@hasna/uptime 0.1.22 → 0.1.24

package/dist/index.js

@@ -236,8 +236,9 @@ async function runMonitorCheck(monitor, options = {}) {
   }
   if (monitor.kind === "browser_page")
     return runBrowserPageCheck(monitor, { fetch: options.fetch, runner: options.browserPage });
-  if (monitor.kind === "tcp")
-    return runTcpCheck(monitor);
+  if (monitor.kind === "tcp") {
+    return options.hostedTargetPolicy ? runHostedTcpCheck(monitor, { resolveHost: options.resolveHost }) : runTcpCheck(monitor);
+  }
   return { status: "down", latencyMs: null, error: `unsupported monitor kind: ${monitor.kind ?? "unknown"}` };
 }
 async function runHttpCheck(monitor, fetchImpl = fetch) {
@@ -349,9 +350,30 @@ async function runHostedHttpCheck(monitor, options = {}) {
 async function runTcpCheck(monitor) {
   if (!monitor.host || !monitor.port)
     return { status: "down", latencyMs: null, error: "missing host or port" };
+  return runTcpSocket(monitor.host, monitor.port, monitor.timeoutMs);
+}
+async function runHostedTcpCheck(monitor, options = {}) {
+  if (!monitor.host || !monitor.port)
+    return { status: "down", latencyMs: null, error: "missing host or port" };
+  const resolver = options.resolveHost ?? resolveHostedHost;
+  try {
+    const addresses = normalizeResolvedAddresses(await resolver(normalizeHostedHost(monitor.host)));
+    assertHostedResolvedAddressesAllowed(monitor.host, addresses, "TCP resolved address");
+    const address = addresses[0];
+    return runTcpSocket(address.address, monitor.port, monitor.timeoutMs, address.family);
+  } catch (error) {
+    return {
+      status: "down",
+      latencyMs: null,
+      statusCode: null,
+      error: error instanceof Error ? error.message : String(error)
+    };
+  }
+}
+async function runTcpSocket(host, port, timeoutMs, family) {
   const started = performance.now();
   return new Promise((resolve) => {
-    const socket = net2.createConnection({ host: monitor.host, port: monitor.port, timeout: monitor.timeoutMs });
+    const socket = net2.createConnection({ host, port, timeout: timeoutMs, family });
     let settled = false;
     const finish = (result) => {
       if (settled)
@@ -767,7 +789,7 @@ function previewRecord(store, source, record, defaults, options) {
     };
   }
   const monitorOptions = options.workspaceId ? { workspaceId: options.workspaceId } : undefined;
-  const rawProvenance = store.getProvenance(candidate.source, candidate.sourceId);
+  const rawProvenance = store.getProvenance(candidate.source, candidate.sourceId, monitorOptions);
   const provenanceMonitor = rawProvenance ? store.getMonitor(rawProvenance.monitorId, monitorOptions) : null;
   const provenance = provenanceMonitor ? rawProvenance : null;
   const monitor = provenanceMonitor ?? store.getMonitor(candidate.name, monitorOptions);
@@ -1237,7 +1259,7 @@ var REQUIRED_TABLES = [
 ];
 var PROBE_TABLES = new Set(["probe_identities", "probe_check_jobs", "probe_submissions"]);
 var REPORT_AUDIT_TABLES = new Set(["report_schedules", "report_runs", "audit_events"]);
-var CURRENT_SCHEMA_VERSION = "4";
+var CURRENT_SCHEMA_VERSION = "5";
 
 class StaleCheckResultError extends Error {
   constructor(message) {
@@ -1350,15 +1372,17 @@ class UptimeStore {
     `);
     this.db.run(`
       CREATE TABLE IF NOT EXISTS monitor_provenance (
+        workspace_id TEXT NOT NULL DEFAULT 'local',
         monitor_id TEXT NOT NULL REFERENCES monitors(id) ON DELETE CASCADE,
         source TEXT NOT NULL,
         source_id TEXT NOT NULL,
         source_label TEXT,
         imported_at TEXT NOT NULL,
         snapshot_json TEXT NOT NULL,
-        PRIMARY KEY (source, source_id)
+        PRIMARY KEY (workspace_id, source, source_id)
       )
     `);
+    this.ensureMonitorProvenanceWorkspaceScoped();
     this.db.run(`
       CREATE TABLE IF NOT EXISTS import_batches (
         id TEXT PRIMARY KEY,
@@ -1450,6 +1474,7 @@ class UptimeStore {
     this.db.run(`
       CREATE TABLE IF NOT EXISTS audit_events (
         id TEXT PRIMARY KEY,
+        workspace_id TEXT,
         action TEXT NOT NULL,
         resource_type TEXT,
         resource_id TEXT,
@@ -1459,6 +1484,7 @@ class UptimeStore {
         created_at TEXT NOT NULL
       )
     `);
+    this.ensureColumn("audit_events", "workspace_id", "TEXT");
     this.db.run(`
       CREATE TABLE IF NOT EXISTS schema_migrations (
         key TEXT PRIMARY KEY,
@@ -1472,6 +1498,7 @@ class UptimeStore {
     this.db.run("CREATE INDEX IF NOT EXISTS idx_incidents_monitor_status ON incidents(monitor_id, status)");
     this.db.run("CREATE INDEX IF NOT EXISTS idx_check_leases_until ON check_leases(leased_until)");
     this.db.run("CREATE INDEX IF NOT EXISTS idx_monitor_provenance_monitor ON monitor_provenance(monitor_id)");
+    this.db.run("CREATE INDEX IF NOT EXISTS idx_monitor_provenance_workspace_source ON monitor_provenance(workspace_id, source, source_id)");
     this.db.run("CREATE INDEX IF NOT EXISTS idx_probe_jobs_status_due ON probe_check_jobs(status, due_at)");
     this.db.run("CREATE INDEX IF NOT EXISTS idx_probe_jobs_probe_status ON probe_check_jobs(claimed_by_probe_id, status)");
     this.db.run("CREATE INDEX IF NOT EXISTS idx_probe_submissions_probe_time ON probe_submissions(probe_id, submitted_at DESC)");
@@ -1480,6 +1507,7 @@ class UptimeStore {
     this.db.run("CREATE INDEX IF NOT EXISTS idx_report_schedules_due ON report_schedules(enabled, next_run_at)");
     this.db.run("CREATE INDEX IF NOT EXISTS idx_report_runs_schedule_time ON report_runs(schedule_id, started_at DESC)");
     this.db.run("CREATE INDEX IF NOT EXISTS idx_audit_events_resource_time ON audit_events(resource_type, resource_id, created_at DESC)");
+    this.db.run("CREATE INDEX IF NOT EXISTS idx_audit_events_workspace_time ON audit_events(workspace_id, created_at DESC)");
     this.db.run("CREATE INDEX IF NOT EXISTS idx_audit_events_time ON audit_events(created_at DESC)");
   }
   backup(destinationPath) {
@@ -1529,6 +1557,9 @@ class UptimeStore {
     const normalized = normalizeCreateMonitor(input, options.allowBrowserPage === true);
     if (this.mode === "hosted")
       assertHostedTargetAllowed(normalized);
+    if (this.mode === "hosted" && normalized.kind === "browser_page" && normalized.enabled !== false) {
+      throw new Error("hosted browser_page monitors must remain disabled until browser evidence workers are configured");
+    }
     const now = new Date().toISOString();
     const workspaceId = normalizeWorkspaceId(options.workspaceId ?? input.workspaceId ?? "local");
     const monitor = {
@@ -1593,6 +1624,9 @@ class UptimeStore {
     const next = normalizeUpdateMonitor(current, input, updatedAt, options.allowBrowserPage === true);
     if (this.mode === "hosted")
       assertHostedTargetAllowed(next);
+    if (this.mode === "hosted" && next.kind === "browser_page" && next.enabled) {
+      throw new Error("hosted browser_page monitors must remain disabled until browser evidence workers are configured");
+    }
     this.db.query(`UPDATE monitors SET
           name = ?, kind = ?, url = ?, host = ?, port = ?, method = ?,
           expected_status = ?, interval_seconds = ?, timeout_ms = ?,
@@ -1889,8 +1923,10 @@ class UptimeStore {
     const action = normalizeAuditText(input.action, "Audit action", 160);
     const createdAt = input.createdAt ?? new Date().toISOString();
     assertIsoTimestamp(createdAt, "Audit event createdAt");
+    const workspaceId = input.workspaceId == null ? null : normalizeWorkspaceId(input.workspaceId);
     const event = {
       id: newId("aud"),
+      workspaceId,
       action,
       resourceType: normalizeNullableAuditText(input.resourceType, "Audit resourceType", 80),
       resourceId: normalizeNullableAuditText(input.resourceId, "Audit resourceId", 160),
@@ -1900,13 +1936,17 @@ class UptimeStore {
       createdAt
     };
     this.db.query(`INSERT INTO audit_events (
-          id, action, resource_type, resource_id, message, metadata_json, actor, created_at
-        ) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`).run(event.id, event.action, event.resourceType, event.resourceId, event.message, JSON.stringify(event.metadata), event.actor, event.createdAt);
+          id, workspace_id, action, resource_type, resource_id, message, metadata_json, actor, created_at
+        ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(event.id, event.workspaceId, event.action, event.resourceType, event.resourceId, event.message, JSON.stringify(event.metadata), event.actor, event.createdAt);
     return event;
   }
   listAuditEvents(options = {}) {
     const clauses = [];
     const args = [];
+    if (options.workspaceId) {
+      clauses.push("workspace_id = ?");
+      args.push(normalizeWorkspaceId(options.workspaceId));
+    }
     if (options.resourceType) {
       clauses.push("resource_type = ?");
       args.push(options.resourceType);
@@ -1998,21 +2038,24 @@ class UptimeStore {
     const rows = this.db.query(`SELECT check_results.* FROM check_results JOIN monitors ON monitors.id = check_results.monitor_id ${where} ORDER BY checked_at DESC LIMIT ?`).all(...args);
     return rows.map(checkResultFromRow);
   }
-  getProvenance(source, sourceId) {
-    const row = this.db.query("SELECT * FROM monitor_provenance WHERE source = ? AND source_id = ?").get(source, sourceId);
+  getProvenance(source, sourceId, options = {}) {
+    const workspaceId = options.workspaceId ? normalizeWorkspaceId(options.workspaceId) : undefined;
+    const row = workspaceId ? this.db.query("SELECT * FROM monitor_provenance WHERE workspace_id = ? AND source = ? AND source_id = ?").get(workspaceId, source, sourceId) : this.db.query("SELECT * FROM monitor_provenance WHERE source = ? AND source_id = ? ORDER BY imported_at DESC LIMIT 1").get(source, sourceId);
     return row ? provenanceFromRow(row) : null;
   }
   upsertMonitorProvenance(input) {
     const importedAt = new Date().toISOString();
+    const monitor = this.getMonitor(input.monitorId);
+    const workspaceId = normalizeWorkspaceId(input.workspaceId ?? monitor?.workspaceId ?? "local");
     this.db.query(`INSERT INTO monitor_provenance (
-          monitor_id, source, source_id, source_label, imported_at, snapshot_json
-        ) VALUES (?, ?, ?, ?, ?, ?)
-        ON CONFLICT(source, source_id) DO UPDATE SET
+          workspace_id, monitor_id, source, source_id, source_label, imported_at, snapshot_json
+        ) VALUES (?, ?, ?, ?, ?, ?, ?)
+        ON CONFLICT(workspace_id, source, source_id) DO UPDATE SET
           monitor_id = excluded.monitor_id,
           source_label = excluded.source_label,
           imported_at = excluded.imported_at,
-          snapshot_json = excluded.snapshot_json`).run(input.monitorId, input.source, input.sourceId, input.sourceLabel ?? null, importedAt, JSON.stringify(input.snapshot));
-    return this.getProvenance(input.source, input.sourceId);
+          snapshot_json = excluded.snapshot_json`).run(workspaceId, input.monitorId, input.source, input.sourceId, input.sourceLabel ?? null, importedAt, JSON.stringify(input.snapshot));
+    return this.getProvenance(input.source, input.sourceId, { workspaceId });
   }
   saveImportBatch(input) {
     const createdAt = new Date().toISOString();
@@ -2195,6 +2238,49 @@ class UptimeStore {
       this.db.run("PRAGMA foreign_keys = ON");
     }
   }
+  ensureMonitorProvenanceWorkspaceScoped() {
+    const row = this.db.query("SELECT sql FROM sqlite_master WHERE type = 'table' AND name = 'monitor_provenance'").get();
+    const columns = this.db.query("PRAGMA table_info(monitor_provenance)").all();
+    const hasWorkspaceId = columns.some((column) => column.name === "workspace_id");
+    const hasWorkspacePrimaryKey = Boolean(row?.sql?.includes("PRIMARY KEY (workspace_id, source, source_id)"));
+    if (hasWorkspaceId && hasWorkspacePrimaryKey)
+      return;
+    this.db.run("PRAGMA foreign_keys = OFF");
+    this.db.run("PRAGMA legacy_alter_table = ON");
+    try {
+      const migrate = this.db.transaction(() => {
+        this.db.run("ALTER TABLE monitor_provenance RENAME TO monitor_provenance_old_workspace");
+        this.db.run(`
+          CREATE TABLE monitor_provenance (
+            workspace_id TEXT NOT NULL DEFAULT 'local',
+            monitor_id TEXT NOT NULL REFERENCES monitors(id) ON DELETE CASCADE,
+            source TEXT NOT NULL,
+            source_id TEXT NOT NULL,
+            source_label TEXT,
+            imported_at TEXT NOT NULL,
+            snapshot_json TEXT NOT NULL,
+            PRIMARY KEY (workspace_id, source, source_id)
+          )
+        `);
+        const workspaceSelect = hasWorkspaceId ? "COALESCE(old.workspace_id, monitors.workspace_id, 'local')" : "COALESCE(monitors.workspace_id, 'local')";
+        this.db.run(`
+          INSERT OR REPLACE INTO monitor_provenance (
+            workspace_id, monitor_id, source, source_id, source_label, imported_at, snapshot_json
+          )
+          SELECT
+            ${workspaceSelect}, old.monitor_id, old.source, old.source_id, old.source_label,
+            old.imported_at, old.snapshot_json
+          FROM monitor_provenance_old_workspace old
+          LEFT JOIN monitors ON monitors.id = old.monitor_id
+        `);
+        this.db.run("DROP TABLE monitor_provenance_old_workspace");
+      });
+      migrate();
+    } finally {
+      this.db.run("PRAGMA legacy_alter_table = OFF");
+      this.db.run("PRAGMA foreign_keys = ON");
+    }
+  }
   vacuumInto(backupPath) {
     const quoted = backupPath.replace(/'/g, "''");
     this.db.run(`VACUUM INTO '${quoted}'`);
@@ -2224,10 +2310,11 @@ function verifyBackupFile(backupPath) {
     const missingTables = REQUIRED_TABLES.filter((table) => !tableExists(db, table));
     const schemaVersion = missingTables.includes("schema_migrations") ? null : db.query("SELECT value FROM schema_migrations WHERE key = 'schema_version'").get()?.value ?? null;
     const currentOk = missingTables.length === 0 && schemaVersion === CURRENT_SCHEMA_VERSION;
+    const restorableV4 = schemaVersion === "4" && missingTables.length === 0;
     const restorableV1 = schemaVersion === "1" && missingTables.every((table) => PROBE_TABLES.has(table) || REPORT_AUDIT_TABLES.has(table));
     const restorableV2 = schemaVersion === "2" && missingTables.every((table) => REPORT_AUDIT_TABLES.has(table));
     return {
-      ok: integrity === "ok" && (currentOk || restorableV1 || restorableV2),
+      ok: integrity === "ok" && (currentOk || restorableV4 || restorableV1 || restorableV2),
       backupPath,
       integrity,
       schemaVersion,
@@ -2612,6 +2699,7 @@ function checkResultFromRow(row) {
 }
 function provenanceFromRow(row) {
   return {
+    workspaceId: row.workspace_id,
     monitorId: row.monitor_id,
     source: row.source,
     sourceId: row.source_id,
@@ -2699,6 +2787,7 @@ function reportRunFromRow(row) {
 function auditEventFromRow(row) {
   return {
     id: row.id,
+    workspaceId: row.workspace_id,
     action: row.action,
     resourceType: row.resource_type,
     resourceId: row.resource_id,
@@ -3061,12 +3150,18 @@ var MAX_PROBE_RESULT_FUTURE_MS = 5 * 60000;
 class UptimeService {
   store;
   checkRunner;
+  hostedResolveHost;
+  hostedHttpRequest;
+  hostedMaxRedirects;
   leaseOwner = `svc_${randomUUID3().replace(/-/g, "").slice(0, 18)}`;
   inFlightChecks = new Set;
   inFlightReportSchedules = new Set;
   constructor(options = {}) {
     this.store = options.store ?? new UptimeStore({ mode: "local", ...options });
     this.checkRunner = options.checkRunner ?? runMonitorCheck;
+    this.hostedResolveHost = options.hostedResolveHost;
+    this.hostedHttpRequest = options.hostedHttpRequest;
+    this.hostedMaxRedirects = options.hostedMaxRedirects;
   }
   close() {
     this.store.close();
@@ -3201,10 +3296,10 @@ class UptimeService {
     return this.reportStore().listReportRuns(options);
   }
   listAuditEvents(options = {}) {
-    return this.reportStore().listAuditEvents(options);
+    return this.auditStore().listAuditEvents(options);
   }
   recordAuditEvent(input) {
-    return this.reportStore().recordAuditEvent(input);
+    return this.auditStore().recordAuditEvent(input);
   }
   async runReportSchedule(idOrName, options = {}) {
     const store = this.reportStore();
@@ -3273,39 +3368,7 @@ class UptimeService {
     const monitor = this.store.getMonitor(idOrName);
     if (!monitor)
       throw new Error(`Monitor not found: ${idOrName}`);
-    if (!monitor.enabled)
-      throw new Error(`Monitor is disabled: ${monitor.name}`);
-    if (this.inFlightChecks.has(monitor.id))
-      throw new Error(`Monitor check already in progress: ${monitor.name}`);
-    const leaseTtlMs = Math.max(60000, (monitor.retryCount + 1) * monitor.timeoutMs + 1e4);
-    if (!this.store.acquireCheckLease(monitor.id, this.leaseOwner, leaseTtlMs)) {
-      throw new MonitorCheckBusyError(`Monitor check already in progress: ${monitor.name}`);
-    }
-    this.inFlightChecks.add(monitor.id);
-    try {
-      let attemptCount = 0;
-      let last = null;
-      const maxAttempts = Math.max(1, monitor.retryCount + 1);
-      while (attemptCount < maxAttempts) {
-        attemptCount += 1;
-        last = await this.checkRunner(monitor);
-        if (last.status === "up")
-          break;
-      }
-      return this.store.recordCheckResult({
-        monitorId: monitor.id,
-        status: last.status,
-        latencyMs: last.latencyMs,
-        statusCode: last.statusCode ?? null,
-        error: last.error ?? null,
-        evidence: last.evidence ?? null,
-        attemptCount,
-        expectedMonitorRevision: monitor.revision
-      });
-    } finally {
-      this.inFlightChecks.delete(monitor.id);
-      this.store.releaseCheckLease(monitor.id, this.leaseOwner);
-    }
+    return this.recordMonitorCheck(monitor, { hostedTargetPolicy: false });
   }
   async checkAll() {
     if (this.store.mode === "hosted")
@@ -3317,6 +3380,49 @@ class UptimeService {
     }
     return results;
   }
+  async checkHostedPublicMonitor(idOrName, options = {}) {
+    this.assertHostedPublicChecksEnabled();
+    const workspaceId = this.requireHostedWorkerWorkspaceId(options.workspaceId);
+    const monitor = this.store.getMonitor(idOrName, { workspaceId });
+    if (!monitor)
+      throw new Error(`Monitor not found: ${idOrName}`);
+    this.assertHostedPublicMonitor(monitor);
+    const result = await this.recordMonitorCheck(monitor, { hostedTargetPolicy: true });
+    this.auditStore().recordAuditEvent({
+      workspaceId,
+      action: "hosted_public_check.run",
+      resourceType: "monitor",
+      resourceId: monitor.id,
+      message: `Ran hosted public check for ${monitor.name}`,
+      metadata: {
+        checkResultId: result.id,
+        status: result.status,
+        monitorKind: monitor.kind,
+        operatorPath: "hosted_public_check"
+      },
+      actor: "hosted-public-check-worker"
+    });
+    return result;
+  }
+  async runDueHostedPublicChecks(now = new Date, options = {}) {
+    this.assertHostedPublicChecksEnabled();
+    const workspaceId = this.requireHostedWorkerWorkspaceId(options.workspaceId);
+    const due = this.store.listMonitors({ workspaceId }).filter((monitor) => this.isHostedPublicMonitor(monitor) && this.isDue(monitor, now));
+    const results = [];
+    for (const monitor of due) {
+      const current = this.store.getMonitor(monitor.id, { workspaceId });
+      if (!current || !this.isHostedPublicMonitor(current) || !this.isDue(current, now))
+        continue;
+      try {
+        results.push(await this.checkHostedPublicMonitor(current.id, { workspaceId }));
+      } catch (error) {
+        if (error instanceof MonitorCheckBusyError || error instanceof StaleCheckResultError)
+          continue;
+        throw error;
+      }
+    }
+    return results;
+  }
   startScheduler(options = {}) {
     if (this.store.mode === "hosted")
       throw new Error("hosted scheduler requires check_jobs and probes");
@@ -3362,6 +3468,67 @@ class UptimeService {
     const last = new Date(monitor.lastCheckedAt).getTime();
     return now.getTime() - last >= monitor.intervalSeconds * 1000;
   }
+  async recordMonitorCheck(monitor, options) {
+    if (!monitor.enabled)
+      throw new Error(`Monitor is disabled: ${monitor.name}`);
+    if (this.inFlightChecks.has(monitor.id))
+      throw new Error(`Monitor check already in progress: ${monitor.name}`);
+    const leaseTtlMs = Math.max(60000, (monitor.retryCount + 1) * monitor.timeoutMs + 1e4);
+    if (!this.store.acquireCheckLease(monitor.id, this.leaseOwner, leaseTtlMs)) {
+      throw new MonitorCheckBusyError(`Monitor check already in progress: ${monitor.name}`);
+    }
+    this.inFlightChecks.add(monitor.id);
+    try {
+      let attemptCount = 0;
+      let last = null;
+      const maxAttempts = Math.max(1, monitor.retryCount + 1);
+      while (attemptCount < maxAttempts) {
+        attemptCount += 1;
+        last = options.hostedTargetPolicy ? await this.runHostedPublicCheckAttempt(monitor) : await this.checkRunner(monitor);
+        if (last.status === "up")
+          break;
+      }
+      return this.store.recordCheckResult({
+        monitorId: monitor.id,
+        status: last.status,
+        latencyMs: last.latencyMs,
+        statusCode: last.statusCode ?? null,
+        error: last.error ?? null,
+        evidence: last.evidence ?? null,
+        attemptCount,
+        expectedMonitorRevision: monitor.revision
+      });
+    } finally {
+      this.inFlightChecks.delete(monitor.id);
+      this.store.releaseCheckLease(monitor.id, this.leaseOwner);
+    }
+  }
+  runHostedPublicCheckAttempt(monitor) {
+    return runMonitorCheck(monitor, {
+      hostedTargetPolicy: true,
+      resolveHost: this.hostedResolveHost,
+      hostedHttpRequest: this.hostedHttpRequest,
+      maxRedirects: this.hostedMaxRedirects
+    });
+  }
+  assertHostedPublicChecksEnabled() {
+    if (this.store.mode !== "hosted")
+      throw new Error("hosted public checks require hosted mode");
+  }
+  requireHostedWorkerWorkspaceId(workspaceId) {
+    const value = workspaceId?.trim() || process.env.HASNA_UPTIME_WORKSPACE_ID?.trim();
+    if (!value)
+      throw new Error("hosted public checks require a workspace id");
+    return value;
+  }
+  assertHostedPublicMonitor(monitor) {
+    if (!this.isHostedPublicMonitor(monitor)) {
+      throw new Error("hosted public checks support only HTTP and TCP monitors");
+    }
+  }
+  isHostedPublicMonitor(monitor) {
+    return monitor.kind === "http" || monitor.kind === "tcp";
+  }
   probeStore() {
     if (this.store.mode === "hosted") {
       throw new Error("hosted probe APIs require cloud check_jobs, workspace stores, and audit logging");
@@ -3411,6 +3578,13 @@ class UptimeService {
     }
     return store;
   }
+  auditStore() {
+    const store = this.store;
+    if (typeof store.recordAuditEvent !== "function" || typeof store.listAuditEvents !== "function") {
+      throw new Error("audit logging requires an audit-capable store");
+    }
+    return store;
+  }
   audit(action, resourceType, resourceId, message, metadata) {
     this.reportStore().recordAuditEvent({
       action,
@@ -4118,7 +4292,10 @@ async function handleApiRoute(service, request, url, apiPath, options, hosted, a
     return json(service.listMonitors({ includeDisabled: url.searchParams.get("includeDisabled") === "true", workspaceId: actor?.workspaceId }));
   }
   if (request.method === "POST" && apiPath === "/api/monitors") {
-    return json(service.createMonitor(await jsonBody(request), { workspaceId: actor?.workspaceId }), 201);
+    const monitor = service.createMonitor(await jsonBody(request), { workspaceId: actor?.workspaceId });
+    if (hosted && actor)
+      recordHostedMonitorAudit(service, actor, "monitor.create", monitor, { method: request.method, apiPath });
+    return json(monitor, 201);
   }
   if (request.method === "GET" && apiPath === "/api/incidents") {
     const status = url.searchParams.get("status");
@@ -4195,10 +4372,25 @@ async function handleApiRoute(service, request, url, apiPath, options, hosted, a
       return monitor ? json(monitor) : json({ error: "not found" }, 404);
     }
     if (request.method === "PATCH" && !monitorMatch[2]) {
-      return json(service.updateMonitor(id, await jsonBody(request), { workspaceId: actor?.workspaceId }));
+      const before = hosted ? service.getMonitor(id, { workspaceId: actor?.workspaceId }) : null;
+      const monitor = service.updateMonitor(id, await jsonBody(request), { workspaceId: actor?.workspaceId });
+      if (hosted && actor) {
+        recordHostedMonitorAudit(service, actor, "monitor.update", monitor, {
+          method: request.method,
+          apiPath,
+          previousRevision: before?.revision ?? null,
+          nextRevision: monitor.revision
+        });
+      }
+      return json(monitor);
     }
     if (request.method === "DELETE" && !monitorMatch[2]) {
-      return json({ deleted: service.deleteMonitor(id, { workspaceId: actor?.workspaceId }) });
+      const before = hosted ? service.getMonitor(id, { workspaceId: actor?.workspaceId }) : null;
+      const deleted = service.deleteMonitor(id, { workspaceId: actor?.workspaceId });
+      if (hosted && actor && deleted && before) {
+        recordHostedMonitorAudit(service, actor, "monitor.delete", before, { method: request.method, apiPath });
+      }
+      return json({ deleted });
     }
     if (request.method === "POST" && monitorMatch[2] === "check") {
       if (hosted)
@@ -4242,7 +4434,29 @@ function requireHostedActor(request, url, options, scope) {
   if (requestedWorkspace && requestedWorkspace !== workspaceId) {
     throw new ApiError("workspace access denied", 403);
   }
-  return { scopes, workspaceId };
+  return {
+    scopes,
+    workspaceId,
+    actor: token.actor ?? `hosted-token:${workspaceId}:${[...scopes].sort().join(",")}`
+  };
+}
+function recordHostedMonitorAudit(service, actor, action, monitor, metadata) {
+  service.recordAuditEvent({
+    workspaceId: actor.workspaceId,
+    action,
+    actor: actor.actor,
+    resourceType: "monitor",
+    resourceId: monitor.id,
+    metadata: {
+      ...metadata,
+      monitorName: monitor.name,
+      monitorKind: monitor.kind,
+      monitorEnabled: monitor.enabled,
+      monitorRevision: monitor.revision,
+      workspaceId: monitor.workspaceId,
+      scopes: [...actor.scopes].sort()
+    }
+  });
 }
 function isLoopbackHost(hostname) {
   const host = hostname.toLowerCase().replace(/^\[|\]$/g, "");
@@ -4320,7 +4534,8 @@ function normalizeHostedTokenEntry(entry, defaultWorkspaceId, source) {
   }
   const scopes = normalizeHostedScopes(entry.scopes, `${source}.scopes`);
   const workspaceId = typeof entry.workspaceId === "string" && entry.workspaceId.trim() ? entry.workspaceId.trim() : defaultWorkspaceId;
-  return { token: entry.token.trim(), scopes, workspaceId };
+  const actor = typeof entry.actor === "string" && entry.actor.trim() ? entry.actor.trim() : typeof entry.subject === "string" && entry.subject.trim() ? entry.subject.trim() : typeof entry.id === "string" && entry.id.trim() ? entry.id.trim() : undefined;
+  return { token: entry.token.trim(), scopes, workspaceId, actor };
 }
 function normalizeHostedScopes(value, source) {
   if (!Array.isArray(value) || value.length === 0) {
@@ -4420,7 +4635,7 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.22");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.24");
   const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
   const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;
@@ -4665,7 +4880,10 @@ function buildPrivateProbeCloudConfig(options = {}) {
     }
   };
 }
-function renderPrivateProbeEnv(config) {
+function renderPrivateProbeEnv(config, options = {}) {
+  if (!options.allowBlocked && (!config.canStart || config.blockers.length > 0)) {
+    throw new Error("private probe env output is blocked until hosted probe routes and cloud jobs are implemented");
+  }
   const required = ["HASNA_UPTIME_PRIVATE_PROBE_ID"];
   const missing = required.filter((key) => !config.env[key]);
   if (missing.length > 0) {
@@ -4712,6 +4930,7 @@ export {
   runTcpCheck,
   runMonitorCheck,
   runHttpCheck,
+  runHostedTcpCheck,
   runHostedHttpCheck,
   runBrowserPageCheck,
   rollbackImport,