lakebed 0.0.19 → 0.0.21

package/README.md

@@ -142,7 +142,7 @@ npx lakebed build [capsule-dir] --target anonymous [--out .lakebed/artifacts/app
 npx lakebed deploy [capsule-dir] [--api <url>] [--public-inspect] [--json]
 npx lakebed claim [capsule-dir] [--api <url>] [--json]
 npx lakebed domains add <subdomain.lakebed.app> [--api <url>] [--json]
-npx lakebed anonymous-server [--port 8787] [--public-root-url <url>] [--app-base-domain <domain>]
+npx lakebed anonymous-server [--port 8787] [--public-root-url <url>] [--dashboard-root-url <url>] [--app-base-domain <domain>] [--role all|api-dashboard|runner]
 npx lakebed inspect <deploy-id-or-url> [--api <url>] [--inspect-token <token>] [--json]
 npx lakebed db list [deploy-id-or-url] [--port 3000] [--inspect-token <token>]
 npx lakebed db dump [deploy-id-or-url] [--port 3000] [--inspect-token <token>]
@@ -179,10 +179,19 @@ npx lakebed deploy --api http://localhost:8787
 In production, set `PUBLIC_ROOT_URL` to the deploy API origin and `LAKEBED_APP_BASE_DOMAIN` to the app domain without the wildcard prefix:
 
 ```sh
-PUBLIC_ROOT_URL=https://api.lakebed.app
+PUBLIC_ROOT_URL=https://api.lakebed.dev
+LAKEBED_DASHBOARD_ROOT_URL=https://dashboard.lakebed.dev
 LAKEBED_APP_BASE_DOMAIN=lakebed.app
 ```
 
+The staged Railway split uses dedicated service entrypoints:
+
+```sh
+node packages/lakebed/src/services/all-in-one.js
+node packages/lakebed/src/services/api-dashboard.js
+node packages/lakebed/src/services/capsule-runner.js
+```
+
 With a verified `*.lakebed.app` custom domain on the runner, deploy responses use `https://<slug>.lakebed.app`.
 
 Anonymous deploy creation is relaxed for local `localhost` runners. When `PUBLIC_ROOT_URL` points at a non-local origin, the runner defaults to 50 anonymous deploy creates per forwarded client per UTC day and 5,000 globally. Override those with:
@@ -205,7 +214,7 @@ LAKEBED_ANONYMOUS_CLEANUP_RETENTION=7d
 LAKEBED_ANONYMOUS_CLEANUP_INTERVAL=1h
 ```
 
-Deploy responses include claim metadata. Configure GitHub OAuth on the runner, then run `npx lakebed claim` to open the claim page and attach the anonymous deploy to a developer account:
+Deploy responses include claim metadata. Configure GitHub OAuth on the API and dashboard service, then run `npx lakebed claim` to open the claim page and attach the anonymous deploy to a developer account:
 
 ```sh
 LAKEBED_GITHUB_CLIENT_ID=...
@@ -214,7 +223,7 @@ LAKEBED_SESSION_SECRET=...
 LAKEBED_SERVER_ENV_SECRET=...
 ```
 
-Claimed deploys are listed at `/deploys` on the deploy API origin. They keep the same resource limits as anonymous deploys and do not expire. Anonymous deploys cannot use outbound `fetch` or hosted server env; after a deploy is claimed, `npx lakebed deploy` can update it with a source-backed server artifact that supports async handlers, server-side fetch, and `.env.lakebed.server` sync. If the first deploy already needs server-side `fetch` or server env, `npx lakebed deploy` creates a claim-required preview, saves its claim metadata, and prints the `npx lakebed claim` command. Run that command, then run `npx lakebed deploy` again to publish the real source-backed app. Set `LAKEBED_SERVER_ENV_SECRET` on Postgres-backed runners to encrypt stored server env values.
+Claimed deploys are listed at `/deploys` on the dashboard origin. They keep the same resource limits as anonymous deploys and do not expire. Anonymous deploys cannot use outbound `fetch` or hosted server env; after a deploy is claimed, `npx lakebed deploy` can update it with a source-backed server artifact that supports async handlers, server-side fetch, and `.env.lakebed.server` sync. If the first deploy already needs server-side `fetch` or server env, `npx lakebed deploy` creates a claim-required preview, saves its claim metadata, and prints the `npx lakebed claim` command. Run that command, then run `npx lakebed deploy` again to publish the real source-backed app. Set `LAKEBED_SERVER_ENV_SECRET` on Postgres-backed runners to encrypt stored server env values.
 
 Hosted inspection is private by default. `npx lakebed inspect`, `npx lakebed db list`, `npx lakebed db dump`, and `npx lakebed logs` send the saved claim token automatically when run from the capsule directory.
 
@@ -228,4 +237,4 @@ Reserved product names such as `api`, `admin`, `docs`, and `www` are rejected.
 
 ## Admin Dashboard
 
-Set `LAKEBED_ADMIN_PASSWORD` on the anonymous deploy runner, then open `/admin` on the runner origin. The password is exchanged for an HttpOnly cookie so the dashboard stays unlocked until the cookie expires or the password changes. The resource table can terminate active deploys while preserving their resource history, and the users table can set per-user request and mutation limit overrides for claimed deploys.
+Set `LAKEBED_ADMIN_PASSWORD` on the API and dashboard service, then open `/admin` on the dashboard origin. The password is exchanged for an HttpOnly cookie so the dashboard stays unlocked until the cookie expires or the password changes. The resource table can terminate active deploys while preserving their resource history, and the users table can set per-user request and mutation limit overrides for claimed deploys.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lakebed",
-  "version": "0.0.19",
+  "version": "0.0.21",
   "description": "Agent-native CLI and runtime for building and deploying Lakebed capsules.",
   "license": "UNLICENSED",
   "type": "module",
@@ -29,6 +29,9 @@
     "src/runtime.js",
     "src/server.d.ts",
     "src/server.js",
+    "src/services/all-in-one.js",
+    "src/services/api-dashboard.js",
+    "src/services/capsule-runner.js",
     "src/source-runtime-loader.mjs",
     "src/source-runtime-worker.js",
     "src/source-runtime.js",
@@ -52,9 +55,6 @@
   "publishConfig": {
     "access": "public"
   },
-  "scripts": {
-    "check": "node --check src/cli.js && node --check src/runtime.js && node --check src/server.js && node --check src/client.js && node --check src/source-store.js && node --check src/source-runtime.js && node --check src/source-runtime-worker.js && node --check src/source-runtime-loader.mjs && node --check src/anonymous.js && node --check src/anonymous-server.js && node --check src/auth.js && node --check src/version.js"
-  },
   "dependencies": {
     "esbuild": "^0.27.1",
     "pg": "^8.16.3",
@@ -63,5 +63,8 @@
   },
   "devDependencies": {
     "@types/ws": "^8.18.1"
+  },
+  "scripts": {
+    "check": "node --check src/cli.js && node --check src/runtime.js && node --check src/server.js && node --check src/client.js && node --check src/source-store.js && node --check src/source-runtime.js && node --check src/source-runtime-worker.js && node --check src/source-runtime-loader.mjs && node --check src/anonymous.js && node --check src/anonymous-server.js && node --check src/auth.js && node --check src/version.js && node --check src/services/all-in-one.js && node --check src/services/api-dashboard.js && node --check src/services/capsule-runner.js"
   }
-}
+}

package/src/anonymous-server.js

@@ -405,16 +405,47 @@ function normalizeLakebedSubdomainInput(value, appBaseDomain) {
   };
 }
 
-function appUrlForSlug({ appBaseDomain, publicRootUrl, slug }) {
-  if (appBaseDomain) {
-    return `https://${slug}.${appBaseDomain}`;
+function normalizeServerRole(value) {
+  const role = String(value ?? "all").trim().toLowerCase();
+  if (role === "all" || role === "api-dashboard" || role === "runner") {
+    return role;
   }
 
-  return `${publicRootUrl}/d/${slug}`;
+  throw new Error(`Unsupported LAKEBED_SERVER_ROLE: ${role}. Expected all, api-dashboard, or runner.`);
 }
 
-function claimUrlForDeploy({ deployId, publicRootUrl, token }) {
-  return `${publicRootUrl}/claim/${deployId}/${token}`;
+function roleServesApiDashboard(role) {
+  return role === "all" || role === "api-dashboard";
+}
+
+function roleServesRunner(role) {
+  return role === "all" || role === "runner";
+}
+
+function isApiDashboardRoute(pathname) {
+  return (
+    pathname === "/deploys" ||
+    pathname === "/dashboard" ||
+    pathname === "/auth" ||
+    (pathname.startsWith("/auth/") && pathname !== "/auth/callback") ||
+    pathname === "/admin" ||
+    pathname.startsWith("/admin/") ||
+    pathname === "/v1" ||
+    pathname.startsWith("/v1/") ||
+    pathname.startsWith("/claim/")
+  );
+}
+
+function appUrlForSlug({ appBaseDomain, slug }) {
+  if (!appBaseDomain) {
+    throw new Error("LAKEBED_APP_BASE_DOMAIN is required to create hosted deploy URLs.");
+  }
+
+  return `https://${slug}.${appBaseDomain}`;
+}
+
+function claimUrlForDeploy({ dashboardRootUrl, deployId, token }) {
+  return `${dashboardRootUrl}/claim/${deployId}/${token}`;
 }
 
 function inspectUrls(url) {
@@ -426,11 +457,11 @@ function inspectUrls(url) {
   };
 }
 
-function responseForDeploy({ deploy, token }) {
+function responseForDeploy({ dashboardRootUrl, deploy, token }) {
   return {
     claimed: Boolean(deploy.ownerId),
     claimedAt: deploy.claimedAt ?? undefined,
-    claimUrl: token ? claimUrlForDeploy({ deployId: deploy.id, publicRootUrl: deploy.publicRootUrl, token }) : undefined,
+    claimUrl: token ? claimUrlForDeploy({ dashboardRootUrl: dashboardRootUrl ?? deploy.publicRootUrl, deployId: deploy.id, token }) : undefined,
     deployId: deploy.id,
     expiresAt: deploy.expiresAt,
     inspect: inspectUrls(deploy.url),
@@ -474,19 +505,24 @@ function routeSystemPath(pathname) {
   return pathname;
 }
 
-function parsePathDeploy(url) {
-  const parts = url.pathname.split("/").filter(Boolean);
-  if (parts[0] !== "d" || !parts[1]) {
-    return null;
-  }
+function wantsHtml(req) {
+  const accept = String(req.headers.accept ?? "");
+  return !accept || accept.includes("text/html");
+}
 
-  const prefix = `/d/${parts[1]}`;
-  const appPath = url.pathname === prefix ? "/" : url.pathname.slice(prefix.length) || "/";
-  return {
-    appPath,
-    basePath: prefix,
-    slug: parts[1]
-  };
+function isReservedClientShellPath(pathname) {
+  return (
+    pathname === "/client.js" ||
+    pathname === "/__lakebed" ||
+    pathname.startsWith("/__lakebed/") ||
+    pathname === "/__span" ||
+    pathname.startsWith("/__span/") ||
+    (pathname.startsWith("/auth/") && pathname !== "/auth/callback")
+  );
+}
+
+function isClientShellRequest(req, pathname) {
+  return req.method === "GET" && wantsHtml(req) && !isReservedClientShellPath(pathname);
 }
 
 function parseHostDeploy({ appBaseDomain, host, url }) {
@@ -512,6 +548,10 @@ function parseHostDeploy({ appBaseDomain, host, url }) {
   };
 }
 
+function isDisabledPathDeployRoute(pathname) {
+  return pathname === "/d" || pathname.startsWith("/d/");
+}
+
 function quotaLimitForBucket(bucket, deploy) {
   if (bucket === "mutations") {
     return deploy.limits.mutationsPerDay;
@@ -5696,7 +5736,7 @@ async function loadDeployByRoute({ appBaseDomain, host, store, url }) {
         hostname: domain.hostname,
         deployId: domain.deployId
       }
-    : parseHostDeploy({ appBaseDomain, host, url }) ?? parsePathDeploy(url);
+    : parseHostDeploy({ appBaseDomain, host, url });
   if (!route) {
     return null;
   }
@@ -5914,17 +5954,23 @@ async function serveInspect({ adminPassword, artifact, currentDeveloper, deploy,
 export async function startAnonymousServer({
   adminPassword = adminPasswordFromEnv(),
   appBaseDomain = process.env.LAKEBED_APP_BASE_DOMAIN ?? "",
+  dashboardRootUrl = process.env.LAKEBED_DASHBOARD_ROOT_URL,
   developerSessionSecret = process.env.LAKEBED_SESSION_SECRET ?? "",
   githubOAuth = githubOAuthFromEnv(),
   port = Number(process.env.PORT ?? 8787),
   publicRootUrl,
   quiet = false,
+  role = process.env.LAKEBED_SERVER_ROLE ?? "all",
   shooBaseUrl = shooBaseUrlFromEnv(),
   sourceRuntime,
   store
 } = {}) {
+  const resolvedRole = normalizeServerRole(role);
+  const servesApiDashboard = roleServesApiDashboard(resolvedRole);
+  const servesRunner = roleServesRunner(resolvedRole);
   const resolvedAppBaseDomain = normalizeAppBaseDomain(appBaseDomain);
   const resolvedPublicRootUrl = normalizePublicRootUrl(publicRootUrl ?? process.env.PUBLIC_ROOT_URL, port);
+  const resolvedDashboardRootUrl = normalizePublicRootUrl(dashboardRootUrl ?? resolvedPublicRootUrl, port);
   const deployCreationPolicy = anonymousDeployCreationPolicy({ publicRootUrl: resolvedPublicRootUrl });
   const clientTrafficPolicy = anonymousClientTrafficPolicy({ publicRootUrl: resolvedPublicRootUrl });
   const cleanupPolicy = cleanupPolicyFromEnv();
@@ -5932,7 +5978,7 @@ export async function startAnonymousServer({
   const resolvedDeveloperSessionSecret =
     developerSessionSecret || resolvedGithubOAuth?.sessionSecret || resolvedGithubOAuth?.clientSecret || adminPassword || "";
   const resolvedStore = store ?? (await createAnonymousStoreFromEnv());
-  const resolvedSourceRuntime = sourceRuntime === undefined ? createSourceRuntimeFromEnv() : sourceRuntime;
+  const resolvedSourceRuntime = sourceRuntime === undefined && servesRunner ? createSourceRuntimeFromEnv() : sourceRuntime;
   await resolvedStore.initialize();
   const subscriptions = new Map();
   let cleanupInterval = null;
@@ -6171,7 +6217,7 @@ export async function startAnonymousServer({
         return;
       }
 
-      if (req.method === "GET" && (requestUrl.pathname === "/deploys" || requestUrl.pathname === "/dashboard")) {
+      if (servesApiDashboard && req.method === "GET" && (requestUrl.pathname === "/deploys" || requestUrl.pathname === "/dashboard")) {
         const authConfigured = developerAuthConfigured(resolvedGithubOAuth, resolvedDeveloperSessionSecret);
         const user = authConfigured ? currentDeveloper(req) : null;
         sendText(
@@ -6187,7 +6233,7 @@ export async function startAnonymousServer({
         return;
       }
 
-      if (req.method === "GET" && requestUrl.pathname === "/v1/me") {
+      if (servesApiDashboard && req.method === "GET" && requestUrl.pathname === "/v1/me") {
         const user = currentDeveloper(req);
         if (!developerAuthConfigured(resolvedGithubOAuth, resolvedDeveloperSessionSecret) || !user) {
           sendJson(res, 401, { error: "Developer authentication required." });
@@ -6198,7 +6244,7 @@ export async function startAnonymousServer({
         return;
       }
 
-      if (req.method === "GET" && requestUrl.pathname === "/v1/me/deploys") {
+      if (servesApiDashboard && req.method === "GET" && requestUrl.pathname === "/v1/me/deploys") {
         const user = currentDeveloper(req);
         if (!developerAuthConfigured(resolvedGithubOAuth, resolvedDeveloperSessionSecret) || !user) {
           sendJson(res, 401, { error: "Developer authentication required." });
@@ -6210,7 +6256,7 @@ export async function startAnonymousServer({
       }
 
       const developerTerminateMatch =
-        req.method === "POST" ? requestUrl.pathname.match(/^\/v1\/me\/deploys\/([^/]+)\/terminate$/) : null;
+        servesApiDashboard && req.method === "POST" ? requestUrl.pathname.match(/^\/v1\/me\/deploys\/([^/]+)\/terminate$/) : null;
       if (developerTerminateMatch) {
         const user = currentDeveloper(req);
         if (!developerAuthConfigured(resolvedGithubOAuth, resolvedDeveloperSessionSecret) || !user) {
@@ -6246,7 +6292,7 @@ export async function startAnonymousServer({
         return;
       }
 
-      if (req.method === "GET" && requestUrl.pathname === "/auth/github") {
+      if (servesApiDashboard && req.method === "GET" && requestUrl.pathname === "/auth/github") {
         if (!developerAuthConfigured(resolvedGithubOAuth, resolvedDeveloperSessionSecret)) {
           sendText(res, 503, "GitHub sign-in is not configured.\n", { "Content-Type": "text/plain; charset=utf-8" });
           return;
@@ -6264,7 +6310,7 @@ export async function startAnonymousServer({
         );
         const authorizeUrl = new URL(resolvedGithubOAuth.authorizeUrl);
         authorizeUrl.searchParams.set("client_id", resolvedGithubOAuth.clientId);
-        authorizeUrl.searchParams.set("redirect_uri", githubRedirectUri(resolvedGithubOAuth, resolvedPublicRootUrl));
+        authorizeUrl.searchParams.set("redirect_uri", githubRedirectUri(resolvedGithubOAuth, resolvedDashboardRootUrl));
         authorizeUrl.searchParams.set("scope", "read:user");
         authorizeUrl.searchParams.set("state", state);
         redirect(res, authorizeUrl.href, {
@@ -6273,7 +6319,7 @@ export async function startAnonymousServer({
         return;
       }
 
-      if (req.method === "GET" && requestUrl.pathname === "/auth/github/callback") {
+      if (servesApiDashboard && req.method === "GET" && requestUrl.pathname === "/auth/github/callback") {
         if (!developerAuthConfigured(resolvedGithubOAuth, resolvedDeveloperSessionSecret)) {
           sendText(res, 503, "GitHub sign-in is not configured.\n", { "Content-Type": "text/plain; charset=utf-8" });
           return;
@@ -6319,7 +6365,7 @@ export async function startAnonymousServer({
         const user = await githubUserFromCode({
           code,
           githubOAuth: resolvedGithubOAuth,
-          redirectUri: githubRedirectUri(resolvedGithubOAuth, resolvedPublicRootUrl)
+          redirectUri: githubRedirectUri(resolvedGithubOAuth, resolvedDashboardRootUrl)
         });
         redirect(res, normalizeReturnTo(statePayload.returnTo), {
           "Set-Cookie": [developerCookie(user, resolvedDeveloperSessionSecret, secure), clearOauthStateCookie(secure)]
@@ -6327,14 +6373,14 @@ export async function startAnonymousServer({
         return;
       }
 
-      if (req.method === "GET" && requestUrl.pathname === "/auth/logout") {
+      if (servesApiDashboard && req.method === "GET" && requestUrl.pathname === "/auth/logout") {
         redirect(res, "/deploys", {
           "Set-Cookie": clearDeveloperCookie(isSecureRequest(req))
         });
         return;
       }
 
-      const claimMatch = req.method === "GET" ? requestUrl.pathname.match(/^\/claim\/([^/]+)\/([^/]+)$/) : null;
+      const claimMatch = servesApiDashboard && req.method === "GET" ? requestUrl.pathname.match(/^\/claim\/([^/]+)\/([^/]+)$/) : null;
       if (claimMatch) {
         if (!developerAuthConfigured(resolvedGithubOAuth, resolvedDeveloperSessionSecret)) {
           sendText(res, 503, "GitHub sign-in is not configured.\n", { "Content-Type": "text/plain; charset=utf-8" });
@@ -6372,6 +6418,7 @@ export async function startAnonymousServer({
       }
 
       if (
+        servesApiDashboard &&
         req.method === "GET" &&
         (requestUrl.pathname === "/admin" ||
           requestUrl.pathname === "/admin/" ||
@@ -6383,7 +6430,7 @@ export async function startAnonymousServer({
         return;
       }
 
-      if (requestUrl.pathname === "/admin/api/login" && req.method === "POST") {
+      if (servesApiDashboard && requestUrl.pathname === "/admin/api/login" && req.method === "POST") {
         if (!isAdminConfigured(adminPassword)) {
           sendJson(res, 503, { error: "Lakebed admin is not configured. Set LAKEBED_ADMIN_PASSWORD." });
           return;
@@ -6399,12 +6446,12 @@ export async function startAnonymousServer({
         return;
       }
 
-      if (requestUrl.pathname === "/admin/api/logout" && req.method === "POST") {
+      if (servesApiDashboard && requestUrl.pathname === "/admin/api/logout" && req.method === "POST") {
         sendJson(res, 200, { ok: true }, { "Set-Cookie": adminCookie("", 0, isSecureRequest(req)) });
         return;
       }
 
-      if (requestUrl.pathname === "/admin/api/summary" && req.method === "GET") {
+      if (servesApiDashboard && requestUrl.pathname === "/admin/api/summary" && req.method === "GET") {
         if (!isAdminConfigured(adminPassword)) {
           sendJson(res, 503, { error: "Lakebed admin is not configured. Set LAKEBED_ADMIN_PASSWORD." });
           return;
@@ -6420,7 +6467,7 @@ export async function startAnonymousServer({
       }
 
       const adminUserDetailMatch =
-        req.method === "GET" ? requestUrl.pathname.match(/^\/admin\/api\/users\/([^/]+)$/) : null;
+        servesApiDashboard && req.method === "GET" ? requestUrl.pathname.match(/^\/admin\/api\/users\/([^/]+)$/) : null;
       if (adminUserDetailMatch) {
         if (!isAdminConfigured(adminPassword)) {
           sendJson(res, 503, { error: "Lakebed admin is not configured. Set LAKEBED_ADMIN_PASSWORD." });
@@ -6443,7 +6490,7 @@ export async function startAnonymousServer({
       }
 
       const userLimitsMatch =
-        req.method === "PUT" ? requestUrl.pathname.match(/^\/admin\/api\/users\/([^/]+)\/limits$/) : null;
+        servesApiDashboard && req.method === "PUT" ? requestUrl.pathname.match(/^\/admin\/api\/users\/([^/]+)\/limits$/) : null;
       if (userLimitsMatch) {
         if (!isAdminConfigured(adminPassword)) {
           sendJson(res, 503, { error: "Lakebed admin is not configured. Set LAKEBED_ADMIN_PASSWORD." });
@@ -6479,7 +6526,7 @@ export async function startAnonymousServer({
       }
 
       const terminateMatch =
-        req.method === "POST"
+        servesApiDashboard && req.method === "POST"
           ? requestUrl.pathname.match(/^\/admin\/api\/deploys\/([^/]+)\/terminate$/)
           : null;
       if (terminateMatch) {
@@ -6513,7 +6560,7 @@ export async function startAnonymousServer({
       }
 
       const deployDomainsMatch = requestUrl.pathname.match(/^\/v1\/deploys\/([^/]+)\/domains$/);
-      if (deployDomainsMatch && (req.method === "GET" || req.method === "POST")) {
+      if (servesApiDashboard && deployDomainsMatch && (req.method === "GET" || req.method === "POST")) {
         const deployId = decodeURIComponent(deployDomainsMatch[1]);
         const currentDeploy = await resolvedStore.getDeployById(deployId);
         if (!currentDeploy) {
@@ -6596,7 +6643,12 @@ export async function startAnonymousServer({
         return;
       }
 
-      if (req.method === "POST" && requestUrl.pathname === "/v1/anonymous-deploys") {
+      if (servesApiDashboard && req.method === "POST" && requestUrl.pathname === "/v1/anonymous-deploys") {
+        if (!resolvedAppBaseDomain) {
+          sendJson(res, 503, { error: "LAKEBED_APP_BASE_DOMAIN is required to create hosted deploys." });
+          return;
+        }
+
         await enforceAnonymousDeployCreation(req);
         const body = await readJsonBody(req);
         const payload = validateAnonymousDeployPayload(body);
@@ -6622,11 +6674,16 @@ export async function startAnonymousServer({
           serverEnv: payload.serverEnv
         });
         await resolvedStore.appendLog(deploy.id, "info", "anonymous deploy created", { artifactHash: deploy.artifactHash });
-        sendJson(res, 201, responseForDeploy({ deploy, token }));
+        sendJson(res, 201, responseForDeploy({ dashboardRootUrl: resolvedDashboardRootUrl, deploy, token }));
         return;
       }
 
-      if ((req.method === "PUT" || req.method === "PATCH") && requestUrl.pathname.startsWith("/v1/deploys/")) {
+      if (servesApiDashboard && (req.method === "PUT" || req.method === "PATCH") && requestUrl.pathname.startsWith("/v1/deploys/")) {
+        if (!resolvedAppBaseDomain) {
+          sendJson(res, 503, { error: "LAKEBED_APP_BASE_DOMAIN is required to update hosted deploys." });
+          return;
+        }
+
         const deployId = requestUrl.pathname.slice("/v1/deploys/".length);
         const currentDeploy = await resolvedStore.getDeployById(deployId);
         if (!currentDeploy) {
@@ -6672,23 +6729,43 @@ export async function startAnonymousServer({
         await refreshDeploySubscriptions(deploy);
         refreshDeployClients(deploy);
         await publishDeploy(deploy.id);
-        sendJson(res, 200, responseForDeploy({ deploy }));
+        sendJson(res, 200, responseForDeploy({ dashboardRootUrl: resolvedDashboardRootUrl, deploy }));
         return;
       }
 
-      if (req.method === "GET" && requestUrl.pathname.startsWith("/v1/deploys/")) {
+      if (servesApiDashboard && req.method === "GET" && requestUrl.pathname.startsWith("/v1/deploys/")) {
         const id = requestUrl.pathname.slice("/v1/deploys/".length);
         const deploy = (await resolvedStore.getDeployById(id)) ?? (await resolvedStore.getDeployBySlug(id));
         if (!deploy) {
           sendJson(res, 404, { error: "Unknown deploy." });
           return;
         }
-        sendJson(res, 200, responseForDeploy({ deploy }));
+        sendJson(res, 200, responseForDeploy({ dashboardRootUrl: resolvedDashboardRootUrl, deploy }));
+        return;
+      }
+
+      if (isDisabledPathDeployRoute(requestUrl.pathname)) {
+        sendText(res, 404, "Path-based deploy URLs are no longer supported.\n", { "Content-Type": "text/plain; charset=utf-8" });
+        return;
+      }
+
+      if (!servesRunner) {
+        if (req.method === "GET" && requestUrl.pathname === "/") {
+          redirect(res, "/deploys");
+          return;
+        }
+
+        sendText(res, 404, "Not found\n", { "Content-Type": "text/plain; charset=utf-8" });
         return;
       }
 
       const loaded = await loadDeployByRoute({ appBaseDomain: resolvedAppBaseDomain, host, store: resolvedStore, url: requestUrl });
       if (!loaded) {
+        if (!servesApiDashboard && isApiDashboardRoute(requestUrl.pathname)) {
+          sendText(res, 404, "Not found\n", { "Content-Type": "text/plain; charset=utf-8" });
+          return;
+        }
+
         sendText(res, 200, "Lakebed anonymous deploy runner\n", { "Content-Type": "text/plain; charset=utf-8" });
         return;
       }
@@ -6771,6 +6848,14 @@ export async function startAnonymousServer({
         return;
       }
 
+      if (isClientShellRequest(req, appPath)) {
+        sendText(res, 200, html(loaded.artifact.name ?? "Lakebed Capsule", loaded.basePath, { clientBundleHash: loaded.deploy.clientBundleHash, shooBaseUrl }), {
+          "Cache-Control": "no-store",
+          "Content-Type": "text/html; charset=utf-8"
+        });
+        return;
+      }
+
       sendText(res, 404, "Not found\n", { "Content-Type": "text/plain; charset=utf-8" });
     } catch (error) {
       if (isQuotaError(error)) {
@@ -6891,6 +6976,11 @@ export async function startAnonymousServer({
   });
 
   server.on("upgrade", async (req, socket, head) => {
+    if (!servesRunner) {
+      socket.destroy();
+      return;
+    }
+
     const host = req.headers.host ?? "localhost";
     const requestUrl = new URL(req.url ?? "/", `http://${host}`);
     const loaded = await loadDeployByRoute({ appBaseDomain: resolvedAppBaseDomain, host, store: resolvedStore, url: requestUrl });
@@ -6943,8 +7033,10 @@ export async function startAnonymousServer({
 
   return {
     appBaseDomain: resolvedAppBaseDomain,
+    dashboardRootUrl: resolvedDashboardRootUrl,
     port,
     publicRootUrl: resolvedPublicRootUrl,
+    role: resolvedRole,
     store: resolvedStore,
     url: resolvedPublicRootUrl,
     async close() {

package/src/cli.js

@@ -1,6 +1,7 @@
 #!/usr/bin/env node
 import { execFile } from "node:child_process";
-import { createServer } from "node:http";
+import { createServer, request as httpRequest } from "node:http";
+import { request as httpsRequest } from "node:https";
 import { existsSync, realpathSync } from "node:fs";
 import { mkdir, readdir, readFile, rm, stat, writeFile } from "node:fs/promises";
 import { basename, dirname, isAbsolute, join, relative, resolve, sep } from "node:path";
@@ -29,7 +30,7 @@ const root = process.cwd();
 const packageDir = resolve(dirname(fileURLToPath(import.meta.url)), "..");
 const packageNodeModules = resolve(packageDir, "node_modules");
 const sourceNamespace = "lakebed-source";
-const defaultDeployApiUrl = "https://api.lakebed.app";
+const defaultDeployApiUrl = "https://api.lakebed.dev";
 const execFileAsync = promisify(execFile);
 const endpointBodyMaxBytes = 2 * 1024 * 1024;
 
@@ -44,7 +45,7 @@ Usage:
   npx lakebed deploy [capsule-dir] [--api <url>] [--public-inspect] [--json]
   npx lakebed claim [capsule-dir] [--api <url>] [--json]
   npx lakebed domains add <subdomain.lakebed.app> [--api <url>] [--json]
-  npx lakebed anonymous-server [--port 8787] [--public-root-url <url>] [--app-base-domain <domain>]
+  npx lakebed anonymous-server [--port 8787] [--public-root-url <url>] [--dashboard-root-url <url>] [--app-base-domain <domain>] [--role all|api-dashboard|runner]
   npx lakebed inspect <deploy-id-or-url> [--api <url>] [--inspect-token <token>] [--json]
   npx lakebed run-many [capsule-dir] [--count 20] [--base-port 4000]
   npx lakebed auth as <name>
@@ -69,10 +70,12 @@ const optionsWithValues = new Set([
   "--app-base-domain",
   "--base-port",
   "--count",
+  "--dashboard-root-url",
   "--inspect-token",
   "--out",
   "--port",
   "--public-root-url",
+  "--role",
   "--target",
   "--template"
 ]);
@@ -452,6 +455,26 @@ function html(title, { shooBaseUrl } = {}) {
 </html>`;
 }
 
+function wantsHtml(req) {
+  const accept = String(req.headers.accept ?? "");
+  return !accept || accept.includes("text/html");
+}
+
+function isReservedClientShellPath(pathname) {
+  return (
+    pathname === "/client.js" ||
+    pathname === "/__lakebed" ||
+    pathname.startsWith("/__lakebed/") ||
+    pathname === "/__span" ||
+    pathname.startsWith("/__span/") ||
+    (pathname.startsWith("/auth/") && pathname !== "/auth/callback")
+  );
+}
+
+function isClientShellRequest(req, pathname) {
+  return req.method === "GET" && wantsHtml(req) && !isReservedClientShellPath(pathname);
+}
+
 function sendJson(ws, message) {
   ws.send(JSON.stringify(message));
 }
@@ -819,6 +842,12 @@ export async function startDevServer({
         return;
       }
 
+      if (isClientShellRequest(req, requestUrl.pathname)) {
+        res.writeHead(200, { "Cache-Control": "no-store", "Content-Type": "text/html; charset=utf-8" });
+        res.end(html(currentBuild.app.name ?? "Lakebed Capsule", { shooBaseUrl }));
+        return;
+      }
+
       res.writeHead(404);
       res.end("Not found");
     } catch (error) {
@@ -1564,8 +1593,10 @@ async function anonymousServerCommand(args) {
   const port = readNumberArg(args, "--port", Number(process.env.PORT ?? 8787));
   await startAnonymousServer({
     appBaseDomain: readArg(args, "--app-base-domain", process.env.LAKEBED_APP_BASE_DOMAIN ?? ""),
+    dashboardRootUrl: readArg(args, "--dashboard-root-url", process.env.LAKEBED_DASHBOARD_ROOT_URL),
     port,
-    publicRootUrl: readArg(args, "--public-root-url", process.env.PUBLIC_ROOT_URL ?? `http://localhost:${port}`)
+    publicRootUrl: readArg(args, "--public-root-url", process.env.PUBLIC_ROOT_URL ?? `http://localhost:${port}`),
+    role: readArg(args, "--role", process.env.LAKEBED_SERVER_ROLE ?? "all")
   });
   await new Promise(() => {});
 }
@@ -1594,6 +1625,61 @@ async function resolveDeployUrl(target, args, metadata) {
   }
 }
 
+async function resolveHostedTarget(target, args, metadata) {
+  if (!target) {
+    throw new Error("Expected a deploy ID or URL.");
+  }
+
+  try {
+    const url = new URL(target);
+    return { api: "", url: url.href.replace(/\/+$/g, "") };
+  } catch {
+    const api = deployLookupApiUrl(target, args, metadata);
+    const response = await fetch(`${api}/v1/deploys/${encodeURIComponent(target)}`);
+    const deploy = await readResponseJson(response);
+    return { api, url: deploy.url.replace(/\/+$/g, "") };
+  }
+}
+
+function isLocalApiUrl(value) {
+  try {
+    const { hostname } = new URL(value);
+    return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1";
+  } catch {
+    return false;
+  }
+}
+
+async function requestWithHostHeader(url, headers) {
+  const requestUrl = new URL(url);
+  const transport = requestUrl.protocol === "https:" ? httpsRequest : httpRequest;
+  return new Promise((resolveRequest, rejectRequest) => {
+    const req = transport(
+      {
+        headers,
+        hostname: requestUrl.hostname,
+        method: "GET",
+        path: `${requestUrl.pathname}${requestUrl.search}`,
+        port: requestUrl.port
+      },
+      (res) => {
+        const chunks = [];
+        res.on("data", (chunk) => chunks.push(chunk));
+        res.on("end", () => {
+          const body = Buffer.concat(chunks).toString("utf8");
+          resolveRequest({
+            ok: (res.statusCode ?? 500) >= 200 && (res.statusCode ?? 500) < 300,
+            status: res.statusCode ?? 500,
+            text: async () => body
+          });
+        });
+      }
+    );
+    req.on("error", rejectRequest);
+    req.end();
+  });
+}
+
 function inspectTokenForHostedTarget({ args, metadata, target, url }) {
   const explicitToken = readArg(args, "--inspect-token", process.env.LAKEBED_INSPECT_TOKEN ?? "");
   if (explicitToken) {
@@ -1616,11 +1702,22 @@ function inspectTokenForHostedTarget({ args, metadata, target, url }) {
 
 async function hostedJson(target, path, args) {
   const metadata = await readDeployMetadata(root);
-  const url = await resolveDeployUrl(target, args, metadata);
+  const { api, url } = await resolveHostedTarget(target, args, metadata);
   const inspectToken = inspectTokenForHostedTarget({ args, metadata, target, url });
-  const response = await fetch(`${url}${path}`, {
-    headers: inspectToken ? { Authorization: `Bearer ${inspectToken}` } : {}
-  });
+  const headers = inspectToken ? { Authorization: `Bearer ${inspectToken}` } : {};
+  let response;
+  try {
+    response = await fetch(`${url}${path}`, { headers });
+  } catch (error) {
+    if (!api || !isLocalApiUrl(api)) {
+      throw error;
+    }
+
+    response = await requestWithHostHeader(`${api}${path}`, {
+      ...headers,
+      Host: new URL(url).host
+    });
+  }
   return readResponseJson(response);
 }
 
@@ -1735,7 +1832,7 @@ async function dbCommand(args) {
 }
 
 function agentInstructionsTemplate() {
-  return `# Building with Lakebed.
+  return `# Lakebed App Instructions
 
 This directory is for a Lakebed "capsule". Lakebed is an all-inclusive suite of tools to build web applications purely from code and a CLI.
 
@@ -1751,7 +1848,7 @@ Your role is to build software within this capsule. Lakebed is the runtime, the
 - Data needed on client should be fetched through queries. User-driven changes should be done via mutations. Endpoints should be treated as an "escape hatch" for exposing functionality over endpoints for HTTP-based flows.
 - Styling must be done via raw CSS or Tailwind classes in the JSX.
 - Do not add a CSS, PostCSS, or Tailwind build pipeline. They are built in.
-- There is no file based routing. You can define routes yourself through typescript.
+- There is no file based routing. Use the built-in client router from \`lakebed/client\` when you need pages.
 - All imports must be from Lakebed or from relative paths.
 - Do not use Node built-ins in app code.
 - Use auth through \`ctx.auth\` on the server and \`useAuth()\` on the client.
@@ -1788,6 +1885,10 @@ npx lakebed db dump --port 3000
 npx lakebed logs --port 3000
 \`\`\`
 
+## External endpoints
+
+Use \`endpoint({ method, path }, handler)\` from \`lakebed/server\` when the app needs to expose an HTTP route for webhooks or other non-Lakebed clients. Endpoint handlers receive request data including \`headers.get(name)\`, URL params, query params, and body helpers.
+
 ## Additional resources
 
 - [Lakebed docs](https://docs.lakebed.dev/)
@@ -1812,7 +1913,7 @@ function todoTemplate(name) {
   return {
     "AGENTS.md": agentInstructions,
     "CLAUDE.md": agentInstructions,
-    "server/index.ts": `import { boolean, capsule, mutation, query, string, table } from "lakebed/server";
+    "server/index.ts": `import { boolean, capsule, endpoint, mutation, query, string, table, text } from "lakebed/server";
 import { cleanTodoText } from "../shared/todo";
 
 export default capsule({
@@ -1844,10 +1945,15 @@ export default capsule({
 
       ctx.db.todos.insert({ text: cleanText, ownerId: ctx.auth.userId });
     })
+  },
+
+  endpoints: {
+    status: endpoint({ method: "GET", path: "/api/status" }, () => text("ok"))
   }
 });
 `,
-    "client/index.tsx": `import { SignInWithGoogle, signOut, useAuth, useMutation, useQuery } from "lakebed/client";
+    "client/index.tsx": `import { Link, Route, Router, Routes, SignInWithGoogle, signOut, useAuth, useMutation, useQuery } from "lakebed/client";
+import { useState } from "preact/hooks";
 import { cleanTodoText, type Todo } from "../shared/todo";
 
 function AuthAvatar({ label, picture }: { label: string; picture?: string }) {
@@ -1874,12 +1980,9 @@ function AuthAvatar({ label, picture }: { label: string; picture?: string }) {
   );
 }
 
-export function App() {
-  const auth = useAuth();
+function TodoPage() {
   const todos = useQuery<Todo[]>("todos");
   const addTodo = useMutation<[text: string], void>("addTodo");
-  const authLabel = auth.displayName;
-  const authStatus = auth.isLoading && auth.isGuest ? "checking session" : "signed in as " + authLabel;
 
   async function onSubmit(event: SubmitEvent) {
     event.preventDefault();
@@ -1895,33 +1998,75 @@ export function App() {
   }
 
   return (
-    <main className="min-h-screen bg-black px-6 py-10 text-white">
-      <section className="mx-auto max-w-2xl">
-        <div className="mb-3 flex items-center justify-between gap-3">
-          <div className="flex min-w-0 items-center gap-2">
-            {!auth.isLoading ? <AuthAvatar label={authLabel} picture={auth.picture} /> : null}
-            <p className="min-w-0 truncate font-mono text-sm text-neutral-500">{authStatus}</p>
+    <section>
+      <h1 className="mb-8 text-5xl font-bold tracking-tight">${title}</h1>
+      <form className="mb-8 flex gap-3" onSubmit={(event) => void onSubmit(event)}>
+        <input className="min-w-0 flex-1 border border-neutral-700 bg-black px-3 py-2 text-white outline-none focus:border-white" name="text" placeholder="Add a todo" />
+        <button className="border border-white px-4 py-2 font-medium" type="submit">Add</button>
+      </form>
+      <ul className="divide-y divide-neutral-800 border-y border-neutral-800">
+        {todos.map((todo) => (
+          <li className="py-3" key={todo.id}>{todo.text}</li>
+        ))}
+      </ul>
+    </section>
+  );
+}
+
+function StatusPage() {
+  const [status, setStatus] = useState("not checked");
+
+  async function checkStatus() {
+    const response = await fetch("api/status");
+    setStatus(response.ok ? await response.text() : "error " + response.status);
+  }
+
+  return (
+    <section>
+      <h1 className="mb-4 text-4xl font-bold tracking-tight">Status</h1>
+      <p className="mb-6 text-neutral-400">This route calls the server endpoint at /api/status.</p>
+      <button className="border border-white px-4 py-2 font-medium" type="button" onClick={() => void checkStatus()}>
+        Check endpoint
+      </button>
+      <p className="mt-4 font-mono text-sm text-neutral-400">endpoint: {status}</p>
+    </section>
+  );
+}
+
+export function App() {
+  const auth = useAuth();
+  const authLabel = auth.displayName;
+  const authStatus = auth.isLoading && auth.isGuest ? "checking session" : "signed in as " + authLabel;
+
+  return (
+    <Router>
+      <main className="min-h-screen bg-black px-6 py-10 text-white">
+        <section className="mx-auto max-w-2xl">
+          <div className="mb-3 flex items-center justify-between gap-3">
+            <div className="flex min-w-0 items-center gap-2">
+              {!auth.isLoading ? <AuthAvatar label={authLabel} picture={auth.picture} /> : null}
+              <p className="min-w-0 truncate font-mono text-sm text-neutral-500">{authStatus}</p>
+            </div>
+            {!auth.isLoading && auth.isGuest ? (
+              <SignInWithGoogle className="shrink-0 border border-neutral-700 px-3 py-1.5 text-sm font-medium text-neutral-200 hover:border-white hover:text-white" />
+            ) : !auth.isLoading ? (
+              <button className="shrink-0 text-sm text-neutral-400 hover:text-white" type="button" onClick={() => signOut()}>
+                Sign out
+              </button>
+            ) : null}
           </div>
-          {!auth.isLoading && auth.isGuest ? (
-            <SignInWithGoogle className="shrink-0 border border-neutral-700 px-3 py-1.5 text-sm font-medium text-neutral-200 hover:border-white hover:text-white" />
-          ) : !auth.isLoading ? (
-            <button className="shrink-0 text-sm text-neutral-400 hover:text-white" type="button" onClick={() => signOut()}>
-              Sign out
-            </button>
-          ) : null}
-        </div>
-        <h1 className="mb-8 text-5xl font-bold tracking-tight">${title}</h1>
-        <form className="mb-8 flex gap-3" onSubmit={(event) => void onSubmit(event)}>
-          <input className="min-w-0 flex-1 border border-neutral-700 bg-black px-3 py-2 text-white outline-none focus:border-white" name="text" placeholder="Add a todo" />
-          <button className="border border-white px-4 py-2 font-medium" type="submit">Add</button>
-        </form>
-        <ul className="divide-y divide-neutral-800 border-y border-neutral-800">
-          {todos.map((todo) => (
-            <li className="py-3" key={todo.id}>{todo.text}</li>
-          ))}
-        </ul>
-      </section>
-    </main>
+          <nav className="mb-8 flex gap-4 text-sm text-neutral-400">
+            <Link className="hover:text-white" to="/">Todos</Link>
+            <Link className="hover:text-white" to="/status">Status</Link>
+          </nav>
+          <Routes>
+            <Route path="/" element={<TodoPage />} />
+            <Route path="/status" element={<StatusPage />} />
+            <Route path="*" element={<section><h1 className="mb-4 text-4xl font-bold">Not found</h1><Link className="text-neutral-300 hover:text-white" to="/">Back to todos</Link></section>} />
+          </Routes>
+        </section>
+      </main>
+    </Router>
   );
 }
 `,
@@ -1948,6 +2093,17 @@ Run this Lakebed capsule:
 \`\`\`sh
 npx lakebed dev
 \`\`\`
+
+The starter app includes two client routes:
+
+- \`/\`: the todo list.
+- \`/status\`: a page that calls the \`GET /api/status\` endpoint.
+
+You can also call the endpoint directly:
+
+\`\`\`sh
+curl http://localhost:3000/api/status
+\`\`\`
 `
   };
 }

package/src/client.d.ts

@@ -53,11 +53,49 @@ export type SignInWithGoogleProps = Omit<JSX.ButtonHTMLAttributes<HTMLButtonElem
     children?: ComponentChildren;
   };
 
+export type LakebedLocation = {
+  pathname: string;
+  search: string;
+  hash: string;
+  href: string;
+};
+
+export type NavigateOptions = {
+  replace?: boolean;
+};
+
+export type RouterProps = {
+  children?: ComponentChildren;
+};
+
+export type RoutesProps = {
+  children?: ComponentChildren;
+};
+
+export type RouteProps = {
+  path: string;
+  element: ComponentChildren;
+};
+
+export type LinkProps = Omit<JSX.AnchorHTMLAttributes<HTMLAnchorElement>, "href"> & {
+  to: string;
+  replace?: boolean;
+  children?: ComponentChildren;
+};
+
 export function useAuth(): Auth;
 export function signInWithGoogle(options?: SignInWithGoogleOptions): Promise<SignInWithGoogleResult>;
 export function signOut(): void;
 export function getIdentity(): Identity;
 export function decodeIdentityClaims(idToken?: string): IdentityClaims | null;
 export function SignInWithGoogle(props?: SignInWithGoogleProps): JSX.Element;
+export function Router(props?: RouterProps): JSX.Element;
+export function Routes(props?: RoutesProps): JSX.Element | null;
+export function Route(props: RouteProps): JSX.Element | null;
+export function Link(props: LinkProps): JSX.Element;
+export function navigate(to: string, options?: NavigateOptions): void;
+export function useLocation(): LakebedLocation;
+export function useNavigate(): (to: string, options?: NavigateOptions) => void;
+export function useParams<TParams = Record<string, string | undefined>>(): TParams;
 export function useQuery<T>(name: string): T;
 export function useMutation<TArgs extends unknown[], TResult>(name: string): (...args: TArgs) => Promise<TResult>;

package/src/client.js

@@ -1,5 +1,5 @@
-import { h } from "preact";
-import { useEffect, useState } from "preact/hooks";
+import { createContext, h, toChildArray } from "preact";
+import { useContext, useEffect, useState } from "preact/hooks";
 
 const DEFAULT_SHOO_BASE_URL = "https://shoo.dev";
 const AUTH_STORAGE_KEY = "lakebed_identity";
@@ -23,6 +23,14 @@ let authInitialized = false;
 let authResumeStarted = false;
 let refreshRequested = false;
 
+const RouterContext = createContext(null);
+const RouteContext = createContext({ params: {} });
+
+function normalizeBasePathValue(value) {
+  const clean = String(value ?? "").replace(/\/+$/g, "");
+  return clean === "/" ? "" : clean;
+}
+
 function toGuestName(name) {
   return (
     String(name ?? "local")
@@ -144,7 +152,7 @@ function send(message) {
 }
 
 function basePath() {
-  return window.__LAKEBED_BASE_PATH__ ?? "";
+  return normalizeBasePathValue(window.__LAKEBED_BASE_PATH__ ?? "");
 }
 
 function authConfig() {
@@ -159,6 +167,214 @@ function currentRoute() {
   return `${window.location.pathname}${window.location.search}${window.location.hash}`;
 }
 
+function appPathnameFromBrowserPathname(pathname) {
+  const base = basePath();
+  if (!base) {
+    return pathname || "/";
+  }
+
+  if (pathname === base) {
+    return "/";
+  }
+
+  if (pathname.startsWith(`${base}/`)) {
+    return pathname.slice(base.length) || "/";
+  }
+
+  return pathname || "/";
+}
+
+function currentAppLocation() {
+  if (typeof window === "undefined") {
+    return { hash: "", href: "/", pathname: "/", search: "" };
+  }
+
+  const pathname = appPathnameFromBrowserPathname(window.location.pathname);
+  const search = window.location.search;
+  const hash = window.location.hash;
+  return {
+    hash,
+    href: `${pathname}${search}${hash}`,
+    pathname,
+    search
+  };
+}
+
+function isExternalHref(value) {
+  return /^[a-zA-Z][a-zA-Z\d+.-]*:/.test(value) || value.startsWith("//");
+}
+
+function browserHrefForAppHref(appHref) {
+  const url = new URL(appHref, "http://lakebed.local/");
+  const base = basePath();
+  const pathname = base ? `${base}${url.pathname === "/" ? "/" : url.pathname}` : url.pathname;
+  return `${pathname}${url.search}${url.hash}`;
+}
+
+function hrefForRoute(to) {
+  const value = String(to ?? "");
+  if (!value) {
+    return browserHrefForAppHref(currentAppLocation().href);
+  }
+
+  if (isExternalHref(value)) {
+    return value;
+  }
+
+  const current = currentAppLocation();
+  const resolved = new URL(value, `http://lakebed.local${current.href}`);
+  return browserHrefForAppHref(`${resolved.pathname}${resolved.search}${resolved.hash}`);
+}
+
+function emitLocationChange() {
+  window.dispatchEvent(new Event("lakebed:locationchange"));
+}
+
+export function navigate(to, options = {}) {
+  const href = hrefForRoute(to);
+  const parsed = new URL(href, window.location.href);
+
+  if (parsed.origin !== window.location.origin) {
+    window.location.assign(parsed.toString());
+    return;
+  }
+
+  const next = `${parsed.pathname}${parsed.search}${parsed.hash}`;
+  const current = `${window.location.pathname}${window.location.search}${window.location.hash}`;
+  if (next === current) {
+    return;
+  }
+
+  if (options.replace) {
+    window.history.replaceState({}, "", next);
+  } else {
+    window.history.pushState({}, "", next);
+  }
+  emitLocationChange();
+}
+
+function useBrowserLocation() {
+  const [location, setLocation] = useState(currentAppLocation);
+
+  useEffect(() => {
+    function updateLocation() {
+      setLocation(currentAppLocation());
+    }
+
+    window.addEventListener("popstate", updateLocation);
+    window.addEventListener("lakebed:locationchange", updateLocation);
+    return () => {
+      window.removeEventListener("popstate", updateLocation);
+      window.removeEventListener("lakebed:locationchange", updateLocation);
+    };
+  }, []);
+
+  return location;
+}
+
+function normalizeMatchPath(path) {
+  const value = String(path ?? "/").trim();
+  if (value === "*" || value === "/*") {
+    return "*";
+  }
+
+  const withSlash = value.startsWith("/") ? value : `/${value}`;
+  return withSlash.length > 1 ? withSlash.replace(/\/+$/g, "") : "/";
+}
+
+function pathSegments(path) {
+  const normalized = normalizeMatchPath(path);
+  if (normalized === "*" || normalized === "/") {
+    return [];
+  }
+
+  return normalized.replace(/^\/+|\/+$/g, "").split("/");
+}
+
+function decodeRouteSegment(value) {
+  try {
+    return decodeURIComponent(value);
+  } catch {
+    return value;
+  }
+}
+
+function matchRoutePath(pattern, pathname) {
+  const normalizedPattern = normalizeMatchPath(pattern);
+  if (normalizedPattern === "*") {
+    return { params: {} };
+  }
+
+  const patternSegments = pathSegments(normalizedPattern);
+  const pathnameSegments = pathSegments(pathname);
+  const params = {};
+
+  for (let index = 0; index < patternSegments.length; index += 1) {
+    const patternSegment = patternSegments[index];
+    const pathnameSegment = pathnameSegments[index];
+
+    if (patternSegment === "*") {
+      params["*"] = pathnameSegments.slice(index).map(decodeRouteSegment).join("/");
+      return { params };
+    }
+
+    if (pathnameSegment === undefined) {
+      return null;
+    }
+
+    if (patternSegment.startsWith(":")) {
+      const name = patternSegment.slice(1);
+      if (!name) {
+        return null;
+      }
+      params[name] = decodeRouteSegment(pathnameSegment);
+      continue;
+    }
+
+    if (patternSegment !== pathnameSegment) {
+      return null;
+    }
+  }
+
+  if (patternSegments.length !== pathnameSegments.length) {
+    return null;
+  }
+
+  return { params };
+}
+
+function routeChildren(children) {
+  const routes = [];
+  for (const child of toChildArray(children)) {
+    if (!child || typeof child !== "object") {
+      continue;
+    }
+
+    if (child.props?.path !== undefined) {
+      routes.push(child);
+      continue;
+    }
+
+    if (child.props?.children !== undefined) {
+      routes.push(...routeChildren(child.props.children));
+    }
+  }
+  return routes;
+}
+
+function shouldHandleLinkClick(event, target) {
+  return (
+    !event.defaultPrevented &&
+    event.button === 0 &&
+    !event.altKey &&
+    !event.ctrlKey &&
+    !event.metaKey &&
+    !event.shiftKey &&
+    (!target || target === "_self") &&
+    !event.currentTarget?.hasAttribute("download")
+  );
+}
+
 function normalizeReturnTo(value) {
   if (!value) {
     return null;
@@ -746,6 +962,72 @@ export function SignInWithGoogle({
   );
 }
 
+export function Router({ children } = {}) {
+  const location = useBrowserLocation();
+  return h(RouterContext.Provider, { value: { location, navigate } }, children);
+}
+
+export function Routes({ children } = {}) {
+  const location = useLocation();
+  const routes = routeChildren(children);
+  for (const route of routes) {
+    const match = matchRoutePath(route.props.path, location.pathname);
+    if (!match) {
+      continue;
+    }
+
+    return h(RouteContext.Provider, { value: match }, route.props.element ?? null);
+  }
+
+  return null;
+}
+
+export function Route() {
+  return null;
+}
+
+export function Link({ children, onClick, replace = false, target, to, ...props } = {}) {
+  const href = hrefForRoute(to);
+  return h(
+    "a",
+    {
+      ...props,
+      href,
+      onClick: (event) => {
+        onClick?.(event);
+        if (!shouldHandleLinkClick(event, target)) {
+          return;
+        }
+
+        const parsed = new URL(href, window.location.href);
+        if (parsed.origin !== window.location.origin) {
+          return;
+        }
+
+        event.preventDefault();
+        navigate(to, { replace });
+      },
+      target
+    },
+    children
+  );
+}
+
+export function useLocation() {
+  const context = useContext(RouterContext);
+  const fallback = useBrowserLocation();
+  return context?.location ?? fallback;
+}
+
+export function useNavigate() {
+  const context = useContext(RouterContext);
+  return context?.navigate ?? navigate;
+}
+
+export function useParams() {
+  return useContext(RouteContext).params;
+}
+
 export function useQuery(name) {
   const [value, setValue] = useState(queryValues.get(name) ?? []);
 

package/src/services/all-in-one.js

@@ -0,0 +1,5 @@
+import { startAnonymousServer } from "../anonymous-server.js";
+
+await startAnonymousServer({
+  role: "all"
+});

package/src/services/api-dashboard.js

@@ -0,0 +1,7 @@
+import { startAnonymousServer } from "../anonymous-server.js";
+
+await startAnonymousServer({
+  dashboardRootUrl: process.env.LAKEBED_DASHBOARD_ROOT_URL ?? "https://dashboard.lakebed.dev",
+  publicRootUrl: process.env.PUBLIC_ROOT_URL ?? "https://api.lakebed.dev",
+  role: "api-dashboard"
+});

package/src/services/capsule-runner.js

@@ -0,0 +1,5 @@
+import { startAnonymousServer } from "../anonymous-server.js";
+
+await startAnonymousServer({
+  role: "runner"
+});

package/src/version.js

@@ -1 +1 @@
-export const LAKEBED_VERSION = "0.0.19";
+export const LAKEBED_VERSION = "0.0.21";