lakebed 0.0.16 → 0.0.17

package/README.md

@@ -122,14 +122,14 @@ lakebed new [name] [--template todo] [--no-git]
 lakebed create [name] [--template todo] [--no-git]
 lakebed dev [capsule-dir] [--port 3000]
 lakebed build [capsule-dir] --target anonymous [--out .lakebed/artifacts/app.json] [--json]
-lakebed deploy [capsule-dir] [--api <url>] [--json]
+lakebed deploy [capsule-dir] [--api <url>] [--public-inspect] [--json]
 lakebed claim [capsule-dir] [--api <url>] [--json]
 lakebed domains add <subdomain.lakebed.app> [--api <url>] [--json]
 lakebed anonymous-server [--port 8787] [--public-root-url <url>] [--app-base-domain <domain>]
-lakebed inspect <deploy-id-or-url> [--api <url>] [--json]
-lakebed db list [deploy-id-or-url] [--port 3000]
-lakebed db dump [deploy-id-or-url] [--port 3000]
-lakebed logs [deploy-id-or-url] [--port 3000]
+lakebed inspect <deploy-id-or-url> [--api <url>] [--inspect-token <token>] [--json]
+lakebed db list [deploy-id-or-url] [--port 3000] [--inspect-token <token>]
+lakebed db dump [deploy-id-or-url] [--port 3000] [--inspect-token <token>]
+lakebed logs [deploy-id-or-url] [--port 3000] [--inspect-token <token>]
 ```
 
 ## Current Constraints
@@ -199,6 +199,8 @@ LAKEBED_SERVER_ENV_SECRET=...
 
 Claimed deploys are listed at `/deploys` on the deploy API origin. They keep the same resource limits as anonymous deploys and do not expire. Anonymous deploys cannot use outbound `fetch` or hosted server env; after a deploy is claimed, `lakebed deploy` can update it with a source-backed server artifact that supports async handlers, server-side fetch, and `.env.lakebed.server` sync. If the first deploy already needs server-side `fetch` or server env, `lakebed deploy` creates a claim-required preview, saves its claim metadata, and prints the `lakebed claim` command. Run that command, then run `lakebed deploy` again to publish the real source-backed app. Set `LAKEBED_SERVER_ENV_SECRET` on Postgres-backed runners to encrypt stored server env values.
 
+Hosted inspection is private by default. `lakebed inspect`, `lakebed db list`, `lakebed db dump`, and `lakebed logs` send the saved claim token automatically when run from the capsule directory.
+
 After a deploy is claimed, reserve a Lakebed-owned app subdomain from the capsule directory:
 
 ```sh

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lakebed",
-  "version": "0.0.16",
+  "version": "0.0.17",
   "description": "Agent-native CLI and runtime for building and deploying Lakebed capsules.",
   "license": "UNLICENSED",
   "type": "module",

package/src/anonymous-server.js

@@ -7,6 +7,7 @@ import {
   createDeployId,
   createSlug,
   DEFAULT_ANONYMOUS_LIMITS,
+  LAKEBED_VERSION,
   executeAnonymousMutation,
   executeAnonymousQuery,
   hashClaimToken,
@@ -151,6 +152,79 @@ function isDeployTokenValid(deploy, token) {
   return Boolean(token && deploy?.claimTokenHash && hashClaimToken(token) === deploy.claimTokenHash);
 }
 
+const inspectPolicies = new Set(["private", "redacted", "public"]);
+
+function normalizeInspectPolicy(value, fallback = "private") {
+  if (value === undefined || value === null || value === "") {
+    return fallback;
+  }
+
+  const policy = String(value).trim().toLowerCase();
+  if (!inspectPolicies.has(policy)) {
+    throw new Error("inspectPolicy must be private, redacted, or public.");
+  }
+  return policy;
+}
+
+function inspectPolicyForDeploy(deploy) {
+  return normalizeInspectPolicy(deploy?.inspectPolicy, "private");
+}
+
+const sensitiveKeyPattern =
+  /(^|[_-])(authorization|bearer|cookie|jwt|password|secret|session|token|api[_-]?key|access[_-]?key|private[_-]?key|refresh[_-]?token)([_-]|$)/i;
+const secretValuePatterns = [
+  /\bBearer\s+[A-Za-z0-9._~+/-]+=*/gi,
+  /\b(sk|pk|rk|ghp|gho|github_pat)_[A-Za-z0-9_]{12,}\b/g,
+  /\b[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/g
+];
+
+function redactSensitiveString(value) {
+  return secretValuePatterns.reduce((text, pattern) => text.replace(pattern, "[redacted]"), String(value));
+}
+
+function isSensitiveKey(key) {
+  const normalized = String(key).replace(/([a-z0-9])([A-Z])/g, "$1_$2");
+  return sensitiveKeyPattern.test(normalized);
+}
+
+function redactInspectValue(value, seen = new WeakSet()) {
+  if (typeof value === "string") {
+    return redactSensitiveString(value);
+  }
+
+  if (!value || typeof value !== "object") {
+    return value;
+  }
+
+  if (seen.has(value)) {
+    return "[redacted circular]";
+  }
+  seen.add(value);
+
+  if (Array.isArray(value)) {
+    return value.map((entry) => redactInspectValue(entry, seen));
+  }
+
+  return Object.fromEntries(
+    Object.entries(value).map(([key, entryValue]) => [
+      key,
+      isSensitiveKey(key) ? "[redacted]" : redactInspectValue(entryValue, seen)
+    ])
+  );
+}
+
+function redactLogEntry(entry) {
+  return {
+    ...entry,
+    data: redactInspectValue(entry.data),
+    message: redactSensitiveString(entry.message)
+  };
+}
+
+function redactLogData(data) {
+  return redactInspectValue(data);
+}
+
 function normalizePublicRootUrl(value, port) {
   const fallback = `http://localhost:${port}`;
   return String(value || fallback).replace(/\/+$/g, "");
@@ -296,6 +370,7 @@ function responseForDeploy({ deploy, token }) {
     deployId: deploy.id,
     expiresAt: deploy.expiresAt,
     inspect: inspectUrls(deploy.url),
+    inspectPolicy: inspectPolicyForDeploy(deploy),
     limits: deploy.limits,
     updatedAt: deploy.updatedAt,
     url: deploy.url
@@ -698,7 +773,7 @@ function isSecureRequest(req) {
 }
 
 function adminCookie(value, maxAge = adminCookieMaxAgeSeconds, secure = false) {
-  return `${adminCookieName}=${value}; HttpOnly; SameSite=Lax; Path=/admin; Max-Age=${maxAge}${secure ? "; Secure" : ""}`;
+  return `${adminCookieName}=${value}; HttpOnly; SameSite=Lax; Path=/; Max-Age=${maxAge}${secure ? "; Secure" : ""}`;
 }
 
 function cookie(name, value, { httpOnly = true, maxAge, path = "/", sameSite = "Lax", secure = false } = {}) {
@@ -1130,6 +1205,7 @@ function adminDeploySummary({ artifact, artifactBytes = 0, deploy, logBytes = 0,
     createdAt: deploy.createdAt,
     expiresAt: deploy.expiresAt,
     id: deploy.id,
+    inspectPolicy: inspectPolicyForDeploy(deploy),
     limits: deploy.limits,
     logBytes,
     logEntries,
@@ -2777,6 +2853,7 @@ function developerDeploySummary({ artifact, deploy, usage }) {
     deployId: deploy.id,
     expiresAt: deploy.expiresAt,
     inspect: inspectUrls(deploy.url),
+    inspectPolicy: inspectPolicyForDeploy(deploy),
     limits: deploy.limits,
     name: artifact?.name ?? "Lakebed Capsule",
     ownerId: deploy.ownerId,
@@ -3389,7 +3466,7 @@ export class MemoryAnonymousStore {
     return false;
   }
 
-  async createDeploy({ appBaseDomain, artifact, artifactHash, clientBundleBase64, clientBundleHash, publicRootUrl, serverEnv }) {
+  async createDeploy({ appBaseDomain, artifact, artifactHash, clientBundleBase64, clientBundleHash, inspectPolicy, publicRootUrl, serverEnv }) {
     const deployId = createDeployId();
     const normalizedAppBaseDomain = normalizeAppBaseDomain(appBaseDomain);
     let slug = createSlug();
@@ -3422,6 +3499,7 @@ export class MemoryAnonymousStore {
       createdAt,
       expiresAt,
       id: deployId,
+      inspectPolicy: normalizeInspectPolicy(inspectPolicy),
       limits: { ...DEFAULT_ANONYMOUS_LIMITS },
       owner: null,
       ownerId: null,
@@ -3446,6 +3524,7 @@ export class MemoryAnonymousStore {
     clientBundleBase64,
     clientBundleHash,
     deployId,
+    inspectPolicy,
     publicRootUrl,
     serverEnv
   }) {
@@ -3463,6 +3542,7 @@ export class MemoryAnonymousStore {
       artifactHash,
       clientBundleHash,
       expiresAt: currentDeploy.ownerId ? null : anonymousDeployExpiresAt(),
+      inspectPolicy: inspectPolicy === undefined ? inspectPolicyForDeploy(currentDeploy) : normalizeInspectPolicy(inspectPolicy),
       publicRootUrl: nextPublicRootUrl,
       url: appUrlForSlug({ appBaseDomain: nextAppBaseDomain, publicRootUrl: nextPublicRootUrl, slug: currentDeploy.slug }),
       status: "active",
@@ -3692,7 +3772,7 @@ export class MemoryAnonymousStore {
   }
 
   async appendLog(deployId, level, message, data) {
-    const entries = [...(this.logs.get(deployId) ?? []), normalizeLogEntry(level, message, data)];
+    const entries = [...(this.logs.get(deployId) ?? []), redactLogEntry(normalizeLogEntry(level, message, data))];
     const maxEntries = DEFAULT_ANONYMOUS_LIMITS.logEntries;
     const maxBytes = DEFAULT_ANONYMOUS_LIMITS.logBytes;
     while (entries.length > maxEntries || bytesOfJson(entries) > maxBytes) {
@@ -3702,7 +3782,7 @@ export class MemoryAnonymousStore {
   }
 
   async readLogs(deployId, limit = 100) {
-    return (this.logs.get(deployId) ?? []).slice(-limit);
+    return (this.logs.get(deployId) ?? []).slice(-limit).map(redactLogEntry);
   }
 
   async tableCounts(deployId, schema) {
@@ -4061,6 +4141,7 @@ export class PostgresAnonymousStore {
         owner_id text,
         owner_json jsonb,
         claim_token_hash text not null,
+        inspect_policy text not null default 'private',
         limits_json jsonb not null,
         counters_json jsonb not null default '{}',
         public_root_url text not null,
@@ -4071,6 +4152,7 @@ export class PostgresAnonymousStore {
     await this.query("alter table deploys add column if not exists claimed_at timestamptz");
     await this.query("alter table deploys add column if not exists owner_id text");
     await this.query("alter table deploys add column if not exists owner_json jsonb");
+    await this.query("alter table deploys add column if not exists inspect_policy text not null default 'private'");
     await this.query("alter table deploys add column if not exists updated_at timestamptz");
     await this.query("update deploys set updated_at = created_at where updated_at is null");
     await this.query("alter table deploys alter column updated_at set not null");
@@ -4491,10 +4573,11 @@ export class PostgresAnonymousStore {
     return true;
   }
 
-  async createDeploy({ appBaseDomain, artifact, artifactHash, clientBundleBase64, clientBundleHash, publicRootUrl, serverEnv }) {
+  async createDeploy({ appBaseDomain, artifact, artifactHash, clientBundleBase64, clientBundleHash, inspectPolicy, publicRootUrl, serverEnv }) {
     const createdAt = now();
     const normalizedAppBaseDomain = normalizeAppBaseDomain(appBaseDomain);
     const expiresAt = anonymousDeployExpiresAt();
+    const normalizedInspectPolicy = normalizeInspectPolicy(inspectPolicy);
     const token = createClaimToken();
     const deployId = createDeployId();
 
@@ -4514,6 +4597,7 @@ export class PostgresAnonymousStore {
         createdAt,
         expiresAt,
         id: deployId,
+        inspectPolicy: normalizedInspectPolicy,
         limits: { ...DEFAULT_ANONYMOUS_LIMITS },
         owner: null,
         ownerId: null,
@@ -4538,9 +4622,9 @@ export class PostgresAnonymousStore {
             `
             insert into deploys(
               id, slug, status, artifact_hash, client_bundle_hash, created_at, updated_at, expires_at,
-              claim_token_hash, limits_json, counters_json, public_root_url, app_base_domain, url
+              claim_token_hash, inspect_policy, limits_json, counters_json, public_root_url, app_base_domain, url
             )
-            values($1, $2, $3, $4, $5, $6, $7, $8, $9, $10::jsonb, '{}'::jsonb, $11, $12, $13)
+            values($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11::jsonb, '{}'::jsonb, $12, $13, $14)
             `,
             [
               deploy.id,
@@ -4552,6 +4636,7 @@ export class PostgresAnonymousStore {
               deploy.updatedAt,
               deploy.expiresAt,
               deploy.claimTokenHash,
+              deploy.inspectPolicy,
               JSON.stringify(deploy.limits),
               deploy.publicRootUrl,
               deploy.appBaseDomain,
@@ -4584,6 +4669,7 @@ export class PostgresAnonymousStore {
     clientBundleBase64,
     clientBundleHash,
     deployId,
+    inspectPolicy,
     publicRootUrl,
     serverEnv
   }) {
@@ -4596,6 +4682,7 @@ export class PostgresAnonymousStore {
     const expiresAt = currentDeploy.ownerId ? null : anonymousDeployExpiresAt();
     const nextAppBaseDomain = normalizeAppBaseDomain(appBaseDomain ?? currentDeploy.appBaseDomain);
     const nextPublicRootUrl = publicRootUrl ?? currentDeploy.publicRootUrl;
+    const nextInspectPolicy = inspectPolicy === undefined ? inspectPolicyForDeploy(currentDeploy) : normalizeInspectPolicy(inspectPolicy);
     const url = appUrlForSlug({ appBaseDomain: nextAppBaseDomain, publicRootUrl: nextPublicRootUrl, slug: currentDeploy.slug });
     await this.storeArtifact({ artifact, artifactHash, clientBundleBase64, clientBundleHash, createdAt: updatedAt });
 
@@ -4609,11 +4696,12 @@ export class PostgresAnonymousStore {
         public_root_url = $5,
         app_base_domain = $6,
         url = $7,
-        updated_at = $8
+        inspect_policy = $8,
+        updated_at = $9
       where id = $1
       returning *
       `,
-      [deployId, artifactHash, clientBundleHash, expiresAt, nextPublicRootUrl, nextAppBaseDomain || null, url, updatedAt]
+      [deployId, artifactHash, clientBundleHash, expiresAt, nextPublicRootUrl, nextAppBaseDomain || null, url, nextInspectPolicy, updatedAt]
     );
     if (serverEnv !== undefined) {
       await this.replaceServerEnv(deployId, serverEnv, updatedAt);
@@ -4687,6 +4775,7 @@ export class PostgresAnonymousStore {
       createdAt: new Date(row.created_at).toISOString(),
       expiresAt: row.expires_at ? new Date(row.expires_at).toISOString() : null,
       id: row.id,
+      inspectPolicy: normalizeInspectPolicy(row.inspect_policy),
       limits: { ...DEFAULT_ANONYMOUS_LIMITS, ...(row.limits_json ?? {}) },
       owner: row.owner_json ?? null,
       ownerId: row.owner_id ?? null,
@@ -4931,7 +5020,7 @@ export class PostgresAnonymousStore {
   }
 
   async appendLog(deployId, level, message, data) {
-    const entry = normalizeLogEntry(level, message, data);
+    const entry = redactLogEntry(normalizeLogEntry(level, message, data));
     await this.query(
       "insert into logs(deploy_id, level, message, data_json, created_at) values($1, $2, $3, $4::jsonb, $5)",
       [deployId, entry.level, entry.message, JSON.stringify(entry.data ?? null), entry.at]
@@ -4962,7 +5051,7 @@ export class PostgresAnonymousStore {
       "select level, message, data_json, created_at from logs where deploy_id = $1 order by sequence desc limit $2",
       [deployId, limit]
     );
-    return result.rows.reverse().map((row) => ({
+    return result.rows.reverse().map((row) => redactLogEntry({
       at: new Date(row.created_at).toISOString(),
       data: row.data_json,
       level: row.level,
@@ -5369,49 +5458,164 @@ async function loadDeployByRoute({ appBaseDomain, host, store, url }) {
   return { artifact: storedArtifact.artifact, basePath: route.basePath, deploy, route, storedArtifact };
 }
 
-async function serveInspect({ artifact, deploy, route, store, systemPath }, res) {
+function mutationInspectDetails(artifact) {
+  return Object.entries(artifact.server?.mutations ?? {}).map(([name, mutation]) => {
+    if (mutation?.op === "source") {
+      return { guards: [], mode: "source-backed", name };
+    }
+
+    const guards = [];
+    for (const operation of mutation?.body ?? []) {
+      for (const guard of operation.guards ?? []) {
+        guards.push({
+          equalsAuth: guard.equalsAuth,
+          field: guard.field,
+          operation: operation.op,
+          table: operation.table
+        });
+      }
+    }
+
+    return {
+      guards,
+      mode: guards.length > 0 ? "guarded-ir" : "interpreted-ir",
+      name
+    };
+  });
+}
+
+function publicManifestForDeploy({ artifact, deploy }) {
+  return {
+    clientBundleHash: deploy.clientBundleHash,
+    deployId: deploy.id,
+    name: artifact.name ?? "Lakebed Capsule",
+    runtimeVersion: LAKEBED_VERSION
+  };
+}
+
+function fullManifestForDeploy({ artifact, deploy, domains = [] }) {
+  return {
+    artifactHash: deploy.artifactHash,
+    clientBundleHash: deploy.clientBundleHash,
+    deployId: deploy.id,
+    domains,
+    expiresAt: deploy.expiresAt,
+    inspectPolicy: inspectPolicyForDeploy(deploy),
+    limits: deploy.limits,
+    mutationDetails: mutationInspectDetails(artifact),
+    mutations: Object.keys(artifact.server.mutations ?? {}),
+    name: artifact.name ?? "Lakebed Capsule",
+    queries: Object.keys(artifact.server.queries ?? {}),
+    runtimeVersion: LAKEBED_VERSION,
+    schema: artifact.server.schema,
+    slug: deploy.slug,
+    updatedAt: deploy.updatedAt,
+    url: deploy.url
+  };
+}
+
+function inspectCommandForPath(deploy, systemPath) {
+  if (systemPath === "/__lakebed/db") {
+    return `lakebed db dump ${deploy.id}`;
+  }
+  if (systemPath === "/__lakebed/db/tables") {
+    return `lakebed db list ${deploy.id}`;
+  }
+  if (systemPath === "/__lakebed/logs") {
+    return `lakebed logs ${deploy.id}`;
+  }
+  return `lakebed inspect ${deploy.id}`;
+}
+
+function inspectAuthFailure(deploy, systemPath) {
+  return {
+    command: inspectCommandForPath(deploy, systemPath),
+    error: "Lakebed hosted inspection requires authorization.",
+    hint: "Run this command from the capsule directory so Lakebed can read .lakebed/deploy.json, or send Authorization: Bearer <claim-token>.",
+    inspectPolicy: inspectPolicyForDeploy(deploy),
+    path: systemPath
+  };
+}
+
+function inspectAuthorized({ adminPassword, currentDeveloper, deploy, req }) {
+  if (inspectPolicyForDeploy(deploy) === "public") {
+    return true;
+  }
+
+  if (isDeployTokenValid(deploy, bearerToken(req))) {
+    return true;
+  }
+
+  if (isAdminAuthenticated(req, adminPassword)) {
+    return true;
+  }
+
+  const user = currentDeveloper(req);
+  return Boolean(user?.id && deploy.ownerId && user.id === deploy.ownerId);
+}
+
+async function serveInspect({ adminPassword, artifact, currentDeveloper, deploy, req, route, store, systemPath }, res) {
+  const policy = inspectPolicyForDeploy(deploy);
+  const authorized = inspectAuthorized({ adminPassword, currentDeveloper, deploy, req });
+
   if (systemPath === "/__lakebed/manifest") {
-    sendJson(res, 200, {
-      artifactHash: deploy.artifactHash,
-      clientBundleHash: deploy.clientBundleHash,
-      deployId: deploy.id,
-      domains:
-        typeof store.listDeployDomainsForDeploy === "function"
-          ? (await store.listDeployDomainsForDeploy(deploy.id)).map(responseForDeployDomain)
-          : [],
-      expiresAt: deploy.expiresAt,
-      limits: deploy.limits,
-      mutations: Object.keys(artifact.server.mutations ?? {}),
-      name: artifact.name ?? "Lakebed Capsule",
-      queries: Object.keys(artifact.server.queries ?? {}),
-      schema: artifact.server.schema,
-      slug: deploy.slug,
-      updatedAt: deploy.updatedAt,
-      url: deploy.url
-    });
+    if (!authorized && policy === "private") {
+      sendJson(res, 401, inspectAuthFailure(deploy, systemPath));
+      return true;
+    }
+
+    const domains =
+      typeof store.listDeployDomainsForDeploy === "function"
+        ? (await store.listDeployDomainsForDeploy(deploy.id)).map(responseForDeployDomain)
+        : [];
+    sendJson(res, 200, authorized ? fullManifestForDeploy({ artifact, deploy, domains }) : publicManifestForDeploy({ artifact, deploy }));
     return true;
   }
 
   if (systemPath === "/__lakebed/db/tables") {
     const counts = await store.tableCounts(deploy.id, artifact.server.schema);
-    sendJson(res, 200, {
-      tables: Object.keys(artifact.server.schema ?? {}),
-      counts
-    });
+    if (!authorized && policy !== "redacted") {
+      sendJson(res, 401, inspectAuthFailure(deploy, systemPath));
+      return true;
+    }
+
+    sendJson(res, 200, authorized ? { tables: Object.keys(artifact.server.schema ?? {}), counts } : { counts, redacted: true });
     return true;
   }
 
   if (systemPath === "/__lakebed/db") {
+    if (!authorized && policy !== "redacted") {
+      sendJson(res, 401, inspectAuthFailure(deploy, systemPath));
+      return true;
+    }
+
+    if (policy === "redacted" && !authorized) {
+      const counts = await store.tableCounts(deploy.id, artifact.server.schema);
+      sendJson(res, 200, { counts, redacted: true });
+      return true;
+    }
+
     sendJson(res, 200, await store.dumpState(deploy.id, artifact.server.schema, deploy.limits.rowsReturned));
     return true;
   }
 
   if (systemPath === "/__lakebed/logs") {
-    sendJson(res, 200, await store.readLogs(deploy.id, 100));
+    if (!authorized && policy !== "redacted") {
+      sendJson(res, 401, inspectAuthFailure(deploy, systemPath));
+      return true;
+    }
+
+    const logs = await store.readLogs(deploy.id, 100);
+    sendJson(res, 200, policy === "redacted" && !authorized ? logs.map(redactLogEntry) : logs);
     return true;
   }
 
   if (systemPath === "/__lakebed/usage") {
+    if (!authorized && policy !== "redacted") {
+      sendJson(res, 401, inspectAuthFailure(deploy, systemPath));
+      return true;
+    }
+
     sendJson(res, 200, {
       limits: deploy.limits,
       usage: await store.readUsage(deploy.id)
@@ -6073,6 +6277,13 @@ export async function startAnonymousServer({
         await enforceAnonymousDeployCreation(req);
         const body = await readJsonBody(req);
         const payload = validateAnonymousDeployPayload(body);
+        let inspectPolicy;
+        try {
+          inspectPolicy = normalizeInspectPolicy(body.inspectPolicy);
+        } catch (error) {
+          sendJson(res, 400, { error: error instanceof Error ? error.message : String(error) });
+          return;
+        }
         if (payload.serverEnv !== undefined && Object.keys(payload.serverEnv).length > 0) {
           sendJson(res, 400, { error: "Server env requires a claimed deploy." });
           return;
@@ -6083,6 +6294,7 @@ export async function startAnonymousServer({
           artifactHash: payload.artifactHash,
           clientBundleBase64: payload.clientBundleBase64,
           clientBundleHash: payload.clientBundleHash,
+          inspectPolicy,
           publicRootUrl: resolvedPublicRootUrl,
           serverEnv: payload.serverEnv
         });
@@ -6106,6 +6318,13 @@ export async function startAnonymousServer({
 
         const body = await readJsonBody(req);
         const payload = validateAnonymousDeployPayload(body, { allowClaimedSource: Boolean(currentDeploy.ownerId) });
+        let inspectPolicy;
+        try {
+          inspectPolicy = Object.hasOwn(body, "inspectPolicy") ? normalizeInspectPolicy(body.inspectPolicy) : undefined;
+        } catch (error) {
+          sendJson(res, 400, { error: error instanceof Error ? error.message : String(error) });
+          return;
+        }
         if (payload.serverEnv !== undefined && !currentDeploy.ownerId) {
           sendJson(res, 400, { error: "Server env requires a claimed deploy." });
           return;
@@ -6117,6 +6336,7 @@ export async function startAnonymousServer({
           clientBundleBase64: payload.clientBundleBase64,
           clientBundleHash: payload.clientBundleHash,
           deployId,
+          inspectPolicy,
           publicRootUrl: resolvedPublicRootUrl,
           serverEnv: payload.serverEnv
         });
@@ -6180,7 +6400,17 @@ export async function startAnonymousServer({
         return;
       }
 
-      if (req.method === "GET" && (await serveInspect({ ...loaded, store: resolvedStore, systemPath: appPath }, res))) {
+      if (
+        req.method === "GET" &&
+        (await serveInspect({
+          ...loaded,
+          adminPassword,
+          currentDeveloper,
+          req,
+          store: resolvedStore,
+          systemPath: appPath
+        }, res))
+      ) {
         return;
       }
 

package/src/anonymous.js

@@ -420,13 +420,13 @@ async function readSourceFiles(sourceStore) {
   return files.sort((left, right) => left.path.localeCompare(right.path));
 }
 
-function forbiddenSourceDiagnostics(files) {
+function forbiddenSourceDiagnostics(files, { allowAsync = false } = {}) {
   const checks = [
     [/\beval\s*\(/, "eval is not available in anonymous server code."],
     [/\bFunction\s*\(/, "Function constructors are not available in anonymous server code."],
     [/\bimport\s*\(/, "Dynamic import is not available in anonymous server code."],
-    [/\bfetch\s*\(/, "Outbound fetch is disabled for anonymous deploys."],
-    [/\basync\b/, "Async server handlers are not part of the anonymous IR yet. Use synchronous Lakebed database operations."],
+    [/\bfetch\b/, "Outbound fetch is disabled for anonymous deploys."],
+    ...(allowAsync ? [] : [[/\basync\b/, "Async server handlers are not part of the anonymous IR yet. Use synchronous Lakebed database operations."]]),
     [/\bwhile\s*\(/, "while loops are not available in anonymous server code."],
     [/\bfor\s*\(\s*;/, "Unbounded for loops are not available in anonymous server code."],
     [/\bprocess\b/, "process is not available in anonymous server code."],
@@ -486,18 +486,6 @@ function serializeSchema(schema) {
   return { diagnostics, schema: cleanSchema };
 }
 
-function inferMutationGuards(handler) {
-  const source = Function.prototype.toString.call(handler);
-  const guards = [];
-  if (source.includes("ownerId") && source.includes("auth.userId")) {
-    guards.push({ field: "ownerId", equalsAuth: "userId", op: "rowFieldEqualsAuth" });
-  }
-  if (source.includes("authorId") && source.includes("auth.userId")) {
-    guards.push({ field: "authorId", equalsAuth: "userId", op: "rowFieldEqualsAuth" });
-  }
-  return guards;
-}
-
 function compileQueryHandler({ handler, name, schema }) {
   const { ctx, recorder } = createTraceContext({ mode: "query", schema });
   try {
@@ -513,6 +501,40 @@ function compileQueryHandler({ handler, name, schema }) {
   return recorder.query;
 }
 
+function isArgExpression(expr) {
+  return Array.isArray(expr) && expr[0] === "arg" && Number.isInteger(expr[1]);
+}
+
+function expressionContainsOp(expr, targetOp) {
+  if (!isExpression(expr)) {
+    if (Array.isArray(expr)) {
+      return expr.some((item) => expressionContainsOp(item, targetOp));
+    }
+    if (isPlainObject(expr)) {
+      return Object.values(expr).some((value) => expressionContainsOp(value, targetOp));
+    }
+    return false;
+  }
+
+  if (expr[0] === targetOp) {
+    return true;
+  }
+
+  return expr.slice(1).some((item) => expressionContainsOp(item, targetOp));
+}
+
+function expressionContainsArg(expr) {
+  return isArgExpression(expr) || expressionContainsOp(expr, "arg");
+}
+
+function expressionContainsRow(expr) {
+  return expressionContainsOp(expr, "row");
+}
+
+function directWriteGuardDiagnostic(name, operation) {
+  return `Unable to compile mutation "${name}" to anonymous IR: Direct ${operation.op}(id) from an argument-derived value cannot be proven safe by the IR compiler. Use the anonymous source runtime, claim the deploy, or rewrite this mutation to an owner-filtered query shape.`;
+}
+
 function compileMutationHandler({ handler, name, schema }) {
   const { ctx, recorder } = createTraceContext({ mode: "mutation", schema });
   const args = Array.from({ length: Math.max(0, handler.length - 1) }, (_, index) => createSymbolicArg(index));
@@ -523,7 +545,6 @@ function compileMutationHandler({ handler, name, schema }) {
     throw new Error(`Unable to compile mutation "${name}" to anonymous IR: ${error instanceof Error ? error.message : String(error)}`);
   }
 
-  const guards = inferMutationGuards(handler);
   const operations = [];
 
   for (const operation of recorder.operations) {
@@ -540,8 +561,14 @@ function compileMutationHandler({ handler, name, schema }) {
       continue;
     }
 
-    if (operation.op === "update") {
-      operations.push({ ...operation, guards });
+    if (operation.op === "update" || operation.op === "delete") {
+      if (expressionContainsArg(operation.id)) {
+        throw new Error(directWriteGuardDiagnostic(name, operation));
+      }
+      if (expressionContainsRow(operation.id)) {
+        throw new Error(`Unable to compile mutation "${name}" to anonymous IR: ${operation.op} uses an unsupported symbolic row id.`);
+      }
+      operations.push(operation);
       continue;
     }
 
@@ -583,9 +610,9 @@ function compileServerToIr(app, schema) {
   return { diagnostics, mutations, queries };
 }
 
-export async function createAnonymousArtifact({ app, clientOut, sourceStore, version = LAKEBED_VERSION }) {
+export async function createAnonymousArtifact({ app, clientOut, serverOut, sourceStore, version = LAKEBED_VERSION }) {
   const sourceFiles = await readSourceFiles(sourceStore);
-  const diagnostics = forbiddenSourceDiagnostics(sourceFiles);
+  const diagnostics = forbiddenSourceDiagnostics(sourceFiles, { allowAsync: Boolean(serverOut) });
   const { diagnostics: schemaDiagnostics, schema } = serializeSchema(app.schema);
   diagnostics.push(...schemaDiagnostics);
 
@@ -593,18 +620,40 @@ export async function createAnonymousArtifact({ app, clientOut, sourceStore, ver
     throw new AnonymousCompilerError(diagnostics);
   }
 
-  const compiled = compileServerToIr(app, schema);
-  diagnostics.push(...compiled.diagnostics);
-
-  if (diagnostics.length > 0) {
-    throw new AnonymousCompilerError(diagnostics);
-  }
-
   const clientBundle = await readFile(clientOut);
   const clientBundleBase64 = clientBundle.toString("base64");
   const clientBundleHash = sha256(clientBundle);
+  const serverBundle = serverOut ? await readFile(serverOut) : null;
+  const serverBundleBase64 = serverBundle?.toString("base64");
+  const serverBundleHash = serverBundle ? sha256(serverBundle) : null;
   const sourceManifest = sourceFiles.map(({ bytes, hash, path }) => ({ bytes, hash, path }));
   const sourceSnapshotHash = sha256(stableStringify(sourceManifest));
+  const server = serverBundle
+    ? {
+        helpers: {},
+        imports: ["lakebed/server"],
+        mutations: Object.fromEntries(Object.keys(app.mutations ?? {}).map((name) => [name, { op: "source" }])),
+        queries: Object.fromEntries(Object.keys(app.queries ?? {}).map((name) => [name, { op: "source" }])),
+        schema,
+        source: {
+          bytes: serverBundle.byteLength,
+          bundle: serverBundleBase64,
+          bundleHash: serverBundleHash,
+          entry: "/server.mjs"
+        }
+      }
+    : null;
+  let compiled = null;
+
+  if (!server) {
+    compiled = compileServerToIr(app, schema);
+    diagnostics.push(...compiled.diagnostics);
+
+    if (diagnostics.length > 0) {
+      throw new AnonymousCompilerError(diagnostics);
+    }
+  }
+
   const artifact = {
     name: app.name ?? "Lakebed Capsule",
     client: {
@@ -616,14 +665,14 @@ export async function createAnonymousArtifact({ app, clientOut, sourceStore, ver
       compiler: "0.1.0",
       lakebed: version
     },
-    deployTarget: "anonymous-interpreter",
+    deployTarget: server ? "anonymous-source" : "anonymous-interpreter",
     format: ANONYMOUS_ARTIFACT_FORMAT,
     limits: {
       instructionBudget: DEFAULT_ANONYMOUS_LIMITS.instructionBudget,
       maxRowsReturned: DEFAULT_ANONYMOUS_LIMITS.rowsReturned,
       maxValueBytes: DEFAULT_ANONYMOUS_LIMITS.maxValueBytes
     },
-    server: {
+    server: server ?? {
       helpers: {},
       imports: ["lakebed/server"],
       mutations: compiled.mutations,
@@ -801,6 +850,31 @@ function validateQuery(query, path, schema, diagnostics) {
   }
 }
 
+function validateGuards(guards, path, schema, tableName, diagnostics) {
+  if (guards === undefined) {
+    return;
+  }
+
+  if (!Array.isArray(guards)) {
+    diagnostics.push(diagnostic(path, "Mutation guards must be an array."));
+    return;
+  }
+
+  for (const [index, guard] of guards.entries()) {
+    const guardPath = `${path}.guards.${index}`;
+    if (!isPlainObject(guard) || guard.op !== "rowFieldEqualsAuth") {
+      diagnostics.push(diagnostic(guardPath, "Unsupported mutation guard."));
+      continue;
+    }
+    if (typeof guard.field !== "string" || !schema?.[tableName]?.fields?.[guard.field]) {
+      diagnostics.push(diagnostic(guardPath, "Mutation guard field must exist in the table schema."));
+    }
+    if (guard.equalsAuth !== "userId") {
+      diagnostics.push(diagnostic(guardPath, "Mutation guard auth field must be userId."));
+    }
+  }
+}
+
 export function validateAnonymousArtifact(artifact, { allowClaimedSource = false } = {}) {
   const diagnostics = [];
 
@@ -812,8 +886,13 @@ export function validateAnonymousArtifact(artifact, { allowClaimedSource = false
     diagnostics.push(diagnostic("artifact.format", `Expected ${ANONYMOUS_ARTIFACT_FORMAT}.`));
   }
 
-  if (artifact.deployTarget !== "anonymous-interpreter" && !(allowClaimedSource && artifact.deployTarget === "claimed-source")) {
-    diagnostics.push(diagnostic("artifact.deployTarget", "Anonymous deploys require deployTarget anonymous-interpreter."));
+  const sourceDeployTargets = new Set(["anonymous-source", "claimed-source"]);
+  if (
+    artifact.deployTarget !== "anonymous-interpreter" &&
+    artifact.deployTarget !== "anonymous-source" &&
+    !(allowClaimedSource && artifact.deployTarget === "claimed-source")
+  ) {
+    diagnostics.push(diagnostic("artifact.deployTarget", "Anonymous deploys require deployTarget anonymous-interpreter or anonymous-source."));
   }
 
   const schema = artifact.server?.schema;
@@ -837,14 +916,14 @@ export function validateAnonymousArtifact(artifact, { allowClaimedSource = false
     if (query?.op === "source" && artifact.server?.source === undefined) {
       diagnostics.push(diagnostic(`artifact.server.queries.${name}`, "Source query requires artifact.server.source."));
     }
-    if (query?.op === "source" && artifact.deployTarget !== "claimed-source") {
-      diagnostics.push(diagnostic(`artifact.server.queries.${name}`, "Source query requires deployTarget claimed-source."));
+    if (query?.op === "source" && !sourceDeployTargets.has(artifact.deployTarget)) {
+      diagnostics.push(diagnostic(`artifact.server.queries.${name}`, "Source query requires deployTarget anonymous-source or claimed-source."));
     }
   }
 
   if (artifact.server?.source !== undefined) {
-    if (artifact.deployTarget !== "claimed-source") {
-      diagnostics.push(diagnostic("artifact.server.source", "Server source bundles require deployTarget claimed-source."));
+    if (!sourceDeployTargets.has(artifact.deployTarget)) {
+      diagnostics.push(diagnostic("artifact.server.source", "Server source bundles require deployTarget anonymous-source or claimed-source."));
     }
     const source = artifact.server.source;
     if (
@@ -871,8 +950,8 @@ export function validateAnonymousArtifact(artifact, { allowClaimedSource = false
       if (artifact.server?.source === undefined) {
         diagnostics.push(diagnostic(`artifact.server.mutations.${name}`, "Source mutation requires artifact.server.source."));
       }
-      if (artifact.deployTarget !== "claimed-source") {
-        diagnostics.push(diagnostic(`artifact.server.mutations.${name}`, "Source mutation requires deployTarget claimed-source."));
+      if (!sourceDeployTargets.has(artifact.deployTarget)) {
+        diagnostics.push(diagnostic(`artifact.server.mutations.${name}`, "Source mutation requires deployTarget anonymous-source or claimed-source."));
       }
       continue;
     }
@@ -894,8 +973,10 @@ export function validateAnonymousArtifact(artifact, { allowClaimedSource = false
       } else if (operation.op === "update") {
         validateValue(operation.id, path, diagnostics);
         validateValue(operation.patch, path, diagnostics);
+        validateGuards(operation.guards, path, schema, operation.table, diagnostics);
       } else if (operation.op === "delete") {
         validateValue(operation.id, path, diagnostics);
+        validateGuards(operation.guards, path, schema, operation.table, diagnostics);
       } else if (operation.op === "deleteWhere") {
         validateQuery(operation.query, path, schema, diagnostics);
       }
@@ -1290,7 +1371,7 @@ export async function executeAnonymousQuery({ args = [], artifact, auth, deployI
   return executeQuerySpec({ args, artifact, auth, deployId, query, state });
 }
 
-async function checkUpdateGuards({ auth, guards = [], row }) {
+async function checkRowGuards({ auth, guards = [], row }) {
   for (const guard of guards) {
     if (guard.op === "rowFieldEqualsAuth" && row?.[guard.field] !== auth[guard.equalsAuth]) {
       return false;
@@ -1335,7 +1416,7 @@ export async function executeAnonymousMutation({ args = [], artifact, auth, depl
       if (operation.op === "update") {
         const id = evaluateValue(operation.id, { args, auth });
         const row = await tx.getRow(deployId, operation.table, id);
-        if (!row || !(await checkUpdateGuards({ auth, guards: operation.guards, row }))) {
+        if (!row || !(await checkRowGuards({ auth, guards: operation.guards, row }))) {
           continue;
         }
         const patch = preparePatch(artifact.server.schema, operation.table, evaluateValue(operation.patch, { args, auth, row }));
@@ -1345,6 +1426,10 @@ export async function executeAnonymousMutation({ args = [], artifact, auth, depl
 
       if (operation.op === "delete") {
         const id = evaluateValue(operation.id, { args, auth });
+        const row = await tx.getRow(deployId, operation.table, id);
+        if (!row || !(await checkRowGuards({ auth, guards: operation.guards, row }))) {
+          continue;
+        }
         await tx.deleteRow(deployId, operation.table, id);
         continue;
       }

package/src/cli.js

@@ -40,17 +40,17 @@ Usage:
   lakebed create [name] [--template todo] [--no-git]
   lakebed dev [capsule-dir] [--port 3000]
   lakebed build [capsule-dir] --target anonymous [--out .lakebed/artifacts/app.json] [--json]
-  lakebed deploy [capsule-dir] [--api <url>] [--json]
+  lakebed deploy [capsule-dir] [--api <url>] [--public-inspect] [--json]
   lakebed claim [capsule-dir] [--api <url>] [--json]
   lakebed domains add <subdomain.lakebed.app> [--api <url>] [--json]
   lakebed anonymous-server [--port 8787] [--public-root-url <url>] [--app-base-domain <domain>]
-  lakebed inspect <deploy-id-or-url> [--api <url>] [--json]
+  lakebed inspect <deploy-id-or-url> [--api <url>] [--inspect-token <token>] [--json]
   lakebed run-many [capsule-dir] [--count 20] [--base-port 4000]
   lakebed auth as <name>
   lakebed auth reset
-  lakebed db list [deploy-id-or-url] [--port 3000]
-  lakebed db dump [deploy-id-or-url] [--port 3000]
-  lakebed logs [deploy-id-or-url] [--port 3000]
+  lakebed db list [deploy-id-or-url] [--port 3000] [--inspect-token <token>]
+  lakebed db dump [deploy-id-or-url] [--port 3000] [--inspect-token <token>]
+  lakebed logs [deploy-id-or-url] [--port 3000] [--inspect-token <token>]
 `);
 }
 
@@ -68,6 +68,7 @@ const optionsWithValues = new Set([
   "--app-base-domain",
   "--base-port",
   "--count",
+  "--inspect-token",
   "--out",
   "--port",
   "--public-root-url",
@@ -794,6 +795,7 @@ async function buildAnonymousEnvelope(capsuleArg, sourceStore) {
   const artifact = await createAnonymousArtifact({
     app: built.app,
     clientOut: built.clientOut,
+    serverOut: built.serverOut,
     sourceStore
   });
 
@@ -1003,12 +1005,15 @@ async function openUrlInBrowser(url) {
   await execFileAsync(invocation.command, invocation.args, { windowsHide: true });
 }
 
-function deployRequestBody(envelope, { serverEnv } = {}) {
+function deployRequestBody(envelope, { inspectPolicy, serverEnv } = {}) {
   const body = {
     artifact: envelope.artifact,
     clientBundle: envelope.clientBundle,
     clientVersion: LAKEBED_VERSION
   };
+  if (inspectPolicy !== undefined) {
+    body.inspectPolicy = inspectPolicy;
+  }
   if (serverEnv !== undefined) {
     body.serverEnv = {
       mode: "replace",
@@ -1057,6 +1062,22 @@ function deployApiUrl(args) {
   return String(readArg(args, "--api", process.env.LAKEBED_DEPLOY_API ?? process.env.SPAN_DEPLOY_API ?? defaultDeployApiUrl)).replace(/\/+$/g, "");
 }
 
+function hasExplicitOption(args, name) {
+  return args.some((arg) => arg === name || arg.startsWith(`${name}=`));
+}
+
+function normalizeHostedUrl(value) {
+  if (!value) {
+    return "";
+  }
+
+  try {
+    return new URL(value).href.replace(/\/+$/g, "");
+  } catch {
+    return String(value).replace(/\/+$/g, "");
+  }
+}
+
 async function readResponseJson(response) {
   const body = await response.text();
   if (!response.ok) {
@@ -1078,6 +1099,7 @@ async function deployCommand(args) {
   const serverEnvKeys = Object.keys(serverEnv).sort();
   const hasServerEnvValues = serverEnvKeys.length > 0;
   const api = deployApiUrl(args);
+  const inspectPolicy = hasFlag(args, "--public-inspect") ? "public" : undefined;
   const metadata = await readDeployMetadata(capsuleDir);
   const canUpdate =
     metadata?.api === api && typeof metadata?.deployId === "string" && typeof metadata?.claimToken === "string";
@@ -1128,7 +1150,7 @@ async function deployCommand(args) {
 
   if (canUpdate) {
     response = await fetch(`${api}/v1/deploys/${encodeURIComponent(metadata.deployId)}`, {
-      body: deployRequestBody(envelope, { serverEnv: serverEnvForUpdate }),
+      body: deployRequestBody(envelope, { inspectPolicy, serverEnv: serverEnvForUpdate }),
       headers: {
         "Authorization": `Bearer ${metadata.claimToken}`,
         "Content-Type": "application/json"
@@ -1149,7 +1171,7 @@ async function deployCommand(args) {
   }
 
   response ??= await fetch(`${api}/v1/anonymous-deploys`, {
-    body: deployRequestBody(envelope),
+    body: deployRequestBody(envelope, { inspectPolicy }),
     headers: {
       "Content-Type": "application/json"
     },
@@ -1193,6 +1215,9 @@ async function deployCommand(args) {
     console.log(`Claim:      ${claimCommandText({ api, capsuleArg })}`);
   }
   console.log(`Inspect:    lakebed inspect ${deployed.deployId}`);
+  if (deployed.inspectPolicy === "public") {
+    console.log("Inspect policy: public - data and logs are readable by anyone with the app URL.");
+  }
   console.log("\nLimits:");
   console.log(`  source/artifact: ${deployed.limits.artifactBytes} bytes`);
   console.log(`  state:           ${deployed.limits.stateBytes} bytes`);
@@ -1322,7 +1347,15 @@ async function anonymousServerCommand(args) {
   await new Promise(() => {});
 }
 
-async function resolveDeployUrl(target, args) {
+function deployLookupApiUrl(target, args, metadata) {
+  if (!hasExplicitOption(args, "--api") && metadata?.api && metadata.deployId === target) {
+    return String(metadata.api).replace(/\/+$/g, "");
+  }
+
+  return deployApiUrl(args);
+}
+
+async function resolveDeployUrl(target, args, metadata) {
   if (!target) {
     throw new Error("Expected a deploy ID or URL.");
   }
@@ -1331,16 +1364,40 @@ async function resolveDeployUrl(target, args) {
     const url = new URL(target);
     return url.href.replace(/\/+$/g, "");
   } catch {
-    const api = deployApiUrl(args);
+    const api = deployLookupApiUrl(target, args, metadata);
     const response = await fetch(`${api}/v1/deploys/${encodeURIComponent(target)}`);
     const deploy = await readResponseJson(response);
     return deploy.url.replace(/\/+$/g, "");
   }
 }
 
+function inspectTokenForHostedTarget({ args, metadata, target, url }) {
+  const explicitToken = readArg(args, "--inspect-token", process.env.LAKEBED_INSPECT_TOKEN ?? "");
+  if (explicitToken) {
+    return explicitToken;
+  }
+
+  if (!metadata?.claimToken) {
+    return "";
+  }
+
+  const normalizedTarget = normalizeHostedUrl(target);
+  const normalizedUrl = normalizeHostedUrl(url);
+  const metadataUrl = normalizeHostedUrl(metadata.url);
+  if (metadata.deployId === target || (metadataUrl && (metadataUrl === normalizedTarget || metadataUrl === normalizedUrl))) {
+    return metadata.claimToken;
+  }
+
+  return "";
+}
+
 async function hostedJson(target, path, args) {
-  const url = await resolveDeployUrl(target, args);
-  const response = await fetch(`${url}${path}`);
+  const metadata = await readDeployMetadata(root);
+  const url = await resolveDeployUrl(target, args, metadata);
+  const inspectToken = inspectTokenForHostedTarget({ args, metadata, target, url });
+  const response = await fetch(`${url}${path}`, {
+    headers: inspectToken ? { Authorization: `Bearer ${inspectToken}` } : {}
+  });
   return readResponseJson(response);
 }
 
@@ -1354,15 +1411,36 @@ async function inspectCommand(args) {
   }
 
   console.log(`Deploy:   ${manifest.deployId}`);
-  console.log(`URL:      ${manifest.url}`);
+  if (manifest.url) {
+    console.log(`URL:      ${manifest.url}`);
+  }
   console.log(`Updated:  ${formatOptionalTimestamp(manifest.updatedAt, "unknown")}`);
   console.log(`Expires:  ${formatOptionalTimestamp(manifest.expiresAt)}`);
+  console.log(`Runtime:  ${manifest.runtimeVersion ?? "unknown"}`);
+  if (manifest.inspectPolicy) {
+    console.log(`Policy:   ${manifest.inspectPolicy}`);
+  }
   if (Array.isArray(manifest.domains) && manifest.domains.length > 0) {
     console.log(`Domains:  ${manifest.domains.map((domain) => domain.hostname).join(", ")}`);
   }
-  console.log(`Artifact: ${manifest.artifactHash}`);
-  console.log(`Queries:  ${manifest.queries.join(", ") || "(none)"}`);
-  console.log(`Mutations: ${manifest.mutations.join(", ") || "(none)"}`);
+  if (manifest.artifactHash) {
+    console.log(`Artifact: ${manifest.artifactHash}`);
+  }
+  if (Array.isArray(manifest.queries)) {
+    console.log(`Queries:  ${manifest.queries.join(", ") || "(none)"}`);
+  }
+  if (Array.isArray(manifest.mutations)) {
+    console.log(`Mutations: ${manifest.mutations.join(", ") || "(none)"}`);
+  }
+  if (Array.isArray(manifest.mutationDetails) && manifest.mutationDetails.length > 0) {
+    console.log("Mutation runtime:");
+    for (const detail of manifest.mutationDetails) {
+      const guardSummary = (detail.guards ?? [])
+        .map((guard) => `${guard.table}.${guard.operation}:${guard.field}=auth.${guard.equalsAuth}`)
+        .join(", ");
+      console.log(`  ${detail.name}: ${detail.mode}${guardSummary ? ` (${guardSummary})` : ""}`);
+    }
+  }
 }
 
 async function authCommand(args) {

package/src/source-runtime-worker.js

@@ -13,6 +13,7 @@ const DEFAULT_LIMITS = {
 
 let nextFetchId = 1;
 const pendingFetches = new Map();
+let allowBrokeredFetch = true;
 
 function stableStringify(value) {
   if (value === undefined) {
@@ -312,6 +313,9 @@ function createBrokeredResponse(response) {
 }
 
 function brokeredFetch(input, init = {}) {
+  if (!allowBrokeredFetch) {
+    return Promise.reject(new Error("Outbound fetch is disabled for anonymous deploys."));
+  }
   if (!sendToParent) {
     return Promise.reject(new Error("Source fetch broker is not available."));
   }
@@ -393,6 +397,7 @@ function sendError(error) {
 }
 
 async function runSource(request) {
+  allowBrokeredFetch = request.allowFetch !== false;
   const app = await loadSourceApp(request.artifact);
   const source = createSourceContext({
     artifact: request.artifact,

package/src/source-runtime.js

@@ -522,6 +522,7 @@ export class ChildProcessSourceRuntime {
   async executeQuery({ args = [], artifact, auth, deployId, name, state }) {
     const snapshot = await snapshotSourceState({ artifact, deployId, state });
     const response = await this.runWorker({
+      allowFetch: artifact.deployTarget === "claimed-source",
       args,
       artifact,
       auth,
@@ -537,6 +538,7 @@ export class ChildProcessSourceRuntime {
     return state.transaction(deployId, async (tx) => {
       const snapshot = await snapshotSourceState({ artifact, deployId, state: tx });
       const response = await this.runWorker({
+        allowFetch: artifact.deployTarget === "claimed-source",
         args,
         artifact,
         auth,

package/src/version.js

@@ -1 +1 @@
-export const LAKEBED_VERSION = "0.0.16";
+export const LAKEBED_VERSION = "0.0.17";