@hasna/uptime 0.1.2 → 0.1.4

package/dist/store.js

@@ -9,6 +9,9 @@ function uptimeHome() {
 function uptimeDbPath() {
   return process.env.HASNA_UPTIME_DB || join(uptimeHome(), "uptime.db");
 }
+function uptimeHostedFallbackDbPath() {
+  return process.env.HASNA_UPTIME_HOSTED_FALLBACK_DB || join(uptimeHome(), "hosted-fallback", "uptime.db");
+}
 function ensureUptimeHome() {
   const home = uptimeHome();
   mkdirSync(home, { recursive: true });
@@ -16,11 +19,84 @@ function ensureUptimeHome() {
 }
 
 // src/store.ts
-import { mkdirSync as mkdirSync2 } from "fs";
-import { dirname } from "path";
+import { copyFileSync, existsSync, mkdirSync as mkdirSync2, statSync } from "fs";
+import { dirname, join as join2 } from "path";
 import { randomUUID } from "crypto";
 import { Database } from "bun:sqlite";
 
+// src/target-policy.ts
+import net from "net";
+var SECRET_PARAM_PATTERN = /(token|secret|password|passwd|api[_-]?key|access[_-]?token|auth|credential|session)/i;
+function assertHostedTargetAllowed(target) {
+  if (target.kind === "http" || target.kind === "browser_page") {
+    if (!target.url)
+      throw new Error("HTTP monitors require url");
+    assertHostedHttpUrlAllowed(target.url);
+    return;
+  }
+  if (target.kind === "tcp") {
+    if (!target.host)
+      throw new Error("TCP monitors require host");
+    assertHostedHostAllowed(target.host, "TCP host");
+    if (!Number.isInteger(target.port) || target.port <= 0 || target.port > 65535) {
+      throw new Error("TCP monitors require a port from 1 to 65535");
+    }
+    return;
+  }
+  throw new Error("Monitor kind must be http, tcp, or browser_page");
+}
+function assertHostedHttpUrlAllowed(value) {
+  const parsed = new URL(value);
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    throw new Error("HTTP monitor url must use http or https");
+  }
+  if (parsed.username || parsed.password) {
+    throw new Error("hosted target URLs must not contain userinfo");
+  }
+  for (const key of parsed.searchParams.keys()) {
+    if (SECRET_PARAM_PATTERN.test(key)) {
+      throw new Error(`hosted target URL query parameter is not allowed: ${key}`);
+    }
+  }
+  if (parsed.hash && SECRET_PARAM_PATTERN.test(parsed.hash)) {
+    throw new Error("hosted target URL fragment contains secret-like data");
+  }
+  assertHostedHostAllowed(parsed.hostname, "HTTP host");
+}
+function assertHostedHostAllowed(hostname, label = "host") {
+  const host = normalizeHost(hostname);
+  if (!host)
+    throw new Error(`${label} is required`);
+  if (host === "localhost" || host.endsWith(".localhost")) {
+    throw new Error(`${label} is not allowed in hosted mode: localhost`);
+  }
+  if (host.endsWith(".local") || host.endsWith(".internal")) {
+    throw new Error(`${label} is not allowed in hosted mode: private DNS name`);
+  }
+  const ipVersion = net.isIP(host);
+  if (ipVersion === 4 && isDeniedIpv4(host)) {
+    throw new Error(`${label} is not allowed in hosted mode: private or reserved IPv4`);
+  }
+  if (ipVersion === 6 && isDeniedIpv6(host)) {
+    throw new Error(`${label} is not allowed in hosted mode: private or reserved IPv6`);
+  }
+}
+function normalizeHost(hostname) {
+  return hostname.trim().toLowerCase().replace(/^\[|\]$/g, "").replace(/\.$/, "");
+}
+function isDeniedIpv4(ip) {
+  const parts = ip.split(".").map((part) => Number(part));
+  if (parts.length !== 4 || parts.some((part) => !Number.isInteger(part) || part < 0 || part > 255)) {
+    return true;
+  }
+  const [a, b] = parts;
+  return a === 0 || a === 10 || a === 127 || a === 100 && b >= 64 && b <= 127 || a === 169 && b === 254 || a === 172 && b >= 16 && b <= 31 || a === 192 && b === 168 || a >= 224;
+}
+function isDeniedIpv6(ip) {
+  const normalized = ip.toLowerCase();
+  return normalized === "::" || normalized === "::1" || normalized.startsWith("fe80:") || normalized.startsWith("fc") || normalized.startsWith("fd") || normalized.startsWith("ff") || normalized.startsWith("::ffff:127.") || normalized.startsWith("::ffff:10.") || normalized.startsWith("::ffff:169.254.") || /^::ffff:172\.(1[6-9]|2\d|3[0-1])\./.test(normalized) || normalized.startsWith("::ffff:192.168.");
+}
+
 // src/limits.ts
 var MIN_INTERVAL_SECONDS = 1;
 var MAX_INTERVAL_SECONDS = 86400;
@@ -31,6 +107,26 @@ var MAX_RETRY_COUNT = 10;
 var MAX_RESULT_LIMIT = 1000;
 
 // src/store.ts
+var SECRET_URL_PARAM_PATTERN = /(token|secret|password|passwd|api[_-]?key|access[_-]?token|auth|credential|session)/i;
+var REQUIRED_TABLES = [
+  "schema_migrations",
+  "monitors",
+  "check_results",
+  "incidents",
+  "check_leases",
+  "monitor_provenance",
+  "import_batches",
+  "probe_identities",
+  "probe_check_jobs",
+  "probe_submissions",
+  "report_schedules",
+  "report_runs",
+  "audit_events"
+];
+var PROBE_TABLES = new Set(["probe_identities", "probe_check_jobs", "probe_submissions"]);
+var REPORT_AUDIT_TABLES = new Set(["report_schedules", "report_runs", "audit_events"]);
+var CURRENT_SCHEMA_VERSION = "3";
+
 class StaleCheckResultError extends Error {
   constructor(message) {
     super(message);
@@ -40,9 +136,20 @@ class StaleCheckResultError extends Error {
 
 class UptimeStore {
   dbPath;
+  mode;
+  dataMode;
   db;
   constructor(options = {}) {
-    this.dbPath = options.dbPath ?? uptimeDbPath();
+    this.mode = resolveRuntimeMode(options.mode ?? "local");
+    const cloudDatabaseUrl = options.cloudDatabaseUrl ?? process.env.HASNA_UPTIME_DATABASE_URL;
+    if (this.mode === "hosted" && cloudDatabaseUrl) {
+      throw new Error("hosted cloud database adapter is not implemented yet");
+    }
+    if (this.mode === "hosted" && !allowHostedLocalStore(options.allowHostedLocalStore)) {
+      throw new Error("hosted mode requires a cloud data layer; set HASNA_UPTIME_ALLOW_HOSTED_LOCAL_STORE=1 only for explicit local fallback testing");
+    }
+    this.dataMode = this.mode === "hosted" ? "hosted-local-sqlite" : "local-sqlite";
+    this.dbPath = options.dbPath ?? (this.mode === "hosted" ? uptimeHostedFallbackDbPath() : uptimeDbPath());
     if (this.dbPath !== ":memory:") {
       mkdirSync2(dirname(this.dbPath), { recursive: true });
     }
@@ -59,7 +166,7 @@ class UptimeStore {
       CREATE TABLE IF NOT EXISTS monitors (
         id TEXT PRIMARY KEY,
         name TEXT NOT NULL UNIQUE,
-        kind TEXT NOT NULL CHECK (kind IN ('http', 'tcp')),
+        kind TEXT NOT NULL CHECK (kind IN ('http', 'tcp', 'browser_page')),
         url TEXT,
         host TEXT,
         port INTEGER,
@@ -77,6 +184,7 @@ class UptimeStore {
       )
     `);
     this.ensureColumn("monitors", "revision", "INTEGER NOT NULL DEFAULT 1");
+    this.ensureMonitorKindAllowsBrowserPage();
     this.db.run(`
       CREATE TABLE IF NOT EXISTS check_results (
         id TEXT PRIMARY KEY,
@@ -86,9 +194,11 @@ class UptimeStore {
         latency_ms REAL,
         status_code INTEGER,
         error TEXT,
-        attempt_count INTEGER NOT NULL DEFAULT 1
+        attempt_count INTEGER NOT NULL DEFAULT 1,
+        evidence_json TEXT
       )
     `);
+    this.ensureColumn("check_results", "evidence_json", "TEXT");
     this.db.run(`
       CREATE TABLE IF NOT EXISTS incidents (
         id TEXT PRIMARY KEY,
@@ -102,6 +212,71 @@ class UptimeStore {
         reason TEXT
       )
     `);
+    this.db.run(`
+      CREATE TABLE IF NOT EXISTS monitor_provenance (
+        monitor_id TEXT NOT NULL REFERENCES monitors(id) ON DELETE CASCADE,
+        source TEXT NOT NULL,
+        source_id TEXT NOT NULL,
+        source_label TEXT,
+        imported_at TEXT NOT NULL,
+        snapshot_json TEXT NOT NULL,
+        PRIMARY KEY (source, source_id)
+      )
+    `);
+    this.db.run(`
+      CREATE TABLE IF NOT EXISTS import_batches (
+        id TEXT PRIMARY KEY,
+        source TEXT NOT NULL,
+        status TEXT NOT NULL CHECK (status IN ('applied', 'rolled_back')),
+        created_at TEXT NOT NULL,
+        rolled_back_at TEXT,
+        records_json TEXT NOT NULL
+      )
+    `);
+    this.db.run(`
+      CREATE TABLE IF NOT EXISTS probe_identities (
+        id TEXT PRIMARY KEY,
+        name TEXT NOT NULL UNIQUE,
+        public_key_pem TEXT NOT NULL,
+        public_key_fingerprint TEXT NOT NULL UNIQUE,
+        enabled INTEGER NOT NULL DEFAULT 1,
+        created_at TEXT NOT NULL,
+        last_seen_at TEXT
+      )
+    `);
+    this.db.run(`
+      CREATE TABLE IF NOT EXISTS probe_submissions (
+        id TEXT PRIMARY KEY,
+        probe_id TEXT NOT NULL REFERENCES probe_identities(id) ON DELETE CASCADE,
+        job_id TEXT NOT NULL,
+        monitor_id TEXT NOT NULL REFERENCES monitors(id) ON DELETE CASCADE,
+        check_result_id TEXT NOT NULL REFERENCES check_results(id) ON DELETE CASCADE,
+        nonce TEXT NOT NULL,
+        checked_at TEXT NOT NULL,
+        submitted_at TEXT NOT NULL,
+        UNIQUE (probe_id, nonce)
+      )
+    `);
+    this.ensureColumn("probe_submissions", "job_id", "TEXT");
+    this.db.run(`
+      CREATE TABLE IF NOT EXISTS probe_check_jobs (
+        id TEXT PRIMARY KEY,
+        monitor_id TEXT NOT NULL REFERENCES monitors(id) ON DELETE CASCADE,
+        monitor_revision INTEGER NOT NULL DEFAULT 1,
+        schedule_slot TEXT NOT NULL,
+        status TEXT NOT NULL CHECK (status IN ('pending', 'claimed', 'submitted', 'expired', 'cancelled')),
+        claimed_by_probe_id TEXT REFERENCES probe_identities(id) ON DELETE SET NULL,
+        fencing_token TEXT,
+        due_at TEXT NOT NULL,
+        claimed_at TEXT,
+        lease_expires_at TEXT,
+        submitted_result_id TEXT REFERENCES check_results(id) ON DELETE SET NULL,
+        created_at TEXT NOT NULL,
+        updated_at TEXT NOT NULL,
+        UNIQUE (monitor_id, schedule_slot)
+      )
+    `);
+    this.ensureColumn("probe_check_jobs", "monitor_revision", "INTEGER NOT NULL DEFAULT 1");
     this.db.run(`
       CREATE TABLE IF NOT EXISTS check_leases (
         monitor_id TEXT PRIMARY KEY REFERENCES monitors(id) ON DELETE CASCADE,
@@ -110,12 +285,113 @@ class UptimeStore {
         acquired_at TEXT NOT NULL
       )
     `);
+    this.db.run(`
+      CREATE TABLE IF NOT EXISTS report_schedules (
+        id TEXT PRIMARY KEY,
+        name TEXT NOT NULL UNIQUE,
+        enabled INTEGER NOT NULL DEFAULT 1,
+        interval_seconds INTEGER NOT NULL,
+        next_run_at TEXT NOT NULL,
+        last_run_at TEXT,
+        subject TEXT,
+        channels_json TEXT NOT NULL,
+        created_at TEXT NOT NULL,
+        updated_at TEXT NOT NULL
+      )
+    `);
+    this.db.run(`
+      CREATE TABLE IF NOT EXISTS report_runs (
+        id TEXT PRIMARY KEY,
+        schedule_id TEXT REFERENCES report_schedules(id) ON DELETE SET NULL,
+        status TEXT NOT NULL CHECK (status IN ('success', 'failed')),
+        started_at TEXT NOT NULL,
+        finished_at TEXT NOT NULL,
+        deliveries_json TEXT NOT NULL,
+        error TEXT,
+        report_json TEXT
+      )
+    `);
+    this.db.run(`
+      CREATE TABLE IF NOT EXISTS audit_events (
+        id TEXT PRIMARY KEY,
+        action TEXT NOT NULL,
+        resource_type TEXT,
+        resource_id TEXT,
+        message TEXT,
+        metadata_json TEXT NOT NULL DEFAULT '{}',
+        actor TEXT,
+        created_at TEXT NOT NULL
+      )
+    `);
+    this.db.run(`
+      CREATE TABLE IF NOT EXISTS schema_migrations (
+        key TEXT PRIMARY KEY,
+        value TEXT NOT NULL,
+        updated_at TEXT NOT NULL
+      )
+    `);
+    this.db.query("INSERT OR REPLACE INTO schema_migrations (key, value, updated_at) VALUES ('schema_version', ?, ?)").run(CURRENT_SCHEMA_VERSION, new Date().toISOString());
     this.db.run("CREATE INDEX IF NOT EXISTS idx_results_monitor_time ON check_results(monitor_id, checked_at DESC)");
     this.db.run("CREATE INDEX IF NOT EXISTS idx_incidents_monitor_status ON incidents(monitor_id, status)");
     this.db.run("CREATE INDEX IF NOT EXISTS idx_check_leases_until ON check_leases(leased_until)");
+    this.db.run("CREATE INDEX IF NOT EXISTS idx_monitor_provenance_monitor ON monitor_provenance(monitor_id)");
+    this.db.run("CREATE INDEX IF NOT EXISTS idx_probe_jobs_status_due ON probe_check_jobs(status, due_at)");
+    this.db.run("CREATE INDEX IF NOT EXISTS idx_probe_jobs_probe_status ON probe_check_jobs(claimed_by_probe_id, status)");
+    this.db.run("CREATE INDEX IF NOT EXISTS idx_probe_submissions_probe_time ON probe_submissions(probe_id, submitted_at DESC)");
+    this.db.run("CREATE INDEX IF NOT EXISTS idx_probe_submissions_monitor_time ON probe_submissions(monitor_id, checked_at DESC)");
+    this.db.run("CREATE UNIQUE INDEX IF NOT EXISTS idx_probe_submissions_job ON probe_submissions(job_id) WHERE job_id IS NOT NULL AND job_id != ''");
+    this.db.run("CREATE INDEX IF NOT EXISTS idx_report_schedules_due ON report_schedules(enabled, next_run_at)");
+    this.db.run("CREATE INDEX IF NOT EXISTS idx_report_runs_schedule_time ON report_runs(schedule_id, started_at DESC)");
+    this.db.run("CREATE INDEX IF NOT EXISTS idx_audit_events_resource_time ON audit_events(resource_type, resource_id, created_at DESC)");
+    this.db.run("CREATE INDEX IF NOT EXISTS idx_audit_events_time ON audit_events(created_at DESC)");
+  }
+  backup(destinationPath) {
+    if (this.dbPath === ":memory:" && !destinationPath) {
+      throw new Error("backup path is required for in-memory stores");
+    }
+    const createdAt = new Date().toISOString();
+    const backupPath = destinationPath ?? join2(dirname(this.dbPath), "backups", `uptime-${createdAt.replace(/[:.]/g, "-")}.db`);
+    mkdirSync2(dirname(backupPath), { recursive: true });
+    if (this.dbPath === ":memory:") {
+      this.vacuumInto(backupPath);
+    } else {
+      this.db.run("PRAGMA wal_checkpoint(TRUNCATE)");
+      copyFileSync(this.dbPath, backupPath);
+    }
+    const bytes = statSync(backupPath).size;
+    return { sourcePath: this.dbPath, backupPath, bytes, createdAt };
   }
-  createMonitor(input) {
-    const normalized = normalizeCreateMonitor(input);
+  verifyBackup(backupPath) {
+    return verifyBackupFile(backupPath);
+  }
+  static verifyBackup(backupPath) {
+    return verifyBackupFile(backupPath);
+  }
+  static restoreBackup(backupPath, destinationPath = uptimeDbPath()) {
+    const check = verifyBackupFile(backupPath);
+    if (!check.ok)
+      throw new Error(`backup integrity check failed: ${check.integrity}`);
+    if (destinationPath === ":memory:")
+      throw new Error("cannot restore a backup to an in-memory store");
+    if (existsSync(destinationPath) || existsSync(`${destinationPath}-wal`) || existsSync(`${destinationPath}-shm`)) {
+      throw new Error("restore destination already exists or has SQLite sidecar files");
+    }
+    mkdirSync2(dirname(destinationPath), { recursive: true });
+    copyFileSync(backupPath, destinationPath);
+    const bytes = statSync(destinationPath).size;
+    return {
+      sourcePath: backupPath,
+      backupPath: destinationPath,
+      bytes,
+      createdAt: new Date().toISOString()
+    };
+  }
+  createMonitor(input, options = {}) {
+    if (this.mode === "hosted")
+      assertHostedTargetAllowed(input);
+    const normalized = normalizeCreateMonitor(input, options.allowBrowserPage === true);
+    if (this.mode === "hosted")
+      assertHostedTargetAllowed(normalized);
     const now = new Date().toISOString();
     const monitor = {
       id: newId("mon"),
@@ -151,12 +427,22 @@ class UptimeStore {
     const row = this.db.query("SELECT * FROM monitors WHERE id = ? OR name = ?").get(idOrName, idOrName);
     return row ? monitorFromRow(row) : null;
   }
-  updateMonitor(idOrName, input) {
+  updateMonitor(idOrName, input, options = {}) {
     const current = this.getMonitor(idOrName);
     if (!current)
       throw new Error(`Monitor not found: ${idOrName}`);
+    if (this.mode === "hosted") {
+      assertHostedTargetAllowed({
+        kind: input.kind ?? current.kind,
+        url: input.url ?? current.url ?? undefined,
+        host: input.host ?? current.host ?? undefined,
+        port: input.port ?? current.port ?? undefined
+      });
+    }
     const updatedAt = new Date().toISOString();
-    const next = normalizeUpdateMonitor(current, input, updatedAt);
+    const next = normalizeUpdateMonitor(current, input, updatedAt, options.allowBrowserPage === true);
+    if (this.mode === "hosted")
+      assertHostedTargetAllowed(next);
     this.db.query(`UPDATE monitors SET
           name = ?, kind = ?, url = ?, host = ?, port = ?, method = ?,
           expected_status = ?, interval_seconds = ?, timeout_ms = ?,
@@ -175,6 +461,315 @@ class UptimeStore {
     this.db.query("DELETE FROM monitors WHERE id = ?").run(current.id);
     return true;
   }
+  createProbeIdentity(input) {
+    const name = input.name.trim();
+    if (!name)
+      throw new Error("Probe name is required");
+    rejectControlCharacters(name, "Probe name");
+    const now = new Date().toISOString();
+    const probe = {
+      id: newId("prb"),
+      name,
+      publicKeyPem: input.publicKeyPem.trim(),
+      publicKeyFingerprint: input.publicKeyFingerprint,
+      enabled: input.enabled ?? true,
+      createdAt: now,
+      lastSeenAt: null
+    };
+    if (!probe.publicKeyPem)
+      throw new Error("Probe public key is required");
+    this.db.query(`INSERT INTO probe_identities (
+          id, name, public_key_pem, public_key_fingerprint, enabled, created_at, last_seen_at
+        ) VALUES (?, ?, ?, ?, ?, ?, ?)`).run(probe.id, probe.name, probe.publicKeyPem, probe.publicKeyFingerprint, probe.enabled ? 1 : 0, probe.createdAt, probe.lastSeenAt);
+    return probe;
+  }
+  listProbeIdentities(options = {}) {
+    const rows = options.includeDisabled ? this.db.query("SELECT * FROM probe_identities ORDER BY name ASC").all() : this.db.query("SELECT * FROM probe_identities WHERE enabled = 1 ORDER BY name ASC").all();
+    return rows.map(probeIdentityFromRow);
+  }
+  getProbeIdentity(idOrName) {
+    const row = this.db.query("SELECT * FROM probe_identities WHERE id = ? OR name = ?").get(idOrName, idOrName);
+    return row ? probeIdentityFromRow(row) : null;
+  }
+  updateProbeIdentity(idOrName, input) {
+    const current = this.getProbeIdentity(idOrName);
+    if (!current)
+      throw new Error(`Probe not found: ${idOrName}`);
+    const name = input.name === undefined ? current.name : input.name.trim();
+    if (!name)
+      throw new Error("Probe name is required");
+    rejectControlCharacters(name, "Probe name");
+    const enabled = input.enabled ?? current.enabled;
+    this.db.query("UPDATE probe_identities SET name = ?, enabled = ? WHERE id = ?").run(name, enabled ? 1 : 0, current.id);
+    return this.getProbeIdentity(current.id);
+  }
+  touchProbeIdentity(idOrName, seenAt = new Date().toISOString()) {
+    const probe = this.getProbeIdentity(idOrName);
+    if (!probe)
+      throw new Error(`Probe not found: ${idOrName}`);
+    this.db.query("UPDATE probe_identities SET last_seen_at = ? WHERE id = ?").run(seenAt, probe.id);
+  }
+  createProbeCheckJob(input) {
+    const monitor = this.getMonitor(input.monitorId);
+    if (!monitor)
+      throw new Error(`Monitor not found: ${input.monitorId}`);
+    if (!monitor.enabled)
+      throw new Error(`Monitor is disabled: ${monitor.name}`);
+    const scheduleSlot = normalizeScheduleSlot(input.scheduleSlot);
+    const dueAt = input.dueAt ?? new Date().toISOString();
+    assertIsoTimestamp(dueAt, "Probe job dueAt");
+    const now = new Date().toISOString();
+    const existing = this.db.query("SELECT * FROM probe_check_jobs WHERE monitor_id = ? AND schedule_slot = ?").get(monitor.id, scheduleSlot);
+    if (existing)
+      return probeCheckJobFromRow(existing);
+    const job = {
+      id: newId("job"),
+      monitorId: monitor.id,
+      monitorRevision: monitor.revision,
+      scheduleSlot,
+      status: "pending",
+      claimedByProbeId: null,
+      fencingToken: null,
+      dueAt,
+      claimedAt: null,
+      leaseExpiresAt: null,
+      submittedResultId: null,
+      createdAt: now,
+      updatedAt: now
+    };
+    this.db.query(`INSERT INTO probe_check_jobs (
+          id, monitor_id, monitor_revision, schedule_slot, status, claimed_by_probe_id, fencing_token,
+          due_at, claimed_at, lease_expires_at, submitted_result_id, created_at, updated_at
+        ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(job.id, job.monitorId, job.monitorRevision, job.scheduleSlot, job.status, job.claimedByProbeId, job.fencingToken, job.dueAt, job.claimedAt, job.leaseExpiresAt, job.submittedResultId, job.createdAt, job.updatedAt);
+    return job;
+  }
+  getProbeCheckJob(id) {
+    const row = this.db.query("SELECT * FROM probe_check_jobs WHERE id = ?").get(id);
+    return row ? probeCheckJobFromRow(row) : null;
+  }
+  claimProbeCheckJob(input) {
+    const tx = this.db.transaction(() => {
+      const probe = this.getProbeIdentity(input.probeId);
+      if (!probe)
+        throw new Error(`Probe not found: ${input.probeId}`);
+      if (!probe.enabled)
+        throw new Error(`Probe is disabled: ${probe.name}`);
+      const current = this.getProbeCheckJob(input.jobId);
+      if (!current)
+        throw new Error(`Probe job not found: ${input.jobId}`);
+      const now = new Date;
+      const nowIso = now.toISOString();
+      if (current.status === "submitted")
+        throw new Error("Probe job already submitted");
+      if (current.status === "cancelled")
+        throw new Error("Probe job is cancelled");
+      if (current.dueAt > nowIso)
+        throw new Error("Probe job is not due yet");
+      const leaseExpired = Boolean(current.leaseExpiresAt && current.leaseExpiresAt <= nowIso);
+      if (current.status === "claimed" && !leaseExpired && current.claimedByProbeId !== probe.id) {
+        throw new Error("Probe job already claimed by another probe");
+      }
+      if (current.status !== "pending" && current.status !== "claimed" && current.status !== "expired") {
+        throw new Error(`Probe job is not claimable: ${current.status}`);
+      }
+      const leaseExpiresAt = new Date(now.getTime() + Math.max(1000, input.leaseTtlMs ?? 120000)).toISOString();
+      const fencingToken = newId("fence");
+      const update = this.db.query(`UPDATE probe_check_jobs
+           SET status = 'claimed', claimed_by_probe_id = ?, fencing_token = ?, claimed_at = ?, lease_expires_at = ?, updated_at = ?
+           WHERE id = ?
+             AND submitted_result_id IS NULL
+             AND (
+               status IN ('pending', 'expired')
+               OR (status = 'claimed' AND (claimed_by_probe_id = ? OR lease_expires_at <= ?))
+             )`).run(probe.id, fencingToken, nowIso, leaseExpiresAt, nowIso, current.id, probe.id, nowIso);
+      if (statementChanges(update) !== 1)
+        throw new Error("Probe job claim raced; retry");
+      this.touchProbeIdentity(probe.id, nowIso);
+      return this.getProbeCheckJob(current.id);
+    });
+    return tx();
+  }
+  completeProbeCheckJob(input) {
+    const job = this.getProbeCheckJob(input.jobId);
+    if (!job)
+      throw new Error(`Probe job not found: ${input.jobId}`);
+    const submittedAt = input.submittedAt ?? new Date().toISOString();
+    if (job.status !== "claimed")
+      throw new Error(`Probe job is not claimable for submission: ${job.status}`);
+    if (job.claimedByProbeId !== input.probeId)
+      throw new Error("Probe job was claimed by another probe");
+    if (job.fencingToken !== input.fencingToken)
+      throw new Error("Probe job fencing token is invalid");
+    if (!job.leaseExpiresAt || job.leaseExpiresAt <= submittedAt) {
+      this.expireProbeCheckJob(job.id, submittedAt);
+      throw new Error("Probe job lease expired");
+    }
+    const update = this.db.query(`UPDATE probe_check_jobs
+         SET status = 'submitted', submitted_result_id = ?, updated_at = ?
+         WHERE id = ?
+           AND status = 'claimed'
+           AND claimed_by_probe_id = ?
+           AND fencing_token = ?
+           AND lease_expires_at > ?
+           AND submitted_result_id IS NULL`).run(input.checkResultId, submittedAt, job.id, input.probeId, input.fencingToken, submittedAt);
+    if (statementChanges(update) !== 1)
+      throw new Error("Probe job submission raced; retry");
+    return this.getProbeCheckJob(job.id);
+  }
+  expireProbeCheckJob(jobId, updatedAt = new Date().toISOString()) {
+    this.db.query("UPDATE probe_check_jobs SET status = 'expired', updated_at = ? WHERE id = ? AND status != 'submitted'").run(updatedAt, jobId);
+  }
+  getProbeSubmission(probeId, nonce) {
+    const row = this.db.query("SELECT * FROM probe_submissions WHERE probe_id = ? AND nonce = ?").get(probeId, nonce);
+    return row ? probeSubmissionFromRow(row) : null;
+  }
+  recordProbeSubmission(input) {
+    const submittedAt = input.submittedAt ?? new Date().toISOString();
+    const receipt = {
+      id: newId("psb"),
+      probeId: input.probeId,
+      jobId: input.jobId,
+      monitorId: input.monitorId,
+      checkResultId: input.checkResultId,
+      nonce: input.nonce,
+      checkedAt: input.checkedAt,
+      submittedAt
+    };
+    this.db.query(`INSERT INTO probe_submissions (
+          id, probe_id, job_id, monitor_id, check_result_id, nonce, checked_at, submitted_at
+        ) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`).run(receipt.id, receipt.probeId, receipt.jobId, receipt.monitorId, receipt.checkResultId, receipt.nonce, receipt.checkedAt, receipt.submittedAt);
+    return receipt;
+  }
+  createReportSchedule(input) {
+    const normalized = normalizeReportScheduleInput(input);
+    const now = new Date().toISOString();
+    const schedule = {
+      id: newId("rps"),
+      name: normalized.name,
+      enabled: normalized.enabled,
+      intervalSeconds: normalized.intervalSeconds,
+      nextRunAt: normalized.nextRunAt,
+      lastRunAt: null,
+      subject: normalized.subject,
+      channels: normalized.channels,
+      createdAt: now,
+      updatedAt: now
+    };
+    this.db.query(`INSERT INTO report_schedules (
+          id, name, enabled, interval_seconds, next_run_at, last_run_at,
+          subject, channels_json, created_at, updated_at
+        ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(schedule.id, schedule.name, schedule.enabled ? 1 : 0, schedule.intervalSeconds, schedule.nextRunAt, schedule.lastRunAt, schedule.subject, JSON.stringify(schedule.channels), schedule.createdAt, schedule.updatedAt);
+    return schedule;
+  }
+  listReportSchedules(options = {}) {
+    const rows = options.includeDisabled ? this.db.query("SELECT * FROM report_schedules ORDER BY name ASC").all() : this.db.query("SELECT * FROM report_schedules WHERE enabled = 1 ORDER BY name ASC").all();
+    return rows.map(reportScheduleFromRow);
+  }
+  listDueReportSchedules(nowIso = new Date().toISOString()) {
+    assertIsoTimestamp(nowIso, "Report schedule due timestamp");
+    const rows = this.db.query("SELECT * FROM report_schedules WHERE enabled = 1 AND next_run_at <= ? ORDER BY next_run_at ASC, name ASC").all(nowIso);
+    return rows.map(reportScheduleFromRow);
+  }
+  getReportSchedule(idOrName) {
+    const row = this.db.query("SELECT * FROM report_schedules WHERE id = ? OR name = ?").get(idOrName, idOrName);
+    return row ? reportScheduleFromRow(row) : null;
+  }
+  updateReportSchedule(idOrName, input) {
+    const current = this.getReportSchedule(idOrName);
+    if (!current)
+      throw new Error(`Report schedule not found: ${idOrName}`);
+    const normalized = normalizeReportScheduleInput({
+      name: input.name ?? current.name,
+      intervalSeconds: input.intervalSeconds ?? current.intervalSeconds,
+      nextRunAt: input.nextRunAt ?? current.nextRunAt,
+      enabled: input.enabled ?? current.enabled,
+      subject: input.subject === undefined ? current.subject : input.subject,
+      channels: input.channels ?? current.channels
+    });
+    const updatedAt = new Date().toISOString();
+    this.db.query(`UPDATE report_schedules SET
+          name = ?, enabled = ?, interval_seconds = ?, next_run_at = ?,
+          subject = ?, channels_json = ?, updated_at = ?
+        WHERE id = ?`).run(normalized.name, normalized.enabled ? 1 : 0, normalized.intervalSeconds, normalized.nextRunAt, normalized.subject, JSON.stringify(normalized.channels), updatedAt, current.id);
+    return this.getReportSchedule(current.id);
+  }
+  deleteReportSchedule(idOrName) {
+    const current = this.getReportSchedule(idOrName);
+    if (!current)
+      return false;
+    this.db.query("DELETE FROM report_schedules WHERE id = ?").run(current.id);
+    return true;
+  }
+  recordReportRun(input) {
+    const startedAt = input.startedAt ?? new Date().toISOString();
+    const finishedAt = input.finishedAt ?? new Date().toISOString();
+    assertIsoTimestamp(startedAt, "Report run startedAt");
+    assertIsoTimestamp(finishedAt, "Report run finishedAt");
+    if (input.status !== "success" && input.status !== "failed") {
+      throw new Error("Report run status must be success or failed");
+    }
+    if (input.scheduleId && !this.getReportSchedule(input.scheduleId)) {
+      throw new Error(`Report schedule not found: ${input.scheduleId}`);
+    }
+    const run = {
+      id: newId("rpr"),
+      scheduleId: input.scheduleId ?? null,
+      status: input.status,
+      startedAt,
+      finishedAt,
+      deliveries: normalizeReportDeliveries(input.deliveries ?? []),
+      error: normalizeNullableRedactedText(input.error, "Report run error", 1000),
+      reportJson: input.reportJson ?? null
+    };
+    this.db.query(`INSERT INTO report_runs (
+          id, schedule_id, status, started_at, finished_at, deliveries_json,
+          error, report_json
+        ) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`).run(run.id, run.scheduleId, run.status, run.startedAt, run.finishedAt, JSON.stringify(run.deliveries), run.error, run.reportJson ? JSON.stringify(run.reportJson) : null);
+    if (run.scheduleId) {
+      this.advanceReportSchedule(run.scheduleId, run.finishedAt);
+    }
+    return run;
+  }
+  listReportRuns(options = {}) {
+    const limit = clampLimit(options.limit ?? 50);
+    const rows = options.scheduleId ? this.db.query("SELECT * FROM report_runs WHERE schedule_id = ? ORDER BY started_at DESC, id DESC LIMIT ?").all(options.scheduleId, limit) : this.db.query("SELECT * FROM report_runs ORDER BY started_at DESC, id DESC LIMIT ?").all(limit);
+    return rows.map(reportRunFromRow);
+  }
+  recordAuditEvent(input) {
+    const action = normalizeAuditText(input.action, "Audit action", 160);
+    const createdAt = input.createdAt ?? new Date().toISOString();
+    assertIsoTimestamp(createdAt, "Audit event createdAt");
+    const event = {
+      id: newId("aud"),
+      action,
+      resourceType: normalizeNullableAuditText(input.resourceType, "Audit resourceType", 80),
+      resourceId: normalizeNullableAuditText(input.resourceId, "Audit resourceId", 160),
+      message: normalizeNullableAuditText(input.message, "Audit message", 500),
+      metadata: normalizeAuditMetadata(input.metadata ?? {}),
+      actor: normalizeNullableAuditText(input.actor, "Audit actor", 160),
+      createdAt
+    };
+    this.db.query(`INSERT INTO audit_events (
+          id, action, resource_type, resource_id, message, metadata_json, actor, created_at
+        ) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`).run(event.id, event.action, event.resourceType, event.resourceId, event.message, JSON.stringify(event.metadata), event.actor, event.createdAt);
+    return event;
+  }
+  listAuditEvents(options = {}) {
+    const clauses = [];
+    const args = [];
+    if (options.resourceType) {
+      clauses.push("resource_type = ?");
+      args.push(options.resourceType);
+    }
+    if (options.resourceId) {
+      clauses.push("resource_id = ?");
+      args.push(options.resourceId);
+    }
+    const where = clauses.length ? `WHERE ${clauses.join(" AND ")}` : "";
+    args.push(clampLimit(options.limit ?? 50));
+    const rows = this.db.query(`SELECT * FROM audit_events ${where} ORDER BY created_at DESC, id DESC LIMIT ?`).all(...args);
+    return rows.map(auditEventFromRow);
+  }
   acquireCheckLease(monitorId, owner, ttlMs) {
     const now = new Date;
     const nowIso = now.toISOString();
@@ -209,7 +804,8 @@ class UptimeStore {
       latencyMs: input.latencyMs,
       statusCode: input.statusCode,
       error: input.error,
-      attemptCount: Math.max(1, input.attemptCount)
+      attemptCount: Math.max(1, input.attemptCount),
+      evidence: input.evidence ?? null
     };
     const tx = this.db.transaction(() => {
       const current = this.db.query("SELECT * FROM monitors WHERE id = ?").get(result.monitorId);
@@ -222,19 +818,59 @@ class UptimeStore {
         throw new StaleCheckResultError(`Monitor was disabled while check was in progress: ${current.name}`);
       }
       this.db.query(`INSERT INTO check_results (
-            id, monitor_id, checked_at, status, latency_ms, status_code, error, attempt_count
-          ) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`).run(result.id, result.monitorId, result.checkedAt, result.status, result.latencyMs, result.statusCode, result.error, result.attemptCount);
+            id, monitor_id, checked_at, status, latency_ms, status_code, error, attempt_count, evidence_json
+          ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(result.id, result.monitorId, result.checkedAt, result.status, result.latencyMs, result.statusCode, result.error, result.attemptCount, result.evidence ? JSON.stringify(result.evidence) : null);
       this.db.query("UPDATE monitors SET status = ?, last_checked_at = ?, updated_at = ? WHERE id = ?").run(result.status, result.checkedAt, result.checkedAt, result.monitorId);
       this.reconcileIncidentInTransaction(result);
     });
     tx();
     return result;
   }
+  getCheckResult(id) {
+    const row = this.db.query("SELECT * FROM check_results WHERE id = ?").get(id);
+    return row ? checkResultFromRow(row) : null;
+  }
   listResults(options = {}) {
     const limit = clampLimit(options.limit ?? 50);
     const rows = options.monitorId ? this.db.query("SELECT * FROM check_results WHERE monitor_id = ? ORDER BY checked_at DESC LIMIT ?").all(options.monitorId, limit) : this.db.query("SELECT * FROM check_results ORDER BY checked_at DESC LIMIT ?").all(limit);
     return rows.map(checkResultFromRow);
   }
+  getProvenance(source, sourceId) {
+    const row = this.db.query("SELECT * FROM monitor_provenance WHERE source = ? AND source_id = ?").get(source, sourceId);
+    return row ? provenanceFromRow(row) : null;
+  }
+  upsertMonitorProvenance(input) {
+    const importedAt = new Date().toISOString();
+    this.db.query(`INSERT INTO monitor_provenance (
+          monitor_id, source, source_id, source_label, imported_at, snapshot_json
+        ) VALUES (?, ?, ?, ?, ?, ?)
+        ON CONFLICT(source, source_id) DO UPDATE SET
+          monitor_id = excluded.monitor_id,
+          source_label = excluded.source_label,
+          imported_at = excluded.imported_at,
+          snapshot_json = excluded.snapshot_json`).run(input.monitorId, input.source, input.sourceId, input.sourceLabel ?? null, importedAt, JSON.stringify(input.snapshot));
+    return this.getProvenance(input.source, input.sourceId);
+  }
+  saveImportBatch(input) {
+    const createdAt = new Date().toISOString();
+    this.db.query("INSERT INTO import_batches (id, source, status, created_at, rolled_back_at, records_json) VALUES (?, ?, 'applied', ?, NULL, ?)").run(input.id, input.source, createdAt, JSON.stringify(input.records));
+    return this.getImportBatch(input.id);
+  }
+  getImportBatch(batchId) {
+    const row = this.db.query("SELECT * FROM import_batches WHERE id = ?").get(batchId);
+    return row ? importBatchFromRow(row) : null;
+  }
+  markImportBatchRolledBack(batchId) {
+    const rolledBackAt = new Date().toISOString();
+    this.db.query("UPDATE import_batches SET status = 'rolled_back', rolled_back_at = ? WHERE id = ?").run(rolledBackAt, batchId);
+    const batch = this.getImportBatch(batchId);
+    if (!batch)
+      throw new Error(`Import batch not found: ${batchId}`);
+    return batch;
+  }
+  runInTransaction(fn) {
+    return this.db.transaction(fn)();
+  }
   listIncidents(options = {}) {
     const clauses = [];
     const args = [];
@@ -316,14 +952,123 @@ class UptimeStore {
   closeOpenIncident(monitorId, closedAt) {
     this.db.query("UPDATE incidents SET status = 'closed', closed_at = ? WHERE monitor_id = ? AND status = 'open'").run(closedAt, monitorId);
   }
+  advanceReportSchedule(scheduleId, finishedAt) {
+    const schedule = this.getReportSchedule(scheduleId);
+    if (!schedule)
+      throw new Error(`Report schedule not found: ${scheduleId}`);
+    const finishedMs = Date.parse(finishedAt);
+    let nextMs = Math.max(Date.parse(schedule.nextRunAt), finishedMs);
+    do {
+      nextMs += schedule.intervalSeconds * 1000;
+    } while (nextMs <= finishedMs);
+    const nextRunAt = new Date(nextMs).toISOString();
+    this.db.query("UPDATE report_schedules SET last_run_at = ?, next_run_at = ?, updated_at = ? WHERE id = ?").run(finishedAt, nextRunAt, finishedAt, schedule.id);
+  }
   ensureColumn(table, name, definition) {
     const columns = this.db.query(`PRAGMA table_info(${table})`).all();
     if (!columns.some((column) => column.name === name)) {
       this.db.run(`ALTER TABLE ${table} ADD COLUMN ${name} ${definition}`);
     }
   }
+  ensureMonitorKindAllowsBrowserPage() {
+    const row = this.db.query("SELECT sql FROM sqlite_master WHERE type = 'table' AND name = 'monitors'").get();
+    if (!row?.sql || row.sql.includes("browser_page"))
+      return;
+    this.db.run("PRAGMA foreign_keys = OFF");
+    this.db.run("PRAGMA legacy_alter_table = ON");
+    try {
+      const migrate = this.db.transaction(() => {
+        this.db.run("ALTER TABLE monitors RENAME TO monitors_old_kind");
+        this.db.run(`
+          CREATE TABLE monitors (
+            id TEXT PRIMARY KEY,
+            name TEXT NOT NULL UNIQUE,
+            kind TEXT NOT NULL CHECK (kind IN ('http', 'tcp', 'browser_page')),
+            url TEXT,
+            host TEXT,
+            port INTEGER,
+            method TEXT NOT NULL DEFAULT 'GET',
+            expected_status INTEGER,
+            interval_seconds INTEGER NOT NULL DEFAULT 60,
+            timeout_ms INTEGER NOT NULL DEFAULT 5000,
+            retry_count INTEGER NOT NULL DEFAULT 0,
+            enabled INTEGER NOT NULL DEFAULT 1,
+            status TEXT NOT NULL DEFAULT 'unknown',
+            last_checked_at TEXT,
+            revision INTEGER NOT NULL DEFAULT 1,
+            created_at TEXT NOT NULL,
+            updated_at TEXT NOT NULL
+          )
+        `);
+        this.db.run(`
+          INSERT INTO monitors (
+            id, name, kind, url, host, port, method, expected_status,
+            interval_seconds, timeout_ms, retry_count, enabled, status,
+            last_checked_at, revision, created_at, updated_at
+          )
+          SELECT
+            id, name, kind, url, host, port, method, expected_status,
+            interval_seconds, timeout_ms, retry_count, enabled, status,
+            last_checked_at, revision, created_at, updated_at
+          FROM monitors_old_kind
+        `);
+        this.db.run("DROP TABLE monitors_old_kind");
+      });
+      migrate();
+    } finally {
+      this.db.run("PRAGMA legacy_alter_table = OFF");
+      this.db.run("PRAGMA foreign_keys = ON");
+    }
+  }
+  vacuumInto(backupPath) {
+    const quoted = backupPath.replace(/'/g, "''");
+    this.db.run(`VACUUM INTO '${quoted}'`);
+  }
+}
+function resolveRuntimeMode(mode) {
+  const value = mode ?? process.env.HASNA_UPTIME_MODE ?? "local";
+  if (value === "local" || value === "hosted")
+    return value;
+  throw new Error("HASNA_UPTIME_MODE must be local or hosted");
+}
+function allowHostedLocalStore(value) {
+  return value === true || process.env.HASNA_UPTIME_ALLOW_HOSTED_LOCAL_STORE === "1";
+}
+function verifyBackupFile(backupPath) {
+  const db = new Database(backupPath, { readonly: true });
+  try {
+    const integrityRow = db.query("PRAGMA integrity_check").get();
+    const integrity = String(integrityRow?.integrity_check ?? "unknown");
+    const missingTables = REQUIRED_TABLES.filter((table) => !tableExists(db, table));
+    const schemaVersion = missingTables.includes("schema_migrations") ? null : db.query("SELECT value FROM schema_migrations WHERE key = 'schema_version'").get()?.value ?? null;
+    const currentOk = missingTables.length === 0 && schemaVersion === CURRENT_SCHEMA_VERSION;
+    const restorableV1 = schemaVersion === "1" && missingTables.every((table) => PROBE_TABLES.has(table) || REPORT_AUDIT_TABLES.has(table));
+    const restorableV2 = schemaVersion === "2" && missingTables.every((table) => REPORT_AUDIT_TABLES.has(table));
+    return {
+      ok: integrity === "ok" && (currentOk || restorableV1 || restorableV2),
+      backupPath,
+      integrity,
+      schemaVersion,
+      missingTables,
+      monitors: tableCount(db, "monitors"),
+      results: tableCount(db, "check_results"),
+      incidents: tableCount(db, "incidents")
+    };
+  } finally {
+    db.close();
+  }
+}
+function tableCount(db, table) {
+  if (!tableExists(db, table))
+    return 0;
+  const row = db.query(`SELECT COUNT(*) AS count FROM ${table}`).get();
+  return Number(row?.count ?? 0);
+}
+function tableExists(db, table) {
+  const row = db.query("SELECT COUNT(*) AS count FROM sqlite_master WHERE type = 'table' AND name = ?").get(table);
+  return Number(row?.count ?? 0) > 0;
 }
-function normalizeCreateMonitor(input) {
+function normalizeCreateMonitor(input, allowBrowserPage = false) {
   const name = input.name?.trim();
   if (!name)
     throw new Error("Monitor name is required");
@@ -331,7 +1076,10 @@ function normalizeCreateMonitor(input) {
   const method = normalizeMethod(input.method ?? "GET");
   const expectedStatus = normalizeExpectedStatus(input.expectedStatus);
   const enabled = normalizeEnabled(input.enabled);
-  if (input.kind === "http") {
+  if (input.kind === "http" || input.kind === "browser_page") {
+    if (input.kind === "browser_page" && !allowBrowserPage) {
+      throw new Error("browser_page monitors must be imported with explicit browser evidence support");
+    }
     const url = normalizeHttpUrl(input.url);
     return {
       name,
@@ -365,13 +1113,13 @@ function normalizeCreateMonitor(input) {
       enabled
     };
   } else {
-    throw new Error("Monitor kind must be http or tcp");
+    throw new Error("Monitor kind must be http, tcp, or browser_page");
   }
 }
 function definitionChanged(current, next) {
   return next.kind !== current.kind || next.url !== current.url || next.host !== current.host || next.port !== current.port || next.method !== current.method || next.expectedStatus !== current.expectedStatus;
 }
-function normalizeUpdateMonitor(current, input, updatedAt) {
+function normalizeUpdateMonitor(current, input, updatedAt, allowBrowserPage = false) {
   const merged = {
     ...current,
     ...input,
@@ -390,7 +1138,7 @@ function normalizeUpdateMonitor(current, input, updatedAt) {
     timeoutMs: merged.timeoutMs,
     retryCount: merged.retryCount,
     enabled: merged.enabled
-  });
+  }, allowBrowserPage || current.kind === "browser_page");
   const checkDefinitionChanged = normalized.kind !== current.kind || (normalized.url ?? null) !== current.url || (normalized.host ?? null) !== current.host || (normalized.port ?? null) !== current.port || normalized.method !== current.method || normalized.expectedStatus !== current.expectedStatus;
   const status = normalized.enabled ? checkDefinitionChanged || !current.enabled ? "unknown" : current.status : "paused";
   return {
@@ -419,6 +1167,11 @@ function normalizeHttpUrl(value) {
   if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
     throw new Error("HTTP monitor url must use http or https");
   }
+  for (const key of [...parsed.searchParams.keys()]) {
+    if (SECRET_URL_PARAM_PATTERN.test(key))
+      parsed.searchParams.set(key, "[redacted]");
+  }
+  parsed.hash = "";
   return parsed.toString();
 }
 function normalizeMethod(value) {
@@ -447,6 +1200,189 @@ function rejectControlCharacters(value, label) {
     throw new Error(`${label} must not contain control characters`);
   }
 }
+function normalizeScheduleSlot(value) {
+  const slot = value.trim();
+  if (!slot)
+    throw new Error("Probe job scheduleSlot is required");
+  if (slot.length > 128)
+    throw new Error("Probe job scheduleSlot is too long");
+  rejectControlCharacters(slot, "Probe job scheduleSlot");
+  return slot;
+}
+function normalizeReportScheduleInput(input) {
+  const name = input.name?.trim();
+  if (!name)
+    throw new Error("Report schedule name is required");
+  rejectControlCharacters(name, "Report schedule name");
+  const intervalSeconds = boundedInteger(input.intervalSeconds, "intervalSeconds", MIN_INTERVAL_SECONDS, MAX_INTERVAL_SECONDS);
+  const nextRunAt = input.nextRunAt ?? new Date().toISOString();
+  assertIsoTimestamp(nextRunAt, "Report schedule nextRunAt");
+  const enabled = normalizeEnabled(input.enabled);
+  const subject = normalizeNullableBoundedText(input.subject, "Report schedule subject", 200);
+  const channels = normalizeReportChannels(input.channels);
+  return { name, intervalSeconds, nextRunAt, enabled, subject, channels };
+}
+function normalizeReportChannels(channels) {
+  if (!channels || typeof channels !== "object")
+    throw new Error("Report schedule channels are required");
+  const normalized = {};
+  if (channels.email !== undefined)
+    normalized.email = normalizeChannelTarget(channels.email, "email", ["apiUrl", "from", "to", "subject", "providerId"]);
+  if (channels.sms !== undefined)
+    normalized.sms = normalizeChannelTarget(channels.sms, "sms", ["apiUrl", "from", "to"]);
+  if (channels.logs !== undefined)
+    normalized.logs = normalizeChannelTarget(channels.logs, "logs", ["apiUrl", "projectId", "environment", "service"]);
+  if (!normalized.email && !normalized.sms && !normalized.logs) {
+    throw new Error("Report schedule requires at least one channel");
+  }
+  return normalized;
+}
+function normalizeChannelTarget(value, channel, allowedKeys) {
+  if (value === false || value == null)
+    return false;
+  if (value === true)
+    return true;
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    throw new Error(`Report schedule ${channel} channel must be true or an object`);
+  }
+  const record = value;
+  const normalized = {};
+  for (const [key, rawValue] of Object.entries(record)) {
+    if (!allowedKeys.includes(key)) {
+      if (/key|token|secret|password|credential|auth/i.test(key)) {
+        throw new Error("Report schedules must not persist API keys or tokens; use environment variables or cloud channel refs");
+      }
+      throw new Error(`Unsupported report schedule ${channel} channel field: ${key}`);
+    }
+    if (rawValue === undefined || rawValue === null || rawValue === "")
+      continue;
+    if (key === "apiUrl" && Array.isArray(rawValue)) {
+      throw new Error(`Report schedule ${channel}.${key} must be a string`);
+    }
+    if (Array.isArray(rawValue)) {
+      const items = rawValue.map((item) => normalizeBoundedText(String(item), `Report schedule ${channel}.${key}`, 300));
+      if (items.length > 0)
+        normalized[key] = items;
+    } else if (typeof rawValue === "string" || typeof rawValue === "number") {
+      normalized[key] = key === "apiUrl" ? normalizeHttpIntegrationUrl(String(rawValue)) : normalizeBoundedText(String(rawValue), `Report schedule ${channel}.${key}`, 500);
+    } else {
+      throw new Error(`Report schedule ${channel}.${key} must be a string or string array`);
+    }
+  }
+  return Object.keys(normalized).length > 0 ? normalized : true;
+}
+function normalizeHttpIntegrationUrl(value) {
+  const parsed = new URL(value.trim());
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    throw new Error("Report schedule integration API URL must use http or https");
+  }
+  if (parsed.username || parsed.password) {
+    throw new Error("Report schedule integration API URL must not include credentials");
+  }
+  for (const key of parsed.searchParams.keys()) {
+    if (SECRET_URL_PARAM_PATTERN.test(key)) {
+      throw new Error("Report schedule integration API URL must not include secret query parameters");
+    }
+  }
+  parsed.hash = "";
+  return parsed.toString();
+}
+function normalizeReportDeliveries(deliveries) {
+  return deliveries.map((delivery) => {
+    if (delivery.channel !== "email" && delivery.channel !== "sms" && delivery.channel !== "logs") {
+      throw new Error("Report delivery channel must be email, sms, or logs");
+    }
+    return {
+      channel: delivery.channel,
+      ok: Boolean(delivery.ok),
+      status: delivery.status,
+      id: delivery.id === undefined ? undefined : normalizeRedactedText(String(delivery.id), "Report delivery id", 300),
+      error: delivery.error === undefined ? undefined : normalizeRedactedText(String(delivery.error), "Report delivery error", 1000)
+    };
+  });
+}
+function normalizeAuditText(value, label, maxLength) {
+  return normalizeBoundedText(value ?? "", label, maxLength);
+}
+function normalizeNullableAuditText(value, label, maxLength) {
+  return normalizeNullableBoundedText(value, label, maxLength);
+}
+function normalizeNullableBoundedText(value, label, maxLength) {
+  if (value == null)
+    return null;
+  const normalized = normalizeRedactedText(value, label, maxLength);
+  return normalized || null;
+}
+function normalizeBoundedText(value, label, maxLength) {
+  const normalized = value.trim();
+  rejectControlCharacters(normalized, label);
+  if (normalized.length > maxLength)
+    throw new Error(`${label} is too long`);
+  return normalized;
+}
+function normalizeNullableRedactedText(value, label, maxLength) {
+  if (value == null)
+    return null;
+  const normalized = normalizeRedactedText(value, label, maxLength);
+  return normalized || null;
+}
+function normalizeRedactedText(value, label, maxLength) {
+  return normalizeBoundedText(redactSecretString(value), label, maxLength);
+}
+function normalizeAuditMetadata(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    throw new Error("Audit metadata must be an object");
+  }
+  return redactAuditSecrets(JSON.parse(JSON.stringify(value)));
+}
+function redactAuditSecrets(value) {
+  if (Array.isArray(value))
+    return value.map(redactAuditSecrets);
+  if (typeof value === "string")
+    return redactSecretString(value);
+  if (!value || typeof value !== "object")
+    return value;
+  const output = {};
+  for (const [key, nested] of Object.entries(value)) {
+    output[key] = /key|token|secret|password|credential|auth/i.test(key) ? "[REDACTED]" : redactAuditSecrets(nested);
+  }
+  return output;
+}
+function redactSecretString(value) {
+  let output = value.replace(/\bBearer\s+[A-Za-z0-9._~+/=-]+/gi, "Bearer [REDACTED]");
+  output = output.replace(/https?:\/\/[^\s"'<>]+/gi, (match) => redactUrlString(match));
+  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(output))
+    return output;
+  return redactUrlString(output);
+}
+function redactUrlString(value) {
+  let trailing = "";
+  let candidate = value;
+  while (/[),.;\]]$/.test(candidate)) {
+    trailing = `${candidate.slice(-1)}${trailing}`;
+    candidate = candidate.slice(0, -1);
+  }
+  try {
+    const parsed = new URL(candidate);
+    if (parsed.username)
+      parsed.username = "[REDACTED]";
+    if (parsed.password)
+      parsed.password = "[REDACTED]";
+    for (const key of [...parsed.searchParams.keys()]) {
+      if (SECRET_URL_PARAM_PATTERN.test(key))
+        parsed.searchParams.set(key, "[REDACTED]");
+    }
+    parsed.hash = "";
+    return `${parsed.toString()}${trailing}`;
+  } catch {
+    return value;
+  }
+}
+function assertIsoTimestamp(value, label) {
+  if (!Number.isFinite(Date.parse(value))) {
+    throw new Error(`${label} must be an ISO timestamp`);
+  }
+}
 function monitorFromRow(row) {
   return {
     id: row.id,
@@ -477,9 +1413,137 @@ function checkResultFromRow(row) {
     latencyMs: row.latency_ms,
     statusCode: row.status_code,
     error: row.error,
-    attemptCount: row.attempt_count
+    attemptCount: row.attempt_count,
+    evidence: parseEvidence(row.evidence_json)
+  };
+}
+function provenanceFromRow(row) {
+  return {
+    monitorId: row.monitor_id,
+    source: row.source,
+    sourceId: row.source_id,
+    sourceLabel: row.source_label,
+    importedAt: row.imported_at,
+    snapshot: parseJson(row.snapshot_json)
+  };
+}
+function importBatchFromRow(row) {
+  return {
+    id: row.id,
+    source: row.source,
+    status: row.status,
+    createdAt: row.created_at,
+    rolledBackAt: row.rolled_back_at,
+    records: Array.isArray(parseJson(row.records_json)) ? parseJson(row.records_json) : []
+  };
+}
+function probeIdentityFromRow(row) {
+  return {
+    id: row.id,
+    name: row.name,
+    publicKeyPem: row.public_key_pem,
+    publicKeyFingerprint: row.public_key_fingerprint,
+    enabled: Boolean(row.enabled),
+    createdAt: row.created_at,
+    lastSeenAt: row.last_seen_at
   };
 }
+function probeSubmissionFromRow(row) {
+  return {
+    id: row.id,
+    probeId: row.probe_id,
+    jobId: row.job_id ?? "",
+    monitorId: row.monitor_id,
+    checkResultId: row.check_result_id,
+    nonce: row.nonce,
+    checkedAt: row.checked_at,
+    submittedAt: row.submitted_at
+  };
+}
+function probeCheckJobFromRow(row) {
+  return {
+    id: row.id,
+    monitorId: row.monitor_id,
+    monitorRevision: row.monitor_revision ?? 1,
+    scheduleSlot: row.schedule_slot,
+    status: row.status,
+    claimedByProbeId: row.claimed_by_probe_id,
+    fencingToken: row.fencing_token,
+    dueAt: row.due_at,
+    claimedAt: row.claimed_at,
+    leaseExpiresAt: row.lease_expires_at,
+    submittedResultId: row.submitted_result_id,
+    createdAt: row.created_at,
+    updatedAt: row.updated_at
+  };
+}
+function reportScheduleFromRow(row) {
+  return {
+    id: row.id,
+    name: row.name,
+    enabled: Boolean(row.enabled),
+    intervalSeconds: row.interval_seconds,
+    nextRunAt: row.next_run_at,
+    lastRunAt: row.last_run_at,
+    subject: row.subject,
+    channels: parseReportChannels(row.channels_json),
+    createdAt: row.created_at,
+    updatedAt: row.updated_at
+  };
+}
+function reportRunFromRow(row) {
+  return {
+    id: row.id,
+    scheduleId: row.schedule_id,
+    status: row.status,
+    startedAt: row.started_at,
+    finishedAt: row.finished_at,
+    deliveries: parseReportDeliveries(row.deliveries_json),
+    error: row.error,
+    reportJson: parseRecord(row.report_json)
+  };
+}
+function auditEventFromRow(row) {
+  return {
+    id: row.id,
+    action: row.action,
+    resourceType: row.resource_type,
+    resourceId: row.resource_id,
+    message: row.message,
+    metadata: parseRecord(row.metadata_json) ?? {},
+    actor: row.actor,
+    createdAt: row.created_at
+  };
+}
+function parseEvidence(value) {
+  if (!value)
+    return null;
+  const parsed = parseJson(value);
+  return parsed && typeof parsed === "object" ? parsed : null;
+}
+function parseReportChannels(value) {
+  const parsed = parseJson(value);
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed))
+    return {};
+  return parsed;
+}
+function parseReportDeliveries(value) {
+  const parsed = parseJson(value);
+  return Array.isArray(parsed) ? parsed : [];
+}
+function parseRecord(value) {
+  if (!value)
+    return null;
+  const parsed = parseJson(value);
+  return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
+}
+function parseJson(value) {
+  try {
+    return JSON.parse(value);
+  } catch {
+    return null;
+  }
+}
 function incidentFromRow(row) {
   return {
     id: row.id,
@@ -507,11 +1571,15 @@ function clampLimit(value) {
     return 50;
   return Math.max(1, Math.min(Math.floor(value), MAX_RESULT_LIMIT));
 }
+function statementChanges(result) {
+  return Number(result?.changes ?? 0);
+}
 function round(value, places) {
   const factor = 10 ** places;
   return Math.round(value * factor) / factor;
 }
 export {
+  resolveRuntimeMode,
   UptimeStore,
   StaleCheckResultError
 };