@hasna/uptime 0.1.4 → 0.1.5

package/CHANGELOG.md

@@ -6,6 +6,27 @@ project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [0.1.5] - 2026-06-28
+
+### Added
+
+- Dry-run AWS deployment plan generator for the `hasna-xyz-infra` target,
+  covering ECS/Fargate services, ECR image commands, ALB/RDS/S3/Secrets/Logs
+  resources, rollback steps, and safety assertions.
+- Spark01 cloud-primary private probe config generator with JSON and env-file
+  rendering.
+- CLI commands `uptime cloud plan` and `uptime cloud spark01-config`.
+- SDK export `@hasna/uptime/cloud-plan`.
+- Machine-readable `blocked`/`canApply:false` and `blocked`/`canStart:false`
+  gates plus blocker/evidence lists for AWS and Spark01 planning artifacts.
+
+### Security
+
+- Cloud planning artifacts contain secret names/refs and file paths only; they
+  do not inline AWS credentials, hosted tokens, or private probe key material.
+- Cloud plan generation is dry-run only and does not call AWS.
+- Dry-run AWS output avoids copy-pastable live AWS mutation commands.
+
 ## [0.1.4] - 2026-06-28
 
 ### Added

package/README.md

@@ -31,6 +31,8 @@ uptime report-schedules create ops --interval 3600 --email ops@example.com --fro
 uptime report-schedules run-due
 uptime report-schedules runs
 uptime audit
+uptime cloud plan --json
+uptime cloud spark01-config --probe-id prb_spark01 --env
 uptime incidents
 uptime serve --port 3899 --check
 ```
@@ -39,6 +41,11 @@ Scheduled reports persist endpoint and recipient configuration, but not send
 keys or API tokens. Configure `MAILERY_SEND_KEY`, `HASNA_MAILERY_SEND_KEY`,
 `HASNA_LOGS_API_TOKEN`, or the matching service env vars before scheduled runs.
 
+The `uptime cloud ...` commands generate dry-run AWS/Spark01 planning artifacts
+only. They do not call AWS, write secrets, or produce an approved deploy script;
+current output is intentionally blocked until the infra and cloud-store evidence
+in `docs/aws-deployment-runbook.md` is satisfied.
+
 Private/local probes can submit signed results from another machine:
 
 ```bash

package/dist/cli/index.js

@@ -6387,6 +6387,268 @@ class ApiError extends Error {
   }
 }
 
+// src/cloud-plan.ts
+var DEFAULT_ACCOUNT = "hasna-xyz-infra";
+var DEFAULT_REGION = "us-east-1";
+var DEFAULT_STAGE = "prod";
+var DEFAULT_PREFIX = "open-uptime";
+var DEFAULT_HOSTNAME = "uptime.hasna.xyz";
+var DEFAULT_WORKSPACE_ID = "wks_2tyysw05cwap";
+var DEFAULT_VPC_ID = "vpc-04c7f7abc1d3c3f56";
+var DEFAULT_RDS = "hasna-xyz-infra-apps-prod-postgres";
+function buildAwsDeploymentPlan(options = {}) {
+  const region = clean(options.region, DEFAULT_REGION);
+  const stage = clean(options.stage, DEFAULT_STAGE);
+  const prefix = clean(options.servicePrefix, DEFAULT_PREFIX);
+  const accountName = clean(options.accountName, DEFAULT_ACCOUNT);
+  const hostname = clean(options.hostname, DEFAULT_HOSTNAME);
+  const workspaceId = clean(options.workspaceId, DEFAULT_WORKSPACE_ID);
+  const ecrRepository = clean(options.ecrRepository, `hasna/opensource/${prefix}`);
+  const image = clean(options.image, `<account-id>.dkr.ecr.${region}.amazonaws.com/${ecrRepository}:<git-sha>`);
+  const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
+  const cluster = `${prefix}-${stage}`;
+  const secrets = {
+    database: clean(options.databaseSecretName, `hasna/xyz/opensource/uptime/${stage}/rds`),
+    appEnv: clean(options.appEnvSecretName, `hasna/xyz/opensource/uptime/${stage}/app/env`),
+    hostedToken: clean(options.hostedTokenSecretName, `hasna/xyz/opensource/uptime/${stage}/hosted-token`),
+    publicProbe: clean(options.publicProbeSecretName, `hasna/xyz/opensource/uptime/${stage}/probe/public`),
+    privateProbe: clean(options.privateProbeSecretName, `hasna/xyz/opensource/uptime/${stage}/probe/private`),
+    reporting: clean(options.reportingSecretName, `hasna/xyz/opensource/uptime/${stage}/reporting`)
+  };
+  const services = [
+    servicePlan(prefix, stage, "web", 2, image, workspaceId, secrets, {
+      HASNA_UPTIME_MODE: "hosted",
+      HASNA_UPTIME_WORKSPACE_ID: workspaceId,
+      HASNA_UPTIME_HOSTNAME: hostname
+    }),
+    servicePlan(prefix, stage, "scheduler", 1, image, workspaceId, secrets, {
+      HASNA_UPTIME_MODE: "hosted",
+      HASNA_UPTIME_WORKSPACE_ID: workspaceId,
+      HASNA_UPTIME_COMPONENT: "scheduler"
+    }),
+    servicePlan(prefix, stage, "public-probe", 1, image, workspaceId, secrets, {
+      HASNA_UPTIME_MODE: "hosted",
+      HASNA_UPTIME_WORKSPACE_ID: workspaceId,
+      HASNA_UPTIME_COMPONENT: "public-probe",
+      HASNA_UPTIME_PROBE_LOCATION: region
+    }),
+    servicePlan(prefix, stage, "reporter", 1, image, workspaceId, secrets, {
+      HASNA_UPTIME_MODE: "hosted",
+      HASNA_UPTIME_WORKSPACE_ID: workspaceId,
+      HASNA_UPTIME_COMPONENT: "reporter"
+    }),
+    servicePlan(prefix, stage, "migration", 0, image, workspaceId, secrets, {
+      HASNA_UPTIME_MODE: "hosted",
+      HASNA_UPTIME_WORKSPACE_ID: workspaceId,
+      HASNA_UPTIME_COMPONENT: "migration"
+    })
+  ];
+  return {
+    kind: "open-uptime.aws-deployment-plan",
+    version: 1,
+    generatedAt: new Date().toISOString(),
+    status: "blocked",
+    canApply: false,
+    accountName,
+    region,
+    stage,
+    servicePrefix: prefix,
+    hostname,
+    workspaceId,
+    mode: "hosted",
+    resources: {
+      ecrRepository,
+      ecsCluster: cluster,
+      services,
+      vpcId: clean(options.vpcId, DEFAULT_VPC_ID),
+      rdsInstanceId: clean(options.rdsInstanceId, DEFAULT_RDS),
+      evidenceBucket,
+      loadBalancer: `${prefix}-${stage}-alb`,
+      targetGroups: [`${prefix}-${stage}-web-tg`],
+      securityGroups: [
+        `${prefix}-${stage}-alb-sg`,
+        `${prefix}-${stage}-web-sg`,
+        `${prefix}-${stage}-scheduler-sg`,
+        `${prefix}-${stage}-public-probe-sg`,
+        `${prefix}-${stage}-rds-client-sg`
+      ],
+      secrets,
+      logGroups: services.map((service) => service.logGroup),
+      alarms: [
+        `${prefix}-${stage}-web-5xx`,
+        `${prefix}-${stage}-scheduler-stalled`,
+        `${prefix}-${stage}-probe-stale`,
+        `${prefix}-${stage}-report-delivery-failures`
+      ]
+    },
+    image: {
+      repository: ecrRepository,
+      uri: image,
+      buildCommand: "BLOCKED: add a reviewed Dockerfile/container build target before running docker build",
+      pushCommands: [
+        "BLOCKED: push only from approved CI/CD after the ECR repository and image digest policy exist",
+        "BLOCKED: deploy services by immutable image digest, not by mutable tags"
+      ]
+    },
+    runbook: {
+      preflight: [
+        `aws sts get-caller-identity --profile ${accountName}`,
+        `aws rds describe-db-instances --db-instance-identifier ${clean(options.rdsInstanceId, DEFAULT_RDS)} --region ${region}`,
+        `aws ec2 describe-vpcs --vpc-ids ${clean(options.vpcId, DEFAULT_VPC_ID)} --region ${region}`,
+        "Confirm the infra repository and Terraform/CloudFormation owner before live mutation."
+      ],
+      provision: [
+        `Infra PR must declare or update ECR repository ${ecrRepository}.`,
+        `Infra PR must declare hardened S3 evidence bucket ${evidenceBucket} with KMS, versioning, lifecycle, and public access block.`,
+        `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
+        "Only apply the infra plan from the approved infrastructure repository after review evidence is attached."
+      ],
+      deploy: [
+        "Build and publish the image only after the Dockerfile/container target is reviewed.",
+        "Run the migration task with the migrator role before web/scheduler/probe services.",
+        `Register task definitions for ${services.map((service) => service.name).join(", ")} using valueFrom secrets.`,
+        `Update ECS services in cluster ${cluster} one component at a time through the approved deploy pipeline.`,
+        `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
+      ],
+      rollback: [
+        "Keep previous task definition ARNs before each service update.",
+        "Rollback through the approved deploy pipeline to the previously recorded task definition ARNs.",
+        "Disable scheduler/reporter services before data rollback.",
+        "Restore RDS snapshot only after explicit operator approval and audit record."
+      ],
+      spark01: [
+        "Create a private probe identity with a caller-managed public key.",
+        "Install @hasna/uptime on Spark01 and write the generated env file with mode 0600.",
+        "Run the private probe against the hosted /api/v1 probe endpoint once it exists."
+      ]
+    },
+    blockers: [
+      "The hasna-xyz-infra infrastructure owner repository was not found in this workspace.",
+      "The repo has no reviewed Dockerfile/container build target for image build and publish automation.",
+      "Hosted Postgres storage adapter and migrations are not implemented.",
+      "Hosted production auth/RBAC must replace broad static hosted-token operation before exposure.",
+      "Public probe execution still needs DNS, redirect, and rebinding SSRF enforcement plus cloud check-job leases.",
+      "Spark01 hosted probe enrollment, claim, submit, heartbeat, revocation, and rotation are not cloud-backed yet."
+    ],
+    requiredEvidence: [
+      "Infrastructure PR/synth/plan from the approved infra repository.",
+      "Container build smoke and immutable image digest.",
+      "ECS task definitions using secrets.valueFrom only.",
+      "ALB/TLS/DNS/auth denial smokes.",
+      "RDS TLS, backups/PITR, scoped roles, and migration dry-run evidence.",
+      "S3 bucket KMS, versioning, lifecycle, and public-access-block evidence.",
+      "Spark01 private-probe registration, key-file mode, heartbeat, and revocation evidence."
+    ],
+    safety: {
+      liveAwsMutation: false,
+      plaintextSecrets: false,
+      hostedLocalSqliteAllowed: false,
+      notes: [
+        "This plan generator does not call AWS.",
+        "Hosted runtime must use Postgres; SQLite remains local/dev fallback only.",
+        "Secrets are represented as secret names/refs and must be injected with valueFrom.",
+        "Actual deploy belongs in the deploy_release_operate_final goal node after infra review."
+      ]
+    }
+  };
+}
+function buildSpark01CloudConfig(options = {}) {
+  const apiUrl = clean(options.apiUrl, `https://${DEFAULT_HOSTNAME}/api/v1`);
+  const workspaceId = clean(options.workspaceId, DEFAULT_WORKSPACE_ID);
+  const machineId = clean(options.machineId, "spark01");
+  const privateKeyFile = clean(options.probePrivateKeyFile, "~/.hasna/uptime/probes/spark01.key.pem");
+  const probeId = options.probeId?.trim();
+  const blockers = [
+    ...probeId ? [] : ["Cloud-registered private probe id is required before writing a sourceable env file."],
+    "Hosted probe claim and submit routes still fail closed until cloud check_jobs and workspace stores are implemented.",
+    "Spark01 enrollment, heartbeat, revocation, rotation, and bounded offline lease handling are not implemented yet."
+  ];
+  const env3 = {
+    HASNA_UPTIME_MODE: "hosted",
+    HASNA_UPTIME_API_URL: apiUrl,
+    HASNA_UPTIME_WORKSPACE_ID: workspaceId,
+    HASNA_UPTIME_MACHINE_ID: machineId,
+    HASNA_UPTIME_PRIVATE_PROBE_KEY_FILE: privateKeyFile,
+    HASNA_UPTIME_PROBE_CLASS: "private",
+    HASNA_UPTIME_LOG_LEVEL: clean(options.logLevel, "info")
+  };
+  if (probeId)
+    env3.HASNA_UPTIME_PRIVATE_PROBE_ID = probeId;
+  return {
+    kind: "open-uptime.spark01-cloud-config",
+    version: 1,
+    generatedAt: new Date().toISOString(),
+    status: "blocked",
+    canStart: false,
+    machineId,
+    mode: "private-probe",
+    env: env3,
+    files: [
+      {
+        path: privateKeyFile,
+        mode: "0600",
+        purpose: "Ed25519 private key generated on Spark01; never paste into cloud config."
+      },
+      {
+        path: "~/.hasna/uptime/cloud.env",
+        mode: "0600",
+        purpose: "Non-secret cloud/probe runtime environment; token values stay in the machine secret store."
+      }
+    ],
+    commands: [
+      "bun install -g @hasna/uptime@latest",
+      "Generate the Spark01 private key locally and register only its public key with the hosted control plane once registration exists.",
+      "Write ~/.hasna/uptime/cloud.env from this plan, then source it for the private probe service.",
+      "Start the private probe worker only after hosted /api/v1 probe claim/submit routes are backed by cloud jobs."
+    ],
+    blockers,
+    safety: {
+      privateKeyInline: false,
+      tokenInline: false,
+      notes: [
+        "This config is cloud-primary: Spark01 submits to hosted API state instead of local SQLite.",
+        "The private key file path is referenced, not embedded.",
+        "Hosted token or probe auth material must come from the machine secret store, not this generated config."
+      ]
+    }
+  };
+}
+function renderSpark01Env(config) {
+  const required = ["HASNA_UPTIME_PRIVATE_PROBE_ID"];
+  const missing = required.filter((key) => !config.env[key]);
+  if (missing.length > 0) {
+    throw new Error(`Spark01 env output requires ${missing.join(", ")}`);
+  }
+  return Object.entries(config.env).map(([key, value]) => `${key}=${shellEscape(value)}`).join(`
+`);
+}
+function servicePlan(prefix, stage, role, desiredCount, image, workspaceId, secrets, environment) {
+  const name = `${prefix}-${stage}-${role}`;
+  return {
+    name,
+    role,
+    desiredCount,
+    taskRole: `${name}-task-role`,
+    executionRole: `${prefix}-${stage}-execution-role`,
+    logGroup: `/ecs/${name}`,
+    healthCommand: role === "web" ? "GET /health" : undefined,
+    environment: {
+      HASNA_UPTIME_IMAGE: image,
+      ...environment
+    },
+    secrets: role === "public-probe" ? { DATABASE_URL: secrets.database, PROBE_CONFIG: secrets.publicProbe } : role === "reporter" ? { DATABASE_URL: secrets.database, REPORTING_CONFIG: secrets.reporting } : { DATABASE_URL: secrets.database, APP_ENV: secrets.appEnv }
+  };
+}
+function clean(value, fallback) {
+  const normalized = value?.trim();
+  return normalized || fallback;
+}
+function shellEscape(value) {
+  if (/^[A-Za-z0-9_./:@~-]+$/.test(value))
+    return value;
+  return `'${value.replace(/'/g, "'\\''")}'`;
+}
+
 // src/cli/index.ts
 var program2 = new Command;
 program2.name("uptime").description("Local-first uptime and downtime monitoring").version(packageVersion()).option("-j, --json", "print JSON");
@@ -6694,6 +6956,45 @@ program2.command("audit").description("List local audit events").option("--resou
     fail(error);
   }
 });
+var cloud = program2.command("cloud").description("Generate dry-run cloud deployment and Spark01 configuration artifacts");
+cloud.command("plan").description("Generate a dry-run AWS deployment plan for hasna-xyz-infra").option("--account <name>", "AWS account/profile label", "hasna-xyz-infra").option("--region <region>", "AWS region", "us-east-1").option("--stage <stage>", "deployment stage", "prod").option("--hostname <hostname>", "hosted Open Uptime hostname", "uptime.hasna.xyz").option("--workspace-id <id>", "workspace id", "wks_2tyysw05cwap").option("--vpc-id <id>", "target VPC id").option("--rds-instance-id <id>", "existing RDS instance id").option("--ecr-repository <name>", "ECR repository name").option("--image <uri>", "container image URI").option("--evidence-bucket <name>", "S3 evidence bucket name").option("-j, --json", "print JSON").action((opts) => {
+  try {
+    const plan = buildAwsDeploymentPlan({
+      accountName: opts.account,
+      region: opts.region,
+      stage: opts.stage,
+      hostname: opts.hostname,
+      workspaceId: opts.workspaceId,
+      vpcId: opts.vpcId,
+      rdsInstanceId: opts.rdsInstanceId,
+      ecrRepository: opts.ecrRepository,
+      image: opts.image,
+      evidenceBucket: opts.evidenceBucket
+    });
+    print(plan, renderCloudPlan(plan), opts);
+  } catch (error) {
+    fail(error);
+  }
+});
+cloud.command("spark01-config").description("Generate Spark01 cloud-primary private probe configuration").option("--api-url <url>", "hosted Open Uptime API URL", "https://uptime.hasna.xyz/api/v1").option("--workspace-id <id>", "workspace id", "wks_2tyysw05cwap").option("--probe-id <id>", "cloud registered private probe id").option("--private-key-file <path>", "Spark01 private probe key file", "~/.hasna/uptime/probes/spark01.key.pem").option("--machine-id <id>", "machine id", "spark01").option("--log-level <level>", "probe log level", "info").option("--env", "print shell env file instead of summary text").option("-j, --json", "print JSON").action((opts) => {
+  try {
+    const config = buildSpark01CloudConfig({
+      apiUrl: opts.apiUrl,
+      workspaceId: opts.workspaceId,
+      probeId: opts.probeId,
+      probePrivateKeyFile: opts.privateKeyFile,
+      machineId: opts.machineId,
+      logLevel: opts.logLevel
+    });
+    if (opts.env && !wantsJson(opts)) {
+      console.log(renderSpark01Env(config));
+      return;
+    }
+    print(config, renderSpark01Config(config), opts);
+  } catch (error) {
+    fail(error);
+  }
+});
 program2.command("results").description("List recent check results").option("--monitor <id>", "filter by monitor id").option("--limit <n>", "max rows", parseInteger, 20).option("-j, --json", "print JSON").action((opts) => {
   try {
     const svc = service();
@@ -7046,6 +7347,38 @@ function renderReportRuns(runs) {
   }).join(`
 `);
 }
+function renderCloudPlan(plan) {
+  return [
+    `${plan.servicePrefix} ${plan.stage} AWS plan (${plan.accountName}/${plan.region})`,
+    `status: ${plan.status}`,
+    `can apply: ${plan.canApply}`,
+    `host: ${plan.hostname}`,
+    `cluster: ${plan.resources.ecsCluster}`,
+    `image: ${plan.image.uri}`,
+    `vpc: ${plan.resources.vpcId}`,
+    `rds: ${plan.resources.rdsInstanceId}`,
+    `services: ${plan.resources.services.map((service2) => `${service2.name}:${service2.desiredCount}`).join(", ")}`,
+    `evidence bucket: ${plan.resources.evidenceBucket}`,
+    `blockers: ${plan.blockers.length}`,
+    "live AWS mutation: false"
+  ].join(`
+`);
+}
+function renderSpark01Config(config) {
+  return [
+    `${config.machineId} ${config.mode} config`,
+    `status: ${config.status}`,
+    `can start: ${config.canStart}`,
+    `api: ${config.env.HASNA_UPTIME_API_URL}`,
+    `workspace: ${config.env.HASNA_UPTIME_WORKSPACE_ID}`,
+    `probe: ${config.env.HASNA_UPTIME_PRIVATE_PROBE_ID ?? "<required>"}`,
+    `key file: ${config.env.HASNA_UPTIME_PRIVATE_PROBE_KEY_FILE}`,
+    `blockers: ${config.blockers.length}`,
+    "private key inline: false",
+    "token inline: false"
+  ].join(`
+`);
+}
 function renderDeliveries(deliveries) {
   if (deliveries.length === 0)
     return "No report deliveries requested";

package/dist/cloud-plan.d.ts

@@ -0,0 +1,113 @@
+export interface AwsDeploymentPlanOptions {
+    accountName?: string;
+    region?: string;
+    stage?: string;
+    servicePrefix?: string;
+    hostname?: string;
+    workspaceId?: string;
+    vpcId?: string;
+    rdsInstanceId?: string;
+    ecrRepository?: string;
+    image?: string;
+    evidenceBucket?: string;
+    hostedTokenSecretName?: string;
+    databaseSecretName?: string;
+    appEnvSecretName?: string;
+    publicProbeSecretName?: string;
+    privateProbeSecretName?: string;
+    reportingSecretName?: string;
+}
+export interface AwsDeploymentPlan {
+    kind: "open-uptime.aws-deployment-plan";
+    version: 1;
+    generatedAt: string;
+    status: "blocked";
+    canApply: false;
+    accountName: string;
+    region: string;
+    stage: string;
+    servicePrefix: string;
+    hostname: string;
+    workspaceId: string;
+    mode: "hosted";
+    resources: {
+        ecrRepository: string;
+        ecsCluster: string;
+        services: AwsServicePlan[];
+        vpcId: string;
+        rdsInstanceId: string;
+        evidenceBucket: string;
+        loadBalancer: string;
+        targetGroups: string[];
+        securityGroups: string[];
+        secrets: Record<string, string>;
+        logGroups: string[];
+        alarms: string[];
+    };
+    image: {
+        repository: string;
+        uri: string;
+        buildCommand: string;
+        pushCommands: string[];
+    };
+    runbook: {
+        preflight: string[];
+        provision: string[];
+        deploy: string[];
+        rollback: string[];
+        spark01: string[];
+    };
+    blockers: string[];
+    requiredEvidence: string[];
+    safety: {
+        liveAwsMutation: false;
+        plaintextSecrets: false;
+        hostedLocalSqliteAllowed: false;
+        notes: string[];
+    };
+}
+export interface AwsServicePlan {
+    name: string;
+    role: "web" | "scheduler" | "public-probe" | "reporter" | "migration";
+    desiredCount: number;
+    taskRole: string;
+    executionRole: string;
+    logGroup: string;
+    healthCommand?: string;
+    environment: Record<string, string>;
+    secrets: Record<string, string>;
+}
+export interface Spark01CloudConfigOptions {
+    apiUrl?: string;
+    workspaceId?: string;
+    probeId?: string;
+    probePrivateKeyFile?: string;
+    machineId?: string;
+    logLevel?: string;
+}
+export interface Spark01CloudConfig {
+    kind: "open-uptime.spark01-cloud-config";
+    version: 1;
+    generatedAt: string;
+    status: "blocked";
+    canStart: false;
+    machineId: string;
+    mode: "private-probe";
+    env: Record<string, string>;
+    files: Array<{
+        path: string;
+        mode: string;
+        purpose: string;
+    }>;
+    commands: string[];
+    blockers: string[];
+    safety: {
+        privateKeyInline: false;
+        tokenInline: false;
+        notes: string[];
+    };
+}
+export declare function buildAwsDeploymentPlan(options?: AwsDeploymentPlanOptions): AwsDeploymentPlan;
+export declare function buildSpark01CloudConfig(options?: Spark01CloudConfigOptions): Spark01CloudConfig;
+export declare function renderSpark01Env(config: Spark01CloudConfig): string;
+//# sourceMappingURL=cloud-plan.d.ts.map

package/dist/cloud-plan.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cloud-plan.d.ts","sourceRoot":"","sources":["../src/cloud-plan.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,wBAAwB;IACvC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,iCAAiC,CAAC;IACxC,OAAO,EAAE,CAAC,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,SAAS,CAAC;IAClB,QAAQ,EAAE,KAAK,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,QAAQ,CAAC;IACf,SAAS,EAAE;QACT,aAAa,EAAE,MAAM,CAAC;QACtB,UAAU,EAAE,MAAM,CAAC;QACnB,QAAQ,EAAE,cAAc,EAAE,CAAC;QAC3B,KAAK,EAAE,MAAM,CAAC;QACd,aAAa,EAAE,MAAM,CAAC;QACtB,cAAc,EAAE,MAAM,CAAC;QACvB,YAAY,EAAE,MAAM,CAAC;QACrB,YAAY,EAAE,MAAM,EAAE,CAAC;QACvB,cAAc,EAAE,MAAM,EAAE,CAAC;QACzB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAChC,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,MAAM,EAAE,MAAM,EAAE,CAAC;KAClB,CAAC;IACF,KAAK,EAAE;QACL,UAAU,EAAE,MAAM,CAAC;QACnB,GAAG,EAAE,MAAM,CAAC;QACZ,YAAY,EAAE,MAAM,CAAC;QACrB,YAAY,EAAE,MAAM,EAAE,CAAC;KACxB,CAAC;IACF,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,QAAQ,EAAE,MAAM,EAAE,CAAC;QACnB,OAAO,EAAE,MAAM,EAAE,CAAC;KACnB,CAAC;IACF,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,MAAM,EAAE;QACN,eAAe,EAAE,KAAK,CAAC;QACvB,gBAAgB,EAAE,KAAK,CAAC;QACxB,wBAAwB,EAAE,KAAK,CAAC;QAChC,KAAK,EAAE,MAAM,EAAE,CAAC;KACjB,CAAC;CACH;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,KAAK,GAAG,WAAW,GAAG,cAAc,GAAG,UAAU,GAAG,WAAW,CAAC;IACtE,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACjC;AAED,MAAM,WAAW,yBAAyB;IACxC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,kCAAkC,CAAC;IACzC,OAAO,EAAE,CAAC,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,SAAS,CAAC;IAClB,QAAQ,EAAE,KAAK,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,eAAe,CAAC;IACtB,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5B,KAAK,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC9D,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,MAAM,EAAE;QACN,gBAAgB,EAAE,KAAK,CAAC;QACxB,WAAW,EAAE,KAAK,CAAC;QACnB,KAAK,EAAE,MAAM,EAAE,CAAC;KACjB,CAAC;CACH;AAWD,wBAAgB,sBAAsB,CAAC,OAAO,GAAE,wBAA6B,GAAG,iBAAiB,CA4JhG;AAED,wBAAgB,uBAAuB,CAAC,OAAO,GAAE,yBAA8B,GAAG,kBAAkB,CA2DnG;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,kBAAkB,GAAG,MAAM,CASnE"}

package/dist/cloud-plan.js

@@ -0,0 +1,267 @@
+// @bun
+// src/cloud-plan.ts
+var DEFAULT_ACCOUNT = "hasna-xyz-infra";
+var DEFAULT_REGION = "us-east-1";
+var DEFAULT_STAGE = "prod";
+var DEFAULT_PREFIX = "open-uptime";
+var DEFAULT_HOSTNAME = "uptime.hasna.xyz";
+var DEFAULT_WORKSPACE_ID = "wks_2tyysw05cwap";
+var DEFAULT_VPC_ID = "vpc-04c7f7abc1d3c3f56";
+var DEFAULT_RDS = "hasna-xyz-infra-apps-prod-postgres";
+function buildAwsDeploymentPlan(options = {}) {
+  const region = clean(options.region, DEFAULT_REGION);
+  const stage = clean(options.stage, DEFAULT_STAGE);
+  const prefix = clean(options.servicePrefix, DEFAULT_PREFIX);
+  const accountName = clean(options.accountName, DEFAULT_ACCOUNT);
+  const hostname = clean(options.hostname, DEFAULT_HOSTNAME);
+  const workspaceId = clean(options.workspaceId, DEFAULT_WORKSPACE_ID);
+  const ecrRepository = clean(options.ecrRepository, `hasna/opensource/${prefix}`);
+  const image = clean(options.image, `<account-id>.dkr.ecr.${region}.amazonaws.com/${ecrRepository}:<git-sha>`);
+  const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
+  const cluster = `${prefix}-${stage}`;
+  const secrets = {
+    database: clean(options.databaseSecretName, `hasna/xyz/opensource/uptime/${stage}/rds`),
+    appEnv: clean(options.appEnvSecretName, `hasna/xyz/opensource/uptime/${stage}/app/env`),
+    hostedToken: clean(options.hostedTokenSecretName, `hasna/xyz/opensource/uptime/${stage}/hosted-token`),
+    publicProbe: clean(options.publicProbeSecretName, `hasna/xyz/opensource/uptime/${stage}/probe/public`),
+    privateProbe: clean(options.privateProbeSecretName, `hasna/xyz/opensource/uptime/${stage}/probe/private`),
+    reporting: clean(options.reportingSecretName, `hasna/xyz/opensource/uptime/${stage}/reporting`)
+  };
+  const services = [
+    servicePlan(prefix, stage, "web", 2, image, workspaceId, secrets, {
+      HASNA_UPTIME_MODE: "hosted",
+      HASNA_UPTIME_WORKSPACE_ID: workspaceId,
+      HASNA_UPTIME_HOSTNAME: hostname
+    }),
+    servicePlan(prefix, stage, "scheduler", 1, image, workspaceId, secrets, {
+      HASNA_UPTIME_MODE: "hosted",
+      HASNA_UPTIME_WORKSPACE_ID: workspaceId,
+      HASNA_UPTIME_COMPONENT: "scheduler"
+    }),
+    servicePlan(prefix, stage, "public-probe", 1, image, workspaceId, secrets, {
+      HASNA_UPTIME_MODE: "hosted",
+      HASNA_UPTIME_WORKSPACE_ID: workspaceId,
+      HASNA_UPTIME_COMPONENT: "public-probe",
+      HASNA_UPTIME_PROBE_LOCATION: region
+    }),
+    servicePlan(prefix, stage, "reporter", 1, image, workspaceId, secrets, {
+      HASNA_UPTIME_MODE: "hosted",
+      HASNA_UPTIME_WORKSPACE_ID: workspaceId,
+      HASNA_UPTIME_COMPONENT: "reporter"
+    }),
+    servicePlan(prefix, stage, "migration", 0, image, workspaceId, secrets, {
+      HASNA_UPTIME_MODE: "hosted",
+      HASNA_UPTIME_WORKSPACE_ID: workspaceId,
+      HASNA_UPTIME_COMPONENT: "migration"
+    })
+  ];
+  return {
+    kind: "open-uptime.aws-deployment-plan",
+    version: 1,
+    generatedAt: new Date().toISOString(),
+    status: "blocked",
+    canApply: false,
+    accountName,
+    region,
+    stage,
+    servicePrefix: prefix,
+    hostname,
+    workspaceId,
+    mode: "hosted",
+    resources: {
+      ecrRepository,
+      ecsCluster: cluster,
+      services,
+      vpcId: clean(options.vpcId, DEFAULT_VPC_ID),
+      rdsInstanceId: clean(options.rdsInstanceId, DEFAULT_RDS),
+      evidenceBucket,
+      loadBalancer: `${prefix}-${stage}-alb`,
+      targetGroups: [`${prefix}-${stage}-web-tg`],
+      securityGroups: [
+        `${prefix}-${stage}-alb-sg`,
+        `${prefix}-${stage}-web-sg`,
+        `${prefix}-${stage}-scheduler-sg`,
+        `${prefix}-${stage}-public-probe-sg`,
+        `${prefix}-${stage}-rds-client-sg`
+      ],
+      secrets,
+      logGroups: services.map((service) => service.logGroup),
+      alarms: [
+        `${prefix}-${stage}-web-5xx`,
+        `${prefix}-${stage}-scheduler-stalled`,
+        `${prefix}-${stage}-probe-stale`,
+        `${prefix}-${stage}-report-delivery-failures`
+      ]
+    },
+    image: {
+      repository: ecrRepository,
+      uri: image,
+      buildCommand: "BLOCKED: add a reviewed Dockerfile/container build target before running docker build",
+      pushCommands: [
+        "BLOCKED: push only from approved CI/CD after the ECR repository and image digest policy exist",
+        "BLOCKED: deploy services by immutable image digest, not by mutable tags"
+      ]
+    },
+    runbook: {
+      preflight: [
+        `aws sts get-caller-identity --profile ${accountName}`,
+        `aws rds describe-db-instances --db-instance-identifier ${clean(options.rdsInstanceId, DEFAULT_RDS)} --region ${region}`,
+        `aws ec2 describe-vpcs --vpc-ids ${clean(options.vpcId, DEFAULT_VPC_ID)} --region ${region}`,
+        "Confirm the infra repository and Terraform/CloudFormation owner before live mutation."
+      ],
+      provision: [
+        `Infra PR must declare or update ECR repository ${ecrRepository}.`,
+        `Infra PR must declare hardened S3 evidence bucket ${evidenceBucket} with KMS, versioning, lifecycle, and public access block.`,
+        `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
+        "Only apply the infra plan from the approved infrastructure repository after review evidence is attached."
+      ],
+      deploy: [
+        "Build and publish the image only after the Dockerfile/container target is reviewed.",
+        "Run the migration task with the migrator role before web/scheduler/probe services.",
+        `Register task definitions for ${services.map((service) => service.name).join(", ")} using valueFrom secrets.`,
+        `Update ECS services in cluster ${cluster} one component at a time through the approved deploy pipeline.`,
+        `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
+      ],
+      rollback: [
+        "Keep previous task definition ARNs before each service update.",
+        "Rollback through the approved deploy pipeline to the previously recorded task definition ARNs.",
+        "Disable scheduler/reporter services before data rollback.",
+        "Restore RDS snapshot only after explicit operator approval and audit record."
+      ],
+      spark01: [
+        "Create a private probe identity with a caller-managed public key.",
+        "Install @hasna/uptime on Spark01 and write the generated env file with mode 0600.",
+        "Run the private probe against the hosted /api/v1 probe endpoint once it exists."
+      ]
+    },
+    blockers: [
+      "The hasna-xyz-infra infrastructure owner repository was not found in this workspace.",
+      "The repo has no reviewed Dockerfile/container build target for image build and publish automation.",
+      "Hosted Postgres storage adapter and migrations are not implemented.",
+      "Hosted production auth/RBAC must replace broad static hosted-token operation before exposure.",
+      "Public probe execution still needs DNS, redirect, and rebinding SSRF enforcement plus cloud check-job leases.",
+      "Spark01 hosted probe enrollment, claim, submit, heartbeat, revocation, and rotation are not cloud-backed yet."
+    ],
+    requiredEvidence: [
+      "Infrastructure PR/synth/plan from the approved infra repository.",
+      "Container build smoke and immutable image digest.",
+      "ECS task definitions using secrets.valueFrom only.",
+      "ALB/TLS/DNS/auth denial smokes.",
+      "RDS TLS, backups/PITR, scoped roles, and migration dry-run evidence.",
+      "S3 bucket KMS, versioning, lifecycle, and public-access-block evidence.",
+      "Spark01 private-probe registration, key-file mode, heartbeat, and revocation evidence."
+    ],
+    safety: {
+      liveAwsMutation: false,
+      plaintextSecrets: false,
+      hostedLocalSqliteAllowed: false,
+      notes: [
+        "This plan generator does not call AWS.",
+        "Hosted runtime must use Postgres; SQLite remains local/dev fallback only.",
+        "Secrets are represented as secret names/refs and must be injected with valueFrom.",
+        "Actual deploy belongs in the deploy_release_operate_final goal node after infra review."
+      ]
+    }
+  };
+}
+function buildSpark01CloudConfig(options = {}) {
+  const apiUrl = clean(options.apiUrl, `https://${DEFAULT_HOSTNAME}/api/v1`);
+  const workspaceId = clean(options.workspaceId, DEFAULT_WORKSPACE_ID);
+  const machineId = clean(options.machineId, "spark01");
+  const privateKeyFile = clean(options.probePrivateKeyFile, "~/.hasna/uptime/probes/spark01.key.pem");
+  const probeId = options.probeId?.trim();
+  const blockers = [
+    ...probeId ? [] : ["Cloud-registered private probe id is required before writing a sourceable env file."],
+    "Hosted probe claim and submit routes still fail closed until cloud check_jobs and workspace stores are implemented.",
+    "Spark01 enrollment, heartbeat, revocation, rotation, and bounded offline lease handling are not implemented yet."
+  ];
+  const env = {
+    HASNA_UPTIME_MODE: "hosted",
+    HASNA_UPTIME_API_URL: apiUrl,
+    HASNA_UPTIME_WORKSPACE_ID: workspaceId,
+    HASNA_UPTIME_MACHINE_ID: machineId,
+    HASNA_UPTIME_PRIVATE_PROBE_KEY_FILE: privateKeyFile,
+    HASNA_UPTIME_PROBE_CLASS: "private",
+    HASNA_UPTIME_LOG_LEVEL: clean(options.logLevel, "info")
+  };
+  if (probeId)
+    env.HASNA_UPTIME_PRIVATE_PROBE_ID = probeId;
+  return {
+    kind: "open-uptime.spark01-cloud-config",
+    version: 1,
+    generatedAt: new Date().toISOString(),
+    status: "blocked",
+    canStart: false,
+    machineId,
+    mode: "private-probe",
+    env,
+    files: [
+      {
+        path: privateKeyFile,
+        mode: "0600",
+        purpose: "Ed25519 private key generated on Spark01; never paste into cloud config."
+      },
+      {
+        path: "~/.hasna/uptime/cloud.env",
+        mode: "0600",
+        purpose: "Non-secret cloud/probe runtime environment; token values stay in the machine secret store."
+      }
+    ],
+    commands: [
+      "bun install -g @hasna/uptime@latest",
+      "Generate the Spark01 private key locally and register only its public key with the hosted control plane once registration exists.",
+      "Write ~/.hasna/uptime/cloud.env from this plan, then source it for the private probe service.",
+      "Start the private probe worker only after hosted /api/v1 probe claim/submit routes are backed by cloud jobs."
+    ],
+    blockers,
+    safety: {
+      privateKeyInline: false,
+      tokenInline: false,
+      notes: [
+        "This config is cloud-primary: Spark01 submits to hosted API state instead of local SQLite.",
+        "The private key file path is referenced, not embedded.",
+        "Hosted token or probe auth material must come from the machine secret store, not this generated config."
+      ]
+    }
+  };
+}
+function renderSpark01Env(config) {
+  const required = ["HASNA_UPTIME_PRIVATE_PROBE_ID"];
+  const missing = required.filter((key) => !config.env[key]);
+  if (missing.length > 0) {
+    throw new Error(`Spark01 env output requires ${missing.join(", ")}`);
+  }
+  return Object.entries(config.env).map(([key, value]) => `${key}=${shellEscape(value)}`).join(`
+`);
+}
+function servicePlan(prefix, stage, role, desiredCount, image, workspaceId, secrets, environment) {
+  const name = `${prefix}-${stage}-${role}`;
+  return {
+    name,
+    role,
+    desiredCount,
+    taskRole: `${name}-task-role`,
+    executionRole: `${prefix}-${stage}-execution-role`,
+    logGroup: `/ecs/${name}`,
+    healthCommand: role === "web" ? "GET /health" : undefined,
+    environment: {
+      HASNA_UPTIME_IMAGE: image,
+      ...environment
+    },
+    secrets: role === "public-probe" ? { DATABASE_URL: secrets.database, PROBE_CONFIG: secrets.publicProbe } : role === "reporter" ? { DATABASE_URL: secrets.database, REPORTING_CONFIG: secrets.reporting } : { DATABASE_URL: secrets.database, APP_ENV: secrets.appEnv }
+  };
+}
+function clean(value, fallback) {
+  const normalized = value?.trim();
+  return normalized || fallback;
+}
+function shellEscape(value) {
+  if (/^[A-Za-z0-9_./:@~-]+$/.test(value))
+    return value;
+  return `'${value.replace(/'/g, "'\\''")}'`;
+}
+export {
+  renderSpark01Env,
+  buildSpark01CloudConfig,
+  buildAwsDeploymentPlan
+};

package/dist/index.d.ts

@@ -5,11 +5,13 @@ export { createApiHandler, serveUptime } from "./api.js";
 export { applyImport, previewImport, rollbackImport } from "./imports.js";
 export { buildUptimeReport, sendUptimeReport } from "./report.js";
 export { generateProbeKeyPair, probePublicKeyFingerprint, probeResultSigningPayload, signProbeResult, verifyProbeResultSignature } from "./probes.js";
+export { buildAwsDeploymentPlan, buildSpark01CloudConfig, renderSpark01Env } from "./cloud-plan.js";
 export { uptimeHome, uptimeDbPath, uptimeHostedFallbackDbPath, ensureUptimeHome } from "./paths.js";
 export type { UptimeBackup, UptimeBackupCheck, UptimeRuntimeMode, UptimeStoreOptions, MonitorProvenance, SaveImportBatchInput, StoredImportBatch, UpsertMonitorProvenanceInput, } from "./store.js";
 export type { BrowserPageRunner, BrowserPageRunnerResult, FetchLike, } from "./checks.js";
 export type { ImportAction, ImportApplyItem, ImportApplyResult, ImportCandidate, ImportPreview, ImportPreviewItem, ImportRequest, ImportRollbackItem, ImportRollbackResult, ImportSource, } from "./imports.js";
 export type { BrowserFailedRequest, BrowserPageEvidence, AuditEvent, CheckAttemptResult, CheckEvidence, CheckResult, CheckStatus, CreateMonitorKind, CreateMonitorInput, CreateReportScheduleInput, ImportedMonitorInput, ImportedUpdateMonitorInput, EvidenceArtifact, Incident, IncidentStatus, ListAuditEventsOptions, ListReportRunsOptions, ListResultsOptions, Monitor, MonitorKind, MonitorStatus, MonitorSummary, ProbeCheckJob, ProbeCheckJobStatus, ProbeIdentity, ProbeResultSubmission, ProbeSubmissionReceipt, RecordAuditEventInput, ReportDeliveryChannel, ReportDeliveryRecord, ReportEmailChannelConfig, ReportLogsChannelConfig, ReportRun, ReportRunStatus, ReportSchedule, ReportScheduleChannels, ReportScheduleStatus, ReportSmsChannelConfig, SchedulerHandle, UpdateMonitorInput, UpdateReportScheduleInput, UptimeSummary, } from "./types.js";
 export type { ProbeKeyPair, ProbeSigningInput } from "./probes.js";
+export type { AwsDeploymentPlan, AwsDeploymentPlanOptions, AwsServicePlan, Spark01CloudConfig, Spark01CloudConfigOptions, } from "./cloud-plan.js";
 export type { BuildUptimeReportOptions, SendUptimeReportOptions, UptimeEmailReportTarget, UptimeLogsReportTarget, UptimeReport, UptimeReportDelivery, UptimeSmsReportTarget, } from "./report.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AACjE,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC9F,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC1E,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,oBAAoB,EAAE,yBAAyB,EAAE,yBAAyB,EAAE,eAAe,EAAE,0BAA0B,EAAE,MAAM,aAAa,CAAC;AACtJ,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,0BAA0B,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AACpG,YAAY,EACV,YAAY,EACZ,iBAAiB,EACjB,iBAAiB,EACjB,kBAAkB,EAClB,iBAAiB,EACjB,oBAAoB,EACpB,iBAAiB,EACjB,4BAA4B,GAC7B,MAAM,YAAY,CAAC;AACpB,YAAY,EACV,iBAAiB,EACjB,uBAAuB,EACvB,SAAS,GACV,MAAM,aAAa,CAAC;AACrB,YAAY,EACV,YAAY,EACZ,eAAe,EACf,iBAAiB,EACjB,eAAe,EACf,aAAa,EACb,iBAAiB,EACjB,aAAa,EACb,kBAAkB,EAClB,oBAAoB,EACpB,YAAY,GACb,MAAM,cAAc,CAAC;AACtB,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,UAAU,EACV,kBAAkB,EAClB,aAAa,EACb,WAAW,EACX,WAAW,EACX,iBAAiB,EACjB,kBAAkB,EAClB,yBAAyB,EACzB,oBAAoB,EACpB,0BAA0B,EAC1B,gBAAgB,EAChB,QAAQ,EACR,cAAc,EACd,sBAAsB,EACtB,qBAAqB,EACrB,kBAAkB,EAClB,OAAO,EACP,WAAW,EACX,aAAa,EACb,cAAc,EACd,aAAa,EACb,mBAAmB,EACnB,aAAa,EACb,qBAAqB,EACrB,sBAAsB,EACtB,qBAAqB,EACrB,qBAAqB,EACrB,oBAAoB,EACpB,wBAAwB,EACxB,uBAAuB,EACvB,SAAS,EACT,eAAe,EACf,cAAc,EACd,sBAAsB,EACtB,oBAAoB,EACpB,sBAAsB,EACtB,eAAe,EACf,kBAAkB,EAClB,yBAAyB,EACzB,aAAa,GACd,MAAM,YAAY,CAAC;AACpB,YAAY,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AACnE,YAAY,EACV,wBAAwB,EACxB,uBAAuB,EACvB,uBAAuB,EACvB,sBAAsB,EACtB,YAAY,EACZ,oBAAoB,EACpB,qBAAqB,GACtB,MAAM,aAAa,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AACjE,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC9F,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC1E,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,oBAAoB,EAAE,yBAAyB,EAAE,yBAAyB,EAAE,eAAe,EAAE,0BAA0B,EAAE,MAAM,aAAa,CAAC;AACtJ,OAAO,EAAE,sBAAsB,EAAE,uBAAuB,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACpG,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,0BAA0B,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AACpG,YAAY,EACV,YAAY,EACZ,iBAAiB,EACjB,iBAAiB,EACjB,kBAAkB,EAClB,iBAAiB,EACjB,oBAAoB,EACpB,iBAAiB,EACjB,4BAA4B,GAC7B,MAAM,YAAY,CAAC;AACpB,YAAY,EACV,iBAAiB,EACjB,uBAAuB,EACvB,SAAS,GACV,MAAM,aAAa,CAAC;AACrB,YAAY,EACV,YAAY,EACZ,eAAe,EACf,iBAAiB,EACjB,eAAe,EACf,aAAa,EACb,iBAAiB,EACjB,aAAa,EACb,kBAAkB,EAClB,oBAAoB,EACpB,YAAY,GACb,MAAM,cAAc,CAAC;AACtB,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,UAAU,EACV,kBAAkB,EAClB,aAAa,EACb,WAAW,EACX,WAAW,EACX,iBAAiB,EACjB,kBAAkB,EAClB,yBAAyB,EACzB,oBAAoB,EACpB,0BAA0B,EAC1B,gBAAgB,EAChB,QAAQ,EACR,cAAc,EACd,sBAAsB,EACtB,qBAAqB,EACrB,kBAAkB,EAClB,OAAO,EACP,WAAW,EACX,aAAa,EACb,cAAc,EACd,aAAa,EACb,mBAAmB,EACnB,aAAa,EACb,qBAAqB,EACrB,sBAAsB,EACtB,qBAAqB,EACrB,qBAAqB,EACrB,oBAAoB,EACpB,wBAAwB,EACxB,uBAAuB,EACvB,SAAS,EACT,eAAe,EACf,cAAc,EACd,sBAAsB,EACtB,oBAAoB,EACpB,sBAAsB,EACtB,eAAe,EACf,kBAAkB,EAClB,yBAAyB,EACzB,aAAa,GACd,MAAM,YAAY,CAAC;AACpB,YAAY,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AACnE,YAAY,EACV,iBAAiB,EACjB,wBAAwB,EACxB,cAAc,EACd,kBAAkB,EAClB,yBAAyB,GAC1B,MAAM,iBAAiB,CAAC;AACzB,YAAY,EACV,wBAAwB,EACxB,uBAAuB,EACvB,uBAAuB,EACvB,sBAAsB,EACtB,YAAY,EACZ,oBAAoB,EACpB,qBAAqB,GACtB,MAAM,aAAa,CAAC"}

package/dist/index.js

@@ -3789,6 +3789,268 @@ class ApiError extends Error {
     this.status = status;
   }
 }
+
+// src/cloud-plan.ts
+var DEFAULT_ACCOUNT = "hasna-xyz-infra";
+var DEFAULT_REGION = "us-east-1";
+var DEFAULT_STAGE = "prod";
+var DEFAULT_PREFIX = "open-uptime";
+var DEFAULT_HOSTNAME = "uptime.hasna.xyz";
+var DEFAULT_WORKSPACE_ID = "wks_2tyysw05cwap";
+var DEFAULT_VPC_ID = "vpc-04c7f7abc1d3c3f56";
+var DEFAULT_RDS = "hasna-xyz-infra-apps-prod-postgres";
+function buildAwsDeploymentPlan(options = {}) {
+  const region = clean(options.region, DEFAULT_REGION);
+  const stage = clean(options.stage, DEFAULT_STAGE);
+  const prefix = clean(options.servicePrefix, DEFAULT_PREFIX);
+  const accountName = clean(options.accountName, DEFAULT_ACCOUNT);
+  const hostname = clean(options.hostname, DEFAULT_HOSTNAME);
+  const workspaceId = clean(options.workspaceId, DEFAULT_WORKSPACE_ID);
+  const ecrRepository = clean(options.ecrRepository, `hasna/opensource/${prefix}`);
+  const image = clean(options.image, `<account-id>.dkr.ecr.${region}.amazonaws.com/${ecrRepository}:<git-sha>`);
+  const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
+  const cluster = `${prefix}-${stage}`;
+  const secrets = {
+    database: clean(options.databaseSecretName, `hasna/xyz/opensource/uptime/${stage}/rds`),
+    appEnv: clean(options.appEnvSecretName, `hasna/xyz/opensource/uptime/${stage}/app/env`),
+    hostedToken: clean(options.hostedTokenSecretName, `hasna/xyz/opensource/uptime/${stage}/hosted-token`),
+    publicProbe: clean(options.publicProbeSecretName, `hasna/xyz/opensource/uptime/${stage}/probe/public`),
+    privateProbe: clean(options.privateProbeSecretName, `hasna/xyz/opensource/uptime/${stage}/probe/private`),
+    reporting: clean(options.reportingSecretName, `hasna/xyz/opensource/uptime/${stage}/reporting`)
+  };
+  const services = [
+    servicePlan(prefix, stage, "web", 2, image, workspaceId, secrets, {
+      HASNA_UPTIME_MODE: "hosted",
+      HASNA_UPTIME_WORKSPACE_ID: workspaceId,
+      HASNA_UPTIME_HOSTNAME: hostname
+    }),
+    servicePlan(prefix, stage, "scheduler", 1, image, workspaceId, secrets, {
+      HASNA_UPTIME_MODE: "hosted",
+      HASNA_UPTIME_WORKSPACE_ID: workspaceId,
+      HASNA_UPTIME_COMPONENT: "scheduler"
+    }),
+    servicePlan(prefix, stage, "public-probe", 1, image, workspaceId, secrets, {
+      HASNA_UPTIME_MODE: "hosted",
+      HASNA_UPTIME_WORKSPACE_ID: workspaceId,
+      HASNA_UPTIME_COMPONENT: "public-probe",
+      HASNA_UPTIME_PROBE_LOCATION: region
+    }),
+    servicePlan(prefix, stage, "reporter", 1, image, workspaceId, secrets, {
+      HASNA_UPTIME_MODE: "hosted",
+      HASNA_UPTIME_WORKSPACE_ID: workspaceId,
+      HASNA_UPTIME_COMPONENT: "reporter"
+    }),
+    servicePlan(prefix, stage, "migration", 0, image, workspaceId, secrets, {
+      HASNA_UPTIME_MODE: "hosted",
+      HASNA_UPTIME_WORKSPACE_ID: workspaceId,
+      HASNA_UPTIME_COMPONENT: "migration"
+    })
+  ];
+  return {
+    kind: "open-uptime.aws-deployment-plan",
+    version: 1,
+    generatedAt: new Date().toISOString(),
+    status: "blocked",
+    canApply: false,
+    accountName,
+    region,
+    stage,
+    servicePrefix: prefix,
+    hostname,
+    workspaceId,
+    mode: "hosted",
+    resources: {
+      ecrRepository,
+      ecsCluster: cluster,
+      services,
+      vpcId: clean(options.vpcId, DEFAULT_VPC_ID),
+      rdsInstanceId: clean(options.rdsInstanceId, DEFAULT_RDS),
+      evidenceBucket,
+      loadBalancer: `${prefix}-${stage}-alb`,
+      targetGroups: [`${prefix}-${stage}-web-tg`],
+      securityGroups: [
+        `${prefix}-${stage}-alb-sg`,
+        `${prefix}-${stage}-web-sg`,
+        `${prefix}-${stage}-scheduler-sg`,
+        `${prefix}-${stage}-public-probe-sg`,
+        `${prefix}-${stage}-rds-client-sg`
+      ],
+      secrets,
+      logGroups: services.map((service) => service.logGroup),
+      alarms: [
+        `${prefix}-${stage}-web-5xx`,
+        `${prefix}-${stage}-scheduler-stalled`,
+        `${prefix}-${stage}-probe-stale`,
+        `${prefix}-${stage}-report-delivery-failures`
+      ]
+    },
+    image: {
+      repository: ecrRepository,
+      uri: image,
+      buildCommand: "BLOCKED: add a reviewed Dockerfile/container build target before running docker build",
+      pushCommands: [
+        "BLOCKED: push only from approved CI/CD after the ECR repository and image digest policy exist",
+        "BLOCKED: deploy services by immutable image digest, not by mutable tags"
+      ]
+    },
+    runbook: {
+      preflight: [
+        `aws sts get-caller-identity --profile ${accountName}`,
+        `aws rds describe-db-instances --db-instance-identifier ${clean(options.rdsInstanceId, DEFAULT_RDS)} --region ${region}`,
+        `aws ec2 describe-vpcs --vpc-ids ${clean(options.vpcId, DEFAULT_VPC_ID)} --region ${region}`,
+        "Confirm the infra repository and Terraform/CloudFormation owner before live mutation."
+      ],
+      provision: [
+        `Infra PR must declare or update ECR repository ${ecrRepository}.`,
+        `Infra PR must declare hardened S3 evidence bucket ${evidenceBucket} with KMS, versioning, lifecycle, and public access block.`,
+        `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
+        "Only apply the infra plan from the approved infrastructure repository after review evidence is attached."
+      ],
+      deploy: [
+        "Build and publish the image only after the Dockerfile/container target is reviewed.",
+        "Run the migration task with the migrator role before web/scheduler/probe services.",
+        `Register task definitions for ${services.map((service) => service.name).join(", ")} using valueFrom secrets.`,
+        `Update ECS services in cluster ${cluster} one component at a time through the approved deploy pipeline.`,
+        `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
+      ],
+      rollback: [
+        "Keep previous task definition ARNs before each service update.",
+        "Rollback through the approved deploy pipeline to the previously recorded task definition ARNs.",
+        "Disable scheduler/reporter services before data rollback.",
+        "Restore RDS snapshot only after explicit operator approval and audit record."
+      ],
+      spark01: [
+        "Create a private probe identity with a caller-managed public key.",
+        "Install @hasna/uptime on Spark01 and write the generated env file with mode 0600.",
+        "Run the private probe against the hosted /api/v1 probe endpoint once it exists."
+      ]
+    },
+    blockers: [
+      "The hasna-xyz-infra infrastructure owner repository was not found in this workspace.",
+      "The repo has no reviewed Dockerfile/container build target for image build and publish automation.",
+      "Hosted Postgres storage adapter and migrations are not implemented.",
+      "Hosted production auth/RBAC must replace broad static hosted-token operation before exposure.",
+      "Public probe execution still needs DNS, redirect, and rebinding SSRF enforcement plus cloud check-job leases.",
+      "Spark01 hosted probe enrollment, claim, submit, heartbeat, revocation, and rotation are not cloud-backed yet."
+    ],
+    requiredEvidence: [
+      "Infrastructure PR/synth/plan from the approved infra repository.",
+      "Container build smoke and immutable image digest.",
+      "ECS task definitions using secrets.valueFrom only.",
+      "ALB/TLS/DNS/auth denial smokes.",
+      "RDS TLS, backups/PITR, scoped roles, and migration dry-run evidence.",
+      "S3 bucket KMS, versioning, lifecycle, and public-access-block evidence.",
+      "Spark01 private-probe registration, key-file mode, heartbeat, and revocation evidence."
+    ],
+    safety: {
+      liveAwsMutation: false,
+      plaintextSecrets: false,
+      hostedLocalSqliteAllowed: false,
+      notes: [
+        "This plan generator does not call AWS.",
+        "Hosted runtime must use Postgres; SQLite remains local/dev fallback only.",
+        "Secrets are represented as secret names/refs and must be injected with valueFrom.",
+        "Actual deploy belongs in the deploy_release_operate_final goal node after infra review."
+      ]
+    }
+  };
+}
+function buildSpark01CloudConfig(options = {}) {
+  const apiUrl = clean(options.apiUrl, `https://${DEFAULT_HOSTNAME}/api/v1`);
+  const workspaceId = clean(options.workspaceId, DEFAULT_WORKSPACE_ID);
+  const machineId = clean(options.machineId, "spark01");
+  const privateKeyFile = clean(options.probePrivateKeyFile, "~/.hasna/uptime/probes/spark01.key.pem");
+  const probeId = options.probeId?.trim();
+  const blockers = [
+    ...probeId ? [] : ["Cloud-registered private probe id is required before writing a sourceable env file."],
+    "Hosted probe claim and submit routes still fail closed until cloud check_jobs and workspace stores are implemented.",
+    "Spark01 enrollment, heartbeat, revocation, rotation, and bounded offline lease handling are not implemented yet."
+  ];
+  const env2 = {
+    HASNA_UPTIME_MODE: "hosted",
+    HASNA_UPTIME_API_URL: apiUrl,
+    HASNA_UPTIME_WORKSPACE_ID: workspaceId,
+    HASNA_UPTIME_MACHINE_ID: machineId,
+    HASNA_UPTIME_PRIVATE_PROBE_KEY_FILE: privateKeyFile,
+    HASNA_UPTIME_PROBE_CLASS: "private",
+    HASNA_UPTIME_LOG_LEVEL: clean(options.logLevel, "info")
+  };
+  if (probeId)
+    env2.HASNA_UPTIME_PRIVATE_PROBE_ID = probeId;
+  return {
+    kind: "open-uptime.spark01-cloud-config",
+    version: 1,
+    generatedAt: new Date().toISOString(),
+    status: "blocked",
+    canStart: false,
+    machineId,
+    mode: "private-probe",
+    env: env2,
+    files: [
+      {
+        path: privateKeyFile,
+        mode: "0600",
+        purpose: "Ed25519 private key generated on Spark01; never paste into cloud config."
+      },
+      {
+        path: "~/.hasna/uptime/cloud.env",
+        mode: "0600",
+        purpose: "Non-secret cloud/probe runtime environment; token values stay in the machine secret store."
+      }
+    ],
+    commands: [
+      "bun install -g @hasna/uptime@latest",
+      "Generate the Spark01 private key locally and register only its public key with the hosted control plane once registration exists.",
+      "Write ~/.hasna/uptime/cloud.env from this plan, then source it for the private probe service.",
+      "Start the private probe worker only after hosted /api/v1 probe claim/submit routes are backed by cloud jobs."
+    ],
+    blockers,
+    safety: {
+      privateKeyInline: false,
+      tokenInline: false,
+      notes: [
+        "This config is cloud-primary: Spark01 submits to hosted API state instead of local SQLite.",
+        "The private key file path is referenced, not embedded.",
+        "Hosted token or probe auth material must come from the machine secret store, not this generated config."
+      ]
+    }
+  };
+}
+function renderSpark01Env(config) {
+  const required = ["HASNA_UPTIME_PRIVATE_PROBE_ID"];
+  const missing = required.filter((key) => !config.env[key]);
+  if (missing.length > 0) {
+    throw new Error(`Spark01 env output requires ${missing.join(", ")}`);
+  }
+  return Object.entries(config.env).map(([key, value]) => `${key}=${shellEscape(value)}`).join(`
+`);
+}
+function servicePlan(prefix, stage, role, desiredCount, image, workspaceId, secrets, environment) {
+  const name = `${prefix}-${stage}-${role}`;
+  return {
+    name,
+    role,
+    desiredCount,
+    taskRole: `${name}-task-role`,
+    executionRole: `${prefix}-${stage}-execution-role`,
+    logGroup: `/ecs/${name}`,
+    healthCommand: role === "web" ? "GET /health" : undefined,
+    environment: {
+      HASNA_UPTIME_IMAGE: image,
+      ...environment
+    },
+    secrets: role === "public-probe" ? { DATABASE_URL: secrets.database, PROBE_CONFIG: secrets.publicProbe } : role === "reporter" ? { DATABASE_URL: secrets.database, REPORTING_CONFIG: secrets.reporting } : { DATABASE_URL: secrets.database, APP_ENV: secrets.appEnv }
+  };
+}
+function clean(value, fallback) {
+  const normalized = value?.trim();
+  return normalized || fallback;
+}
+function shellEscape(value) {
+  if (/^[A-Za-z0-9_./:@~-]+$/.test(value))
+    return value;
+  return `'${value.replace(/'/g, "'\\''")}'`;
+}
 export {
   verifyProbeResultSignature,
   uptimeHostedFallbackDbPath,
@@ -3802,6 +4064,7 @@ export {
   runHttpCheck,
   runBrowserPageCheck,
   rollbackImport,
+  renderSpark01Env,
   probeResultSigningPayload,
   probePublicKeyFingerprint,
   previewImport,
@@ -3810,6 +4073,8 @@ export {
   createUptimeClient,
   createApiHandler,
   buildUptimeReport,
+  buildSpark01CloudConfig,
+  buildAwsDeploymentPlan,
   applyImport,
   UptimeStore,
   UptimeService

package/docs/aws-deployment-runbook.md

@@ -0,0 +1,92 @@
+# AWS Deployment Runbook
+
+This runbook is for the `hasna-xyz-infra` AWS account target. It is intentionally
+dry-run first: the local generator produces a plan and command list, but it does
+not call AWS or mutate infrastructure.
+
+## Generate The Plan
+
+```bash
+uptime cloud plan --json > open-uptime-aws-plan.json
+uptime cloud spark01-config --probe-id prb_spark01 --env > spark01-uptime.env
+```
+
+Defaults come from the current design inventory:
+
+- account/profile label: `hasna-xyz-infra`
+- region: `us-east-1`
+- VPC: `vpc-04c7f7abc1d3c3f56`
+- RDS instance: `hasna-xyz-infra-apps-prod-postgres`
+- hostname: `uptime.hasna.xyz`
+- workspace id: `wks_2tyysw05cwap`
+
+Override these with CLI flags if the infra owner chooses a different value.
+
+The generated AWS plan currently returns `status: "blocked"` and
+`canApply: false`. The generated Spark01 config returns `status: "blocked"` and
+`canStart: false`. Treat both as review/preflight artifacts until the blockers
+and required evidence in the JSON output are resolved.
+
+`uptime cloud spark01-config --env` requires a real `--probe-id`; it will not
+write a sourceable env file with a placeholder probe identity.
+
+## Preflight
+
+1. Locate the real `hasna-xyz-infra` infrastructure repository or create the
+   change in the approved owner repository.
+2. Confirm the AWS caller identity:
+
+   ```bash
+   aws sts get-caller-identity --profile hasna-xyz-infra
+   ```
+
+3. Confirm the target VPC and RDS instance still match the plan.
+4. Confirm Route53/edge ownership for the chosen hostname.
+5. Confirm the deployment role uses short-lived credentials or OIDC, not copied
+   access keys.
+
+## Required Resources
+
+The plan expects:
+
+- ECR repository for the Open Uptime image.
+- ECS/Fargate cluster with separate services for web, scheduler, public probe,
+  reporter, and one-off migrations.
+- ALB, TLS certificate, target group, and security groups.
+- Existing private Postgres instance with dedicated Uptime roles or database.
+- S3 bucket for redacted browser evidence and generated report artifacts.
+- Secrets Manager or SSM refs for database, app env, probe config, and
+  reporting channel refs.
+- CloudWatch log groups and alarms for web 5xx, scheduler stalls, stale probes,
+  and report delivery failures.
+
+Provision these through the approved infrastructure repository and reviewed
+plan/apply flow. The local `uptime cloud plan` output intentionally avoids
+copy-pastable AWS mutation commands.
+
+## Spark01
+
+Spark01 should be a private probe/operator machine, not the hosted source of
+truth. The generated env file points Spark01 at hosted `/api/v1` state and
+references a local private-key file path. It does not include private key or
+token contents.
+
+The private probe service should not be enabled until hosted probe claim/submit
+routes are backed by cloud check jobs and cloud audit rows.
+
+## Safety Rules
+
+- Do not deploy hosted mode with `HASNA_UPTIME_ALLOW_HOSTED_LOCAL_STORE=1`.
+- Do not inline AWS keys, hosted tokens, Mailery keys, Open Logs tokens, or
+  probe private keys in task definitions.
+- Do not run public probe workers against private targets.
+- Do not expose dashboard/API routes without hosted auth and workspace checks.
+- Do not treat local SQLite, local project DBs, or Spark01 local state as cloud
+  authority after cutover.
+
+## Rollback
+
+Before each service update, record the previous task definition ARN. Roll back
+by disabling scheduler/reporter work first, then restoring the previous web or
+worker task definition. RDS snapshot restore requires separate operator approval
+and an audit event.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hasna/uptime",
-  "version": "0.1.4",
+  "version": "0.1.5",
   "description": "Local-first uptime and downtime monitoring service with CLI, MCP, SDK, SQLite persistence, and a dashboard.",
   "license": "Apache-2.0",
   "type": "module",
@@ -23,6 +23,7 @@
   "files": [
     "dist",
     "README.md",
+    "docs/aws-deployment-runbook.md",
     "CHANGELOG.md",
     "LICENSE",
     "NOTICE",
@@ -55,10 +56,14 @@
     "./probes": {
       "types": "./dist/probes.d.ts",
       "import": "./dist/probes.js"
+    },
+    "./cloud-plan": {
+      "types": "./dist/cloud-plan.d.ts",
+      "import": "./dist/cloud-plan.js"
     }
   },
   "scripts": {
-    "build": "rm -rf dist && bun build src/cli/index.ts --outdir dist/cli --target bun --external @modelcontextprotocol/sdk && bun build src/mcp/index.ts --outdir dist/mcp --target bun --external @modelcontextprotocol/sdk && bun build src/index.ts src/api.ts src/service.ts src/store.ts src/checks.ts src/imports.ts src/report.ts src/probes.ts src/types.ts src/paths.ts src/dashboard.ts src/version.ts --root src --outdir dist --target bun && tsc -p tsconfig.build.json --emitDeclarationOnly --outDir dist && chmod +x dist/cli/index.js dist/mcp/index.js",
+    "build": "rm -rf dist && bun build src/cli/index.ts --outdir dist/cli --target bun --external @modelcontextprotocol/sdk && bun build src/mcp/index.ts --outdir dist/mcp --target bun --external @modelcontextprotocol/sdk && bun build src/index.ts src/api.ts src/service.ts src/store.ts src/checks.ts src/imports.ts src/report.ts src/probes.ts src/cloud-plan.ts src/types.ts src/paths.ts src/dashboard.ts src/version.ts --root src --outdir dist --target bun && tsc -p tsconfig.build.json --emitDeclarationOnly --outDir dist && chmod +x dist/cli/index.js dist/mcp/index.js",
     "typecheck": "tsc --noEmit",
     "test": "bun test ./tests",
     "dev:cli": "bun run src/cli/index.ts",