@hasna/uptime 0.1.8 → 0.1.9

package/CHANGELOG.md

@@ -6,6 +6,15 @@ project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [0.1.9] - 2026-06-28
+
+### Changed
+
+- AWS Terraform EFS mount targets now use stable list-index keys so deployment
+  roots can create private subnets and Open Uptime resources in one plan.
+- AWS Terraform resources now include owner/project/environment/cost-center tags
+  and optional AWS Budgets alerts when recipients are configured.
+
 ## [0.1.8] - 2026-06-28
 
 ### Added
@@ -66,12 +75,12 @@ project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 - Dry-run AWS deployment plan generator for a reviewed AWS target,
   covering ECS/Fargate services, ECR image commands, ALB/RDS/S3/Secrets/Logs
   resources, rollback steps, and safety assertions.
-- Spark01 hosted-targeted private probe preflight config generator with JSON and
+- Private-probe hosted-targeted preflight config generator with JSON and
   env-file rendering.
-- CLI commands `uptime cloud plan` and `uptime cloud spark01-config`.
+- CLI commands `uptime cloud plan` and `uptime cloud private-probe-config`.
 - SDK export `@hasna/uptime/cloud-plan`.
 - Machine-readable `blocked`/`canApply:false` and `blocked`/`canStart:false`
-  gates plus blocker/evidence lists for AWS and Spark01 planning artifacts.
+  gates plus blocker/evidence lists for AWS and private-probe planning artifacts.
 
 ### Security
 

package/README.md

@@ -32,7 +32,7 @@ uptime report-schedules run-due
 uptime report-schedules runs
 uptime audit
 uptime cloud plan --json
-uptime cloud spark01-config --probe-id prb_spark01 --env
+uptime cloud private-probe-config --probe-id prb_private_01 --machine-id private-probe-01 --env
 uptime incidents
 uptime serve --port 3899 --check
 ```
@@ -41,7 +41,7 @@ Scheduled reports persist endpoint and recipient configuration, but not send
 keys or API tokens. Configure `MAILERY_SEND_KEY`, `HASNA_MAILERY_SEND_KEY`,
 `HASNA_LOGS_API_TOKEN`, or the matching service env vars before scheduled runs.
 
-The `uptime cloud ...` commands generate dry-run AWS/Spark01 planning artifacts
+The `uptime cloud ...` commands generate dry-run AWS/private-probe planning artifacts
 only. They do not call AWS, write secrets, or produce an approved deploy script;
 current output is intentionally blocked until the infra and cloud-store evidence
 in `docs/aws-deployment-runbook.md` is satisfied.
@@ -63,7 +63,7 @@ the published npm package into ECR from inside AWS.
 Private/local probes can submit signed results from another machine:
 
 ```bash
-uptime probes create spark01 --private-key-file ./spark01-probe.key.pem
+uptime probes create private-probe-01 --private-key-file ./private-probe-01.key.pem
 uptime probes jobs create --monitor <monitor-id> --schedule-slot 2026-06-28T12:00:00Z
 uptime probes jobs claim <job-id> --probe <probe-id>
 uptime probes submit \
@@ -73,7 +73,7 @@ uptime probes submit \
   --fencing-token <claim-fencing-token> \
   --monitor <monitor-id> \
   --monitor-revision <claim-monitor-revision> \
-  --private-key-file ./spark01-probe.key.pem \
+  --private-key-file ./private-probe-01.key.pem \
   --status up
 ```
 

package/dist/cli/index.js

@@ -6478,7 +6478,7 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.8");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.9");
   const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
   const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;
@@ -6610,9 +6610,9 @@ function buildAwsDeploymentPlan(options = {}) {
         "Disable scheduler/reporter services before data rollback.",
         "Restore EFS backup recovery point only after explicit operator approval and audit record."
       ],
-      spark01: [
+      privateProbe: [
         "Create a private probe identity with a caller-managed public key.",
-        "Install @hasna/uptime on Spark01 and write the generated env file with mode 0600.",
+        "Install @hasna/uptime on the private probe operator machine and write the generated env file with mode 0600.",
         "Run the private probe against the hosted /api/v1 probe endpoint once it exists."
       ]
     },
@@ -6621,7 +6621,7 @@ function buildAwsDeploymentPlan(options = {}) {
       "The EFS SQLite bridge is single-writer only: web target desired count is 1 and scheduler/public-probe/reporter targets remain 0 until Postgres and cloud leases exist.",
       "Hosted production auth/RBAC must replace broad static hosted-token operation before exposure.",
       "Public probe execution still needs DNS, redirect, and rebinding SSRF enforcement plus cloud check-job leases.",
-      "Spark01 hosted probe enrollment, claim, submit, heartbeat, revocation, and rotation are not cloud-backed yet."
+      "Private probe enrollment, claim, submit, heartbeat, revocation, and rotation are not cloud-backed yet."
     ],
     requiredEvidence: [
       "Infrastructure PR/synth/plan from the approved infra repository.",
@@ -6631,7 +6631,7 @@ function buildAwsDeploymentPlan(options = {}) {
       "Single-writer ECS evidence: one web task maximum and no scheduler/public-probe/reporter EFS mounts.",
       "EFS encryption, access point, mount-target, AWS Backup, and restore-drill evidence.",
       "S3 bucket KMS, versioning, lifecycle, and public-access-block evidence.",
-      "Spark01 private-probe registration, key-file mode, heartbeat, and revocation evidence."
+      "Private-probe registration, key-file mode, heartbeat, and revocation evidence."
     ],
     safety: {
       liveAwsMutation: false,
@@ -6649,16 +6649,16 @@ function buildAwsDeploymentPlan(options = {}) {
     }
   };
 }
-function buildSpark01CloudConfig(options = {}) {
+function buildPrivateProbeCloudConfig(options = {}) {
   const apiUrl = clean(options.apiUrl, `https://${DEFAULT_HOSTNAME}/api/v1`);
   const workspaceId = clean(options.workspaceId, DEFAULT_WORKSPACE_ID);
-  const machineId = clean(options.machineId, "spark01");
-  const privateKeyFile = clean(options.probePrivateKeyFile, "~/.hasna/uptime/probes/spark01.key.pem");
+  const machineId = clean(options.machineId, "private-probe-01");
+  const privateKeyFile = clean(options.probePrivateKeyFile, "~/.hasna/uptime/probes/private-probe-01.key.pem");
   const probeId = options.probeId?.trim();
   const blockers = [
     ...probeId ? [] : ["Cloud-registered private probe id is required before writing a sourceable env file."],
     "Hosted probe claim and submit routes still fail closed until cloud check_jobs and workspace stores are implemented.",
-    "Spark01 enrollment, heartbeat, revocation, rotation, and bounded offline lease handling are not implemented yet."
+    "Private probe enrollment, heartbeat, revocation, rotation, and bounded offline lease handling are not implemented yet."
   ];
   const env3 = {
     HASNA_UPTIME_MODE: "hosted",
@@ -6672,7 +6672,7 @@ function buildSpark01CloudConfig(options = {}) {
   if (probeId)
     env3.HASNA_UPTIME_PRIVATE_PROBE_ID = probeId;
   return {
-    kind: "open-uptime.spark01-cloud-config",
+    kind: "open-uptime.private-probe-cloud-config",
     version: 1,
     generatedAt: new Date().toISOString(),
     status: "blocked",
@@ -6684,7 +6684,7 @@ function buildSpark01CloudConfig(options = {}) {
       {
         path: privateKeyFile,
         mode: "0600",
-        purpose: "Ed25519 private key generated on Spark01; never paste into cloud config."
+        purpose: "Ed25519 private key generated on the private probe machine; never paste into cloud config."
       },
       {
         path: "~/.hasna/uptime/cloud.env",
@@ -6694,7 +6694,7 @@ function buildSpark01CloudConfig(options = {}) {
     ],
     commands: [
       "bun install -g @hasna/uptime@latest",
-      "Generate the Spark01 private key locally and register only its public key with the hosted control plane once registration exists.",
+      "Generate the private probe key locally and register only its public key with the hosted control plane once registration exists.",
       "Write ~/.hasna/uptime/cloud.env from this plan, then source it for the private probe service.",
       "Start the private probe worker only after hosted /api/v1 probe claim/submit routes are backed by cloud jobs."
     ],
@@ -6703,18 +6703,18 @@ function buildSpark01CloudConfig(options = {}) {
       privateKeyInline: false,
       tokenInline: false,
       notes: [
-        "This config is hosted-targeted preflight: Spark01 must not start until cloud probe routes are backed by hosted state.",
+        "This config is hosted-targeted preflight: the private probe must not start until cloud probe routes are backed by hosted state.",
         "The private key file path is referenced, not embedded.",
         "Hosted token or probe auth material must come from the machine secret store, not this generated config."
       ]
     }
   };
 }
-function renderSpark01Env(config) {
+function renderPrivateProbeEnv(config) {
   const required = ["HASNA_UPTIME_PRIVATE_PROBE_ID"];
   const missing = required.filter((key) => !config.env[key]);
   if (missing.length > 0) {
-    throw new Error(`Spark01 env output requires ${missing.join(", ")}`);
+    throw new Error(`private probe env output requires ${missing.join(", ")}`);
   }
   return Object.entries(config.env).map(([key, value]) => `${key}=${shellEscape(value)}`).join(`
 `);
@@ -7054,7 +7054,7 @@ program2.command("audit").description("List local audit events").option("--resou
     fail(error);
   }
 });
-var cloud = program2.command("cloud").description("Generate dry-run cloud deployment and Spark01 configuration artifacts");
+var cloud = program2.command("cloud").description("Generate dry-run cloud deployment and private-probe configuration artifacts");
 cloud.command("plan").description("Generate a dry-run AWS deployment plan").option("--account <name>", "AWS account/profile label", "aws-profile").option("--region <region>", "AWS region", "us-east-1").option("--stage <stage>", "deployment stage", "prod").option("--hostname <hostname>", "hosted Open Uptime hostname", "uptime.example.com").option("--workspace-id <id>", "workspace id", "workspace-id").option("--vpc-id <id>", "target VPC id").option("--hosted-sqlite-db <path>", "hosted SQLite path on the EFS mount").option("--rds-instance-id <id>", "deprecated; ignored until the hosted Postgres adapter exists").option("--database-secret-name <name>", "deprecated; ignored until the hosted Postgres adapter exists").option("--ecr-repository <name>", "ECR repository name").option("--image <uri>", "container image URI").option("--runtime-package-version <version>", "published @hasna/uptime version for the AWS image builder").addOption(new Option("--protected-access-mode <mode>", "protected web access mode").choices(["cloudfront_default_domain", "alb_https_cert"]).default("cloudfront_default_domain")).option("--evidence-bucket <name>", "S3 evidence bucket name").option("-j, --json", "print JSON").action((opts) => {
   try {
     const plan = buildAwsDeploymentPlan({
@@ -7078,9 +7078,9 @@ cloud.command("plan").description("Generate a dry-run AWS deployment plan").opti
     fail(error);
   }
 });
-cloud.command("spark01-config").description("Generate Spark01 hosted-targeted private probe preflight configuration").option("--api-url <url>", "hosted Open Uptime API URL", "https://uptime.example.com/api/v1").option("--workspace-id <id>", "workspace id", "workspace-id").option("--probe-id <id>", "cloud registered private probe id").option("--private-key-file <path>", "Spark01 private probe key file", "~/.hasna/uptime/probes/spark01.key.pem").option("--machine-id <id>", "machine id", "spark01").option("--log-level <level>", "probe log level", "info").option("--env", "print shell env file instead of summary text").option("-j, --json", "print JSON").action((opts) => {
+cloud.command("private-probe-config").description("Generate hosted-targeted private probe preflight configuration").option("--api-url <url>", "hosted Open Uptime API URL", "https://uptime.example.com/api/v1").option("--workspace-id <id>", "workspace id", "workspace-id").option("--probe-id <id>", "cloud registered private probe id").option("--private-key-file <path>", "private probe key file", "~/.hasna/uptime/probes/private-probe-01.key.pem").option("--machine-id <id>", "machine id", "private-probe-01").option("--log-level <level>", "probe log level", "info").option("--env", "print shell env file instead of summary text").option("-j, --json", "print JSON").action((opts) => {
   try {
-    const config = buildSpark01CloudConfig({
+    const config = buildPrivateProbeCloudConfig({
       apiUrl: opts.apiUrl,
       workspaceId: opts.workspaceId,
       probeId: opts.probeId,
@@ -7089,10 +7089,10 @@ cloud.command("spark01-config").description("Generate Spark01 hosted-targeted pr
       logLevel: opts.logLevel
     });
     if (opts.env && !wantsJson(opts)) {
-      console.log(renderSpark01Env(config));
+      console.log(renderPrivateProbeEnv(config));
       return;
     }
-    print(config, renderSpark01Config(config), opts);
+    print(config, renderPrivateProbeConfig(config), opts);
   } catch (error) {
     fail(error);
   }
@@ -7472,7 +7472,7 @@ function renderCloudPlan(plan) {
   ].join(`
 `);
 }
-function renderSpark01Config(config) {
+function renderPrivateProbeConfig(config) {
   return [
     `${config.machineId} ${config.mode} config`,
     `status: ${config.status}`,

package/dist/cloud-plan.d.ts

@@ -75,7 +75,7 @@ export interface AwsDeploymentPlan {
         provision: string[];
         deploy: string[];
         rollback: string[];
-        spark01: string[];
+        privateProbe: string[];
     };
     blockers: string[];
     requiredEvidence: string[];
@@ -98,7 +98,7 @@ export interface AwsServicePlan {
     environment: Record<string, string>;
     secrets: Record<string, string>;
 }
-export interface Spark01CloudConfigOptions {
+export interface PrivateProbeCloudConfigOptions {
     apiUrl?: string;
     workspaceId?: string;
     probeId?: string;
@@ -106,8 +106,8 @@ export interface Spark01CloudConfigOptions {
     machineId?: string;
     logLevel?: string;
 }
-export interface Spark01CloudConfig {
-    kind: "open-uptime.spark01-cloud-config";
+export interface PrivateProbeCloudConfig {
+    kind: "open-uptime.private-probe-cloud-config";
     version: 1;
     generatedAt: string;
     status: "blocked";
@@ -129,6 +129,6 @@ export interface Spark01CloudConfig {
     };
 }
 export declare function buildAwsDeploymentPlan(options?: AwsDeploymentPlanOptions): AwsDeploymentPlan;
-export declare function buildSpark01CloudConfig(options?: Spark01CloudConfigOptions): Spark01CloudConfig;
-export declare function renderSpark01Env(config: Spark01CloudConfig): string;
+export declare function buildPrivateProbeCloudConfig(options?: PrivateProbeCloudConfigOptions): PrivateProbeCloudConfig;
+export declare function renderPrivateProbeEnv(config: PrivateProbeCloudConfig): string;
 //# sourceMappingURL=cloud-plan.d.ts.map

package/dist/cloud-plan.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cloud-plan.d.ts","sourceRoot":"","sources":["../src/cloud-plan.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,wBAAwB;IACvC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,mBAAmB,CAAC,EAAE,2BAA2B,GAAG,gBAAgB,CAAC;IACrE,wFAAwF;IACxF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,wFAAwF;IACxF,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,iCAAiC,CAAC;IACxC,OAAO,EAAE,CAAC,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,SAAS,CAAC;IAClB,QAAQ,EAAE,KAAK,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,QAAQ,CAAC;IACf,SAAS,EAAE;QACT,aAAa,EAAE,MAAM,CAAC;QACtB,YAAY,EAAE,MAAM,CAAC;QACrB,UAAU,EAAE,MAAM,CAAC;QACnB,QAAQ,EAAE,cAAc,EAAE,CAAC;QAC3B,KAAK,EAAE,MAAM,CAAC;QACd,aAAa,EAAE,MAAM,CAAC;QACtB,cAAc,EAAE,MAAM,CAAC;QACvB,kBAAkB,EAAE,MAAM,CAAC;QAC3B,cAAc,EAAE,MAAM,CAAC;QACvB,YAAY,EAAE,MAAM,CAAC;QACrB,mBAAmB,EAAE,2BAA2B,GAAG,gBAAgB,CAAC;QACpE,gBAAgB,CAAC,EAAE,MAAM,CAAC;QAC1B,kBAAkB,EAAE,MAAM,CAAC;QAC3B,YAAY,EAAE,MAAM,EAAE,CAAC;QACvB,cAAc,EAAE,MAAM,EAAE,CAAC;QACzB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAChC,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,MAAM,EAAE,MAAM,EAAE,CAAC;KAClB,CAAC;IACF,KAAK,EAAE;QACL,UAAU,EAAE,MAAM,CAAC;QACnB,GAAG,EAAE,MAAM,CAAC;QACZ,UAAU,EAAE,MAAM,CAAC;QACnB,YAAY,EAAE,MAAM,CAAC;QACrB,YAAY,EAAE,MAAM,EAAE,CAAC;KACxB,CAAC;IACF,KAAK,EAAE;QACL,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;QACnB,WAAW,EAAE,MAAM,CAAC;QACpB,eAAe,EAAE,MAAM,CAAC;QACxB,WAAW,EAAE,MAAM,CAAC;QACpB,YAAY,EAAE,KAAK,CAAC;KACrB,CAAC;IACF,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,QAAQ,EAAE,MAAM,EAAE,CAAC;QACnB,OAAO,EAAE,MAAM,EAAE,CAAC;KACnB,CAAC;IACF,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,MAAM,EAAE;QACN,eAAe,EAAE,KAAK,CAAC;QACvB,gBAAgB,EAAE,KAAK,CAAC;QACxB,wBAAwB,EAAE,KAAK,CAAC;QAChC,KAAK,EAAE,MAAM,EAAE,CAAC;KACjB,CAAC;CACH;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,KAAK,GAAG,WAAW,GAAG,cAAc,GAAG,UAAU,GAAG,WAAW,CAAC;IACtE,YAAY,EAAE,MAAM,CAAC;IACrB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACjC;AAED,MAAM,WAAW,yBAAyB;IACxC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,kCAAkC,CAAC;IACzC,OAAO,EAAE,CAAC,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,SAAS,CAAC;IAClB,QAAQ,EAAE,KAAK,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,eAAe,CAAC;IACtB,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5B,KAAK,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC9D,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,MAAM,EAAE;QACN,gBAAgB,EAAE,KAAK,CAAC;QACxB,WAAW,EAAE,KAAK,CAAC;QACnB,KAAK,EAAE,MAAM,EAAE,CAAC;KACjB,CAAC;CACH;AAYD,wBAAgB,sBAAsB,CAAC,OAAO,GAAE,wBAA6B,GAAG,iBAAiB,CA2LhG;AAED,wBAAgB,uBAAuB,CAAC,OAAO,GAAE,yBAA8B,GAAG,kBAAkB,CA2DnG;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,kBAAkB,GAAG,MAAM,CASnE"}
+{"version":3,"file":"cloud-plan.d.ts","sourceRoot":"","sources":["../src/cloud-plan.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,wBAAwB;IACvC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,mBAAmB,CAAC,EAAE,2BAA2B,GAAG,gBAAgB,CAAC;IACrE,wFAAwF;IACxF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,wFAAwF;IACxF,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,iCAAiC,CAAC;IACxC,OAAO,EAAE,CAAC,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,SAAS,CAAC;IAClB,QAAQ,EAAE,KAAK,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,QAAQ,CAAC;IACf,SAAS,EAAE;QACT,aAAa,EAAE,MAAM,CAAC;QACtB,YAAY,EAAE,MAAM,CAAC;QACrB,UAAU,EAAE,MAAM,CAAC;QACnB,QAAQ,EAAE,cAAc,EAAE,CAAC;QAC3B,KAAK,EAAE,MAAM,CAAC;QACd,aAAa,EAAE,MAAM,CAAC;QACtB,cAAc,EAAE,MAAM,CAAC;QACvB,kBAAkB,EAAE,MAAM,CAAC;QAC3B,cAAc,EAAE,MAAM,CAAC;QACvB,YAAY,EAAE,MAAM,CAAC;QACrB,mBAAmB,EAAE,2BAA2B,GAAG,gBAAgB,CAAC;QACpE,gBAAgB,CAAC,EAAE,MAAM,CAAC;QAC1B,kBAAkB,EAAE,MAAM,CAAC;QAC3B,YAAY,EAAE,MAAM,EAAE,CAAC;QACvB,cAAc,EAAE,MAAM,EAAE,CAAC;QACzB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAChC,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,MAAM,EAAE,MAAM,EAAE,CAAC;KAClB,CAAC;IACF,KAAK,EAAE;QACL,UAAU,EAAE,MAAM,CAAC;QACnB,GAAG,EAAE,MAAM,CAAC;QACZ,UAAU,EAAE,MAAM,CAAC;QACnB,YAAY,EAAE,MAAM,CAAC;QACrB,YAAY,EAAE,MAAM,EAAE,CAAC;KACxB,CAAC;IACF,KAAK,EAAE;QACL,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;QACnB,WAAW,EAAE,MAAM,CAAC;QACpB,eAAe,EAAE,MAAM,CAAC;QACxB,WAAW,EAAE,MAAM,CAAC;QACpB,YAAY,EAAE,KAAK,CAAC;KACrB,CAAC;IACF,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,QAAQ,EAAE,MAAM,EAAE,CAAC;QACnB,YAAY,EAAE,MAAM,EAAE,CAAC;KACxB,CAAC;IACF,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,MAAM,EAAE;QACN,eAAe,EAAE,KAAK,CAAC;QACvB,gBAAgB,EAAE,KAAK,CAAC;QACxB,wBAAwB,EAAE,KAAK,CAAC;QAChC,KAAK,EAAE,MAAM,EAAE,CAAC;KACjB,CAAC;CACH;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,KAAK,GAAG,WAAW,GAAG,cAAc,GAAG,UAAU,GAAG,WAAW,CAAC;IACtE,YAAY,EAAE,MAAM,CAAC;IACrB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACjC;AAED,MAAM,WAAW,8BAA8B;IAC7C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,wCAAwC,CAAC;IAC/C,OAAO,EAAE,CAAC,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,SAAS,CAAC;IAClB,QAAQ,EAAE,KAAK,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,eAAe,CAAC;IACtB,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5B,KAAK,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC9D,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,MAAM,EAAE;QACN,gBAAgB,EAAE,KAAK,CAAC;QACxB,WAAW,EAAE,KAAK,CAAC;QACnB,KAAK,EAAE,MAAM,EAAE,CAAC;KACjB,CAAC;CACH;AAYD,wBAAgB,sBAAsB,CAAC,OAAO,GAAE,wBAA6B,GAAG,iBAAiB,CA2LhG;AAED,wBAAgB,4BAA4B,CAAC,OAAO,GAAE,8BAAmC,GAAG,uBAAuB,CA2DlH;AAED,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,uBAAuB,GAAG,MAAM,CAS7E"}

package/dist/cloud-plan.js

@@ -21,7 +21,7 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.8");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.9");
   const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
   const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;
@@ -153,9 +153,9 @@ function buildAwsDeploymentPlan(options = {}) {
         "Disable scheduler/reporter services before data rollback.",
         "Restore EFS backup recovery point only after explicit operator approval and audit record."
       ],
-      spark01: [
+      privateProbe: [
         "Create a private probe identity with a caller-managed public key.",
-        "Install @hasna/uptime on Spark01 and write the generated env file with mode 0600.",
+        "Install @hasna/uptime on the private probe operator machine and write the generated env file with mode 0600.",
         "Run the private probe against the hosted /api/v1 probe endpoint once it exists."
       ]
     },
@@ -164,7 +164,7 @@ function buildAwsDeploymentPlan(options = {}) {
       "The EFS SQLite bridge is single-writer only: web target desired count is 1 and scheduler/public-probe/reporter targets remain 0 until Postgres and cloud leases exist.",
       "Hosted production auth/RBAC must replace broad static hosted-token operation before exposure.",
       "Public probe execution still needs DNS, redirect, and rebinding SSRF enforcement plus cloud check-job leases.",
-      "Spark01 hosted probe enrollment, claim, submit, heartbeat, revocation, and rotation are not cloud-backed yet."
+      "Private probe enrollment, claim, submit, heartbeat, revocation, and rotation are not cloud-backed yet."
     ],
     requiredEvidence: [
       "Infrastructure PR/synth/plan from the approved infra repository.",
@@ -174,7 +174,7 @@ function buildAwsDeploymentPlan(options = {}) {
       "Single-writer ECS evidence: one web task maximum and no scheduler/public-probe/reporter EFS mounts.",
       "EFS encryption, access point, mount-target, AWS Backup, and restore-drill evidence.",
       "S3 bucket KMS, versioning, lifecycle, and public-access-block evidence.",
-      "Spark01 private-probe registration, key-file mode, heartbeat, and revocation evidence."
+      "Private-probe registration, key-file mode, heartbeat, and revocation evidence."
     ],
     safety: {
       liveAwsMutation: false,
@@ -192,16 +192,16 @@ function buildAwsDeploymentPlan(options = {}) {
     }
   };
 }
-function buildSpark01CloudConfig(options = {}) {
+function buildPrivateProbeCloudConfig(options = {}) {
   const apiUrl = clean(options.apiUrl, `https://${DEFAULT_HOSTNAME}/api/v1`);
   const workspaceId = clean(options.workspaceId, DEFAULT_WORKSPACE_ID);
-  const machineId = clean(options.machineId, "spark01");
-  const privateKeyFile = clean(options.probePrivateKeyFile, "~/.hasna/uptime/probes/spark01.key.pem");
+  const machineId = clean(options.machineId, "private-probe-01");
+  const privateKeyFile = clean(options.probePrivateKeyFile, "~/.hasna/uptime/probes/private-probe-01.key.pem");
   const probeId = options.probeId?.trim();
   const blockers = [
     ...probeId ? [] : ["Cloud-registered private probe id is required before writing a sourceable env file."],
     "Hosted probe claim and submit routes still fail closed until cloud check_jobs and workspace stores are implemented.",
-    "Spark01 enrollment, heartbeat, revocation, rotation, and bounded offline lease handling are not implemented yet."
+    "Private probe enrollment, heartbeat, revocation, rotation, and bounded offline lease handling are not implemented yet."
   ];
   const env = {
     HASNA_UPTIME_MODE: "hosted",
@@ -215,7 +215,7 @@ function buildSpark01CloudConfig(options = {}) {
   if (probeId)
     env.HASNA_UPTIME_PRIVATE_PROBE_ID = probeId;
   return {
-    kind: "open-uptime.spark01-cloud-config",
+    kind: "open-uptime.private-probe-cloud-config",
     version: 1,
     generatedAt: new Date().toISOString(),
     status: "blocked",
@@ -227,7 +227,7 @@ function buildSpark01CloudConfig(options = {}) {
       {
         path: privateKeyFile,
         mode: "0600",
-        purpose: "Ed25519 private key generated on Spark01; never paste into cloud config."
+        purpose: "Ed25519 private key generated on the private probe machine; never paste into cloud config."
       },
       {
         path: "~/.hasna/uptime/cloud.env",
@@ -237,7 +237,7 @@ function buildSpark01CloudConfig(options = {}) {
     ],
     commands: [
       "bun install -g @hasna/uptime@latest",
-      "Generate the Spark01 private key locally and register only its public key with the hosted control plane once registration exists.",
+      "Generate the private probe key locally and register only its public key with the hosted control plane once registration exists.",
       "Write ~/.hasna/uptime/cloud.env from this plan, then source it for the private probe service.",
       "Start the private probe worker only after hosted /api/v1 probe claim/submit routes are backed by cloud jobs."
     ],
@@ -246,18 +246,18 @@ function buildSpark01CloudConfig(options = {}) {
       privateKeyInline: false,
       tokenInline: false,
       notes: [
-        "This config is hosted-targeted preflight: Spark01 must not start until cloud probe routes are backed by hosted state.",
+        "This config is hosted-targeted preflight: the private probe must not start until cloud probe routes are backed by hosted state.",
         "The private key file path is referenced, not embedded.",
         "Hosted token or probe auth material must come from the machine secret store, not this generated config."
       ]
     }
   };
 }
-function renderSpark01Env(config) {
+function renderPrivateProbeEnv(config) {
   const required = ["HASNA_UPTIME_PRIVATE_PROBE_ID"];
   const missing = required.filter((key) => !config.env[key]);
   if (missing.length > 0) {
-    throw new Error(`Spark01 env output requires ${missing.join(", ")}`);
+    throw new Error(`private probe env output requires ${missing.join(", ")}`);
   }
   return Object.entries(config.env).map(([key, value]) => `${key}=${shellEscape(value)}`).join(`
 `);
@@ -290,7 +290,7 @@ function shellEscape(value) {
   return `'${value.replace(/'/g, "'\\''")}'`;
 }
 export {
-  renderSpark01Env,
-  buildSpark01CloudConfig,
+  renderPrivateProbeEnv,
+  buildPrivateProbeCloudConfig,
   buildAwsDeploymentPlan
 };

package/dist/index.d.ts

@@ -5,13 +5,13 @@ export { createApiHandler, serveUptime } from "./api.js";
 export { applyImport, previewImport, rollbackImport } from "./imports.js";
 export { buildUptimeReport, sendUptimeReport } from "./report.js";
 export { generateProbeKeyPair, probePublicKeyFingerprint, probeResultSigningPayload, signProbeResult, verifyProbeResultSignature } from "./probes.js";
-export { buildAwsDeploymentPlan, buildSpark01CloudConfig, renderSpark01Env } from "./cloud-plan.js";
+export { buildAwsDeploymentPlan, buildPrivateProbeCloudConfig, renderPrivateProbeEnv } from "./cloud-plan.js";
 export { uptimeHome, uptimeDbPath, uptimeHostedFallbackDbPath, ensureUptimeHome } from "./paths.js";
 export type { UptimeBackup, UptimeBackupCheck, UptimeRuntimeMode, UptimeStoreOptions, MonitorProvenance, SaveImportBatchInput, StoredImportBatch, UpsertMonitorProvenanceInput, } from "./store.js";
 export type { BrowserPageRunner, BrowserPageRunnerResult, FetchLike, } from "./checks.js";
 export type { ImportAction, ImportApplyItem, ImportApplyResult, ImportCandidate, ImportPreview, ImportPreviewItem, ImportRequest, ImportRollbackItem, ImportRollbackResult, ImportSource, } from "./imports.js";
 export type { BrowserFailedRequest, BrowserPageEvidence, AuditEvent, CheckAttemptResult, CheckEvidence, CheckResult, CheckStatus, CreateMonitorKind, CreateMonitorInput, CreateReportScheduleInput, ImportedMonitorInput, ImportedUpdateMonitorInput, EvidenceArtifact, Incident, IncidentStatus, ListAuditEventsOptions, ListReportRunsOptions, ListResultsOptions, Monitor, MonitorKind, MonitorStatus, MonitorSummary, ProbeCheckJob, ProbeCheckJobStatus, ProbeIdentity, ProbeResultSubmission, ProbeSubmissionReceipt, RecordAuditEventInput, ReportDeliveryChannel, ReportDeliveryRecord, ReportEmailChannelConfig, ReportLogsChannelConfig, ReportRun, ReportRunStatus, ReportSchedule, ReportScheduleChannels, ReportScheduleStatus, ReportSmsChannelConfig, SchedulerHandle, UpdateMonitorInput, UpdateReportScheduleInput, UptimeSummary, } from "./types.js";
 export type { ProbeKeyPair, ProbeSigningInput } from "./probes.js";
-export type { AwsDeploymentPlan, AwsDeploymentPlanOptions, AwsServicePlan, Spark01CloudConfig, Spark01CloudConfigOptions, } from "./cloud-plan.js";
+export type { AwsDeploymentPlan, AwsDeploymentPlanOptions, AwsServicePlan, PrivateProbeCloudConfig, PrivateProbeCloudConfigOptions, } from "./cloud-plan.js";
 export type { BuildUptimeReportOptions, SendUptimeReportOptions, UptimeEmailReportTarget, UptimeLogsReportTarget, UptimeReport, UptimeReportDelivery, UptimeSmsReportTarget, } from "./report.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AACjE,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC9F,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC1E,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,oBAAoB,EAAE,yBAAyB,EAAE,yBAAyB,EAAE,eAAe,EAAE,0BAA0B,EAAE,MAAM,aAAa,CAAC;AACtJ,OAAO,EAAE,sBAAsB,EAAE,uBAAuB,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACpG,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,0BAA0B,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AACpG,YAAY,EACV,YAAY,EACZ,iBAAiB,EACjB,iBAAiB,EACjB,kBAAkB,EAClB,iBAAiB,EACjB,oBAAoB,EACpB,iBAAiB,EACjB,4BAA4B,GAC7B,MAAM,YAAY,CAAC;AACpB,YAAY,EACV,iBAAiB,EACjB,uBAAuB,EACvB,SAAS,GACV,MAAM,aAAa,CAAC;AACrB,YAAY,EACV,YAAY,EACZ,eAAe,EACf,iBAAiB,EACjB,eAAe,EACf,aAAa,EACb,iBAAiB,EACjB,aAAa,EACb,kBAAkB,EAClB,oBAAoB,EACpB,YAAY,GACb,MAAM,cAAc,CAAC;AACtB,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,UAAU,EACV,kBAAkB,EAClB,aAAa,EACb,WAAW,EACX,WAAW,EACX,iBAAiB,EACjB,kBAAkB,EAClB,yBAAyB,EACzB,oBAAoB,EACpB,0BAA0B,EAC1B,gBAAgB,EAChB,QAAQ,EACR,cAAc,EACd,sBAAsB,EACtB,qBAAqB,EACrB,kBAAkB,EAClB,OAAO,EACP,WAAW,EACX,aAAa,EACb,cAAc,EACd,aAAa,EACb,mBAAmB,EACnB,aAAa,EACb,qBAAqB,EACrB,sBAAsB,EACtB,qBAAqB,EACrB,qBAAqB,EACrB,oBAAoB,EACpB,wBAAwB,EACxB,uBAAuB,EACvB,SAAS,EACT,eAAe,EACf,cAAc,EACd,sBAAsB,EACtB,oBAAoB,EACpB,sBAAsB,EACtB,eAAe,EACf,kBAAkB,EAClB,yBAAyB,EACzB,aAAa,GACd,MAAM,YAAY,CAAC;AACpB,YAAY,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AACnE,YAAY,EACV,iBAAiB,EACjB,wBAAwB,EACxB,cAAc,EACd,kBAAkB,EAClB,yBAAyB,GAC1B,MAAM,iBAAiB,CAAC;AACzB,YAAY,EACV,wBAAwB,EACxB,uBAAuB,EACvB,uBAAuB,EACvB,sBAAsB,EACtB,YAAY,EACZ,oBAAoB,EACpB,qBAAqB,GACtB,MAAM,aAAa,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AACjE,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC9F,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC1E,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,oBAAoB,EAAE,yBAAyB,EAAE,yBAAyB,EAAE,eAAe,EAAE,0BAA0B,EAAE,MAAM,aAAa,CAAC;AACtJ,OAAO,EAAE,sBAAsB,EAAE,4BAA4B,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAC9G,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,0BAA0B,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AACpG,YAAY,EACV,YAAY,EACZ,iBAAiB,EACjB,iBAAiB,EACjB,kBAAkB,EAClB,iBAAiB,EACjB,oBAAoB,EACpB,iBAAiB,EACjB,4BAA4B,GAC7B,MAAM,YAAY,CAAC;AACpB,YAAY,EACV,iBAAiB,EACjB,uBAAuB,EACvB,SAAS,GACV,MAAM,aAAa,CAAC;AACrB,YAAY,EACV,YAAY,EACZ,eAAe,EACf,iBAAiB,EACjB,eAAe,EACf,aAAa,EACb,iBAAiB,EACjB,aAAa,EACb,kBAAkB,EAClB,oBAAoB,EACpB,YAAY,GACb,MAAM,cAAc,CAAC;AACtB,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,UAAU,EACV,kBAAkB,EAClB,aAAa,EACb,WAAW,EACX,WAAW,EACX,iBAAiB,EACjB,kBAAkB,EAClB,yBAAyB,EACzB,oBAAoB,EACpB,0BAA0B,EAC1B,gBAAgB,EAChB,QAAQ,EACR,cAAc,EACd,sBAAsB,EACtB,qBAAqB,EACrB,kBAAkB,EAClB,OAAO,EACP,WAAW,EACX,aAAa,EACb,cAAc,EACd,aAAa,EACb,mBAAmB,EACnB,aAAa,EACb,qBAAqB,EACrB,sBAAsB,EACtB,qBAAqB,EACrB,qBAAqB,EACrB,oBAAoB,EACpB,wBAAwB,EACxB,uBAAuB,EACvB,SAAS,EACT,eAAe,EACf,cAAc,EACd,sBAAsB,EACtB,oBAAoB,EACpB,sBAAsB,EACtB,eAAe,EACf,kBAAkB,EAClB,yBAAyB,EACzB,aAAa,GACd,MAAM,YAAY,CAAC;AACpB,YAAY,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AACnE,YAAY,EACV,iBAAiB,EACjB,wBAAwB,EACxB,cAAc,EACd,uBAAuB,EACvB,8BAA8B,GAC/B,MAAM,iBAAiB,CAAC;AACzB,YAAY,EACV,wBAAwB,EACxB,uBAAuB,EACvB,uBAAuB,EACvB,sBAAsB,EACtB,YAAY,EACZ,oBAAoB,EACpB,qBAAqB,GACtB,MAAM,aAAa,CAAC"}

package/dist/index.js

@@ -3881,7 +3881,7 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.8");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.9");
   const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
   const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;
@@ -4013,9 +4013,9 @@ function buildAwsDeploymentPlan(options = {}) {
         "Disable scheduler/reporter services before data rollback.",
         "Restore EFS backup recovery point only after explicit operator approval and audit record."
       ],
-      spark01: [
+      privateProbe: [
         "Create a private probe identity with a caller-managed public key.",
-        "Install @hasna/uptime on Spark01 and write the generated env file with mode 0600.",
+        "Install @hasna/uptime on the private probe operator machine and write the generated env file with mode 0600.",
         "Run the private probe against the hosted /api/v1 probe endpoint once it exists."
       ]
     },
@@ -4024,7 +4024,7 @@ function buildAwsDeploymentPlan(options = {}) {
       "The EFS SQLite bridge is single-writer only: web target desired count is 1 and scheduler/public-probe/reporter targets remain 0 until Postgres and cloud leases exist.",
       "Hosted production auth/RBAC must replace broad static hosted-token operation before exposure.",
       "Public probe execution still needs DNS, redirect, and rebinding SSRF enforcement plus cloud check-job leases.",
-      "Spark01 hosted probe enrollment, claim, submit, heartbeat, revocation, and rotation are not cloud-backed yet."
+      "Private probe enrollment, claim, submit, heartbeat, revocation, and rotation are not cloud-backed yet."
     ],
     requiredEvidence: [
       "Infrastructure PR/synth/plan from the approved infra repository.",
@@ -4034,7 +4034,7 @@ function buildAwsDeploymentPlan(options = {}) {
       "Single-writer ECS evidence: one web task maximum and no scheduler/public-probe/reporter EFS mounts.",
       "EFS encryption, access point, mount-target, AWS Backup, and restore-drill evidence.",
       "S3 bucket KMS, versioning, lifecycle, and public-access-block evidence.",
-      "Spark01 private-probe registration, key-file mode, heartbeat, and revocation evidence."
+      "Private-probe registration, key-file mode, heartbeat, and revocation evidence."
     ],
     safety: {
       liveAwsMutation: false,
@@ -4052,16 +4052,16 @@ function buildAwsDeploymentPlan(options = {}) {
     }
   };
 }
-function buildSpark01CloudConfig(options = {}) {
+function buildPrivateProbeCloudConfig(options = {}) {
   const apiUrl = clean(options.apiUrl, `https://${DEFAULT_HOSTNAME}/api/v1`);
   const workspaceId = clean(options.workspaceId, DEFAULT_WORKSPACE_ID);
-  const machineId = clean(options.machineId, "spark01");
-  const privateKeyFile = clean(options.probePrivateKeyFile, "~/.hasna/uptime/probes/spark01.key.pem");
+  const machineId = clean(options.machineId, "private-probe-01");
+  const privateKeyFile = clean(options.probePrivateKeyFile, "~/.hasna/uptime/probes/private-probe-01.key.pem");
   const probeId = options.probeId?.trim();
   const blockers = [
     ...probeId ? [] : ["Cloud-registered private probe id is required before writing a sourceable env file."],
     "Hosted probe claim and submit routes still fail closed until cloud check_jobs and workspace stores are implemented.",
-    "Spark01 enrollment, heartbeat, revocation, rotation, and bounded offline lease handling are not implemented yet."
+    "Private probe enrollment, heartbeat, revocation, rotation, and bounded offline lease handling are not implemented yet."
   ];
   const env2 = {
     HASNA_UPTIME_MODE: "hosted",
@@ -4075,7 +4075,7 @@ function buildSpark01CloudConfig(options = {}) {
   if (probeId)
     env2.HASNA_UPTIME_PRIVATE_PROBE_ID = probeId;
   return {
-    kind: "open-uptime.spark01-cloud-config",
+    kind: "open-uptime.private-probe-cloud-config",
     version: 1,
     generatedAt: new Date().toISOString(),
     status: "blocked",
@@ -4087,7 +4087,7 @@ function buildSpark01CloudConfig(options = {}) {
       {
         path: privateKeyFile,
         mode: "0600",
-        purpose: "Ed25519 private key generated on Spark01; never paste into cloud config."
+        purpose: "Ed25519 private key generated on the private probe machine; never paste into cloud config."
       },
       {
         path: "~/.hasna/uptime/cloud.env",
@@ -4097,7 +4097,7 @@ function buildSpark01CloudConfig(options = {}) {
     ],
     commands: [
       "bun install -g @hasna/uptime@latest",
-      "Generate the Spark01 private key locally and register only its public key with the hosted control plane once registration exists.",
+      "Generate the private probe key locally and register only its public key with the hosted control plane once registration exists.",
       "Write ~/.hasna/uptime/cloud.env from this plan, then source it for the private probe service.",
       "Start the private probe worker only after hosted /api/v1 probe claim/submit routes are backed by cloud jobs."
     ],
@@ -4106,18 +4106,18 @@ function buildSpark01CloudConfig(options = {}) {
       privateKeyInline: false,
       tokenInline: false,
       notes: [
-        "This config is hosted-targeted preflight: Spark01 must not start until cloud probe routes are backed by hosted state.",
+        "This config is hosted-targeted preflight: the private probe must not start until cloud probe routes are backed by hosted state.",
         "The private key file path is referenced, not embedded.",
         "Hosted token or probe auth material must come from the machine secret store, not this generated config."
       ]
     }
   };
 }
-function renderSpark01Env(config) {
+function renderPrivateProbeEnv(config) {
   const required = ["HASNA_UPTIME_PRIVATE_PROBE_ID"];
   const missing = required.filter((key) => !config.env[key]);
   if (missing.length > 0) {
-    throw new Error(`Spark01 env output requires ${missing.join(", ")}`);
+    throw new Error(`private probe env output requires ${missing.join(", ")}`);
   }
   return Object.entries(config.env).map(([key, value]) => `${key}=${shellEscape(value)}`).join(`
 `);
@@ -4162,7 +4162,7 @@ export {
   runHttpCheck,
   runBrowserPageCheck,
   rollbackImport,
-  renderSpark01Env,
+  renderPrivateProbeEnv,
   probeResultSigningPayload,
   probePublicKeyFingerprint,
   previewImport,
@@ -4171,7 +4171,7 @@ export {
   createUptimeClient,
   createApiHandler,
   buildUptimeReport,
-  buildSpark01CloudConfig,
+  buildPrivateProbeCloudConfig,
   buildAwsDeploymentPlan,
   applyImport,
   UptimeStore,

package/docs/aws-deployment-runbook.md

@@ -8,7 +8,7 @@ call AWS or mutate infrastructure.
 
 ```bash
 uptime cloud plan --json > open-uptime-aws-plan.json
-uptime cloud spark01-config --probe-id prb_spark01 --env > spark01-uptime.env
+uptime cloud private-probe-config --probe-id prb_private_01 --machine-id private-probe-01 --env > private-probe-01-uptime.env
 ```
 
 Public package defaults are placeholders:
@@ -25,7 +25,7 @@ Override these with CLI flags or private deployment evidence for the real
 account, hostname, workspace id, VPC id, secret refs, and repository names.
 
 The generated AWS plan currently returns `status: "blocked"` and
-`canApply: false`. The generated Spark01 config returns `status: "blocked"` and
+`canApply: false`. The generated private-probe config returns `status: "blocked"` and
 `canStart: false`. Treat both as review/preflight artifacts until the blockers
 and required evidence in the JSON output are resolved.
 
@@ -33,7 +33,7 @@ The app repo includes a hosted runtime `Dockerfile` and Terraform/OpenTofu
 starter files in `infra/aws`. The plan output points to these files and keeps
 `applyAllowed: false`.
 
-`uptime cloud spark01-config --env` requires a real `--probe-id`; it will not
+`uptime cloud private-probe-config --env` requires a real `--probe-id`; it will not
 write a sourceable env file with a placeholder probe identity.
 
 ## Preflight
@@ -89,12 +89,12 @@ terraform -chdir=infra/aws plan -out open-uptime.tfplan
 
 Use Terraform/OpenTofu 1.9 or newer for this starter.
 
-## Spark01
+## Private Probe Operator
 
-Spark01 should be a private probe/operator machine, not the hosted source of
-truth. The generated env file points Spark01 at hosted `/api/v1` state and
-references a local private-key file path. It does not include private key or
-token contents.
+The operator machine should be a private probe/operator machine, not the hosted
+source of truth. The generated env file points the machine at hosted `/api/v1`
+state and references a local private-key file path. It does not include private
+key or token contents.
 
 The private probe service should not be enabled until hosted probe claim/submit
 routes are backed by cloud check jobs and cloud audit rows.
@@ -117,8 +117,14 @@ routes are backed by cloud check jobs and cloud audit rows.
 - Do not expose dashboard/API routes without hosted auth and workspace checks.
 - Do not expose the ALB directly in CloudFront mode; ALB ingress must be limited
   to CloudFront origin-facing ranges.
-- Do not treat local SQLite, local project DBs, or Spark01 local state as cloud
+- Do not treat CloudFront prefix-list ingress as distribution-bound origin
+  protection. Before enabling the web task, add CloudFront VPC origin/private
+  ALB routing or require a CloudFront-only origin header whose secret value is
+  not stored in Terraform state.
+- Do not treat local SQLite, local project DBs, or private-probe local state as cloud
   authority after cutover.
+- Do configure owner/project/environment/service/cost-center tags and AWS
+  Budgets alert recipients in the approved infra root before live scale-out.
 
 ## Rollback
 

package/infra/aws/README.md

@@ -41,12 +41,23 @@ The web task receives `HASNA_UPTIME_ALLOWED_ORIGINS` for the selected public
 HTTPS origin so hosted mutation CSRF checks still work through the private HTTP
 origin hop.
 
+CloudFront prefix-list ingress is only a network narrowing control; it is not
+bound to one distribution. Add CloudFront VPC origin/private ALB routing or an
+ALB origin-header rule with the secret value managed outside Terraform state
+before enabling the web task.
+
+All module resources carry owner, project, environment, service, account, app
+type, and cost-center tags. Set `monthly_budget_limit_usd` plus
+`budget_alert_email_addresses` in the approved infra root to create AWS Budgets
+forecasted and actual spend alerts. Leaving the email list empty skips budget
+creation and is not sufficient for live scale-out approval.
+
 ## Current Blockers
 
 - Hosted production auth/RBAC still needs scoped, revocable credentials.
 - Public probe runtime still needs execution-time DNS/redirect/rebinding SSRF
   enforcement.
-- Spark01 hosted private-probe enrollment/heartbeat/revocation is still
+- Hosted private-probe enrollment/heartbeat/revocation is still
   fail-closed.
 
 Keep `desired_count` at `0`, or at `1` for the protected web bridge only after

package/infra/aws/main.tf

@@ -53,10 +53,15 @@ locals {
     }
   }
   tags = {
-    ManagedBy = "terraform"
-    Service   = var.service_name
-    Stage     = var.stage
-    Account   = var.account_name
+    ManagedBy   = "terraform"
+    Service     = var.service_name
+    Project     = var.project_name
+    Stage       = var.stage
+    Environment = var.environment
+    Account     = var.account_name
+    Owner       = var.owner
+    AppType     = var.app_type
+    CostCenter  = var.cost_center
   }
 }
 
@@ -436,7 +441,7 @@ resource "aws_efs_access_point" "uptime" {
 }
 
 resource "aws_efs_mount_target" "data" {
-  for_each        = toset(var.private_subnet_ids)
+  for_each        = { for index, subnet_id in var.private_subnet_ids : tostring(index) => subnet_id }
   file_system_id  = aws_efs_file_system.data.id
   subnet_id       = each.value
   security_groups = [aws_security_group.efs.id]
@@ -529,6 +534,7 @@ resource "aws_lb_listener" "https" {
   port              = 443
   protocol          = "HTTPS"
   certificate_arn   = var.certificate_arn
+  tags              = local.tags
 
   default_action {
     type             = "forward"
@@ -541,6 +547,7 @@ resource "aws_lb_listener" "http_cloudfront" {
   load_balancer_arn = aws_lb.open_uptime.arn
   port              = 80
   protocol          = "HTTP"
+  tags              = local.tags
 
   default_action {
     type             = "forward"
@@ -882,3 +889,35 @@ resource "aws_cloudwatch_metric_alarm" "web_unhealthy" {
     TargetGroup  = aws_lb_target_group.web.arn_suffix
   }
 }
+
+resource "aws_budgets_budget" "monthly" {
+  count        = var.monthly_budget_limit_usd > 0 && length(var.budget_alert_email_addresses) > 0 ? 1 : 0
+  name         = "${local.prefix}-monthly-budget"
+  budget_type  = "COST"
+  limit_amount = format("%.2f", var.monthly_budget_limit_usd)
+  limit_unit   = "USD"
+  time_unit    = "MONTHLY"
+
+  cost_filter {
+    name   = "TagKeyValue"
+    values = [format("user:Service$%s", var.service_name)]
+  }
+
+  notification {
+    comparison_operator        = "GREATER_THAN"
+    notification_type          = "FORECASTED"
+    threshold                  = 80
+    threshold_type             = "PERCENTAGE"
+    subscriber_email_addresses = var.budget_alert_email_addresses
+  }
+
+  notification {
+    comparison_operator        = "GREATER_THAN"
+    notification_type          = "ACTUAL"
+    threshold                  = 100
+    threshold_type             = "PERCENTAGE"
+    subscriber_email_addresses = var.budget_alert_email_addresses
+  }
+
+  tags = local.tags
+}

package/infra/aws/terraform.tfvars.example

@@ -1,6 +1,11 @@
 region                   = "us-east-1"
 stage                    = "prod"
 service_name             = "open-uptime"
+project_name             = "open-uptime"
+owner                    = "hasna"
+app_type                 = "opensource"
+environment              = "prod"
+cost_center              = "opensource"
 hostname                 = "uptime.example.com"
 workspace_id             = "workspace-id"
 vpc_id                   = "vpc-xxxxxxxx"
@@ -10,7 +15,7 @@ public_subnet_ids        = ["subnet-replace-public-a", "subnet-replace-public-b"
 alb_ingress_cidr_blocks = []
 private_subnet_ids       = ["subnet-replace-private-a", "subnet-replace-private-b"]
 container_image          = "123456789012.dkr.ecr.us-east-1.amazonaws.com/open-uptime@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-runtime_package_version  = "0.1.8"
+runtime_package_version  = "0.1.9"
 certificate_arn          = null
 hosted_zone_id           = null
 app_env_secret_arn       = "arn:aws:secretsmanager:us-east-1:123456789012:secret:open-uptime/prod/app/env"
@@ -19,6 +24,7 @@ public_probe_secret_arn  = "arn:aws:secretsmanager:us-east-1:123456789012:secret
 reporting_secret_arn     = "arn:aws:secretsmanager:us-east-1:123456789012:secret:open-uptime/prod/reporting"
 kms_key_arn              = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"
 alarm_actions            = []
+monthly_budget_limit_usd = 0
 
 desired_counts = {
   web            = 0
@@ -27,3 +33,5 @@ desired_counts = {
   reporter       = 0
   migration      = 0
 }
+
+budget_alert_email_addresses = []

package/infra/aws/variables.tf

@@ -22,6 +22,36 @@ variable "service_name" {
   default     = "open-uptime"
 }
 
+variable "project_name" {
+  description = "Project tag value for cost allocation."
+  type        = string
+  default     = "open-uptime"
+}
+
+variable "owner" {
+  description = "Owner tag value for cost allocation and operations."
+  type        = string
+  default     = "hasna"
+}
+
+variable "app_type" {
+  description = "AppType tag value."
+  type        = string
+  default     = "opensource"
+}
+
+variable "environment" {
+  description = "Environment tag value."
+  type        = string
+  default     = "prod"
+}
+
+variable "cost_center" {
+  description = "CostCenter tag value."
+  type        = string
+  default     = "opensource"
+}
+
 variable "hostname" {
   description = "Public/internal hostname for Open Uptime."
   type        = string
@@ -86,7 +116,7 @@ variable "container_image" {
 variable "runtime_package_version" {
   description = "Published @hasna/uptime package version that CodeBuild should build into the ECR image."
   type        = string
-  default     = "0.1.8"
+  default     = "0.1.9"
 
   validation {
     condition     = can(regex("^[0-9]+\\.[0-9]+\\.[0-9]+(-[0-9A-Za-z.-]+)?$", var.runtime_package_version))
@@ -190,3 +220,20 @@ variable "alarm_actions" {
   type        = list(string)
   default     = []
 }
+
+variable "monthly_budget_limit_usd" {
+  description = "Optional monthly AWS Budgets limit in USD. Set with budget_alert_email_addresses to create a budget alert."
+  type        = number
+  default     = 0
+
+  validation {
+    condition     = var.monthly_budget_limit_usd >= 0
+    error_message = "monthly_budget_limit_usd must be non-negative."
+  }
+}
+
+variable "budget_alert_email_addresses" {
+  description = "Email recipients for AWS Budgets forecasted and actual alerts. Leave empty to skip budget creation."
+  type        = list(string)
+  default     = []
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hasna/uptime",
-  "version": "0.1.8",
+  "version": "0.1.9",
   "description": "Local-first uptime and downtime monitoring service with CLI, MCP, SDK, SQLite persistence, and a dashboard.",
   "license": "Apache-2.0",
   "type": "module",