@pikku/inspector 0.12.26 → 0.12.28

package/dist/utils/workflow/graph/finalize-workflows.js

@@ -1,6 +1,7 @@
 import { isVersionedId, formatVersionedId, parseVersionedId } from '@pikku/core';
 import { canonicalJSON, hashString } from '../../hash.js';
 import { convertDslToGraph } from './convert-dsl-to-graph.js';
+import { deriveWorkflowPlan } from '../derive-workflow-plan.js';
 export function finalizeWorkflows(state) {
     const { workflows, functions } = state;
     const functionsMeta = functions.meta;
@@ -9,6 +10,20 @@ export function finalizeWorkflows(state) {
         stampVersionsOnGraph(graph, functionsMeta);
         computeStepHashes(graph, functionsMeta);
         graph.graphHash = computeGraphHash(graph);
+        // Predictable (loopless) DSL workflows carry their full step list so a UI
+        // can render the skeleton up front without executing the run. Only DSL is
+        // gated: a complex workflow's step tree is incomplete (inline JS branches
+        // aren't captured) and flattens loops into plain steps, so its plan would
+        // lie about determinism.
+        if (graph.source === 'dsl') {
+            const { deterministic, plannedSteps } = deriveWorkflowPlan(meta.steps);
+            graph.deterministic = deterministic;
+            // Omit an empty list — a deterministic workflow with no plannedSteps is
+            // simply one with no named steps (e.g. a bare return).
+            if (plannedSteps?.length) {
+                graph.plannedSteps = plannedSteps;
+            }
+        }
         workflows.graphMeta[name] = graph;
     }
     for (const graph of Object.values(workflows.graphMeta)) {

package/dist/utils/workflow/graph/workflow-graph.types.d.ts

@@ -62,14 +62,12 @@ export interface NodeOptions {
     retryDelay?: string;
     /** Timeout for node execution (e.g., '30s', '5m') */
     timeout?: string;
-    /** If true, execute via queue (async). Default: false (inline) */
-    async?: boolean;
 }
 /**
  * Flow node types for control flow (no RPC call)
  */
 export type FlowType = 'sleep' | 'branch' | 'parallel' | 'fanout' | 'inline' | 'switch' | 'filter' | 'arrayPredicate' | 'return' | 'cancel' | 'set';
-import type { ContextVariable, WorkflowContext } from '@pikku/core/workflow';
+import type { ContextVariable, WorkflowContext, WorkflowPlannedStep } from '@pikku/core/workflow';
 export type { ContextVariable, WorkflowContext };
 /**
  * Base node properties shared by all node types
@@ -151,6 +149,19 @@ export interface SerializedWorkflowGraph {
     entryNodeIds: string[];
     /** Hash of graph topology (nodes, edges, input mappings) */
     graphHash?: string;
+    /**
+     * True when the exact executed step sequence is known up front: a loopless
+     * DSL workflow with no branches/switches. Lets a UI render the run as a fixed
+     * pipeline. Loops (fanout) → omitted; branchy-but-loopless → false.
+     */
+    deterministic?: boolean;
+    /**
+     * Every named step the workflow can run, in source order — so a frontend can
+     * render the step skeleton before the run starts. Populated for any loopless
+     * DSL workflow (a branchy one lists all possible steps); omitted when the step
+     * count is runtime-dependent (any fanout).
+     */
+    plannedSteps?: WorkflowPlannedStep[];
     /** Wire entry points (HTTP, channel, queue, etc.) that trigger this workflow */
     wires?: WorkflowWires;
 }

package/dist/visit.d.ts

@@ -1,4 +1,5 @@
 import * as ts from 'typescript';
 import type { InspectorState, InspectorLogger, InspectorOptions } from './types.js';
 export declare const visitSetup: (logger: InspectorLogger, checker: ts.TypeChecker, node: ts.Node, state: InspectorState, options: InspectorOptions) => void;
+export declare const visitFunctions: (logger: InspectorLogger, checker: ts.TypeChecker, node: ts.Node, state: InspectorState, options: InspectorOptions) => void;
 export declare const visitRoutes: (logger: InspectorLogger, checker: ts.TypeChecker, node: ts.Node, state: InspectorState, options: InspectorOptions) => void;

package/dist/visit.js

@@ -41,12 +41,25 @@ export const visitSetup = (logger, checker, node, state, options) => {
     addWorkflow(logger, node, checker, state, options);
     ts.forEachChild(node, (child) => visitSetup(logger, checker, child, state, options));
 };
+// Register every pikku function before transports/wirings are resolved, so that
+// resolution (e.g. a channel handler referencing a function defined in another
+// file) is independent of source-file traversal order. Runs between visitSetup
+// and visitRoutes.
+export const visitFunctions = (logger, checker, node, state, options) => {
+    const nextOptions = ts.isSourceFile(node)
+        ? { ...options, sourceFile: node }
+        : options;
+    addFunctions(logger, node, checker, state, nextOptions);
+    ts.forEachChild(node, (child) => visitFunctions(logger, checker, child, state, nextOptions));
+};
 export const visitRoutes = (logger, checker, node, state, options) => {
     const nextOptions = ts.isSourceFile(node)
         ? { ...options, sourceFile: node }
         : options;
     checkAddonBans(logger, node, checker, state, nextOptions);
-    addFunctions(logger, node, checker, state, nextOptions);
+    // NOTE: addFunctions runs in its own earlier pass (visitFunctions) so that
+    // every function is registered before any wiring (channels, CLI, etc.)
+    // resolves it — wiring resolution must not depend on source-file order.
     addAuth(logger, node, checker, state, nextOptions);
     addSecret(logger, node, checker, state, nextOptions);
     addCredential(logger, node, checker, state, nextOptions);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pikku/inspector",
-  "version": "0.12.26",
+  "version": "0.12.28",
   "author": "yasser.fadl@gmail.com",
   "license": "BUSL-1.1",
   "type": "module",
@@ -35,7 +35,7 @@
   },
   "dependencies": {
     "@openapi-contrib/json-schema-to-openapi-schema": "^4.3.1",
-    "@pikku/core": "^0.12.37",
+    "@pikku/core": "^0.12.40",
     "openapi-types": "^12.1.3",
     "path-to-regexp": "^8.3.0",
     "ts-json-schema-generator": "^2.5.0",

package/src/add/add-functions.ts

@@ -392,7 +392,9 @@ export const addFunctions: AddWiring = (
   let deploy: 'serverless' | 'server' | 'auto' | undefined
   let approvalRequired: boolean | undefined
   let approvalDescription: string | undefined
-  let inline: boolean | undefined
+  let workflowQueued: boolean | undefined
+  let workflowRetries: number | undefined
+  let workflowTimeout: string | undefined
   let version: number | undefined
   let objectNode: ts.ObjectLiteralExpression | undefined
   let nodeDisplayName: string | null = null
@@ -488,7 +490,9 @@ export const addFunctions: AddWiring = (
     approvalRequired = getPropertyValue(firstArg, 'approvalRequired') as
       | boolean
       | undefined
-    inline = getPropertyValue(firstArg, 'inline') as boolean | undefined
+    workflowQueued = getPropertyValue(firstArg, 'workflowQueued') as boolean | undefined
+    workflowRetries = getPropertyValue(firstArg, 'workflowRetries') as number | undefined
+    workflowTimeout = getPropertyValue(firstArg, 'workflowTimeout') as string | undefined
 
     // Extract approvalDescription identifier reference
     for (const prop of firstArg.properties) {
@@ -913,7 +917,12 @@ export const addFunctions: AddWiring = (
   //   secret  → never returned by any exposed function (sessioned or not)
   //   private → only visible to authenticated (sessioned) users; ok for pikkuFunc
   //   public  → safe for sessionless functions
-  {
+  // Opt-in only: inferring every handler's return type (getReturnTypeOfSignature)
+  // is the single most expensive checker operation and dominates `pikku all`
+  // wall-clock. The classification leak scan is a security lint, not codegen, so
+  // it runs ONLY when explicitly requested (`pikku all --security`) — see the
+  // classificationCheck option. Default codegen skips it entirely.
+  if (options.classificationCheck) {
     const sig = checker.getSignatureFromDeclaration(handler)
     if (sig) {
       const rawRet = checker.getReturnTypeOfSignature(sig)
@@ -1022,7 +1031,9 @@ export const addFunctions: AddWiring = (
     deploy: deploy || undefined,
     approvalRequired: approvalRequired || undefined,
     approvalDescription: approvalDescription || undefined,
-    inline: inline === false ? false : undefined,
+    workflowQueued: workflowQueued === true ? true : undefined,
+    workflowRetries: workflowRetries ?? undefined,
+    workflowTimeout: workflowTimeout ?? undefined,
     implementationHash,
     version,
     title,

package/src/add/add-rpc-invocations.ts

@@ -1,5 +1,24 @@
 import * as ts from 'typescript'
 import type { InspectorState, InspectorLogger } from '../types.js'
+import { ErrorCode } from '../error-codes.js'
+
+function hasTypeCast(node: ts.Node): boolean {
+  return ts.isAsExpression(node) || ts.isTypeAssertionExpression(node)
+}
+
+function outerParent(node: ts.Node): ts.Node {
+  let p = node.parent
+  while (p && (ts.isAwaitExpression(p) || ts.isParenthesizedExpression(p))) {
+    p = p.parent
+  }
+  return p
+}
+
+function findCastArg(
+  args: ts.NodeArray<ts.Expression>
+): ts.Expression | undefined {
+  return args.find(hasTypeCast)
+}
 
 /**
  * Helper to extract namespace from a namespaced function reference like 'ext:hello'
@@ -67,6 +86,28 @@ export function addRPCInvocations(
       ts.isIdentifier(expression.expression) &&
       expression.expression.text === 'rpc'
     ) {
+      // Skip PKU940 for generated files — they may contain intentional casts
+      // (e.g. the paginated useInfiniteQuery hook in pikku-react-query.gen.ts).
+      const sourceFileName = node.getSourceFile().fileName
+      const isGenerated =
+        sourceFileName.endsWith('.gen.ts') || sourceFileName.endsWith('.gen.js')
+      if (!isGenerated) {
+        if (hasTypeCast(outerParent(node))) {
+          logger.critical(
+            ErrorCode.RPC_INVOCATION_TYPE_CAST,
+            `rpc.invoke() result is type-cast — remove the 'as' expression and rely on Pikku's generated types`
+          )
+        }
+
+        const castArg = findCastArg(args)
+        if (castArg) {
+          logger.critical(
+            ErrorCode.RPC_INVOCATION_TYPE_CAST,
+            `rpc.invoke() has a type cast on an argument — remove the 'as' expression and rely on Pikku's generated types`
+          )
+        }
+      }
+
       const [firstArg] = args
       if (firstArg) {
         if (ts.isStringLiteral(firstArg)) {

package/src/add/pii-check.test.ts

@@ -48,7 +48,9 @@ async function runInspect(sourceCode: string) {
   await writeFile(file, sourceCode)
   const { logger, criticals } = makeLogger()
   try {
-    await inspect(logger, [file], { rootDir: tmpDir })
+    // The data-classification leak scan is opt-in (off by default to keep it
+    // off the `pikku all` hot path); these tests exercise it, so enable it.
+    await inspect(logger, [file], { rootDir: tmpDir, classificationCheck: true })
   } finally {
     await rm(tmpDir, { recursive: true, force: true })
   }

package/src/add/rpc-type-cast.test.ts

@@ -0,0 +1,123 @@
+import { strict as assert } from 'assert'
+import { describe, test } from 'node:test'
+import { mkdtemp, rm, writeFile } from 'node:fs/promises'
+import { tmpdir } from 'node:os'
+import { join } from 'node:path'
+import { inspect } from '../inspector.js'
+import { ErrorCode } from '../error-codes.js'
+import type { InspectorLogger } from '../types.js'
+
+function makeLogger() {
+  const criticals: Array<{ code: ErrorCode; message: string }> = []
+  const logger: InspectorLogger = {
+    debug: () => {},
+    info: () => {},
+    warn: () => {},
+    error: () => {},
+    diagnostic: ({ code, message }) => criticals.push({ code, message }),
+    critical: (code, message) => criticals.push({ code, message }),
+    hasCriticalErrors: () => criticals.length > 0,
+  }
+  return { logger, criticals }
+}
+
+async function runInspect(sourceCode: string) {
+  const tmpDir = await mkdtemp(join(tmpdir(), 'pikku-rpc-cast-test-'))
+  const file = join(tmpDir, 'funcs.ts')
+  await writeFile(file, sourceCode)
+  const { logger, criticals } = makeLogger()
+  try {
+    await inspect(logger, [file], { rootDir: tmpDir })
+  } finally {
+    await rm(tmpDir, { recursive: true, force: true })
+  }
+  return criticals
+}
+
+describe('RPC type-cast check — PKU940', () => {
+  test('flags rpc.invoke() with an as-cast on an argument', async () => {
+    const criticals = await runInspect(`
+declare const rpc: { invoke: (name: string, data: unknown) => Promise<unknown> }
+export async function doWork() {
+  return rpc.invoke('someFunction', { id: 1 } as any)
+}
+`)
+    const hit = criticals.find(
+      (c) => c.code === ErrorCode.RPC_INVOCATION_TYPE_CAST
+    )
+    assert.ok(hit, `Expected PKU940 but got: ${JSON.stringify(criticals)}`)
+  })
+
+  test('flags rpc.invoke() with an angle-bracket cast on an argument', async () => {
+    const criticals = await runInspect(`
+declare const rpc: { invoke: (name: string, data: unknown) => Promise<unknown> }
+export async function doWork() {
+  return rpc.invoke('someFunction', <any>{ id: 1 })
+}
+`)
+    const hit = criticals.find(
+      (c) => c.code === ErrorCode.RPC_INVOCATION_TYPE_CAST
+    )
+    assert.ok(hit, `Expected PKU940 but got: ${JSON.stringify(criticals)}`)
+  })
+
+  test('flags rpc.invoke() result cast with as any', async () => {
+    const criticals = await runInspect(`
+declare const rpc: { invoke: (name: string, data: unknown) => Promise<unknown> }
+export async function doWork() {
+  return (rpc.invoke('someFunction', { id: 1 }) as any)
+}
+`)
+    const hit = criticals.find(
+      (c) => c.code === ErrorCode.RPC_INVOCATION_TYPE_CAST
+    )
+    assert.ok(hit, `Expected PKU940 but got: ${JSON.stringify(criticals)}`)
+  })
+
+  test('flags rpc.invoke() result cast with as never', async () => {
+    const criticals = await runInspect(`
+declare const rpc: { invoke: (name: string, data: unknown) => Promise<unknown> }
+export async function doWork() {
+  return (rpc.invoke('someFunction', { id: 1 }) as never)
+}
+`)
+    const hit = criticals.find(
+      (c) => c.code === ErrorCode.RPC_INVOCATION_TYPE_CAST
+    )
+    assert.ok(hit, `Expected PKU940 but got: ${JSON.stringify(criticals)}`)
+  })
+
+  test('does not flag a clean rpc.invoke() call', async () => {
+    const criticals = await runInspect(`
+declare const rpc: { invoke: (name: string, data: unknown) => Promise<unknown> }
+export async function doWork() {
+  return rpc.invoke('someFunction', { id: 1 })
+}
+`)
+    const hit = criticals.find(
+      (c) => c.code === ErrorCode.RPC_INVOCATION_TYPE_CAST
+    )
+    assert.equal(
+      hit,
+      undefined,
+      `Expected no PKU940 but got: ${JSON.stringify(hit)}`
+    )
+  })
+
+  test('does not flag as-casts on unrelated calls', async () => {
+    const criticals = await runInspect(`
+declare function otherFn(data: unknown): Promise<unknown>
+export async function doWork() {
+  return otherFn({ id: 1 } as any)
+}
+`)
+    const hit = criticals.find(
+      (c) => c.code === ErrorCode.RPC_INVOCATION_TYPE_CAST
+    )
+    assert.equal(
+      hit,
+      undefined,
+      `Expected no PKU940 but got: ${JSON.stringify(hit)}`
+    )
+  })
+})

package/src/error-codes.ts

@@ -88,6 +88,8 @@ export enum ErrorCode {
   // Addon authoring errors
   ADDON_WIRING_NOT_ALLOWED = 'PKU920',
   ADDON_CONTRACT_HANDLERS_NOT_ALLOWED = 'PKU921',
+
+  RPC_INVOCATION_TYPE_CAST = 'PKU940',
 }
 
 /**

package/src/inspector.ts

@@ -1,7 +1,7 @@
 import * as ts from 'typescript'
 import { performance } from 'perf_hooks'
 import { resolve } from 'path'
-import { visitSetup, visitRoutes } from './visit.js'
+import { visitSetup, visitFunctions, visitRoutes } from './visit.js'
 import { TypesMap } from './types-map.js'
 import type {
   InspectorState,
@@ -269,6 +269,12 @@ export const inspect = async (
   // node_modules under rootDir (e.g. a locally-installed addon) is a
   // dependency, not project source — scanning it double-counts the addon's
   // own application types (CoreConfig/Services/SingletonServices).
+  // Sort by file name so the sweeps populate state in a stable order. The
+  // program's own file order depends on glob + import-graph resolution, which
+  // varies run to run — leaving generated meta keys (and anything serialized
+  // in insertion order) non-reproducible across identical `pikku all` runs.
+  // Safe because function registration is a dedicated pass (visitFunctions)
+  // that completes before any order-sensitive wiring resolution in visitRoutes.
   const sourceFiles = program
     .getSourceFiles()
     .filter(
@@ -276,6 +282,9 @@ export const inspect = async (
         sf.fileName.startsWith(rootDir) &&
         !sf.fileName.includes('/node_modules/')
     )
+    .sort((a, b) =>
+      a.fileName < b.fileName ? -1 : a.fileName > b.fileName ? 1 : 0
+    )
   logger.debug(
     `Got source files in ${(performance.now() - startSourceFiles).toFixed(2)}ms`
   )
@@ -298,7 +307,20 @@ export const inspect = async (
   await loadAddonFunctionsMeta(logger, state)
 
   if (!options.setupOnly) {
-    // Second sweep: add all transports
+    // Function sweep: register every function before transports/wirings resolve
+    // them, so resolution doesn't depend on source-file order.
+    const startFunctions = performance.now()
+    for (const sourceFile of sourceFiles) {
+      const sourceOptions = { ...options, sourceFile }
+      ts.forEachChild(sourceFile, (child) =>
+        visitFunctions(logger, checker, child, state, sourceOptions)
+      )
+    }
+    logger.debug(
+      `Visit functions phase completed in ${(performance.now() - startFunctions).toFixed(0)}ms`
+    )
+
+    // Transport sweep: add all transports/wirings
     const startRoutes = performance.now()
     for (const sourceFile of sourceFiles) {
       const sourceOptions = { ...options, sourceFile }

package/src/types.ts

@@ -263,6 +263,10 @@ export type InspectorFilters = {
   // to 'server'. Sourced from `pikku.config.json` →
   // `deploy.serverlessIncompatible`. Used only when deploy filters are set.
   serverlessIncompatible?: string[]
+  // Default deploy target for functions without an explicit `deploy` flag.
+  // Sourced from `pikku.config.json` → `deploy.defaultTarget`. Used only
+  // when deploy filters are set. Defaults to 'serverless'.
+  defaultTarget?: 'serverless' | 'server'
 }
 
 export type AddonConfig = {
@@ -287,6 +291,13 @@ export type InspectorOptions = Partial<{
     tsconfig: string
     schemasFromTypes?: string[]
     schema?: { additionalProperties?: boolean }
+    /**
+     * Directory for the on-disk TS-schema cache. When set, generated TS schemas
+     * are persisted here keyed by a hash of the custom-types content, so a warm
+     * `pikku all` whose function types are unchanged skips ts-json-schema-generator
+     * entirely (the single largest cold-run cost). Omit to disable disk caching.
+     */
+    cacheDir?: string
   }
   openAPI: {
     additionalInfo: OpenAPISpecInfo
@@ -294,6 +305,12 @@ export type InspectorOptions = Partial<{
   tags: string[]
   manifest: VersionManifest
   oldProgram: ts.Program | undefined
+  /**
+   * Run the data-classification leak scan (Private/Pii/Secret brands in function
+   * return types). Off by default — it forces return-type inference on every
+   * function, which is expensive. Enabled via `pikku all --security`.
+   */
+  classificationCheck: boolean
 }>
 
 export interface InspectorLogger {

package/src/utils/extract-function-name.ts

@@ -1,7 +1,25 @@
 import * as ts from 'typescript'
-import { randomUUID } from 'crypto'
+import { createHash } from 'crypto'
+import { relative } from 'path'
 import { formatVersionedId } from '@pikku/core'
 
+/**
+ * Deterministic placeholder id for an anonymous/unnamed pikku function or
+ * permission. Derived from the call expression's source location (relative path
+ * + start position) so `pikku all` produces byte-identical output across runs —
+ * a `randomUUID()` here made generated meta non-reproducible. Still `__temp_`
+ * prefixed so downstream resolution (which keys off that prefix) is unchanged.
+ */
+function tempFuncId(callExpr: ts.Node, rootDir: string): string {
+  const sourceFile = callExpr.getSourceFile()
+  const relPath = relative(rootDir, sourceFile.fileName)
+  const hash = createHash('sha1')
+    .update(`${relPath}:${callExpr.getStart()}`)
+    .digest('hex')
+    .slice(0, 16)
+  return `__temp_${hash}`
+}
+
 export type ExtractedFunctionName = {
   pikkuFuncId: string
   name: string
@@ -126,7 +144,7 @@ export function extractFunctionName(
               }
 
               if (!result.pikkuFuncId) {
-                result.pikkuFuncId = `__temp_${randomUUID()}`
+                result.pikkuFuncId = tempFuncId(callExpr, rootDir)
               }
 
               populateNameByPriority(result)
@@ -440,7 +458,7 @@ export function extractFunctionName(
   } else if (result.exportedName) {
     result.pikkuFuncId = result.exportedName
   } else {
-    result.pikkuFuncId = `__temp_${randomUUID()}`
+    result.pikkuFuncId = tempFuncId(callExpr, rootDir)
   }
 
   if (result.version !== null) {

package/src/utils/filter-inspector-state.ts

@@ -340,9 +340,15 @@ export function filterInspectorState(
       ? new Set(filters.excludeTarget)
       : null
     const incompatible = new Set(filters.serverlessIncompatible ?? [])
+    const defaultTarget = filters.defaultTarget ?? 'serverless'
     keptByDeploy = new Set<string>()
     for (const [funcId, funcMeta] of Object.entries(state.functions.meta)) {
-      const target = resolveDeployTarget(funcMeta as any, incompatible, funcId)
+      const target = resolveDeployTarget(
+        funcMeta as any,
+        incompatible,
+        funcId,
+        defaultTarget
+      )
       if (allowed && !allowed.has(target)) continue
       if (excluded && excluded.has(target)) continue
       keptByDeploy.add(funcId)
@@ -1062,10 +1068,10 @@ export function filterInspectorState(
   }
 
   // Step dispatch is decided purely per-function: a workflow step runs via the
-  // queue only when its function opts out of inline execution (inline: false).
-  // Such a unit needs workflowService + queueService injected even though the
-  // function itself doesn't reference them. Check the ORIGINAL graph meta
-  // (before filtering pruned it).
+  // queue only when its function is marked `workflowQueued: true`. Such a unit
+  // needs workflowService + queueService injected even though the function
+  // itself doesn't reference them. Check the ORIGINAL graph meta (before
+  // filtering pruned it).
   const survivingFuncIds = new Set(Object.keys(filteredState.functions.meta))
   const resolveFuncId = (rpcName: string): string =>
     filteredState.rpc.internalMeta[rpcName] ??
@@ -1081,8 +1087,8 @@ export function filterInspectorState(
       if (!survivingFuncIds.has(funcId) && !survivingFuncIds.has(rpcName))
         continue
       const funcMeta = (filteredState.functions.meta[funcId] ??
-        filteredState.functions.meta[rpcName]) as { inline?: boolean }
-      if (funcMeta?.inline === false) {
+        filteredState.functions.meta[rpcName]) as { workflowQueued?: boolean }
+      if (funcMeta?.workflowQueued === true) {
         filteredState.serviceAggregation.requiredServices.add('workflowService')
         filteredState.serviceAggregation.requiredServices.add('queueService')
       }

package/src/utils/post-process.ts

@@ -290,10 +290,17 @@ export function aggregateRequiredServices(
       }
     }
 
-    // Per-step queues
+    // Per-step queues — only for steps explicitly marked workflowQueued: true
     for (const node of Object.values(graph.nodes)) {
       if (!('rpcName' in node) || !node.rpcName) continue
       const rpcName = node.rpcName as string
+      const funcId =
+        state.rpc?.internalMeta?.[rpcName] ??
+        state.rpc?.exposedMeta?.[rpcName] ??
+        rpcName
+      const funcMeta = (state.functions.meta[funcId] ??
+        state.functions.meta[rpcName]) as { workflowQueued?: boolean }
+      if (funcMeta?.workflowQueued !== true) continue
       const stepQueueName = `wf-step-${toKebab(rpcName)}`
       if (!state.queueWorkers.meta[stepQueueName]) {
         state.queueWorkers.meta[stepQueueName] = {

package/src/utils/resolve-deploy-target.test.ts

@@ -102,4 +102,34 @@ describe('resolveDeployTarget', () => {
       'server'
     )
   })
+
+  test('defaultTarget: server overrides the serverless default', () => {
+    assert.strictEqual(
+      resolveDeployTarget({}, new Set(), '<unknown>', 'server'),
+      'server'
+    )
+  })
+
+  test('explicit deploy flag wins over defaultTarget', () => {
+    assert.strictEqual(
+      resolveDeployTarget({ deploy: 'serverless' }, new Set(), 'fn', 'server'),
+      'serverless'
+    )
+    assert.strictEqual(
+      resolveDeployTarget({ deploy: 'server' }, new Set(), 'fn', 'serverless'),
+      'server'
+    )
+  })
+
+  test('serverlessIncompatible still forces server regardless of defaultTarget', () => {
+    assert.strictEqual(
+      resolveDeployTarget(
+        { services: { services: ['metaService'] } as any },
+        new Set(['metaService']),
+        'fn',
+        'serverless'
+      ),
+      'server'
+    )
+  })
 })

package/src/utils/resolve-deploy-target.ts

@@ -29,7 +29,8 @@ export class IncompatibleDeployTargetError extends Error {
  *      - throw if the function explicitly declares `deploy: 'serverless'`
  *      - otherwise target is 'server'
  *   2. Explicit `funcMeta.deploy: 'serverless' | 'server'`
- *   3. Default 'serverless'
+ *   3. `defaultTarget` (sourced from `pikku.config.json` →
+ *      `deploy.defaultTarget`, falling back to 'serverless')
  *
  * Used both by the per-unit deploy analyzer (when bucketing functions
  * into deployment units) and by `filterInspectorState` (when
@@ -39,7 +40,8 @@ export class IncompatibleDeployTargetError extends Error {
 export function resolveDeployTarget(
   funcMeta: Pick<FunctionMeta, 'deploy' | 'services'>,
   serverlessIncompatible: Set<string>,
-  functionName = '<unknown>'
+  functionName = '<unknown>',
+  defaultTarget: 'serverless' | 'server' = 'serverless'
 ): 'serverless' | 'server' {
   // Service compatibility wins over the explicit flag — a serverless
   // bundle of a function that needs (e.g.) node:fs would crash at runtime.
@@ -59,5 +61,5 @@ export function resolveDeployTarget(
 
   if (funcMeta.deploy === 'server') return 'server'
   if (funcMeta.deploy === 'serverless') return 'serverless'
-  return 'serverless'
+  return defaultTarget
 }