@hasna/uptime 0.1.5 → 0.1.6

package/.dockerignore

@@ -0,0 +1,14 @@
+.git
+.gitignore
+.project.json
+node_modules
+dist
+coverage
+*.tgz
+*.log
+.env
+.env.*
+.hasna
+infra/**/.terraform
+infra/**/*.tfstate
+infra/**/*.tfstate.*

package/CHANGELOG.md

@@ -6,6 +6,25 @@ project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [0.1.6] - 2026-06-28
+
+### Added
+
+- Bun-based hosted runtime `Dockerfile` and `.dockerignore`.
+- Reviewable Terraform/OpenTofu AWS starter plan under `infra/aws` for ECR,
+  S3 evidence storage, ECS/Fargate services, ALB/TLS/DNS, task roles,
+  CloudWatch logs, security groups, and secret refs.
+- Cloud plan SDK/CLI fields that point to `Dockerfile` and `infra/aws` with
+  format/init/validate/plan commands while keeping apply disabled.
+
+### Security
+
+- AWS infra templates use secret ARNs/valueFrom references and example
+  placeholders only; no plaintext service tokens, database URLs, or private keys
+  are stored in the repo.
+- Terraform desired counts default to zero until hosted cloud-store/auth/probe
+  blockers are closed.
+
 ## [0.1.5] - 2026-06-28
 
 ### Added
@@ -13,8 +32,8 @@ project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 - Dry-run AWS deployment plan generator for the `hasna-xyz-infra` target,
   covering ECS/Fargate services, ECR image commands, ALB/RDS/S3/Secrets/Logs
   resources, rollback steps, and safety assertions.
-- Spark01 cloud-primary private probe config generator with JSON and env-file
-  rendering.
+- Spark01 hosted-targeted private probe preflight config generator with JSON and
+  env-file rendering.
 - CLI commands `uptime cloud plan` and `uptime cloud spark01-config`.
 - SDK export `@hasna/uptime/cloud-plan`.
 - Machine-readable `blocked`/`canApply:false` and `blocked`/`canStart:false`

package/Dockerfile

@@ -0,0 +1,30 @@
+# syntax=docker/dockerfile:1
+
+FROM oven/bun:1.3.13-slim AS build
+WORKDIR /app
+
+COPY package.json bun.lock tsconfig.json tsconfig.build.json ./
+COPY src ./src
+
+RUN bun install --frozen-lockfile
+RUN bun run build
+RUN bun install --production --frozen-lockfile
+
+FROM oven/bun:1.3.13-slim AS runtime
+ENV NODE_ENV=production \
+    HASNA_UPTIME_MODE=hosted
+WORKDIR /app
+
+RUN addgroup --system uptime && adduser --system --ingroup uptime uptime
+
+COPY --from=build /app/package.json ./package.json
+COPY --from=build /app/node_modules ./node_modules
+COPY --from=build /app/dist ./dist
+
+USER uptime
+EXPOSE 3899
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+  CMD bun -e "const r = await fetch('http://127.0.0.1:3899/health'); process.exit(r.ok ? 0 : 1)"
+
+CMD ["bun", "dist/cli/index.js", "serve", "--mode", "hosted", "--host", "0.0.0.0", "--port", "3899"]

package/README.md

@@ -46,6 +46,10 @@ only. They do not call AWS, write secrets, or produce an approved deploy script;
 current output is intentionally blocked until the infra and cloud-store evidence
 in `docs/aws-deployment-runbook.md` is satisfied.
 
+Deployment review artifacts live in `Dockerfile` and `infra/aws`. The Terraform
+desired counts default to zero, and `uptime cloud plan --json` exposes the
+format/init/validate/plan commands with `applyAllowed: false`.
+
 Private/local probes can submit signed results from another machine:
 
 ```bash

package/dist/cli/index.js

@@ -6404,7 +6404,8 @@ function buildAwsDeploymentPlan(options = {}) {
   const hostname = clean(options.hostname, DEFAULT_HOSTNAME);
   const workspaceId = clean(options.workspaceId, DEFAULT_WORKSPACE_ID);
   const ecrRepository = clean(options.ecrRepository, `hasna/opensource/${prefix}`);
-  const image = clean(options.image, `<account-id>.dkr.ecr.${region}.amazonaws.com/${ecrRepository}:<git-sha>`);
+  const imageRepositoryUri = `<account-id>.dkr.ecr.${region}.amazonaws.com/${ecrRepository}`;
+  const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const cluster = `${prefix}-${stage}`;
   const secrets = {
@@ -6470,26 +6471,34 @@ function buildAwsDeploymentPlan(options = {}) {
         `${prefix}-${stage}-web-sg`,
         `${prefix}-${stage}-scheduler-sg`,
         `${prefix}-${stage}-public-probe-sg`,
-        `${prefix}-${stage}-rds-client-sg`
+        `${prefix}-${stage}-reporter-sg`,
+        `${prefix}-${stage}-migration-sg`
       ],
       secrets,
       logGroups: services.map((service) => service.logGroup),
       alarms: [
         `${prefix}-${stage}-web-5xx`,
-        `${prefix}-${stage}-scheduler-stalled`,
-        `${prefix}-${stage}-probe-stale`,
-        `${prefix}-${stage}-report-delivery-failures`
+        `${prefix}-${stage}-web-unhealthy`
       ]
     },
     image: {
       repository: ecrRepository,
       uri: image,
-      buildCommand: "BLOCKED: add a reviewed Dockerfile/container build target before running docker build",
+      dockerfile: "Dockerfile",
+      buildCommand: `docker build --pull -t ${imageRepositoryUri}:<git-sha> .`,
       pushCommands: [
         "BLOCKED: push only from approved CI/CD after the ECR repository and image digest policy exist",
         "BLOCKED: deploy services by immutable image digest, not by mutable tags"
       ]
     },
+    infra: {
+      path: "infra/aws",
+      fmtCommand: "terraform -chdir=infra/aws fmt -check",
+      initCommand: "terraform -chdir=infra/aws init -backend=false",
+      validateCommand: "terraform -chdir=infra/aws validate",
+      planCommand: "terraform -chdir=infra/aws plan -out open-uptime.tfplan",
+      applyAllowed: false
+    },
     runbook: {
       preflight: [
         `aws sts get-caller-identity --profile ${accountName}`,
@@ -6524,7 +6533,6 @@ function buildAwsDeploymentPlan(options = {}) {
     },
     blockers: [
       "The hasna-xyz-infra infrastructure owner repository was not found in this workspace.",
-      "The repo has no reviewed Dockerfile/container build target for image build and publish automation.",
       "Hosted Postgres storage adapter and migrations are not implemented.",
       "Hosted production auth/RBAC must replace broad static hosted-token operation before exposure.",
       "Public probe execution still needs DNS, redirect, and rebinding SSRF enforcement plus cloud check-job leases.",
@@ -6534,7 +6542,7 @@ function buildAwsDeploymentPlan(options = {}) {
       "Infrastructure PR/synth/plan from the approved infra repository.",
       "Container build smoke and immutable image digest.",
       "ECS task definitions using secrets.valueFrom only.",
-      "ALB/TLS/DNS/auth denial smokes.",
+      "ALB/TLS/DNS/auth denial smokes and web alarm checks.",
       "RDS TLS, backups/PITR, scoped roles, and migration dry-run evidence.",
       "S3 bucket KMS, versioning, lifecycle, and public-access-block evidence.",
       "Spark01 private-probe registration, key-file mode, heartbeat, and revocation evidence."
@@ -6606,7 +6614,7 @@ function buildSpark01CloudConfig(options = {}) {
       privateKeyInline: false,
       tokenInline: false,
       notes: [
-        "This config is cloud-primary: Spark01 submits to hosted API state instead of local SQLite.",
+        "This config is hosted-targeted preflight: Spark01 must not start until cloud probe routes are backed by hosted state.",
         "The private key file path is referenced, not embedded.",
         "Hosted token or probe auth material must come from the machine secret store, not this generated config."
       ]
@@ -6627,7 +6635,8 @@ function servicePlan(prefix, stage, role, desiredCount, image, workspaceId, secr
   return {
     name,
     role,
-    desiredCount,
+    desiredCount: 0,
+    targetDesiredCount: desiredCount,
     taskRole: `${name}-task-role`,
     executionRole: `${prefix}-${stage}-execution-role`,
     logGroup: `/ecs/${name}`,
@@ -6636,7 +6645,7 @@ function servicePlan(prefix, stage, role, desiredCount, image, workspaceId, secr
       HASNA_UPTIME_IMAGE: image,
       ...environment
     },
-    secrets: role === "public-probe" ? { DATABASE_URL: secrets.database, PROBE_CONFIG: secrets.publicProbe } : role === "reporter" ? { DATABASE_URL: secrets.database, REPORTING_CONFIG: secrets.reporting } : { DATABASE_URL: secrets.database, APP_ENV: secrets.appEnv }
+    secrets: role === "web" ? { HASNA_UPTIME_DATABASE_URL: secrets.database, APP_ENV: secrets.appEnv, HASNA_UPTIME_HOSTED_TOKEN: secrets.hostedToken } : role === "public-probe" ? { PROBE_CONFIG: secrets.publicProbe } : role === "reporter" ? { HASNA_UPTIME_DATABASE_URL: secrets.database, REPORTING_CONFIG: secrets.reporting } : { HASNA_UPTIME_DATABASE_URL: secrets.database, APP_ENV: secrets.appEnv }
   };
 }
 function clean(value, fallback) {
@@ -6976,7 +6985,7 @@ cloud.command("plan").description("Generate a dry-run AWS deployment plan for ha
     fail(error);
   }
 });
-cloud.command("spark01-config").description("Generate Spark01 cloud-primary private probe configuration").option("--api-url <url>", "hosted Open Uptime API URL", "https://uptime.hasna.xyz/api/v1").option("--workspace-id <id>", "workspace id", "wks_2tyysw05cwap").option("--probe-id <id>", "cloud registered private probe id").option("--private-key-file <path>", "Spark01 private probe key file", "~/.hasna/uptime/probes/spark01.key.pem").option("--machine-id <id>", "machine id", "spark01").option("--log-level <level>", "probe log level", "info").option("--env", "print shell env file instead of summary text").option("-j, --json", "print JSON").action((opts) => {
+cloud.command("spark01-config").description("Generate Spark01 hosted-targeted private probe preflight configuration").option("--api-url <url>", "hosted Open Uptime API URL", "https://uptime.hasna.xyz/api/v1").option("--workspace-id <id>", "workspace id", "wks_2tyysw05cwap").option("--probe-id <id>", "cloud registered private probe id").option("--private-key-file <path>", "Spark01 private probe key file", "~/.hasna/uptime/probes/spark01.key.pem").option("--machine-id <id>", "machine id", "spark01").option("--log-level <level>", "probe log level", "info").option("--env", "print shell env file instead of summary text").option("-j, --json", "print JSON").action((opts) => {
   try {
     const config = buildSpark01CloudConfig({
       apiUrl: opts.apiUrl,
@@ -7355,9 +7364,11 @@ function renderCloudPlan(plan) {
     `host: ${plan.hostname}`,
     `cluster: ${plan.resources.ecsCluster}`,
     `image: ${plan.image.uri}`,
+    `dockerfile: ${plan.image.dockerfile}`,
+    `infra: ${plan.infra.path}`,
     `vpc: ${plan.resources.vpcId}`,
     `rds: ${plan.resources.rdsInstanceId}`,
-    `services: ${plan.resources.services.map((service2) => `${service2.name}:${service2.desiredCount}`).join(", ")}`,
+    `services: ${plan.resources.services.map((service2) => `${service2.name}:${service2.desiredCount}/${service2.targetDesiredCount}`).join(", ")}`,
     `evidence bucket: ${plan.resources.evidenceBucket}`,
     `blockers: ${plan.blockers.length}`,
     "live AWS mutation: false"

package/dist/cloud-plan.d.ts

@@ -47,9 +47,18 @@ export interface AwsDeploymentPlan {
     image: {
         repository: string;
         uri: string;
+        dockerfile: string;
         buildCommand: string;
         pushCommands: string[];
     };
+    infra: {
+        path: string;
+        fmtCommand: string;
+        initCommand: string;
+        validateCommand: string;
+        planCommand: string;
+        applyAllowed: false;
+    };
     runbook: {
         preflight: string[];
         provision: string[];
@@ -70,6 +79,7 @@ export interface AwsServicePlan {
     name: string;
     role: "web" | "scheduler" | "public-probe" | "reporter" | "migration";
     desiredCount: number;
+    targetDesiredCount: number;
     taskRole: string;
     executionRole: string;
     logGroup: string;

package/dist/cloud-plan.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cloud-plan.d.ts","sourceRoot":"","sources":["../src/cloud-plan.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,wBAAwB;IACvC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,iCAAiC,CAAC;IACxC,OAAO,EAAE,CAAC,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,SAAS,CAAC;IAClB,QAAQ,EAAE,KAAK,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,QAAQ,CAAC;IACf,SAAS,EAAE;QACT,aAAa,EAAE,MAAM,CAAC;QACtB,UAAU,EAAE,MAAM,CAAC;QACnB,QAAQ,EAAE,cAAc,EAAE,CAAC;QAC3B,KAAK,EAAE,MAAM,CAAC;QACd,aAAa,EAAE,MAAM,CAAC;QACtB,cAAc,EAAE,MAAM,CAAC;QACvB,YAAY,EAAE,MAAM,CAAC;QACrB,YAAY,EAAE,MAAM,EAAE,CAAC;QACvB,cAAc,EAAE,MAAM,EAAE,CAAC;QACzB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAChC,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,MAAM,EAAE,MAAM,EAAE,CAAC;KAClB,CAAC;IACF,KAAK,EAAE;QACL,UAAU,EAAE,MAAM,CAAC;QACnB,GAAG,EAAE,MAAM,CAAC;QACZ,YAAY,EAAE,MAAM,CAAC;QACrB,YAAY,EAAE,MAAM,EAAE,CAAC;KACxB,CAAC;IACF,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,QAAQ,EAAE,MAAM,EAAE,CAAC;QACnB,OAAO,EAAE,MAAM,EAAE,CAAC;KACnB,CAAC;IACF,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,MAAM,EAAE;QACN,eAAe,EAAE,KAAK,CAAC;QACvB,gBAAgB,EAAE,KAAK,CAAC;QACxB,wBAAwB,EAAE,KAAK,CAAC;QAChC,KAAK,EAAE,MAAM,EAAE,CAAC;KACjB,CAAC;CACH;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,KAAK,GAAG,WAAW,GAAG,cAAc,GAAG,UAAU,GAAG,WAAW,CAAC;IACtE,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACjC;AAED,MAAM,WAAW,yBAAyB;IACxC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,kCAAkC,CAAC;IACzC,OAAO,EAAE,CAAC,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,SAAS,CAAC;IAClB,QAAQ,EAAE,KAAK,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,eAAe,CAAC;IACtB,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5B,KAAK,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC9D,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,MAAM,EAAE;QACN,gBAAgB,EAAE,KAAK,CAAC;QACxB,WAAW,EAAE,KAAK,CAAC;QACnB,KAAK,EAAE,MAAM,EAAE,CAAC;KACjB,CAAC;CACH;AAWD,wBAAgB,sBAAsB,CAAC,OAAO,GAAE,wBAA6B,GAAG,iBAAiB,CA4JhG;AAED,wBAAgB,uBAAuB,CAAC,OAAO,GAAE,yBAA8B,GAAG,kBAAkB,CA2DnG;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,kBAAkB,GAAG,MAAM,CASnE"}
+{"version":3,"file":"cloud-plan.d.ts","sourceRoot":"","sources":["../src/cloud-plan.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,wBAAwB;IACvC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,iCAAiC,CAAC;IACxC,OAAO,EAAE,CAAC,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,SAAS,CAAC;IAClB,QAAQ,EAAE,KAAK,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,QAAQ,CAAC;IACf,SAAS,EAAE;QACT,aAAa,EAAE,MAAM,CAAC;QACtB,UAAU,EAAE,MAAM,CAAC;QACnB,QAAQ,EAAE,cAAc,EAAE,CAAC;QAC3B,KAAK,EAAE,MAAM,CAAC;QACd,aAAa,EAAE,MAAM,CAAC;QACtB,cAAc,EAAE,MAAM,CAAC;QACvB,YAAY,EAAE,MAAM,CAAC;QACrB,YAAY,EAAE,MAAM,EAAE,CAAC;QACvB,cAAc,EAAE,MAAM,EAAE,CAAC;QACzB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAChC,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,MAAM,EAAE,MAAM,EAAE,CAAC;KAClB,CAAC;IACF,KAAK,EAAE;QACL,UAAU,EAAE,MAAM,CAAC;QACnB,GAAG,EAAE,MAAM,CAAC;QACZ,UAAU,EAAE,MAAM,CAAC;QACnB,YAAY,EAAE,MAAM,CAAC;QACrB,YAAY,EAAE,MAAM,EAAE,CAAC;KACxB,CAAC;IACF,KAAK,EAAE;QACL,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;QACnB,WAAW,EAAE,MAAM,CAAC;QACpB,eAAe,EAAE,MAAM,CAAC;QACxB,WAAW,EAAE,MAAM,CAAC;QACpB,YAAY,EAAE,KAAK,CAAC;KACrB,CAAC;IACF,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,QAAQ,EAAE,MAAM,EAAE,CAAC;QACnB,OAAO,EAAE,MAAM,EAAE,CAAC;KACnB,CAAC;IACF,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,MAAM,EAAE;QACN,eAAe,EAAE,KAAK,CAAC;QACvB,gBAAgB,EAAE,KAAK,CAAC;QACxB,wBAAwB,EAAE,KAAK,CAAC;QAChC,KAAK,EAAE,MAAM,EAAE,CAAC;KACjB,CAAC;CACH;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,KAAK,GAAG,WAAW,GAAG,cAAc,GAAG,UAAU,GAAG,WAAW,CAAC;IACtE,YAAY,EAAE,MAAM,CAAC;IACrB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACjC;AAED,MAAM,WAAW,yBAAyB;IACxC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,kCAAkC,CAAC;IACzC,OAAO,EAAE,CAAC,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,SAAS,CAAC;IAClB,QAAQ,EAAE,KAAK,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,eAAe,CAAC;IACtB,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5B,KAAK,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC9D,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,MAAM,EAAE;QACN,gBAAgB,EAAE,KAAK,CAAC;QACxB,WAAW,EAAE,KAAK,CAAC;QACnB,KAAK,EAAE,MAAM,EAAE,CAAC;KACjB,CAAC;CACH;AAWD,wBAAgB,sBAAsB,CAAC,OAAO,GAAE,wBAA6B,GAAG,iBAAiB,CAoKhG;AAED,wBAAgB,uBAAuB,CAAC,OAAO,GAAE,yBAA8B,GAAG,kBAAkB,CA2DnG;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,kBAAkB,GAAG,MAAM,CASnE"}

package/dist/cloud-plan.js

@@ -16,7 +16,8 @@ function buildAwsDeploymentPlan(options = {}) {
   const hostname = clean(options.hostname, DEFAULT_HOSTNAME);
   const workspaceId = clean(options.workspaceId, DEFAULT_WORKSPACE_ID);
   const ecrRepository = clean(options.ecrRepository, `hasna/opensource/${prefix}`);
-  const image = clean(options.image, `<account-id>.dkr.ecr.${region}.amazonaws.com/${ecrRepository}:<git-sha>`);
+  const imageRepositoryUri = `<account-id>.dkr.ecr.${region}.amazonaws.com/${ecrRepository}`;
+  const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const cluster = `${prefix}-${stage}`;
   const secrets = {
@@ -82,26 +83,34 @@ function buildAwsDeploymentPlan(options = {}) {
         `${prefix}-${stage}-web-sg`,
         `${prefix}-${stage}-scheduler-sg`,
         `${prefix}-${stage}-public-probe-sg`,
-        `${prefix}-${stage}-rds-client-sg`
+        `${prefix}-${stage}-reporter-sg`,
+        `${prefix}-${stage}-migration-sg`
       ],
       secrets,
       logGroups: services.map((service) => service.logGroup),
       alarms: [
         `${prefix}-${stage}-web-5xx`,
-        `${prefix}-${stage}-scheduler-stalled`,
-        `${prefix}-${stage}-probe-stale`,
-        `${prefix}-${stage}-report-delivery-failures`
+        `${prefix}-${stage}-web-unhealthy`
       ]
     },
     image: {
       repository: ecrRepository,
       uri: image,
-      buildCommand: "BLOCKED: add a reviewed Dockerfile/container build target before running docker build",
+      dockerfile: "Dockerfile",
+      buildCommand: `docker build --pull -t ${imageRepositoryUri}:<git-sha> .`,
       pushCommands: [
         "BLOCKED: push only from approved CI/CD after the ECR repository and image digest policy exist",
         "BLOCKED: deploy services by immutable image digest, not by mutable tags"
       ]
     },
+    infra: {
+      path: "infra/aws",
+      fmtCommand: "terraform -chdir=infra/aws fmt -check",
+      initCommand: "terraform -chdir=infra/aws init -backend=false",
+      validateCommand: "terraform -chdir=infra/aws validate",
+      planCommand: "terraform -chdir=infra/aws plan -out open-uptime.tfplan",
+      applyAllowed: false
+    },
     runbook: {
       preflight: [
         `aws sts get-caller-identity --profile ${accountName}`,
@@ -136,7 +145,6 @@ function buildAwsDeploymentPlan(options = {}) {
     },
     blockers: [
       "The hasna-xyz-infra infrastructure owner repository was not found in this workspace.",
-      "The repo has no reviewed Dockerfile/container build target for image build and publish automation.",
       "Hosted Postgres storage adapter and migrations are not implemented.",
       "Hosted production auth/RBAC must replace broad static hosted-token operation before exposure.",
       "Public probe execution still needs DNS, redirect, and rebinding SSRF enforcement plus cloud check-job leases.",
@@ -146,7 +154,7 @@ function buildAwsDeploymentPlan(options = {}) {
       "Infrastructure PR/synth/plan from the approved infra repository.",
       "Container build smoke and immutable image digest.",
       "ECS task definitions using secrets.valueFrom only.",
-      "ALB/TLS/DNS/auth denial smokes.",
+      "ALB/TLS/DNS/auth denial smokes and web alarm checks.",
       "RDS TLS, backups/PITR, scoped roles, and migration dry-run evidence.",
       "S3 bucket KMS, versioning, lifecycle, and public-access-block evidence.",
       "Spark01 private-probe registration, key-file mode, heartbeat, and revocation evidence."
@@ -218,7 +226,7 @@ function buildSpark01CloudConfig(options = {}) {
       privateKeyInline: false,
       tokenInline: false,
       notes: [
-        "This config is cloud-primary: Spark01 submits to hosted API state instead of local SQLite.",
+        "This config is hosted-targeted preflight: Spark01 must not start until cloud probe routes are backed by hosted state.",
         "The private key file path is referenced, not embedded.",
         "Hosted token or probe auth material must come from the machine secret store, not this generated config."
       ]
@@ -239,7 +247,8 @@ function servicePlan(prefix, stage, role, desiredCount, image, workspaceId, secr
   return {
     name,
     role,
-    desiredCount,
+    desiredCount: 0,
+    targetDesiredCount: desiredCount,
     taskRole: `${name}-task-role`,
     executionRole: `${prefix}-${stage}-execution-role`,
     logGroup: `/ecs/${name}`,
@@ -248,7 +257,7 @@ function servicePlan(prefix, stage, role, desiredCount, image, workspaceId, secr
       HASNA_UPTIME_IMAGE: image,
       ...environment
     },
-    secrets: role === "public-probe" ? { DATABASE_URL: secrets.database, PROBE_CONFIG: secrets.publicProbe } : role === "reporter" ? { DATABASE_URL: secrets.database, REPORTING_CONFIG: secrets.reporting } : { DATABASE_URL: secrets.database, APP_ENV: secrets.appEnv }
+    secrets: role === "web" ? { HASNA_UPTIME_DATABASE_URL: secrets.database, APP_ENV: secrets.appEnv, HASNA_UPTIME_HOSTED_TOKEN: secrets.hostedToken } : role === "public-probe" ? { PROBE_CONFIG: secrets.publicProbe } : role === "reporter" ? { HASNA_UPTIME_DATABASE_URL: secrets.database, REPORTING_CONFIG: secrets.reporting } : { HASNA_UPTIME_DATABASE_URL: secrets.database, APP_ENV: secrets.appEnv }
   };
 }
 function clean(value, fallback) {

package/dist/index.js

@@ -3807,7 +3807,8 @@ function buildAwsDeploymentPlan(options = {}) {
   const hostname = clean(options.hostname, DEFAULT_HOSTNAME);
   const workspaceId = clean(options.workspaceId, DEFAULT_WORKSPACE_ID);
   const ecrRepository = clean(options.ecrRepository, `hasna/opensource/${prefix}`);
-  const image = clean(options.image, `<account-id>.dkr.ecr.${region}.amazonaws.com/${ecrRepository}:<git-sha>`);
+  const imageRepositoryUri = `<account-id>.dkr.ecr.${region}.amazonaws.com/${ecrRepository}`;
+  const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const cluster = `${prefix}-${stage}`;
   const secrets = {
@@ -3873,26 +3874,34 @@ function buildAwsDeploymentPlan(options = {}) {
         `${prefix}-${stage}-web-sg`,
         `${prefix}-${stage}-scheduler-sg`,
         `${prefix}-${stage}-public-probe-sg`,
-        `${prefix}-${stage}-rds-client-sg`
+        `${prefix}-${stage}-reporter-sg`,
+        `${prefix}-${stage}-migration-sg`
       ],
       secrets,
       logGroups: services.map((service) => service.logGroup),
       alarms: [
         `${prefix}-${stage}-web-5xx`,
-        `${prefix}-${stage}-scheduler-stalled`,
-        `${prefix}-${stage}-probe-stale`,
-        `${prefix}-${stage}-report-delivery-failures`
+        `${prefix}-${stage}-web-unhealthy`
       ]
     },
     image: {
       repository: ecrRepository,
       uri: image,
-      buildCommand: "BLOCKED: add a reviewed Dockerfile/container build target before running docker build",
+      dockerfile: "Dockerfile",
+      buildCommand: `docker build --pull -t ${imageRepositoryUri}:<git-sha> .`,
       pushCommands: [
         "BLOCKED: push only from approved CI/CD after the ECR repository and image digest policy exist",
         "BLOCKED: deploy services by immutable image digest, not by mutable tags"
       ]
     },
+    infra: {
+      path: "infra/aws",
+      fmtCommand: "terraform -chdir=infra/aws fmt -check",
+      initCommand: "terraform -chdir=infra/aws init -backend=false",
+      validateCommand: "terraform -chdir=infra/aws validate",
+      planCommand: "terraform -chdir=infra/aws plan -out open-uptime.tfplan",
+      applyAllowed: false
+    },
     runbook: {
       preflight: [
         `aws sts get-caller-identity --profile ${accountName}`,
@@ -3927,7 +3936,6 @@ function buildAwsDeploymentPlan(options = {}) {
     },
     blockers: [
       "The hasna-xyz-infra infrastructure owner repository was not found in this workspace.",
-      "The repo has no reviewed Dockerfile/container build target for image build and publish automation.",
       "Hosted Postgres storage adapter and migrations are not implemented.",
       "Hosted production auth/RBAC must replace broad static hosted-token operation before exposure.",
       "Public probe execution still needs DNS, redirect, and rebinding SSRF enforcement plus cloud check-job leases.",
@@ -3937,7 +3945,7 @@ function buildAwsDeploymentPlan(options = {}) {
       "Infrastructure PR/synth/plan from the approved infra repository.",
       "Container build smoke and immutable image digest.",
       "ECS task definitions using secrets.valueFrom only.",
-      "ALB/TLS/DNS/auth denial smokes.",
+      "ALB/TLS/DNS/auth denial smokes and web alarm checks.",
       "RDS TLS, backups/PITR, scoped roles, and migration dry-run evidence.",
       "S3 bucket KMS, versioning, lifecycle, and public-access-block evidence.",
       "Spark01 private-probe registration, key-file mode, heartbeat, and revocation evidence."
@@ -4009,7 +4017,7 @@ function buildSpark01CloudConfig(options = {}) {
       privateKeyInline: false,
       tokenInline: false,
       notes: [
-        "This config is cloud-primary: Spark01 submits to hosted API state instead of local SQLite.",
+        "This config is hosted-targeted preflight: Spark01 must not start until cloud probe routes are backed by hosted state.",
         "The private key file path is referenced, not embedded.",
         "Hosted token or probe auth material must come from the machine secret store, not this generated config."
       ]
@@ -4030,7 +4038,8 @@ function servicePlan(prefix, stage, role, desiredCount, image, workspaceId, secr
   return {
     name,
     role,
-    desiredCount,
+    desiredCount: 0,
+    targetDesiredCount: desiredCount,
     taskRole: `${name}-task-role`,
     executionRole: `${prefix}-${stage}-execution-role`,
     logGroup: `/ecs/${name}`,
@@ -4039,7 +4048,7 @@ function servicePlan(prefix, stage, role, desiredCount, image, workspaceId, secr
       HASNA_UPTIME_IMAGE: image,
       ...environment
     },
-    secrets: role === "public-probe" ? { DATABASE_URL: secrets.database, PROBE_CONFIG: secrets.publicProbe } : role === "reporter" ? { DATABASE_URL: secrets.database, REPORTING_CONFIG: secrets.reporting } : { DATABASE_URL: secrets.database, APP_ENV: secrets.appEnv }
+    secrets: role === "web" ? { HASNA_UPTIME_DATABASE_URL: secrets.database, APP_ENV: secrets.appEnv, HASNA_UPTIME_HOSTED_TOKEN: secrets.hostedToken } : role === "public-probe" ? { PROBE_CONFIG: secrets.publicProbe } : role === "reporter" ? { HASNA_UPTIME_DATABASE_URL: secrets.database, REPORTING_CONFIG: secrets.reporting } : { HASNA_UPTIME_DATABASE_URL: secrets.database, APP_ENV: secrets.appEnv }
   };
 }
 function clean(value, fallback) {

package/docs/aws-deployment-runbook.md

@@ -27,6 +27,10 @@ The generated AWS plan currently returns `status: "blocked"` and
 `canStart: false`. Treat both as review/preflight artifacts until the blockers
 and required evidence in the JSON output are resolved.
 
+The app repo includes a hosted runtime `Dockerfile` and Terraform/OpenTofu
+starter files in `infra/aws`. The plan output points to these files and keeps
+`applyAllowed: false`.
+
 `uptime cloud spark01-config --env` requires a real `--probe-id`; it will not
 write a sourceable env file with a placeholder probe identity.
 
@@ -57,13 +61,23 @@ The plan expects:
 - S3 bucket for redacted browser evidence and generated report artifacts.
 - Secrets Manager or SSM refs for database, app env, probe config, and
   reporting channel refs.
-- CloudWatch log groups and alarms for web 5xx, scheduler stalls, stale probes,
-  and report delivery failures.
+- CloudWatch log groups for every component plus initial web 5xx/unhealthy
+  alarms. Scheduler-stall, stale-probe, and report-delivery alarms remain
+  blocked until those workers emit cloud metrics.
 
 Provision these through the approved infrastructure repository and reviewed
 plan/apply flow. The local `uptime cloud plan` output intentionally avoids
 copy-pastable AWS mutation commands.
 
+Plan the included Terraform/OpenTofu starter without a backend:
+
+```bash
+terraform -chdir=infra/aws fmt -check
+terraform -chdir=infra/aws init -backend=false
+terraform -chdir=infra/aws validate
+terraform -chdir=infra/aws plan -out open-uptime.tfplan
+```
+
 ## Spark01
 
 Spark01 should be a private probe/operator machine, not the hosted source of
@@ -77,8 +91,9 @@ routes are backed by cloud check jobs and cloud audit rows.
 ## Safety Rules
 
 - Do not deploy hosted mode with `HASNA_UPTIME_ALLOW_HOSTED_LOCAL_STORE=1`.
-- Do not inline AWS keys, hosted tokens, Mailery keys, Open Logs tokens, or
-  probe private keys in task definitions.
+- Do not inline AWS keys, hosted tokens, Mailery keys, Open Logs tokens, database
+  URLs, or probe private keys in task definitions. Use ECS `secrets.valueFrom`
+  refs such as `HASNA_UPTIME_DATABASE_URL` and `HASNA_UPTIME_HOSTED_TOKEN`.
 - Do not run public probe workers against private targets.
 - Do not expose dashboard/API routes without hosted auth and workspace checks.
 - Do not treat local SQLite, local project DBs, or Spark01 local state as cloud

package/infra/aws/.terraform.lock.hcl

@@ -0,0 +1,25 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "5.100.0"
+  constraints = "~> 5.0"
+  hashes = [
+    "h1:wOhTPz6apLBuF7/FYZuCoXRK/MLgrNprZ3vXmq83g5k=",
+    "zh:054b8dd49f0549c9a7cc27d159e45327b7b65cf404da5e5a20da154b90b8a644",
+    "zh:0b97bf8d5e03d15d83cc40b0530a1f84b459354939ba6f135a0086c20ebbe6b2",
+    "zh:1589a2266af699cbd5d80737a0fe02e54ec9cf2ca54e7e00ac51c7359056f274",
+    "zh:6330766f1d85f01ae6ea90d1b214b8b74cc8c1badc4696b165b36ddd4cc15f7b",
+    "zh:7c8c2e30d8e55291b86fcb64bdf6c25489d538688545eb48fd74ad622e5d3862",
+    "zh:99b1003bd9bd32ee323544da897148f46a527f622dc3971af63ea3e251596342",
+    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+    "zh:9f8b909d3ec50ade83c8062290378b1ec553edef6a447c56dadc01a99f4eaa93",
+    "zh:aaef921ff9aabaf8b1869a86d692ebd24fbd4e12c21205034bb679b9caf883a2",
+    "zh:ac882313207aba00dd5a76dbd572a0ddc818bb9cbf5c9d61b28fe30efaec951e",
+    "zh:bb64e8aff37becab373a1a0cc1080990785304141af42ed6aa3dd4913b000421",
+    "zh:dfe495f6621df5540d9c92ad40b8067376350b005c637ea6efac5dc15028add4",
+    "zh:f0ddf0eaf052766cfe09dea8200a946519f653c384ab4336e2a4a64fdd6310e9",
+    "zh:f1b7e684f4c7ae1eed272b6de7d2049bb87a0275cb04dbb7cda6636f600699c9",
+    "zh:ff461571e3f233699bf690db319dfe46aec75e58726636a0d97dd9ac6e32fb70",
+  ]
+}

package/infra/aws/README.md

@@ -0,0 +1,32 @@
+# Open Uptime AWS Infra
+
+This directory is a reviewable Terraform/OpenTofu starting point for deploying
+Open Uptime in the `hasna-xyz-infra` AWS account. It is intentionally
+plan-first. Do not apply it directly from this app repo unless the infrastructure
+owner has approved this directory as the source of truth or has copied it into
+the approved infra repository.
+
+## Expected Flow
+
+```bash
+terraform -chdir=infra/aws fmt -check
+terraform -chdir=infra/aws init -backend=false
+terraform -chdir=infra/aws validate
+terraform -chdir=infra/aws plan -out open-uptime.tfplan
+```
+
+Required inputs are declared in `variables.tf` and illustrated in
+`terraform.tfvars.example`. Secrets are passed as Secrets Manager/SSM ARNs only;
+never place plaintext tokens, database URLs, private keys, or channel
+credentials in `.tfvars` files.
+
+## Current Blockers
+
+- Hosted Postgres adapter and migrations are not implemented in the app yet.
+- Hosted production auth/RBAC still needs scoped, revocable credentials.
+- Public probe runtime still needs execution-time DNS/redirect/rebinding SSRF
+  enforcement.
+- Spark01 hosted private-probe enrollment/heartbeat/revocation is still
+  fail-closed.
+
+Keep `desired_count` at `0` or plan-only until those blockers are closed.