@hasna/uptime 0.1.24 → 0.1.26

package/infra/aws/main.tf

@@ -17,16 +17,21 @@ data "aws_caller_identity" "current" {}
 data "aws_partition" "current" {}
 
 locals {
-  prefix                = "${var.service_name}-${var.stage}"
-  container_port        = 3899
-  evidence_bucket       = "hasna-${var.stage}-${var.service_name}-evidence"
-  efs_uid               = 10001
-  efs_gid               = 10001
-  hosted_sqlite_db_path = "/data/uptime/uptime.db"
-  efs_enabled_services  = toset(["web"])
-  use_alb_https         = var.protected_access_mode == "alb_https_cert"
-  use_cloudfront        = var.protected_access_mode == "cloudfront_default_domain"
-  use_origin_verify     = local.use_cloudfront && var.enable_cloudfront_origin_verify_header
+  prefix                             = "${var.service_name}-${var.stage}"
+  container_port                     = 3899
+  evidence_bucket                    = "hasna-${var.stage}-${var.service_name}-evidence"
+  efs_uid                            = 10001
+  efs_gid                            = 10001
+  hosted_sqlite_db_path              = "/data/uptime/uptime.db"
+  efs_enabled_services               = toset(["web"])
+  expected_runtime_package_integrity = coalesce(var.runtime_package_integrity, "")
+  use_alb_https                      = var.protected_access_mode == "alb_https_cert"
+  use_cloudfront                     = var.protected_access_mode == "cloudfront_default_domain"
+  cloudfront_https_origin = (
+    local.use_cloudfront && var.cloudfront_origin_protocol_policy == "https-only"
+  )
+  alb_https_listener_enabled = local.use_alb_https || local.cloudfront_https_origin
+  use_origin_verify          = local.use_cloudfront && var.enable_cloudfront_origin_verify_header
   services = {
     web = {
       desired_count = lookup(var.desired_counts, "web", 0)
@@ -35,22 +40,22 @@ locals {
     }
     scheduler = {
       desired_count = lookup(var.desired_counts, "scheduler", 0)
-      command       = ["bun", "dist/cli/index.js", "cloud", "plan"]
+      command       = ["bun", "dist/cli/index.js", "cloud", "workers", "run", "--role", "scheduler"]
       secrets       = { APP_ENV = var.app_env_secret_arn }
     }
     "public-probe" = {
       desired_count = lookup(var.desired_counts, "public-probe", 0)
-      command       = ["bun", "dist/cli/index.js", "cloud", "plan"]
+      command       = ["bun", "dist/cli/index.js", "cloud", "workers", "run", "--role", "public-probe"]
       secrets       = { PROBE_CONFIG = var.public_probe_secret_arn }
     }
     reporter = {
       desired_count = lookup(var.desired_counts, "reporter", 0)
-      command       = ["bun", "dist/cli/index.js", "cloud", "plan"]
+      command       = ["bun", "dist/cli/index.js", "cloud", "workers", "run", "--role", "reporter"]
       secrets       = { REPORTING_CONFIG = var.reporting_secret_arn }
     }
     migration = {
       desired_count = lookup(var.desired_counts, "migration", 0)
-      command       = ["bun", "dist/cli/index.js", "cloud", "plan"]
+      command       = ["bun", "dist/cli/index.js", "cloud", "workers", "run", "--role", "migration"]
       secrets       = { APP_ENV = var.app_env_secret_arn }
     }
   }
@@ -89,28 +94,28 @@ locals {
       startPeriod = 30
     }
     scheduler = {
-      command     = ["CMD-SHELL", "bun -e \"process.exit(process.env.HASNA_UPTIME_MODE === 'hosted' && process.env.HASNA_UPTIME_COMPONENT === 'scheduler' ? 0 : 1)\""]
+      command     = ["CMD-SHELL", "bun dist/cli/index.js cloud workers preflight --role scheduler --healthcheck --json >/tmp/open-uptime-worker-preflight.json"]
       interval    = 30
       timeout     = 5
       retries     = 3
       startPeriod = 30
     }
     "public-probe" = {
-      command     = ["CMD-SHELL", "bun -e \"process.exit(process.env.HASNA_UPTIME_MODE === 'hosted' && process.env.HASNA_UPTIME_COMPONENT === 'public-probe' ? 0 : 1)\""]
+      command     = ["CMD-SHELL", "bun dist/cli/index.js cloud workers preflight --role public-probe --healthcheck --json >/tmp/open-uptime-worker-preflight.json"]
       interval    = 30
       timeout     = 5
       retries     = 3
       startPeriod = 30
     }
     reporter = {
-      command     = ["CMD-SHELL", "bun -e \"process.exit(process.env.HASNA_UPTIME_MODE === 'hosted' && process.env.HASNA_UPTIME_COMPONENT === 'reporter' ? 0 : 1)\""]
+      command     = ["CMD-SHELL", "bun dist/cli/index.js cloud workers preflight --role reporter --healthcheck --json >/tmp/open-uptime-worker-preflight.json"]
       interval    = 30
       timeout     = 5
       retries     = 3
       startPeriod = 30
     }
     migration = {
-      command     = ["CMD-SHELL", "bun -e \"process.exit(process.env.HASNA_UPTIME_MODE === 'hosted' && process.env.HASNA_UPTIME_COMPONENT === 'migration' ? 0 : 1)\""]
+      command     = ["CMD-SHELL", "bun dist/cli/index.js cloud workers preflight --role migration --healthcheck --json >/tmp/open-uptime-worker-preflight.json"]
       interval    = 30
       timeout     = 5
       retries     = 3
@@ -236,9 +241,18 @@ resource "aws_codebuild_project" "image_builder" {
             - aws ecr get-login-password --region ${var.region} | docker login --username AWS --password-stdin ${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com
         build:
           commands:
-            - npm pack @hasna/uptime@${var.runtime_package_version}
+            - EXPECTED_RUNTIME_PACKAGE_INTEGRITY='${local.expected_runtime_package_integrity}'
+            - PACKAGE_TARBALL=$(npm pack @hasna/uptime@${var.runtime_package_version} --silent)
+            - PACKAGE_INTEGRITY=$(npm view @hasna/uptime@${var.runtime_package_version} dist.integrity --json | tr -d '"')
+            - test -n "$PACKAGE_INTEGRITY"
+            - |
+              if [ -n "$EXPECTED_RUNTIME_PACKAGE_INTEGRITY" ] && [ "$PACKAGE_INTEGRITY" != "$EXPECTED_RUNTIME_PACKAGE_INTEGRITY" ]; then
+                echo "runtime package integrity mismatch" >&2
+                exit 1
+              fi
+            - printf 'runtime package integrity %s\n' "$PACKAGE_INTEGRITY"
             - mkdir package
-            - tar -xzf hasna-uptime-*.tgz -C package --strip-components=1
+            - tar -xzf "$PACKAGE_TARBALL" -C package --strip-components=1
             - cd package
             - docker build -f Dockerfile.package -t ${aws_ecr_repository.open_uptime.repository_url}:${var.runtime_package_version} .
             - docker push ${aws_ecr_repository.open_uptime.repository_url}:${var.runtime_package_version}
@@ -366,8 +380,19 @@ resource "aws_security_group_rule" "alb_https_ingress" {
   cidr_blocks       = var.alb_ingress_cidr_blocks
 }
 
+resource "aws_security_group_rule" "alb_https_from_cloudfront" {
+  count             = local.cloudfront_https_origin ? 1 : 0
+  type              = "ingress"
+  description       = "HTTPS from CloudFront origin-facing ranges"
+  security_group_id = aws_security_group.alb.id
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  prefix_list_ids   = [data.aws_ec2_managed_prefix_list.cloudfront_origin_facing[0].id]
+}
+
 resource "aws_security_group_rule" "alb_http_from_cloudfront" {
-  count             = local.use_cloudfront ? 1 : 0
+  count             = local.use_cloudfront && !local.cloudfront_https_origin ? 1 : 0
   type              = "ingress"
   description       = "HTTP from CloudFront origin-facing ranges"
   security_group_id = aws_security_group.alb.id
@@ -881,21 +906,37 @@ resource "aws_lb_target_group" "web" {
 }
 
 resource "aws_lb_listener" "https" {
-  count             = local.use_alb_https ? 1 : 0
+  count             = local.alb_https_listener_enabled ? 1 : 0
   load_balancer_arn = aws_lb.open_uptime.arn
   port              = 443
   protocol          = "HTTPS"
   certificate_arn   = var.certificate_arn
   tags              = local.tags
 
-  default_action {
-    type             = "forward"
-    target_group_arn = aws_lb_target_group.web.arn
+  dynamic "default_action" {
+    for_each = local.cloudfront_https_origin && local.use_origin_verify ? [] : [1]
+    content {
+      type             = "forward"
+      target_group_arn = aws_lb_target_group.web.arn
+    }
+  }
+
+  dynamic "default_action" {
+    for_each = local.cloudfront_https_origin && local.use_origin_verify ? [1] : []
+    content {
+      type = "fixed-response"
+
+      fixed_response {
+        content_type = "text/plain"
+        message_body = "forbidden"
+        status_code  = "403"
+      }
+    }
   }
 }
 
 resource "aws_lb_listener" "http_cloudfront" {
-  count             = local.use_cloudfront ? 1 : 0
+  count             = local.use_cloudfront && !local.cloudfront_https_origin ? 1 : 0
   load_balancer_arn = aws_lb.open_uptime.arn
   port              = 80
   protocol          = "HTTP"
@@ -924,7 +965,7 @@ resource "aws_lb_listener" "http_cloudfront" {
 }
 
 resource "aws_lb_listener_rule" "http_cloudfront_origin_verify" {
-  count        = local.use_origin_verify ? 1 : 0
+  count        = local.use_origin_verify && !local.cloudfront_https_origin ? 1 : 0
   listener_arn = aws_lb_listener.http_cloudfront[0].arn
   priority     = var.cloudfront_origin_verify_listener_rule_priority
   tags         = local.tags
@@ -942,6 +983,25 @@ resource "aws_lb_listener_rule" "http_cloudfront_origin_verify" {
   }
 }
 
+resource "aws_lb_listener_rule" "https_cloudfront_origin_verify" {
+  count        = local.use_origin_verify && local.cloudfront_https_origin ? 1 : 0
+  listener_arn = aws_lb_listener.https[0].arn
+  priority     = var.cloudfront_origin_verify_listener_rule_priority
+  tags         = local.tags
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.web.arn
+  }
+
+  condition {
+    http_header {
+      http_header_name = var.cloudfront_origin_verify_header_name
+      values           = [var.cloudfront_origin_verify_header_value]
+    }
+  }
+}
+
 resource "aws_cloudfront_distribution" "open_uptime" {
   count           = local.use_cloudfront ? 1 : 0
   enabled         = true
@@ -951,7 +1011,7 @@ resource "aws_cloudfront_distribution" "open_uptime" {
   tags            = local.tags
 
   origin {
-    domain_name = aws_lb.open_uptime.dns_name
+    domain_name = local.cloudfront_https_origin ? var.cloudfront_origin_domain_name : aws_lb.open_uptime.dns_name
     origin_id   = "${local.prefix}-alb"
 
     dynamic "custom_header" {
@@ -965,7 +1025,7 @@ resource "aws_cloudfront_distribution" "open_uptime" {
     custom_origin_config {
       http_port              = 80
       https_port             = 443
-      origin_protocol_policy = "http-only"
+      origin_protocol_policy = var.cloudfront_origin_protocol_policy
       origin_ssl_protocols   = ["TLSv1.2"]
     }
   }
@@ -1000,7 +1060,12 @@ resource "aws_cloudfront_distribution" "open_uptime" {
     cloudfront_default_certificate = true
   }
 
-  depends_on = [aws_lb_listener.http_cloudfront, aws_lb_listener_rule.http_cloudfront_origin_verify]
+  depends_on = [
+    aws_lb_listener.http_cloudfront,
+    aws_lb_listener.https,
+    aws_lb_listener_rule.http_cloudfront_origin_verify,
+    aws_lb_listener_rule.https_cloudfront_origin_verify,
+  ]
 }
 
 resource "aws_route53_record" "open_uptime" {
@@ -1016,6 +1081,19 @@ resource "aws_route53_record" "open_uptime" {
   }
 }
 
+resource "aws_route53_record" "cloudfront_origin" {
+  count   = local.cloudfront_https_origin && var.hosted_zone_id != null ? 1 : 0
+  zone_id = var.hosted_zone_id
+  name    = var.cloudfront_origin_domain_name
+  type    = "A"
+
+  alias {
+    name                   = aws_lb.open_uptime.dns_name
+    zone_id                = aws_lb.open_uptime.zone_id
+    evaluate_target_health = true
+  }
+}
+
 data "aws_iam_policy_document" "ecs_assume_role" {
   statement {
     actions = ["sts:AssumeRole"]
@@ -1194,12 +1272,14 @@ resource "aws_ecs_task_definition" "service" {
 }
 
 resource "aws_ecs_service" "web" {
-  name            = "${local.prefix}-web"
-  cluster         = aws_ecs_cluster.open_uptime.id
-  task_definition = aws_ecs_task_definition.service["web"].arn
-  desired_count   = local.services.web.desired_count
-  launch_type     = "FARGATE"
-  tags            = local.tags
+  name                    = "${local.prefix}-web"
+  cluster                 = aws_ecs_cluster.open_uptime.id
+  task_definition         = aws_ecs_task_definition.service["web"].arn
+  desired_count           = local.services.web.desired_count
+  launch_type             = "FARGATE"
+  enable_ecs_managed_tags = true
+  propagate_tags          = "SERVICE"
+  tags                    = local.tags
 
   deployment_circuit_breaker {
     enable   = true
@@ -1226,12 +1306,14 @@ resource "aws_ecs_service" "worker" {
     for key, value in local.services : key => value if key != "web" && key != "migration"
   }
 
-  name            = "${local.prefix}-${each.key}"
-  cluster         = aws_ecs_cluster.open_uptime.id
-  task_definition = aws_ecs_task_definition.service[each.key].arn
-  desired_count   = each.value.desired_count
-  launch_type     = "FARGATE"
-  tags            = local.tags
+  name                    = "${local.prefix}-${each.key}"
+  cluster                 = aws_ecs_cluster.open_uptime.id
+  task_definition         = aws_ecs_task_definition.service[each.key].arn
+  desired_count           = each.value.desired_count
+  launch_type             = "FARGATE"
+  enable_ecs_managed_tags = true
+  propagate_tags          = "SERVICE"
+  tags                    = local.tags
 
   deployment_circuit_breaker {
     enable   = true

package/infra/aws/outputs.tf

@@ -18,6 +18,14 @@ output "cloudfront_domain_name" {
   value = try(aws_cloudfront_distribution.open_uptime[0].domain_name, null)
 }
 
+output "cloudfront_origin_protocol_policy" {
+  value = local.use_cloudfront ? var.cloudfront_origin_protocol_policy : null
+}
+
+output "cloudfront_origin_domain_name" {
+  value = local.use_cloudfront ? (local.cloudfront_https_origin ? var.cloudfront_origin_domain_name : aws_lb.open_uptime.dns_name) : null
+}
+
 output "protected_access_url" {
   value = var.protected_access_mode == "cloudfront_default_domain" ? "https://${aws_cloudfront_distribution.open_uptime[0].domain_name}" : "https://${var.hostname}"
 }

package/infra/aws/terraform.tfvars.example

@@ -11,6 +11,9 @@ workspace_id             = "workspace-id"
 vpc_id                   = "vpc-xxxxxxxx"
 ecr_repository_name      = "open-uptime"
 protected_access_mode    = "cloudfront_default_domain"
+cloudfront_origin_protocol_policy = "http-only"
+allow_cloudfront_http_origin_live_traffic = false
+cloudfront_origin_domain_name     = null
 enable_cloudfront_origin_verify_header = false
 cloudfront_origin_verify_header_name   = "X-Open-Uptime-Origin-Verify"
 cloudfront_origin_verify_header_value  = null
@@ -19,7 +22,8 @@ alb_ingress_cidr_blocks = []
 private_subnet_ids       = ["subnet-replace-private-a", "subnet-replace-private-b"]
 private_route_table_ids  = ["rtb-replace-private"]
 container_image          = "123456789012.dkr.ecr.us-east-1.amazonaws.com/open-uptime@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-runtime_package_version  = "0.1.24"
+runtime_package_version   = "0.1.26"
+runtime_package_integrity = null
 certificate_arn          = null
 hosted_zone_id           = null
 app_env_secret_arn       = "arn:aws:secretsmanager:us-east-1:123456789012:secret:open-uptime/prod/app/env"

package/infra/aws/variables.tf

@@ -77,7 +77,7 @@ variable "ecr_repository_name" {
 }
 
 variable "protected_access_mode" {
-  description = "Protected web access mode. cloudfront_default_domain uses the CloudFront HTTPS default domain and restricts ALB HTTP to CloudFront origin-facing ranges. alb_https_cert uses an ALB HTTPS listener with certificate_arn."
+  description = "Protected web access mode. cloudfront_default_domain uses the CloudFront HTTPS default domain and restricts the ALB origin to CloudFront origin-facing ranges. alb_https_cert uses an ALB HTTPS listener with certificate_arn."
   type        = string
   default     = "cloudfront_default_domain"
 
@@ -87,6 +87,46 @@ variable "protected_access_mode" {
   }
 }
 
+variable "cloudfront_origin_protocol_policy" {
+  description = "CloudFront-to-ALB origin protocol policy. Keep http-only until an origin hostname and matching ACM certificate are approved; set https-only with cloudfront_origin_domain_name and certificate_arn before token-bearing live traffic."
+  type        = string
+  default     = "http-only"
+
+  validation {
+    condition     = contains(["http-only", "https-only"], var.cloudfront_origin_protocol_policy)
+    error_message = "cloudfront_origin_protocol_policy must be http-only or https-only."
+  }
+}
+
+variable "allow_cloudfront_http_origin_live_traffic" {
+  description = "Explicit risk acceptance for setting web desired count above 0 while CloudFront-to-ALB origin transport is http-only. Keep false unless a named operator accepts the temporary HTTP-origin bridge risk for a bounded smoke."
+  type        = bool
+  default     = false
+}
+
+variable "cloudfront_origin_domain_name" {
+  description = "DNS hostname CloudFront uses for the ALB custom origin when cloudfront_origin_protocol_policy is https-only. The hostname must resolve to the ALB and match certificate_arn. Leave null for the default HTTP-origin bridge."
+  type        = string
+  default     = null
+  nullable    = true
+
+  validation {
+    condition = (
+      var.cloudfront_origin_domain_name == null
+      || can(regex("^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)+$", var.cloudfront_origin_domain_name))
+    )
+    error_message = "cloudfront_origin_domain_name must be null or a valid DNS hostname."
+  }
+
+  validation {
+    condition = (
+      !(var.protected_access_mode == "cloudfront_default_domain" && var.cloudfront_origin_protocol_policy == "https-only")
+      || var.cloudfront_origin_domain_name != null
+    )
+    error_message = "cloudfront_origin_domain_name is required when CloudFront HTTPS origin is enabled."
+  }
+}
+
 variable "enable_cloudfront_origin_verify_header" {
   description = "When true in cloudfront_default_domain mode, CloudFront sends a private origin header and the ALB listener rejects requests missing the matching value."
   type        = bool
@@ -201,7 +241,7 @@ variable "container_image" {
 variable "runtime_package_version" {
   description = "Published @hasna/uptime package version that CodeBuild should build into the ECR image."
   type        = string
-  default     = "0.1.24"
+  default     = "0.1.26"
 
   validation {
     condition     = can(regex("^[0-9]+\\.[0-9]+\\.[0-9]+(-[0-9A-Za-z.-]+)?$", var.runtime_package_version))
@@ -209,8 +249,20 @@ variable "runtime_package_version" {
   }
 }
 
+variable "runtime_package_integrity" {
+  description = "Optional expected npm dist.integrity value for @hasna/uptime@runtime_package_version. When set, CodeBuild verifies the registry tarball integrity before building the image."
+  type        = string
+  default     = null
+  nullable    = true
+
+  validation {
+    condition     = var.runtime_package_integrity == null || can(regex("^sha512-[A-Za-z0-9+/=]+$", var.runtime_package_integrity))
+    error_message = "runtime_package_integrity must be null or an npm sha512 integrity string."
+  }
+}
+
 variable "certificate_arn" {
-  description = "ACM certificate ARN for ALB HTTPS mode. Leave null when protected_access_mode is cloudfront_default_domain."
+  description = "ACM certificate ARN for ALB HTTPS mode or CloudFront HTTPS-origin mode. Leave null only when the ALB is not serving HTTPS."
   type        = string
   default     = null
 
@@ -220,8 +272,11 @@ variable "certificate_arn" {
   }
 
   validation {
-    condition     = var.protected_access_mode != "alb_https_cert" || var.certificate_arn != null
-    error_message = "certificate_arn is required when protected_access_mode is alb_https_cert."
+    condition = (
+      !(var.protected_access_mode == "alb_https_cert" || (var.protected_access_mode == "cloudfront_default_domain" && var.cloudfront_origin_protocol_policy == "https-only"))
+      || var.certificate_arn != null
+    )
+    error_message = "certificate_arn is required when protected_access_mode is alb_https_cert or CloudFront HTTPS origin is enabled."
   }
 }
 
@@ -298,6 +353,25 @@ variable "desired_counts" {
     ])
     error_message = "EFS SQLite bridge requires web desired count 0 or 1 and scheduler/public-probe/reporter/migration desired counts 0."
   }
+
+  validation {
+    condition = (
+      lookup(var.desired_counts, "web", 0) == 0
+      || var.protected_access_mode != "cloudfront_default_domain"
+      || var.enable_cloudfront_origin_verify_header
+    )
+    error_message = "web desired count above 0 in cloudfront_default_domain mode requires enable_cloudfront_origin_verify_header=true."
+  }
+
+  validation {
+    condition = (
+      lookup(var.desired_counts, "web", 0) == 0
+      || var.protected_access_mode != "cloudfront_default_domain"
+      || var.cloudfront_origin_protocol_policy == "https-only"
+      || var.allow_cloudfront_http_origin_live_traffic
+    )
+    error_message = "web desired count above 0 requires CloudFront HTTPS-origin mode, or explicit allow_cloudfront_http_origin_live_traffic=true risk acceptance for a bounded smoke."
+  }
 }
 
 variable "alarm_actions" {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hasna/uptime",
-  "version": "0.1.24",
+  "version": "0.1.26",
   "description": "Local-first uptime and downtime monitoring service with CLI, MCP, SDK, SQLite persistence, and a dashboard.",
   "license": "Apache-2.0",
   "type": "module",
@@ -26,6 +26,7 @@
     "Dockerfile",
     "Dockerfile.package",
     ".dockerignore",
+    "bun.lock",
     "infra/aws/README.md",
     "infra/aws/.terraform.lock.hcl",
     "infra/aws/*.tf",
@@ -68,10 +69,14 @@
     "./cloud-plan": {
       "types": "./dist/cloud-plan.d.ts",
       "import": "./dist/cloud-plan.js"
+    },
+    "./workers": {
+      "types": "./dist/workers.d.ts",
+      "import": "./dist/workers.js"
     }
   },
   "scripts": {
-    "build": "rm -rf dist && bun build src/cli/index.ts --outdir dist/cli --target bun --external @modelcontextprotocol/sdk && bun build src/mcp/index.ts --outdir dist/mcp --target bun --external @modelcontextprotocol/sdk && bun build src/index.ts src/api.ts src/service.ts src/store.ts src/checks.ts src/imports.ts src/report.ts src/probes.ts src/cloud-plan.ts src/types.ts src/paths.ts src/dashboard.ts src/version.ts --root src --outdir dist --target bun && tsc -p tsconfig.build.json --emitDeclarationOnly --outDir dist && chmod +x dist/cli/index.js dist/mcp/index.js",
+    "build": "rm -rf dist && bun build src/cli/index.ts --outdir dist/cli --target bun --external @modelcontextprotocol/sdk && bun build src/mcp/index.ts --outdir dist/mcp --target bun --external @modelcontextprotocol/sdk && bun build src/index.ts src/api.ts src/service.ts src/store.ts src/checks.ts src/imports.ts src/report.ts src/probes.ts src/cloud-plan.ts src/workers.ts src/types.ts src/paths.ts src/dashboard.ts src/version.ts --root src --outdir dist --target bun && tsc -p tsconfig.build.json --emitDeclarationOnly --outDir dist && chmod +x dist/cli/index.js dist/mcp/index.js",
     "typecheck": "tsc --noEmit",
     "test": "bun test ./tests",
     "dev:cli": "bun run src/cli/index.ts",