lakebed 0.0.15 → 0.0.17

package/src/anonymous-server.js

@@ -1,10 +1,13 @@
 import { createCipheriv, createDecipheriv, createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";
 import { createServer } from "node:http";
+import { isIP } from "node:net";
+import { domainToASCII } from "node:url";
 import {
   createClaimToken,
   createDeployId,
   createSlug,
   DEFAULT_ANONYMOUS_LIMITS,
+  LAKEBED_VERSION,
   executeAnonymousMutation,
   executeAnonymousQuery,
   hashClaimToken,
@@ -149,6 +152,79 @@ function isDeployTokenValid(deploy, token) {
   return Boolean(token && deploy?.claimTokenHash && hashClaimToken(token) === deploy.claimTokenHash);
 }
 
+const inspectPolicies = new Set(["private", "redacted", "public"]);
+
+function normalizeInspectPolicy(value, fallback = "private") {
+  if (value === undefined || value === null || value === "") {
+    return fallback;
+  }
+
+  const policy = String(value).trim().toLowerCase();
+  if (!inspectPolicies.has(policy)) {
+    throw new Error("inspectPolicy must be private, redacted, or public.");
+  }
+  return policy;
+}
+
+function inspectPolicyForDeploy(deploy) {
+  return normalizeInspectPolicy(deploy?.inspectPolicy, "private");
+}
+
+const sensitiveKeyPattern =
+  /(^|[_-])(authorization|bearer|cookie|jwt|password|secret|session|token|api[_-]?key|access[_-]?key|private[_-]?key|refresh[_-]?token)([_-]|$)/i;
+const secretValuePatterns = [
+  /\bBearer\s+[A-Za-z0-9._~+/-]+=*/gi,
+  /\b(sk|pk|rk|ghp|gho|github_pat)_[A-Za-z0-9_]{12,}\b/g,
+  /\b[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/g
+];
+
+function redactSensitiveString(value) {
+  return secretValuePatterns.reduce((text, pattern) => text.replace(pattern, "[redacted]"), String(value));
+}
+
+function isSensitiveKey(key) {
+  const normalized = String(key).replace(/([a-z0-9])([A-Z])/g, "$1_$2");
+  return sensitiveKeyPattern.test(normalized);
+}
+
+function redactInspectValue(value, seen = new WeakSet()) {
+  if (typeof value === "string") {
+    return redactSensitiveString(value);
+  }
+
+  if (!value || typeof value !== "object") {
+    return value;
+  }
+
+  if (seen.has(value)) {
+    return "[redacted circular]";
+  }
+  seen.add(value);
+
+  if (Array.isArray(value)) {
+    return value.map((entry) => redactInspectValue(entry, seen));
+  }
+
+  return Object.fromEntries(
+    Object.entries(value).map(([key, entryValue]) => [
+      key,
+      isSensitiveKey(key) ? "[redacted]" : redactInspectValue(entryValue, seen)
+    ])
+  );
+}
+
+function redactLogEntry(entry) {
+  return {
+    ...entry,
+    data: redactInspectValue(entry.data),
+    message: redactSensitiveString(entry.message)
+  };
+}
+
+function redactLogData(data) {
+  return redactInspectValue(data);
+}
+
 function normalizePublicRootUrl(value, port) {
   const fallback = `http://localhost:${port}`;
   return String(value || fallback).replace(/\/+$/g, "");
@@ -165,6 +241,106 @@ function normalizeAppBaseDomain(value) {
     .toLowerCase();
 }
 
+const reservedLakebedSubdomainLabels = new Set([
+  "admin",
+  "api",
+  "app",
+  "assets",
+  "auth",
+  "billing",
+  "cdn",
+  "cname",
+  "console",
+  "dashboard",
+  "docs",
+  "ftp",
+  "imap",
+  "login",
+  "mail",
+  "ns1",
+  "ns2",
+  "origin",
+  "pop",
+  "proxy-fallback",
+  "smtp",
+  "static",
+  "status",
+  "support",
+  "www"
+]);
+
+function normalizeHostname(value) {
+  const trimmed = String(value ?? "")
+    .trim()
+    .replace(/\.$/, "")
+    .toLowerCase();
+  if (!trimmed) {
+    return "";
+  }
+
+  return domainToASCII(trimmed).toLowerCase();
+}
+
+function hostnameFromHost(host) {
+  const value = String(host ?? "").trim();
+  if (value.startsWith("[")) {
+    const end = value.indexOf("]");
+    return normalizeHostname(end === -1 ? value : value.slice(1, end));
+  }
+
+  return normalizeHostname(value.split(":")[0]);
+}
+
+function validateLakebedSubdomainLabel(label) {
+  if (!/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/.test(label)) {
+    throw new Error("Lakebed subdomains must use one DNS label with letters, numbers, or hyphens.");
+  }
+
+  if (reservedLakebedSubdomainLabels.has(label)) {
+    throw new Error(`The subdomain ${label} is reserved for Lakebed.`);
+  }
+}
+
+function normalizeLakebedSubdomainInput(value, appBaseDomain) {
+  const baseDomain = normalizeHostname(appBaseDomain);
+  if (!baseDomain) {
+    throw new Error("Lakebed app subdomains are not configured on this runner.");
+  }
+
+  const raw = String(value ?? "").trim();
+  if (!raw) {
+    throw new Error("Subdomain is required.");
+  }
+
+  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(raw) || raw.includes("/") || raw.includes("\\") || raw.includes(":")) {
+    throw new Error("Enter a subdomain like my-app.lakebed.app, without a scheme, port, or path.");
+  }
+
+  const hostname = normalizeHostname(raw);
+  if (!hostname) {
+    throw new Error("Subdomain is not a valid hostname.");
+  }
+
+  const suffix = `.${baseDomain}`;
+  let label;
+  if (hostname.endsWith(suffix)) {
+    label = hostname.slice(0, -suffix.length);
+    if (!label || label.includes(".")) {
+      throw new Error(`Lakebed subdomains must be exactly one label under ${baseDomain}.`);
+    }
+  } else if (!hostname.includes(".")) {
+    label = hostname;
+  } else {
+    throw new Error(`Lakebed subdomains must end with ${baseDomain}.`);
+  }
+
+  validateLakebedSubdomainLabel(label);
+  return {
+    hostname: `${label}.${baseDomain}`,
+    label
+  };
+}
+
 function appUrlForSlug({ appBaseDomain, publicRootUrl, slug }) {
   if (appBaseDomain) {
     return `https://${slug}.${appBaseDomain}`;
@@ -194,12 +370,26 @@ function responseForDeploy({ deploy, token }) {
     deployId: deploy.id,
     expiresAt: deploy.expiresAt,
     inspect: inspectUrls(deploy.url),
+    inspectPolicy: inspectPolicyForDeploy(deploy),
     limits: deploy.limits,
     updatedAt: deploy.updatedAt,
     url: deploy.url
   };
 }
 
+function responseForDeployDomain(domain) {
+  return {
+    createdAt: domain.createdAt,
+    deployId: domain.deployId,
+    hostname: domain.hostname,
+    kind: domain.kind,
+    primary: Boolean(domain.isPrimary),
+    status: domain.status,
+    updatedAt: domain.updatedAt,
+    url: domain.url
+  };
+}
+
 function isExpired(deploy) {
   if (deploy?.ownerId) {
     return false;
@@ -240,14 +430,14 @@ function parseHostDeploy({ appBaseDomain, host, url }) {
     return null;
   }
 
-  const hostname = host.split(":")[0].toLowerCase();
+  const hostname = hostnameFromHost(host);
   const suffix = `.${appBaseDomain.toLowerCase()}`;
   if (!hostname.endsWith(suffix)) {
     return null;
   }
 
   const slug = hostname.slice(0, -suffix.length);
-  if (!slug || slug === "www") {
+  if (!slug || slug.includes(".") || reservedLakebedSubdomainLabels.has(slug)) {
     return null;
   }
 
@@ -266,6 +456,138 @@ function quotaLimitForBucket(bucket, deploy) {
   return deploy.limits.requestsPerDay;
 }
 
+function clientTrafficQuotaBucket(bucket) {
+  return bucket === "mutations" ? "anonymous_client_mutations" : "anonymous_client_requests";
+}
+
+function clientTrafficQuotaSuggestion(bucket) {
+  return bucket === "mutations"
+    ? "Retry after reset or reduce mutation frequency from this client."
+    : "Retry after reset or reduce request frequency from this client.";
+}
+
+function anonymousDeployCreationPolicy({ env = process.env, publicRootUrl }) {
+  const production = !isLocalPublicRootUrl(publicRootUrl);
+  const disabled =
+    booleanFromEnv(env.LAKEBED_ANONYMOUS_DEPLOY_CREATE_DISABLED) ||
+    booleanFromEnv(env.LAKEBED_ANONYMOUS_DEPLOYS_DISABLED);
+  const defaultPerClient = production ? 50 : Number.POSITIVE_INFINITY;
+  const defaultGlobal = production ? 5000 : Number.POSITIVE_INFINITY;
+  return {
+    disabled,
+    globalLimit: positiveIntegerLimitFromEnv(env.LAKEBED_ANONYMOUS_DEPLOY_CREATE_GLOBAL_PER_DAY, defaultGlobal),
+    perClientLimit: positiveIntegerLimitFromEnv(env.LAKEBED_ANONYMOUS_DEPLOY_CREATE_PER_CLIENT_PER_DAY, defaultPerClient),
+    production
+  };
+}
+
+function anonymousClientTrafficPolicy({ env = process.env, publicRootUrl }) {
+  const production = !isLocalPublicRootUrl(publicRootUrl);
+  return {
+    mutationsPerClientLimit: positiveIntegerLimitFromEnv(
+      env.LAKEBED_ANONYMOUS_MUTATIONS_PER_CLIENT_PER_DAY,
+      production ? 10000 : Number.POSITIVE_INFINITY
+    ),
+    requestsPerClientLimit: positiveIntegerLimitFromEnv(
+      env.LAKEBED_ANONYMOUS_REQUESTS_PER_CLIENT_PER_DAY,
+      production ? 100000 : Number.POSITIVE_INFINITY
+    )
+  };
+}
+
+function cleanupPolicyFromEnv(env = process.env) {
+  return {
+    graceSeconds: durationSecondsFromEnv(env.LAKEBED_ANONYMOUS_CLEANUP_GRACE, 60 * 60, { min: 0 }),
+    intervalSeconds: durationSecondsFromEnv(env.LAKEBED_ANONYMOUS_CLEANUP_INTERVAL, 60 * 60, { min: 60 }),
+    retentionSeconds: durationSecondsFromEnv(env.LAKEBED_ANONYMOUS_CLEANUP_RETENTION, 7 * 24 * 60 * 60, { min: 0 })
+  };
+}
+
+function normalizePeerAddress(value) {
+  let address = String(value ?? "").trim();
+  if (!address) {
+    return "unknown";
+  }
+  if (address.startsWith("::ffff:")) {
+    address = address.slice("::ffff:".length);
+  }
+  if (address.startsWith("[") && address.includes("]")) {
+    address = address.slice(1, address.indexOf("]"));
+  }
+  if (/^\d+\.\d+\.\d+\.\d+:\d+$/.test(address)) {
+    address = address.slice(0, address.lastIndexOf(":"));
+  }
+  return address;
+}
+
+function ipv4ToNumber(address) {
+  const parts = address.split(".").map((part) => Number(part));
+  if (parts.length !== 4 || parts.some((part) => !Number.isInteger(part) || part < 0 || part > 255)) {
+    return null;
+  }
+  return parts.reduce((acc, part) => (acc << 8) + part, 0) >>> 0;
+}
+
+function ipv4InCidr(address, cidr) {
+  const [base, rawBits] = cidr.split("/");
+  const bits = Number(rawBits);
+  const value = ipv4ToNumber(address);
+  const baseValue = ipv4ToNumber(base);
+  if (value === null || baseValue === null || !Number.isInteger(bits) || bits < 0 || bits > 32) {
+    return false;
+  }
+
+  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
+  return (value & mask) === (baseValue & mask);
+}
+
+function hasRailwayRuntimeEnv(env = process.env) {
+  return Boolean(env.RAILWAY_SERVICE_ID || env.RAILWAY_PROJECT_ID || env.RAILWAY_DEPLOYMENT_ID || env.RAILWAY_REPLICA_ID);
+}
+
+function isRailwayProxyPeer(req, env = process.env) {
+  const edge = String(req.headers["x-railway-edge"] ?? "");
+  if (!hasRailwayRuntimeEnv(env) || !/^railway\/[a-z0-9][a-z0-9-]*$/i.test(edge)) {
+    return false;
+  }
+
+  // Railway's proxy guidance treats 100.0.0.0/8 as the trusted internal proxy range.
+  const address = normalizePeerAddress(req.socket.remoteAddress);
+  return isIP(address) === 4 && ipv4InCidr(address, "100.0.0.0/8");
+}
+
+function shouldTrustProxyHeaders(req, env = process.env) {
+  if (booleanFromEnv(env.LAKEBED_TRUST_PROXY_HEADERS)) {
+    return true;
+  }
+
+  return isRailwayProxyPeer(req, env);
+}
+
+function firstHeaderValue(req, names) {
+  for (const name of names) {
+    const raw = req.headers[name];
+    const candidate = String(Array.isArray(raw) ? raw[0] : (raw ?? ""))
+      .split(",")[0]
+      .trim();
+    if (candidate) {
+      return normalizePeerAddress(candidate).slice(0, 256);
+    }
+  }
+  return "";
+}
+
+function forwardedClientKey(req, env = process.env) {
+  if (shouldTrustProxyHeaders(req, env)) {
+    const forwarded = firstHeaderValue(req, ["x-real-ip", "cf-connecting-ip", "fly-client-ip", "x-forwarded-for"]);
+    if (forwarded) {
+      return forwarded;
+    }
+  }
+
+  return normalizePeerAddress(req.socket.remoteAddress).slice(0, 256);
+}
+
 const USER_LIMIT_OVERRIDE_KEYS = ["requestsPerDay", "mutationsPerDay"];
 const USER_BOOST_MULTIPLIER = 20;
 
@@ -451,7 +773,7 @@ function isSecureRequest(req) {
 }
 
 function adminCookie(value, maxAge = adminCookieMaxAgeSeconds, secure = false) {
-  return `${adminCookieName}=${value}; HttpOnly; SameSite=Lax; Path=/admin; Max-Age=${maxAge}${secure ? "; Secure" : ""}`;
+  return `${adminCookieName}=${value}; HttpOnly; SameSite=Lax; Path=/; Max-Age=${maxAge}${secure ? "; Secure" : ""}`;
 }
 
 function cookie(name, value, { httpOnly = true, maxAge, path = "/", sameSite = "Lax", secure = false } = {}) {
@@ -665,6 +987,193 @@ function bytesOfJson(value) {
   return Buffer.byteLength(JSON.stringify(value ?? null), "utf8");
 }
 
+function durationSecondsFromEnv(value, fallback, { min = 0, max = Number.MAX_SAFE_INTEGER } = {}) {
+  if (value === undefined || value === null || value === "") {
+    return fallback;
+  }
+
+  const match = String(value).trim().match(/^(\d+)([smhd])?$/);
+  if (!match) {
+    throw new Error(`Invalid duration: ${value}. Use a value like 15m, 1h, 7d, or 604800.`);
+  }
+
+  const multipliers = { d: 86400, h: 3600, m: 60, s: 1 };
+  const seconds = Number(match[1]) * multipliers[match[2] ?? "s"];
+  return Math.max(min, Math.min(max, seconds));
+}
+
+function positiveIntegerLimitFromEnv(value, fallback) {
+  if (value === undefined || value === null || value === "") {
+    return fallback;
+  }
+
+  const parsed = Number(value);
+  if (!Number.isSafeInteger(parsed) || parsed < 0) {
+    throw new Error(`Invalid limit: ${value}. Use a non-negative integer.`);
+  }
+  return parsed;
+}
+
+function isLocalPublicRootUrl(publicRootUrl) {
+  try {
+    const hostname = new URL(publicRootUrl).hostname.toLowerCase();
+    return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1" || hostname.endsWith(".localhost");
+  } catch {
+    return true;
+  }
+}
+
+function booleanFromEnv(value) {
+  return ["1", "true", "yes", "on"].includes(String(value ?? "").trim().toLowerCase());
+}
+
+function quotaResetAt(windowStart) {
+  return new Date(Date.parse(windowStart) + 24 * 60 * 60 * 1000).toISOString();
+}
+
+function quotaRetryAfterSeconds(windowStart) {
+  return Math.max(1, Math.ceil((Date.parse(quotaResetAt(windowStart)) - Date.now()) / 1000));
+}
+
+export class LakebedQuotaError extends Error {
+  constructor({ bucket, count, limit, resetAt, retryAfterSeconds, status = 429, suggestion }) {
+    super(`${bucket} quota exceeded. Limit: ${limit}.`);
+    this.name = "LakebedQuotaError";
+    this.bucket = bucket;
+    this.code = "lakebed_quota_exceeded";
+    this.count = count;
+    this.limit = limit;
+    this.resetAt = resetAt ?? null;
+    this.retryAfterSeconds = retryAfterSeconds ?? null;
+    this.status = status;
+    this.suggestion = suggestion;
+  }
+}
+
+function isQuotaError(error) {
+  return error instanceof LakebedQuotaError || error?.code === "lakebed_quota_exceeded";
+}
+
+function quotaErrorBody(error, extra = {}) {
+  return {
+    bucket: error.bucket,
+    code: error.code ?? "lakebed_quota_exceeded",
+    current: error.count,
+    error: error.message,
+    limit: error.limit,
+    resetAt: error.resetAt ?? null,
+    retryAfterSeconds: error.retryAfterSeconds ?? null,
+    suggestion: error.suggestion,
+    ...extra
+  };
+}
+
+function quotaErrorHeaders(error) {
+  const headers = {};
+  if (Number.isFinite(error.retryAfterSeconds)) {
+    headers["Retry-After"] = String(error.retryAfterSeconds);
+  }
+  if (Number.isFinite(error.limit)) {
+    headers["X-RateLimit-Limit"] = String(error.limit);
+  }
+  if (Number.isFinite(error.count) && Number.isFinite(error.limit)) {
+    headers["X-RateLimit-Remaining"] = String(Math.max(0, error.limit - error.count));
+  }
+  if (error.resetAt) {
+    headers["X-RateLimit-Reset"] = error.resetAt;
+  }
+  return headers;
+}
+
+function stateRowsLimitFromTransactionOptions(options = {}) {
+  const explicit = options.stateRowsLimit;
+  if (Number.isSafeInteger(explicit) && explicit > 0) {
+    return explicit;
+  }
+  const stateBytes = options.stateBytesLimit ?? DEFAULT_ANONYMOUS_LIMITS.stateBytes;
+  return Math.max(1, Math.floor(stateBytes / 64));
+}
+
+function assertStateResourceLimits({ stateBytes, stateRows }, options = {}) {
+  const stateBytesLimit = options.stateBytesLimit ?? DEFAULT_ANONYMOUS_LIMITS.stateBytes;
+  const stateRowsLimit = stateRowsLimitFromTransactionOptions(options);
+  if (Number.isFinite(stateRowsLimit) && stateRows > stateRowsLimit) {
+    throw new LakebedQuotaError({
+      bucket: "state_rows",
+      count: stateRows,
+      limit: stateRowsLimit,
+      suggestion: "Delete rows or claim the deploy before retrying this mutation."
+    });
+  }
+  if (Number.isFinite(stateBytesLimit) && stateBytes > stateBytesLimit) {
+    throw new LakebedQuotaError({
+      bucket: "state_bytes",
+      count: stateBytes,
+      limit: stateBytesLimit,
+      suggestion: "Reduce stored values, delete rows, or claim the deploy before retrying this mutation."
+    });
+  }
+}
+
+function safeJsonValue(value) {
+  if (value === undefined) {
+    return null;
+  }
+
+  try {
+    JSON.stringify(value);
+    return value;
+  } catch {
+    return String(value);
+  }
+}
+
+function truncateUtf8(value, maxBytes) {
+  const text = String(value ?? "");
+  if (Buffer.byteLength(text, "utf8") <= maxBytes) {
+    return text;
+  }
+
+  let end = text.length;
+  while (end > 0 && Buffer.byteLength(text.slice(0, end), "utf8") > maxBytes) {
+    end -= 1;
+  }
+  return text.slice(0, end);
+}
+
+function normalizeLogEntry(level, message, data, limits = DEFAULT_ANONYMOUS_LIMITS) {
+  const maxEntryBytes = limits.logEntryBytes ?? DEFAULT_ANONYMOUS_LIMITS.logEntryBytes;
+  const maxMessageBytes = Math.max(128, Math.min(maxEntryBytes, Math.floor(maxEntryBytes / 2)));
+  const originalMessageBytes = Buffer.byteLength(String(message ?? ""), "utf8");
+  const cleanMessage =
+    originalMessageBytes > maxMessageBytes
+      ? `${truncateUtf8(message, Math.max(0, maxMessageBytes - 18))}...[truncated]`
+      : String(message ?? "");
+  let cleanData = safeJsonValue(data);
+  let entry = { at: now(), data: cleanData, level, message: cleanMessage };
+
+  if (bytesOfJson(entry) > maxEntryBytes) {
+    const dataText = JSON.stringify(cleanData ?? null);
+    cleanData = {
+      preview: truncateUtf8(dataText, Math.max(0, maxEntryBytes - bytesOfJson({ at: entry.at, data: null, level, message: cleanMessage }) - 128)),
+      truncated: true,
+      originalBytes: Buffer.byteLength(dataText, "utf8")
+    };
+    entry = { ...entry, data: cleanData };
+  }
+
+  if (bytesOfJson(entry) > maxEntryBytes) {
+    entry = {
+      at: entry.at,
+      data: { truncated: true },
+      level,
+      message: truncateUtf8(cleanMessage, Math.max(64, maxEntryBytes - 96))
+    };
+  }
+
+  return entry;
+}
+
 function usageCounts(usage) {
   const windowStart = dayWindowStart();
   const counts = {
@@ -696,6 +1205,7 @@ function adminDeploySummary({ artifact, artifactBytes = 0, deploy, logBytes = 0,
     createdAt: deploy.createdAt,
     expiresAt: deploy.expiresAt,
     id: deploy.id,
+    inspectPolicy: inspectPolicyForDeploy(deploy),
     limits: deploy.limits,
     logBytes,
     logEntries,
@@ -896,7 +1406,7 @@ function adminHtml() {
       .metrics {
         display: grid;
         gap: 8px;
-        grid-template-columns: repeat(6, minmax(120px, 1fr));
+        grid-template-columns: repeat(8, minmax(120px, 1fr));
         margin-bottom: 14px;
       }
 
@@ -1278,8 +1788,10 @@ function adminHtml() {
           <div class="metric"><span>artifact bytes</span><strong id="metric-artifacts">0 B</strong></div>
           <div class="metric"><span>state bytes</span><strong id="metric-state">0 B</strong></div>
           <div class="metric"><span>state rows</span><strong id="metric-rows">0</strong></div>
+          <div class="metric"><span>log bytes</span><strong id="metric-logs">0 B</strong></div>
           <div class="metric"><span>requests today</span><strong id="metric-requests">0</strong></div>
           <div class="metric"><span>mutations today</span><strong id="metric-mutations">0</strong></div>
+          <div class="metric"><span>cleaned deploys</span><strong id="metric-cleanup">0</strong></div>
         </section>
 
         <section class="panel" id="deployments-view">
@@ -1880,8 +2392,10 @@ function adminHtml() {
         setMetric("metric-artifacts", formatBytes(summary.totals.artifactBytes));
         setMetric("metric-state", formatBytes(summary.totals.stateBytes));
         setMetric("metric-rows", formatNumber(summary.totals.stateRows));
+        setMetric("metric-logs", formatBytes(summary.totals.logBytes));
         setMetric("metric-requests", formatNumber(summary.totals.requestsToday));
         setMetric("metric-mutations", formatNumber(summary.totals.mutationsToday));
+        setMetric("metric-cleanup", formatNumber(summary.cleanup?.totals?.deletedDeploys || 0));
         statusLine.textContent = "Updated " + formatTime(summary.generatedAt);
       }
 
@@ -2225,12 +2739,109 @@ function escapeHtml(value) {
     .replace(/"/g, "&quot;");
 }
 
-function formatHtmlTime(value) {
-  return value ? new Date(value).toLocaleString() : "unknown";
+function formatHtmlNumber(value) {
+  return new Intl.NumberFormat().format(Number(value || 0));
+}
+
+function parseHtmlDate(value) {
+  if (!value) {
+    return null;
+  }
+  const date = value instanceof Date ? value : new Date(value);
+  return Number.isFinite(date.getTime()) ? date : null;
+}
+
+function formatHtmlAbsoluteTime(value) {
+  const date = parseHtmlDate(value);
+  if (!date) {
+    return "unknown";
+  }
+  return new Intl.DateTimeFormat(undefined, {
+    day: "numeric",
+    hour: "numeric",
+    minute: "2-digit",
+    month: "short",
+    timeZoneName: "short",
+    year: "numeric"
+  }).format(date);
+}
+
+function relativeHtmlUnit(diffMs, unitMs) {
+  const value = Math.round(diffMs / unitMs);
+  if (value === 0) {
+    return diffMs < 0 ? -1 : 1;
+  }
+  return value;
+}
+
+function formatHtmlRelativeTime(value, baseDate = new Date()) {
+  const date = parseHtmlDate(value);
+  if (!date) {
+    return "unknown";
+  }
+
+  const diffMs = date.getTime() - baseDate.getTime();
+  const absMs = Math.abs(diffMs);
+  const second = 1000;
+  const minute = 60 * second;
+  const hour = 60 * minute;
+  const day = 24 * hour;
+  const week = 7 * day;
+  const formatter = new Intl.RelativeTimeFormat(undefined, { numeric: "auto" });
+
+  if (absMs < 45 * second) {
+    return diffMs < 0 ? "just now" : "soon";
+  }
+  if (absMs < 45 * minute) {
+    return formatter.format(relativeHtmlUnit(diffMs, minute), "minute");
+  }
+  if (absMs < 22 * hour) {
+    return formatter.format(relativeHtmlUnit(diffMs, hour), "hour");
+  }
+  if (absMs < 26 * day) {
+    return formatter.format(relativeHtmlUnit(diffMs, day), "day");
+  }
+  if (absMs < 8 * week) {
+    return formatter.format(relativeHtmlUnit(diffMs, week), "week");
+  }
+  return formatHtmlAbsoluteTime(date);
+}
+
+function htmlTime(value) {
+  const date = parseHtmlDate(value);
+  if (!date) {
+    return `<span>unknown</span>`;
+  }
+
+  return `<time datetime="${escapeHtml(date.toISOString())}" title="${escapeHtml(formatHtmlAbsoluteTime(date))}">${escapeHtml(formatHtmlRelativeTime(date))}</time>`;
+}
+
+function cssClassToken(value) {
+  return (
+    String(value ?? "")
+      .toLowerCase()
+      .replace(/[^a-z0-9_-]+/g, "-")
+      .replace(/^-+|-+$/g, "") || "unknown"
+  );
+}
+
+function quotaPercent(used, limit) {
+  const numericLimit = Number(limit || 0);
+  if (numericLimit <= 0) {
+    return 0;
+  }
+  return Math.max(0, Math.min(100, (Number(used || 0) / numericLimit) * 100));
 }
 
-function formatHtmlExpiry(value) {
-  return value ? formatHtmlTime(value) : "never";
+function quotaHtml(label, used, limit) {
+  const percent = quotaPercent(used, limit).toFixed(2);
+  return `<div class="quota">
+    <div class="quota-row">
+      <span class="quota-label">${escapeHtml(label)}</span>
+      <span class="quota-count">${escapeHtml(formatHtmlNumber(used))} / ${escapeHtml(formatHtmlNumber(limit))}</span>
+    </div>
+    <div class="meter" aria-hidden="true"><span style="--usage: ${percent}%"></span></div>
+  </div>`;
 }
 
 function developerDeploySummary({ artifact, deploy, usage }) {
@@ -2242,6 +2853,7 @@ function developerDeploySummary({ artifact, deploy, usage }) {
     deployId: deploy.id,
     expiresAt: deploy.expiresAt,
     inspect: inspectUrls(deploy.url),
+    inspectPolicy: inspectPolicyForDeploy(deploy),
     limits: deploy.limits,
     name: artifact?.name ?? "Lakebed Capsule",
     ownerId: deploy.ownerId,
@@ -2255,18 +2867,34 @@ function developerDeploySummary({ artifact, deploy, usage }) {
 
 function developerHtml({ authConfigured, deploys = [], user }) {
   const signedIn = Boolean(user);
+  const activeDeploys = deploys.filter((deploy) => deploy.status === "active").length;
+  const requestsToday = deploys.reduce((total, deploy) => total + Number(deploy.usage.requestsToday || 0), 0);
+  const mutationsToday = deploys.reduce((total, deploy) => total + Number(deploy.usage.mutationsToday || 0), 0);
   const rows = deploys
-    .map(
-      (deploy) => `<tr>
-        <td><a href="${escapeHtml(deploy.url)}" target="_blank" rel="noopener noreferrer">${escapeHtml(deploy.name)}</a><small>${escapeHtml(deploy.deployId)} / ${escapeHtml(deploy.slug)}</small></td>
-        <td><span class="pill ${escapeHtml(deploy.status)}">${escapeHtml(deploy.status)}</span></td>
-        <td>${escapeHtml(formatHtmlTime(deploy.createdAt))}</td>
-        <td>${escapeHtml(formatHtmlTime(deploy.updatedAt))}</td>
-        <td>${escapeHtml(formatHtmlExpiry(deploy.expiresAt))}</td>
-        <td>${escapeHtml(deploy.usage.requestsToday)} / ${escapeHtml(deploy.limits.requestsPerDay)}</td>
-        <td>${escapeHtml(deploy.usage.mutationsToday)} / ${escapeHtml(deploy.limits.mutationsPerDay)}</td>
-      </tr>`
-    )
+    .map((deploy) => {
+      const statusClass = cssClassToken(deploy.status);
+      return `<article class="deploy-row">
+        <div class="deploy-main">
+          <div class="deploy-title-line">
+            <a class="deploy-name" href="${escapeHtml(deploy.url)}" target="_blank" rel="noopener noreferrer">${escapeHtml(deploy.name)}</a>
+            <span class="status status-${escapeHtml(statusClass)}">${escapeHtml(deploy.status)}</span>
+            ${deploy.expiresAt ? `<span class="expiry">expires ${htmlTime(deploy.expiresAt)}</span>` : ""}
+          </div>
+          <div class="deploy-ids">
+            <span>${escapeHtml(deploy.deployId)}</span>
+            <span>${escapeHtml(deploy.slug)}</span>
+          </div>
+        </div>
+        <div class="activity">
+          <div class="activity-item"><span>Updated</span>${htmlTime(deploy.updatedAt)}</div>
+          <div class="activity-item"><span>Created</span>${htmlTime(deploy.createdAt)}</div>
+        </div>
+        <div class="usage-grid">
+          ${quotaHtml("Requests", deploy.usage.requestsToday, deploy.limits.requestsPerDay)}
+          ${quotaHtml("Mutations", deploy.usage.mutationsToday, deploy.limits.mutationsPerDay)}
+        </div>
+      </article>`;
+    })
     .join("");
 
   return `<!doctype html>
@@ -2278,14 +2906,18 @@ function developerHtml({ authConfigured, deploys = [], user }) {
     <style>
       :root {
         color-scheme: dark;
-        --bg: #11130f;
-        --panel: #191c16;
-        --line: #343b2e;
-        --text: #f2f0e8;
-        --muted: #a8ab9e;
-        --accent: #91d46f;
-        --bad: #ee7d71;
-        --ink: #0c110a;
+        --accent: #b7f26d;
+        --bg: #070a09;
+        --cyan: #71d6ff;
+        --danger: #ff7b72;
+        --line: #26302b;
+        --line-strong: #3b4740;
+        --muted: #8f9c94;
+        --panel: #0f1513;
+        --panel-raised: #141b18;
+        --soft: #bfcbc3;
+        --text: #eef6f0;
+        --warning: #ffd166;
       }
 
       * {
@@ -2295,13 +2927,12 @@ function developerHtml({ authConfigured, deploys = [], user }) {
       body {
         background: var(--bg);
         color: var(--text);
-        font-family: "Avenir Next", "Helvetica Neue", sans-serif;
-        letter-spacing: 0;
+        font-family: Inter, ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
         margin: 0;
       }
 
       a {
-        color: var(--accent);
+        color: inherit;
         text-decoration: none;
       }
 
@@ -2311,48 +2942,102 @@ function developerHtml({ authConfigured, deploys = [], user }) {
 
       .shell {
         margin: 0 auto;
-        max-width: 1120px;
+        max-width: 1560px;
         min-height: 100vh;
-        padding: 28px;
+        padding: 34px 32px 56px;
+        width: 100%;
       }
 
       header {
         align-items: center;
+        border-bottom: 1px solid var(--line);
         display: flex;
         gap: 16px;
         justify-content: space-between;
-        margin-bottom: 24px;
+        margin-bottom: 22px;
+        padding-bottom: 22px;
       }
 
       h1 {
-        font-size: 32px;
-        line-height: 1;
+        font-size: 40px;
+        line-height: 1.05;
         margin: 0;
       }
 
       .eyebrow,
-      small,
-      th,
-      .meta {
+      .meta,
+      .deploy-ids,
+      .activity-item span,
+      .expiry,
+      .list-head,
+      .quota-label,
+      .quota-count,
+      .status {
         color: var(--muted);
         font-family: "SFMono-Regular", Consolas, monospace;
         font-size: 12px;
       }
 
+      .eyebrow {
+        color: var(--accent);
+        margin-bottom: 6px;
+      }
+
+      .meta {
+        margin-top: 4px;
+      }
+
       .button {
-        background: var(--accent);
-        border: 1px solid var(--accent);
+        align-items: center;
+        background: transparent;
+        border: 1px solid var(--line-strong);
         border-radius: 6px;
-        color: var(--ink);
+        color: var(--text);
         display: inline-flex;
         font-weight: 700;
         min-height: 40px;
         padding: 10px 14px;
       }
 
-      .button.secondary {
-        background: transparent;
+      .button:hover {
+        border-color: var(--accent);
+        text-decoration: none;
+      }
+
+      .button.secondary {
+        background: transparent;
+        color: var(--text);
+      }
+
+      .summary {
+        background: var(--line);
+        border: 1px solid var(--line);
+        border-radius: 8px;
+        display: grid;
+        gap: 1px;
+        grid-template-columns: repeat(3, minmax(0, 1fr));
+        margin-bottom: 18px;
+        overflow: hidden;
+      }
+
+      .metric {
+        background: var(--panel);
+        padding: 15px 16px;
+      }
+
+      .metric span {
+        color: var(--muted);
+        display: block;
+        font-family: "SFMono-Regular", Consolas, monospace;
+        font-size: 12px;
+        margin-bottom: 6px;
+      }
+
+      .metric strong {
         color: var(--text);
+        display: block;
+        font-size: 22px;
+        line-height: 1;
       }
 
       .panel {
@@ -2367,51 +3052,160 @@ function developerHtml({ authConfigured, deploys = [], user }) {
         padding: 22px;
       }
 
-      table {
-        border-collapse: collapse;
-        width: 100%;
+      .deploy-list {
+        display: grid;
       }
 
-      th,
-      td {
+      .list-head,
+      .deploy-row {
+        align-items: center;
+        display: grid;
+        gap: 24px;
+        grid-template-columns: minmax(360px, 1fr) minmax(210px, 300px) minmax(360px, 430px);
+      }
+
+      .list-head {
+        background: #0b100e;
         border-bottom: 1px solid var(--line);
-        padding: 13px 14px;
-        text-align: left;
-        vertical-align: top;
+        padding: 12px 18px;
       }
 
-      tr:last-child td {
+      .deploy-row {
+        background: var(--panel);
+        border-bottom: 1px solid var(--line);
+        min-width: 0;
+        padding: 18px;
+      }
+
+      .deploy-row:last-child {
         border-bottom: 0;
       }
 
-      td:first-child {
-        display: grid;
-        gap: 4px;
+      .deploy-row:hover {
+        background: var(--panel-raised);
       }
 
-      .pill {
-        border: 1px solid var(--line);
-        border-radius: 999px;
-        display: inline-flex;
-        font-family: "SFMono-Regular", Consolas, monospace;
-        font-size: 12px;
-        padding: 3px 8px;
+      .deploy-main,
+      .activity,
+      .usage-grid,
+      .quota {
+        min-width: 0;
       }
 
-      .pill.active {
-        border-color: rgba(145, 212, 111, 0.7);
+      .deploy-title-line {
+        align-items: center;
+        display: flex;
+        flex-wrap: wrap;
+        gap: 8px 10px;
+        margin-bottom: 8px;
+        min-width: 0;
+      }
+
+      .deploy-name {
+        color: var(--text);
+        font-size: 16px;
+        font-weight: 700;
+        overflow-wrap: anywhere;
+      }
+
+      .deploy-ids {
+        align-items: center;
+        display: flex;
+        flex-wrap: wrap;
+        gap: 6px 12px;
+      }
+
+      .deploy-ids span {
+        overflow-wrap: anywhere;
+      }
+
+      .status {
+        align-items: center;
         color: var(--accent);
+        display: inline-flex;
+        gap: 6px;
+        white-space: nowrap;
       }
 
-      .pill.expired,
-      .pill.terminated {
-        border-color: rgba(238, 125, 113, 0.75);
-        color: var(--bad);
+      .status::before {
+        background: var(--accent);
+        border-radius: 999px;
+        box-shadow: 0 0 0 3px rgba(183, 242, 109, 0.14);
+        content: "";
+        height: 7px;
+        width: 7px;
+      }
+
+      .status-expired,
+      .status-terminated {
+        color: var(--danger);
       }
 
-      @media (max-width: 720px) {
+      .status-expired::before,
+      .status-terminated::before {
+        background: var(--danger);
+        box-shadow: 0 0 0 3px rgba(255, 123, 114, 0.15);
+      }
+
+      .expiry {
+        color: var(--warning);
+        white-space: nowrap;
+      }
+
+      .activity {
+        display: grid;
+        gap: 6px;
+      }
+
+      .activity-item {
+        align-items: baseline;
+        color: var(--soft);
+        display: flex;
+        gap: 12px;
+        justify-content: space-between;
+      }
+
+      time {
+        color: var(--text);
+        white-space: nowrap;
+      }
+
+      .usage-grid {
+        display: grid;
+        gap: 12px;
+        grid-template-columns: repeat(2, minmax(0, 1fr));
+      }
+
+      .quota-row {
+        align-items: baseline;
+        display: flex;
+        gap: 12px;
+        justify-content: space-between;
+        margin-bottom: 8px;
+      }
+
+      .quota-count {
+        color: var(--text);
+        white-space: nowrap;
+      }
+
+      .meter {
+        background: #222b26;
+        border-radius: 999px;
+        height: 6px;
+        overflow: hidden;
+      }
+
+      .meter span {
+        background: linear-gradient(90deg, var(--accent), var(--cyan));
+        display: block;
+        height: 100%;
+        width: var(--usage);
+      }
+
+      @media (max-width: 980px) {
         .shell {
-          padding: 18px;
+          padding: 24px 18px 40px;
         }
 
         header {
@@ -2419,12 +3213,46 @@ function developerHtml({ authConfigured, deploys = [], user }) {
           flex-direction: column;
         }
 
-        table {
-          min-width: 760px;
+        h1 {
+          font-size: 32px;
         }
 
-        .panel {
-          overflow-x: auto;
+        .summary {
+          grid-template-columns: repeat(3, minmax(0, 1fr));
+        }
+
+        .list-head {
+          display: none;
+        }
+
+        .deploy-row {
+          align-items: stretch;
+          gap: 16px;
+          grid-template-columns: 1fr;
+        }
+
+        .activity-item {
+          justify-content: flex-start;
+        }
+      }
+
+      @media (max-width: 640px) {
+        .shell {
+          padding: 20px 12px 36px;
+        }
+
+        .summary,
+        .usage-grid {
+          grid-template-columns: 1fr;
+        }
+
+        .deploy-ids {
+          display: grid;
+        }
+
+        .activity-item {
+          display: grid;
+          gap: 2px;
         }
       }
     </style>
@@ -2447,6 +3275,15 @@ function developerHtml({ authConfigured, deploys = [], user }) {
           }
         </div>
       </header>
+      ${
+        signedIn && deploys.length
+          ? `<section class="summary" aria-label="Deployment summary">
+              <div class="metric"><span>active deploys</span><strong>${escapeHtml(formatHtmlNumber(activeDeploys))}</strong></div>
+              <div class="metric"><span>requests today</span><strong>${escapeHtml(formatHtmlNumber(requestsToday))}</strong></div>
+              <div class="metric"><span>mutations today</span><strong>${escapeHtml(formatHtmlNumber(mutationsToday))}</strong></div>
+            </section>`
+          : ""
+      }
 
       ${
         !authConfigured
@@ -2456,20 +3293,14 @@ function developerHtml({ authConfigured, deploys = [], user }) {
             : deploys.length === 0
               ? `<section class="panel"><div class="empty">No claimed deployments.</div></section>`
               : `<section class="panel">
-                  <table>
-                    <thead>
-                      <tr>
-                        <th>Deploy</th>
-                        <th>Status</th>
-                        <th>Created</th>
-                        <th>Updated</th>
-                        <th>Expires</th>
-                        <th>Requests</th>
-                        <th>Mutations</th>
-                      </tr>
-                    </thead>
-                    <tbody>${rows}</tbody>
-                  </table>
+                  <div class="deploy-list">
+                    <div class="list-head" aria-hidden="true">
+                      <span>Deploy</span>
+                      <span>Activity</span>
+                      <span>Usage today</span>
+                    </div>
+                    ${rows}
+                  </div>
                 </section>`
       }
     </main>
@@ -2480,14 +3311,19 @@ function developerHtml({ authConfigured, deploys = [], user }) {
 export class MemoryAnonymousStore {
   constructor() {
     this.artifacts = new Map();
+    this.deployDomainsByHostname = new Map();
     this.deploys = new Map();
     this.deploysBySlug = new Map();
+    this.deployCreateQuotaEvents = new Map();
+    this.clientQuotaEvents = new Map();
     this.logs = new Map();
     this.quotaEvents = new Map();
     this.queues = new Map();
     this.rows = new Map();
     this.serverEnv = new Map();
     this.users = new Map();
+    this.cleanupRuns = [];
+    this.cleanupTotals = {};
   }
 
   async initialize() {}
@@ -2614,11 +3450,30 @@ export class MemoryAnonymousStore {
     });
   }
 
-  async createDeploy({ appBaseDomain, artifact, artifactHash, clientBundleBase64, clientBundleHash, publicRootUrl, serverEnv }) {
+  decrementArtifactRef(artifactHash) {
+    const artifact = this.artifacts.get(artifactHash);
+    if (!artifact) {
+      return false;
+    }
+
+    const refCount = Math.max(0, Number(artifact.refCount ?? 0) - 1);
+    if (refCount <= 0) {
+      this.artifacts.delete(artifactHash);
+      return true;
+    }
+
+    this.artifacts.set(artifactHash, { ...artifact, refCount });
+    return false;
+  }
+
+  async createDeploy({ appBaseDomain, artifact, artifactHash, clientBundleBase64, clientBundleHash, inspectPolicy, publicRootUrl, serverEnv }) {
     const deployId = createDeployId();
     const normalizedAppBaseDomain = normalizeAppBaseDomain(appBaseDomain);
     let slug = createSlug();
-    while (this.deploysBySlug.has(slug)) {
+    while (
+      this.deploysBySlug.has(slug) ||
+      (normalizedAppBaseDomain && this.deployDomainsByHostname.has(`${slug}.${normalizedAppBaseDomain}`))
+    ) {
       slug = createSlug();
     }
 
@@ -2644,6 +3499,7 @@ export class MemoryAnonymousStore {
       createdAt,
       expiresAt,
       id: deployId,
+      inspectPolicy: normalizeInspectPolicy(inspectPolicy),
       limits: { ...DEFAULT_ANONYMOUS_LIMITS },
       owner: null,
       ownerId: null,
@@ -2668,6 +3524,7 @@ export class MemoryAnonymousStore {
     clientBundleBase64,
     clientBundleHash,
     deployId,
+    inspectPolicy,
     publicRootUrl,
     serverEnv
   }) {
@@ -2685,6 +3542,7 @@ export class MemoryAnonymousStore {
       artifactHash,
       clientBundleHash,
       expiresAt: currentDeploy.ownerId ? null : anonymousDeployExpiresAt(),
+      inspectPolicy: inspectPolicy === undefined ? inspectPolicyForDeploy(currentDeploy) : normalizeInspectPolicy(inspectPolicy),
       publicRootUrl: nextPublicRootUrl,
       url: appUrlForSlug({ appBaseDomain: nextAppBaseDomain, publicRootUrl: nextPublicRootUrl, slug: currentDeploy.slug }),
       status: "active",
@@ -2699,6 +3557,7 @@ export class MemoryAnonymousStore {
       createdAt: updatedAt
     });
     this.deploys.set(deployId, deploy);
+    this.decrementArtifactRef(currentDeploy.artifactHash);
     if (serverEnv !== undefined) {
       this.serverEnv.set(deployId, { ...serverEnv });
     }
@@ -2757,6 +3616,62 @@ export class MemoryAnonymousStore {
     return id ? this.getDeployById(id) : null;
   }
 
+  async getDeployDomainByHostname(hostname) {
+    const domain = this.deployDomainsByHostname.get(hostname);
+    return domain ? { ...domain } : null;
+  }
+
+  async listDeployDomainsForDeploy(deployId) {
+    return Array.from(this.deployDomainsByHostname.values())
+      .filter((domain) => domain.deployId === deployId)
+      .sort((left, right) => String(left.hostname).localeCompare(String(right.hostname)))
+      .map((domain) => ({ ...domain }));
+  }
+
+  async createLakebedSubdomain({ deployId, hostname, label, ownerId }) {
+    const deploy = await this.getStoredDeployById(deployId);
+    if (!deploy) {
+      return { status: "missing" };
+    }
+    if (!deploy.ownerId) {
+      return { deploy, status: "unclaimed" };
+    }
+    if (deploy.ownerId !== ownerId) {
+      return { deploy, status: "forbidden" };
+    }
+    if (deploy.status !== "active" || isExpired(deploy)) {
+      return { deploy, status: "inactive" };
+    }
+
+    const existingDomain = this.deployDomainsByHostname.get(hostname);
+    if (existingDomain) {
+      if (existingDomain.deployId === deployId) {
+        return { deploy, domain: { ...existingDomain }, status: "exists" };
+      }
+
+      return { deploy, domain: { ...existingDomain }, status: "conflict" };
+    }
+
+    if (this.deploysBySlug.has(label)) {
+      return { deploy, status: "slug_conflict" };
+    }
+
+    const timestamp = now();
+    const domain = {
+      createdAt: timestamp,
+      deployId,
+      hostname,
+      isPrimary: false,
+      kind: "lakebed_subdomain",
+      ownerId,
+      status: "active",
+      updatedAt: timestamp,
+      url: `https://${hostname}`
+    };
+    this.deployDomainsByHostname.set(hostname, domain);
+    return { deploy, domain: { ...domain }, status: "created" };
+  }
+
   async getArtifact(hash) {
     return this.artifacts.get(hash) ?? null;
   }
@@ -2806,8 +3721,45 @@ export class MemoryAnonymousStore {
     return { ...(this.serverEnv.get(deployId) ?? {}) };
   }
 
-  async transaction(deployId, handler) {
-    const run = () => handler(this);
+  snapshotRowsForDeploy(deployId) {
+    const snapshot = new Map();
+    for (const [key, rows] of this.rows) {
+      const [eventDeployId] = key.split(":");
+      if (eventDeployId === deployId) {
+        snapshot.set(key, new Map(Array.from(rows.entries()).map(([rowId, row]) => [rowId, { ...row }])));
+      }
+    }
+    return snapshot;
+  }
+
+  restoreRowsForDeploy(deployId, snapshot) {
+    for (const key of Array.from(this.rows.keys())) {
+      const [eventDeployId] = key.split(":");
+      if (eventDeployId === deployId) {
+        this.rows.delete(key);
+      }
+    }
+    for (const [key, rows] of snapshot) {
+      this.rows.set(key, new Map(Array.from(rows.entries()).map(([rowId, row]) => [rowId, { ...row }])));
+    }
+  }
+
+  assertStateWithinLimits(deployId, options) {
+    assertStateResourceLimits(this.stateResourceForDeploy(deployId), options);
+  }
+
+  async transaction(deployId, handler, options = {}) {
+    const run = async () => {
+      const snapshot = this.snapshotRowsForDeploy(deployId);
+      try {
+        const result = await handler(this);
+        this.assertStateWithinLimits(deployId, options);
+        return result;
+      } catch (error) {
+        this.restoreRowsForDeploy(deployId, snapshot);
+        throw error;
+      }
+    };
     const next = (this.queues.get(deployId) ?? Promise.resolve()).then(run, run);
     this.queues.set(
       deployId,
@@ -2820,13 +3772,17 @@ export class MemoryAnonymousStore {
   }
 
   async appendLog(deployId, level, message, data) {
-    const entries = this.logs.get(deployId) ?? [];
-    entries.push({ at: now(), data, level, message });
-    this.logs.set(deployId, entries.slice(-DEFAULT_ANONYMOUS_LIMITS.logEntries));
+    const entries = [...(this.logs.get(deployId) ?? []), redactLogEntry(normalizeLogEntry(level, message, data))];
+    const maxEntries = DEFAULT_ANONYMOUS_LIMITS.logEntries;
+    const maxBytes = DEFAULT_ANONYMOUS_LIMITS.logBytes;
+    while (entries.length > maxEntries || bytesOfJson(entries) > maxBytes) {
+      entries.shift();
+    }
+    this.logs.set(deployId, entries);
   }
 
   async readLogs(deployId, limit = 100) {
-    return (this.logs.get(deployId) ?? []).slice(-limit);
+    return (this.logs.get(deployId) ?? []).slice(-limit).map(redactLogEntry);
   }
 
   async tableCounts(deployId, schema) {
@@ -2858,12 +3814,67 @@ export class MemoryAnonymousStore {
   }
 
   async incrementQuota(deployId, bucket, limit) {
+    if (!Number.isFinite(limit)) {
+      return { bucket, count: 0, limit, windowStart: dayWindowStart() };
+    }
+
     const windowStart = dayWindowStart();
     const key = `${deployId}:${bucket}:${windowStart}`;
     const count = (this.quotaEvents.get(key) ?? 0) + 1;
     this.quotaEvents.set(key, count);
     if (count > limit) {
-      throw new Error(`Anonymous ${bucket} quota exceeded. Limit: ${limit} per day.`);
+      throw new LakebedQuotaError({
+        bucket,
+        count,
+        limit,
+        resetAt: quotaResetAt(windowStart),
+        retryAfterSeconds: quotaRetryAfterSeconds(windowStart),
+        suggestion: bucket === "mutations" ? "Retry after reset, reduce mutation frequency, or claim the deploy." : "Retry after reset or reduce request frequency."
+      });
+    }
+    return { bucket, count, limit, windowStart };
+  }
+
+  async incrementDeployCreateQuota(clientKey, bucket, limit) {
+    if (!Number.isFinite(limit)) {
+      return { bucket, count: 0, limit, windowStart: dayWindowStart() };
+    }
+
+    const windowStart = dayWindowStart();
+    const key = JSON.stringify([clientKey, bucket, windowStart]);
+    const count = (this.deployCreateQuotaEvents.get(key) ?? 0) + 1;
+    this.deployCreateQuotaEvents.set(key, count);
+    if (count > limit) {
+      throw new LakebedQuotaError({
+        bucket,
+        count,
+        limit,
+        resetAt: quotaResetAt(windowStart),
+        retryAfterSeconds: quotaRetryAfterSeconds(windowStart),
+        suggestion: "Retry after reset, reuse an existing deploy, or sign in and claim deploys you want to keep."
+      });
+    }
+    return { bucket, count, limit, windowStart };
+  }
+
+  async incrementClientQuota(clientKey, bucket, limit) {
+    if (!Number.isFinite(limit)) {
+      return { bucket, count: 0, limit, windowStart: dayWindowStart() };
+    }
+
+    const windowStart = dayWindowStart();
+    const key = JSON.stringify([clientKey, bucket, windowStart]);
+    const count = (this.clientQuotaEvents.get(key) ?? 0) + 1;
+    this.clientQuotaEvents.set(key, count);
+    if (count > limit) {
+      throw new LakebedQuotaError({
+        bucket,
+        count,
+        limit,
+        resetAt: quotaResetAt(windowStart),
+        retryAfterSeconds: quotaRetryAfterSeconds(windowStart),
+        suggestion: clientTrafficQuotaSuggestion(bucket)
+      });
     }
     return { bucket, count, limit, windowStart };
   }
@@ -2949,6 +3960,160 @@ export class MemoryAnonymousStore {
 
     return summaries;
   }
+
+  deleteDeployResources(deployId) {
+    const deploy = this.deploys.get(deployId);
+    if (!deploy) {
+      return {
+        deletedArtifacts: 0,
+        deletedDomains: 0,
+        deletedLogEntries: 0,
+        deletedQuotaEvents: 0,
+        deletedServerEnv: 0,
+        deletedStateRows: 0
+      };
+    }
+
+    let deletedStateRows = 0;
+    for (const [key, rows] of Array.from(this.rows.entries())) {
+      const [eventDeployId] = key.split(":");
+      if (eventDeployId === deployId) {
+        deletedStateRows += rows.size;
+        this.rows.delete(key);
+      }
+    }
+
+    const deletedLogEntries = this.logs.get(deployId)?.length ?? 0;
+    this.logs.delete(deployId);
+
+    let deletedQuotaEvents = 0;
+    for (const key of Array.from(this.quotaEvents.keys())) {
+      const [eventDeployId] = key.split(":");
+      if (eventDeployId === deployId) {
+        deletedQuotaEvents += 1;
+        this.quotaEvents.delete(key);
+      }
+    }
+
+    const deletedServerEnv = this.serverEnv.has(deployId) ? Object.keys(this.serverEnv.get(deployId) ?? {}).length : 0;
+    this.serverEnv.delete(deployId);
+
+    let deletedDomains = 0;
+    for (const [hostname, domain] of Array.from(this.deployDomainsByHostname.entries())) {
+      if (domain.deployId === deployId) {
+        this.deployDomainsByHostname.delete(hostname);
+        deletedDomains += 1;
+      }
+    }
+
+    this.deploys.delete(deployId);
+    this.deploysBySlug.delete(deploy.slug);
+    const deletedArtifacts = this.decrementArtifactRef(deploy.artifactHash) ? 1 : 0;
+
+    return {
+      deletedArtifacts,
+      deletedDomains,
+      deletedLogEntries,
+      deletedQuotaEvents,
+      deletedServerEnv,
+      deletedStateRows
+    };
+  }
+
+  recordCleanupRun(stats) {
+    this.cleanupRuns.push(stats);
+    this.cleanupRuns = this.cleanupRuns.slice(-20);
+    for (const [key, value] of Object.entries(stats)) {
+      if (typeof value === "number") {
+        this.cleanupTotals[key] = (this.cleanupTotals[key] ?? 0) + value;
+      }
+    }
+  }
+
+  async cleanupExpiredDeploys({ graceSeconds = 60 * 60, retentionSeconds = 7 * 24 * 60 * 60, nowMs = Date.now() } = {}) {
+    const startedAt = new Date(nowMs).toISOString();
+    const markCutoffMs = nowMs - graceSeconds * 1000;
+    const deleteCutoffMs = nowMs - retentionSeconds * 1000;
+    const stats = {
+      deletedArtifacts: 0,
+      deletedDomains: 0,
+      deletedDeploys: 0,
+      deletedLogEntries: 0,
+      deletedQuotaEvents: 0,
+      deletedServerEnv: 0,
+      deletedStateRows: 0,
+      examinedDeploys: this.deploys.size,
+      finishedAt: null,
+      markedTerminated: 0,
+      startedAt
+    };
+
+    for (const deploy of Array.from(this.deploys.values())) {
+      if (deploy.ownerId || !deploy.expiresAt) {
+        continue;
+      }
+
+      const expiresAtMs = Date.parse(deploy.expiresAt);
+      if (Number.isFinite(expiresAtMs) && expiresAtMs <= markCutoffMs && deploy.status === "active") {
+        this.deploys.set(deploy.id, { ...deploy, status: "terminated", updatedAt: new Date(nowMs).toISOString() });
+        stats.markedTerminated += 1;
+      }
+    }
+
+    for (const deploy of Array.from(this.deploys.values())) {
+      if (deploy.ownerId || !deploy.expiresAt) {
+        continue;
+      }
+
+      const expiresAtMs = Date.parse(deploy.expiresAt);
+      if (!Number.isFinite(expiresAtMs) || expiresAtMs > deleteCutoffMs) {
+        continue;
+      }
+
+      const deleted = this.deleteDeployResources(deploy.id);
+      stats.deletedDeploys += 1;
+      for (const [key, value] of Object.entries(deleted)) {
+        stats[key] += value;
+      }
+    }
+
+    for (const [key] of Array.from(this.deployCreateQuotaEvents.entries())) {
+      try {
+        const [, , windowStart] = JSON.parse(key);
+        if (Date.parse(windowStart) <= deleteCutoffMs) {
+          this.deployCreateQuotaEvents.delete(key);
+          stats.deletedQuotaEvents += 1;
+        }
+      } catch {
+        this.deployCreateQuotaEvents.delete(key);
+        stats.deletedQuotaEvents += 1;
+      }
+    }
+    for (const [key] of Array.from(this.clientQuotaEvents.entries())) {
+      try {
+        const [, , windowStart] = JSON.parse(key);
+        if (Date.parse(windowStart) <= deleteCutoffMs) {
+          this.clientQuotaEvents.delete(key);
+          stats.deletedQuotaEvents += 1;
+        }
+      } catch {
+        this.clientQuotaEvents.delete(key);
+        stats.deletedQuotaEvents += 1;
+      }
+    }
+
+    stats.finishedAt = now();
+    this.recordCleanupRun(stats);
+    return stats;
+  }
+
+  async readCleanupActivity() {
+    return {
+      lastRun: this.cleanupRuns[this.cleanupRuns.length - 1] ?? null,
+      recentRuns: [...this.cleanupRuns].reverse(),
+      totals: { ...this.cleanupTotals }
+    };
+  }
 }
 
 export class PostgresAnonymousStore {
@@ -2976,6 +4141,7 @@ export class PostgresAnonymousStore {
         owner_id text,
         owner_json jsonb,
         claim_token_hash text not null,
+        inspect_policy text not null default 'private',
         limits_json jsonb not null,
         counters_json jsonb not null default '{}',
         public_root_url text not null,
@@ -2986,11 +4152,26 @@ export class PostgresAnonymousStore {
     await this.query("alter table deploys add column if not exists claimed_at timestamptz");
     await this.query("alter table deploys add column if not exists owner_id text");
     await this.query("alter table deploys add column if not exists owner_json jsonb");
+    await this.query("alter table deploys add column if not exists inspect_policy text not null default 'private'");
     await this.query("alter table deploys add column if not exists updated_at timestamptz");
     await this.query("update deploys set updated_at = created_at where updated_at is null");
     await this.query("alter table deploys alter column updated_at set not null");
     await this.query("alter table deploys alter column expires_at drop not null");
     await this.query("update deploys set expires_at = null where owner_id is not null and expires_at is not null");
+    await this.query(`
+      create table if not exists deploy_domains(
+        hostname text primary key,
+        deploy_id text not null references deploys(id) on delete cascade,
+        owner_id text not null,
+        kind text not null,
+        status text not null,
+        is_primary boolean not null default false,
+        created_at timestamptz not null,
+        updated_at timestamptz not null
+      )
+    `);
+    await this.query("create index if not exists deploy_domains_deploy_id_idx on deploy_domains(deploy_id)");
+    await this.query("create index if not exists deploy_domains_owner_id_idx on deploy_domains(owner_id)");
     await this.query(`
       create table if not exists artifacts(
         hash text primary key,
@@ -3032,6 +4213,24 @@ export class PostgresAnonymousStore {
         primary key (deploy_id, bucket, window_start)
       )
     `);
+    await this.query(`
+      create table if not exists deploy_create_quota_events(
+        client_key text not null,
+        bucket text not null,
+        window_start timestamptz not null,
+        count integer not null,
+        primary key (client_key, bucket, window_start)
+      )
+    `);
+    await this.query(`
+      create table if not exists client_quota_events(
+        client_key text not null,
+        bucket text not null,
+        window_start timestamptz not null,
+        count integer not null,
+        primary key (client_key, bucket, window_start)
+      )
+    `);
     await this.query(`
       create table if not exists deploy_server_env(
         deploy_id text not null references deploys(id) on delete cascade,
@@ -3056,6 +4255,14 @@ export class PostgresAnonymousStore {
         updated_at timestamptz not null
       )
     `);
+    await this.query(`
+      create table if not exists cleanup_runs(
+        id bigserial primary key,
+        started_at timestamptz not null,
+        finished_at timestamptz not null,
+        stats_json jsonb not null
+      )
+    `);
     await this.query("alter table users add column if not exists boost boolean not null default false");
     await this.query(`
       insert into users(
@@ -3096,6 +4303,33 @@ export class PostgresAnonymousStore {
     return this.pool.query(sql, params);
   }
 
+  async withPostgresTransaction(handler) {
+    if (!this.pool) {
+      throw new Error("Postgres store is not initialized.");
+    }
+
+    const client = await this.pool.connect();
+    try {
+      await client.query("begin");
+      const result = await handler(client);
+      await client.query("commit");
+      return result;
+    } catch (error) {
+      try {
+        await client.query("rollback");
+      } catch {
+        // Preserve the original transaction error.
+      }
+      throw error;
+    } finally {
+      client.release();
+    }
+  }
+
+  async lockHostnameAllocation(client, hostname) {
+    await client.query("select pg_advisory_xact_lock(hashtext('lakebed.deploy_hostname'), hashtext($1))", [hostname]);
+  }
+
   rowToUser(row) {
     if (!row) {
       return null;
@@ -3320,10 +4554,30 @@ export class PostgresAnonymousStore {
     );
   }
 
-  async createDeploy({ appBaseDomain, artifact, artifactHash, clientBundleBase64, clientBundleHash, publicRootUrl, serverEnv }) {
+  async decrementArtifactRef(artifactHash) {
+    const result = await this.query(
+      `
+      update artifacts
+      set ref_count = greatest(ref_count - 1, 0)
+      where hash = $1
+      returning ref_count
+      `,
+      [artifactHash]
+    );
+    const refCount = result.rows[0]?.ref_count;
+    if (refCount === undefined || Number(refCount) > 0) {
+      return false;
+    }
+
+    await this.query("delete from artifacts where hash = $1 and ref_count <= 0", [artifactHash]);
+    return true;
+  }
+
+  async createDeploy({ appBaseDomain, artifact, artifactHash, clientBundleBase64, clientBundleHash, inspectPolicy, publicRootUrl, serverEnv }) {
     const createdAt = now();
     const normalizedAppBaseDomain = normalizeAppBaseDomain(appBaseDomain);
     const expiresAt = anonymousDeployExpiresAt();
+    const normalizedInspectPolicy = normalizeInspectPolicy(inspectPolicy);
     const token = createClaimToken();
     const deployId = createDeployId();
 
@@ -3331,6 +4585,8 @@ export class PostgresAnonymousStore {
 
     for (let attempt = 0; attempt < 8; attempt += 1) {
       const slug = createSlug();
+      const generatedHostname = normalizedAppBaseDomain ? `${slug}.${normalizedAppBaseDomain}` : null;
+
       const url = appUrlForSlug({ appBaseDomain: normalizedAppBaseDomain, publicRootUrl, slug });
       const deploy = {
         appBaseDomain: normalizedAppBaseDomain,
@@ -3341,6 +4597,7 @@ export class PostgresAnonymousStore {
         createdAt,
         expiresAt,
         id: deployId,
+        inspectPolicy: normalizedInspectPolicy,
         limits: { ...DEFAULT_ANONYMOUS_LIMITS },
         owner: null,
         ownerId: null,
@@ -3352,30 +4609,45 @@ export class PostgresAnonymousStore {
       };
 
       try {
-        await this.query(
-          `
-          insert into deploys(
-            id, slug, status, artifact_hash, client_bundle_hash, created_at, updated_at, expires_at,
-            claim_token_hash, limits_json, counters_json, public_root_url, app_base_domain, url
-          )
-          values($1, $2, $3, $4, $5, $6, $7, $8, $9, $10::jsonb, '{}'::jsonb, $11, $12, $13)
-          `,
-          [
-            deploy.id,
-            deploy.slug,
-            deploy.status,
-            deploy.artifactHash,
-            deploy.clientBundleHash,
-            deploy.createdAt,
-            deploy.updatedAt,
-            deploy.expiresAt,
-            deploy.claimTokenHash,
-            JSON.stringify(deploy.limits),
-            deploy.publicRootUrl,
-            deploy.appBaseDomain,
-            deploy.url
-          ]
-        );
+        const inserted = await this.withPostgresTransaction(async (client) => {
+          if (generatedHostname) {
+            await this.lockHostnameAllocation(client, generatedHostname);
+            const domainConflict = await client.query("select 1 from deploy_domains where hostname = $1", [generatedHostname]);
+            if (domainConflict.rows.length > 0) {
+              return false;
+            }
+          }
+
+          await client.query(
+            `
+            insert into deploys(
+              id, slug, status, artifact_hash, client_bundle_hash, created_at, updated_at, expires_at,
+              claim_token_hash, inspect_policy, limits_json, counters_json, public_root_url, app_base_domain, url
+            )
+            values($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11::jsonb, '{}'::jsonb, $12, $13, $14)
+            `,
+            [
+              deploy.id,
+              deploy.slug,
+              deploy.status,
+              deploy.artifactHash,
+              deploy.clientBundleHash,
+              deploy.createdAt,
+              deploy.updatedAt,
+              deploy.expiresAt,
+              deploy.claimTokenHash,
+              deploy.inspectPolicy,
+              JSON.stringify(deploy.limits),
+              deploy.publicRootUrl,
+              deploy.appBaseDomain,
+              deploy.url
+            ]
+          );
+          return true;
+        });
+        if (!inserted) {
+          continue;
+        }
         if (serverEnv !== undefined) {
           await this.replaceServerEnv(deploy.id, serverEnv, createdAt);
         }
@@ -3397,6 +4669,7 @@ export class PostgresAnonymousStore {
     clientBundleBase64,
     clientBundleHash,
     deployId,
+    inspectPolicy,
     publicRootUrl,
     serverEnv
   }) {
@@ -3409,6 +4682,7 @@ export class PostgresAnonymousStore {
     const expiresAt = currentDeploy.ownerId ? null : anonymousDeployExpiresAt();
     const nextAppBaseDomain = normalizeAppBaseDomain(appBaseDomain ?? currentDeploy.appBaseDomain);
     const nextPublicRootUrl = publicRootUrl ?? currentDeploy.publicRootUrl;
+    const nextInspectPolicy = inspectPolicy === undefined ? inspectPolicyForDeploy(currentDeploy) : normalizeInspectPolicy(inspectPolicy);
     const url = appUrlForSlug({ appBaseDomain: nextAppBaseDomain, publicRootUrl: nextPublicRootUrl, slug: currentDeploy.slug });
     await this.storeArtifact({ artifact, artifactHash, clientBundleBase64, clientBundleHash, createdAt: updatedAt });
 
@@ -3422,15 +4696,17 @@ export class PostgresAnonymousStore {
         public_root_url = $5,
         app_base_domain = $6,
         url = $7,
-        updated_at = $8
+        inspect_policy = $8,
+        updated_at = $9
       where id = $1
       returning *
       `,
-      [deployId, artifactHash, clientBundleHash, expiresAt, nextPublicRootUrl, nextAppBaseDomain || null, url, updatedAt]
+      [deployId, artifactHash, clientBundleHash, expiresAt, nextPublicRootUrl, nextAppBaseDomain || null, url, nextInspectPolicy, updatedAt]
     );
     if (serverEnv !== undefined) {
       await this.replaceServerEnv(deployId, serverEnv, updatedAt);
     }
+    await this.decrementArtifactRef(currentDeploy.artifactHash);
     return this.deployWithUserLimitOverrides(this.rowToDeploy(result.rows[0]));
   }
 
@@ -3499,7 +4775,8 @@ export class PostgresAnonymousStore {
       createdAt: new Date(row.created_at).toISOString(),
       expiresAt: row.expires_at ? new Date(row.expires_at).toISOString() : null,
       id: row.id,
-      limits: row.limits_json,
+      inspectPolicy: normalizeInspectPolicy(row.inspect_policy),
+      limits: { ...DEFAULT_ANONYMOUS_LIMITS, ...(row.limits_json ?? {}) },
       owner: row.owner_json ?? null,
       ownerId: row.owner_id ?? null,
       publicRootUrl: row.public_root_url,
@@ -3510,6 +4787,24 @@ export class PostgresAnonymousStore {
     };
   }
 
+  rowToDeployDomain(row) {
+    if (!row) {
+      return null;
+    }
+
+    return {
+      createdAt: new Date(row.created_at).toISOString(),
+      deployId: row.deploy_id,
+      hostname: row.hostname,
+      isPrimary: Boolean(row.is_primary),
+      kind: row.kind,
+      ownerId: row.owner_id,
+      status: row.status,
+      updatedAt: new Date(row.updated_at).toISOString(),
+      url: `https://${row.hostname}`
+    };
+  }
+
   async getDeployById(id) {
     return this.deployWithUserLimitOverrides(await this.getBaseDeployById(id));
   }
@@ -3519,6 +4814,80 @@ export class PostgresAnonymousStore {
     return this.deployWithUserLimitOverrides(this.rowToDeploy(result.rows[0]));
   }
 
+  async getDeployDomainByHostname(hostname) {
+    const result = await this.query("select * from deploy_domains where hostname = $1", [hostname]);
+    return this.rowToDeployDomain(result.rows[0]);
+  }
+
+  async listDeployDomainsForDeploy(deployId) {
+    const result = await this.query("select * from deploy_domains where deploy_id = $1 order by hostname asc", [deployId]);
+    return result.rows.map((row) => this.rowToDeployDomain(row));
+  }
+
+  async createLakebedSubdomain({ deployId, hostname, label, ownerId }) {
+    try {
+      return await this.withPostgresTransaction(async (client) => {
+        const deployResult = await client.query("select * from deploys where id = $1 for update", [deployId]);
+        const deploy = this.rowToDeploy(deployResult.rows[0]);
+        if (!deploy) {
+          return { status: "missing" };
+        }
+        if (!deploy.ownerId) {
+          return { deploy, status: "unclaimed" };
+        }
+        if (deploy.ownerId !== ownerId) {
+          return { deploy, status: "forbidden" };
+        }
+        if (deploy.status !== "active" || isExpired(deploy)) {
+          return { deploy, status: "inactive" };
+        }
+
+        await this.lockHostnameAllocation(client, hostname);
+
+        const existingResult = await client.query("select * from deploy_domains where hostname = $1", [hostname]);
+        const existing = this.rowToDeployDomain(existingResult.rows[0]);
+        if (existing) {
+          if (existing.deployId === deployId) {
+            return { deploy, domain: existing, status: "exists" };
+          }
+
+          return { deploy, domain: existing, status: "conflict" };
+        }
+
+        const slugConflict = await client.query("select id from deploys where slug = $1 limit 1", [label]);
+        if (slugConflict.rows.length > 0) {
+          return { deploy, status: "slug_conflict" };
+        }
+
+        const timestamp = now();
+        const insertResult = await client.query(
+          `
+          insert into deploy_domains(hostname, deploy_id, owner_id, kind, status, is_primary, created_at, updated_at)
+          values($1, $2, $3, 'lakebed_subdomain', 'active', false, $4, $4)
+          returning *
+          `,
+          [hostname, deployId, ownerId, timestamp]
+        );
+        return { deploy, domain: this.rowToDeployDomain(insertResult.rows[0]), status: "created" };
+      });
+    } catch (error) {
+      if (error?.code !== "23505") {
+        throw error;
+      }
+
+      const deploy = await this.getBaseDeployById(deployId);
+      if (!deploy) {
+        return { status: "missing" };
+      }
+      const conflict = await this.getDeployDomainByHostname(hostname);
+      if (conflict?.deployId === deployId) {
+        return { deploy, domain: conflict, status: "exists" };
+      }
+
+      return { deploy, domain: conflict, status: "conflict" };
+    }
+  }
+
   async getArtifact(hash) {
     const result = await this.query("select * from artifacts where hash = $1", [hash]);
     const row = result.rows[0];
@@ -3594,13 +4963,51 @@ export class PostgresAnonymousStore {
     }
   }
 
-  async getServerEnv(deployId) {
-    const result = await this.query("select env_key, env_value from deploy_server_env where deploy_id = $1", [deployId]);
-    return Object.fromEntries(result.rows.map((row) => [row.env_key, decryptServerEnvValue(row.env_value, this.serverEnvSecret)]));
+  async getServerEnv(deployId) {
+    const result = await this.query("select env_key, env_value from deploy_server_env where deploy_id = $1", [deployId]);
+    return Object.fromEntries(result.rows.map((row) => [row.env_key, decryptServerEnvValue(row.env_value, this.serverEnvSecret)]));
+  }
+
+  async stateResourceForDeploy(deployId) {
+    const result = await this.query(
+      `
+      select
+        count(*)::int as state_rows,
+        coalesce(sum(octet_length(data_json::text)), 0)::int as state_bytes
+      from state_rows
+      where deploy_id = $1
+      `,
+      [deployId]
+    );
+    return {
+      stateBytes: result.rows[0]?.state_bytes ?? 0,
+      stateRows: result.rows[0]?.state_rows ?? 0
+    };
+  }
+
+  async assertStateWithinLimits(deployId, options) {
+    assertStateResourceLimits(await this.stateResourceForDeploy(deployId), options);
   }
 
-  async transaction(deployId, handler) {
-    const run = () => handler(this);
+  async transaction(deployId, handler, options = {}) {
+    const run = async () => {
+      const client = await this.pool.connect();
+      const tx = Object.create(this);
+      tx.query = (sql, params = []) => client.query(sql, params);
+      tx.pool = this.pool;
+      try {
+        await client.query("begin");
+        const result = await handler(tx);
+        await tx.assertStateWithinLimits(deployId, options);
+        await client.query("commit");
+        return result;
+      } catch (error) {
+        await client.query("rollback").catch(() => undefined);
+        throw error;
+      } finally {
+        client.release();
+      }
+    };
     const next = (this.queues.get(deployId) ?? Promise.resolve()).then(run, run);
     this.queues.set(
       deployId,
@@ -3613,9 +5020,29 @@ export class PostgresAnonymousStore {
   }
 
   async appendLog(deployId, level, message, data) {
+    const entry = redactLogEntry(normalizeLogEntry(level, message, data));
     await this.query(
       "insert into logs(deploy_id, level, message, data_json, created_at) values($1, $2, $3, $4::jsonb, $5)",
-      [deployId, level, message, JSON.stringify(data ?? null), now()]
+      [deployId, entry.level, entry.message, JSON.stringify(entry.data ?? null), entry.at]
+    );
+    await this.query(
+      `
+      delete from logs
+      where deploy_id = $1
+        and sequence in (
+          select sequence
+          from (
+            select
+              sequence,
+              row_number() over (order by sequence desc) as row_number,
+              sum(octet_length(message) + octet_length(coalesce(data_json::text, ''))) over (order by sequence desc) as cumulative_bytes
+            from logs
+            where deploy_id = $1
+          ) ranked
+          where row_number > $2 or cumulative_bytes > $3
+        )
+      `,
+      [deployId, DEFAULT_ANONYMOUS_LIMITS.logEntries, DEFAULT_ANONYMOUS_LIMITS.logBytes]
     );
   }
 
@@ -3624,7 +5051,7 @@ export class PostgresAnonymousStore {
       "select level, message, data_json, created_at from logs where deploy_id = $1 order by sequence desc limit $2",
       [deployId, limit]
     );
-    return result.rows.reverse().map((row) => ({
+    return result.rows.reverse().map((row) => redactLogEntry({
       at: new Date(row.created_at).toISOString(),
       data: row.data_json,
       level: row.level,
@@ -3668,6 +5095,10 @@ export class PostgresAnonymousStore {
   }
 
   async incrementQuota(deployId, bucket, limit) {
+    if (!Number.isFinite(limit)) {
+      return { bucket, count: 0, limit, windowStart: dayWindowStart() };
+    }
+
     const windowStart = dayWindowStart();
     const result = await this.query(
       `
@@ -3681,7 +5112,74 @@ export class PostgresAnonymousStore {
     );
     const count = result.rows[0].count;
     if (count > limit) {
-      throw new Error(`Anonymous ${bucket} quota exceeded. Limit: ${limit} per day.`);
+      throw new LakebedQuotaError({
+        bucket,
+        count,
+        limit,
+        resetAt: quotaResetAt(windowStart),
+        retryAfterSeconds: quotaRetryAfterSeconds(windowStart),
+        suggestion: bucket === "mutations" ? "Retry after reset, reduce mutation frequency, or claim the deploy." : "Retry after reset or reduce request frequency."
+      });
+    }
+    return { bucket, count, limit, windowStart };
+  }
+
+  async incrementDeployCreateQuota(clientKey, bucket, limit) {
+    if (!Number.isFinite(limit)) {
+      return { bucket, count: 0, limit, windowStart: dayWindowStart() };
+    }
+
+    const windowStart = dayWindowStart();
+    const result = await this.query(
+      `
+      insert into deploy_create_quota_events(client_key, bucket, window_start, count)
+      values($1, $2, $3, 1)
+      on conflict(client_key, bucket, window_start)
+      do update set count = deploy_create_quota_events.count + 1
+      returning count
+      `,
+      [clientKey, bucket, windowStart]
+    );
+    const count = result.rows[0].count;
+    if (count > limit) {
+      throw new LakebedQuotaError({
+        bucket,
+        count,
+        limit,
+        resetAt: quotaResetAt(windowStart),
+        retryAfterSeconds: quotaRetryAfterSeconds(windowStart),
+        suggestion: "Retry after reset, reuse an existing deploy, or sign in and claim deploys you want to keep."
+      });
+    }
+    return { bucket, count, limit, windowStart };
+  }
+
+  async incrementClientQuota(clientKey, bucket, limit) {
+    if (!Number.isFinite(limit)) {
+      return { bucket, count: 0, limit, windowStart: dayWindowStart() };
+    }
+
+    const windowStart = dayWindowStart();
+    const result = await this.query(
+      `
+      insert into client_quota_events(client_key, bucket, window_start, count)
+      values($1, $2, $3, 1)
+      on conflict(client_key, bucket, window_start)
+      do update set count = client_quota_events.count + 1
+      returning count
+      `,
+      [clientKey, bucket, windowStart]
+    );
+    const count = result.rows[0].count;
+    if (count > limit) {
+      throw new LakebedQuotaError({
+        bucket,
+        count,
+        limit,
+        resetAt: quotaResetAt(windowStart),
+        retryAfterSeconds: quotaRetryAfterSeconds(windowStart),
+        suggestion: clientTrafficQuotaSuggestion(bucket)
+      });
     }
     return { bucket, count, limit, windowStart };
   }
@@ -3795,6 +5293,109 @@ export class PostgresAnonymousStore {
       })
     );
   }
+
+  async recordCleanupRun(stats) {
+    await this.query(
+      "insert into cleanup_runs(started_at, finished_at, stats_json) values($1, $2, $3::jsonb)",
+      [stats.startedAt, stats.finishedAt, JSON.stringify(stats)]
+    );
+  }
+
+  async cleanupExpiredDeploys({ graceSeconds = 60 * 60, retentionSeconds = 7 * 24 * 60 * 60, nowMs = Date.now() } = {}) {
+    const startedAt = new Date(nowMs).toISOString();
+    const finishedAt = now();
+    const markCutoff = new Date(nowMs - graceSeconds * 1000).toISOString();
+    const deleteCutoff = new Date(nowMs - retentionSeconds * 1000).toISOString();
+    const examined = await this.query("select count(*)::int as count from deploys");
+    const marked = await this.query(
+      `
+      update deploys
+      set status = 'terminated',
+        updated_at = $2
+      where owner_id is null
+        and expires_at is not null
+        and expires_at <= $1
+        and status = 'active'
+      returning id
+      `,
+      [markCutoff, finishedAt]
+    );
+    const candidates = await this.query(
+      `
+      select id, artifact_hash
+      from deploys
+      where owner_id is null
+        and expires_at is not null
+        and expires_at <= $1
+      `,
+      [deleteCutoff]
+    );
+    const stats = {
+      deletedArtifacts: 0,
+      deletedDeploys: 0,
+      deletedLogEntries: 0,
+      deletedQuotaEvents: 0,
+      deletedServerEnv: 0,
+      deletedStateRows: 0,
+      examinedDeploys: examined.rows[0]?.count ?? 0,
+      finishedAt,
+      markedTerminated: marked.rowCount,
+      startedAt
+    };
+
+    for (const deploy of candidates.rows) {
+      const stateRows = await this.query("delete from state_rows where deploy_id = $1", [deploy.id]);
+      const logs = await this.query("delete from logs where deploy_id = $1", [deploy.id]);
+      const quota = await this.query("delete from quota_events where deploy_id = $1", [deploy.id]);
+      const serverEnv = await this.query("delete from deploy_server_env where deploy_id = $1", [deploy.id]);
+      await this.query("delete from deploys where id = $1", [deploy.id]);
+      stats.deletedDeploys += 1;
+      stats.deletedStateRows += stateRows.rowCount;
+      stats.deletedLogEntries += logs.rowCount;
+      stats.deletedQuotaEvents += quota.rowCount;
+      stats.deletedServerEnv += serverEnv.rowCount;
+      stats.deletedArtifacts += (await this.decrementArtifactRef(deploy.artifact_hash)) ? 1 : 0;
+    }
+    const deployCreateQuota = await this.query("delete from deploy_create_quota_events where window_start <= $1", [deleteCutoff]);
+    stats.deletedQuotaEvents += deployCreateQuota.rowCount;
+    const clientQuota = await this.query("delete from client_quota_events where window_start <= $1", [deleteCutoff]);
+    stats.deletedQuotaEvents += clientQuota.rowCount;
+
+    await this.recordCleanupRun(stats);
+    return stats;
+  }
+
+  async readCleanupActivity() {
+    const result = await this.query("select stats_json from cleanup_runs order by id desc limit 20");
+    const recentRuns = result.rows.map((row) => row.stats_json);
+    const totalsResult = await this.query(`
+      select
+        coalesce(sum((stats_json->>'deletedArtifacts')::int), 0)::int as deleted_artifacts,
+        coalesce(sum((stats_json->>'deletedDeploys')::int), 0)::int as deleted_deploys,
+        coalesce(sum((stats_json->>'deletedLogEntries')::int), 0)::int as deleted_log_entries,
+        coalesce(sum((stats_json->>'deletedQuotaEvents')::int), 0)::int as deleted_quota_events,
+        coalesce(sum((stats_json->>'deletedServerEnv')::int), 0)::int as deleted_server_env,
+        coalesce(sum((stats_json->>'deletedStateRows')::int), 0)::int as deleted_state_rows,
+        coalesce(sum((stats_json->>'examinedDeploys')::int), 0)::int as examined_deploys,
+        coalesce(sum((stats_json->>'markedTerminated')::int), 0)::int as marked_terminated
+      from cleanup_runs
+    `);
+    const totalsRow = totalsResult.rows[0] ?? {};
+    return {
+      lastRun: recentRuns[0] ?? null,
+      recentRuns,
+      totals: {
+        deletedArtifacts: totalsRow.deleted_artifacts ?? 0,
+        deletedDeploys: totalsRow.deleted_deploys ?? 0,
+        deletedLogEntries: totalsRow.deleted_log_entries ?? 0,
+        deletedQuotaEvents: totalsRow.deleted_quota_events ?? 0,
+        deletedServerEnv: totalsRow.deleted_server_env ?? 0,
+        deletedStateRows: totalsRow.deleted_state_rows ?? 0,
+        examinedDeploys: totalsRow.examined_deploys ?? 0,
+        markedTerminated: totalsRow.marked_terminated ?? 0
+      }
+    };
+  }
 }
 
 export async function createAnonymousStoreFromEnv(env = process.env) {
@@ -3813,12 +5414,30 @@ export async function createAnonymousStoreFromEnv(env = process.env) {
 }
 
 async function loadDeployByRoute({ appBaseDomain, host, store, url }) {
-  const route = parseHostDeploy({ appBaseDomain, host, url }) ?? parsePathDeploy(url);
+  const hostname = hostnameFromHost(host);
+  const domain = hostname && typeof store.getDeployDomainByHostname === "function" ? await store.getDeployDomainByHostname(hostname) : null;
+  const route = domain
+    ? {
+        appPath: url.pathname || "/",
+        basePath: "",
+        domain,
+        hostname: domain.hostname,
+        deployId: domain.deployId
+      }
+    : parseHostDeploy({ appBaseDomain, host, url }) ?? parsePathDeploy(url);
   if (!route) {
     return null;
   }
 
-  const deploy = await store.getDeployBySlug(route.slug);
+  if (domain?.status && domain.status !== "active") {
+    return {
+      error: domain.status === "disabled" ? "Lakebed subdomain is disabled." : "Lakebed subdomain is not active.",
+      route,
+      status: domain.status === "disabled" ? 410 : 404
+    };
+  }
+
+  const deploy = route.deployId ? await store.getDeployById(route.deployId) : await store.getDeployBySlug(route.slug);
   if (!deploy) {
     return { error: "Unknown anonymous deploy.", route, status: 404 };
   }
@@ -3839,45 +5458,164 @@ async function loadDeployByRoute({ appBaseDomain, host, store, url }) {
   return { artifact: storedArtifact.artifact, basePath: route.basePath, deploy, route, storedArtifact };
 }
 
-async function serveInspect({ artifact, deploy, route, store, systemPath }, res) {
+function mutationInspectDetails(artifact) {
+  return Object.entries(artifact.server?.mutations ?? {}).map(([name, mutation]) => {
+    if (mutation?.op === "source") {
+      return { guards: [], mode: "source-backed", name };
+    }
+
+    const guards = [];
+    for (const operation of mutation?.body ?? []) {
+      for (const guard of operation.guards ?? []) {
+        guards.push({
+          equalsAuth: guard.equalsAuth,
+          field: guard.field,
+          operation: operation.op,
+          table: operation.table
+        });
+      }
+    }
+
+    return {
+      guards,
+      mode: guards.length > 0 ? "guarded-ir" : "interpreted-ir",
+      name
+    };
+  });
+}
+
+function publicManifestForDeploy({ artifact, deploy }) {
+  return {
+    clientBundleHash: deploy.clientBundleHash,
+    deployId: deploy.id,
+    name: artifact.name ?? "Lakebed Capsule",
+    runtimeVersion: LAKEBED_VERSION
+  };
+}
+
+function fullManifestForDeploy({ artifact, deploy, domains = [] }) {
+  return {
+    artifactHash: deploy.artifactHash,
+    clientBundleHash: deploy.clientBundleHash,
+    deployId: deploy.id,
+    domains,
+    expiresAt: deploy.expiresAt,
+    inspectPolicy: inspectPolicyForDeploy(deploy),
+    limits: deploy.limits,
+    mutationDetails: mutationInspectDetails(artifact),
+    mutations: Object.keys(artifact.server.mutations ?? {}),
+    name: artifact.name ?? "Lakebed Capsule",
+    queries: Object.keys(artifact.server.queries ?? {}),
+    runtimeVersion: LAKEBED_VERSION,
+    schema: artifact.server.schema,
+    slug: deploy.slug,
+    updatedAt: deploy.updatedAt,
+    url: deploy.url
+  };
+}
+
+function inspectCommandForPath(deploy, systemPath) {
+  if (systemPath === "/__lakebed/db") {
+    return `lakebed db dump ${deploy.id}`;
+  }
+  if (systemPath === "/__lakebed/db/tables") {
+    return `lakebed db list ${deploy.id}`;
+  }
+  if (systemPath === "/__lakebed/logs") {
+    return `lakebed logs ${deploy.id}`;
+  }
+  return `lakebed inspect ${deploy.id}`;
+}
+
+function inspectAuthFailure(deploy, systemPath) {
+  return {
+    command: inspectCommandForPath(deploy, systemPath),
+    error: "Lakebed hosted inspection requires authorization.",
+    hint: "Run this command from the capsule directory so Lakebed can read .lakebed/deploy.json, or send Authorization: Bearer <claim-token>.",
+    inspectPolicy: inspectPolicyForDeploy(deploy),
+    path: systemPath
+  };
+}
+
+function inspectAuthorized({ adminPassword, currentDeveloper, deploy, req }) {
+  if (inspectPolicyForDeploy(deploy) === "public") {
+    return true;
+  }
+
+  if (isDeployTokenValid(deploy, bearerToken(req))) {
+    return true;
+  }
+
+  if (isAdminAuthenticated(req, adminPassword)) {
+    return true;
+  }
+
+  const user = currentDeveloper(req);
+  return Boolean(user?.id && deploy.ownerId && user.id === deploy.ownerId);
+}
+
+async function serveInspect({ adminPassword, artifact, currentDeveloper, deploy, req, route, store, systemPath }, res) {
+  const policy = inspectPolicyForDeploy(deploy);
+  const authorized = inspectAuthorized({ adminPassword, currentDeveloper, deploy, req });
+
   if (systemPath === "/__lakebed/manifest") {
-    sendJson(res, 200, {
-      artifactHash: deploy.artifactHash,
-      clientBundleHash: deploy.clientBundleHash,
-      deployId: deploy.id,
-      expiresAt: deploy.expiresAt,
-      limits: deploy.limits,
-      mutations: Object.keys(artifact.server.mutations ?? {}),
-      name: artifact.name ?? "Lakebed Capsule",
-      queries: Object.keys(artifact.server.queries ?? {}),
-      schema: artifact.server.schema,
-      slug: deploy.slug,
-      updatedAt: deploy.updatedAt,
-      url: deploy.url
-    });
+    if (!authorized && policy === "private") {
+      sendJson(res, 401, inspectAuthFailure(deploy, systemPath));
+      return true;
+    }
+
+    const domains =
+      typeof store.listDeployDomainsForDeploy === "function"
+        ? (await store.listDeployDomainsForDeploy(deploy.id)).map(responseForDeployDomain)
+        : [];
+    sendJson(res, 200, authorized ? fullManifestForDeploy({ artifact, deploy, domains }) : publicManifestForDeploy({ artifact, deploy }));
     return true;
   }
 
   if (systemPath === "/__lakebed/db/tables") {
     const counts = await store.tableCounts(deploy.id, artifact.server.schema);
-    sendJson(res, 200, {
-      tables: Object.keys(artifact.server.schema ?? {}),
-      counts
-    });
+    if (!authorized && policy !== "redacted") {
+      sendJson(res, 401, inspectAuthFailure(deploy, systemPath));
+      return true;
+    }
+
+    sendJson(res, 200, authorized ? { tables: Object.keys(artifact.server.schema ?? {}), counts } : { counts, redacted: true });
     return true;
   }
 
   if (systemPath === "/__lakebed/db") {
+    if (!authorized && policy !== "redacted") {
+      sendJson(res, 401, inspectAuthFailure(deploy, systemPath));
+      return true;
+    }
+
+    if (policy === "redacted" && !authorized) {
+      const counts = await store.tableCounts(deploy.id, artifact.server.schema);
+      sendJson(res, 200, { counts, redacted: true });
+      return true;
+    }
+
     sendJson(res, 200, await store.dumpState(deploy.id, artifact.server.schema, deploy.limits.rowsReturned));
     return true;
   }
 
   if (systemPath === "/__lakebed/logs") {
-    sendJson(res, 200, await store.readLogs(deploy.id, 100));
+    if (!authorized && policy !== "redacted") {
+      sendJson(res, 401, inspectAuthFailure(deploy, systemPath));
+      return true;
+    }
+
+    const logs = await store.readLogs(deploy.id, 100);
+    sendJson(res, 200, policy === "redacted" && !authorized ? logs.map(redactLogEntry) : logs);
     return true;
   }
 
   if (systemPath === "/__lakebed/usage") {
+    if (!authorized && policy !== "redacted") {
+      sendJson(res, 401, inspectAuthFailure(deploy, systemPath));
+      return true;
+    }
+
     sendJson(res, 200, {
       limits: deploy.limits,
       usage: await store.readUsage(deploy.id)
@@ -3910,6 +5648,9 @@ export async function startAnonymousServer({
 } = {}) {
   const resolvedAppBaseDomain = normalizeAppBaseDomain(appBaseDomain);
   const resolvedPublicRootUrl = normalizePublicRootUrl(publicRootUrl ?? process.env.PUBLIC_ROOT_URL, port);
+  const deployCreationPolicy = anonymousDeployCreationPolicy({ publicRootUrl: resolvedPublicRootUrl });
+  const clientTrafficPolicy = anonymousClientTrafficPolicy({ publicRootUrl: resolvedPublicRootUrl });
+  const cleanupPolicy = cleanupPolicyFromEnv();
   const resolvedGithubOAuth = normalizeGithubOAuth(githubOAuth);
   const resolvedDeveloperSessionSecret =
     developerSessionSecret || resolvedGithubOAuth?.sessionSecret || resolvedGithubOAuth?.clientSecret || adminPassword || "";
@@ -3917,6 +5658,7 @@ export async function startAnonymousServer({
   const resolvedSourceRuntime = sourceRuntime === undefined ? createSourceRuntimeFromEnv() : sourceRuntime;
   await resolvedStore.initialize();
   const subscriptions = new Map();
+  let cleanupInterval = null;
 
   function activeConnectionCounts() {
     const counts = new Map();
@@ -3937,6 +5679,10 @@ export async function startAnonymousServer({
   async function adminSummary() {
     const deploys = await adminDeploysWithConnections();
     const users = await resolvedStore.listAdminUsers();
+    const cleanup =
+      typeof resolvedStore.readCleanupActivity === "function"
+        ? await resolvedStore.readCleanupActivity()
+        : { lastRun: null, recentRuns: [], totals: {} };
     const totals = deploys.reduce(
       (acc, deploy) => ({
         artifactBytes: acc.artifactBytes + deploy.artifactBytes,
@@ -3963,6 +5709,7 @@ export async function startAnonymousServer({
     return {
       deployCount: deploys.length,
       deploys,
+      cleanup,
       generatedAt: now(),
       totals,
       userCount: users.length,
@@ -3989,10 +5736,50 @@ export async function startAnonymousServer({
     return developerFromRequest(req, resolvedDeveloperSessionSecret);
   }
 
+  function canManageDeploy(req, deploy) {
+    if (isDeployTokenValid(deploy, bearerToken(req))) {
+      return true;
+    }
+
+    const user = currentDeveloper(req);
+    return Boolean(user?.id && deploy.ownerId && user.id === deploy.ownerId);
+  }
+
   async function developerDeploys(user) {
     return resolvedStore.listDeploysForOwner(user.id);
   }
 
+  async function enforceAnonymousDeployCreation(req) {
+    if (deployCreationPolicy.disabled) {
+      const error = new LakebedQuotaError({
+        bucket: "anonymous_deploy_create_global",
+        count: deployCreationPolicy.globalLimit,
+        limit: deployCreationPolicy.globalLimit,
+        status: 503,
+        suggestion: "Anonymous deploy creation is temporarily disabled. Retry later or claim an existing deploy."
+      });
+      error.code = "lakebed_deploy_creation_disabled";
+      error.message = "Anonymous deploy creation is temporarily disabled.";
+      throw error;
+    }
+
+    const clientKey = forwardedClientKey(req);
+    await resolvedStore.incrementDeployCreateQuota(clientKey, "anonymous_deploy_create_client", deployCreationPolicy.perClientLimit);
+    await resolvedStore.incrementDeployCreateQuota("global", "anonymous_deploy_create_global", deployCreationPolicy.globalLimit);
+  }
+
+  async function enforceClientTrafficQuota(clientKey, bucket) {
+    if (typeof resolvedStore.incrementClientQuota !== "function") {
+      return;
+    }
+
+    const limit =
+      bucket === "mutations"
+        ? clientTrafficPolicy.mutationsPerClientLimit
+        : clientTrafficPolicy.requestsPerClientLimit;
+    await resolvedStore.incrementClientQuota(clientKey, clientTrafficQuotaBucket(bucket), limit);
+  }
+
   async function refreshDeploySubscriptions(deploy) {
     const storedArtifact = await resolvedStore.getArtifact(deploy.artifactHash);
     if (!storedArtifact) {
@@ -4032,6 +5819,30 @@ export async function startAnonymousServer({
     }
   }
 
+  function cleanupTouchedResources(stats) {
+    return (
+      Number(stats?.markedTerminated ?? 0) +
+      Number(stats?.deletedDeploys ?? 0) +
+      Number(stats?.deletedStateRows ?? 0) +
+      Number(stats?.deletedLogEntries ?? 0) +
+      Number(stats?.deletedArtifacts ?? 0)
+    );
+  }
+
+  async function runCleanup(reason = "periodic") {
+    if (typeof resolvedStore.cleanupExpiredDeploys !== "function") {
+      return null;
+    }
+
+    const stats = await resolvedStore.cleanupExpiredDeploys(cleanupPolicy);
+    if (!quiet && cleanupTouchedResources(stats) > 0) {
+      console.log(
+        `[lakebed:cleanup] ${reason} marked=${stats.markedTerminated} deleted=${stats.deletedDeploys} stateRows=${stats.deletedStateRows} logs=${stats.deletedLogEntries} artifacts=${stats.deletedArtifacts}`
+      );
+    }
+    return stats;
+  }
+
   async function publishDeploy(deployId) {
     for (const [ws, subscription] of subscriptions) {
       if (subscription.deploy.id !== deployId) {
@@ -4378,9 +6189,101 @@ export async function startAnonymousServer({
         return;
       }
 
+      const deployDomainsMatch = requestUrl.pathname.match(/^\/v1\/deploys\/([^/]+)\/domains$/);
+      if (deployDomainsMatch && (req.method === "GET" || req.method === "POST")) {
+        const deployId = decodeURIComponent(deployDomainsMatch[1]);
+        const currentDeploy = await resolvedStore.getDeployById(deployId);
+        if (!currentDeploy) {
+          sendJson(res, 404, { error: "Unknown deploy." });
+          return;
+        }
+
+        if (!canManageDeploy(req, currentDeploy)) {
+          sendJson(res, 401, { error: "Invalid deploy token." });
+          return;
+        }
+
+        if (req.method === "GET") {
+          sendJson(res, 200, {
+            deployId: currentDeploy.id,
+            domains:
+              typeof resolvedStore.listDeployDomainsForDeploy === "function"
+                ? (await resolvedStore.listDeployDomainsForDeploy(currentDeploy.id)).map(responseForDeployDomain)
+                : []
+          });
+          return;
+        }
+
+        if (!currentDeploy.ownerId) {
+          sendJson(res, 409, { error: "Deploy must be claimed before registering Lakebed subdomains." });
+          return;
+        }
+        if (currentDeploy.status !== "active" || isExpired(currentDeploy)) {
+          sendJson(res, 409, { error: "Deploy must be active to register Lakebed subdomains." });
+          return;
+        }
+
+        let normalizedDomain;
+        try {
+          const body = await readJsonBody(req, 8192);
+          normalizedDomain = normalizeLakebedSubdomainInput(body.hostname ?? body.subdomain, resolvedAppBaseDomain);
+        } catch (error) {
+          sendJson(res, 400, { error: error instanceof Error ? error.message : String(error) });
+          return;
+        }
+
+        const created = await resolvedStore.createLakebedSubdomain({
+          deployId: currentDeploy.id,
+          hostname: normalizedDomain.hostname,
+          label: normalizedDomain.label,
+          ownerId: currentDeploy.ownerId
+        });
+        if (created.status === "missing") {
+          sendJson(res, 404, { error: "Unknown deploy." });
+          return;
+        }
+        if (created.status === "unclaimed") {
+          sendJson(res, 409, { error: "Deploy must be claimed before registering Lakebed subdomains." });
+          return;
+        }
+        if (created.status === "forbidden") {
+          sendJson(res, 403, { error: "Deploy is claimed by another developer." });
+          return;
+        }
+        if (created.status === "inactive") {
+          sendJson(res, 409, { error: "Deploy must be active to register Lakebed subdomains." });
+          return;
+        }
+        if (created.status === "conflict") {
+          sendJson(res, 409, { error: "Subdomain is already registered." });
+          return;
+        }
+        if (created.status === "slug_conflict") {
+          sendJson(res, 409, { error: "Subdomain is already used by a generated Lakebed deploy URL." });
+          return;
+        }
+
+        if (created.status === "created") {
+          await resolvedStore.appendLog(currentDeploy.id, "info", "lakebed subdomain registered", {
+            hostname: created.domain.hostname
+          });
+        }
+
+        sendJson(res, created.status === "created" ? 201 : 200, responseForDeployDomain(created.domain));
+        return;
+      }
+
       if (req.method === "POST" && requestUrl.pathname === "/v1/anonymous-deploys") {
+        await enforceAnonymousDeployCreation(req);
         const body = await readJsonBody(req);
         const payload = validateAnonymousDeployPayload(body);
+        let inspectPolicy;
+        try {
+          inspectPolicy = normalizeInspectPolicy(body.inspectPolicy);
+        } catch (error) {
+          sendJson(res, 400, { error: error instanceof Error ? error.message : String(error) });
+          return;
+        }
         if (payload.serverEnv !== undefined && Object.keys(payload.serverEnv).length > 0) {
           sendJson(res, 400, { error: "Server env requires a claimed deploy." });
           return;
@@ -4391,6 +6294,7 @@ export async function startAnonymousServer({
           artifactHash: payload.artifactHash,
           clientBundleBase64: payload.clientBundleBase64,
           clientBundleHash: payload.clientBundleHash,
+          inspectPolicy,
           publicRootUrl: resolvedPublicRootUrl,
           serverEnv: payload.serverEnv
         });
@@ -4414,6 +6318,13 @@ export async function startAnonymousServer({
 
         const body = await readJsonBody(req);
         const payload = validateAnonymousDeployPayload(body, { allowClaimedSource: Boolean(currentDeploy.ownerId) });
+        let inspectPolicy;
+        try {
+          inspectPolicy = Object.hasOwn(body, "inspectPolicy") ? normalizeInspectPolicy(body.inspectPolicy) : undefined;
+        } catch (error) {
+          sendJson(res, 400, { error: error instanceof Error ? error.message : String(error) });
+          return;
+        }
         if (payload.serverEnv !== undefined && !currentDeploy.ownerId) {
           sendJson(res, 400, { error: "Server env requires a claimed deploy." });
           return;
@@ -4425,6 +6336,7 @@ export async function startAnonymousServer({
           clientBundleBase64: payload.clientBundleBase64,
           clientBundleHash: payload.clientBundleHash,
           deployId,
+          inspectPolicy,
           publicRootUrl: resolvedPublicRootUrl,
           serverEnv: payload.serverEnv
         });
@@ -4463,6 +6375,8 @@ export async function startAnonymousServer({
         return;
       }
 
+      const clientKey = forwardedClientKey(req);
+      await enforceClientTrafficQuota(clientKey, "requests");
       await resolvedStore.incrementQuota(
         loaded.deploy.id,
         "requests",
@@ -4486,22 +6400,44 @@ export async function startAnonymousServer({
         return;
       }
 
-      if (req.method === "GET" && (await serveInspect({ ...loaded, store: resolvedStore, systemPath: appPath }, res))) {
+      if (
+        req.method === "GET" &&
+        (await serveInspect({
+          ...loaded,
+          adminPassword,
+          currentDeveloper,
+          req,
+          store: resolvedStore,
+          systemPath: appPath
+        }, res))
+      ) {
         return;
       }
 
       sendText(res, 404, "Not found\n", { "Content-Type": "text/plain; charset=utf-8" });
     } catch (error) {
+      if (isQuotaError(error)) {
+        sendJson(
+          res,
+          error.status ?? 429,
+          quotaErrorBody(error, {
+            signInUrl: `${resolvedPublicRootUrl}/auth/github?return_to=${encodeURIComponent("/deploys")}`
+          }),
+          quotaErrorHeaders(error)
+        );
+        return;
+      }
       sendJson(res, 500, { error: error instanceof Error ? error.message : String(error) });
     }
   });
 
   const wss = new WebSocketServer({ noServer: true });
 
-  wss.on("connection", (ws, _req, loaded, auth) => {
+  wss.on("connection", (ws, req, loaded, auth) => {
     subscriptions.set(ws, {
       artifact: loaded.artifact,
       auth,
+      clientKey: forwardedClientKey(req),
       deploy: loaded.deploy,
       queries: new Set()
     });
@@ -4522,6 +6458,7 @@ export async function startAnonymousServer({
       }
 
       try {
+        await enforceClientTrafficQuota(subscription.clientKey, "requests");
         await resolvedStore.incrementQuota(
           subscription.deploy.id,
           "requests",
@@ -4548,6 +6485,7 @@ export async function startAnonymousServer({
         }
 
         if (message.op === "mutation.run") {
+          await enforceClientTrafficQuota(subscription.clientKey, "mutations");
           await resolvedStore.incrementQuota(
             subscription.deploy.id,
             "mutations",
@@ -4574,7 +6512,14 @@ export async function startAnonymousServer({
           error: error instanceof Error ? error.message : String(error),
           op: message?.op
         });
+        const quota = isQuotaError(error) ? quotaErrorBody(error) : null;
         websocketSend(ws, {
+          ...(quota
+            ? {
+                code: quota.code,
+                quota
+              }
+            : {}),
           error: error instanceof Error ? error.message : String(error),
           id: message?.id,
           ok: false,
@@ -4621,6 +6566,20 @@ export async function startAnonymousServer({
     });
   });
 
+  void runCleanup("startup").catch((error) => {
+    if (!quiet) {
+      console.error(`[lakebed:cleanup] startup failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+  });
+  cleanupInterval = setInterval(() => {
+    void runCleanup("periodic").catch((error) => {
+      if (!quiet) {
+        console.error(`[lakebed:cleanup] periodic failed: ${error instanceof Error ? error.message : String(error)}`);
+      }
+    });
+  }, cleanupPolicy.intervalSeconds * 1000);
+  cleanupInterval.unref?.();
+
   if (!quiet) {
     console.log(`Lakebed anonymous runner listening at ${resolvedPublicRootUrl}`);
   }
@@ -4632,6 +6591,9 @@ export async function startAnonymousServer({
     store: resolvedStore,
     url: resolvedPublicRootUrl,
     async close() {
+      if (cleanupInterval) {
+        clearInterval(cleanupInterval);
+      }
       for (const client of wss.clients) {
         client.close();
       }