@hasna/uptime 0.1.5 → 0.1.7

package/.dockerignore

@@ -0,0 +1,13 @@
+.git
+.gitignore
+.project.json
+node_modules
+coverage
+*.tgz
+*.log
+.env
+.env.*
+.hasna
+infra/**/.terraform
+infra/**/*.tfstate
+infra/**/*.tfstate.*

package/CHANGELOG.md

@@ -6,15 +6,53 @@ project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [0.1.7] - 2026-06-28
+
+### Added
+
+- Explicit hosted EFS-backed SQLite runtime path with
+  `HASNA_UPTIME_HOSTED_SQLITE_DB` and `hosted-efs-sqlite` health metadata.
+- AWS Terraform EFS file system, access point, ECS volume mount, and AWS Backup
+  plan for the hosted SQLite data store.
+- `Dockerfile.package` plus AWS CodeBuild image-builder Terraform resources to
+  build the published npm package into ECR without relying on local Docker.
+
+### Changed
+
+- Hosted AWS deployment artifacts no longer inject `HASNA_UPTIME_DATABASE_URL`;
+  the async Postgres adapter remains future work.
+- The EFS-backed SQLite bridge is single-writer only: one web task maximum and
+  scheduler/public-probe/reporter services remain disabled until Postgres and
+  cloud leases exist.
+
+## [0.1.6] - 2026-06-28
+
+### Added
+
+- Bun-based hosted runtime `Dockerfile` and `.dockerignore`.
+- Reviewable Terraform/OpenTofu AWS starter plan under `infra/aws` for ECR,
+  S3 evidence storage, ECS/Fargate services, ALB/TLS/DNS, task roles,
+  CloudWatch logs, security groups, and secret refs.
+- Cloud plan SDK/CLI fields that point to `Dockerfile` and `infra/aws` with
+  format/init/validate/plan commands while keeping apply disabled.
+
+### Security
+
+- AWS infra templates use secret ARNs/valueFrom references and example
+  placeholders only; no plaintext service tokens, database URLs, or private keys
+  are stored in the repo.
+- Terraform desired counts default to zero until hosted cloud-store/auth/probe
+  blockers are closed.
+
 ## [0.1.5] - 2026-06-28
 
 ### Added
 
-- Dry-run AWS deployment plan generator for the `hasna-xyz-infra` target,
+- Dry-run AWS deployment plan generator for a reviewed AWS target,
   covering ECS/Fargate services, ECR image commands, ALB/RDS/S3/Secrets/Logs
   resources, rollback steps, and safety assertions.
-- Spark01 cloud-primary private probe config generator with JSON and env-file
-  rendering.
+- Spark01 hosted-targeted private probe preflight config generator with JSON and
+  env-file rendering.
 - CLI commands `uptime cloud plan` and `uptime cloud spark01-config`.
 - SDK export `@hasna/uptime/cloud-plan`.
 - Machine-readable `blocked`/`canApply:false` and `blocked`/`canStart:false`

package/Dockerfile

@@ -0,0 +1,31 @@
+# syntax=docker/dockerfile:1
+
+FROM oven/bun:1.3.13-slim AS build
+WORKDIR /app
+
+COPY package.json bun.lock tsconfig.json tsconfig.build.json ./
+COPY src ./src
+
+RUN bun install --frozen-lockfile
+RUN bun run build
+RUN bun install --production --frozen-lockfile
+
+FROM oven/bun:1.3.13-slim AS runtime
+ENV NODE_ENV=production \
+    HASNA_UPTIME_MODE=hosted
+WORKDIR /app
+
+RUN addgroup --system --gid 10001 uptime \
+  && adduser --system --uid 10001 --ingroup uptime uptime
+
+COPY --from=build /app/package.json ./package.json
+COPY --from=build /app/node_modules ./node_modules
+COPY --from=build /app/dist ./dist
+
+USER uptime
+EXPOSE 3899
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+  CMD bun -e "const r = await fetch('http://127.0.0.1:3899/health'); process.exit(r.ok ? 0 : 1)"
+
+CMD ["bun", "dist/cli/index.js", "serve", "--mode", "hosted", "--host", "0.0.0.0", "--port", "3899"]

package/Dockerfile.package

@@ -0,0 +1,22 @@
+# syntax=docker/dockerfile:1
+
+FROM oven/bun:1.3.13-slim AS runtime
+ENV NODE_ENV=production \
+    HASNA_UPTIME_MODE=hosted
+WORKDIR /app
+
+RUN addgroup --system --gid 10001 uptime \
+  && adduser --system --uid 10001 --ingroup uptime uptime
+
+COPY package.json ./package.json
+COPY dist ./dist
+
+RUN bun install --production
+
+USER uptime
+EXPOSE 3899
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+  CMD bun -e "const r = await fetch('http://127.0.0.1:3899/health'); process.exit(r.ok ? 0 : 1)"
+
+CMD ["bun", "dist/cli/index.js", "serve", "--mode", "hosted", "--host", "0.0.0.0", "--port", "3899"]

package/README.md

@@ -46,6 +46,16 @@ only. They do not call AWS, write secrets, or produce an approved deploy script;
 current output is intentionally blocked until the infra and cloud-store evidence
 in `docs/aws-deployment-runbook.md` is satisfied.
 
+Deployment review artifacts live in `Dockerfile` and `infra/aws`. The Terraform
+desired counts default to zero, and `uptime cloud plan --json` exposes the
+format/init/validate/plan commands with `applyAllowed: false`. Hosted AWS
+runtime state currently uses explicit EFS-backed SQLite via
+`HASNA_UPTIME_HOSTED_SQLITE_DB=/data/uptime/uptime.db` for one protected web
+task maximum; do not set `HASNA_UPTIME_DATABASE_URL` until the async Postgres
+adapter is implemented.
+`Dockerfile.package` is used by the Terraform CodeBuild image builder to build
+the published npm package into ECR from inside AWS.
+
 Private/local probes can submit signed results from another machine:
 
 ```bash

package/dist/api.js

@@ -820,10 +820,12 @@ function ensureUptimeHome() {
 }
 
 // src/store.ts
-import { copyFileSync, existsSync, mkdirSync as mkdirSync2, statSync } from "fs";
+import { copyFileSync, existsSync, mkdirSync as mkdirSync2, statfsSync, statSync } from "fs";
 import { dirname, join as join2 } from "path";
 import { randomUUID as randomUUID2 } from "crypto";
 import { Database } from "bun:sqlite";
+var DEFAULT_HOSTED_SQLITE_DB_PATH = "/data/uptime/uptime.db";
+var NFS_SUPER_MAGIC = 26985;
 var SECRET_URL_PARAM_PATTERN = /(token|secret|password|passwd|api[_-]?key|access[_-]?token|auth|credential|session)/i;
 var REQUIRED_TABLES = [
   "schema_migrations",
@@ -860,18 +862,39 @@ class UptimeStore {
     this.mode = resolveRuntimeMode(options.mode ?? "local");
     const cloudDatabaseUrl = options.cloudDatabaseUrl ?? process.env.HASNA_UPTIME_DATABASE_URL;
     if (this.mode === "hosted" && cloudDatabaseUrl) {
-      throw new Error("hosted cloud database adapter is not implemented yet");
+      throw new Error("hosted Postgres adapter is not implemented yet; use HASNA_UPTIME_HOSTED_SQLITE_DB on cloud-mounted storage for the current hosted deployment path");
     }
-    if (this.mode === "hosted" && !allowHostedLocalStore(options.allowHostedLocalStore)) {
-      throw new Error("hosted mode requires a cloud data layer; set HASNA_UPTIME_ALLOW_HOSTED_LOCAL_STORE=1 only for explicit local fallback testing");
+    const hostedSqliteDbPath = options.hostedSqliteDbPath ?? process.env.HASNA_UPTIME_HOSTED_SQLITE_DB;
+    if (this.mode === "hosted" && hostedSqliteDbPath) {
+      if (hostedSqliteDbPath === ":memory:" || !hostedSqliteDbPath.startsWith("/")) {
+        throw new Error("HASNA_UPTIME_HOSTED_SQLITE_DB must be an absolute path on mounted cloud storage");
+      }
+      const approvedHostedPath = hostedSqliteDbPath === DEFAULT_HOSTED_SQLITE_DB_PATH;
+      if (!approvedHostedPath && !allowHostedLocalStore(options.allowHostedLocalStore)) {
+        throw new Error(`HASNA_UPTIME_HOSTED_SQLITE_DB must be ${DEFAULT_HOSTED_SQLITE_DB_PATH}; set HASNA_UPTIME_ALLOW_HOSTED_LOCAL_STORE=1 only for explicit local fallback testing`);
+      }
+      const verifiedCloudMount = approvedHostedPath && isNfsMount(dirname(hostedSqliteDbPath));
+      if (approvedHostedPath && !verifiedCloudMount && !allowHostedLocalStore(options.allowHostedLocalStore)) {
+        throw new Error(`${DEFAULT_HOSTED_SQLITE_DB_PATH} must be on a mounted EFS/NFS filesystem; refusing to create hosted task-local SQLite`);
+      }
+      this.dataMode = verifiedCloudMount ? "hosted-efs-sqlite" : "hosted-local-sqlite";
+      this.dbPath = hostedSqliteDbPath;
+    } else if (this.mode === "hosted") {
+      if (!allowHostedLocalStore(options.allowHostedLocalStore)) {
+        throw new Error("hosted mode requires HASNA_UPTIME_HOSTED_SQLITE_DB on mounted cloud storage; set HASNA_UPTIME_ALLOW_HOSTED_LOCAL_STORE=1 only for explicit local fallback testing");
+      }
+      this.dataMode = "hosted-local-sqlite";
+      this.dbPath = options.dbPath ?? uptimeHostedFallbackDbPath();
+    } else {
+      this.dataMode = "local-sqlite";
+      this.dbPath = options.dbPath ?? uptimeDbPath();
     }
-    this.dataMode = this.mode === "hosted" ? "hosted-local-sqlite" : "local-sqlite";
-    this.dbPath = options.dbPath ?? (this.mode === "hosted" ? uptimeHostedFallbackDbPath() : uptimeDbPath());
-    if (this.dbPath !== ":memory:") {
+    if (this.dbPath !== ":memory:" && this.dataMode !== "hosted-efs-sqlite") {
       mkdirSync2(dirname(this.dbPath), { recursive: true });
     }
     this.db = new Database(this.dbPath, { create: true });
-    this.db.run("PRAGMA journal_mode = WAL");
+    this.db.run(this.dataMode === "hosted-efs-sqlite" ? "PRAGMA journal_mode = DELETE" : "PRAGMA journal_mode = WAL");
+    this.db.run("PRAGMA busy_timeout = 5000");
     this.db.run("PRAGMA foreign_keys = ON");
     this.migrate();
   }
@@ -1751,6 +1774,13 @@ function resolveRuntimeMode(mode) {
 function allowHostedLocalStore(value) {
   return value === true || process.env.HASNA_UPTIME_ALLOW_HOSTED_LOCAL_STORE === "1";
 }
+function isNfsMount(path) {
+  try {
+    return statfsSync(path).type === NFS_SUPER_MAGIC;
+  } catch {
+    return false;
+  }
+}
 function verifyBackupFile(backupPath) {
   const db = new Database(backupPath, { readonly: true });
   try {

package/dist/cli/index.js

@@ -3381,7 +3381,7 @@ function stableJson(value) {
 }
 
 // src/store.ts
-import { copyFileSync, existsSync, mkdirSync as mkdirSync2, statSync } from "fs";
+import { copyFileSync, existsSync, mkdirSync as mkdirSync2, statfsSync, statSync } from "fs";
 import { dirname, join as join2 } from "path";
 import { randomUUID as randomUUID2 } from "crypto";
 import { Database } from "bun:sqlite";
@@ -3406,6 +3406,8 @@ function ensureUptimeHome() {
 }
 
 // src/store.ts
+var DEFAULT_HOSTED_SQLITE_DB_PATH = "/data/uptime/uptime.db";
+var NFS_SUPER_MAGIC = 26985;
 var SECRET_URL_PARAM_PATTERN = /(token|secret|password|passwd|api[_-]?key|access[_-]?token|auth|credential|session)/i;
 var REQUIRED_TABLES = [
   "schema_migrations",
@@ -3442,18 +3444,39 @@ class UptimeStore {
     this.mode = resolveRuntimeMode(options.mode ?? "local");
     const cloudDatabaseUrl = options.cloudDatabaseUrl ?? process.env.HASNA_UPTIME_DATABASE_URL;
     if (this.mode === "hosted" && cloudDatabaseUrl) {
-      throw new Error("hosted cloud database adapter is not implemented yet");
+      throw new Error("hosted Postgres adapter is not implemented yet; use HASNA_UPTIME_HOSTED_SQLITE_DB on cloud-mounted storage for the current hosted deployment path");
     }
-    if (this.mode === "hosted" && !allowHostedLocalStore(options.allowHostedLocalStore)) {
-      throw new Error("hosted mode requires a cloud data layer; set HASNA_UPTIME_ALLOW_HOSTED_LOCAL_STORE=1 only for explicit local fallback testing");
+    const hostedSqliteDbPath = options.hostedSqliteDbPath ?? process.env.HASNA_UPTIME_HOSTED_SQLITE_DB;
+    if (this.mode === "hosted" && hostedSqliteDbPath) {
+      if (hostedSqliteDbPath === ":memory:" || !hostedSqliteDbPath.startsWith("/")) {
+        throw new Error("HASNA_UPTIME_HOSTED_SQLITE_DB must be an absolute path on mounted cloud storage");
+      }
+      const approvedHostedPath = hostedSqliteDbPath === DEFAULT_HOSTED_SQLITE_DB_PATH;
+      if (!approvedHostedPath && !allowHostedLocalStore(options.allowHostedLocalStore)) {
+        throw new Error(`HASNA_UPTIME_HOSTED_SQLITE_DB must be ${DEFAULT_HOSTED_SQLITE_DB_PATH}; set HASNA_UPTIME_ALLOW_HOSTED_LOCAL_STORE=1 only for explicit local fallback testing`);
+      }
+      const verifiedCloudMount = approvedHostedPath && isNfsMount(dirname(hostedSqliteDbPath));
+      if (approvedHostedPath && !verifiedCloudMount && !allowHostedLocalStore(options.allowHostedLocalStore)) {
+        throw new Error(`${DEFAULT_HOSTED_SQLITE_DB_PATH} must be on a mounted EFS/NFS filesystem; refusing to create hosted task-local SQLite`);
+      }
+      this.dataMode = verifiedCloudMount ? "hosted-efs-sqlite" : "hosted-local-sqlite";
+      this.dbPath = hostedSqliteDbPath;
+    } else if (this.mode === "hosted") {
+      if (!allowHostedLocalStore(options.allowHostedLocalStore)) {
+        throw new Error("hosted mode requires HASNA_UPTIME_HOSTED_SQLITE_DB on mounted cloud storage; set HASNA_UPTIME_ALLOW_HOSTED_LOCAL_STORE=1 only for explicit local fallback testing");
+      }
+      this.dataMode = "hosted-local-sqlite";
+      this.dbPath = options.dbPath ?? uptimeHostedFallbackDbPath();
+    } else {
+      this.dataMode = "local-sqlite";
+      this.dbPath = options.dbPath ?? uptimeDbPath();
     }
-    this.dataMode = this.mode === "hosted" ? "hosted-local-sqlite" : "local-sqlite";
-    this.dbPath = options.dbPath ?? (this.mode === "hosted" ? uptimeHostedFallbackDbPath() : uptimeDbPath());
-    if (this.dbPath !== ":memory:") {
+    if (this.dbPath !== ":memory:" && this.dataMode !== "hosted-efs-sqlite") {
       mkdirSync2(dirname(this.dbPath), { recursive: true });
     }
     this.db = new Database(this.dbPath, { create: true });
-    this.db.run("PRAGMA journal_mode = WAL");
+    this.db.run(this.dataMode === "hosted-efs-sqlite" ? "PRAGMA journal_mode = DELETE" : "PRAGMA journal_mode = WAL");
+    this.db.run("PRAGMA busy_timeout = 5000");
     this.db.run("PRAGMA foreign_keys = ON");
     this.migrate();
   }
@@ -4333,6 +4356,13 @@ function resolveRuntimeMode(mode) {
 function allowHostedLocalStore(value) {
   return value === true || process.env.HASNA_UPTIME_ALLOW_HOSTED_LOCAL_STORE === "1";
 }
+function isNfsMount(path) {
+  try {
+    return statfsSync(path).type === NFS_SUPER_MAGIC;
+  } catch {
+    return false;
+  }
+}
 function verifyBackupFile(backupPath) {
   const db = new Database(backupPath, { readonly: true });
   try {
@@ -6388,14 +6418,14 @@ class ApiError extends Error {
 }
 
 // src/cloud-plan.ts
-var DEFAULT_ACCOUNT = "hasna-xyz-infra";
+var DEFAULT_ACCOUNT = "aws-profile";
 var DEFAULT_REGION = "us-east-1";
 var DEFAULT_STAGE = "prod";
 var DEFAULT_PREFIX = "open-uptime";
-var DEFAULT_HOSTNAME = "uptime.hasna.xyz";
-var DEFAULT_WORKSPACE_ID = "wks_2tyysw05cwap";
-var DEFAULT_VPC_ID = "vpc-04c7f7abc1d3c3f56";
-var DEFAULT_RDS = "hasna-xyz-infra-apps-prod-postgres";
+var DEFAULT_HOSTNAME = "uptime.example.com";
+var DEFAULT_WORKSPACE_ID = "workspace-id";
+var DEFAULT_VPC_ID = "vpc-xxxxxxxx";
+var DEFAULT_HOSTED_SQLITE_DB = "/data/uptime/uptime.db";
 function buildAwsDeploymentPlan(options = {}) {
   const region = clean(options.region, DEFAULT_REGION);
   const stage = clean(options.stage, DEFAULT_STAGE);
@@ -6403,36 +6433,39 @@ function buildAwsDeploymentPlan(options = {}) {
   const accountName = clean(options.accountName, DEFAULT_ACCOUNT);
   const hostname = clean(options.hostname, DEFAULT_HOSTNAME);
   const workspaceId = clean(options.workspaceId, DEFAULT_WORKSPACE_ID);
-  const ecrRepository = clean(options.ecrRepository, `hasna/opensource/${prefix}`);
-  const image = clean(options.image, `<account-id>.dkr.ecr.${region}.amazonaws.com/${ecrRepository}:<git-sha>`);
+  const ecrRepository = clean(options.ecrRepository, prefix);
+  const imageRepositoryUri = `<account-id>.dkr.ecr.${region}.amazonaws.com/${ecrRepository}`;
+  const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
+  const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.7");
   const cluster = `${prefix}-${stage}`;
   const secrets = {
-    database: clean(options.databaseSecretName, `hasna/xyz/opensource/uptime/${stage}/rds`),
-    appEnv: clean(options.appEnvSecretName, `hasna/xyz/opensource/uptime/${stage}/app/env`),
-    hostedToken: clean(options.hostedTokenSecretName, `hasna/xyz/opensource/uptime/${stage}/hosted-token`),
-    publicProbe: clean(options.publicProbeSecretName, `hasna/xyz/opensource/uptime/${stage}/probe/public`),
-    privateProbe: clean(options.privateProbeSecretName, `hasna/xyz/opensource/uptime/${stage}/probe/private`),
-    reporting: clean(options.reportingSecretName, `hasna/xyz/opensource/uptime/${stage}/reporting`)
+    appEnv: clean(options.appEnvSecretName, `open-uptime/${stage}/app/env`),
+    hostedToken: clean(options.hostedTokenSecretName, `open-uptime/${stage}/hosted-token`),
+    publicProbe: clean(options.publicProbeSecretName, `open-uptime/${stage}/probe/public`),
+    privateProbe: clean(options.privateProbeSecretName, `open-uptime/${stage}/probe/private`),
+    reporting: clean(options.reportingSecretName, `open-uptime/${stage}/reporting`)
   };
   const services = [
-    servicePlan(prefix, stage, "web", 2, image, workspaceId, secrets, {
+    servicePlan(prefix, stage, "web", 1, image, workspaceId, secrets, {
       HASNA_UPTIME_MODE: "hosted",
+      HASNA_UPTIME_HOSTED_SQLITE_DB: hostedSqliteDbPath,
       HASNA_UPTIME_WORKSPACE_ID: workspaceId,
       HASNA_UPTIME_HOSTNAME: hostname
     }),
-    servicePlan(prefix, stage, "scheduler", 1, image, workspaceId, secrets, {
+    servicePlan(prefix, stage, "scheduler", 0, image, workspaceId, secrets, {
       HASNA_UPTIME_MODE: "hosted",
       HASNA_UPTIME_WORKSPACE_ID: workspaceId,
       HASNA_UPTIME_COMPONENT: "scheduler"
     }),
-    servicePlan(prefix, stage, "public-probe", 1, image, workspaceId, secrets, {
+    servicePlan(prefix, stage, "public-probe", 0, image, workspaceId, secrets, {
       HASNA_UPTIME_MODE: "hosted",
       HASNA_UPTIME_WORKSPACE_ID: workspaceId,
       HASNA_UPTIME_COMPONENT: "public-probe",
       HASNA_UPTIME_PROBE_LOCATION: region
     }),
-    servicePlan(prefix, stage, "reporter", 1, image, workspaceId, secrets, {
+    servicePlan(prefix, stage, "reporter", 0, image, workspaceId, secrets, {
       HASNA_UPTIME_MODE: "hosted",
       HASNA_UPTIME_WORKSPACE_ID: workspaceId,
       HASNA_UPTIME_COMPONENT: "reporter"
@@ -6445,7 +6478,7 @@ function buildAwsDeploymentPlan(options = {}) {
   ];
   return {
     kind: "open-uptime.aws-deployment-plan",
-    version: 1,
+    version: 2,
     generatedAt: new Date().toISOString(),
     status: "blocked",
     canApply: false,
@@ -6458,10 +6491,13 @@ function buildAwsDeploymentPlan(options = {}) {
     mode: "hosted",
     resources: {
       ecrRepository,
+      imageBuilder: `${prefix}-${stage}-image-builder`,
       ecsCluster: cluster,
       services,
       vpcId: clean(options.vpcId, DEFAULT_VPC_ID),
-      rdsInstanceId: clean(options.rdsInstanceId, DEFAULT_RDS),
+      efsFileSystem: `${prefix}-${stage}-data`,
+      efsAccessPoint: `${prefix}-${stage}-uptime`,
+      hostedSqliteDbPath,
       evidenceBucket,
       loadBalancer: `${prefix}-${stage}-alb`,
       targetGroups: [`${prefix}-${stage}-web-tg`],
@@ -6470,42 +6506,54 @@ function buildAwsDeploymentPlan(options = {}) {
         `${prefix}-${stage}-web-sg`,
         `${prefix}-${stage}-scheduler-sg`,
         `${prefix}-${stage}-public-probe-sg`,
-        `${prefix}-${stage}-rds-client-sg`
+        `${prefix}-${stage}-reporter-sg`,
+        `${prefix}-${stage}-migration-sg`,
+        `${prefix}-${stage}-efs-sg`
       ],
       secrets,
       logGroups: services.map((service) => service.logGroup),
       alarms: [
         `${prefix}-${stage}-web-5xx`,
-        `${prefix}-${stage}-scheduler-stalled`,
-        `${prefix}-${stage}-probe-stale`,
-        `${prefix}-${stage}-report-delivery-failures`
+        `${prefix}-${stage}-web-unhealthy`
       ]
     },
     image: {
       repository: ecrRepository,
       uri: image,
-      buildCommand: "BLOCKED: add a reviewed Dockerfile/container build target before running docker build",
+      dockerfile: "Dockerfile.package",
+      buildCommand: `BLOCKED: after infra approval, AWS CodeBuild builds Dockerfile.package from @hasna/uptime@${runtimePackageVersion} into ${imageRepositoryUri}`,
       pushCommands: [
-        "BLOCKED: push only from approved CI/CD after the ECR repository and image digest policy exist",
+        `BLOCKED: start ${prefix}-${stage}-image-builder only through the approved deploy pipeline after @hasna/uptime@${runtimePackageVersion} is published`,
         "BLOCKED: deploy services by immutable image digest, not by mutable tags"
       ]
     },
+    infra: {
+      path: "infra/aws",
+      fmtCommand: "terraform -chdir=infra/aws fmt -check",
+      initCommand: "terraform -chdir=infra/aws init -backend=false",
+      validateCommand: "terraform -chdir=infra/aws validate",
+      planCommand: "terraform -chdir=infra/aws plan -out open-uptime.tfplan",
+      applyAllowed: false
+    },
     runbook: {
       preflight: [
         `aws sts get-caller-identity --profile ${accountName}`,
-        `aws rds describe-db-instances --db-instance-identifier ${clean(options.rdsInstanceId, DEFAULT_RDS)} --region ${region}`,
         `aws ec2 describe-vpcs --vpc-ids ${clean(options.vpcId, DEFAULT_VPC_ID)} --region ${region}`,
+        `aws efs describe-file-systems --region ${region}`,
         "Confirm the infra repository and Terraform/CloudFormation owner before live mutation."
       ],
       provision: [
         `Infra PR must declare or update ECR repository ${ecrRepository}.`,
+        `Infra PR must declare CodeBuild image builder ${prefix}-${stage}-image-builder for @hasna/uptime@${runtimePackageVersion}.`,
         `Infra PR must declare hardened S3 evidence bucket ${evidenceBucket} with KMS, versioning, lifecycle, and public access block.`,
+        `Infra PR must declare encrypted EFS ${prefix}-${stage}-data with access point, mount targets, and AWS Backup plan.`,
         `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
         "Only apply the infra plan from the approved infrastructure repository after review evidence is attached."
       ],
       deploy: [
         "Build and publish the image only after the Dockerfile/container target is reviewed.",
-        "Run the migration task with the migrator role before web/scheduler/probe services.",
+        `Start the AWS image builder for @hasna/uptime@${runtimePackageVersion} and record the pushed image digest.`,
+        "For the EFS SQLite bridge, do not run migration, scheduler, public-probe, or reporter tasks; keep them at desired count 0 until Postgres and cloud leases exist.",
         `Register task definitions for ${services.map((service) => service.name).join(", ")} using valueFrom secrets.`,
         `Update ECS services in cluster ${cluster} one component at a time through the approved deploy pipeline.`,
         `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
@@ -6514,7 +6562,7 @@ function buildAwsDeploymentPlan(options = {}) {
         "Keep previous task definition ARNs before each service update.",
         "Rollback through the approved deploy pipeline to the previously recorded task definition ARNs.",
         "Disable scheduler/reporter services before data rollback.",
-        "Restore RDS snapshot only after explicit operator approval and audit record."
+        "Restore EFS backup recovery point only after explicit operator approval and audit record."
       ],
       spark01: [
         "Create a private probe identity with a caller-managed public key.",
@@ -6523,19 +6571,19 @@ function buildAwsDeploymentPlan(options = {}) {
       ]
     },
     blockers: [
-      "The hasna-xyz-infra infrastructure owner repository was not found in this workspace.",
-      "The repo has no reviewed Dockerfile/container build target for image build and publish automation.",
-      "Hosted Postgres storage adapter and migrations are not implemented.",
+      "The infrastructure owner repository was not found in this workspace.",
+      "The EFS SQLite bridge is single-writer only: web target desired count is 1 and scheduler/public-probe/reporter targets remain 0 until Postgres and cloud leases exist.",
       "Hosted production auth/RBAC must replace broad static hosted-token operation before exposure.",
       "Public probe execution still needs DNS, redirect, and rebinding SSRF enforcement plus cloud check-job leases.",
       "Spark01 hosted probe enrollment, claim, submit, heartbeat, revocation, and rotation are not cloud-backed yet."
     ],
     requiredEvidence: [
       "Infrastructure PR/synth/plan from the approved infra repository.",
-      "Container build smoke and immutable image digest.",
+      "CodeBuild image-builder run, container smoke, and immutable image digest.",
       "ECS task definitions using secrets.valueFrom only.",
-      "ALB/TLS/DNS/auth denial smokes.",
-      "RDS TLS, backups/PITR, scoped roles, and migration dry-run evidence.",
+      "ALB/TLS/DNS/auth denial smokes and web alarm checks.",
+      "Single-writer ECS evidence: one web task maximum and no scheduler/public-probe/reporter EFS mounts.",
+      "EFS encryption, access point, mount-target, AWS Backup, and restore-drill evidence.",
       "S3 bucket KMS, versioning, lifecycle, and public-access-block evidence.",
       "Spark01 private-probe registration, key-file mode, heartbeat, and revocation evidence."
     ],
@@ -6545,7 +6593,9 @@ function buildAwsDeploymentPlan(options = {}) {
       hostedLocalSqliteAllowed: false,
       notes: [
         "This plan generator does not call AWS.",
-        "Hosted runtime must use Postgres; SQLite remains local/dev fallback only.",
+        "Blocked plan output intentionally avoids copy-pastable AWS mutation commands.",
+        "Hosted runtime uses explicit EFS-backed SQLite at HASNA_UPTIME_HOSTED_SQLITE_DB until the async Postgres adapter exists.",
+        "Do not set HASNA_UPTIME_DATABASE_URL for hosted tasks until the Postgres adapter is implemented.",
         "Secrets are represented as secret names/refs and must be injected with valueFrom.",
         "Actual deploy belongs in the deploy_release_operate_final goal node after infra review."
       ]
@@ -6606,7 +6656,7 @@ function buildSpark01CloudConfig(options = {}) {
       privateKeyInline: false,
       tokenInline: false,
       notes: [
-        "This config is cloud-primary: Spark01 submits to hosted API state instead of local SQLite.",
+        "This config is hosted-targeted preflight: Spark01 must not start until cloud probe routes are backed by hosted state.",
         "The private key file path is referenced, not embedded.",
         "Hosted token or probe auth material must come from the machine secret store, not this generated config."
       ]
@@ -6627,7 +6677,8 @@ function servicePlan(prefix, stage, role, desiredCount, image, workspaceId, secr
   return {
     name,
     role,
-    desiredCount,
+    desiredCount: 0,
+    targetDesiredCount: desiredCount,
     taskRole: `${name}-task-role`,
     executionRole: `${prefix}-${stage}-execution-role`,
     logGroup: `/ecs/${name}`,
@@ -6636,7 +6687,7 @@ function servicePlan(prefix, stage, role, desiredCount, image, workspaceId, secr
       HASNA_UPTIME_IMAGE: image,
       ...environment
     },
-    secrets: role === "public-probe" ? { DATABASE_URL: secrets.database, PROBE_CONFIG: secrets.publicProbe } : role === "reporter" ? { DATABASE_URL: secrets.database, REPORTING_CONFIG: secrets.reporting } : { DATABASE_URL: secrets.database, APP_ENV: secrets.appEnv }
+    secrets: role === "web" ? { APP_ENV: secrets.appEnv, HASNA_UPTIME_HOSTED_TOKEN: secrets.hostedToken } : role === "public-probe" ? { PROBE_CONFIG: secrets.publicProbe } : role === "reporter" ? { REPORTING_CONFIG: secrets.reporting } : { APP_ENV: secrets.appEnv }
   };
 }
 function clean(value, fallback) {
@@ -6957,7 +7008,7 @@ program2.command("audit").description("List local audit events").option("--resou
   }
 });
 var cloud = program2.command("cloud").description("Generate dry-run cloud deployment and Spark01 configuration artifacts");
-cloud.command("plan").description("Generate a dry-run AWS deployment plan for hasna-xyz-infra").option("--account <name>", "AWS account/profile label", "hasna-xyz-infra").option("--region <region>", "AWS region", "us-east-1").option("--stage <stage>", "deployment stage", "prod").option("--hostname <hostname>", "hosted Open Uptime hostname", "uptime.hasna.xyz").option("--workspace-id <id>", "workspace id", "wks_2tyysw05cwap").option("--vpc-id <id>", "target VPC id").option("--rds-instance-id <id>", "existing RDS instance id").option("--ecr-repository <name>", "ECR repository name").option("--image <uri>", "container image URI").option("--evidence-bucket <name>", "S3 evidence bucket name").option("-j, --json", "print JSON").action((opts) => {
+cloud.command("plan").description("Generate a dry-run AWS deployment plan").option("--account <name>", "AWS account/profile label", "aws-profile").option("--region <region>", "AWS region", "us-east-1").option("--stage <stage>", "deployment stage", "prod").option("--hostname <hostname>", "hosted Open Uptime hostname", "uptime.example.com").option("--workspace-id <id>", "workspace id", "workspace-id").option("--vpc-id <id>", "target VPC id").option("--hosted-sqlite-db <path>", "hosted SQLite path on the EFS mount").option("--rds-instance-id <id>", "deprecated; ignored until the hosted Postgres adapter exists").option("--database-secret-name <name>", "deprecated; ignored until the hosted Postgres adapter exists").option("--ecr-repository <name>", "ECR repository name").option("--image <uri>", "container image URI").option("--runtime-package-version <version>", "published @hasna/uptime version for the AWS image builder").option("--evidence-bucket <name>", "S3 evidence bucket name").option("-j, --json", "print JSON").action((opts) => {
   try {
     const plan = buildAwsDeploymentPlan({
       accountName: opts.account,
@@ -6966,9 +7017,12 @@ cloud.command("plan").description("Generate a dry-run AWS deployment plan for ha
       hostname: opts.hostname,
       workspaceId: opts.workspaceId,
       vpcId: opts.vpcId,
+      hostedSqliteDbPath: opts.hostedSqliteDb,
       rdsInstanceId: opts.rdsInstanceId,
+      databaseSecretName: opts.databaseSecretName,
       ecrRepository: opts.ecrRepository,
       image: opts.image,
+      runtimePackageVersion: opts.runtimePackageVersion,
       evidenceBucket: opts.evidenceBucket
     });
     print(plan, renderCloudPlan(plan), opts);
@@ -6976,7 +7030,7 @@ cloud.command("plan").description("Generate a dry-run AWS deployment plan for ha
     fail(error);
   }
 });
-cloud.command("spark01-config").description("Generate Spark01 cloud-primary private probe configuration").option("--api-url <url>", "hosted Open Uptime API URL", "https://uptime.hasna.xyz/api/v1").option("--workspace-id <id>", "workspace id", "wks_2tyysw05cwap").option("--probe-id <id>", "cloud registered private probe id").option("--private-key-file <path>", "Spark01 private probe key file", "~/.hasna/uptime/probes/spark01.key.pem").option("--machine-id <id>", "machine id", "spark01").option("--log-level <level>", "probe log level", "info").option("--env", "print shell env file instead of summary text").option("-j, --json", "print JSON").action((opts) => {
+cloud.command("spark01-config").description("Generate Spark01 hosted-targeted private probe preflight configuration").option("--api-url <url>", "hosted Open Uptime API URL", "https://uptime.example.com/api/v1").option("--workspace-id <id>", "workspace id", "workspace-id").option("--probe-id <id>", "cloud registered private probe id").option("--private-key-file <path>", "Spark01 private probe key file", "~/.hasna/uptime/probes/spark01.key.pem").option("--machine-id <id>", "machine id", "spark01").option("--log-level <level>", "probe log level", "info").option("--env", "print shell env file instead of summary text").option("-j, --json", "print JSON").action((opts) => {
   try {
     const config = buildSpark01CloudConfig({
       apiUrl: opts.apiUrl,
@@ -7176,7 +7230,7 @@ program2.command("restore <backup-path>").description("Restore a verified local
     fail(error);
   }
 });
-program2.command("serve").description("Serve the local API and dashboard").option("--host <host>", "host to bind", "127.0.0.1").option("--port <port>", "port", parseInteger, 3899).option("--check", "run the scheduler while serving").addOption(new Option("--mode <mode>", "runtime mode").choices(["local", "hosted"]).default("local")).option("--api-token <token>", "token required for non-loopback mutation hosts").option("--hosted-token <token>", "scoped hosted-mode token").option("--allow-hosted-local-store", "allow hosted mode to use local SQLite as an explicit fallback").option("--allow-unsafe-remote-mutations", "allow state-changing requests from non-loopback hosts without a token").option("-j, --json", "print JSON").action((opts) => {
+program2.command("serve").description("Serve the local API and dashboard").option("--host <host>", "host to bind", "127.0.0.1").option("--port <port>", "port", parseInteger, 3899).option("--check", "run the scheduler while serving").addOption(new Option("--mode <mode>", "runtime mode").choices(["local", "hosted"]).default("local")).option("--api-token <token>", "token required for non-loopback mutation hosts").option("--hosted-token <token>", "scoped hosted-mode token").option("--hosted-sqlite-db <path>", "absolute SQLite database path on hosted cloud-mounted storage").option("--allow-hosted-local-store", "allow hosted mode to use local SQLite as an explicit fallback").option("--allow-unsafe-remote-mutations", "allow state-changing requests from non-loopback hosts without a token").option("-j, --json", "print JSON").action((opts) => {
   try {
     const { server } = serveUptime({
       host: opts.host,
@@ -7185,6 +7239,7 @@ program2.command("serve").description("Serve the local API and dashboard").optio
       mode: opts.mode,
       apiToken: opts.apiToken,
       hostedToken: opts.hostedToken,
+      hostedSqliteDbPath: opts.hostedSqliteDb,
       allowHostedLocalStore: opts.allowHostedLocalStore,
       allowUnsafeRemoteMutations: opts.allowUnsafeRemoteMutations
     });
@@ -7355,9 +7410,13 @@ function renderCloudPlan(plan) {
     `host: ${plan.hostname}`,
     `cluster: ${plan.resources.ecsCluster}`,
     `image: ${plan.image.uri}`,
+    `image builder: ${plan.resources.imageBuilder}`,
+    `dockerfile: ${plan.image.dockerfile}`,
+    `infra: ${plan.infra.path}`,
     `vpc: ${plan.resources.vpcId}`,
-    `rds: ${plan.resources.rdsInstanceId}`,
-    `services: ${plan.resources.services.map((service2) => `${service2.name}:${service2.desiredCount}`).join(", ")}`,
+    `efs: ${plan.resources.efsFileSystem}`,
+    `hosted sqlite: ${plan.resources.hostedSqliteDbPath}`,
+    `services: ${plan.resources.services.map((service2) => `${service2.name}:${service2.desiredCount}/${service2.targetDesiredCount}`).join(", ")}`,
     `evidence bucket: ${plan.resources.evidenceBucket}`,
     `blockers: ${plan.blockers.length}`,
     "live AWS mutation: false"