@hasna/uptime 0.1.7 → 0.1.8

package/CHANGELOG.md

@@ -6,6 +6,21 @@ project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [0.1.8] - 2026-06-28
+
+### Added
+
+- CloudFront default-domain protected web access mode for first AWS deployment,
+  with ALB HTTP restricted to CloudFront origin-facing ranges.
+- Hosted public-origin allow-list support through
+  `HASNA_UPTIME_ALLOWED_ORIGINS`, wired by the AWS template for CloudFront and
+  custom HTTPS access modes.
+
+### Changed
+
+- AWS Terraform and cloud-plan defaults no longer require custom Route53/ACM
+  inputs for the first protected web deployment path.
+
 ## [0.1.7] - 2026-06-28
 
 ### Added

package/README.md

@@ -48,7 +48,11 @@ in `docs/aws-deployment-runbook.md` is satisfied.
 
 Deployment review artifacts live in `Dockerfile` and `infra/aws`. The Terraform
 desired counts default to zero, and `uptime cloud plan --json` exposes the
-format/init/validate/plan commands with `applyAllowed: false`. Hosted AWS
+format/init/validate/plan commands with `applyAllowed: false`. The first
+protected access path uses the CloudFront default HTTPS domain with ALB origin
+ingress restricted to CloudFront. The hosted web task must set
+`HASNA_UPTIME_ALLOWED_ORIGINS` to the public HTTPS edge origin so same-origin
+browser mutations still pass when the private origin hop is HTTP. Hosted AWS
 runtime state currently uses explicit EFS-backed SQLite via
 `HASNA_UPTIME_HOSTED_SQLITE_DB=/data/uptime/uptime.db` for one protected web
 task maximum; do not set `HASNA_UPTIME_DATABASE_URL` until the async Postgres
@@ -87,6 +91,8 @@ State-changing API requests reject cross-origin browser requests and
 non-loopback mutation hosts by default. For a trusted remote bind, set
 `HASNA_UPTIME_API_TOKEN` or pass `uptime serve --api-token <token>` and send
 `Authorization: Bearer <token>` or `X-Uptime-Token: <token>`.
+Hosted mode additionally accepts comma-separated public origins from
+`HASNA_UPTIME_ALLOWED_ORIGINS` for deployments behind a TLS-terminating edge.
 Endpoints that accept request bodies require `content-type: application/json`.
 
 ## Uptime Semantics

package/dist/api.d.ts

@@ -9,12 +9,14 @@ export interface ServeOptions extends UptimeServiceOptions {
     apiToken?: string;
     hostedToken?: string;
     hostedTokens?: HostedToken[];
+    hostedAllowedOrigins?: string[];
     allowUnsafeRemoteMutations?: boolean;
 }
 export interface CreateApiHandlerOptions {
     apiToken?: string;
     hostedToken?: string;
     hostedTokens?: HostedToken[];
+    hostedAllowedOrigins?: string[];
     allowUnsafeRemoteMutations?: boolean;
     fetchImpl?: typeof fetch;
     trustedLoopback?: boolean;

package/dist/api.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"api.d.ts","sourceRoot":"","sources":["../src/api.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAAE,KAAK,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACxE,OAAO,EAAsB,KAAK,iBAAiB,EAAE,MAAM,YAAY,CAAC;AACxE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAElD,MAAM,WAAW,YAAa,SAAQ,oBAAoB;IACxD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,WAAW,EAAE,CAAC;IAC7B,0BAA0B,CAAC,EAAE,OAAO,CAAC;CACtC;AAED,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,WAAW,EAAE,CAAC;IAC7B,0BAA0B,CAAC,EAAE,OAAO,CAAC;IACrC,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;IACzB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,IAAI,CAAC,EAAE,iBAAiB,CAAC;CAC1B;AAED,MAAM,MAAM,WAAW,GAAG,aAAa,GAAG,cAAc,GAAG,cAAc,GAAG,eAAe,GAAG,cAAc,CAAC;AAE7G,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,WAAW,EAAE,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAOD,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,aAAa,EAAE,OAAO,GAAE,uBAA4B,GAAG,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CA2BvI;AAED,wBAAgB,WAAW,CAAC,OAAO,GAAE,YAAiB,GAAG;IAAE,MAAM,EAAE,UAAU,CAAC,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC;IAAC,OAAO,EAAE,aAAa,CAAC;IAAC,SAAS,CAAC,EAAE,eAAe,CAAA;CAAE,CA2BrJ"}
+{"version":3,"file":"api.d.ts","sourceRoot":"","sources":["../src/api.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAAE,KAAK,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACxE,OAAO,EAAsB,KAAK,iBAAiB,EAAE,MAAM,YAAY,CAAC;AACxE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAElD,MAAM,WAAW,YAAa,SAAQ,oBAAoB;IACxD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,WAAW,EAAE,CAAC;IAC7B,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC,0BAA0B,CAAC,EAAE,OAAO,CAAC;CACtC;AAED,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,WAAW,EAAE,CAAC;IAC7B,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC,0BAA0B,CAAC,EAAE,OAAO,CAAC;IACrC,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;IACzB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,IAAI,CAAC,EAAE,iBAAiB,CAAC;CAC1B;AAED,MAAM,MAAM,WAAW,GAAG,aAAa,GAAG,cAAc,GAAG,cAAc,GAAG,eAAe,GAAG,cAAc,CAAC;AAE7G,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,WAAW,EAAE,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAOD,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,aAAa,EAAE,OAAO,GAAE,uBAA4B,GAAG,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CA2BvI;AAED,wBAAgB,WAAW,CAAC,OAAO,GAAE,YAAiB,GAAG;IAAE,MAAM,EAAE,UAAU,CAAC,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC;IAAC,OAAO,EAAE,aAAa,CAAC;IAAC,SAAS,CAAC,EAAE,eAAe,CAAA;CAAE,CA4BrJ"}

package/dist/api.js

@@ -3510,6 +3510,7 @@ function serveUptime(options = {}) {
       apiToken: options.apiToken,
       hostedToken: options.hostedToken,
       hostedTokens: options.hostedTokens,
+      hostedAllowedOrigins: options.hostedAllowedOrigins,
       allowUnsafeRemoteMutations: options.allowUnsafeRemoteMutations,
       trustedLoopback: isLoopbackHost(options.host ?? "127.0.0.1"),
       mode
@@ -3569,13 +3570,23 @@ async function handleHostedRequest(service, request, url, options) {
   const scope = hostedScopeFor(request.method, apiPath);
   requireHostedActor(request, url, options, scope);
   if (["POST", "PATCH", "DELETE"].includes(request.method)) {
-    const origin = request.headers.get("origin");
-    if (origin && origin !== `${url.protocol}//${url.host}`) {
-      throw new ApiError("cross-origin mutation rejected", 403);
-    }
+    validateHostedMutationOrigin(request, url, options);
   }
   return handleApiRoute(service, request, url, apiPath, options, true);
 }
+function validateHostedMutationOrigin(request, url, options) {
+  const rawOrigin = request.headers.get("origin");
+  const origin = normalizeOrigin(rawOrigin);
+  if (rawOrigin && !origin) {
+    throw new ApiError("cross-origin mutation rejected", 403);
+  }
+  if (!origin)
+    return;
+  const allowedOrigins = new Set([`${url.protocol}//${url.host}`, ...resolveHostedAllowedOrigins(options)]);
+  if (!allowedOrigins.has(origin)) {
+    throw new ApiError("cross-origin mutation rejected", 403);
+  }
+}
 async function handleApiRoute(service, request, url, apiPath, options, hosted) {
   if (request.method === "GET" && apiPath === "/api/summary") {
     return json(service.summary());
@@ -3794,6 +3805,34 @@ function resolveHostedTokens(options) {
     workspaceId: process.env.HASNA_UPTIME_WORKSPACE_ID ?? "default"
   }];
 }
+function resolveHostedAllowedOrigins(options) {
+  const configured = options.hostedAllowedOrigins ?? splitCsv(process.env.HASNA_UPTIME_ALLOWED_ORIGINS);
+  return configured.map((origin) => normalizeAllowedOrigin(origin)).filter((origin) => Boolean(origin));
+}
+function splitCsv(value) {
+  if (!value)
+    return [];
+  return value.split(",").map((entry) => entry.trim()).filter(Boolean);
+}
+function normalizeAllowedOrigin(value) {
+  const origin = normalizeOrigin(value);
+  if (!origin) {
+    throw new ApiError(`invalid hosted allowed origin: ${value}`, 500);
+  }
+  return origin;
+}
+function normalizeOrigin(value) {
+  if (!value?.trim())
+    return;
+  try {
+    const parsed = new URL(value.trim());
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:")
+      return;
+    return `${parsed.protocol}//${parsed.host}`;
+  } catch {
+    return;
+  }
+}
 function safeTokenEqual(candidate, expected) {
   if (!candidate)
     return false;

package/dist/cli/index.js

@@ -6107,6 +6107,7 @@ function serveUptime(options = {}) {
       apiToken: options.apiToken,
       hostedToken: options.hostedToken,
       hostedTokens: options.hostedTokens,
+      hostedAllowedOrigins: options.hostedAllowedOrigins,
       allowUnsafeRemoteMutations: options.allowUnsafeRemoteMutations,
       trustedLoopback: isLoopbackHost(options.host ?? "127.0.0.1"),
       mode
@@ -6166,13 +6167,23 @@ async function handleHostedRequest(service, request, url, options) {
   const scope = hostedScopeFor(request.method, apiPath);
   requireHostedActor(request, url, options, scope);
   if (["POST", "PATCH", "DELETE"].includes(request.method)) {
-    const origin = request.headers.get("origin");
-    if (origin && origin !== `${url.protocol}//${url.host}`) {
-      throw new ApiError("cross-origin mutation rejected", 403);
-    }
+    validateHostedMutationOrigin(request, url, options);
   }
   return handleApiRoute(service, request, url, apiPath, options, true);
 }
+function validateHostedMutationOrigin(request, url, options) {
+  const rawOrigin = request.headers.get("origin");
+  const origin = normalizeOrigin(rawOrigin);
+  if (rawOrigin && !origin) {
+    throw new ApiError("cross-origin mutation rejected", 403);
+  }
+  if (!origin)
+    return;
+  const allowedOrigins = new Set([`${url.protocol}//${url.host}`, ...resolveHostedAllowedOrigins(options)]);
+  if (!allowedOrigins.has(origin)) {
+    throw new ApiError("cross-origin mutation rejected", 403);
+  }
+}
 async function handleApiRoute(service, request, url, apiPath, options, hosted) {
   if (request.method === "GET" && apiPath === "/api/summary") {
     return json(service.summary());
@@ -6391,6 +6402,34 @@ function resolveHostedTokens(options) {
     workspaceId: process.env.HASNA_UPTIME_WORKSPACE_ID ?? "default"
   }];
 }
+function resolveHostedAllowedOrigins(options) {
+  const configured = options.hostedAllowedOrigins ?? splitCsv(process.env.HASNA_UPTIME_ALLOWED_ORIGINS);
+  return configured.map((origin) => normalizeAllowedOrigin(origin)).filter((origin) => Boolean(origin));
+}
+function splitCsv(value) {
+  if (!value)
+    return [];
+  return value.split(",").map((entry) => entry.trim()).filter(Boolean);
+}
+function normalizeAllowedOrigin(value) {
+  const origin = normalizeOrigin(value);
+  if (!origin) {
+    throw new ApiError(`invalid hosted allowed origin: ${value}`, 500);
+  }
+  return origin;
+}
+function normalizeOrigin(value) {
+  if (!value?.trim())
+    return;
+  try {
+    const parsed = new URL(value.trim());
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:")
+      return;
+    return `${parsed.protocol}//${parsed.host}`;
+  } catch {
+    return;
+  }
+}
 function safeTokenEqual(candidate, expected) {
   if (!candidate)
     return false;
@@ -6426,6 +6465,7 @@ var DEFAULT_HOSTNAME = "uptime.example.com";
 var DEFAULT_WORKSPACE_ID = "workspace-id";
 var DEFAULT_VPC_ID = "vpc-xxxxxxxx";
 var DEFAULT_HOSTED_SQLITE_DB = "/data/uptime/uptime.db";
+var DEFAULT_PROTECTED_ACCESS_MODE = "cloudfront_default_domain";
 function buildAwsDeploymentPlan(options = {}) {
   const region = clean(options.region, DEFAULT_REGION);
   const stage = clean(options.stage, DEFAULT_STAGE);
@@ -6438,7 +6478,9 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.7");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.8");
+  const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
+  const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;
   const secrets = {
     appEnv: clean(options.appEnvSecretName, `open-uptime/${stage}/app/env`),
@@ -6452,7 +6494,8 @@ function buildAwsDeploymentPlan(options = {}) {
       HASNA_UPTIME_MODE: "hosted",
       HASNA_UPTIME_HOSTED_SQLITE_DB: hostedSqliteDbPath,
       HASNA_UPTIME_WORKSPACE_ID: workspaceId,
-      HASNA_UPTIME_HOSTNAME: hostname
+      HASNA_UPTIME_HOSTNAME: hostname,
+      HASNA_UPTIME_ALLOWED_ORIGINS: protectedAccessUrl
     }),
     servicePlan(prefix, stage, "scheduler", 0, image, workspaceId, secrets, {
       HASNA_UPTIME_MODE: "hosted",
@@ -6478,7 +6521,7 @@ function buildAwsDeploymentPlan(options = {}) {
   ];
   return {
     kind: "open-uptime.aws-deployment-plan",
-    version: 2,
+    version: 3,
     generatedAt: new Date().toISOString(),
     status: "blocked",
     canApply: false,
@@ -6500,6 +6543,9 @@ function buildAwsDeploymentPlan(options = {}) {
       hostedSqliteDbPath,
       evidenceBucket,
       loadBalancer: `${prefix}-${stage}-alb`,
+      protectedAccessMode,
+      edgeDistribution: protectedAccessMode === "cloudfront_default_domain" ? `${prefix}-${stage}-edge` : undefined,
+      protectedAccessUrl,
       targetGroups: [`${prefix}-${stage}-web-tg`],
       securityGroups: [
         `${prefix}-${stage}-alb-sg`,
@@ -6547,7 +6593,7 @@ function buildAwsDeploymentPlan(options = {}) {
         `Infra PR must declare CodeBuild image builder ${prefix}-${stage}-image-builder for @hasna/uptime@${runtimePackageVersion}.`,
         `Infra PR must declare hardened S3 evidence bucket ${evidenceBucket} with KMS, versioning, lifecycle, and public access block.`,
         `Infra PR must declare encrypted EFS ${prefix}-${stage}-data with access point, mount targets, and AWS Backup plan.`,
-        `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
+        protectedAccessMode === "cloudfront_default_domain" ? "Infra PR must declare CloudFront default-domain HTTPS edge, ALB HTTP listener restricted to CloudFront origin-facing ranges, ECS/Fargate cluster, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs." : `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB HTTPS listener, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
         "Only apply the infra plan from the approved infrastructure repository after review evidence is attached."
       ],
       deploy: [
@@ -6556,7 +6602,7 @@ function buildAwsDeploymentPlan(options = {}) {
         "For the EFS SQLite bridge, do not run migration, scheduler, public-probe, or reporter tasks; keep them at desired count 0 until Postgres and cloud leases exist.",
         `Register task definitions for ${services.map((service) => service.name).join(", ")} using valueFrom secrets.`,
         `Update ECS services in cluster ${cluster} one component at a time through the approved deploy pipeline.`,
-        `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
+        protectedAccessMode === "cloudfront_default_domain" ? "Use the CloudFront default HTTPS domain for first protected access; add custom DNS/certificate only after edge ownership is approved." : `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
       ],
       rollback: [
         "Keep previous task definition ARNs before each service update.",
@@ -6581,7 +6627,7 @@ function buildAwsDeploymentPlan(options = {}) {
       "Infrastructure PR/synth/plan from the approved infra repository.",
       "CodeBuild image-builder run, container smoke, and immutable image digest.",
       "ECS task definitions using secrets.valueFrom only.",
-      "ALB/TLS/DNS/auth denial smokes and web alarm checks.",
+      "CloudFront-default-domain or ALB TLS auth-denial smokes, direct-origin denial evidence, and web alarm checks.",
       "Single-writer ECS evidence: one web task maximum and no scheduler/public-probe/reporter EFS mounts.",
       "EFS encryption, access point, mount-target, AWS Backup, and restore-drill evidence.",
       "S3 bucket KMS, versioning, lifecycle, and public-access-block evidence.",
@@ -6594,6 +6640,7 @@ function buildAwsDeploymentPlan(options = {}) {
       notes: [
         "This plan generator does not call AWS.",
         "Blocked plan output intentionally avoids copy-pastable AWS mutation commands.",
+        "Default protected access uses CloudFront's HTTPS default domain so first deploy is not blocked on custom DNS or ACM.",
         "Hosted runtime uses explicit EFS-backed SQLite at HASNA_UPTIME_HOSTED_SQLITE_DB until the async Postgres adapter exists.",
         "Do not set HASNA_UPTIME_DATABASE_URL for hosted tasks until the Postgres adapter is implemented.",
         "Secrets are represented as secret names/refs and must be injected with valueFrom.",
@@ -7008,7 +7055,7 @@ program2.command("audit").description("List local audit events").option("--resou
   }
 });
 var cloud = program2.command("cloud").description("Generate dry-run cloud deployment and Spark01 configuration artifacts");
-cloud.command("plan").description("Generate a dry-run AWS deployment plan").option("--account <name>", "AWS account/profile label", "aws-profile").option("--region <region>", "AWS region", "us-east-1").option("--stage <stage>", "deployment stage", "prod").option("--hostname <hostname>", "hosted Open Uptime hostname", "uptime.example.com").option("--workspace-id <id>", "workspace id", "workspace-id").option("--vpc-id <id>", "target VPC id").option("--hosted-sqlite-db <path>", "hosted SQLite path on the EFS mount").option("--rds-instance-id <id>", "deprecated; ignored until the hosted Postgres adapter exists").option("--database-secret-name <name>", "deprecated; ignored until the hosted Postgres adapter exists").option("--ecr-repository <name>", "ECR repository name").option("--image <uri>", "container image URI").option("--runtime-package-version <version>", "published @hasna/uptime version for the AWS image builder").option("--evidence-bucket <name>", "S3 evidence bucket name").option("-j, --json", "print JSON").action((opts) => {
+cloud.command("plan").description("Generate a dry-run AWS deployment plan").option("--account <name>", "AWS account/profile label", "aws-profile").option("--region <region>", "AWS region", "us-east-1").option("--stage <stage>", "deployment stage", "prod").option("--hostname <hostname>", "hosted Open Uptime hostname", "uptime.example.com").option("--workspace-id <id>", "workspace id", "workspace-id").option("--vpc-id <id>", "target VPC id").option("--hosted-sqlite-db <path>", "hosted SQLite path on the EFS mount").option("--rds-instance-id <id>", "deprecated; ignored until the hosted Postgres adapter exists").option("--database-secret-name <name>", "deprecated; ignored until the hosted Postgres adapter exists").option("--ecr-repository <name>", "ECR repository name").option("--image <uri>", "container image URI").option("--runtime-package-version <version>", "published @hasna/uptime version for the AWS image builder").addOption(new Option("--protected-access-mode <mode>", "protected web access mode").choices(["cloudfront_default_domain", "alb_https_cert"]).default("cloudfront_default_domain")).option("--evidence-bucket <name>", "S3 evidence bucket name").option("-j, --json", "print JSON").action((opts) => {
   try {
     const plan = buildAwsDeploymentPlan({
       accountName: opts.account,
@@ -7023,6 +7070,7 @@ cloud.command("plan").description("Generate a dry-run AWS deployment plan").opti
       ecrRepository: opts.ecrRepository,
       image: opts.image,
       runtimePackageVersion: opts.runtimePackageVersion,
+      protectedAccessMode: opts.protectedAccessMode,
       evidenceBucket: opts.evidenceBucket
     });
     print(plan, renderCloudPlan(plan), opts);
@@ -7416,6 +7464,7 @@ function renderCloudPlan(plan) {
     `vpc: ${plan.resources.vpcId}`,
     `efs: ${plan.resources.efsFileSystem}`,
     `hosted sqlite: ${plan.resources.hostedSqliteDbPath}`,
+    `protected access: ${plan.resources.protectedAccessMode} ${plan.resources.protectedAccessUrl}`,
     `services: ${plan.resources.services.map((service2) => `${service2.name}:${service2.desiredCount}/${service2.targetDesiredCount}`).join(", ")}`,
     `evidence bucket: ${plan.resources.evidenceBucket}`,
     `blockers: ${plan.blockers.length}`,

package/dist/cloud-plan.d.ts

@@ -11,6 +11,7 @@ export interface AwsDeploymentPlanOptions {
     evidenceBucket?: string;
     hostedSqliteDbPath?: string;
     runtimePackageVersion?: string;
+    protectedAccessMode?: "cloudfront_default_domain" | "alb_https_cert";
     /** @deprecated Postgres is target-state only until the async adapter is implemented. */
     rdsInstanceId?: string;
     /** @deprecated Postgres is target-state only until the async adapter is implemented. */
@@ -23,7 +24,7 @@ export interface AwsDeploymentPlanOptions {
 }
 export interface AwsDeploymentPlan {
     kind: "open-uptime.aws-deployment-plan";
-    version: 2;
+    version: 3;
     generatedAt: string;
     status: "blocked";
     canApply: false;
@@ -45,6 +46,9 @@ export interface AwsDeploymentPlan {
         hostedSqliteDbPath: string;
         evidenceBucket: string;
         loadBalancer: string;
+        protectedAccessMode: "cloudfront_default_domain" | "alb_https_cert";
+        edgeDistribution?: string;
+        protectedAccessUrl: string;
         targetGroups: string[];
         securityGroups: string[];
         secrets: Record<string, string>;

package/dist/cloud-plan.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cloud-plan.d.ts","sourceRoot":"","sources":["../src/cloud-plan.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,wBAAwB;IACvC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,wFAAwF;IACxF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,wFAAwF;IACxF,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,iCAAiC,CAAC;IACxC,OAAO,EAAE,CAAC,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,SAAS,CAAC;IAClB,QAAQ,EAAE,KAAK,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,QAAQ,CAAC;IACf,SAAS,EAAE;QACT,aAAa,EAAE,MAAM,CAAC;QACtB,YAAY,EAAE,MAAM,CAAC;QACrB,UAAU,EAAE,MAAM,CAAC;QACnB,QAAQ,EAAE,cAAc,EAAE,CAAC;QAC3B,KAAK,EAAE,MAAM,CAAC;QACd,aAAa,EAAE,MAAM,CAAC;QACtB,cAAc,EAAE,MAAM,CAAC;QACvB,kBAAkB,EAAE,MAAM,CAAC;QAC3B,cAAc,EAAE,MAAM,CAAC;QACvB,YAAY,EAAE,MAAM,CAAC;QACrB,YAAY,EAAE,MAAM,EAAE,CAAC;QACvB,cAAc,EAAE,MAAM,EAAE,CAAC;QACzB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAChC,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,MAAM,EAAE,MAAM,EAAE,CAAC;KAClB,CAAC;IACF,KAAK,EAAE;QACL,UAAU,EAAE,MAAM,CAAC;QACnB,GAAG,EAAE,MAAM,CAAC;QACZ,UAAU,EAAE,MAAM,CAAC;QACnB,YAAY,EAAE,MAAM,CAAC;QACrB,YAAY,EAAE,MAAM,EAAE,CAAC;KACxB,CAAC;IACF,KAAK,EAAE;QACL,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;QACnB,WAAW,EAAE,MAAM,CAAC;QACpB,eAAe,EAAE,MAAM,CAAC;QACxB,WAAW,EAAE,MAAM,CAAC;QACpB,YAAY,EAAE,KAAK,CAAC;KACrB,CAAC;IACF,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,QAAQ,EAAE,MAAM,EAAE,CAAC;QACnB,OAAO,EAAE,MAAM,EAAE,CAAC;KACnB,CAAC;IACF,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,MAAM,EAAE;QACN,eAAe,EAAE,KAAK,CAAC;QACvB,gBAAgB,EAAE,KAAK,CAAC;QACxB,wBAAwB,EAAE,KAAK,CAAC;QAChC,KAAK,EAAE,MAAM,EAAE,CAAC;KACjB,CAAC;CACH;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,KAAK,GAAG,WAAW,GAAG,cAAc,GAAG,UAAU,GAAG,WAAW,CAAC;IACtE,YAAY,EAAE,MAAM,CAAC;IACrB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACjC;AAED,MAAM,WAAW,yBAAyB;IACxC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,kCAAkC,CAAC;IACzC,OAAO,EAAE,CAAC,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,SAAS,CAAC;IAClB,QAAQ,EAAE,KAAK,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,eAAe,CAAC;IACtB,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5B,KAAK,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC9D,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,MAAM,EAAE;QACN,gBAAgB,EAAE,KAAK,CAAC;QACxB,WAAW,EAAE,KAAK,CAAC;QACnB,KAAK,EAAE,MAAM,EAAE,CAAC;KACjB,CAAC;CACH;AAWD,wBAAgB,sBAAsB,CAAC,OAAO,GAAE,wBAA6B,GAAG,iBAAiB,CAgLhG;AAED,wBAAgB,uBAAuB,CAAC,OAAO,GAAE,yBAA8B,GAAG,kBAAkB,CA2DnG;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,kBAAkB,GAAG,MAAM,CASnE"}
+{"version":3,"file":"cloud-plan.d.ts","sourceRoot":"","sources":["../src/cloud-plan.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,wBAAwB;IACvC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,mBAAmB,CAAC,EAAE,2BAA2B,GAAG,gBAAgB,CAAC;IACrE,wFAAwF;IACxF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,wFAAwF;IACxF,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,iCAAiC,CAAC;IACxC,OAAO,EAAE,CAAC,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,SAAS,CAAC;IAClB,QAAQ,EAAE,KAAK,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,QAAQ,CAAC;IACf,SAAS,EAAE;QACT,aAAa,EAAE,MAAM,CAAC;QACtB,YAAY,EAAE,MAAM,CAAC;QACrB,UAAU,EAAE,MAAM,CAAC;QACnB,QAAQ,EAAE,cAAc,EAAE,CAAC;QAC3B,KAAK,EAAE,MAAM,CAAC;QACd,aAAa,EAAE,MAAM,CAAC;QACtB,cAAc,EAAE,MAAM,CAAC;QACvB,kBAAkB,EAAE,MAAM,CAAC;QAC3B,cAAc,EAAE,MAAM,CAAC;QACvB,YAAY,EAAE,MAAM,CAAC;QACrB,mBAAmB,EAAE,2BAA2B,GAAG,gBAAgB,CAAC;QACpE,gBAAgB,CAAC,EAAE,MAAM,CAAC;QAC1B,kBAAkB,EAAE,MAAM,CAAC;QAC3B,YAAY,EAAE,MAAM,EAAE,CAAC;QACvB,cAAc,EAAE,MAAM,EAAE,CAAC;QACzB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAChC,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,MAAM,EAAE,MAAM,EAAE,CAAC;KAClB,CAAC;IACF,KAAK,EAAE;QACL,UAAU,EAAE,MAAM,CAAC;QACnB,GAAG,EAAE,MAAM,CAAC;QACZ,UAAU,EAAE,MAAM,CAAC;QACnB,YAAY,EAAE,MAAM,CAAC;QACrB,YAAY,EAAE,MAAM,EAAE,CAAC;KACxB,CAAC;IACF,KAAK,EAAE;QACL,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;QACnB,WAAW,EAAE,MAAM,CAAC;QACpB,eAAe,EAAE,MAAM,CAAC;QACxB,WAAW,EAAE,MAAM,CAAC;QACpB,YAAY,EAAE,KAAK,CAAC;KACrB,CAAC;IACF,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,QAAQ,EAAE,MAAM,EAAE,CAAC;QACnB,OAAO,EAAE,MAAM,EAAE,CAAC;KACnB,CAAC;IACF,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,MAAM,EAAE;QACN,eAAe,EAAE,KAAK,CAAC;QACvB,gBAAgB,EAAE,KAAK,CAAC;QACxB,wBAAwB,EAAE,KAAK,CAAC;QAChC,KAAK,EAAE,MAAM,EAAE,CAAC;KACjB,CAAC;CACH;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,KAAK,GAAG,WAAW,GAAG,cAAc,GAAG,UAAU,GAAG,WAAW,CAAC;IACtE,YAAY,EAAE,MAAM,CAAC;IACrB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACjC;AAED,MAAM,WAAW,yBAAyB;IACxC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,kCAAkC,CAAC;IACzC,OAAO,EAAE,CAAC,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,SAAS,CAAC;IAClB,QAAQ,EAAE,KAAK,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,eAAe,CAAC;IACtB,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5B,KAAK,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC9D,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,MAAM,EAAE;QACN,gBAAgB,EAAE,KAAK,CAAC;QACxB,WAAW,EAAE,KAAK,CAAC;QACnB,KAAK,EAAE,MAAM,EAAE,CAAC;KACjB,CAAC;CACH;AAYD,wBAAgB,sBAAsB,CAAC,OAAO,GAAE,wBAA6B,GAAG,iBAAiB,CA2LhG;AAED,wBAAgB,uBAAuB,CAAC,OAAO,GAAE,yBAA8B,GAAG,kBAAkB,CA2DnG;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,kBAAkB,GAAG,MAAM,CASnE"}

package/dist/cloud-plan.js

@@ -8,6 +8,7 @@ var DEFAULT_HOSTNAME = "uptime.example.com";
 var DEFAULT_WORKSPACE_ID = "workspace-id";
 var DEFAULT_VPC_ID = "vpc-xxxxxxxx";
 var DEFAULT_HOSTED_SQLITE_DB = "/data/uptime/uptime.db";
+var DEFAULT_PROTECTED_ACCESS_MODE = "cloudfront_default_domain";
 function buildAwsDeploymentPlan(options = {}) {
   const region = clean(options.region, DEFAULT_REGION);
   const stage = clean(options.stage, DEFAULT_STAGE);
@@ -20,7 +21,9 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.7");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.8");
+  const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
+  const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;
   const secrets = {
     appEnv: clean(options.appEnvSecretName, `open-uptime/${stage}/app/env`),
@@ -34,7 +37,8 @@ function buildAwsDeploymentPlan(options = {}) {
       HASNA_UPTIME_MODE: "hosted",
       HASNA_UPTIME_HOSTED_SQLITE_DB: hostedSqliteDbPath,
       HASNA_UPTIME_WORKSPACE_ID: workspaceId,
-      HASNA_UPTIME_HOSTNAME: hostname
+      HASNA_UPTIME_HOSTNAME: hostname,
+      HASNA_UPTIME_ALLOWED_ORIGINS: protectedAccessUrl
     }),
     servicePlan(prefix, stage, "scheduler", 0, image, workspaceId, secrets, {
       HASNA_UPTIME_MODE: "hosted",
@@ -60,7 +64,7 @@ function buildAwsDeploymentPlan(options = {}) {
   ];
   return {
     kind: "open-uptime.aws-deployment-plan",
-    version: 2,
+    version: 3,
     generatedAt: new Date().toISOString(),
     status: "blocked",
     canApply: false,
@@ -82,6 +86,9 @@ function buildAwsDeploymentPlan(options = {}) {
       hostedSqliteDbPath,
       evidenceBucket,
       loadBalancer: `${prefix}-${stage}-alb`,
+      protectedAccessMode,
+      edgeDistribution: protectedAccessMode === "cloudfront_default_domain" ? `${prefix}-${stage}-edge` : undefined,
+      protectedAccessUrl,
       targetGroups: [`${prefix}-${stage}-web-tg`],
       securityGroups: [
         `${prefix}-${stage}-alb-sg`,
@@ -129,7 +136,7 @@ function buildAwsDeploymentPlan(options = {}) {
         `Infra PR must declare CodeBuild image builder ${prefix}-${stage}-image-builder for @hasna/uptime@${runtimePackageVersion}.`,
         `Infra PR must declare hardened S3 evidence bucket ${evidenceBucket} with KMS, versioning, lifecycle, and public access block.`,
         `Infra PR must declare encrypted EFS ${prefix}-${stage}-data with access point, mount targets, and AWS Backup plan.`,
-        `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
+        protectedAccessMode === "cloudfront_default_domain" ? "Infra PR must declare CloudFront default-domain HTTPS edge, ALB HTTP listener restricted to CloudFront origin-facing ranges, ECS/Fargate cluster, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs." : `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB HTTPS listener, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
         "Only apply the infra plan from the approved infrastructure repository after review evidence is attached."
       ],
       deploy: [
@@ -138,7 +145,7 @@ function buildAwsDeploymentPlan(options = {}) {
         "For the EFS SQLite bridge, do not run migration, scheduler, public-probe, or reporter tasks; keep them at desired count 0 until Postgres and cloud leases exist.",
         `Register task definitions for ${services.map((service) => service.name).join(", ")} using valueFrom secrets.`,
         `Update ECS services in cluster ${cluster} one component at a time through the approved deploy pipeline.`,
-        `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
+        protectedAccessMode === "cloudfront_default_domain" ? "Use the CloudFront default HTTPS domain for first protected access; add custom DNS/certificate only after edge ownership is approved." : `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
       ],
       rollback: [
         "Keep previous task definition ARNs before each service update.",
@@ -163,7 +170,7 @@ function buildAwsDeploymentPlan(options = {}) {
       "Infrastructure PR/synth/plan from the approved infra repository.",
       "CodeBuild image-builder run, container smoke, and immutable image digest.",
       "ECS task definitions using secrets.valueFrom only.",
-      "ALB/TLS/DNS/auth denial smokes and web alarm checks.",
+      "CloudFront-default-domain or ALB TLS auth-denial smokes, direct-origin denial evidence, and web alarm checks.",
       "Single-writer ECS evidence: one web task maximum and no scheduler/public-probe/reporter EFS mounts.",
       "EFS encryption, access point, mount-target, AWS Backup, and restore-drill evidence.",
       "S3 bucket KMS, versioning, lifecycle, and public-access-block evidence.",
@@ -176,6 +183,7 @@ function buildAwsDeploymentPlan(options = {}) {
       notes: [
         "This plan generator does not call AWS.",
         "Blocked plan output intentionally avoids copy-pastable AWS mutation commands.",
+        "Default protected access uses CloudFront's HTTPS default domain so first deploy is not blocked on custom DNS or ACM.",
         "Hosted runtime uses explicit EFS-backed SQLite at HASNA_UPTIME_HOSTED_SQLITE_DB until the async Postgres adapter exists.",
         "Do not set HASNA_UPTIME_DATABASE_URL for hosted tasks until the Postgres adapter is implemented.",
         "Secrets are represented as secret names/refs and must be injected with valueFrom.",

package/dist/index.js

@@ -3510,6 +3510,7 @@ function serveUptime(options = {}) {
       apiToken: options.apiToken,
       hostedToken: options.hostedToken,
       hostedTokens: options.hostedTokens,
+      hostedAllowedOrigins: options.hostedAllowedOrigins,
       allowUnsafeRemoteMutations: options.allowUnsafeRemoteMutations,
       trustedLoopback: isLoopbackHost(options.host ?? "127.0.0.1"),
       mode
@@ -3569,13 +3570,23 @@ async function handleHostedRequest(service, request, url, options) {
   const scope = hostedScopeFor(request.method, apiPath);
   requireHostedActor(request, url, options, scope);
   if (["POST", "PATCH", "DELETE"].includes(request.method)) {
-    const origin = request.headers.get("origin");
-    if (origin && origin !== `${url.protocol}//${url.host}`) {
-      throw new ApiError("cross-origin mutation rejected", 403);
-    }
+    validateHostedMutationOrigin(request, url, options);
   }
   return handleApiRoute(service, request, url, apiPath, options, true);
 }
+function validateHostedMutationOrigin(request, url, options) {
+  const rawOrigin = request.headers.get("origin");
+  const origin = normalizeOrigin(rawOrigin);
+  if (rawOrigin && !origin) {
+    throw new ApiError("cross-origin mutation rejected", 403);
+  }
+  if (!origin)
+    return;
+  const allowedOrigins = new Set([`${url.protocol}//${url.host}`, ...resolveHostedAllowedOrigins(options)]);
+  if (!allowedOrigins.has(origin)) {
+    throw new ApiError("cross-origin mutation rejected", 403);
+  }
+}
 async function handleApiRoute(service, request, url, apiPath, options, hosted) {
   if (request.method === "GET" && apiPath === "/api/summary") {
     return json(service.summary());
@@ -3794,6 +3805,34 @@ function resolveHostedTokens(options) {
     workspaceId: process.env.HASNA_UPTIME_WORKSPACE_ID ?? "default"
   }];
 }
+function resolveHostedAllowedOrigins(options) {
+  const configured = options.hostedAllowedOrigins ?? splitCsv(process.env.HASNA_UPTIME_ALLOWED_ORIGINS);
+  return configured.map((origin) => normalizeAllowedOrigin(origin)).filter((origin) => Boolean(origin));
+}
+function splitCsv(value) {
+  if (!value)
+    return [];
+  return value.split(",").map((entry) => entry.trim()).filter(Boolean);
+}
+function normalizeAllowedOrigin(value) {
+  const origin = normalizeOrigin(value);
+  if (!origin) {
+    throw new ApiError(`invalid hosted allowed origin: ${value}`, 500);
+  }
+  return origin;
+}
+function normalizeOrigin(value) {
+  if (!value?.trim())
+    return;
+  try {
+    const parsed = new URL(value.trim());
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:")
+      return;
+    return `${parsed.protocol}//${parsed.host}`;
+  } catch {
+    return;
+  }
+}
 function safeTokenEqual(candidate, expected) {
   if (!candidate)
     return false;
@@ -3829,6 +3868,7 @@ var DEFAULT_HOSTNAME = "uptime.example.com";
 var DEFAULT_WORKSPACE_ID = "workspace-id";
 var DEFAULT_VPC_ID = "vpc-xxxxxxxx";
 var DEFAULT_HOSTED_SQLITE_DB = "/data/uptime/uptime.db";
+var DEFAULT_PROTECTED_ACCESS_MODE = "cloudfront_default_domain";
 function buildAwsDeploymentPlan(options = {}) {
   const region = clean(options.region, DEFAULT_REGION);
   const stage = clean(options.stage, DEFAULT_STAGE);
@@ -3841,7 +3881,9 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.7");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.8");
+  const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
+  const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;
   const secrets = {
     appEnv: clean(options.appEnvSecretName, `open-uptime/${stage}/app/env`),
@@ -3855,7 +3897,8 @@ function buildAwsDeploymentPlan(options = {}) {
       HASNA_UPTIME_MODE: "hosted",
       HASNA_UPTIME_HOSTED_SQLITE_DB: hostedSqliteDbPath,
       HASNA_UPTIME_WORKSPACE_ID: workspaceId,
-      HASNA_UPTIME_HOSTNAME: hostname
+      HASNA_UPTIME_HOSTNAME: hostname,
+      HASNA_UPTIME_ALLOWED_ORIGINS: protectedAccessUrl
     }),
     servicePlan(prefix, stage, "scheduler", 0, image, workspaceId, secrets, {
       HASNA_UPTIME_MODE: "hosted",
@@ -3881,7 +3924,7 @@ function buildAwsDeploymentPlan(options = {}) {
   ];
   return {
     kind: "open-uptime.aws-deployment-plan",
-    version: 2,
+    version: 3,
     generatedAt: new Date().toISOString(),
     status: "blocked",
     canApply: false,
@@ -3903,6 +3946,9 @@ function buildAwsDeploymentPlan(options = {}) {
       hostedSqliteDbPath,
       evidenceBucket,
       loadBalancer: `${prefix}-${stage}-alb`,
+      protectedAccessMode,
+      edgeDistribution: protectedAccessMode === "cloudfront_default_domain" ? `${prefix}-${stage}-edge` : undefined,
+      protectedAccessUrl,
       targetGroups: [`${prefix}-${stage}-web-tg`],
       securityGroups: [
         `${prefix}-${stage}-alb-sg`,
@@ -3950,7 +3996,7 @@ function buildAwsDeploymentPlan(options = {}) {
         `Infra PR must declare CodeBuild image builder ${prefix}-${stage}-image-builder for @hasna/uptime@${runtimePackageVersion}.`,
         `Infra PR must declare hardened S3 evidence bucket ${evidenceBucket} with KMS, versioning, lifecycle, and public access block.`,
         `Infra PR must declare encrypted EFS ${prefix}-${stage}-data with access point, mount targets, and AWS Backup plan.`,
-        `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
+        protectedAccessMode === "cloudfront_default_domain" ? "Infra PR must declare CloudFront default-domain HTTPS edge, ALB HTTP listener restricted to CloudFront origin-facing ranges, ECS/Fargate cluster, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs." : `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB HTTPS listener, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
         "Only apply the infra plan from the approved infrastructure repository after review evidence is attached."
       ],
       deploy: [
@@ -3959,7 +4005,7 @@ function buildAwsDeploymentPlan(options = {}) {
         "For the EFS SQLite bridge, do not run migration, scheduler, public-probe, or reporter tasks; keep them at desired count 0 until Postgres and cloud leases exist.",
         `Register task definitions for ${services.map((service) => service.name).join(", ")} using valueFrom secrets.`,
         `Update ECS services in cluster ${cluster} one component at a time through the approved deploy pipeline.`,
-        `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
+        protectedAccessMode === "cloudfront_default_domain" ? "Use the CloudFront default HTTPS domain for first protected access; add custom DNS/certificate only after edge ownership is approved." : `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
       ],
       rollback: [
         "Keep previous task definition ARNs before each service update.",
@@ -3984,7 +4030,7 @@ function buildAwsDeploymentPlan(options = {}) {
       "Infrastructure PR/synth/plan from the approved infra repository.",
       "CodeBuild image-builder run, container smoke, and immutable image digest.",
       "ECS task definitions using secrets.valueFrom only.",
-      "ALB/TLS/DNS/auth denial smokes and web alarm checks.",
+      "CloudFront-default-domain or ALB TLS auth-denial smokes, direct-origin denial evidence, and web alarm checks.",
       "Single-writer ECS evidence: one web task maximum and no scheduler/public-probe/reporter EFS mounts.",
       "EFS encryption, access point, mount-target, AWS Backup, and restore-drill evidence.",
       "S3 bucket KMS, versioning, lifecycle, and public-access-block evidence.",
@@ -3997,6 +4043,7 @@ function buildAwsDeploymentPlan(options = {}) {
       notes: [
         "This plan generator does not call AWS.",
         "Blocked plan output intentionally avoids copy-pastable AWS mutation commands.",
+        "Default protected access uses CloudFront's HTTPS default domain so first deploy is not blocked on custom DNS or ACM.",
         "Hosted runtime uses explicit EFS-backed SQLite at HASNA_UPTIME_HOSTED_SQLITE_DB until the async Postgres adapter exists.",
         "Do not set HASNA_UPTIME_DATABASE_URL for hosted tasks until the Postgres adapter is implemented.",
         "Secrets are represented as secret names/refs and must be injected with valueFrom.",

package/docs/aws-deployment-runbook.md

@@ -19,6 +19,7 @@ Public package defaults are placeholders:
 - hosted data path: EFS-mounted SQLite at `/data/uptime/uptime.db`
 - hostname: `uptime.example.com`
 - workspace id: `workspace-id`
+- protected access mode: `cloudfront_default_domain`
 
 Override these with CLI flags or private deployment evidence for the real
 account, hostname, workspace id, VPC id, secret refs, and repository names.
@@ -47,7 +48,9 @@ write a sourceable env file with a placeholder probe identity.
 
 3. Confirm the target VPC, private subnets, KMS key, and EFS/Backup plan inputs
    still match the plan.
-4. Confirm Route53/edge ownership for the chosen hostname.
+4. Confirm the protected access mode. The first deploy can use the CloudFront
+   default HTTPS domain without custom DNS or ACM. Custom hostname deploys still
+   require Route53/edge ownership and an ACM certificate.
 5. Confirm the deployment role uses short-lived credentials or OIDC, not copied
    access keys.
 
@@ -59,7 +62,9 @@ The plan expects:
 - ECS/Fargate cluster with separate services for web, scheduler, public probe,
   reporter, and one-off migrations. In the current EFS SQLite bridge, only web
   may be enabled and it must run at desired count `0` or `1`.
-- ALB, TLS certificate, target group, and security groups.
+- CloudFront default-domain HTTPS edge plus ALB HTTP origin restricted to
+  CloudFront origin-facing ranges, or an ALB HTTPS listener with ACM certificate
+  when custom DNS is approved.
 - Encrypted EFS file system, access point, mount targets, and AWS Backup plan
   for `HASNA_UPTIME_HOSTED_SQLITE_DB=/data/uptime/uptime.db`.
 - S3 bucket for redacted browser evidence and generated report artifacts.
@@ -82,6 +87,8 @@ terraform -chdir=infra/aws validate
 terraform -chdir=infra/aws plan -out open-uptime.tfplan
 ```
 
+Use Terraform/OpenTofu 1.9 or newer for this starter.
+
 ## Spark01
 
 Spark01 should be a private probe/operator machine, not the hosted source of
@@ -98,6 +105,9 @@ routes are backed by cloud check jobs and cloud audit rows.
 - Do deploy hosted mode with `HASNA_UPTIME_HOSTED_SQLITE_DB` pointing at the EFS
   mount path `/data/uptime/uptime.db`. Do not set `HASNA_UPTIME_DATABASE_URL`
   until the async Postgres adapter exists.
+- Do set `HASNA_UPTIME_ALLOWED_ORIGINS` on the hosted web task to the public
+  HTTPS edge origin, such as the CloudFront default domain or approved custom
+  hostname.
 - Do not inline AWS keys, hosted tokens, Mailery keys, Open Logs tokens, database
   URLs, or probe private keys in task definitions. Use ECS `secrets.valueFrom`
   refs such as `HASNA_UPTIME_HOSTED_TOKEN`.
@@ -105,6 +115,8 @@ routes are backed by cloud check jobs and cloud audit rows.
 - Do not enable scheduler, public-probe, reporter, or migration workers against
   the EFS SQLite bridge; those services need Postgres/cloud leases first.
 - Do not expose dashboard/API routes without hosted auth and workspace checks.
+- Do not expose the ALB directly in CloudFront mode; ALB ingress must be limited
+  to CloudFront origin-facing ranges.
 - Do not treat local SQLite, local project DBs, or Spark01 local state as cloud
   authority after cutover.
 

package/infra/aws/README.md

@@ -15,6 +15,8 @@ terraform -chdir=infra/aws validate
 terraform -chdir=infra/aws plan -out open-uptime.tfplan
 ```
 
+Terraform 1.9 or newer is required by the variable validation in this starter.
+
 Required inputs are declared in `variables.tf` and illustrated in
 `terraform.tfvars.example`. Secrets are passed as Secrets Manager/SSM ARNs only;
 never place plaintext tokens, database URLs, private keys, or channel
@@ -31,6 +33,14 @@ The included CodeBuild project builds `@hasna/uptime` from npm with
 `Dockerfile.package` and pushes the resulting image to ECR. This avoids
 depending on a local Docker daemon for image publication.
 
+The default protected access mode is `cloudfront_default_domain`: CloudFront
+serves HTTPS on its default domain while the ALB origin accepts HTTP only from
+AWS's CloudFront origin-facing managed prefix list. Use `alb_https_cert` only
+after custom DNS and an ACM certificate are approved.
+The web task receives `HASNA_UPTIME_ALLOWED_ORIGINS` for the selected public
+HTTPS origin so hosted mutation CSRF checks still work through the private HTTP
+origin hop.
+
 ## Current Blockers
 
 - Hosted production auth/RBAC still needs scoped, revocable credentials.

package/infra/aws/main.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.6.0"
+  required_version = ">= 1.9.0"
 
   required_providers {
     aws = {
@@ -23,6 +23,8 @@ locals {
   efs_gid               = 10001
   hosted_sqlite_db_path = "/data/uptime/uptime.db"
   efs_enabled_services  = toset(["web"])
+  use_alb_https         = var.protected_access_mode == "alb_https_cert"
+  use_cloudfront        = var.protected_access_mode == "cloudfront_default_domain"
   services = {
     web = {
       desired_count = lookup(var.desired_counts, "web", 0)
@@ -62,6 +64,11 @@ data "aws_vpc" "target" {
   id = var.vpc_id
 }
 
+data "aws_ec2_managed_prefix_list" "cloudfront_origin_facing" {
+  count = local.use_cloudfront ? 1 : 0
+  name  = "com.amazonaws.global.cloudfront.origin-facing"
+}
+
 resource "aws_ecr_repository" "open_uptime" {
   name                 = var.ecr_repository_name
   image_tag_mutability = "IMMUTABLE"
@@ -290,7 +297,7 @@ resource "aws_security_group" "alb" {
 }
 
 resource "aws_security_group_rule" "alb_https_ingress" {
-  count             = length(var.alb_ingress_cidr_blocks) > 0 ? 1 : 0
+  count             = local.use_alb_https && length(var.alb_ingress_cidr_blocks) > 0 ? 1 : 0
   type              = "ingress"
   description       = "HTTPS"
   security_group_id = aws_security_group.alb.id
@@ -300,6 +307,17 @@ resource "aws_security_group_rule" "alb_https_ingress" {
   cidr_blocks       = var.alb_ingress_cidr_blocks
 }
 
+resource "aws_security_group_rule" "alb_http_from_cloudfront" {
+  count             = local.use_cloudfront ? 1 : 0
+  type              = "ingress"
+  description       = "HTTP from CloudFront origin-facing ranges"
+  security_group_id = aws_security_group.alb.id
+  from_port         = 80
+  to_port           = 80
+  protocol          = "tcp"
+  prefix_list_ids   = [data.aws_ec2_managed_prefix_list.cloudfront_origin_facing[0].id]
+}
+
 resource "aws_security_group_rule" "alb_to_web" {
   type                     = "egress"
   description              = "To Open Uptime web"
@@ -506,6 +524,7 @@ resource "aws_lb_target_group" "web" {
 }
 
 resource "aws_lb_listener" "https" {
+  count             = local.use_alb_https ? 1 : 0
   load_balancer_arn = aws_lb.open_uptime.arn
   port              = 443
   protocol          = "HTTPS"
@@ -517,8 +536,73 @@ resource "aws_lb_listener" "https" {
   }
 }
 
+resource "aws_lb_listener" "http_cloudfront" {
+  count             = local.use_cloudfront ? 1 : 0
+  load_balancer_arn = aws_lb.open_uptime.arn
+  port              = 80
+  protocol          = "HTTP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.web.arn
+  }
+}
+
+resource "aws_cloudfront_distribution" "open_uptime" {
+  count           = local.use_cloudfront ? 1 : 0
+  enabled         = true
+  is_ipv6_enabled = true
+  comment         = "Open Uptime ${local.prefix} protected HTTPS edge"
+  price_class     = "PriceClass_100"
+  tags            = local.tags
+
+  origin {
+    domain_name = aws_lb.open_uptime.dns_name
+    origin_id   = "${local.prefix}-alb"
+
+    custom_origin_config {
+      http_port              = 80
+      https_port             = 443
+      origin_protocol_policy = "http-only"
+      origin_ssl_protocols   = ["TLSv1.2"]
+    }
+  }
+
+  default_cache_behavior {
+    target_origin_id       = "${local.prefix}-alb"
+    viewer_protocol_policy = "redirect-to-https"
+    compress               = true
+    allowed_methods        = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
+    cached_methods         = ["GET", "HEAD"]
+    default_ttl            = 0
+    max_ttl                = 0
+    min_ttl                = 0
+
+    forwarded_values {
+      query_string = true
+      headers      = ["Authorization", "Content-Type", "Origin", "X-Uptime-Hosted-Token"]
+
+      cookies {
+        forward = "all"
+      }
+    }
+  }
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  viewer_certificate {
+    cloudfront_default_certificate = true
+  }
+
+  depends_on = [aws_lb_listener.http_cloudfront]
+}
+
 resource "aws_route53_record" "open_uptime" {
-  count   = var.hosted_zone_id == null ? 0 : 1
+  count   = var.hosted_zone_id == null || !local.use_alb_https ? 0 : 1
   zone_id = var.hosted_zone_id
   name    = var.hostname
   type    = "A"
@@ -670,7 +754,12 @@ resource "aws_ecs_task_definition" "service" {
         { name = "HASNA_UPTIME_WORKSPACE_ID", value = var.workspace_id },
         { name = "HASNA_UPTIME_COMPONENT", value = each.key },
         { name = "HASNA_UPTIME_HOSTNAME", value = var.hostname },
-        ], contains(local.efs_enabled_services, each.key) ? [
+        ], each.key == "web" ? [
+        {
+          name  = "HASNA_UPTIME_ALLOWED_ORIGINS"
+          value = local.use_cloudfront ? "https://${aws_cloudfront_distribution.open_uptime[0].domain_name}" : "https://${var.hostname}"
+        },
+        ] : [], contains(local.efs_enabled_services, each.key) ? [
         { name = "HASNA_UPTIME_HOSTED_SQLITE_DB", value = local.hosted_sqlite_db_path },
       ] : [])
       mountPoints = contains(local.efs_enabled_services, each.key) ? [
@@ -725,7 +814,7 @@ resource "aws_ecs_service" "web" {
     container_port   = local.container_port
   }
 
-  depends_on = [aws_lb_listener.https, aws_efs_mount_target.data]
+  depends_on = [aws_lb_listener.https, aws_lb_listener.http_cloudfront, aws_efs_mount_target.data]
 }
 
 resource "aws_ecs_service" "worker" {

package/infra/aws/outputs.tf

@@ -14,6 +14,14 @@ output "alb_dns_name" {
   value = aws_lb.open_uptime.dns_name
 }
 
+output "cloudfront_domain_name" {
+  value = try(aws_cloudfront_distribution.open_uptime[0].domain_name, null)
+}
+
+output "protected_access_url" {
+  value = var.protected_access_mode == "cloudfront_default_domain" ? "https://${aws_cloudfront_distribution.open_uptime[0].domain_name}" : "https://${var.hostname}"
+}
+
 output "evidence_bucket" {
   value = aws_s3_bucket.evidence.bucket
 }

package/infra/aws/terraform.tfvars.example

@@ -5,13 +5,14 @@ hostname                 = "uptime.example.com"
 workspace_id             = "workspace-id"
 vpc_id                   = "vpc-xxxxxxxx"
 ecr_repository_name      = "open-uptime"
+protected_access_mode    = "cloudfront_default_domain"
 public_subnet_ids        = ["subnet-replace-public-a", "subnet-replace-public-b"]
 alb_ingress_cidr_blocks = []
 private_subnet_ids       = ["subnet-replace-private-a", "subnet-replace-private-b"]
 container_image          = "123456789012.dkr.ecr.us-east-1.amazonaws.com/open-uptime@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-runtime_package_version  = "0.1.7"
-certificate_arn          = "arn:aws:acm:us-east-1:123456789012:certificate/replace"
-hosted_zone_id           = "ZREPLACE"
+runtime_package_version  = "0.1.8"
+certificate_arn          = null
+hosted_zone_id           = null
 app_env_secret_arn       = "arn:aws:secretsmanager:us-east-1:123456789012:secret:open-uptime/prod/app/env"
 hosted_token_secret_arn  = "arn:aws:secretsmanager:us-east-1:123456789012:secret:open-uptime/prod/hosted-token"
 public_probe_secret_arn  = "arn:aws:secretsmanager:us-east-1:123456789012:secret:open-uptime/prod/probe/public"

package/infra/aws/variables.tf

@@ -46,13 +46,24 @@ variable "ecr_repository_name" {
   default     = "open-uptime"
 }
 
+variable "protected_access_mode" {
+  description = "Protected web access mode. cloudfront_default_domain uses the CloudFront HTTPS default domain and restricts ALB HTTP to CloudFront origin-facing ranges. alb_https_cert uses an ALB HTTPS listener with certificate_arn."
+  type        = string
+  default     = "cloudfront_default_domain"
+
+  validation {
+    condition     = contains(["cloudfront_default_domain", "alb_https_cert"], var.protected_access_mode)
+    error_message = "protected_access_mode must be cloudfront_default_domain or alb_https_cert."
+  }
+}
+
 variable "public_subnet_ids" {
   description = "Public subnets for the ALB."
   type        = list(string)
 }
 
 variable "alb_ingress_cidr_blocks" {
-  description = "Approved HTTPS source CIDR blocks for the ALB. Keep empty until edge/source policy is approved."
+  description = "Approved HTTPS source CIDR blocks for ALB HTTPS mode. Keep empty until edge/source policy is approved."
   type        = list(string)
   default     = []
 }
@@ -75,7 +86,7 @@ variable "container_image" {
 variable "runtime_package_version" {
   description = "Published @hasna/uptime package version that CodeBuild should build into the ECR image."
   type        = string
-  default     = "0.1.7"
+  default     = "0.1.8"
 
   validation {
     condition     = can(regex("^[0-9]+\\.[0-9]+\\.[0-9]+(-[0-9A-Za-z.-]+)?$", var.runtime_package_version))
@@ -84,8 +95,19 @@ variable "runtime_package_version" {
 }
 
 variable "certificate_arn" {
-  description = "ACM certificate ARN for HTTPS listener."
+  description = "ACM certificate ARN for ALB HTTPS mode. Leave null when protected_access_mode is cloudfront_default_domain."
   type        = string
+  default     = null
+
+  validation {
+    condition     = var.certificate_arn == null || can(regex("^arn:aws:acm:", var.certificate_arn))
+    error_message = "certificate_arn must be null or an ACM certificate ARN."
+  }
+
+  validation {
+    condition     = var.protected_access_mode != "alb_https_cert" || var.certificate_arn != null
+    error_message = "certificate_arn is required when protected_access_mode is alb_https_cert."
+  }
 }
 
 variable "hosted_zone_id" {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hasna/uptime",
-  "version": "0.1.7",
+  "version": "0.1.8",
   "description": "Local-first uptime and downtime monitoring service with CLI, MCP, SDK, SQLite persistence, and a dashboard.",
   "license": "Apache-2.0",
   "type": "module",