@hasna/uptime 0.1.10 → 0.1.12

package/dist/index.js

@@ -1,12 +1,239 @@
 // @bun
 // src/checks.ts
+import dns from "dns/promises";
+import http from "http";
+import https from "https";
+import net2 from "net";
+
+// src/target-policy.ts
 import net from "net";
+var SECRET_PARAM_PATTERN = /(token|secret|password|passwd|api[_-]?key|access[_-]?token|auth|credential|session)/i;
+var DENIED_IPV4_CIDRS = [
+  ["0.0.0.0", 8],
+  ["10.0.0.0", 8],
+  ["100.64.0.0", 10],
+  ["127.0.0.0", 8],
+  ["169.254.0.0", 16],
+  ["172.16.0.0", 12],
+  ["192.0.0.0", 24],
+  ["192.0.2.0", 24],
+  ["192.88.99.0", 24],
+  ["192.168.0.0", 16],
+  ["198.18.0.0", 15],
+  ["198.51.100.0", 24],
+  ["203.0.113.0", 24],
+  ["224.0.0.0", 4],
+  ["240.0.0.0", 4]
+];
+var DENIED_IPV6_CIDRS = [
+  ["::", 128],
+  ["::1", 128],
+  ["64:ff9b::", 96],
+  ["64:ff9b:1::", 48],
+  ["100::", 64],
+  ["100:0:0:1::", 64],
+  ["2001::", 23],
+  ["2001:db8::", 32],
+  ["2002::", 16],
+  ["2620:4f:8000::", 48],
+  ["3fff::", 20],
+  ["5f00::", 16],
+  ["fc00::", 7],
+  ["fe80::", 10],
+  ["ff00::", 8]
+];
+function assertHostedTargetAllowed(target) {
+  if (target.kind === "http" || target.kind === "browser_page") {
+    if (!target.url)
+      throw new Error("HTTP monitors require url");
+    assertHostedHttpUrlAllowed(target.url);
+    return;
+  }
+  if (target.kind === "tcp") {
+    if (!target.host)
+      throw new Error("TCP monitors require host");
+    assertHostedHostAllowed(target.host, "TCP host");
+    if (!Number.isInteger(target.port) || target.port <= 0 || target.port > 65535) {
+      throw new Error("TCP monitors require a port from 1 to 65535");
+    }
+    return;
+  }
+  throw new Error("Monitor kind must be http, tcp, or browser_page");
+}
+function assertHostedHttpUrlAllowed(value) {
+  const parsed = new URL(value);
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    throw new Error("HTTP monitor url must use http or https");
+  }
+  if (parsed.username || parsed.password) {
+    throw new Error("hosted target URLs must not contain userinfo");
+  }
+  for (const key of parsed.searchParams.keys()) {
+    if (SECRET_PARAM_PATTERN.test(key)) {
+      throw new Error(`hosted target URL query parameter is not allowed: ${key}`);
+    }
+  }
+  if (parsed.hash && SECRET_PARAM_PATTERN.test(parsed.hash)) {
+    throw new Error("hosted target URL fragment contains secret-like data");
+  }
+  assertHostedHostAllowed(parsed.hostname, "HTTP host");
+}
+function assertHostedHostAllowed(hostname, label = "host") {
+  const host = normalizeHostedHost(hostname);
+  if (!host)
+    throw new Error(`${label} is required`);
+  if (host === "localhost" || host.endsWith(".localhost")) {
+    throw new Error(`${label} is not allowed in hosted mode: localhost`);
+  }
+  if (host.endsWith(".local") || host.endsWith(".internal")) {
+    throw new Error(`${label} is not allowed in hosted mode: private DNS name`);
+  }
+  const ipVersion = net.isIP(host);
+  if (ipVersion === 4 && isDeniedIpv4(host)) {
+    throw new Error(`${label} is not allowed in hosted mode: private or reserved IPv4`);
+  }
+  if (ipVersion === 6 && isDeniedIpv6(host)) {
+    throw new Error(`${label} is not allowed in hosted mode: private or reserved IPv6`);
+  }
+}
+function assertHostedResolvedAddressesAllowed(hostname, addresses, label = "resolved address") {
+  if (addresses.length === 0) {
+    throw new Error(`${label} is not allowed in hosted mode: DNS returned no addresses for ${normalizeHostedHost(hostname) || "host"}`);
+  }
+  for (const entry of addresses) {
+    assertHostedAddressAllowed(entry.address, label);
+  }
+}
+function assertHostedAddressAllowed(address, label = "resolved address") {
+  const host = normalizeHostedHost(address);
+  const ipVersion = net.isIP(host);
+  if (ipVersion === 4 && isDeniedIpv4(host)) {
+    throw new Error(`${label} is not allowed in hosted mode: private or reserved IPv4`);
+  }
+  if (ipVersion === 6 && isDeniedIpv6(host)) {
+    throw new Error(`${label} is not allowed in hosted mode: private or reserved IPv6`);
+  }
+  if (ipVersion === 0) {
+    throw new Error(`${label} is not allowed in hosted mode: DNS returned a non-IP address`);
+  }
+}
+function normalizeHostedHost(hostname) {
+  return hostname.trim().toLowerCase().replace(/^\[|\]$/g, "").replace(/\.$/, "");
+}
+function isDeniedIpv4(ip) {
+  const parts = parseIpv4Words(ip);
+  if (!parts)
+    return true;
+  return DENIED_IPV4_CIDRS.some(([base, prefix]) => ipv4MatchesCidr(parts, parseIpv4Words(base), prefix));
+}
+function isDeniedIpv6(ip) {
+  const normalized = ip.toLowerCase();
+  const words = parseIpv6Words(normalized);
+  if (!words)
+    return true;
+  const mappedIpv4 = ipv4FromMappedIpv6Words(words);
+  if (mappedIpv4)
+    return isDeniedIpv4(mappedIpv4);
+  return isIpv4CompatibleIpv6(words) || DENIED_IPV6_CIDRS.some(([base, prefix]) => ipv6MatchesCidr(words, parseIpv6Words(base), prefix));
+}
+function isIpv4CompatibleIpv6(words) {
+  if (!words)
+    return false;
+  if (!words.slice(0, 6).every((word) => word === 0))
+    return false;
+  if (words[6] === 0 && (words[7] === 0 || words[7] === 1))
+    return false;
+  return true;
+}
+function ipv4FromMappedIpv6Words(words) {
+  if (words[0] !== 0 || words[1] !== 0 || words[2] !== 0 || words[3] !== 0 || words[4] !== 0 || words[5] !== 65535) {
+    return null;
+  }
+  return ipv4FromWords(words[6], words[7]);
+}
+function ipv4FromWords(high, low) {
+  return [
+    high >> 8,
+    high & 255,
+    low >> 8,
+    low & 255
+  ].join(".");
+}
+function ipv4MatchesCidr(parts, base, prefix) {
+  const mask = prefix === 0 ? 0 : 4294967295 << 32 - prefix >>> 0;
+  return (ipv4ToNumber(parts) & mask) >>> 0 === (ipv4ToNumber(base) & mask) >>> 0;
+}
+function ipv4ToNumber(parts) {
+  return (parts[0] << 24 >>> 0 | parts[1] << 16 | parts[2] << 8 | parts[3]) >>> 0;
+}
+function ipv6MatchesCidr(words, base, prefix) {
+  const fullWords = Math.floor(prefix / 16);
+  for (let index = 0;index < fullWords; index += 1) {
+    if (words[index] !== base[index])
+      return false;
+  }
+  const remainingBits = prefix % 16;
+  if (remainingBits === 0)
+    return true;
+  const mask = 65535 << 16 - remainingBits & 65535;
+  return (words[fullWords] & mask) === (base[fullWords] & mask);
+}
+function parseIpv6Words(value) {
+  let ip = value.toLowerCase();
+  const zoneIndex = ip.indexOf("%");
+  if (zoneIndex >= 0)
+    ip = ip.slice(0, zoneIndex);
+  if (ip.includes(".")) {
+    const lastColon = ip.lastIndexOf(":");
+    if (lastColon < 0)
+      return null;
+    const ipv4 = parseIpv4Words(ip.slice(lastColon + 1));
+    if (!ipv4)
+      return null;
+    ip = `${ip.slice(0, lastColon)}:${(ipv4[0] << 8 | ipv4[1]).toString(16)}:${(ipv4[2] << 8 | ipv4[3]).toString(16)}`;
+  }
+  const compressed = ip.split("::");
+  if (compressed.length > 2)
+    return null;
+  const left = parseIpv6Side(compressed[0]);
+  const right = compressed.length === 2 ? parseIpv6Side(compressed[1]) : [];
+  if (!left || !right)
+    return null;
+  if (compressed.length === 1)
+    return left.length === 8 ? left : null;
+  const missing = 8 - left.length - right.length;
+  if (missing < 1)
+    return null;
+  return [...left, ...Array(missing).fill(0), ...right];
+}
+function parseIpv6Side(value) {
+  if (!value)
+    return [];
+  const words = value.split(":");
+  if (words.some((word) => !/^[0-9a-f]{1,4}$/.test(word)))
+    return null;
+  return words.map((word) => Number.parseInt(word, 16));
+}
+function parseIpv4Words(value) {
+  const words = value.split(".").map((part) => Number(part));
+  if (words.length !== 4 || words.some((word) => !Number.isInteger(word) || word < 0 || word > 255)) {
+    return null;
+  }
+  return words;
+}
+
+// src/checks.ts
 async function runMonitorCheck(monitor, options = {}) {
   if (!monitor.enabled) {
     return { status: "down", latencyMs: null, error: "monitor is disabled" };
   }
-  if (monitor.kind === "http")
-    return runHttpCheck(monitor, options.fetch ?? fetch);
+  if (monitor.kind === "http") {
+    return options.hostedTargetPolicy ? runHostedHttpCheck(monitor, {
+      resolveHost: options.resolveHost,
+      request: options.hostedHttpRequest,
+      maxRedirects: options.maxRedirects
+    }) : runHttpCheck(monitor, options.fetch ?? fetch);
+  }
   if (monitor.kind === "browser_page")
     return runBrowserPageCheck(monitor, { fetch: options.fetch, runner: options.browserPage });
   if (monitor.kind === "tcp")
@@ -44,12 +271,87 @@ async function runHttpCheck(monitor, fetchImpl = fetch) {
     clearTimeout(timeout);
   }
 }
+async function runHostedHttpCheck(monitor, options = {}) {
+  if (!monitor.url)
+    return { status: "down", latencyMs: null, error: "missing url" };
+  const resolver = options.resolveHost ?? resolveHostedHost;
+  const request = options.request ?? requestHostedHttpPinned;
+  const maxRedirects = options.maxRedirects ?? 5;
+  const controller = new AbortController;
+  const timeout = setTimeout(() => controller.abort(), monitor.timeoutMs);
+  const started = performance.now();
+  const decisions = [];
+  let currentUrl;
+  let redirectCount = 0;
+  try {
+    currentUrl = new URL(monitor.url);
+  } catch (error) {
+    clearTimeout(timeout);
+    return {
+      status: "down",
+      latencyMs: 0,
+      statusCode: null,
+      error: error instanceof Error ? error.message : String(error),
+      evidence: hostedHttpEvidence(null, redirectCount, decisions)
+    };
+  }
+  try {
+    while (true) {
+      throwIfAborted(controller.signal);
+      const stage = redirectCount === 0 ? "request" : "redirect";
+      const address = await resolveAndRecordHostedHttpDecision(currentUrl, stage, resolver, decisions);
+      const response = await request({
+        url: currentUrl,
+        method: monitor.method || "GET",
+        timeoutMs: monitor.timeoutMs,
+        address,
+        signal: controller.signal
+      });
+      const location = redirectLocation(response.headers);
+      if (isRedirectStatus(response.status) && location) {
+        if (redirectCount >= maxRedirects) {
+          const latencyMs2 = elapsed(started);
+          return {
+            status: "down",
+            latencyMs: latencyMs2,
+            statusCode: response.status,
+            error: `too many redirects after ${maxRedirects}`,
+            evidence: hostedHttpEvidence(currentUrl, redirectCount, decisions)
+          };
+        }
+        currentUrl = new URL(location, currentUrl);
+        redirectCount += 1;
+        continue;
+      }
+      const latencyMs = elapsed(started);
+      const ok = monitor.expectedStatus == null ? response.status >= 200 && response.status < 400 : response.status === monitor.expectedStatus;
+      return {
+        status: ok ? "up" : "down",
+        latencyMs,
+        statusCode: response.status,
+        error: ok ? null : `unexpected status ${response.status}`,
+        evidence: hostedHttpEvidence(currentUrl, redirectCount, decisions)
+      };
+    }
+  } catch (error) {
+    const latencyMs = elapsed(started);
+    return {
+      status: "down",
+      latencyMs,
+      statusCode: null,
+      error: error instanceof Error ? error.message : String(error),
+      evidence: hostedHttpEvidence(currentUrl, redirectCount, decisions)
+    };
+  } finally {
+    clearTimeout(timeout);
+  }
+}
 async function runTcpCheck(monitor) {
   if (!monitor.host || !monitor.port)
     return { status: "down", latencyMs: null, error: "missing host or port" };
   const started = performance.now();
   return new Promise((resolve) => {
-    const socket = net.createConnection({ host: monitor.host, port: monitor.port, timeout: monitor.timeoutMs });
+    const socket = net2.createConnection({ host: monitor.host, port: monitor.port, timeout: monitor.timeoutMs });
     let settled = false;
     const finish = (result) => {
       if (settled)
@@ -137,6 +439,43 @@ function normalizeBrowserEvidence(sourceUrl, raw) {
     retentionClass: "short"
   };
 }
+function normalizeHttpTargetPolicyEvidence(raw) {
+  if (!isHttpTargetPolicyEvidence(raw))
+    throw new Error("HTTP target-policy evidence is invalid");
+  return {
+    kind: "http_target_policy",
+    mode: "hosted",
+    finalUrl: raw.finalUrl ? redactUrl(raw.finalUrl) : null,
+    redirectCount: Math.max(0, Math.min(20, Math.trunc(raw.redirectCount))),
+    decisions: raw.decisions.slice(0, 20).map((decision) => ({
+      stage: decision.stage,
+      decision: decision.decision,
+      url: redactUrl(decision.url),
+      host: redactText(normalizeHostedHost(decision.host)),
+      targetClass: "public_http",
+      probeClass: "public",
+      protocol: decision.protocol,
+      resolvedAddresses: decision.resolvedAddresses.slice(0, 20).map((address) => ({
+        address: normalizeHostedHost(address.address),
+        family: address.family
+      })),
+      ruleId: redactText(decision.ruleId),
+      reason: decision.reason ? redactText(decision.reason) : null
+    })),
+    redacted: true,
+    redactionStatus: "redacted",
+    retentionClass: "short"
+  };
+}
+function isBrowserPageEvidence(value) {
+  return Boolean(value && typeof value === "object" && value.kind === "browser_page");
+}
+function isHttpTargetPolicyEvidence(value) {
+  if (!value || typeof value !== "object" || value.kind !== "http_target_policy")
+    return false;
+  const evidence = value;
+  return evidence.mode === "hosted" && (evidence.finalUrl === null || typeof evidence.finalUrl === "string") && Number.isInteger(evidence.redirectCount) && evidence.redacted === true && evidence.redactionStatus === "redacted" && evidence.retentionClass === "short" && Array.isArray(evidence.decisions) && evidence.decisions.every((decision) => decision && (decision.stage === "request" || decision.stage === "redirect") && (decision.decision === "allowed" || decision.decision === "blocked") && (decision.protocol === "http:" || decision.protocol === "https:") && decision.targetClass === "public_http" && decision.probeClass === "public" && typeof decision.url === "string" && typeof decision.host === "string" && typeof decision.ruleId === "string" && (decision.reason === null || typeof decision.reason === "string") && Array.isArray(decision.resolvedAddresses) && decision.resolvedAddresses.every((address) => address && typeof address.address === "string" && (address.family === 4 || address.family === 6)));
+}
 function validateBrowserPageUrl(value) {
   const parsed = new URL(value);
   if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
@@ -193,6 +532,130 @@ function redactText(value) {
 function isSecretKey(value) {
   return /(token|secret|password|passwd|api[_-]?key|access[_-]?token|auth|credential|session)/i.test(value);
 }
+async function resolveAndRecordHostedHttpDecision(url, stage, resolver, decisions) {
+  let addresses = [];
+  try {
+    assertHostedHttpUrlAllowed(url.toString());
+    addresses = normalizeResolvedAddresses(await resolver(normalizeHostedHost(url.hostname)));
+    assertHostedResolvedAddressesAllowed(url.hostname, addresses, "HTTP resolved address");
+    decisions.push({
+      stage,
+      decision: "allowed",
+      url: sanitizePolicyUrl(url),
+      host: normalizeHostedHost(url.hostname),
+      targetClass: "public_http",
+      probeClass: "public",
+      protocol: url.protocol,
+      resolvedAddresses: addresses,
+      ruleId: "hosted-http-runtime-target-policy",
+      reason: null
+    });
+    return addresses[0];
+  } catch (error) {
+    decisions.push({
+      stage,
+      decision: "blocked",
+      url: sanitizePolicyUrl(url),
+      host: normalizeHostedHost(url.hostname),
+      targetClass: "public_http",
+      probeClass: "public",
+      protocol: url.protocol === "http:" || url.protocol === "https:" ? url.protocol : "http:",
+      resolvedAddresses: addresses,
+      ruleId: "hosted-http-runtime-target-policy",
+      reason: error instanceof Error ? error.message : String(error)
+    });
+    throw error;
+  }
+}
+async function resolveHostedHost(hostname) {
+  const host = normalizeHostedHost(hostname);
+  const ipVersion = net2.isIP(host);
+  if (ipVersion === 4 || ipVersion === 6)
+    return [{ address: host, family: ipVersion }];
+  return dns.lookup(host, { all: true, verbatim: true });
+}
+function normalizeResolvedAddresses(addresses) {
+  return addresses.map((entry) => {
+    const address = normalizeHostedHost(entry.address);
+    const detected = net2.isIP(address);
+    const family = entry.family === 4 || entry.family === 6 ? entry.family : detected;
+    if (family !== 4 && family !== 6) {
+      throw new Error("HTTP resolved address is not allowed in hosted mode: DNS returned a non-IP address");
+    }
+    return { address, family };
+  });
+}
+function hostedHttpEvidence(finalUrl, redirectCount, decisions) {
+  return {
+    kind: "http_target_policy",
+    mode: "hosted",
+    finalUrl: finalUrl ? sanitizePolicyUrl(finalUrl) : null,
+    redirectCount,
+    decisions,
+    redacted: true,
+    redactionStatus: "redacted",
+    retentionClass: "short"
+  };
+}
+function sanitizePolicyUrl(url) {
+  const copy = new URL(url.toString());
+  copy.username = "";
+  copy.password = "";
+  copy.hash = "";
+  for (const key of copy.searchParams.keys()) {
+    if (isSecretKey(key))
+      copy.searchParams.set(key, "[redacted]");
+  }
+  return copy.toString();
+}
+function redirectLocation(headers) {
+  if (!headers)
+    return null;
+  if (headers instanceof Headers)
+    return headers.get("location");
+  const raw = headers.location ?? headers.Location;
+  if (Array.isArray(raw))
+    return raw[0] ?? null;
+  return raw ?? null;
+}
+function isRedirectStatus(status) {
+  return status === 301 || status === 302 || status === 303 || status === 307 || status === 308;
+}
+async function requestHostedHttpPinned(context) {
+  const lookup = (_hostname, _options, callback) => callback(null, context.address.address, context.address.family);
+  return context.url.protocol === "https:" ? requestWithClient(context, https, new https.Agent({ lookup })) : requestWithClient(context, http, new http.Agent({ lookup }));
+}
+function requestWithClient(context, client, agent) {
+  return new Promise((resolve, reject) => {
+    const req = client.request(context.url, {
+      method: context.method,
+      agent,
+      signal: context.signal,
+      timeout: context.timeoutMs
+    }, (response) => {
+      response.resume();
+      response.once("end", () => {
+        agent.destroy();
+        resolve({ status: response.statusCode ?? 0, headers: response.headers });
+      });
+    });
+    req.once("timeout", () => {
+      req.destroy(new Error("http timeout"));
+    });
+    req.once("error", (error) => {
+      agent.destroy();
+      reject(error);
+    });
+    req.end();
+  });
+}
+function throwIfAborted(signal) {
+  if (signal.aborted)
+    throw new Error("http timeout");
+}
+function elapsed(started) {
+  return Math.round((performance.now() - started) * 100) / 100;
+}
 
 // src/imports.ts
 import { randomUUID } from "crypto";
@@ -206,83 +669,10 @@ var MIN_RETRY_COUNT = 0;
 var MAX_RETRY_COUNT = 10;
 var MAX_RESULT_LIMIT = 1000;
 
-// src/target-policy.ts
-import net2 from "net";
-var SECRET_PARAM_PATTERN = /(token|secret|password|passwd|api[_-]?key|access[_-]?token|auth|credential|session)/i;
-function assertHostedTargetAllowed(target) {
-  if (target.kind === "http" || target.kind === "browser_page") {
-    if (!target.url)
-      throw new Error("HTTP monitors require url");
-    assertHostedHttpUrlAllowed(target.url);
-    return;
-  }
-  if (target.kind === "tcp") {
-    if (!target.host)
-      throw new Error("TCP monitors require host");
-    assertHostedHostAllowed(target.host, "TCP host");
-    if (!Number.isInteger(target.port) || target.port <= 0 || target.port > 65535) {
-      throw new Error("TCP monitors require a port from 1 to 65535");
-    }
-    return;
-  }
-  throw new Error("Monitor kind must be http, tcp, or browser_page");
-}
-function assertHostedHttpUrlAllowed(value) {
-  const parsed = new URL(value);
-  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
-    throw new Error("HTTP monitor url must use http or https");
-  }
-  if (parsed.username || parsed.password) {
-    throw new Error("hosted target URLs must not contain userinfo");
-  }
-  for (const key of parsed.searchParams.keys()) {
-    if (SECRET_PARAM_PATTERN.test(key)) {
-      throw new Error(`hosted target URL query parameter is not allowed: ${key}`);
-    }
-  }
-  if (parsed.hash && SECRET_PARAM_PATTERN.test(parsed.hash)) {
-    throw new Error("hosted target URL fragment contains secret-like data");
-  }
-  assertHostedHostAllowed(parsed.hostname, "HTTP host");
-}
-function assertHostedHostAllowed(hostname, label = "host") {
-  const host = normalizeHost(hostname);
-  if (!host)
-    throw new Error(`${label} is required`);
-  if (host === "localhost" || host.endsWith(".localhost")) {
-    throw new Error(`${label} is not allowed in hosted mode: localhost`);
-  }
-  if (host.endsWith(".local") || host.endsWith(".internal")) {
-    throw new Error(`${label} is not allowed in hosted mode: private DNS name`);
-  }
-  const ipVersion = net2.isIP(host);
-  if (ipVersion === 4 && isDeniedIpv4(host)) {
-    throw new Error(`${label} is not allowed in hosted mode: private or reserved IPv4`);
-  }
-  if (ipVersion === 6 && isDeniedIpv6(host)) {
-    throw new Error(`${label} is not allowed in hosted mode: private or reserved IPv6`);
-  }
-}
-function normalizeHost(hostname) {
-  return hostname.trim().toLowerCase().replace(/^\[|\]$/g, "").replace(/\.$/, "");
-}
-function isDeniedIpv4(ip) {
-  const parts = ip.split(".").map((part) => Number(part));
-  if (parts.length !== 4 || parts.some((part) => !Number.isInteger(part) || part < 0 || part > 255)) {
-    return true;
-  }
-  const [a, b] = parts;
-  return a === 0 || a === 10 || a === 127 || a === 100 && b >= 64 && b <= 127 || a === 169 && b === 254 || a === 172 && b >= 16 && b <= 31 || a === 192 && b === 168 || a >= 224;
-}
-function isDeniedIpv6(ip) {
-  const normalized = ip.toLowerCase();
-  return normalized === "::" || normalized === "::1" || normalized.startsWith("fe80:") || normalized.startsWith("fc") || normalized.startsWith("fd") || normalized.startsWith("ff") || normalized.startsWith("::ffff:127.") || normalized.startsWith("::ffff:10.") || normalized.startsWith("::ffff:169.254.") || /^::ffff:172\.(1[6-9]|2\d|3[0-1])\./.test(normalized) || normalized.startsWith("::ffff:192.168.");
-}
-
 // src/imports.ts
-function previewImport(store, request) {
+function previewImport(store, request, options = {}) {
   const source = normalizeSource(request.source);
-  const items = dedupePreviewItems(request.records.map((record) => previewRecord(store, source, record, request.defaults ?? {})));
+  const items = dedupePreviewItems(request.records.map((record) => previewRecord(store, source, record, request.defaults ?? {}, options)));
   return {
     source,
     generatedAt: new Date().toISOString(),
@@ -356,7 +746,7 @@ function rollbackImport(store, batchId) {
     items
   };
 }
-function previewRecord(store, source, record, defaults) {
+function previewRecord(store, source, record, defaults, options) {
   const warnings = [];
   let candidate;
   try {
@@ -376,13 +766,16 @@ function previewRecord(store, source, record, defaults) {
       reason: error instanceof Error ? error.message : String(error)
     };
   }
-  const provenance = store.getProvenance(candidate.source, candidate.sourceId);
-  const monitor = provenance ? store.getMonitor(provenance.monitorId) : store.getMonitor(candidate.name);
-  if (provenance && !monitor) {
+  const monitorOptions = options.workspaceId ? { workspaceId: options.workspaceId } : undefined;
+  const rawProvenance = store.getProvenance(candidate.source, candidate.sourceId);
+  const provenanceMonitor = rawProvenance ? store.getMonitor(rawProvenance.monitorId, monitorOptions) : null;
+  const provenance = provenanceMonitor ? rawProvenance : null;
+  const monitor = provenanceMonitor ?? store.getMonitor(candidate.name, monitorOptions);
+  if (rawProvenance && !provenanceMonitor && !options.workspaceId) {
     return { candidate, action: "create", monitor: null, provenance, warnings: ["source provenance points to a missing monitor"], reason: null };
   }
   if (provenance && monitor) {
-    const nameOwner = store.getMonitor(candidate.name);
+    const nameOwner = store.getMonitor(candidate.name, monitorOptions);
     if (nameOwner && nameOwner.id !== monitor.id) {
       return {
         candidate,
@@ -2729,8 +3122,8 @@ class UptimeService {
     const execute = () => this.submitProbeResultInTransaction(input);
     return this.store.runInTransaction ? this.store.runInTransaction(execute) : execute();
   }
-  previewImport(request) {
-    return previewImport(this.store, request);
+  previewImport(request, options = {}) {
+    return previewImport(this.store, request, options);
   }
   applyImport(request) {
     return applyImport(this.store, request);
@@ -3070,7 +3463,7 @@ class UptimeService {
       throw new Error("Probe job fencing token is invalid");
     if (!job.leaseExpiresAt || job.leaseExpiresAt <= new Date().toISOString())
       throw new Error("Probe job lease expired");
-    const evidence = input.evidence ? normalizeBrowserEvidence(monitor.url ?? monitor.host ?? "https://example.invalid", input.evidence) : null;
+    const evidence = input.evidence ? normalizeSubmittedEvidence(monitor.url ?? monitor.host ?? "https://example.invalid", input.evidence) : null;
     const result = this.store.recordCheckResult({
       monitorId: monitor.id,
       checkedAt: input.checkedAt,
@@ -3114,6 +3507,13 @@ class MonitorCheckBusyError extends Error {
 function enabledReportChannels(schedule) {
   return ["email", "sms", "logs"].filter((channel) => Boolean(schedule.channels[channel]));
 }
+function normalizeSubmittedEvidence(sourceUrl, evidence) {
+  if (evidence.kind === "browser_page")
+    return normalizeBrowserEvidence(sourceUrl, evidence);
+  if (evidence.kind === "http_target_policy")
+    return normalizeHttpTargetPolicyEvidence(evidence);
+  throw new Error("Unsupported probe evidence kind");
+}
 function validateProbeSubmission(input) {
   if (!input.jobId.trim())
     throw new Error("Probe submission jobId is required");
@@ -3758,7 +4158,7 @@ async function handleApiRoute(service, request, url, apiPath, options, hosted, a
     return json(service.submitProbeResult(await jsonBody(request)), 201);
   }
   if (request.method === "POST" && apiPath === "/api/imports/preview") {
-    return json(service.previewImport(await jsonBody(request)));
+    return json(service.previewImport(await jsonBody(request), { workspaceId: actor?.workspaceId }));
   }
   if (request.method === "POST" && apiPath === "/api/imports/apply") {
     if (hosted)
@@ -3938,7 +4338,7 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.10");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.12");
   const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
   const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;
@@ -4080,7 +4480,7 @@ function buildAwsDeploymentPlan(options = {}) {
       "The infrastructure owner repository was not found in this workspace.",
       "The EFS SQLite bridge is single-writer only: web target desired count is 1 and scheduler/public-probe/reporter targets remain 0 until Postgres and cloud leases exist.",
       "Hosted production auth/RBAC must replace broad static hosted-token operation before exposure.",
-      "Public probe execution still needs DNS, redirect, and rebinding SSRF enforcement plus cloud check-job leases.",
+      "Public probe execution still needs cloud check-job leases wired to runHostedHttpCheck and live policy-decision log evidence.",
       "Private probe enrollment, claim, submit, heartbeat, revocation, and rotation are not cloud-backed yet."
     ],
     requiredEvidence: [
@@ -4217,12 +4617,16 @@ export {
   runTcpCheck,
   runMonitorCheck,
   runHttpCheck,
+  runHostedHttpCheck,
   runBrowserPageCheck,
   rollbackImport,
   renderPrivateProbeEnv,
   probeResultSigningPayload,
   probePublicKeyFingerprint,
   previewImport,
+  normalizeHttpTargetPolicyEvidence,
+  isHttpTargetPolicyEvidence,
+  isBrowserPageEvidence,
   generateProbeKeyPair,
   ensureUptimeHome,
   createUptimeClient,