@hasna/uptime 0.1.24 → 0.1.26

package/dist/index.js

@@ -4623,6 +4623,7 @@ var DEFAULT_WORKSPACE_ID = "workspace-id";
 var DEFAULT_VPC_ID = "vpc-xxxxxxxx";
 var DEFAULT_HOSTED_SQLITE_DB = "/data/uptime/uptime.db";
 var DEFAULT_PROTECTED_ACCESS_MODE = "cloudfront_default_domain";
+var DEFAULT_CLOUDFRONT_ORIGIN_PROTOCOL_POLICY = "http-only";
 function buildAwsDeploymentPlan(options = {}) {
   const region = clean(options.region, DEFAULT_REGION);
   const stage = clean(options.stage, DEFAULT_STAGE);
@@ -4635,8 +4636,11 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.24");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.26");
+  const runtimePackageIntegrity = options.runtimePackageIntegrity?.trim() || undefined;
   const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
+  const cloudfrontOriginProtocolPolicy = options.cloudfrontOriginProtocolPolicy ?? DEFAULT_CLOUDFRONT_ORIGIN_PROTOCOL_POLICY;
+  const cloudfrontOriginDomainName = clean(options.cloudfrontOriginDomainName, "<alb-dns-name>");
   const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;
   const secrets = {
@@ -4703,6 +4707,13 @@ function buildAwsDeploymentPlan(options = {}) {
       protectedAccessMode,
       edgeDistribution: protectedAccessMode === "cloudfront_default_domain" ? `${prefix}-${stage}-edge` : undefined,
       protectedAccessUrl,
+      cloudfrontOrigin: protectedAccessMode === "cloudfront_default_domain" ? {
+        protocolPolicy: cloudfrontOriginProtocolPolicy,
+        domainName: cloudfrontOriginProtocolPolicy === "https-only" ? cloudfrontOriginDomainName : "<alb-dns-name>",
+        requiresMatchingCertificate: cloudfrontOriginProtocolPolicy === "https-only",
+        liveTrafficApproved: false,
+        risk: cloudfrontOriginProtocolPolicy === "http-only" ? "Temporary HTTP-origin bridge: web scale-up requires allow_cloudfront_http_origin_live_traffic=true for bounded smokes, or switch to https-only with cloudfront_origin_domain_name plus certificate_arn." : "CloudFront HTTPS-origin mode requires the origin hostname to resolve to the ALB and match certificate_arn."
+      } : undefined,
       originVerification: protectedAccessMode === "cloudfront_default_domain" ? {
         mode: "cloudfront_origin_header",
         requiredBeforeScaleUp: true,
@@ -4735,6 +4746,7 @@ function buildAwsDeploymentPlan(options = {}) {
       repository: ecrRepository,
       uri: image,
       dockerfile: "Dockerfile.package",
+      expectedIntegrity: runtimePackageIntegrity,
       buildCommand: `BLOCKED: after infra approval, AWS CodeBuild builds Dockerfile.package from @hasna/uptime@${runtimePackageVersion} into ${imageRepositoryUri}`,
       pushCommands: [
         `BLOCKED: start ${prefix}-${stage}-image-builder only through the approved deploy pipeline after @hasna/uptime@${runtimePackageVersion} is published`,
@@ -4761,16 +4773,16 @@ function buildAwsDeploymentPlan(options = {}) {
         `Infra PR must declare CodeBuild image builder ${prefix}-${stage}-image-builder for @hasna/uptime@${runtimePackageVersion}.`,
         `Infra PR must declare hardened S3 evidence bucket ${evidenceBucket} with KMS, versioning, lifecycle, and public access block.`,
         `Infra PR must declare encrypted EFS ${prefix}-${stage}-data with access point, mount targets, and AWS Backup plan.`,
-        protectedAccessMode === "cloudfront_default_domain" ? "Infra PR must declare CloudFront default-domain HTTPS edge, ALB HTTP listener restricted to CloudFront origin-facing ranges, CloudFront-only origin verification header binding, ECS/Fargate cluster, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs." : `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB HTTPS listener, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
+        protectedAccessMode === "cloudfront_default_domain" ? "Infra PR must declare CloudFront default-domain HTTPS edge, ALB origin listener restricted to CloudFront origin-facing ranges, CloudFront-only origin verification header binding, ECS/Fargate cluster, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs. Token-bearing live traffic must use cloudfront_origin_protocol_policy=https-only with a matching origin hostname/certificate, or carry explicit allow_cloudfront_http_origin_live_traffic=true bounded-smoke risk acceptance." : `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB HTTPS listener, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
         "Only apply the infra plan from the approved infrastructure repository after review evidence is attached."
       ],
       deploy: [
         "Build and publish the image only after the Dockerfile/container target is reviewed.",
-        `Start the AWS image builder for @hasna/uptime@${runtimePackageVersion} and record the pushed image digest.`,
+        runtimePackageIntegrity ? `Start the AWS image builder for @hasna/uptime@${runtimePackageVersion}; it must verify npm dist.integrity ${runtimePackageIntegrity} before extracting the package, then record the pushed image digest.` : `Start the AWS image builder for @hasna/uptime@${runtimePackageVersion}; set runtime_package_integrity from npm dist.integrity before live use, then record the pushed image digest.`,
         "For the EFS SQLite bridge, do not run migration, scheduler, public-probe, or reporter tasks; keep them at desired count 0 until Postgres and cloud leases exist.",
         `Register task definitions for ${services.map((service) => service.name).join(", ")} using valueFrom secrets.`,
         `Update ECS services in cluster ${cluster} one component at a time through the approved deploy pipeline.`,
-        protectedAccessMode === "cloudfront_default_domain" ? "Use the CloudFront default HTTPS domain with origin verification header binding for first protected access; add custom DNS/certificate only after edge ownership is approved." : `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
+        protectedAccessMode === "cloudfront_default_domain" ? "Use the CloudFront default HTTPS domain with origin verification header binding for first protected access; before token-bearing live traffic, switch the origin to https-only with a matching origin hostname/certificate or set allow_cloudfront_http_origin_live_traffic=true only for a bounded approved smoke." : `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
       ],
       rollback: [
         "Keep previous task definition ARNs before each service update.",
@@ -4787,6 +4799,8 @@ function buildAwsDeploymentPlan(options = {}) {
     blockers: [
       "The infrastructure owner repository was not found in this workspace.",
       protectedAccessMode === "cloudfront_default_domain" ? "CloudFront origin verification header binding must be enabled and direct-origin denial must be proven before web desired count is raised above 0." : "ALB HTTPS ingress policy and auth-denial smokes must be proven before web desired count is raised above 0.",
+      ...protectedAccessMode === "cloudfront_default_domain" && cloudfrontOriginProtocolPolicy === "http-only" ? ["CloudFront-to-ALB origin transport is still http-only; web scale-up now requires explicit allow_cloudfront_http_origin_live_traffic=true risk acceptance, and token-bearing live traffic should use https-only origin mode."] : [],
+      ...protectedAccessMode === "cloudfront_default_domain" && cloudfrontOriginProtocolPolicy === "https-only" && cloudfrontOriginDomainName === "<alb-dns-name>" ? ["CloudFront https-only origin mode needs cloudfront_origin_domain_name that resolves to the ALB and matches certificate_arn."] : [],
       "The EFS SQLite bridge is single-writer only: web target desired count is 1 and scheduler/public-probe/reporter targets remain 0 until Postgres and cloud leases exist.",
       "Hosted production auth/RBAC must replace broad static hosted-token operation before exposure.",
       "Public probe execution still needs cloud check-job leases wired to runHostedHttpCheck and live policy-decision log evidence.",
@@ -4795,8 +4809,9 @@ function buildAwsDeploymentPlan(options = {}) {
     requiredEvidence: [
       "Infrastructure PR/synth/plan from the approved infra repository.",
       "CodeBuild image-builder run, container smoke, and immutable image digest.",
+      "Published package dist.integrity pinned in the private infra root or an explicit not-live exception.",
       "ECS task definitions using secrets.valueFrom only.",
-      "CloudFront-default-domain origin-header config or ALB TLS auth-denial smokes, direct-origin denial evidence, and web alarm checks.",
+      "CloudFront-default-domain origin-header config, origin transport decision, direct-origin denial evidence, auth-denial smokes, and web alarm checks.",
       "Single-writer ECS evidence: one web task maximum and no scheduler/public-probe/reporter EFS mounts.",
       "EFS encryption, access point, mount-target, AWS Backup, and restore-drill evidence.",
       "S3 bucket KMS, versioning, lifecycle, and public-access-block evidence.",
@@ -4809,11 +4824,13 @@ function buildAwsDeploymentPlan(options = {}) {
       notes: [
         "This plan generator does not call AWS.",
         "Blocked plan output intentionally avoids copy-pastable AWS mutation commands.",
-        "Default protected access uses CloudFront's HTTPS default domain so first deploy is not blocked on custom DNS or ACM.",
+        "Default protected access uses CloudFront's HTTPS default domain so first zero-count deploy is not blocked on custom DNS or ACM.",
         "CloudFront default-domain mode still requires origin verification header binding before live scale-up; the header value is sensitive state/config material, not public documentation.",
+        "CloudFront HTTPS-origin mode requires a dedicated origin DNS hostname and matching ACM certificate; do not assume the ALB DNS name can satisfy TLS verification.",
         "Hosted runtime uses explicit EFS-backed SQLite at HASNA_UPTIME_HOSTED_SQLITE_DB until the async Postgres adapter exists.",
         "Do not set HASNA_UPTIME_DATABASE_URL for hosted tasks until the Postgres adapter is implemented.",
         "Secrets are represented as secret names/refs and must be injected with valueFrom.",
+        "Set runtime_package_integrity in the approved infra root after publish so the AWS image builder verifies the npm tarball before ECR build.",
         "Actual deploy belongs in the deploy_release_operate_final goal node after infra review."
       ]
     }
@@ -4919,6 +4936,72 @@ function shellEscape(value) {
     return value;
   return `'${value.replace(/'/g, "'\\''")}'`;
 }
+
+// src/workers.ts
+var DEFAULT_INTERVAL_MS = 30000;
+async function runHostedPublicChecksWorker(options) {
+  const intervalMs = normalizePositiveInteger(options.intervalMs ?? DEFAULT_INTERVAL_MS, "intervalMs");
+  const maxRuntimeMs = options.maxRuntimeMs === undefined ? undefined : normalizePositiveInteger(options.maxRuntimeMs, "maxRuntimeMs");
+  const maxIterations = options.maxIterations === undefined ? undefined : normalizePositiveInteger(options.maxIterations, "maxIterations");
+  const clock = options.now ?? (() => new Date);
+  const sleep = options.sleep ?? abortableSleep;
+  const startedAtDate = clock();
+  const startedAt = startedAtDate.toISOString();
+  const deadline = maxRuntimeMs === undefined ? undefined : startedAtDate.getTime() + maxRuntimeMs;
+  let iterations = 0;
+  let checked = 0;
+  while (!options.signal?.aborted) {
+    if (maxIterations !== undefined && iterations >= maxIterations)
+      break;
+    const now = clock();
+    if (deadline !== undefined && now.getTime() >= deadline)
+      break;
+    const iteration = iterations + 1;
+    const iterationStartedAt = now.toISOString();
+    const results = await options.runner.runDueHostedPublicChecks(now, { workspaceId: options.workspaceId });
+    const finishedAt = clock().toISOString();
+    iterations = iteration;
+    checked += results.length;
+    options.onIteration?.({
+      iteration,
+      checked: results.length,
+      startedAt: iterationStartedAt,
+      finishedAt
+    });
+    if (maxIterations !== undefined && iterations >= maxIterations)
+      break;
+    if (deadline !== undefined && clock().getTime() >= deadline)
+      break;
+    await sleep(intervalMs, options.signal);
+  }
+  return {
+    kind: "open-uptime.hosted-public-checks-worker",
+    status: options.signal?.aborted ? "stopped" : "completed",
+    workspaceId: options.workspaceId?.trim() || null,
+    iterations,
+    checked,
+    startedAt,
+    finishedAt: clock().toISOString()
+  };
+}
+function normalizePositiveInteger(value, name) {
+  if (!Number.isInteger(value) || value <= 0)
+    throw new Error(`${name} must be a positive integer`);
+  return value;
+}
+function abortableSleep(ms, signal) {
+  if (signal?.aborted)
+    return Promise.resolve();
+  return new Promise((resolve) => {
+    const timer = setTimeout(done, ms);
+    function done() {
+      signal?.removeEventListener("abort", done);
+      clearTimeout(timer);
+      resolve();
+    }
+    signal?.addEventListener("abort", done, { once: true });
+  });
+}
 export {
   verifyProbeResultSignature,
   uptimeHostedFallbackDbPath,
@@ -4931,6 +5014,7 @@ export {
   runMonitorCheck,
   runHttpCheck,
   runHostedTcpCheck,
+  runHostedPublicChecksWorker,
   runHostedHttpCheck,
   runBrowserPageCheck,
   rollbackImport,

package/dist/workers.d.ts

@@ -0,0 +1,34 @@
+import type { CheckResult } from "./types.js";
+export interface HostedPublicCheckRunner {
+    runDueHostedPublicChecks(now?: Date, options?: {
+        workspaceId?: string;
+    }): Promise<CheckResult[]>;
+}
+export interface HostedPublicChecksWorkerOptions {
+    runner: HostedPublicCheckRunner;
+    workspaceId?: string;
+    intervalMs?: number;
+    maxRuntimeMs?: number;
+    maxIterations?: number;
+    signal?: AbortSignal;
+    now?: () => Date;
+    sleep?: (ms: number, signal?: AbortSignal) => Promise<void>;
+    onIteration?: (iteration: HostedPublicChecksWorkerIteration) => void;
+}
+export interface HostedPublicChecksWorkerIteration {
+    iteration: number;
+    checked: number;
+    startedAt: string;
+    finishedAt: string;
+}
+export interface HostedPublicChecksWorkerSummary {
+    kind: "open-uptime.hosted-public-checks-worker";
+    status: "completed" | "stopped";
+    workspaceId: string | null;
+    iterations: number;
+    checked: number;
+    startedAt: string;
+    finishedAt: string;
+}
+export declare function runHostedPublicChecksWorker(options: HostedPublicChecksWorkerOptions): Promise<HostedPublicChecksWorkerSummary>;
+//# sourceMappingURL=workers.d.ts.map

package/dist/workers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"workers.d.ts","sourceRoot":"","sources":["../src/workers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAE9C,MAAM,WAAW,uBAAuB;IACtC,wBAAwB,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,EAAE;QAAE,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;CAClG;AAED,MAAM,WAAW,+BAA+B;IAC9C,MAAM,EAAE,uBAAuB,CAAC;IAChC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,MAAM,CAAC,EAAE,WAAW,CAAC;IACrB,GAAG,CAAC,EAAE,MAAM,IAAI,CAAC;IACjB,KAAK,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,WAAW,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5D,WAAW,CAAC,EAAE,CAAC,SAAS,EAAE,iCAAiC,KAAK,IAAI,CAAC;CACtE;AAED,MAAM,WAAW,iCAAiC;IAChD,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,+BAA+B;IAC9C,IAAI,EAAE,yCAAyC,CAAC;IAChD,MAAM,EAAE,WAAW,GAAG,SAAS,CAAC;IAChC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB;AAID,wBAAsB,2BAA2B,CAAC,OAAO,EAAE,+BAA+B,GAAG,OAAO,CAAC,+BAA+B,CAAC,CA4CpI"}

package/dist/workers.js

@@ -0,0 +1,69 @@
+// @bun
+// src/workers.ts
+var DEFAULT_INTERVAL_MS = 30000;
+async function runHostedPublicChecksWorker(options) {
+  const intervalMs = normalizePositiveInteger(options.intervalMs ?? DEFAULT_INTERVAL_MS, "intervalMs");
+  const maxRuntimeMs = options.maxRuntimeMs === undefined ? undefined : normalizePositiveInteger(options.maxRuntimeMs, "maxRuntimeMs");
+  const maxIterations = options.maxIterations === undefined ? undefined : normalizePositiveInteger(options.maxIterations, "maxIterations");
+  const clock = options.now ?? (() => new Date);
+  const sleep = options.sleep ?? abortableSleep;
+  const startedAtDate = clock();
+  const startedAt = startedAtDate.toISOString();
+  const deadline = maxRuntimeMs === undefined ? undefined : startedAtDate.getTime() + maxRuntimeMs;
+  let iterations = 0;
+  let checked = 0;
+  while (!options.signal?.aborted) {
+    if (maxIterations !== undefined && iterations >= maxIterations)
+      break;
+    const now = clock();
+    if (deadline !== undefined && now.getTime() >= deadline)
+      break;
+    const iteration = iterations + 1;
+    const iterationStartedAt = now.toISOString();
+    const results = await options.runner.runDueHostedPublicChecks(now, { workspaceId: options.workspaceId });
+    const finishedAt = clock().toISOString();
+    iterations = iteration;
+    checked += results.length;
+    options.onIteration?.({
+      iteration,
+      checked: results.length,
+      startedAt: iterationStartedAt,
+      finishedAt
+    });
+    if (maxIterations !== undefined && iterations >= maxIterations)
+      break;
+    if (deadline !== undefined && clock().getTime() >= deadline)
+      break;
+    await sleep(intervalMs, options.signal);
+  }
+  return {
+    kind: "open-uptime.hosted-public-checks-worker",
+    status: options.signal?.aborted ? "stopped" : "completed",
+    workspaceId: options.workspaceId?.trim() || null,
+    iterations,
+    checked,
+    startedAt,
+    finishedAt: clock().toISOString()
+  };
+}
+function normalizePositiveInteger(value, name) {
+  if (!Number.isInteger(value) || value <= 0)
+    throw new Error(`${name} must be a positive integer`);
+  return value;
+}
+function abortableSleep(ms, signal) {
+  if (signal?.aborted)
+    return Promise.resolve();
+  return new Promise((resolve) => {
+    const timer = setTimeout(done, ms);
+    function done() {
+      signal?.removeEventListener("abort", done);
+      clearTimeout(timer);
+      resolve();
+    }
+    signal?.addEventListener("abort", done, { once: true });
+  });
+}
+export {
+  runHostedPublicChecksWorker
+};

package/docs/aws-deployment-runbook.md

@@ -60,9 +60,14 @@ start a private probe until the JSON output says `canStart: true`.
 
 4. Confirm the target VPC, private subnets, KMS key, and EFS/Backup plan inputs
    still match the plan.
-5. Confirm the protected access mode. The first deploy can use the CloudFront
-   default HTTPS domain without custom DNS or ACM. Custom hostname deploys still
-   require Route53/edge ownership and an ACM certificate.
+5. Confirm the protected access mode. The first zero-count deploy can use the
+   CloudFront default HTTPS domain without custom DNS or ACM. Before
+   token-bearing live traffic, either set
+   `cloudfront_origin_protocol_policy = "https-only"` with a dedicated
+   `cloudfront_origin_domain_name` that resolves to the ALB and a matching ACM
+   `certificate_arn`, or record an explicit risk acceptance for the temporary
+   HTTP-origin bridge. Custom hostname deploys still require Route53/edge
+   ownership and an ACM certificate.
 6. Confirm the deployment role uses short-lived credentials or OIDC, not copied
    access keys.
 7. Create a private evidence directory outside the public repository. Store
@@ -77,9 +82,12 @@ The plan expects:
 - ECS/Fargate cluster with separate services for web, scheduler, public probe,
   reporter, and one-off migrations. In the current EFS SQLite bridge, only web
   may be enabled and it must run at desired count `0` or `1`.
-- CloudFront default-domain HTTPS edge plus ALB HTTP origin restricted to
-  CloudFront origin-facing ranges, or an ALB HTTPS listener with ACM certificate
-  when custom DNS is approved.
+- CloudFront default-domain HTTPS edge plus an ALB origin restricted to
+  CloudFront origin-facing ranges. The default zero-count bridge uses HTTP to
+  the origin; token-bearing live traffic should use the module's HTTPS-origin
+  mode with `cloudfront_origin_domain_name` plus `certificate_arn`, or a
+  documented risk acceptance. Direct ALB HTTPS mode also requires custom DNS and
+  an ACM certificate.
 - Encrypted EFS file system, access point, mount targets, and AWS Backup plan
   for `HASNA_UPTIME_HOSTED_SQLITE_DB=/data/uptime/uptime.db`.
 - S3 bucket for redacted browser evidence and generated report artifacts.
@@ -151,6 +159,12 @@ aws codebuild start-build \
   --project-name "$IMAGE_BUILDER_PROJECT"
 ```
 
+The private infra root should set `runtime_package_integrity` to the published
+npm `dist.integrity` value for the exact `runtime_package_version`. The image
+builder verifies that value before extracting the package. If the value is not
+set, record why the tarball is not integrity-pinned and keep the service
+not-live.
+
 Update the approved infra root so `container_image` is the immutable ECR digest,
 then re-plan with all services still at `0`.
 
@@ -179,8 +193,13 @@ Before setting `desired_counts.web = 1`, verify:
 - the image is an immutable digest, not a mutable tag or placeholder;
 - required secrets have `AWSCURRENT` versions;
 - `HASNA_UPTIME_ALLOWED_ORIGINS` matches the public HTTPS edge origin;
+- CloudFront-to-origin transport is either `https-only` with an origin hostname
+  whose certificate matches that hostname, or the HTTP-origin bridge has a
+  named risk owner and approval recorded in private evidence by setting
+  `allow_cloudfront_http_origin_live_traffic = true`;
 - CloudFront origin access is distribution-bound with the CloudFront-only origin
-  verification header, not just narrowed to CloudFront origin-facing ranges;
+  verification header by setting `enable_cloudfront_origin_verify_header = true`,
+  not just narrowed to CloudFront origin-facing ranges;
 - web egress to ECR, Secrets Manager or SSM, CloudWatch Logs, S3, EFS, and any
   required endpoints has been proven from a real ECS task. Terraform endpoint
   ids, route tables, and security-group rules are creation evidence only; the
@@ -405,9 +424,10 @@ routes are backed by cloud check jobs and cloud audit rows.
   hosted public-check runner, records target-policy decision evidence, and
   passes AWS smokes for denied DNS answers, redirect-to-denied targets, and
   address pinning. The SDK and `uptime cloud public-checks run-due` path now
-  handle execution-time DNS and redirect enforcement for bounded smokes, but a
-  sustained public-probe worker loop is not active until it is wired to cloud
-  leases.
+  handle execution-time DNS and redirect enforcement for bounded smokes. The
+  `uptime cloud public-checks worker` command is an EFS SQLite bridge loop for
+  controlled smoke testing only; it is not the final cloud
+  `check_jobs`/lease/fencing protocol.
 - Do not enable scheduler, public-probe, reporter, or migration workers against
   the EFS SQLite bridge; those services need Postgres/cloud leases first.
 - Do not expose dashboard/API routes without hosted auth and workspace checks.
@@ -419,6 +439,10 @@ routes are backed by cloud check jobs and cloud audit rows.
   the public repo and shared logs. Terraform redacts the sensitive input in CLI
   output, but the value is still stored in encrypted Terraform state, saved plan
   files, and AWS CloudFront/ALB configuration; restrict access accordingly.
+- Do not treat `cloudfront_origin_protocol_policy = "http-only"` as final for
+  token-bearing traffic. The module supports `https-only`, but that mode needs a
+  real origin DNS name and matching ACM certificate because CloudFront verifies
+  the custom-origin TLS certificate against the origin host.
 - Do not treat local SQLite, local project DBs, or private-probe local state as cloud
   authority after cutover.
 - Do configure owner/project/environment/service/cost-center tags, AWS Budgets

package/docs/aws-runtime-security.md

@@ -110,10 +110,12 @@ Target shape inside the approved VPC:
 
 Security groups:
 
-- `open-uptime-alb-sg`: in `cloudfront_default_domain` mode, inbound `80` only
-  from AWS's CloudFront origin-facing managed prefix list; in `alb_https_cert`
-  mode, inbound `443` only from the approved edge/source CIDR policy. Outbound
-  is only to the web target group.
+- `open-uptime-alb-sg`: in `cloudfront_default_domain` mode, inbound origin
+  traffic is limited to AWS's CloudFront origin-facing managed prefix list on
+  `80` for the temporary HTTP bridge or `443` when
+  `cloudfront_origin_protocol_policy = "https-only"`; in `alb_https_cert` mode,
+  inbound `443` is limited to the approved edge/source CIDR policy. Outbound is
+  only to the web target group.
 - `open-uptime-web-sg`: inbound only from ALB, outbound to RDS, S3 endpoint,
   Secrets Manager, Logs, and internal service endpoints.
 - `open-uptime-scheduler-sg`: no inbound, outbound to RDS, Logs, Secrets
@@ -136,10 +138,15 @@ infra PR.
 
 Public web exposure requires defense in depth:
 
-- first deployment may terminate viewer TLS at CloudFront's default HTTPS
-  domain, restrict ALB HTTP origin ingress to CloudFront origin-facing ranges,
+- first zero-count deployment may terminate viewer TLS at CloudFront's default
+  HTTPS domain, restrict ALB origin ingress to CloudFront origin-facing ranges,
   and require the module's CloudFront-only origin verification header at the ALB
   listener;
+- token-bearing live traffic should use CloudFront HTTPS-origin mode by setting
+  `cloudfront_origin_protocol_policy = "https-only"`, a dedicated
+  `cloudfront_origin_domain_name` that resolves to the ALB, and a matching ACM
+  `certificate_arn`. CloudFront validates the custom-origin certificate against
+  the origin hostname, so the ALB DNS name is not enough for this mode;
 - CloudFront prefix-list ingress is not distribution-bound by itself. In
   `cloudfront_default_domain` mode, set
   `enable_cloudfront_origin_verify_header = true` and provide a high-entropy
@@ -154,7 +161,7 @@ Public web exposure requires defense in depth:
   identity layer;
 - hosted web tasks must set `HASNA_UPTIME_ALLOWED_ORIGINS` to the public HTTPS
   edge origin so browser mutation checks do not compare CloudFront HTTPS origins
-  against the private HTTP ALB origin hop;
+  against the ALB origin hostname;
 - Open Uptime still enforces app-level auth and workspace RBAC on every route
   except `/health`;
 - `/health` returns only service liveness/readiness and no monitor data;
@@ -379,7 +386,9 @@ Minimum implementation path:
 
 1. review the repo-owned `Dockerfile` and package-image `Dockerfile.package`;
 2. add the ECR repository and CodeBuild package image builder;
-3. build the published npm package into ECR and record the immutable digest;
+3. build the published npm package into ECR, verify the expected npm
+   `dist.integrity` when `runtime_package_integrity` is set, install production
+   dependencies with the published `bun.lock`, and record the immutable digest;
 4. run typecheck, tests, package checks, and container smoke locally/CI;
 5. for the EFS bridge, keep the desired count at one web task maximum and zero
    scheduler/public-probe/reporter/migration tasks;
@@ -425,6 +434,11 @@ PR must include a rough monthly estimate for:
 Evidence retention and browser trace capture are the primary variable costs.
 Default retention must be short until usage is measured.
 
+ECS services must enable AWS-managed tags and `propagate_tags = "SERVICE"` so
+service-launched tasks retain cost allocation tags. One-off smoke tasks run
+outside ECS service propagation and must pass equivalent tags explicitly in the
+operator command/evidence.
+
 The AWS Terraform starter exposes optional AWS Budgets alerts through
 `monthly_budget_limit_usd` and `budget_alert_email_addresses`; the approved
 infra root must set real human/on-call notification targets and prove
@@ -438,8 +452,12 @@ required before browser evidence or public probe scale-out.
   evidence bucket, encrypted logs, Backup, EFS, and service secret containers.
   It is not live: services remain at desired count `0`, secrets have
   `AWSCURRENT` values, scoped hosted-token descriptors can be used for operator
-  smokes, and no ACM cert or Route53 record exists for a later custom-hostname
-  path. Full production identity/RBAC is still not implemented.
+  smokes, and the HTTPS-origin/custom-hostname path still needs an approved ACM
+  cert, DNS record, plan/apply, and edge smoke. Terraform blocks
+  `desired_counts.web > 0` in CloudFront mode unless origin verification is
+  enabled and either HTTPS-origin mode is configured or
+  `allow_cloudfront_http_origin_live_traffic = true` records explicit bounded
+  smoke risk acceptance. Full production identity/RBAC is still not implemented.
 - Open Uptime is still SQLite-only for this bridge; only one protected web task
   may write EFS until Postgres and cloud leases exist.
 - Hosted API/dashboard auth, workspace RBAC, target policy, and Postgres leases
@@ -463,8 +481,12 @@ required before browser evidence or public probe scale-out.
   EFS SQLite bridge is explicitly temporary and not the target source of truth.
 - ECS task definitions use secret refs, not plaintext secret values.
 - ECS task definitions include explicit container health checks: web checks
-  `/health`, while disabled non-web roles use a hosted-environment sanity check
-  until their long-running worker commands are implemented.
+  `/health`, while disabled non-web roles run
+  `uptime cloud workers preflight --role <role> --healthcheck` and fail their
+  environment health check if hosted mode, component identity, or workspace env
+  is invalid. Their main commands call fail-closed
+  `uptime cloud workers run --role <role>` entrypoints until the real cloud data
+  paths are implemented.
 - Public probes cannot reach denied target classes; private monitors require
   private probes and approved inventory refs.
 - Backups, restore drill, rollback sequence, alarms, and cost estimate are

package/docs/cloud-source-of-truth.md

@@ -430,9 +430,10 @@ ECS/API/RDS/S3/probe lag/job backlog/delivery failures, and rollback commands.
   dashboard shell still fails closed; production-grade identity/RBAC is not
   implemented yet.
 - Outbound target policy for hosted HTTP/TCP checks exists in the SDK and the
-  `uptime cloud public-checks run-due` operator path. The cloud public-probe
-  worker loop, durable check-job lease path, and sustained ECS liveness are not
-  wired yet.
+  `uptime cloud public-checks run-due` operator path. A bounded
+  `uptime cloud public-checks worker` EFS SQLite bridge loop exists for
+  controlled smokes, but the cloud public-probe `check_jobs` lease/fencing path
+  and sustained ECS worker readiness are not wired yet.
 - `@hasna/cloud` hybrid mode still returns SQLite, so it is not cloud-primary.
 - The local cloud config currently points at a stale/non-resolving database host.
 - Todos has unresolved conflicts that must be reconciled before cloud cutover.
@@ -454,7 +455,10 @@ ECS/API/RDS/S3/probe lag/job backlog/delivery failures, and rollback commands.
   representative SQLite EFS backup/restore drill with integrity/count checks.
   It is not live: live scale-up is still blocked by edge/auth smokes, approved
   human/on-call SNS subscriptions and delivery smoke, and production auth
-  hardening beyond scoped static operator tokens.
+  hardening beyond scoped static operator tokens. Terraform now prevents
+  accidental `web > 0` promotion in CloudFront mode unless origin verification
+  is enabled and either HTTPS-origin mode or explicit HTTP-origin risk
+  acceptance is configured.
 - Projects per-project cloud stores do not exist yet; current local
   `project.db` stores are not enough for cloud-backed canvases or JSON Render.
 - Browser/page monitoring lacks the artifact, redaction, retention, and storage

package/docs/deployment-metadata.example.json

@@ -1,7 +1,7 @@
 {
   "service": "open-uptime",
   "package": "@hasna/uptime",
-  "intendedVersion": "0.1.24",
+  "intendedVersion": "0.1.26",
   "accountProfile": "<aws-profile>",
   "accountId": "<aws-account-id>",
   "region": "us-east-1",
@@ -18,7 +18,9 @@
     "mode": "cloudfront_default_domain",
     "url": "https://<cloudfront-domain>",
     "allowedOriginsEnv": "HASNA_UPTIME_ALLOWED_ORIGINS=https://<cloudfront-domain>",
-    "originPolicy": "ALB HTTP ingress restricted to CloudFront origin-facing ranges plus CloudFront-only origin verification header before scale-up",
+    "originPolicy": "ALB origin ingress restricted to CloudFront origin-facing ranges plus CloudFront-only origin verification header before scale-up; HTTPS-origin mode requires cloudfront_origin_domain_name plus matching certificate_arn",
+    "originProtocolPolicy": "http-only-or-https-only",
+    "originDomainName": "<alb-dns-name-or-approved-origin-hostname>",
     "originVerifyHeaderRequiredBeforeScaleUp": true,
     "originVerifyHeaderEnabled": "<true-after-private-root-apply>",
     "originVerifyHeaderName": "<private-header-name>",

package/infra/aws/README.md

@@ -31,31 +31,43 @@ adapter and cloud leases are implemented. Do not set
 
 The included CodeBuild project builds `@hasna/uptime` from npm with
 `Dockerfile.package` and pushes the resulting image to ECR. This avoids
-depending on a local Docker daemon for image publication.
+depending on a local Docker daemon for image publication. Set
+`runtime_package_integrity` in the private root after publish to make CodeBuild
+verify the npm tarball `dist.integrity` before extracting it. The package image
+also installs production dependencies from the published `bun.lock` with
+`--frozen-lockfile`.
 
 The default protected access mode is `cloudfront_default_domain`: CloudFront
-serves HTTPS on its default domain while the ALB origin accepts HTTP only from
-AWS's CloudFront origin-facing managed prefix list. Use `alb_https_cert` only
-after custom DNS and an ACM certificate are approved.
+serves HTTPS on its default domain while the ALB origin is limited to AWS's
+CloudFront origin-facing managed prefix list. The default origin protocol is the
+temporary `http-only` bridge. Before token-bearing live traffic, prefer setting
+`cloudfront_origin_protocol_policy = "https-only"` with a dedicated
+`cloudfront_origin_domain_name` that resolves to the ALB and a matching ACM
+`certificate_arn`. Use `alb_https_cert` only when bypassing CloudFront after
+custom DNS and an ACM certificate are approved.
 The web task receives `HASNA_UPTIME_ALLOWED_ORIGINS` for the selected public
-HTTPS origin so hosted mutation CSRF checks still work through the private HTTP
-origin hop.
+HTTPS origin so hosted mutation CSRF checks still work through the selected
+edge/origin path.
 
 CloudFront prefix-list ingress is only a network narrowing control; it is not
 bound to one distribution. Before enabling the web task, set
 `enable_cloudfront_origin_verify_header = true` and provide a high-entropy
 `cloudfront_origin_verify_header_value` from a private operator workflow. The
 module then configures CloudFront to send that header, makes the ALB default
-action return `403`, and forwards only requests with the matching header.
+action return `403`, and forwards only requests with the matching header on the
+selected HTTP or HTTPS origin listener.
 Terraform marks the value sensitive, but it still lives in encrypted Terraform
 state and in CloudFront/ALB configuration; restrict state, saved plan,
 CloudFront distribution-read, and ELB listener-rule-read access accordingly.
 
 All module resources carry owner, project, environment, service, account, app
-type, and cost-center tags. Set `monthly_budget_limit_usd` plus
-`budget_alert_email_addresses` in the approved infra root to create AWS Budgets
-forecasted and actual spend alerts. Leaving the email list empty skips budget
-creation and is not sufficient for live scale-out approval.
+type, and cost-center tags. ECS services enable AWS-managed tags and propagate
+service tags to launched tasks. Any one-off `run-task` smoke must pass the same
+tag set explicitly because it is outside service propagation. Set
+`monthly_budget_limit_usd` plus `budget_alert_email_addresses` in the approved
+infra root to create AWS Budgets forecasted and actual spend alerts. Leaving the
+email list empty skips budget creation and is not sufficient for live scale-out
+approval.
 
 Private AWS API egress can be pinned through opt-in VPC endpoints by setting
 `enable_private_vpc_endpoints = true` and passing `private_route_table_ids`.
@@ -78,9 +90,12 @@ delivery, S3 access, and EFS mount behavior.
 
 Every ECS task definition includes an explicit container health check. The web
 task checks `GET /health` through Bun's built-in `fetch`; disabled non-web roles
-currently run a hosted-environment sanity check so scheduler, public-probe,
-reporter, and migration tasks do not start from empty ECS health semantics when
-their long-running workers are later enabled.
+run `uptime cloud workers preflight --role <role> --healthcheck`, which verifies
+hosted mode, component identity, and workspace env before reporting blocked
+cloud prerequisites. Their main container commands call fail-closed
+`uptime cloud workers run --role <role>` entrypoints so scheduler,
+public-probe, reporter, and migration tasks no longer use `cloud plan` as a
+placeholder.
 
 Interface endpoint private DNS is VPC-wide. In shared VPCs, either keep endpoint
 creation in the approved networking root, or pass
@@ -92,9 +107,18 @@ Store instead of Secrets Manager, add `ssm` to
 ## Current Blockers
 
 - Hosted production auth/RBAC still needs scoped, revocable credentials.
+- The default `http-only` CloudFront origin bridge must be replaced with the
+  explicit HTTPS-origin mode or consciously accepted with documented risk before
+  token-bearing live traffic. The module blocks `desired_counts.web > 0` in
+  CloudFront mode unless origin verification is enabled, and it also requires
+  either `cloudfront_origin_protocol_policy = "https-only"` or explicit
+  `allow_cloudfront_http_origin_live_traffic = true` risk acceptance for bounded
+  smokes.
 - Public probe runtime has SDK-level hosted HTTP target-policy enforcement, but
-  the public-probe worker and cloud check-job lease path are still disabled until
-  they are wired to that runner and validated in AWS.
+  the public-probe cloud check-job lease path is still disabled until it is
+  wired to that runner and validated in AWS. The
+  `uptime cloud public-checks worker` command is an EFS SQLite bridge smoke loop,
+  not the final cloud worker protocol.
 - Hosted private-probe enrollment/heartbeat/revocation is still
   fail-closed.