@hasna/uptime 0.1.7 → 0.1.9

package/dist/cloud-plan.js

@@ -8,6 +8,7 @@ var DEFAULT_HOSTNAME = "uptime.example.com";
 var DEFAULT_WORKSPACE_ID = "workspace-id";
 var DEFAULT_VPC_ID = "vpc-xxxxxxxx";
 var DEFAULT_HOSTED_SQLITE_DB = "/data/uptime/uptime.db";
+var DEFAULT_PROTECTED_ACCESS_MODE = "cloudfront_default_domain";
 function buildAwsDeploymentPlan(options = {}) {
   const region = clean(options.region, DEFAULT_REGION);
   const stage = clean(options.stage, DEFAULT_STAGE);
@@ -20,7 +21,9 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.7");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.9");
+  const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
+  const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;
   const secrets = {
     appEnv: clean(options.appEnvSecretName, `open-uptime/${stage}/app/env`),
@@ -34,7 +37,8 @@ function buildAwsDeploymentPlan(options = {}) {
       HASNA_UPTIME_MODE: "hosted",
       HASNA_UPTIME_HOSTED_SQLITE_DB: hostedSqliteDbPath,
       HASNA_UPTIME_WORKSPACE_ID: workspaceId,
-      HASNA_UPTIME_HOSTNAME: hostname
+      HASNA_UPTIME_HOSTNAME: hostname,
+      HASNA_UPTIME_ALLOWED_ORIGINS: protectedAccessUrl
     }),
     servicePlan(prefix, stage, "scheduler", 0, image, workspaceId, secrets, {
       HASNA_UPTIME_MODE: "hosted",
@@ -60,7 +64,7 @@ function buildAwsDeploymentPlan(options = {}) {
   ];
   return {
     kind: "open-uptime.aws-deployment-plan",
-    version: 2,
+    version: 3,
     generatedAt: new Date().toISOString(),
     status: "blocked",
     canApply: false,
@@ -82,6 +86,9 @@ function buildAwsDeploymentPlan(options = {}) {
       hostedSqliteDbPath,
       evidenceBucket,
       loadBalancer: `${prefix}-${stage}-alb`,
+      protectedAccessMode,
+      edgeDistribution: protectedAccessMode === "cloudfront_default_domain" ? `${prefix}-${stage}-edge` : undefined,
+      protectedAccessUrl,
       targetGroups: [`${prefix}-${stage}-web-tg`],
       securityGroups: [
         `${prefix}-${stage}-alb-sg`,
@@ -129,7 +136,7 @@ function buildAwsDeploymentPlan(options = {}) {
         `Infra PR must declare CodeBuild image builder ${prefix}-${stage}-image-builder for @hasna/uptime@${runtimePackageVersion}.`,
         `Infra PR must declare hardened S3 evidence bucket ${evidenceBucket} with KMS, versioning, lifecycle, and public access block.`,
         `Infra PR must declare encrypted EFS ${prefix}-${stage}-data with access point, mount targets, and AWS Backup plan.`,
-        `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
+        protectedAccessMode === "cloudfront_default_domain" ? "Infra PR must declare CloudFront default-domain HTTPS edge, ALB HTTP listener restricted to CloudFront origin-facing ranges, ECS/Fargate cluster, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs." : `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB HTTPS listener, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
         "Only apply the infra plan from the approved infrastructure repository after review evidence is attached."
       ],
       deploy: [
@@ -138,7 +145,7 @@ function buildAwsDeploymentPlan(options = {}) {
         "For the EFS SQLite bridge, do not run migration, scheduler, public-probe, or reporter tasks; keep them at desired count 0 until Postgres and cloud leases exist.",
         `Register task definitions for ${services.map((service) => service.name).join(", ")} using valueFrom secrets.`,
         `Update ECS services in cluster ${cluster} one component at a time through the approved deploy pipeline.`,
-        `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
+        protectedAccessMode === "cloudfront_default_domain" ? "Use the CloudFront default HTTPS domain for first protected access; add custom DNS/certificate only after edge ownership is approved." : `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
       ],
       rollback: [
         "Keep previous task definition ARNs before each service update.",
@@ -146,9 +153,9 @@ function buildAwsDeploymentPlan(options = {}) {
         "Disable scheduler/reporter services before data rollback.",
         "Restore EFS backup recovery point only after explicit operator approval and audit record."
       ],
-      spark01: [
+      privateProbe: [
         "Create a private probe identity with a caller-managed public key.",
-        "Install @hasna/uptime on Spark01 and write the generated env file with mode 0600.",
+        "Install @hasna/uptime on the private probe operator machine and write the generated env file with mode 0600.",
         "Run the private probe against the hosted /api/v1 probe endpoint once it exists."
       ]
     },
@@ -157,17 +164,17 @@ function buildAwsDeploymentPlan(options = {}) {
       "The EFS SQLite bridge is single-writer only: web target desired count is 1 and scheduler/public-probe/reporter targets remain 0 until Postgres and cloud leases exist.",
       "Hosted production auth/RBAC must replace broad static hosted-token operation before exposure.",
       "Public probe execution still needs DNS, redirect, and rebinding SSRF enforcement plus cloud check-job leases.",
-      "Spark01 hosted probe enrollment, claim, submit, heartbeat, revocation, and rotation are not cloud-backed yet."
+      "Private probe enrollment, claim, submit, heartbeat, revocation, and rotation are not cloud-backed yet."
     ],
     requiredEvidence: [
       "Infrastructure PR/synth/plan from the approved infra repository.",
       "CodeBuild image-builder run, container smoke, and immutable image digest.",
       "ECS task definitions using secrets.valueFrom only.",
-      "ALB/TLS/DNS/auth denial smokes and web alarm checks.",
+      "CloudFront-default-domain or ALB TLS auth-denial smokes, direct-origin denial evidence, and web alarm checks.",
       "Single-writer ECS evidence: one web task maximum and no scheduler/public-probe/reporter EFS mounts.",
       "EFS encryption, access point, mount-target, AWS Backup, and restore-drill evidence.",
       "S3 bucket KMS, versioning, lifecycle, and public-access-block evidence.",
-      "Spark01 private-probe registration, key-file mode, heartbeat, and revocation evidence."
+      "Private-probe registration, key-file mode, heartbeat, and revocation evidence."
     ],
     safety: {
       liveAwsMutation: false,
@@ -176,6 +183,7 @@ function buildAwsDeploymentPlan(options = {}) {
       notes: [
         "This plan generator does not call AWS.",
         "Blocked plan output intentionally avoids copy-pastable AWS mutation commands.",
+        "Default protected access uses CloudFront's HTTPS default domain so first deploy is not blocked on custom DNS or ACM.",
         "Hosted runtime uses explicit EFS-backed SQLite at HASNA_UPTIME_HOSTED_SQLITE_DB until the async Postgres adapter exists.",
         "Do not set HASNA_UPTIME_DATABASE_URL for hosted tasks until the Postgres adapter is implemented.",
         "Secrets are represented as secret names/refs and must be injected with valueFrom.",
@@ -184,16 +192,16 @@ function buildAwsDeploymentPlan(options = {}) {
     }
   };
 }
-function buildSpark01CloudConfig(options = {}) {
+function buildPrivateProbeCloudConfig(options = {}) {
   const apiUrl = clean(options.apiUrl, `https://${DEFAULT_HOSTNAME}/api/v1`);
   const workspaceId = clean(options.workspaceId, DEFAULT_WORKSPACE_ID);
-  const machineId = clean(options.machineId, "spark01");
-  const privateKeyFile = clean(options.probePrivateKeyFile, "~/.hasna/uptime/probes/spark01.key.pem");
+  const machineId = clean(options.machineId, "private-probe-01");
+  const privateKeyFile = clean(options.probePrivateKeyFile, "~/.hasna/uptime/probes/private-probe-01.key.pem");
   const probeId = options.probeId?.trim();
   const blockers = [
     ...probeId ? [] : ["Cloud-registered private probe id is required before writing a sourceable env file."],
     "Hosted probe claim and submit routes still fail closed until cloud check_jobs and workspace stores are implemented.",
-    "Spark01 enrollment, heartbeat, revocation, rotation, and bounded offline lease handling are not implemented yet."
+    "Private probe enrollment, heartbeat, revocation, rotation, and bounded offline lease handling are not implemented yet."
   ];
   const env = {
     HASNA_UPTIME_MODE: "hosted",
@@ -207,7 +215,7 @@ function buildSpark01CloudConfig(options = {}) {
   if (probeId)
     env.HASNA_UPTIME_PRIVATE_PROBE_ID = probeId;
   return {
-    kind: "open-uptime.spark01-cloud-config",
+    kind: "open-uptime.private-probe-cloud-config",
     version: 1,
     generatedAt: new Date().toISOString(),
     status: "blocked",
@@ -219,7 +227,7 @@ function buildSpark01CloudConfig(options = {}) {
       {
         path: privateKeyFile,
         mode: "0600",
-        purpose: "Ed25519 private key generated on Spark01; never paste into cloud config."
+        purpose: "Ed25519 private key generated on the private probe machine; never paste into cloud config."
       },
       {
         path: "~/.hasna/uptime/cloud.env",
@@ -229,7 +237,7 @@ function buildSpark01CloudConfig(options = {}) {
     ],
     commands: [
       "bun install -g @hasna/uptime@latest",
-      "Generate the Spark01 private key locally and register only its public key with the hosted control plane once registration exists.",
+      "Generate the private probe key locally and register only its public key with the hosted control plane once registration exists.",
       "Write ~/.hasna/uptime/cloud.env from this plan, then source it for the private probe service.",
       "Start the private probe worker only after hosted /api/v1 probe claim/submit routes are backed by cloud jobs."
     ],
@@ -238,18 +246,18 @@ function buildSpark01CloudConfig(options = {}) {
       privateKeyInline: false,
       tokenInline: false,
       notes: [
-        "This config is hosted-targeted preflight: Spark01 must not start until cloud probe routes are backed by hosted state.",
+        "This config is hosted-targeted preflight: the private probe must not start until cloud probe routes are backed by hosted state.",
         "The private key file path is referenced, not embedded.",
         "Hosted token or probe auth material must come from the machine secret store, not this generated config."
       ]
     }
   };
 }
-function renderSpark01Env(config) {
+function renderPrivateProbeEnv(config) {
   const required = ["HASNA_UPTIME_PRIVATE_PROBE_ID"];
   const missing = required.filter((key) => !config.env[key]);
   if (missing.length > 0) {
-    throw new Error(`Spark01 env output requires ${missing.join(", ")}`);
+    throw new Error(`private probe env output requires ${missing.join(", ")}`);
   }
   return Object.entries(config.env).map(([key, value]) => `${key}=${shellEscape(value)}`).join(`
 `);
@@ -282,7 +290,7 @@ function shellEscape(value) {
   return `'${value.replace(/'/g, "'\\''")}'`;
 }
 export {
-  renderSpark01Env,
-  buildSpark01CloudConfig,
+  renderPrivateProbeEnv,
+  buildPrivateProbeCloudConfig,
   buildAwsDeploymentPlan
 };

package/dist/index.d.ts

@@ -5,13 +5,13 @@ export { createApiHandler, serveUptime } from "./api.js";
 export { applyImport, previewImport, rollbackImport } from "./imports.js";
 export { buildUptimeReport, sendUptimeReport } from "./report.js";
 export { generateProbeKeyPair, probePublicKeyFingerprint, probeResultSigningPayload, signProbeResult, verifyProbeResultSignature } from "./probes.js";
-export { buildAwsDeploymentPlan, buildSpark01CloudConfig, renderSpark01Env } from "./cloud-plan.js";
+export { buildAwsDeploymentPlan, buildPrivateProbeCloudConfig, renderPrivateProbeEnv } from "./cloud-plan.js";
 export { uptimeHome, uptimeDbPath, uptimeHostedFallbackDbPath, ensureUptimeHome } from "./paths.js";
 export type { UptimeBackup, UptimeBackupCheck, UptimeRuntimeMode, UptimeStoreOptions, MonitorProvenance, SaveImportBatchInput, StoredImportBatch, UpsertMonitorProvenanceInput, } from "./store.js";
 export type { BrowserPageRunner, BrowserPageRunnerResult, FetchLike, } from "./checks.js";
 export type { ImportAction, ImportApplyItem, ImportApplyResult, ImportCandidate, ImportPreview, ImportPreviewItem, ImportRequest, ImportRollbackItem, ImportRollbackResult, ImportSource, } from "./imports.js";
 export type { BrowserFailedRequest, BrowserPageEvidence, AuditEvent, CheckAttemptResult, CheckEvidence, CheckResult, CheckStatus, CreateMonitorKind, CreateMonitorInput, CreateReportScheduleInput, ImportedMonitorInput, ImportedUpdateMonitorInput, EvidenceArtifact, Incident, IncidentStatus, ListAuditEventsOptions, ListReportRunsOptions, ListResultsOptions, Monitor, MonitorKind, MonitorStatus, MonitorSummary, ProbeCheckJob, ProbeCheckJobStatus, ProbeIdentity, ProbeResultSubmission, ProbeSubmissionReceipt, RecordAuditEventInput, ReportDeliveryChannel, ReportDeliveryRecord, ReportEmailChannelConfig, ReportLogsChannelConfig, ReportRun, ReportRunStatus, ReportSchedule, ReportScheduleChannels, ReportScheduleStatus, ReportSmsChannelConfig, SchedulerHandle, UpdateMonitorInput, UpdateReportScheduleInput, UptimeSummary, } from "./types.js";
 export type { ProbeKeyPair, ProbeSigningInput } from "./probes.js";
-export type { AwsDeploymentPlan, AwsDeploymentPlanOptions, AwsServicePlan, Spark01CloudConfig, Spark01CloudConfigOptions, } from "./cloud-plan.js";
+export type { AwsDeploymentPlan, AwsDeploymentPlanOptions, AwsServicePlan, PrivateProbeCloudConfig, PrivateProbeCloudConfigOptions, } from "./cloud-plan.js";
 export type { BuildUptimeReportOptions, SendUptimeReportOptions, UptimeEmailReportTarget, UptimeLogsReportTarget, UptimeReport, UptimeReportDelivery, UptimeSmsReportTarget, } from "./report.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AACjE,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC9F,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC1E,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,oBAAoB,EAAE,yBAAyB,EAAE,yBAAyB,EAAE,eAAe,EAAE,0BAA0B,EAAE,MAAM,aAAa,CAAC;AACtJ,OAAO,EAAE,sBAAsB,EAAE,uBAAuB,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACpG,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,0BAA0B,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AACpG,YAAY,EACV,YAAY,EACZ,iBAAiB,EACjB,iBAAiB,EACjB,kBAAkB,EAClB,iBAAiB,EACjB,oBAAoB,EACpB,iBAAiB,EACjB,4BAA4B,GAC7B,MAAM,YAAY,CAAC;AACpB,YAAY,EACV,iBAAiB,EACjB,uBAAuB,EACvB,SAAS,GACV,MAAM,aAAa,CAAC;AACrB,YAAY,EACV,YAAY,EACZ,eAAe,EACf,iBAAiB,EACjB,eAAe,EACf,aAAa,EACb,iBAAiB,EACjB,aAAa,EACb,kBAAkB,EAClB,oBAAoB,EACpB,YAAY,GACb,MAAM,cAAc,CAAC;AACtB,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,UAAU,EACV,kBAAkB,EAClB,aAAa,EACb,WAAW,EACX,WAAW,EACX,iBAAiB,EACjB,kBAAkB,EAClB,yBAAyB,EACzB,oBAAoB,EACpB,0BAA0B,EAC1B,gBAAgB,EAChB,QAAQ,EACR,cAAc,EACd,sBAAsB,EACtB,qBAAqB,EACrB,kBAAkB,EAClB,OAAO,EACP,WAAW,EACX,aAAa,EACb,cAAc,EACd,aAAa,EACb,mBAAmB,EACnB,aAAa,EACb,qBAAqB,EACrB,sBAAsB,EACtB,qBAAqB,EACrB,qBAAqB,EACrB,oBAAoB,EACpB,wBAAwB,EACxB,uBAAuB,EACvB,SAAS,EACT,eAAe,EACf,cAAc,EACd,sBAAsB,EACtB,oBAAoB,EACpB,sBAAsB,EACtB,eAAe,EACf,kBAAkB,EAClB,yBAAyB,EACzB,aAAa,GACd,MAAM,YAAY,CAAC;AACpB,YAAY,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AACnE,YAAY,EACV,iBAAiB,EACjB,wBAAwB,EACxB,cAAc,EACd,kBAAkB,EAClB,yBAAyB,GAC1B,MAAM,iBAAiB,CAAC;AACzB,YAAY,EACV,wBAAwB,EACxB,uBAAuB,EACvB,uBAAuB,EACvB,sBAAsB,EACtB,YAAY,EACZ,oBAAoB,EACpB,qBAAqB,GACtB,MAAM,aAAa,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AACjE,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC9F,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC1E,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,oBAAoB,EAAE,yBAAyB,EAAE,yBAAyB,EAAE,eAAe,EAAE,0BAA0B,EAAE,MAAM,aAAa,CAAC;AACtJ,OAAO,EAAE,sBAAsB,EAAE,4BAA4B,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAC9G,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,0BAA0B,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AACpG,YAAY,EACV,YAAY,EACZ,iBAAiB,EACjB,iBAAiB,EACjB,kBAAkB,EAClB,iBAAiB,EACjB,oBAAoB,EACpB,iBAAiB,EACjB,4BAA4B,GAC7B,MAAM,YAAY,CAAC;AACpB,YAAY,EACV,iBAAiB,EACjB,uBAAuB,EACvB,SAAS,GACV,MAAM,aAAa,CAAC;AACrB,YAAY,EACV,YAAY,EACZ,eAAe,EACf,iBAAiB,EACjB,eAAe,EACf,aAAa,EACb,iBAAiB,EACjB,aAAa,EACb,kBAAkB,EAClB,oBAAoB,EACpB,YAAY,GACb,MAAM,cAAc,CAAC;AACtB,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,UAAU,EACV,kBAAkB,EAClB,aAAa,EACb,WAAW,EACX,WAAW,EACX,iBAAiB,EACjB,kBAAkB,EAClB,yBAAyB,EACzB,oBAAoB,EACpB,0BAA0B,EAC1B,gBAAgB,EAChB,QAAQ,EACR,cAAc,EACd,sBAAsB,EACtB,qBAAqB,EACrB,kBAAkB,EAClB,OAAO,EACP,WAAW,EACX,aAAa,EACb,cAAc,EACd,aAAa,EACb,mBAAmB,EACnB,aAAa,EACb,qBAAqB,EACrB,sBAAsB,EACtB,qBAAqB,EACrB,qBAAqB,EACrB,oBAAoB,EACpB,wBAAwB,EACxB,uBAAuB,EACvB,SAAS,EACT,eAAe,EACf,cAAc,EACd,sBAAsB,EACtB,oBAAoB,EACpB,sBAAsB,EACtB,eAAe,EACf,kBAAkB,EAClB,yBAAyB,EACzB,aAAa,GACd,MAAM,YAAY,CAAC;AACpB,YAAY,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AACnE,YAAY,EACV,iBAAiB,EACjB,wBAAwB,EACxB,cAAc,EACd,uBAAuB,EACvB,8BAA8B,GAC/B,MAAM,iBAAiB,CAAC;AACzB,YAAY,EACV,wBAAwB,EACxB,uBAAuB,EACvB,uBAAuB,EACvB,sBAAsB,EACtB,YAAY,EACZ,oBAAoB,EACpB,qBAAqB,GACtB,MAAM,aAAa,CAAC"}

package/dist/index.js

@@ -3510,6 +3510,7 @@ function serveUptime(options = {}) {
       apiToken: options.apiToken,
       hostedToken: options.hostedToken,
       hostedTokens: options.hostedTokens,
+      hostedAllowedOrigins: options.hostedAllowedOrigins,
       allowUnsafeRemoteMutations: options.allowUnsafeRemoteMutations,
       trustedLoopback: isLoopbackHost(options.host ?? "127.0.0.1"),
       mode
@@ -3569,13 +3570,23 @@ async function handleHostedRequest(service, request, url, options) {
   const scope = hostedScopeFor(request.method, apiPath);
   requireHostedActor(request, url, options, scope);
   if (["POST", "PATCH", "DELETE"].includes(request.method)) {
-    const origin = request.headers.get("origin");
-    if (origin && origin !== `${url.protocol}//${url.host}`) {
-      throw new ApiError("cross-origin mutation rejected", 403);
-    }
+    validateHostedMutationOrigin(request, url, options);
   }
   return handleApiRoute(service, request, url, apiPath, options, true);
 }
+function validateHostedMutationOrigin(request, url, options) {
+  const rawOrigin = request.headers.get("origin");
+  const origin = normalizeOrigin(rawOrigin);
+  if (rawOrigin && !origin) {
+    throw new ApiError("cross-origin mutation rejected", 403);
+  }
+  if (!origin)
+    return;
+  const allowedOrigins = new Set([`${url.protocol}//${url.host}`, ...resolveHostedAllowedOrigins(options)]);
+  if (!allowedOrigins.has(origin)) {
+    throw new ApiError("cross-origin mutation rejected", 403);
+  }
+}
 async function handleApiRoute(service, request, url, apiPath, options, hosted) {
   if (request.method === "GET" && apiPath === "/api/summary") {
     return json(service.summary());
@@ -3794,6 +3805,34 @@ function resolveHostedTokens(options) {
     workspaceId: process.env.HASNA_UPTIME_WORKSPACE_ID ?? "default"
   }];
 }
+function resolveHostedAllowedOrigins(options) {
+  const configured = options.hostedAllowedOrigins ?? splitCsv(process.env.HASNA_UPTIME_ALLOWED_ORIGINS);
+  return configured.map((origin) => normalizeAllowedOrigin(origin)).filter((origin) => Boolean(origin));
+}
+function splitCsv(value) {
+  if (!value)
+    return [];
+  return value.split(",").map((entry) => entry.trim()).filter(Boolean);
+}
+function normalizeAllowedOrigin(value) {
+  const origin = normalizeOrigin(value);
+  if (!origin) {
+    throw new ApiError(`invalid hosted allowed origin: ${value}`, 500);
+  }
+  return origin;
+}
+function normalizeOrigin(value) {
+  if (!value?.trim())
+    return;
+  try {
+    const parsed = new URL(value.trim());
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:")
+      return;
+    return `${parsed.protocol}//${parsed.host}`;
+  } catch {
+    return;
+  }
+}
 function safeTokenEqual(candidate, expected) {
   if (!candidate)
     return false;
@@ -3829,6 +3868,7 @@ var DEFAULT_HOSTNAME = "uptime.example.com";
 var DEFAULT_WORKSPACE_ID = "workspace-id";
 var DEFAULT_VPC_ID = "vpc-xxxxxxxx";
 var DEFAULT_HOSTED_SQLITE_DB = "/data/uptime/uptime.db";
+var DEFAULT_PROTECTED_ACCESS_MODE = "cloudfront_default_domain";
 function buildAwsDeploymentPlan(options = {}) {
   const region = clean(options.region, DEFAULT_REGION);
   const stage = clean(options.stage, DEFAULT_STAGE);
@@ -3841,7 +3881,9 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.7");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.9");
+  const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
+  const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;
   const secrets = {
     appEnv: clean(options.appEnvSecretName, `open-uptime/${stage}/app/env`),
@@ -3855,7 +3897,8 @@ function buildAwsDeploymentPlan(options = {}) {
       HASNA_UPTIME_MODE: "hosted",
       HASNA_UPTIME_HOSTED_SQLITE_DB: hostedSqliteDbPath,
       HASNA_UPTIME_WORKSPACE_ID: workspaceId,
-      HASNA_UPTIME_HOSTNAME: hostname
+      HASNA_UPTIME_HOSTNAME: hostname,
+      HASNA_UPTIME_ALLOWED_ORIGINS: protectedAccessUrl
     }),
     servicePlan(prefix, stage, "scheduler", 0, image, workspaceId, secrets, {
       HASNA_UPTIME_MODE: "hosted",
@@ -3881,7 +3924,7 @@ function buildAwsDeploymentPlan(options = {}) {
   ];
   return {
     kind: "open-uptime.aws-deployment-plan",
-    version: 2,
+    version: 3,
     generatedAt: new Date().toISOString(),
     status: "blocked",
     canApply: false,
@@ -3903,6 +3946,9 @@ function buildAwsDeploymentPlan(options = {}) {
       hostedSqliteDbPath,
       evidenceBucket,
       loadBalancer: `${prefix}-${stage}-alb`,
+      protectedAccessMode,
+      edgeDistribution: protectedAccessMode === "cloudfront_default_domain" ? `${prefix}-${stage}-edge` : undefined,
+      protectedAccessUrl,
       targetGroups: [`${prefix}-${stage}-web-tg`],
       securityGroups: [
         `${prefix}-${stage}-alb-sg`,
@@ -3950,7 +3996,7 @@ function buildAwsDeploymentPlan(options = {}) {
         `Infra PR must declare CodeBuild image builder ${prefix}-${stage}-image-builder for @hasna/uptime@${runtimePackageVersion}.`,
         `Infra PR must declare hardened S3 evidence bucket ${evidenceBucket} with KMS, versioning, lifecycle, and public access block.`,
         `Infra PR must declare encrypted EFS ${prefix}-${stage}-data with access point, mount targets, and AWS Backup plan.`,
-        `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
+        protectedAccessMode === "cloudfront_default_domain" ? "Infra PR must declare CloudFront default-domain HTTPS edge, ALB HTTP listener restricted to CloudFront origin-facing ranges, ECS/Fargate cluster, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs." : `Infra PR must declare ECS/Fargate cluster ${cluster}, ALB HTTPS listener, target groups, security groups, IAM roles, CloudWatch log groups, and Secrets Manager refs.`,
         "Only apply the infra plan from the approved infrastructure repository after review evidence is attached."
       ],
       deploy: [
@@ -3959,7 +4005,7 @@ function buildAwsDeploymentPlan(options = {}) {
         "For the EFS SQLite bridge, do not run migration, scheduler, public-probe, or reporter tasks; keep them at desired count 0 until Postgres and cloud leases exist.",
         `Register task definitions for ${services.map((service) => service.name).join(", ")} using valueFrom secrets.`,
         `Update ECS services in cluster ${cluster} one component at a time through the approved deploy pipeline.`,
-        `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
+        protectedAccessMode === "cloudfront_default_domain" ? "Use the CloudFront default HTTPS domain for first protected access; add custom DNS/certificate only after edge ownership is approved." : `Create Route53/edge record for ${hostname} only after ALB health checks pass and auth denial smokes succeed.`
       ],
       rollback: [
         "Keep previous task definition ARNs before each service update.",
@@ -3967,9 +4013,9 @@ function buildAwsDeploymentPlan(options = {}) {
         "Disable scheduler/reporter services before data rollback.",
         "Restore EFS backup recovery point only after explicit operator approval and audit record."
       ],
-      spark01: [
+      privateProbe: [
         "Create a private probe identity with a caller-managed public key.",
-        "Install @hasna/uptime on Spark01 and write the generated env file with mode 0600.",
+        "Install @hasna/uptime on the private probe operator machine and write the generated env file with mode 0600.",
         "Run the private probe against the hosted /api/v1 probe endpoint once it exists."
       ]
     },
@@ -3978,17 +4024,17 @@ function buildAwsDeploymentPlan(options = {}) {
       "The EFS SQLite bridge is single-writer only: web target desired count is 1 and scheduler/public-probe/reporter targets remain 0 until Postgres and cloud leases exist.",
       "Hosted production auth/RBAC must replace broad static hosted-token operation before exposure.",
       "Public probe execution still needs DNS, redirect, and rebinding SSRF enforcement plus cloud check-job leases.",
-      "Spark01 hosted probe enrollment, claim, submit, heartbeat, revocation, and rotation are not cloud-backed yet."
+      "Private probe enrollment, claim, submit, heartbeat, revocation, and rotation are not cloud-backed yet."
     ],
     requiredEvidence: [
       "Infrastructure PR/synth/plan from the approved infra repository.",
       "CodeBuild image-builder run, container smoke, and immutable image digest.",
       "ECS task definitions using secrets.valueFrom only.",
-      "ALB/TLS/DNS/auth denial smokes and web alarm checks.",
+      "CloudFront-default-domain or ALB TLS auth-denial smokes, direct-origin denial evidence, and web alarm checks.",
       "Single-writer ECS evidence: one web task maximum and no scheduler/public-probe/reporter EFS mounts.",
       "EFS encryption, access point, mount-target, AWS Backup, and restore-drill evidence.",
       "S3 bucket KMS, versioning, lifecycle, and public-access-block evidence.",
-      "Spark01 private-probe registration, key-file mode, heartbeat, and revocation evidence."
+      "Private-probe registration, key-file mode, heartbeat, and revocation evidence."
     ],
     safety: {
       liveAwsMutation: false,
@@ -3997,6 +4043,7 @@ function buildAwsDeploymentPlan(options = {}) {
       notes: [
         "This plan generator does not call AWS.",
         "Blocked plan output intentionally avoids copy-pastable AWS mutation commands.",
+        "Default protected access uses CloudFront's HTTPS default domain so first deploy is not blocked on custom DNS or ACM.",
         "Hosted runtime uses explicit EFS-backed SQLite at HASNA_UPTIME_HOSTED_SQLITE_DB until the async Postgres adapter exists.",
         "Do not set HASNA_UPTIME_DATABASE_URL for hosted tasks until the Postgres adapter is implemented.",
         "Secrets are represented as secret names/refs and must be injected with valueFrom.",
@@ -4005,16 +4052,16 @@ function buildAwsDeploymentPlan(options = {}) {
     }
   };
 }
-function buildSpark01CloudConfig(options = {}) {
+function buildPrivateProbeCloudConfig(options = {}) {
   const apiUrl = clean(options.apiUrl, `https://${DEFAULT_HOSTNAME}/api/v1`);
   const workspaceId = clean(options.workspaceId, DEFAULT_WORKSPACE_ID);
-  const machineId = clean(options.machineId, "spark01");
-  const privateKeyFile = clean(options.probePrivateKeyFile, "~/.hasna/uptime/probes/spark01.key.pem");
+  const machineId = clean(options.machineId, "private-probe-01");
+  const privateKeyFile = clean(options.probePrivateKeyFile, "~/.hasna/uptime/probes/private-probe-01.key.pem");
   const probeId = options.probeId?.trim();
   const blockers = [
     ...probeId ? [] : ["Cloud-registered private probe id is required before writing a sourceable env file."],
     "Hosted probe claim and submit routes still fail closed until cloud check_jobs and workspace stores are implemented.",
-    "Spark01 enrollment, heartbeat, revocation, rotation, and bounded offline lease handling are not implemented yet."
+    "Private probe enrollment, heartbeat, revocation, rotation, and bounded offline lease handling are not implemented yet."
   ];
   const env2 = {
     HASNA_UPTIME_MODE: "hosted",
@@ -4028,7 +4075,7 @@ function buildSpark01CloudConfig(options = {}) {
   if (probeId)
     env2.HASNA_UPTIME_PRIVATE_PROBE_ID = probeId;
   return {
-    kind: "open-uptime.spark01-cloud-config",
+    kind: "open-uptime.private-probe-cloud-config",
     version: 1,
     generatedAt: new Date().toISOString(),
     status: "blocked",
@@ -4040,7 +4087,7 @@ function buildSpark01CloudConfig(options = {}) {
       {
         path: privateKeyFile,
         mode: "0600",
-        purpose: "Ed25519 private key generated on Spark01; never paste into cloud config."
+        purpose: "Ed25519 private key generated on the private probe machine; never paste into cloud config."
       },
       {
         path: "~/.hasna/uptime/cloud.env",
@@ -4050,7 +4097,7 @@ function buildSpark01CloudConfig(options = {}) {
     ],
     commands: [
       "bun install -g @hasna/uptime@latest",
-      "Generate the Spark01 private key locally and register only its public key with the hosted control plane once registration exists.",
+      "Generate the private probe key locally and register only its public key with the hosted control plane once registration exists.",
       "Write ~/.hasna/uptime/cloud.env from this plan, then source it for the private probe service.",
       "Start the private probe worker only after hosted /api/v1 probe claim/submit routes are backed by cloud jobs."
     ],
@@ -4059,18 +4106,18 @@ function buildSpark01CloudConfig(options = {}) {
       privateKeyInline: false,
       tokenInline: false,
       notes: [
-        "This config is hosted-targeted preflight: Spark01 must not start until cloud probe routes are backed by hosted state.",
+        "This config is hosted-targeted preflight: the private probe must not start until cloud probe routes are backed by hosted state.",
         "The private key file path is referenced, not embedded.",
         "Hosted token or probe auth material must come from the machine secret store, not this generated config."
       ]
     }
   };
 }
-function renderSpark01Env(config) {
+function renderPrivateProbeEnv(config) {
   const required = ["HASNA_UPTIME_PRIVATE_PROBE_ID"];
   const missing = required.filter((key) => !config.env[key]);
   if (missing.length > 0) {
-    throw new Error(`Spark01 env output requires ${missing.join(", ")}`);
+    throw new Error(`private probe env output requires ${missing.join(", ")}`);
   }
   return Object.entries(config.env).map(([key, value]) => `${key}=${shellEscape(value)}`).join(`
 `);
@@ -4115,7 +4162,7 @@ export {
   runHttpCheck,
   runBrowserPageCheck,
   rollbackImport,
-  renderSpark01Env,
+  renderPrivateProbeEnv,
   probeResultSigningPayload,
   probePublicKeyFingerprint,
   previewImport,
@@ -4124,7 +4171,7 @@ export {
   createUptimeClient,
   createApiHandler,
   buildUptimeReport,
-  buildSpark01CloudConfig,
+  buildPrivateProbeCloudConfig,
   buildAwsDeploymentPlan,
   applyImport,
   UptimeStore,

package/docs/aws-deployment-runbook.md

@@ -8,7 +8,7 @@ call AWS or mutate infrastructure.
 
 ```bash
 uptime cloud plan --json > open-uptime-aws-plan.json
-uptime cloud spark01-config --probe-id prb_spark01 --env > spark01-uptime.env
+uptime cloud private-probe-config --probe-id prb_private_01 --machine-id private-probe-01 --env > private-probe-01-uptime.env
 ```
 
 Public package defaults are placeholders:
@@ -19,12 +19,13 @@ Public package defaults are placeholders:
 - hosted data path: EFS-mounted SQLite at `/data/uptime/uptime.db`
 - hostname: `uptime.example.com`
 - workspace id: `workspace-id`
+- protected access mode: `cloudfront_default_domain`
 
 Override these with CLI flags or private deployment evidence for the real
 account, hostname, workspace id, VPC id, secret refs, and repository names.
 
 The generated AWS plan currently returns `status: "blocked"` and
-`canApply: false`. The generated Spark01 config returns `status: "blocked"` and
+`canApply: false`. The generated private-probe config returns `status: "blocked"` and
 `canStart: false`. Treat both as review/preflight artifacts until the blockers
 and required evidence in the JSON output are resolved.
 
@@ -32,7 +33,7 @@ The app repo includes a hosted runtime `Dockerfile` and Terraform/OpenTofu
 starter files in `infra/aws`. The plan output points to these files and keeps
 `applyAllowed: false`.
 
-`uptime cloud spark01-config --env` requires a real `--probe-id`; it will not
+`uptime cloud private-probe-config --env` requires a real `--probe-id`; it will not
 write a sourceable env file with a placeholder probe identity.
 
 ## Preflight
@@ -47,7 +48,9 @@ write a sourceable env file with a placeholder probe identity.
 
 3. Confirm the target VPC, private subnets, KMS key, and EFS/Backup plan inputs
    still match the plan.
-4. Confirm Route53/edge ownership for the chosen hostname.
+4. Confirm the protected access mode. The first deploy can use the CloudFront
+   default HTTPS domain without custom DNS or ACM. Custom hostname deploys still
+   require Route53/edge ownership and an ACM certificate.
 5. Confirm the deployment role uses short-lived credentials or OIDC, not copied
    access keys.
 
@@ -59,7 +62,9 @@ The plan expects:
 - ECS/Fargate cluster with separate services for web, scheduler, public probe,
   reporter, and one-off migrations. In the current EFS SQLite bridge, only web
   may be enabled and it must run at desired count `0` or `1`.
-- ALB, TLS certificate, target group, and security groups.
+- CloudFront default-domain HTTPS edge plus ALB HTTP origin restricted to
+  CloudFront origin-facing ranges, or an ALB HTTPS listener with ACM certificate
+  when custom DNS is approved.
 - Encrypted EFS file system, access point, mount targets, and AWS Backup plan
   for `HASNA_UPTIME_HOSTED_SQLITE_DB=/data/uptime/uptime.db`.
 - S3 bucket for redacted browser evidence and generated report artifacts.
@@ -82,12 +87,14 @@ terraform -chdir=infra/aws validate
 terraform -chdir=infra/aws plan -out open-uptime.tfplan
 ```
 
-## Spark01
+Use Terraform/OpenTofu 1.9 or newer for this starter.
 
-Spark01 should be a private probe/operator machine, not the hosted source of
-truth. The generated env file points Spark01 at hosted `/api/v1` state and
-references a local private-key file path. It does not include private key or
-token contents.
+## Private Probe Operator
+
+The operator machine should be a private probe/operator machine, not the hosted
+source of truth. The generated env file points the machine at hosted `/api/v1`
+state and references a local private-key file path. It does not include private
+key or token contents.
 
 The private probe service should not be enabled until hosted probe claim/submit
 routes are backed by cloud check jobs and cloud audit rows.
@@ -98,6 +105,9 @@ routes are backed by cloud check jobs and cloud audit rows.
 - Do deploy hosted mode with `HASNA_UPTIME_HOSTED_SQLITE_DB` pointing at the EFS
   mount path `/data/uptime/uptime.db`. Do not set `HASNA_UPTIME_DATABASE_URL`
   until the async Postgres adapter exists.
+- Do set `HASNA_UPTIME_ALLOWED_ORIGINS` on the hosted web task to the public
+  HTTPS edge origin, such as the CloudFront default domain or approved custom
+  hostname.
 - Do not inline AWS keys, hosted tokens, Mailery keys, Open Logs tokens, database
   URLs, or probe private keys in task definitions. Use ECS `secrets.valueFrom`
   refs such as `HASNA_UPTIME_HOSTED_TOKEN`.
@@ -105,8 +115,16 @@ routes are backed by cloud check jobs and cloud audit rows.
 - Do not enable scheduler, public-probe, reporter, or migration workers against
   the EFS SQLite bridge; those services need Postgres/cloud leases first.
 - Do not expose dashboard/API routes without hosted auth and workspace checks.
-- Do not treat local SQLite, local project DBs, or Spark01 local state as cloud
+- Do not expose the ALB directly in CloudFront mode; ALB ingress must be limited
+  to CloudFront origin-facing ranges.
+- Do not treat CloudFront prefix-list ingress as distribution-bound origin
+  protection. Before enabling the web task, add CloudFront VPC origin/private
+  ALB routing or require a CloudFront-only origin header whose secret value is
+  not stored in Terraform state.
+- Do not treat local SQLite, local project DBs, or private-probe local state as cloud
   authority after cutover.
+- Do configure owner/project/environment/service/cost-center tags and AWS
+  Budgets alert recipients in the approved infra root before live scale-out.
 
 ## Rollback
 

package/infra/aws/README.md

@@ -15,6 +15,8 @@ terraform -chdir=infra/aws validate
 terraform -chdir=infra/aws plan -out open-uptime.tfplan
 ```
 
+Terraform 1.9 or newer is required by the variable validation in this starter.
+
 Required inputs are declared in `variables.tf` and illustrated in
 `terraform.tfvars.example`. Secrets are passed as Secrets Manager/SSM ARNs only;
 never place plaintext tokens, database URLs, private keys, or channel
@@ -31,12 +33,31 @@ The included CodeBuild project builds `@hasna/uptime` from npm with
 `Dockerfile.package` and pushes the resulting image to ECR. This avoids
 depending on a local Docker daemon for image publication.
 
+The default protected access mode is `cloudfront_default_domain`: CloudFront
+serves HTTPS on its default domain while the ALB origin accepts HTTP only from
+AWS's CloudFront origin-facing managed prefix list. Use `alb_https_cert` only
+after custom DNS and an ACM certificate are approved.
+The web task receives `HASNA_UPTIME_ALLOWED_ORIGINS` for the selected public
+HTTPS origin so hosted mutation CSRF checks still work through the private HTTP
+origin hop.
+
+CloudFront prefix-list ingress is only a network narrowing control; it is not
+bound to one distribution. Add CloudFront VPC origin/private ALB routing or an
+ALB origin-header rule with the secret value managed outside Terraform state
+before enabling the web task.
+
+All module resources carry owner, project, environment, service, account, app
+type, and cost-center tags. Set `monthly_budget_limit_usd` plus
+`budget_alert_email_addresses` in the approved infra root to create AWS Budgets
+forecasted and actual spend alerts. Leaving the email list empty skips budget
+creation and is not sufficient for live scale-out approval.
+
 ## Current Blockers
 
 - Hosted production auth/RBAC still needs scoped, revocable credentials.
 - Public probe runtime still needs execution-time DNS/redirect/rebinding SSRF
   enforcement.
-- Spark01 hosted private-probe enrollment/heartbeat/revocation is still
+- Hosted private-probe enrollment/heartbeat/revocation is still
   fail-closed.
 
 Keep `desired_count` at `0`, or at `1` for the protected web bridge only after