@hasna/uptime 0.1.4 → 0.1.6

package/.dockerignore

@@ -0,0 +1,14 @@
+.git
+.gitignore
+.project.json
+node_modules
+dist
+coverage
+*.tgz
+*.log
+.env
+.env.*
+.hasna
+infra/**/.terraform
+infra/**/*.tfstate
+infra/**/*.tfstate.*

package/CHANGELOG.md

@@ -6,6 +6,46 @@ project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [0.1.6] - 2026-06-28
+
+### Added
+
+- Bun-based hosted runtime `Dockerfile` and `.dockerignore`.
+- Reviewable Terraform/OpenTofu AWS starter plan under `infra/aws` for ECR,
+  S3 evidence storage, ECS/Fargate services, ALB/TLS/DNS, task roles,
+  CloudWatch logs, security groups, and secret refs.
+- Cloud plan SDK/CLI fields that point to `Dockerfile` and `infra/aws` with
+  format/init/validate/plan commands while keeping apply disabled.
+
+### Security
+
+- AWS infra templates use secret ARNs/valueFrom references and example
+  placeholders only; no plaintext service tokens, database URLs, or private keys
+  are stored in the repo.
+- Terraform desired counts default to zero until hosted cloud-store/auth/probe
+  blockers are closed.
+
+## [0.1.5] - 2026-06-28
+
+### Added
+
+- Dry-run AWS deployment plan generator for the `hasna-xyz-infra` target,
+  covering ECS/Fargate services, ECR image commands, ALB/RDS/S3/Secrets/Logs
+  resources, rollback steps, and safety assertions.
+- Spark01 hosted-targeted private probe preflight config generator with JSON and
+  env-file rendering.
+- CLI commands `uptime cloud plan` and `uptime cloud spark01-config`.
+- SDK export `@hasna/uptime/cloud-plan`.
+- Machine-readable `blocked`/`canApply:false` and `blocked`/`canStart:false`
+  gates plus blocker/evidence lists for AWS and Spark01 planning artifacts.
+
+### Security
+
+- Cloud planning artifacts contain secret names/refs and file paths only; they
+  do not inline AWS credentials, hosted tokens, or private probe key material.
+- Cloud plan generation is dry-run only and does not call AWS.
+- Dry-run AWS output avoids copy-pastable live AWS mutation commands.
+
 ## [0.1.4] - 2026-06-28
 
 ### Added

package/Dockerfile

@@ -0,0 +1,30 @@
+# syntax=docker/dockerfile:1
+
+FROM oven/bun:1.3.13-slim AS build
+WORKDIR /app
+
+COPY package.json bun.lock tsconfig.json tsconfig.build.json ./
+COPY src ./src
+
+RUN bun install --frozen-lockfile
+RUN bun run build
+RUN bun install --production --frozen-lockfile
+
+FROM oven/bun:1.3.13-slim AS runtime
+ENV NODE_ENV=production \
+    HASNA_UPTIME_MODE=hosted
+WORKDIR /app
+
+RUN addgroup --system uptime && adduser --system --ingroup uptime uptime
+
+COPY --from=build /app/package.json ./package.json
+COPY --from=build /app/node_modules ./node_modules
+COPY --from=build /app/dist ./dist
+
+USER uptime
+EXPOSE 3899
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+  CMD bun -e "const r = await fetch('http://127.0.0.1:3899/health'); process.exit(r.ok ? 0 : 1)"
+
+CMD ["bun", "dist/cli/index.js", "serve", "--mode", "hosted", "--host", "0.0.0.0", "--port", "3899"]

package/README.md

@@ -31,6 +31,8 @@ uptime report-schedules create ops --interval 3600 --email ops@example.com --fro
 uptime report-schedules run-due
 uptime report-schedules runs
 uptime audit
+uptime cloud plan --json
+uptime cloud spark01-config --probe-id prb_spark01 --env
 uptime incidents
 uptime serve --port 3899 --check
 ```
@@ -39,6 +41,15 @@ Scheduled reports persist endpoint and recipient configuration, but not send
 keys or API tokens. Configure `MAILERY_SEND_KEY`, `HASNA_MAILERY_SEND_KEY`,
 `HASNA_LOGS_API_TOKEN`, or the matching service env vars before scheduled runs.
 
+The `uptime cloud ...` commands generate dry-run AWS/Spark01 planning artifacts
+only. They do not call AWS, write secrets, or produce an approved deploy script;
+current output is intentionally blocked until the infra and cloud-store evidence
+in `docs/aws-deployment-runbook.md` is satisfied.
+
+Deployment review artifacts live in `Dockerfile` and `infra/aws`. The Terraform
+desired counts default to zero, and `uptime cloud plan --json` exposes the
+format/init/validate/plan commands with `applyAllowed: false`.
+
 Private/local probes can submit signed results from another machine:
 
 ```bash

package/dist/cli/index.js

@@ -6387,6 +6387,277 @@ class ApiError extends Error {
   }
 }
 
+// src/cloud-plan.ts
+var DEFAULT_ACCOUNT = "hasna-xyz-infra";
+var DEFAULT_REGION = "us-east-1";
+var DEFAULT_STAGE = "prod";
+var DEFAULT_PREFIX = "open-uptime";
+var DEFAULT_HOSTNAME = "uptime.hasna.xyz";
+var DEFAULT_WORKSPACE_ID = "wks_2tyysw05cwap";
+var DEFAULT_VPC_ID = "vpc-04c7f7abc1d3c3f56";
+var DEFAULT_RDS = "hasna-xyz-infra-apps-prod-postgres";
+function buildAwsDeploymentPlan(options = {}) {
+  const region = clean(options.region, DEFAULT_REGION);
+  const stage = clean(options.stage, DEFAULT_STAGE);
+  const prefix = clean(options.servicePrefix, DEFAULT_PREFIX);
+  const accountName = clean(options.accountName, DEFAULT_ACCOUNT);
+  const hostname = clean(options.hostname, DEFAULT_HOSTNAME);
+  const workspaceId = clean(options.workspaceId, DEFAULT_WORKSPACE_ID);
+  const ecrRepository = clean(options.ecrRepository, `hasna/opensource/${prefix}`);
+  const imageRepositoryUri = `<account-id>.dkr.ecr.${region}.amazonaws.com/${ecrRepository}`;
+  const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
+  const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
+  const cluster = `${prefix}-${stage}`;
+  const secrets = {
+    database: clean(options.databaseSecretName, `hasna/xyz/opensource/uptime/${stage}/rds`),
+    appEnv: clean(options.appEnvSecretName, `hasna/xyz/opensource/uptime/${stage}/app/env`),
+    hostedToken: clean(options.hostedTokenSecretName, `hasna/xyz/opensource/uptime/${stage}/hosted-token`),
+    publicProbe: clean(options.publicProbeSecretName, `hasna/xyz/opensource/uptime/${stage}/probe/public`),
+    privateProbe: clean(options.privateProbeSecretName, `hasna/xyz/opensource/uptime/${stage}/probe/private`),
+    reporting: clean(options.reportingSecretName, `hasna/xyz/opensource/uptime/${stage}/reporting`)
+  };
+  const services = [
+    servicePlan(prefix, stage, "web", 2, image, workspaceId, secrets, {
+      HASNA_UPTIME_MODE: "hosted",
+      HASNA_UPTIME_WORKSPACE_ID: workspaceId,
+      HASNA_UPTIME_HOSTNAME: hostname
+    }),
+    servicePlan(prefix, stage, "scheduler", 1, image, workspaceId, secrets, {
+      HASNA_UPTIME_MODE: "hosted",
+      HASNA_UPTIME_WORKSPACE_ID: workspaceId,
+      HASNA_UPTIME_COMPONENT: "scheduler"
+    }),
+    servicePlan(prefix, stage, "public-probe", 1, image, workspaceId, secrets, {
+      HASNA_UPTIME_MODE: "hosted",
+      HASNA_UPTIME_WORKSPACE_ID: workspaceId,
+      HASNA_UPTIME_COMPONENT: "public-probe",
+      HASNA_UPTIME_PROBE_LOCATION: region
+    }),
+    servicePlan(prefix, stage, "reporter", 1, image, workspaceId, secrets, {
+      HASNA_UPTIME_MODE: "hosted",
+      HASNA_UPTIME_WORKSPACE_ID: workspaceId,
+      HASNA_UPTIME_COMPONENT: "reporter"
+    }),
+    servicePlan(prefix, stage, "migration", 0, image, workspaceId, secrets, {
+      HASNA_UPTIME_MODE: "hosted",
+      HASNA_UPTIME_WORKSPACE_ID: workspaceId,
+      HASNA_UPTIME_COMPONENT: "migration"
+    })
+  ];
+  return {
+    kind: "open-uptime.aws-deployment-plan",
+    version: 1,
+    generatedAt: new Date().toISOString(),
+    status: "blocked",
+    canApply: false,
+    accountName,
+    region,
+    stage,
+    servicePrefix: prefix,
+    hostname,
+    workspaceId,
+    mode: "hosted",
+    resources: {
+      ecrRepository,
+      ecsCluster: cluster,
+      services,
+      vpcId: clean(options.vpcId, DEFAULT_VPC_ID),
+      rdsInstanceId: clean(options.rdsInstanceId, DEFAULT_RDS),
+      evidenceBucket,
+      loadBalancer: `${prefix}-${stage}-alb`,
+      targetGroups: [`${prefix}-${stage}-web-tg`],
+      securityGroups: [
+        `${prefix}-${stage}-alb-sg`,
+        `${prefix}-${stage}-web-sg`,
+        `${prefix}-${stage}-scheduler-sg`,
+        `${prefix}-${stage}-public-probe-sg`,
+        `${prefix}-${stage}-reporter-sg`,
+        `${prefix}-${stage}-migration-sg`
+      ],
+      secrets,
+      logGroups: services.map((service) => service.logGroup),
+      alarms: [
+        `${prefix}-${stage}-web-5xx`,
+        `${prefix}-${stage}-web-unhealthy`
+      ]
+    },
+    image: {
+      repository: ecrRepository,
+      uri: image,
+      dockerfile: "Dockerfile",
+      buildCommand: `docker build --pull -t ${imageRepositoryUri}:<git-sha> .`,
+      pushCommands: [
+        "BLOCKED: push only from approved CI/CD after the ECR repository and image digest policy exist",
+        "BLOCKED: deploy services by immutable image digest, not by mutable tags"
+      ]
+    },
+    infra: {
+      path: "infra/aws",
+      fmtCommand: "terraform -chdir=infra/aws fmt -check",
+      initCommand: "terraform -chdir=infra/aws init -backend=false",
+      validateCommand: "terraform -chdir=infra/aws validate",
+      planCommand: "terraform -chdir=infra/aws plan -out open-uptime.tfplan",
+      applyAllowed: false
+    },
+    runbook: {
+      preflight: [
+        `aws sts get-caller-identity --profile ${accountName}`,
+        `aws rds describe-db-instances --db-instance-identifier ${clean(options.rdsInstanceId, DEFAULT_RDS)} --region ${region}`,
+        `aws ec2 describe-vpcs --vpc-ids ${clean(options.vpcId, DEFAULT_VPC_ID)} --region ${region}`,
+        "Confirm the infra repository and Terraform/CloudFormation owner before live mutation."
+      ],
+      provision: [
+        `Infra PR must declare or update ECR repository ${ecrRepository}.`,
+        `Infra PR must declare hardened S3 evidence bucket ${evidenceBucket} with KMS, versioning, lifecycle, and public access block.`,
+        `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
+        "Only apply the infra plan from the approved infrastructure repository after review evidence is attached."
+      ],
+      deploy: [
+        "Build and publish the image only after the Dockerfile/container target is reviewed.",
+        "Run the migration task with the migrator role before web/scheduler/probe services.",
+        `Register task definitions for ${services.map((service) => service.name).join(", ")} using valueFrom secrets.`,
+        `Update ECS services in cluster ${cluster} one component at a time through the approved deploy pipeline.`,
+        `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
+      ],
+      rollback: [
+        "Keep previous task definition ARNs before each service update.",
+        "Rollback through the approved deploy pipeline to the previously recorded task definition ARNs.",
+        "Disable scheduler/reporter services before data rollback.",
+        "Restore RDS snapshot only after explicit operator approval and audit record."
+      ],
+      spark01: [
+        "Create a private probe identity with a caller-managed public key.",
+        "Install @hasna/uptime on Spark01 and write the generated env file with mode 0600.",
+        "Run the private probe against the hosted /api/v1 probe endpoint once it exists."
+      ]
+    },
+    blockers: [
+      "The hasna-xyz-infra infrastructure owner repository was not found in this workspace.",
+      "Hosted Postgres storage adapter and migrations are not implemented.",
+      "Hosted production auth/RBAC must replace broad static hosted-token operation before exposure.",
+      "Public probe execution still needs DNS, redirect, and rebinding SSRF enforcement plus cloud check-job leases.",
+      "Spark01 hosted probe enrollment, claim, submit, heartbeat, revocation, and rotation are not cloud-backed yet."
+    ],
+    requiredEvidence: [
+      "Infrastructure PR/synth/plan from the approved infra repository.",
+      "Container build smoke and immutable image digest.",
+      "ECS task definitions using secrets.valueFrom only.",
+      "ALB/TLS/DNS/auth denial smokes and web alarm checks.",
+      "RDS TLS, backups/PITR, scoped roles, and migration dry-run evidence.",
+      "S3 bucket KMS, versioning, lifecycle, and public-access-block evidence.",
+      "Spark01 private-probe registration, key-file mode, heartbeat, and revocation evidence."
+    ],
+    safety: {
+      liveAwsMutation: false,
+      plaintextSecrets: false,
+      hostedLocalSqliteAllowed: false,
+      notes: [
+        "This plan generator does not call AWS.",
+        "Hosted runtime must use Postgres; SQLite remains local/dev fallback only.",
+        "Secrets are represented as secret names/refs and must be injected with valueFrom.",
+        "Actual deploy belongs in the deploy_release_operate_final goal node after infra review."
+      ]
+    }
+  };
+}
+function buildSpark01CloudConfig(options = {}) {
+  const apiUrl = clean(options.apiUrl, `https://${DEFAULT_HOSTNAME}/api/v1`);
+  const workspaceId = clean(options.workspaceId, DEFAULT_WORKSPACE_ID);
+  const machineId = clean(options.machineId, "spark01");
+  const privateKeyFile = clean(options.probePrivateKeyFile, "~/.hasna/uptime/probes/spark01.key.pem");
+  const probeId = options.probeId?.trim();
+  const blockers = [
+    ...probeId ? [] : ["Cloud-registered private probe id is required before writing a sourceable env file."],
+    "Hosted probe claim and submit routes still fail closed until cloud check_jobs and workspace stores are implemented.",
+    "Spark01 enrollment, heartbeat, revocation, rotation, and bounded offline lease handling are not implemented yet."
+  ];
+  const env3 = {
+    HASNA_UPTIME_MODE: "hosted",
+    HASNA_UPTIME_API_URL: apiUrl,
+    HASNA_UPTIME_WORKSPACE_ID: workspaceId,
+    HASNA_UPTIME_MACHINE_ID: machineId,
+    HASNA_UPTIME_PRIVATE_PROBE_KEY_FILE: privateKeyFile,
+    HASNA_UPTIME_PROBE_CLASS: "private",
+    HASNA_UPTIME_LOG_LEVEL: clean(options.logLevel, "info")
+  };
+  if (probeId)
+    env3.HASNA_UPTIME_PRIVATE_PROBE_ID = probeId;
+  return {
+    kind: "open-uptime.spark01-cloud-config",
+    version: 1,
+    generatedAt: new Date().toISOString(),
+    status: "blocked",
+    canStart: false,
+    machineId,
+    mode: "private-probe",
+    env: env3,
+    files: [
+      {
+        path: privateKeyFile,
+        mode: "0600",
+        purpose: "Ed25519 private key generated on Spark01; never paste into cloud config."
+      },
+      {
+        path: "~/.hasna/uptime/cloud.env",
+        mode: "0600",
+        purpose: "Non-secret cloud/probe runtime environment; token values stay in the machine secret store."
+      }
+    ],
+    commands: [
+      "bun install -g @hasna/uptime@latest",
+      "Generate the Spark01 private key locally and register only its public key with the hosted control plane once registration exists.",
+      "Write ~/.hasna/uptime/cloud.env from this plan, then source it for the private probe service.",
+      "Start the private probe worker only after hosted /api/v1 probe claim/submit routes are backed by cloud jobs."
+    ],
+    blockers,
+    safety: {
+      privateKeyInline: false,
+      tokenInline: false,
+      notes: [
+        "This config is hosted-targeted preflight: Spark01 must not start until cloud probe routes are backed by hosted state.",
+        "The private key file path is referenced, not embedded.",
+        "Hosted token or probe auth material must come from the machine secret store, not this generated config."
+      ]
+    }
+  };
+}
+function renderSpark01Env(config) {
+  const required = ["HASNA_UPTIME_PRIVATE_PROBE_ID"];
+  const missing = required.filter((key) => !config.env[key]);
+  if (missing.length > 0) {
+    throw new Error(`Spark01 env output requires ${missing.join(", ")}`);
+  }
+  return Object.entries(config.env).map(([key, value]) => `${key}=${shellEscape(value)}`).join(`
+`);
+}
+function servicePlan(prefix, stage, role, desiredCount, image, workspaceId, secrets, environment) {
+  const name = `${prefix}-${stage}-${role}`;
+  return {
+    name,
+    role,
+    desiredCount: 0,
+    targetDesiredCount: desiredCount,
+    taskRole: `${name}-task-role`,
+    executionRole: `${prefix}-${stage}-execution-role`,
+    logGroup: `/ecs/${name}`,
+    healthCommand: role === "web" ? "GET /health" : undefined,
+    environment: {
+      HASNA_UPTIME_IMAGE: image,
+      ...environment
+    },
+    secrets: role === "web" ? { HASNA_UPTIME_DATABASE_URL: secrets.database, APP_ENV: secrets.appEnv, HASNA_UPTIME_HOSTED_TOKEN: secrets.hostedToken } : role === "public-probe" ? { PROBE_CONFIG: secrets.publicProbe } : role === "reporter" ? { HASNA_UPTIME_DATABASE_URL: secrets.database, REPORTING_CONFIG: secrets.reporting } : { HASNA_UPTIME_DATABASE_URL: secrets.database, APP_ENV: secrets.appEnv }
+  };
+}
+function clean(value, fallback) {
+  const normalized = value?.trim();
+  return normalized || fallback;
+}
+function shellEscape(value) {
+  if (/^[A-Za-z0-9_./:@~-]+$/.test(value))
+    return value;
+  return `'${value.replace(/'/g, "'\\''")}'`;
+}
+
 // src/cli/index.ts
 var program2 = new Command;
 program2.name("uptime").description("Local-first uptime and downtime monitoring").version(packageVersion()).option("-j, --json", "print JSON");
@@ -6694,6 +6965,45 @@ program2.command("audit").description("List local audit events").option("--resou
     fail(error);
   }
 });
+var cloud = program2.command("cloud").description("Generate dry-run cloud deployment and Spark01 configuration artifacts");
+cloud.command("plan").description("Generate a dry-run AWS deployment plan for hasna-xyz-infra").option("--account <name>", "AWS account/profile label", "hasna-xyz-infra").option("--region <region>", "AWS region", "us-east-1").option("--stage <stage>", "deployment stage", "prod").option("--hostname <hostname>", "hosted Open Uptime hostname", "uptime.hasna.xyz").option("--workspace-id <id>", "workspace id", "wks_2tyysw05cwap").option("--vpc-id <id>", "target VPC id").option("--rds-instance-id <id>", "existing RDS instance id").option("--ecr-repository <name>", "ECR repository name").option("--image <uri>", "container image URI").option("--evidence-bucket <name>", "S3 evidence bucket name").option("-j, --json", "print JSON").action((opts) => {
+  try {
+    const plan = buildAwsDeploymentPlan({
+      accountName: opts.account,
+      region: opts.region,
+      stage: opts.stage,
+      hostname: opts.hostname,
+      workspaceId: opts.workspaceId,
+      vpcId: opts.vpcId,
+      rdsInstanceId: opts.rdsInstanceId,
+      ecrRepository: opts.ecrRepository,
+      image: opts.image,
+      evidenceBucket: opts.evidenceBucket
+    });
+    print(plan, renderCloudPlan(plan), opts);
+  } catch (error) {
+    fail(error);
+  }
+});
+cloud.command("spark01-config").description("Generate Spark01 hosted-targeted private probe preflight configuration").option("--api-url <url>", "hosted Open Uptime API URL", "https://uptime.hasna.xyz/api/v1").option("--workspace-id <id>", "workspace id", "wks_2tyysw05cwap").option("--probe-id <id>", "cloud registered private probe id").option("--private-key-file <path>", "Spark01 private probe key file", "~/.hasna/uptime/probes/spark01.key.pem").option("--machine-id <id>", "machine id", "spark01").option("--log-level <level>", "probe log level", "info").option("--env", "print shell env file instead of summary text").option("-j, --json", "print JSON").action((opts) => {
+  try {
+    const config = buildSpark01CloudConfig({
+      apiUrl: opts.apiUrl,
+      workspaceId: opts.workspaceId,
+      probeId: opts.probeId,
+      probePrivateKeyFile: opts.privateKeyFile,
+      machineId: opts.machineId,
+      logLevel: opts.logLevel
+    });
+    if (opts.env && !wantsJson(opts)) {
+      console.log(renderSpark01Env(config));
+      return;
+    }
+    print(config, renderSpark01Config(config), opts);
+  } catch (error) {
+    fail(error);
+  }
+});
 program2.command("results").description("List recent check results").option("--monitor <id>", "filter by monitor id").option("--limit <n>", "max rows", parseInteger, 20).option("-j, --json", "print JSON").action((opts) => {
   try {
     const svc = service();
@@ -7046,6 +7356,40 @@ function renderReportRuns(runs) {
   }).join(`
 `);
 }
+function renderCloudPlan(plan) {
+  return [
+    `${plan.servicePrefix} ${plan.stage} AWS plan (${plan.accountName}/${plan.region})`,
+    `status: ${plan.status}`,
+    `can apply: ${plan.canApply}`,
+    `host: ${plan.hostname}`,
+    `cluster: ${plan.resources.ecsCluster}`,
+    `image: ${plan.image.uri}`,
+    `dockerfile: ${plan.image.dockerfile}`,
+    `infra: ${plan.infra.path}`,
+    `vpc: ${plan.resources.vpcId}`,
+    `rds: ${plan.resources.rdsInstanceId}`,
+    `services: ${plan.resources.services.map((service2) => `${service2.name}:${service2.desiredCount}/${service2.targetDesiredCount}`).join(", ")}`,
+    `evidence bucket: ${plan.resources.evidenceBucket}`,
+    `blockers: ${plan.blockers.length}`,
+    "live AWS mutation: false"
+  ].join(`
+`);
+}
+function renderSpark01Config(config) {
+  return [
+    `${config.machineId} ${config.mode} config`,
+    `status: ${config.status}`,
+    `can start: ${config.canStart}`,
+    `api: ${config.env.HASNA_UPTIME_API_URL}`,
+    `workspace: ${config.env.HASNA_UPTIME_WORKSPACE_ID}`,
+    `probe: ${config.env.HASNA_UPTIME_PRIVATE_PROBE_ID ?? "<required>"}`,
+    `key file: ${config.env.HASNA_UPTIME_PRIVATE_PROBE_KEY_FILE}`,
+    `blockers: ${config.blockers.length}`,
+    "private key inline: false",
+    "token inline: false"
+  ].join(`
+`);
+}
 function renderDeliveries(deliveries) {
   if (deliveries.length === 0)
     return "No report deliveries requested";

package/dist/cloud-plan.d.ts

@@ -0,0 +1,123 @@
+export interface AwsDeploymentPlanOptions {
+    accountName?: string;
+    region?: string;
+    stage?: string;
+    servicePrefix?: string;
+    hostname?: string;
+    workspaceId?: string;
+    vpcId?: string;
+    rdsInstanceId?: string;
+    ecrRepository?: string;
+    image?: string;
+    evidenceBucket?: string;
+    hostedTokenSecretName?: string;
+    databaseSecretName?: string;
+    appEnvSecretName?: string;
+    publicProbeSecretName?: string;
+    privateProbeSecretName?: string;
+    reportingSecretName?: string;
+}
+export interface AwsDeploymentPlan {
+    kind: "open-uptime.aws-deployment-plan";
+    version: 1;
+    generatedAt: string;
+    status: "blocked";
+    canApply: false;
+    accountName: string;
+    region: string;
+    stage: string;
+    servicePrefix: string;
+    hostname: string;
+    workspaceId: string;
+    mode: "hosted";
+    resources: {
+        ecrRepository: string;
+        ecsCluster: string;
+        services: AwsServicePlan[];
+        vpcId: string;
+        rdsInstanceId: string;
+        evidenceBucket: string;
+        loadBalancer: string;
+        targetGroups: string[];
+        securityGroups: string[];
+        secrets: Record<string, string>;
+        logGroups: string[];
+        alarms: string[];
+    };
+    image: {
+        repository: string;
+        uri: string;
+        dockerfile: string;
+        buildCommand: string;
+        pushCommands: string[];
+    };
+    infra: {
+        path: string;
+        fmtCommand: string;
+        initCommand: string;
+        validateCommand: string;
+        planCommand: string;
+        applyAllowed: false;
+    };
+    runbook: {
+        preflight: string[];
+        provision: string[];
+        deploy: string[];
+        rollback: string[];
+        spark01: string[];
+    };
+    blockers: string[];
+    requiredEvidence: string[];
+    safety: {
+        liveAwsMutation: false;
+        plaintextSecrets: false;
+        hostedLocalSqliteAllowed: false;
+        notes: string[];
+    };
+}
+export interface AwsServicePlan {
+    name: string;
+    role: "web" | "scheduler" | "public-probe" | "reporter" | "migration";
+    desiredCount: number;
+    targetDesiredCount: number;
+    taskRole: string;
+    executionRole: string;
+    logGroup: string;
+    healthCommand?: string;
+    environment: Record<string, string>;
+    secrets: Record<string, string>;
+}
+export interface Spark01CloudConfigOptions {
+    apiUrl?: string;
+    workspaceId?: string;
+    probeId?: string;
+    probePrivateKeyFile?: string;
+    machineId?: string;
+    logLevel?: string;
+}
+export interface Spark01CloudConfig {
+    kind: "open-uptime.spark01-cloud-config";
+    version: 1;
+    generatedAt: string;
+    status: "blocked";
+    canStart: false;
+    machineId: string;
+    mode: "private-probe";
+    env: Record<string, string>;
+    files: Array<{
+        path: string;
+        mode: string;
+        purpose: string;
+    }>;
+    commands: string[];
+    blockers: string[];
+    safety: {
+        privateKeyInline: false;
+        tokenInline: false;
+        notes: string[];
+    };
+}
+export declare function buildAwsDeploymentPlan(options?: AwsDeploymentPlanOptions): AwsDeploymentPlan;
+export declare function buildSpark01CloudConfig(options?: Spark01CloudConfigOptions): Spark01CloudConfig;
+export declare function renderSpark01Env(config: Spark01CloudConfig): string;
+//# sourceMappingURL=cloud-plan.d.ts.map

package/dist/cloud-plan.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cloud-plan.d.ts","sourceRoot":"","sources":["../src/cloud-plan.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,wBAAwB;IACvC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,iCAAiC,CAAC;IACxC,OAAO,EAAE,CAAC,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,SAAS,CAAC;IAClB,QAAQ,EAAE,KAAK,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,QAAQ,CAAC;IACf,SAAS,EAAE;QACT,aAAa,EAAE,MAAM,CAAC;QACtB,UAAU,EAAE,MAAM,CAAC;QACnB,QAAQ,EAAE,cAAc,EAAE,CAAC;QAC3B,KAAK,EAAE,MAAM,CAAC;QACd,aAAa,EAAE,MAAM,CAAC;QACtB,cAAc,EAAE,MAAM,CAAC;QACvB,YAAY,EAAE,MAAM,CAAC;QACrB,YAAY,EAAE,MAAM,EAAE,CAAC;QACvB,cAAc,EAAE,MAAM,EAAE,CAAC;QACzB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAChC,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,MAAM,EAAE,MAAM,EAAE,CAAC;KAClB,CAAC;IACF,KAAK,EAAE;QACL,UAAU,EAAE,MAAM,CAAC;QACnB,GAAG,EAAE,MAAM,CAAC;QACZ,UAAU,EAAE,MAAM,CAAC;QACnB,YAAY,EAAE,MAAM,CAAC;QACrB,YAAY,EAAE,MAAM,EAAE,CAAC;KACxB,CAAC;IACF,KAAK,EAAE;QACL,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;QACnB,WAAW,EAAE,MAAM,CAAC;QACpB,eAAe,EAAE,MAAM,CAAC;QACxB,WAAW,EAAE,MAAM,CAAC;QACpB,YAAY,EAAE,KAAK,CAAC;KACrB,CAAC;IACF,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,QAAQ,EAAE,MAAM,EAAE,CAAC;QACnB,OAAO,EAAE,MAAM,EAAE,CAAC;KACnB,CAAC;IACF,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,MAAM,EAAE;QACN,eAAe,EAAE,KAAK,CAAC;QACvB,gBAAgB,EAAE,KAAK,CAAC;QACxB,wBAAwB,EAAE,KAAK,CAAC;QAChC,KAAK,EAAE,MAAM,EAAE,CAAC;KACjB,CAAC;CACH;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,KAAK,GAAG,WAAW,GAAG,cAAc,GAAG,UAAU,GAAG,WAAW,CAAC;IACtE,YAAY,EAAE,MAAM,CAAC;IACrB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACjC;AAED,MAAM,WAAW,yBAAyB;IACxC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,kCAAkC,CAAC;IACzC,OAAO,EAAE,CAAC,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,SAAS,CAAC;IAClB,QAAQ,EAAE,KAAK,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,eAAe,CAAC;IACtB,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5B,KAAK,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC9D,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,MAAM,EAAE;QACN,gBAAgB,EAAE,KAAK,CAAC;QACxB,WAAW,EAAE,KAAK,CAAC;QACnB,KAAK,EAAE,MAAM,EAAE,CAAC;KACjB,CAAC;CACH;AAWD,wBAAgB,sBAAsB,CAAC,OAAO,GAAE,wBAA6B,GAAG,iBAAiB,CAoKhG;AAED,wBAAgB,uBAAuB,CAAC,OAAO,GAAE,yBAA8B,GAAG,kBAAkB,CA2DnG;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,kBAAkB,GAAG,MAAM,CASnE"}