lakebed 0.0.12 → 0.0.14

package/README.md

@@ -176,7 +176,7 @@ LAKEBED_SESSION_SECRET=...
 LAKEBED_SERVER_ENV_SECRET=...
 ```
 
-Claimed deploys are listed at `/deploys` on the deploy API origin. They keep the same resource limits as anonymous deploys. Anonymous deploys cannot use outbound `fetch` or hosted server env; after a deploy is claimed, `lakebed deploy` can update it with a source-backed server artifact that supports async handlers, server-side fetch, and `.env.lakebed.server` sync. If the first deploy already needs server-side `fetch` or server env, `lakebed deploy` creates a claim-required preview, saves its claim metadata, and prints the claim URL. Open that URL, then run `lakebed deploy` again to publish the real source-backed app. Set `LAKEBED_SERVER_ENV_SECRET` on Postgres-backed runners to encrypt stored server env values.
+Claimed deploys are listed at `/deploys` on the deploy API origin. They keep the same resource limits as anonymous deploys and do not expire. Anonymous deploys cannot use outbound `fetch` or hosted server env; after a deploy is claimed, `lakebed deploy` can update it with a source-backed server artifact that supports async handlers, server-side fetch, and `.env.lakebed.server` sync. If the first deploy already needs server-side `fetch` or server env, `lakebed deploy` creates a claim-required preview, saves its claim metadata, and prints the claim URL. Open that URL, then run `lakebed deploy` again to publish the real source-backed app. Set `LAKEBED_SERVER_ENV_SECRET` on Postgres-backed runners to encrypt stored server env values.
 
 ## Admin Dashboard
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lakebed",
-  "version": "0.0.12",
+  "version": "0.0.14",
   "description": "Agent-native CLI and runtime for building and deploying Lakebed capsules.",
   "license": "UNLICENSED",
   "type": "module",

package/src/anonymous-server.js

@@ -190,11 +190,16 @@ function responseForDeploy({ deploy, token }) {
     expiresAt: deploy.expiresAt,
     inspect: inspectUrls(deploy.url),
     limits: deploy.limits,
+    updatedAt: deploy.updatedAt,
     url: deploy.url
   };
 }
 
 function isExpired(deploy) {
+  if (deploy?.ownerId) {
+    return false;
+  }
+
   return Boolean(deploy.expiresAt) && Date.parse(deploy.expiresAt) <= Date.now();
 }
 
@@ -705,6 +710,7 @@ function adminDeploySummary({ artifact, artifactBytes = 0, deploy, logBytes = 0,
     stateRows,
     status: isExpired(deploy) ? "expired" : deploy.status,
     tableCount: Object.keys(artifact?.server?.schema ?? {}).length,
+    updatedAt: deploy.updatedAt,
     url: deploy.url,
     ...usageCounts(usage)
   };
@@ -1286,6 +1292,7 @@ function adminHtml() {
                   <th>User</th>
                   <th>Status</th>
                   <th>Created</th>
+                  <th>Updated</th>
                   <th>Expires</th>
                   <th>Usage</th>
                   <th>Storage</th>
@@ -1389,6 +1396,7 @@ function adminHtml() {
                     <th>User</th>
                     <th>Status</th>
                     <th>Created</th>
+                    <th>Updated</th>
                     <th>Expires</th>
                     <th>Usage</th>
                     <th>Storage</th>
@@ -1464,6 +1472,10 @@ function adminHtml() {
         }).format(new Date(value));
       }
 
+      function formatExpiry(value) {
+        return value ? formatTime(value) : "never";
+      }
+
       function plural(count, label) {
         return formatNumber(count) + " " + label + (count === 1 ? "" : "s");
       }
@@ -1715,7 +1727,7 @@ function adminHtml() {
         if (!deploys.length) {
           const tr = document.createElement("tr");
           const td = textCell(emptyText, "mono");
-          td.colSpan = 9;
+          td.colSpan = 10;
           tr.appendChild(td);
           tbody.appendChild(tr);
           return;
@@ -1727,7 +1739,8 @@ function adminHtml() {
           tr.appendChild(deployUserCell(deploy));
           tr.appendChild(statusCell(deploy));
           tr.appendChild(textCell(formatTime(deploy.createdAt), "mono"));
-          tr.appendChild(textCell(formatTime(deploy.expiresAt), "mono"));
+          tr.appendChild(textCell(formatTime(deploy.updatedAt), "mono"));
+          tr.appendChild(textCell(formatExpiry(deploy.expiresAt), "mono"));
           tr.appendChild(usageCell(deploy));
           tr.appendChild(storageCell(deploy));
           tr.appendChild(textCell(formatNumber(deploy.connections), "mono"));
@@ -2207,6 +2220,14 @@ function escapeHtml(value) {
     .replace(/"/g, "&quot;");
 }
 
+function formatHtmlTime(value) {
+  return value ? new Date(value).toLocaleString() : "unknown";
+}
+
+function formatHtmlExpiry(value) {
+  return value ? formatHtmlTime(value) : "never";
+}
+
 function developerDeploySummary({ artifact, deploy, usage }) {
   return {
     artifactHash: deploy.artifactHash,
@@ -2221,6 +2242,7 @@ function developerDeploySummary({ artifact, deploy, usage }) {
     ownerId: deploy.ownerId,
     slug: deploy.slug,
     status: isExpired(deploy) ? "expired" : deploy.status,
+    updatedAt: deploy.updatedAt,
     url: deploy.url,
     usage: usageCounts(usage)
   };
@@ -2233,8 +2255,9 @@ function developerHtml({ authConfigured, deploys = [], user }) {
       (deploy) => `<tr>
         <td><a href="${escapeHtml(deploy.url)}" target="_blank" rel="noopener noreferrer">${escapeHtml(deploy.name)}</a><small>${escapeHtml(deploy.deployId)} / ${escapeHtml(deploy.slug)}</small></td>
         <td><span class="pill ${escapeHtml(deploy.status)}">${escapeHtml(deploy.status)}</span></td>
-        <td>${escapeHtml(new Date(deploy.createdAt).toLocaleString())}</td>
-        <td>${escapeHtml(new Date(deploy.expiresAt).toLocaleString())}</td>
+        <td>${escapeHtml(formatHtmlTime(deploy.createdAt))}</td>
+        <td>${escapeHtml(formatHtmlTime(deploy.updatedAt))}</td>
+        <td>${escapeHtml(formatHtmlExpiry(deploy.expiresAt))}</td>
         <td>${escapeHtml(deploy.usage.requestsToday)} / ${escapeHtml(deploy.limits.requestsPerDay)}</td>
         <td>${escapeHtml(deploy.usage.mutationsToday)} / ${escapeHtml(deploy.limits.mutationsPerDay)}</td>
       </tr>`
@@ -2434,6 +2457,7 @@ function developerHtml({ authConfigured, deploys = [], user }) {
                         <th>Deploy</th>
                         <th>Status</th>
                         <th>Created</th>
+                        <th>Updated</th>
                         <th>Expires</th>
                         <th>Requests</th>
                         <th>Mutations</th>
@@ -2622,6 +2646,7 @@ export class MemoryAnonymousStore {
       publicRootUrl,
       slug,
       status: "active",
+      updatedAt: createdAt,
       url
     };
     this.deploys.set(deployId, deploy);
@@ -2648,7 +2673,7 @@ export class MemoryAnonymousStore {
       return null;
     }
 
-    const createdAt = now();
+    const updatedAt = now();
     const ttlSeconds = parseTtlSeconds(requestedTtlSeconds);
     const nextAppBaseDomain = normalizeAppBaseDomain(appBaseDomain ?? currentDeploy.appBaseDomain);
     const nextPublicRootUrl = publicRootUrl ?? currentDeploy.publicRootUrl;
@@ -2657,10 +2682,11 @@ export class MemoryAnonymousStore {
       appBaseDomain: nextAppBaseDomain,
       artifactHash,
       clientBundleHash,
-      expiresAt: new Date(Date.now() + ttlSeconds * 1000).toISOString(),
+      expiresAt: currentDeploy.ownerId ? null : new Date(Date.now() + ttlSeconds * 1000).toISOString(),
       publicRootUrl: nextPublicRootUrl,
       url: appUrlForSlug({ appBaseDomain: nextAppBaseDomain, publicRootUrl: nextPublicRootUrl, slug: currentDeploy.slug }),
-      status: "active"
+      status: "active",
+      updatedAt
     };
 
     this.storeArtifact({
@@ -2668,7 +2694,7 @@ export class MemoryAnonymousStore {
       artifactHash,
       clientBundleBase64,
       clientBundleHash,
-      createdAt
+      createdAt: updatedAt
     });
     this.deploys.set(deployId, deploy);
     if (serverEnv !== undefined) {
@@ -2691,11 +2717,14 @@ export class MemoryAnonymousStore {
       return { deploy: currentDeploy, status: "conflict" };
     }
 
+    const updatedAt = now();
     const deploy = {
       ...currentDeploy,
-      claimedAt: currentDeploy.claimedAt ?? now(),
+      claimedAt: currentDeploy.claimedAt ?? updatedAt,
+      expiresAt: null,
       owner,
-      ownerId: owner.id
+      ownerId: owner.id,
+      updatedAt
     };
     await this.rememberUser(owner);
     this.deploys.set(deployId, deploy);
@@ -2710,7 +2739,8 @@ export class MemoryAnonymousStore {
 
     const deploy = {
       ...currentDeploy,
-      status: "terminated"
+      status: "terminated",
+      updatedAt: now()
     };
     this.deploys.set(deployId, deploy);
     return this.deployWithUserLimitOverrides(deploy);
@@ -2938,7 +2968,8 @@ export class PostgresAnonymousStore {
         artifact_hash text not null,
         client_bundle_hash text not null,
         created_at timestamptz not null,
-        expires_at timestamptz not null,
+        updated_at timestamptz not null,
+        expires_at timestamptz,
         claimed_at timestamptz,
         owner_id text,
         owner_json jsonb,
@@ -2953,6 +2984,11 @@ export class PostgresAnonymousStore {
     await this.query("alter table deploys add column if not exists claimed_at timestamptz");
     await this.query("alter table deploys add column if not exists owner_id text");
     await this.query("alter table deploys add column if not exists owner_json jsonb");
+    await this.query("alter table deploys add column if not exists updated_at timestamptz");
+    await this.query("update deploys set updated_at = created_at where updated_at is null");
+    await this.query("alter table deploys alter column updated_at set not null");
+    await this.query("alter table deploys alter column expires_at drop not null");
+    await this.query("update deploys set expires_at = null where owner_id is not null and expires_at is not null");
     await this.query(`
       create table if not exists artifacts(
         hash text primary key,
@@ -3188,7 +3224,7 @@ export class PostgresAnonymousStore {
         select
           owner_id,
           count(*)::int as deploy_count,
-          count(*) filter (where status = 'active' and expires_at > now())::int as active_deploy_count
+          count(*) filter (where status = 'active')::int as active_deploy_count
         from deploys
         where owner_id is not null
         group by owner_id
@@ -3238,7 +3274,7 @@ export class PostgresAnonymousStore {
         select
           owner_id,
           count(*)::int as deploy_count,
-          count(*) filter (where status = 'active' and expires_at > now())::int as active_deploy_count
+          count(*) filter (where status = 'active')::int as active_deploy_count
         from deploys
         where owner_id is not null
         group by owner_id
@@ -3310,6 +3346,7 @@ export class PostgresAnonymousStore {
         publicRootUrl,
         slug,
         status: "active",
+        updatedAt: createdAt,
         url
       };
 
@@ -3317,10 +3354,10 @@ export class PostgresAnonymousStore {
         await this.query(
           `
           insert into deploys(
-            id, slug, status, artifact_hash, client_bundle_hash, created_at, expires_at,
+            id, slug, status, artifact_hash, client_bundle_hash, created_at, updated_at, expires_at,
             claim_token_hash, limits_json, counters_json, public_root_url, app_base_domain, url
           )
-          values($1, $2, $3, $4, $5, $6, $7, $8, $9::jsonb, '{}'::jsonb, $10, $11, $12)
+          values($1, $2, $3, $4, $5, $6, $7, $8, $9, $10::jsonb, '{}'::jsonb, $11, $12, $13)
           `,
           [
             deploy.id,
@@ -3329,6 +3366,7 @@ export class PostgresAnonymousStore {
             deploy.artifactHash,
             deploy.clientBundleHash,
             deploy.createdAt,
+            deploy.updatedAt,
             deploy.expiresAt,
             deploy.claimTokenHash,
             JSON.stringify(deploy.limits),
@@ -3367,13 +3405,13 @@ export class PostgresAnonymousStore {
       return null;
     }
 
-    const createdAt = now();
+    const updatedAt = now();
     const ttlSeconds = parseTtlSeconds(requestedTtlSeconds);
-    const expiresAt = new Date(Date.now() + ttlSeconds * 1000).toISOString();
+    const expiresAt = currentDeploy.ownerId ? null : new Date(Date.now() + ttlSeconds * 1000).toISOString();
     const nextAppBaseDomain = normalizeAppBaseDomain(appBaseDomain ?? currentDeploy.appBaseDomain);
     const nextPublicRootUrl = publicRootUrl ?? currentDeploy.publicRootUrl;
     const url = appUrlForSlug({ appBaseDomain: nextAppBaseDomain, publicRootUrl: nextPublicRootUrl, slug: currentDeploy.slug });
-    await this.storeArtifact({ artifact, artifactHash, clientBundleBase64, clientBundleHash, createdAt });
+    await this.storeArtifact({ artifact, artifactHash, clientBundleBase64, clientBundleHash, createdAt: updatedAt });
 
     const result = await this.query(
       `
@@ -3384,14 +3422,15 @@ export class PostgresAnonymousStore {
         expires_at = $4,
         public_root_url = $5,
         app_base_domain = $6,
-        url = $7
+        url = $7,
+        updated_at = $8
       where id = $1
       returning *
       `,
-      [deployId, artifactHash, clientBundleHash, expiresAt, nextPublicRootUrl, nextAppBaseDomain || null, url]
+      [deployId, artifactHash, clientBundleHash, expiresAt, nextPublicRootUrl, nextAppBaseDomain || null, url, updatedAt]
     );
     if (serverEnv !== undefined) {
-      await this.replaceServerEnv(deployId, serverEnv, createdAt);
+      await this.replaceServerEnv(deployId, serverEnv, updatedAt);
     }
     return this.deployWithUserLimitOverrides(this.rowToDeploy(result.rows[0]));
   }
@@ -3410,17 +3449,20 @@ export class PostgresAnonymousStore {
       return { deploy: currentDeploy, status: "conflict" };
     }
 
-    const claimedAt = currentDeploy.claimedAt ?? now();
+    const updatedAt = now();
+    const claimedAt = currentDeploy.claimedAt ?? updatedAt;
     const result = await this.query(
       `
       update deploys
       set claimed_at = coalesce(claimed_at, $3),
         owner_id = $2,
-        owner_json = $4::jsonb
+        owner_json = $4::jsonb,
+        expires_at = null,
+        updated_at = $5
       where id = $1
       returning *
       `,
-      [deployId, owner.id, claimedAt, JSON.stringify(owner)]
+      [deployId, owner.id, claimedAt, JSON.stringify(owner), updatedAt]
     );
     await this.rememberUser(owner);
     return {
@@ -3430,14 +3472,16 @@ export class PostgresAnonymousStore {
   }
 
   async terminateDeploy(deployId) {
+    const updatedAt = now();
     const result = await this.query(
       `
       update deploys
-      set status = 'terminated'
+      set status = 'terminated',
+        updated_at = $2
       where id = $1
       returning *
       `,
-      [deployId]
+      [deployId, updatedAt]
     );
     return this.deployWithUserLimitOverrides(this.rowToDeploy(result.rows[0]));
   }
@@ -3454,7 +3498,7 @@ export class PostgresAnonymousStore {
       claimTokenHash: row.claim_token_hash,
       clientBundleHash: row.client_bundle_hash,
       createdAt: new Date(row.created_at).toISOString(),
-      expiresAt: new Date(row.expires_at).toISOString(),
+      expiresAt: row.expires_at ? new Date(row.expires_at).toISOString() : null,
       id: row.id,
       limits: row.limits_json,
       owner: row.owner_json ?? null,
@@ -3462,6 +3506,7 @@ export class PostgresAnonymousStore {
       publicRootUrl: row.public_root_url,
       slug: row.slug,
       status: row.status,
+      updatedAt: new Date(row.updated_at).toISOString(),
       url: row.url
     };
   }
@@ -3804,9 +3849,11 @@ async function serveInspect({ artifact, deploy, route, store, systemPath }, res)
       expiresAt: deploy.expiresAt,
       limits: deploy.limits,
       mutations: Object.keys(artifact.server.mutations ?? {}),
+      name: artifact.name ?? "Lakebed Capsule",
       queries: Object.keys(artifact.server.queries ?? {}),
       schema: artifact.server.schema,
       slug: deploy.slug,
+      updatedAt: deploy.updatedAt,
       url: deploy.url
     });
     return true;

package/src/cli.js

@@ -4,6 +4,7 @@ import { createServer } from "node:http";
 import { existsSync, realpathSync } from "node:fs";
 import { mkdir, readdir, readFile, rm, stat, writeFile } from "node:fs/promises";
 import { basename, dirname, isAbsolute, join, relative, resolve, sep } from "node:path";
+import { clearLine, cursorTo } from "node:readline";
 import { createInterface } from "node:readline/promises";
 import { promisify } from "node:util";
 import { fileURLToPath, pathToFileURL } from "node:url";
@@ -105,6 +106,89 @@ function hasFlag(args, name) {
   return args.includes(name);
 }
 
+function formatDevUpdateAge(updatedAt, now = new Date()) {
+  const elapsedSeconds = Math.max(0, Math.floor((now.getTime() - updatedAt.getTime()) / 1000));
+  if (elapsedSeconds < 30) {
+    return `${elapsedSeconds} ${elapsedSeconds === 1 ? "second" : "seconds"} ago`;
+  }
+
+  if (elapsedSeconds < 60) {
+    return "under 1 minute ago";
+  }
+
+  const elapsedMinutes = Math.floor(elapsedSeconds / 60);
+  return `${elapsedMinutes} ${elapsedMinutes === 1 ? "minute" : "minutes"} ago`;
+}
+
+function formatOptionalTimestamp(value, fallback = "never") {
+  return value || fallback;
+}
+
+function devUpdateRefreshDelay(updatedAt, now = new Date()) {
+  const elapsedSeconds = Math.max(0, Math.floor((now.getTime() - updatedAt.getTime()) / 1000));
+  return elapsedSeconds < 30 ? 1_000 : 30_000;
+}
+
+function createDevStatusWriter({ quiet = false } = {}) {
+  let wroteStatusLine = false;
+  let lastUpdatedAt = null;
+  let refreshTimer = null;
+
+  function clearRefreshTimer() {
+    if (refreshTimer) {
+      clearTimeout(refreshTimer);
+      refreshTimer = null;
+    }
+  }
+
+  function render() {
+    if (quiet || !process.stdout.isTTY || !lastUpdatedAt) {
+      return;
+    }
+
+    const message = `Live updated with your changes ${formatDevUpdateAge(lastUpdatedAt)}`;
+    clearLine(process.stdout, 0);
+    cursorTo(process.stdout, 0);
+    process.stdout.write(message);
+    wroteStatusLine = true;
+  }
+
+  function scheduleRefresh() {
+    clearRefreshTimer();
+    if (quiet || !process.stdout.isTTY || !lastUpdatedAt) {
+      return;
+    }
+
+    refreshTimer = setTimeout(() => {
+      refreshTimer = null;
+      render();
+      scheduleRefresh();
+    }, devUpdateRefreshDelay(lastUpdatedAt));
+  }
+
+  return {
+    close() {
+      clearRefreshTimer();
+      this.finish();
+    },
+    finish() {
+      if (wroteStatusLine && process.stdout.isTTY) {
+        process.stdout.write("\n");
+      }
+      wroteStatusLine = false;
+    },
+    update(date = new Date()) {
+      if (quiet || !process.stdout.isTTY) {
+        return;
+      }
+
+      lastUpdatedAt = date;
+      render();
+      scheduleRefresh();
+    }
+  };
+}
+
 function resolveCapsuleDir(value) {
   if (!value) {
     return root;
@@ -446,7 +530,8 @@ export async function startDevServer({
   let currentBuild = await buildCapsule({ capsuleDir: resolvedCapsuleDir, sourceStore, capsuleId });
   const defaultAuth = await readAuth();
   const stateCell = new StateCell(currentBuild.app.schema);
-  const logs = new LogBuffer();
+  const devStatus = createDevStatusWriter({ quiet });
+  const logs = new LogBuffer({ beforeConsoleWrite: () => devStatus.finish() });
   const subscriptions = new Map();
   let fileFingerprint = sourceStore ? "" : await capsuleFileFingerprint(resolvedCapsuleDir);
   let rebuildTimer = null;
@@ -457,7 +542,7 @@ export async function startDevServer({
       const nextBuild = await buildCapsule({ capsuleDir: resolvedCapsuleDir, sourceStore, capsuleId });
       currentBuild = nextBuild;
       stateCell.updateSchema(nextBuild.app.schema);
-      logs.append("info", "dev server rebuilt capsule", { capsuleDir: resolvedCapsuleDir });
+      devStatus.update();
       for (const client of wss.clients) {
         sendJson(client, { op: "refresh" });
       }
@@ -675,6 +760,7 @@ export async function startDevServer({
         clearTimeout(rebuildTimer);
       }
       await rebuildPromise.catch(() => {});
+      devStatus.close();
       for (const client of wss.clients) {
         client.close();
       }
@@ -1044,7 +1130,8 @@ async function deployCommand(args) {
     console.log(`${mode === "updated" ? "Updated" : "Created"} anonymous preview.\n`);
   }
   console.log(`App:        ${deployed.url}`);
-  console.log(`Expires:    ${deployed.expiresAt}`);
+  console.log(`Updated:    ${formatOptionalTimestamp(deployed.updatedAt, "unknown")}`);
+  console.log(`Expires:    ${formatOptionalTimestamp(deployed.expiresAt)}`);
   if (deployed.claimUrl) {
     console.log(`Claim:      ${deployed.claimUrl}`);
   }
@@ -1163,7 +1250,8 @@ async function inspectCommand(args) {
 
   console.log(`Deploy:   ${manifest.deployId}`);
   console.log(`URL:      ${manifest.url}`);
-  console.log(`Expires:  ${manifest.expiresAt}`);
+  console.log(`Updated:  ${formatOptionalTimestamp(manifest.updatedAt, "unknown")}`);
+  console.log(`Expires:  ${formatOptionalTimestamp(manifest.expiresAt)}`);
   console.log(`Artifact: ${manifest.artifactHash}`);
   console.log(`Queries:  ${manifest.queries.join(", ") || "(none)"}`);
   console.log(`Mutations: ${manifest.mutations.join(", ") || "(none)"}`);
@@ -1301,6 +1389,8 @@ function todoTemplate(name) {
 import { cleanTodoText } from "../shared/todo";
 
 export default capsule({
+  name: ${JSON.stringify(title)},
+
   schema: {
     todos: table({
       text: string(),

package/src/client.js

@@ -6,6 +6,7 @@ const AUTH_STORAGE_KEY = "lakebed_identity";
 const LEGACY_SHOO_STORAGE_KEY = "shoo_identity";
 const PKCE_STORAGE_KEY = "lakebed_google_pkce";
 const RETURN_TO_STORAGE_KEY = "lakebed_google_return_to";
+const AUTH_RESUME_STORAGE_KEY = "lakebed_google_resume_attempt";
 const PKCE_MAX_AGE_MS = 10 * 60 * 1000;
 const encoder = new TextEncoder();
 
@@ -19,6 +20,7 @@ const pending = new Map();
 const activeSubscriptions = new Set();
 let authInitPromise = null;
 let authInitialized = false;
+let authResumeStarted = false;
 let refreshRequested = false;
 
 function toGuestName(name) {
@@ -67,6 +69,18 @@ function browserStorage() {
   }
 }
 
+function browserSessionStorage() {
+  if (typeof window === "undefined") {
+    return null;
+  }
+
+  try {
+    return window.sessionStorage;
+  } catch {
+    return null;
+  }
+}
+
 function currentGuestName() {
   if (typeof window === "undefined") {
     return "local";
@@ -236,7 +250,11 @@ export function decodeIdentityClaims(idToken) {
   return parseJson(decodeBase64Url(parts[1]));
 }
 
-function readStoredIdentity() {
+function isExpiredClaims(claims) {
+  return typeof claims?.exp === "number" && claims.exp * 1000 <= Date.now();
+}
+
+function readStoredIdentity({ allowExpired = false } = {}) {
   const storage = browserStorage();
   if (!storage) {
     return { userId: null };
@@ -260,12 +278,13 @@ function readStoredIdentity() {
 
   const token = typeof parsed.token === "string" ? parsed.token : undefined;
   const claims = decodeIdentityClaims(token);
-  if (typeof claims?.exp === "number" && claims.exp * 1000 <= Date.now()) {
-    clearStoredIdentity();
-    return { userId: null };
+  const expired = isExpiredClaims(claims);
+  if (expired && !allowExpired) {
+    return { expired, userId: null };
   }
 
   return {
+    expired,
     token,
     userId: typeof parsed.userId === "string" ? parsed.userId : (typeof parsed.pairwiseSub === "string" ? parsed.pairwiseSub : null)
   };
@@ -306,6 +325,19 @@ function clearStoredIdentity() {
   }
 }
 
+function clearAuthResumeAttempt() {
+  const storage = browserSessionStorage();
+  if (!storage) {
+    return;
+  }
+
+  try {
+    storage.removeItem(AUTH_RESUME_STORAGE_KEY);
+  } catch {
+    // Ignore storage failures; resume attempts are best effort.
+  }
+}
+
 function storedAuthToken() {
   return readStoredIdentity().token ?? "";
 }
@@ -431,6 +463,7 @@ async function handleGoogleCallback() {
     throw new Error("Google sign-in token response was missing identity claims.");
   }
   persistIdentity(token.pairwise_sub, token.id_token, token.expires_in);
+  clearAuthResumeAttempt();
   window.sessionStorage.removeItem(PKCE_STORAGE_KEY);
 
   const localAuth = createGoogleAuthFromToken(token.id_token);
@@ -445,11 +478,78 @@ async function handleGoogleCallback() {
   return token;
 }
 
+function authResumeAttemptKey(identity) {
+  const claims = decodeIdentityClaims(identity.token);
+  return [identity.userId, claims?.jti, claims?.exp].filter(Boolean).join(":") || identity.token;
+}
+
+function beginStoredGoogleSessionResume() {
+  if (typeof window === "undefined" || authResumeStarted) {
+    return false;
+  }
+
+  if (parseCallback()) {
+    return false;
+  }
+
+  const search = new URLSearchParams(window.location.search);
+  if (search.has("error") || window.location.pathname === callbackPath()) {
+    return false;
+  }
+
+  if (search.has("lakebed_guest") || search.has("guest")) {
+    return false;
+  }
+
+  const identity = readStoredIdentity({ allowExpired: true });
+  if (!identity.token || !identity.expired) {
+    return false;
+  }
+
+  const claims = decodeIdentityClaims(identity.token);
+  if (!claims?.pairwise_sub && !claims?.sub) {
+    clearStoredIdentity();
+    return false;
+  }
+
+  const storage = browserSessionStorage();
+  const attemptKey = authResumeAttemptKey(identity);
+  try {
+    if (storage?.getItem(AUTH_RESUME_STORAGE_KEY) === attemptKey) {
+      return false;
+    }
+    storage?.setItem(AUTH_RESUME_STORAGE_KEY, attemptKey);
+  } catch {
+    // Without sessionStorage, the page navigation below is still safe.
+  }
+
+  authResumeStarted = true;
+  auth = withAuthLoading(createGuestAuth(currentGuestName()), true);
+  emitAuth();
+
+  void signInWithGoogle({ returnTo: currentRoute() }).catch((error) => {
+    console.error("[lakebed] Google session resume failed", error);
+    authResumeStarted = false;
+    clearStoredIdentity();
+    clearAuthResumeAttempt();
+    auth = withAuthLoading(createGuestAuth(currentGuestName()), false);
+    emitAuth();
+    reconnect();
+  });
+
+  return true;
+}
+
 function ensureAuthInitialized() {
   if (authInitialized) {
     return Promise.resolve();
   }
 
+  if (beginStoredGoogleSessionResume()) {
+    authInitialized = true;
+    return Promise.resolve();
+  }
+
   authInitPromise ??= handleGoogleCallback()
     .catch((error) => {
       console.error("[lakebed] Google sign-in failed", error);
@@ -501,6 +601,9 @@ function connect() {
     const message = JSON.parse(String(event.data));
 
     if (message.op === "auth.result") {
+      if (authResumeStarted) {
+        return;
+      }
       auth = withAuthLoading(message.auth, false);
       emitAuth();
       return;
@@ -592,6 +695,7 @@ export async function signInWithGoogle(options = {}) {
 
 export function signOut() {
   clearStoredIdentity();
+  clearAuthResumeAttempt();
   auth = withAuthLoading(createGuestAuth(currentGuestName()), true);
   emitAuth();
   reconnect();

package/src/runtime.js

@@ -243,8 +243,9 @@ export class StateCell {
 }
 
 export class LogBuffer {
-  constructor() {
+  constructor({ beforeConsoleWrite } = {}) {
     this.entries = [];
+    this.beforeConsoleWrite = beforeConsoleWrite;
   }
 
   append(level, message, data) {
@@ -255,6 +256,7 @@ export class LogBuffer {
       at: now()
     };
     this.entries.push(entry);
+    this.beforeConsoleWrite?.();
     console[level === "error" ? "error" : level === "warn" ? "warn" : "log"](`[lakebed:${level}] ${message}`, data ?? "");
   }
 

package/src/version.js

@@ -1 +1 @@
-export const LAKEBED_VERSION = "0.0.12";
+export const LAKEBED_VERSION = "0.0.14";