@hasna/uptime 0.1.23 → 0.1.25

package/dist/service.js

@@ -3150,12 +3150,18 @@ var MAX_PROBE_RESULT_FUTURE_MS = 5 * 60000;
 class UptimeService {
   store;
   checkRunner;
+  hostedResolveHost;
+  hostedHttpRequest;
+  hostedMaxRedirects;
   leaseOwner = `svc_${randomUUID3().replace(/-/g, "").slice(0, 18)}`;
   inFlightChecks = new Set;
   inFlightReportSchedules = new Set;
   constructor(options = {}) {
     this.store = options.store ?? new UptimeStore({ mode: "local", ...options });
     this.checkRunner = options.checkRunner ?? runMonitorCheck;
+    this.hostedResolveHost = options.hostedResolveHost;
+    this.hostedHttpRequest = options.hostedHttpRequest;
+    this.hostedMaxRedirects = options.hostedMaxRedirects;
   }
   close() {
     this.store.close();
@@ -3362,39 +3368,7 @@ class UptimeService {
     const monitor = this.store.getMonitor(idOrName);
     if (!monitor)
       throw new Error(`Monitor not found: ${idOrName}`);
-    if (!monitor.enabled)
-      throw new Error(`Monitor is disabled: ${monitor.name}`);
-    if (this.inFlightChecks.has(monitor.id))
-      throw new Error(`Monitor check already in progress: ${monitor.name}`);
-    const leaseTtlMs = Math.max(60000, (monitor.retryCount + 1) * monitor.timeoutMs + 1e4);
-    if (!this.store.acquireCheckLease(monitor.id, this.leaseOwner, leaseTtlMs)) {
-      throw new MonitorCheckBusyError(`Monitor check already in progress: ${monitor.name}`);
-    }
-    this.inFlightChecks.add(monitor.id);
-    try {
-      let attemptCount = 0;
-      let last = null;
-      const maxAttempts = Math.max(1, monitor.retryCount + 1);
-      while (attemptCount < maxAttempts) {
-        attemptCount += 1;
-        last = await this.checkRunner(monitor);
-        if (last.status === "up")
-          break;
-      }
-      return this.store.recordCheckResult({
-        monitorId: monitor.id,
-        status: last.status,
-        latencyMs: last.latencyMs,
-        statusCode: last.statusCode ?? null,
-        error: last.error ?? null,
-        evidence: last.evidence ?? null,
-        attemptCount,
-        expectedMonitorRevision: monitor.revision
-      });
-    } finally {
-      this.inFlightChecks.delete(monitor.id);
-      this.store.releaseCheckLease(monitor.id, this.leaseOwner);
-    }
+    return this.recordMonitorCheck(monitor, { hostedTargetPolicy: false });
   }
   async checkAll() {
     if (this.store.mode === "hosted")
@@ -3406,6 +3380,49 @@ class UptimeService {
     }
     return results;
   }
+  async checkHostedPublicMonitor(idOrName, options = {}) {
+    this.assertHostedPublicChecksEnabled();
+    const workspaceId = this.requireHostedWorkerWorkspaceId(options.workspaceId);
+    const monitor = this.store.getMonitor(idOrName, { workspaceId });
+    if (!monitor)
+      throw new Error(`Monitor not found: ${idOrName}`);
+    this.assertHostedPublicMonitor(monitor);
+    const result = await this.recordMonitorCheck(monitor, { hostedTargetPolicy: true });
+    this.auditStore().recordAuditEvent({
+      workspaceId,
+      action: "hosted_public_check.run",
+      resourceType: "monitor",
+      resourceId: monitor.id,
+      message: `Ran hosted public check for ${monitor.name}`,
+      metadata: {
+        checkResultId: result.id,
+        status: result.status,
+        monitorKind: monitor.kind,
+        operatorPath: "hosted_public_check"
+      },
+      actor: "hosted-public-check-worker"
+    });
+    return result;
+  }
+  async runDueHostedPublicChecks(now = new Date, options = {}) {
+    this.assertHostedPublicChecksEnabled();
+    const workspaceId = this.requireHostedWorkerWorkspaceId(options.workspaceId);
+    const due = this.store.listMonitors({ workspaceId }).filter((monitor) => this.isHostedPublicMonitor(monitor) && this.isDue(monitor, now));
+    const results = [];
+    for (const monitor of due) {
+      const current = this.store.getMonitor(monitor.id, { workspaceId });
+      if (!current || !this.isHostedPublicMonitor(current) || !this.isDue(current, now))
+        continue;
+      try {
+        results.push(await this.checkHostedPublicMonitor(current.id, { workspaceId }));
+      } catch (error) {
+        if (error instanceof MonitorCheckBusyError || error instanceof StaleCheckResultError)
+          continue;
+        throw error;
+      }
+    }
+    return results;
+  }
   startScheduler(options = {}) {
     if (this.store.mode === "hosted")
       throw new Error("hosted scheduler requires check_jobs and probes");
@@ -3451,6 +3468,67 @@ class UptimeService {
     const last = new Date(monitor.lastCheckedAt).getTime();
     return now.getTime() - last >= monitor.intervalSeconds * 1000;
   }
+  async recordMonitorCheck(monitor, options) {
+    if (!monitor.enabled)
+      throw new Error(`Monitor is disabled: ${monitor.name}`);
+    if (this.inFlightChecks.has(monitor.id))
+      throw new Error(`Monitor check already in progress: ${monitor.name}`);
+    const leaseTtlMs = Math.max(60000, (monitor.retryCount + 1) * monitor.timeoutMs + 1e4);
+    if (!this.store.acquireCheckLease(monitor.id, this.leaseOwner, leaseTtlMs)) {
+      throw new MonitorCheckBusyError(`Monitor check already in progress: ${monitor.name}`);
+    }
+    this.inFlightChecks.add(monitor.id);
+    try {
+      let attemptCount = 0;
+      let last = null;
+      const maxAttempts = Math.max(1, monitor.retryCount + 1);
+      while (attemptCount < maxAttempts) {
+        attemptCount += 1;
+        last = options.hostedTargetPolicy ? await this.runHostedPublicCheckAttempt(monitor) : await this.checkRunner(monitor);
+        if (last.status === "up")
+          break;
+      }
+      return this.store.recordCheckResult({
+        monitorId: monitor.id,
+        status: last.status,
+        latencyMs: last.latencyMs,
+        statusCode: last.statusCode ?? null,
+        error: last.error ?? null,
+        evidence: last.evidence ?? null,
+        attemptCount,
+        expectedMonitorRevision: monitor.revision
+      });
+    } finally {
+      this.inFlightChecks.delete(monitor.id);
+      this.store.releaseCheckLease(monitor.id, this.leaseOwner);
+    }
+  }
+  runHostedPublicCheckAttempt(monitor) {
+    return runMonitorCheck(monitor, {
+      hostedTargetPolicy: true,
+      resolveHost: this.hostedResolveHost,
+      hostedHttpRequest: this.hostedHttpRequest,
+      maxRedirects: this.hostedMaxRedirects
+    });
+  }
+  assertHostedPublicChecksEnabled() {
+    if (this.store.mode !== "hosted")
+      throw new Error("hosted public checks require hosted mode");
+  }
+  requireHostedWorkerWorkspaceId(workspaceId) {
+    const value = workspaceId?.trim() || process.env.HASNA_UPTIME_WORKSPACE_ID?.trim();
+    if (!value)
+      throw new Error("hosted public checks require a workspace id");
+    return value;
+  }
+  assertHostedPublicMonitor(monitor) {
+    if (!this.isHostedPublicMonitor(monitor)) {
+      throw new Error("hosted public checks support only HTTP and TCP monitors");
+    }
+  }
+  isHostedPublicMonitor(monitor) {
+    return monitor.kind === "http" || monitor.kind === "tcp";
+  }
   probeStore() {
     if (this.store.mode === "hosted") {
       throw new Error("hosted probe APIs require cloud check_jobs, workspace stores, and audit logging");

package/docs/aws-deployment-runbook.md

@@ -8,7 +8,8 @@ call AWS or mutate infrastructure.
 
 ```bash
 uptime cloud plan --json > open-uptime-aws-plan.json
-uptime cloud private-probe-config --probe-id prb_private_01 --machine-id private-probe-01 --env > private-probe-01-uptime.env
+uptime cloud private-probe-config --probe-id prb_private_01 --machine-id private-probe-01 --json > private-probe-01-preflight.json
+uptime cloud private-probe-config --probe-id prb_private_01 --machine-id private-probe-01 --env --allow-blocked-env > private-probe-01-review-only.env
 ```
 
 Public package defaults are placeholders:
@@ -33,8 +34,10 @@ The app repo includes a hosted runtime `Dockerfile` and Terraform/OpenTofu
 starter files in `infra/aws`. The plan output points to these files and keeps
 `applyAllowed: false`.
 
-`uptime cloud private-probe-config --env` requires a real `--probe-id`; it will not
-write a sourceable env file with a placeholder probe identity.
+`uptime cloud private-probe-config --env` is blocked by default while hosted
+probe routes remain fail-closed. It requires both a real `--probe-id` and the
+explicit `--allow-blocked-env` review override; do not use that env output to
+start a private probe until the JSON output says `canStart: true`.
 
 ## Preflight
 
@@ -57,9 +60,14 @@ write a sourceable env file with a placeholder probe identity.
 
 4. Confirm the target VPC, private subnets, KMS key, and EFS/Backup plan inputs
    still match the plan.
-5. Confirm the protected access mode. The first deploy can use the CloudFront
-   default HTTPS domain without custom DNS or ACM. Custom hostname deploys still
-   require Route53/edge ownership and an ACM certificate.
+5. Confirm the protected access mode. The first zero-count deploy can use the
+   CloudFront default HTTPS domain without custom DNS or ACM. Before
+   token-bearing live traffic, either set
+   `cloudfront_origin_protocol_policy = "https-only"` with a dedicated
+   `cloudfront_origin_domain_name` that resolves to the ALB and a matching ACM
+   `certificate_arn`, or record an explicit risk acceptance for the temporary
+   HTTP-origin bridge. Custom hostname deploys still require Route53/edge
+   ownership and an ACM certificate.
 6. Confirm the deployment role uses short-lived credentials or OIDC, not copied
    access keys.
 7. Create a private evidence directory outside the public repository. Store
@@ -74,9 +82,12 @@ The plan expects:
 - ECS/Fargate cluster with separate services for web, scheduler, public probe,
   reporter, and one-off migrations. In the current EFS SQLite bridge, only web
   may be enabled and it must run at desired count `0` or `1`.
-- CloudFront default-domain HTTPS edge plus ALB HTTP origin restricted to
-  CloudFront origin-facing ranges, or an ALB HTTPS listener with ACM certificate
-  when custom DNS is approved.
+- CloudFront default-domain HTTPS edge plus an ALB origin restricted to
+  CloudFront origin-facing ranges. The default zero-count bridge uses HTTP to
+  the origin; token-bearing live traffic should use the module's HTTPS-origin
+  mode with `cloudfront_origin_domain_name` plus `certificate_arn`, or a
+  documented risk acceptance. Direct ALB HTTPS mode also requires custom DNS and
+  an ACM certificate.
 - Encrypted EFS file system, access point, mount targets, and AWS Backup plan
   for `HASNA_UPTIME_HOSTED_SQLITE_DB=/data/uptime/uptime.db`.
 - S3 bucket for redacted browser evidence and generated report artifacts.
@@ -148,6 +159,12 @@ aws codebuild start-build \
   --project-name "$IMAGE_BUILDER_PROJECT"
 ```
 
+The private infra root should set `runtime_package_integrity` to the published
+npm `dist.integrity` value for the exact `runtime_package_version`. The image
+builder verifies that value before extracting the package. If the value is not
+set, record why the tarball is not integrity-pinned and keep the service
+not-live.
+
 Update the approved infra root so `container_image` is the immutable ECR digest,
 then re-plan with all services still at `0`.
 
@@ -176,6 +193,9 @@ Before setting `desired_counts.web = 1`, verify:
 - the image is an immutable digest, not a mutable tag or placeholder;
 - required secrets have `AWSCURRENT` versions;
 - `HASNA_UPTIME_ALLOWED_ORIGINS` matches the public HTTPS edge origin;
+- CloudFront-to-origin transport is either `https-only` with an origin hostname
+  whose certificate matches that hostname, or the HTTP-origin bridge has a
+  named risk owner and approval recorded in private evidence;
 - CloudFront origin access is distribution-bound with the CloudFront-only origin
   verification header, not just narrowed to CloudFront origin-facing ranges;
 - web egress to ECR, Secrets Manager or SSM, CloudWatch Logs, S3, EFS, and any
@@ -398,11 +418,13 @@ routes are backed by cloud check jobs and cloud audit rows.
   URLs, or probe private keys in task definitions. Use ECS `secrets.valueFrom`
   refs such as `HASNA_UPTIME_HOSTED_TOKEN`.
 - Do not run public probe workers against private targets.
-- Do not enable public probe workers until their cloud check-job path calls
-  `runHostedHttpCheck`, records target-policy decision evidence, and passes AWS
-  smokes for denied DNS answers, redirect-to-denied targets, and address
-  pinning. The SDK runner now handles execution-time DNS and redirect
-  enforcement, but it is not active until the worker is wired to it.
+- Do not enable public probe workers until their cloud check-job path calls the
+  hosted public-check runner, records target-policy decision evidence, and
+  passes AWS smokes for denied DNS answers, redirect-to-denied targets, and
+  address pinning. The SDK and `uptime cloud public-checks run-due` path now
+  handle execution-time DNS and redirect enforcement for bounded smokes, but a
+  sustained public-probe worker loop is not active until it is wired to cloud
+  leases.
 - Do not enable scheduler, public-probe, reporter, or migration workers against
   the EFS SQLite bridge; those services need Postgres/cloud leases first.
 - Do not expose dashboard/API routes without hosted auth and workspace checks.
@@ -414,6 +436,10 @@ routes are backed by cloud check jobs and cloud audit rows.
   the public repo and shared logs. Terraform redacts the sensitive input in CLI
   output, but the value is still stored in encrypted Terraform state, saved plan
   files, and AWS CloudFront/ALB configuration; restrict access accordingly.
+- Do not treat `cloudfront_origin_protocol_policy = "http-only"` as final for
+  token-bearing traffic. The module supports `https-only`, but that mode needs a
+  real origin DNS name and matching ACM certificate because CloudFront verifies
+  the custom-origin TLS certificate against the origin host.
 - Do not treat local SQLite, local project DBs, or private-probe local state as cloud
   authority after cutover.
 - Do configure owner/project/environment/service/cost-center tags, AWS Budgets

package/docs/aws-runtime-security.md

@@ -110,10 +110,12 @@ Target shape inside the approved VPC:
 
 Security groups:
 
-- `open-uptime-alb-sg`: in `cloudfront_default_domain` mode, inbound `80` only
-  from AWS's CloudFront origin-facing managed prefix list; in `alb_https_cert`
-  mode, inbound `443` only from the approved edge/source CIDR policy. Outbound
-  is only to the web target group.
+- `open-uptime-alb-sg`: in `cloudfront_default_domain` mode, inbound origin
+  traffic is limited to AWS's CloudFront origin-facing managed prefix list on
+  `80` for the temporary HTTP bridge or `443` when
+  `cloudfront_origin_protocol_policy = "https-only"`; in `alb_https_cert` mode,
+  inbound `443` is limited to the approved edge/source CIDR policy. Outbound is
+  only to the web target group.
 - `open-uptime-web-sg`: inbound only from ALB, outbound to RDS, S3 endpoint,
   Secrets Manager, Logs, and internal service endpoints.
 - `open-uptime-scheduler-sg`: no inbound, outbound to RDS, Logs, Secrets
@@ -136,10 +138,15 @@ infra PR.
 
 Public web exposure requires defense in depth:
 
-- first deployment may terminate viewer TLS at CloudFront's default HTTPS
-  domain, restrict ALB HTTP origin ingress to CloudFront origin-facing ranges,
+- first zero-count deployment may terminate viewer TLS at CloudFront's default
+  HTTPS domain, restrict ALB origin ingress to CloudFront origin-facing ranges,
   and require the module's CloudFront-only origin verification header at the ALB
   listener;
+- token-bearing live traffic should use CloudFront HTTPS-origin mode by setting
+  `cloudfront_origin_protocol_policy = "https-only"`, a dedicated
+  `cloudfront_origin_domain_name` that resolves to the ALB, and a matching ACM
+  `certificate_arn`. CloudFront validates the custom-origin certificate against
+  the origin hostname, so the ALB DNS name is not enough for this mode;
 - CloudFront prefix-list ingress is not distribution-bound by itself. In
   `cloudfront_default_domain` mode, set
   `enable_cloudfront_origin_verify_header = true` and provide a high-entropy
@@ -154,7 +161,7 @@ Public web exposure requires defense in depth:
   identity layer;
 - hosted web tasks must set `HASNA_UPTIME_ALLOWED_ORIGINS` to the public HTTPS
   edge origin so browser mutation checks do not compare CloudFront HTTPS origins
-  against the private HTTP ALB origin hop;
+  against the ALB origin hostname;
 - Open Uptime still enforces app-level auth and workspace RBAC on every route
   except `/health`;
 - `/health` returns only service liveness/readiness and no monitor data;
@@ -379,7 +386,9 @@ Minimum implementation path:
 
 1. review the repo-owned `Dockerfile` and package-image `Dockerfile.package`;
 2. add the ECR repository and CodeBuild package image builder;
-3. build the published npm package into ECR and record the immutable digest;
+3. build the published npm package into ECR, verify the expected npm
+   `dist.integrity` when `runtime_package_integrity` is set, install production
+   dependencies with the published `bun.lock`, and record the immutable digest;
 4. run typecheck, tests, package checks, and container smoke locally/CI;
 5. for the EFS bridge, keep the desired count at one web task maximum and zero
    scheduler/public-probe/reporter/migration tasks;
@@ -425,6 +434,11 @@ PR must include a rough monthly estimate for:
 Evidence retention and browser trace capture are the primary variable costs.
 Default retention must be short until usage is measured.
 
+ECS services must enable AWS-managed tags and `propagate_tags = "SERVICE"` so
+service-launched tasks retain cost allocation tags. One-off smoke tasks run
+outside ECS service propagation and must pass equivalent tags explicitly in the
+operator command/evidence.
+
 The AWS Terraform starter exposes optional AWS Budgets alerts through
 `monthly_budget_limit_usd` and `budget_alert_email_addresses`; the approved
 infra root must set real human/on-call notification targets and prove
@@ -438,8 +452,9 @@ required before browser evidence or public probe scale-out.
   evidence bucket, encrypted logs, Backup, EFS, and service secret containers.
   It is not live: services remain at desired count `0`, secrets have
   `AWSCURRENT` values, scoped hosted-token descriptors can be used for operator
-  smokes, and no ACM cert or Route53 record exists for a later custom-hostname
-  path. Full production identity/RBAC is still not implemented.
+  smokes, and the HTTPS-origin/custom-hostname path still needs an approved ACM
+  cert, DNS record, plan/apply, and edge smoke. Full production identity/RBAC is
+  still not implemented.
 - Open Uptime is still SQLite-only for this bridge; only one protected web task
   may write EFS until Postgres and cloud leases exist.
 - Hosted API/dashboard auth, workspace RBAC, target policy, and Postgres leases

package/docs/cloud-source-of-truth.md

@@ -122,11 +122,12 @@ or delete workspace B data.
 The target-state architecture uses one shared target policy at both
 configuration time and execution time. The current hosted API implements
 configuration-time checks for direct targets, and the SDK exposes
-`runHostedHttpCheck` for hosted public HTTP probes. That runner performs runtime
-DNS resolution, address pinning, redirect validation, DNS-rebinding protection,
-and decision-record evidence. Public probe execution stays disabled until cloud
-check-job leases and the public-probe worker are wired to that runner and
-validated in AWS.
+`runHostedHttpCheck` plus a bounded hosted public-check service/CLI path for
+workspace-scoped HTTP/TCP checks. Those paths perform runtime DNS resolution,
+address pinning, redirect validation, DNS-rebinding protection, and
+decision-record evidence. Long-running public probe execution stays disabled
+until cloud check-job leases and the public-probe worker loop are wired to that
+runner and validated in AWS.
 
 Public probes must deny:
 
@@ -428,8 +429,10 @@ ECS/API/RDS/S3/probe lag/job backlog/delivery failures, and rollback commands.
 - Hosted API reads are protected only by a broad bootstrap token, and the hosted
   dashboard shell still fails closed; production-grade identity/RBAC is not
   implemented yet.
-- Outbound target policy for hosted HTTP probes exists in the SDK, but the
-  cloud public-probe worker and lease path are not wired to it yet.
+- Outbound target policy for hosted HTTP/TCP checks exists in the SDK and the
+  `uptime cloud public-checks run-due` operator path. The cloud public-probe
+  worker loop, durable check-job lease path, and sustained ECS liveness are not
+  wired yet.
 - `@hasna/cloud` hybrid mode still returns SQLite, so it is not cloud-primary.
 - The local cloud config currently points at a stale/non-resolving database host.
 - Todos has unresolved conflicts that must be reconciled before cloud cutover.

package/docs/deployment-metadata.example.json

@@ -1,7 +1,7 @@
 {
   "service": "open-uptime",
   "package": "@hasna/uptime",
-  "intendedVersion": "0.1.23",
+  "intendedVersion": "0.1.25",
   "accountProfile": "<aws-profile>",
   "accountId": "<aws-account-id>",
   "region": "us-east-1",
@@ -18,7 +18,9 @@
     "mode": "cloudfront_default_domain",
     "url": "https://<cloudfront-domain>",
     "allowedOriginsEnv": "HASNA_UPTIME_ALLOWED_ORIGINS=https://<cloudfront-domain>",
-    "originPolicy": "ALB HTTP ingress restricted to CloudFront origin-facing ranges plus CloudFront-only origin verification header before scale-up",
+    "originPolicy": "ALB origin ingress restricted to CloudFront origin-facing ranges plus CloudFront-only origin verification header before scale-up; HTTPS-origin mode requires cloudfront_origin_domain_name plus matching certificate_arn",
+    "originProtocolPolicy": "http-only-or-https-only",
+    "originDomainName": "<alb-dns-name-or-approved-origin-hostname>",
     "originVerifyHeaderRequiredBeforeScaleUp": true,
     "originVerifyHeaderEnabled": "<true-after-private-root-apply>",
     "originVerifyHeaderName": "<private-header-name>",

package/infra/aws/README.md

@@ -31,31 +31,43 @@ adapter and cloud leases are implemented. Do not set
 
 The included CodeBuild project builds `@hasna/uptime` from npm with
 `Dockerfile.package` and pushes the resulting image to ECR. This avoids
-depending on a local Docker daemon for image publication.
+depending on a local Docker daemon for image publication. Set
+`runtime_package_integrity` in the private root after publish to make CodeBuild
+verify the npm tarball `dist.integrity` before extracting it. The package image
+also installs production dependencies from the published `bun.lock` with
+`--frozen-lockfile`.
 
 The default protected access mode is `cloudfront_default_domain`: CloudFront
-serves HTTPS on its default domain while the ALB origin accepts HTTP only from
-AWS's CloudFront origin-facing managed prefix list. Use `alb_https_cert` only
-after custom DNS and an ACM certificate are approved.
+serves HTTPS on its default domain while the ALB origin is limited to AWS's
+CloudFront origin-facing managed prefix list. The default origin protocol is the
+temporary `http-only` bridge. Before token-bearing live traffic, prefer setting
+`cloudfront_origin_protocol_policy = "https-only"` with a dedicated
+`cloudfront_origin_domain_name` that resolves to the ALB and a matching ACM
+`certificate_arn`. Use `alb_https_cert` only when bypassing CloudFront after
+custom DNS and an ACM certificate are approved.
 The web task receives `HASNA_UPTIME_ALLOWED_ORIGINS` for the selected public
-HTTPS origin so hosted mutation CSRF checks still work through the private HTTP
-origin hop.
+HTTPS origin so hosted mutation CSRF checks still work through the selected
+edge/origin path.
 
 CloudFront prefix-list ingress is only a network narrowing control; it is not
 bound to one distribution. Before enabling the web task, set
 `enable_cloudfront_origin_verify_header = true` and provide a high-entropy
 `cloudfront_origin_verify_header_value` from a private operator workflow. The
 module then configures CloudFront to send that header, makes the ALB default
-action return `403`, and forwards only requests with the matching header.
+action return `403`, and forwards only requests with the matching header on the
+selected HTTP or HTTPS origin listener.
 Terraform marks the value sensitive, but it still lives in encrypted Terraform
 state and in CloudFront/ALB configuration; restrict state, saved plan,
 CloudFront distribution-read, and ELB listener-rule-read access accordingly.
 
 All module resources carry owner, project, environment, service, account, app
-type, and cost-center tags. Set `monthly_budget_limit_usd` plus
-`budget_alert_email_addresses` in the approved infra root to create AWS Budgets
-forecasted and actual spend alerts. Leaving the email list empty skips budget
-creation and is not sufficient for live scale-out approval.
+type, and cost-center tags. ECS services enable AWS-managed tags and propagate
+service tags to launched tasks. Any one-off `run-task` smoke must pass the same
+tag set explicitly because it is outside service propagation. Set
+`monthly_budget_limit_usd` plus `budget_alert_email_addresses` in the approved
+infra root to create AWS Budgets forecasted and actual spend alerts. Leaving the
+email list empty skips budget creation and is not sufficient for live scale-out
+approval.
 
 Private AWS API egress can be pinned through opt-in VPC endpoints by setting
 `enable_private_vpc_endpoints = true` and passing `private_route_table_ids`.
@@ -92,6 +104,9 @@ Store instead of Secrets Manager, add `ssm` to
 ## Current Blockers
 
 - Hosted production auth/RBAC still needs scoped, revocable credentials.
+- The default `http-only` CloudFront origin bridge must be replaced with the
+  explicit HTTPS-origin mode or consciously accepted with documented risk before
+  token-bearing live traffic.
 - Public probe runtime has SDK-level hosted HTTP target-policy enforcement, but
   the public-probe worker and cloud check-job lease path are still disabled until
   they are wired to that runner and validated in AWS.