@hasna/uptime 0.1.10 → 0.1.11

package/CHANGELOG.md

@@ -6,6 +6,27 @@ project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [0.1.11] - 2026-06-28
+
+### Changed
+
+- Added Terraform outputs for log groups, web alarms, backup vault, and backup
+  plan, KMS key ARN, and secret refs so the AWS runbook can use output-driven
+  commands.
+- Expanded the AWS deployment runbook restore drill with AWS Backup restore-job,
+  polling, staging mount-target, validation, and cleanup steps.
+- Made the AWS runbook command blocks use explicit shell variables and
+  consistent Terraform working-directory flags.
+- Hardened hosted target policy to normalize IPv4-mapped IPv6 literals before
+  rejecting loopback, private, link-local, metadata, carrier-grade NAT,
+  unspecified, and multicast IPv4 ranges.
+- Hardened hosted target policy to reject the full IPv6 link-local `fe80::/10`
+  range.
+- Scoped hosted import preview lookups by workspace so preview responses cannot
+  reveal monitors from another hosted workspace.
+- Documented DNS resolution, redirect, and rebinding enforcement as required
+  gates before enabling hosted public probe execution.
+
 ## [0.1.10] - 2026-06-28
 
 ### Changed

package/dist/api.js

@@ -276,13 +276,74 @@ function isDeniedIpv4(ip) {
 }
 function isDeniedIpv6(ip) {
   const normalized = ip.toLowerCase();
-  return normalized === "::" || normalized === "::1" || normalized.startsWith("fe80:") || normalized.startsWith("fc") || normalized.startsWith("fd") || normalized.startsWith("ff") || normalized.startsWith("::ffff:127.") || normalized.startsWith("::ffff:10.") || normalized.startsWith("::ffff:169.254.") || /^::ffff:172\.(1[6-9]|2\d|3[0-1])\./.test(normalized) || normalized.startsWith("::ffff:192.168.");
+  const mappedIpv4 = ipv4FromMappedIpv6(normalized);
+  if (mappedIpv4)
+    return isDeniedIpv4(mappedIpv4);
+  const words = parseIpv6Words(normalized);
+  return normalized === "::" || normalized === "::1" || words !== null && (words[0] & 65472) === 65152 || normalized.startsWith("fc") || normalized.startsWith("fd") || normalized.startsWith("ff");
+}
+function ipv4FromMappedIpv6(ip) {
+  const words = parseIpv6Words(ip);
+  if (!words)
+    return null;
+  if (words[0] !== 0 || words[1] !== 0 || words[2] !== 0 || words[3] !== 0 || words[4] !== 0 || words[5] !== 65535) {
+    return null;
+  }
+  return [
+    words[6] >> 8,
+    words[6] & 255,
+    words[7] >> 8,
+    words[7] & 255
+  ].join(".");
+}
+function parseIpv6Words(value) {
+  let ip = value.toLowerCase();
+  const zoneIndex = ip.indexOf("%");
+  if (zoneIndex >= 0)
+    ip = ip.slice(0, zoneIndex);
+  if (ip.includes(".")) {
+    const lastColon = ip.lastIndexOf(":");
+    if (lastColon < 0)
+      return null;
+    const ipv4 = parseIpv4Words(ip.slice(lastColon + 1));
+    if (!ipv4)
+      return null;
+    ip = `${ip.slice(0, lastColon)}:${(ipv4[0] << 8 | ipv4[1]).toString(16)}:${(ipv4[2] << 8 | ipv4[3]).toString(16)}`;
+  }
+  const compressed = ip.split("::");
+  if (compressed.length > 2)
+    return null;
+  const left = parseIpv6Side(compressed[0]);
+  const right = compressed.length === 2 ? parseIpv6Side(compressed[1]) : [];
+  if (!left || !right)
+    return null;
+  if (compressed.length === 1)
+    return left.length === 8 ? left : null;
+  const missing = 8 - left.length - right.length;
+  if (missing < 1)
+    return null;
+  return [...left, ...Array(missing).fill(0), ...right];
+}
+function parseIpv6Side(value) {
+  if (!value)
+    return [];
+  const words = value.split(":");
+  if (words.some((word) => !/^[0-9a-f]{1,4}$/.test(word)))
+    return null;
+  return words.map((word) => Number.parseInt(word, 16));
+}
+function parseIpv4Words(value) {
+  const words = value.split(".").map((part) => Number(part));
+  if (words.length !== 4 || words.some((word) => !Number.isInteger(word) || word < 0 || word > 255)) {
+    return null;
+  }
+  return words;
 }
 
 // src/imports.ts
-function previewImport(store, request) {
+function previewImport(store, request, options = {}) {
   const source = normalizeSource(request.source);
-  const items = dedupePreviewItems(request.records.map((record) => previewRecord(store, source, record, request.defaults ?? {})));
+  const items = dedupePreviewItems(request.records.map((record) => previewRecord(store, source, record, request.defaults ?? {}, options)));
   return {
     source,
     generatedAt: new Date().toISOString(),
@@ -356,7 +417,7 @@ function rollbackImport(store, batchId) {
     items
   };
 }
-function previewRecord(store, source, record, defaults) {
+function previewRecord(store, source, record, defaults, options) {
   const warnings = [];
   let candidate;
   try {
@@ -376,13 +437,16 @@ function previewRecord(store, source, record, defaults) {
       reason: error instanceof Error ? error.message : String(error)
     };
   }
-  const provenance = store.getProvenance(candidate.source, candidate.sourceId);
-  const monitor = provenance ? store.getMonitor(provenance.monitorId) : store.getMonitor(candidate.name);
-  if (provenance && !monitor) {
+  const monitorOptions = options.workspaceId ? { workspaceId: options.workspaceId } : undefined;
+  const rawProvenance = store.getProvenance(candidate.source, candidate.sourceId);
+  const provenanceMonitor = rawProvenance ? store.getMonitor(rawProvenance.monitorId, monitorOptions) : null;
+  const provenance = provenanceMonitor ? rawProvenance : null;
+  const monitor = provenanceMonitor ?? store.getMonitor(candidate.name, monitorOptions);
+  if (rawProvenance && !provenanceMonitor && !options.workspaceId) {
     return { candidate, action: "create", monitor: null, provenance, warnings: ["source provenance points to a missing monitor"], reason: null };
   }
   if (provenance && monitor) {
-    const nameOwner = store.getMonitor(candidate.name);
+    const nameOwner = store.getMonitor(candidate.name, monitorOptions);
     if (nameOwner && nameOwner.id !== monitor.id) {
       return {
         candidate,
@@ -2729,8 +2793,8 @@ class UptimeService {
     const execute = () => this.submitProbeResultInTransaction(input);
     return this.store.runInTransaction ? this.store.runInTransaction(execute) : execute();
   }
-  previewImport(request) {
-    return previewImport(this.store, request);
+  previewImport(request, options = {}) {
+    return previewImport(this.store, request, options);
   }
   applyImport(request) {
     return applyImport(this.store, request);
@@ -3758,7 +3822,7 @@ async function handleApiRoute(service, request, url, apiPath, options, hosted, a
     return json(service.submitProbeResult(await jsonBody(request)), 201);
   }
   if (request.method === "POST" && apiPath === "/api/imports/preview") {
-    return json(service.previewImport(await jsonBody(request)));
+    return json(service.previewImport(await jsonBody(request), { workspaceId: actor?.workspaceId }));
   }
   if (request.method === "POST" && apiPath === "/api/imports/apply") {
     if (hosted)

package/dist/cli/index.js

@@ -2856,13 +2856,74 @@ function isDeniedIpv4(ip) {
 }
 function isDeniedIpv6(ip) {
   const normalized = ip.toLowerCase();
-  return normalized === "::" || normalized === "::1" || normalized.startsWith("fe80:") || normalized.startsWith("fc") || normalized.startsWith("fd") || normalized.startsWith("ff") || normalized.startsWith("::ffff:127.") || normalized.startsWith("::ffff:10.") || normalized.startsWith("::ffff:169.254.") || /^::ffff:172\.(1[6-9]|2\d|3[0-1])\./.test(normalized) || normalized.startsWith("::ffff:192.168.");
+  const mappedIpv4 = ipv4FromMappedIpv6(normalized);
+  if (mappedIpv4)
+    return isDeniedIpv4(mappedIpv4);
+  const words = parseIpv6Words(normalized);
+  return normalized === "::" || normalized === "::1" || words !== null && (words[0] & 65472) === 65152 || normalized.startsWith("fc") || normalized.startsWith("fd") || normalized.startsWith("ff");
+}
+function ipv4FromMappedIpv6(ip) {
+  const words = parseIpv6Words(ip);
+  if (!words)
+    return null;
+  if (words[0] !== 0 || words[1] !== 0 || words[2] !== 0 || words[3] !== 0 || words[4] !== 0 || words[5] !== 65535) {
+    return null;
+  }
+  return [
+    words[6] >> 8,
+    words[6] & 255,
+    words[7] >> 8,
+    words[7] & 255
+  ].join(".");
+}
+function parseIpv6Words(value) {
+  let ip = value.toLowerCase();
+  const zoneIndex = ip.indexOf("%");
+  if (zoneIndex >= 0)
+    ip = ip.slice(0, zoneIndex);
+  if (ip.includes(".")) {
+    const lastColon = ip.lastIndexOf(":");
+    if (lastColon < 0)
+      return null;
+    const ipv4 = parseIpv4Words(ip.slice(lastColon + 1));
+    if (!ipv4)
+      return null;
+    ip = `${ip.slice(0, lastColon)}:${(ipv4[0] << 8 | ipv4[1]).toString(16)}:${(ipv4[2] << 8 | ipv4[3]).toString(16)}`;
+  }
+  const compressed = ip.split("::");
+  if (compressed.length > 2)
+    return null;
+  const left = parseIpv6Side(compressed[0]);
+  const right = compressed.length === 2 ? parseIpv6Side(compressed[1]) : [];
+  if (!left || !right)
+    return null;
+  if (compressed.length === 1)
+    return left.length === 8 ? left : null;
+  const missing = 8 - left.length - right.length;
+  if (missing < 1)
+    return null;
+  return [...left, ...Array(missing).fill(0), ...right];
+}
+function parseIpv6Side(value) {
+  if (!value)
+    return [];
+  const words = value.split(":");
+  if (words.some((word) => !/^[0-9a-f]{1,4}$/.test(word)))
+    return null;
+  return words.map((word) => Number.parseInt(word, 16));
+}
+function parseIpv4Words(value) {
+  const words = value.split(".").map((part) => Number(part));
+  if (words.length !== 4 || words.some((word) => !Number.isInteger(word) || word < 0 || word > 255)) {
+    return null;
+  }
+  return words;
 }
 
 // src/imports.ts
-function previewImport(store, request) {
+function previewImport(store, request, options = {}) {
   const source = normalizeSource(request.source);
-  const items = dedupePreviewItems(request.records.map((record) => previewRecord(store, source, record, request.defaults ?? {})));
+  const items = dedupePreviewItems(request.records.map((record) => previewRecord(store, source, record, request.defaults ?? {}, options)));
   return {
     source,
     generatedAt: new Date().toISOString(),
@@ -2936,7 +2997,7 @@ function rollbackImport(store, batchId) {
     items
   };
 }
-function previewRecord(store, source, record, defaults) {
+function previewRecord(store, source, record, defaults, options) {
   const warnings = [];
   let candidate;
   try {
@@ -2956,13 +3017,16 @@ function previewRecord(store, source, record, defaults) {
       reason: error instanceof Error ? error.message : String(error)
     };
   }
-  const provenance = store.getProvenance(candidate.source, candidate.sourceId);
-  const monitor = provenance ? store.getMonitor(provenance.monitorId) : store.getMonitor(candidate.name);
-  if (provenance && !monitor) {
+  const monitorOptions = options.workspaceId ? { workspaceId: options.workspaceId } : undefined;
+  const rawProvenance = store.getProvenance(candidate.source, candidate.sourceId);
+  const provenanceMonitor = rawProvenance ? store.getMonitor(rawProvenance.monitorId, monitorOptions) : null;
+  const provenance = provenanceMonitor ? rawProvenance : null;
+  const monitor = provenanceMonitor ?? store.getMonitor(candidate.name, monitorOptions);
+  if (rawProvenance && !provenanceMonitor && !options.workspaceId) {
     return { candidate, action: "create", monitor: null, provenance, warnings: ["source provenance points to a missing monitor"], reason: null };
   }
   if (provenance && monitor) {
-    const nameOwner = store.getMonitor(candidate.name);
+    const nameOwner = store.getMonitor(candidate.name, monitorOptions);
     if (nameOwner && nameOwner.id !== monitor.id) {
       return {
         candidate,
@@ -5310,8 +5374,8 @@ class UptimeService {
     const execute = () => this.submitProbeResultInTransaction(input);
     return this.store.runInTransaction ? this.store.runInTransaction(execute) : execute();
   }
-  previewImport(request) {
-    return previewImport(this.store, request);
+  previewImport(request, options = {}) {
+    return previewImport(this.store, request, options);
   }
   applyImport(request) {
     return applyImport(this.store, request);
@@ -6355,7 +6419,7 @@ async function handleApiRoute(service, request, url, apiPath, options, hosted, a
     return json(service.submitProbeResult(await jsonBody(request)), 201);
   }
   if (request.method === "POST" && apiPath === "/api/imports/preview") {
-    return json(service.previewImport(await jsonBody(request)));
+    return json(service.previewImport(await jsonBody(request), { workspaceId: actor?.workspaceId }));
   }
   if (request.method === "POST" && apiPath === "/api/imports/apply") {
     if (hosted)
@@ -6535,7 +6599,7 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.10");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.11");
   const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
   const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;

package/dist/cloud-plan.js

@@ -21,7 +21,7 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.10");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.11");
   const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
   const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;

package/dist/imports.d.ts

@@ -71,7 +71,9 @@ export interface UptimeImportStore {
         allowBrowserPage?: boolean;
     }): Monitor;
     deleteMonitor(idOrName: string): boolean;
-    getMonitor(idOrName: string): Monitor | null;
+    getMonitor(idOrName: string, options?: {
+        workspaceId?: string;
+    }): Monitor | null;
     listResults(options?: ListResultsOptions): unknown[];
     getProvenance(source: string, sourceId: string): MonitorProvenance | null;
     upsertMonitorProvenance(input: UpsertMonitorProvenanceInput): MonitorProvenance;
@@ -84,7 +86,9 @@ export interface UptimeImportStore {
     markImportBatchRolledBack(batchId: string): StoredImportBatch;
     runInTransaction?<T>(fn: () => T): T;
 }
-export declare function previewImport(store: UptimeImportStore, request: ImportRequest): ImportPreview;
+export declare function previewImport(store: UptimeImportStore, request: ImportRequest, options?: {
+    workspaceId?: string;
+}): ImportPreview;
 export declare function applyImport(store: UptimeImportStore, request: ImportRequest): ImportApplyResult;
 export declare function rollbackImport(store: UptimeImportStore, batchId: string): ImportRollbackResult;
 //# sourceMappingURL=imports.d.ts.map

package/dist/imports.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"imports.d.ts","sourceRoot":"","sources":["../src/imports.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,4BAA4B,EAAE,MAAM,YAAY,CAAC;AACrG,OAAO,KAAK,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,0BAA0B,EAAE,kBAAkB,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAEjJ,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,UAAU,GAAG,SAAS,GAAG,SAAS,GAAG,YAAY,CAAC;AACxF,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,QAAQ,GAAG,WAAW,GAAG,SAAS,GAAG,UAAU,CAAC;AAEtF,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,YAAY,CAAC;IACrB,OAAO,EAAE,OAAO,EAAE,CAAC;IACnB,QAAQ,CAAC,EAAE,OAAO,CAAC,kBAAkB,CAAC,CAAC;CACxC;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,YAAY,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,WAAW,CAAC;IAClB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,eAAe,CAAC;IAC3B,MAAM,EAAE,YAAY,CAAC;IACrB,OAAO,EAAE,OAAO,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,iBAAiB,GAAG,IAAI,CAAC;IACrC,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB;AAED,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,YAAY,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,IAAI,CAAC;IACb,KAAK,EAAE,iBAAiB,EAAE,CAAC;IAC3B,MAAM,EAAE,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;CACtC;AAED,MAAM,WAAW,eAAgB,SAAQ,iBAAiB;IACxD,OAAO,EAAE,OAAO,GAAG,IAAI,CAAC;IACxB,MAAM,EAAE,OAAO,GAAG,IAAI,CAAC;IACvB,KAAK,EAAE,OAAO,GAAG,IAAI,CAAC;CACvB;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,YAAY,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,eAAe,EAAE,CAAC;IACzB,MAAM,EAAE,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;CACtC;AAED,MAAM,WAAW,kBAAkB;IACjC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,MAAM,EAAE,SAAS,GAAG,UAAU,GAAG,UAAU,GAAG,SAAS,CAAC;IACxD,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,KAAK,EAAE,kBAAkB,EAAE,CAAC;CAC7B;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,IAAI,EAAE,OAAO,GAAG,QAAQ,CAAC;IAClC,aAAa,CAAC,KAAK,EAAE,oBAAoB,EAAE,OAAO,CAAC,EAAE;QAAE,gBAAgB,CAAC,EAAE,OAAO,CAAA;KAAE,GAAG,OAAO,CAAC;IAC9F,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,0BAA0B,EAAE,OAAO,CAAC,EAAE;QAAE,gBAAgB,CAAC,EAAE,OAAO,CAAA;KAAE,GAAG,OAAO,CAAC;IACtH,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC;IACzC,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,GAAG,IAAI,CAAC;IAC7C,WAAW,CAAC,OAAO,CAAC,EAAE,kBAAkB,GAAG,OAAO,EAAE,CAAC;IACrD,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,iBAAiB,GAAG,IAAI,CAAC;IAC1E,uBAAuB,CAAC,KAAK,EAAE,4BAA4B,GAAG,iBAAiB,CAAC;IAChF,eAAe,CAAC,KAAK,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,EAAE,CAAA;KAAE,GAAG,iBAAiB,CAAC;IAC9F,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,iBAAiB,GAAG,IAAI,CAAC;IAC1D,yBAAyB,CAAC,OAAO,EAAE,MAAM,GAAG,iBAAiB,CAAC;IAC9D,gBAAgB,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;CACtC;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,aAAa,GAAG,aAAa,CAU7F;AAwBD,wBAAgB,WAAW,CAAC,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,aAAa,GAAG,iBAAiB,CAwB/F;AAED,wBAAgB,cAAc,CAAC,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,MAAM,GAAG,oBAAoB,CAe9F"}
+{"version":3,"file":"imports.d.ts","sourceRoot":"","sources":["../src/imports.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,4BAA4B,EAAE,MAAM,YAAY,CAAC;AACrG,OAAO,KAAK,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,0BAA0B,EAAE,kBAAkB,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAEjJ,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,UAAU,GAAG,SAAS,GAAG,SAAS,GAAG,YAAY,CAAC;AACxF,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,QAAQ,GAAG,WAAW,GAAG,SAAS,GAAG,UAAU,CAAC;AAEtF,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,YAAY,CAAC;IACrB,OAAO,EAAE,OAAO,EAAE,CAAC;IACnB,QAAQ,CAAC,EAAE,OAAO,CAAC,kBAAkB,CAAC,CAAC;CACxC;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,YAAY,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,WAAW,CAAC;IAClB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,eAAe,CAAC;IAC3B,MAAM,EAAE,YAAY,CAAC;IACrB,OAAO,EAAE,OAAO,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,iBAAiB,GAAG,IAAI,CAAC;IACrC,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB;AAED,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,YAAY,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,IAAI,CAAC;IACb,KAAK,EAAE,iBAAiB,EAAE,CAAC;IAC3B,MAAM,EAAE,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;CACtC;AAED,MAAM,WAAW,eAAgB,SAAQ,iBAAiB;IACxD,OAAO,EAAE,OAAO,GAAG,IAAI,CAAC;IACxB,MAAM,EAAE,OAAO,GAAG,IAAI,CAAC;IACvB,KAAK,EAAE,OAAO,GAAG,IAAI,CAAC;CACvB;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,YAAY,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,eAAe,EAAE,CAAC;IACzB,MAAM,EAAE,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;CACtC;AAED,MAAM,WAAW,kBAAkB;IACjC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,MAAM,EAAE,SAAS,GAAG,UAAU,GAAG,UAAU,GAAG,SAAS,CAAC;IACxD,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,KAAK,EAAE,kBAAkB,EAAE,CAAC;CAC7B;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,IAAI,EAAE,OAAO,GAAG,QAAQ,CAAC;IAClC,aAAa,CAAC,KAAK,EAAE,oBAAoB,EAAE,OAAO,CAAC,EAAE;QAAE,gBAAgB,CAAC,EAAE,OAAO,CAAA;KAAE,GAAG,OAAO,CAAC;IAC9F,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,0BAA0B,EAAE,OAAO,CAAC,EAAE;QAAE,gBAAgB,CAAC,EAAE,OAAO,CAAA;KAAE,GAAG,OAAO,CAAC;IACtH,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC;IACzC,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;QAAE,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,GAAG,IAAI,CAAC;IACjF,WAAW,CAAC,OAAO,CAAC,EAAE,kBAAkB,GAAG,OAAO,EAAE,CAAC;IACrD,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,iBAAiB,GAAG,IAAI,CAAC;IAC1E,uBAAuB,CAAC,KAAK,EAAE,4BAA4B,GAAG,iBAAiB,CAAC;IAChF,eAAe,CAAC,KAAK,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,EAAE,CAAA;KAAE,GAAG,iBAAiB,CAAC;IAC9F,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,iBAAiB,GAAG,IAAI,CAAC;IAC1D,yBAAyB,CAAC,OAAO,EAAE,MAAM,GAAG,iBAAiB,CAAC;IAC9D,gBAAgB,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;CACtC;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,GAAE;IAAE,WAAW,CAAC,EAAE,MAAM,CAAA;CAAO,GAAG,aAAa,CAUrI;AAwBD,wBAAgB,WAAW,CAAC,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,aAAa,GAAG,iBAAiB,CAwB/F;AAED,wBAAgB,cAAc,CAAC,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,MAAM,GAAG,oBAAoB,CAe9F"}

package/dist/imports.js

@@ -81,13 +81,74 @@ function isDeniedIpv4(ip) {
 }
 function isDeniedIpv6(ip) {
   const normalized = ip.toLowerCase();
-  return normalized === "::" || normalized === "::1" || normalized.startsWith("fe80:") || normalized.startsWith("fc") || normalized.startsWith("fd") || normalized.startsWith("ff") || normalized.startsWith("::ffff:127.") || normalized.startsWith("::ffff:10.") || normalized.startsWith("::ffff:169.254.") || /^::ffff:172\.(1[6-9]|2\d|3[0-1])\./.test(normalized) || normalized.startsWith("::ffff:192.168.");
+  const mappedIpv4 = ipv4FromMappedIpv6(normalized);
+  if (mappedIpv4)
+    return isDeniedIpv4(mappedIpv4);
+  const words = parseIpv6Words(normalized);
+  return normalized === "::" || normalized === "::1" || words !== null && (words[0] & 65472) === 65152 || normalized.startsWith("fc") || normalized.startsWith("fd") || normalized.startsWith("ff");
+}
+function ipv4FromMappedIpv6(ip) {
+  const words = parseIpv6Words(ip);
+  if (!words)
+    return null;
+  if (words[0] !== 0 || words[1] !== 0 || words[2] !== 0 || words[3] !== 0 || words[4] !== 0 || words[5] !== 65535) {
+    return null;
+  }
+  return [
+    words[6] >> 8,
+    words[6] & 255,
+    words[7] >> 8,
+    words[7] & 255
+  ].join(".");
+}
+function parseIpv6Words(value) {
+  let ip = value.toLowerCase();
+  const zoneIndex = ip.indexOf("%");
+  if (zoneIndex >= 0)
+    ip = ip.slice(0, zoneIndex);
+  if (ip.includes(".")) {
+    const lastColon = ip.lastIndexOf(":");
+    if (lastColon < 0)
+      return null;
+    const ipv4 = parseIpv4Words(ip.slice(lastColon + 1));
+    if (!ipv4)
+      return null;
+    ip = `${ip.slice(0, lastColon)}:${(ipv4[0] << 8 | ipv4[1]).toString(16)}:${(ipv4[2] << 8 | ipv4[3]).toString(16)}`;
+  }
+  const compressed = ip.split("::");
+  if (compressed.length > 2)
+    return null;
+  const left = parseIpv6Side(compressed[0]);
+  const right = compressed.length === 2 ? parseIpv6Side(compressed[1]) : [];
+  if (!left || !right)
+    return null;
+  if (compressed.length === 1)
+    return left.length === 8 ? left : null;
+  const missing = 8 - left.length - right.length;
+  if (missing < 1)
+    return null;
+  return [...left, ...Array(missing).fill(0), ...right];
+}
+function parseIpv6Side(value) {
+  if (!value)
+    return [];
+  const words = value.split(":");
+  if (words.some((word) => !/^[0-9a-f]{1,4}$/.test(word)))
+    return null;
+  return words.map((word) => Number.parseInt(word, 16));
+}
+function parseIpv4Words(value) {
+  const words = value.split(".").map((part) => Number(part));
+  if (words.length !== 4 || words.some((word) => !Number.isInteger(word) || word < 0 || word > 255)) {
+    return null;
+  }
+  return words;
 }
 
 // src/imports.ts
-function previewImport(store, request) {
+function previewImport(store, request, options = {}) {
   const source = normalizeSource(request.source);
-  const items = dedupePreviewItems(request.records.map((record) => previewRecord(store, source, record, request.defaults ?? {})));
+  const items = dedupePreviewItems(request.records.map((record) => previewRecord(store, source, record, request.defaults ?? {}, options)));
   return {
     source,
     generatedAt: new Date().toISOString(),
@@ -161,7 +222,7 @@ function rollbackImport(store, batchId) {
     items
   };
 }
-function previewRecord(store, source, record, defaults) {
+function previewRecord(store, source, record, defaults, options) {
   const warnings = [];
   let candidate;
   try {
@@ -181,13 +242,16 @@ function previewRecord(store, source, record, defaults) {
       reason: error instanceof Error ? error.message : String(error)
     };
   }
-  const provenance = store.getProvenance(candidate.source, candidate.sourceId);
-  const monitor = provenance ? store.getMonitor(provenance.monitorId) : store.getMonitor(candidate.name);
-  if (provenance && !monitor) {
+  const monitorOptions = options.workspaceId ? { workspaceId: options.workspaceId } : undefined;
+  const rawProvenance = store.getProvenance(candidate.source, candidate.sourceId);
+  const provenanceMonitor = rawProvenance ? store.getMonitor(rawProvenance.monitorId, monitorOptions) : null;
+  const provenance = provenanceMonitor ? rawProvenance : null;
+  const monitor = provenanceMonitor ?? store.getMonitor(candidate.name, monitorOptions);
+  if (rawProvenance && !provenanceMonitor && !options.workspaceId) {
     return { candidate, action: "create", monitor: null, provenance, warnings: ["source provenance points to a missing monitor"], reason: null };
   }
   if (provenance && monitor) {
-    const nameOwner = store.getMonitor(candidate.name);
+    const nameOwner = store.getMonitor(candidate.name, monitorOptions);
     if (nameOwner && nameOwner.id !== monitor.id) {
       return {
         candidate,

package/dist/index.js

@@ -276,13 +276,74 @@ function isDeniedIpv4(ip) {
 }
 function isDeniedIpv6(ip) {
   const normalized = ip.toLowerCase();
-  return normalized === "::" || normalized === "::1" || normalized.startsWith("fe80:") || normalized.startsWith("fc") || normalized.startsWith("fd") || normalized.startsWith("ff") || normalized.startsWith("::ffff:127.") || normalized.startsWith("::ffff:10.") || normalized.startsWith("::ffff:169.254.") || /^::ffff:172\.(1[6-9]|2\d|3[0-1])\./.test(normalized) || normalized.startsWith("::ffff:192.168.");
+  const mappedIpv4 = ipv4FromMappedIpv6(normalized);
+  if (mappedIpv4)
+    return isDeniedIpv4(mappedIpv4);
+  const words = parseIpv6Words(normalized);
+  return normalized === "::" || normalized === "::1" || words !== null && (words[0] & 65472) === 65152 || normalized.startsWith("fc") || normalized.startsWith("fd") || normalized.startsWith("ff");
+}
+function ipv4FromMappedIpv6(ip) {
+  const words = parseIpv6Words(ip);
+  if (!words)
+    return null;
+  if (words[0] !== 0 || words[1] !== 0 || words[2] !== 0 || words[3] !== 0 || words[4] !== 0 || words[5] !== 65535) {
+    return null;
+  }
+  return [
+    words[6] >> 8,
+    words[6] & 255,
+    words[7] >> 8,
+    words[7] & 255
+  ].join(".");
+}
+function parseIpv6Words(value) {
+  let ip = value.toLowerCase();
+  const zoneIndex = ip.indexOf("%");
+  if (zoneIndex >= 0)
+    ip = ip.slice(0, zoneIndex);
+  if (ip.includes(".")) {
+    const lastColon = ip.lastIndexOf(":");
+    if (lastColon < 0)
+      return null;
+    const ipv4 = parseIpv4Words(ip.slice(lastColon + 1));
+    if (!ipv4)
+      return null;
+    ip = `${ip.slice(0, lastColon)}:${(ipv4[0] << 8 | ipv4[1]).toString(16)}:${(ipv4[2] << 8 | ipv4[3]).toString(16)}`;
+  }
+  const compressed = ip.split("::");
+  if (compressed.length > 2)
+    return null;
+  const left = parseIpv6Side(compressed[0]);
+  const right = compressed.length === 2 ? parseIpv6Side(compressed[1]) : [];
+  if (!left || !right)
+    return null;
+  if (compressed.length === 1)
+    return left.length === 8 ? left : null;
+  const missing = 8 - left.length - right.length;
+  if (missing < 1)
+    return null;
+  return [...left, ...Array(missing).fill(0), ...right];
+}
+function parseIpv6Side(value) {
+  if (!value)
+    return [];
+  const words = value.split(":");
+  if (words.some((word) => !/^[0-9a-f]{1,4}$/.test(word)))
+    return null;
+  return words.map((word) => Number.parseInt(word, 16));
+}
+function parseIpv4Words(value) {
+  const words = value.split(".").map((part) => Number(part));
+  if (words.length !== 4 || words.some((word) => !Number.isInteger(word) || word < 0 || word > 255)) {
+    return null;
+  }
+  return words;
 }
 
 // src/imports.ts
-function previewImport(store, request) {
+function previewImport(store, request, options = {}) {
   const source = normalizeSource(request.source);
-  const items = dedupePreviewItems(request.records.map((record) => previewRecord(store, source, record, request.defaults ?? {})));
+  const items = dedupePreviewItems(request.records.map((record) => previewRecord(store, source, record, request.defaults ?? {}, options)));
   return {
     source,
     generatedAt: new Date().toISOString(),
@@ -356,7 +417,7 @@ function rollbackImport(store, batchId) {
     items
   };
 }
-function previewRecord(store, source, record, defaults) {
+function previewRecord(store, source, record, defaults, options) {
   const warnings = [];
   let candidate;
   try {
@@ -376,13 +437,16 @@ function previewRecord(store, source, record, defaults) {
       reason: error instanceof Error ? error.message : String(error)
     };
   }
-  const provenance = store.getProvenance(candidate.source, candidate.sourceId);
-  const monitor = provenance ? store.getMonitor(provenance.monitorId) : store.getMonitor(candidate.name);
-  if (provenance && !monitor) {
+  const monitorOptions = options.workspaceId ? { workspaceId: options.workspaceId } : undefined;
+  const rawProvenance = store.getProvenance(candidate.source, candidate.sourceId);
+  const provenanceMonitor = rawProvenance ? store.getMonitor(rawProvenance.monitorId, monitorOptions) : null;
+  const provenance = provenanceMonitor ? rawProvenance : null;
+  const monitor = provenanceMonitor ?? store.getMonitor(candidate.name, monitorOptions);
+  if (rawProvenance && !provenanceMonitor && !options.workspaceId) {
     return { candidate, action: "create", monitor: null, provenance, warnings: ["source provenance points to a missing monitor"], reason: null };
   }
   if (provenance && monitor) {
-    const nameOwner = store.getMonitor(candidate.name);
+    const nameOwner = store.getMonitor(candidate.name, monitorOptions);
     if (nameOwner && nameOwner.id !== monitor.id) {
       return {
         candidate,
@@ -2729,8 +2793,8 @@ class UptimeService {
     const execute = () => this.submitProbeResultInTransaction(input);
     return this.store.runInTransaction ? this.store.runInTransaction(execute) : execute();
   }
-  previewImport(request) {
-    return previewImport(this.store, request);
+  previewImport(request, options = {}) {
+    return previewImport(this.store, request, options);
   }
   applyImport(request) {
     return applyImport(this.store, request);
@@ -3758,7 +3822,7 @@ async function handleApiRoute(service, request, url, apiPath, options, hosted, a
     return json(service.submitProbeResult(await jsonBody(request)), 201);
   }
   if (request.method === "POST" && apiPath === "/api/imports/preview") {
-    return json(service.previewImport(await jsonBody(request)));
+    return json(service.previewImport(await jsonBody(request), { workspaceId: actor?.workspaceId }));
   }
   if (request.method === "POST" && apiPath === "/api/imports/apply") {
     if (hosted)
@@ -3938,7 +4002,7 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.10");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.11");
   const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
   const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;