`Monitor changed since probe job was created: ${monitor.name}`);
+    if (job.status === "submitted")
+      throw new Error("Probe job already submitted");
+    if (job.status === "cancelled")
+      throw new Error("Probe job is cancelled");
+    if (job.status !== "claimed")
+      throw new Error(`Probe job is not claimable for submission: ${job.status}`);
+    if (job.claimedByProbeId !== probe.id)
+      throw new Error("Probe job was claimed by another probe");
+    if (job.fencingToken !== input.fencingToken)
+      throw new Error("Probe job fencing token is invalid");
+    if (!job.leaseExpiresAt || job.leaseExpiresAt <= new Date().toISOString())
+      throw new Error("Probe job lease expired");
+    const result = this.store.recordCheckResult({
+      monitorId: monitor.id,
+      checkedAt: input.checkedAt,
+      status: input.status,
+      latencyMs: input.latencyMs,
+      statusCode: input.statusCode ?? null,
+      error: input.error ?? null,
+      evidence: input.evidence ?? null,
+      attemptCount: input.attemptCount ?? 1,
+      expectedMonitorRevision: input.monitorRevision
+    });
+    const receipt = store.recordProbeSubmission({
+      probeId: probe.id,
+      jobId: job.id,
+      monitorId: monitor.id,
+      checkResultId: result.id,
+      nonce: input.nonce,
+      checkedAt: input.checkedAt
+    });
+    store.completeProbeCheckJob({
+      jobId: job.id,
+      probeId: probe.id,
+      fencingToken: input.fencingToken,
+      checkResultId: result.id,
+      submittedAt: receipt.submittedAt
+    });
+    store.touchProbeIdentity(probe.id, receipt.submittedAt);
+    return { result, receipt };
+  }
 }
 class MonitorCheckBusyError extends Error {
   constructor(message) {
@@ -3561,16 +5033,68 @@ class MonitorCheckBusyError extends Error {
     this.name = "MonitorCheckBusyError";
   }
 }
+function validateProbeSubmission(input) {
+  if (!input.jobId.trim())
+    throw new Error("Probe submission jobId is required");
+  if (!input.scheduleSlot.trim())
+    throw new Error("Probe submission scheduleSlot is required");
+  if (!input.fencingToken.trim())
+    throw new Error("Probe submission fencingToken is required");
+  if (!input.nonce.trim())
+    throw new Error("Probe submission nonce is required");
+  if (input.nonce.length > 128)
+    throw new Error("Probe submission nonce is too long");
+  if (/[\x00-\x1f\x7f-\x9f]/.test(input.nonce))
+    throw new Error("Probe submission nonce must not contain control characters");
+  if (input.status !== "up" && input.status !== "down")
+    throw new Error("Probe result status must be up or down");
+  if (input.latencyMs !== null && (!Number.isFinite(input.latencyMs) || input.latencyMs < 0)) {
+    throw new Error("Probe result latencyMs must be null or a non-negative number");
+  }
+  if (input.statusCode !== undefined && input.statusCode !== null && (!Number.isInteger(input.statusCode) || input.statusCode < 100 || input.statusCode > 599)) {
+    throw new Error("Probe result statusCode must be an HTTP status from 100 to 599");
+  }
+  if (input.attemptCount !== undefined && (!Number.isInteger(input.attemptCount) || input.attemptCount < 1 || input.attemptCount > 20)) {
+    throw new Error("Probe result attemptCount must be an integer from 1 to 20");
+  }
+  const monitorRevision = input.monitorRevision;
+  if (!Number.isInteger(monitorRevision) || monitorRevision < 1) {
+    throw new Error("Probe result monitorRevision is required");
+  }
+  const checkedAtMs = Date.parse(input.checkedAt);
+  if (!Number.isFinite(checkedAtMs))
+    throw new Error("Probe result checkedAt must be an ISO timestamp");
+  const now = Date.now();
+  if (checkedAtMs > now + MAX_PROBE_RESULT_FUTURE_MS)
+    throw new Error("Probe result checkedAt is too far in the future");
+  if (checkedAtMs < now - MAX_PROBE_RESULT_AGE_MS)
+    throw new Error("Probe result checkedAt is too old");
+  if (!input.signature.trim())
+    throw new Error("Probe result signature is required");
+}
+function normalizeProbePublicKeyPem(publicKeyPem) {
+  try {
+    const key = createPublicKey(publicKeyPem);
+    if (key.asymmetricKeyType !== "ed25519") {
+      throw new Error("Probe public key must be an Ed25519 public key");
+    }
+    return key.export({ format: "pem", type: "spki" }).toString();
+  } catch (error) {
+    if (error instanceof Error && error.message.includes("Ed25519"))
+      throw error;
+    throw new Error("Probe public key must be a valid PEM Ed25519 public key");
+  }
+}
 
 // src/version.ts
 import { readFileSync } from "fs";
-import { dirname as dirname2, join as join2 } from "path";
+import { dirname as dirname2, join as join3 } from "path";
 import { fileURLToPath } from "url";
 function packageVersion() {
   const here = dirname2(fileURLToPath(import.meta.url));
   const candidates = [
-    join2(here, "..", "package.json"),
-    join2(here, "..", "..", "package.json")
+    join3(here, "..", "package.json"),
+    join3(here, "..", "..", "package.json")
   ];
   for (const candidate of candidates) {
     try {
@@ -3580,6 +5104,9 @@ function packageVersion() {
   return "0.0.0";
 }
 
+// src/api.ts
+import { timingSafeEqual } from "crypto";
+
 // src/dashboard.ts
 function dashboardHtml() {
   return `<!doctype html>
@@ -3796,7 +5323,7 @@ function dashboardHtml() {
       clear(root);
       for (const item of summary.monitors) {
         const m = item.monitor;
-        const target = m.kind === 'http' ? m.url : m.host + ':' + m.port;
+        const target = m.kind === 'tcp' ? m.host + ':' + m.port : m.url;
         const incident = item.openIncident ? 'open since ' + new Date(item.openIncident.openedAt).toLocaleString() : '-';
         const tr = document.createElement('tr');
         const name = document.createElement('td');
@@ -3932,82 +5459,54 @@ function dashboardHtml() {
 
 // src/api.ts
 function createApiHandler(service, options = {}) {
+  const mode = options.mode ? resolveRuntimeMode(options.mode) : service.store.mode;
+  if (mode !== service.store.mode) {
+    throw new Error(`API mode ${mode} does not match store mode ${service.store.mode}`);
+  }
   return async (request) => {
     const url = new URL(request.url);
     try {
-      validateLocalMutationRequest(request, url, options);
-      if (request.method === "GET" && url.pathname === "/") {
-        return html(dashboardHtml());
-      }
       if (request.method === "GET" && url.pathname === "/health") {
-        return json({ ok: true, service: "uptime" });
-      }
-      if (request.method === "GET" && url.pathname === "/api/summary") {
-        return json(service.summary());
+        return json({ ok: true, service: "uptime", mode, dataMode: service.store.dataMode });
       }
-      if (request.method === "GET" && url.pathname === "/api/report") {
-        return json(service.buildReport());
-      }
-      if (request.method === "POST" && url.pathname === "/api/report") {
-        const input = await jsonBody(request);
-        return json(await service.sendReport({ ...input, fetchImpl: options.fetchImpl }));
-      }
-      if (request.method === "GET" && url.pathname === "/api/monitors") {
-        return json(service.listMonitors({ includeDisabled: url.searchParams.get("includeDisabled") === "true" }));
-      }
-      if (request.method === "POST" && url.pathname === "/api/monitors") {
-        return json(service.createMonitor(await jsonBody(request)), 201);
-      }
-      if (request.method === "GET" && url.pathname === "/api/incidents") {
-        const status = url.searchParams.get("status");
-        return json(service.listIncidents({
-          status: status === "open" || status === "closed" ? status : undefined,
-          monitorId: url.searchParams.get("monitorId") ?? undefined,
-          limit: numericParam(url, "limit", 50)
-        }));
-      }
-      if (request.method === "GET" && url.pathname === "/api/results") {
-        return json(service.listResults({
-          monitorId: url.searchParams.get("monitorId") ?? undefined,
-          limit: numericParam(url, "limit", 50)
-        }));
-      }
-      if (request.method === "POST" && url.pathname === "/api/check-all") {
-        return json(await service.checkAll());
+      if (mode === "hosted") {
+        return await handleHostedRequest(service, request, url, options);
+      } else {
+        validateLocalMutationRequest(request, url, options);
       }
-      const monitorMatch = url.pathname.match(/^\/api\/monitors\/([^/]+)(?:\/(check))?$/);
-      if (monitorMatch) {
-        const id = decodeURIComponent(monitorMatch[1]);
-        if (request.method === "GET" && !monitorMatch[2]) {
-          const monitor = service.getMonitor(id);
-          return monitor ? json(monitor) : json({ error: "not found" }, 404);
-        }
-        if (request.method === "PATCH" && !monitorMatch[2]) {
-          return json(service.updateMonitor(id, await jsonBody(request)));
-        }
-        if (request.method === "DELETE" && !monitorMatch[2]) {
-          return json({ deleted: service.deleteMonitor(id) });
-        }
-        if (request.method === "POST" && monitorMatch[2] === "check") {
-          return json(await service.checkMonitor(id));
-        }
+      if (request.method === "GET" && url.pathname === "/") {
+        return html(dashboardHtml());
       }
-      return json({ error: "not found" }, 404);
+      return await handleApiRoute(service, request, url, url.pathname, options, false);
     } catch (error) {
       return json({ error: error instanceof Error ? error.message : String(error) }, error instanceof ApiError ? error.status : 400);
     }
   };
 }
 function serveUptime(options = {}) {
+  const requestedMode = options.mode ? resolveRuntimeMode(options.mode) : options.service?.store.mode ?? "local";
+  if (requestedMode === "hosted" && resolveHostedTokens(options).length === 0) {
+    throw new Error("hosted mode requires HASNA_UPTIME_HOSTED_TOKEN or --hosted-token");
+  }
   const service = options.service ?? new UptimeService(options);
+  const mode = service.store.mode;
+  if (mode !== requestedMode) {
+    throw new Error(`serve mode ${requestedMode} does not match store mode ${mode}`);
+  }
+  if (mode === "hosted" && options.check) {
+    throw new Error("hosted scheduler requires check_jobs and probes");
+  }
   const scheduler = options.check ? service.startScheduler() : undefined;
   const server = Bun.serve({
     hostname: options.host ?? "127.0.0.1",
     port: options.port ?? 3899,
     fetch: createApiHandler(service, {
       apiToken: options.apiToken,
+      hostedToken: options.hostedToken,
+      hostedTokens: options.hostedTokens,
       allowUnsafeRemoteMutations: options.allowUnsafeRemoteMutations,
-      trustedLoopback: isLoopbackHost(options.host ?? "127.0.0.1")
+      trustedLoopback: isLoopbackHost(options.host ?? "127.0.0.1"),
+      mode
     })
   });
   return { server, service, scheduler };
@@ -4039,7 +5538,7 @@ function numericParam(url, name, fallback) {
 function validateLocalMutationRequest(request, url, options) {
   if (!["POST", "PATCH", "DELETE"].includes(request.method))
     return;
-  const apiToken = options.apiToken ?? process.env.HASNA_UPTIME_API_TOKEN;
+  const apiToken = resolveApiToken(options.apiToken);
   const hasToken = apiToken ? hasValidApiToken(request, apiToken) : false;
   const allowUnsafeRemote = options.allowUnsafeRemoteMutations || process.env.HASNA_UPTIME_ALLOW_REMOTE_MUTATIONS === "1";
   const trustedLoopback = options.trustedLoopback ?? isLoopbackHost(url.hostname);
@@ -4051,15 +5550,203 @@ function validateLocalMutationRequest(request, url, options) {
     throw new ApiError("cross-origin mutation rejected", 403);
   }
 }
+async function handleHostedRequest(service, request, url, options) {
+  if (url.pathname === "/") {
+    requireHostedActor(request, url, options, "uptime:read");
+    throw new ApiError("hosted dashboard requires the cloud dashboard shell", 501);
+  }
+  if (!url.pathname.startsWith("/api/v1/")) {
+    requireHostedActor(request, url, options, "uptime:read");
+    return json({ error: "not found" }, 404);
+  }
+  const apiPath = `/api${url.pathname.slice("/api/v1".length)}`;
+  const scope = hostedScopeFor(request.method, apiPath);
+  requireHostedActor(request, url, options, scope);
+  if (["POST", "PATCH", "DELETE"].includes(request.method)) {
+    const origin = request.headers.get("origin");
+    if (origin && origin !== `${url.protocol}//${url.host}`) {
+      throw new ApiError("cross-origin mutation rejected", 403);
+    }
+  }
+  return handleApiRoute(service, request, url, apiPath, options, true);
+}
+async function handleApiRoute(service, request, url, apiPath, options, hosted) {
+  if (request.method === "GET" && apiPath === "/api/summary") {
+    return json(service.summary());
+  }
+  if (request.method === "GET" && apiPath === "/api/report") {
+    return json(service.buildReport());
+  }
+  if (request.method === "POST" && apiPath === "/api/report") {
+    if (hosted)
+      throw new ApiError("hosted report delivery requires configured channel refs", 501);
+    const input = await jsonBody(request);
+    return json(await service.sendReport({ ...input, fetchImpl: options.fetchImpl }));
+  }
+  if (hosted && apiPath.startsWith("/api/probes")) {
+    throw new ApiError("hosted probe APIs require cloud check_jobs, workspace stores, and audit logging", 501);
+  }
+  if (request.method === "GET" && apiPath === "/api/monitors") {
+    return json(service.listMonitors({ includeDisabled: url.searchParams.get("includeDisabled") === "true" }));
+  }
+  if (request.method === "POST" && apiPath === "/api/monitors") {
+    return json(service.createMonitor(await jsonBody(request)), 201);
+  }
+  if (request.method === "GET" && apiPath === "/api/incidents") {
+    const status = url.searchParams.get("status");
+    return json(service.listIncidents({
+      status: status === "open" || status === "closed" ? status : undefined,
+      monitorId: url.searchParams.get("monitorId") ?? undefined,
+      limit: numericParam(url, "limit", 50)
+    }));
+  }
+  if (request.method === "GET" && apiPath === "/api/results") {
+    return json(service.listResults({
+      monitorId: url.searchParams.get("monitorId") ?? undefined,
+      limit: numericParam(url, "limit", 50)
+    }));
+  }
+  if (request.method === "GET" && apiPath === "/api/probes") {
+    return json(service.listProbes({ includeDisabled: url.searchParams.get("includeDisabled") === "true" }));
+  }
+  if (request.method === "POST" && apiPath === "/api/probes") {
+    const input = await jsonBody(request);
+    if (!input.publicKeyPem)
+      throw new ApiError("API probe creation requires publicKeyPem; generate keys in the probe agent or CLI", 400);
+    return json(service.createProbe(input), 201);
+  }
+  if (request.method === "POST" && apiPath === "/api/probes/jobs") {
+    return json(service.createProbeCheckJob(await jsonBody(request)), 201);
+  }
+  const probeJobMatch = apiPath.match(/^\/api\/probes\/jobs\/([^/]+)$/);
+  if (probeJobMatch) {
+    const jobId = decodeURIComponent(probeJobMatch[1]);
+    if (request.method === "GET") {
+      const job = service.getProbeCheckJob(jobId);
+      return job ? json({ ...job, fencingToken: null }) : json({ error: "not found" }, 404);
+    }
+  }
+  const probeJobClaimMatch = apiPath.match(/^\/api\/probes\/jobs\/([^/]+)\/claim$/);
+  if (request.method === "POST" && probeJobClaimMatch) {
+    const input = await jsonBody(request);
+    return json(service.claimProbeCheckJob({
+      jobId: decodeURIComponent(probeJobClaimMatch[1]),
+      probeId: input.probeId,
+      leaseTtlMs: input.leaseTtlMs
+    }));
+  }
+  if (request.method === "POST" && apiPath === "/api/probes/results") {
+    return json(service.submitProbeResult(await jsonBody(request)), 201);
+  }
+  if (request.method === "POST" && apiPath === "/api/imports/preview") {
+    return json(service.previewImport(await jsonBody(request)));
+  }
+  if (request.method === "POST" && apiPath === "/api/imports/apply") {
+    if (hosted)
+      throw new ApiError("hosted import apply requires cloud import_batches and audit", 501);
+    return json(service.applyImport(await jsonBody(request)), 201);
+  }
+  const importRollbackMatch = apiPath.match(/^\/api\/imports\/([^/]+)\/rollback$/);
+  if (request.method === "POST" && importRollbackMatch) {
+    if (hosted)
+      throw new ApiError("hosted import rollback requires cloud import_batches and audit", 501);
+    return json(service.rollbackImport(decodeURIComponent(importRollbackMatch[1])));
+  }
+  if (request.method === "POST" && apiPath === "/api/check-all") {
+    if (hosted)
+      throw new ApiError("hosted checks require check_jobs and probes", 501);
+    return json(await service.checkAll());
+  }
+  const monitorMatch = apiPath.match(/^\/api\/monitors\/([^/]+)(?:\/(check))?$/);
+  if (monitorMatch) {
+    const id = decodeURIComponent(monitorMatch[1]);
+    if (request.method === "GET" && !monitorMatch[2]) {
+      const monitor = service.getMonitor(id);
+      return monitor ? json(monitor) : json({ error: "not found" }, 404);
+    }
+    if (request.method === "PATCH" && !monitorMatch[2]) {
+      return json(service.updateMonitor(id, await jsonBody(request)));
+    }
+    if (request.method === "DELETE" && !monitorMatch[2]) {
+      return json({ deleted: service.deleteMonitor(id) });
+    }
+    if (request.method === "POST" && monitorMatch[2] === "check") {
+      if (hosted)
+        throw new ApiError("hosted checks require check_jobs and probes", 501);
+      return json(await service.checkMonitor(id));
+    }
+  }
+  return json({ error: "not found" }, 404);
+}
+function hostedScopeFor(method, apiPath) {
+  if (method === "POST" && apiPath === "/api/report")
+    return "uptime:report";
+  if (apiPath.startsWith("/api/probes"))
+    return method === "GET" ? "uptime:read" : "uptime:probe";
+  if (method === "POST" && (apiPath === "/api/check-all" || /\/check$/.test(apiPath)))
+    return "uptime:probe";
+  if (method === "GET")
+    return "uptime:read";
+  if (method === "POST" || method === "PATCH" || method === "DELETE")
+    return "uptime:write";
+  return "uptime:read";
+}
+function requireHostedActor(request, url, options, scope) {
+  const tokens = resolveHostedTokens(options);
+  if (tokens.length === 0)
+    throw new ApiError("hosted auth token is not configured", 503);
+  const candidate = bearerToken(request) ?? request.headers.get("x-uptime-hosted-token")?.trim();
+  const token = candidate ? tokens.find((entry) => safeTokenEqual(candidate, entry.token)) : undefined;
+  if (!token)
+    throw new ApiError("authentication required", 401);
+  const scopes = new Set(token.scopes);
+  if (!scopes.has(scope) && !scopes.has("uptime:admin")) {
+    throw new ApiError("insufficient scope", 403);
+  }
+  const workspaceId = token.workspaceId ?? "default";
+  const requestedWorkspace = request.headers.get("x-uptime-workspace")?.trim() || url.searchParams.get("workspaceId")?.trim();
+  if (requestedWorkspace && requestedWorkspace !== workspaceId) {
+    throw new ApiError("workspace access denied", 403);
+  }
+  return { scopes, workspaceId };
+}
 function isLoopbackHost(hostname) {
   const host = hostname.toLowerCase().replace(/^\[|\]$/g, "");
   return host === "localhost" || host === "127.0.0.1" || host === "::1";
 }
 function hasValidApiToken(request, token) {
-  const authorization = request.headers.get("authorization") ?? "";
-  const bearer = authorization.match(/^Bearer\s+(.+)$/i)?.[1]?.trim();
+  const bearer = bearerToken(request);
   const headerToken = request.headers.get("x-uptime-token")?.trim();
-  return bearer === token || headerToken === token;
+  return safeTokenEqual(bearer, token) || safeTokenEqual(headerToken, token);
+}
+function bearerToken(request) {
+  const authorization = request.headers.get("authorization") ?? "";
+  return authorization.match(/^Bearer\s+(.+)$/i)?.[1]?.trim();
+}
+function resolveApiToken(token) {
+  const value = token ?? process.env.HASNA_UPTIME_API_TOKEN;
+  return value?.trim() || undefined;
+}
+function resolveHostedTokens(options) {
+  if (options.hostedTokens?.length)
+    return options.hostedTokens;
+  const token = options.hostedToken ?? process.env.HASNA_UPTIME_HOSTED_TOKEN;
+  if (!token?.trim())
+    return [];
+  return [{
+    token: token.trim(),
+    scopes: ["uptime:read", "uptime:write", "uptime:probe", "uptime:report"],
+    workspaceId: process.env.HASNA_UPTIME_WORKSPACE_ID ?? "default"
+  }];
+}
+function safeTokenEqual(candidate, expected) {
+  if (!candidate)
+    return false;
+  const candidateBytes = Buffer.from(candidate);
+  const expectedBytes = Buffer.from(expected);
+  if (candidateBytes.length !== expectedBytes.length)
+    return false;
+  return timingSafeEqual(candidateBytes, expectedBytes);
 }
 async function jsonBody(request) {
   const contentType = request.headers.get("content-type") ?? "";
@@ -4082,7 +5769,7 @@ class ApiError extends Error {
 var program2 = new Command;
 program2.name("uptime").description("Local-first uptime and downtime monitoring").version(packageVersion()).option("-j, --json", "print JSON");
 function service() {
-  return new UptimeService;
+  return new UptimeService({ mode: "local" });
 }
 function wantsJson(opts) {
   return Boolean(opts?.json || program2.opts().json);
@@ -4106,7 +5793,7 @@ program2.command("init").description("Initialize the local uptime store").option
     ensureUptimeHome();
     const svc = service();
     svc.close();
-    const data = { ok: true, home: uptimeHome(), dbPath: uptimeDbPath(), exists: existsSync(uptimeDbPath()) };
+    const data = { ok: true, home: uptimeHome(), dbPath: uptimeDbPath(), exists: existsSync2(uptimeDbPath()) };
     print(data, `Initialized ${data.dbPath}`, opts);
   } catch (error) {
     fail(error);
@@ -4319,16 +6006,179 @@ program2.command("incidents").description("List incidents").addOption(new Option
     fail(error);
   }
 });
-program2.command("serve").description("Serve the local API and dashboard").option("--host <host>", "host to bind", "127.0.0.1").option("--port <port>", "port", parseInteger, 3899).option("--check", "run the scheduler while serving").option("--api-token <token>", "token required for non-loopback mutation hosts").option("--allow-unsafe-remote-mutations", "allow state-changing requests from non-loopback hosts without a token").option("-j, --json", "print JSON").action((opts) => {
+var imports = program2.command("imports").description("Preview, apply, and rollback inventory imports");
+imports.command("preview").description("Preview monitor candidates from an import source without writing").requiredOption("--source <source>", "manual, projects, servers, domains, or deployment").option("--record <json>", "one JSON record").option("--file <path>", "JSON file containing an array or { records }").option("-j, --json", "print JSON").action((opts) => {
+  try {
+    const svc = service();
+    const preview = svc.previewImport(parseImportPayload(opts));
+    svc.close();
+    print(preview, renderImportPreview(preview), opts);
+  } catch (error) {
+    fail(error);
+  }
+});
+imports.command("apply").description("Apply monitor candidates from an import source idempotently").requiredOption("--source <source>", "manual, projects, servers, domains, or deployment").option("--record <json>", "one JSON record").option("--file <path>", "JSON file containing an array or { records }").option("-j, --json", "print JSON").action((opts) => {
+  try {
+    const svc = service();
+    const result = svc.applyImport(parseImportPayload(opts));
+    svc.close();
+    print(result, `Applied import batch ${result.batchId}: ${renderImportTotals(result.totals)}`, opts);
+  } catch (error) {
+    fail(error);
+  }
+});
+imports.command("rollback <batch-id>").description("Rollback config changes from an import batch while preserving check history").option("-j, --json", "print JSON").action((batchId, opts) => {
+  try {
+    const svc = service();
+    const result = svc.rollbackImport(batchId);
+    svc.close();
+    print(result, `Rolled back import batch ${result.batchId}`, opts);
+  } catch (error) {
+    fail(error);
+  }
+});
+var probes = program2.command("probes").description("Manage private probe identities and signed probe result submissions");
+probes.command("create <name>").description("Create a private probe identity; generates an Ed25519 keypair unless --public-key-file is provided").option("--public-key-file <path>", "PEM public key file for an externally managed probe key").option("--private-key-file <path>", "where to write a generated PEM private key; required unless --public-key-file is used").option("--disabled", "create the probe disabled").option("-j, --json", "print JSON").action((name, opts) => {
+  let generatedPrivateKeyFile;
+  let svc;
+  try {
+    if (opts.publicKeyFile && opts.privateKeyFile)
+      throw new Error("Choose either --public-key-file or --private-key-file, not both");
+    if (!opts.publicKeyFile && !opts.privateKeyFile)
+      throw new Error("generated probe keys require --private-key-file");
+    const generatedKeyPair = opts.publicKeyFile ? undefined : generateProbeKeyPair();
+    if (generatedKeyPair) {
+      writeFileSync(opts.privateKeyFile, generatedKeyPair.privateKeyPem, { mode: 384, flag: "wx" });
+      generatedPrivateKeyFile = opts.privateKeyFile;
+    }
+    svc = service();
+    const probe = svc.createProbe({
+      name,
+      publicKeyPem: opts.publicKeyFile ? readFileSync2(opts.publicKeyFile, "utf8") : generatedKeyPair?.publicKeyPem,
+      enabled: opts.disabled ? false : true
+    });
+    svc.close();
+    svc = undefined;
+    const output = generatedPrivateKeyFile ? { ...probe, privateKeyFile: generatedPrivateKeyFile } : probe;
+    print(output, `Created probe ${probe.name} (${probe.id})`, opts);
+  } catch (error) {
+    svc?.close();
+    if (generatedPrivateKeyFile) {
+      try {
+        unlinkSync(generatedPrivateKeyFile);
+      } catch {}
+    }
+    fail(error);
+  }
+});
+probes.command("list").description("List private probe identities").option("--all", "include disabled probes").option("-j, --json", "print JSON").action((opts) => {
+  try {
+    const svc = service();
+    const items = svc.listProbes({ includeDisabled: opts.all });
+    svc.close();
+    print(items, items.length ? items.map((item) => `${item.enabled ? "enabled " : "disabled"} ${item.id} ${sanitizeField(item.name)} ${item.lastSeenAt ?? "-"}`).join(`
+`) : "No probes", opts);
+  } catch (error) {
+    fail(error);
+  }
+});
+var probeJobs = probes.command("jobs").description("Create and claim private probe check jobs");
+probeJobs.command("create").description("Create a probe check job for one monitor and schedule slot").requiredOption("--monitor <id>", "monitor id").requiredOption("--schedule-slot <slot>", "unique schedule slot for this monitor").option("--due-at <iso>", "when the job is due", new Date().toISOString()).option("-j, --json", "print JSON").action((opts) => {
+  try {
+    const svc = service();
+    const job = svc.createProbeCheckJob({
+      monitorId: opts.monitor,
+      scheduleSlot: opts.scheduleSlot,
+      dueAt: opts.dueAt
+    });
+    svc.close();
+    print(job, `Created probe job ${job.id} for ${job.monitorId}`, opts);
+  } catch (error) {
+    fail(error);
+  }
+});
+probeJobs.command("claim <job-id>").description("Claim a probe check job and receive its fencing token").requiredOption("--probe <id>", "probe id").option("--lease-ms <ms>", "lease duration in milliseconds", parseInteger, 120000).option("-j, --json", "print JSON").action((jobId, opts) => {
+  try {
+    const svc = service();
+    const job = svc.claimProbeCheckJob({
+      jobId,
+      probeId: opts.probe,
+      leaseTtlMs: opts.leaseMs
+    });
+    svc.close();
+    print(job, `Claimed probe job ${job.id}`, opts);
+  } catch (error) {
+    fail(error);
+  }
+});
+probes.command("submit").description("Submit a signed probe result locally or to a remote Open Uptime API").requiredOption("--probe <id>", "probe id").requiredOption("--job <id>", "claimed probe job id").requiredOption("--schedule-slot <slot>", "schedule slot from the claimed job").requiredOption("--fencing-token <token>", "fencing token from the claimed job").requiredOption("--monitor <id>", "monitor id").requiredOption("--private-key-file <path>", "PEM private key file used to sign the result").addOption(new Option("--status <status>", "probe result status").choices(["up", "down"]).makeOptionMandatory()).option("--nonce <nonce>", "unique submission nonce").option("--checked-at <iso>", "check timestamp", new Date().toISOString()).option("--latency <ms>", "latency in milliseconds", parseNumber).option("--status-code <status>", "HTTP status code", parseInteger).option("--error <message>", "failure message").option("--attempts <count>", "attempt count", parseInteger, 1).requiredOption("--monitor-revision <revision>", "monitor revision observed by the probe", parseInteger).option("--api-url <url>", "remote Open Uptime base URL; submits to /api/probes/results unless the URL already ends in /api or /api/v1").option("--token <token>", "Bearer token for the remote hosted API").option("-j, --json", "print JSON").action(async (opts) => {
+  try {
+    const submission = buildProbeSubmission(opts);
+    if (opts.apiUrl) {
+      const response = await fetch(probeSubmitUrl(opts.apiUrl), {
+        method: "POST",
+        headers: {
+          "content-type": "application/json",
+          accept: "application/json",
+          ...opts.token ? { authorization: `Bearer ${opts.token}` } : {}
+        },
+        body: JSON.stringify(submission)
+      });
+      const body = await response.json();
+      print(body, response.ok ? `Submitted probe result for ${submission.monitorId}` : JSON.stringify(body), opts);
+      if (!response.ok)
+        process.exit(1);
+      return;
+    }
+    const svc = service();
+    const result = svc.submitProbeResult(submission);
+    svc.close();
+    print(result, `Submitted probe result for ${submission.monitorId}`, opts);
+  } catch (error) {
+    fail(error);
+  }
+});
+program2.command("backup [path]").description("Create and verify a local SQLite backup").option("-j, --json", "print JSON").action((path, opts) => {
+  try {
+    const svc = service();
+    const backup = svc.backup(path);
+    const check = svc.verifyBackup(backup.backupPath);
+    svc.close();
+    const data = { ok: check.ok, backup, check };
+    print(data, `Backed up ${backup.sourcePath} to ${backup.backupPath} (${backup.bytes} bytes)`, opts);
+    if (!check.ok)
+      process.exit(1);
+  } catch (error) {
+    fail(error);
+  }
+});
+program2.command("restore <backup-path>").description("Restore a verified local SQLite backup").option("--db <path>", "destination database path", uptimeDbPath()).option("--yes", "confirm overwrite of the destination database").option("-j, --json", "print JSON").action((backupPath, opts) => {
+  try {
+    if (!opts.yes)
+      throw new Error("restore requires --yes");
+    const restored = UptimeStore.restoreBackup(backupPath, opts.db);
+    const check = UptimeStore.verifyBackup(opts.db);
+    const data = { ok: check.ok, restored, check };
+    print(data, `Restored ${backupPath} to ${opts.db}`, opts);
+    if (!check.ok)
+      process.exit(1);
+  } catch (error) {
+    fail(error);
+  }
+});
+program2.command("serve").description("Serve the local API and dashboard").option("--host <host>", "host to bind", "127.0.0.1").option("--port <port>", "port", parseInteger, 3899).option("--check", "run the scheduler while serving").addOption(new Option("--mode <mode>", "runtime mode").choices(["local", "hosted"]).default("local")).option("--api-token <token>", "token required for non-loopback mutation hosts").option("--hosted-token <token>", "scoped hosted-mode token").option("--allow-hosted-local-store", "allow hosted mode to use local SQLite as an explicit fallback").option("--allow-unsafe-remote-mutations", "allow state-changing requests from non-loopback hosts without a token").option("-j, --json", "print JSON").action((opts) => {
   try {
     const { server } = serveUptime({
       host: opts.host,
       port: opts.port,
       check: opts.check,
+      mode: opts.mode,
       apiToken: opts.apiToken,
+      hostedToken: opts.hostedToken,
+      allowHostedLocalStore: opts.allowHostedLocalStore,
       allowUnsafeRemoteMutations: opts.allowUnsafeRemoteMutations
     });
-    const data = { ok: true, url: `http://${server.hostname}:${server.port}`, scheduler: Boolean(opts.check) };
+    const data = { ok: true, url: `http://${server.hostname}:${server.port}`, scheduler: Boolean(opts.check), mode: opts.mode };
     if (wantsJson(opts))
       console.log(JSON.stringify(data, null, 2));
     else
@@ -4343,18 +6193,54 @@ function parseInteger(value) {
     throw new Error(`Expected integer, got ${value}`);
   return parsed;
 }
+function parseNumber(value) {
+  const parsed = Number(value);
+  if (!Number.isFinite(parsed))
+    throw new Error(`Expected number, got ${value}`);
+  return parsed;
+}
+function buildProbeSubmission(opts) {
+  const input = {
+    probeId: opts.probe,
+    jobId: opts.job,
+    scheduleSlot: opts.scheduleSlot,
+    fencingToken: opts.fencingToken,
+    monitorId: opts.monitor,
+    nonce: opts.nonce ?? `cli_${randomUUID4()}`,
+    checkedAt: opts.checkedAt,
+    status: opts.status,
+    latencyMs: opts.latency ?? null,
+    statusCode: opts.statusCode,
+    error: opts.error,
+    attemptCount: opts.attempts,
+    monitorRevision: opts.monitorRevision,
+    evidence: null
+  };
+  return {
+    ...input,
+    signature: signProbeResult(input, readFileSync2(opts.privateKeyFile, "utf8"))
+  };
+}
+function probeSubmitUrl(apiUrl) {
+  const base = apiUrl.replace(/\/+$/, "");
+  if (/\/api\/v1$/.test(base))
+    return `${base}/probes/results`;
+  if (/\/api$/.test(base))
+    return `${base}/probes/results`;
+  return `${base}/api/probes/results`;
+}
 function renderMonitors(monitors) {
   if (monitors.length === 0)
     return "No monitors";
   return monitors.map((monitor) => {
-    const target = monitor.kind === "http" ? monitor.url : `${monitor.host}:${monitor.port}`;
+    const target = monitor.kind === "tcp" ? `${monitor.host}:${monitor.port}` : monitor.url;
     const status = renderStatus(monitor.status).padEnd(14);
     return `${status} ${sanitizeField(monitor.name).padEnd(24)} ${monitor.kind.padEnd(4)} ${sanitizeField(target ?? "")}`;
   }).join(`
 `);
 }
 function renderMonitorDetail(monitor) {
-  const target = monitor.kind === "http" ? monitor.url : `${monitor.host}:${monitor.port}`;
+  const target = monitor.kind === "tcp" ? `${monitor.host}:${monitor.port}` : monitor.url;
   return [
     `${source_default.bold(sanitizeField(monitor.name))} ${renderStatus(monitor.status)}`,
     `id: ${monitor.id}`,
@@ -4377,6 +6263,24 @@ function renderCheckResults(results) {
   }).join(`
 `);
 }
+function parseImportPayload(opts) {
+  if (opts.record && opts.file)
+    throw new Error("Choose either --record or --file, not both");
+  const raw = opts.record ?? (opts.file ? readFileSync2(opts.file, "utf8") : undefined);
+  if (!raw)
+    throw new Error("imports require --record or --file");
+  const parsed = JSON.parse(raw);
+  const records = Array.isArray(parsed) ? parsed : parsed && typeof parsed === "object" && Array.isArray(parsed.records) ? parsed.records : [parsed];
+  return { source: opts.source, records };
+}
+function renderImportPreview(preview) {
+  const rows = preview.items.map((item) => `${item.action.padEnd(9)} ${sanitizeField(item.candidate.name).padEnd(24)} ${item.candidate.kind}${item.reason ? ` ${sanitizeField(item.reason)}` : ""}`);
+  return [`Import preview: ${renderImportTotals(preview.totals)}`, ...rows].join(`
+`);
+}
+function renderImportTotals(totals) {
+  return Object.entries(totals).filter(([, count]) => count > 0).map(([action, count]) => `${action}=${count}`).join(" ") || "no changes";
+}
 function renderSummary(summary) {
   const lines = [
     `monitors: ${summary.totals.monitors}  up: ${summary.totals.up}  down: ${summary.totals.down}  open incidents: ${summary.totals.openIncidents}`