@hasna/uptime 0.1.25 → 0.1.26

package/CHANGELOG.md

@@ -6,6 +6,24 @@ project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [0.1.26] - 2026-06-29
+
+### Added
+
+- Added explicit hosted worker preflight and fail-closed run entrypoints for
+  scheduler, public-probe, reporter, and migration roles.
+- Added a bounded `uptime cloud public-checks worker` loop around the existing
+  hosted public-check smoke primitive for EFS SQLite bridge testing.
+
+### Changed
+
+- Updated AWS non-web task definitions to use explicit fail-closed worker
+  commands and environment-aware preflight health checks instead of the
+  placeholder `cloud plan` command.
+- Hardened Terraform scale-up validation so `web > 0` in CloudFront mode
+  requires origin verification and either HTTPS-origin mode or explicit
+  `allow_cloudfront_http_origin_live_traffic` risk acceptance.
+
 ## [0.1.25] - 2026-06-29
 
 ### Added

package/README.md

@@ -32,6 +32,8 @@ uptime report-schedules run-due
 uptime report-schedules runs
 uptime audit
 uptime cloud plan --json
+uptime cloud workers preflight --role public-probe --json
+uptime cloud public-checks worker --workspace-id ws_internal --max-iterations 1 --hosted-sqlite-db /data/uptime/uptime.db
 uptime cloud private-probe-config --probe-id prb_private_01 --machine-id private-probe-01 --json
 uptime cloud private-probe-config --probe-id prb_private_01 --machine-id private-probe-01 --env --allow-blocked-env
 uptime incidents
@@ -63,6 +65,12 @@ acceptance. Hosted AWS runtime state currently uses explicit EFS-backed SQLite v
 `HASNA_UPTIME_HOSTED_SQLITE_DB=/data/uptime/uptime.db` for one protected web
 task maximum; do not set `HASNA_UPTIME_DATABASE_URL` until the async Postgres
 adapter is implemented.
+`uptime cloud workers preflight --role <role>` reports why hosted scheduler,
+public-probe, reporter, and migration roles remain blocked. Their `run`
+entrypoints fail closed until Postgres, check jobs, channel refs, and migration
+plans exist. `uptime cloud public-checks worker` is only a bounded EFS SQLite
+bridge loop around hosted HTTP/TCP smoke checks; it is not the final cloud
+`check_jobs`/lease/fencing protocol.
 `Dockerfile.package` is used by the Terraform CodeBuild image builder to build
 the published npm package into ECR from inside AWS.
 
@@ -224,7 +232,7 @@ check jobs, workspace stores, and audit logging are implemented. Local job reads
 redact fencing tokens; the claim response is the only API response that returns
 the active fencing token.
 
-Hosted `/api/v1/report-schedules*`, `/api/v1/report-runs`, and
+Hosted `POST /api/v1/report`, `/api/v1/report-schedules*`, `/api/v1/report-runs`, and
 `/api/v1/audit-events` also fail closed until cloud channel refs, workspace
 stores, and cloud audit logging are implemented.
 

package/dist/cli/index.js

@@ -7230,7 +7230,7 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.25");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.26");
   const runtimePackageIntegrity = options.runtimePackageIntegrity?.trim() || undefined;
   const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
   const cloudfrontOriginProtocolPolicy = options.cloudfrontOriginProtocolPolicy ?? DEFAULT_CLOUDFRONT_ORIGIN_PROTOCOL_POLICY;
@@ -7306,7 +7306,7 @@ function buildAwsDeploymentPlan(options = {}) {
         domainName: cloudfrontOriginProtocolPolicy === "https-only" ? cloudfrontOriginDomainName : "<alb-dns-name>",
         requiresMatchingCertificate: cloudfrontOriginProtocolPolicy === "https-only",
         liveTrafficApproved: false,
-        risk: cloudfrontOriginProtocolPolicy === "http-only" ? "Temporary HTTP-origin bridge: do not use for token-bearing live traffic without explicit risk acceptance, or switch to https-only with cloudfront_origin_domain_name plus certificate_arn." : "CloudFront HTTPS-origin mode requires the origin hostname to resolve to the ALB and match certificate_arn."
+        risk: cloudfrontOriginProtocolPolicy === "http-only" ? "Temporary HTTP-origin bridge: web scale-up requires allow_cloudfront_http_origin_live_traffic=true for bounded smokes, or switch to https-only with cloudfront_origin_domain_name plus certificate_arn." : "CloudFront HTTPS-origin mode requires the origin hostname to resolve to the ALB and match certificate_arn."
       } : undefined,
       originVerification: protectedAccessMode === "cloudfront_default_domain" ? {
         mode: "cloudfront_origin_header",
@@ -7367,7 +7367,7 @@ function buildAwsDeploymentPlan(options = {}) {
         `Infra PR must declare CodeBuild image builder ${prefix}-${stage}-image-builder for @hasna/uptime@${runtimePackageVersion}.`,
         `Infra PR must declare hardened S3 evidence bucket ${evidenceBucket} with KMS, versioning, lifecycle, and public access block.`,
         `Infra PR must declare encrypted EFS ${prefix}-${stage}-data with access point, mount targets, and AWS Backup plan.`,
-        protectedAccessMode === "cloudfront_default_domain" ? "Infra PR must declare CloudFront default-domain HTTPS edge, ALB origin listener restricted to CloudFront origin-facing ranges, CloudFront-only origin verification header binding, ECS/Fargate cluster, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs. Token-bearing live traffic must use cloudfront_origin_protocol_policy=https-only with a matching origin hostname/certificate, or carry explicit HTTP-origin risk acceptance." : `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB HTTPS listener, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
+        protectedAccessMode === "cloudfront_default_domain" ? "Infra PR must declare CloudFront default-domain HTTPS edge, ALB origin listener restricted to CloudFront origin-facing ranges, CloudFront-only origin verification header binding, ECS/Fargate cluster, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs. Token-bearing live traffic must use cloudfront_origin_protocol_policy=https-only with a matching origin hostname/certificate, or carry explicit allow_cloudfront_http_origin_live_traffic=true bounded-smoke risk acceptance." : `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB HTTPS listener, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
         "Only apply the infra plan from the approved infrastructure repository after review evidence is attached."
       ],
       deploy: [
@@ -7376,7 +7376,7 @@ function buildAwsDeploymentPlan(options = {}) {
         "For the EFS SQLite bridge, do not run migration, scheduler, public-probe, or reporter tasks; keep them at desired count 0 until Postgres and cloud leases exist.",
         `Register task definitions for ${services.map((service) => service.name).join(", ")} using valueFrom secrets.`,
         `Update ECS services in cluster ${cluster} one component at a time through the approved deploy pipeline.`,
-        protectedAccessMode === "cloudfront_default_domain" ? "Use the CloudFront default HTTPS domain with origin verification header binding for first protected access; before token-bearing live traffic, switch the origin to https-only with a matching origin hostname/certificate or record explicit HTTP-origin risk acceptance." : `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
+        protectedAccessMode === "cloudfront_default_domain" ? "Use the CloudFront default HTTPS domain with origin verification header binding for first protected access; before token-bearing live traffic, switch the origin to https-only with a matching origin hostname/certificate or set allow_cloudfront_http_origin_live_traffic=true only for a bounded approved smoke." : `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
       ],
       rollback: [
         "Keep previous task definition ARNs before each service update.",
@@ -7393,7 +7393,7 @@ function buildAwsDeploymentPlan(options = {}) {
     blockers: [
       "The infrastructure owner repository was not found in this workspace.",
       protectedAccessMode === "cloudfront_default_domain" ? "CloudFront origin verification header binding must be enabled and direct-origin denial must be proven before web desired count is raised above 0." : "ALB HTTPS ingress policy and auth-denial smokes must be proven before web desired count is raised above 0.",
-      ...protectedAccessMode === "cloudfront_default_domain" && cloudfrontOriginProtocolPolicy === "http-only" ? ["CloudFront-to-ALB origin transport is still http-only; token-bearing live traffic needs https-only origin mode or explicit risk acceptance."] : [],
+      ...protectedAccessMode === "cloudfront_default_domain" && cloudfrontOriginProtocolPolicy === "http-only" ? ["CloudFront-to-ALB origin transport is still http-only; web scale-up now requires explicit allow_cloudfront_http_origin_live_traffic=true risk acceptance, and token-bearing live traffic should use https-only origin mode."] : [],
       ...protectedAccessMode === "cloudfront_default_domain" && cloudfrontOriginProtocolPolicy === "https-only" && cloudfrontOriginDomainName === "<alb-dns-name>" ? ["CloudFront https-only origin mode needs cloudfront_origin_domain_name that resolves to the ALB and matches certificate_arn."] : [],
       "The EFS SQLite bridge is single-writer only: web target desired count is 1 and scheduler/public-probe/reporter targets remain 0 until Postgres and cloud leases exist.",
       "Hosted production auth/RBAC must replace broad static hosted-token operation before exposure.",
@@ -7531,6 +7531,72 @@ function shellEscape(value) {
   return `'${value.replace(/'/g, "'\\''")}'`;
 }
 
+// src/workers.ts
+var DEFAULT_INTERVAL_MS = 30000;
+async function runHostedPublicChecksWorker(options) {
+  const intervalMs = normalizePositiveInteger(options.intervalMs ?? DEFAULT_INTERVAL_MS, "intervalMs");
+  const maxRuntimeMs = options.maxRuntimeMs === undefined ? undefined : normalizePositiveInteger(options.maxRuntimeMs, "maxRuntimeMs");
+  const maxIterations = options.maxIterations === undefined ? undefined : normalizePositiveInteger(options.maxIterations, "maxIterations");
+  const clock = options.now ?? (() => new Date);
+  const sleep = options.sleep ?? abortableSleep;
+  const startedAtDate = clock();
+  const startedAt = startedAtDate.toISOString();
+  const deadline = maxRuntimeMs === undefined ? undefined : startedAtDate.getTime() + maxRuntimeMs;
+  let iterations = 0;
+  let checked = 0;
+  while (!options.signal?.aborted) {
+    if (maxIterations !== undefined && iterations >= maxIterations)
+      break;
+    const now = clock();
+    if (deadline !== undefined && now.getTime() >= deadline)
+      break;
+    const iteration = iterations + 1;
+    const iterationStartedAt = now.toISOString();
+    const results = await options.runner.runDueHostedPublicChecks(now, { workspaceId: options.workspaceId });
+    const finishedAt = clock().toISOString();
+    iterations = iteration;
+    checked += results.length;
+    options.onIteration?.({
+      iteration,
+      checked: results.length,
+      startedAt: iterationStartedAt,
+      finishedAt
+    });
+    if (maxIterations !== undefined && iterations >= maxIterations)
+      break;
+    if (deadline !== undefined && clock().getTime() >= deadline)
+      break;
+    await sleep(intervalMs, options.signal);
+  }
+  return {
+    kind: "open-uptime.hosted-public-checks-worker",
+    status: options.signal?.aborted ? "stopped" : "completed",
+    workspaceId: options.workspaceId?.trim() || null,
+    iterations,
+    checked,
+    startedAt,
+    finishedAt: clock().toISOString()
+  };
+}
+function normalizePositiveInteger(value, name) {
+  if (!Number.isInteger(value) || value <= 0)
+    throw new Error(`${name} must be a positive integer`);
+  return value;
+}
+function abortableSleep(ms, signal) {
+  if (signal?.aborted)
+    return Promise.resolve();
+  return new Promise((resolve) => {
+    const timer = setTimeout(done, ms);
+    function done() {
+      signal?.removeEventListener("abort", done);
+      clearTimeout(timer);
+      resolve();
+    }
+    signal?.addEventListener("abort", done, { once: true });
+  });
+}
+
 // src/cli/index.ts
 var program2 = new Command;
 program2.name("uptime").description("Local-first uptime and downtime monitoring").version(packageVersion()).option("-j, --json", "print JSON");
@@ -7891,6 +7957,32 @@ cloud.command("private-probe-config").description("Generate hosted-targeted priv
     fail(error);
   }
 });
+var cloudWorkers = cloud.command("workers").description("Inspect and run hosted worker entrypoints");
+cloudWorkers.command("preflight").description("Check one hosted worker entrypoint without starting work").requiredOption("--role <role>", "scheduler, public-probe, reporter, or migration").option("--healthcheck", "exit non-zero when hosted mode, component, or workspace env is invalid").option("-j, --json", "print JSON").action((opts) => {
+  try {
+    const preflight = buildHostedWorkerPreflight(parseWorkerRole(opts.role));
+    print(preflight, renderHostedWorkerPreflight(preflight), opts);
+    if (opts.healthcheck && !hostedWorkerEnvironmentOk(preflight))
+      process.exit(1);
+  } catch (error) {
+    fail(error);
+  }
+});
+cloudWorkers.command("run").description("Run one hosted worker entrypoint; fails closed until cloud prerequisites exist").requiredOption("--role <role>", "scheduler, public-probe, reporter, or migration").option("-j, --json", "print JSON").action((opts) => {
+  try {
+    const preflight = buildHostedWorkerPreflight(parseWorkerRole(opts.role));
+    const error = `hosted ${preflight.role} worker runtime is blocked until cloud prerequisites exist`;
+    if (wantsJson(opts)) {
+      console.log(JSON.stringify({ ok: false, error, preflight }, null, 2));
+    } else {
+      console.error(source_default.red(sanitizeTerminal(error)));
+      console.error(renderHostedWorkerPreflight(preflight));
+    }
+    process.exit(1);
+  } catch (error) {
+    fail(error);
+  }
+});
 var cloudPublicChecks = cloud.command("public-checks").description("Run hosted public HTTP/TCP checks against the configured hosted store");
 cloudPublicChecks.command("run-due").description("Run due hosted public HTTP/TCP checks for one workspace").option("--workspace-id <id>", "workspace id; defaults to HASNA_UPTIME_WORKSPACE_ID").option("--now <iso>", "due timestamp", new Date().toISOString()).option("--hosted-sqlite-db <path>", "hosted SQLite path on cloud-mounted storage").option("--allow-hosted-local-store", "allow hosted mode to use local SQLite as an explicit fallback").option("-j, --json", "print JSON").action(async (opts) => {
   try {
@@ -7907,6 +7999,37 @@ cloudPublicChecks.command("run-due").description("Run due hosted public HTTP/TCP
     fail(error);
   }
 });
+cloudPublicChecks.command("worker").description("Run a bounded EFS SQLite bridge loop around hosted public checks").option("--workspace-id <id>", "workspace id; defaults to HASNA_UPTIME_WORKSPACE_ID").option("--interval-ms <ms>", "sleep interval between iterations", parseInteger, 30000).option("--max-runtime-ms <ms>", "stop after this many milliseconds", parseInteger).option("--max-iterations <n>", "stop after this many iterations", parseInteger).option("--hosted-sqlite-db <path>", "hosted SQLite path on cloud-mounted storage").option("--allow-hosted-local-store", "allow hosted mode to use local SQLite as an explicit fallback").option("-j, --json", "print JSON").action(async (opts) => {
+  const abortController = new AbortController;
+  const onSignal = () => abortController.abort();
+  process.once("SIGINT", onSignal);
+  process.once("SIGTERM", onSignal);
+  try {
+    const svc = hostedService({
+      hostedSqliteDb: opts.hostedSqliteDb,
+      allowHostedLocalStore: opts.allowHostedLocalStore
+    });
+    const workspaceId = opts.workspaceId || process.env.HASNA_UPTIME_WORKSPACE_ID;
+    const summary = await runHostedPublicChecksWorker({
+      runner: svc,
+      workspaceId,
+      intervalMs: opts.intervalMs,
+      maxRuntimeMs: opts.maxRuntimeMs,
+      maxIterations: opts.maxIterations,
+      signal: abortController.signal,
+      onIteration: wantsJson(opts) ? undefined : (iteration) => {
+        console.log(`iteration ${iteration.iteration}: checked ${iteration.checked}`);
+      }
+    });
+    svc.close();
+    print(summary, renderHostedPublicChecksWorkerSummary(summary), opts);
+  } catch (error) {
+    fail(error);
+  } finally {
+    process.removeListener("SIGINT", onSignal);
+    process.removeListener("SIGTERM", onSignal);
+  }
+});
 program2.command("results").description("List recent check results").option("--monitor <id>", "filter by monitor id").option("--limit <n>", "max rows", parseInteger, 20).option("-j, --json", "print JSON").action((opts) => {
   try {
     const svc = service();
@@ -8299,6 +8422,101 @@ function renderPrivateProbeConfig(config) {
   ].join(`
 `);
 }
+function renderHostedPublicChecksWorkerSummary(summary) {
+  return [
+    "hosted public checks worker",
+    `status: ${summary.status}`,
+    `workspace: ${summary.workspaceId ?? "<unset>"}`,
+    `iterations: ${summary.iterations}`,
+    `checked: ${summary.checked}`,
+    `started: ${summary.startedAt}`,
+    `finished: ${summary.finishedAt}`
+  ].join(`
+`);
+}
+function parseWorkerRole(value) {
+  if (value === "scheduler" || value === "public-probe" || value === "reporter" || value === "migration")
+    return value;
+  throw new Error(`Unknown hosted worker role: ${value}`);
+}
+function buildHostedWorkerPreflight(role) {
+  const mode = process.env.HASNA_UPTIME_MODE?.trim() || "";
+  const component = process.env.HASNA_UPTIME_COMPONENT?.trim() || "";
+  const workspaceId = process.env.HASNA_UPTIME_WORKSPACE_ID?.trim() || "";
+  const checks = [
+    { name: "hosted-mode", ok: mode === "hosted", detail: mode || "<unset>" },
+    { name: "component", ok: !component || component === role, detail: component || "<unset>" },
+    { name: "workspace", ok: Boolean(workspaceId), detail: workspaceId || "<unset>" },
+    { name: "postgres-adapter", ok: false, detail: "not implemented" },
+    { name: "cloud-worker-leases", ok: false, detail: "not implemented" }
+  ];
+  if (role === "reporter") {
+    checks.push({ name: "cloud-channel-refs", ok: false, detail: "not implemented" });
+  }
+  if (role === "public-probe") {
+    checks.push({ name: "public-probe-job-claims", ok: false, detail: "not implemented" });
+  }
+  if (role === "migration") {
+    checks.push({ name: "cloud-migration-plan", ok: false, detail: "not implemented" });
+  }
+  const blockers = checks.filter((check) => !check.ok).map((check) => `${check.name}: ${check.detail}`);
+  return {
+    kind: "open-uptime.hosted-worker-preflight",
+    role,
+    status: "blocked",
+    canStart: false,
+    mode: mode || "<unset>",
+    component: component || "<unset>",
+    workspaceId: workspaceId || null,
+    blockers,
+    checks,
+    nextActions: hostedWorkerNextActions(role)
+  };
+}
+function hostedWorkerNextActions(role) {
+  const shared = [
+    "Keep the ECS service desired count at 0 until this preflight reports canStart=true.",
+    "Move authoritative hosted state from the EFS SQLite bridge to the cloud store with transactional leases."
+  ];
+  if (role === "scheduler") {
+    return [
+      ...shared,
+      "Implement deterministic check_jobs creation with a scheduler lease and duplicate-slot protection."
+    ];
+  }
+  if (role === "public-probe") {
+    return [
+      ...shared,
+      "Implement cloud job claiming, fencing tokens, target-policy decision logs, and result ingestion for public HTTP/TCP checks."
+    ];
+  }
+  if (role === "reporter") {
+    return [
+      ...shared,
+      "Implement workspace-authorized report channel refs, idempotent delivery keys, retry/backoff, and delivery alarms."
+    ];
+  }
+  return [
+    ...shared,
+    "Implement reviewed cloud schema migrations with dry-run counts, backup evidence, and rollback instructions."
+  ];
+}
+function renderHostedWorkerPreflight(preflight) {
+  return [
+    `${preflight.role} hosted worker preflight`,
+    `status: ${preflight.status}`,
+    `can start: ${preflight.canStart}`,
+    `mode: ${sanitizeField(preflight.mode)}`,
+    `component: ${sanitizeField(preflight.component)}`,
+    `workspace: ${sanitizeField(preflight.workspaceId ?? "<unset>")}`,
+    `blockers: ${preflight.blockers.length}`,
+    ...preflight.blockers.map((blocker) => `- ${sanitizeField(blocker)}`)
+  ].join(`
+`);
+}
+function hostedWorkerEnvironmentOk(preflight) {
+  return preflight.checks.filter((check) => check.name === "hosted-mode" || check.name === "component" || check.name === "workspace").every((check) => check.ok);
+}
 function renderDeliveries(deliveries) {
   if (deliveries.length === 0)
     return "No report deliveries requested";

package/dist/cloud-plan.js

@@ -22,7 +22,7 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.25");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.26");
   const runtimePackageIntegrity = options.runtimePackageIntegrity?.trim() || undefined;
   const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
   const cloudfrontOriginProtocolPolicy = options.cloudfrontOriginProtocolPolicy ?? DEFAULT_CLOUDFRONT_ORIGIN_PROTOCOL_POLICY;
@@ -98,7 +98,7 @@ function buildAwsDeploymentPlan(options = {}) {
         domainName: cloudfrontOriginProtocolPolicy === "https-only" ? cloudfrontOriginDomainName : "<alb-dns-name>",
         requiresMatchingCertificate: cloudfrontOriginProtocolPolicy === "https-only",
         liveTrafficApproved: false,
-        risk: cloudfrontOriginProtocolPolicy === "http-only" ? "Temporary HTTP-origin bridge: do not use for token-bearing live traffic without explicit risk acceptance, or switch to https-only with cloudfront_origin_domain_name plus certificate_arn." : "CloudFront HTTPS-origin mode requires the origin hostname to resolve to the ALB and match certificate_arn."
+        risk: cloudfrontOriginProtocolPolicy === "http-only" ? "Temporary HTTP-origin bridge: web scale-up requires allow_cloudfront_http_origin_live_traffic=true for bounded smokes, or switch to https-only with cloudfront_origin_domain_name plus certificate_arn." : "CloudFront HTTPS-origin mode requires the origin hostname to resolve to the ALB and match certificate_arn."
       } : undefined,
       originVerification: protectedAccessMode === "cloudfront_default_domain" ? {
         mode: "cloudfront_origin_header",
@@ -159,7 +159,7 @@ function buildAwsDeploymentPlan(options = {}) {
         `Infra PR must declare CodeBuild image builder ${prefix}-${stage}-image-builder for @hasna/uptime@${runtimePackageVersion}.`,
         `Infra PR must declare hardened S3 evidence bucket ${evidenceBucket} with KMS, versioning, lifecycle, and public access block.`,
         `Infra PR must declare encrypted EFS ${prefix}-${stage}-data with access point, mount targets, and AWS Backup plan.`,
-        protectedAccessMode === "cloudfront_default_domain" ? "Infra PR must declare CloudFront default-domain HTTPS edge, ALB origin listener restricted to CloudFront origin-facing ranges, CloudFront-only origin verification header binding, ECS/Fargate cluster, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs. Token-bearing live traffic must use cloudfront_origin_protocol_policy=https-only with a matching origin hostname/certificate, or carry explicit HTTP-origin risk acceptance." : `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB HTTPS listener, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
+        protectedAccessMode === "cloudfront_default_domain" ? "Infra PR must declare CloudFront default-domain HTTPS edge, ALB origin listener restricted to CloudFront origin-facing ranges, CloudFront-only origin verification header binding, ECS/Fargate cluster, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs. Token-bearing live traffic must use cloudfront_origin_protocol_policy=https-only with a matching origin hostname/certificate, or carry explicit allow_cloudfront_http_origin_live_traffic=true bounded-smoke risk acceptance." : `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB HTTPS listener, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
         "Only apply the infra plan from the approved infrastructure repository after review evidence is attached."
       ],
       deploy: [
@@ -168,7 +168,7 @@ function buildAwsDeploymentPlan(options = {}) {
         "For the EFS SQLite bridge, do not run migration, scheduler, public-probe, or reporter tasks; keep them at desired count 0 until Postgres and cloud leases exist.",
         `Register task definitions for ${services.map((service) => service.name).join(", ")} using valueFrom secrets.`,
         `Update ECS services in cluster ${cluster} one component at a time through the approved deploy pipeline.`,
-        protectedAccessMode === "cloudfront_default_domain" ? "Use the CloudFront default HTTPS domain with origin verification header binding for first protected access; before token-bearing live traffic, switch the origin to https-only with a matching origin hostname/certificate or record explicit HTTP-origin risk acceptance." : `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
+        protectedAccessMode === "cloudfront_default_domain" ? "Use the CloudFront default HTTPS domain with origin verification header binding for first protected access; before token-bearing live traffic, switch the origin to https-only with a matching origin hostname/certificate or set allow_cloudfront_http_origin_live_traffic=true only for a bounded approved smoke." : `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
       ],
       rollback: [
         "Keep previous task definition ARNs before each service update.",
@@ -185,7 +185,7 @@ function buildAwsDeploymentPlan(options = {}) {
     blockers: [
       "The infrastructure owner repository was not found in this workspace.",
       protectedAccessMode === "cloudfront_default_domain" ? "CloudFront origin verification header binding must be enabled and direct-origin denial must be proven before web desired count is raised above 0." : "ALB HTTPS ingress policy and auth-denial smokes must be proven before web desired count is raised above 0.",
-      ...protectedAccessMode === "cloudfront_default_domain" && cloudfrontOriginProtocolPolicy === "http-only" ? ["CloudFront-to-ALB origin transport is still http-only; token-bearing live traffic needs https-only origin mode or explicit risk acceptance."] : [],
+      ...protectedAccessMode === "cloudfront_default_domain" && cloudfrontOriginProtocolPolicy === "http-only" ? ["CloudFront-to-ALB origin transport is still http-only; web scale-up now requires explicit allow_cloudfront_http_origin_live_traffic=true risk acceptance, and token-bearing live traffic should use https-only origin mode."] : [],
       ...protectedAccessMode === "cloudfront_default_domain" && cloudfrontOriginProtocolPolicy === "https-only" && cloudfrontOriginDomainName === "<alb-dns-name>" ? ["CloudFront https-only origin mode needs cloudfront_origin_domain_name that resolves to the ALB and matches certificate_arn."] : [],
       "The EFS SQLite bridge is single-writer only: web target desired count is 1 and scheduler/public-probe/reporter targets remain 0 until Postgres and cloud leases exist.",
       "Hosted production auth/RBAC must replace broad static hosted-token operation before exposure.",

package/dist/index.d.ts

@@ -6,6 +6,7 @@ export { applyImport, previewImport, rollbackImport } from "./imports.js";
 export { buildUptimeReport, sendUptimeReport } from "./report.js";
 export { generateProbeKeyPair, probePublicKeyFingerprint, probeResultSigningPayload, signProbeResult, verifyProbeResultSignature } from "./probes.js";
 export { buildAwsDeploymentPlan, buildPrivateProbeCloudConfig, renderPrivateProbeEnv } from "./cloud-plan.js";
+export { runHostedPublicChecksWorker } from "./workers.js";
 export { uptimeHome, uptimeDbPath, uptimeHostedFallbackDbPath, ensureUptimeHome } from "./paths.js";
 export type { UptimeBackup, UptimeBackupCheck, UptimeRuntimeMode, UptimeStoreOptions, MonitorProvenance, SaveImportBatchInput, StoredImportBatch, UpsertMonitorProvenanceInput, } from "./store.js";
 export type { BrowserPageRunner, BrowserPageRunnerResult, FetchLike, HostedDnsResolver, HostedHttpCheckOptions, HostedHttpRequestContext, HostedHttpRequestLike, HostedHttpResponse, HostedTcpCheckOptions, MonitorCheckOptions, } from "./checks.js";
@@ -13,5 +14,6 @@ export type { ImportAction, ImportApplyItem, ImportApplyResult, ImportCandidate,
 export type { BrowserFailedRequest, BrowserPageEvidence, AuditEvent, CheckAttemptResult, CheckEvidence, CheckResult, CheckStatus, CreateMonitorKind, CreateMonitorInput, CreateReportScheduleInput, ImportedMonitorInput, ImportedUpdateMonitorInput, EvidenceArtifact, HttpTargetPolicyDecision, HttpTargetPolicyEvidence, Incident, IncidentStatus, ListAuditEventsOptions, ListReportRunsOptions, ListResultsOptions, Monitor, MonitorKind, MonitorStatus, MonitorSummary, ProbeCheckJob, ProbeCheckJobStatus, ProbeIdentity, ProbeResultSubmission, ProbeSubmissionReceipt, RecordAuditEventInput, ReportDeliveryChannel, ReportDeliveryRecord, ReportEmailChannelConfig, ReportLogsChannelConfig, ReportRun, ReportRunStatus, ReportSchedule, ReportScheduleChannels, ReportScheduleStatus, ReportSmsChannelConfig, SchedulerHandle, UpdateMonitorInput, UpdateReportScheduleInput, UptimeSummary, } from "./types.js";
 export type { ProbeKeyPair, ProbeSigningInput } from "./probes.js";
 export type { AwsDeploymentPlan, AwsDeploymentPlanOptions, AwsServicePlan, PrivateProbeCloudConfig, PrivateProbeCloudConfigOptions, } from "./cloud-plan.js";
+export type { HostedPublicCheckRunner, HostedPublicChecksWorkerIteration, HostedPublicChecksWorkerOptions, HostedPublicChecksWorkerSummary, } from "./workers.js";
 export type { BuildUptimeReportOptions, SendUptimeReportOptions, UptimeEmailReportTarget, UptimeLogsReportTarget, UptimeReport, UptimeReportDelivery, UptimeSmsReportTarget, } from "./report.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AACjE,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EACL,qBAAqB,EACrB,0BAA0B,EAC1B,iCAAiC,EACjC,mBAAmB,EACnB,kBAAkB,EAClB,iBAAiB,EACjB,eAAe,EACf,YAAY,EACZ,WAAW,GACZ,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC1E,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,oBAAoB,EAAE,yBAAyB,EAAE,yBAAyB,EAAE,eAAe,EAAE,0BAA0B,EAAE,MAAM,aAAa,CAAC;AACtJ,OAAO,EAAE,sBAAsB,EAAE,4BAA4B,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAC9G,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,0BAA0B,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AACpG,YAAY,EACV,YAAY,EACZ,iBAAiB,EACjB,iBAAiB,EACjB,kBAAkB,EAClB,iBAAiB,EACjB,oBAAoB,EACpB,iBAAiB,EACjB,4BAA4B,GAC7B,MAAM,YAAY,CAAC;AACpB,YAAY,EACV,iBAAiB,EACjB,uBAAuB,EACvB,SAAS,EACT,iBAAiB,EACjB,sBAAsB,EACtB,wBAAwB,EACxB,qBAAqB,EACrB,kBAAkB,EAClB,qBAAqB,EACrB,mBAAmB,GACpB,MAAM,aAAa,CAAC;AACrB,YAAY,EACV,YAAY,EACZ,eAAe,EACf,iBAAiB,EACjB,eAAe,EACf,aAAa,EACb,iBAAiB,EACjB,aAAa,EACb,kBAAkB,EAClB,oBAAoB,EACpB,YAAY,GACb,MAAM,cAAc,CAAC;AACtB,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,UAAU,EACV,kBAAkB,EAClB,aAAa,EACb,WAAW,EACX,WAAW,EACX,iBAAiB,EACjB,kBAAkB,EAClB,yBAAyB,EACzB,oBAAoB,EACpB,0BAA0B,EAC1B,gBAAgB,EAChB,wBAAwB,EACxB,wBAAwB,EACxB,QAAQ,EACR,cAAc,EACd,sBAAsB,EACtB,qBAAqB,EACrB,kBAAkB,EAClB,OAAO,EACP,WAAW,EACX,aAAa,EACb,cAAc,EACd,aAAa,EACb,mBAAmB,EACnB,aAAa,EACb,qBAAqB,EACrB,sBAAsB,EACtB,qBAAqB,EACrB,qBAAqB,EACrB,oBAAoB,EACpB,wBAAwB,EACxB,uBAAuB,EACvB,SAAS,EACT,eAAe,EACf,cAAc,EACd,sBAAsB,EACtB,oBAAoB,EACpB,sBAAsB,EACtB,eAAe,EACf,kBAAkB,EAClB,yBAAyB,EACzB,aAAa,GACd,MAAM,YAAY,CAAC;AACpB,YAAY,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AACnE,YAAY,EACV,iBAAiB,EACjB,wBAAwB,EACxB,cAAc,EACd,uBAAuB,EACvB,8BAA8B,GAC/B,MAAM,iBAAiB,CAAC;AACzB,YAAY,EACV,wBAAwB,EACxB,uBAAuB,EACvB,uBAAuB,EACvB,sBAAsB,EACtB,YAAY,EACZ,oBAAoB,EACpB,qBAAqB,GACtB,MAAM,aAAa,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AACjE,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EACL,qBAAqB,EACrB,0BAA0B,EAC1B,iCAAiC,EACjC,mBAAmB,EACnB,kBAAkB,EAClB,iBAAiB,EACjB,eAAe,EACf,YAAY,EACZ,WAAW,GACZ,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC1E,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,oBAAoB,EAAE,yBAAyB,EAAE,yBAAyB,EAAE,eAAe,EAAE,0BAA0B,EAAE,MAAM,aAAa,CAAC;AACtJ,OAAO,EAAE,sBAAsB,EAAE,4BAA4B,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAC9G,OAAO,EAAE,2BAA2B,EAAE,MAAM,cAAc,CAAC;AAC3D,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,0BAA0B,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AACpG,YAAY,EACV,YAAY,EACZ,iBAAiB,EACjB,iBAAiB,EACjB,kBAAkB,EAClB,iBAAiB,EACjB,oBAAoB,EACpB,iBAAiB,EACjB,4BAA4B,GAC7B,MAAM,YAAY,CAAC;AACpB,YAAY,EACV,iBAAiB,EACjB,uBAAuB,EACvB,SAAS,EACT,iBAAiB,EACjB,sBAAsB,EACtB,wBAAwB,EACxB,qBAAqB,EACrB,kBAAkB,EAClB,qBAAqB,EACrB,mBAAmB,GACpB,MAAM,aAAa,CAAC;AACrB,YAAY,EACV,YAAY,EACZ,eAAe,EACf,iBAAiB,EACjB,eAAe,EACf,aAAa,EACb,iBAAiB,EACjB,aAAa,EACb,kBAAkB,EAClB,oBAAoB,EACpB,YAAY,GACb,MAAM,cAAc,CAAC;AACtB,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,UAAU,EACV,kBAAkB,EAClB,aAAa,EACb,WAAW,EACX,WAAW,EACX,iBAAiB,EACjB,kBAAkB,EAClB,yBAAyB,EACzB,oBAAoB,EACpB,0BAA0B,EAC1B,gBAAgB,EAChB,wBAAwB,EACxB,wBAAwB,EACxB,QAAQ,EACR,cAAc,EACd,sBAAsB,EACtB,qBAAqB,EACrB,kBAAkB,EAClB,OAAO,EACP,WAAW,EACX,aAAa,EACb,cAAc,EACd,aAAa,EACb,mBAAmB,EACnB,aAAa,EACb,qBAAqB,EACrB,sBAAsB,EACtB,qBAAqB,EACrB,qBAAqB,EACrB,oBAAoB,EACpB,wBAAwB,EACxB,uBAAuB,EACvB,SAAS,EACT,eAAe,EACf,cAAc,EACd,sBAAsB,EACtB,oBAAoB,EACpB,sBAAsB,EACtB,eAAe,EACf,kBAAkB,EAClB,yBAAyB,EACzB,aAAa,GACd,MAAM,YAAY,CAAC;AACpB,YAAY,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AACnE,YAAY,EACV,iBAAiB,EACjB,wBAAwB,EACxB,cAAc,EACd,uBAAuB,EACvB,8BAA8B,GAC/B,MAAM,iBAAiB,CAAC;AACzB,YAAY,EACV,uBAAuB,EACvB,iCAAiC,EACjC,+BAA+B,EAC/B,+BAA+B,GAChC,MAAM,cAAc,CAAC;AACtB,YAAY,EACV,wBAAwB,EACxB,uBAAuB,EACvB,uBAAuB,EACvB,sBAAsB,EACtB,YAAY,EACZ,oBAAoB,EACpB,qBAAqB,GACtB,MAAM,aAAa,CAAC"}

package/dist/index.js

@@ -4636,7 +4636,7 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.25");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.26");
   const runtimePackageIntegrity = options.runtimePackageIntegrity?.trim() || undefined;
   const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
   const cloudfrontOriginProtocolPolicy = options.cloudfrontOriginProtocolPolicy ?? DEFAULT_CLOUDFRONT_ORIGIN_PROTOCOL_POLICY;
@@ -4712,7 +4712,7 @@ function buildAwsDeploymentPlan(options = {}) {
         domainName: cloudfrontOriginProtocolPolicy === "https-only" ? cloudfrontOriginDomainName : "<alb-dns-name>",
         requiresMatchingCertificate: cloudfrontOriginProtocolPolicy === "https-only",
         liveTrafficApproved: false,
-        risk: cloudfrontOriginProtocolPolicy === "http-only" ? "Temporary HTTP-origin bridge: do not use for token-bearing live traffic without explicit risk acceptance, or switch to https-only with cloudfront_origin_domain_name plus certificate_arn." : "CloudFront HTTPS-origin mode requires the origin hostname to resolve to the ALB and match certificate_arn."
+        risk: cloudfrontOriginProtocolPolicy === "http-only" ? "Temporary HTTP-origin bridge: web scale-up requires allow_cloudfront_http_origin_live_traffic=true for bounded smokes, or switch to https-only with cloudfront_origin_domain_name plus certificate_arn." : "CloudFront HTTPS-origin mode requires the origin hostname to resolve to the ALB and match certificate_arn."
       } : undefined,
       originVerification: protectedAccessMode === "cloudfront_default_domain" ? {
         mode: "cloudfront_origin_header",
@@ -4773,7 +4773,7 @@ function buildAwsDeploymentPlan(options = {}) {
         `Infra PR must declare CodeBuild image builder ${prefix}-${stage}-image-builder for @hasna/uptime@${runtimePackageVersion}.`,
         `Infra PR must declare hardened S3 evidence bucket ${evidenceBucket} with KMS, versioning, lifecycle, and public access block.`,
         `Infra PR must declare encrypted EFS ${prefix}-${stage}-data with access point, mount targets, and AWS Backup plan.`,
-        protectedAccessMode === "cloudfront_default_domain" ? "Infra PR must declare CloudFront default-domain HTTPS edge, ALB origin listener restricted to CloudFront origin-facing ranges, CloudFront-only origin verification header binding, ECS/Fargate cluster, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs. Token-bearing live traffic must use cloudfront_origin_protocol_policy=https-only with a matching origin hostname/certificate, or carry explicit HTTP-origin risk acceptance." : `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB HTTPS listener, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
+        protectedAccessMode === "cloudfront_default_domain" ? "Infra PR must declare CloudFront default-domain HTTPS edge, ALB origin listener restricted to CloudFront origin-facing ranges, CloudFront-only origin verification header binding, ECS/Fargate cluster, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs. Token-bearing live traffic must use cloudfront_origin_protocol_policy=https-only with a matching origin hostname/certificate, or carry explicit allow_cloudfront_http_origin_live_traffic=true bounded-smoke risk acceptance." : `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB HTTPS listener, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
         "Only apply the infra plan from the approved infrastructure repository after review evidence is attached."
       ],
       deploy: [
@@ -4782,7 +4782,7 @@ function buildAwsDeploymentPlan(options = {}) {
         "For the EFS SQLite bridge, do not run migration, scheduler, public-probe, or reporter tasks; keep them at desired count 0 until Postgres and cloud leases exist.",
         `Register task definitions for ${services.map((service) => service.name).join(", ")} using valueFrom secrets.`,
         `Update ECS services in cluster ${cluster} one component at a time through the approved deploy pipeline.`,
-        protectedAccessMode === "cloudfront_default_domain" ? "Use the CloudFront default HTTPS domain with origin verification header binding for first protected access; before token-bearing live traffic, switch the origin to https-only with a matching origin hostname/certificate or record explicit HTTP-origin risk acceptance." : `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
+        protectedAccessMode === "cloudfront_default_domain" ? "Use the CloudFront default HTTPS domain with origin verification header binding for first protected access; before token-bearing live traffic, switch the origin to https-only with a matching origin hostname/certificate or set allow_cloudfront_http_origin_live_traffic=true only for a bounded approved smoke." : `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
       ],
       rollback: [
         "Keep previous task definition ARNs before each service update.",
@@ -4799,7 +4799,7 @@ function buildAwsDeploymentPlan(options = {}) {
     blockers: [
       "The infrastructure owner repository was not found in this workspace.",
       protectedAccessMode === "cloudfront_default_domain" ? "CloudFront origin verification header binding must be enabled and direct-origin denial must be proven before web desired count is raised above 0." : "ALB HTTPS ingress policy and auth-denial smokes must be proven before web desired count is raised above 0.",
-      ...protectedAccessMode === "cloudfront_default_domain" && cloudfrontOriginProtocolPolicy === "http-only" ? ["CloudFront-to-ALB origin transport is still http-only; token-bearing live traffic needs https-only origin mode or explicit risk acceptance."] : [],
+      ...protectedAccessMode === "cloudfront_default_domain" && cloudfrontOriginProtocolPolicy === "http-only" ? ["CloudFront-to-ALB origin transport is still http-only; web scale-up now requires explicit allow_cloudfront_http_origin_live_traffic=true risk acceptance, and token-bearing live traffic should use https-only origin mode."] : [],
       ...protectedAccessMode === "cloudfront_default_domain" && cloudfrontOriginProtocolPolicy === "https-only" && cloudfrontOriginDomainName === "<alb-dns-name>" ? ["CloudFront https-only origin mode needs cloudfront_origin_domain_name that resolves to the ALB and matches certificate_arn."] : [],
       "The EFS SQLite bridge is single-writer only: web target desired count is 1 and scheduler/public-probe/reporter targets remain 0 until Postgres and cloud leases exist.",
       "Hosted production auth/RBAC must replace broad static hosted-token operation before exposure.",
@@ -4936,6 +4936,72 @@ function shellEscape(value) {
     return value;
   return `'${value.replace(/'/g, "'\\''")}'`;
 }
+
+// src/workers.ts
+var DEFAULT_INTERVAL_MS = 30000;
+async function runHostedPublicChecksWorker(options) {
+  const intervalMs = normalizePositiveInteger(options.intervalMs ?? DEFAULT_INTERVAL_MS, "intervalMs");
+  const maxRuntimeMs = options.maxRuntimeMs === undefined ? undefined : normalizePositiveInteger(options.maxRuntimeMs, "maxRuntimeMs");
+  const maxIterations = options.maxIterations === undefined ? undefined : normalizePositiveInteger(options.maxIterations, "maxIterations");
+  const clock = options.now ?? (() => new Date);
+  const sleep = options.sleep ?? abortableSleep;
+  const startedAtDate = clock();
+  const startedAt = startedAtDate.toISOString();
+  const deadline = maxRuntimeMs === undefined ? undefined : startedAtDate.getTime() + maxRuntimeMs;
+  let iterations = 0;
+  let checked = 0;
+  while (!options.signal?.aborted) {
+    if (maxIterations !== undefined && iterations >= maxIterations)
+      break;
+    const now = clock();
+    if (deadline !== undefined && now.getTime() >= deadline)
+      break;
+    const iteration = iterations + 1;
+    const iterationStartedAt = now.toISOString();
+    const results = await options.runner.runDueHostedPublicChecks(now, { workspaceId: options.workspaceId });
+    const finishedAt = clock().toISOString();
+    iterations = iteration;
+    checked += results.length;
+    options.onIteration?.({
+      iteration,
+      checked: results.length,
+      startedAt: iterationStartedAt,
+      finishedAt
+    });
+    if (maxIterations !== undefined && iterations >= maxIterations)
+      break;
+    if (deadline !== undefined && clock().getTime() >= deadline)
+      break;
+    await sleep(intervalMs, options.signal);
+  }
+  return {
+    kind: "open-uptime.hosted-public-checks-worker",
+    status: options.signal?.aborted ? "stopped" : "completed",
+    workspaceId: options.workspaceId?.trim() || null,
+    iterations,
+    checked,
+    startedAt,
+    finishedAt: clock().toISOString()
+  };
+}
+function normalizePositiveInteger(value, name) {
+  if (!Number.isInteger(value) || value <= 0)
+    throw new Error(`${name} must be a positive integer`);
+  return value;
+}
+function abortableSleep(ms, signal) {
+  if (signal?.aborted)
+    return Promise.resolve();
+  return new Promise((resolve) => {
+    const timer = setTimeout(done, ms);
+    function done() {
+      signal?.removeEventListener("abort", done);
+      clearTimeout(timer);
+      resolve();
+    }
+    signal?.addEventListener("abort", done, { once: true });
+  });
+}
 export {
   verifyProbeResultSignature,
   uptimeHostedFallbackDbPath,
@@ -4948,6 +5014,7 @@ export {
   runMonitorCheck,
   runHttpCheck,
   runHostedTcpCheck,
+  runHostedPublicChecksWorker,
   runHostedHttpCheck,
   runBrowserPageCheck,
   rollbackImport,

package/dist/workers.d.ts

@@ -0,0 +1,34 @@
+import type { CheckResult } from "./types.js";
+export interface HostedPublicCheckRunner {
+    runDueHostedPublicChecks(now?: Date, options?: {
+        workspaceId?: string;
+    }): Promise<CheckResult[]>;
+}
+export interface HostedPublicChecksWorkerOptions {
+    runner: HostedPublicCheckRunner;
+    workspaceId?: string;
+    intervalMs?: number;
+    maxRuntimeMs?: number;
+    maxIterations?: number;
+    signal?: AbortSignal;
+    now?: () => Date;
+    sleep?: (ms: number, signal?: AbortSignal) => Promise<void>;
+    onIteration?: (iteration: HostedPublicChecksWorkerIteration) => void;
+}
+export interface HostedPublicChecksWorkerIteration {
+    iteration: number;
+    checked: number;
+    startedAt: string;
+    finishedAt: string;
+}
+export interface HostedPublicChecksWorkerSummary {
+    kind: "open-uptime.hosted-public-checks-worker";
+    status: "completed" | "stopped";
+    workspaceId: string | null;
+    iterations: number;
+    checked: number;
+    startedAt: string;
+    finishedAt: string;
+}
+export declare function runHostedPublicChecksWorker(options: HostedPublicChecksWorkerOptions): Promise<HostedPublicChecksWorkerSummary>;
+//# sourceMappingURL=workers.d.ts.map

package/dist/workers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"workers.d.ts","sourceRoot":"","sources":["../src/workers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAE9C,MAAM,WAAW,uBAAuB;IACtC,wBAAwB,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,EAAE;QAAE,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;CAClG;AAED,MAAM,WAAW,+BAA+B;IAC9C,MAAM,EAAE,uBAAuB,CAAC;IAChC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,MAAM,CAAC,EAAE,WAAW,CAAC;IACrB,GAAG,CAAC,EAAE,MAAM,IAAI,CAAC;IACjB,KAAK,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,WAAW,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5D,WAAW,CAAC,EAAE,CAAC,SAAS,EAAE,iCAAiC,KAAK,IAAI,CAAC;CACtE;AAED,MAAM,WAAW,iCAAiC;IAChD,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,+BAA+B;IAC9C,IAAI,EAAE,yCAAyC,CAAC;IAChD,MAAM,EAAE,WAAW,GAAG,SAAS,CAAC;IAChC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB;AAID,wBAAsB,2BAA2B,CAAC,OAAO,EAAE,+BAA+B,GAAG,OAAO,CAAC,+BAA+B,CAAC,CA4CpI"}

package/dist/workers.js

@@ -0,0 +1,69 @@
+// @bun
+// src/workers.ts
+var DEFAULT_INTERVAL_MS = 30000;
+async function runHostedPublicChecksWorker(options) {
+  const intervalMs = normalizePositiveInteger(options.intervalMs ?? DEFAULT_INTERVAL_MS, "intervalMs");
+  const maxRuntimeMs = options.maxRuntimeMs === undefined ? undefined : normalizePositiveInteger(options.maxRuntimeMs, "maxRuntimeMs");
+  const maxIterations = options.maxIterations === undefined ? undefined : normalizePositiveInteger(options.maxIterations, "maxIterations");
+  const clock = options.now ?? (() => new Date);
+  const sleep = options.sleep ?? abortableSleep;
+  const startedAtDate = clock();
+  const startedAt = startedAtDate.toISOString();
+  const deadline = maxRuntimeMs === undefined ? undefined : startedAtDate.getTime() + maxRuntimeMs;
+  let iterations = 0;
+  let checked = 0;
+  while (!options.signal?.aborted) {
+    if (maxIterations !== undefined && iterations >= maxIterations)
+      break;
+    const now = clock();
+    if (deadline !== undefined && now.getTime() >= deadline)
+      break;
+    const iteration = iterations + 1;
+    const iterationStartedAt = now.toISOString();
+    const results = await options.runner.runDueHostedPublicChecks(now, { workspaceId: options.workspaceId });
+    const finishedAt = clock().toISOString();
+    iterations = iteration;
+    checked += results.length;
+    options.onIteration?.({
+      iteration,
+      checked: results.length,
+      startedAt: iterationStartedAt,
+      finishedAt
+    });
+    if (maxIterations !== undefined && iterations >= maxIterations)
+      break;
+    if (deadline !== undefined && clock().getTime() >= deadline)
+      break;
+    await sleep(intervalMs, options.signal);
+  }
+  return {
+    kind: "open-uptime.hosted-public-checks-worker",
+    status: options.signal?.aborted ? "stopped" : "completed",
+    workspaceId: options.workspaceId?.trim() || null,
+    iterations,
+    checked,
+    startedAt,
+    finishedAt: clock().toISOString()
+  };
+}
+function normalizePositiveInteger(value, name) {
+  if (!Number.isInteger(value) || value <= 0)
+    throw new Error(`${name} must be a positive integer`);
+  return value;
+}
+function abortableSleep(ms, signal) {
+  if (signal?.aborted)
+    return Promise.resolve();
+  return new Promise((resolve) => {
+    const timer = setTimeout(done, ms);
+    function done() {
+      signal?.removeEventListener("abort", done);
+      clearTimeout(timer);
+      resolve();
+    }
+    signal?.addEventListener("abort", done, { once: true });
+  });
+}
+export {
+  runHostedPublicChecksWorker
+};

package/docs/aws-deployment-runbook.md

@@ -195,9 +195,11 @@ Before setting `desired_counts.web = 1`, verify:
 - `HASNA_UPTIME_ALLOWED_ORIGINS` matches the public HTTPS edge origin;
 - CloudFront-to-origin transport is either `https-only` with an origin hostname
   whose certificate matches that hostname, or the HTTP-origin bridge has a
-  named risk owner and approval recorded in private evidence;
+  named risk owner and approval recorded in private evidence by setting
+  `allow_cloudfront_http_origin_live_traffic = true`;
 - CloudFront origin access is distribution-bound with the CloudFront-only origin
-  verification header, not just narrowed to CloudFront origin-facing ranges;
+  verification header by setting `enable_cloudfront_origin_verify_header = true`,
+  not just narrowed to CloudFront origin-facing ranges;
 - web egress to ECR, Secrets Manager or SSM, CloudWatch Logs, S3, EFS, and any
   required endpoints has been proven from a real ECS task. Terraform endpoint
   ids, route tables, and security-group rules are creation evidence only; the
@@ -422,9 +424,10 @@ routes are backed by cloud check jobs and cloud audit rows.
   hosted public-check runner, records target-policy decision evidence, and
   passes AWS smokes for denied DNS answers, redirect-to-denied targets, and
   address pinning. The SDK and `uptime cloud public-checks run-due` path now
-  handle execution-time DNS and redirect enforcement for bounded smokes, but a
-  sustained public-probe worker loop is not active until it is wired to cloud
-  leases.
+  handle execution-time DNS and redirect enforcement for bounded smokes. The
+  `uptime cloud public-checks worker` command is an EFS SQLite bridge loop for
+  controlled smoke testing only; it is not the final cloud
+  `check_jobs`/lease/fencing protocol.
 - Do not enable scheduler, public-probe, reporter, or migration workers against
   the EFS SQLite bridge; those services need Postgres/cloud leases first.
 - Do not expose dashboard/API routes without hosted auth and workspace checks.

package/docs/aws-runtime-security.md

@@ -453,8 +453,11 @@ required before browser evidence or public probe scale-out.
   It is not live: services remain at desired count `0`, secrets have
   `AWSCURRENT` values, scoped hosted-token descriptors can be used for operator
   smokes, and the HTTPS-origin/custom-hostname path still needs an approved ACM
-  cert, DNS record, plan/apply, and edge smoke. Full production identity/RBAC is
-  still not implemented.
+  cert, DNS record, plan/apply, and edge smoke. Terraform blocks
+  `desired_counts.web > 0` in CloudFront mode unless origin verification is
+  enabled and either HTTPS-origin mode is configured or
+  `allow_cloudfront_http_origin_live_traffic = true` records explicit bounded
+  smoke risk acceptance. Full production identity/RBAC is still not implemented.
 - Open Uptime is still SQLite-only for this bridge; only one protected web task
   may write EFS until Postgres and cloud leases exist.
 - Hosted API/dashboard auth, workspace RBAC, target policy, and Postgres leases
@@ -478,8 +481,12 @@ required before browser evidence or public probe scale-out.
   EFS SQLite bridge is explicitly temporary and not the target source of truth.
 - ECS task definitions use secret refs, not plaintext secret values.
 - ECS task definitions include explicit container health checks: web checks
-  `/health`, while disabled non-web roles use a hosted-environment sanity check
-  until their long-running worker commands are implemented.
+  `/health`, while disabled non-web roles run
+  `uptime cloud workers preflight --role <role> --healthcheck` and fail their
+  environment health check if hosted mode, component identity, or workspace env
+  is invalid. Their main commands call fail-closed
+  `uptime cloud workers run --role <role>` entrypoints until the real cloud data
+  paths are implemented.
 - Public probes cannot reach denied target classes; private monitors require
   private probes and approved inventory refs.
 - Backups, restore drill, rollback sequence, alarms, and cost estimate are

package/docs/cloud-source-of-truth.md

@@ -430,9 +430,10 @@ ECS/API/RDS/S3/probe lag/job backlog/delivery failures, and rollback commands.
   dashboard shell still fails closed; production-grade identity/RBAC is not
   implemented yet.
 - Outbound target policy for hosted HTTP/TCP checks exists in the SDK and the
-  `uptime cloud public-checks run-due` operator path. The cloud public-probe
-  worker loop, durable check-job lease path, and sustained ECS liveness are not
-  wired yet.
+  `uptime cloud public-checks run-due` operator path. A bounded
+  `uptime cloud public-checks worker` EFS SQLite bridge loop exists for
+  controlled smokes, but the cloud public-probe `check_jobs` lease/fencing path
+  and sustained ECS worker readiness are not wired yet.
 - `@hasna/cloud` hybrid mode still returns SQLite, so it is not cloud-primary.
 - The local cloud config currently points at a stale/non-resolving database host.
 - Todos has unresolved conflicts that must be reconciled before cloud cutover.
@@ -454,7 +455,10 @@ ECS/API/RDS/S3/probe lag/job backlog/delivery failures, and rollback commands.
   representative SQLite EFS backup/restore drill with integrity/count checks.
   It is not live: live scale-up is still blocked by edge/auth smokes, approved
   human/on-call SNS subscriptions and delivery smoke, and production auth
-  hardening beyond scoped static operator tokens.
+  hardening beyond scoped static operator tokens. Terraform now prevents
+  accidental `web > 0` promotion in CloudFront mode unless origin verification
+  is enabled and either HTTPS-origin mode or explicit HTTP-origin risk
+  acceptance is configured.
 - Projects per-project cloud stores do not exist yet; current local
   `project.db` stores are not enough for cloud-backed canvases or JSON Render.
 - Browser/page monitoring lacks the artifact, redaction, retention, and storage

package/docs/deployment-metadata.example.json

@@ -1,7 +1,7 @@
 {
   "service": "open-uptime",
   "package": "@hasna/uptime",
-  "intendedVersion": "0.1.25",
+  "intendedVersion": "0.1.26",
   "accountProfile": "<aws-profile>",
   "accountId": "<aws-account-id>",
   "region": "us-east-1",

package/infra/aws/README.md

@@ -90,9 +90,12 @@ delivery, S3 access, and EFS mount behavior.
 
 Every ECS task definition includes an explicit container health check. The web
 task checks `GET /health` through Bun's built-in `fetch`; disabled non-web roles
-currently run a hosted-environment sanity check so scheduler, public-probe,
-reporter, and migration tasks do not start from empty ECS health semantics when
-their long-running workers are later enabled.
+run `uptime cloud workers preflight --role <role> --healthcheck`, which verifies
+hosted mode, component identity, and workspace env before reporting blocked
+cloud prerequisites. Their main container commands call fail-closed
+`uptime cloud workers run --role <role>` entrypoints so scheduler,
+public-probe, reporter, and migration tasks no longer use `cloud plan` as a
+placeholder.
 
 Interface endpoint private DNS is VPC-wide. In shared VPCs, either keep endpoint
 creation in the approved networking root, or pass
@@ -106,10 +109,16 @@ Store instead of Secrets Manager, add `ssm` to
 - Hosted production auth/RBAC still needs scoped, revocable credentials.
 - The default `http-only` CloudFront origin bridge must be replaced with the
   explicit HTTPS-origin mode or consciously accepted with documented risk before
-  token-bearing live traffic.
+  token-bearing live traffic. The module blocks `desired_counts.web > 0` in
+  CloudFront mode unless origin verification is enabled, and it also requires
+  either `cloudfront_origin_protocol_policy = "https-only"` or explicit
+  `allow_cloudfront_http_origin_live_traffic = true` risk acceptance for bounded
+  smokes.
 - Public probe runtime has SDK-level hosted HTTP target-policy enforcement, but
-  the public-probe worker and cloud check-job lease path are still disabled until
-  they are wired to that runner and validated in AWS.
+  the public-probe cloud check-job lease path is still disabled until it is
+  wired to that runner and validated in AWS. The
+  `uptime cloud public-checks worker` command is an EFS SQLite bridge smoke loop,
+  not the final cloud worker protocol.
 - Hosted private-probe enrollment/heartbeat/revocation is still
   fail-closed.
 

package/infra/aws/main.tf

@@ -40,22 +40,22 @@ locals {
     }
     scheduler = {
       desired_count = lookup(var.desired_counts, "scheduler", 0)
-      command       = ["bun", "dist/cli/index.js", "cloud", "plan"]
+      command       = ["bun", "dist/cli/index.js", "cloud", "workers", "run", "--role", "scheduler"]
       secrets       = { APP_ENV = var.app_env_secret_arn }
     }
     "public-probe" = {
       desired_count = lookup(var.desired_counts, "public-probe", 0)
-      command       = ["bun", "dist/cli/index.js", "cloud", "plan"]
+      command       = ["bun", "dist/cli/index.js", "cloud", "workers", "run", "--role", "public-probe"]
       secrets       = { PROBE_CONFIG = var.public_probe_secret_arn }
     }
     reporter = {
       desired_count = lookup(var.desired_counts, "reporter", 0)
-      command       = ["bun", "dist/cli/index.js", "cloud", "plan"]
+      command       = ["bun", "dist/cli/index.js", "cloud", "workers", "run", "--role", "reporter"]
       secrets       = { REPORTING_CONFIG = var.reporting_secret_arn }
     }
     migration = {
       desired_count = lookup(var.desired_counts, "migration", 0)
-      command       = ["bun", "dist/cli/index.js", "cloud", "plan"]
+      command       = ["bun", "dist/cli/index.js", "cloud", "workers", "run", "--role", "migration"]
       secrets       = { APP_ENV = var.app_env_secret_arn }
     }
   }
@@ -94,28 +94,28 @@ locals {
       startPeriod = 30
     }
     scheduler = {
-      command     = ["CMD-SHELL", "bun -e \"process.exit(process.env.HASNA_UPTIME_MODE === 'hosted' && process.env.HASNA_UPTIME_COMPONENT === 'scheduler' ? 0 : 1)\""]
+      command     = ["CMD-SHELL", "bun dist/cli/index.js cloud workers preflight --role scheduler --healthcheck --json >/tmp/open-uptime-worker-preflight.json"]
       interval    = 30
       timeout     = 5
       retries     = 3
       startPeriod = 30
     }
     "public-probe" = {
-      command     = ["CMD-SHELL", "bun -e \"process.exit(process.env.HASNA_UPTIME_MODE === 'hosted' && process.env.HASNA_UPTIME_COMPONENT === 'public-probe' ? 0 : 1)\""]
+      command     = ["CMD-SHELL", "bun dist/cli/index.js cloud workers preflight --role public-probe --healthcheck --json >/tmp/open-uptime-worker-preflight.json"]
       interval    = 30
       timeout     = 5
       retries     = 3
       startPeriod = 30
     }
     reporter = {
-      command     = ["CMD-SHELL", "bun -e \"process.exit(process.env.HASNA_UPTIME_MODE === 'hosted' && process.env.HASNA_UPTIME_COMPONENT === 'reporter' ? 0 : 1)\""]
+      command     = ["CMD-SHELL", "bun dist/cli/index.js cloud workers preflight --role reporter --healthcheck --json >/tmp/open-uptime-worker-preflight.json"]
       interval    = 30
       timeout     = 5
       retries     = 3
       startPeriod = 30
     }
     migration = {
-      command     = ["CMD-SHELL", "bun -e \"process.exit(process.env.HASNA_UPTIME_MODE === 'hosted' && process.env.HASNA_UPTIME_COMPONENT === 'migration' ? 0 : 1)\""]
+      command     = ["CMD-SHELL", "bun dist/cli/index.js cloud workers preflight --role migration --healthcheck --json >/tmp/open-uptime-worker-preflight.json"]
       interval    = 30
       timeout     = 5
       retries     = 3

package/infra/aws/terraform.tfvars.example

@@ -12,6 +12,7 @@ vpc_id                   = "vpc-xxxxxxxx"
 ecr_repository_name      = "open-uptime"
 protected_access_mode    = "cloudfront_default_domain"
 cloudfront_origin_protocol_policy = "http-only"
+allow_cloudfront_http_origin_live_traffic = false
 cloudfront_origin_domain_name     = null
 enable_cloudfront_origin_verify_header = false
 cloudfront_origin_verify_header_name   = "X-Open-Uptime-Origin-Verify"
@@ -21,7 +22,7 @@ alb_ingress_cidr_blocks = []
 private_subnet_ids       = ["subnet-replace-private-a", "subnet-replace-private-b"]
 private_route_table_ids  = ["rtb-replace-private"]
 container_image          = "123456789012.dkr.ecr.us-east-1.amazonaws.com/open-uptime@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-runtime_package_version   = "0.1.25"
+runtime_package_version   = "0.1.26"
 runtime_package_integrity = null
 certificate_arn          = null
 hosted_zone_id           = null

package/infra/aws/variables.tf

@@ -98,6 +98,12 @@ variable "cloudfront_origin_protocol_policy" {
   }
 }
 
+variable "allow_cloudfront_http_origin_live_traffic" {
+  description = "Explicit risk acceptance for setting web desired count above 0 while CloudFront-to-ALB origin transport is http-only. Keep false unless a named operator accepts the temporary HTTP-origin bridge risk for a bounded smoke."
+  type        = bool
+  default     = false
+}
+
 variable "cloudfront_origin_domain_name" {
   description = "DNS hostname CloudFront uses for the ALB custom origin when cloudfront_origin_protocol_policy is https-only. The hostname must resolve to the ALB and match certificate_arn. Leave null for the default HTTP-origin bridge."
   type        = string
@@ -235,7 +241,7 @@ variable "container_image" {
 variable "runtime_package_version" {
   description = "Published @hasna/uptime package version that CodeBuild should build into the ECR image."
   type        = string
-  default     = "0.1.25"
+  default     = "0.1.26"
 
   validation {
     condition     = can(regex("^[0-9]+\\.[0-9]+\\.[0-9]+(-[0-9A-Za-z.-]+)?$", var.runtime_package_version))
@@ -347,6 +353,25 @@ variable "desired_counts" {
     ])
     error_message = "EFS SQLite bridge requires web desired count 0 or 1 and scheduler/public-probe/reporter/migration desired counts 0."
   }
+
+  validation {
+    condition = (
+      lookup(var.desired_counts, "web", 0) == 0
+      || var.protected_access_mode != "cloudfront_default_domain"
+      || var.enable_cloudfront_origin_verify_header
+    )
+    error_message = "web desired count above 0 in cloudfront_default_domain mode requires enable_cloudfront_origin_verify_header=true."
+  }
+
+  validation {
+    condition = (
+      lookup(var.desired_counts, "web", 0) == 0
+      || var.protected_access_mode != "cloudfront_default_domain"
+      || var.cloudfront_origin_protocol_policy == "https-only"
+      || var.allow_cloudfront_http_origin_live_traffic
+    )
+    error_message = "web desired count above 0 requires CloudFront HTTPS-origin mode, or explicit allow_cloudfront_http_origin_live_traffic=true risk acceptance for a bounded smoke."
+  }
 }
 
 variable "alarm_actions" {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hasna/uptime",
-  "version": "0.1.25",
+  "version": "0.1.26",
   "description": "Local-first uptime and downtime monitoring service with CLI, MCP, SDK, SQLite persistence, and a dashboard.",
   "license": "Apache-2.0",
   "type": "module",
@@ -69,10 +69,14 @@
     "./cloud-plan": {
       "types": "./dist/cloud-plan.d.ts",
       "import": "./dist/cloud-plan.js"
+    },
+    "./workers": {
+      "types": "./dist/workers.d.ts",
+      "import": "./dist/workers.js"
     }
   },
   "scripts": {
-    "build": "rm -rf dist && bun build src/cli/index.ts --outdir dist/cli --target bun --external @modelcontextprotocol/sdk && bun build src/mcp/index.ts --outdir dist/mcp --target bun --external @modelcontextprotocol/sdk && bun build src/index.ts src/api.ts src/service.ts src/store.ts src/checks.ts src/imports.ts src/report.ts src/probes.ts src/cloud-plan.ts src/types.ts src/paths.ts src/dashboard.ts src/version.ts --root src --outdir dist --target bun && tsc -p tsconfig.build.json --emitDeclarationOnly --outDir dist && chmod +x dist/cli/index.js dist/mcp/index.js",
+    "build": "rm -rf dist && bun build src/cli/index.ts --outdir dist/cli --target bun --external @modelcontextprotocol/sdk && bun build src/mcp/index.ts --outdir dist/mcp --target bun --external @modelcontextprotocol/sdk && bun build src/index.ts src/api.ts src/service.ts src/store.ts src/checks.ts src/imports.ts src/report.ts src/probes.ts src/cloud-plan.ts src/workers.ts src/types.ts src/paths.ts src/dashboard.ts src/version.ts --root src --outdir dist --target bun && tsc -p tsconfig.build.json --emitDeclarationOnly --outDir dist && chmod +x dist/cli/index.js dist/mcp/index.js",
     "typecheck": "tsc --noEmit",
     "test": "bun test ./tests",
     "dev:cli": "bun run src/cli/index.ts",