@percher/core 0.4.2 → 0.4.4

package/dist/commands/publish.js

@@ -1,18 +1,20 @@
 import { existsSync } from "node:fs";
 import { join } from "node:path";
-import { isDeployAlreadyInProgress, PercherApiError, PercherClient, } from "@percher/client";
+import { isDeployAlreadyInProgress, PercherApiError, PercherClient, saveConfig, } from "@percher/client";
+import { MAX_TARBALL_BYTES } from "@percher/shared";
+import { solvePow } from "@percher/shared/pow";
 import { TIMEOUTS } from "@percher/shared/timeouts";
 import { PercherTomlError, parseFile } from "@percher/toml";
 import { z } from "zod";
 import { renderDeployEvent } from "../event-renderer";
 import { pollDeployment } from "../poll-deployment";
 import { runDeployWithRetry } from "../publish-retry";
-import { RECOVERY_NEEDS_LOGIN, RECOVERY_NONE, recoveryAsk, recoveryDoctor, recoveryEnv, recoveryFixConfig, recoveryWait, } from "../recovery";
+import { RECOVERY_NEEDS_LOGIN, RECOVERY_NONE, recoveryAsk, recoveryDoctor, recoveryFixConfig, recoveryWait, } from "../recovery";
 import { createTarball } from "../tarball";
 import { scanForMissingBuildEnvRefs } from "./env-scan";
 import { init } from "./init";
 import { login } from "./login";
-import { classifyPublishApiError } from "./publish-api-error";
+import { classifyPublishApiError, DEPLOY_GATE_CODES } from "./publish-api-error";
 import { buildFailureResult } from "./publish-failure";
 import { resolveNodeVersion } from "./publish-node";
 import { resolveReplaced } from "./wait-deploy";
@@ -35,8 +37,11 @@ export const publishInputSchema = z.object({
         .boolean()
         .optional()
         .describe("If true (default), publish blocks until the deploy is live or failed. If false, publish returns as soon as the deploy is queued and the agent can resume with percher_wait_for_deploy. Recommended for AI agents — gives back control quickly with a deployId so they can decide between waiting, asking the user, or working on something else."),
+    anonymous: z
+        .boolean()
+        .optional()
+        .describe("Publish WITHOUT an account. Creates a throwaway anonymous app that expires in 72h unless claimed (percher_claim_app). The app runs with no outbound network, no database, and no env vars until claimed. Only honored when the caller has no token; ignored once signed in. Server-gated — fails with ANON_DEPLOYS_DISABLED if the instance hasn't enabled it."),
 });
-const MAX_BYTES = 500 * 1024 * 1024;
 const SUSPICIOUS_BYTES = 50 * 1024 * 1024;
 const SUSPICIOUS_FILES = 10_000;
 function tomlPathFor(cwd) {
@@ -99,39 +104,6 @@ function buildAlreadyInProgressResult(opts) {
         bundle: { fileCount: tarball.fileCount, bytes: tarball.bytes },
     };
 }
-/**
- * FUTURE12 Phase 6d — server rejected this publish because the user
- * already used their one auto-retry within the 10-minute window after
- * an `infra_unavailable` failure. Build an `ask_user` recovery so the
- * agent surfaces it to the human instead of looping.
- */
-function buildRetryLimitReachedResult(opts) {
-    const { err, app, tarball, cwd } = opts;
-    const extra = err.extra ?? {};
-    const resetAtStr = extra.resetAt ?? "";
-    const resetAtForPrompt = resetAtStr || "the cooldown window expires";
-    const prompt = `Percher already retried once after an infrastructure failure for ${app.name}. Wait until ${resetAtForPrompt} or surface to the user.`;
-    return {
-        status: "failed",
-        app,
-        fileCount: tarball.fileCount,
-        bytes: tarball.bytes,
-        error: {
-            title: "Retry limit reached",
-            explanation: "Percher already auto-retried once after an `infra_unavailable` failure for this app within the last 10 minutes. We won't auto-retry again — the next attempt should be a deliberate user decision.",
-            suggestion: `Wait until ${resetAtForPrompt}, then re-run \`percher publish\`. If the failure persists past that, the underlying issue is probably not transient — run \`percher doctor\` to diagnose.`,
-        },
-        recovery: recoveryAsk({
-            prompt,
-            options: ["wait before retrying", "inspect status"],
-            reasonCode: "retry_limit_reached",
-            retryable: false,
-        }),
-        summary: `Retry limit reached for ${app.name}${resetAtStr ? ` — wait until ${resetAtStr}` : ""}.`,
-        configPath: tomlPathFor(cwd),
-        bundle: { fileCount: tarball.fileCount, bytes: tarball.bytes },
-    };
-}
 /**
  * Build the one-line summary echoed back to humans. Includes app name,
  * framework when known, total seconds, and final URL — covers the
@@ -326,7 +298,7 @@ async function publishInner(ctx, input) {
     ctx.status("[2/4] Packaging files...");
     const tarball = await createTarball({ cwd: ctx.cwd, config });
     const packageMs = Date.now() - t0;
-    if (tarball.bytes > MAX_BYTES) {
+    if (tarball.bytes > MAX_TARBALL_BYTES) {
         return {
             status: "failed",
             fileCount: tarball.fileCount,
@@ -447,7 +419,29 @@ async function publishInner(ctx, input) {
         // proceeds and lets the retry loop (Phase 7.2) handle whatever
         // surfaces during the actual upload.
     }
-    // ── 4. Upload ──────────────────────────────────────────────────────
+    // ── 4. Upload → poll → result ─────────────────────────────────────
+    return executeDeploy({
+        ctx,
+        config,
+        input,
+        app,
+        firstDeploy,
+        tarball,
+        t0,
+        packageMs,
+        missingBuildEnvKeys,
+    });
+}
+/**
+ * Post-upload deploy pipeline shared by the primary publish path and
+ * the post-login retry: buffer + upload the tarball (cache probe,
+ * idempotent retry loop), poll to a terminal status via pollDeployment
+ * (which retries transient network failures), and shape the
+ * PublishResult. Both entry paths must route through here so the
+ * re-auth path can't drift from the primary one.
+ */
+async function executeDeploy(opts) {
+    const { ctx, config, input, app, firstDeploy, tarball, t0, packageMs, missingBuildEnvKeys } = opts;
     const uploadStart = Date.now();
     ctx.status("[3/4] Uploading...");
     // Buffer the tarball so the retry loop (Phase 7.2) can resend the
@@ -471,7 +465,11 @@ async function publishInner(ctx, input) {
     // Codex P2, 2026-05-08. Sent as `X-Tarball-Hash` on the upload so
     // the API stores it on `deployments.tarball_hash` for the probe.
     const contentHash = tarball.contentHash;
-    if (!input.noCache) {
+    // Preview publishes never take the probe fast-path: the probe's hit
+    // branch reruns the previous LIVE deploy (traffic swap included),
+    // which would silently turn `--preview` into a live redeploy. The
+    // server-side image cache still skips the rebuild on upload.
+    if (!input.noCache && !input.preview) {
         try {
             const probe = await ctx.client.platform.cacheProbe({
                 appId: app.id,
@@ -534,118 +532,18 @@ async function publishInner(ctx, input) {
             deployment = deployResponse;
         }
         catch (err) {
-            // FUTURE12 Phase 6d — retry-state guardrail. The user already
-            // burned their one auto-retry inside the 10-minute window after
-            // an `infra_unavailable` failure. Recovery is `ask_user` with
-            // retryable=false so an agent doesn't loop indefinitely against
-            // a non-transient outage.
-            if (err instanceof PercherApiError && err.code === "RETRY_LIMIT_REACHED") {
-                return buildRetryLimitReachedResult({
-                    err,
-                    app,
-                    tarball: { fileCount: tarball.fileCount, bytes: tarball.bytes },
-                    cwd: ctx.cwd,
-                });
-            }
-            // Daily-quota gate (Fas 4) returns 429 DAILY_QUOTA_EXCEEDED with
-            // structured `extra` fields (kind/used/limit/resetAt). Surface
-            // those to the agent as ask_user — retry only makes sense after
-            // resetAt, which the message includes verbatim.
-            // FUTURE12 Phase 6c — pre-queue env gate. Two codes, both 422:
-            //   REQUIRED_ENV_MISSING → recoveryEnv (set the keys, re-publish)
-            //   ENV_KEY_UNDECLARED   → recoveryFixConfig (declare in [env])
-            // Distinct from build-failure missing_env: the gate fires BEFORE
-            // the deploy queues, so there's no deployId/buildLog to point at —
-            // the only artifact is the structured `extra` payload.
-            if (err instanceof PercherApiError && err.code === "REQUIRED_ENV_MISSING") {
-                const extra = err.extra ?? {};
-                const keys = extra.keys ?? [];
-                const source = extra.source ?? "contract";
-                const sourceText = source === "contract"
-                    ? "declared in your [env].required"
-                    : source === "discovered"
-                        ? "learned from a previous build failure"
-                        : "both declared and learned from a previous build failure";
-                return {
-                    status: "failed",
-                    app,
-                    fileCount: tarball.fileCount,
-                    bytes: tarball.bytes,
-                    error: {
-                        title: "Required env keys not set",
-                        explanation: `${keys.length} env ${keys.length === 1 ? "key is" : "keys are"} ${sourceText} but missing from the env store: ${keys.join(", ")}.`,
-                        suggestion: `Run \`bunx percher env set ${keys[0] ?? "KEY"}=value\` (and similarly for the rest) and re-publish.`,
-                        errorClass: "missing_env",
-                        phase: "config",
-                        missingEnvVars: keys,
-                    },
-                    recovery: recoveryEnv({
-                        app: app.name,
-                        keys,
-                        reasonCode: "missing_env",
-                    }),
-                    summary: `Missing required env ${keys.length === 1 ? "key" : "keys"}: ${keys.join(", ")}.`,
+            // Pre-queue deploy gates (retry-limit guardrail, env contract,
+            // daily quota) classify via the shared table with app + bundle
+            // context. Everything else rethrows so the top-level catch-all
+            // keeps its existing rendering (no app, zero bundle).
+            if (err instanceof PercherApiError && DEPLOY_GATE_CODES.has(err.code)) {
+                const classified = classifyPublishApiError(err, {
                     configPath: tomlPathFor(ctx.cwd),
                     bundle: { fileCount: tarball.fileCount, bytes: tarball.bytes },
-                };
-            }
-            if (err instanceof PercherApiError && err.code === "ENV_KEY_UNDECLARED") {
-                const extra = err.extra ?? {};
-                const apiProblems = extra.problems ?? [];
-                const problems = apiProblems.map((p) => ({
-                    file: p.file,
-                    line: p.line,
-                    message: `Source references env key '${p.key}' which is not declared in [env]. Add it to [env].required, [env].optional, or [env].ignore in percher.toml. Context: ${p.context ?? "(unavailable)"}`,
-                }));
-                const uniqueKeys = [...new Set(apiProblems.map((p) => p.key))];
-                return {
-                    status: "failed",
                     app,
-                    fileCount: tarball.fileCount,
-                    bytes: tarball.bytes,
-                    error: {
-                        title: "Undeclared env key",
-                        explanation: `Source references ${uniqueKeys.length} env ${uniqueKeys.length === 1 ? "key" : "keys"} that aren't classified in percher.toml's [env] table: ${uniqueKeys.join(", ")}.`,
-                        suggestion: "Add each key to [env].required (must exist before deploy), [env].optional (may be referenced), or [env].ignore (intentionally unset). See https://percher.app/docs/env for the contract.",
-                        errorClass: "config_invalid",
-                        phase: "config",
-                        relevantFiles: ["percher.toml"],
-                    },
-                    recovery: recoveryFixConfig({
-                        problems,
-                        reasonCode: "env_key_undeclared",
-                    }),
-                    summary: `${uniqueKeys.length} undeclared env ${uniqueKeys.length === 1 ? "key" : "keys"} in source: ${uniqueKeys.join(", ")}.`,
-                    configPath: tomlPathFor(ctx.cwd),
-                    bundle: { fileCount: tarball.fileCount, bytes: tarball.bytes },
-                };
-            }
-            if (err instanceof PercherApiError && err.code === "DAILY_QUOTA_EXCEEDED") {
-                const extra = err.extra ?? {};
-                const kind = extra.kind ?? "live";
-                const used = extra.used ?? 0;
-                const limit = extra.limit ?? 0;
-                const resetAt = extra.resetAt ?? "";
-                const otherKind = kind === "live" ? "preview" : "live";
-                return {
-                    status: "failed",
-                    app,
-                    fileCount: tarball.fileCount,
-                    bytes: tarball.bytes,
-                    error: {
-                        title: "Daily deploy quota reached",
-                        explanation: `You've used ${used} of ${limit} ${kind} deploys today on this account. Counter resets at ${resetAt}.`,
-                        suggestion: `Wait until the counter resets, deploy a ${otherKind} instead, or upgrade your plan at https://percher.app/settings to raise this cap.`,
-                    },
-                    recovery: recoveryAsk({
-                        prompt: `Daily ${kind}-deploy quota reached (${used}/${limit}). Counter resets at ${resetAt}. Wait until then, deploy a ${otherKind} instead, or upgrade at https://percher.app/settings.`,
-                        options: ["wait", `deploy ${otherKind}`, "upgrade"],
-                        reasonCode: "quota_exceeded",
-                    }),
-                    summary: `Daily ${kind}-deploy quota reached (${used}/${limit}). Resets ${resetAt}.`,
-                    configPath: tomlPathFor(ctx.cwd),
-                    bundle: { fileCount: tarball.fileCount, bytes: tarball.bytes },
-                };
+                });
+                if (classified)
+                    return classified;
             }
             throw err;
         }
@@ -869,6 +767,22 @@ async function publishInner(ctx, input) {
     };
 }
 async function handleUnauthorized(ctx, config, tarball, input) {
+    // Anonymous publish — no account needed. Mint a throwaway anon app
+    // (server-gated) and run the ordinary pipeline with its token.
+    if (input.anonymous) {
+        return handleAnonymousPublish(ctx, config, input, tarball);
+    }
+    // Advertise the anonymous path so an agent on the needs_login branch can
+    // discover it. Added statically: if the instance hasn't enabled anon
+    // deploys, the attempt returns ANON_DEPLOYS_DISABLED with clear text and
+    // the agent falls back to the login path.
+    const anonAlternative = {
+        action: "retry",
+        suggestedTool: "percher_publish",
+        args: { ...input, anonymous: true },
+        when: "to publish without an account (expires in 72h, claim later with percher_claim_app)",
+    };
+    const needsLoginRecovery = { ...RECOVERY_NEEDS_LOGIN, alternativeActions: [anonAlternative] };
     // In MCP context we can't open a browser — return login instructions
     if (!ctx.interactiveLogin) {
         try {
@@ -885,7 +799,7 @@ async function handleUnauthorized(ctx, config, tarball, input) {
                 loginCode: userCode,
                 fileCount: tarball.fileCount,
                 bytes: tarball.bytes,
-                recovery: RECOVERY_NEEDS_LOGIN,
+                recovery: needsLoginRecovery,
                 summary: `Login required: open ${loginUrl} (code: ${userCode}).`,
                 configPath: tomlPathFor(ctx.cwd),
                 bundle: { fileCount: tarball.fileCount, bytes: tarball.bytes },
@@ -901,14 +815,17 @@ async function handleUnauthorized(ctx, config, tarball, input) {
                     explanation: "No valid Percher token found.",
                     suggestion: "Run the percher_login tool first, or set PERCHER_TOKEN environment variable.",
                 },
-                recovery: RECOVERY_NEEDS_LOGIN,
+                recovery: needsLoginRecovery,
                 summary: "Login required — run percher_login or set PERCHER_TOKEN.",
                 configPath: tomlPathFor(ctx.cwd),
                 bundle: { fileCount: tarball.fileCount, bytes: tarball.bytes },
             };
         }
     }
-    // Interactive CLI — trigger login flow
+    // Interactive CLI — trigger login flow, rebind the client to the new
+    // token, rebuild the inputs the failed attempt consumed (the tarball
+    // stream is spent, the app lookup ran against the dead token), then
+    // hand off to the same pipeline as the primary path.
     ctx.status("Not logged in — starting login...");
     const newToken = await login(ctx);
     ctx.client = new PercherClient({
@@ -916,186 +833,124 @@ async function handleUnauthorized(ctx, config, tarball, input) {
         token: newToken,
         sessionId: ctx.client.sessionId,
     });
-    // Re-create tarball since stream is consumed
+    // Timing restarts here so the interactive login wait doesn't inflate
+    // totalSeconds in the result.
+    const t0 = Date.now();
     const freshTarball = await createTarball({ cwd: ctx.cwd, config });
-    let firstDeployRetry = false;
-    let app;
-    ({ app, firstDeploy: firstDeployRetry } = await ensureApp(ctx, config));
-    ctx.status("Uploading...");
-    // Buffer for the retry loop (Phase 7.2) — same pattern as the main
-    // publishInner path; the post-login flow gets the same auto-retry
-    // protection without a parallel retry helper.
-    const freshTarballBytes = new Uint8Array(await new Response(freshTarball.stream).arrayBuffer());
-    const freshIdempotencyKey = crypto.randomUUID();
-    let deployment;
+    const packageMs = Date.now() - t0;
+    const { app, firstDeploy } = await ensureApp(ctx, config);
+    // The advisory build-env scan doesn't run on this path (the 401 fired
+    // before publishInner reached it); empty keeps the field absent.
+    return executeDeploy({
+        ctx,
+        config,
+        input,
+        app,
+        firstDeploy,
+        tarball: freshTarball,
+        t0,
+        packageMs,
+        missingBuildEnvKeys: [],
+    });
+}
+/**
+ * Anonymous (account-less) publish. Mints a throwaway anon app + token
+ * via POST /anon/apps, persists + rebinds the token, overrides the app
+ * name to the server-assigned suffixed one, then runs the ordinary
+ * deploy pipeline. The result carries the claim token + TTL + the active
+ * restrictions so the caller can claim the app into a real account later.
+ */
+async function handleAnonymousPublish(ctx, config, input, tarball) {
+    const anonClient = new PercherClient({
+        apiUrl: ctx.client.apiUrl,
+        sessionId: ctx.client.sessionId,
+    });
+    let created;
     try {
-        const { result: deployResponse } = await runDeployWithRetry({
-            call: (attempt) => ctx.client.apps.deploy(app.id, {
-                tarball: freshTarballBytes,
-                // Preserve preview/note semantics across the post-login retry.
-                // Without these, an interactive `percher publish --preview -m "x"`
-                // that hits a 401 would silently downgrade to a live deploy with
-                // no note after the user logs in. Codex P1, 2026-04-29.
-                type: input.preview ? "preview" : undefined,
-                note: input.message,
-                noCache: input.noCache,
-                idempotencyKey: freshIdempotencyKey,
-                // Phase 7.5 — same X-Publish-Attempts claim as the main
-                // publish path; ensures the post-login retry chain still
-                // yields a `retry_recovered` outcome when it eventually wins.
-                retriedAttempts: attempt - 1,
-            }),
-            onRetry: ({ attempt, decision }) => {
-                ctx.status(`Retrying after ${Math.round(decision.delayMs / 1000)}s — ${decision.reason} (attempt ${attempt + 1}/4)…`);
-            },
-        });
-        // FUTURE12 Phase 6d — same already_in_progress short-circuit as
-        // the main publishInner path. Without this branch, a user who
-        // hits a 401 mid-publish and re-auths could land on the
-        // post-login deploy step and have it silently fall through into
-        // a 5-minute polling loop against the existing deploy's row.
-        if (isDeployAlreadyInProgress(deployResponse)) {
-            return buildAlreadyInProgressResult({
-                active: deployResponse,
-                app,
-                tarball: { fileCount: freshTarball.fileCount, bytes: freshTarball.bytes },
-                cwd: ctx.cwd,
-            });
+        // Proof-of-work gate: fetch a challenge and solve it before minting
+        // the anon app. When the server-side PoW flag is off, difficulty is 0
+        // and solvePow returns "0" instantly. A null solution means a
+        // pathological difficulty exhausted the iteration budget — throw so
+        // the catch below surfaces the same graceful "anonymous unavailable"
+        // needs_login fallback as a feature-flag-off (403) challenge fetch.
+        const ch = await anonClient.anon.requestChallenge();
+        const solution = solvePow(ch.nonce, ch.difficulty);
+        if (solution === null) {
+            throw new Error("proof-of-work unsolvable (difficulty too high)");
         }
-        deployment = deployResponse;
+        created = await anonClient.anon.createAnonApp({
+            name: config.app.name,
+            powChallengeId: ch.challengeId,
+            powSolution: solution,
+        });
     }
     catch (err) {
-        if (err instanceof PercherApiError && err.code === "RETRY_LIMIT_REACHED") {
-            return buildRetryLimitReachedResult({
-                err,
-                app,
-                tarball: { fileCount: freshTarball.fileCount, bytes: freshTarball.bytes },
-                cwd: ctx.cwd,
-            });
-        }
-        throw err;
-    }
-    const replacedPreview = deployment.replacedPreview === true;
-    // FUTURE11 Phase 1 — same async opt-in as the main publishInner path.
-    // Without this, a caller that passed `waitForLive: false` and hit a
-    // 401 (interactive login flow) would silently fall through to the
-    // 5-minute polling loop after login, breaking the contract that
-    // waitForLive=false always returns as soon as the deploy is queued.
-    if (input.waitForLive === false) {
-        ctx.status(`Queued (${deployment.id}) — resume with percher_wait_for_deploy.`);
+        const code = err.code;
+        const detail = code === "ANON_CAPACITY"
+            ? "Anonymous capacity is full right now."
+            : "Anonymous deploys are not enabled on this instance.";
         return {
-            status: "queued",
-            app,
-            deployment,
-            fileCount: freshTarball.fileCount,
-            bytes: freshTarball.bytes,
-            replacedPreview: replacedPreview || undefined,
-            firstDeploy: firstDeployRetry || undefined,
-            recovery: recoveryWait({
-                app: app.name,
-                deployId: deployment.id,
-                reasonCode: "deploy_queued",
-            }),
-            summary: `${app.name} deploy ${deployment.id} queued — resume with percher_wait_for_deploy.`,
+            status: "needs_login",
+            fileCount: tarball.fileCount,
+            bytes: tarball.bytes,
+            error: {
+                title: "Anonymous publish unavailable",
+                explanation: detail,
+                suggestion: "Run the percher_login tool to publish with an account instead.",
+            },
+            recovery: RECOVERY_NEEDS_LOGIN,
+            summary: `${detail} Log in to publish instead.`,
             configPath: tomlPathFor(ctx.cwd),
-            bundle: { fileCount: freshTarball.fileCount, bytes: freshTarball.bytes },
+            bundle: { fileCount: tarball.fileCount, bytes: tarball.bytes },
         };
     }
-    const timeoutMs = TIMEOUTS.clientPublishPoll;
-    const start = Date.now();
-    while (deployment.status !== "live" &&
-        deployment.status !== "failed" &&
-        deployment.status !== "replaced") {
-        if (Date.now() - start > timeoutMs) {
-            return {
-                status: "failed",
-                app,
-                deployment,
-                fileCount: freshTarball.fileCount,
-                bytes: freshTarball.bytes,
-                error: {
-                    title: "Deploy timed out",
-                    explanation: "The deployment did not complete within 5 minutes.",
-                    suggestion: `Run \`percher doctor --app ${app.name}\` (CLI) or the percher_doctor tool (MCP) to diagnose the stall. Doctor will read deploy state + build log and return a concrete next step.`,
-                },
-                // FUTURE12 Phase 4: ambiguous stall — let doctor classify
-                // before the agent dives into the raw log.
-                recovery: recoveryDoctor({
-                    app: app.name,
-                    deployId: deployment.id,
-                    mode: "deploy",
-                    reasonCode: "deploy_stalled",
-                }),
-                summary: `Deploy timed out after 5 minutes (${deployment.id}).`,
-                configPath: tomlPathFor(ctx.cwd),
-                bundle: { fileCount: freshTarball.fileCount, bytes: freshTarball.bytes },
-            };
-        }
-        ctx.status(`${deployment.status}...`);
-        await new Promise((r) => setTimeout(r, 2000));
-        deployment = await ctx.client.apps.getDeployment(app.id, deployment.id);
-    }
-    if (deployment.status === "replaced") {
-        return await buildReplacedResult({
-            ctx,
-            app,
-            deployment,
-            tarball: { fileCount: freshTarball.fileCount, bytes: freshTarball.bytes },
-            cwd: ctx.cwd,
-        });
-    }
-    if (deployment.status === "failed") {
-        return buildFailureResult({
-            ctx,
-            app,
-            deployment,
-            tarball: { fileCount: freshTarball.fileCount, bytes: freshTarball.bytes },
-            input,
-        });
-    }
-    const totalSeconds = (Date.now() - start) / 1000;
-    const url = deployment.previewUrl ?? deployment.url ?? app.url;
-    ctx.status(`Live at ${url} (${totalSeconds.toFixed(0)}s)`);
-    return {
-        status: "live",
-        url,
+    // Persist + rebind to the anon token; stash the claim state so a later
+    // `percher claim` in this project works without re-pasting the token.
+    saveConfig({
+        token: created.token,
+        anonClaim: {
+            app: created.app.name,
+            claimToken: created.claimToken,
+            expiresAt: created.expiresAt,
+        },
+    });
+    const newClient = new PercherClient({
+        apiUrl: ctx.client.apiUrl,
+        token: created.token,
+        sessionId: ctx.client.sessionId,
+    });
+    ctx.client = newClient;
+    ctx.setClient?.(newClient);
+    // The server assigns a random suffix (anti-squat) — deploy to that name.
+    config.app.name = created.app.name;
+    const t0 = Date.now();
+    const freshTarball = await createTarball({ cwd: ctx.cwd, config });
+    const packageMs = Date.now() - t0;
+    const { app, firstDeploy } = await ensureApp(ctx, config);
+    const result = await executeDeploy({
+        ctx,
+        config,
+        input,
         app,
-        deployment,
-        timing: {
-            totalSeconds: Math.round(totalSeconds),
-            packageMs: 0,
-            uploadMs: 0,
-            buildMs: 0,
+        firstDeploy,
+        tarball: freshTarball,
+        t0,
+        packageMs,
+        missingBuildEnvKeys: [],
+    });
+    return {
+        ...result,
+        anonymous: true,
+        claim: {
+            claimUrl: created.claimUrl,
+            claimToken: created.claimToken,
+            expiresAt: created.expiresAt,
         },
-        fileCount: freshTarball.fileCount,
-        bytes: freshTarball.bytes,
-        replacedPreview,
-        firstDeploy: firstDeployRetry || undefined,
-        recovery: RECOVERY_NONE,
-        cacheHit: deployment.cacheHit,
-        // Phase 7.9 — operator-facing trace key, same shape the primary
-        // success path returns. Codex P2 follow-up on daf063f: the
-        // post-login retry path was returning a PublishResult without
-        // `traceId`, so a user who started unauthenticated, logged in,
-        // and then succeeded got no `Trace: dep_xxx` line from the CLI
-        // and the correlation key was missing for that publish.
-        traceId: deployment.id,
-        summary: buildLiveSummary({
-            appName: app.name,
-            url: url ?? app.url,
-            totalSeconds: Math.round(totalSeconds),
-            framework: config.app.framework,
-            preview: input.preview === true,
-            replacedPreview,
-            // Read directly off the polled deployment row — same source of
-            // truth as the primary publish path. Codex P2 follow-up on
-            // 9e5ceee: the previous hardcoded `false` here meant the user
-            // who hit the post-login retry branch always saw "Build cache:
-            // miss" regardless of whether the build actually used the cache.
-            cacheHit: deployment.cacheHit ?? false,
-        }),
-        configPath: tomlPathFor(ctx.cwd),
-        bundle: { fileCount: freshTarball.fileCount, bytes: freshTarball.bytes },
+        warnings: [
+            ...(result.warnings ?? []),
+            `Anonymous app: expires ${created.expiresAt} unless claimed — run percher_claim_app (claim token is in claim.claimToken).`,
+            "No outbound network, no database, and no env vars until claimed.",
+        ],
     };
 }
 // ── Helpers ────────────────────────────────────────────────────────────