lakebed 0.0.20 → 0.0.22

package/README.md

@@ -142,7 +142,7 @@ npx lakebed build [capsule-dir] --target anonymous [--out .lakebed/artifacts/app
 npx lakebed deploy [capsule-dir] [--api <url>] [--public-inspect] [--json]
 npx lakebed claim [capsule-dir] [--api <url>] [--json]
 npx lakebed domains add <subdomain.lakebed.app> [--api <url>] [--json]
-npx lakebed anonymous-server [--port 8787] [--public-root-url <url>] [--app-base-domain <domain>]
+npx lakebed anonymous-server [--port 8787] [--public-root-url <url>] [--dashboard-root-url <url>] [--app-base-domain <domain>] [--role all|api-dashboard|runner]
 npx lakebed inspect <deploy-id-or-url> [--api <url>] [--inspect-token <token>] [--json]
 npx lakebed db list [deploy-id-or-url] [--port 3000] [--inspect-token <token>]
 npx lakebed db dump [deploy-id-or-url] [--port 3000] [--inspect-token <token>]
@@ -179,10 +179,19 @@ npx lakebed deploy --api http://localhost:8787
 In production, set `PUBLIC_ROOT_URL` to the deploy API origin and `LAKEBED_APP_BASE_DOMAIN` to the app domain without the wildcard prefix:
 
 ```sh
-PUBLIC_ROOT_URL=https://api.lakebed.app
+PUBLIC_ROOT_URL=https://api.lakebed.dev
+LAKEBED_DASHBOARD_ROOT_URL=https://dashboard.lakebed.dev
 LAKEBED_APP_BASE_DOMAIN=lakebed.app
 ```
 
+The staged Railway split uses dedicated service entrypoints:
+
+```sh
+node packages/lakebed/src/services/all-in-one.js
+node packages/lakebed/src/services/api-dashboard.js
+node packages/lakebed/src/services/capsule-runner.js
+```
+
 With a verified `*.lakebed.app` custom domain on the runner, deploy responses use `https://<slug>.lakebed.app`.
 
 Anonymous deploy creation is relaxed for local `localhost` runners. When `PUBLIC_ROOT_URL` points at a non-local origin, the runner defaults to 50 anonymous deploy creates per forwarded client per UTC day and 5,000 globally. Override those with:
@@ -205,7 +214,7 @@ LAKEBED_ANONYMOUS_CLEANUP_RETENTION=7d
 LAKEBED_ANONYMOUS_CLEANUP_INTERVAL=1h
 ```
 
-Deploy responses include claim metadata. Configure GitHub OAuth on the runner, then run `npx lakebed claim` to open the claim page and attach the anonymous deploy to a developer account:
+Deploy responses include claim metadata. Configure GitHub OAuth on the API and dashboard service, then run `npx lakebed claim` to open the claim page and attach the anonymous deploy to a developer account:
 
 ```sh
 LAKEBED_GITHUB_CLIENT_ID=...
@@ -214,7 +223,7 @@ LAKEBED_SESSION_SECRET=...
 LAKEBED_SERVER_ENV_SECRET=...
 ```
 
-Claimed deploys are listed at `/deploys` on the deploy API origin. They keep the same resource limits as anonymous deploys and do not expire. Anonymous deploys cannot use outbound `fetch` or hosted server env; after a deploy is claimed, `npx lakebed deploy` can update it with a source-backed server artifact that supports async handlers, server-side fetch, and `.env.lakebed.server` sync. If the first deploy already needs server-side `fetch` or server env, `npx lakebed deploy` creates a claim-required preview, saves its claim metadata, and prints the `npx lakebed claim` command. Run that command, then run `npx lakebed deploy` again to publish the real source-backed app. Set `LAKEBED_SERVER_ENV_SECRET` on Postgres-backed runners to encrypt stored server env values.
+Claimed deploys are listed at `/deploys` on the dashboard origin. They keep the same resource limits as anonymous deploys and do not expire. Anonymous deploys cannot use outbound `fetch` or hosted server env; after a deploy is claimed, `npx lakebed deploy` can update it with a source-backed server artifact that supports async handlers, server-side fetch, and `.env.lakebed.server` sync. If the first deploy already needs server-side `fetch` or server env, `npx lakebed deploy` creates a claim-required preview, saves its claim metadata, and prints the `npx lakebed claim` command. Run that command, then run `npx lakebed deploy` again to publish the real source-backed app. Set `LAKEBED_SERVER_ENV_SECRET` on Postgres-backed runners to encrypt stored server env values.
 
 Hosted inspection is private by default. `npx lakebed inspect`, `npx lakebed db list`, `npx lakebed db dump`, and `npx lakebed logs` send the saved claim token automatically when run from the capsule directory.
 
@@ -228,4 +237,4 @@ Reserved product names such as `api`, `admin`, `docs`, and `www` are rejected.
 
 ## Admin Dashboard
 
-Set `LAKEBED_ADMIN_PASSWORD` on the anonymous deploy runner, then open `/admin` on the runner origin. The password is exchanged for an HttpOnly cookie so the dashboard stays unlocked until the cookie expires or the password changes. The resource table can terminate active deploys while preserving their resource history, and the users table can set per-user request and mutation limit overrides for claimed deploys.
+Set `LAKEBED_ADMIN_PASSWORD` on the API and dashboard service, then open `/admin` on the dashboard origin. The password is exchanged for an HttpOnly cookie so the dashboard stays unlocked until the cookie expires or the password changes. The resource table can terminate active deploys while preserving their resource history, and the users table can set per-user request and mutation limit overrides for claimed deploys.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lakebed",
-  "version": "0.0.20",
+  "version": "0.0.22",
   "description": "Agent-native CLI and runtime for building and deploying Lakebed capsules.",
   "license": "UNLICENSED",
   "type": "module",
@@ -29,6 +29,9 @@
     "src/runtime.js",
     "src/server.d.ts",
     "src/server.js",
+    "src/services/all-in-one.js",
+    "src/services/api-dashboard.js",
+    "src/services/capsule-runner.js",
     "src/source-runtime-loader.mjs",
     "src/source-runtime-worker.js",
     "src/source-runtime.js",
@@ -53,7 +56,7 @@
     "access": "public"
   },
   "scripts": {
-    "check": "node --check src/cli.js && node --check src/runtime.js && node --check src/server.js && node --check src/client.js && node --check src/source-store.js && node --check src/source-runtime.js && node --check src/source-runtime-worker.js && node --check src/source-runtime-loader.mjs && node --check src/anonymous.js && node --check src/anonymous-server.js && node --check src/auth.js && node --check src/version.js"
+    "check": "node --check src/cli.js && node --check src/runtime.js && node --check src/server.js && node --check src/client.js && node --check src/source-store.js && node --check src/source-runtime.js && node --check src/source-runtime-worker.js && node --check src/source-runtime-loader.mjs && node --check src/anonymous.js && node --check src/anonymous-server.js && node --check src/auth.js && node --check src/version.js && node --check src/services/all-in-one.js && node --check src/services/api-dashboard.js && node --check src/services/capsule-runner.js"
   },
   "dependencies": {
     "esbuild": "^0.27.1",

package/src/anonymous-server.js

@@ -405,16 +405,89 @@ function normalizeLakebedSubdomainInput(value, appBaseDomain) {
   };
 }
 
-function appUrlForSlug({ appBaseDomain, publicRootUrl, slug }) {
-  if (appBaseDomain) {
-    return `https://${slug}.${appBaseDomain}`;
+function normalizeServerRole(value) {
+  const role = String(value ?? "all").trim().toLowerCase();
+  if (role === "all" || role === "api-dashboard" || role === "runner") {
+    return role;
   }
 
-  return `${publicRootUrl}/d/${slug}`;
+  throw new Error(`Unsupported LAKEBED_SERVER_ROLE: ${role}. Expected all, api-dashboard, or runner.`);
 }
 
-function claimUrlForDeploy({ deployId, publicRootUrl, token }) {
-  return `${publicRootUrl}/claim/${deployId}/${token}`;
+function roleServesApiDashboard(role) {
+  return role === "all" || role === "api-dashboard";
+}
+
+function roleServesRunner(role) {
+  return role === "all" || role === "runner";
+}
+
+function isApiDashboardRoute(pathname) {
+  return (
+    pathname === "/deploys" ||
+    pathname === "/dashboard" ||
+    pathname === "/auth" ||
+    (pathname.startsWith("/auth/") && pathname !== "/auth/callback") ||
+    pathname === "/admin" ||
+    pathname.startsWith("/admin/") ||
+    pathname === "/v1" ||
+    pathname.startsWith("/v1/") ||
+    pathname.startsWith("/claim/")
+  );
+}
+
+function isDashboardBrowserRoute(pathname) {
+  return (
+    pathname === "/" ||
+    pathname === "/deploys" ||
+    pathname === "/dashboard" ||
+    pathname === "/auth" ||
+    pathname.startsWith("/auth/") ||
+    pathname === "/admin" ||
+    pathname.startsWith("/admin/") ||
+    pathname.startsWith("/claim/")
+  );
+}
+
+function normalizedUrlHost(value) {
+  try {
+    return new URL(value).host.toLowerCase();
+  } catch {
+    return "";
+  }
+}
+
+function dashboardRedirectLocation({ dashboardRootUrl, requestUrl }) {
+  const pathname = requestUrl.pathname === "/" ? "/deploys" : requestUrl.pathname;
+  const target = new URL(pathname, dashboardRootUrl);
+  target.search = requestUrl.search;
+  return target.href;
+}
+
+function shouldRedirectToDashboardHost({ dashboardRootUrl, host, publicRootUrl, requestUrl }) {
+  if (!isDashboardBrowserRoute(requestUrl.pathname)) {
+    return false;
+  }
+
+  const publicHost = normalizedUrlHost(publicRootUrl);
+  const dashboardHost = normalizedUrlHost(dashboardRootUrl);
+  if (!publicHost || !dashboardHost || publicHost === dashboardHost) {
+    return false;
+  }
+
+  return String(host).toLowerCase() === publicHost;
+}
+
+function appUrlForSlug({ appBaseDomain, slug }) {
+  if (!appBaseDomain) {
+    throw new Error("LAKEBED_APP_BASE_DOMAIN is required to create hosted deploy URLs.");
+  }
+
+  return `https://${slug}.${appBaseDomain}`;
+}
+
+function claimUrlForDeploy({ dashboardRootUrl, deployId, token }) {
+  return `${dashboardRootUrl}/claim/${deployId}/${token}`;
 }
 
 function inspectUrls(url) {
@@ -426,11 +499,11 @@ function inspectUrls(url) {
   };
 }
 
-function responseForDeploy({ deploy, token }) {
+function responseForDeploy({ dashboardRootUrl, deploy, token }) {
   return {
     claimed: Boolean(deploy.ownerId),
     claimedAt: deploy.claimedAt ?? undefined,
-    claimUrl: token ? claimUrlForDeploy({ deployId: deploy.id, publicRootUrl: deploy.publicRootUrl, token }) : undefined,
+    claimUrl: token ? claimUrlForDeploy({ dashboardRootUrl: dashboardRootUrl ?? deploy.publicRootUrl, deployId: deploy.id, token }) : undefined,
     deployId: deploy.id,
     expiresAt: deploy.expiresAt,
     inspect: inspectUrls(deploy.url),
@@ -494,21 +567,6 @@ function isClientShellRequest(req, pathname) {
   return req.method === "GET" && wantsHtml(req) && !isReservedClientShellPath(pathname);
 }
 
-function parsePathDeploy(url) {
-  const parts = url.pathname.split("/").filter(Boolean);
-  if (parts[0] !== "d" || !parts[1]) {
-    return null;
-  }
-
-  const prefix = `/d/${parts[1]}`;
-  const appPath = url.pathname === prefix ? "/" : url.pathname.slice(prefix.length) || "/";
-  return {
-    appPath,
-    basePath: prefix,
-    slug: parts[1]
-  };
-}
-
 function parseHostDeploy({ appBaseDomain, host, url }) {
   if (!appBaseDomain) {
     return null;
@@ -532,6 +590,10 @@ function parseHostDeploy({ appBaseDomain, host, url }) {
   };
 }
 
+function isDisabledPathDeployRoute(pathname) {
+  return pathname === "/d" || pathname.startsWith("/d/");
+}
+
 function quotaLimitForBucket(bucket, deploy) {
   if (bucket === "mutations") {
     return deploy.limits.mutationsPerDay;
@@ -5716,7 +5778,7 @@ async function loadDeployByRoute({ appBaseDomain, host, store, url }) {
         hostname: domain.hostname,
         deployId: domain.deployId
       }
-    : parseHostDeploy({ appBaseDomain, host, url }) ?? parsePathDeploy(url);
+    : parseHostDeploy({ appBaseDomain, host, url });
   if (!route) {
     return null;
   }
@@ -5934,17 +5996,23 @@ async function serveInspect({ adminPassword, artifact, currentDeveloper, deploy,
 export async function startAnonymousServer({
   adminPassword = adminPasswordFromEnv(),
   appBaseDomain = process.env.LAKEBED_APP_BASE_DOMAIN ?? "",
+  dashboardRootUrl = process.env.LAKEBED_DASHBOARD_ROOT_URL,
   developerSessionSecret = process.env.LAKEBED_SESSION_SECRET ?? "",
   githubOAuth = githubOAuthFromEnv(),
   port = Number(process.env.PORT ?? 8787),
   publicRootUrl,
   quiet = false,
+  role = process.env.LAKEBED_SERVER_ROLE ?? "all",
   shooBaseUrl = shooBaseUrlFromEnv(),
   sourceRuntime,
   store
 } = {}) {
+  const resolvedRole = normalizeServerRole(role);
+  const servesApiDashboard = roleServesApiDashboard(resolvedRole);
+  const servesRunner = roleServesRunner(resolvedRole);
   const resolvedAppBaseDomain = normalizeAppBaseDomain(appBaseDomain);
   const resolvedPublicRootUrl = normalizePublicRootUrl(publicRootUrl ?? process.env.PUBLIC_ROOT_URL, port);
+  const resolvedDashboardRootUrl = normalizePublicRootUrl(dashboardRootUrl ?? resolvedPublicRootUrl, port);
   const deployCreationPolicy = anonymousDeployCreationPolicy({ publicRootUrl: resolvedPublicRootUrl });
   const clientTrafficPolicy = anonymousClientTrafficPolicy({ publicRootUrl: resolvedPublicRootUrl });
   const cleanupPolicy = cleanupPolicyFromEnv();
@@ -5952,7 +6020,7 @@ export async function startAnonymousServer({
   const resolvedDeveloperSessionSecret =
     developerSessionSecret || resolvedGithubOAuth?.sessionSecret || resolvedGithubOAuth?.clientSecret || adminPassword || "";
   const resolvedStore = store ?? (await createAnonymousStoreFromEnv());
-  const resolvedSourceRuntime = sourceRuntime === undefined ? createSourceRuntimeFromEnv() : sourceRuntime;
+  const resolvedSourceRuntime = sourceRuntime === undefined && servesRunner ? createSourceRuntimeFromEnv() : sourceRuntime;
   await resolvedStore.initialize();
   const subscriptions = new Map();
   let cleanupInterval = null;
@@ -6191,7 +6259,20 @@ export async function startAnonymousServer({
         return;
       }
 
-      if (req.method === "GET" && (requestUrl.pathname === "/deploys" || requestUrl.pathname === "/dashboard")) {
+      if (
+        servesApiDashboard &&
+        shouldRedirectToDashboardHost({
+          dashboardRootUrl: resolvedDashboardRootUrl,
+          host,
+          publicRootUrl: resolvedPublicRootUrl,
+          requestUrl
+        })
+      ) {
+        redirect(res, dashboardRedirectLocation({ dashboardRootUrl: resolvedDashboardRootUrl, requestUrl }));
+        return;
+      }
+
+      if (servesApiDashboard && req.method === "GET" && (requestUrl.pathname === "/deploys" || requestUrl.pathname === "/dashboard")) {
         const authConfigured = developerAuthConfigured(resolvedGithubOAuth, resolvedDeveloperSessionSecret);
         const user = authConfigured ? currentDeveloper(req) : null;
         sendText(
@@ -6207,7 +6288,7 @@ export async function startAnonymousServer({
         return;
       }
 
-      if (req.method === "GET" && requestUrl.pathname === "/v1/me") {
+      if (servesApiDashboard && req.method === "GET" && requestUrl.pathname === "/v1/me") {
         const user = currentDeveloper(req);
         if (!developerAuthConfigured(resolvedGithubOAuth, resolvedDeveloperSessionSecret) || !user) {
           sendJson(res, 401, { error: "Developer authentication required." });
@@ -6218,7 +6299,7 @@ export async function startAnonymousServer({
         return;
       }
 
-      if (req.method === "GET" && requestUrl.pathname === "/v1/me/deploys") {
+      if (servesApiDashboard && req.method === "GET" && requestUrl.pathname === "/v1/me/deploys") {
         const user = currentDeveloper(req);
         if (!developerAuthConfigured(resolvedGithubOAuth, resolvedDeveloperSessionSecret) || !user) {
           sendJson(res, 401, { error: "Developer authentication required." });
@@ -6230,7 +6311,7 @@ export async function startAnonymousServer({
       }
 
       const developerTerminateMatch =
-        req.method === "POST" ? requestUrl.pathname.match(/^\/v1\/me\/deploys\/([^/]+)\/terminate$/) : null;
+        servesApiDashboard && req.method === "POST" ? requestUrl.pathname.match(/^\/v1\/me\/deploys\/([^/]+)\/terminate$/) : null;
       if (developerTerminateMatch) {
         const user = currentDeveloper(req);
         if (!developerAuthConfigured(resolvedGithubOAuth, resolvedDeveloperSessionSecret) || !user) {
@@ -6266,7 +6347,7 @@ export async function startAnonymousServer({
         return;
       }
 
-      if (req.method === "GET" && requestUrl.pathname === "/auth/github") {
+      if (servesApiDashboard && req.method === "GET" && requestUrl.pathname === "/auth/github") {
         if (!developerAuthConfigured(resolvedGithubOAuth, resolvedDeveloperSessionSecret)) {
           sendText(res, 503, "GitHub sign-in is not configured.\n", { "Content-Type": "text/plain; charset=utf-8" });
           return;
@@ -6284,7 +6365,7 @@ export async function startAnonymousServer({
         );
         const authorizeUrl = new URL(resolvedGithubOAuth.authorizeUrl);
         authorizeUrl.searchParams.set("client_id", resolvedGithubOAuth.clientId);
-        authorizeUrl.searchParams.set("redirect_uri", githubRedirectUri(resolvedGithubOAuth, resolvedPublicRootUrl));
+        authorizeUrl.searchParams.set("redirect_uri", githubRedirectUri(resolvedGithubOAuth, resolvedDashboardRootUrl));
         authorizeUrl.searchParams.set("scope", "read:user");
         authorizeUrl.searchParams.set("state", state);
         redirect(res, authorizeUrl.href, {
@@ -6293,7 +6374,7 @@ export async function startAnonymousServer({
         return;
       }
 
-      if (req.method === "GET" && requestUrl.pathname === "/auth/github/callback") {
+      if (servesApiDashboard && req.method === "GET" && requestUrl.pathname === "/auth/github/callback") {
         if (!developerAuthConfigured(resolvedGithubOAuth, resolvedDeveloperSessionSecret)) {
           sendText(res, 503, "GitHub sign-in is not configured.\n", { "Content-Type": "text/plain; charset=utf-8" });
           return;
@@ -6339,7 +6420,7 @@ export async function startAnonymousServer({
         const user = await githubUserFromCode({
           code,
           githubOAuth: resolvedGithubOAuth,
-          redirectUri: githubRedirectUri(resolvedGithubOAuth, resolvedPublicRootUrl)
+          redirectUri: githubRedirectUri(resolvedGithubOAuth, resolvedDashboardRootUrl)
         });
         redirect(res, normalizeReturnTo(statePayload.returnTo), {
           "Set-Cookie": [developerCookie(user, resolvedDeveloperSessionSecret, secure), clearOauthStateCookie(secure)]
@@ -6347,14 +6428,14 @@ export async function startAnonymousServer({
         return;
       }
 
-      if (req.method === "GET" && requestUrl.pathname === "/auth/logout") {
+      if (servesApiDashboard && req.method === "GET" && requestUrl.pathname === "/auth/logout") {
         redirect(res, "/deploys", {
           "Set-Cookie": clearDeveloperCookie(isSecureRequest(req))
         });
         return;
       }
 
-      const claimMatch = req.method === "GET" ? requestUrl.pathname.match(/^\/claim\/([^/]+)\/([^/]+)$/) : null;
+      const claimMatch = servesApiDashboard && req.method === "GET" ? requestUrl.pathname.match(/^\/claim\/([^/]+)\/([^/]+)$/) : null;
       if (claimMatch) {
         if (!developerAuthConfigured(resolvedGithubOAuth, resolvedDeveloperSessionSecret)) {
           sendText(res, 503, "GitHub sign-in is not configured.\n", { "Content-Type": "text/plain; charset=utf-8" });
@@ -6392,6 +6473,7 @@ export async function startAnonymousServer({
       }
 
       if (
+        servesApiDashboard &&
         req.method === "GET" &&
         (requestUrl.pathname === "/admin" ||
           requestUrl.pathname === "/admin/" ||
@@ -6403,7 +6485,7 @@ export async function startAnonymousServer({
         return;
       }
 
-      if (requestUrl.pathname === "/admin/api/login" && req.method === "POST") {
+      if (servesApiDashboard && requestUrl.pathname === "/admin/api/login" && req.method === "POST") {
         if (!isAdminConfigured(adminPassword)) {
           sendJson(res, 503, { error: "Lakebed admin is not configured. Set LAKEBED_ADMIN_PASSWORD." });
           return;
@@ -6419,12 +6501,12 @@ export async function startAnonymousServer({
         return;
       }
 
-      if (requestUrl.pathname === "/admin/api/logout" && req.method === "POST") {
+      if (servesApiDashboard && requestUrl.pathname === "/admin/api/logout" && req.method === "POST") {
         sendJson(res, 200, { ok: true }, { "Set-Cookie": adminCookie("", 0, isSecureRequest(req)) });
         return;
       }
 
-      if (requestUrl.pathname === "/admin/api/summary" && req.method === "GET") {
+      if (servesApiDashboard && requestUrl.pathname === "/admin/api/summary" && req.method === "GET") {
         if (!isAdminConfigured(adminPassword)) {
           sendJson(res, 503, { error: "Lakebed admin is not configured. Set LAKEBED_ADMIN_PASSWORD." });
           return;
@@ -6440,7 +6522,7 @@ export async function startAnonymousServer({
       }
 
       const adminUserDetailMatch =
-        req.method === "GET" ? requestUrl.pathname.match(/^\/admin\/api\/users\/([^/]+)$/) : null;
+        servesApiDashboard && req.method === "GET" ? requestUrl.pathname.match(/^\/admin\/api\/users\/([^/]+)$/) : null;
       if (adminUserDetailMatch) {
         if (!isAdminConfigured(adminPassword)) {
           sendJson(res, 503, { error: "Lakebed admin is not configured. Set LAKEBED_ADMIN_PASSWORD." });
@@ -6463,7 +6545,7 @@ export async function startAnonymousServer({
       }
 
       const userLimitsMatch =
-        req.method === "PUT" ? requestUrl.pathname.match(/^\/admin\/api\/users\/([^/]+)\/limits$/) : null;
+        servesApiDashboard && req.method === "PUT" ? requestUrl.pathname.match(/^\/admin\/api\/users\/([^/]+)\/limits$/) : null;
       if (userLimitsMatch) {
         if (!isAdminConfigured(adminPassword)) {
           sendJson(res, 503, { error: "Lakebed admin is not configured. Set LAKEBED_ADMIN_PASSWORD." });
@@ -6499,7 +6581,7 @@ export async function startAnonymousServer({
       }
 
       const terminateMatch =
-        req.method === "POST"
+        servesApiDashboard && req.method === "POST"
           ? requestUrl.pathname.match(/^\/admin\/api\/deploys\/([^/]+)\/terminate$/)
           : null;
       if (terminateMatch) {
@@ -6533,7 +6615,7 @@ export async function startAnonymousServer({
       }
 
       const deployDomainsMatch = requestUrl.pathname.match(/^\/v1\/deploys\/([^/]+)\/domains$/);
-      if (deployDomainsMatch && (req.method === "GET" || req.method === "POST")) {
+      if (servesApiDashboard && deployDomainsMatch && (req.method === "GET" || req.method === "POST")) {
         const deployId = decodeURIComponent(deployDomainsMatch[1]);
         const currentDeploy = await resolvedStore.getDeployById(deployId);
         if (!currentDeploy) {
@@ -6616,7 +6698,12 @@ export async function startAnonymousServer({
         return;
       }
 
-      if (req.method === "POST" && requestUrl.pathname === "/v1/anonymous-deploys") {
+      if (servesApiDashboard && req.method === "POST" && requestUrl.pathname === "/v1/anonymous-deploys") {
+        if (!resolvedAppBaseDomain) {
+          sendJson(res, 503, { error: "LAKEBED_APP_BASE_DOMAIN is required to create hosted deploys." });
+          return;
+        }
+
         await enforceAnonymousDeployCreation(req);
         const body = await readJsonBody(req);
         const payload = validateAnonymousDeployPayload(body);
@@ -6642,11 +6729,16 @@ export async function startAnonymousServer({
           serverEnv: payload.serverEnv
         });
         await resolvedStore.appendLog(deploy.id, "info", "anonymous deploy created", { artifactHash: deploy.artifactHash });
-        sendJson(res, 201, responseForDeploy({ deploy, token }));
+        sendJson(res, 201, responseForDeploy({ dashboardRootUrl: resolvedDashboardRootUrl, deploy, token }));
         return;
       }
 
-      if ((req.method === "PUT" || req.method === "PATCH") && requestUrl.pathname.startsWith("/v1/deploys/")) {
+      if (servesApiDashboard && (req.method === "PUT" || req.method === "PATCH") && requestUrl.pathname.startsWith("/v1/deploys/")) {
+        if (!resolvedAppBaseDomain) {
+          sendJson(res, 503, { error: "LAKEBED_APP_BASE_DOMAIN is required to update hosted deploys." });
+          return;
+        }
+
         const deployId = requestUrl.pathname.slice("/v1/deploys/".length);
         const currentDeploy = await resolvedStore.getDeployById(deployId);
         if (!currentDeploy) {
@@ -6692,23 +6784,43 @@ export async function startAnonymousServer({
         await refreshDeploySubscriptions(deploy);
         refreshDeployClients(deploy);
         await publishDeploy(deploy.id);
-        sendJson(res, 200, responseForDeploy({ deploy }));
+        sendJson(res, 200, responseForDeploy({ dashboardRootUrl: resolvedDashboardRootUrl, deploy }));
         return;
       }
 
-      if (req.method === "GET" && requestUrl.pathname.startsWith("/v1/deploys/")) {
+      if (servesApiDashboard && req.method === "GET" && requestUrl.pathname.startsWith("/v1/deploys/")) {
         const id = requestUrl.pathname.slice("/v1/deploys/".length);
         const deploy = (await resolvedStore.getDeployById(id)) ?? (await resolvedStore.getDeployBySlug(id));
         if (!deploy) {
           sendJson(res, 404, { error: "Unknown deploy." });
           return;
         }
-        sendJson(res, 200, responseForDeploy({ deploy }));
+        sendJson(res, 200, responseForDeploy({ dashboardRootUrl: resolvedDashboardRootUrl, deploy }));
+        return;
+      }
+
+      if (isDisabledPathDeployRoute(requestUrl.pathname)) {
+        sendText(res, 404, "Path-based deploy URLs are no longer supported.\n", { "Content-Type": "text/plain; charset=utf-8" });
+        return;
+      }
+
+      if (!servesRunner) {
+        if (req.method === "GET" && requestUrl.pathname === "/") {
+          redirect(res, "/deploys");
+          return;
+        }
+
+        sendText(res, 404, "Not found\n", { "Content-Type": "text/plain; charset=utf-8" });
         return;
       }
 
       const loaded = await loadDeployByRoute({ appBaseDomain: resolvedAppBaseDomain, host, store: resolvedStore, url: requestUrl });
       if (!loaded) {
+        if (!servesApiDashboard && isApiDashboardRoute(requestUrl.pathname)) {
+          sendText(res, 404, "Not found\n", { "Content-Type": "text/plain; charset=utf-8" });
+          return;
+        }
+
         sendText(res, 200, "Lakebed anonymous deploy runner\n", { "Content-Type": "text/plain; charset=utf-8" });
         return;
       }
@@ -6919,6 +7031,11 @@ export async function startAnonymousServer({
   });
 
   server.on("upgrade", async (req, socket, head) => {
+    if (!servesRunner) {
+      socket.destroy();
+      return;
+    }
+
     const host = req.headers.host ?? "localhost";
     const requestUrl = new URL(req.url ?? "/", `http://${host}`);
     const loaded = await loadDeployByRoute({ appBaseDomain: resolvedAppBaseDomain, host, store: resolvedStore, url: requestUrl });
@@ -6971,8 +7088,10 @@ export async function startAnonymousServer({
 
   return {
     appBaseDomain: resolvedAppBaseDomain,
+    dashboardRootUrl: resolvedDashboardRootUrl,
     port,
     publicRootUrl: resolvedPublicRootUrl,
+    role: resolvedRole,
     store: resolvedStore,
     url: resolvedPublicRootUrl,
     async close() {

package/src/cli.js

@@ -1,6 +1,7 @@
 #!/usr/bin/env node
 import { execFile } from "node:child_process";
-import { createServer } from "node:http";
+import { createServer, request as httpRequest } from "node:http";
+import { request as httpsRequest } from "node:https";
 import { existsSync, realpathSync } from "node:fs";
 import { mkdir, readdir, readFile, rm, stat, writeFile } from "node:fs/promises";
 import { basename, dirname, isAbsolute, join, relative, resolve, sep } from "node:path";
@@ -29,7 +30,8 @@ const root = process.cwd();
 const packageDir = resolve(dirname(fileURLToPath(import.meta.url)), "..");
 const packageNodeModules = resolve(packageDir, "node_modules");
 const sourceNamespace = "lakebed-source";
-const defaultDeployApiUrl = "https://api.lakebed.app";
+const defaultDeployApiUrl = "https://api.lakebed.dev";
+const legacyDeployApiUrl = "https://api.lakebed.app";
 const execFileAsync = promisify(execFile);
 const endpointBodyMaxBytes = 2 * 1024 * 1024;
 
@@ -44,7 +46,7 @@ Usage:
   npx lakebed deploy [capsule-dir] [--api <url>] [--public-inspect] [--json]
   npx lakebed claim [capsule-dir] [--api <url>] [--json]
   npx lakebed domains add <subdomain.lakebed.app> [--api <url>] [--json]
-  npx lakebed anonymous-server [--port 8787] [--public-root-url <url>] [--app-base-domain <domain>]
+  npx lakebed anonymous-server [--port 8787] [--public-root-url <url>] [--dashboard-root-url <url>] [--app-base-domain <domain>] [--role all|api-dashboard|runner]
   npx lakebed inspect <deploy-id-or-url> [--api <url>] [--inspect-token <token>] [--json]
   npx lakebed run-many [capsule-dir] [--count 20] [--base-port 4000]
   npx lakebed auth as <name>
@@ -69,10 +71,12 @@ const optionsWithValues = new Set([
   "--app-base-domain",
   "--base-port",
   "--count",
+  "--dashboard-root-url",
   "--inspect-token",
   "--out",
   "--port",
   "--public-root-url",
+  "--role",
   "--target",
   "--template"
 ]);
@@ -1190,12 +1194,12 @@ function claimTokenFromDeployResponse(deployed) {
   return null;
 }
 
-function claimUrlFromDeployMetadata(metadata) {
+function claimUrlFromDeployMetadata(metadata, api = metadata?.api) {
   if (!metadata?.api || !metadata?.deployId || !metadata?.claimToken) {
     return null;
   }
 
-  return `${String(metadata.api).replace(/\/+$/g, "")}/claim/${encodeURIComponent(metadata.deployId)}/${encodeURIComponent(metadata.claimToken)}`;
+  return `${normalizeHostedUrl(api)}/claim/${encodeURIComponent(metadata.deployId)}/${encodeURIComponent(metadata.claimToken)}`;
 }
 
 function claimCommandText({ api, capsuleArg }) {
@@ -1327,6 +1331,15 @@ function normalizeHostedUrl(value) {
   }
 }
 
+function canonicalDeployApiUrl(value) {
+  const normalized = normalizeHostedUrl(value);
+  return normalized === legacyDeployApiUrl ? defaultDeployApiUrl : normalized;
+}
+
+function deployApiUrlsMatch(left, right) {
+  return canonicalDeployApiUrl(left) === canonicalDeployApiUrl(right);
+}
+
 async function readResponseJson(response) {
   const body = await response.text();
   if (!response.ok) {
@@ -1351,7 +1364,7 @@ async function deployCommand(args) {
   const inspectPolicy = hasFlag(args, "--public-inspect") ? "public" : undefined;
   const metadata = await readDeployMetadata(capsuleDir);
   const canUpdate =
-    metadata?.api === api && typeof metadata?.deployId === "string" && typeof metadata?.claimToken === "string";
+    deployApiUrlsMatch(metadata?.api, api) && typeof metadata?.deployId === "string" && typeof metadata?.claimToken === "string";
   let currentDeploy = null;
   if (canUpdate) {
     const currentResponse = await fetch(`${api}/v1/deploys/${encodeURIComponent(metadata.deployId)}`);
@@ -1495,11 +1508,11 @@ async function claimCommand(args) {
     throw new Error(`No Lakebed deploy metadata found at ${deployMetadataPath(capsuleDir)}. Run npx lakebed deploy from this project first.`);
   }
 
-  if (metadata.api !== api) {
+  if (!deployApiUrlsMatch(metadata.api, api)) {
     throw new Error(`Saved deploy metadata is for ${metadata.api}, but this command is using ${api}. Pass --api ${metadata.api} to claim it.`);
   }
 
-  const claimUrl = claimUrlFromDeployMetadata(metadata);
+  const claimUrl = claimUrlFromDeployMetadata(metadata, api);
   if (!claimUrl) {
     throw new Error("This project does not have a saved claim token. Redeploy to create a new claim URL.");
   }
@@ -1558,7 +1571,7 @@ async function domainsCommand(args) {
   if (!metadata) {
     throw new Error(`No Lakebed deploy metadata found at ${deployMetadataPath(capsuleDir)}. Run npx lakebed deploy from this project first.`);
   }
-  if (metadata.api !== api) {
+  if (!deployApiUrlsMatch(metadata.api, api)) {
     throw new Error(`Saved deploy metadata is for ${metadata.api}, but this command is using ${api}. Pass --api ${metadata.api} to use it.`);
   }
   if (!metadata.deployId || !metadata.claimToken) {
@@ -1590,15 +1603,17 @@ async function anonymousServerCommand(args) {
   const port = readNumberArg(args, "--port", Number(process.env.PORT ?? 8787));
   await startAnonymousServer({
     appBaseDomain: readArg(args, "--app-base-domain", process.env.LAKEBED_APP_BASE_DOMAIN ?? ""),
+    dashboardRootUrl: readArg(args, "--dashboard-root-url", process.env.LAKEBED_DASHBOARD_ROOT_URL),
     port,
-    publicRootUrl: readArg(args, "--public-root-url", process.env.PUBLIC_ROOT_URL ?? `http://localhost:${port}`)
+    publicRootUrl: readArg(args, "--public-root-url", process.env.PUBLIC_ROOT_URL ?? `http://localhost:${port}`),
+    role: readArg(args, "--role", process.env.LAKEBED_SERVER_ROLE ?? "all")
   });
   await new Promise(() => {});
 }
 
 function deployLookupApiUrl(target, args, metadata) {
   if (!hasExplicitOption(args, "--api") && metadata?.api && metadata.deployId === target) {
-    return String(metadata.api).replace(/\/+$/g, "");
+    return canonicalDeployApiUrl(metadata.api);
   }
 
   return deployApiUrl(args);
@@ -1620,6 +1635,61 @@ async function resolveDeployUrl(target, args, metadata) {
   }
 }
 
+async function resolveHostedTarget(target, args, metadata) {
+  if (!target) {
+    throw new Error("Expected a deploy ID or URL.");
+  }
+
+  try {
+    const url = new URL(target);
+    return { api: "", url: url.href.replace(/\/+$/g, "") };
+  } catch {
+    const api = deployLookupApiUrl(target, args, metadata);
+    const response = await fetch(`${api}/v1/deploys/${encodeURIComponent(target)}`);
+    const deploy = await readResponseJson(response);
+    return { api, url: deploy.url.replace(/\/+$/g, "") };
+  }
+}
+
+function isLocalApiUrl(value) {
+  try {
+    const { hostname } = new URL(value);
+    return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1";
+  } catch {
+    return false;
+  }
+}
+
+async function requestWithHostHeader(url, headers) {
+  const requestUrl = new URL(url);
+  const transport = requestUrl.protocol === "https:" ? httpsRequest : httpRequest;
+  return new Promise((resolveRequest, rejectRequest) => {
+    const req = transport(
+      {
+        headers,
+        hostname: requestUrl.hostname,
+        method: "GET",
+        path: `${requestUrl.pathname}${requestUrl.search}`,
+        port: requestUrl.port
+      },
+      (res) => {
+        const chunks = [];
+        res.on("data", (chunk) => chunks.push(chunk));
+        res.on("end", () => {
+          const body = Buffer.concat(chunks).toString("utf8");
+          resolveRequest({
+            ok: (res.statusCode ?? 500) >= 200 && (res.statusCode ?? 500) < 300,
+            status: res.statusCode ?? 500,
+            text: async () => body
+          });
+        });
+      }
+    );
+    req.on("error", rejectRequest);
+    req.end();
+  });
+}
+
 function inspectTokenForHostedTarget({ args, metadata, target, url }) {
   const explicitToken = readArg(args, "--inspect-token", process.env.LAKEBED_INSPECT_TOKEN ?? "");
   if (explicitToken) {
@@ -1642,11 +1712,22 @@ function inspectTokenForHostedTarget({ args, metadata, target, url }) {
 
 async function hostedJson(target, path, args) {
   const metadata = await readDeployMetadata(root);
-  const url = await resolveDeployUrl(target, args, metadata);
+  const { api, url } = await resolveHostedTarget(target, args, metadata);
   const inspectToken = inspectTokenForHostedTarget({ args, metadata, target, url });
-  const response = await fetch(`${url}${path}`, {
-    headers: inspectToken ? { Authorization: `Bearer ${inspectToken}` } : {}
-  });
+  const headers = inspectToken ? { Authorization: `Bearer ${inspectToken}` } : {};
+  let response;
+  try {
+    response = await fetch(`${url}${path}`, { headers });
+  } catch (error) {
+    if (!api || !isLocalApiUrl(api)) {
+      throw error;
+    }
+
+    response = await requestWithHostHeader(`${api}${path}`, {
+      ...headers,
+      Host: new URL(url).host
+    });
+  }
   return readResponseJson(response);
 }
 
@@ -1761,7 +1842,7 @@ async function dbCommand(args) {
 }
 
 function agentInstructionsTemplate() {
-  return `# Building with Lakebed.
+  return `# Lakebed App Instructions
 
 This directory is for a Lakebed "capsule". Lakebed is an all-inclusive suite of tools to build web applications purely from code and a CLI.
 
@@ -1814,6 +1895,10 @@ npx lakebed db dump --port 3000
 npx lakebed logs --port 3000
 \`\`\`
 
+## External endpoints
+
+Use \`endpoint({ method, path }, handler)\` from \`lakebed/server\` when the app needs to expose an HTTP route for webhooks or other non-Lakebed clients. Endpoint handlers receive request data including \`headers.get(name)\`, URL params, query params, and body helpers.
+
 ## Additional resources
 
 - [Lakebed docs](https://docs.lakebed.dev/)

package/src/services/all-in-one.js

@@ -0,0 +1,5 @@
+import { startAnonymousServer } from "../anonymous-server.js";
+
+await startAnonymousServer({
+  role: "all"
+});

package/src/services/api-dashboard.js

@@ -0,0 +1,7 @@
+import { startAnonymousServer } from "../anonymous-server.js";
+
+await startAnonymousServer({
+  dashboardRootUrl: process.env.LAKEBED_DASHBOARD_ROOT_URL ?? "https://dashboard.lakebed.dev",
+  publicRootUrl: process.env.PUBLIC_ROOT_URL ?? "https://api.lakebed.dev",
+  role: "api-dashboard"
+});

package/src/services/capsule-runner.js

@@ -0,0 +1,5 @@
+import { startAnonymousServer } from "../anonymous-server.js";
+
+await startAnonymousServer({
+  role: "runner"
+});

package/src/version.js

@@ -1 +1 @@
-export const LAKEBED_VERSION = "0.0.20";
+export const LAKEBED_VERSION = "0.0.22";