@hasna/uptime 0.1.6 → 0.1.8

package/.dockerignore

@@ -2,7 +2,6 @@
 .gitignore
 .project.json
 node_modules
-dist
 coverage
 *.tgz
 *.log

package/CHANGELOG.md

@@ -6,6 +6,40 @@ project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [0.1.8] - 2026-06-28
+
+### Added
+
+- CloudFront default-domain protected web access mode for first AWS deployment,
+  with ALB HTTP restricted to CloudFront origin-facing ranges.
+- Hosted public-origin allow-list support through
+  `HASNA_UPTIME_ALLOWED_ORIGINS`, wired by the AWS template for CloudFront and
+  custom HTTPS access modes.
+
+### Changed
+
+- AWS Terraform and cloud-plan defaults no longer require custom Route53/ACM
+  inputs for the first protected web deployment path.
+
+## [0.1.7] - 2026-06-28
+
+### Added
+
+- Explicit hosted EFS-backed SQLite runtime path with
+  `HASNA_UPTIME_HOSTED_SQLITE_DB` and `hosted-efs-sqlite` health metadata.
+- AWS Terraform EFS file system, access point, ECS volume mount, and AWS Backup
+  plan for the hosted SQLite data store.
+- `Dockerfile.package` plus AWS CodeBuild image-builder Terraform resources to
+  build the published npm package into ECR without relying on local Docker.
+
+### Changed
+
+- Hosted AWS deployment artifacts no longer inject `HASNA_UPTIME_DATABASE_URL`;
+  the async Postgres adapter remains future work.
+- The EFS-backed SQLite bridge is single-writer only: one web task maximum and
+  scheduler/public-probe/reporter services remain disabled until Postgres and
+  cloud leases exist.
+
 ## [0.1.6] - 2026-06-28
 
 ### Added
@@ -29,7 +63,7 @@ project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ### Added
 
-- Dry-run AWS deployment plan generator for the `hasna-xyz-infra` target,
+- Dry-run AWS deployment plan generator for a reviewed AWS target,
   covering ECS/Fargate services, ECR image commands, ALB/RDS/S3/Secrets/Logs
   resources, rollback steps, and safety assertions.
 - Spark01 hosted-targeted private probe preflight config generator with JSON and

package/Dockerfile

@@ -15,7 +15,8 @@ ENV NODE_ENV=production \
     HASNA_UPTIME_MODE=hosted
 WORKDIR /app
 
-RUN addgroup --system uptime && adduser --system --ingroup uptime uptime
+RUN addgroup --system --gid 10001 uptime \
+  && adduser --system --uid 10001 --ingroup uptime uptime
 
 COPY --from=build /app/package.json ./package.json
 COPY --from=build /app/node_modules ./node_modules

package/Dockerfile.package

@@ -0,0 +1,22 @@
+# syntax=docker/dockerfile:1
+
+FROM oven/bun:1.3.13-slim AS runtime
+ENV NODE_ENV=production \
+    HASNA_UPTIME_MODE=hosted
+WORKDIR /app
+
+RUN addgroup --system --gid 10001 uptime \
+  && adduser --system --uid 10001 --ingroup uptime uptime
+
+COPY package.json ./package.json
+COPY dist ./dist
+
+RUN bun install --production
+
+USER uptime
+EXPOSE 3899
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+  CMD bun -e "const r = await fetch('http://127.0.0.1:3899/health'); process.exit(r.ok ? 0 : 1)"
+
+CMD ["bun", "dist/cli/index.js", "serve", "--mode", "hosted", "--host", "0.0.0.0", "--port", "3899"]

package/README.md

@@ -48,7 +48,17 @@ in `docs/aws-deployment-runbook.md` is satisfied.
 
 Deployment review artifacts live in `Dockerfile` and `infra/aws`. The Terraform
 desired counts default to zero, and `uptime cloud plan --json` exposes the
-format/init/validate/plan commands with `applyAllowed: false`.
+format/init/validate/plan commands with `applyAllowed: false`. The first
+protected access path uses the CloudFront default HTTPS domain with ALB origin
+ingress restricted to CloudFront. The hosted web task must set
+`HASNA_UPTIME_ALLOWED_ORIGINS` to the public HTTPS edge origin so same-origin
+browser mutations still pass when the private origin hop is HTTP. Hosted AWS
+runtime state currently uses explicit EFS-backed SQLite via
+`HASNA_UPTIME_HOSTED_SQLITE_DB=/data/uptime/uptime.db` for one protected web
+task maximum; do not set `HASNA_UPTIME_DATABASE_URL` until the async Postgres
+adapter is implemented.
+`Dockerfile.package` is used by the Terraform CodeBuild image builder to build
+the published npm package into ECR from inside AWS.
 
 Private/local probes can submit signed results from another machine:
 
@@ -81,6 +91,8 @@ State-changing API requests reject cross-origin browser requests and
 non-loopback mutation hosts by default. For a trusted remote bind, set
 `HASNA_UPTIME_API_TOKEN` or pass `uptime serve --api-token <token>` and send
 `Authorization: Bearer <token>` or `X-Uptime-Token: <token>`.
+Hosted mode additionally accepts comma-separated public origins from
+`HASNA_UPTIME_ALLOWED_ORIGINS` for deployments behind a TLS-terminating edge.
 Endpoints that accept request bodies require `content-type: application/json`.
 
 ## Uptime Semantics

package/dist/api.d.ts

@@ -9,12 +9,14 @@ export interface ServeOptions extends UptimeServiceOptions {
     apiToken?: string;
     hostedToken?: string;
     hostedTokens?: HostedToken[];
+    hostedAllowedOrigins?: string[];
     allowUnsafeRemoteMutations?: boolean;
 }
 export interface CreateApiHandlerOptions {
     apiToken?: string;
     hostedToken?: string;
     hostedTokens?: HostedToken[];
+    hostedAllowedOrigins?: string[];
     allowUnsafeRemoteMutations?: boolean;
     fetchImpl?: typeof fetch;
     trustedLoopback?: boolean;

package/dist/api.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"api.d.ts","sourceRoot":"","sources":["../src/api.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAAE,KAAK,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACxE,OAAO,EAAsB,KAAK,iBAAiB,EAAE,MAAM,YAAY,CAAC;AACxE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAElD,MAAM,WAAW,YAAa,SAAQ,oBAAoB;IACxD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,WAAW,EAAE,CAAC;IAC7B,0BAA0B,CAAC,EAAE,OAAO,CAAC;CACtC;AAED,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,WAAW,EAAE,CAAC;IAC7B,0BAA0B,CAAC,EAAE,OAAO,CAAC;IACrC,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;IACzB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,IAAI,CAAC,EAAE,iBAAiB,CAAC;CAC1B;AAED,MAAM,MAAM,WAAW,GAAG,aAAa,GAAG,cAAc,GAAG,cAAc,GAAG,eAAe,GAAG,cAAc,CAAC;AAE7G,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,WAAW,EAAE,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAOD,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,aAAa,EAAE,OAAO,GAAE,uBAA4B,GAAG,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CA2BvI;AAED,wBAAgB,WAAW,CAAC,OAAO,GAAE,YAAiB,GAAG;IAAE,MAAM,EAAE,UAAU,CAAC,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC;IAAC,OAAO,EAAE,aAAa,CAAC;IAAC,SAAS,CAAC,EAAE,eAAe,CAAA;CAAE,CA2BrJ"}
+{"version":3,"file":"api.d.ts","sourceRoot":"","sources":["../src/api.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAAE,KAAK,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACxE,OAAO,EAAsB,KAAK,iBAAiB,EAAE,MAAM,YAAY,CAAC;AACxE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAElD,MAAM,WAAW,YAAa,SAAQ,oBAAoB;IACxD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,WAAW,EAAE,CAAC;IAC7B,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC,0BAA0B,CAAC,EAAE,OAAO,CAAC;CACtC;AAED,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,WAAW,EAAE,CAAC;IAC7B,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC,0BAA0B,CAAC,EAAE,OAAO,CAAC;IACrC,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;IACzB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,IAAI,CAAC,EAAE,iBAAiB,CAAC;CAC1B;AAED,MAAM,MAAM,WAAW,GAAG,aAAa,GAAG,cAAc,GAAG,cAAc,GAAG,eAAe,GAAG,cAAc,CAAC;AAE7G,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,WAAW,EAAE,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAOD,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,aAAa,EAAE,OAAO,GAAE,uBAA4B,GAAG,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CA2BvI;AAED,wBAAgB,WAAW,CAAC,OAAO,GAAE,YAAiB,GAAG;IAAE,MAAM,EAAE,UAAU,CAAC,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC;IAAC,OAAO,EAAE,aAAa,CAAC;IAAC,SAAS,CAAC,EAAE,eAAe,CAAA;CAAE,CA4BrJ"}

package/dist/api.js

@@ -820,10 +820,12 @@ function ensureUptimeHome() {
 }
 
 // src/store.ts
-import { copyFileSync, existsSync, mkdirSync as mkdirSync2, statSync } from "fs";
+import { copyFileSync, existsSync, mkdirSync as mkdirSync2, statfsSync, statSync } from "fs";
 import { dirname, join as join2 } from "path";
 import { randomUUID as randomUUID2 } from "crypto";
 import { Database } from "bun:sqlite";
+var DEFAULT_HOSTED_SQLITE_DB_PATH = "/data/uptime/uptime.db";
+var NFS_SUPER_MAGIC = 26985;
 var SECRET_URL_PARAM_PATTERN = /(token|secret|password|passwd|api[_-]?key|access[_-]?token|auth|credential|session)/i;
 var REQUIRED_TABLES = [
   "schema_migrations",
@@ -860,18 +862,39 @@ class UptimeStore {
     this.mode = resolveRuntimeMode(options.mode ?? "local");
     const cloudDatabaseUrl = options.cloudDatabaseUrl ?? process.env.HASNA_UPTIME_DATABASE_URL;
     if (this.mode === "hosted" && cloudDatabaseUrl) {
-      throw new Error("hosted cloud database adapter is not implemented yet");
+      throw new Error("hosted Postgres adapter is not implemented yet; use HASNA_UPTIME_HOSTED_SQLITE_DB on cloud-mounted storage for the current hosted deployment path");
     }
-    if (this.mode === "hosted" && !allowHostedLocalStore(options.allowHostedLocalStore)) {
-      throw new Error("hosted mode requires a cloud data layer; set HASNA_UPTIME_ALLOW_HOSTED_LOCAL_STORE=1 only for explicit local fallback testing");
+    const hostedSqliteDbPath = options.hostedSqliteDbPath ?? process.env.HASNA_UPTIME_HOSTED_SQLITE_DB;
+    if (this.mode === "hosted" && hostedSqliteDbPath) {
+      if (hostedSqliteDbPath === ":memory:" || !hostedSqliteDbPath.startsWith("/")) {
+        throw new Error("HASNA_UPTIME_HOSTED_SQLITE_DB must be an absolute path on mounted cloud storage");
+      }
+      const approvedHostedPath = hostedSqliteDbPath === DEFAULT_HOSTED_SQLITE_DB_PATH;
+      if (!approvedHostedPath && !allowHostedLocalStore(options.allowHostedLocalStore)) {
+        throw new Error(`HASNA_UPTIME_HOSTED_SQLITE_DB must be ${DEFAULT_HOSTED_SQLITE_DB_PATH}; set HASNA_UPTIME_ALLOW_HOSTED_LOCAL_STORE=1 only for explicit local fallback testing`);
+      }
+      const verifiedCloudMount = approvedHostedPath && isNfsMount(dirname(hostedSqliteDbPath));
+      if (approvedHostedPath && !verifiedCloudMount && !allowHostedLocalStore(options.allowHostedLocalStore)) {
+        throw new Error(`${DEFAULT_HOSTED_SQLITE_DB_PATH} must be on a mounted EFS/NFS filesystem; refusing to create hosted task-local SQLite`);
+      }
+      this.dataMode = verifiedCloudMount ? "hosted-efs-sqlite" : "hosted-local-sqlite";
+      this.dbPath = hostedSqliteDbPath;
+    } else if (this.mode === "hosted") {
+      if (!allowHostedLocalStore(options.allowHostedLocalStore)) {
+        throw new Error("hosted mode requires HASNA_UPTIME_HOSTED_SQLITE_DB on mounted cloud storage; set HASNA_UPTIME_ALLOW_HOSTED_LOCAL_STORE=1 only for explicit local fallback testing");
+      }
+      this.dataMode = "hosted-local-sqlite";
+      this.dbPath = options.dbPath ?? uptimeHostedFallbackDbPath();
+    } else {
+      this.dataMode = "local-sqlite";
+      this.dbPath = options.dbPath ?? uptimeDbPath();
     }
-    this.dataMode = this.mode === "hosted" ? "hosted-local-sqlite" : "local-sqlite";
-    this.dbPath = options.dbPath ?? (this.mode === "hosted" ? uptimeHostedFallbackDbPath() : uptimeDbPath());
-    if (this.dbPath !== ":memory:") {
+    if (this.dbPath !== ":memory:" && this.dataMode !== "hosted-efs-sqlite") {
       mkdirSync2(dirname(this.dbPath), { recursive: true });
     }
     this.db = new Database(this.dbPath, { create: true });
-    this.db.run("PRAGMA journal_mode = WAL");
+    this.db.run(this.dataMode === "hosted-efs-sqlite" ? "PRAGMA journal_mode = DELETE" : "PRAGMA journal_mode = WAL");
+    this.db.run("PRAGMA busy_timeout = 5000");
     this.db.run("PRAGMA foreign_keys = ON");
     this.migrate();
   }
@@ -1751,6 +1774,13 @@ function resolveRuntimeMode(mode) {
 function allowHostedLocalStore(value) {
   return value === true || process.env.HASNA_UPTIME_ALLOW_HOSTED_LOCAL_STORE === "1";
 }
+function isNfsMount(path) {
+  try {
+    return statfsSync(path).type === NFS_SUPER_MAGIC;
+  } catch {
+    return false;
+  }
+}
 function verifyBackupFile(backupPath) {
   const db = new Database(backupPath, { readonly: true });
   try {
@@ -3480,6 +3510,7 @@ function serveUptime(options = {}) {
       apiToken: options.apiToken,
       hostedToken: options.hostedToken,
       hostedTokens: options.hostedTokens,
+      hostedAllowedOrigins: options.hostedAllowedOrigins,
       allowUnsafeRemoteMutations: options.allowUnsafeRemoteMutations,
       trustedLoopback: isLoopbackHost(options.host ?? "127.0.0.1"),
       mode
@@ -3539,13 +3570,23 @@ async function handleHostedRequest(service, request, url, options) {
   const scope = hostedScopeFor(request.method, apiPath);
   requireHostedActor(request, url, options, scope);
   if (["POST", "PATCH", "DELETE"].includes(request.method)) {
-    const origin = request.headers.get("origin");
-    if (origin && origin !== `${url.protocol}//${url.host}`) {
-      throw new ApiError("cross-origin mutation rejected", 403);
-    }
+    validateHostedMutationOrigin(request, url, options);
   }
   return handleApiRoute(service, request, url, apiPath, options, true);
 }
+function validateHostedMutationOrigin(request, url, options) {
+  const rawOrigin = request.headers.get("origin");
+  const origin = normalizeOrigin(rawOrigin);
+  if (rawOrigin && !origin) {
+    throw new ApiError("cross-origin mutation rejected", 403);
+  }
+  if (!origin)
+    return;
+  const allowedOrigins = new Set([`${url.protocol}//${url.host}`, ...resolveHostedAllowedOrigins(options)]);
+  if (!allowedOrigins.has(origin)) {
+    throw new ApiError("cross-origin mutation rejected", 403);
+  }
+}
 async function handleApiRoute(service, request, url, apiPath, options, hosted) {
   if (request.method === "GET" && apiPath === "/api/summary") {
     return json(service.summary());
@@ -3764,6 +3805,34 @@ function resolveHostedTokens(options) {
     workspaceId: process.env.HASNA_UPTIME_WORKSPACE_ID ?? "default"
   }];
 }
+function resolveHostedAllowedOrigins(options) {
+  const configured = options.hostedAllowedOrigins ?? splitCsv(process.env.HASNA_UPTIME_ALLOWED_ORIGINS);
+  return configured.map((origin) => normalizeAllowedOrigin(origin)).filter((origin) => Boolean(origin));
+}
+function splitCsv(value) {
+  if (!value)
+    return [];
+  return value.split(",").map((entry) => entry.trim()).filter(Boolean);
+}
+function normalizeAllowedOrigin(value) {
+  const origin = normalizeOrigin(value);
+  if (!origin) {
+    throw new ApiError(`invalid hosted allowed origin: ${value}`, 500);
+  }
+  return origin;
+}
+function normalizeOrigin(value) {
+  if (!value?.trim())
+    return;
+  try {
+    const parsed = new URL(value.trim());
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:")
+      return;
+    return `${parsed.protocol}//${parsed.host}`;
+  } catch {
+    return;
+  }
+}
 function safeTokenEqual(candidate, expected) {
   if (!candidate)
     return false;