lakebed 0.0.2 → 0.0.3

package/src/anonymous-server.js

@@ -1,3 +1,4 @@
+import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";
 import { createServer } from "node:http";
 import {
   createClaimToken,
@@ -10,6 +11,7 @@ import {
   parseTtlSeconds,
   validateAnonymousDeployPayload
 } from "./anonymous.js";
+import { authFromUrl as resolveAuthFromUrl, createGuestAuth, requestOrigin, shooBaseUrlFromEnv } from "./auth.js";
 import { WebSocketServer } from "ws";
 
 function now() {
@@ -20,38 +22,7 @@ function dayWindowStart() {
   return `${new Date().toISOString().slice(0, 10)}T00:00:00.000Z`;
 }
 
-function toGuestName(name) {
-  return (
-    String(name ?? "local")
-      .replace(/^guest:/, "")
-      .trim()
-      .replace(/[^a-zA-Z0-9_.-]+/g, "-")
-      .replace(/^-+|-+$/g, "")
-      .toLowerCase() || "local"
-  );
-}
-
-function toDisplayName(name) {
-  return toGuestName(name)
-    .split(/[-_\s.]+/)
-    .filter(Boolean)
-    .map((part) => `${part[0]?.toUpperCase() ?? ""}${part.slice(1)}`)
-    .join(" ");
-}
-
-function createGuestAuth(name) {
-  const guestName = toGuestName(name);
-  return {
-    displayName: toDisplayName(guestName),
-    userId: `guest:${guestName}`
-  };
-}
-
-function authFromUrl(url) {
-  return createGuestAuth(url.searchParams.get("lakebed_guest") ?? url.searchParams.get("guest") ?? "local");
-}
-
-function html(title, basePath) {
+function html(title, basePath, { shooBaseUrl } = {}) {
   return `<!doctype html>
 <html lang="en">
   <head>
@@ -62,6 +33,7 @@ function html(title, basePath) {
   <body>
     <div id="app"></div>
     <script>window.__LAKEBED_BASE_PATH__ = ${JSON.stringify(basePath)};</script>
+    <script>window.__LAKEBED_AUTH__ = ${JSON.stringify({ shooBaseUrl })};</script>
     <script type="module" src="${basePath}/client.js"></script>
     <script>
       const tailwind = document.createElement("script");
@@ -86,6 +58,14 @@ function sendText(res, status, value, headers = {}) {
   res.end(value);
 }
 
+function redirect(res, location, headers = {}) {
+  res.writeHead(302, {
+    Location: location,
+    ...headers
+  });
+  res.end();
+}
+
 function websocketSend(ws, message) {
   ws.send(JSON.stringify(message));
 }
@@ -108,11 +88,36 @@ async function readJsonBody(req, maxBytes = 2 * 1024 * 1024) {
   return JSON.parse(Buffer.concat(chunks).toString("utf8"));
 }
 
+function bearerToken(req) {
+  const header = req.headers.authorization;
+  if (!header) {
+    return "";
+  }
+
+  const match = String(header).match(/^Bearer\s+(.+)$/i);
+  return match?.[1]?.trim() ?? "";
+}
+
+function isDeployTokenValid(deploy, token) {
+  return Boolean(token && deploy?.claimTokenHash && hashClaimToken(token) === deploy.claimTokenHash);
+}
+
 function normalizePublicRootUrl(value, port) {
   const fallback = `http://localhost:${port}`;
   return String(value || fallback).replace(/\/+$/g, "");
 }
 
+function normalizeAppBaseDomain(value) {
+  return String(value ?? "")
+    .trim()
+    .replace(/^https?:\/\//i, "")
+    .replace(/\/.*$/g, "")
+    .replace(/^\*\./, "")
+    .replace(/:\d+$/g, "")
+    .replace(/\.$/, "")
+    .toLowerCase();
+}
+
 function appUrlForSlug({ appBaseDomain, publicRootUrl, slug }) {
   if (appBaseDomain) {
     return `https://${slug}.${appBaseDomain}`;
@@ -136,6 +141,8 @@ function inspectUrls(url) {
 
 function responseForDeploy({ deploy, token }) {
   return {
+    claimed: Boolean(deploy.ownerId),
+    claimedAt: deploy.claimedAt ?? undefined,
     claimUrl: token ? claimUrlForDeploy({ deployId: deploy.id, publicRootUrl: deploy.publicRootUrl, token }) : undefined,
     deployId: deploy.id,
     expiresAt: deploy.expiresAt,
@@ -207,6 +214,1217 @@ function quotaLimitForBucket(bucket, deploy) {
   return deploy.limits.requestsPerDay;
 }
 
+const adminCookieName = "lakebed_admin";
+const adminCookieMaxAgeSeconds = 60 * 60 * 24 * 7;
+const developerCookieName = "lakebed_developer";
+const developerCookieMaxAgeSeconds = 60 * 60 * 24 * 30;
+const oauthStateCookieName = "lakebed_oauth_state";
+
+function adminPasswordFromEnv(env = process.env) {
+  return env.LAKEBED_ADMIN_PASSWORD ?? env.SPAN_ADMIN_PASSWORD ?? "";
+}
+
+function isAdminConfigured(adminPassword) {
+  return String(adminPassword ?? "").length > 0;
+}
+
+function safeEqual(left, right) {
+  const leftBuffer = Buffer.from(String(left));
+  const rightBuffer = Buffer.from(String(right));
+  if (leftBuffer.length !== rightBuffer.length) {
+    return false;
+  }
+
+  return timingSafeEqual(leftBuffer, rightBuffer);
+}
+
+function adminSessionToken(adminPassword) {
+  return createHmac("sha256", String(adminPassword)).update("lakebed.admin.session.v1").digest("base64url");
+}
+
+function isAdminPasswordValid(candidate, adminPassword) {
+  if (!isAdminConfigured(adminPassword)) {
+    return false;
+  }
+
+  return safeEqual(adminSessionToken(candidate ?? ""), adminSessionToken(adminPassword));
+}
+
+function parseCookies(req) {
+  const cookies = {};
+  for (const part of String(req.headers.cookie ?? "").split(";")) {
+    const [rawName, ...rawValue] = part.trim().split("=");
+    if (!rawName) {
+      continue;
+    }
+
+    cookies[rawName] = rawValue.join("=");
+  }
+  return cookies;
+}
+
+function isAdminAuthenticated(req, adminPassword) {
+  if (!isAdminConfigured(adminPassword)) {
+    return false;
+  }
+
+  return safeEqual(parseCookies(req)[adminCookieName] ?? "", adminSessionToken(adminPassword));
+}
+
+function isSecureRequest(req) {
+  return String(req.headers["x-forwarded-proto"] ?? "")
+    .split(",")[0]
+    .trim()
+    .toLowerCase() === "https";
+}
+
+function adminCookie(value, maxAge = adminCookieMaxAgeSeconds, secure = false) {
+  return `${adminCookieName}=${value}; HttpOnly; SameSite=Lax; Path=/admin; Max-Age=${maxAge}${secure ? "; Secure" : ""}`;
+}
+
+function cookie(name, value, { httpOnly = true, maxAge, path = "/", sameSite = "Lax", secure = false } = {}) {
+  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`, `SameSite=${sameSite}`];
+  if (httpOnly) {
+    parts.push("HttpOnly");
+  }
+  if (typeof maxAge === "number") {
+    parts.push(`Max-Age=${maxAge}`);
+  }
+  if (secure) {
+    parts.push("Secure");
+  }
+  return parts.join("; ");
+}
+
+function hmac(value, secret) {
+  return createHmac("sha256", String(secret)).update(String(value)).digest("base64url");
+}
+
+function signedValue(value, secret) {
+  return `${value}.${hmac(value, secret)}`;
+}
+
+function verifySignedValue(value, secret) {
+  if (!value || !secret) {
+    return null;
+  }
+
+  const signed = decodeURIComponent(String(value));
+  const splitAt = signed.lastIndexOf(".");
+  if (splitAt <= 0) {
+    return null;
+  }
+
+  const payload = signed.slice(0, splitAt);
+  const signature = signed.slice(splitAt + 1);
+  return safeEqual(signature, hmac(payload, secret)) ? payload : null;
+}
+
+function signedJson(value, secret) {
+  return signedValue(Buffer.from(JSON.stringify(value), "utf8").toString("base64url"), secret);
+}
+
+function verifySignedJson(value, secret) {
+  const payload = verifySignedValue(value, secret);
+  if (!payload) {
+    return null;
+  }
+
+  try {
+    return JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
+  } catch {
+    return null;
+  }
+}
+
+function normalizeReturnTo(value, fallback = "/deploys") {
+  const candidate = String(value || fallback);
+  if (!candidate.startsWith("/") || candidate.startsWith("//") || candidate.includes("\\") || candidate.startsWith("/auth/github")) {
+    return fallback;
+  }
+  return candidate;
+}
+
+function githubOAuthFromEnv(env = process.env) {
+  const clientId = env.LAKEBED_GITHUB_CLIENT_ID ?? env.GITHUB_CLIENT_ID ?? "";
+  const clientSecret = env.LAKEBED_GITHUB_CLIENT_SECRET ?? env.GITHUB_CLIENT_SECRET ?? "";
+  if (!clientId || !clientSecret) {
+    return null;
+  }
+
+  return {
+    authorizeUrl: env.LAKEBED_GITHUB_AUTHORIZE_URL ?? "https://github.com/login/oauth/authorize",
+    clientId,
+    clientSecret,
+    redirectUri: env.LAKEBED_GITHUB_REDIRECT_URI,
+    tokenUrl: env.LAKEBED_GITHUB_TOKEN_URL ?? "https://github.com/login/oauth/access_token",
+    userUrl: env.LAKEBED_GITHUB_USER_URL ?? "https://api.github.com/user"
+  };
+}
+
+function normalizeGithubOAuth(value) {
+  if (!value?.clientId || !value?.clientSecret) {
+    return null;
+  }
+
+  return {
+    authorizeUrl: value.authorizeUrl ?? "https://github.com/login/oauth/authorize",
+    clientId: String(value.clientId),
+    clientSecret: String(value.clientSecret),
+    redirectUri: value.redirectUri,
+    sessionSecret: value.sessionSecret,
+    tokenUrl: value.tokenUrl ?? "https://github.com/login/oauth/access_token",
+    userUrl: value.userUrl ?? "https://api.github.com/user"
+  };
+}
+
+function developerAuthConfigured(githubOAuth, sessionSecret) {
+  return Boolean(githubOAuth?.clientId && githubOAuth?.clientSecret && sessionSecret);
+}
+
+function githubRedirectUri(githubOAuth, publicRootUrl) {
+  return githubOAuth.redirectUri ?? `${publicRootUrl}/auth/github/callback`;
+}
+
+function normalizeGithubUser(user) {
+  if (!user?.id || !user?.login) {
+    throw new Error("GitHub did not return a usable user profile.");
+  }
+
+  const providerId = String(user.id).replace(/^github:/, "");
+  return {
+    avatarUrl: typeof user.avatar_url === "string" ? user.avatar_url : null,
+    displayName: typeof user.name === "string" && user.name.trim() ? user.name : String(user.login),
+    id: `github:${providerId}`,
+    login: String(user.login),
+    provider: "github",
+    providerId,
+    url: typeof user.html_url === "string" ? user.html_url : `https://github.com/${user.login}`
+  };
+}
+
+function developerCookie(user, sessionSecret, secure) {
+  return cookie(
+    developerCookieName,
+    signedJson(
+      {
+        createdAt: now(),
+        user
+      },
+      sessionSecret
+    ),
+    {
+      maxAge: developerCookieMaxAgeSeconds,
+      path: "/",
+      secure
+    }
+  );
+}
+
+function clearDeveloperCookie(secure) {
+  return cookie(developerCookieName, "", { maxAge: 0, path: "/", secure });
+}
+
+function developerFromRequest(req, sessionSecret) {
+  const session = verifySignedJson(parseCookies(req)[developerCookieName], sessionSecret);
+  if (!session?.user?.id || !session.createdAt) {
+    return null;
+  }
+
+  if (Date.parse(session.createdAt) + developerCookieMaxAgeSeconds * 1000 <= Date.now()) {
+    return null;
+  }
+
+  return session.user;
+}
+
+function oauthStateCookie(value, secure) {
+  return cookie(oauthStateCookieName, value, {
+    maxAge: 10 * 60,
+    path: "/auth/github",
+    secure
+  });
+}
+
+function clearOauthStateCookie(secure) {
+  return cookie(oauthStateCookieName, "", {
+    maxAge: 0,
+    path: "/auth/github",
+    secure
+  });
+}
+
+async function githubUserFromCode({ code, githubOAuth, redirectUri }) {
+  const tokenResponse = await fetch(githubOAuth.tokenUrl, {
+    body: new URLSearchParams({
+      client_id: githubOAuth.clientId,
+      client_secret: githubOAuth.clientSecret,
+      code,
+      redirect_uri: redirectUri
+    }),
+    headers: {
+      Accept: "application/json",
+      "Content-Type": "application/x-www-form-urlencoded",
+      "User-Agent": "Lakebed"
+    },
+    method: "POST"
+  });
+  const tokenBody = await tokenResponse.json().catch(() => ({}));
+  if (!tokenResponse.ok || !tokenBody.access_token) {
+    throw new Error(tokenBody.error_description ?? tokenBody.error ?? "GitHub OAuth token exchange failed.");
+  }
+
+  const userResponse = await fetch(githubOAuth.userUrl, {
+    headers: {
+      Accept: "application/vnd.github+json",
+      Authorization: `Bearer ${tokenBody.access_token}`,
+      "User-Agent": "Lakebed"
+    }
+  });
+  const userBody = await userResponse.json().catch(() => ({}));
+  if (!userResponse.ok) {
+    throw new Error(userBody.message ?? "GitHub user lookup failed.");
+  }
+
+  return normalizeGithubUser(userBody);
+}
+
+function bytesOfJson(value) {
+  return Buffer.byteLength(JSON.stringify(value ?? null), "utf8");
+}
+
+function usageCounts(usage) {
+  const windowStart = dayWindowStart();
+  const counts = {
+    mutationsToday: 0,
+    requestsToday: 0
+  };
+
+  for (const event of usage) {
+    if (event.windowStart !== windowStart) {
+      continue;
+    }
+
+    if (event.bucket === "mutations") {
+      counts.mutationsToday += event.count;
+    } else if (event.bucket === "requests") {
+      counts.requestsToday += event.count;
+    }
+  }
+
+  return counts;
+}
+
+function adminDeploySummary({ artifact, artifactBytes = 0, deploy, logBytes = 0, logEntries = 0, stateBytes = 0, stateRows = 0, usage }) {
+  return {
+    artifactBytes,
+    artifactHash: deploy.artifactHash,
+    claimedAt: deploy.claimedAt,
+    clientBundleHash: deploy.clientBundleHash,
+    createdAt: deploy.createdAt,
+    expiresAt: deploy.expiresAt,
+    id: deploy.id,
+    limits: deploy.limits,
+    logBytes,
+    logEntries,
+    name: artifact?.name ?? "Lakebed Capsule",
+    ownerId: deploy.ownerId,
+    slug: deploy.slug,
+    stateBytes,
+    stateRows,
+    status: isExpired(deploy) ? "expired" : deploy.status,
+    tableCount: Object.keys(artifact?.server?.schema ?? {}).length,
+    url: deploy.url,
+    ...usageCounts(usage)
+  };
+}
+
+function adminHtml() {
+  return `<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>Lakebed Admin</title>
+    <style>
+      :root {
+        color-scheme: dark;
+        --bg: #10100f;
+        --panel: #181816;
+        --line: #34342f;
+        --line-strong: #575247;
+        --text: #f3efe2;
+        --muted: #aaa28f;
+        --accent: #9ad66b;
+        --warn: #e9bc5d;
+        --bad: #ee7d71;
+        --ink: #0f120d;
+      }
+
+      * {
+        box-sizing: border-box;
+      }
+
+      body {
+        margin: 0;
+        background:
+          linear-gradient(90deg, rgba(154, 214, 107, 0.06) 1px, transparent 1px),
+          linear-gradient(180deg, rgba(154, 214, 107, 0.04) 1px, transparent 1px),
+          var(--bg);
+        background-size: 34px 34px;
+        color: var(--text);
+        font-family: "DIN Alternate", "Avenir Next", "Helvetica Neue", sans-serif;
+        letter-spacing: 0;
+      }
+
+      button,
+      input {
+        font: inherit;
+        letter-spacing: 0;
+      }
+
+      a {
+        color: var(--accent);
+        text-decoration: none;
+      }
+
+      a:hover {
+        text-decoration: underline;
+      }
+
+      .shell {
+        margin: 0 auto;
+        max-width: 1280px;
+        min-height: 100vh;
+        padding: 24px 28px;
+      }
+
+      .topbar {
+        align-items: center;
+        display: flex;
+        gap: 18px;
+        justify-content: space-between;
+        margin-bottom: 24px;
+      }
+
+      .brand {
+        display: grid;
+        gap: 4px;
+      }
+
+      .eyebrow {
+        color: var(--accent);
+        font-family: "SFMono-Regular", Consolas, monospace;
+        font-size: 12px;
+      }
+
+      h1 {
+        font-size: clamp(24px, 3vw, 36px);
+        font-weight: 700;
+        line-height: 1;
+        margin: 0;
+      }
+
+      .actions {
+        display: flex;
+        flex-wrap: wrap;
+        gap: 10px;
+        justify-content: flex-end;
+      }
+
+      .button {
+        background: var(--accent);
+        border: 1px solid var(--accent);
+        border-radius: 6px;
+        color: var(--ink);
+        cursor: pointer;
+        font-weight: 700;
+        min-height: 40px;
+        padding: 0 14px;
+      }
+
+      .button.secondary {
+        background: transparent;
+        color: var(--text);
+      }
+
+      .metrics {
+        display: grid;
+        gap: 1px;
+        grid-template-columns: repeat(6, minmax(130px, 1fr));
+        margin-bottom: 26px;
+      }
+
+      .metric {
+        background: rgba(24, 24, 22, 0.94);
+        border: 1px solid var(--line);
+        min-height: 96px;
+        padding: 16px;
+      }
+
+      .metric:first-child {
+        border-radius: 8px 0 0 8px;
+      }
+
+      .metric:last-child {
+        border-radius: 0 8px 8px 0;
+      }
+
+      .metric span {
+        color: var(--muted);
+        display: block;
+        font-family: "SFMono-Regular", Consolas, monospace;
+        font-size: 12px;
+        margin-bottom: 12px;
+      }
+
+      .metric strong {
+        display: block;
+        font-size: 26px;
+        line-height: 1.1;
+      }
+
+      .panel {
+        background: rgba(24, 24, 22, 0.96);
+        border: 1px solid var(--line);
+        border-radius: 8px;
+        overflow: hidden;
+      }
+
+      .panel-head {
+        align-items: center;
+        border-bottom: 1px solid var(--line);
+        display: flex;
+        gap: 12px;
+        justify-content: space-between;
+        padding: 14px 16px;
+      }
+
+      .panel-head h2 {
+        font-size: 16px;
+        margin: 0;
+      }
+
+      .status-line {
+        color: var(--muted);
+        font-family: "SFMono-Regular", Consolas, monospace;
+        font-size: 12px;
+      }
+
+      .table-wrap {
+        overflow-x: auto;
+      }
+
+      table {
+        border-collapse: collapse;
+        min-width: 1220px;
+        width: 100%;
+      }
+
+      th,
+      td {
+        border-bottom: 1px solid var(--line);
+        padding: 12px 14px;
+        text-align: left;
+        vertical-align: top;
+      }
+
+      th {
+        color: var(--muted);
+        font-family: "SFMono-Regular", Consolas, monospace;
+        font-size: 12px;
+        font-weight: 600;
+      }
+
+      td {
+        font-size: 14px;
+        white-space: nowrap;
+      }
+
+      tr:last-child td {
+        border-bottom: 0;
+      }
+
+      .deploy-name {
+        display: grid;
+        gap: 4px;
+        min-width: 240px;
+      }
+
+      .deploy-name strong {
+        font-size: 15px;
+      }
+
+      .mono,
+      .deploy-name small {
+        color: var(--muted);
+        font-family: "SFMono-Regular", Consolas, monospace;
+        font-size: 12px;
+      }
+
+      .deploy-name small {
+        white-space: normal;
+      }
+
+      .pill {
+        border: 1px solid var(--line-strong);
+        border-radius: 999px;
+        display: inline-flex;
+        font-family: "SFMono-Regular", Consolas, monospace;
+        font-size: 12px;
+        padding: 3px 8px;
+      }
+
+      .pill.active {
+        border-color: rgba(154, 214, 107, 0.75);
+        color: var(--accent);
+      }
+
+      .pill.expired {
+        border-color: rgba(238, 125, 113, 0.75);
+        color: var(--bad);
+      }
+
+      .pill.terminated {
+        border-color: rgba(233, 188, 93, 0.75);
+        color: var(--warn);
+      }
+
+      .status-cell {
+        align-items: center;
+        display: flex;
+        gap: 8px;
+      }
+
+      .row-action {
+        background: transparent;
+        border: 1px solid rgba(238, 125, 113, 0.8);
+        border-radius: 6px;
+        color: var(--bad);
+        cursor: pointer;
+        font-family: "SFMono-Regular", Consolas, monospace;
+        font-size: 12px;
+        min-height: 32px;
+        padding: 0 10px;
+      }
+
+      .row-action:disabled {
+        border-color: var(--line);
+        color: var(--muted);
+        cursor: default;
+        opacity: 0.62;
+      }
+
+      th:nth-child(8),
+      td:nth-child(8),
+      th:nth-child(9),
+      td:nth-child(9) {
+        min-width: 124px;
+      }
+
+      .login {
+        align-items: center;
+        display: flex;
+        min-height: calc(100vh - 56px);
+      }
+
+      .login-panel {
+        background: rgba(24, 24, 22, 0.98);
+        border: 1px solid var(--line);
+        border-radius: 8px;
+        max-width: 460px;
+        padding: 24px;
+        width: 100%;
+      }
+
+      .login-panel h1 {
+        font-size: 34px;
+        margin-bottom: 20px;
+      }
+
+      .field {
+        display: grid;
+        gap: 8px;
+      }
+
+      label {
+        color: var(--muted);
+        font-family: "SFMono-Regular", Consolas, monospace;
+        font-size: 12px;
+      }
+
+      input {
+        background: #0c0d0b;
+        border: 1px solid var(--line-strong);
+        border-radius: 6px;
+        color: var(--text);
+        min-height: 44px;
+        outline: none;
+        padding: 0 12px;
+        width: 100%;
+      }
+
+      input:focus {
+        border-color: var(--accent);
+      }
+
+      .form-row {
+        display: flex;
+        gap: 10px;
+        margin-top: 16px;
+      }
+
+      .error {
+        color: var(--bad);
+        min-height: 20px;
+      }
+
+      .hidden {
+        display: none;
+      }
+
+      @media (max-width: 860px) {
+        .shell {
+          padding: 18px;
+        }
+
+        .topbar,
+        .panel-head {
+          align-items: flex-start;
+          flex-direction: column;
+        }
+
+        .actions {
+          justify-content: flex-start;
+        }
+
+        .metrics {
+          grid-template-columns: repeat(2, minmax(0, 1fr));
+        }
+
+        .metric,
+        .metric:first-child,
+        .metric:last-child {
+          border-radius: 8px;
+        }
+      }
+    </style>
+  </head>
+  <body>
+    <main class="shell">
+      <section class="login hidden" id="login-view">
+        <form class="login-panel" id="login-form">
+          <div class="eyebrow">lakebed admin</div>
+          <h1>Deploy monitor</h1>
+          <div class="field">
+            <label for="password">Password</label>
+            <input id="password" name="password" type="password" autocomplete="current-password" autofocus />
+          </div>
+          <div class="form-row">
+            <button class="button" type="submit">Unlock</button>
+          </div>
+          <p class="error" id="login-error"></p>
+        </form>
+      </section>
+
+      <section class="hidden" id="dashboard-view">
+        <header class="topbar">
+          <div class="brand">
+            <div class="eyebrow">lakebed admin</div>
+            <h1>Deploy monitor</h1>
+          </div>
+          <div class="actions">
+            <button class="button secondary" id="refresh-button" type="button">Refresh</button>
+            <button class="button secondary" id="logout-button" type="button">Lock</button>
+          </div>
+        </header>
+
+        <section class="metrics" aria-label="Deploy resource totals">
+          <div class="metric"><span>deploys</span><strong id="metric-deploys">0</strong></div>
+          <div class="metric"><span>artifact bytes</span><strong id="metric-artifacts">0 B</strong></div>
+          <div class="metric"><span>state bytes</span><strong id="metric-state">0 B</strong></div>
+          <div class="metric"><span>state rows</span><strong id="metric-rows">0</strong></div>
+          <div class="metric"><span>requests today</span><strong id="metric-requests">0</strong></div>
+          <div class="metric"><span>mutations today</span><strong id="metric-mutations">0</strong></div>
+        </section>
+
+        <section class="panel">
+          <div class="panel-head">
+            <h2>Deploy resource table</h2>
+            <div class="status-line" id="status-line">Loading</div>
+          </div>
+          <div class="table-wrap">
+            <table>
+              <thead>
+                <tr>
+                  <th>Deploy</th>
+                  <th>Status</th>
+                  <th>Created</th>
+                  <th>Expires</th>
+                  <th>Artifact</th>
+                  <th>State</th>
+                  <th>Logs</th>
+                  <th>Requests</th>
+                  <th>Mutations</th>
+                  <th>Connections</th>
+                </tr>
+              </thead>
+              <tbody id="deploy-rows"></tbody>
+            </table>
+          </div>
+        </section>
+      </section>
+    </main>
+
+    <script>
+      const loginView = document.getElementById("login-view");
+      const dashboardView = document.getElementById("dashboard-view");
+      const loginForm = document.getElementById("login-form");
+      const loginError = document.getElementById("login-error");
+      const rows = document.getElementById("deploy-rows");
+      const statusLine = document.getElementById("status-line");
+      let terminatingDeployId = null;
+
+      function show(view) {
+        loginView.classList.toggle("hidden", view !== "login");
+        dashboardView.classList.toggle("hidden", view !== "dashboard");
+      }
+
+      function formatBytes(bytes) {
+        const value = Number(bytes || 0);
+        if (value < 1024) {
+          return value + " B";
+        }
+        if (value < 1024 * 1024) {
+          return (value / 1024).toFixed(1) + " KB";
+        }
+        return (value / 1024 / 1024).toFixed(2) + " MB";
+      }
+
+      function formatNumber(value) {
+        return new Intl.NumberFormat().format(Number(value || 0));
+      }
+
+      function formatTime(value) {
+        if (!value) {
+          return "unknown";
+        }
+        return new Intl.DateTimeFormat(undefined, {
+          dateStyle: "medium",
+          timeStyle: "short"
+        }).format(new Date(value));
+      }
+
+      function setMetric(id, value) {
+        document.getElementById(id).textContent = value;
+      }
+
+      function textCell(value, className) {
+        const td = document.createElement("td");
+        td.textContent = value;
+        if (className) {
+          td.className = className;
+        }
+        return td;
+      }
+
+      function deployCell(deploy) {
+        const td = document.createElement("td");
+        const wrap = document.createElement("div");
+        const name = document.createElement("strong");
+        const link = document.createElement("a");
+        const id = document.createElement("small");
+        wrap.className = "deploy-name";
+        link.href = deploy.url;
+        link.textContent = deploy.name || deploy.slug;
+        name.appendChild(link);
+        id.textContent = deploy.id + " / " + deploy.slug;
+        wrap.appendChild(name);
+        wrap.appendChild(id);
+        td.appendChild(wrap);
+        return td;
+      }
+
+      function statusCell(deploy) {
+        const td = document.createElement("td");
+        const wrap = document.createElement("div");
+        const pill = document.createElement("span");
+        wrap.className = "status-cell";
+        pill.className = "pill " + deploy.status;
+        pill.textContent = deploy.status;
+        wrap.appendChild(pill);
+
+        if (deploy.status === "active") {
+          const button = document.createElement("button");
+          button.className = "row-action";
+          button.type = "button";
+          button.textContent = terminatingDeployId === deploy.id ? "Terminating" : "Terminate";
+          button.disabled = terminatingDeployId === deploy.id;
+          button.addEventListener("click", () => {
+            void terminateDeploy(deploy).catch((error) => {
+              statusLine.textContent = error instanceof Error ? error.message : String(error);
+            });
+          });
+          wrap.appendChild(button);
+        }
+
+        td.appendChild(wrap);
+        return td;
+      }
+
+      function render(summary) {
+        setMetric("metric-deploys", formatNumber(summary.deployCount));
+        setMetric("metric-artifacts", formatBytes(summary.totals.artifactBytes));
+        setMetric("metric-state", formatBytes(summary.totals.stateBytes));
+        setMetric("metric-rows", formatNumber(summary.totals.stateRows));
+        setMetric("metric-requests", formatNumber(summary.totals.requestsToday));
+        setMetric("metric-mutations", formatNumber(summary.totals.mutationsToday));
+        statusLine.textContent = "Updated " + formatTime(summary.generatedAt);
+        rows.replaceChildren();
+
+        for (const deploy of summary.deploys) {
+          const tr = document.createElement("tr");
+          tr.appendChild(deployCell(deploy));
+          tr.appendChild(statusCell(deploy));
+          tr.appendChild(textCell(formatTime(deploy.createdAt)));
+          tr.appendChild(textCell(formatTime(deploy.expiresAt)));
+          tr.appendChild(textCell(formatBytes(deploy.artifactBytes), "mono"));
+          tr.appendChild(textCell(formatBytes(deploy.stateBytes) + " / " + formatNumber(deploy.stateRows) + " rows", "mono"));
+          tr.appendChild(textCell(formatBytes(deploy.logBytes) + " / " + formatNumber(deploy.logEntries) + " entries", "mono"));
+          tr.appendChild(textCell(formatNumber(deploy.requestsToday) + " / " + formatNumber(deploy.limits.requestsPerDay), "mono"));
+          tr.appendChild(textCell(formatNumber(deploy.mutationsToday) + " / " + formatNumber(deploy.limits.mutationsPerDay), "mono"));
+          tr.appendChild(textCell(formatNumber(deploy.connections), "mono"));
+          rows.appendChild(tr);
+        }
+      }
+
+      async function loadSummary() {
+        const response = await fetch("/admin/api/summary");
+        if (response.status === 401) {
+          show("login");
+          return;
+        }
+        if (response.status === 503) {
+          show("login");
+          loginError.textContent = "Set LAKEBED_ADMIN_PASSWORD on the deploy runner.";
+          return;
+        }
+        if (!response.ok) {
+          throw new Error(await response.text());
+        }
+        render(await response.json());
+        show("dashboard");
+      }
+
+      async function terminateDeploy(deploy) {
+        if (!confirm("Terminate " + (deploy.name || deploy.slug) + "?")) {
+          return;
+        }
+
+        terminatingDeployId = deploy.id;
+        statusLine.textContent = "Terminating " + deploy.id;
+        const response = await fetch("/admin/api/deploys/" + encodeURIComponent(deploy.id) + "/terminate", {
+          method: "POST"
+        });
+        terminatingDeployId = null;
+
+        if (response.status === 401) {
+          show("login");
+          return;
+        }
+        if (!response.ok) {
+          statusLine.textContent = "Terminate failed";
+          throw new Error(await response.text());
+        }
+        await loadSummary();
+      }
+
+      loginForm.addEventListener("submit", async (event) => {
+        event.preventDefault();
+        loginError.textContent = "";
+        const form = new FormData(loginForm);
+        const response = await fetch("/admin/api/login", {
+          body: JSON.stringify({ password: String(form.get("password") || "") }),
+          headers: { "Content-Type": "application/json" },
+          method: "POST"
+        });
+        if (!response.ok) {
+          loginError.textContent = response.status === 503
+            ? "Set LAKEBED_ADMIN_PASSWORD on the deploy runner."
+            : "Invalid password.";
+          return;
+        }
+        loginForm.reset();
+        await loadSummary();
+      });
+
+      document.getElementById("refresh-button").addEventListener("click", () => {
+        void loadSummary();
+      });
+
+      document.getElementById("logout-button").addEventListener("click", async () => {
+        await fetch("/admin/api/logout", { method: "POST" });
+        show("login");
+      });
+
+      void loadSummary().catch((error) => {
+        statusLine.textContent = error.message;
+        show("dashboard");
+      });
+    </script>
+  </body>
+</html>`;
+}
+
+function escapeHtml(value) {
+  return String(value ?? "")
+    .replace(/&/g, "&amp;")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;");
+}
+
+function developerDeploySummary({ artifact, deploy, usage }) {
+  return {
+    artifactHash: deploy.artifactHash,
+    claimedAt: deploy.claimedAt,
+    clientBundleHash: deploy.clientBundleHash,
+    createdAt: deploy.createdAt,
+    deployId: deploy.id,
+    expiresAt: deploy.expiresAt,
+    inspect: inspectUrls(deploy.url),
+    limits: deploy.limits,
+    name: artifact?.name ?? "Lakebed Capsule",
+    ownerId: deploy.ownerId,
+    slug: deploy.slug,
+    status: isExpired(deploy) ? "expired" : deploy.status,
+    url: deploy.url,
+    usage: usageCounts(usage)
+  };
+}
+
+function developerHtml({ authConfigured, deploys = [], user }) {
+  const signedIn = Boolean(user);
+  const rows = deploys
+    .map(
+      (deploy) => `<tr>
+        <td><a href="${escapeHtml(deploy.url)}">${escapeHtml(deploy.name)}</a><small>${escapeHtml(deploy.deployId)} / ${escapeHtml(deploy.slug)}</small></td>
+        <td><span class="pill ${escapeHtml(deploy.status)}">${escapeHtml(deploy.status)}</span></td>
+        <td>${escapeHtml(new Date(deploy.createdAt).toLocaleString())}</td>
+        <td>${escapeHtml(new Date(deploy.expiresAt).toLocaleString())}</td>
+        <td>${escapeHtml(deploy.usage.requestsToday)} / ${escapeHtml(deploy.limits.requestsPerDay)}</td>
+        <td>${escapeHtml(deploy.usage.mutationsToday)} / ${escapeHtml(deploy.limits.mutationsPerDay)}</td>
+      </tr>`
+    )
+    .join("");
+
+  return `<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>Lakebed Deployments</title>
+    <style>
+      :root {
+        color-scheme: dark;
+        --bg: #11130f;
+        --panel: #191c16;
+        --line: #343b2e;
+        --text: #f2f0e8;
+        --muted: #a8ab9e;
+        --accent: #91d46f;
+        --bad: #ee7d71;
+        --ink: #0c110a;
+      }
+
+      * {
+        box-sizing: border-box;
+      }
+
+      body {
+        background: var(--bg);
+        color: var(--text);
+        font-family: "Avenir Next", "Helvetica Neue", sans-serif;
+        letter-spacing: 0;
+        margin: 0;
+      }
+
+      a {
+        color: var(--accent);
+        text-decoration: none;
+      }
+
+      a:hover {
+        text-decoration: underline;
+      }
+
+      .shell {
+        margin: 0 auto;
+        max-width: 1120px;
+        min-height: 100vh;
+        padding: 28px;
+      }
+
+      header {
+        align-items: center;
+        display: flex;
+        gap: 16px;
+        justify-content: space-between;
+        margin-bottom: 24px;
+      }
+
+      h1 {
+        font-size: 32px;
+        line-height: 1;
+        margin: 0;
+      }
+
+      .eyebrow,
+      small,
+      th,
+      .meta {
+        color: var(--muted);
+        font-family: "SFMono-Regular", Consolas, monospace;
+        font-size: 12px;
+      }
+
+      .button {
+        background: var(--accent);
+        border: 1px solid var(--accent);
+        border-radius: 6px;
+        color: var(--ink);
+        display: inline-flex;
+        font-weight: 700;
+        min-height: 40px;
+        padding: 10px 14px;
+      }
+
+      .button.secondary {
+        background: transparent;
+        color: var(--text);
+      }
+
+      .panel {
+        background: var(--panel);
+        border: 1px solid var(--line);
+        border-radius: 8px;
+        overflow: hidden;
+      }
+
+      .empty {
+        color: var(--muted);
+        padding: 22px;
+      }
+
+      table {
+        border-collapse: collapse;
+        width: 100%;
+      }
+
+      th,
+      td {
+        border-bottom: 1px solid var(--line);
+        padding: 13px 14px;
+        text-align: left;
+        vertical-align: top;
+      }
+
+      tr:last-child td {
+        border-bottom: 0;
+      }
+
+      td:first-child {
+        display: grid;
+        gap: 4px;
+      }
+
+      .pill {
+        border: 1px solid var(--line);
+        border-radius: 999px;
+        display: inline-flex;
+        font-family: "SFMono-Regular", Consolas, monospace;
+        font-size: 12px;
+        padding: 3px 8px;
+      }
+
+      .pill.active {
+        border-color: rgba(145, 212, 111, 0.7);
+        color: var(--accent);
+      }
+
+      .pill.expired,
+      .pill.terminated {
+        border-color: rgba(238, 125, 113, 0.75);
+        color: var(--bad);
+      }
+
+      @media (max-width: 720px) {
+        .shell {
+          padding: 18px;
+        }
+
+        header {
+          align-items: flex-start;
+          flex-direction: column;
+        }
+
+        table {
+          min-width: 760px;
+        }
+
+        .panel {
+          overflow-x: auto;
+        }
+      }
+    </style>
+  </head>
+  <body>
+    <main class="shell">
+      <header>
+        <div>
+          <div class="eyebrow">lakebed</div>
+          <h1>Deployments</h1>
+          ${signedIn ? `<div class="meta">Signed in as ${escapeHtml(user.login)}</div>` : ""}
+        </div>
+        <div>
+          ${
+            signedIn
+              ? `<a class="button secondary" href="/auth/logout">Sign out</a>`
+              : authConfigured
+                ? `<a class="button" href="/auth/github">Sign in with GitHub</a>`
+                : ""
+          }
+        </div>
+      </header>
+
+      ${
+        !authConfigured
+          ? `<section class="panel"><div class="empty">GitHub sign-in is not configured.</div></section>`
+          : !signedIn
+            ? `<section class="panel"><div class="empty">Sign in to view claimed deployments.</div></section>`
+            : deploys.length === 0
+              ? `<section class="panel"><div class="empty">No claimed deployments.</div></section>`
+              : `<section class="panel">
+                  <table>
+                    <thead>
+                      <tr>
+                        <th>Deploy</th>
+                        <th>Status</th>
+                        <th>Created</th>
+                        <th>Expires</th>
+                        <th>Requests</th>
+                        <th>Mutations</th>
+                      </tr>
+                    </thead>
+                    <tbody>${rows}</tbody>
+                  </table>
+                </section>`
+      }
+    </main>
+  </body>
+</html>`;
+}
+
 export class MemoryAnonymousStore {
   constructor() {
     this.artifacts = new Map();
@@ -220,8 +1438,22 @@ export class MemoryAnonymousStore {
 
   async initialize() {}
 
+  storeArtifact({ artifact, artifactHash, clientBundleBase64, clientBundleHash, createdAt }) {
+    const currentArtifact = this.artifacts.get(artifactHash);
+    this.artifacts.set(artifactHash, {
+      artifact,
+      bytes: Buffer.byteLength(clientBundleBase64, "base64"),
+      clientBundleBase64,
+      clientBundleHash,
+      createdAt,
+      hash: artifactHash,
+      refCount: (currentArtifact?.refCount ?? 0) + 1
+    });
+  }
+
   async createDeploy({ appBaseDomain, artifact, artifactHash, clientBundleBase64, clientBundleHash, publicRootUrl, requestedTtlSeconds }) {
     const deployId = createDeployId();
+    const normalizedAppBaseDomain = normalizeAppBaseDomain(appBaseDomain);
     let slug = createSlug();
     while (this.deploysBySlug.has(slug)) {
       slug = createSlug();
@@ -231,28 +1463,28 @@ export class MemoryAnonymousStore {
     const createdAt = now();
     const ttlSeconds = parseTtlSeconds(requestedTtlSeconds);
     const expiresAt = new Date(Date.now() + ttlSeconds * 1000).toISOString();
-    const url = appUrlForSlug({ appBaseDomain, publicRootUrl, slug });
+    const url = appUrlForSlug({ appBaseDomain: normalizedAppBaseDomain, publicRootUrl, slug });
 
-    const currentArtifact = this.artifacts.get(artifactHash);
-    this.artifacts.set(artifactHash, {
+    this.storeArtifact({
       artifact,
-      bytes: Buffer.byteLength(clientBundleBase64, "base64"),
       clientBundleBase64,
       clientBundleHash,
       createdAt,
-      hash: artifactHash,
-      refCount: (currentArtifact?.refCount ?? 0) + 1
+      artifactHash
     });
 
     const deploy = {
-      appBaseDomain,
+      appBaseDomain: normalizedAppBaseDomain,
       artifactHash,
+      claimedAt: null,
       claimTokenHash: hashClaimToken(token),
       clientBundleHash,
       createdAt,
       expiresAt,
       id: deployId,
       limits: { ...DEFAULT_ANONYMOUS_LIMITS },
+      owner: null,
+      ownerId: null,
       publicRootUrl,
       slug,
       status: "active",
@@ -263,6 +1495,85 @@ export class MemoryAnonymousStore {
     return { deploy, token };
   }
 
+  async updateDeploy({
+    appBaseDomain,
+    artifact,
+    artifactHash,
+    clientBundleBase64,
+    clientBundleHash,
+    deployId,
+    publicRootUrl,
+    requestedTtlSeconds
+  }) {
+    const currentDeploy = await this.getDeployById(deployId);
+    if (!currentDeploy) {
+      return null;
+    }
+
+    const createdAt = now();
+    const ttlSeconds = parseTtlSeconds(requestedTtlSeconds);
+    const nextAppBaseDomain = normalizeAppBaseDomain(appBaseDomain ?? currentDeploy.appBaseDomain);
+    const nextPublicRootUrl = publicRootUrl ?? currentDeploy.publicRootUrl;
+    const deploy = {
+      ...currentDeploy,
+      appBaseDomain: nextAppBaseDomain,
+      artifactHash,
+      clientBundleHash,
+      expiresAt: new Date(Date.now() + ttlSeconds * 1000).toISOString(),
+      publicRootUrl: nextPublicRootUrl,
+      url: appUrlForSlug({ appBaseDomain: nextAppBaseDomain, publicRootUrl: nextPublicRootUrl, slug: currentDeploy.slug }),
+      status: "active"
+    };
+
+    this.storeArtifact({
+      artifact,
+      artifactHash,
+      clientBundleBase64,
+      clientBundleHash,
+      createdAt
+    });
+    this.deploys.set(deployId, deploy);
+    return deploy;
+  }
+
+  async claimDeploy(deployId, token, owner) {
+    const currentDeploy = await this.getDeployById(deployId);
+    if (!currentDeploy) {
+      return { status: "missing" };
+    }
+
+    if (!isDeployTokenValid(currentDeploy, token)) {
+      return { deploy: currentDeploy, status: "invalid" };
+    }
+
+    if (currentDeploy.ownerId && currentDeploy.ownerId !== owner.id) {
+      return { deploy: currentDeploy, status: "conflict" };
+    }
+
+    const deploy = {
+      ...currentDeploy,
+      claimedAt: currentDeploy.claimedAt ?? now(),
+      owner,
+      ownerId: owner.id
+    };
+    this.deploys.set(deployId, deploy);
+    return { deploy, status: currentDeploy.ownerId ? "already_claimed" : "claimed" };
+  }
+
+  async terminateDeploy(deployId) {
+    const currentDeploy = await this.getDeployById(deployId);
+    if (!currentDeploy) {
+      return null;
+    }
+
+    const deploy = {
+      ...currentDeploy,
+      status: "terminated"
+    };
+    this.deploys.set(deployId, deploy);
+    return deploy;
+  }
+
   async getDeployById(id) {
     return this.deploys.get(id) ?? null;
   }
@@ -364,26 +1675,95 @@ export class MemoryAnonymousStore {
     return { tables, truncated };
   }
 
-  async incrementQuota(deployId, bucket, limit) {
-    const windowStart = dayWindowStart();
-    const key = `${deployId}:${bucket}:${windowStart}`;
-    const count = (this.quotaEvents.get(key) ?? 0) + 1;
-    this.quotaEvents.set(key, count);
-    if (count > limit) {
-      throw new Error(`Anonymous ${bucket} quota exceeded. Limit: ${limit} per day.`);
+  async incrementQuota(deployId, bucket, limit) {
+    const windowStart = dayWindowStart();
+    const key = `${deployId}:${bucket}:${windowStart}`;
+    const count = (this.quotaEvents.get(key) ?? 0) + 1;
+    this.quotaEvents.set(key, count);
+    if (count > limit) {
+      throw new Error(`Anonymous ${bucket} quota exceeded. Limit: ${limit} per day.`);
+    }
+    return { bucket, count, limit, windowStart };
+  }
+
+  async readUsage(deployId) {
+    const usage = [];
+    for (const [key, count] of this.quotaEvents) {
+      const [eventDeployId, bucket, ...windowParts] = key.split(":");
+      const windowStart = windowParts.join(":");
+      if (eventDeployId === deployId) {
+        usage.push({ bucket, count, windowStart });
+      }
+    }
+    return usage;
+  }
+
+  stateResourceForDeploy(deployId) {
+    let stateBytes = 0;
+    let stateRows = 0;
+
+    for (const [key, rows] of this.rows) {
+      const [eventDeployId] = key.split(":");
+      if (eventDeployId !== deployId) {
+        continue;
+      }
+
+      for (const row of rows.values()) {
+        stateRows += 1;
+        stateBytes += bytesOfJson(row);
+      }
+    }
+
+    return { stateBytes, stateRows };
+  }
+
+  logResourceForDeploy(deployId) {
+    const entries = this.logs.get(deployId) ?? [];
+    return {
+      logBytes: bytesOfJson(entries),
+      logEntries: entries.length
+    };
+  }
+
+  async listDeployResourceUsage() {
+    const deploys = Array.from(this.deploys.values()).sort((left, right) => String(right.createdAt).localeCompare(String(left.createdAt)));
+    const summaries = [];
+
+    for (const deploy of deploys) {
+      const storedArtifact = await this.getArtifact(deploy.artifactHash);
+      summaries.push(
+        adminDeploySummary({
+          artifact: storedArtifact?.artifact,
+          artifactBytes: storedArtifact?.bytes ?? 0,
+          deploy,
+          ...this.logResourceForDeploy(deploy.id),
+          ...this.stateResourceForDeploy(deploy.id),
+          usage: await this.readUsage(deploy.id)
+        })
+      );
     }
-    return { bucket, count, limit, windowStart };
+
+    return summaries;
   }
 
-  async readUsage(deployId) {
-    const usage = [];
-    for (const [key, count] of this.quotaEvents) {
-      const [eventDeployId, bucket, windowStart] = key.split(":");
-      if (eventDeployId === deployId) {
-        usage.push({ bucket, count, windowStart });
-      }
+  async listDeploysForOwner(ownerId) {
+    const deploys = Array.from(this.deploys.values())
+      .filter((deploy) => deploy.ownerId === ownerId)
+      .sort((left, right) => String(right.createdAt).localeCompare(String(left.createdAt)));
+    const summaries = [];
+
+    for (const deploy of deploys) {
+      const storedArtifact = await this.getArtifact(deploy.artifactHash);
+      summaries.push(
+        developerDeploySummary({
+          artifact: storedArtifact?.artifact,
+          deploy,
+          usage: await this.readUsage(deploy.id)
+        })
+      );
     }
-    return usage;
+
+    return summaries;
   }
 }
 
@@ -408,6 +1788,7 @@ export class PostgresAnonymousStore {
         expires_at timestamptz not null,
         claimed_at timestamptz,
         owner_id text,
+        owner_json jsonb,
         claim_token_hash text not null,
         limits_json jsonb not null,
         counters_json jsonb not null default '{}',
@@ -416,6 +1797,9 @@ export class PostgresAnonymousStore {
         url text not null
       )
     `);
+    await this.query("alter table deploys add column if not exists claimed_at timestamptz");
+    await this.query("alter table deploys add column if not exists owner_id text");
+    await this.query("alter table deploys add column if not exists owner_json jsonb");
     await this.query(`
       create table if not exists artifacts(
         hash text primary key,
@@ -467,13 +1851,7 @@ export class PostgresAnonymousStore {
     return this.pool.query(sql, params);
   }
 
-  async createDeploy({ appBaseDomain, artifact, artifactHash, clientBundleBase64, clientBundleHash, publicRootUrl, requestedTtlSeconds }) {
-    const createdAt = now();
-    const ttlSeconds = parseTtlSeconds(requestedTtlSeconds);
-    const expiresAt = new Date(Date.now() + ttlSeconds * 1000).toISOString();
-    const token = createClaimToken();
-    const deployId = createDeployId();
-
+  async storeArtifact({ artifact, artifactHash, clientBundleBase64, clientBundleHash, createdAt }) {
     await this.query(
       `
       insert into artifacts(hash, artifact_json, client_bundle_base64, client_bundle_hash, bytes, created_at, ref_count)
@@ -482,19 +1860,33 @@ export class PostgresAnonymousStore {
       `,
       [artifactHash, JSON.stringify(artifact), clientBundleBase64, clientBundleHash, Buffer.byteLength(clientBundleBase64, "base64"), createdAt]
     );
+  }
+
+  async createDeploy({ appBaseDomain, artifact, artifactHash, clientBundleBase64, clientBundleHash, publicRootUrl, requestedTtlSeconds }) {
+    const createdAt = now();
+    const normalizedAppBaseDomain = normalizeAppBaseDomain(appBaseDomain);
+    const ttlSeconds = parseTtlSeconds(requestedTtlSeconds);
+    const expiresAt = new Date(Date.now() + ttlSeconds * 1000).toISOString();
+    const token = createClaimToken();
+    const deployId = createDeployId();
+
+    await this.storeArtifact({ artifact, artifactHash, clientBundleBase64, clientBundleHash, createdAt });
 
     for (let attempt = 0; attempt < 8; attempt += 1) {
       const slug = createSlug();
-      const url = appUrlForSlug({ appBaseDomain, publicRootUrl, slug });
+      const url = appUrlForSlug({ appBaseDomain: normalizedAppBaseDomain, publicRootUrl, slug });
       const deploy = {
-        appBaseDomain,
+        appBaseDomain: normalizedAppBaseDomain,
         artifactHash,
+        claimedAt: null,
         claimTokenHash: hashClaimToken(token),
         clientBundleHash,
         createdAt,
         expiresAt,
         id: deployId,
         limits: { ...DEFAULT_ANONYMOUS_LIMITS },
+        owner: null,
+        ownerId: null,
         publicRootUrl,
         slug,
         status: "active",
@@ -536,6 +1928,89 @@ export class PostgresAnonymousStore {
     throw new Error("Unable to allocate anonymous deploy slug.");
   }
 
+  async updateDeploy({
+    appBaseDomain,
+    artifact,
+    artifactHash,
+    clientBundleBase64,
+    clientBundleHash,
+    deployId,
+    publicRootUrl,
+    requestedTtlSeconds
+  }) {
+    const currentDeploy = await this.getDeployById(deployId);
+    if (!currentDeploy) {
+      return null;
+    }
+
+    const createdAt = now();
+    const ttlSeconds = parseTtlSeconds(requestedTtlSeconds);
+    const expiresAt = new Date(Date.now() + ttlSeconds * 1000).toISOString();
+    const nextAppBaseDomain = normalizeAppBaseDomain(appBaseDomain ?? currentDeploy.appBaseDomain);
+    const nextPublicRootUrl = publicRootUrl ?? currentDeploy.publicRootUrl;
+    const url = appUrlForSlug({ appBaseDomain: nextAppBaseDomain, publicRootUrl: nextPublicRootUrl, slug: currentDeploy.slug });
+    await this.storeArtifact({ artifact, artifactHash, clientBundleBase64, clientBundleHash, createdAt });
+
+    const result = await this.query(
+      `
+      update deploys
+      set status = 'active',
+        artifact_hash = $2,
+        client_bundle_hash = $3,
+        expires_at = $4,
+        public_root_url = $5,
+        app_base_domain = $6,
+        url = $7
+      where id = $1
+      returning *
+      `,
+      [deployId, artifactHash, clientBundleHash, expiresAt, nextPublicRootUrl, nextAppBaseDomain || null, url]
+    );
+    return this.rowToDeploy(result.rows[0]);
+  }
+
+  async claimDeploy(deployId, token, owner) {
+    const currentDeploy = await this.getDeployById(deployId);
+    if (!currentDeploy) {
+      return { status: "missing" };
+    }
+
+    if (!isDeployTokenValid(currentDeploy, token)) {
+      return { deploy: currentDeploy, status: "invalid" };
+    }
+
+    if (currentDeploy.ownerId && currentDeploy.ownerId !== owner.id) {
+      return { deploy: currentDeploy, status: "conflict" };
+    }
+
+    const claimedAt = currentDeploy.claimedAt ?? now();
+    const result = await this.query(
+      `
+      update deploys
+      set claimed_at = coalesce(claimed_at, $3),
+        owner_id = $2,
+        owner_json = $4::jsonb
+      where id = $1
+      returning *
+      `,
+      [deployId, owner.id, claimedAt, JSON.stringify(owner)]
+    );
+    return { deploy: this.rowToDeploy(result.rows[0]), status: currentDeploy.ownerId ? "already_claimed" : "claimed" };
+  }
+
+  async terminateDeploy(deployId) {
+    const result = await this.query(
+      `
+      update deploys
+      set status = 'terminated'
+      where id = $1
+      returning *
+      `,
+      [deployId]
+    );
+    return this.rowToDeploy(result.rows[0]);
+  }
+
   rowToDeploy(row) {
     if (!row) {
       return null;
@@ -544,12 +2019,15 @@ export class PostgresAnonymousStore {
     return {
       appBaseDomain: row.app_base_domain,
       artifactHash: row.artifact_hash,
+      claimedAt: row.claimed_at ? new Date(row.claimed_at).toISOString() : null,
       claimTokenHash: row.claim_token_hash,
       clientBundleHash: row.client_bundle_hash,
       createdAt: new Date(row.created_at).toISOString(),
       expiresAt: new Date(row.expires_at).toISOString(),
       id: row.id,
       limits: row.limits_json,
+      owner: row.owner_json ?? null,
+      ownerId: row.owner_id ?? null,
       publicRootUrl: row.public_root_url,
       slug: row.slug,
       status: row.status,
@@ -726,6 +2204,99 @@ export class PostgresAnonymousStore {
       windowStart: new Date(row.window_start).toISOString()
     }));
   }
+
+  async listDeployResourceUsage() {
+    const windowStart = dayWindowStart();
+    const result = await this.query(
+      `
+      select
+        d.*,
+        a.artifact_json,
+        coalesce(a.bytes, 0)::int as artifact_bytes,
+        coalesce(sr.state_rows, 0)::int as state_rows,
+        coalesce(sr.state_bytes, 0)::int as state_bytes,
+        coalesce(l.log_entries, 0)::int as log_entries,
+        coalesce(l.log_bytes, 0)::int as log_bytes,
+        coalesce(q.requests_today, 0)::int as requests_today,
+        coalesce(q.mutations_today, 0)::int as mutations_today
+      from deploys d
+      left join artifacts a on a.hash = d.artifact_hash
+      left join (
+        select deploy_id, count(*)::int as state_rows, coalesce(sum(octet_length(data_json::text)), 0)::int as state_bytes
+        from state_rows
+        group by deploy_id
+      ) sr on sr.deploy_id = d.id
+      left join (
+        select deploy_id, count(*)::int as log_entries, coalesce(sum(octet_length(message) + octet_length(coalesce(data_json::text, ''))), 0)::int as log_bytes
+        from logs
+        group by deploy_id
+      ) l on l.deploy_id = d.id
+      left join (
+        select
+          deploy_id,
+          coalesce(sum(count) filter (where bucket = 'requests' and window_start = $1), 0)::int as requests_today,
+          coalesce(sum(count) filter (where bucket = 'mutations' and window_start = $1), 0)::int as mutations_today
+        from quota_events
+        group by deploy_id
+      ) q on q.deploy_id = d.id
+      order by d.created_at desc
+      `,
+      [windowStart]
+    );
+
+    return result.rows.map((row) =>
+      adminDeploySummary({
+        artifact: row.artifact_json,
+        artifactBytes: row.artifact_bytes,
+        deploy: this.rowToDeploy(row),
+        logBytes: row.log_bytes,
+        logEntries: row.log_entries,
+        stateBytes: row.state_bytes,
+        stateRows: row.state_rows,
+        usage: [
+          { bucket: "requests", count: row.requests_today, windowStart },
+          { bucket: "mutations", count: row.mutations_today, windowStart }
+        ]
+      })
+    );
+  }
+
+  async listDeploysForOwner(ownerId) {
+    const windowStart = dayWindowStart();
+    const result = await this.query(
+      `
+      select
+        d.*,
+        a.artifact_json,
+        coalesce(q.requests_today, 0)::int as requests_today,
+        coalesce(q.mutations_today, 0)::int as mutations_today
+      from deploys d
+      left join artifacts a on a.hash = d.artifact_hash
+      left join (
+        select
+          deploy_id,
+          coalesce(sum(count) filter (where bucket = 'requests' and window_start = $2), 0)::int as requests_today,
+          coalesce(sum(count) filter (where bucket = 'mutations' and window_start = $2), 0)::int as mutations_today
+        from quota_events
+        group by deploy_id
+      ) q on q.deploy_id = d.id
+      where d.owner_id = $1
+      order by d.created_at desc
+      `,
+      [ownerId, windowStart]
+    );
+
+    return result.rows.map((row) =>
+      developerDeploySummary({
+        artifact: row.artifact_json,
+        deploy: this.rowToDeploy(row),
+        usage: [
+          { bucket: "requests", count: row.requests_today, windowStart },
+          { bucket: "mutations", count: row.mutations_today, windowStart }
+        ]
+      })
+    );
+  }
 }
 
 export async function createAnonymousStoreFromEnv(env = process.env) {
@@ -823,17 +2394,104 @@ async function serveInspect({ artifact, deploy, route, store, systemPath }, res)
 }
 
 export async function startAnonymousServer({
+  adminPassword = adminPasswordFromEnv(),
   appBaseDomain = process.env.LAKEBED_APP_BASE_DOMAIN ?? "",
+  developerSessionSecret = process.env.LAKEBED_SESSION_SECRET ?? "",
+  githubOAuth = githubOAuthFromEnv(),
   port = Number(process.env.PORT ?? 8787),
   publicRootUrl,
   quiet = false,
+  shooBaseUrl = shooBaseUrlFromEnv(),
   store
 } = {}) {
+  const resolvedAppBaseDomain = normalizeAppBaseDomain(appBaseDomain);
   const resolvedPublicRootUrl = normalizePublicRootUrl(publicRootUrl ?? process.env.PUBLIC_ROOT_URL, port);
+  const resolvedGithubOAuth = normalizeGithubOAuth(githubOAuth);
+  const resolvedDeveloperSessionSecret =
+    developerSessionSecret || resolvedGithubOAuth?.sessionSecret || resolvedGithubOAuth?.clientSecret || adminPassword || "";
   const resolvedStore = store ?? (await createAnonymousStoreFromEnv());
   await resolvedStore.initialize();
   const subscriptions = new Map();
 
+  function activeConnectionCounts() {
+    const counts = new Map();
+    for (const subscription of subscriptions.values()) {
+      counts.set(subscription.deploy.id, (counts.get(subscription.deploy.id) ?? 0) + 1);
+    }
+    return counts;
+  }
+
+  async function adminSummary() {
+    const connections = activeConnectionCounts();
+    const deploys = (await resolvedStore.listDeployResourceUsage()).map((deploy) => ({
+      ...deploy,
+      connections: connections.get(deploy.id) ?? 0
+    }));
+    const totals = deploys.reduce(
+      (acc, deploy) => ({
+        artifactBytes: acc.artifactBytes + deploy.artifactBytes,
+        connections: acc.connections + deploy.connections,
+        logBytes: acc.logBytes + deploy.logBytes,
+        logEntries: acc.logEntries + deploy.logEntries,
+        mutationsToday: acc.mutationsToday + deploy.mutationsToday,
+        requestsToday: acc.requestsToday + deploy.requestsToday,
+        stateBytes: acc.stateBytes + deploy.stateBytes,
+        stateRows: acc.stateRows + deploy.stateRows
+      }),
+      {
+        artifactBytes: 0,
+        connections: 0,
+        logBytes: 0,
+        logEntries: 0,
+        mutationsToday: 0,
+        requestsToday: 0,
+        stateBytes: 0,
+        stateRows: 0
+      }
+    );
+
+    return {
+      deployCount: deploys.length,
+      deploys,
+      generatedAt: now(),
+      totals
+    };
+  }
+
+  function currentDeveloper(req) {
+    return developerFromRequest(req, resolvedDeveloperSessionSecret);
+  }
+
+  async function developerDeploys(user) {
+    return resolvedStore.listDeploysForOwner(user.id);
+  }
+
+  async function refreshDeploySubscriptions(deploy) {
+    const storedArtifact = await resolvedStore.getArtifact(deploy.artifactHash);
+    if (!storedArtifact) {
+      return;
+    }
+
+    for (const subscription of subscriptions.values()) {
+      if (subscription.deploy.id === deploy.id) {
+        subscription.artifact = storedArtifact.artifact;
+        subscription.deploy = deploy;
+      }
+    }
+  }
+
+  function closeDeployConnections(deployId) {
+    for (const [ws, subscription] of subscriptions) {
+      if (subscription.deploy.id !== deployId) {
+        continue;
+      }
+
+      websocketSend(ws, { error: "Anonymous deploy terminated.", ok: false, op: "error" });
+      subscriptions.delete(ws);
+      ws.close(1008, "Deploy terminated");
+    }
+  }
+
   async function publishDeploy(deployId) {
     for (const [ws, subscription] of subscriptions) {
       if (subscription.deploy.id !== deployId) {
@@ -867,11 +2525,249 @@ export async function startAnonymousServer({
         return;
       }
 
+      if (req.method === "GET" && (requestUrl.pathname === "/deploys" || requestUrl.pathname === "/dashboard")) {
+        const authConfigured = developerAuthConfigured(resolvedGithubOAuth, resolvedDeveloperSessionSecret);
+        const user = authConfigured ? currentDeveloper(req) : null;
+        sendText(
+          res,
+          200,
+          developerHtml({
+            authConfigured,
+            deploys: user ? await developerDeploys(user) : [],
+            user
+          }),
+          { "Content-Type": "text/html; charset=utf-8" }
+        );
+        return;
+      }
+
+      if (req.method === "GET" && requestUrl.pathname === "/v1/me") {
+        const user = currentDeveloper(req);
+        if (!developerAuthConfigured(resolvedGithubOAuth, resolvedDeveloperSessionSecret) || !user) {
+          sendJson(res, 401, { error: "Developer authentication required." });
+          return;
+        }
+
+        sendJson(res, 200, { user });
+        return;
+      }
+
+      if (req.method === "GET" && requestUrl.pathname === "/v1/me/deploys") {
+        const user = currentDeveloper(req);
+        if (!developerAuthConfigured(resolvedGithubOAuth, resolvedDeveloperSessionSecret) || !user) {
+          sendJson(res, 401, { error: "Developer authentication required." });
+          return;
+        }
+
+        sendJson(res, 200, { deploys: await developerDeploys(user), user });
+        return;
+      }
+
+      if (req.method === "GET" && requestUrl.pathname === "/auth/github") {
+        if (!developerAuthConfigured(resolvedGithubOAuth, resolvedDeveloperSessionSecret)) {
+          sendText(res, 503, "GitHub sign-in is not configured.\n", { "Content-Type": "text/plain; charset=utf-8" });
+          return;
+        }
+
+        const returnTo = normalizeReturnTo(requestUrl.searchParams.get("return_to") ?? requestUrl.searchParams.get("returnTo"));
+        const state = randomBytes(16).toString("base64url");
+        const stateCookie = signedJson(
+          {
+            createdAt: now(),
+            nonce: state,
+            returnTo
+          },
+          resolvedDeveloperSessionSecret
+        );
+        const authorizeUrl = new URL(resolvedGithubOAuth.authorizeUrl);
+        authorizeUrl.searchParams.set("client_id", resolvedGithubOAuth.clientId);
+        authorizeUrl.searchParams.set("redirect_uri", githubRedirectUri(resolvedGithubOAuth, resolvedPublicRootUrl));
+        authorizeUrl.searchParams.set("scope", "read:user");
+        authorizeUrl.searchParams.set("state", state);
+        redirect(res, authorizeUrl.href, {
+          "Set-Cookie": oauthStateCookie(stateCookie, isSecureRequest(req))
+        });
+        return;
+      }
+
+      if (req.method === "GET" && requestUrl.pathname === "/auth/github/callback") {
+        if (!developerAuthConfigured(resolvedGithubOAuth, resolvedDeveloperSessionSecret)) {
+          sendText(res, 503, "GitHub sign-in is not configured.\n", { "Content-Type": "text/plain; charset=utf-8" });
+          return;
+        }
+
+        const secure = isSecureRequest(req);
+        const state = requestUrl.searchParams.get("state") ?? "";
+        const stateCookie = parseCookies(req)[oauthStateCookieName] ?? "";
+        const statePayload = verifySignedJson(stateCookie, resolvedDeveloperSessionSecret);
+        if (!state || !statePayload?.nonce || !safeEqual(String(statePayload.nonce), state) || !statePayload.createdAt) {
+          sendText(res, 400, "Invalid GitHub sign-in state.\n", {
+            "Content-Type": "text/plain; charset=utf-8",
+            "Set-Cookie": clearOauthStateCookie(secure)
+          });
+          return;
+        }
+
+        if (Date.parse(statePayload.createdAt) + 10 * 60 * 1000 <= Date.now()) {
+          sendText(res, 400, "Expired GitHub sign-in state.\n", {
+            "Content-Type": "text/plain; charset=utf-8",
+            "Set-Cookie": clearOauthStateCookie(secure)
+          });
+          return;
+        }
+
+        if (requestUrl.searchParams.get("error")) {
+          sendText(res, 401, `${requestUrl.searchParams.get("error_description") ?? "GitHub sign-in failed."}\n`, {
+            "Content-Type": "text/plain; charset=utf-8",
+            "Set-Cookie": clearOauthStateCookie(secure)
+          });
+          return;
+        }
+
+        const code = requestUrl.searchParams.get("code");
+        if (!code) {
+          sendText(res, 400, "Missing GitHub OAuth code.\n", {
+            "Content-Type": "text/plain; charset=utf-8",
+            "Set-Cookie": clearOauthStateCookie(secure)
+          });
+          return;
+        }
+
+        const user = await githubUserFromCode({
+          code,
+          githubOAuth: resolvedGithubOAuth,
+          redirectUri: githubRedirectUri(resolvedGithubOAuth, resolvedPublicRootUrl)
+        });
+        redirect(res, normalizeReturnTo(statePayload.returnTo), {
+          "Set-Cookie": [developerCookie(user, resolvedDeveloperSessionSecret, secure), clearOauthStateCookie(secure)]
+        });
+        return;
+      }
+
+      if (req.method === "GET" && requestUrl.pathname === "/auth/logout") {
+        redirect(res, "/deploys", {
+          "Set-Cookie": clearDeveloperCookie(isSecureRequest(req))
+        });
+        return;
+      }
+
+      const claimMatch = req.method === "GET" ? requestUrl.pathname.match(/^\/claim\/([^/]+)\/([^/]+)$/) : null;
+      if (claimMatch) {
+        if (!developerAuthConfigured(resolvedGithubOAuth, resolvedDeveloperSessionSecret)) {
+          sendText(res, 503, "GitHub sign-in is not configured.\n", { "Content-Type": "text/plain; charset=utf-8" });
+          return;
+        }
+
+        const user = currentDeveloper(req);
+        if (!user) {
+          redirect(res, `/auth/github?return_to=${encodeURIComponent(requestUrl.pathname)}`);
+          return;
+        }
+
+        const deployId = decodeURIComponent(claimMatch[1]);
+        const claimToken = decodeURIComponent(claimMatch[2]);
+        const claim = await resolvedStore.claimDeploy(deployId, claimToken, user);
+        if (claim.status === "missing") {
+          sendJson(res, 404, { error: "Unknown deploy." });
+          return;
+        }
+        if (claim.status === "invalid") {
+          sendJson(res, 401, { error: "Invalid claim token." });
+          return;
+        }
+        if (claim.status === "conflict") {
+          sendJson(res, 409, { error: "Deploy is already claimed by another developer." });
+          return;
+        }
+
+        await resolvedStore.appendLog(claim.deploy.id, "info", "anonymous deploy claimed", {
+          ownerId: user.id,
+          ownerLogin: user.login
+        });
+        redirect(res, `/deploys?claimed=${encodeURIComponent(claim.deploy.id)}`);
+        return;
+      }
+
+      if (req.method === "GET" && (requestUrl.pathname === "/admin" || requestUrl.pathname === "/admin/")) {
+        sendText(res, 200, adminHtml(), { "Content-Type": "text/html; charset=utf-8" });
+        return;
+      }
+
+      if (requestUrl.pathname === "/admin/api/login" && req.method === "POST") {
+        if (!isAdminConfigured(adminPassword)) {
+          sendJson(res, 503, { error: "Lakebed admin is not configured. Set LAKEBED_ADMIN_PASSWORD." });
+          return;
+        }
+
+        const body = await readJsonBody(req, 4096);
+        if (!isAdminPasswordValid(body.password, adminPassword)) {
+          sendJson(res, 401, { error: "Invalid admin password." });
+          return;
+        }
+
+        sendJson(res, 200, { ok: true }, { "Set-Cookie": adminCookie(adminSessionToken(adminPassword), adminCookieMaxAgeSeconds, isSecureRequest(req)) });
+        return;
+      }
+
+      if (requestUrl.pathname === "/admin/api/logout" && req.method === "POST") {
+        sendJson(res, 200, { ok: true }, { "Set-Cookie": adminCookie("", 0, isSecureRequest(req)) });
+        return;
+      }
+
+      if (requestUrl.pathname === "/admin/api/summary" && req.method === "GET") {
+        if (!isAdminConfigured(adminPassword)) {
+          sendJson(res, 503, { error: "Lakebed admin is not configured. Set LAKEBED_ADMIN_PASSWORD." });
+          return;
+        }
+
+        if (!isAdminAuthenticated(req, adminPassword)) {
+          sendJson(res, 401, { error: "Admin authentication required." });
+          return;
+        }
+
+        sendJson(res, 200, await adminSummary());
+        return;
+      }
+
+      const terminateMatch =
+        req.method === "POST"
+          ? requestUrl.pathname.match(/^\/admin\/api\/deploys\/([^/]+)\/terminate$/)
+          : null;
+      if (terminateMatch) {
+        if (!isAdminConfigured(adminPassword)) {
+          sendJson(res, 503, { error: "Lakebed admin is not configured. Set LAKEBED_ADMIN_PASSWORD." });
+          return;
+        }
+
+        if (!isAdminAuthenticated(req, adminPassword)) {
+          sendJson(res, 401, { error: "Admin authentication required." });
+          return;
+        }
+
+        const deployId = decodeURIComponent(terminateMatch[1]);
+        const deploy = await resolvedStore.terminateDeploy(deployId);
+        if (!deploy) {
+          sendJson(res, 404, { error: "Unknown deploy." });
+          return;
+        }
+
+        await resolvedStore.appendLog(deploy.id, "warn", "anonymous deploy terminated", { source: "admin" });
+        await refreshDeploySubscriptions(deploy);
+        closeDeployConnections(deploy.id);
+        sendJson(res, 200, {
+          deploy: adminDeploySummary({
+            deploy,
+            usage: await resolvedStore.readUsage(deploy.id)
+          })
+        });
+        return;
+      }
+
       if (req.method === "POST" && requestUrl.pathname === "/v1/anonymous-deploys") {
         const body = await readJsonBody(req);
         const payload = validateAnonymousDeployPayload(body);
         const { deploy, token } = await resolvedStore.createDeploy({
-          appBaseDomain,
+          appBaseDomain: resolvedAppBaseDomain,
           artifact: payload.artifact,
           artifactHash: payload.artifactHash,
           clientBundleBase64: payload.clientBundleBase64,
@@ -884,6 +2780,43 @@ export async function startAnonymousServer({
         return;
       }
 
+      if ((req.method === "PUT" || req.method === "PATCH") && requestUrl.pathname.startsWith("/v1/deploys/")) {
+        const deployId = requestUrl.pathname.slice("/v1/deploys/".length);
+        const currentDeploy = await resolvedStore.getDeployById(deployId);
+        if (!currentDeploy) {
+          sendJson(res, 404, { error: "Unknown deploy." });
+          return;
+        }
+
+        if (!isDeployTokenValid(currentDeploy, bearerToken(req))) {
+          sendJson(res, 401, { error: "Invalid deploy token." });
+          return;
+        }
+
+        const body = await readJsonBody(req);
+        const payload = validateAnonymousDeployPayload(body);
+        const deploy = await resolvedStore.updateDeploy({
+          appBaseDomain: resolvedAppBaseDomain,
+          artifact: payload.artifact,
+          artifactHash: payload.artifactHash,
+          clientBundleBase64: payload.clientBundleBase64,
+          clientBundleHash: payload.clientBundleHash,
+          deployId,
+          publicRootUrl: resolvedPublicRootUrl,
+          requestedTtlSeconds: body.requestedTtlSeconds ?? requestUrl.searchParams.get("ttl") ?? undefined
+        });
+        if (!deploy) {
+          sendJson(res, 404, { error: "Unknown deploy." });
+          return;
+        }
+
+        await resolvedStore.appendLog(deploy.id, "info", "anonymous deploy updated", { artifactHash: deploy.artifactHash });
+        await refreshDeploySubscriptions(deploy);
+        await publishDeploy(deploy.id);
+        sendJson(res, 200, responseForDeploy({ deploy }));
+        return;
+      }
+
       if (req.method === "GET" && requestUrl.pathname.startsWith("/v1/deploys/")) {
         const id = requestUrl.pathname.slice("/v1/deploys/".length);
         const deploy = (await resolvedStore.getDeployById(id)) ?? (await resolvedStore.getDeployBySlug(id));
@@ -895,7 +2828,7 @@ export async function startAnonymousServer({
         return;
       }
 
-      const loaded = await loadDeployByRoute({ appBaseDomain, host, store: resolvedStore, url: requestUrl });
+      const loaded = await loadDeployByRoute({ appBaseDomain: resolvedAppBaseDomain, host, store: resolvedStore, url: requestUrl });
       if (!loaded) {
         sendText(res, 200, "Lakebed anonymous deploy runner\n", { "Content-Type": "text/plain; charset=utf-8" });
         return;
@@ -913,8 +2846,8 @@ export async function startAnonymousServer({
       );
 
       const appPath = routeSystemPath(loaded.route.appPath);
-      if (req.method === "GET" && (appPath === "/" || appPath === "/index.html")) {
-        sendText(res, 200, html(loaded.artifact.name ?? "Lakebed Capsule", loaded.basePath), {
+      if (req.method === "GET" && (appPath === "/" || appPath === "/index.html" || appPath === "/auth/callback")) {
+        sendText(res, 200, html(loaded.artifact.name ?? "Lakebed Capsule", loaded.basePath, { shooBaseUrl }), {
           "Content-Type": "text/html; charset=utf-8"
         });
         return;
@@ -1030,14 +2963,23 @@ export async function startAnonymousServer({
   server.on("upgrade", async (req, socket, head) => {
     const host = req.headers.host ?? "localhost";
     const requestUrl = new URL(req.url ?? "/", `http://${host}`);
-    const loaded = await loadDeployByRoute({ appBaseDomain, host, store: resolvedStore, url: requestUrl });
+    const loaded = await loadDeployByRoute({ appBaseDomain: resolvedAppBaseDomain, host, store: resolvedStore, url: requestUrl });
 
     if (!loaded || loaded.error || routeSystemPath(loaded.route.appPath) !== "/__lakebed/ws") {
       socket.destroy();
       return;
     }
 
-    const auth = authFromUrl(requestUrl);
+    const auth = await resolveAuthFromUrl({
+      defaultAuth: createGuestAuth("local"),
+      onError: (error) =>
+        resolvedStore.appendLog(loaded.deploy.id, "warn", "google auth verification failed", {
+          error: error instanceof Error ? error.message : String(error)
+        }),
+      origin: requestOrigin(req, loaded.deploy.url),
+      shooBaseUrl,
+      url: requestUrl
+    });
     wss.handleUpgrade(req, socket, head, (ws) => {
       wss.emit("connection", ws, req, loaded, auth);
     });
@@ -1056,6 +2998,7 @@ export async function startAnonymousServer({
   }
 
   return {
+    appBaseDomain: resolvedAppBaseDomain,
     port,
     publicRootUrl: resolvedPublicRootUrl,
     store: resolvedStore,