@hasna/uptime 0.1.19 → 0.1.21

package/CHANGELOG.md

@@ -6,6 +6,34 @@ project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [0.1.21] - 2026-06-28
+
+### Fixed
+
+- Fixed hosted production auth mode detection in bundled package output so
+  `NODE_ENV=production` rejects legacy raw hosted tokens unless scoped hosted
+  token JSON is configured.
+
+### Changed
+
+- Included all cloud deployment docs in the npm package so package consumers
+  receive the runtime security, source-of-truth, metadata, and runbook context.
+
+## [0.1.20] - 2026-06-28
+
+### Added
+
+- Added hosted-token JSON descriptor parsing from
+  `HASNA_UPTIME_HOSTED_TOKENS` and JSON-compatible
+  `HASNA_UPTIME_HOSTED_TOKEN` values, allowing deployed secrets to provide
+  scoped workspace tokens instead of one broad raw token.
+
+### Changed
+
+- Updated hosted auth docs and AWS runbook guidance to prefer scoped static
+  operator tokens for zero-count smokes while keeping full production
+  identity/RBAC as a live gate.
+
 ## [0.1.19] - 2026-06-28
 
 ### Added

package/README.md

@@ -93,6 +93,21 @@ non-loopback mutation hosts by default. For a trusted remote bind, set
 `Authorization: Bearer <token>` or `X-Uptime-Token: <token>`.
 Hosted mode additionally accepts comma-separated public origins from
 `HASNA_UPTIME_ALLOWED_ORIGINS` for deployments behind a TLS-terminating edge.
+Hosted tokens can be provided as a single legacy token through
+`HASNA_UPTIME_HOSTED_TOKEN`, or as scoped JSON through
+`HASNA_UPTIME_HOSTED_TOKENS`:
+
+```json
+{
+  "tokens": [
+    { "token": "read-token", "scopes": ["uptime:read"], "workspaceId": "default" },
+    { "token": "write-token", "scopes": ["uptime:write"], "workspaceId": "default" }
+  ]
+}
+```
+
+Use scoped JSON for hosted deployments. A single raw hosted token is kept only
+for local compatibility and expands to broad read/write/probe/report scopes.
 Endpoints that accept request bodies require `content-type: application/json`.
 
 ## Uptime Semantics

package/dist/api.js

@@ -4262,17 +4262,88 @@ function resolveApiToken(token) {
   return value?.trim() || undefined;
 }
 function resolveHostedTokens(options) {
-  if (options.hostedTokens?.length)
-    return options.hostedTokens;
+  const defaultWorkspaceId = process.env.HASNA_UPTIME_WORKSPACE_ID ?? "default";
+  if (options.hostedTokens?.length) {
+    return normalizeHostedTokenEntries(options.hostedTokens, defaultWorkspaceId);
+  }
+  const configuredTokens = process.env.HASNA_UPTIME_HOSTED_TOKENS;
+  if (configuredTokens?.trim()) {
+    return parseHostedTokensConfig(configuredTokens, defaultWorkspaceId, "HASNA_UPTIME_HOSTED_TOKENS");
+  }
   const token = options.hostedToken ?? process.env.HASNA_UPTIME_HOSTED_TOKEN;
   if (!token?.trim())
     return [];
+  return parseHostedTokenValue(token, defaultWorkspaceId, options.hostedToken ? "--hosted-token" : "HASNA_UPTIME_HOSTED_TOKEN");
+}
+var HOSTED_SCOPES = ["uptime:read", "uptime:write", "uptime:probe", "uptime:report", "uptime:admin"];
+var HOSTED_SCOPE_SET = new Set(HOSTED_SCOPES);
+var LEGACY_HOSTED_TOKEN_SCOPES = ["uptime:read", "uptime:write", "uptime:probe", "uptime:report"];
+function parseHostedTokenValue(value, defaultWorkspaceId, source) {
+  const trimmed = value.trim();
+  if (!trimmed)
+    return [];
+  if (trimmed.startsWith("{") || trimmed.startsWith("[")) {
+    return parseHostedTokensConfig(trimmed, defaultWorkspaceId, source);
+  }
+  if (isHostedProductionMode()) {
+    throw new ApiError(`${source} must be scoped hosted token JSON when HASNA_UPTIME_HOSTED_AUTH_MODE=production`, 500);
+  }
   return [{
-    token: token.trim(),
-    scopes: ["uptime:read", "uptime:write", "uptime:probe", "uptime:report"],
-    workspaceId: process.env.HASNA_UPTIME_WORKSPACE_ID ?? "default"
+    token: trimmed,
+    scopes: LEGACY_HOSTED_TOKEN_SCOPES,
+    workspaceId: defaultWorkspaceId
   }];
 }
+function parseHostedTokensConfig(value, defaultWorkspaceId, source) {
+  let parsed;
+  try {
+    parsed = JSON.parse(value);
+  } catch {
+    throw new ApiError(`${source} must be valid hosted token JSON`, 500);
+  }
+  const entries = Array.isArray(parsed) ? parsed : isRecord(parsed) && Array.isArray(parsed.tokens) ? parsed.tokens : isRecord(parsed) && typeof parsed.token === "string" ? [parsed] : undefined;
+  if (!entries)
+    throw new ApiError(`${source} must be a token object, token array, or object with tokens[]`, 500);
+  return normalizeHostedTokenEntries(entries, defaultWorkspaceId, source);
+}
+function normalizeHostedTokenEntries(entries, defaultWorkspaceId, source = "hostedTokens") {
+  const tokens = entries.map((entry, index) => normalizeHostedTokenEntry(entry, defaultWorkspaceId, `${source}[${index}]`));
+  if (tokens.length === 0)
+    throw new ApiError(`${source} must configure at least one hosted token`, 500);
+  return tokens;
+}
+function normalizeHostedTokenEntry(entry, defaultWorkspaceId, source) {
+  if (!isRecord(entry))
+    throw new ApiError(`${source} must be an object`, 500);
+  if (typeof entry.token !== "string" || !entry.token.trim()) {
+    throw new ApiError(`${source}.token is required`, 500);
+  }
+  const scopes = normalizeHostedScopes(entry.scopes, `${source}.scopes`);
+  const workspaceId = typeof entry.workspaceId === "string" && entry.workspaceId.trim() ? entry.workspaceId.trim() : defaultWorkspaceId;
+  return { token: entry.token.trim(), scopes, workspaceId };
+}
+function normalizeHostedScopes(value, source) {
+  if (!Array.isArray(value) || value.length === 0) {
+    throw new ApiError(`${source} must be a non-empty array`, 500);
+  }
+  const scopes = new Set;
+  for (const scope of value) {
+    if (typeof scope !== "string" || !HOSTED_SCOPE_SET.has(scope)) {
+      throw new ApiError(`${source} contains an invalid hosted scope`, 500);
+    }
+    scopes.add(scope);
+  }
+  return [...scopes];
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function isHostedProductionMode() {
+  return runtimeEnv("HASNA_UPTIME_HOSTED_AUTH_MODE") === "production" || runtimeEnv("NODE_ENV") === "production";
+}
+function runtimeEnv(name) {
+  return process.env[name];
+}
 function resolveHostedAllowedOrigins(options) {
   const configured = options.hostedAllowedOrigins ?? splitCsv(process.env.HASNA_UPTIME_ALLOWED_ORIGINS);
   return configured.map((origin) => normalizeAllowedOrigin(origin)).filter((origin) => Boolean(origin));

package/dist/cli/index.js

@@ -6856,17 +6856,88 @@ function resolveApiToken(token) {
   return value?.trim() || undefined;
 }
 function resolveHostedTokens(options) {
-  if (options.hostedTokens?.length)
-    return options.hostedTokens;
+  const defaultWorkspaceId = process.env.HASNA_UPTIME_WORKSPACE_ID ?? "default";
+  if (options.hostedTokens?.length) {
+    return normalizeHostedTokenEntries(options.hostedTokens, defaultWorkspaceId);
+  }
+  const configuredTokens = process.env.HASNA_UPTIME_HOSTED_TOKENS;
+  if (configuredTokens?.trim()) {
+    return parseHostedTokensConfig(configuredTokens, defaultWorkspaceId, "HASNA_UPTIME_HOSTED_TOKENS");
+  }
   const token = options.hostedToken ?? process.env.HASNA_UPTIME_HOSTED_TOKEN;
   if (!token?.trim())
     return [];
+  return parseHostedTokenValue(token, defaultWorkspaceId, options.hostedToken ? "--hosted-token" : "HASNA_UPTIME_HOSTED_TOKEN");
+}
+var HOSTED_SCOPES = ["uptime:read", "uptime:write", "uptime:probe", "uptime:report", "uptime:admin"];
+var HOSTED_SCOPE_SET = new Set(HOSTED_SCOPES);
+var LEGACY_HOSTED_TOKEN_SCOPES = ["uptime:read", "uptime:write", "uptime:probe", "uptime:report"];
+function parseHostedTokenValue(value, defaultWorkspaceId, source) {
+  const trimmed = value.trim();
+  if (!trimmed)
+    return [];
+  if (trimmed.startsWith("{") || trimmed.startsWith("[")) {
+    return parseHostedTokensConfig(trimmed, defaultWorkspaceId, source);
+  }
+  if (isHostedProductionMode()) {
+    throw new ApiError(`${source} must be scoped hosted token JSON when HASNA_UPTIME_HOSTED_AUTH_MODE=production`, 500);
+  }
   return [{
-    token: token.trim(),
-    scopes: ["uptime:read", "uptime:write", "uptime:probe", "uptime:report"],
-    workspaceId: process.env.HASNA_UPTIME_WORKSPACE_ID ?? "default"
+    token: trimmed,
+    scopes: LEGACY_HOSTED_TOKEN_SCOPES,
+    workspaceId: defaultWorkspaceId
   }];
 }
+function parseHostedTokensConfig(value, defaultWorkspaceId, source) {
+  let parsed;
+  try {
+    parsed = JSON.parse(value);
+  } catch {
+    throw new ApiError(`${source} must be valid hosted token JSON`, 500);
+  }
+  const entries = Array.isArray(parsed) ? parsed : isRecord(parsed) && Array.isArray(parsed.tokens) ? parsed.tokens : isRecord(parsed) && typeof parsed.token === "string" ? [parsed] : undefined;
+  if (!entries)
+    throw new ApiError(`${source} must be a token object, token array, or object with tokens[]`, 500);
+  return normalizeHostedTokenEntries(entries, defaultWorkspaceId, source);
+}
+function normalizeHostedTokenEntries(entries, defaultWorkspaceId, source = "hostedTokens") {
+  const tokens = entries.map((entry, index) => normalizeHostedTokenEntry(entry, defaultWorkspaceId, `${source}[${index}]`));
+  if (tokens.length === 0)
+    throw new ApiError(`${source} must configure at least one hosted token`, 500);
+  return tokens;
+}
+function normalizeHostedTokenEntry(entry, defaultWorkspaceId, source) {
+  if (!isRecord(entry))
+    throw new ApiError(`${source} must be an object`, 500);
+  if (typeof entry.token !== "string" || !entry.token.trim()) {
+    throw new ApiError(`${source}.token is required`, 500);
+  }
+  const scopes = normalizeHostedScopes(entry.scopes, `${source}.scopes`);
+  const workspaceId = typeof entry.workspaceId === "string" && entry.workspaceId.trim() ? entry.workspaceId.trim() : defaultWorkspaceId;
+  return { token: entry.token.trim(), scopes, workspaceId };
+}
+function normalizeHostedScopes(value, source) {
+  if (!Array.isArray(value) || value.length === 0) {
+    throw new ApiError(`${source} must be a non-empty array`, 500);
+  }
+  const scopes = new Set;
+  for (const scope of value) {
+    if (typeof scope !== "string" || !HOSTED_SCOPE_SET.has(scope)) {
+      throw new ApiError(`${source} contains an invalid hosted scope`, 500);
+    }
+    scopes.add(scope);
+  }
+  return [...scopes];
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function isHostedProductionMode() {
+  return runtimeEnv("HASNA_UPTIME_HOSTED_AUTH_MODE") === "production" || runtimeEnv("NODE_ENV") === "production";
+}
+function runtimeEnv(name) {
+  return process.env[name];
+}
 function resolveHostedAllowedOrigins(options) {
   const configured = options.hostedAllowedOrigins ?? splitCsv(process.env.HASNA_UPTIME_ALLOWED_ORIGINS);
   return configured.map((origin) => normalizeAllowedOrigin(origin)).filter((origin) => Boolean(origin));
@@ -6943,7 +7014,7 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.19");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.21");
   const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
   const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;
@@ -7756,7 +7827,7 @@ program2.command("restore <backup-path>").description("Restore a verified local
     fail(error);
   }
 });
-program2.command("serve").description("Serve the local API and dashboard").option("--host <host>", "host to bind", "127.0.0.1").option("--port <port>", "port", parseInteger, 3899).option("--check", "run the scheduler while serving").addOption(new Option("--mode <mode>", "runtime mode").choices(["local", "hosted"]).default("local")).option("--api-token <token>", "token required for non-loopback mutation hosts").option("--hosted-token <token>", "scoped hosted-mode token").option("--hosted-sqlite-db <path>", "absolute SQLite database path on hosted cloud-mounted storage").option("--allow-hosted-local-store", "allow hosted mode to use local SQLite as an explicit fallback").option("--allow-unsafe-remote-mutations", "allow state-changing requests from non-loopback hosts without a token").option("-j, --json", "print JSON").action((opts) => {
+program2.command("serve").description("Serve the local API and dashboard").option("--host <host>", "host to bind", "127.0.0.1").option("--port <port>", "port", parseInteger, 3899).option("--check", "run the scheduler while serving").addOption(new Option("--mode <mode>", "runtime mode").choices(["local", "hosted"]).default("local")).option("--api-token <token>", "token required for non-loopback mutation hosts").option("--hosted-token <token>", "hosted-mode token for local/dev use; deployments should prefer scoped hosted-token JSON in secret env").option("--hosted-sqlite-db <path>", "absolute SQLite database path on hosted cloud-mounted storage").option("--allow-hosted-local-store", "allow hosted mode to use local SQLite as an explicit fallback").option("--allow-unsafe-remote-mutations", "allow state-changing requests from non-loopback hosts without a token").option("-j, --json", "print JSON").action((opts) => {
   try {
     const { server } = serveUptime({
       host: opts.host,

package/dist/cloud-plan.js

@@ -21,7 +21,7 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.19");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.21");
   const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
   const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;

package/dist/index.js

@@ -4262,17 +4262,88 @@ function resolveApiToken(token) {
   return value?.trim() || undefined;
 }
 function resolveHostedTokens(options) {
-  if (options.hostedTokens?.length)
-    return options.hostedTokens;
+  const defaultWorkspaceId = process.env.HASNA_UPTIME_WORKSPACE_ID ?? "default";
+  if (options.hostedTokens?.length) {
+    return normalizeHostedTokenEntries(options.hostedTokens, defaultWorkspaceId);
+  }
+  const configuredTokens = process.env.HASNA_UPTIME_HOSTED_TOKENS;
+  if (configuredTokens?.trim()) {
+    return parseHostedTokensConfig(configuredTokens, defaultWorkspaceId, "HASNA_UPTIME_HOSTED_TOKENS");
+  }
   const token = options.hostedToken ?? process.env.HASNA_UPTIME_HOSTED_TOKEN;
   if (!token?.trim())
     return [];
+  return parseHostedTokenValue(token, defaultWorkspaceId, options.hostedToken ? "--hosted-token" : "HASNA_UPTIME_HOSTED_TOKEN");
+}
+var HOSTED_SCOPES = ["uptime:read", "uptime:write", "uptime:probe", "uptime:report", "uptime:admin"];
+var HOSTED_SCOPE_SET = new Set(HOSTED_SCOPES);
+var LEGACY_HOSTED_TOKEN_SCOPES = ["uptime:read", "uptime:write", "uptime:probe", "uptime:report"];
+function parseHostedTokenValue(value, defaultWorkspaceId, source) {
+  const trimmed = value.trim();
+  if (!trimmed)
+    return [];
+  if (trimmed.startsWith("{") || trimmed.startsWith("[")) {
+    return parseHostedTokensConfig(trimmed, defaultWorkspaceId, source);
+  }
+  if (isHostedProductionMode()) {
+    throw new ApiError(`${source} must be scoped hosted token JSON when HASNA_UPTIME_HOSTED_AUTH_MODE=production`, 500);
+  }
   return [{
-    token: token.trim(),
-    scopes: ["uptime:read", "uptime:write", "uptime:probe", "uptime:report"],
-    workspaceId: process.env.HASNA_UPTIME_WORKSPACE_ID ?? "default"
+    token: trimmed,
+    scopes: LEGACY_HOSTED_TOKEN_SCOPES,
+    workspaceId: defaultWorkspaceId
   }];
 }
+function parseHostedTokensConfig(value, defaultWorkspaceId, source) {
+  let parsed;
+  try {
+    parsed = JSON.parse(value);
+  } catch {
+    throw new ApiError(`${source} must be valid hosted token JSON`, 500);
+  }
+  const entries = Array.isArray(parsed) ? parsed : isRecord(parsed) && Array.isArray(parsed.tokens) ? parsed.tokens : isRecord(parsed) && typeof parsed.token === "string" ? [parsed] : undefined;
+  if (!entries)
+    throw new ApiError(`${source} must be a token object, token array, or object with tokens[]`, 500);
+  return normalizeHostedTokenEntries(entries, defaultWorkspaceId, source);
+}
+function normalizeHostedTokenEntries(entries, defaultWorkspaceId, source = "hostedTokens") {
+  const tokens = entries.map((entry, index) => normalizeHostedTokenEntry(entry, defaultWorkspaceId, `${source}[${index}]`));
+  if (tokens.length === 0)
+    throw new ApiError(`${source} must configure at least one hosted token`, 500);
+  return tokens;
+}
+function normalizeHostedTokenEntry(entry, defaultWorkspaceId, source) {
+  if (!isRecord(entry))
+    throw new ApiError(`${source} must be an object`, 500);
+  if (typeof entry.token !== "string" || !entry.token.trim()) {
+    throw new ApiError(`${source}.token is required`, 500);
+  }
+  const scopes = normalizeHostedScopes(entry.scopes, `${source}.scopes`);
+  const workspaceId = typeof entry.workspaceId === "string" && entry.workspaceId.trim() ? entry.workspaceId.trim() : defaultWorkspaceId;
+  return { token: entry.token.trim(), scopes, workspaceId };
+}
+function normalizeHostedScopes(value, source) {
+  if (!Array.isArray(value) || value.length === 0) {
+    throw new ApiError(`${source} must be a non-empty array`, 500);
+  }
+  const scopes = new Set;
+  for (const scope of value) {
+    if (typeof scope !== "string" || !HOSTED_SCOPE_SET.has(scope)) {
+      throw new ApiError(`${source} contains an invalid hosted scope`, 500);
+    }
+    scopes.add(scope);
+  }
+  return [...scopes];
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function isHostedProductionMode() {
+  return runtimeEnv("HASNA_UPTIME_HOSTED_AUTH_MODE") === "production" || runtimeEnv("NODE_ENV") === "production";
+}
+function runtimeEnv(name) {
+  return process.env[name];
+}
 function resolveHostedAllowedOrigins(options) {
   const configured = options.hostedAllowedOrigins ?? splitCsv(process.env.HASNA_UPTIME_ALLOWED_ORIGINS);
   return configured.map((origin) => normalizeAllowedOrigin(origin)).filter((origin) => Boolean(origin));
@@ -4349,7 +4420,7 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.19");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.21");
   const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
   const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;

package/docs/architecture.md

@@ -0,0 +1,43 @@
+# Architecture
+
+Open Uptime has four public surfaces over one local service model:
+
+- SDK: `createUptimeClient()`
+- CLI: `uptime`
+- MCP: `uptime-mcp`
+- API/dashboard: `uptime serve`
+
+State is stored in SQLite through `UptimeStore`. `UptimeService` owns monitor
+checks, retry policy, incident reconciliation, scheduler ticks, and summaries.
+The CLI, MCP server, and API call the service rather than maintaining separate
+business logic.
+
+The local HTTP API is intended for same-origin dashboard use and local
+automation. State-changing API requests reject mismatched browser `Origin`
+headers, and JSON mutation endpoints require `content-type: application/json`.
+
+## Data Model
+
+- `monitors`: configured HTTP/TCP monitors and current status.
+- `check_results`: immutable check attempts after retry resolution.
+- `incidents`: open/closed downtime windows per monitor.
+
+## Check Semantics
+
+HTTP monitors are up when the request completes before timeout and the response
+status is either the configured `expectedStatus` or any 2xx/3xx status when no
+specific status is configured. TCP monitors are up when a connection can be
+opened before timeout.
+
+Retries happen before a result is recorded. One stored check result represents
+the final outcome for that scheduled check.
+
+Monitor interval, timeout, and retry settings are bounded in the store so every
+surface (SDK, CLI, API, and MCP) shares the same protection against runaway
+checks. MCP schemas mirror those bounds for earlier validation.
+
+`uptimePercent` is intentionally a check-count availability metric in the first
+release: up stored results divided by all stored results for that monitor. It is
+not elapsed-time SLA accounting. Incident windows are stored separately so a
+later report can add duration-based availability without changing the check
+history model.

package/docs/aws-deployment-runbook.md

@@ -207,7 +207,7 @@ ids. Use a scoped hosted token only from the operator secret store.
 
 ```bash
 EDGE_URL="$(terraform -chdir="$TF_DIR" output -raw protected_access_url)"
-: "${HOSTED_TOKEN_FILE:?set HOSTED_TOKEN_FILE to a 0600 file containing the scoped hosted token}"
+: "${HOSTED_TOKEN_FILE:?set HOSTED_TOKEN_FILE to a 0600 file containing the scoped read hosted token}"
 HOSTED_TOKEN="$(tr -d '\n' < "$HOSTED_TOKEN_FILE")"
 
 curl -fsS "$EDGE_URL/health"
@@ -225,6 +225,22 @@ Expected results:
 - Direct ALB origin access is denied unless it is the approved CloudFront origin
   path.
 
+Hosted deployments should store scoped hosted-token JSON in Secrets Manager, not
+a single broad raw token. The runtime accepts `HASNA_UPTIME_HOSTED_TOKENS` JSON
+or JSON-compatible `HASNA_UPTIME_HOSTED_TOKEN` values shaped like:
+
+```json
+{
+  "tokens": [
+    { "token": "<read-token>", "scopes": ["uptime:read"], "workspaceId": "<workspace-id>" },
+    { "token": "<write-token>", "scopes": ["uptime:write"], "workspaceId": "<workspace-id>" }
+  ]
+}
+```
+
+Do not record token values in runbooks, logs, task overrides, or deployment
+evidence.
+
 ## Logs And Alarms
 
 Inspect recent web logs without printing secrets:
@@ -330,14 +346,21 @@ aws efs create-mount-target \
 ```
 
 Validate the restored `/data/uptime/uptime.db` from a staging host or task with
-read-only SQLite integrity checks. Capture only counts and integrity status, not
-monitor targets or secrets:
+read-only SQLite integrity checks. For a zero-count pre-production deployment
+where `uptime.db` does not exist yet, create a representative restore-drill DB
+with the same SQLite access path and record it separately. Capture only counts
+and integrity status, not monitor targets or secrets:
 
 ```bash
 sqlite3 /mnt/restore/uptime/uptime.db 'PRAGMA integrity_check;'
 sqlite3 /mnt/restore/uptime/uptime.db 'SELECT COUNT(*) FROM monitors;'
 ```
 
+Do not count a restore as complete if the task only proves that EFS mounted.
+The evidence must include the restored DB path, `PRAGMA integrity_check = ok`,
+schema version, sanitized table counts, and cleanup proof for the temporary
+mount target and file system.
+
 After evidence is recorded, delete the staging mount target and restored file
 system. Never mount the restored file system over production during a drill.