@hasna/uptime 0.1.18 → 0.1.20

package/CHANGELOG.md

@@ -6,6 +6,36 @@ project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [0.1.20] - 2026-06-28
+
+### Added
+
+- Added hosted-token JSON descriptor parsing from
+  `HASNA_UPTIME_HOSTED_TOKENS` and JSON-compatible
+  `HASNA_UPTIME_HOSTED_TOKEN` values, allowing deployed secrets to provide
+  scoped workspace tokens instead of one broad raw token.
+
+### Changed
+
+- Updated hosted auth docs and AWS runbook guidance to prefer scoped static
+  operator tokens for zero-count smokes while keeping full production
+  identity/RBAC as a live gate.
+
+## [0.1.19] - 2026-06-28
+
+### Added
+
+- Added optional CloudFront origin verification header binding to the AWS
+  Terraform module. When enabled, CloudFront sends a private origin header and
+  the ALB listener returns `403` for direct origin requests that do not present
+  the matching value.
+
+### Changed
+
+- Updated AWS runbooks, deployment metadata, and cloud source-of-truth docs to
+  distinguish CloudFront prefix-list narrowing from distribution-bound origin
+  access.
+
 ## [0.1.18] - 2026-06-28
 
 ### Changed

package/README.md

@@ -93,6 +93,21 @@ non-loopback mutation hosts by default. For a trusted remote bind, set
 `Authorization: Bearer <token>` or `X-Uptime-Token: <token>`.
 Hosted mode additionally accepts comma-separated public origins from
 `HASNA_UPTIME_ALLOWED_ORIGINS` for deployments behind a TLS-terminating edge.
+Hosted tokens can be provided as a single legacy token through
+`HASNA_UPTIME_HOSTED_TOKEN`, or as scoped JSON through
+`HASNA_UPTIME_HOSTED_TOKENS`:
+
+```json
+{
+  "tokens": [
+    { "token": "read-token", "scopes": ["uptime:read"], "workspaceId": "default" },
+    { "token": "write-token", "scopes": ["uptime:write"], "workspaceId": "default" }
+  ]
+}
+```
+
+Use scoped JSON for hosted deployments. A single raw hosted token is kept only
+for local compatibility and expands to broad read/write/probe/report scopes.
 Endpoints that accept request bodies require `content-type: application/json`.
 
 ## Uptime Semantics

package/dist/api.js

@@ -4262,17 +4262,85 @@ function resolveApiToken(token) {
   return value?.trim() || undefined;
 }
 function resolveHostedTokens(options) {
-  if (options.hostedTokens?.length)
-    return options.hostedTokens;
+  const defaultWorkspaceId = process.env.HASNA_UPTIME_WORKSPACE_ID ?? "default";
+  if (options.hostedTokens?.length) {
+    return normalizeHostedTokenEntries(options.hostedTokens, defaultWorkspaceId);
+  }
+  const configuredTokens = process.env.HASNA_UPTIME_HOSTED_TOKENS;
+  if (configuredTokens?.trim()) {
+    return parseHostedTokensConfig(configuredTokens, defaultWorkspaceId, "HASNA_UPTIME_HOSTED_TOKENS");
+  }
   const token = options.hostedToken ?? process.env.HASNA_UPTIME_HOSTED_TOKEN;
   if (!token?.trim())
     return [];
+  return parseHostedTokenValue(token, defaultWorkspaceId, options.hostedToken ? "--hosted-token" : "HASNA_UPTIME_HOSTED_TOKEN");
+}
+var HOSTED_SCOPES = ["uptime:read", "uptime:write", "uptime:probe", "uptime:report", "uptime:admin"];
+var HOSTED_SCOPE_SET = new Set(HOSTED_SCOPES);
+var LEGACY_HOSTED_TOKEN_SCOPES = ["uptime:read", "uptime:write", "uptime:probe", "uptime:report"];
+function parseHostedTokenValue(value, defaultWorkspaceId, source) {
+  const trimmed = value.trim();
+  if (!trimmed)
+    return [];
+  if (trimmed.startsWith("{") || trimmed.startsWith("[")) {
+    return parseHostedTokensConfig(trimmed, defaultWorkspaceId, source);
+  }
+  if (isHostedProductionMode()) {
+    throw new ApiError(`${source} must be scoped hosted token JSON when HASNA_UPTIME_HOSTED_AUTH_MODE=production`, 500);
+  }
   return [{
-    token: token.trim(),
-    scopes: ["uptime:read", "uptime:write", "uptime:probe", "uptime:report"],
-    workspaceId: process.env.HASNA_UPTIME_WORKSPACE_ID ?? "default"
+    token: trimmed,
+    scopes: LEGACY_HOSTED_TOKEN_SCOPES,
+    workspaceId: defaultWorkspaceId
   }];
 }
+function parseHostedTokensConfig(value, defaultWorkspaceId, source) {
+  let parsed;
+  try {
+    parsed = JSON.parse(value);
+  } catch {
+    throw new ApiError(`${source} must be valid hosted token JSON`, 500);
+  }
+  const entries = Array.isArray(parsed) ? parsed : isRecord(parsed) && Array.isArray(parsed.tokens) ? parsed.tokens : isRecord(parsed) && typeof parsed.token === "string" ? [parsed] : undefined;
+  if (!entries)
+    throw new ApiError(`${source} must be a token object, token array, or object with tokens[]`, 500);
+  return normalizeHostedTokenEntries(entries, defaultWorkspaceId, source);
+}
+function normalizeHostedTokenEntries(entries, defaultWorkspaceId, source = "hostedTokens") {
+  const tokens = entries.map((entry, index) => normalizeHostedTokenEntry(entry, defaultWorkspaceId, `${source}[${index}]`));
+  if (tokens.length === 0)
+    throw new ApiError(`${source} must configure at least one hosted token`, 500);
+  return tokens;
+}
+function normalizeHostedTokenEntry(entry, defaultWorkspaceId, source) {
+  if (!isRecord(entry))
+    throw new ApiError(`${source} must be an object`, 500);
+  if (typeof entry.token !== "string" || !entry.token.trim()) {
+    throw new ApiError(`${source}.token is required`, 500);
+  }
+  const scopes = normalizeHostedScopes(entry.scopes, `${source}.scopes`);
+  const workspaceId = typeof entry.workspaceId === "string" && entry.workspaceId.trim() ? entry.workspaceId.trim() : defaultWorkspaceId;
+  return { token: entry.token.trim(), scopes, workspaceId };
+}
+function normalizeHostedScopes(value, source) {
+  if (!Array.isArray(value) || value.length === 0) {
+    throw new ApiError(`${source} must be a non-empty array`, 500);
+  }
+  const scopes = new Set;
+  for (const scope of value) {
+    if (typeof scope !== "string" || !HOSTED_SCOPE_SET.has(scope)) {
+      throw new ApiError(`${source} contains an invalid hosted scope`, 500);
+    }
+    scopes.add(scope);
+  }
+  return [...scopes];
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function isHostedProductionMode() {
+  return process.env.HASNA_UPTIME_HOSTED_AUTH_MODE === "production" || false;
+}
 function resolveHostedAllowedOrigins(options) {
   const configured = options.hostedAllowedOrigins ?? splitCsv(process.env.HASNA_UPTIME_ALLOWED_ORIGINS);
   return configured.map((origin) => normalizeAllowedOrigin(origin)).filter((origin) => Boolean(origin));

package/dist/cli/index.js

@@ -6856,17 +6856,85 @@ function resolveApiToken(token) {
   return value?.trim() || undefined;
 }
 function resolveHostedTokens(options) {
-  if (options.hostedTokens?.length)
-    return options.hostedTokens;
+  const defaultWorkspaceId = process.env.HASNA_UPTIME_WORKSPACE_ID ?? "default";
+  if (options.hostedTokens?.length) {
+    return normalizeHostedTokenEntries(options.hostedTokens, defaultWorkspaceId);
+  }
+  const configuredTokens = process.env.HASNA_UPTIME_HOSTED_TOKENS;
+  if (configuredTokens?.trim()) {
+    return parseHostedTokensConfig(configuredTokens, defaultWorkspaceId, "HASNA_UPTIME_HOSTED_TOKENS");
+  }
   const token = options.hostedToken ?? process.env.HASNA_UPTIME_HOSTED_TOKEN;
   if (!token?.trim())
     return [];
+  return parseHostedTokenValue(token, defaultWorkspaceId, options.hostedToken ? "--hosted-token" : "HASNA_UPTIME_HOSTED_TOKEN");
+}
+var HOSTED_SCOPES = ["uptime:read", "uptime:write", "uptime:probe", "uptime:report", "uptime:admin"];
+var HOSTED_SCOPE_SET = new Set(HOSTED_SCOPES);
+var LEGACY_HOSTED_TOKEN_SCOPES = ["uptime:read", "uptime:write", "uptime:probe", "uptime:report"];
+function parseHostedTokenValue(value, defaultWorkspaceId, source) {
+  const trimmed = value.trim();
+  if (!trimmed)
+    return [];
+  if (trimmed.startsWith("{") || trimmed.startsWith("[")) {
+    return parseHostedTokensConfig(trimmed, defaultWorkspaceId, source);
+  }
+  if (isHostedProductionMode()) {
+    throw new ApiError(`${source} must be scoped hosted token JSON when HASNA_UPTIME_HOSTED_AUTH_MODE=production`, 500);
+  }
   return [{
-    token: token.trim(),
-    scopes: ["uptime:read", "uptime:write", "uptime:probe", "uptime:report"],
-    workspaceId: process.env.HASNA_UPTIME_WORKSPACE_ID ?? "default"
+    token: trimmed,
+    scopes: LEGACY_HOSTED_TOKEN_SCOPES,
+    workspaceId: defaultWorkspaceId
   }];
 }
+function parseHostedTokensConfig(value, defaultWorkspaceId, source) {
+  let parsed;
+  try {
+    parsed = JSON.parse(value);
+  } catch {
+    throw new ApiError(`${source} must be valid hosted token JSON`, 500);
+  }
+  const entries = Array.isArray(parsed) ? parsed : isRecord(parsed) && Array.isArray(parsed.tokens) ? parsed.tokens : isRecord(parsed) && typeof parsed.token === "string" ? [parsed] : undefined;
+  if (!entries)
+    throw new ApiError(`${source} must be a token object, token array, or object with tokens[]`, 500);
+  return normalizeHostedTokenEntries(entries, defaultWorkspaceId, source);
+}
+function normalizeHostedTokenEntries(entries, defaultWorkspaceId, source = "hostedTokens") {
+  const tokens = entries.map((entry, index) => normalizeHostedTokenEntry(entry, defaultWorkspaceId, `${source}[${index}]`));
+  if (tokens.length === 0)
+    throw new ApiError(`${source} must configure at least one hosted token`, 500);
+  return tokens;
+}
+function normalizeHostedTokenEntry(entry, defaultWorkspaceId, source) {
+  if (!isRecord(entry))
+    throw new ApiError(`${source} must be an object`, 500);
+  if (typeof entry.token !== "string" || !entry.token.trim()) {
+    throw new ApiError(`${source}.token is required`, 500);
+  }
+  const scopes = normalizeHostedScopes(entry.scopes, `${source}.scopes`);
+  const workspaceId = typeof entry.workspaceId === "string" && entry.workspaceId.trim() ? entry.workspaceId.trim() : defaultWorkspaceId;
+  return { token: entry.token.trim(), scopes, workspaceId };
+}
+function normalizeHostedScopes(value, source) {
+  if (!Array.isArray(value) || value.length === 0) {
+    throw new ApiError(`${source} must be a non-empty array`, 500);
+  }
+  const scopes = new Set;
+  for (const scope of value) {
+    if (typeof scope !== "string" || !HOSTED_SCOPE_SET.has(scope)) {
+      throw new ApiError(`${source} contains an invalid hosted scope`, 500);
+    }
+    scopes.add(scope);
+  }
+  return [...scopes];
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function isHostedProductionMode() {
+  return process.env.HASNA_UPTIME_HOSTED_AUTH_MODE === "production" || false;
+}
 function resolveHostedAllowedOrigins(options) {
   const configured = options.hostedAllowedOrigins ?? splitCsv(process.env.HASNA_UPTIME_ALLOWED_ORIGINS);
   return configured.map((origin) => normalizeAllowedOrigin(origin)).filter((origin) => Boolean(origin));
@@ -6943,7 +7011,7 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.18");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.20");
   const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
   const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;
@@ -6986,7 +7054,7 @@ function buildAwsDeploymentPlan(options = {}) {
   ];
   return {
     kind: "open-uptime.aws-deployment-plan",
-    version: 3,
+    version: 4,
     generatedAt: new Date().toISOString(),
     status: "blocked",
     canApply: false,
@@ -7011,6 +7079,17 @@ function buildAwsDeploymentPlan(options = {}) {
       protectedAccessMode,
       edgeDistribution: protectedAccessMode === "cloudfront_default_domain" ? `${prefix}-${stage}-edge` : undefined,
       protectedAccessUrl,
+      originVerification: protectedAccessMode === "cloudfront_default_domain" ? {
+        mode: "cloudfront_origin_header",
+        requiredBeforeScaleUp: true,
+        headerName: "X-Open-Uptime-Origin-Verify",
+        valueStoredInTerraformState: true,
+        stateAccessWarning: "The origin verification header value is sensitive but is stored in encrypted Terraform state and CloudFront/ALB configuration; restrict state, plan, CloudFront distribution-read, and ELB rule-read access."
+      } : {
+        mode: "alb_tls",
+        requiredBeforeScaleUp: false,
+        valueStoredInTerraformState: false
+      },
       targetGroups: [`${prefix}-${stage}-web-tg`],
       securityGroups: [
         `${prefix}-${stage}-alb-sg`,
@@ -7058,7 +7137,7 @@ function buildAwsDeploymentPlan(options = {}) {
         `Infra PR must declare CodeBuild image builder ${prefix}-${stage}-image-builder for @hasna/uptime@${runtimePackageVersion}.`,
         `Infra PR must declare hardened S3 evidence bucket ${evidenceBucket} with KMS, versioning, lifecycle, and public access block.`,
         `Infra PR must declare encrypted EFS ${prefix}-${stage}-data with access point, mount targets, and AWS Backup plan.`,
-        protectedAccessMode === "cloudfront_default_domain" ? "Infra PR must declare CloudFront default-domain HTTPS edge, ALB HTTP listener restricted to CloudFront origin-facing ranges, ECS/Fargate cluster, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs." : `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB HTTPS listener, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
+        protectedAccessMode === "cloudfront_default_domain" ? "Infra PR must declare CloudFront default-domain HTTPS edge, ALB HTTP listener restricted to CloudFront origin-facing ranges, CloudFront-only origin verification header binding, ECS/Fargate cluster, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs." : `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB HTTPS listener, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
         "Only apply the infra plan from the approved infrastructure repository after review evidence is attached."
       ],
       deploy: [
@@ -7067,7 +7146,7 @@ function buildAwsDeploymentPlan(options = {}) {
         "For the EFS SQLite bridge, do not run migration, scheduler, public-probe, or reporter tasks; keep them at desired count 0 until Postgres and cloud leases exist.",
         `Register task definitions for ${services.map((service) => service.name).join(", ")} using valueFrom secrets.`,
         `Update ECS services in cluster ${cluster} one component at a time through the approved deploy pipeline.`,
-        protectedAccessMode === "cloudfront_default_domain" ? "Use the CloudFront default HTTPS domain for first protected access; add custom DNS/certificate only after edge ownership is approved." : `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
+        protectedAccessMode === "cloudfront_default_domain" ? "Use the CloudFront default HTTPS domain with origin verification header binding for first protected access; add custom DNS/certificate only after edge ownership is approved." : `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
       ],
       rollback: [
         "Keep previous task definition ARNs before each service update.",
@@ -7083,6 +7162,7 @@ function buildAwsDeploymentPlan(options = {}) {
     },
     blockers: [
       "The infrastructure owner repository was not found in this workspace.",
+      protectedAccessMode === "cloudfront_default_domain" ? "CloudFront origin verification header binding must be enabled and direct-origin denial must be proven before web desired count is raised above 0." : "ALB HTTPS ingress policy and auth-denial smokes must be proven before web desired count is raised above 0.",
       "The EFS SQLite bridge is single-writer only: web target desired count is 1 and scheduler/public-probe/reporter targets remain 0 until Postgres and cloud leases exist.",
       "Hosted production auth/RBAC must replace broad static hosted-token operation before exposure.",
       "Public probe execution still needs cloud check-job leases wired to runHostedHttpCheck and live policy-decision log evidence.",
@@ -7092,7 +7172,7 @@ function buildAwsDeploymentPlan(options = {}) {
       "Infrastructure PR/synth/plan from the approved infra repository.",
       "CodeBuild image-builder run, container smoke, and immutable image digest.",
       "ECS task definitions using secrets.valueFrom only.",
-      "CloudFront-default-domain or ALB TLS auth-denial smokes, direct-origin denial evidence, and web alarm checks.",
+      "CloudFront-default-domain origin-header config or ALB TLS auth-denial smokes, direct-origin denial evidence, and web alarm checks.",
       "Single-writer ECS evidence: one web task maximum and no scheduler/public-probe/reporter EFS mounts.",
       "EFS encryption, access point, mount-target, AWS Backup, and restore-drill evidence.",
       "S3 bucket KMS, versioning, lifecycle, and public-access-block evidence.",
@@ -7106,6 +7186,7 @@ function buildAwsDeploymentPlan(options = {}) {
         "This plan generator does not call AWS.",
         "Blocked plan output intentionally avoids copy-pastable AWS mutation commands.",
         "Default protected access uses CloudFront's HTTPS default domain so first deploy is not blocked on custom DNS or ACM.",
+        "CloudFront default-domain mode still requires origin verification header binding before live scale-up; the header value is sensitive state/config material, not public documentation.",
         "Hosted runtime uses explicit EFS-backed SQLite at HASNA_UPTIME_HOSTED_SQLITE_DB until the async Postgres adapter exists.",
         "Do not set HASNA_UPTIME_DATABASE_URL for hosted tasks until the Postgres adapter is implemented.",
         "Secrets are represented as secret names/refs and must be injected with valueFrom.",
@@ -7743,7 +7824,7 @@ program2.command("restore <backup-path>").description("Restore a verified local
     fail(error);
   }
 });
-program2.command("serve").description("Serve the local API and dashboard").option("--host <host>", "host to bind", "127.0.0.1").option("--port <port>", "port", parseInteger, 3899).option("--check", "run the scheduler while serving").addOption(new Option("--mode <mode>", "runtime mode").choices(["local", "hosted"]).default("local")).option("--api-token <token>", "token required for non-loopback mutation hosts").option("--hosted-token <token>", "scoped hosted-mode token").option("--hosted-sqlite-db <path>", "absolute SQLite database path on hosted cloud-mounted storage").option("--allow-hosted-local-store", "allow hosted mode to use local SQLite as an explicit fallback").option("--allow-unsafe-remote-mutations", "allow state-changing requests from non-loopback hosts without a token").option("-j, --json", "print JSON").action((opts) => {
+program2.command("serve").description("Serve the local API and dashboard").option("--host <host>", "host to bind", "127.0.0.1").option("--port <port>", "port", parseInteger, 3899).option("--check", "run the scheduler while serving").addOption(new Option("--mode <mode>", "runtime mode").choices(["local", "hosted"]).default("local")).option("--api-token <token>", "token required for non-loopback mutation hosts").option("--hosted-token <token>", "hosted-mode token for local/dev use; deployments should prefer scoped hosted-token JSON in secret env").option("--hosted-sqlite-db <path>", "absolute SQLite database path on hosted cloud-mounted storage").option("--allow-hosted-local-store", "allow hosted mode to use local SQLite as an explicit fallback").option("--allow-unsafe-remote-mutations", "allow state-changing requests from non-loopback hosts without a token").option("-j, --json", "print JSON").action((opts) => {
   try {
     const { server } = serveUptime({
       host: opts.host,

package/dist/cloud-plan.d.ts

@@ -24,7 +24,7 @@ export interface AwsDeploymentPlanOptions {
 }
 export interface AwsDeploymentPlan {
     kind: "open-uptime.aws-deployment-plan";
-    version: 3;
+    version: 4;
     generatedAt: string;
     status: "blocked";
     canApply: false;
@@ -49,6 +49,13 @@ export interface AwsDeploymentPlan {
         protectedAccessMode: "cloudfront_default_domain" | "alb_https_cert";
         edgeDistribution?: string;
         protectedAccessUrl: string;
+        originVerification: {
+            mode: "cloudfront_origin_header" | "alb_tls";
+            requiredBeforeScaleUp: boolean;
+            headerName?: string;
+            valueStoredInTerraformState: boolean;
+            stateAccessWarning?: string;
+        };
         targetGroups: string[];
         securityGroups: string[];
         secrets: Record<string, string>;

package/dist/cloud-plan.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cloud-plan.d.ts","sourceRoot":"","sources":["../src/cloud-plan.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,wBAAwB;IACvC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,mBAAmB,CAAC,EAAE,2BAA2B,GAAG,gBAAgB,CAAC;IACrE,wFAAwF;IACxF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,wFAAwF;IACxF,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,iCAAiC,CAAC;IACxC,OAAO,EAAE,CAAC,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,SAAS,CAAC;IAClB,QAAQ,EAAE,KAAK,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,QAAQ,CAAC;IACf,SAAS,EAAE;QACT,aAAa,EAAE,MAAM,CAAC;QACtB,YAAY,EAAE,MAAM,CAAC;QACrB,UAAU,EAAE,MAAM,CAAC;QACnB,QAAQ,EAAE,cAAc,EAAE,CAAC;QAC3B,KAAK,EAAE,MAAM,CAAC;QACd,aAAa,EAAE,MAAM,CAAC;QACtB,cAAc,EAAE,MAAM,CAAC;QACvB,kBAAkB,EAAE,MAAM,CAAC;QAC3B,cAAc,EAAE,MAAM,CAAC;QACvB,YAAY,EAAE,MAAM,CAAC;QACrB,mBAAmB,EAAE,2BAA2B,GAAG,gBAAgB,CAAC;QACpE,gBAAgB,CAAC,EAAE,MAAM,CAAC;QAC1B,kBAAkB,EAAE,MAAM,CAAC;QAC3B,YAAY,EAAE,MAAM,EAAE,CAAC;QACvB,cAAc,EAAE,MAAM,EAAE,CAAC;QACzB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAChC,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,MAAM,EAAE,MAAM,EAAE,CAAC;KAClB,CAAC;IACF,KAAK,EAAE;QACL,UAAU,EAAE,MAAM,CAAC;QACnB,GAAG,EAAE,MAAM,CAAC;QACZ,UAAU,EAAE,MAAM,CAAC;QACnB,YAAY,EAAE,MAAM,CAAC;QACrB,YAAY,EAAE,MAAM,EAAE,CAAC;KACxB,CAAC;IACF,KAAK,EAAE;QACL,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;QACnB,WAAW,EAAE,MAAM,CAAC;QACpB,eAAe,EAAE,MAAM,CAAC;QACxB,WAAW,EAAE,MAAM,CAAC;QACpB,YAAY,EAAE,KAAK,CAAC;KACrB,CAAC;IACF,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,QAAQ,EAAE,MAAM,EAAE,CAAC;QACnB,YAAY,EAAE,MAAM,EAAE,CAAC;KACxB,CAAC;IACF,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,MAAM,EAAE;QACN,eAAe,EAAE,KAAK,CAAC;QACvB,gBAAgB,EAAE,KAAK,CAAC;QACxB,wBAAwB,EAAE,KAAK,CAAC;QAChC,KAAK,EAAE,MAAM,EAAE,CAAC;KACjB,CAAC;CACH;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,KAAK,GAAG,WAAW,GAAG,cAAc,GAAG,UAAU,GAAG,WAAW,CAAC;IACtE,YAAY,EAAE,MAAM,CAAC;IACrB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACjC;AAED,MAAM,WAAW,8BAA8B;IAC7C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,wCAAwC,CAAC;IAC/C,OAAO,EAAE,CAAC,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,SAAS,CAAC;IAClB,QAAQ,EAAE,KAAK,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,eAAe,CAAC;IACtB,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5B,KAAK,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC9D,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,MAAM,EAAE;QACN,gBAAgB,EAAE,KAAK,CAAC;QACxB,WAAW,EAAE,KAAK,CAAC;QACnB,KAAK,EAAE,MAAM,EAAE,CAAC;KACjB,CAAC;CACH;AAYD,wBAAgB,sBAAsB,CAAC,OAAO,GAAE,wBAA6B,GAAG,iBAAiB,CA2LhG;AAED,wBAAgB,4BAA4B,CAAC,OAAO,GAAE,8BAAmC,GAAG,uBAAuB,CA2DlH;AAED,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,uBAAuB,GAAG,MAAM,CAS7E"}
+{"version":3,"file":"cloud-plan.d.ts","sourceRoot":"","sources":["../src/cloud-plan.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,wBAAwB;IACvC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,mBAAmB,CAAC,EAAE,2BAA2B,GAAG,gBAAgB,CAAC;IACrE,wFAAwF;IACxF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,wFAAwF;IACxF,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,iCAAiC,CAAC;IACxC,OAAO,EAAE,CAAC,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,SAAS,CAAC;IAClB,QAAQ,EAAE,KAAK,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,QAAQ,CAAC;IACf,SAAS,EAAE;QACT,aAAa,EAAE,MAAM,CAAC;QACtB,YAAY,EAAE,MAAM,CAAC;QACrB,UAAU,EAAE,MAAM,CAAC;QACnB,QAAQ,EAAE,cAAc,EAAE,CAAC;QAC3B,KAAK,EAAE,MAAM,CAAC;QACd,aAAa,EAAE,MAAM,CAAC;QACtB,cAAc,EAAE,MAAM,CAAC;QACvB,kBAAkB,EAAE,MAAM,CAAC;QAC3B,cAAc,EAAE,MAAM,CAAC;QACvB,YAAY,EAAE,MAAM,CAAC;QACrB,mBAAmB,EAAE,2BAA2B,GAAG,gBAAgB,CAAC;QACpE,gBAAgB,CAAC,EAAE,MAAM,CAAC;QAC1B,kBAAkB,EAAE,MAAM,CAAC;QAC3B,kBAAkB,EAAE;YAClB,IAAI,EAAE,0BAA0B,GAAG,SAAS,CAAC;YAC7C,qBAAqB,EAAE,OAAO,CAAC;YAC/B,UAAU,CAAC,EAAE,MAAM,CAAC;YACpB,2BAA2B,EAAE,OAAO,CAAC;YACrC,kBAAkB,CAAC,EAAE,MAAM,CAAC;SAC7B,CAAC;QACF,YAAY,EAAE,MAAM,EAAE,CAAC;QACvB,cAAc,EAAE,MAAM,EAAE,CAAC;QACzB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAChC,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,MAAM,EAAE,MAAM,EAAE,CAAC;KAClB,CAAC;IACF,KAAK,EAAE;QACL,UAAU,EAAE,MAAM,CAAC;QACnB,GAAG,EAAE,MAAM,CAAC;QACZ,UAAU,EAAE,MAAM,CAAC;QACnB,YAAY,EAAE,MAAM,CAAC;QACrB,YAAY,EAAE,MAAM,EAAE,CAAC;KACxB,CAAC;IACF,KAAK,EAAE;QACL,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;QACnB,WAAW,EAAE,MAAM,CAAC;QACpB,eAAe,EAAE,MAAM,CAAC;QACxB,WAAW,EAAE,MAAM,CAAC;QACpB,YAAY,EAAE,KAAK,CAAC;KACrB,CAAC;IACF,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,QAAQ,EAAE,MAAM,EAAE,CAAC;QACnB,YAAY,EAAE,MAAM,EAAE,CAAC;KACxB,CAAC;IACF,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,MAAM,EAAE;QACN,eAAe,EAAE,KAAK,CAAC;QACvB,gBAAgB,EAAE,KAAK,CAAC;QACxB,wBAAwB,EAAE,KAAK,CAAC;QAChC,KAAK,EAAE,MAAM,EAAE,CAAC;KACjB,CAAC;CACH;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,KAAK,GAAG,WAAW,GAAG,cAAc,GAAG,UAAU,GAAG,WAAW,CAAC;IACtE,YAAY,EAAE,MAAM,CAAC;IACrB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACjC;AAED,MAAM,WAAW,8BAA8B;IAC7C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,wCAAwC,CAAC;IAC/C,OAAO,EAAE,CAAC,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,SAAS,CAAC;IAClB,QAAQ,EAAE,KAAK,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,eAAe,CAAC;IACtB,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5B,KAAK,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC9D,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,MAAM,EAAE;QACN,gBAAgB,EAAE,KAAK,CAAC;QACxB,WAAW,EAAE,KAAK,CAAC;QACnB,KAAK,EAAE,MAAM,EAAE,CAAC;KACjB,CAAC;CACH;AAYD,wBAAgB,sBAAsB,CAAC,OAAO,GAAE,wBAA6B,GAAG,iBAAiB,CA4MhG;AAED,wBAAgB,4BAA4B,CAAC,OAAO,GAAE,8BAAmC,GAAG,uBAAuB,CA2DlH;AAED,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,uBAAuB,GAAG,MAAM,CAS7E"}

package/dist/cloud-plan.js

@@ -21,7 +21,7 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.18");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.20");
   const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
   const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;
@@ -64,7 +64,7 @@ function buildAwsDeploymentPlan(options = {}) {
   ];
   return {
     kind: "open-uptime.aws-deployment-plan",
-    version: 3,
+    version: 4,
     generatedAt: new Date().toISOString(),
     status: "blocked",
     canApply: false,
@@ -89,6 +89,17 @@ function buildAwsDeploymentPlan(options = {}) {
       protectedAccessMode,
       edgeDistribution: protectedAccessMode === "cloudfront_default_domain" ? `${prefix}-${stage}-edge` : undefined,
       protectedAccessUrl,
+      originVerification: protectedAccessMode === "cloudfront_default_domain" ? {
+        mode: "cloudfront_origin_header",
+        requiredBeforeScaleUp: true,
+        headerName: "X-Open-Uptime-Origin-Verify",
+        valueStoredInTerraformState: true,
+        stateAccessWarning: "The origin verification header value is sensitive but is stored in encrypted Terraform state and CloudFront/ALB configuration; restrict state, plan, CloudFront distribution-read, and ELB rule-read access."
+      } : {
+        mode: "alb_tls",
+        requiredBeforeScaleUp: false,
+        valueStoredInTerraformState: false
+      },
       targetGroups: [`${prefix}-${stage}-web-tg`],
       securityGroups: [
         `${prefix}-${stage}-alb-sg`,
@@ -136,7 +147,7 @@ function buildAwsDeploymentPlan(options = {}) {
         `Infra PR must declare CodeBuild image builder ${prefix}-${stage}-image-builder for @hasna/uptime@${runtimePackageVersion}.`,
         `Infra PR must declare hardened S3 evidence bucket ${evidenceBucket} with KMS, versioning, lifecycle, and public access block.`,
         `Infra PR must declare encrypted EFS ${prefix}-${stage}-data with access point, mount targets, and AWS Backup plan.`,
-        protectedAccessMode === "cloudfront_default_domain" ? "Infra PR must declare CloudFront default-domain HTTPS edge, ALB HTTP listener restricted to CloudFront origin-facing ranges, ECS/Fargate cluster, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs." : `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB HTTPS listener, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
+        protectedAccessMode === "cloudfront_default_domain" ? "Infra PR must declare CloudFront default-domain HTTPS edge, ALB HTTP listener restricted to CloudFront origin-facing ranges, CloudFront-only origin verification header binding, ECS/Fargate cluster, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs." : `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB HTTPS listener, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
         "Only apply the infra plan from the approved infrastructure repository after review evidence is attached."
       ],
       deploy: [
@@ -145,7 +156,7 @@ function buildAwsDeploymentPlan(options = {}) {
         "For the EFS SQLite bridge, do not run migration, scheduler, public-probe, or reporter tasks; keep them at desired count 0 until Postgres and cloud leases exist.",
         `Register task definitions for ${services.map((service) => service.name).join(", ")} using valueFrom secrets.`,
         `Update ECS services in cluster ${cluster} one component at a time through the approved deploy pipeline.`,
-        protectedAccessMode === "cloudfront_default_domain" ? "Use the CloudFront default HTTPS domain for first protected access; add custom DNS/certificate only after edge ownership is approved." : `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
+        protectedAccessMode === "cloudfront_default_domain" ? "Use the CloudFront default HTTPS domain with origin verification header binding for first protected access; add custom DNS/certificate only after edge ownership is approved." : `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
       ],
       rollback: [
         "Keep previous task definition ARNs before each service update.",
@@ -161,6 +172,7 @@ function buildAwsDeploymentPlan(options = {}) {
     },
     blockers: [
       "The infrastructure owner repository was not found in this workspace.",
+      protectedAccessMode === "cloudfront_default_domain" ? "CloudFront origin verification header binding must be enabled and direct-origin denial must be proven before web desired count is raised above 0." : "ALB HTTPS ingress policy and auth-denial smokes must be proven before web desired count is raised above 0.",
       "The EFS SQLite bridge is single-writer only: web target desired count is 1 and scheduler/public-probe/reporter targets remain 0 until Postgres and cloud leases exist.",
       "Hosted production auth/RBAC must replace broad static hosted-token operation before exposure.",
       "Public probe execution still needs cloud check-job leases wired to runHostedHttpCheck and live policy-decision log evidence.",
@@ -170,7 +182,7 @@ function buildAwsDeploymentPlan(options = {}) {
       "Infrastructure PR/synth/plan from the approved infra repository.",
       "CodeBuild image-builder run, container smoke, and immutable image digest.",
       "ECS task definitions using secrets.valueFrom only.",
-      "CloudFront-default-domain or ALB TLS auth-denial smokes, direct-origin denial evidence, and web alarm checks.",
+      "CloudFront-default-domain origin-header config or ALB TLS auth-denial smokes, direct-origin denial evidence, and web alarm checks.",
       "Single-writer ECS evidence: one web task maximum and no scheduler/public-probe/reporter EFS mounts.",
       "EFS encryption, access point, mount-target, AWS Backup, and restore-drill evidence.",
       "S3 bucket KMS, versioning, lifecycle, and public-access-block evidence.",
@@ -184,6 +196,7 @@ function buildAwsDeploymentPlan(options = {}) {
         "This plan generator does not call AWS.",
         "Blocked plan output intentionally avoids copy-pastable AWS mutation commands.",
         "Default protected access uses CloudFront's HTTPS default domain so first deploy is not blocked on custom DNS or ACM.",
+        "CloudFront default-domain mode still requires origin verification header binding before live scale-up; the header value is sensitive state/config material, not public documentation.",
         "Hosted runtime uses explicit EFS-backed SQLite at HASNA_UPTIME_HOSTED_SQLITE_DB until the async Postgres adapter exists.",
         "Do not set HASNA_UPTIME_DATABASE_URL for hosted tasks until the Postgres adapter is implemented.",
         "Secrets are represented as secret names/refs and must be injected with valueFrom.",

package/dist/index.js

@@ -4262,17 +4262,85 @@ function resolveApiToken(token) {
   return value?.trim() || undefined;
 }
 function resolveHostedTokens(options) {
-  if (options.hostedTokens?.length)
-    return options.hostedTokens;
+  const defaultWorkspaceId = process.env.HASNA_UPTIME_WORKSPACE_ID ?? "default";
+  if (options.hostedTokens?.length) {
+    return normalizeHostedTokenEntries(options.hostedTokens, defaultWorkspaceId);
+  }
+  const configuredTokens = process.env.HASNA_UPTIME_HOSTED_TOKENS;
+  if (configuredTokens?.trim()) {
+    return parseHostedTokensConfig(configuredTokens, defaultWorkspaceId, "HASNA_UPTIME_HOSTED_TOKENS");
+  }
   const token = options.hostedToken ?? process.env.HASNA_UPTIME_HOSTED_TOKEN;
   if (!token?.trim())
     return [];
+  return parseHostedTokenValue(token, defaultWorkspaceId, options.hostedToken ? "--hosted-token" : "HASNA_UPTIME_HOSTED_TOKEN");
+}
+var HOSTED_SCOPES = ["uptime:read", "uptime:write", "uptime:probe", "uptime:report", "uptime:admin"];
+var HOSTED_SCOPE_SET = new Set(HOSTED_SCOPES);
+var LEGACY_HOSTED_TOKEN_SCOPES = ["uptime:read", "uptime:write", "uptime:probe", "uptime:report"];
+function parseHostedTokenValue(value, defaultWorkspaceId, source) {
+  const trimmed = value.trim();
+  if (!trimmed)
+    return [];
+  if (trimmed.startsWith("{") || trimmed.startsWith("[")) {
+    return parseHostedTokensConfig(trimmed, defaultWorkspaceId, source);
+  }
+  if (isHostedProductionMode()) {
+    throw new ApiError(`${source} must be scoped hosted token JSON when HASNA_UPTIME_HOSTED_AUTH_MODE=production`, 500);
+  }
   return [{
-    token: token.trim(),
-    scopes: ["uptime:read", "uptime:write", "uptime:probe", "uptime:report"],
-    workspaceId: process.env.HASNA_UPTIME_WORKSPACE_ID ?? "default"
+    token: trimmed,
+    scopes: LEGACY_HOSTED_TOKEN_SCOPES,
+    workspaceId: defaultWorkspaceId
   }];
 }
+function parseHostedTokensConfig(value, defaultWorkspaceId, source) {
+  let parsed;
+  try {
+    parsed = JSON.parse(value);
+  } catch {
+    throw new ApiError(`${source} must be valid hosted token JSON`, 500);
+  }
+  const entries = Array.isArray(parsed) ? parsed : isRecord(parsed) && Array.isArray(parsed.tokens) ? parsed.tokens : isRecord(parsed) && typeof parsed.token === "string" ? [parsed] : undefined;
+  if (!entries)
+    throw new ApiError(`${source} must be a token object, token array, or object with tokens[]`, 500);
+  return normalizeHostedTokenEntries(entries, defaultWorkspaceId, source);
+}
+function normalizeHostedTokenEntries(entries, defaultWorkspaceId, source = "hostedTokens") {
+  const tokens = entries.map((entry, index) => normalizeHostedTokenEntry(entry, defaultWorkspaceId, `${source}[${index}]`));
+  if (tokens.length === 0)
+    throw new ApiError(`${source} must configure at least one hosted token`, 500);
+  return tokens;
+}
+function normalizeHostedTokenEntry(entry, defaultWorkspaceId, source) {
+  if (!isRecord(entry))
+    throw new ApiError(`${source} must be an object`, 500);
+  if (typeof entry.token !== "string" || !entry.token.trim()) {
+    throw new ApiError(`${source}.token is required`, 500);
+  }
+  const scopes = normalizeHostedScopes(entry.scopes, `${source}.scopes`);
+  const workspaceId = typeof entry.workspaceId === "string" && entry.workspaceId.trim() ? entry.workspaceId.trim() : defaultWorkspaceId;
+  return { token: entry.token.trim(), scopes, workspaceId };
+}
+function normalizeHostedScopes(value, source) {
+  if (!Array.isArray(value) || value.length === 0) {
+    throw new ApiError(`${source} must be a non-empty array`, 500);
+  }
+  const scopes = new Set;
+  for (const scope of value) {
+    if (typeof scope !== "string" || !HOSTED_SCOPE_SET.has(scope)) {
+      throw new ApiError(`${source} contains an invalid hosted scope`, 500);
+    }
+    scopes.add(scope);
+  }
+  return [...scopes];
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function isHostedProductionMode() {
+  return process.env.HASNA_UPTIME_HOSTED_AUTH_MODE === "production" || false;
+}
 function resolveHostedAllowedOrigins(options) {
   const configured = options.hostedAllowedOrigins ?? splitCsv(process.env.HASNA_UPTIME_ALLOWED_ORIGINS);
   return configured.map((origin) => normalizeAllowedOrigin(origin)).filter((origin) => Boolean(origin));
@@ -4349,7 +4417,7 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.18");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.20");
   const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
   const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;
@@ -4392,7 +4460,7 @@ function buildAwsDeploymentPlan(options = {}) {
   ];
   return {
     kind: "open-uptime.aws-deployment-plan",
-    version: 3,
+    version: 4,
     generatedAt: new Date().toISOString(),
     status: "blocked",
     canApply: false,
@@ -4417,6 +4485,17 @@ function buildAwsDeploymentPlan(options = {}) {
       protectedAccessMode,
       edgeDistribution: protectedAccessMode === "cloudfront_default_domain" ? `${prefix}-${stage}-edge` : undefined,
       protectedAccessUrl,
+      originVerification: protectedAccessMode === "cloudfront_default_domain" ? {
+        mode: "cloudfront_origin_header",
+        requiredBeforeScaleUp: true,
+        headerName: "X-Open-Uptime-Origin-Verify",
+        valueStoredInTerraformState: true,
+        stateAccessWarning: "The origin verification header value is sensitive but is stored in encrypted Terraform state and CloudFront/ALB configuration; restrict state, plan, CloudFront distribution-read, and ELB rule-read access."
+      } : {
+        mode: "alb_tls",
+        requiredBeforeScaleUp: false,
+        valueStoredInTerraformState: false
+      },
       targetGroups: [`${prefix}-${stage}-web-tg`],
       securityGroups: [
         `${prefix}-${stage}-alb-sg`,
@@ -4464,7 +4543,7 @@ function buildAwsDeploymentPlan(options = {}) {
         `Infra PR must declare CodeBuild image builder ${prefix}-${stage}-image-builder for @hasna/uptime@${runtimePackageVersion}.`,
         `Infra PR must declare hardened S3 evidence bucket ${evidenceBucket} with KMS, versioning, lifecycle, and public access block.`,
         `Infra PR must declare encrypted EFS ${prefix}-${stage}-data with access point, mount targets, and AWS Backup plan.`,
-        protectedAccessMode === "cloudfront_default_domain" ? "Infra PR must declare CloudFront default-domain HTTPS edge, ALB HTTP listener restricted to CloudFront origin-facing ranges, ECS/Fargate cluster, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs." : `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB HTTPS listener, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
+        protectedAccessMode === "cloudfront_default_domain" ? "Infra PR must declare CloudFront default-domain HTTPS edge, ALB HTTP listener restricted to CloudFront origin-facing ranges, CloudFront-only origin verification header binding, ECS/Fargate cluster, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs." : `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB HTTPS listener, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
         "Only apply the infra plan from the approved infrastructure repository after review evidence is attached."
       ],
       deploy: [
@@ -4473,7 +4552,7 @@ function buildAwsDeploymentPlan(options = {}) {
         "For the EFS SQLite bridge, do not run migration, scheduler, public-probe, or reporter tasks; keep them at desired count 0 until Postgres and cloud leases exist.",
         `Register task definitions for ${services.map((service) => service.name).join(", ")} using valueFrom secrets.`,
         `Update ECS services in cluster ${cluster} one component at a time through the approved deploy pipeline.`,
-        protectedAccessMode === "cloudfront_default_domain" ? "Use the CloudFront default HTTPS domain for first protected access; add custom DNS/certificate only after edge ownership is approved." : `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
+        protectedAccessMode === "cloudfront_default_domain" ? "Use the CloudFront default HTTPS domain with origin verification header binding for first protected access; add custom DNS/certificate only after edge ownership is approved." : `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
       ],
       rollback: [
         "Keep previous task definition ARNs before each service update.",
@@ -4489,6 +4568,7 @@ function buildAwsDeploymentPlan(options = {}) {
     },
     blockers: [
       "The infrastructure owner repository was not found in this workspace.",
+      protectedAccessMode === "cloudfront_default_domain" ? "CloudFront origin verification header binding must be enabled and direct-origin denial must be proven before web desired count is raised above 0." : "ALB HTTPS ingress policy and auth-denial smokes must be proven before web desired count is raised above 0.",
       "The EFS SQLite bridge is single-writer only: web target desired count is 1 and scheduler/public-probe/reporter targets remain 0 until Postgres and cloud leases exist.",
       "Hosted production auth/RBAC must replace broad static hosted-token operation before exposure.",
       "Public probe execution still needs cloud check-job leases wired to runHostedHttpCheck and live policy-decision log evidence.",
@@ -4498,7 +4578,7 @@ function buildAwsDeploymentPlan(options = {}) {
       "Infrastructure PR/synth/plan from the approved infra repository.",
       "CodeBuild image-builder run, container smoke, and immutable image digest.",
       "ECS task definitions using secrets.valueFrom only.",
-      "CloudFront-default-domain or ALB TLS auth-denial smokes, direct-origin denial evidence, and web alarm checks.",
+      "CloudFront-default-domain origin-header config or ALB TLS auth-denial smokes, direct-origin denial evidence, and web alarm checks.",
       "Single-writer ECS evidence: one web task maximum and no scheduler/public-probe/reporter EFS mounts.",
       "EFS encryption, access point, mount-target, AWS Backup, and restore-drill evidence.",
       "S3 bucket KMS, versioning, lifecycle, and public-access-block evidence.",
@@ -4512,6 +4592,7 @@ function buildAwsDeploymentPlan(options = {}) {
         "This plan generator does not call AWS.",
         "Blocked plan output intentionally avoids copy-pastable AWS mutation commands.",
         "Default protected access uses CloudFront's HTTPS default domain so first deploy is not blocked on custom DNS or ACM.",
+        "CloudFront default-domain mode still requires origin verification header binding before live scale-up; the header value is sensitive state/config material, not public documentation.",
         "Hosted runtime uses explicit EFS-backed SQLite at HASNA_UPTIME_HOSTED_SQLITE_DB until the async Postgres adapter exists.",
         "Do not set HASNA_UPTIME_DATABASE_URL for hosted tasks until the Postgres adapter is implemented.",
         "Secrets are represented as secret names/refs and must be injected with valueFrom.",

package/docs/aws-deployment-runbook.md

@@ -176,8 +176,8 @@ Before setting `desired_counts.web = 1`, verify:
 - the image is an immutable digest, not a mutable tag or placeholder;
 - required secrets have `AWSCURRENT` versions;
 - `HASNA_UPTIME_ALLOWED_ORIGINS` matches the public HTTPS edge origin;
-- CloudFront origin access is distribution-bound, not just narrowed to
-  CloudFront origin-facing ranges;
+- CloudFront origin access is distribution-bound with the CloudFront-only origin
+  verification header, not just narrowed to CloudFront origin-facing ranges;
 - web egress to ECR, Secrets Manager or SSM, CloudWatch Logs, S3, EFS, and any
   required endpoints has been proven from a real ECS task. Terraform endpoint
   ids, route tables, and security-group rules are creation evidence only; the
@@ -207,7 +207,7 @@ ids. Use a scoped hosted token only from the operator secret store.
 
 ```bash
 EDGE_URL="$(terraform -chdir="$TF_DIR" output -raw protected_access_url)"
-: "${HOSTED_TOKEN_FILE:?set HOSTED_TOKEN_FILE to a 0600 file containing the scoped hosted token}"
+: "${HOSTED_TOKEN_FILE:?set HOSTED_TOKEN_FILE to a 0600 file containing the scoped read hosted token}"
 HOSTED_TOKEN="$(tr -d '\n' < "$HOSTED_TOKEN_FILE")"
 
 curl -fsS "$EDGE_URL/health"
@@ -225,6 +225,22 @@ Expected results:
 - Direct ALB origin access is denied unless it is the approved CloudFront origin
   path.
 
+Hosted deployments should store scoped hosted-token JSON in Secrets Manager, not
+a single broad raw token. The runtime accepts `HASNA_UPTIME_HOSTED_TOKENS` JSON
+or JSON-compatible `HASNA_UPTIME_HOSTED_TOKEN` values shaped like:
+
+```json
+{
+  "tokens": [
+    { "token": "<read-token>", "scopes": ["uptime:read"], "workspaceId": "<workspace-id>" },
+    { "token": "<write-token>", "scopes": ["uptime:write"], "workspaceId": "<workspace-id>" }
+  ]
+}
+```
+
+Do not record token values in runbooks, logs, task overrides, or deployment
+evidence.
+
 ## Logs And Alarms
 
 Inspect recent web logs without printing secrets:
@@ -330,14 +346,21 @@ aws efs create-mount-target \
 ```
 
 Validate the restored `/data/uptime/uptime.db` from a staging host or task with
-read-only SQLite integrity checks. Capture only counts and integrity status, not
-monitor targets or secrets:
+read-only SQLite integrity checks. For a zero-count pre-production deployment
+where `uptime.db` does not exist yet, create a representative restore-drill DB
+with the same SQLite access path and record it separately. Capture only counts
+and integrity status, not monitor targets or secrets:
 
 ```bash
 sqlite3 /mnt/restore/uptime/uptime.db 'PRAGMA integrity_check;'
 sqlite3 /mnt/restore/uptime/uptime.db 'SELECT COUNT(*) FROM monitors;'
 ```
 
+Do not count a restore as complete if the task only proves that EFS mounted.
+The evidence must include the restored DB path, `PRAGMA integrity_check = ok`,
+schema version, sanitized table counts, and cleanup proof for the temporary
+mount target and file system.
+
 After evidence is recorded, delete the staging mount target and restored file
 system. Never mount the restored file system over production during a drill.
 
@@ -386,9 +409,11 @@ routes are backed by cloud check jobs and cloud audit rows.
 - Do not expose the ALB directly in CloudFront mode; ALB ingress must be limited
   to CloudFront origin-facing ranges.
 - Do not treat CloudFront prefix-list ingress as distribution-bound origin
-  protection. Before enabling the web task, add CloudFront VPC origin/private
-  ALB routing or require a CloudFront-only origin header whose secret value is
-  not stored in Terraform state.
+  protection. In `cloudfront_default_domain` mode, enable the module's
+  CloudFront-only origin verification header and keep its generated value out of
+  the public repo and shared logs. Terraform redacts the sensitive input in CLI
+  output, but the value is still stored in encrypted Terraform state, saved plan
+  files, and AWS CloudFront/ALB configuration; restrict access accordingly.
 - Do not treat local SQLite, local project DBs, or private-probe local state as cloud
   authority after cutover.
 - Do configure owner/project/environment/service/cost-center tags and AWS

package/infra/aws/README.md

@@ -42,9 +42,14 @@ HTTPS origin so hosted mutation CSRF checks still work through the private HTTP
 origin hop.
 
 CloudFront prefix-list ingress is only a network narrowing control; it is not
-bound to one distribution. Add CloudFront VPC origin/private ALB routing or an
-ALB origin-header rule with the secret value managed outside Terraform state
-before enabling the web task.
+bound to one distribution. Before enabling the web task, set
+`enable_cloudfront_origin_verify_header = true` and provide a high-entropy
+`cloudfront_origin_verify_header_value` from a private operator workflow. The
+module then configures CloudFront to send that header, makes the ALB default
+action return `403`, and forwards only requests with the matching header.
+Terraform marks the value sensitive, but it still lives in encrypted Terraform
+state and in CloudFront/ALB configuration; restrict state, saved plan,
+CloudFront distribution-read, and ELB listener-rule-read access accordingly.
 
 All module resources carry owner, project, environment, service, account, app
 type, and cost-center tags. Set `monthly_budget_limit_usd` plus

package/infra/aws/main.tf

@@ -26,6 +26,7 @@ locals {
   efs_enabled_services  = toset(["web"])
   use_alb_https         = var.protected_access_mode == "alb_https_cert"
   use_cloudfront        = var.protected_access_mode == "cloudfront_default_domain"
+  use_origin_verify     = local.use_cloudfront && var.enable_cloudfront_origin_verify_header
   services = {
     web = {
       desired_count = lookup(var.desired_counts, "web", 0)
@@ -900,10 +901,45 @@ resource "aws_lb_listener" "http_cloudfront" {
   protocol          = "HTTP"
   tags              = local.tags
 
-  default_action {
+  dynamic "default_action" {
+    for_each = local.use_origin_verify ? [] : [1]
+    content {
+      type             = "forward"
+      target_group_arn = aws_lb_target_group.web.arn
+    }
+  }
+
+  dynamic "default_action" {
+    for_each = local.use_origin_verify ? [1] : []
+    content {
+      type = "fixed-response"
+
+      fixed_response {
+        content_type = "text/plain"
+        message_body = "forbidden"
+        status_code  = "403"
+      }
+    }
+  }
+}
+
+resource "aws_lb_listener_rule" "http_cloudfront_origin_verify" {
+  count        = local.use_origin_verify ? 1 : 0
+  listener_arn = aws_lb_listener.http_cloudfront[0].arn
+  priority     = var.cloudfront_origin_verify_listener_rule_priority
+  tags         = local.tags
+
+  action {
     type             = "forward"
     target_group_arn = aws_lb_target_group.web.arn
   }
+
+  condition {
+    http_header {
+      http_header_name = var.cloudfront_origin_verify_header_name
+      values           = [var.cloudfront_origin_verify_header_value]
+    }
+  }
 }
 
 resource "aws_cloudfront_distribution" "open_uptime" {
@@ -918,6 +954,14 @@ resource "aws_cloudfront_distribution" "open_uptime" {
     domain_name = aws_lb.open_uptime.dns_name
     origin_id   = "${local.prefix}-alb"
 
+    dynamic "custom_header" {
+      for_each = local.use_origin_verify ? [1] : []
+      content {
+        name  = var.cloudfront_origin_verify_header_name
+        value = var.cloudfront_origin_verify_header_value
+      }
+    }
+
     custom_origin_config {
       http_port              = 80
       https_port             = 443
@@ -956,7 +1000,7 @@ resource "aws_cloudfront_distribution" "open_uptime" {
     cloudfront_default_certificate = true
   }
 
-  depends_on = [aws_lb_listener.http_cloudfront]
+  depends_on = [aws_lb_listener.http_cloudfront, aws_lb_listener_rule.http_cloudfront_origin_verify]
 }
 
 resource "aws_route53_record" "open_uptime" {
@@ -1109,6 +1153,7 @@ resource "aws_ecs_task_definition" "service" {
       }] : []
       environment = concat([
         { name = "HASNA_UPTIME_MODE", value = "hosted" },
+        { name = "HASNA_UPTIME_HOSTED_AUTH_MODE", value = "production" },
         { name = "HASNA_UPTIME_WORKSPACE_ID", value = var.workspace_id },
         { name = "HASNA_UPTIME_COMPONENT", value = each.key },
         { name = "HASNA_UPTIME_HOSTNAME", value = var.hostname },
@@ -1173,7 +1218,7 @@ resource "aws_ecs_service" "web" {
     container_port   = local.container_port
   }
 
-  depends_on = [aws_lb_listener.https, aws_lb_listener.http_cloudfront, aws_efs_mount_target.data]
+  depends_on = [aws_lb_listener.https, aws_lb_listener.http_cloudfront, aws_lb_listener_rule.http_cloudfront_origin_verify, aws_efs_mount_target.data]
 }
 
 resource "aws_ecs_service" "worker" {

package/infra/aws/outputs.tf

@@ -22,6 +22,14 @@ output "protected_access_url" {
   value = var.protected_access_mode == "cloudfront_default_domain" ? "https://${aws_cloudfront_distribution.open_uptime[0].domain_name}" : "https://${var.hostname}"
 }
 
+output "cloudfront_origin_verify_header_enabled" {
+  value = local.use_origin_verify
+}
+
+output "cloudfront_origin_verify_header_name" {
+  value = local.use_origin_verify ? var.cloudfront_origin_verify_header_name : null
+}
+
 output "evidence_bucket" {
   value = aws_s3_bucket.evidence.bucket
 }

package/infra/aws/terraform.tfvars.example

@@ -11,12 +11,15 @@ workspace_id             = "workspace-id"
 vpc_id                   = "vpc-xxxxxxxx"
 ecr_repository_name      = "open-uptime"
 protected_access_mode    = "cloudfront_default_domain"
+enable_cloudfront_origin_verify_header = false
+cloudfront_origin_verify_header_name   = "X-Open-Uptime-Origin-Verify"
+cloudfront_origin_verify_header_value  = null
 public_subnet_ids        = ["subnet-replace-public-a", "subnet-replace-public-b"]
 alb_ingress_cidr_blocks = []
 private_subnet_ids       = ["subnet-replace-private-a", "subnet-replace-private-b"]
 private_route_table_ids  = ["rtb-replace-private"]
 container_image          = "123456789012.dkr.ecr.us-east-1.amazonaws.com/open-uptime@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-runtime_package_version  = "0.1.18"
+runtime_package_version  = "0.1.20"
 certificate_arn          = null
 hosted_zone_id           = null
 app_env_secret_arn       = "arn:aws:secretsmanager:us-east-1:123456789012:secret:open-uptime/prod/app/env"

package/infra/aws/variables.tf

@@ -87,6 +87,91 @@ variable "protected_access_mode" {
   }
 }
 
+variable "enable_cloudfront_origin_verify_header" {
+  description = "When true in cloudfront_default_domain mode, CloudFront sends a private origin header and the ALB listener rejects requests missing the matching value."
+  type        = bool
+  default     = false
+
+  validation {
+    condition     = !var.enable_cloudfront_origin_verify_header || var.protected_access_mode == "cloudfront_default_domain"
+    error_message = "enable_cloudfront_origin_verify_header can only be true when protected_access_mode is cloudfront_default_domain."
+  }
+}
+
+variable "cloudfront_origin_verify_header_name" {
+  description = "CloudFront-only origin verification header name used when enable_cloudfront_origin_verify_header is true."
+  type        = string
+  default     = "X-Open-Uptime-Origin-Verify"
+
+  validation {
+    condition = (
+      can(regex("^[A-Za-z0-9-]+$", var.cloudfront_origin_verify_header_name))
+      && !startswith(lower(var.cloudfront_origin_verify_header_name), "x-amz-")
+      && !startswith(lower(var.cloudfront_origin_verify_header_name), "x-edge-")
+      && !contains([
+        "authorization",
+        "cache-control",
+        "connection",
+        "content-length",
+        "content-type",
+        "cookie",
+        "host",
+        "if-match",
+        "if-modified-since",
+        "if-none-match",
+        "if-range",
+        "if-unmodified-since",
+        "max-forwards",
+        "origin",
+        "pragma",
+        "proxy-authenticate",
+        "proxy-authorization",
+        "proxy-connection",
+        "range",
+        "request-range",
+        "te",
+        "trailer",
+        "transfer-encoding",
+        "upgrade",
+        "via",
+        "x-real-ip",
+        "x-uptime-hosted-token",
+      ], lower(var.cloudfront_origin_verify_header_name))
+    )
+    error_message = "cloudfront_origin_verify_header_name must be a safe CloudFront custom origin header name and must not use reserved, app-forwarded, or viewer-controlled header names."
+  }
+}
+
+variable "cloudfront_origin_verify_header_value" {
+  description = "Sensitive CloudFront-only origin verification header value. Required when enable_cloudfront_origin_verify_header is true."
+  type        = string
+  default     = null
+  nullable    = true
+  sensitive   = true
+
+  validation {
+    condition = (
+      !(var.enable_cloudfront_origin_verify_header && var.protected_access_mode == "cloudfront_default_domain")
+      || (
+        var.cloudfront_origin_verify_header_value != null
+        && can(regex("^[A-Za-z0-9_-]{32,256}$", var.cloudfront_origin_verify_header_value))
+      )
+    )
+    error_message = "cloudfront_origin_verify_header_value is required when origin verification is enabled and must be 32-256 URL-safe characters."
+  }
+}
+
+variable "cloudfront_origin_verify_listener_rule_priority" {
+  description = "ALB listener rule priority for the CloudFront origin verification header rule."
+  type        = number
+  default     = 100
+
+  validation {
+    condition     = var.cloudfront_origin_verify_listener_rule_priority >= 1 && var.cloudfront_origin_verify_listener_rule_priority <= 50000
+    error_message = "cloudfront_origin_verify_listener_rule_priority must be between 1 and 50000."
+  }
+}
+
 variable "public_subnet_ids" {
   description = "Public subnets for the ALB."
   type        = list(string)
@@ -116,7 +201,7 @@ variable "container_image" {
 variable "runtime_package_version" {
   description = "Published @hasna/uptime package version that CodeBuild should build into the ECR image."
   type        = string
-  default     = "0.1.18"
+  default     = "0.1.20"
 
   validation {
     condition     = can(regex("^[0-9]+\\.[0-9]+\\.[0-9]+(-[0-9A-Za-z.-]+)?$", var.runtime_package_version))
@@ -157,7 +242,7 @@ variable "app_env_secret_arn" {
 }
 
 variable "hosted_token_secret_arn" {
-  description = "Secrets Manager/SSM ARN containing HASNA_UPTIME_HOSTED_TOKEN for hosted web auth bootstrap."
+  description = "Secrets Manager/SSM ARN injected as HASNA_UPTIME_HOSTED_TOKEN. Hosted deployments should store scoped hosted-token JSON descriptors here, not a single broad raw token."
   type        = string
 
   validation {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hasna/uptime",
-  "version": "0.1.18",
+  "version": "0.1.20",
   "description": "Local-first uptime and downtime monitoring service with CLI, MCP, SDK, SQLite persistence, and a dashboard.",
   "license": "Apache-2.0",
   "type": "module",