lakebed 0.0.14 → 0.0.16

package/src/anonymous-server.js

@@ -1,5 +1,7 @@
 import { createCipheriv, createDecipheriv, createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";
 import { createServer } from "node:http";
+import { isIP } from "node:net";
+import { domainToASCII } from "node:url";
 import {
   createClaimToken,
   createDeployId,
@@ -19,6 +21,11 @@ function now() {
   return new Date().toISOString();
 }
 
+function anonymousDeployExpiresAt() {
+  const ttlSeconds = parseTtlSeconds();
+  return new Date(Date.now() + ttlSeconds * 1000).toISOString();
+}
+
 function dayWindowStart() {
   return `${new Date().toISOString().slice(0, 10)}T00:00:00.000Z`;
 }
@@ -160,6 +167,106 @@ function normalizeAppBaseDomain(value) {
     .toLowerCase();
 }
 
+const reservedLakebedSubdomainLabels = new Set([
+  "admin",
+  "api",
+  "app",
+  "assets",
+  "auth",
+  "billing",
+  "cdn",
+  "cname",
+  "console",
+  "dashboard",
+  "docs",
+  "ftp",
+  "imap",
+  "login",
+  "mail",
+  "ns1",
+  "ns2",
+  "origin",
+  "pop",
+  "proxy-fallback",
+  "smtp",
+  "static",
+  "status",
+  "support",
+  "www"
+]);
+
+function normalizeHostname(value) {
+  const trimmed = String(value ?? "")
+    .trim()
+    .replace(/\.$/, "")
+    .toLowerCase();
+  if (!trimmed) {
+    return "";
+  }
+
+  return domainToASCII(trimmed).toLowerCase();
+}
+
+function hostnameFromHost(host) {
+  const value = String(host ?? "").trim();
+  if (value.startsWith("[")) {
+    const end = value.indexOf("]");
+    return normalizeHostname(end === -1 ? value : value.slice(1, end));
+  }
+
+  return normalizeHostname(value.split(":")[0]);
+}
+
+function validateLakebedSubdomainLabel(label) {
+  if (!/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/.test(label)) {
+    throw new Error("Lakebed subdomains must use one DNS label with letters, numbers, or hyphens.");
+  }
+
+  if (reservedLakebedSubdomainLabels.has(label)) {
+    throw new Error(`The subdomain ${label} is reserved for Lakebed.`);
+  }
+}
+
+function normalizeLakebedSubdomainInput(value, appBaseDomain) {
+  const baseDomain = normalizeHostname(appBaseDomain);
+  if (!baseDomain) {
+    throw new Error("Lakebed app subdomains are not configured on this runner.");
+  }
+
+  const raw = String(value ?? "").trim();
+  if (!raw) {
+    throw new Error("Subdomain is required.");
+  }
+
+  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(raw) || raw.includes("/") || raw.includes("\\") || raw.includes(":")) {
+    throw new Error("Enter a subdomain like my-app.lakebed.app, without a scheme, port, or path.");
+  }
+
+  const hostname = normalizeHostname(raw);
+  if (!hostname) {
+    throw new Error("Subdomain is not a valid hostname.");
+  }
+
+  const suffix = `.${baseDomain}`;
+  let label;
+  if (hostname.endsWith(suffix)) {
+    label = hostname.slice(0, -suffix.length);
+    if (!label || label.includes(".")) {
+      throw new Error(`Lakebed subdomains must be exactly one label under ${baseDomain}.`);
+    }
+  } else if (!hostname.includes(".")) {
+    label = hostname;
+  } else {
+    throw new Error(`Lakebed subdomains must end with ${baseDomain}.`);
+  }
+
+  validateLakebedSubdomainLabel(label);
+  return {
+    hostname: `${label}.${baseDomain}`,
+    label
+  };
+}
+
 function appUrlForSlug({ appBaseDomain, publicRootUrl, slug }) {
   if (appBaseDomain) {
     return `https://${slug}.${appBaseDomain}`;
@@ -195,6 +302,19 @@ function responseForDeploy({ deploy, token }) {
   };
 }
 
+function responseForDeployDomain(domain) {
+  return {
+    createdAt: domain.createdAt,
+    deployId: domain.deployId,
+    hostname: domain.hostname,
+    kind: domain.kind,
+    primary: Boolean(domain.isPrimary),
+    status: domain.status,
+    updatedAt: domain.updatedAt,
+    url: domain.url
+  };
+}
+
 function isExpired(deploy) {
   if (deploy?.ownerId) {
     return false;
@@ -235,14 +355,14 @@ function parseHostDeploy({ appBaseDomain, host, url }) {
     return null;
   }
 
-  const hostname = host.split(":")[0].toLowerCase();
+  const hostname = hostnameFromHost(host);
   const suffix = `.${appBaseDomain.toLowerCase()}`;
   if (!hostname.endsWith(suffix)) {
     return null;
   }
 
   const slug = hostname.slice(0, -suffix.length);
-  if (!slug || slug === "www") {
+  if (!slug || slug.includes(".") || reservedLakebedSubdomainLabels.has(slug)) {
     return null;
   }
 
@@ -261,6 +381,138 @@ function quotaLimitForBucket(bucket, deploy) {
   return deploy.limits.requestsPerDay;
 }
 
+function clientTrafficQuotaBucket(bucket) {
+  return bucket === "mutations" ? "anonymous_client_mutations" : "anonymous_client_requests";
+}
+
+function clientTrafficQuotaSuggestion(bucket) {
+  return bucket === "mutations"
+    ? "Retry after reset or reduce mutation frequency from this client."
+    : "Retry after reset or reduce request frequency from this client.";
+}
+
+function anonymousDeployCreationPolicy({ env = process.env, publicRootUrl }) {
+  const production = !isLocalPublicRootUrl(publicRootUrl);
+  const disabled =
+    booleanFromEnv(env.LAKEBED_ANONYMOUS_DEPLOY_CREATE_DISABLED) ||
+    booleanFromEnv(env.LAKEBED_ANONYMOUS_DEPLOYS_DISABLED);
+  const defaultPerClient = production ? 50 : Number.POSITIVE_INFINITY;
+  const defaultGlobal = production ? 5000 : Number.POSITIVE_INFINITY;
+  return {
+    disabled,
+    globalLimit: positiveIntegerLimitFromEnv(env.LAKEBED_ANONYMOUS_DEPLOY_CREATE_GLOBAL_PER_DAY, defaultGlobal),
+    perClientLimit: positiveIntegerLimitFromEnv(env.LAKEBED_ANONYMOUS_DEPLOY_CREATE_PER_CLIENT_PER_DAY, defaultPerClient),
+    production
+  };
+}
+
+function anonymousClientTrafficPolicy({ env = process.env, publicRootUrl }) {
+  const production = !isLocalPublicRootUrl(publicRootUrl);
+  return {
+    mutationsPerClientLimit: positiveIntegerLimitFromEnv(
+      env.LAKEBED_ANONYMOUS_MUTATIONS_PER_CLIENT_PER_DAY,
+      production ? 10000 : Number.POSITIVE_INFINITY
+    ),
+    requestsPerClientLimit: positiveIntegerLimitFromEnv(
+      env.LAKEBED_ANONYMOUS_REQUESTS_PER_CLIENT_PER_DAY,
+      production ? 100000 : Number.POSITIVE_INFINITY
+    )
+  };
+}
+
+function cleanupPolicyFromEnv(env = process.env) {
+  return {
+    graceSeconds: durationSecondsFromEnv(env.LAKEBED_ANONYMOUS_CLEANUP_GRACE, 60 * 60, { min: 0 }),
+    intervalSeconds: durationSecondsFromEnv(env.LAKEBED_ANONYMOUS_CLEANUP_INTERVAL, 60 * 60, { min: 60 }),
+    retentionSeconds: durationSecondsFromEnv(env.LAKEBED_ANONYMOUS_CLEANUP_RETENTION, 7 * 24 * 60 * 60, { min: 0 })
+  };
+}
+
+function normalizePeerAddress(value) {
+  let address = String(value ?? "").trim();
+  if (!address) {
+    return "unknown";
+  }
+  if (address.startsWith("::ffff:")) {
+    address = address.slice("::ffff:".length);
+  }
+  if (address.startsWith("[") && address.includes("]")) {
+    address = address.slice(1, address.indexOf("]"));
+  }
+  if (/^\d+\.\d+\.\d+\.\d+:\d+$/.test(address)) {
+    address = address.slice(0, address.lastIndexOf(":"));
+  }
+  return address;
+}
+
+function ipv4ToNumber(address) {
+  const parts = address.split(".").map((part) => Number(part));
+  if (parts.length !== 4 || parts.some((part) => !Number.isInteger(part) || part < 0 || part > 255)) {
+    return null;
+  }
+  return parts.reduce((acc, part) => (acc << 8) + part, 0) >>> 0;
+}
+
+function ipv4InCidr(address, cidr) {
+  const [base, rawBits] = cidr.split("/");
+  const bits = Number(rawBits);
+  const value = ipv4ToNumber(address);
+  const baseValue = ipv4ToNumber(base);
+  if (value === null || baseValue === null || !Number.isInteger(bits) || bits < 0 || bits > 32) {
+    return false;
+  }
+
+  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
+  return (value & mask) === (baseValue & mask);
+}
+
+function hasRailwayRuntimeEnv(env = process.env) {
+  return Boolean(env.RAILWAY_SERVICE_ID || env.RAILWAY_PROJECT_ID || env.RAILWAY_DEPLOYMENT_ID || env.RAILWAY_REPLICA_ID);
+}
+
+function isRailwayProxyPeer(req, env = process.env) {
+  const edge = String(req.headers["x-railway-edge"] ?? "");
+  if (!hasRailwayRuntimeEnv(env) || !/^railway\/[a-z0-9][a-z0-9-]*$/i.test(edge)) {
+    return false;
+  }
+
+  // Railway's proxy guidance treats 100.0.0.0/8 as the trusted internal proxy range.
+  const address = normalizePeerAddress(req.socket.remoteAddress);
+  return isIP(address) === 4 && ipv4InCidr(address, "100.0.0.0/8");
+}
+
+function shouldTrustProxyHeaders(req, env = process.env) {
+  if (booleanFromEnv(env.LAKEBED_TRUST_PROXY_HEADERS)) {
+    return true;
+  }
+
+  return isRailwayProxyPeer(req, env);
+}
+
+function firstHeaderValue(req, names) {
+  for (const name of names) {
+    const raw = req.headers[name];
+    const candidate = String(Array.isArray(raw) ? raw[0] : (raw ?? ""))
+      .split(",")[0]
+      .trim();
+    if (candidate) {
+      return normalizePeerAddress(candidate).slice(0, 256);
+    }
+  }
+  return "";
+}
+
+function forwardedClientKey(req, env = process.env) {
+  if (shouldTrustProxyHeaders(req, env)) {
+    const forwarded = firstHeaderValue(req, ["x-real-ip", "cf-connecting-ip", "fly-client-ip", "x-forwarded-for"]);
+    if (forwarded) {
+      return forwarded;
+    }
+  }
+
+  return normalizePeerAddress(req.socket.remoteAddress).slice(0, 256);
+}
+
 const USER_LIMIT_OVERRIDE_KEYS = ["requestsPerDay", "mutationsPerDay"];
 const USER_BOOST_MULTIPLIER = 20;
 
@@ -660,6 +912,193 @@ function bytesOfJson(value) {
   return Buffer.byteLength(JSON.stringify(value ?? null), "utf8");
 }
 
+function durationSecondsFromEnv(value, fallback, { min = 0, max = Number.MAX_SAFE_INTEGER } = {}) {
+  if (value === undefined || value === null || value === "") {
+    return fallback;
+  }
+
+  const match = String(value).trim().match(/^(\d+)([smhd])?$/);
+  if (!match) {
+    throw new Error(`Invalid duration: ${value}. Use a value like 15m, 1h, 7d, or 604800.`);
+  }
+
+  const multipliers = { d: 86400, h: 3600, m: 60, s: 1 };
+  const seconds = Number(match[1]) * multipliers[match[2] ?? "s"];
+  return Math.max(min, Math.min(max, seconds));
+}
+
+function positiveIntegerLimitFromEnv(value, fallback) {
+  if (value === undefined || value === null || value === "") {
+    return fallback;
+  }
+
+  const parsed = Number(value);
+  if (!Number.isSafeInteger(parsed) || parsed < 0) {
+    throw new Error(`Invalid limit: ${value}. Use a non-negative integer.`);
+  }
+  return parsed;
+}
+
+function isLocalPublicRootUrl(publicRootUrl) {
+  try {
+    const hostname = new URL(publicRootUrl).hostname.toLowerCase();
+    return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1" || hostname.endsWith(".localhost");
+  } catch {
+    return true;
+  }
+}
+
+function booleanFromEnv(value) {
+  return ["1", "true", "yes", "on"].includes(String(value ?? "").trim().toLowerCase());
+}
+
+function quotaResetAt(windowStart) {
+  return new Date(Date.parse(windowStart) + 24 * 60 * 60 * 1000).toISOString();
+}
+
+function quotaRetryAfterSeconds(windowStart) {
+  return Math.max(1, Math.ceil((Date.parse(quotaResetAt(windowStart)) - Date.now()) / 1000));
+}
+
+export class LakebedQuotaError extends Error {
+  constructor({ bucket, count, limit, resetAt, retryAfterSeconds, status = 429, suggestion }) {
+    super(`${bucket} quota exceeded. Limit: ${limit}.`);
+    this.name = "LakebedQuotaError";
+    this.bucket = bucket;
+    this.code = "lakebed_quota_exceeded";
+    this.count = count;
+    this.limit = limit;
+    this.resetAt = resetAt ?? null;
+    this.retryAfterSeconds = retryAfterSeconds ?? null;
+    this.status = status;
+    this.suggestion = suggestion;
+  }
+}
+
+function isQuotaError(error) {
+  return error instanceof LakebedQuotaError || error?.code === "lakebed_quota_exceeded";
+}
+
+function quotaErrorBody(error, extra = {}) {
+  return {
+    bucket: error.bucket,
+    code: error.code ?? "lakebed_quota_exceeded",
+    current: error.count,
+    error: error.message,
+    limit: error.limit,
+    resetAt: error.resetAt ?? null,
+    retryAfterSeconds: error.retryAfterSeconds ?? null,
+    suggestion: error.suggestion,
+    ...extra
+  };
+}
+
+function quotaErrorHeaders(error) {
+  const headers = {};
+  if (Number.isFinite(error.retryAfterSeconds)) {
+    headers["Retry-After"] = String(error.retryAfterSeconds);
+  }
+  if (Number.isFinite(error.limit)) {
+    headers["X-RateLimit-Limit"] = String(error.limit);
+  }
+  if (Number.isFinite(error.count) && Number.isFinite(error.limit)) {
+    headers["X-RateLimit-Remaining"] = String(Math.max(0, error.limit - error.count));
+  }
+  if (error.resetAt) {
+    headers["X-RateLimit-Reset"] = error.resetAt;
+  }
+  return headers;
+}
+
+function stateRowsLimitFromTransactionOptions(options = {}) {
+  const explicit = options.stateRowsLimit;
+  if (Number.isSafeInteger(explicit) && explicit > 0) {
+    return explicit;
+  }
+  const stateBytes = options.stateBytesLimit ?? DEFAULT_ANONYMOUS_LIMITS.stateBytes;
+  return Math.max(1, Math.floor(stateBytes / 64));
+}
+
+function assertStateResourceLimits({ stateBytes, stateRows }, options = {}) {
+  const stateBytesLimit = options.stateBytesLimit ?? DEFAULT_ANONYMOUS_LIMITS.stateBytes;
+  const stateRowsLimit = stateRowsLimitFromTransactionOptions(options);
+  if (Number.isFinite(stateRowsLimit) && stateRows > stateRowsLimit) {
+    throw new LakebedQuotaError({
+      bucket: "state_rows",
+      count: stateRows,
+      limit: stateRowsLimit,
+      suggestion: "Delete rows or claim the deploy before retrying this mutation."
+    });
+  }
+  if (Number.isFinite(stateBytesLimit) && stateBytes > stateBytesLimit) {
+    throw new LakebedQuotaError({
+      bucket: "state_bytes",
+      count: stateBytes,
+      limit: stateBytesLimit,
+      suggestion: "Reduce stored values, delete rows, or claim the deploy before retrying this mutation."
+    });
+  }
+}
+
+function safeJsonValue(value) {
+  if (value === undefined) {
+    return null;
+  }
+
+  try {
+    JSON.stringify(value);
+    return value;
+  } catch {
+    return String(value);
+  }
+}
+
+function truncateUtf8(value, maxBytes) {
+  const text = String(value ?? "");
+  if (Buffer.byteLength(text, "utf8") <= maxBytes) {
+    return text;
+  }
+
+  let end = text.length;
+  while (end > 0 && Buffer.byteLength(text.slice(0, end), "utf8") > maxBytes) {
+    end -= 1;
+  }
+  return text.slice(0, end);
+}
+
+function normalizeLogEntry(level, message, data, limits = DEFAULT_ANONYMOUS_LIMITS) {
+  const maxEntryBytes = limits.logEntryBytes ?? DEFAULT_ANONYMOUS_LIMITS.logEntryBytes;
+  const maxMessageBytes = Math.max(128, Math.min(maxEntryBytes, Math.floor(maxEntryBytes / 2)));
+  const originalMessageBytes = Buffer.byteLength(String(message ?? ""), "utf8");
+  const cleanMessage =
+    originalMessageBytes > maxMessageBytes
+      ? `${truncateUtf8(message, Math.max(0, maxMessageBytes - 18))}...[truncated]`
+      : String(message ?? "");
+  let cleanData = safeJsonValue(data);
+  let entry = { at: now(), data: cleanData, level, message: cleanMessage };
+
+  if (bytesOfJson(entry) > maxEntryBytes) {
+    const dataText = JSON.stringify(cleanData ?? null);
+    cleanData = {
+      preview: truncateUtf8(dataText, Math.max(0, maxEntryBytes - bytesOfJson({ at: entry.at, data: null, level, message: cleanMessage }) - 128)),
+      truncated: true,
+      originalBytes: Buffer.byteLength(dataText, "utf8")
+    };
+    entry = { ...entry, data: cleanData };
+  }
+
+  if (bytesOfJson(entry) > maxEntryBytes) {
+    entry = {
+      at: entry.at,
+      data: { truncated: true },
+      level,
+      message: truncateUtf8(cleanMessage, Math.max(64, maxEntryBytes - 96))
+    };
+  }
+
+  return entry;
+}
+
 function usageCounts(usage) {
   const windowStart = dayWindowStart();
   const counts = {
@@ -891,7 +1330,7 @@ function adminHtml() {
       .metrics {
         display: grid;
         gap: 8px;
-        grid-template-columns: repeat(6, minmax(120px, 1fr));
+        grid-template-columns: repeat(8, minmax(120px, 1fr));
         margin-bottom: 14px;
       }
 
@@ -1273,8 +1712,10 @@ function adminHtml() {
           <div class="metric"><span>artifact bytes</span><strong id="metric-artifacts">0 B</strong></div>
           <div class="metric"><span>state bytes</span><strong id="metric-state">0 B</strong></div>
           <div class="metric"><span>state rows</span><strong id="metric-rows">0</strong></div>
+          <div class="metric"><span>log bytes</span><strong id="metric-logs">0 B</strong></div>
           <div class="metric"><span>requests today</span><strong id="metric-requests">0</strong></div>
           <div class="metric"><span>mutations today</span><strong id="metric-mutations">0</strong></div>
+          <div class="metric"><span>cleaned deploys</span><strong id="metric-cleanup">0</strong></div>
         </section>
 
         <section class="panel" id="deployments-view">
@@ -1875,8 +2316,10 @@ function adminHtml() {
         setMetric("metric-artifacts", formatBytes(summary.totals.artifactBytes));
         setMetric("metric-state", formatBytes(summary.totals.stateBytes));
         setMetric("metric-rows", formatNumber(summary.totals.stateRows));
+        setMetric("metric-logs", formatBytes(summary.totals.logBytes));
         setMetric("metric-requests", formatNumber(summary.totals.requestsToday));
         setMetric("metric-mutations", formatNumber(summary.totals.mutationsToday));
+        setMetric("metric-cleanup", formatNumber(summary.cleanup?.totals?.deletedDeploys || 0));
         statusLine.textContent = "Updated " + formatTime(summary.generatedAt);
       }
 
@@ -2220,12 +2663,109 @@ function escapeHtml(value) {
     .replace(/"/g, "&quot;");
 }
 
-function formatHtmlTime(value) {
-  return value ? new Date(value).toLocaleString() : "unknown";
+function formatHtmlNumber(value) {
+  return new Intl.NumberFormat().format(Number(value || 0));
+}
+
+function parseHtmlDate(value) {
+  if (!value) {
+    return null;
+  }
+  const date = value instanceof Date ? value : new Date(value);
+  return Number.isFinite(date.getTime()) ? date : null;
+}
+
+function formatHtmlAbsoluteTime(value) {
+  const date = parseHtmlDate(value);
+  if (!date) {
+    return "unknown";
+  }
+  return new Intl.DateTimeFormat(undefined, {
+    day: "numeric",
+    hour: "numeric",
+    minute: "2-digit",
+    month: "short",
+    timeZoneName: "short",
+    year: "numeric"
+  }).format(date);
+}
+
+function relativeHtmlUnit(diffMs, unitMs) {
+  const value = Math.round(diffMs / unitMs);
+  if (value === 0) {
+    return diffMs < 0 ? -1 : 1;
+  }
+  return value;
+}
+
+function formatHtmlRelativeTime(value, baseDate = new Date()) {
+  const date = parseHtmlDate(value);
+  if (!date) {
+    return "unknown";
+  }
+
+  const diffMs = date.getTime() - baseDate.getTime();
+  const absMs = Math.abs(diffMs);
+  const second = 1000;
+  const minute = 60 * second;
+  const hour = 60 * minute;
+  const day = 24 * hour;
+  const week = 7 * day;
+  const formatter = new Intl.RelativeTimeFormat(undefined, { numeric: "auto" });
+
+  if (absMs < 45 * second) {
+    return diffMs < 0 ? "just now" : "soon";
+  }
+  if (absMs < 45 * minute) {
+    return formatter.format(relativeHtmlUnit(diffMs, minute), "minute");
+  }
+  if (absMs < 22 * hour) {
+    return formatter.format(relativeHtmlUnit(diffMs, hour), "hour");
+  }
+  if (absMs < 26 * day) {
+    return formatter.format(relativeHtmlUnit(diffMs, day), "day");
+  }
+  if (absMs < 8 * week) {
+    return formatter.format(relativeHtmlUnit(diffMs, week), "week");
+  }
+  return formatHtmlAbsoluteTime(date);
+}
+
+function htmlTime(value) {
+  const date = parseHtmlDate(value);
+  if (!date) {
+    return `<span>unknown</span>`;
+  }
+
+  return `<time datetime="${escapeHtml(date.toISOString())}" title="${escapeHtml(formatHtmlAbsoluteTime(date))}">${escapeHtml(formatHtmlRelativeTime(date))}</time>`;
+}
+
+function cssClassToken(value) {
+  return (
+    String(value ?? "")
+      .toLowerCase()
+      .replace(/[^a-z0-9_-]+/g, "-")
+      .replace(/^-+|-+$/g, "") || "unknown"
+  );
+}
+
+function quotaPercent(used, limit) {
+  const numericLimit = Number(limit || 0);
+  if (numericLimit <= 0) {
+    return 0;
+  }
+  return Math.max(0, Math.min(100, (Number(used || 0) / numericLimit) * 100));
 }
 
-function formatHtmlExpiry(value) {
-  return value ? formatHtmlTime(value) : "never";
+function quotaHtml(label, used, limit) {
+  const percent = quotaPercent(used, limit).toFixed(2);
+  return `<div class="quota">
+    <div class="quota-row">
+      <span class="quota-label">${escapeHtml(label)}</span>
+      <span class="quota-count">${escapeHtml(formatHtmlNumber(used))} / ${escapeHtml(formatHtmlNumber(limit))}</span>
+    </div>
+    <div class="meter" aria-hidden="true"><span style="--usage: ${percent}%"></span></div>
+  </div>`;
 }
 
 function developerDeploySummary({ artifact, deploy, usage }) {
@@ -2250,18 +2790,34 @@ function developerDeploySummary({ artifact, deploy, usage }) {
 
 function developerHtml({ authConfigured, deploys = [], user }) {
   const signedIn = Boolean(user);
+  const activeDeploys = deploys.filter((deploy) => deploy.status === "active").length;
+  const requestsToday = deploys.reduce((total, deploy) => total + Number(deploy.usage.requestsToday || 0), 0);
+  const mutationsToday = deploys.reduce((total, deploy) => total + Number(deploy.usage.mutationsToday || 0), 0);
   const rows = deploys
-    .map(
-      (deploy) => `<tr>
-        <td><a href="${escapeHtml(deploy.url)}" target="_blank" rel="noopener noreferrer">${escapeHtml(deploy.name)}</a><small>${escapeHtml(deploy.deployId)} / ${escapeHtml(deploy.slug)}</small></td>
-        <td><span class="pill ${escapeHtml(deploy.status)}">${escapeHtml(deploy.status)}</span></td>
-        <td>${escapeHtml(formatHtmlTime(deploy.createdAt))}</td>
-        <td>${escapeHtml(formatHtmlTime(deploy.updatedAt))}</td>
-        <td>${escapeHtml(formatHtmlExpiry(deploy.expiresAt))}</td>
-        <td>${escapeHtml(deploy.usage.requestsToday)} / ${escapeHtml(deploy.limits.requestsPerDay)}</td>
-        <td>${escapeHtml(deploy.usage.mutationsToday)} / ${escapeHtml(deploy.limits.mutationsPerDay)}</td>
-      </tr>`
-    )
+    .map((deploy) => {
+      const statusClass = cssClassToken(deploy.status);
+      return `<article class="deploy-row">
+        <div class="deploy-main">
+          <div class="deploy-title-line">
+            <a class="deploy-name" href="${escapeHtml(deploy.url)}" target="_blank" rel="noopener noreferrer">${escapeHtml(deploy.name)}</a>
+            <span class="status status-${escapeHtml(statusClass)}">${escapeHtml(deploy.status)}</span>
+            ${deploy.expiresAt ? `<span class="expiry">expires ${htmlTime(deploy.expiresAt)}</span>` : ""}
+          </div>
+          <div class="deploy-ids">
+            <span>${escapeHtml(deploy.deployId)}</span>
+            <span>${escapeHtml(deploy.slug)}</span>
+          </div>
+        </div>
+        <div class="activity">
+          <div class="activity-item"><span>Updated</span>${htmlTime(deploy.updatedAt)}</div>
+          <div class="activity-item"><span>Created</span>${htmlTime(deploy.createdAt)}</div>
+        </div>
+        <div class="usage-grid">
+          ${quotaHtml("Requests", deploy.usage.requestsToday, deploy.limits.requestsPerDay)}
+          ${quotaHtml("Mutations", deploy.usage.mutationsToday, deploy.limits.mutationsPerDay)}
+        </div>
+      </article>`;
+    })
     .join("");
 
   return `<!doctype html>
@@ -2273,14 +2829,18 @@ function developerHtml({ authConfigured, deploys = [], user }) {
     <style>
       :root {
         color-scheme: dark;
-        --bg: #11130f;
-        --panel: #191c16;
-        --line: #343b2e;
-        --text: #f2f0e8;
-        --muted: #a8ab9e;
-        --accent: #91d46f;
-        --bad: #ee7d71;
-        --ink: #0c110a;
+        --accent: #b7f26d;
+        --bg: #070a09;
+        --cyan: #71d6ff;
+        --danger: #ff7b72;
+        --line: #26302b;
+        --line-strong: #3b4740;
+        --muted: #8f9c94;
+        --panel: #0f1513;
+        --panel-raised: #141b18;
+        --soft: #bfcbc3;
+        --text: #eef6f0;
+        --warning: #ffd166;
       }
 
       * {
@@ -2290,13 +2850,12 @@ function developerHtml({ authConfigured, deploys = [], user }) {
       body {
         background: var(--bg);
         color: var(--text);
-        font-family: "Avenir Next", "Helvetica Neue", sans-serif;
-        letter-spacing: 0;
+        font-family: Inter, ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
         margin: 0;
       }
 
       a {
-        color: var(--accent);
+        color: inherit;
         text-decoration: none;
       }
 
@@ -2306,50 +2865,104 @@ function developerHtml({ authConfigured, deploys = [], user }) {
 
       .shell {
         margin: 0 auto;
-        max-width: 1120px;
+        max-width: 1560px;
         min-height: 100vh;
-        padding: 28px;
+        padding: 34px 32px 56px;
+        width: 100%;
       }
 
       header {
         align-items: center;
+        border-bottom: 1px solid var(--line);
         display: flex;
         gap: 16px;
         justify-content: space-between;
-        margin-bottom: 24px;
+        margin-bottom: 22px;
+        padding-bottom: 22px;
       }
 
       h1 {
-        font-size: 32px;
-        line-height: 1;
+        font-size: 40px;
+        line-height: 1.05;
         margin: 0;
       }
 
       .eyebrow,
-      small,
-      th,
-      .meta {
+      .meta,
+      .deploy-ids,
+      .activity-item span,
+      .expiry,
+      .list-head,
+      .quota-label,
+      .quota-count,
+      .status {
         color: var(--muted);
         font-family: "SFMono-Regular", Consolas, monospace;
         font-size: 12px;
       }
 
+      .eyebrow {
+        color: var(--accent);
+        margin-bottom: 6px;
+      }
+
+      .meta {
+        margin-top: 4px;
+      }
+
       .button {
-        background: var(--accent);
-        border: 1px solid var(--accent);
+        align-items: center;
+        background: transparent;
+        border: 1px solid var(--line-strong);
         border-radius: 6px;
-        color: var(--ink);
+        color: var(--text);
         display: inline-flex;
         font-weight: 700;
         min-height: 40px;
         padding: 10px 14px;
       }
 
+      .button:hover {
+        border-color: var(--accent);
+        text-decoration: none;
+      }
+
       .button.secondary {
         background: transparent;
         color: var(--text);
       }
 
+      .summary {
+        background: var(--line);
+        border: 1px solid var(--line);
+        border-radius: 8px;
+        display: grid;
+        gap: 1px;
+        grid-template-columns: repeat(3, minmax(0, 1fr));
+        margin-bottom: 18px;
+        overflow: hidden;
+      }
+
+      .metric {
+        background: var(--panel);
+        padding: 15px 16px;
+      }
+
+      .metric span {
+        color: var(--muted);
+        display: block;
+        font-family: "SFMono-Regular", Consolas, monospace;
+        font-size: 12px;
+        margin-bottom: 6px;
+      }
+
+      .metric strong {
+        color: var(--text);
+        display: block;
+        font-size: 22px;
+        line-height: 1;
+      }
+
       .panel {
         background: var(--panel);
         border: 1px solid var(--line);
@@ -2362,51 +2975,160 @@ function developerHtml({ authConfigured, deploys = [], user }) {
         padding: 22px;
       }
 
-      table {
-        border-collapse: collapse;
-        width: 100%;
+      .deploy-list {
+        display: grid;
       }
 
-      th,
-      td {
-        border-bottom: 1px solid var(--line);
-        padding: 13px 14px;
-        text-align: left;
-        vertical-align: top;
+      .list-head,
+      .deploy-row {
+        align-items: center;
+        display: grid;
+        gap: 24px;
+        grid-template-columns: minmax(360px, 1fr) minmax(210px, 300px) minmax(360px, 430px);
       }
 
-      tr:last-child td {
+      .list-head {
+        background: #0b100e;
+        border-bottom: 1px solid var(--line);
+        padding: 12px 18px;
+      }
+
+      .deploy-row {
+        background: var(--panel);
+        border-bottom: 1px solid var(--line);
+        min-width: 0;
+        padding: 18px;
+      }
+
+      .deploy-row:last-child {
         border-bottom: 0;
       }
 
-      td:first-child {
-        display: grid;
-        gap: 4px;
+      .deploy-row:hover {
+        background: var(--panel-raised);
       }
 
-      .pill {
-        border: 1px solid var(--line);
-        border-radius: 999px;
-        display: inline-flex;
-        font-family: "SFMono-Regular", Consolas, monospace;
-        font-size: 12px;
-        padding: 3px 8px;
+      .deploy-main,
+      .activity,
+      .usage-grid,
+      .quota {
+        min-width: 0;
       }
 
-      .pill.active {
-        border-color: rgba(145, 212, 111, 0.7);
+      .deploy-title-line {
+        align-items: center;
+        display: flex;
+        flex-wrap: wrap;
+        gap: 8px 10px;
+        margin-bottom: 8px;
+        min-width: 0;
+      }
+
+      .deploy-name {
+        color: var(--text);
+        font-size: 16px;
+        font-weight: 700;
+        overflow-wrap: anywhere;
+      }
+
+      .deploy-ids {
+        align-items: center;
+        display: flex;
+        flex-wrap: wrap;
+        gap: 6px 12px;
+      }
+
+      .deploy-ids span {
+        overflow-wrap: anywhere;
+      }
+
+      .status {
+        align-items: center;
         color: var(--accent);
+        display: inline-flex;
+        gap: 6px;
+        white-space: nowrap;
       }
 
-      .pill.expired,
-      .pill.terminated {
-        border-color: rgba(238, 125, 113, 0.75);
-        color: var(--bad);
+      .status::before {
+        background: var(--accent);
+        border-radius: 999px;
+        box-shadow: 0 0 0 3px rgba(183, 242, 109, 0.14);
+        content: "";
+        height: 7px;
+        width: 7px;
+      }
+
+      .status-expired,
+      .status-terminated {
+        color: var(--danger);
+      }
+
+      .status-expired::before,
+      .status-terminated::before {
+        background: var(--danger);
+        box-shadow: 0 0 0 3px rgba(255, 123, 114, 0.15);
+      }
+
+      .expiry {
+        color: var(--warning);
+        white-space: nowrap;
+      }
+
+      .activity {
+        display: grid;
+        gap: 6px;
+      }
+
+      .activity-item {
+        align-items: baseline;
+        color: var(--soft);
+        display: flex;
+        gap: 12px;
+        justify-content: space-between;
+      }
+
+      time {
+        color: var(--text);
+        white-space: nowrap;
+      }
+
+      .usage-grid {
+        display: grid;
+        gap: 12px;
+        grid-template-columns: repeat(2, minmax(0, 1fr));
+      }
+
+      .quota-row {
+        align-items: baseline;
+        display: flex;
+        gap: 12px;
+        justify-content: space-between;
+        margin-bottom: 8px;
+      }
+
+      .quota-count {
+        color: var(--text);
+        white-space: nowrap;
+      }
+
+      .meter {
+        background: #222b26;
+        border-radius: 999px;
+        height: 6px;
+        overflow: hidden;
       }
 
-      @media (max-width: 720px) {
+      .meter span {
+        background: linear-gradient(90deg, var(--accent), var(--cyan));
+        display: block;
+        height: 100%;
+        width: var(--usage);
+      }
+
+      @media (max-width: 980px) {
         .shell {
-          padding: 18px;
+          padding: 24px 18px 40px;
         }
 
         header {
@@ -2414,12 +3136,46 @@ function developerHtml({ authConfigured, deploys = [], user }) {
           flex-direction: column;
         }
 
-        table {
-          min-width: 760px;
+        h1 {
+          font-size: 32px;
+        }
+
+        .summary {
+          grid-template-columns: repeat(3, minmax(0, 1fr));
+        }
+
+        .list-head {
+          display: none;
+        }
+
+        .deploy-row {
+          align-items: stretch;
+          gap: 16px;
+          grid-template-columns: 1fr;
         }
 
-        .panel {
-          overflow-x: auto;
+        .activity-item {
+          justify-content: flex-start;
+        }
+      }
+
+      @media (max-width: 640px) {
+        .shell {
+          padding: 20px 12px 36px;
+        }
+
+        .summary,
+        .usage-grid {
+          grid-template-columns: 1fr;
+        }
+
+        .deploy-ids {
+          display: grid;
+        }
+
+        .activity-item {
+          display: grid;
+          gap: 2px;
         }
       }
     </style>
@@ -2442,6 +3198,15 @@ function developerHtml({ authConfigured, deploys = [], user }) {
           }
         </div>
       </header>
+      ${
+        signedIn && deploys.length
+          ? `<section class="summary" aria-label="Deployment summary">
+              <div class="metric"><span>active deploys</span><strong>${escapeHtml(formatHtmlNumber(activeDeploys))}</strong></div>
+              <div class="metric"><span>requests today</span><strong>${escapeHtml(formatHtmlNumber(requestsToday))}</strong></div>
+              <div class="metric"><span>mutations today</span><strong>${escapeHtml(formatHtmlNumber(mutationsToday))}</strong></div>
+            </section>`
+          : ""
+      }
 
       ${
         !authConfigured
@@ -2451,20 +3216,14 @@ function developerHtml({ authConfigured, deploys = [], user }) {
             : deploys.length === 0
               ? `<section class="panel"><div class="empty">No claimed deployments.</div></section>`
               : `<section class="panel">
-                  <table>
-                    <thead>
-                      <tr>
-                        <th>Deploy</th>
-                        <th>Status</th>
-                        <th>Created</th>
-                        <th>Updated</th>
-                        <th>Expires</th>
-                        <th>Requests</th>
-                        <th>Mutations</th>
-                      </tr>
-                    </thead>
-                    <tbody>${rows}</tbody>
-                  </table>
+                  <div class="deploy-list">
+                    <div class="list-head" aria-hidden="true">
+                      <span>Deploy</span>
+                      <span>Activity</span>
+                      <span>Usage today</span>
+                    </div>
+                    ${rows}
+                  </div>
                 </section>`
       }
     </main>
@@ -2475,14 +3234,19 @@ function developerHtml({ authConfigured, deploys = [], user }) {
 export class MemoryAnonymousStore {
   constructor() {
     this.artifacts = new Map();
+    this.deployDomainsByHostname = new Map();
     this.deploys = new Map();
     this.deploysBySlug = new Map();
+    this.deployCreateQuotaEvents = new Map();
+    this.clientQuotaEvents = new Map();
     this.logs = new Map();
     this.quotaEvents = new Map();
     this.queues = new Map();
     this.rows = new Map();
     this.serverEnv = new Map();
     this.users = new Map();
+    this.cleanupRuns = [];
+    this.cleanupTotals = {};
   }
 
   async initialize() {}
@@ -2609,18 +3373,36 @@ export class MemoryAnonymousStore {
     });
   }
 
-  async createDeploy({ appBaseDomain, artifact, artifactHash, clientBundleBase64, clientBundleHash, publicRootUrl, requestedTtlSeconds, serverEnv }) {
+  decrementArtifactRef(artifactHash) {
+    const artifact = this.artifacts.get(artifactHash);
+    if (!artifact) {
+      return false;
+    }
+
+    const refCount = Math.max(0, Number(artifact.refCount ?? 0) - 1);
+    if (refCount <= 0) {
+      this.artifacts.delete(artifactHash);
+      return true;
+    }
+
+    this.artifacts.set(artifactHash, { ...artifact, refCount });
+    return false;
+  }
+
+  async createDeploy({ appBaseDomain, artifact, artifactHash, clientBundleBase64, clientBundleHash, publicRootUrl, serverEnv }) {
     const deployId = createDeployId();
     const normalizedAppBaseDomain = normalizeAppBaseDomain(appBaseDomain);
     let slug = createSlug();
-    while (this.deploysBySlug.has(slug)) {
+    while (
+      this.deploysBySlug.has(slug) ||
+      (normalizedAppBaseDomain && this.deployDomainsByHostname.has(`${slug}.${normalizedAppBaseDomain}`))
+    ) {
       slug = createSlug();
     }
 
     const token = createClaimToken();
     const createdAt = now();
-    const ttlSeconds = parseTtlSeconds(requestedTtlSeconds);
-    const expiresAt = new Date(Date.now() + ttlSeconds * 1000).toISOString();
+    const expiresAt = anonymousDeployExpiresAt();
     const url = appUrlForSlug({ appBaseDomain: normalizedAppBaseDomain, publicRootUrl, slug });
 
     this.storeArtifact({
@@ -2665,7 +3447,6 @@ export class MemoryAnonymousStore {
     clientBundleHash,
     deployId,
     publicRootUrl,
-    requestedTtlSeconds,
     serverEnv
   }) {
     const currentDeploy = await this.getStoredDeployById(deployId);
@@ -2674,7 +3455,6 @@ export class MemoryAnonymousStore {
     }
 
     const updatedAt = now();
-    const ttlSeconds = parseTtlSeconds(requestedTtlSeconds);
     const nextAppBaseDomain = normalizeAppBaseDomain(appBaseDomain ?? currentDeploy.appBaseDomain);
     const nextPublicRootUrl = publicRootUrl ?? currentDeploy.publicRootUrl;
     const deploy = {
@@ -2682,7 +3462,7 @@ export class MemoryAnonymousStore {
       appBaseDomain: nextAppBaseDomain,
       artifactHash,
       clientBundleHash,
-      expiresAt: currentDeploy.ownerId ? null : new Date(Date.now() + ttlSeconds * 1000).toISOString(),
+      expiresAt: currentDeploy.ownerId ? null : anonymousDeployExpiresAt(),
       publicRootUrl: nextPublicRootUrl,
       url: appUrlForSlug({ appBaseDomain: nextAppBaseDomain, publicRootUrl: nextPublicRootUrl, slug: currentDeploy.slug }),
       status: "active",
@@ -2697,6 +3477,7 @@ export class MemoryAnonymousStore {
       createdAt: updatedAt
     });
     this.deploys.set(deployId, deploy);
+    this.decrementArtifactRef(currentDeploy.artifactHash);
     if (serverEnv !== undefined) {
       this.serverEnv.set(deployId, { ...serverEnv });
     }
@@ -2755,6 +3536,62 @@ export class MemoryAnonymousStore {
     return id ? this.getDeployById(id) : null;
   }
 
+  async getDeployDomainByHostname(hostname) {
+    const domain = this.deployDomainsByHostname.get(hostname);
+    return domain ? { ...domain } : null;
+  }
+
+  async listDeployDomainsForDeploy(deployId) {
+    return Array.from(this.deployDomainsByHostname.values())
+      .filter((domain) => domain.deployId === deployId)
+      .sort((left, right) => String(left.hostname).localeCompare(String(right.hostname)))
+      .map((domain) => ({ ...domain }));
+  }
+
+  async createLakebedSubdomain({ deployId, hostname, label, ownerId }) {
+    const deploy = await this.getStoredDeployById(deployId);
+    if (!deploy) {
+      return { status: "missing" };
+    }
+    if (!deploy.ownerId) {
+      return { deploy, status: "unclaimed" };
+    }
+    if (deploy.ownerId !== ownerId) {
+      return { deploy, status: "forbidden" };
+    }
+    if (deploy.status !== "active" || isExpired(deploy)) {
+      return { deploy, status: "inactive" };
+    }
+
+    const existingDomain = this.deployDomainsByHostname.get(hostname);
+    if (existingDomain) {
+      if (existingDomain.deployId === deployId) {
+        return { deploy, domain: { ...existingDomain }, status: "exists" };
+      }
+
+      return { deploy, domain: { ...existingDomain }, status: "conflict" };
+    }
+
+    if (this.deploysBySlug.has(label)) {
+      return { deploy, status: "slug_conflict" };
+    }
+
+    const timestamp = now();
+    const domain = {
+      createdAt: timestamp,
+      deployId,
+      hostname,
+      isPrimary: false,
+      kind: "lakebed_subdomain",
+      ownerId,
+      status: "active",
+      updatedAt: timestamp,
+      url: `https://${hostname}`
+    };
+    this.deployDomainsByHostname.set(hostname, domain);
+    return { deploy, domain: { ...domain }, status: "created" };
+  }
+
   async getArtifact(hash) {
     return this.artifacts.get(hash) ?? null;
   }
@@ -2804,8 +3641,45 @@ export class MemoryAnonymousStore {
     return { ...(this.serverEnv.get(deployId) ?? {}) };
   }
 
-  async transaction(deployId, handler) {
-    const run = () => handler(this);
+  snapshotRowsForDeploy(deployId) {
+    const snapshot = new Map();
+    for (const [key, rows] of this.rows) {
+      const [eventDeployId] = key.split(":");
+      if (eventDeployId === deployId) {
+        snapshot.set(key, new Map(Array.from(rows.entries()).map(([rowId, row]) => [rowId, { ...row }])));
+      }
+    }
+    return snapshot;
+  }
+
+  restoreRowsForDeploy(deployId, snapshot) {
+    for (const key of Array.from(this.rows.keys())) {
+      const [eventDeployId] = key.split(":");
+      if (eventDeployId === deployId) {
+        this.rows.delete(key);
+      }
+    }
+    for (const [key, rows] of snapshot) {
+      this.rows.set(key, new Map(Array.from(rows.entries()).map(([rowId, row]) => [rowId, { ...row }])));
+    }
+  }
+
+  assertStateWithinLimits(deployId, options) {
+    assertStateResourceLimits(this.stateResourceForDeploy(deployId), options);
+  }
+
+  async transaction(deployId, handler, options = {}) {
+    const run = async () => {
+      const snapshot = this.snapshotRowsForDeploy(deployId);
+      try {
+        const result = await handler(this);
+        this.assertStateWithinLimits(deployId, options);
+        return result;
+      } catch (error) {
+        this.restoreRowsForDeploy(deployId, snapshot);
+        throw error;
+      }
+    };
     const next = (this.queues.get(deployId) ?? Promise.resolve()).then(run, run);
     this.queues.set(
       deployId,
@@ -2818,9 +3692,13 @@ export class MemoryAnonymousStore {
   }
 
   async appendLog(deployId, level, message, data) {
-    const entries = this.logs.get(deployId) ?? [];
-    entries.push({ at: now(), data, level, message });
-    this.logs.set(deployId, entries.slice(-DEFAULT_ANONYMOUS_LIMITS.logEntries));
+    const entries = [...(this.logs.get(deployId) ?? []), normalizeLogEntry(level, message, data)];
+    const maxEntries = DEFAULT_ANONYMOUS_LIMITS.logEntries;
+    const maxBytes = DEFAULT_ANONYMOUS_LIMITS.logBytes;
+    while (entries.length > maxEntries || bytesOfJson(entries) > maxBytes) {
+      entries.shift();
+    }
+    this.logs.set(deployId, entries);
   }
 
   async readLogs(deployId, limit = 100) {
@@ -2856,12 +3734,67 @@ export class MemoryAnonymousStore {
   }
 
   async incrementQuota(deployId, bucket, limit) {
+    if (!Number.isFinite(limit)) {
+      return { bucket, count: 0, limit, windowStart: dayWindowStart() };
+    }
+
     const windowStart = dayWindowStart();
     const key = `${deployId}:${bucket}:${windowStart}`;
     const count = (this.quotaEvents.get(key) ?? 0) + 1;
     this.quotaEvents.set(key, count);
     if (count > limit) {
-      throw new Error(`Anonymous ${bucket} quota exceeded. Limit: ${limit} per day.`);
+      throw new LakebedQuotaError({
+        bucket,
+        count,
+        limit,
+        resetAt: quotaResetAt(windowStart),
+        retryAfterSeconds: quotaRetryAfterSeconds(windowStart),
+        suggestion: bucket === "mutations" ? "Retry after reset, reduce mutation frequency, or claim the deploy." : "Retry after reset or reduce request frequency."
+      });
+    }
+    return { bucket, count, limit, windowStart };
+  }
+
+  async incrementDeployCreateQuota(clientKey, bucket, limit) {
+    if (!Number.isFinite(limit)) {
+      return { bucket, count: 0, limit, windowStart: dayWindowStart() };
+    }
+
+    const windowStart = dayWindowStart();
+    const key = JSON.stringify([clientKey, bucket, windowStart]);
+    const count = (this.deployCreateQuotaEvents.get(key) ?? 0) + 1;
+    this.deployCreateQuotaEvents.set(key, count);
+    if (count > limit) {
+      throw new LakebedQuotaError({
+        bucket,
+        count,
+        limit,
+        resetAt: quotaResetAt(windowStart),
+        retryAfterSeconds: quotaRetryAfterSeconds(windowStart),
+        suggestion: "Retry after reset, reuse an existing deploy, or sign in and claim deploys you want to keep."
+      });
+    }
+    return { bucket, count, limit, windowStart };
+  }
+
+  async incrementClientQuota(clientKey, bucket, limit) {
+    if (!Number.isFinite(limit)) {
+      return { bucket, count: 0, limit, windowStart: dayWindowStart() };
+    }
+
+    const windowStart = dayWindowStart();
+    const key = JSON.stringify([clientKey, bucket, windowStart]);
+    const count = (this.clientQuotaEvents.get(key) ?? 0) + 1;
+    this.clientQuotaEvents.set(key, count);
+    if (count > limit) {
+      throw new LakebedQuotaError({
+        bucket,
+        count,
+        limit,
+        resetAt: quotaResetAt(windowStart),
+        retryAfterSeconds: quotaRetryAfterSeconds(windowStart),
+        suggestion: clientTrafficQuotaSuggestion(bucket)
+      });
     }
     return { bucket, count, limit, windowStart };
   }
@@ -2947,6 +3880,160 @@ export class MemoryAnonymousStore {
 
     return summaries;
   }
+
+  deleteDeployResources(deployId) {
+    const deploy = this.deploys.get(deployId);
+    if (!deploy) {
+      return {
+        deletedArtifacts: 0,
+        deletedDomains: 0,
+        deletedLogEntries: 0,
+        deletedQuotaEvents: 0,
+        deletedServerEnv: 0,
+        deletedStateRows: 0
+      };
+    }
+
+    let deletedStateRows = 0;
+    for (const [key, rows] of Array.from(this.rows.entries())) {
+      const [eventDeployId] = key.split(":");
+      if (eventDeployId === deployId) {
+        deletedStateRows += rows.size;
+        this.rows.delete(key);
+      }
+    }
+
+    const deletedLogEntries = this.logs.get(deployId)?.length ?? 0;
+    this.logs.delete(deployId);
+
+    let deletedQuotaEvents = 0;
+    for (const key of Array.from(this.quotaEvents.keys())) {
+      const [eventDeployId] = key.split(":");
+      if (eventDeployId === deployId) {
+        deletedQuotaEvents += 1;
+        this.quotaEvents.delete(key);
+      }
+    }
+
+    const deletedServerEnv = this.serverEnv.has(deployId) ? Object.keys(this.serverEnv.get(deployId) ?? {}).length : 0;
+    this.serverEnv.delete(deployId);
+
+    let deletedDomains = 0;
+    for (const [hostname, domain] of Array.from(this.deployDomainsByHostname.entries())) {
+      if (domain.deployId === deployId) {
+        this.deployDomainsByHostname.delete(hostname);
+        deletedDomains += 1;
+      }
+    }
+
+    this.deploys.delete(deployId);
+    this.deploysBySlug.delete(deploy.slug);
+    const deletedArtifacts = this.decrementArtifactRef(deploy.artifactHash) ? 1 : 0;
+
+    return {
+      deletedArtifacts,
+      deletedDomains,
+      deletedLogEntries,
+      deletedQuotaEvents,
+      deletedServerEnv,
+      deletedStateRows
+    };
+  }
+
+  recordCleanupRun(stats) {
+    this.cleanupRuns.push(stats);
+    this.cleanupRuns = this.cleanupRuns.slice(-20);
+    for (const [key, value] of Object.entries(stats)) {
+      if (typeof value === "number") {
+        this.cleanupTotals[key] = (this.cleanupTotals[key] ?? 0) + value;
+      }
+    }
+  }
+
+  async cleanupExpiredDeploys({ graceSeconds = 60 * 60, retentionSeconds = 7 * 24 * 60 * 60, nowMs = Date.now() } = {}) {
+    const startedAt = new Date(nowMs).toISOString();
+    const markCutoffMs = nowMs - graceSeconds * 1000;
+    const deleteCutoffMs = nowMs - retentionSeconds * 1000;
+    const stats = {
+      deletedArtifacts: 0,
+      deletedDomains: 0,
+      deletedDeploys: 0,
+      deletedLogEntries: 0,
+      deletedQuotaEvents: 0,
+      deletedServerEnv: 0,
+      deletedStateRows: 0,
+      examinedDeploys: this.deploys.size,
+      finishedAt: null,
+      markedTerminated: 0,
+      startedAt
+    };
+
+    for (const deploy of Array.from(this.deploys.values())) {
+      if (deploy.ownerId || !deploy.expiresAt) {
+        continue;
+      }
+
+      const expiresAtMs = Date.parse(deploy.expiresAt);
+      if (Number.isFinite(expiresAtMs) && expiresAtMs <= markCutoffMs && deploy.status === "active") {
+        this.deploys.set(deploy.id, { ...deploy, status: "terminated", updatedAt: new Date(nowMs).toISOString() });
+        stats.markedTerminated += 1;
+      }
+    }
+
+    for (const deploy of Array.from(this.deploys.values())) {
+      if (deploy.ownerId || !deploy.expiresAt) {
+        continue;
+      }
+
+      const expiresAtMs = Date.parse(deploy.expiresAt);
+      if (!Number.isFinite(expiresAtMs) || expiresAtMs > deleteCutoffMs) {
+        continue;
+      }
+
+      const deleted = this.deleteDeployResources(deploy.id);
+      stats.deletedDeploys += 1;
+      for (const [key, value] of Object.entries(deleted)) {
+        stats[key] += value;
+      }
+    }
+
+    for (const [key] of Array.from(this.deployCreateQuotaEvents.entries())) {
+      try {
+        const [, , windowStart] = JSON.parse(key);
+        if (Date.parse(windowStart) <= deleteCutoffMs) {
+          this.deployCreateQuotaEvents.delete(key);
+          stats.deletedQuotaEvents += 1;
+        }
+      } catch {
+        this.deployCreateQuotaEvents.delete(key);
+        stats.deletedQuotaEvents += 1;
+      }
+    }
+    for (const [key] of Array.from(this.clientQuotaEvents.entries())) {
+      try {
+        const [, , windowStart] = JSON.parse(key);
+        if (Date.parse(windowStart) <= deleteCutoffMs) {
+          this.clientQuotaEvents.delete(key);
+          stats.deletedQuotaEvents += 1;
+        }
+      } catch {
+        this.clientQuotaEvents.delete(key);
+        stats.deletedQuotaEvents += 1;
+      }
+    }
+
+    stats.finishedAt = now();
+    this.recordCleanupRun(stats);
+    return stats;
+  }
+
+  async readCleanupActivity() {
+    return {
+      lastRun: this.cleanupRuns[this.cleanupRuns.length - 1] ?? null,
+      recentRuns: [...this.cleanupRuns].reverse(),
+      totals: { ...this.cleanupTotals }
+    };
+  }
 }
 
 export class PostgresAnonymousStore {
@@ -2989,6 +4076,20 @@ export class PostgresAnonymousStore {
     await this.query("alter table deploys alter column updated_at set not null");
     await this.query("alter table deploys alter column expires_at drop not null");
     await this.query("update deploys set expires_at = null where owner_id is not null and expires_at is not null");
+    await this.query(`
+      create table if not exists deploy_domains(
+        hostname text primary key,
+        deploy_id text not null references deploys(id) on delete cascade,
+        owner_id text not null,
+        kind text not null,
+        status text not null,
+        is_primary boolean not null default false,
+        created_at timestamptz not null,
+        updated_at timestamptz not null
+      )
+    `);
+    await this.query("create index if not exists deploy_domains_deploy_id_idx on deploy_domains(deploy_id)");
+    await this.query("create index if not exists deploy_domains_owner_id_idx on deploy_domains(owner_id)");
     await this.query(`
       create table if not exists artifacts(
         hash text primary key,
@@ -3030,6 +4131,24 @@ export class PostgresAnonymousStore {
         primary key (deploy_id, bucket, window_start)
       )
     `);
+    await this.query(`
+      create table if not exists deploy_create_quota_events(
+        client_key text not null,
+        bucket text not null,
+        window_start timestamptz not null,
+        count integer not null,
+        primary key (client_key, bucket, window_start)
+      )
+    `);
+    await this.query(`
+      create table if not exists client_quota_events(
+        client_key text not null,
+        bucket text not null,
+        window_start timestamptz not null,
+        count integer not null,
+        primary key (client_key, bucket, window_start)
+      )
+    `);
     await this.query(`
       create table if not exists deploy_server_env(
         deploy_id text not null references deploys(id) on delete cascade,
@@ -3054,6 +4173,14 @@ export class PostgresAnonymousStore {
         updated_at timestamptz not null
       )
     `);
+    await this.query(`
+      create table if not exists cleanup_runs(
+        id bigserial primary key,
+        started_at timestamptz not null,
+        finished_at timestamptz not null,
+        stats_json jsonb not null
+      )
+    `);
     await this.query("alter table users add column if not exists boost boolean not null default false");
     await this.query(`
       insert into users(
@@ -3094,6 +4221,33 @@ export class PostgresAnonymousStore {
     return this.pool.query(sql, params);
   }
 
+  async withPostgresTransaction(handler) {
+    if (!this.pool) {
+      throw new Error("Postgres store is not initialized.");
+    }
+
+    const client = await this.pool.connect();
+    try {
+      await client.query("begin");
+      const result = await handler(client);
+      await client.query("commit");
+      return result;
+    } catch (error) {
+      try {
+        await client.query("rollback");
+      } catch {
+        // Preserve the original transaction error.
+      }
+      throw error;
+    } finally {
+      client.release();
+    }
+  }
+
+  async lockHostnameAllocation(client, hostname) {
+    await client.query("select pg_advisory_xact_lock(hashtext('lakebed.deploy_hostname'), hashtext($1))", [hostname]);
+  }
+
   rowToUser(row) {
     if (!row) {
       return null;
@@ -3318,11 +4472,29 @@ export class PostgresAnonymousStore {
     );
   }
 
-  async createDeploy({ appBaseDomain, artifact, artifactHash, clientBundleBase64, clientBundleHash, publicRootUrl, requestedTtlSeconds, serverEnv }) {
+  async decrementArtifactRef(artifactHash) {
+    const result = await this.query(
+      `
+      update artifacts
+      set ref_count = greatest(ref_count - 1, 0)
+      where hash = $1
+      returning ref_count
+      `,
+      [artifactHash]
+    );
+    const refCount = result.rows[0]?.ref_count;
+    if (refCount === undefined || Number(refCount) > 0) {
+      return false;
+    }
+
+    await this.query("delete from artifacts where hash = $1 and ref_count <= 0", [artifactHash]);
+    return true;
+  }
+
+  async createDeploy({ appBaseDomain, artifact, artifactHash, clientBundleBase64, clientBundleHash, publicRootUrl, serverEnv }) {
     const createdAt = now();
     const normalizedAppBaseDomain = normalizeAppBaseDomain(appBaseDomain);
-    const ttlSeconds = parseTtlSeconds(requestedTtlSeconds);
-    const expiresAt = new Date(Date.now() + ttlSeconds * 1000).toISOString();
+    const expiresAt = anonymousDeployExpiresAt();
     const token = createClaimToken();
     const deployId = createDeployId();
 
@@ -3330,6 +4502,8 @@ export class PostgresAnonymousStore {
 
     for (let attempt = 0; attempt < 8; attempt += 1) {
       const slug = createSlug();
+      const generatedHostname = normalizedAppBaseDomain ? `${slug}.${normalizedAppBaseDomain}` : null;
+
       const url = appUrlForSlug({ appBaseDomain: normalizedAppBaseDomain, publicRootUrl, slug });
       const deploy = {
         appBaseDomain: normalizedAppBaseDomain,
@@ -3351,30 +4525,44 @@ export class PostgresAnonymousStore {
       };
 
       try {
-        await this.query(
-          `
-          insert into deploys(
-            id, slug, status, artifact_hash, client_bundle_hash, created_at, updated_at, expires_at,
-            claim_token_hash, limits_json, counters_json, public_root_url, app_base_domain, url
-          )
-          values($1, $2, $3, $4, $5, $6, $7, $8, $9, $10::jsonb, '{}'::jsonb, $11, $12, $13)
-          `,
-          [
-            deploy.id,
-            deploy.slug,
-            deploy.status,
-            deploy.artifactHash,
-            deploy.clientBundleHash,
-            deploy.createdAt,
-            deploy.updatedAt,
-            deploy.expiresAt,
-            deploy.claimTokenHash,
-            JSON.stringify(deploy.limits),
-            deploy.publicRootUrl,
-            deploy.appBaseDomain,
-            deploy.url
-          ]
-        );
+        const inserted = await this.withPostgresTransaction(async (client) => {
+          if (generatedHostname) {
+            await this.lockHostnameAllocation(client, generatedHostname);
+            const domainConflict = await client.query("select 1 from deploy_domains where hostname = $1", [generatedHostname]);
+            if (domainConflict.rows.length > 0) {
+              return false;
+            }
+          }
+
+          await client.query(
+            `
+            insert into deploys(
+              id, slug, status, artifact_hash, client_bundle_hash, created_at, updated_at, expires_at,
+              claim_token_hash, limits_json, counters_json, public_root_url, app_base_domain, url
+            )
+            values($1, $2, $3, $4, $5, $6, $7, $8, $9, $10::jsonb, '{}'::jsonb, $11, $12, $13)
+            `,
+            [
+              deploy.id,
+              deploy.slug,
+              deploy.status,
+              deploy.artifactHash,
+              deploy.clientBundleHash,
+              deploy.createdAt,
+              deploy.updatedAt,
+              deploy.expiresAt,
+              deploy.claimTokenHash,
+              JSON.stringify(deploy.limits),
+              deploy.publicRootUrl,
+              deploy.appBaseDomain,
+              deploy.url
+            ]
+          );
+          return true;
+        });
+        if (!inserted) {
+          continue;
+        }
         if (serverEnv !== undefined) {
           await this.replaceServerEnv(deploy.id, serverEnv, createdAt);
         }
@@ -3397,7 +4585,6 @@ export class PostgresAnonymousStore {
     clientBundleHash,
     deployId,
     publicRootUrl,
-    requestedTtlSeconds,
     serverEnv
   }) {
     const currentDeploy = await this.getBaseDeployById(deployId);
@@ -3406,8 +4593,7 @@ export class PostgresAnonymousStore {
     }
 
     const updatedAt = now();
-    const ttlSeconds = parseTtlSeconds(requestedTtlSeconds);
-    const expiresAt = currentDeploy.ownerId ? null : new Date(Date.now() + ttlSeconds * 1000).toISOString();
+    const expiresAt = currentDeploy.ownerId ? null : anonymousDeployExpiresAt();
     const nextAppBaseDomain = normalizeAppBaseDomain(appBaseDomain ?? currentDeploy.appBaseDomain);
     const nextPublicRootUrl = publicRootUrl ?? currentDeploy.publicRootUrl;
     const url = appUrlForSlug({ appBaseDomain: nextAppBaseDomain, publicRootUrl: nextPublicRootUrl, slug: currentDeploy.slug });
@@ -3432,6 +4618,7 @@ export class PostgresAnonymousStore {
     if (serverEnv !== undefined) {
       await this.replaceServerEnv(deployId, serverEnv, updatedAt);
     }
+    await this.decrementArtifactRef(currentDeploy.artifactHash);
     return this.deployWithUserLimitOverrides(this.rowToDeploy(result.rows[0]));
   }
 
@@ -3500,7 +4687,7 @@ export class PostgresAnonymousStore {
       createdAt: new Date(row.created_at).toISOString(),
       expiresAt: row.expires_at ? new Date(row.expires_at).toISOString() : null,
       id: row.id,
-      limits: row.limits_json,
+      limits: { ...DEFAULT_ANONYMOUS_LIMITS, ...(row.limits_json ?? {}) },
       owner: row.owner_json ?? null,
       ownerId: row.owner_id ?? null,
       publicRootUrl: row.public_root_url,
@@ -3511,6 +4698,24 @@ export class PostgresAnonymousStore {
     };
   }
 
+  rowToDeployDomain(row) {
+    if (!row) {
+      return null;
+    }
+
+    return {
+      createdAt: new Date(row.created_at).toISOString(),
+      deployId: row.deploy_id,
+      hostname: row.hostname,
+      isPrimary: Boolean(row.is_primary),
+      kind: row.kind,
+      ownerId: row.owner_id,
+      status: row.status,
+      updatedAt: new Date(row.updated_at).toISOString(),
+      url: `https://${row.hostname}`
+    };
+  }
+
   async getDeployById(id) {
     return this.deployWithUserLimitOverrides(await this.getBaseDeployById(id));
   }
@@ -3520,6 +4725,80 @@ export class PostgresAnonymousStore {
     return this.deployWithUserLimitOverrides(this.rowToDeploy(result.rows[0]));
   }
 
+  async getDeployDomainByHostname(hostname) {
+    const result = await this.query("select * from deploy_domains where hostname = $1", [hostname]);
+    return this.rowToDeployDomain(result.rows[0]);
+  }
+
+  async listDeployDomainsForDeploy(deployId) {
+    const result = await this.query("select * from deploy_domains where deploy_id = $1 order by hostname asc", [deployId]);
+    return result.rows.map((row) => this.rowToDeployDomain(row));
+  }
+
+  async createLakebedSubdomain({ deployId, hostname, label, ownerId }) {
+    try {
+      return await this.withPostgresTransaction(async (client) => {
+        const deployResult = await client.query("select * from deploys where id = $1 for update", [deployId]);
+        const deploy = this.rowToDeploy(deployResult.rows[0]);
+        if (!deploy) {
+          return { status: "missing" };
+        }
+        if (!deploy.ownerId) {
+          return { deploy, status: "unclaimed" };
+        }
+        if (deploy.ownerId !== ownerId) {
+          return { deploy, status: "forbidden" };
+        }
+        if (deploy.status !== "active" || isExpired(deploy)) {
+          return { deploy, status: "inactive" };
+        }
+
+        await this.lockHostnameAllocation(client, hostname);
+
+        const existingResult = await client.query("select * from deploy_domains where hostname = $1", [hostname]);
+        const existing = this.rowToDeployDomain(existingResult.rows[0]);
+        if (existing) {
+          if (existing.deployId === deployId) {
+            return { deploy, domain: existing, status: "exists" };
+          }
+
+          return { deploy, domain: existing, status: "conflict" };
+        }
+
+        const slugConflict = await client.query("select id from deploys where slug = $1 limit 1", [label]);
+        if (slugConflict.rows.length > 0) {
+          return { deploy, status: "slug_conflict" };
+        }
+
+        const timestamp = now();
+        const insertResult = await client.query(
+          `
+          insert into deploy_domains(hostname, deploy_id, owner_id, kind, status, is_primary, created_at, updated_at)
+          values($1, $2, $3, 'lakebed_subdomain', 'active', false, $4, $4)
+          returning *
+          `,
+          [hostname, deployId, ownerId, timestamp]
+        );
+        return { deploy, domain: this.rowToDeployDomain(insertResult.rows[0]), status: "created" };
+      });
+    } catch (error) {
+      if (error?.code !== "23505") {
+        throw error;
+      }
+
+      const deploy = await this.getBaseDeployById(deployId);
+      if (!deploy) {
+        return { status: "missing" };
+      }
+      const conflict = await this.getDeployDomainByHostname(hostname);
+      if (conflict?.deployId === deployId) {
+        return { deploy, domain: conflict, status: "exists" };
+      }
+
+      return { deploy, domain: conflict, status: "conflict" };
+    }
+  }
+
   async getArtifact(hash) {
     const result = await this.query("select * from artifacts where hash = $1", [hash]);
     const row = result.rows[0];
@@ -3600,8 +4879,46 @@ export class PostgresAnonymousStore {
     return Object.fromEntries(result.rows.map((row) => [row.env_key, decryptServerEnvValue(row.env_value, this.serverEnvSecret)]));
   }
 
-  async transaction(deployId, handler) {
-    const run = () => handler(this);
+  async stateResourceForDeploy(deployId) {
+    const result = await this.query(
+      `
+      select
+        count(*)::int as state_rows,
+        coalesce(sum(octet_length(data_json::text)), 0)::int as state_bytes
+      from state_rows
+      where deploy_id = $1
+      `,
+      [deployId]
+    );
+    return {
+      stateBytes: result.rows[0]?.state_bytes ?? 0,
+      stateRows: result.rows[0]?.state_rows ?? 0
+    };
+  }
+
+  async assertStateWithinLimits(deployId, options) {
+    assertStateResourceLimits(await this.stateResourceForDeploy(deployId), options);
+  }
+
+  async transaction(deployId, handler, options = {}) {
+    const run = async () => {
+      const client = await this.pool.connect();
+      const tx = Object.create(this);
+      tx.query = (sql, params = []) => client.query(sql, params);
+      tx.pool = this.pool;
+      try {
+        await client.query("begin");
+        const result = await handler(tx);
+        await tx.assertStateWithinLimits(deployId, options);
+        await client.query("commit");
+        return result;
+      } catch (error) {
+        await client.query("rollback").catch(() => undefined);
+        throw error;
+      } finally {
+        client.release();
+      }
+    };
     const next = (this.queues.get(deployId) ?? Promise.resolve()).then(run, run);
     this.queues.set(
       deployId,
@@ -3614,9 +4931,29 @@ export class PostgresAnonymousStore {
   }
 
   async appendLog(deployId, level, message, data) {
+    const entry = normalizeLogEntry(level, message, data);
     await this.query(
       "insert into logs(deploy_id, level, message, data_json, created_at) values($1, $2, $3, $4::jsonb, $5)",
-      [deployId, level, message, JSON.stringify(data ?? null), now()]
+      [deployId, entry.level, entry.message, JSON.stringify(entry.data ?? null), entry.at]
+    );
+    await this.query(
+      `
+      delete from logs
+      where deploy_id = $1
+        and sequence in (
+          select sequence
+          from (
+            select
+              sequence,
+              row_number() over (order by sequence desc) as row_number,
+              sum(octet_length(message) + octet_length(coalesce(data_json::text, ''))) over (order by sequence desc) as cumulative_bytes
+            from logs
+            where deploy_id = $1
+          ) ranked
+          where row_number > $2 or cumulative_bytes > $3
+        )
+      `,
+      [deployId, DEFAULT_ANONYMOUS_LIMITS.logEntries, DEFAULT_ANONYMOUS_LIMITS.logBytes]
     );
   }
 
@@ -3669,6 +5006,10 @@ export class PostgresAnonymousStore {
   }
 
   async incrementQuota(deployId, bucket, limit) {
+    if (!Number.isFinite(limit)) {
+      return { bucket, count: 0, limit, windowStart: dayWindowStart() };
+    }
+
     const windowStart = dayWindowStart();
     const result = await this.query(
       `
@@ -3682,7 +5023,74 @@ export class PostgresAnonymousStore {
     );
     const count = result.rows[0].count;
     if (count > limit) {
-      throw new Error(`Anonymous ${bucket} quota exceeded. Limit: ${limit} per day.`);
+      throw new LakebedQuotaError({
+        bucket,
+        count,
+        limit,
+        resetAt: quotaResetAt(windowStart),
+        retryAfterSeconds: quotaRetryAfterSeconds(windowStart),
+        suggestion: bucket === "mutations" ? "Retry after reset, reduce mutation frequency, or claim the deploy." : "Retry after reset or reduce request frequency."
+      });
+    }
+    return { bucket, count, limit, windowStart };
+  }
+
+  async incrementDeployCreateQuota(clientKey, bucket, limit) {
+    if (!Number.isFinite(limit)) {
+      return { bucket, count: 0, limit, windowStart: dayWindowStart() };
+    }
+
+    const windowStart = dayWindowStart();
+    const result = await this.query(
+      `
+      insert into deploy_create_quota_events(client_key, bucket, window_start, count)
+      values($1, $2, $3, 1)
+      on conflict(client_key, bucket, window_start)
+      do update set count = deploy_create_quota_events.count + 1
+      returning count
+      `,
+      [clientKey, bucket, windowStart]
+    );
+    const count = result.rows[0].count;
+    if (count > limit) {
+      throw new LakebedQuotaError({
+        bucket,
+        count,
+        limit,
+        resetAt: quotaResetAt(windowStart),
+        retryAfterSeconds: quotaRetryAfterSeconds(windowStart),
+        suggestion: "Retry after reset, reuse an existing deploy, or sign in and claim deploys you want to keep."
+      });
+    }
+    return { bucket, count, limit, windowStart };
+  }
+
+  async incrementClientQuota(clientKey, bucket, limit) {
+    if (!Number.isFinite(limit)) {
+      return { bucket, count: 0, limit, windowStart: dayWindowStart() };
+    }
+
+    const windowStart = dayWindowStart();
+    const result = await this.query(
+      `
+      insert into client_quota_events(client_key, bucket, window_start, count)
+      values($1, $2, $3, 1)
+      on conflict(client_key, bucket, window_start)
+      do update set count = client_quota_events.count + 1
+      returning count
+      `,
+      [clientKey, bucket, windowStart]
+    );
+    const count = result.rows[0].count;
+    if (count > limit) {
+      throw new LakebedQuotaError({
+        bucket,
+        count,
+        limit,
+        resetAt: quotaResetAt(windowStart),
+        retryAfterSeconds: quotaRetryAfterSeconds(windowStart),
+        suggestion: clientTrafficQuotaSuggestion(bucket)
+      });
     }
     return { bucket, count, limit, windowStart };
   }
@@ -3796,6 +5204,109 @@ export class PostgresAnonymousStore {
       })
     );
   }
+
+  async recordCleanupRun(stats) {
+    await this.query(
+      "insert into cleanup_runs(started_at, finished_at, stats_json) values($1, $2, $3::jsonb)",
+      [stats.startedAt, stats.finishedAt, JSON.stringify(stats)]
+    );
+  }
+
+  async cleanupExpiredDeploys({ graceSeconds = 60 * 60, retentionSeconds = 7 * 24 * 60 * 60, nowMs = Date.now() } = {}) {
+    const startedAt = new Date(nowMs).toISOString();
+    const finishedAt = now();
+    const markCutoff = new Date(nowMs - graceSeconds * 1000).toISOString();
+    const deleteCutoff = new Date(nowMs - retentionSeconds * 1000).toISOString();
+    const examined = await this.query("select count(*)::int as count from deploys");
+    const marked = await this.query(
+      `
+      update deploys
+      set status = 'terminated',
+        updated_at = $2
+      where owner_id is null
+        and expires_at is not null
+        and expires_at <= $1
+        and status = 'active'
+      returning id
+      `,
+      [markCutoff, finishedAt]
+    );
+    const candidates = await this.query(
+      `
+      select id, artifact_hash
+      from deploys
+      where owner_id is null
+        and expires_at is not null
+        and expires_at <= $1
+      `,
+      [deleteCutoff]
+    );
+    const stats = {
+      deletedArtifacts: 0,
+      deletedDeploys: 0,
+      deletedLogEntries: 0,
+      deletedQuotaEvents: 0,
+      deletedServerEnv: 0,
+      deletedStateRows: 0,
+      examinedDeploys: examined.rows[0]?.count ?? 0,
+      finishedAt,
+      markedTerminated: marked.rowCount,
+      startedAt
+    };
+
+    for (const deploy of candidates.rows) {
+      const stateRows = await this.query("delete from state_rows where deploy_id = $1", [deploy.id]);
+      const logs = await this.query("delete from logs where deploy_id = $1", [deploy.id]);
+      const quota = await this.query("delete from quota_events where deploy_id = $1", [deploy.id]);
+      const serverEnv = await this.query("delete from deploy_server_env where deploy_id = $1", [deploy.id]);
+      await this.query("delete from deploys where id = $1", [deploy.id]);
+      stats.deletedDeploys += 1;
+      stats.deletedStateRows += stateRows.rowCount;
+      stats.deletedLogEntries += logs.rowCount;
+      stats.deletedQuotaEvents += quota.rowCount;
+      stats.deletedServerEnv += serverEnv.rowCount;
+      stats.deletedArtifacts += (await this.decrementArtifactRef(deploy.artifact_hash)) ? 1 : 0;
+    }
+    const deployCreateQuota = await this.query("delete from deploy_create_quota_events where window_start <= $1", [deleteCutoff]);
+    stats.deletedQuotaEvents += deployCreateQuota.rowCount;
+    const clientQuota = await this.query("delete from client_quota_events where window_start <= $1", [deleteCutoff]);
+    stats.deletedQuotaEvents += clientQuota.rowCount;
+
+    await this.recordCleanupRun(stats);
+    return stats;
+  }
+
+  async readCleanupActivity() {
+    const result = await this.query("select stats_json from cleanup_runs order by id desc limit 20");
+    const recentRuns = result.rows.map((row) => row.stats_json);
+    const totalsResult = await this.query(`
+      select
+        coalesce(sum((stats_json->>'deletedArtifacts')::int), 0)::int as deleted_artifacts,
+        coalesce(sum((stats_json->>'deletedDeploys')::int), 0)::int as deleted_deploys,
+        coalesce(sum((stats_json->>'deletedLogEntries')::int), 0)::int as deleted_log_entries,
+        coalesce(sum((stats_json->>'deletedQuotaEvents')::int), 0)::int as deleted_quota_events,
+        coalesce(sum((stats_json->>'deletedServerEnv')::int), 0)::int as deleted_server_env,
+        coalesce(sum((stats_json->>'deletedStateRows')::int), 0)::int as deleted_state_rows,
+        coalesce(sum((stats_json->>'examinedDeploys')::int), 0)::int as examined_deploys,
+        coalesce(sum((stats_json->>'markedTerminated')::int), 0)::int as marked_terminated
+      from cleanup_runs
+    `);
+    const totalsRow = totalsResult.rows[0] ?? {};
+    return {
+      lastRun: recentRuns[0] ?? null,
+      recentRuns,
+      totals: {
+        deletedArtifacts: totalsRow.deleted_artifacts ?? 0,
+        deletedDeploys: totalsRow.deleted_deploys ?? 0,
+        deletedLogEntries: totalsRow.deleted_log_entries ?? 0,
+        deletedQuotaEvents: totalsRow.deleted_quota_events ?? 0,
+        deletedServerEnv: totalsRow.deleted_server_env ?? 0,
+        deletedStateRows: totalsRow.deleted_state_rows ?? 0,
+        examinedDeploys: totalsRow.examined_deploys ?? 0,
+        markedTerminated: totalsRow.marked_terminated ?? 0
+      }
+    };
+  }
 }
 
 export async function createAnonymousStoreFromEnv(env = process.env) {
@@ -3814,12 +5325,30 @@ export async function createAnonymousStoreFromEnv(env = process.env) {
 }
 
 async function loadDeployByRoute({ appBaseDomain, host, store, url }) {
-  const route = parseHostDeploy({ appBaseDomain, host, url }) ?? parsePathDeploy(url);
+  const hostname = hostnameFromHost(host);
+  const domain = hostname && typeof store.getDeployDomainByHostname === "function" ? await store.getDeployDomainByHostname(hostname) : null;
+  const route = domain
+    ? {
+        appPath: url.pathname || "/",
+        basePath: "",
+        domain,
+        hostname: domain.hostname,
+        deployId: domain.deployId
+      }
+    : parseHostDeploy({ appBaseDomain, host, url }) ?? parsePathDeploy(url);
   if (!route) {
     return null;
   }
 
-  const deploy = await store.getDeployBySlug(route.slug);
+  if (domain?.status && domain.status !== "active") {
+    return {
+      error: domain.status === "disabled" ? "Lakebed subdomain is disabled." : "Lakebed subdomain is not active.",
+      route,
+      status: domain.status === "disabled" ? 410 : 404
+    };
+  }
+
+  const deploy = route.deployId ? await store.getDeployById(route.deployId) : await store.getDeployBySlug(route.slug);
   if (!deploy) {
     return { error: "Unknown anonymous deploy.", route, status: 404 };
   }
@@ -3846,6 +5375,10 @@ async function serveInspect({ artifact, deploy, route, store, systemPath }, res)
       artifactHash: deploy.artifactHash,
       clientBundleHash: deploy.clientBundleHash,
       deployId: deploy.id,
+      domains:
+        typeof store.listDeployDomainsForDeploy === "function"
+          ? (await store.listDeployDomainsForDeploy(deploy.id)).map(responseForDeployDomain)
+          : [],
       expiresAt: deploy.expiresAt,
       limits: deploy.limits,
       mutations: Object.keys(artifact.server.mutations ?? {}),
@@ -3911,6 +5444,9 @@ export async function startAnonymousServer({
 } = {}) {
   const resolvedAppBaseDomain = normalizeAppBaseDomain(appBaseDomain);
   const resolvedPublicRootUrl = normalizePublicRootUrl(publicRootUrl ?? process.env.PUBLIC_ROOT_URL, port);
+  const deployCreationPolicy = anonymousDeployCreationPolicy({ publicRootUrl: resolvedPublicRootUrl });
+  const clientTrafficPolicy = anonymousClientTrafficPolicy({ publicRootUrl: resolvedPublicRootUrl });
+  const cleanupPolicy = cleanupPolicyFromEnv();
   const resolvedGithubOAuth = normalizeGithubOAuth(githubOAuth);
   const resolvedDeveloperSessionSecret =
     developerSessionSecret || resolvedGithubOAuth?.sessionSecret || resolvedGithubOAuth?.clientSecret || adminPassword || "";
@@ -3918,6 +5454,7 @@ export async function startAnonymousServer({
   const resolvedSourceRuntime = sourceRuntime === undefined ? createSourceRuntimeFromEnv() : sourceRuntime;
   await resolvedStore.initialize();
   const subscriptions = new Map();
+  let cleanupInterval = null;
 
   function activeConnectionCounts() {
     const counts = new Map();
@@ -3938,6 +5475,10 @@ export async function startAnonymousServer({
   async function adminSummary() {
     const deploys = await adminDeploysWithConnections();
     const users = await resolvedStore.listAdminUsers();
+    const cleanup =
+      typeof resolvedStore.readCleanupActivity === "function"
+        ? await resolvedStore.readCleanupActivity()
+        : { lastRun: null, recentRuns: [], totals: {} };
     const totals = deploys.reduce(
       (acc, deploy) => ({
         artifactBytes: acc.artifactBytes + deploy.artifactBytes,
@@ -3964,6 +5505,7 @@ export async function startAnonymousServer({
     return {
       deployCount: deploys.length,
       deploys,
+      cleanup,
       generatedAt: now(),
       totals,
       userCount: users.length,
@@ -3990,10 +5532,50 @@ export async function startAnonymousServer({
     return developerFromRequest(req, resolvedDeveloperSessionSecret);
   }
 
+  function canManageDeploy(req, deploy) {
+    if (isDeployTokenValid(deploy, bearerToken(req))) {
+      return true;
+    }
+
+    const user = currentDeveloper(req);
+    return Boolean(user?.id && deploy.ownerId && user.id === deploy.ownerId);
+  }
+
   async function developerDeploys(user) {
     return resolvedStore.listDeploysForOwner(user.id);
   }
 
+  async function enforceAnonymousDeployCreation(req) {
+    if (deployCreationPolicy.disabled) {
+      const error = new LakebedQuotaError({
+        bucket: "anonymous_deploy_create_global",
+        count: deployCreationPolicy.globalLimit,
+        limit: deployCreationPolicy.globalLimit,
+        status: 503,
+        suggestion: "Anonymous deploy creation is temporarily disabled. Retry later or claim an existing deploy."
+      });
+      error.code = "lakebed_deploy_creation_disabled";
+      error.message = "Anonymous deploy creation is temporarily disabled.";
+      throw error;
+    }
+
+    const clientKey = forwardedClientKey(req);
+    await resolvedStore.incrementDeployCreateQuota(clientKey, "anonymous_deploy_create_client", deployCreationPolicy.perClientLimit);
+    await resolvedStore.incrementDeployCreateQuota("global", "anonymous_deploy_create_global", deployCreationPolicy.globalLimit);
+  }
+
+  async function enforceClientTrafficQuota(clientKey, bucket) {
+    if (typeof resolvedStore.incrementClientQuota !== "function") {
+      return;
+    }
+
+    const limit =
+      bucket === "mutations"
+        ? clientTrafficPolicy.mutationsPerClientLimit
+        : clientTrafficPolicy.requestsPerClientLimit;
+    await resolvedStore.incrementClientQuota(clientKey, clientTrafficQuotaBucket(bucket), limit);
+  }
+
   async function refreshDeploySubscriptions(deploy) {
     const storedArtifact = await resolvedStore.getArtifact(deploy.artifactHash);
     if (!storedArtifact) {
@@ -4033,6 +5615,30 @@ export async function startAnonymousServer({
     }
   }
 
+  function cleanupTouchedResources(stats) {
+    return (
+      Number(stats?.markedTerminated ?? 0) +
+      Number(stats?.deletedDeploys ?? 0) +
+      Number(stats?.deletedStateRows ?? 0) +
+      Number(stats?.deletedLogEntries ?? 0) +
+      Number(stats?.deletedArtifacts ?? 0)
+    );
+  }
+
+  async function runCleanup(reason = "periodic") {
+    if (typeof resolvedStore.cleanupExpiredDeploys !== "function") {
+      return null;
+    }
+
+    const stats = await resolvedStore.cleanupExpiredDeploys(cleanupPolicy);
+    if (!quiet && cleanupTouchedResources(stats) > 0) {
+      console.log(
+        `[lakebed:cleanup] ${reason} marked=${stats.markedTerminated} deleted=${stats.deletedDeploys} stateRows=${stats.deletedStateRows} logs=${stats.deletedLogEntries} artifacts=${stats.deletedArtifacts}`
+      );
+    }
+    return stats;
+  }
+
   async function publishDeploy(deployId) {
     for (const [ws, subscription] of subscriptions) {
       if (subscription.deploy.id !== deployId) {
@@ -4379,7 +5985,92 @@ export async function startAnonymousServer({
         return;
       }
 
+      const deployDomainsMatch = requestUrl.pathname.match(/^\/v1\/deploys\/([^/]+)\/domains$/);
+      if (deployDomainsMatch && (req.method === "GET" || req.method === "POST")) {
+        const deployId = decodeURIComponent(deployDomainsMatch[1]);
+        const currentDeploy = await resolvedStore.getDeployById(deployId);
+        if (!currentDeploy) {
+          sendJson(res, 404, { error: "Unknown deploy." });
+          return;
+        }
+
+        if (!canManageDeploy(req, currentDeploy)) {
+          sendJson(res, 401, { error: "Invalid deploy token." });
+          return;
+        }
+
+        if (req.method === "GET") {
+          sendJson(res, 200, {
+            deployId: currentDeploy.id,
+            domains:
+              typeof resolvedStore.listDeployDomainsForDeploy === "function"
+                ? (await resolvedStore.listDeployDomainsForDeploy(currentDeploy.id)).map(responseForDeployDomain)
+                : []
+          });
+          return;
+        }
+
+        if (!currentDeploy.ownerId) {
+          sendJson(res, 409, { error: "Deploy must be claimed before registering Lakebed subdomains." });
+          return;
+        }
+        if (currentDeploy.status !== "active" || isExpired(currentDeploy)) {
+          sendJson(res, 409, { error: "Deploy must be active to register Lakebed subdomains." });
+          return;
+        }
+
+        let normalizedDomain;
+        try {
+          const body = await readJsonBody(req, 8192);
+          normalizedDomain = normalizeLakebedSubdomainInput(body.hostname ?? body.subdomain, resolvedAppBaseDomain);
+        } catch (error) {
+          sendJson(res, 400, { error: error instanceof Error ? error.message : String(error) });
+          return;
+        }
+
+        const created = await resolvedStore.createLakebedSubdomain({
+          deployId: currentDeploy.id,
+          hostname: normalizedDomain.hostname,
+          label: normalizedDomain.label,
+          ownerId: currentDeploy.ownerId
+        });
+        if (created.status === "missing") {
+          sendJson(res, 404, { error: "Unknown deploy." });
+          return;
+        }
+        if (created.status === "unclaimed") {
+          sendJson(res, 409, { error: "Deploy must be claimed before registering Lakebed subdomains." });
+          return;
+        }
+        if (created.status === "forbidden") {
+          sendJson(res, 403, { error: "Deploy is claimed by another developer." });
+          return;
+        }
+        if (created.status === "inactive") {
+          sendJson(res, 409, { error: "Deploy must be active to register Lakebed subdomains." });
+          return;
+        }
+        if (created.status === "conflict") {
+          sendJson(res, 409, { error: "Subdomain is already registered." });
+          return;
+        }
+        if (created.status === "slug_conflict") {
+          sendJson(res, 409, { error: "Subdomain is already used by a generated Lakebed deploy URL." });
+          return;
+        }
+
+        if (created.status === "created") {
+          await resolvedStore.appendLog(currentDeploy.id, "info", "lakebed subdomain registered", {
+            hostname: created.domain.hostname
+          });
+        }
+
+        sendJson(res, created.status === "created" ? 201 : 200, responseForDeployDomain(created.domain));
+        return;
+      }
+
       if (req.method === "POST" && requestUrl.pathname === "/v1/anonymous-deploys") {
+        await enforceAnonymousDeployCreation(req);
         const body = await readJsonBody(req);
         const payload = validateAnonymousDeployPayload(body);
         if (payload.serverEnv !== undefined && Object.keys(payload.serverEnv).length > 0) {
@@ -4393,7 +6084,6 @@ export async function startAnonymousServer({
           clientBundleBase64: payload.clientBundleBase64,
           clientBundleHash: payload.clientBundleHash,
           publicRootUrl: resolvedPublicRootUrl,
-          requestedTtlSeconds: body.requestedTtlSeconds ?? requestUrl.searchParams.get("ttl") ?? undefined,
           serverEnv: payload.serverEnv
         });
         await resolvedStore.appendLog(deploy.id, "info", "anonymous deploy created", { artifactHash: deploy.artifactHash });
@@ -4428,7 +6118,6 @@ export async function startAnonymousServer({
           clientBundleHash: payload.clientBundleHash,
           deployId,
           publicRootUrl: resolvedPublicRootUrl,
-          requestedTtlSeconds: body.requestedTtlSeconds ?? requestUrl.searchParams.get("ttl") ?? undefined,
           serverEnv: payload.serverEnv
         });
         if (!deploy) {
@@ -4466,6 +6155,8 @@ export async function startAnonymousServer({
         return;
       }
 
+      const clientKey = forwardedClientKey(req);
+      await enforceClientTrafficQuota(clientKey, "requests");
       await resolvedStore.incrementQuota(
         loaded.deploy.id,
         "requests",
@@ -4495,16 +6186,28 @@ export async function startAnonymousServer({
 
       sendText(res, 404, "Not found\n", { "Content-Type": "text/plain; charset=utf-8" });
     } catch (error) {
+      if (isQuotaError(error)) {
+        sendJson(
+          res,
+          error.status ?? 429,
+          quotaErrorBody(error, {
+            signInUrl: `${resolvedPublicRootUrl}/auth/github?return_to=${encodeURIComponent("/deploys")}`
+          }),
+          quotaErrorHeaders(error)
+        );
+        return;
+      }
       sendJson(res, 500, { error: error instanceof Error ? error.message : String(error) });
     }
   });
 
   const wss = new WebSocketServer({ noServer: true });
 
-  wss.on("connection", (ws, _req, loaded, auth) => {
+  wss.on("connection", (ws, req, loaded, auth) => {
     subscriptions.set(ws, {
       artifact: loaded.artifact,
       auth,
+      clientKey: forwardedClientKey(req),
       deploy: loaded.deploy,
       queries: new Set()
     });
@@ -4525,6 +6228,7 @@ export async function startAnonymousServer({
       }
 
       try {
+        await enforceClientTrafficQuota(subscription.clientKey, "requests");
         await resolvedStore.incrementQuota(
           subscription.deploy.id,
           "requests",
@@ -4551,6 +6255,7 @@ export async function startAnonymousServer({
         }
 
         if (message.op === "mutation.run") {
+          await enforceClientTrafficQuota(subscription.clientKey, "mutations");
           await resolvedStore.incrementQuota(
             subscription.deploy.id,
             "mutations",
@@ -4577,7 +6282,14 @@ export async function startAnonymousServer({
           error: error instanceof Error ? error.message : String(error),
           op: message?.op
         });
+        const quota = isQuotaError(error) ? quotaErrorBody(error) : null;
         websocketSend(ws, {
+          ...(quota
+            ? {
+                code: quota.code,
+                quota
+              }
+            : {}),
           error: error instanceof Error ? error.message : String(error),
           id: message?.id,
           ok: false,
@@ -4624,6 +6336,20 @@ export async function startAnonymousServer({
     });
   });
 
+  void runCleanup("startup").catch((error) => {
+    if (!quiet) {
+      console.error(`[lakebed:cleanup] startup failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+  });
+  cleanupInterval = setInterval(() => {
+    void runCleanup("periodic").catch((error) => {
+      if (!quiet) {
+        console.error(`[lakebed:cleanup] periodic failed: ${error instanceof Error ? error.message : String(error)}`);
+      }
+    });
+  }, cleanupPolicy.intervalSeconds * 1000);
+  cleanupInterval.unref?.();
+
   if (!quiet) {
     console.log(`Lakebed anonymous runner listening at ${resolvedPublicRootUrl}`);
   }
@@ -4635,6 +6361,9 @@ export async function startAnonymousServer({
     store: resolvedStore,
     url: resolvedPublicRootUrl,
     async close() {
+      if (cleanupInterval) {
+        clearInterval(cleanupInterval);
+      }
       for (const client of wss.clients) {
         client.close();
       }