@hasna/uptime 0.1.6 → 0.1.8

package/dist/cloud-plan.js

@@ -1,13 +1,14 @@
 // @bun
 // src/cloud-plan.ts
-var DEFAULT_ACCOUNT = "hasna-xyz-infra";
+var DEFAULT_ACCOUNT = "aws-profile";
 var DEFAULT_REGION = "us-east-1";
 var DEFAULT_STAGE = "prod";
 var DEFAULT_PREFIX = "open-uptime";
-var DEFAULT_HOSTNAME = "uptime.hasna.xyz";
-var DEFAULT_WORKSPACE_ID = "wks_2tyysw05cwap";
-var DEFAULT_VPC_ID = "vpc-04c7f7abc1d3c3f56";
-var DEFAULT_RDS = "hasna-xyz-infra-apps-prod-postgres";
+var DEFAULT_HOSTNAME = "uptime.example.com";
+var DEFAULT_WORKSPACE_ID = "workspace-id";
+var DEFAULT_VPC_ID = "vpc-xxxxxxxx";
+var DEFAULT_HOSTED_SQLITE_DB = "/data/uptime/uptime.db";
+var DEFAULT_PROTECTED_ACCESS_MODE = "cloudfront_default_domain";
 function buildAwsDeploymentPlan(options = {}) {
   const region = clean(options.region, DEFAULT_REGION);
   const stage = clean(options.stage, DEFAULT_STAGE);
@@ -15,37 +16,42 @@ function buildAwsDeploymentPlan(options = {}) {
   const accountName = clean(options.accountName, DEFAULT_ACCOUNT);
   const hostname = clean(options.hostname, DEFAULT_HOSTNAME);
   const workspaceId = clean(options.workspaceId, DEFAULT_WORKSPACE_ID);
-  const ecrRepository = clean(options.ecrRepository, `hasna/opensource/${prefix}`);
+  const ecrRepository = clean(options.ecrRepository, prefix);
   const imageRepositoryUri = `<account-id>.dkr.ecr.${region}.amazonaws.com/${ecrRepository}`;
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
+  const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.8");
+  const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
+  const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;
   const secrets = {
-    database: clean(options.databaseSecretName, `hasna/xyz/opensource/uptime/${stage}/rds`),
-    appEnv: clean(options.appEnvSecretName, `hasna/xyz/opensource/uptime/${stage}/app/env`),
-    hostedToken: clean(options.hostedTokenSecretName, `hasna/xyz/opensource/uptime/${stage}/hosted-token`),
-    publicProbe: clean(options.publicProbeSecretName, `hasna/xyz/opensource/uptime/${stage}/probe/public`),
-    privateProbe: clean(options.privateProbeSecretName, `hasna/xyz/opensource/uptime/${stage}/probe/private`),
-    reporting: clean(options.reportingSecretName, `hasna/xyz/opensource/uptime/${stage}/reporting`)
+    appEnv: clean(options.appEnvSecretName, `open-uptime/${stage}/app/env`),
+    hostedToken: clean(options.hostedTokenSecretName, `open-uptime/${stage}/hosted-token`),
+    publicProbe: clean(options.publicProbeSecretName, `open-uptime/${stage}/probe/public`),
+    privateProbe: clean(options.privateProbeSecretName, `open-uptime/${stage}/probe/private`),
+    reporting: clean(options.reportingSecretName, `open-uptime/${stage}/reporting`)
   };
   const services = [
-    servicePlan(prefix, stage, "web", 2, image, workspaceId, secrets, {
+    servicePlan(prefix, stage, "web", 1, image, workspaceId, secrets, {
       HASNA_UPTIME_MODE: "hosted",
+      HASNA_UPTIME_HOSTED_SQLITE_DB: hostedSqliteDbPath,
       HASNA_UPTIME_WORKSPACE_ID: workspaceId,
-      HASNA_UPTIME_HOSTNAME: hostname
+      HASNA_UPTIME_HOSTNAME: hostname,
+      HASNA_UPTIME_ALLOWED_ORIGINS: protectedAccessUrl
     }),
-    servicePlan(prefix, stage, "scheduler", 1, image, workspaceId, secrets, {
+    servicePlan(prefix, stage, "scheduler", 0, image, workspaceId, secrets, {
       HASNA_UPTIME_MODE: "hosted",
       HASNA_UPTIME_WORKSPACE_ID: workspaceId,
       HASNA_UPTIME_COMPONENT: "scheduler"
     }),
-    servicePlan(prefix, stage, "public-probe", 1, image, workspaceId, secrets, {
+    servicePlan(prefix, stage, "public-probe", 0, image, workspaceId, secrets, {
       HASNA_UPTIME_MODE: "hosted",
       HASNA_UPTIME_WORKSPACE_ID: workspaceId,
       HASNA_UPTIME_COMPONENT: "public-probe",
       HASNA_UPTIME_PROBE_LOCATION: region
     }),
-    servicePlan(prefix, stage, "reporter", 1, image, workspaceId, secrets, {
+    servicePlan(prefix, stage, "reporter", 0, image, workspaceId, secrets, {
       HASNA_UPTIME_MODE: "hosted",
       HASNA_UPTIME_WORKSPACE_ID: workspaceId,
       HASNA_UPTIME_COMPONENT: "reporter"
@@ -58,7 +64,7 @@ function buildAwsDeploymentPlan(options = {}) {
   ];
   return {
     kind: "open-uptime.aws-deployment-plan",
-    version: 1,
+    version: 3,
     generatedAt: new Date().toISOString(),
     status: "blocked",
     canApply: false,
@@ -71,12 +77,18 @@ function buildAwsDeploymentPlan(options = {}) {
     mode: "hosted",
     resources: {
       ecrRepository,
+      imageBuilder: `${prefix}-${stage}-image-builder`,
       ecsCluster: cluster,
       services,
       vpcId: clean(options.vpcId, DEFAULT_VPC_ID),
-      rdsInstanceId: clean(options.rdsInstanceId, DEFAULT_RDS),
+      efsFileSystem: `${prefix}-${stage}-data`,
+      efsAccessPoint: `${prefix}-${stage}-uptime`,
+      hostedSqliteDbPath,
       evidenceBucket,
       loadBalancer: `${prefix}-${stage}-alb`,
+      protectedAccessMode,
+      edgeDistribution: protectedAccessMode === "cloudfront_default_domain" ? `${prefix}-${stage}-edge` : undefined,
+      protectedAccessUrl,
       targetGroups: [`${prefix}-${stage}-web-tg`],
       securityGroups: [
         `${prefix}-${stage}-alb-sg`,
@@ -84,7 +96,8 @@ function buildAwsDeploymentPlan(options = {}) {
         `${prefix}-${stage}-scheduler-sg`,
         `${prefix}-${stage}-public-probe-sg`,
         `${prefix}-${stage}-reporter-sg`,
-        `${prefix}-${stage}-migration-sg`
+        `${prefix}-${stage}-migration-sg`,
+        `${prefix}-${stage}-efs-sg`
       ],
       secrets,
       logGroups: services.map((service) => service.logGroup),
@@ -96,10 +109,10 @@ function buildAwsDeploymentPlan(options = {}) {
     image: {
       repository: ecrRepository,
       uri: image,
-      dockerfile: "Dockerfile",
-      buildCommand: `docker build --pull -t ${imageRepositoryUri}:<git-sha> .`,
+      dockerfile: "Dockerfile.package",
+      buildCommand: `BLOCKED: after infra approval, AWS CodeBuild builds Dockerfile.package from @hasna/uptime@${runtimePackageVersion} into ${imageRepositoryUri}`,
       pushCommands: [
-        "BLOCKED: push only from approved CI/CD after the ECR repository and image digest policy exist",
+        `BLOCKED: start ${prefix}-${stage}-image-builder only through the approved deploy pipeline after @hasna/uptime@${runtimePackageVersion} is published`,
         "BLOCKED: deploy services by immutable image digest, not by mutable tags"
       ]
     },
@@ -114,28 +127,31 @@ function buildAwsDeploymentPlan(options = {}) {
     runbook: {
       preflight: [
         `aws sts get-caller-identity --profile ${accountName}`,
-        `aws rds describe-db-instances --db-instance-identifier ${clean(options.rdsInstanceId, DEFAULT_RDS)} --region ${region}`,
         `aws ec2 describe-vpcs --vpc-ids ${clean(options.vpcId, DEFAULT_VPC_ID)} --region ${region}`,
+        `aws efs describe-file-systems --region ${region}`,
         "Confirm the infra repository and Terraform/CloudFormation owner before live mutation."
       ],
       provision: [
         `Infra PR must declare or update ECR repository ${ecrRepository}.`,
+        `Infra PR must declare CodeBuild image builder ${prefix}-${stage}-image-builder for @hasna/uptime@${runtimePackageVersion}.`,
         `Infra PR must declare hardened S3 evidence bucket ${evidenceBucket} with KMS, versioning, lifecycle, and public access block.`,
-        `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
+        `Infra PR must declare encrypted EFS ${prefix}-${stage}-data with access point, mount targets, and AWS Backup plan.`,
+        protectedAccessMode === "cloudfront_default_domain" ? "Infra PR must declare CloudFront default-domain HTTPS edge, ALB HTTP listener restricted to CloudFront origin-facing ranges, ECS/Fargate cluster, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs." : `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB HTTPS listener, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
         "Only apply the infra plan from the approved infrastructure repository after review evidence is attached."
       ],
       deploy: [
         "Build and publish the image only after the Dockerfile/container target is reviewed.",
-        "Run the migration task with the migrator role before web/scheduler/probe services.",
+        `Start the AWS image builder for @hasna/uptime@${runtimePackageVersion} and record the pushed image digest.`,
+        "For the EFS SQLite bridge, do not run migration, scheduler, public-probe, or reporter tasks; keep them at desired count 0 until Postgres and cloud leases exist.",
         `Register task definitions for ${services.map((service) => service.name).join(", ")} using valueFrom secrets.`,
         `Update ECS services in cluster ${cluster} one component at a time through the approved deploy pipeline.`,
-        `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
+        protectedAccessMode === "cloudfront_default_domain" ? "Use the CloudFront default HTTPS domain for first protected access; add custom DNS/certificate only after edge ownership is approved." : `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
       ],
       rollback: [
         "Keep previous task definition ARNs before each service update.",
         "Rollback through the approved deploy pipeline to the previously recorded task definition ARNs.",
         "Disable scheduler/reporter services before data rollback.",
-        "Restore RDS snapshot only after explicit operator approval and audit record."
+        "Restore EFS backup recovery point only after explicit operator approval and audit record."
       ],
       spark01: [
         "Create a private probe identity with a caller-managed public key.",
@@ -144,18 +160,19 @@ function buildAwsDeploymentPlan(options = {}) {
       ]
     },
     blockers: [
-      "The hasna-xyz-infra infrastructure owner repository was not found in this workspace.",
-      "Hosted Postgres storage adapter and migrations are not implemented.",
+      "The infrastructure owner repository was not found in this workspace.",
+      "The EFS SQLite bridge is single-writer only: web target desired count is 1 and scheduler/public-probe/reporter targets remain 0 until Postgres and cloud leases exist.",
       "Hosted production auth/RBAC must replace broad static hosted-token operation before exposure.",
       "Public probe execution still needs DNS, redirect, and rebinding SSRF enforcement plus cloud check-job leases.",
       "Spark01 hosted probe enrollment, claim, submit, heartbeat, revocation, and rotation are not cloud-backed yet."
     ],
     requiredEvidence: [
       "Infrastructure PR/synth/plan from the approved infra repository.",
-      "Container build smoke and immutable image digest.",
+      "CodeBuild image-builder run, container smoke, and immutable image digest.",
       "ECS task definitions using secrets.valueFrom only.",
-      "ALB/TLS/DNS/auth denial smokes and web alarm checks.",
-      "RDS TLS, backups/PITR, scoped roles, and migration dry-run evidence.",
+      "CloudFront-default-domain or ALB TLS auth-denial smokes, direct-origin denial evidence, and web alarm checks.",
+      "Single-writer ECS evidence: one web task maximum and no scheduler/public-probe/reporter EFS mounts.",
+      "EFS encryption, access point, mount-target, AWS Backup, and restore-drill evidence.",
       "S3 bucket KMS, versioning, lifecycle, and public-access-block evidence.",
       "Spark01 private-probe registration, key-file mode, heartbeat, and revocation evidence."
     ],
@@ -165,7 +182,10 @@ function buildAwsDeploymentPlan(options = {}) {
       hostedLocalSqliteAllowed: false,
       notes: [
         "This plan generator does not call AWS.",
-        "Hosted runtime must use Postgres; SQLite remains local/dev fallback only.",
+        "Blocked plan output intentionally avoids copy-pastable AWS mutation commands.",
+        "Default protected access uses CloudFront's HTTPS default domain so first deploy is not blocked on custom DNS or ACM.",
+        "Hosted runtime uses explicit EFS-backed SQLite at HASNA_UPTIME_HOSTED_SQLITE_DB until the async Postgres adapter exists.",
+        "Do not set HASNA_UPTIME_DATABASE_URL for hosted tasks until the Postgres adapter is implemented.",
         "Secrets are represented as secret names/refs and must be injected with valueFrom.",
         "Actual deploy belongs in the deploy_release_operate_final goal node after infra review."
       ]
@@ -257,7 +277,7 @@ function servicePlan(prefix, stage, role, desiredCount, image, workspaceId, secr
       HASNA_UPTIME_IMAGE: image,
       ...environment
     },
-    secrets: role === "web" ? { HASNA_UPTIME_DATABASE_URL: secrets.database, APP_ENV: secrets.appEnv, HASNA_UPTIME_HOSTED_TOKEN: secrets.hostedToken } : role === "public-probe" ? { PROBE_CONFIG: secrets.publicProbe } : role === "reporter" ? { HASNA_UPTIME_DATABASE_URL: secrets.database, REPORTING_CONFIG: secrets.reporting } : { HASNA_UPTIME_DATABASE_URL: secrets.database, APP_ENV: secrets.appEnv }
+    secrets: role === "web" ? { APP_ENV: secrets.appEnv, HASNA_UPTIME_HOSTED_TOKEN: secrets.hostedToken } : role === "public-probe" ? { PROBE_CONFIG: secrets.publicProbe } : role === "reporter" ? { REPORTING_CONFIG: secrets.reporting } : { APP_ENV: secrets.appEnv }
   };
 }
 function clean(value, fallback) {

package/dist/index.js

@@ -820,10 +820,12 @@ function ensureUptimeHome() {
 }
 
 // src/store.ts
-import { copyFileSync, existsSync, mkdirSync as mkdirSync2, statSync } from "fs";
+import { copyFileSync, existsSync, mkdirSync as mkdirSync2, statfsSync, statSync } from "fs";
 import { dirname, join as join2 } from "path";
 import { randomUUID as randomUUID2 } from "crypto";
 import { Database } from "bun:sqlite";
+var DEFAULT_HOSTED_SQLITE_DB_PATH = "/data/uptime/uptime.db";
+var NFS_SUPER_MAGIC = 26985;
 var SECRET_URL_PARAM_PATTERN = /(token|secret|password|passwd|api[_-]?key|access[_-]?token|auth|credential|session)/i;
 var REQUIRED_TABLES = [
   "schema_migrations",
@@ -860,18 +862,39 @@ class UptimeStore {
     this.mode = resolveRuntimeMode(options.mode ?? "local");
     const cloudDatabaseUrl = options.cloudDatabaseUrl ?? process.env.HASNA_UPTIME_DATABASE_URL;
     if (this.mode === "hosted" && cloudDatabaseUrl) {
-      throw new Error("hosted cloud database adapter is not implemented yet");
+      throw new Error("hosted Postgres adapter is not implemented yet; use HASNA_UPTIME_HOSTED_SQLITE_DB on cloud-mounted storage for the current hosted deployment path");
     }
-    if (this.mode === "hosted" && !allowHostedLocalStore(options.allowHostedLocalStore)) {
-      throw new Error("hosted mode requires a cloud data layer; set HASNA_UPTIME_ALLOW_HOSTED_LOCAL_STORE=1 only for explicit local fallback testing");
+    const hostedSqliteDbPath = options.hostedSqliteDbPath ?? process.env.HASNA_UPTIME_HOSTED_SQLITE_DB;
+    if (this.mode === "hosted" && hostedSqliteDbPath) {
+      if (hostedSqliteDbPath === ":memory:" || !hostedSqliteDbPath.startsWith("/")) {
+        throw new Error("HASNA_UPTIME_HOSTED_SQLITE_DB must be an absolute path on mounted cloud storage");
+      }
+      const approvedHostedPath = hostedSqliteDbPath === DEFAULT_HOSTED_SQLITE_DB_PATH;
+      if (!approvedHostedPath && !allowHostedLocalStore(options.allowHostedLocalStore)) {
+        throw new Error(`HASNA_UPTIME_HOSTED_SQLITE_DB must be ${DEFAULT_HOSTED_SQLITE_DB_PATH}; set HASNA_UPTIME_ALLOW_HOSTED_LOCAL_STORE=1 only for explicit local fallback testing`);
+      }
+      const verifiedCloudMount = approvedHostedPath && isNfsMount(dirname(hostedSqliteDbPath));
+      if (approvedHostedPath && !verifiedCloudMount && !allowHostedLocalStore(options.allowHostedLocalStore)) {
+        throw new Error(`${DEFAULT_HOSTED_SQLITE_DB_PATH} must be on a mounted EFS/NFS filesystem; refusing to create hosted task-local SQLite`);
+      }
+      this.dataMode = verifiedCloudMount ? "hosted-efs-sqlite" : "hosted-local-sqlite";
+      this.dbPath = hostedSqliteDbPath;
+    } else if (this.mode === "hosted") {
+      if (!allowHostedLocalStore(options.allowHostedLocalStore)) {
+        throw new Error("hosted mode requires HASNA_UPTIME_HOSTED_SQLITE_DB on mounted cloud storage; set HASNA_UPTIME_ALLOW_HOSTED_LOCAL_STORE=1 only for explicit local fallback testing");
+      }
+      this.dataMode = "hosted-local-sqlite";
+      this.dbPath = options.dbPath ?? uptimeHostedFallbackDbPath();
+    } else {
+      this.dataMode = "local-sqlite";
+      this.dbPath = options.dbPath ?? uptimeDbPath();
     }
-    this.dataMode = this.mode === "hosted" ? "hosted-local-sqlite" : "local-sqlite";
-    this.dbPath = options.dbPath ?? (this.mode === "hosted" ? uptimeHostedFallbackDbPath() : uptimeDbPath());
-    if (this.dbPath !== ":memory:") {
+    if (this.dbPath !== ":memory:" && this.dataMode !== "hosted-efs-sqlite") {
       mkdirSync2(dirname(this.dbPath), { recursive: true });
     }
     this.db = new Database(this.dbPath, { create: true });
-    this.db.run("PRAGMA journal_mode = WAL");
+    this.db.run(this.dataMode === "hosted-efs-sqlite" ? "PRAGMA journal_mode = DELETE" : "PRAGMA journal_mode = WAL");
+    this.db.run("PRAGMA busy_timeout = 5000");
     this.db.run("PRAGMA foreign_keys = ON");
     this.migrate();
   }
@@ -1751,6 +1774,13 @@ function resolveRuntimeMode(mode) {
 function allowHostedLocalStore(value) {
   return value === true || process.env.HASNA_UPTIME_ALLOW_HOSTED_LOCAL_STORE === "1";
 }
+function isNfsMount(path) {
+  try {
+    return statfsSync(path).type === NFS_SUPER_MAGIC;
+  } catch {
+    return false;
+  }
+}
 function verifyBackupFile(backupPath) {
   const db = new Database(backupPath, { readonly: true });
   try {
@@ -3480,6 +3510,7 @@ function serveUptime(options = {}) {
       apiToken: options.apiToken,
       hostedToken: options.hostedToken,
       hostedTokens: options.hostedTokens,
+      hostedAllowedOrigins: options.hostedAllowedOrigins,
       allowUnsafeRemoteMutations: options.allowUnsafeRemoteMutations,
       trustedLoopback: isLoopbackHost(options.host ?? "127.0.0.1"),
       mode
@@ -3539,13 +3570,23 @@ async function handleHostedRequest(service, request, url, options) {
   const scope = hostedScopeFor(request.method, apiPath);
   requireHostedActor(request, url, options, scope);
   if (["POST", "PATCH", "DELETE"].includes(request.method)) {
-    const origin = request.headers.get("origin");
-    if (origin && origin !== `${url.protocol}//${url.host}`) {
-      throw new ApiError("cross-origin mutation rejected", 403);
-    }
+    validateHostedMutationOrigin(request, url, options);
   }
   return handleApiRoute(service, request, url, apiPath, options, true);
 }
+function validateHostedMutationOrigin(request, url, options) {
+  const rawOrigin = request.headers.get("origin");
+  const origin = normalizeOrigin(rawOrigin);
+  if (rawOrigin && !origin) {
+    throw new ApiError("cross-origin mutation rejected", 403);
+  }
+  if (!origin)
+    return;
+  const allowedOrigins = new Set([`${url.protocol}//${url.host}`, ...resolveHostedAllowedOrigins(options)]);
+  if (!allowedOrigins.has(origin)) {
+    throw new ApiError("cross-origin mutation rejected", 403);
+  }
+}
 async function handleApiRoute(service, request, url, apiPath, options, hosted) {
   if (request.method === "GET" && apiPath === "/api/summary") {
     return json(service.summary());
@@ -3764,6 +3805,34 @@ function resolveHostedTokens(options) {
     workspaceId: process.env.HASNA_UPTIME_WORKSPACE_ID ?? "default"
   }];
 }
+function resolveHostedAllowedOrigins(options) {
+  const configured = options.hostedAllowedOrigins ?? splitCsv(process.env.HASNA_UPTIME_ALLOWED_ORIGINS);
+  return configured.map((origin) => normalizeAllowedOrigin(origin)).filter((origin) => Boolean(origin));
+}
+function splitCsv(value) {
+  if (!value)
+    return [];
+  return value.split(",").map((entry) => entry.trim()).filter(Boolean);
+}
+function normalizeAllowedOrigin(value) {
+  const origin = normalizeOrigin(value);
+  if (!origin) {
+    throw new ApiError(`invalid hosted allowed origin: ${value}`, 500);
+  }
+  return origin;
+}
+function normalizeOrigin(value) {
+  if (!value?.trim())
+    return;
+  try {
+    const parsed = new URL(value.trim());
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:")
+      return;
+    return `${parsed.protocol}//${parsed.host}`;
+  } catch {
+    return;
+  }
+}
 function safeTokenEqual(candidate, expected) {
   if (!candidate)
     return false;
@@ -3791,14 +3860,15 @@ class ApiError extends Error {
 }
 
 // src/cloud-plan.ts
-var DEFAULT_ACCOUNT = "hasna-xyz-infra";
+var DEFAULT_ACCOUNT = "aws-profile";
 var DEFAULT_REGION = "us-east-1";
 var DEFAULT_STAGE = "prod";
 var DEFAULT_PREFIX = "open-uptime";
-var DEFAULT_HOSTNAME = "uptime.hasna.xyz";
-var DEFAULT_WORKSPACE_ID = "wks_2tyysw05cwap";
-var DEFAULT_VPC_ID = "vpc-04c7f7abc1d3c3f56";
-var DEFAULT_RDS = "hasna-xyz-infra-apps-prod-postgres";
+var DEFAULT_HOSTNAME = "uptime.example.com";
+var DEFAULT_WORKSPACE_ID = "workspace-id";
+var DEFAULT_VPC_ID = "vpc-xxxxxxxx";
+var DEFAULT_HOSTED_SQLITE_DB = "/data/uptime/uptime.db";
+var DEFAULT_PROTECTED_ACCESS_MODE = "cloudfront_default_domain";
 function buildAwsDeploymentPlan(options = {}) {
   const region = clean(options.region, DEFAULT_REGION);
   const stage = clean(options.stage, DEFAULT_STAGE);
@@ -3806,37 +3876,42 @@ function buildAwsDeploymentPlan(options = {}) {
   const accountName = clean(options.accountName, DEFAULT_ACCOUNT);
   const hostname = clean(options.hostname, DEFAULT_HOSTNAME);
   const workspaceId = clean(options.workspaceId, DEFAULT_WORKSPACE_ID);
-  const ecrRepository = clean(options.ecrRepository, `hasna/opensource/${prefix}`);
+  const ecrRepository = clean(options.ecrRepository, prefix);
   const imageRepositoryUri = `<account-id>.dkr.ecr.${region}.amazonaws.com/${ecrRepository}`;
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
+  const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.8");
+  const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
+  const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;
   const secrets = {
-    database: clean(options.databaseSecretName, `hasna/xyz/opensource/uptime/${stage}/rds`),
-    appEnv: clean(options.appEnvSecretName, `hasna/xyz/opensource/uptime/${stage}/app/env`),
-    hostedToken: clean(options.hostedTokenSecretName, `hasna/xyz/opensource/uptime/${stage}/hosted-token`),
-    publicProbe: clean(options.publicProbeSecretName, `hasna/xyz/opensource/uptime/${stage}/probe/public`),
-    privateProbe: clean(options.privateProbeSecretName, `hasna/xyz/opensource/uptime/${stage}/probe/private`),
-    reporting: clean(options.reportingSecretName, `hasna/xyz/opensource/uptime/${stage}/reporting`)
+    appEnv: clean(options.appEnvSecretName, `open-uptime/${stage}/app/env`),
+    hostedToken: clean(options.hostedTokenSecretName, `open-uptime/${stage}/hosted-token`),
+    publicProbe: clean(options.publicProbeSecretName, `open-uptime/${stage}/probe/public`),
+    privateProbe: clean(options.privateProbeSecretName, `open-uptime/${stage}/probe/private`),
+    reporting: clean(options.reportingSecretName, `open-uptime/${stage}/reporting`)
   };
   const services = [
-    servicePlan(prefix, stage, "web", 2, image, workspaceId, secrets, {
+    servicePlan(prefix, stage, "web", 1, image, workspaceId, secrets, {
       HASNA_UPTIME_MODE: "hosted",
+      HASNA_UPTIME_HOSTED_SQLITE_DB: hostedSqliteDbPath,
       HASNA_UPTIME_WORKSPACE_ID: workspaceId,
-      HASNA_UPTIME_HOSTNAME: hostname
+      HASNA_UPTIME_HOSTNAME: hostname,
+      HASNA_UPTIME_ALLOWED_ORIGINS: protectedAccessUrl
     }),
-    servicePlan(prefix, stage, "scheduler", 1, image, workspaceId, secrets, {
+    servicePlan(prefix, stage, "scheduler", 0, image, workspaceId, secrets, {
       HASNA_UPTIME_MODE: "hosted",
       HASNA_UPTIME_WORKSPACE_ID: workspaceId,
       HASNA_UPTIME_COMPONENT: "scheduler"
     }),
-    servicePlan(prefix, stage, "public-probe", 1, image, workspaceId, secrets, {
+    servicePlan(prefix, stage, "public-probe", 0, image, workspaceId, secrets, {
       HASNA_UPTIME_MODE: "hosted",
       HASNA_UPTIME_WORKSPACE_ID: workspaceId,
       HASNA_UPTIME_COMPONENT: "public-probe",
       HASNA_UPTIME_PROBE_LOCATION: region
     }),
-    servicePlan(prefix, stage, "reporter", 1, image, workspaceId, secrets, {
+    servicePlan(prefix, stage, "reporter", 0, image, workspaceId, secrets, {
       HASNA_UPTIME_MODE: "hosted",
       HASNA_UPTIME_WORKSPACE_ID: workspaceId,
       HASNA_UPTIME_COMPONENT: "reporter"
@@ -3849,7 +3924,7 @@ function buildAwsDeploymentPlan(options = {}) {
   ];
   return {
     kind: "open-uptime.aws-deployment-plan",
-    version: 1,
+    version: 3,
     generatedAt: new Date().toISOString(),
     status: "blocked",
     canApply: false,
@@ -3862,12 +3937,18 @@ function buildAwsDeploymentPlan(options = {}) {
     mode: "hosted",
     resources: {
       ecrRepository,
+      imageBuilder: `${prefix}-${stage}-image-builder`,
       ecsCluster: cluster,
       services,
       vpcId: clean(options.vpcId, DEFAULT_VPC_ID),
-      rdsInstanceId: clean(options.rdsInstanceId, DEFAULT_RDS),
+      efsFileSystem: `${prefix}-${stage}-data`,
+      efsAccessPoint: `${prefix}-${stage}-uptime`,
+      hostedSqliteDbPath,
       evidenceBucket,
       loadBalancer: `${prefix}-${stage}-alb`,
+      protectedAccessMode,
+      edgeDistribution: protectedAccessMode === "cloudfront_default_domain" ? `${prefix}-${stage}-edge` : undefined,
+      protectedAccessUrl,
       targetGroups: [`${prefix}-${stage}-web-tg`],
       securityGroups: [
         `${prefix}-${stage}-alb-sg`,
@@ -3875,7 +3956,8 @@ function buildAwsDeploymentPlan(options = {}) {
         `${prefix}-${stage}-scheduler-sg`,
         `${prefix}-${stage}-public-probe-sg`,
         `${prefix}-${stage}-reporter-sg`,
-        `${prefix}-${stage}-migration-sg`
+        `${prefix}-${stage}-migration-sg`,
+        `${prefix}-${stage}-efs-sg`
       ],
       secrets,
       logGroups: services.map((service) => service.logGroup),
@@ -3887,10 +3969,10 @@ function buildAwsDeploymentPlan(options = {}) {
     image: {
       repository: ecrRepository,
       uri: image,
-      dockerfile: "Dockerfile",
-      buildCommand: `docker build --pull -t ${imageRepositoryUri}:<git-sha> .`,
+      dockerfile: "Dockerfile.package",
+      buildCommand: `BLOCKED: after infra approval, AWS CodeBuild builds Dockerfile.package from @hasna/uptime@${runtimePackageVersion} into ${imageRepositoryUri}`,
       pushCommands: [
-        "BLOCKED: push only from approved CI/CD after the ECR repository and image digest policy exist",
+        `BLOCKED: start ${prefix}-${stage}-image-builder only through the approved deploy pipeline after @hasna/uptime@${runtimePackageVersion} is published`,
         "BLOCKED: deploy services by immutable image digest, not by mutable tags"
       ]
     },
@@ -3905,28 +3987,31 @@ function buildAwsDeploymentPlan(options = {}) {
     runbook: {
       preflight: [
         `aws sts get-caller-identity --profile ${accountName}`,
-        `aws rds describe-db-instances --db-instance-identifier ${clean(options.rdsInstanceId, DEFAULT_RDS)} --region ${region}`,
         `aws ec2 describe-vpcs --vpc-ids ${clean(options.vpcId, DEFAULT_VPC_ID)} --region ${region}`,
+        `aws efs describe-file-systems --region ${region}`,
         "Confirm the infra repository and Terraform/CloudFormation owner before live mutation."
       ],
       provision: [
         `Infra PR must declare or update ECR repository ${ecrRepository}.`,
+        `Infra PR must declare CodeBuild image builder ${prefix}-${stage}-image-builder for @hasna/uptime@${runtimePackageVersion}.`,
         `Infra PR must declare hardened S3 evidence bucket ${evidenceBucket} with KMS, versioning, lifecycle, and public access block.`,
-        `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
+        `Infra PR must declare encrypted EFS ${prefix}-${stage}-data with access point, mount targets, and AWS Backup plan.`,
+        protectedAccessMode === "cloudfront_default_domain" ? "Infra PR must declare CloudFront default-domain HTTPS edge, ALB HTTP listener restricted to CloudFront origin-facing ranges, ECS/Fargate cluster, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs." : `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB HTTPS listener, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
         "Only apply the infra plan from the approved infrastructure repository after review evidence is attached."
       ],
       deploy: [
         "Build and publish the image only after the Dockerfile/container target is reviewed.",
-        "Run the migration task with the migrator role before web/scheduler/probe services.",
+        `Start the AWS image builder for @hasna/uptime@${runtimePackageVersion} and record the pushed image digest.`,
+        "For the EFS SQLite bridge, do not run migration, scheduler, public-probe, or reporter tasks; keep them at desired count 0 until Postgres and cloud leases exist.",
         `Register task definitions for ${services.map((service) => service.name).join(", ")} using valueFrom secrets.`,
         `Update ECS services in cluster ${cluster} one component at a time through the approved deploy pipeline.`,
-        `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
+        protectedAccessMode === "cloudfront_default_domain" ? "Use the CloudFront default HTTPS domain for first protected access; add custom DNS/certificate only after edge ownership is approved." : `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
       ],
       rollback: [
         "Keep previous task definition ARNs before each service update.",
         "Rollback through the approved deploy pipeline to the previously recorded task definition ARNs.",
         "Disable scheduler/reporter services before data rollback.",
-        "Restore RDS snapshot only after explicit operator approval and audit record."
+        "Restore EFS backup recovery point only after explicit operator approval and audit record."
       ],
       spark01: [
         "Create a private probe identity with a caller-managed public key.",
@@ -3935,18 +4020,19 @@ function buildAwsDeploymentPlan(options = {}) {
       ]
     },
     blockers: [
-      "The hasna-xyz-infra infrastructure owner repository was not found in this workspace.",
-      "Hosted Postgres storage adapter and migrations are not implemented.",
+      "The infrastructure owner repository was not found in this workspace.",
+      "The EFS SQLite bridge is single-writer only: web target desired count is 1 and scheduler/public-probe/reporter targets remain 0 until Postgres and cloud leases exist.",
       "Hosted production auth/RBAC must replace broad static hosted-token operation before exposure.",
       "Public probe execution still needs DNS, redirect, and rebinding SSRF enforcement plus cloud check-job leases.",
       "Spark01 hosted probe enrollment, claim, submit, heartbeat, revocation, and rotation are not cloud-backed yet."
     ],
     requiredEvidence: [
       "Infrastructure PR/synth/plan from the approved infra repository.",
-      "Container build smoke and immutable image digest.",
+      "CodeBuild image-builder run, container smoke, and immutable image digest.",
       "ECS task definitions using secrets.valueFrom only.",
-      "ALB/TLS/DNS/auth denial smokes and web alarm checks.",
-      "RDS TLS, backups/PITR, scoped roles, and migration dry-run evidence.",
+      "CloudFront-default-domain or ALB TLS auth-denial smokes, direct-origin denial evidence, and web alarm checks.",
+      "Single-writer ECS evidence: one web task maximum and no scheduler/public-probe/reporter EFS mounts.",
+      "EFS encryption, access point, mount-target, AWS Backup, and restore-drill evidence.",
       "S3 bucket KMS, versioning, lifecycle, and public-access-block evidence.",
       "Spark01 private-probe registration, key-file mode, heartbeat, and revocation evidence."
     ],
@@ -3956,7 +4042,10 @@ function buildAwsDeploymentPlan(options = {}) {
       hostedLocalSqliteAllowed: false,
       notes: [
         "This plan generator does not call AWS.",
-        "Hosted runtime must use Postgres; SQLite remains local/dev fallback only.",
+        "Blocked plan output intentionally avoids copy-pastable AWS mutation commands.",
+        "Default protected access uses CloudFront's HTTPS default domain so first deploy is not blocked on custom DNS or ACM.",
+        "Hosted runtime uses explicit EFS-backed SQLite at HASNA_UPTIME_HOSTED_SQLITE_DB until the async Postgres adapter exists.",
+        "Do not set HASNA_UPTIME_DATABASE_URL for hosted tasks until the Postgres adapter is implemented.",
         "Secrets are represented as secret names/refs and must be injected with valueFrom.",
         "Actual deploy belongs in the deploy_release_operate_final goal node after infra review."
       ]
@@ -4048,7 +4137,7 @@ function servicePlan(prefix, stage, role, desiredCount, image, workspaceId, secr
       HASNA_UPTIME_IMAGE: image,
       ...environment
     },
-    secrets: role === "web" ? { HASNA_UPTIME_DATABASE_URL: secrets.database, APP_ENV: secrets.appEnv, HASNA_UPTIME_HOSTED_TOKEN: secrets.hostedToken } : role === "public-probe" ? { PROBE_CONFIG: secrets.publicProbe } : role === "reporter" ? { HASNA_UPTIME_DATABASE_URL: secrets.database, REPORTING_CONFIG: secrets.reporting } : { HASNA_UPTIME_DATABASE_URL: secrets.database, APP_ENV: secrets.appEnv }
+    secrets: role === "web" ? { APP_ENV: secrets.appEnv, HASNA_UPTIME_HOSTED_TOKEN: secrets.hostedToken } : role === "public-probe" ? { PROBE_CONFIG: secrets.publicProbe } : role === "reporter" ? { REPORTING_CONFIG: secrets.reporting } : { APP_ENV: secrets.appEnv }
   };
 }
 function clean(value, fallback) {