@hasna/uptime 0.1.24 → 0.1.25

package/dist/index.js

@@ -4623,6 +4623,7 @@ var DEFAULT_WORKSPACE_ID = "workspace-id";
 var DEFAULT_VPC_ID = "vpc-xxxxxxxx";
 var DEFAULT_HOSTED_SQLITE_DB = "/data/uptime/uptime.db";
 var DEFAULT_PROTECTED_ACCESS_MODE = "cloudfront_default_domain";
+var DEFAULT_CLOUDFRONT_ORIGIN_PROTOCOL_POLICY = "http-only";
 function buildAwsDeploymentPlan(options = {}) {
   const region = clean(options.region, DEFAULT_REGION);
   const stage = clean(options.stage, DEFAULT_STAGE);
@@ -4635,8 +4636,11 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.24");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.25");
+  const runtimePackageIntegrity = options.runtimePackageIntegrity?.trim() || undefined;
   const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
+  const cloudfrontOriginProtocolPolicy = options.cloudfrontOriginProtocolPolicy ?? DEFAULT_CLOUDFRONT_ORIGIN_PROTOCOL_POLICY;
+  const cloudfrontOriginDomainName = clean(options.cloudfrontOriginDomainName, "<alb-dns-name>");
   const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;
   const secrets = {
@@ -4703,6 +4707,13 @@ function buildAwsDeploymentPlan(options = {}) {
       protectedAccessMode,
       edgeDistribution: protectedAccessMode === "cloudfront_default_domain" ? `${prefix}-${stage}-edge` : undefined,
       protectedAccessUrl,
+      cloudfrontOrigin: protectedAccessMode === "cloudfront_default_domain" ? {
+        protocolPolicy: cloudfrontOriginProtocolPolicy,
+        domainName: cloudfrontOriginProtocolPolicy === "https-only" ? cloudfrontOriginDomainName : "<alb-dns-name>",
+        requiresMatchingCertificate: cloudfrontOriginProtocolPolicy === "https-only",
+        liveTrafficApproved: false,
+        risk: cloudfrontOriginProtocolPolicy === "http-only" ? "Temporary HTTP-origin bridge: do not use for token-bearing live traffic without explicit risk acceptance, or switch to https-only with cloudfront_origin_domain_name plus certificate_arn." : "CloudFront HTTPS-origin mode requires the origin hostname to resolve to the ALB and match certificate_arn."
+      } : undefined,
       originVerification: protectedAccessMode === "cloudfront_default_domain" ? {
         mode: "cloudfront_origin_header",
         requiredBeforeScaleUp: true,
@@ -4735,6 +4746,7 @@ function buildAwsDeploymentPlan(options = {}) {
       repository: ecrRepository,
       uri: image,
       dockerfile: "Dockerfile.package",
+      expectedIntegrity: runtimePackageIntegrity,
       buildCommand: `BLOCKED: after infra approval, AWS CodeBuild builds Dockerfile.package from @hasna/uptime@${runtimePackageVersion} into ${imageRepositoryUri}`,
       pushCommands: [
         `BLOCKED: start ${prefix}-${stage}-image-builder only through the approved deploy pipeline after @hasna/uptime@${runtimePackageVersion} is published`,
@@ -4761,16 +4773,16 @@ function buildAwsDeploymentPlan(options = {}) {
         `Infra PR must declare CodeBuild image builder ${prefix}-${stage}-image-builder for @hasna/uptime@${runtimePackageVersion}.`,
         `Infra PR must declare hardened S3 evidence bucket ${evidenceBucket} with KMS, versioning, lifecycle, and public access block.`,
         `Infra PR must declare encrypted EFS ${prefix}-${stage}-data with access point, mount targets, and AWS Backup plan.`,
-        protectedAccessMode === "cloudfront_default_domain" ? "Infra PR must declare CloudFront default-domain HTTPS edge, ALB HTTP listener restricted to CloudFront origin-facing ranges, CloudFront-only origin verification header binding, ECS/Fargate cluster, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs." : `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB HTTPS listener, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
+        protectedAccessMode === "cloudfront_default_domain" ? "Infra PR must declare CloudFront default-domain HTTPS edge, ALB origin listener restricted to CloudFront origin-facing ranges, CloudFront-only origin verification header binding, ECS/Fargate cluster, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs. Token-bearing live traffic must use cloudfront_origin_protocol_policy=https-only with a matching origin hostname/certificate, or carry explicit HTTP-origin risk acceptance." : `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB HTTPS listener, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
         "Only apply the infra plan from the approved infrastructure repository after review evidence is attached."
       ],
       deploy: [
         "Build and publish the image only after the Dockerfile/container target is reviewed.",
-        `Start the AWS image builder for @hasna/uptime@${runtimePackageVersion} and record the pushed image digest.`,
+        runtimePackageIntegrity ? `Start the AWS image builder for @hasna/uptime@${runtimePackageVersion}; it must verify npm dist.integrity ${runtimePackageIntegrity} before extracting the package, then record the pushed image digest.` : `Start the AWS image builder for @hasna/uptime@${runtimePackageVersion}; set runtime_package_integrity from npm dist.integrity before live use, then record the pushed image digest.`,
         "For the EFS SQLite bridge, do not run migration, scheduler, public-probe, or reporter tasks; keep them at desired count 0 until Postgres and cloud leases exist.",
         `Register task definitions for ${services.map((service) => service.name).join(", ")} using valueFrom secrets.`,
         `Update ECS services in cluster ${cluster} one component at a time through the approved deploy pipeline.`,
-        protectedAccessMode === "cloudfront_default_domain" ? "Use the CloudFront default HTTPS domain with origin verification header binding for first protected access; add custom DNS/certificate only after edge ownership is approved." : `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
+        protectedAccessMode === "cloudfront_default_domain" ? "Use the CloudFront default HTTPS domain with origin verification header binding for first protected access; before token-bearing live traffic, switch the origin to https-only with a matching origin hostname/certificate or record explicit HTTP-origin risk acceptance." : `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
       ],
       rollback: [
         "Keep previous task definition ARNs before each service update.",
@@ -4787,6 +4799,8 @@ function buildAwsDeploymentPlan(options = {}) {
     blockers: [
       "The infrastructure owner repository was not found in this workspace.",
       protectedAccessMode === "cloudfront_default_domain" ? "CloudFront origin verification header binding must be enabled and direct-origin denial must be proven before web desired count is raised above 0." : "ALB HTTPS ingress policy and auth-denial smokes must be proven before web desired count is raised above 0.",
+      ...protectedAccessMode === "cloudfront_default_domain" && cloudfrontOriginProtocolPolicy === "http-only" ? ["CloudFront-to-ALB origin transport is still http-only; token-bearing live traffic needs https-only origin mode or explicit risk acceptance."] : [],
+      ...protectedAccessMode === "cloudfront_default_domain" && cloudfrontOriginProtocolPolicy === "https-only" && cloudfrontOriginDomainName === "<alb-dns-name>" ? ["CloudFront https-only origin mode needs cloudfront_origin_domain_name that resolves to the ALB and matches certificate_arn."] : [],
       "The EFS SQLite bridge is single-writer only: web target desired count is 1 and scheduler/public-probe/reporter targets remain 0 until Postgres and cloud leases exist.",
       "Hosted production auth/RBAC must replace broad static hosted-token operation before exposure.",
       "Public probe execution still needs cloud check-job leases wired to runHostedHttpCheck and live policy-decision log evidence.",
@@ -4795,8 +4809,9 @@ function buildAwsDeploymentPlan(options = {}) {
     requiredEvidence: [
       "Infrastructure PR/synth/plan from the approved infra repository.",
       "CodeBuild image-builder run, container smoke, and immutable image digest.",
+      "Published package dist.integrity pinned in the private infra root or an explicit not-live exception.",
       "ECS task definitions using secrets.valueFrom only.",
-      "CloudFront-default-domain origin-header config or ALB TLS auth-denial smokes, direct-origin denial evidence, and web alarm checks.",
+      "CloudFront-default-domain origin-header config, origin transport decision, direct-origin denial evidence, auth-denial smokes, and web alarm checks.",
       "Single-writer ECS evidence: one web task maximum and no scheduler/public-probe/reporter EFS mounts.",
       "EFS encryption, access point, mount-target, AWS Backup, and restore-drill evidence.",
       "S3 bucket KMS, versioning, lifecycle, and public-access-block evidence.",
@@ -4809,11 +4824,13 @@ function buildAwsDeploymentPlan(options = {}) {
       notes: [
         "This plan generator does not call AWS.",
         "Blocked plan output intentionally avoids copy-pastable AWS mutation commands.",
-        "Default protected access uses CloudFront's HTTPS default domain so first deploy is not blocked on custom DNS or ACM.",
+        "Default protected access uses CloudFront's HTTPS default domain so first zero-count deploy is not blocked on custom DNS or ACM.",
         "CloudFront default-domain mode still requires origin verification header binding before live scale-up; the header value is sensitive state/config material, not public documentation.",
+        "CloudFront HTTPS-origin mode requires a dedicated origin DNS hostname and matching ACM certificate; do not assume the ALB DNS name can satisfy TLS verification.",
         "Hosted runtime uses explicit EFS-backed SQLite at HASNA_UPTIME_HOSTED_SQLITE_DB until the async Postgres adapter exists.",
         "Do not set HASNA_UPTIME_DATABASE_URL for hosted tasks until the Postgres adapter is implemented.",
         "Secrets are represented as secret names/refs and must be injected with valueFrom.",
+        "Set runtime_package_integrity in the approved infra root after publish so the AWS image builder verifies the npm tarball before ECR build.",
         "Actual deploy belongs in the deploy_release_operate_final goal node after infra review."
       ]
     }

package/docs/aws-deployment-runbook.md

@@ -60,9 +60,14 @@ start a private probe until the JSON output says `canStart: true`.
 
 4. Confirm the target VPC, private subnets, KMS key, and EFS/Backup plan inputs
    still match the plan.
-5. Confirm the protected access mode. The first deploy can use the CloudFront
-   default HTTPS domain without custom DNS or ACM. Custom hostname deploys still
-   require Route53/edge ownership and an ACM certificate.
+5. Confirm the protected access mode. The first zero-count deploy can use the
+   CloudFront default HTTPS domain without custom DNS or ACM. Before
+   token-bearing live traffic, either set
+   `cloudfront_origin_protocol_policy = "https-only"` with a dedicated
+   `cloudfront_origin_domain_name` that resolves to the ALB and a matching ACM
+   `certificate_arn`, or record an explicit risk acceptance for the temporary
+   HTTP-origin bridge. Custom hostname deploys still require Route53/edge
+   ownership and an ACM certificate.
 6. Confirm the deployment role uses short-lived credentials or OIDC, not copied
    access keys.
 7. Create a private evidence directory outside the public repository. Store
@@ -77,9 +82,12 @@ The plan expects:
 - ECS/Fargate cluster with separate services for web, scheduler, public probe,
   reporter, and one-off migrations. In the current EFS SQLite bridge, only web
   may be enabled and it must run at desired count `0` or `1`.
-- CloudFront default-domain HTTPS edge plus ALB HTTP origin restricted to
-  CloudFront origin-facing ranges, or an ALB HTTPS listener with ACM certificate
-  when custom DNS is approved.
+- CloudFront default-domain HTTPS edge plus an ALB origin restricted to
+  CloudFront origin-facing ranges. The default zero-count bridge uses HTTP to
+  the origin; token-bearing live traffic should use the module's HTTPS-origin
+  mode with `cloudfront_origin_domain_name` plus `certificate_arn`, or a
+  documented risk acceptance. Direct ALB HTTPS mode also requires custom DNS and
+  an ACM certificate.
 - Encrypted EFS file system, access point, mount targets, and AWS Backup plan
   for `HASNA_UPTIME_HOSTED_SQLITE_DB=/data/uptime/uptime.db`.
 - S3 bucket for redacted browser evidence and generated report artifacts.
@@ -151,6 +159,12 @@ aws codebuild start-build \
   --project-name "$IMAGE_BUILDER_PROJECT"
 ```
 
+The private infra root should set `runtime_package_integrity` to the published
+npm `dist.integrity` value for the exact `runtime_package_version`. The image
+builder verifies that value before extracting the package. If the value is not
+set, record why the tarball is not integrity-pinned and keep the service
+not-live.
+
 Update the approved infra root so `container_image` is the immutable ECR digest,
 then re-plan with all services still at `0`.
 
@@ -179,6 +193,9 @@ Before setting `desired_counts.web = 1`, verify:
 - the image is an immutable digest, not a mutable tag or placeholder;
 - required secrets have `AWSCURRENT` versions;
 - `HASNA_UPTIME_ALLOWED_ORIGINS` matches the public HTTPS edge origin;
+- CloudFront-to-origin transport is either `https-only` with an origin hostname
+  whose certificate matches that hostname, or the HTTP-origin bridge has a
+  named risk owner and approval recorded in private evidence;
 - CloudFront origin access is distribution-bound with the CloudFront-only origin
   verification header, not just narrowed to CloudFront origin-facing ranges;
 - web egress to ECR, Secrets Manager or SSM, CloudWatch Logs, S3, EFS, and any
@@ -419,6 +436,10 @@ routes are backed by cloud check jobs and cloud audit rows.
   the public repo and shared logs. Terraform redacts the sensitive input in CLI
   output, but the value is still stored in encrypted Terraform state, saved plan
   files, and AWS CloudFront/ALB configuration; restrict access accordingly.
+- Do not treat `cloudfront_origin_protocol_policy = "http-only"` as final for
+  token-bearing traffic. The module supports `https-only`, but that mode needs a
+  real origin DNS name and matching ACM certificate because CloudFront verifies
+  the custom-origin TLS certificate against the origin host.
 - Do not treat local SQLite, local project DBs, or private-probe local state as cloud
   authority after cutover.
 - Do configure owner/project/environment/service/cost-center tags, AWS Budgets

package/docs/aws-runtime-security.md

@@ -110,10 +110,12 @@ Target shape inside the approved VPC:
 
 Security groups:
 
-- `open-uptime-alb-sg`: in `cloudfront_default_domain` mode, inbound `80` only
-  from AWS's CloudFront origin-facing managed prefix list; in `alb_https_cert`
-  mode, inbound `443` only from the approved edge/source CIDR policy. Outbound
-  is only to the web target group.
+- `open-uptime-alb-sg`: in `cloudfront_default_domain` mode, inbound origin
+  traffic is limited to AWS's CloudFront origin-facing managed prefix list on
+  `80` for the temporary HTTP bridge or `443` when
+  `cloudfront_origin_protocol_policy = "https-only"`; in `alb_https_cert` mode,
+  inbound `443` is limited to the approved edge/source CIDR policy. Outbound is
+  only to the web target group.
 - `open-uptime-web-sg`: inbound only from ALB, outbound to RDS, S3 endpoint,
   Secrets Manager, Logs, and internal service endpoints.
 - `open-uptime-scheduler-sg`: no inbound, outbound to RDS, Logs, Secrets
@@ -136,10 +138,15 @@ infra PR.
 
 Public web exposure requires defense in depth:
 
-- first deployment may terminate viewer TLS at CloudFront's default HTTPS
-  domain, restrict ALB HTTP origin ingress to CloudFront origin-facing ranges,
+- first zero-count deployment may terminate viewer TLS at CloudFront's default
+  HTTPS domain, restrict ALB origin ingress to CloudFront origin-facing ranges,
   and require the module's CloudFront-only origin verification header at the ALB
   listener;
+- token-bearing live traffic should use CloudFront HTTPS-origin mode by setting
+  `cloudfront_origin_protocol_policy = "https-only"`, a dedicated
+  `cloudfront_origin_domain_name` that resolves to the ALB, and a matching ACM
+  `certificate_arn`. CloudFront validates the custom-origin certificate against
+  the origin hostname, so the ALB DNS name is not enough for this mode;
 - CloudFront prefix-list ingress is not distribution-bound by itself. In
   `cloudfront_default_domain` mode, set
   `enable_cloudfront_origin_verify_header = true` and provide a high-entropy
@@ -154,7 +161,7 @@ Public web exposure requires defense in depth:
   identity layer;
 - hosted web tasks must set `HASNA_UPTIME_ALLOWED_ORIGINS` to the public HTTPS
   edge origin so browser mutation checks do not compare CloudFront HTTPS origins
-  against the private HTTP ALB origin hop;
+  against the ALB origin hostname;
 - Open Uptime still enforces app-level auth and workspace RBAC on every route
   except `/health`;
 - `/health` returns only service liveness/readiness and no monitor data;
@@ -379,7 +386,9 @@ Minimum implementation path:
 
 1. review the repo-owned `Dockerfile` and package-image `Dockerfile.package`;
 2. add the ECR repository and CodeBuild package image builder;
-3. build the published npm package into ECR and record the immutable digest;
+3. build the published npm package into ECR, verify the expected npm
+   `dist.integrity` when `runtime_package_integrity` is set, install production
+   dependencies with the published `bun.lock`, and record the immutable digest;
 4. run typecheck, tests, package checks, and container smoke locally/CI;
 5. for the EFS bridge, keep the desired count at one web task maximum and zero
    scheduler/public-probe/reporter/migration tasks;
@@ -425,6 +434,11 @@ PR must include a rough monthly estimate for:
 Evidence retention and browser trace capture are the primary variable costs.
 Default retention must be short until usage is measured.
 
+ECS services must enable AWS-managed tags and `propagate_tags = "SERVICE"` so
+service-launched tasks retain cost allocation tags. One-off smoke tasks run
+outside ECS service propagation and must pass equivalent tags explicitly in the
+operator command/evidence.
+
 The AWS Terraform starter exposes optional AWS Budgets alerts through
 `monthly_budget_limit_usd` and `budget_alert_email_addresses`; the approved
 infra root must set real human/on-call notification targets and prove
@@ -438,8 +452,9 @@ required before browser evidence or public probe scale-out.
   evidence bucket, encrypted logs, Backup, EFS, and service secret containers.
   It is not live: services remain at desired count `0`, secrets have
   `AWSCURRENT` values, scoped hosted-token descriptors can be used for operator
-  smokes, and no ACM cert or Route53 record exists for a later custom-hostname
-  path. Full production identity/RBAC is still not implemented.
+  smokes, and the HTTPS-origin/custom-hostname path still needs an approved ACM
+  cert, DNS record, plan/apply, and edge smoke. Full production identity/RBAC is
+  still not implemented.
 - Open Uptime is still SQLite-only for this bridge; only one protected web task
   may write EFS until Postgres and cloud leases exist.
 - Hosted API/dashboard auth, workspace RBAC, target policy, and Postgres leases

package/docs/deployment-metadata.example.json

@@ -1,7 +1,7 @@
 {
   "service": "open-uptime",
   "package": "@hasna/uptime",
-  "intendedVersion": "0.1.24",
+  "intendedVersion": "0.1.25",
   "accountProfile": "<aws-profile>",
   "accountId": "<aws-account-id>",
   "region": "us-east-1",
@@ -18,7 +18,9 @@
     "mode": "cloudfront_default_domain",
     "url": "https://<cloudfront-domain>",
     "allowedOriginsEnv": "HASNA_UPTIME_ALLOWED_ORIGINS=https://<cloudfront-domain>",
-    "originPolicy": "ALB HTTP ingress restricted to CloudFront origin-facing ranges plus CloudFront-only origin verification header before scale-up",
+    "originPolicy": "ALB origin ingress restricted to CloudFront origin-facing ranges plus CloudFront-only origin verification header before scale-up; HTTPS-origin mode requires cloudfront_origin_domain_name plus matching certificate_arn",
+    "originProtocolPolicy": "http-only-or-https-only",
+    "originDomainName": "<alb-dns-name-or-approved-origin-hostname>",
     "originVerifyHeaderRequiredBeforeScaleUp": true,
     "originVerifyHeaderEnabled": "<true-after-private-root-apply>",
     "originVerifyHeaderName": "<private-header-name>",

package/infra/aws/README.md

@@ -31,31 +31,43 @@ adapter and cloud leases are implemented. Do not set
 
 The included CodeBuild project builds `@hasna/uptime` from npm with
 `Dockerfile.package` and pushes the resulting image to ECR. This avoids
-depending on a local Docker daemon for image publication.
+depending on a local Docker daemon for image publication. Set
+`runtime_package_integrity` in the private root after publish to make CodeBuild
+verify the npm tarball `dist.integrity` before extracting it. The package image
+also installs production dependencies from the published `bun.lock` with
+`--frozen-lockfile`.
 
 The default protected access mode is `cloudfront_default_domain`: CloudFront
-serves HTTPS on its default domain while the ALB origin accepts HTTP only from
-AWS's CloudFront origin-facing managed prefix list. Use `alb_https_cert` only
-after custom DNS and an ACM certificate are approved.
+serves HTTPS on its default domain while the ALB origin is limited to AWS's
+CloudFront origin-facing managed prefix list. The default origin protocol is the
+temporary `http-only` bridge. Before token-bearing live traffic, prefer setting
+`cloudfront_origin_protocol_policy = "https-only"` with a dedicated
+`cloudfront_origin_domain_name` that resolves to the ALB and a matching ACM
+`certificate_arn`. Use `alb_https_cert` only when bypassing CloudFront after
+custom DNS and an ACM certificate are approved.
 The web task receives `HASNA_UPTIME_ALLOWED_ORIGINS` for the selected public
-HTTPS origin so hosted mutation CSRF checks still work through the private HTTP
-origin hop.
+HTTPS origin so hosted mutation CSRF checks still work through the selected
+edge/origin path.
 
 CloudFront prefix-list ingress is only a network narrowing control; it is not
 bound to one distribution. Before enabling the web task, set
 `enable_cloudfront_origin_verify_header = true` and provide a high-entropy
 `cloudfront_origin_verify_header_value` from a private operator workflow. The
 module then configures CloudFront to send that header, makes the ALB default
-action return `403`, and forwards only requests with the matching header.
+action return `403`, and forwards only requests with the matching header on the
+selected HTTP or HTTPS origin listener.
 Terraform marks the value sensitive, but it still lives in encrypted Terraform
 state and in CloudFront/ALB configuration; restrict state, saved plan,
 CloudFront distribution-read, and ELB listener-rule-read access accordingly.
 
 All module resources carry owner, project, environment, service, account, app
-type, and cost-center tags. Set `monthly_budget_limit_usd` plus
-`budget_alert_email_addresses` in the approved infra root to create AWS Budgets
-forecasted and actual spend alerts. Leaving the email list empty skips budget
-creation and is not sufficient for live scale-out approval.
+type, and cost-center tags. ECS services enable AWS-managed tags and propagate
+service tags to launched tasks. Any one-off `run-task` smoke must pass the same
+tag set explicitly because it is outside service propagation. Set
+`monthly_budget_limit_usd` plus `budget_alert_email_addresses` in the approved
+infra root to create AWS Budgets forecasted and actual spend alerts. Leaving the
+email list empty skips budget creation and is not sufficient for live scale-out
+approval.
 
 Private AWS API egress can be pinned through opt-in VPC endpoints by setting
 `enable_private_vpc_endpoints = true` and passing `private_route_table_ids`.
@@ -92,6 +104,9 @@ Store instead of Secrets Manager, add `ssm` to
 ## Current Blockers
 
 - Hosted production auth/RBAC still needs scoped, revocable credentials.
+- The default `http-only` CloudFront origin bridge must be replaced with the
+  explicit HTTPS-origin mode or consciously accepted with documented risk before
+  token-bearing live traffic.
 - Public probe runtime has SDK-level hosted HTTP target-policy enforcement, but
   the public-probe worker and cloud check-job lease path are still disabled until
   they are wired to that runner and validated in AWS.

package/infra/aws/main.tf

@@ -17,16 +17,21 @@ data "aws_caller_identity" "current" {}
 data "aws_partition" "current" {}
 
 locals {
-  prefix                = "${var.service_name}-${var.stage}"
-  container_port        = 3899
-  evidence_bucket       = "hasna-${var.stage}-${var.service_name}-evidence"
-  efs_uid               = 10001
-  efs_gid               = 10001
-  hosted_sqlite_db_path = "/data/uptime/uptime.db"
-  efs_enabled_services  = toset(["web"])
-  use_alb_https         = var.protected_access_mode == "alb_https_cert"
-  use_cloudfront        = var.protected_access_mode == "cloudfront_default_domain"
-  use_origin_verify     = local.use_cloudfront && var.enable_cloudfront_origin_verify_header
+  prefix                             = "${var.service_name}-${var.stage}"
+  container_port                     = 3899
+  evidence_bucket                    = "hasna-${var.stage}-${var.service_name}-evidence"
+  efs_uid                            = 10001
+  efs_gid                            = 10001
+  hosted_sqlite_db_path              = "/data/uptime/uptime.db"
+  efs_enabled_services               = toset(["web"])
+  expected_runtime_package_integrity = coalesce(var.runtime_package_integrity, "")
+  use_alb_https                      = var.protected_access_mode == "alb_https_cert"
+  use_cloudfront                     = var.protected_access_mode == "cloudfront_default_domain"
+  cloudfront_https_origin = (
+    local.use_cloudfront && var.cloudfront_origin_protocol_policy == "https-only"
+  )
+  alb_https_listener_enabled = local.use_alb_https || local.cloudfront_https_origin
+  use_origin_verify          = local.use_cloudfront && var.enable_cloudfront_origin_verify_header
   services = {
     web = {
       desired_count = lookup(var.desired_counts, "web", 0)
@@ -236,9 +241,18 @@ resource "aws_codebuild_project" "image_builder" {
             - aws ecr get-login-password --region ${var.region} | docker login --username AWS --password-stdin ${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com
         build:
           commands:
-            - npm pack @hasna/uptime@${var.runtime_package_version}
+            - EXPECTED_RUNTIME_PACKAGE_INTEGRITY='${local.expected_runtime_package_integrity}'
+            - PACKAGE_TARBALL=$(npm pack @hasna/uptime@${var.runtime_package_version} --silent)
+            - PACKAGE_INTEGRITY=$(npm view @hasna/uptime@${var.runtime_package_version} dist.integrity --json | tr -d '"')
+            - test -n "$PACKAGE_INTEGRITY"
+            - |
+              if [ -n "$EXPECTED_RUNTIME_PACKAGE_INTEGRITY" ] && [ "$PACKAGE_INTEGRITY" != "$EXPECTED_RUNTIME_PACKAGE_INTEGRITY" ]; then
+                echo "runtime package integrity mismatch" >&2
+                exit 1
+              fi
+            - printf 'runtime package integrity %s\n' "$PACKAGE_INTEGRITY"
             - mkdir package
-            - tar -xzf hasna-uptime-*.tgz -C package --strip-components=1
+            - tar -xzf "$PACKAGE_TARBALL" -C package --strip-components=1
             - cd package
             - docker build -f Dockerfile.package -t ${aws_ecr_repository.open_uptime.repository_url}:${var.runtime_package_version} .
             - docker push ${aws_ecr_repository.open_uptime.repository_url}:${var.runtime_package_version}
@@ -366,8 +380,19 @@ resource "aws_security_group_rule" "alb_https_ingress" {
   cidr_blocks       = var.alb_ingress_cidr_blocks
 }
 
+resource "aws_security_group_rule" "alb_https_from_cloudfront" {
+  count             = local.cloudfront_https_origin ? 1 : 0
+  type              = "ingress"
+  description       = "HTTPS from CloudFront origin-facing ranges"
+  security_group_id = aws_security_group.alb.id
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  prefix_list_ids   = [data.aws_ec2_managed_prefix_list.cloudfront_origin_facing[0].id]
+}
+
 resource "aws_security_group_rule" "alb_http_from_cloudfront" {
-  count             = local.use_cloudfront ? 1 : 0
+  count             = local.use_cloudfront && !local.cloudfront_https_origin ? 1 : 0
   type              = "ingress"
   description       = "HTTP from CloudFront origin-facing ranges"
   security_group_id = aws_security_group.alb.id
@@ -881,21 +906,37 @@ resource "aws_lb_target_group" "web" {
 }
 
 resource "aws_lb_listener" "https" {
-  count             = local.use_alb_https ? 1 : 0
+  count             = local.alb_https_listener_enabled ? 1 : 0
   load_balancer_arn = aws_lb.open_uptime.arn
   port              = 443
   protocol          = "HTTPS"
   certificate_arn   = var.certificate_arn
   tags              = local.tags
 
-  default_action {
-    type             = "forward"
-    target_group_arn = aws_lb_target_group.web.arn
+  dynamic "default_action" {
+    for_each = local.cloudfront_https_origin && local.use_origin_verify ? [] : [1]
+    content {
+      type             = "forward"
+      target_group_arn = aws_lb_target_group.web.arn
+    }
+  }
+
+  dynamic "default_action" {
+    for_each = local.cloudfront_https_origin && local.use_origin_verify ? [1] : []
+    content {
+      type = "fixed-response"
+
+      fixed_response {
+        content_type = "text/plain"
+        message_body = "forbidden"
+        status_code  = "403"
+      }
+    }
   }
 }
 
 resource "aws_lb_listener" "http_cloudfront" {
-  count             = local.use_cloudfront ? 1 : 0
+  count             = local.use_cloudfront && !local.cloudfront_https_origin ? 1 : 0
   load_balancer_arn = aws_lb.open_uptime.arn
   port              = 80
   protocol          = "HTTP"
@@ -924,7 +965,7 @@ resource "aws_lb_listener" "http_cloudfront" {
 }
 
 resource "aws_lb_listener_rule" "http_cloudfront_origin_verify" {
-  count        = local.use_origin_verify ? 1 : 0
+  count        = local.use_origin_verify && !local.cloudfront_https_origin ? 1 : 0
   listener_arn = aws_lb_listener.http_cloudfront[0].arn
   priority     = var.cloudfront_origin_verify_listener_rule_priority
   tags         = local.tags
@@ -942,6 +983,25 @@ resource "aws_lb_listener_rule" "http_cloudfront_origin_verify" {
   }
 }
 
+resource "aws_lb_listener_rule" "https_cloudfront_origin_verify" {
+  count        = local.use_origin_verify && local.cloudfront_https_origin ? 1 : 0
+  listener_arn = aws_lb_listener.https[0].arn
+  priority     = var.cloudfront_origin_verify_listener_rule_priority
+  tags         = local.tags
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.web.arn
+  }
+
+  condition {
+    http_header {
+      http_header_name = var.cloudfront_origin_verify_header_name
+      values           = [var.cloudfront_origin_verify_header_value]
+    }
+  }
+}
+
 resource "aws_cloudfront_distribution" "open_uptime" {
   count           = local.use_cloudfront ? 1 : 0
   enabled         = true
@@ -951,7 +1011,7 @@ resource "aws_cloudfront_distribution" "open_uptime" {
   tags            = local.tags
 
   origin {
-    domain_name = aws_lb.open_uptime.dns_name
+    domain_name = local.cloudfront_https_origin ? var.cloudfront_origin_domain_name : aws_lb.open_uptime.dns_name
     origin_id   = "${local.prefix}-alb"
 
     dynamic "custom_header" {
@@ -965,7 +1025,7 @@ resource "aws_cloudfront_distribution" "open_uptime" {
     custom_origin_config {
       http_port              = 80
       https_port             = 443
-      origin_protocol_policy = "http-only"
+      origin_protocol_policy = var.cloudfront_origin_protocol_policy
       origin_ssl_protocols   = ["TLSv1.2"]
     }
   }
@@ -1000,7 +1060,12 @@ resource "aws_cloudfront_distribution" "open_uptime" {
     cloudfront_default_certificate = true
   }
 
-  depends_on = [aws_lb_listener.http_cloudfront, aws_lb_listener_rule.http_cloudfront_origin_verify]
+  depends_on = [
+    aws_lb_listener.http_cloudfront,
+    aws_lb_listener.https,
+    aws_lb_listener_rule.http_cloudfront_origin_verify,
+    aws_lb_listener_rule.https_cloudfront_origin_verify,
+  ]
 }
 
 resource "aws_route53_record" "open_uptime" {
@@ -1016,6 +1081,19 @@ resource "aws_route53_record" "open_uptime" {
   }
 }
 
+resource "aws_route53_record" "cloudfront_origin" {
+  count   = local.cloudfront_https_origin && var.hosted_zone_id != null ? 1 : 0
+  zone_id = var.hosted_zone_id
+  name    = var.cloudfront_origin_domain_name
+  type    = "A"
+
+  alias {
+    name                   = aws_lb.open_uptime.dns_name
+    zone_id                = aws_lb.open_uptime.zone_id
+    evaluate_target_health = true
+  }
+}
+
 data "aws_iam_policy_document" "ecs_assume_role" {
   statement {
     actions = ["sts:AssumeRole"]
@@ -1194,12 +1272,14 @@ resource "aws_ecs_task_definition" "service" {
 }
 
 resource "aws_ecs_service" "web" {
-  name            = "${local.prefix}-web"
-  cluster         = aws_ecs_cluster.open_uptime.id
-  task_definition = aws_ecs_task_definition.service["web"].arn
-  desired_count   = local.services.web.desired_count
-  launch_type     = "FARGATE"
-  tags            = local.tags
+  name                    = "${local.prefix}-web"
+  cluster                 = aws_ecs_cluster.open_uptime.id
+  task_definition         = aws_ecs_task_definition.service["web"].arn
+  desired_count           = local.services.web.desired_count
+  launch_type             = "FARGATE"
+  enable_ecs_managed_tags = true
+  propagate_tags          = "SERVICE"
+  tags                    = local.tags
 
   deployment_circuit_breaker {
     enable   = true
@@ -1226,12 +1306,14 @@ resource "aws_ecs_service" "worker" {
     for key, value in local.services : key => value if key != "web" && key != "migration"
   }
 
-  name            = "${local.prefix}-${each.key}"
-  cluster         = aws_ecs_cluster.open_uptime.id
-  task_definition = aws_ecs_task_definition.service[each.key].arn
-  desired_count   = each.value.desired_count
-  launch_type     = "FARGATE"
-  tags            = local.tags
+  name                    = "${local.prefix}-${each.key}"
+  cluster                 = aws_ecs_cluster.open_uptime.id
+  task_definition         = aws_ecs_task_definition.service[each.key].arn
+  desired_count           = each.value.desired_count
+  launch_type             = "FARGATE"
+  enable_ecs_managed_tags = true
+  propagate_tags          = "SERVICE"
+  tags                    = local.tags
 
   deployment_circuit_breaker {
     enable   = true

package/infra/aws/outputs.tf

@@ -18,6 +18,14 @@ output "cloudfront_domain_name" {
   value = try(aws_cloudfront_distribution.open_uptime[0].domain_name, null)
 }
 
+output "cloudfront_origin_protocol_policy" {
+  value = local.use_cloudfront ? var.cloudfront_origin_protocol_policy : null
+}
+
+output "cloudfront_origin_domain_name" {
+  value = local.use_cloudfront ? (local.cloudfront_https_origin ? var.cloudfront_origin_domain_name : aws_lb.open_uptime.dns_name) : null
+}
+
 output "protected_access_url" {
   value = var.protected_access_mode == "cloudfront_default_domain" ? "https://${aws_cloudfront_distribution.open_uptime[0].domain_name}" : "https://${var.hostname}"
 }

package/infra/aws/terraform.tfvars.example

@@ -11,6 +11,8 @@ workspace_id             = "workspace-id"
 vpc_id                   = "vpc-xxxxxxxx"
 ecr_repository_name      = "open-uptime"
 protected_access_mode    = "cloudfront_default_domain"
+cloudfront_origin_protocol_policy = "http-only"
+cloudfront_origin_domain_name     = null
 enable_cloudfront_origin_verify_header = false
 cloudfront_origin_verify_header_name   = "X-Open-Uptime-Origin-Verify"
 cloudfront_origin_verify_header_value  = null
@@ -19,7 +21,8 @@ alb_ingress_cidr_blocks = []
 private_subnet_ids       = ["subnet-replace-private-a", "subnet-replace-private-b"]
 private_route_table_ids  = ["rtb-replace-private"]
 container_image          = "123456789012.dkr.ecr.us-east-1.amazonaws.com/open-uptime@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-runtime_package_version  = "0.1.24"
+runtime_package_version   = "0.1.25"
+runtime_package_integrity = null
 certificate_arn          = null
 hosted_zone_id           = null
 app_env_secret_arn       = "arn:aws:secretsmanager:us-east-1:123456789012:secret:open-uptime/prod/app/env"