@hasna/uptime 0.1.19 → 0.1.20

package/CHANGELOG.md

@@ -6,6 +6,21 @@ project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [0.1.20] - 2026-06-28
+
+### Added
+
+- Added hosted-token JSON descriptor parsing from
+  `HASNA_UPTIME_HOSTED_TOKENS` and JSON-compatible
+  `HASNA_UPTIME_HOSTED_TOKEN` values, allowing deployed secrets to provide
+  scoped workspace tokens instead of one broad raw token.
+
+### Changed
+
+- Updated hosted auth docs and AWS runbook guidance to prefer scoped static
+  operator tokens for zero-count smokes while keeping full production
+  identity/RBAC as a live gate.
+
 ## [0.1.19] - 2026-06-28
 
 ### Added

package/README.md

@@ -93,6 +93,21 @@ non-loopback mutation hosts by default. For a trusted remote bind, set
 `Authorization: Bearer <token>` or `X-Uptime-Token: <token>`.
 Hosted mode additionally accepts comma-separated public origins from
 `HASNA_UPTIME_ALLOWED_ORIGINS` for deployments behind a TLS-terminating edge.
+Hosted tokens can be provided as a single legacy token through
+`HASNA_UPTIME_HOSTED_TOKEN`, or as scoped JSON through
+`HASNA_UPTIME_HOSTED_TOKENS`:
+
+```json
+{
+  "tokens": [
+    { "token": "read-token", "scopes": ["uptime:read"], "workspaceId": "default" },
+    { "token": "write-token", "scopes": ["uptime:write"], "workspaceId": "default" }
+  ]
+}
+```
+
+Use scoped JSON for hosted deployments. A single raw hosted token is kept only
+for local compatibility and expands to broad read/write/probe/report scopes.
 Endpoints that accept request bodies require `content-type: application/json`.
 
 ## Uptime Semantics

package/dist/api.js

@@ -4262,17 +4262,85 @@ function resolveApiToken(token) {
   return value?.trim() || undefined;
 }
 function resolveHostedTokens(options) {
-  if (options.hostedTokens?.length)
-    return options.hostedTokens;
+  const defaultWorkspaceId = process.env.HASNA_UPTIME_WORKSPACE_ID ?? "default";
+  if (options.hostedTokens?.length) {
+    return normalizeHostedTokenEntries(options.hostedTokens, defaultWorkspaceId);
+  }
+  const configuredTokens = process.env.HASNA_UPTIME_HOSTED_TOKENS;
+  if (configuredTokens?.trim()) {
+    return parseHostedTokensConfig(configuredTokens, defaultWorkspaceId, "HASNA_UPTIME_HOSTED_TOKENS");
+  }
   const token = options.hostedToken ?? process.env.HASNA_UPTIME_HOSTED_TOKEN;
   if (!token?.trim())
     return [];
+  return parseHostedTokenValue(token, defaultWorkspaceId, options.hostedToken ? "--hosted-token" : "HASNA_UPTIME_HOSTED_TOKEN");
+}
+var HOSTED_SCOPES = ["uptime:read", "uptime:write", "uptime:probe", "uptime:report", "uptime:admin"];
+var HOSTED_SCOPE_SET = new Set(HOSTED_SCOPES);
+var LEGACY_HOSTED_TOKEN_SCOPES = ["uptime:read", "uptime:write", "uptime:probe", "uptime:report"];
+function parseHostedTokenValue(value, defaultWorkspaceId, source) {
+  const trimmed = value.trim();
+  if (!trimmed)
+    return [];
+  if (trimmed.startsWith("{") || trimmed.startsWith("[")) {
+    return parseHostedTokensConfig(trimmed, defaultWorkspaceId, source);
+  }
+  if (isHostedProductionMode()) {
+    throw new ApiError(`${source} must be scoped hosted token JSON when HASNA_UPTIME_HOSTED_AUTH_MODE=production`, 500);
+  }
   return [{
-    token: token.trim(),
-    scopes: ["uptime:read", "uptime:write", "uptime:probe", "uptime:report"],
-    workspaceId: process.env.HASNA_UPTIME_WORKSPACE_ID ?? "default"
+    token: trimmed,
+    scopes: LEGACY_HOSTED_TOKEN_SCOPES,
+    workspaceId: defaultWorkspaceId
   }];
 }
+function parseHostedTokensConfig(value, defaultWorkspaceId, source) {
+  let parsed;
+  try {
+    parsed = JSON.parse(value);
+  } catch {
+    throw new ApiError(`${source} must be valid hosted token JSON`, 500);
+  }
+  const entries = Array.isArray(parsed) ? parsed : isRecord(parsed) && Array.isArray(parsed.tokens) ? parsed.tokens : isRecord(parsed) && typeof parsed.token === "string" ? [parsed] : undefined;
+  if (!entries)
+    throw new ApiError(`${source} must be a token object, token array, or object with tokens[]`, 500);
+  return normalizeHostedTokenEntries(entries, defaultWorkspaceId, source);
+}
+function normalizeHostedTokenEntries(entries, defaultWorkspaceId, source = "hostedTokens") {
+  const tokens = entries.map((entry, index) => normalizeHostedTokenEntry(entry, defaultWorkspaceId, `${source}[${index}]`));
+  if (tokens.length === 0)
+    throw new ApiError(`${source} must configure at least one hosted token`, 500);
+  return tokens;
+}
+function normalizeHostedTokenEntry(entry, defaultWorkspaceId, source) {
+  if (!isRecord(entry))
+    throw new ApiError(`${source} must be an object`, 500);
+  if (typeof entry.token !== "string" || !entry.token.trim()) {
+    throw new ApiError(`${source}.token is required`, 500);
+  }
+  const scopes = normalizeHostedScopes(entry.scopes, `${source}.scopes`);
+  const workspaceId = typeof entry.workspaceId === "string" && entry.workspaceId.trim() ? entry.workspaceId.trim() : defaultWorkspaceId;
+  return { token: entry.token.trim(), scopes, workspaceId };
+}
+function normalizeHostedScopes(value, source) {
+  if (!Array.isArray(value) || value.length === 0) {
+    throw new ApiError(`${source} must be a non-empty array`, 500);
+  }
+  const scopes = new Set;
+  for (const scope of value) {
+    if (typeof scope !== "string" || !HOSTED_SCOPE_SET.has(scope)) {
+      throw new ApiError(`${source} contains an invalid hosted scope`, 500);
+    }
+    scopes.add(scope);
+  }
+  return [...scopes];
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function isHostedProductionMode() {
+  return process.env.HASNA_UPTIME_HOSTED_AUTH_MODE === "production" || false;
+}
 function resolveHostedAllowedOrigins(options) {
   const configured = options.hostedAllowedOrigins ?? splitCsv(process.env.HASNA_UPTIME_ALLOWED_ORIGINS);
   return configured.map((origin) => normalizeAllowedOrigin(origin)).filter((origin) => Boolean(origin));

package/dist/cli/index.js

@@ -6856,17 +6856,85 @@ function resolveApiToken(token) {
   return value?.trim() || undefined;
 }
 function resolveHostedTokens(options) {
-  if (options.hostedTokens?.length)
-    return options.hostedTokens;
+  const defaultWorkspaceId = process.env.HASNA_UPTIME_WORKSPACE_ID ?? "default";
+  if (options.hostedTokens?.length) {
+    return normalizeHostedTokenEntries(options.hostedTokens, defaultWorkspaceId);
+  }
+  const configuredTokens = process.env.HASNA_UPTIME_HOSTED_TOKENS;
+  if (configuredTokens?.trim()) {
+    return parseHostedTokensConfig(configuredTokens, defaultWorkspaceId, "HASNA_UPTIME_HOSTED_TOKENS");
+  }
   const token = options.hostedToken ?? process.env.HASNA_UPTIME_HOSTED_TOKEN;
   if (!token?.trim())
     return [];
+  return parseHostedTokenValue(token, defaultWorkspaceId, options.hostedToken ? "--hosted-token" : "HASNA_UPTIME_HOSTED_TOKEN");
+}
+var HOSTED_SCOPES = ["uptime:read", "uptime:write", "uptime:probe", "uptime:report", "uptime:admin"];
+var HOSTED_SCOPE_SET = new Set(HOSTED_SCOPES);
+var LEGACY_HOSTED_TOKEN_SCOPES = ["uptime:read", "uptime:write", "uptime:probe", "uptime:report"];
+function parseHostedTokenValue(value, defaultWorkspaceId, source) {
+  const trimmed = value.trim();
+  if (!trimmed)
+    return [];
+  if (trimmed.startsWith("{") || trimmed.startsWith("[")) {
+    return parseHostedTokensConfig(trimmed, defaultWorkspaceId, source);
+  }
+  if (isHostedProductionMode()) {
+    throw new ApiError(`${source} must be scoped hosted token JSON when HASNA_UPTIME_HOSTED_AUTH_MODE=production`, 500);
+  }
   return [{
-    token: token.trim(),
-    scopes: ["uptime:read", "uptime:write", "uptime:probe", "uptime:report"],
-    workspaceId: process.env.HASNA_UPTIME_WORKSPACE_ID ?? "default"
+    token: trimmed,
+    scopes: LEGACY_HOSTED_TOKEN_SCOPES,
+    workspaceId: defaultWorkspaceId
   }];
 }
+function parseHostedTokensConfig(value, defaultWorkspaceId, source) {
+  let parsed;
+  try {
+    parsed = JSON.parse(value);
+  } catch {
+    throw new ApiError(`${source} must be valid hosted token JSON`, 500);
+  }
+  const entries = Array.isArray(parsed) ? parsed : isRecord(parsed) && Array.isArray(parsed.tokens) ? parsed.tokens : isRecord(parsed) && typeof parsed.token === "string" ? [parsed] : undefined;
+  if (!entries)
+    throw new ApiError(`${source} must be a token object, token array, or object with tokens[]`, 500);
+  return normalizeHostedTokenEntries(entries, defaultWorkspaceId, source);
+}
+function normalizeHostedTokenEntries(entries, defaultWorkspaceId, source = "hostedTokens") {
+  const tokens = entries.map((entry, index) => normalizeHostedTokenEntry(entry, defaultWorkspaceId, `${source}[${index}]`));
+  if (tokens.length === 0)
+    throw new ApiError(`${source} must configure at least one hosted token`, 500);
+  return tokens;
+}
+function normalizeHostedTokenEntry(entry, defaultWorkspaceId, source) {
+  if (!isRecord(entry))
+    throw new ApiError(`${source} must be an object`, 500);
+  if (typeof entry.token !== "string" || !entry.token.trim()) {
+    throw new ApiError(`${source}.token is required`, 500);
+  }
+  const scopes = normalizeHostedScopes(entry.scopes, `${source}.scopes`);
+  const workspaceId = typeof entry.workspaceId === "string" && entry.workspaceId.trim() ? entry.workspaceId.trim() : defaultWorkspaceId;
+  return { token: entry.token.trim(), scopes, workspaceId };
+}
+function normalizeHostedScopes(value, source) {
+  if (!Array.isArray(value) || value.length === 0) {
+    throw new ApiError(`${source} must be a non-empty array`, 500);
+  }
+  const scopes = new Set;
+  for (const scope of value) {
+    if (typeof scope !== "string" || !HOSTED_SCOPE_SET.has(scope)) {
+      throw new ApiError(`${source} contains an invalid hosted scope`, 500);
+    }
+    scopes.add(scope);
+  }
+  return [...scopes];
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function isHostedProductionMode() {
+  return process.env.HASNA_UPTIME_HOSTED_AUTH_MODE === "production" || false;
+}
 function resolveHostedAllowedOrigins(options) {
   const configured = options.hostedAllowedOrigins ?? splitCsv(process.env.HASNA_UPTIME_ALLOWED_ORIGINS);
   return configured.map((origin) => normalizeAllowedOrigin(origin)).filter((origin) => Boolean(origin));
@@ -6943,7 +7011,7 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.19");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.20");
   const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
   const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;
@@ -7756,7 +7824,7 @@ program2.command("restore <backup-path>").description("Restore a verified local
     fail(error);
   }
 });
-program2.command("serve").description("Serve the local API and dashboard").option("--host <host>", "host to bind", "127.0.0.1").option("--port <port>", "port", parseInteger, 3899).option("--check", "run the scheduler while serving").addOption(new Option("--mode <mode>", "runtime mode").choices(["local", "hosted"]).default("local")).option("--api-token <token>", "token required for non-loopback mutation hosts").option("--hosted-token <token>", "scoped hosted-mode token").option("--hosted-sqlite-db <path>", "absolute SQLite database path on hosted cloud-mounted storage").option("--allow-hosted-local-store", "allow hosted mode to use local SQLite as an explicit fallback").option("--allow-unsafe-remote-mutations", "allow state-changing requests from non-loopback hosts without a token").option("-j, --json", "print JSON").action((opts) => {
+program2.command("serve").description("Serve the local API and dashboard").option("--host <host>", "host to bind", "127.0.0.1").option("--port <port>", "port", parseInteger, 3899).option("--check", "run the scheduler while serving").addOption(new Option("--mode <mode>", "runtime mode").choices(["local", "hosted"]).default("local")).option("--api-token <token>", "token required for non-loopback mutation hosts").option("--hosted-token <token>", "hosted-mode token for local/dev use; deployments should prefer scoped hosted-token JSON in secret env").option("--hosted-sqlite-db <path>", "absolute SQLite database path on hosted cloud-mounted storage").option("--allow-hosted-local-store", "allow hosted mode to use local SQLite as an explicit fallback").option("--allow-unsafe-remote-mutations", "allow state-changing requests from non-loopback hosts without a token").option("-j, --json", "print JSON").action((opts) => {
   try {
     const { server } = serveUptime({
       host: opts.host,

package/dist/cloud-plan.js

@@ -21,7 +21,7 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.19");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.20");
   const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
   const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;

package/dist/index.js

@@ -4262,17 +4262,85 @@ function resolveApiToken(token) {
   return value?.trim() || undefined;
 }
 function resolveHostedTokens(options) {
-  if (options.hostedTokens?.length)
-    return options.hostedTokens;
+  const defaultWorkspaceId = process.env.HASNA_UPTIME_WORKSPACE_ID ?? "default";
+  if (options.hostedTokens?.length) {
+    return normalizeHostedTokenEntries(options.hostedTokens, defaultWorkspaceId);
+  }
+  const configuredTokens = process.env.HASNA_UPTIME_HOSTED_TOKENS;
+  if (configuredTokens?.trim()) {
+    return parseHostedTokensConfig(configuredTokens, defaultWorkspaceId, "HASNA_UPTIME_HOSTED_TOKENS");
+  }
   const token = options.hostedToken ?? process.env.HASNA_UPTIME_HOSTED_TOKEN;
   if (!token?.trim())
     return [];
+  return parseHostedTokenValue(token, defaultWorkspaceId, options.hostedToken ? "--hosted-token" : "HASNA_UPTIME_HOSTED_TOKEN");
+}
+var HOSTED_SCOPES = ["uptime:read", "uptime:write", "uptime:probe", "uptime:report", "uptime:admin"];
+var HOSTED_SCOPE_SET = new Set(HOSTED_SCOPES);
+var LEGACY_HOSTED_TOKEN_SCOPES = ["uptime:read", "uptime:write", "uptime:probe", "uptime:report"];
+function parseHostedTokenValue(value, defaultWorkspaceId, source) {
+  const trimmed = value.trim();
+  if (!trimmed)
+    return [];
+  if (trimmed.startsWith("{") || trimmed.startsWith("[")) {
+    return parseHostedTokensConfig(trimmed, defaultWorkspaceId, source);
+  }
+  if (isHostedProductionMode()) {
+    throw new ApiError(`${source} must be scoped hosted token JSON when HASNA_UPTIME_HOSTED_AUTH_MODE=production`, 500);
+  }
   return [{
-    token: token.trim(),
-    scopes: ["uptime:read", "uptime:write", "uptime:probe", "uptime:report"],
-    workspaceId: process.env.HASNA_UPTIME_WORKSPACE_ID ?? "default"
+    token: trimmed,
+    scopes: LEGACY_HOSTED_TOKEN_SCOPES,
+    workspaceId: defaultWorkspaceId
   }];
 }
+function parseHostedTokensConfig(value, defaultWorkspaceId, source) {
+  let parsed;
+  try {
+    parsed = JSON.parse(value);
+  } catch {
+    throw new ApiError(`${source} must be valid hosted token JSON`, 500);
+  }
+  const entries = Array.isArray(parsed) ? parsed : isRecord(parsed) && Array.isArray(parsed.tokens) ? parsed.tokens : isRecord(parsed) && typeof parsed.token === "string" ? [parsed] : undefined;
+  if (!entries)
+    throw new ApiError(`${source} must be a token object, token array, or object with tokens[]`, 500);
+  return normalizeHostedTokenEntries(entries, defaultWorkspaceId, source);
+}
+function normalizeHostedTokenEntries(entries, defaultWorkspaceId, source = "hostedTokens") {
+  const tokens = entries.map((entry, index) => normalizeHostedTokenEntry(entry, defaultWorkspaceId, `${source}[${index}]`));
+  if (tokens.length === 0)
+    throw new ApiError(`${source} must configure at least one hosted token`, 500);
+  return tokens;
+}
+function normalizeHostedTokenEntry(entry, defaultWorkspaceId, source) {
+  if (!isRecord(entry))
+    throw new ApiError(`${source} must be an object`, 500);
+  if (typeof entry.token !== "string" || !entry.token.trim()) {
+    throw new ApiError(`${source}.token is required`, 500);
+  }
+  const scopes = normalizeHostedScopes(entry.scopes, `${source}.scopes`);
+  const workspaceId = typeof entry.workspaceId === "string" && entry.workspaceId.trim() ? entry.workspaceId.trim() : defaultWorkspaceId;
+  return { token: entry.token.trim(), scopes, workspaceId };
+}
+function normalizeHostedScopes(value, source) {
+  if (!Array.isArray(value) || value.length === 0) {
+    throw new ApiError(`${source} must be a non-empty array`, 500);
+  }
+  const scopes = new Set;
+  for (const scope of value) {
+    if (typeof scope !== "string" || !HOSTED_SCOPE_SET.has(scope)) {
+      throw new ApiError(`${source} contains an invalid hosted scope`, 500);
+    }
+    scopes.add(scope);
+  }
+  return [...scopes];
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function isHostedProductionMode() {
+  return process.env.HASNA_UPTIME_HOSTED_AUTH_MODE === "production" || false;
+}
 function resolveHostedAllowedOrigins(options) {
   const configured = options.hostedAllowedOrigins ?? splitCsv(process.env.HASNA_UPTIME_ALLOWED_ORIGINS);
   return configured.map((origin) => normalizeAllowedOrigin(origin)).filter((origin) => Boolean(origin));
@@ -4349,7 +4417,7 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.19");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.20");
   const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
   const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;

package/docs/aws-deployment-runbook.md

@@ -207,7 +207,7 @@ ids. Use a scoped hosted token only from the operator secret store.
 
 ```bash
 EDGE_URL="$(terraform -chdir="$TF_DIR" output -raw protected_access_url)"
-: "${HOSTED_TOKEN_FILE:?set HOSTED_TOKEN_FILE to a 0600 file containing the scoped hosted token}"
+: "${HOSTED_TOKEN_FILE:?set HOSTED_TOKEN_FILE to a 0600 file containing the scoped read hosted token}"
 HOSTED_TOKEN="$(tr -d '\n' < "$HOSTED_TOKEN_FILE")"
 
 curl -fsS "$EDGE_URL/health"
@@ -225,6 +225,22 @@ Expected results:
 - Direct ALB origin access is denied unless it is the approved CloudFront origin
   path.
 
+Hosted deployments should store scoped hosted-token JSON in Secrets Manager, not
+a single broad raw token. The runtime accepts `HASNA_UPTIME_HOSTED_TOKENS` JSON
+or JSON-compatible `HASNA_UPTIME_HOSTED_TOKEN` values shaped like:
+
+```json
+{
+  "tokens": [
+    { "token": "<read-token>", "scopes": ["uptime:read"], "workspaceId": "<workspace-id>" },
+    { "token": "<write-token>", "scopes": ["uptime:write"], "workspaceId": "<workspace-id>" }
+  ]
+}
+```
+
+Do not record token values in runbooks, logs, task overrides, or deployment
+evidence.
+
 ## Logs And Alarms
 
 Inspect recent web logs without printing secrets:
@@ -330,14 +346,21 @@ aws efs create-mount-target \
 ```
 
 Validate the restored `/data/uptime/uptime.db` from a staging host or task with
-read-only SQLite integrity checks. Capture only counts and integrity status, not
-monitor targets or secrets:
+read-only SQLite integrity checks. For a zero-count pre-production deployment
+where `uptime.db` does not exist yet, create a representative restore-drill DB
+with the same SQLite access path and record it separately. Capture only counts
+and integrity status, not monitor targets or secrets:
 
 ```bash
 sqlite3 /mnt/restore/uptime/uptime.db 'PRAGMA integrity_check;'
 sqlite3 /mnt/restore/uptime/uptime.db 'SELECT COUNT(*) FROM monitors;'
 ```
 
+Do not count a restore as complete if the task only proves that EFS mounted.
+The evidence must include the restored DB path, `PRAGMA integrity_check = ok`,
+schema version, sanitized table counts, and cleanup proof for the temporary
+mount target and file system.
+
 After evidence is recorded, delete the staging mount target and restored file
 system. Never mount the restored file system over production during a drill.
 

package/infra/aws/main.tf

@@ -1153,6 +1153,7 @@ resource "aws_ecs_task_definition" "service" {
       }] : []
       environment = concat([
         { name = "HASNA_UPTIME_MODE", value = "hosted" },
+        { name = "HASNA_UPTIME_HOSTED_AUTH_MODE", value = "production" },
         { name = "HASNA_UPTIME_WORKSPACE_ID", value = var.workspace_id },
         { name = "HASNA_UPTIME_COMPONENT", value = each.key },
         { name = "HASNA_UPTIME_HOSTNAME", value = var.hostname },

package/infra/aws/terraform.tfvars.example

@@ -19,7 +19,7 @@ alb_ingress_cidr_blocks = []
 private_subnet_ids       = ["subnet-replace-private-a", "subnet-replace-private-b"]
 private_route_table_ids  = ["rtb-replace-private"]
 container_image          = "123456789012.dkr.ecr.us-east-1.amazonaws.com/open-uptime@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-runtime_package_version  = "0.1.19"
+runtime_package_version  = "0.1.20"
 certificate_arn          = null
 hosted_zone_id           = null
 app_env_secret_arn       = "arn:aws:secretsmanager:us-east-1:123456789012:secret:open-uptime/prod/app/env"

package/infra/aws/variables.tf

@@ -201,7 +201,7 @@ variable "container_image" {
 variable "runtime_package_version" {
   description = "Published @hasna/uptime package version that CodeBuild should build into the ECR image."
   type        = string
-  default     = "0.1.19"
+  default     = "0.1.20"
 
   validation {
     condition     = can(regex("^[0-9]+\\.[0-9]+\\.[0-9]+(-[0-9A-Za-z.-]+)?$", var.runtime_package_version))
@@ -242,7 +242,7 @@ variable "app_env_secret_arn" {
 }
 
 variable "hosted_token_secret_arn" {
-  description = "Secrets Manager/SSM ARN containing HASNA_UPTIME_HOSTED_TOKEN for hosted web auth bootstrap."
+  description = "Secrets Manager/SSM ARN injected as HASNA_UPTIME_HOSTED_TOKEN. Hosted deployments should store scoped hosted-token JSON descriptors here, not a single broad raw token."
   type        = string
 
   validation {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hasna/uptime",
-  "version": "0.1.19",
+  "version": "0.1.20",
   "description": "Local-first uptime and downtime monitoring service with CLI, MCP, SDK, SQLite persistence, and a dashboard.",
   "license": "Apache-2.0",
   "type": "module",