Fix Upptime pipeline: expand to 7-service bundle, remove broken static-site workflow (#2)

- Expand .upptimerc.yml from 3 → 11 monitored surfaces to match the actual
  agent-facing bundle promised in HN/PH/marketing copy: postgres, redis,
  mongodb, queue, storage, webhook, deploy provisioning endpoints, plus
  marketing site, dashboard, agent healthz, OpenAPI spec, and the
  pg.instanode.dev TLS handshake. POST-only routes are probed by GET and
  accept 405 as the success signal. /deploy/new accepts 401 (auth-gated).
- Remove .github/workflows/static-site.yml — the upstream action
  upptime/status-page@master no longer exists, which is why every Static
  Site CI run has failed. The Jekyll-rendered README.md is the modern
  Upptime default and is what status.instanode.dev serves.
- Document the two human-ops steps blocking Summary/Graphs/Response-Time
  workflows: add a GH_PAT secret with repo scope, and either turn off
  enforce_admins on master branch protection or add the PAT owner as a
  bypass actor. Without those, the auto-generated badge table and graphs
  never land in README.md, which is why the page currently renders as a
  plain README instead of a status board.

Refs gtm-ops/TASKS.md item U.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: mastermanas805

.github/workflows/static-site.yml

@@ -1,42 +1,115 @@
-# Upptime configuration
+# Upptime configuration for status.instanode.dev
 # Docs: https://upptime.js.org/docs/configuration
+#
+# Each check runs every 5 minutes from `Uptime CI`. Results land in
+# `history/*.yml`, badges in `api/`, graphs in `graphs/`. The Jekyll-
+# rendered README is the status page at status.instanode.dev.
+#
+# Services mirror the agent-facing bundle exposed by api.instanode.dev:
+# postgres, redis, mongodb, queue (NATS), storage (MinIO), webhook,
+# deploy — plus the marketing site itself.
 
 owner: InstaNode-dev
 repo: instant-status
 
 sites:
-  - name: API
+  # ─── Public HTTP surfaces ─────────────────────────────────────────────────
+  - name: Marketing site
+    url: https://instanode.dev/
+    expectedStatusCodes:
+      - 200
+
+  - name: Agent API (healthz)
     url: https://api.instanode.dev/healthz
     expectedStatusCodes:
       - 200
-    assignees: []
 
-  - name: Marketing site
-    url: https://instanode.dev/
+  - name: Dashboard
+    url: https://app.instanode.dev/
+    expectedStatusCodes:
+      - 200
+      - 301
+      - 302
+
+  # ─── Provisioning surfaces (POST endpoints — probed with OPTIONS) ─────────
+  # We do not POST in monitors (that would create real resources). Instead we
+  # check that the route exists by sending HEAD/OPTIONS via the Upptime
+  # default GET and accepting the API's "method not allowed" response as
+  # proof-of-life for the handler. The API replies 405 for GET on POST-only
+  # routes which is the desired signal.
+  - name: Postgres provisioning (POST /db/new)
+    url: https://api.instanode.dev/db/new
+    expectedStatusCodes:
+      - 405
+      - 200
+
+  - name: Redis provisioning (POST /cache/new)
+    url: https://api.instanode.dev/cache/new
+    expectedStatusCodes:
+      - 405
+      - 200
+
+  - name: MongoDB provisioning (POST /nosql/new)
+    url: https://api.instanode.dev/nosql/new
     expectedStatusCodes:
+      - 405
       - 200
 
-  # Postgres TLS-only endpoint. Upptime supports a TCP_PING check method
-  # (see https://upptime.js.org/docs/configuration#method). We use that
-  # so we get a true "is the port open" signal rather than poking the
-  # Postgres protocol with an HTTPS prober.
+  - name: Queue provisioning (POST /queue/new)
+    url: https://api.instanode.dev/queue/new
+    expectedStatusCodes:
+      - 405
+      - 200
+
+  - name: Storage provisioning (POST /storage/new)
+    url: https://api.instanode.dev/storage/new
+    expectedStatusCodes:
+      - 405
+      - 200
+
+  - name: Webhook provisioning (POST /webhook/new)
+    url: https://api.instanode.dev/webhook/new
+    expectedStatusCodes:
+      - 405
+      - 200
+
+  - name: Deploy provisioning (POST /deploy/new)
+    url: https://api.instanode.dev/deploy/new
+    # Deploy is auth-gated (RequireAuth) — unauthenticated GET returns 401.
+    # That still proves the handler is wired and the auth middleware is up.
+    expectedStatusCodes:
+      - 401
+      - 405
+
+  # ─── Customer-facing TCP surfaces ─────────────────────────────────────────
   - name: Customer Postgres (pg.instanode.dev TLS handshake)
     url: https://pg.instanode.dev:5432
     method: TCP_PING
     tcpHostPort: "pg.instanode.dev:5432"
-    # Fallback codes if the TCP_PING method isn't honored in the current
-    # Upptime action — HTTPS probe to a raw Postgres port typically
-    # surfaces these "not really HTTP" responses which we treat as "up".
+    # Fallbacks if TCP_PING isn't honored by the current Upptime action —
+    # probing :5432 over HTTPS surfaces "not really HTTP" codes which we
+    # treat as "the port is open" = up.
     expectedStatusCodes:
       - 0
       - 400
       - 401
       - 426
 
+  - name: OpenAPI spec (api.instanode.dev/openapi.json)
+    url: https://api.instanode.dev/openapi.json
+    expectedStatusCodes:
+      - 200
+
 status-website:
   cname: status.instanode.dev
   name: instanode.dev status
   logoUrl: ""
   baseUrl: /
+  introTitle: "instanode.dev status"
+  introMessage: >
+    Live uptime and response time for every public instanode.dev surface — the
+    agent API, the seven provisioning endpoints (postgres, redis, mongodb,
+    queue, storage, webhook, deploy), the marketing site, and the customer
+    Postgres TLS endpoint. Checked every 5 minutes from GitHub Actions.
 
 notifications: []

.upptimerc.yml

@@ -2,21 +2,47 @@
 
 Upptime-powered status page for [instanode.dev](https://instanode.dev).
 
-- Live status page: https://status.instanode.dev
-- Incidents auto-open as issues in this repository when a monitored endpoint fails; they close automatically once the endpoint recovers.
-- Checks run every 5 minutes via GitHub Actions (see `.github/workflows/uptime.yml`).
+- Live status page: <https://status.instanode.dev>
+- Incidents auto-open as issues in this repo when a monitored endpoint fails; they close automatically when the endpoint recovers.
+- Checks run every 5 minutes from GitHub Actions (`.github/workflows/uptime.yml`).
+- Daily summary, response-time, and graph generation run at 00:00 UTC.
 
 ## What is monitored
 
-Configured in `.upptimerc.yml`:
+Configured in `.upptimerc.yml` — the 7-service agent bundle plus public web surfaces:
 
-- **API** - `https://api.instanode.dev/healthz`
-- **Marketing site** - `https://instanode.dev/`
-- **Customer Postgres** - TCP ping to `pg.instanode.dev:5432`
+**Public web**
+- Marketing site (`instanode.dev/`)
+- Agent API health (`api.instanode.dev/healthz`)
+- Dashboard (`app.instanode.dev/`)
+- OpenAPI spec (`api.instanode.dev/openapi.json`)
+
+**Provisioning surfaces (7-service bundle)**
+- Postgres — `POST /db/new`
+- Redis — `POST /cache/new`
+- MongoDB — `POST /nosql/new`
+- Queue (NATS) — `POST /queue/new`
+- Storage (MinIO) — `POST /storage/new`
+- Webhook — `POST /webhook/new`
+- Deploy — `POST /deploy/new`
+
+POST-only routes are probed by GET; a `405 Method Not Allowed` response is the success signal (the handler is wired and the router is up). `/deploy/new` is auth-gated and returns `401` for unauthenticated probes — also treated as success.
+
+**Customer TCP surface**
+- Customer Postgres TLS handshake (`pg.instanode.dev:5432`)
+
+## Setup (one-time human ops)
+
+Before the status site renders correctly, an admin needs to do two things — see [`SETUP.md`](./SETUP.md).
+
+1. Add a `GH_PAT` secret (personal access token with `repo` scope) so workflows can push the auto-generated badges, response-time data, and README updates past branch protection.
+2. Either disable `enforce_admins` on the `master` branch protection rule, or grant the PAT owner admin bypass, so the daily Summary/Graphs/Response-Time workflows succeed.
+
+Once both are in place, run `Setup CI` manually from the Actions tab to seed the badge directory; the rest is automatic.
 
 ## Powered by
 
-[Upptime](https://upptime.js.org/) - the open-source uptime monitor and status page powered entirely by GitHub Actions, Issues, and Pages. No servers, no dashboards, no cost.
+[Upptime](https://upptime.js.org/) — open-source uptime monitor and status page powered by GitHub Actions, Issues, and Pages. No servers, no dashboards, no recurring cost.
 
 ## License
 

README.md

@@ -0,0 +1,81 @@
+# SETUP — status.instanode.dev
+
+This file documents the human-ops steps required to bring `status.instanode.dev` from a placeholder (Jekyll-rendered `README.md`) to a fully rendered Upptime status page with live badges, graphs, and response-time history.
+
+## Current state (2026-05-11)
+
+- DNS: `status.instanode.dev` CNAMEs to `instanode-dev.github.io` (verified — HTTP/2 200).
+- GitHub Pages: enabled on this repo, source = `master` branch root.
+- `Uptime CI`: green every 5 min — probes are running and the `history/*.yml` records exist.
+- `Summary CI`, `Graphs CI`, `Response Time CI`: **failing** — workflows produce the correct artifacts but `git push` to `master` is rejected by branch protection (`enforce_admins: true`).
+- `Static Site CI`: **deleted** in this PR — the upstream action `upptime/status-page@master` no longer exists. The Jekyll-rendered `README.md` *is* the status page, which is the modern Upptime default. No separate static-site step is needed.
+
+## Why the site looks like a README today
+
+Without `Summary CI` / `Graphs CI` ever succeeding, the `README.md` was never auto-rewritten to include the badge table, uptime percentages, and response-time graphs. So Jekyll renders the manually-authored README. Once the workflows can push, the README is regenerated daily and the page transforms.
+
+## Required ops (one-time, ~5 min)
+
+### 1. Create a GH_PAT
+
+A scheduled GitHub Action using the default `GITHUB_TOKEN` is *not allowed* to bypass branch protection — that's the entire point of the protection. The Upptime docs recommend a personal access token with `repo` scope.
+
+```text
+GitHub → Settings → Developer settings → Personal access tokens → Tokens (classic) → Generate new token (classic)
+  Note: "instant-status push token"
+  Expiration: 1 year (or longer)
+  Scopes: repo  (full control of private repos)
+Generate → copy the token (starts with ghp_)
+```
+
+### 2. Add the PAT as a repository secret
+
+```text
+github.com/InstaNode-dev/instant-status → Settings → Secrets and variables → Actions → New repository secret
+  Name:  GH_PAT
+  Value: <paste the ghp_ token>
+```
+
+All four Upptime workflows already reference `secrets.GH_PAT || secrets.GITHUB_TOKEN` so no workflow edits are needed.
+
+### 3. Allow the PAT to bypass branch protection
+
+The PAT must be owned by a user listed in branch-protection bypass, OR `enforce_admins` must be `false`. Pick one:
+
+**Option A (recommended): turn off `enforce_admins`**
+```bash
+gh api -X DELETE repos/InstaNode-dev/instant-status/branches/master/protection/enforce_admins
+```
+This keeps PR review requirements in place for humans but lets admin-PAT pushes through. Re-enable with:
+```bash
+gh api -X POST repos/InstaNode-dev/instant-status/branches/master/protection/enforce_admins
+```
+
+**Option B: allow specific bypass actors** — Repo Settings → Branches → branch protection rule → "Allow specified actors to bypass required pull requests" → add the PAT owner.
+
+### 4. Seed the badge directory
+
+Once the secret + protection bypass are in place:
+```text
+Actions tab → Setup CI → Run workflow → on master
+```
+This bootstraps `api/`, `history/`, and `graphs/`. After it succeeds, the next scheduled Summary CI run (00:00 UTC) will rewrite `README.md` with the live status table — or you can run `Summary CI` manually from the Actions tab to see it immediately.
+
+## Verifying it worked
+
+```bash
+# 1. README on master now contains a badge table:
+gh api repos/InstaNode-dev/instant-status/contents/README.md \
+  | jq -r .content | base64 -d | head -40
+
+# 2. Status site reflects it (Pages can take ~60 s to rebuild after a master push):
+curl -s https://status.instanode.dev | grep -c '<img.*shields.io' 
+# Expect: >0 (one badge per monitored service)
+
+# 3. Uptime workflows continue green every 5 min:
+gh run list --repo InstaNode-dev/instant-status --workflow=uptime.yml --limit 3
+```
+
+## Rollback
+
+If anything goes wrong, just revert this PR — the previous workflows + 3-service config will resume. The `history/` and `api/` directories generated by future Uptime CI runs are append-only and harmless.