@hasna/uptime 0.1.11 → 0.1.12

package/dist/checks.d.ts

@@ -1,8 +1,39 @@
-import type { BrowserFailedRequest, BrowserPageEvidence, CheckAttemptResult, EvidenceArtifact, Monitor } from "./types.js";
+import { type IncomingHttpHeaders } from "node:http";
+import { type HostedResolvedAddress } from "./target-policy.js";
+import type { BrowserFailedRequest, BrowserPageEvidence, CheckAttemptResult, EvidenceArtifact, HttpTargetPolicyEvidence, Monitor } from "./types.js";
 export type FetchLike = (input: string, init: RequestInit) => Promise<{
     status: number;
 }>;
 export type BrowserPageRunner = (monitor: Monitor) => Promise<BrowserPageRunnerResult>;
+export type HostedDnsResolver = (hostname: string) => Promise<HostedResolvedAddress[]>;
+export type HostedHttpRequestLike = (context: HostedHttpRequestContext) => Promise<HostedHttpResponse>;
+export interface MonitorCheckOptions {
+    fetch?: FetchLike;
+    browserPage?: BrowserPageRunner;
+    hostedTargetPolicy?: boolean;
+    resolveHost?: HostedDnsResolver;
+    hostedHttpRequest?: HostedHttpRequestLike;
+    maxRedirects?: number;
+}
+export interface HostedHttpCheckOptions {
+    resolveHost?: HostedDnsResolver;
+    request?: HostedHttpRequestLike;
+    maxRedirects?: number;
+}
+export interface HostedHttpRequestContext {
+    url: URL;
+    method: string;
+    timeoutMs: number;
+    address: {
+        address: string;
+        family: 4 | 6;
+    };
+    signal: AbortSignal;
+}
+export interface HostedHttpResponse {
+    status: number;
+    headers?: Headers | IncomingHttpHeaders | Record<string, string | string[] | undefined>;
+}
 export interface BrowserPageRunnerResult {
     finalUrl?: string | null;
     navigationStatus?: number | null;
@@ -19,15 +50,16 @@ export interface BrowserPageRunnerResult {
     }>;
     latencyMs?: number | null;
 }
-export declare function runMonitorCheck(monitor: Monitor, options?: {
-    fetch?: FetchLike;
-    browserPage?: BrowserPageRunner;
-}): Promise<CheckAttemptResult>;
+export declare function runMonitorCheck(monitor: Monitor, options?: MonitorCheckOptions): Promise<CheckAttemptResult>;
 export declare function runHttpCheck(monitor: Monitor, fetchImpl?: FetchLike): Promise<CheckAttemptResult>;
+export declare function runHostedHttpCheck(monitor: Monitor, options?: HostedHttpCheckOptions): Promise<CheckAttemptResult>;
 export declare function runTcpCheck(monitor: Monitor): Promise<CheckAttemptResult>;
 export declare function runBrowserPageCheck(monitor: Monitor, options?: {
     fetch?: FetchLike;
     runner?: BrowserPageRunner;
 }): Promise<CheckAttemptResult>;
 export declare function normalizeBrowserEvidence(sourceUrl: string, raw: BrowserPageRunnerResult): BrowserPageEvidence;
+export declare function normalizeHttpTargetPolicyEvidence(raw: HttpTargetPolicyEvidence): HttpTargetPolicyEvidence;
+export declare function isBrowserPageEvidence(value: unknown): value is BrowserPageEvidence;
+export declare function isHttpTargetPolicyEvidence(value: unknown): value is HttpTargetPolicyEvidence;
 //# sourceMappingURL=checks.d.ts.map

package/dist/checks.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"checks.d.ts","sourceRoot":"","sources":["../src/checks.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAE3H,MAAM,MAAM,SAAS,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,KAAK,OAAO,CAAC;IAAE,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CAAC;AAC1F,MAAM,MAAM,iBAAiB,GAAG,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,uBAAuB,CAAC,CAAC;AAEvF,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,cAAc,CAAC,EAAE,oBAAoB,EAAE,CAAC;IACxC,UAAU,CAAC,EAAE,CAAC,OAAO,CAAC,gBAAgB,CAAC,GAAG;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,GAAG,IAAI,CAAC;IACjF,SAAS,CAAC,EAAE,KAAK,CAAC,OAAO,CAAC,gBAAgB,CAAC,GAAG;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC9E,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAED,wBAAsB,eAAe,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,GAAE;IAAE,KAAK,CAAC,EAAE,SAAS,CAAC;IAAC,WAAW,CAAC,EAAE,iBAAiB,CAAA;CAAO,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAQzJ;AAED,wBAAsB,YAAY,CAAC,OAAO,EAAE,OAAO,EAAE,SAAS,GAAE,SAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC,CA+B9G;AAED,wBAAsB,WAAW,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAsB/E;AAED,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,OAAO,EAChB,OAAO,GAAE;IAAE,KAAK,CAAC,EAAE,SAAS,CAAC;IAAC,MAAM,CAAC,EAAE,iBAAiB,CAAA;CAAO,GAC9D,OAAO,CAAC,kBAAkB,CAAC,CAqD7B;AAED,wBAAgB,wBAAwB,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,uBAAuB,GAAG,mBAAmB,CAkB7G"}
+{"version":3,"file":"checks.d.ts","sourceRoot":"","sources":["../src/checks.ts"],"names":[],"mappings":"AACA,OAAa,EAAE,KAAK,mBAAmB,EAAE,MAAM,WAAW,CAAC;AAG3D,OAAO,EAAyF,KAAK,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AACvJ,OAAO,KAAK,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,gBAAgB,EAA4B,wBAAwB,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAE/K,MAAM,MAAM,SAAS,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,KAAK,OAAO,CAAC;IAAE,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CAAC;AAC1F,MAAM,MAAM,iBAAiB,GAAG,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,uBAAuB,CAAC,CAAC;AACvF,MAAM,MAAM,iBAAiB,GAAG,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,qBAAqB,EAAE,CAAC,CAAC;AACvF,MAAM,MAAM,qBAAqB,GAAG,CAAC,OAAO,EAAE,wBAAwB,KAAK,OAAO,CAAC,kBAAkB,CAAC,CAAC;AAEvG,MAAM,WAAW,mBAAmB;IAClC,KAAK,CAAC,EAAE,SAAS,CAAC;IAClB,WAAW,CAAC,EAAE,iBAAiB,CAAC;IAChC,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,WAAW,CAAC,EAAE,iBAAiB,CAAC;IAChC,iBAAiB,CAAC,EAAE,qBAAqB,CAAC;IAC1C,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,sBAAsB;IACrC,WAAW,CAAC,EAAE,iBAAiB,CAAC;IAChC,OAAO,CAAC,EAAE,qBAAqB,CAAC;IAChC,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,wBAAwB;IACvC,GAAG,EAAE,GAAG,CAAC;IACT,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE;QACP,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC;KACf,CAAC;IACF,MAAM,EAAE,WAAW,CAAC;CACrB;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,OAAO,GAAG,mBAAmB,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC;CACzF;AAED,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,cAAc,CAAC,EAAE,oBAAoB,EAAE,CAAC;IACxC,UAAU,CAAC,EAAE,CAAC,OAAO,CAAC,gBAAgB,CAAC,GAAG;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,GAAG,IAAI,CAAC;IACjF,SAAS,CAAC,EAAE,KAAK,CAAC,OAAO,CAAC,gBAAgB,CAAC,GAAG;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC9E,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAED,wBAAsB,eAAe,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,GAAE,mBAAwB,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAgBtH;AAED,wBAAsB,YAAY,CAAC,OAAO,EAAE,OAAO,EAAE,SAAS,GAAE,SAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC,CA+B9G;AAED,wBAAsB,kBAAkB,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,GAAE,sBAA2B,GAAG,OAAO,CAAC,kBAAkB,CAAC,CA8E5H;AAED,wBAAsB,WAAW,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAsB/E;AAED,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,OAAO,EAChB,OAAO,GAAE;IAAE,KAAK,CAAC,EAAE,SAAS,CAAC;IAAC,MAAM,CAAC,EAAE,iBAAiB,CAAA;CAAO,GAC9D,OAAO,CAAC,kBAAkB,CAAC,CAqD7B;AAED,wBAAgB,wBAAwB,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,uBAAuB,GAAG,mBAAmB,CAkB7G;AAED,wBAAgB,iCAAiC,CAAC,GAAG,EAAE,wBAAwB,GAAG,wBAAwB,CA0BzG;AAED,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,mBAAmB,CAElF;AAED,wBAAgB,0BAA0B,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,wBAAwB,CAwB5F"}

package/dist/checks.js

@@ -1,12 +1,239 @@
 // @bun
 // src/checks.ts
+import dns from "dns/promises";
+import http from "http";
+import https from "https";
+import net2 from "net";
+
+// src/target-policy.ts
 import net from "net";
+var SECRET_PARAM_PATTERN = /(token|secret|password|passwd|api[_-]?key|access[_-]?token|auth|credential|session)/i;
+var DENIED_IPV4_CIDRS = [
+  ["0.0.0.0", 8],
+  ["10.0.0.0", 8],
+  ["100.64.0.0", 10],
+  ["127.0.0.0", 8],
+  ["169.254.0.0", 16],
+  ["172.16.0.0", 12],
+  ["192.0.0.0", 24],
+  ["192.0.2.0", 24],
+  ["192.88.99.0", 24],
+  ["192.168.0.0", 16],
+  ["198.18.0.0", 15],
+  ["198.51.100.0", 24],
+  ["203.0.113.0", 24],
+  ["224.0.0.0", 4],
+  ["240.0.0.0", 4]
+];
+var DENIED_IPV6_CIDRS = [
+  ["::", 128],
+  ["::1", 128],
+  ["64:ff9b::", 96],
+  ["64:ff9b:1::", 48],
+  ["100::", 64],
+  ["100:0:0:1::", 64],
+  ["2001::", 23],
+  ["2001:db8::", 32],
+  ["2002::", 16],
+  ["2620:4f:8000::", 48],
+  ["3fff::", 20],
+  ["5f00::", 16],
+  ["fc00::", 7],
+  ["fe80::", 10],
+  ["ff00::", 8]
+];
+function assertHostedTargetAllowed(target) {
+  if (target.kind === "http" || target.kind === "browser_page") {
+    if (!target.url)
+      throw new Error("HTTP monitors require url");
+    assertHostedHttpUrlAllowed(target.url);
+    return;
+  }
+  if (target.kind === "tcp") {
+    if (!target.host)
+      throw new Error("TCP monitors require host");
+    assertHostedHostAllowed(target.host, "TCP host");
+    if (!Number.isInteger(target.port) || target.port <= 0 || target.port > 65535) {
+      throw new Error("TCP monitors require a port from 1 to 65535");
+    }
+    return;
+  }
+  throw new Error("Monitor kind must be http, tcp, or browser_page");
+}
+function assertHostedHttpUrlAllowed(value) {
+  const parsed = new URL(value);
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    throw new Error("HTTP monitor url must use http or https");
+  }
+  if (parsed.username || parsed.password) {
+    throw new Error("hosted target URLs must not contain userinfo");
+  }
+  for (const key of parsed.searchParams.keys()) {
+    if (SECRET_PARAM_PATTERN.test(key)) {
+      throw new Error(`hosted target URL query parameter is not allowed: ${key}`);
+    }
+  }
+  if (parsed.hash && SECRET_PARAM_PATTERN.test(parsed.hash)) {
+    throw new Error("hosted target URL fragment contains secret-like data");
+  }
+  assertHostedHostAllowed(parsed.hostname, "HTTP host");
+}
+function assertHostedHostAllowed(hostname, label = "host") {
+  const host = normalizeHostedHost(hostname);
+  if (!host)
+    throw new Error(`${label} is required`);
+  if (host === "localhost" || host.endsWith(".localhost")) {
+    throw new Error(`${label} is not allowed in hosted mode: localhost`);
+  }
+  if (host.endsWith(".local") || host.endsWith(".internal")) {
+    throw new Error(`${label} is not allowed in hosted mode: private DNS name`);
+  }
+  const ipVersion = net.isIP(host);
+  if (ipVersion === 4 && isDeniedIpv4(host)) {
+    throw new Error(`${label} is not allowed in hosted mode: private or reserved IPv4`);
+  }
+  if (ipVersion === 6 && isDeniedIpv6(host)) {
+    throw new Error(`${label} is not allowed in hosted mode: private or reserved IPv6`);
+  }
+}
+function assertHostedResolvedAddressesAllowed(hostname, addresses, label = "resolved address") {
+  if (addresses.length === 0) {
+    throw new Error(`${label} is not allowed in hosted mode: DNS returned no addresses for ${normalizeHostedHost(hostname) || "host"}`);
+  }
+  for (const entry of addresses) {
+    assertHostedAddressAllowed(entry.address, label);
+  }
+}
+function assertHostedAddressAllowed(address, label = "resolved address") {
+  const host = normalizeHostedHost(address);
+  const ipVersion = net.isIP(host);
+  if (ipVersion === 4 && isDeniedIpv4(host)) {
+    throw new Error(`${label} is not allowed in hosted mode: private or reserved IPv4`);
+  }
+  if (ipVersion === 6 && isDeniedIpv6(host)) {
+    throw new Error(`${label} is not allowed in hosted mode: private or reserved IPv6`);
+  }
+  if (ipVersion === 0) {
+    throw new Error(`${label} is not allowed in hosted mode: DNS returned a non-IP address`);
+  }
+}
+function normalizeHostedHost(hostname) {
+  return hostname.trim().toLowerCase().replace(/^\[|\]$/g, "").replace(/\.$/, "");
+}
+function isDeniedIpv4(ip) {
+  const parts = parseIpv4Words(ip);
+  if (!parts)
+    return true;
+  return DENIED_IPV4_CIDRS.some(([base, prefix]) => ipv4MatchesCidr(parts, parseIpv4Words(base), prefix));
+}
+function isDeniedIpv6(ip) {
+  const normalized = ip.toLowerCase();
+  const words = parseIpv6Words(normalized);
+  if (!words)
+    return true;
+  const mappedIpv4 = ipv4FromMappedIpv6Words(words);
+  if (mappedIpv4)
+    return isDeniedIpv4(mappedIpv4);
+  return isIpv4CompatibleIpv6(words) || DENIED_IPV6_CIDRS.some(([base, prefix]) => ipv6MatchesCidr(words, parseIpv6Words(base), prefix));
+}
+function isIpv4CompatibleIpv6(words) {
+  if (!words)
+    return false;
+  if (!words.slice(0, 6).every((word) => word === 0))
+    return false;
+  if (words[6] === 0 && (words[7] === 0 || words[7] === 1))
+    return false;
+  return true;
+}
+function ipv4FromMappedIpv6Words(words) {
+  if (words[0] !== 0 || words[1] !== 0 || words[2] !== 0 || words[3] !== 0 || words[4] !== 0 || words[5] !== 65535) {
+    return null;
+  }
+  return ipv4FromWords(words[6], words[7]);
+}
+function ipv4FromWords(high, low) {
+  return [
+    high >> 8,
+    high & 255,
+    low >> 8,
+    low & 255
+  ].join(".");
+}
+function ipv4MatchesCidr(parts, base, prefix) {
+  const mask = prefix === 0 ? 0 : 4294967295 << 32 - prefix >>> 0;
+  return (ipv4ToNumber(parts) & mask) >>> 0 === (ipv4ToNumber(base) & mask) >>> 0;
+}
+function ipv4ToNumber(parts) {
+  return (parts[0] << 24 >>> 0 | parts[1] << 16 | parts[2] << 8 | parts[3]) >>> 0;
+}
+function ipv6MatchesCidr(words, base, prefix) {
+  const fullWords = Math.floor(prefix / 16);
+  for (let index = 0;index < fullWords; index += 1) {
+    if (words[index] !== base[index])
+      return false;
+  }
+  const remainingBits = prefix % 16;
+  if (remainingBits === 0)
+    return true;
+  const mask = 65535 << 16 - remainingBits & 65535;
+  return (words[fullWords] & mask) === (base[fullWords] & mask);
+}
+function parseIpv6Words(value) {
+  let ip = value.toLowerCase();
+  const zoneIndex = ip.indexOf("%");
+  if (zoneIndex >= 0)
+    ip = ip.slice(0, zoneIndex);
+  if (ip.includes(".")) {
+    const lastColon = ip.lastIndexOf(":");
+    if (lastColon < 0)
+      return null;
+    const ipv4 = parseIpv4Words(ip.slice(lastColon + 1));
+    if (!ipv4)
+      return null;
+    ip = `${ip.slice(0, lastColon)}:${(ipv4[0] << 8 | ipv4[1]).toString(16)}:${(ipv4[2] << 8 | ipv4[3]).toString(16)}`;
+  }
+  const compressed = ip.split("::");
+  if (compressed.length > 2)
+    return null;
+  const left = parseIpv6Side(compressed[0]);
+  const right = compressed.length === 2 ? parseIpv6Side(compressed[1]) : [];
+  if (!left || !right)
+    return null;
+  if (compressed.length === 1)
+    return left.length === 8 ? left : null;
+  const missing = 8 - left.length - right.length;
+  if (missing < 1)
+    return null;
+  return [...left, ...Array(missing).fill(0), ...right];
+}
+function parseIpv6Side(value) {
+  if (!value)
+    return [];
+  const words = value.split(":");
+  if (words.some((word) => !/^[0-9a-f]{1,4}$/.test(word)))
+    return null;
+  return words.map((word) => Number.parseInt(word, 16));
+}
+function parseIpv4Words(value) {
+  const words = value.split(".").map((part) => Number(part));
+  if (words.length !== 4 || words.some((word) => !Number.isInteger(word) || word < 0 || word > 255)) {
+    return null;
+  }
+  return words;
+}
+
+// src/checks.ts
 async function runMonitorCheck(monitor, options = {}) {
   if (!monitor.enabled) {
     return { status: "down", latencyMs: null, error: "monitor is disabled" };
   }
-  if (monitor.kind === "http")
-    return runHttpCheck(monitor, options.fetch ?? fetch);
+  if (monitor.kind === "http") {
+    return options.hostedTargetPolicy ? runHostedHttpCheck(monitor, {
+      resolveHost: options.resolveHost,
+      request: options.hostedHttpRequest,
+      maxRedirects: options.maxRedirects
+    }) : runHttpCheck(monitor, options.fetch ?? fetch);
+  }
   if (monitor.kind === "browser_page")
     return runBrowserPageCheck(monitor, { fetch: options.fetch, runner: options.browserPage });
   if (monitor.kind === "tcp")
@@ -44,12 +271,87 @@ async function runHttpCheck(monitor, fetchImpl = fetch) {
     clearTimeout(timeout);
   }
 }
+async function runHostedHttpCheck(monitor, options = {}) {
+  if (!monitor.url)
+    return { status: "down", latencyMs: null, error: "missing url" };
+  const resolver = options.resolveHost ?? resolveHostedHost;
+  const request = options.request ?? requestHostedHttpPinned;
+  const maxRedirects = options.maxRedirects ?? 5;
+  const controller = new AbortController;
+  const timeout = setTimeout(() => controller.abort(), monitor.timeoutMs);
+  const started = performance.now();
+  const decisions = [];
+  let currentUrl;
+  let redirectCount = 0;
+  try {
+    currentUrl = new URL(monitor.url);
+  } catch (error) {
+    clearTimeout(timeout);
+    return {
+      status: "down",
+      latencyMs: 0,
+      statusCode: null,
+      error: error instanceof Error ? error.message : String(error),
+      evidence: hostedHttpEvidence(null, redirectCount, decisions)
+    };
+  }
+  try {
+    while (true) {
+      throwIfAborted(controller.signal);
+      const stage = redirectCount === 0 ? "request" : "redirect";
+      const address = await resolveAndRecordHostedHttpDecision(currentUrl, stage, resolver, decisions);
+      const response = await request({
+        url: currentUrl,
+        method: monitor.method || "GET",
+        timeoutMs: monitor.timeoutMs,
+        address,
+        signal: controller.signal
+      });
+      const location = redirectLocation(response.headers);
+      if (isRedirectStatus(response.status) && location) {
+        if (redirectCount >= maxRedirects) {
+          const latencyMs2 = elapsed(started);
+          return {
+            status: "down",
+            latencyMs: latencyMs2,
+            statusCode: response.status,
+            error: `too many redirects after ${maxRedirects}`,
+            evidence: hostedHttpEvidence(currentUrl, redirectCount, decisions)
+          };
+        }
+        currentUrl = new URL(location, currentUrl);
+        redirectCount += 1;
+        continue;
+      }
+      const latencyMs = elapsed(started);
+      const ok = monitor.expectedStatus == null ? response.status >= 200 && response.status < 400 : response.status === monitor.expectedStatus;
+      return {
+        status: ok ? "up" : "down",
+        latencyMs,
+        statusCode: response.status,
+        error: ok ? null : `unexpected status ${response.status}`,
+        evidence: hostedHttpEvidence(currentUrl, redirectCount, decisions)
+      };
+    }
+  } catch (error) {
+    const latencyMs = elapsed(started);
+    return {
+      status: "down",
+      latencyMs,
+      statusCode: null,
+      error: error instanceof Error ? error.message : String(error),
+      evidence: hostedHttpEvidence(currentUrl, redirectCount, decisions)
+    };
+  } finally {
+    clearTimeout(timeout);
+  }
+}
 async function runTcpCheck(monitor) {
   if (!monitor.host || !monitor.port)
     return { status: "down", latencyMs: null, error: "missing host or port" };
   const started = performance.now();
   return new Promise((resolve) => {
-    const socket = net.createConnection({ host: monitor.host, port: monitor.port, timeout: monitor.timeoutMs });
+    const socket = net2.createConnection({ host: monitor.host, port: monitor.port, timeout: monitor.timeoutMs });
     let settled = false;
     const finish = (result) => {
       if (settled)
@@ -137,6 +439,43 @@ function normalizeBrowserEvidence(sourceUrl, raw) {
     retentionClass: "short"
   };
 }
+function normalizeHttpTargetPolicyEvidence(raw) {
+  if (!isHttpTargetPolicyEvidence(raw))
+    throw new Error("HTTP target-policy evidence is invalid");
+  return {
+    kind: "http_target_policy",
+    mode: "hosted",
+    finalUrl: raw.finalUrl ? redactUrl(raw.finalUrl) : null,
+    redirectCount: Math.max(0, Math.min(20, Math.trunc(raw.redirectCount))),
+    decisions: raw.decisions.slice(0, 20).map((decision) => ({
+      stage: decision.stage,
+      decision: decision.decision,
+      url: redactUrl(decision.url),
+      host: redactText(normalizeHostedHost(decision.host)),
+      targetClass: "public_http",
+      probeClass: "public",
+      protocol: decision.protocol,
+      resolvedAddresses: decision.resolvedAddresses.slice(0, 20).map((address) => ({
+        address: normalizeHostedHost(address.address),
+        family: address.family
+      })),
+      ruleId: redactText(decision.ruleId),
+      reason: decision.reason ? redactText(decision.reason) : null
+    })),
+    redacted: true,
+    redactionStatus: "redacted",
+    retentionClass: "short"
+  };
+}
+function isBrowserPageEvidence(value) {
+  return Boolean(value && typeof value === "object" && value.kind === "browser_page");
+}
+function isHttpTargetPolicyEvidence(value) {
+  if (!value || typeof value !== "object" || value.kind !== "http_target_policy")
+    return false;
+  const evidence = value;
+  return evidence.mode === "hosted" && (evidence.finalUrl === null || typeof evidence.finalUrl === "string") && Number.isInteger(evidence.redirectCount) && evidence.redacted === true && evidence.redactionStatus === "redacted" && evidence.retentionClass === "short" && Array.isArray(evidence.decisions) && evidence.decisions.every((decision) => decision && (decision.stage === "request" || decision.stage === "redirect") && (decision.decision === "allowed" || decision.decision === "blocked") && (decision.protocol === "http:" || decision.protocol === "https:") && decision.targetClass === "public_http" && decision.probeClass === "public" && typeof decision.url === "string" && typeof decision.host === "string" && typeof decision.ruleId === "string" && (decision.reason === null || typeof decision.reason === "string") && Array.isArray(decision.resolvedAddresses) && decision.resolvedAddresses.every((address) => address && typeof address.address === "string" && (address.family === 4 || address.family === 6)));
+}
 function validateBrowserPageUrl(value) {
   const parsed = new URL(value);
   if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
@@ -193,10 +532,138 @@ function redactText(value) {
 function isSecretKey(value) {
   return /(token|secret|password|passwd|api[_-]?key|access[_-]?token|auth|credential|session)/i.test(value);
 }
+async function resolveAndRecordHostedHttpDecision(url, stage, resolver, decisions) {
+  let addresses = [];
+  try {
+    assertHostedHttpUrlAllowed(url.toString());
+    addresses = normalizeResolvedAddresses(await resolver(normalizeHostedHost(url.hostname)));
+    assertHostedResolvedAddressesAllowed(url.hostname, addresses, "HTTP resolved address");
+    decisions.push({
+      stage,
+      decision: "allowed",
+      url: sanitizePolicyUrl(url),
+      host: normalizeHostedHost(url.hostname),
+      targetClass: "public_http",
+      probeClass: "public",
+      protocol: url.protocol,
+      resolvedAddresses: addresses,
+      ruleId: "hosted-http-runtime-target-policy",
+      reason: null
+    });
+    return addresses[0];
+  } catch (error) {
+    decisions.push({
+      stage,
+      decision: "blocked",
+      url: sanitizePolicyUrl(url),
+      host: normalizeHostedHost(url.hostname),
+      targetClass: "public_http",
+      probeClass: "public",
+      protocol: url.protocol === "http:" || url.protocol === "https:" ? url.protocol : "http:",
+      resolvedAddresses: addresses,
+      ruleId: "hosted-http-runtime-target-policy",
+      reason: error instanceof Error ? error.message : String(error)
+    });
+    throw error;
+  }
+}
+async function resolveHostedHost(hostname) {
+  const host = normalizeHostedHost(hostname);
+  const ipVersion = net2.isIP(host);
+  if (ipVersion === 4 || ipVersion === 6)
+    return [{ address: host, family: ipVersion }];
+  return dns.lookup(host, { all: true, verbatim: true });
+}
+function normalizeResolvedAddresses(addresses) {
+  return addresses.map((entry) => {
+    const address = normalizeHostedHost(entry.address);
+    const detected = net2.isIP(address);
+    const family = entry.family === 4 || entry.family === 6 ? entry.family : detected;
+    if (family !== 4 && family !== 6) {
+      throw new Error("HTTP resolved address is not allowed in hosted mode: DNS returned a non-IP address");
+    }
+    return { address, family };
+  });
+}
+function hostedHttpEvidence(finalUrl, redirectCount, decisions) {
+  return {
+    kind: "http_target_policy",
+    mode: "hosted",
+    finalUrl: finalUrl ? sanitizePolicyUrl(finalUrl) : null,
+    redirectCount,
+    decisions,
+    redacted: true,
+    redactionStatus: "redacted",
+    retentionClass: "short"
+  };
+}
+function sanitizePolicyUrl(url) {
+  const copy = new URL(url.toString());
+  copy.username = "";
+  copy.password = "";
+  copy.hash = "";
+  for (const key of copy.searchParams.keys()) {
+    if (isSecretKey(key))
+      copy.searchParams.set(key, "[redacted]");
+  }
+  return copy.toString();
+}
+function redirectLocation(headers) {
+  if (!headers)
+    return null;
+  if (headers instanceof Headers)
+    return headers.get("location");
+  const raw = headers.location ?? headers.Location;
+  if (Array.isArray(raw))
+    return raw[0] ?? null;
+  return raw ?? null;
+}
+function isRedirectStatus(status) {
+  return status === 301 || status === 302 || status === 303 || status === 307 || status === 308;
+}
+async function requestHostedHttpPinned(context) {
+  const lookup = (_hostname, _options, callback) => callback(null, context.address.address, context.address.family);
+  return context.url.protocol === "https:" ? requestWithClient(context, https, new https.Agent({ lookup })) : requestWithClient(context, http, new http.Agent({ lookup }));
+}
+function requestWithClient(context, client, agent) {
+  return new Promise((resolve, reject) => {
+    const req = client.request(context.url, {
+      method: context.method,
+      agent,
+      signal: context.signal,
+      timeout: context.timeoutMs
+    }, (response) => {
+      response.resume();
+      response.once("end", () => {
+        agent.destroy();
+        resolve({ status: response.statusCode ?? 0, headers: response.headers });
+      });
+    });
+    req.once("timeout", () => {
+      req.destroy(new Error("http timeout"));
+    });
+    req.once("error", (error) => {
+      agent.destroy();
+      reject(error);
+    });
+    req.end();
+  });
+}
+function throwIfAborted(signal) {
+  if (signal.aborted)
+    throw new Error("http timeout");
+}
+function elapsed(started) {
+  return Math.round((performance.now() - started) * 100) / 100;
+}
 export {
   runTcpCheck,
   runMonitorCheck,
   runHttpCheck,
+  runHostedHttpCheck,
   runBrowserPageCheck,
-  normalizeBrowserEvidence
+  normalizeHttpTargetPolicyEvidence,
+  normalizeBrowserEvidence,
+  isHttpTargetPolicyEvidence,
+  isBrowserPageEvidence
 };