lakebed 0.0.3 → 0.0.4

package/README.md

@@ -93,6 +93,7 @@ lakebed new <name> [--template todo]
 lakebed dev <capsule-dir> [--port 3000]
 lakebed build <capsule-dir> --target anonymous [--out .lakebed/artifacts/app.json] [--json]
 lakebed deploy [capsule-dir] [--ttl 7d] [--api <url>] [--json]
+lakebed claim [capsule-dir] [--api <url>] [--json]
 lakebed anonymous-server [--port 8787] [--public-root-url <url>] [--app-base-domain <domain>]
 lakebed inspect <deploy-id-or-url> [--api <url>] [--json]
 lakebed db list [deploy-id-or-url] [--port 3000]
@@ -143,7 +144,7 @@ LAKEBED_GITHUB_CLIENT_SECRET=...
 LAKEBED_SESSION_SECRET=...
 ```
 
-Claimed deploys are listed at `/deploys` on the deploy API origin. They keep the same resource limits as anonymous deploys. The current hosted runner still uses the anonymous interpreter artifact, so outbound `fetch` remains blocked until Lakebed has a claimed runtime target that can safely execute server code.
+Claimed deploys are listed at `/deploys` on the deploy API origin. They keep the same resource limits as anonymous deploys. Anonymous deploys cannot use outbound `fetch`; after a deploy is claimed, `lakebed deploy` can update it with a source-backed server artifact that supports async handlers and server-side fetch.
 
 ## Admin Dashboard
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lakebed",
-  "version": "0.0.3",
+  "version": "0.0.4",
   "description": "Agent-native CLI and runtime for building and deploying Lakebed capsules.",
   "license": "UNLICENSED",
   "type": "module",

package/src/anonymous-server.js

@@ -2794,7 +2794,7 @@ export async function startAnonymousServer({
         }
 
         const body = await readJsonBody(req);
-        const payload = validateAnonymousDeployPayload(body);
+        const payload = validateAnonymousDeployPayload(body, { allowClaimedSource: Boolean(currentDeploy.ownerId) });
         const deploy = await resolvedStore.updateDeploy({
           appBaseDomain: resolvedAppBaseDomain,
           artifact: payload.artifact,

package/src/anonymous.js

@@ -17,6 +17,7 @@ export const DEFAULT_ANONYMOUS_LIMITS = {
 
 const expressionOps = new Set(["arg", "auth", "call", "row"]);
 const authFields = new Set(["displayName", "email", "emailVerified", "isAuthenticated", "isGuest", "name", "picture", "provider", "userId"]);
+const sourceModuleCache = new Map();
 
 export class AnonymousCompilerError extends Error {
   constructor(diagnostics) {
@@ -555,6 +556,77 @@ export async function createAnonymousArtifact({ app, clientOut, sourceStore, ver
   };
 }
 
+export async function createClaimedArtifact({ app, clientOut, serverOut, sourceStore, version = "0.0.3" }) {
+  if (!serverOut) {
+    throw new AnonymousCompilerError([diagnostic("server/index.ts", "Claimed deploys require a bundled server module.")]);
+  }
+
+  const sourceFiles = await readSourceFiles(sourceStore);
+  const diagnostics = forbiddenSourceDiagnostics(sourceFiles).filter(
+    (entry) =>
+      entry.message !== "Outbound fetch is disabled for anonymous deploys." &&
+      entry.message !== "Async server handlers are not part of the anonymous IR yet. Use synchronous Lakebed database operations."
+  );
+  const { diagnostics: schemaDiagnostics, schema } = serializeSchema(app.schema);
+  diagnostics.push(...schemaDiagnostics);
+  if (diagnostics.length > 0) {
+    throw new AnonymousCompilerError(diagnostics);
+  }
+
+  const clientBundle = await readFile(clientOut);
+  const serverBundle = await readFile(serverOut);
+  const clientBundleBase64 = clientBundle.toString("base64");
+  const clientBundleHash = sha256(clientBundle);
+  const serverBundleBase64 = serverBundle.toString("base64");
+  const serverBundleHash = sha256(serverBundle);
+  const sourceManifest = sourceFiles.map(({ bytes, hash, path }) => ({ bytes, hash, path }));
+  const sourceSnapshotHash = sha256(stableStringify(sourceManifest));
+  const artifact = {
+    name: app.name ?? "Lakebed Capsule",
+    client: {
+      bundleHash: clientBundleHash,
+      bytes: clientBundle.byteLength,
+      entry: "/client.js"
+    },
+    createdWith: {
+      compiler: "0.1.0",
+      lakebed: version
+    },
+    deployTarget: "claimed-source",
+    format: ANONYMOUS_ARTIFACT_FORMAT,
+    limits: {
+      instructionBudget: DEFAULT_ANONYMOUS_LIMITS.instructionBudget,
+      maxRowsReturned: DEFAULT_ANONYMOUS_LIMITS.rowsReturned,
+      maxValueBytes: DEFAULT_ANONYMOUS_LIMITS.maxValueBytes
+    },
+    server: {
+      helpers: {},
+      imports: ["lakebed/server"],
+      mutations: Object.fromEntries(Object.keys(app.mutations ?? {}).map((name) => [name, { op: "source" }])),
+      queries: Object.fromEntries(Object.keys(app.queries ?? {}).map((name) => [name, { op: "source" }])),
+      schema,
+      source: {
+        bytes: serverBundle.byteLength,
+        bundle: serverBundleBase64,
+        bundleHash: serverBundleHash,
+        entry: "/server.mjs"
+      }
+    },
+    source: {
+      files: sourceManifest,
+      snapshotHash: sourceSnapshotHash
+    }
+  };
+  const artifactHash = sha256(stableStringify(artifact));
+
+  return {
+    artifact,
+    artifactHash,
+    clientBundle: clientBundleBase64,
+    clientBundleHash
+  };
+}
+
 function validateExpression(expr, path, diagnostics) {
   if (!isExpression(expr)) {
     diagnostics.push(diagnostic(path, "Expected an anonymous IR expression."));
@@ -614,6 +686,10 @@ function validateValue(value, path, diagnostics) {
 }
 
 function validateQuery(query, path, schema, diagnostics) {
+  if (query?.op === "source") {
+    return;
+  }
+
   if (!isPlainObject(query) || query.op !== "table.all" || !schema[query.table]) {
     diagnostics.push(diagnostic(path, "Invalid anonymous query IR."));
     return;
@@ -636,7 +712,7 @@ function validateQuery(query, path, schema, diagnostics) {
   }
 }
 
-export function validateAnonymousArtifact(artifact) {
+export function validateAnonymousArtifact(artifact, { allowClaimedSource = false } = {}) {
   const diagnostics = [];
 
   if (!isPlainObject(artifact)) {
@@ -647,7 +723,7 @@ export function validateAnonymousArtifact(artifact) {
     diagnostics.push(diagnostic("artifact.format", `Expected ${ANONYMOUS_ARTIFACT_FORMAT}.`));
   }
 
-  if (artifact.deployTarget !== "anonymous-interpreter") {
+  if (artifact.deployTarget !== "anonymous-interpreter" && !(allowClaimedSource && artifact.deployTarget === "claimed-source")) {
     diagnostics.push(diagnostic("artifact.deployTarget", "Anonymous deploys require deployTarget anonymous-interpreter."));
   }
 
@@ -669,9 +745,49 @@ export function validateAnonymousArtifact(artifact) {
 
   for (const [name, query] of Object.entries(artifact.server?.queries ?? {})) {
     validateQuery(query, `artifact.server.queries.${name}`, schema ?? {}, diagnostics);
+    if (query?.op === "source" && artifact.server?.source === undefined) {
+      diagnostics.push(diagnostic(`artifact.server.queries.${name}`, "Source query requires artifact.server.source."));
+    }
+    if (query?.op === "source" && artifact.deployTarget !== "claimed-source") {
+      diagnostics.push(diagnostic(`artifact.server.queries.${name}`, "Source query requires deployTarget claimed-source."));
+    }
+  }
+
+  if (artifact.server?.source !== undefined) {
+    if (artifact.deployTarget !== "claimed-source") {
+      diagnostics.push(diagnostic("artifact.server.source", "Server source bundles require deployTarget claimed-source."));
+    }
+    const source = artifact.server.source;
+    if (
+      !isPlainObject(source) ||
+      typeof source.bundle !== "string" ||
+      typeof source.bundleHash !== "string" ||
+      !Number.isInteger(source.bytes) ||
+      source.bytes <= 0
+    ) {
+      diagnostics.push(diagnostic("artifact.server.source", "Invalid anonymous server source bundle."));
+    } else {
+      const bundle = Buffer.from(source.bundle, "base64");
+      if (bundle.byteLength !== source.bytes) {
+        diagnostics.push(diagnostic("artifact.server.source.bytes", "Server bundle byte count does not match artifact.server.source.bytes."));
+      }
+      if (sha256(bundle) !== source.bundleHash) {
+        diagnostics.push(diagnostic("artifact.server.source.bundleHash", "Server bundle hash does not match artifact.server.source.bundleHash."));
+      }
+    }
   }
 
   for (const [name, mutation] of Object.entries(artifact.server?.mutations ?? {})) {
+    if (mutation?.op === "source") {
+      if (artifact.server?.source === undefined) {
+        diagnostics.push(diagnostic(`artifact.server.mutations.${name}`, "Source mutation requires artifact.server.source."));
+      }
+      if (artifact.deployTarget !== "claimed-source") {
+        diagnostics.push(diagnostic(`artifact.server.mutations.${name}`, "Source mutation requires deployTarget claimed-source."));
+      }
+      continue;
+    }
+
     if (mutation?.op !== "mutation" || !Array.isArray(mutation.body)) {
       diagnostics.push(diagnostic(`artifact.server.mutations.${name}`, "Invalid mutation IR."));
       continue;
@@ -704,12 +820,12 @@ export function validateAnonymousArtifact(artifact) {
   return diagnostics;
 }
 
-export function validateAnonymousDeployPayload(payload) {
+export function validateAnonymousDeployPayload(payload, options = {}) {
   if (!payload || typeof payload !== "object") {
     throw new Error("Deploy payload must be a JSON object.");
   }
 
-  const diagnostics = validateAnonymousArtifact(payload.artifact);
+  const diagnostics = validateAnonymousArtifact(payload.artifact, options);
   if (diagnostics.length > 0) {
     throw new AnonymousCompilerError(diagnostics);
   }
@@ -939,7 +1055,124 @@ async function executeQuerySpec({ args = [], artifact, auth, query, state, deplo
   return results.slice(0, limit);
 }
 
+async function loadSourceApp(artifact) {
+  const source = artifact.server?.source;
+  if (!source) {
+    return null;
+  }
+
+  if (!sourceModuleCache.has(source.bundleHash)) {
+    const url = `data:text/javascript;base64,${source.bundle}`;
+    sourceModuleCache.set(source.bundleHash, import(url).then((module) => module.default));
+  }
+  return sourceModuleCache.get(source.bundleHash);
+}
+
+function createSourceQuery(rows, tableName) {
+  return {
+    filters: [],
+    limitValue: null,
+    orderByValue: null,
+    tableName,
+    where(field, value) {
+      return { ...this, filters: [...this.filters, { field, value }] };
+    },
+    orderBy(field, direction = "asc") {
+      return { ...this, orderByValue: { field, direction: direction === "desc" ? "desc" : "asc" } };
+    },
+    limit(count) {
+      return { ...this, limitValue: Number(count) };
+    },
+    all() {
+      let results = [...rows[this.tableName]].map((row) => ({ ...row }));
+      for (const filter of this.filters) {
+        results = results.filter((row) => row[filter.field] === filter.value);
+      }
+      if (this.orderByValue) {
+        const direction = this.orderByValue.direction === "desc" ? -1 : 1;
+        results.sort((left, right) => compareValues(left[this.orderByValue.field], right[this.orderByValue.field]) * direction);
+      }
+      return results.slice(0, this.limitValue ?? results.length);
+    }
+  };
+}
+
+async function createSourceContext({ artifact, auth, deployId, state }) {
+  const rows = {};
+  const operations = [];
+  for (const tableName of Object.keys(artifact.server.schema ?? {})) {
+    rows[tableName] = await state.listRows(deployId, tableName);
+  }
+
+  const db = {};
+  for (const tableName of Object.keys(artifact.server.schema ?? {})) {
+    db[tableName] = {
+      ...createSourceQuery(rows, tableName),
+      get(id) {
+        return rows[tableName].find((row) => row.id === id) ?? null;
+      },
+      insert(value) {
+        const row = prepareInsert(artifact.server.schema, tableName, value);
+        rows[tableName].push(row);
+        operations.push({ op: "insert", row, table: tableName });
+        return { ...row };
+      },
+      update(id, patch) {
+        const index = rows[tableName].findIndex((row) => row.id === id);
+        if (index === -1) {
+          return;
+        }
+        const cleanPatch = preparePatch(artifact.server.schema, tableName, patch);
+        rows[tableName][index] = { ...rows[tableName][index], ...cleanPatch };
+        operations.push({ id, op: "update", patch: cleanPatch, table: tableName });
+      },
+      delete(id) {
+        const index = rows[tableName].findIndex((row) => row.id === id);
+        if (index === -1) {
+          return;
+        }
+        rows[tableName].splice(index, 1);
+        operations.push({ id, op: "delete", table: tableName });
+      }
+    };
+  }
+
+  return {
+    ctx: {
+      auth,
+      db,
+      env: {},
+      log: {
+        error() {},
+        info() {},
+        warn() {}
+      }
+    },
+    async flush(tx) {
+      for (const operation of operations) {
+        if (operation.op === "insert") {
+          await tx.insertRow(deployId, operation.table, operation.row);
+        } else if (operation.op === "update") {
+          await tx.updateRow(deployId, operation.table, operation.id, operation.patch);
+        } else if (operation.op === "delete") {
+          await tx.deleteRow(deployId, operation.table, operation.id);
+        }
+      }
+    }
+  };
+}
+
 export async function executeAnonymousQuery({ args = [], artifact, auth, deployId, name, state }) {
+  const sourceApp = await loadSourceApp(artifact);
+  if (sourceApp) {
+    const handler = sourceApp.queries?.[name];
+    if (!handler) {
+      throw new Error(`Unknown query: ${name}`);
+    }
+    const { ctx } = await createSourceContext({ artifact, auth, deployId, state });
+    return handler(ctx, ...args);
+  }
+
   const query = artifact.server.queries?.[name];
   if (!query) {
     throw new Error(`Unknown query: ${name}`);
@@ -958,6 +1191,20 @@ async function checkUpdateGuards({ auth, guards = [], row }) {
 }
 
 export async function executeAnonymousMutation({ args = [], artifact, auth, deployId, name, state }) {
+  const sourceApp = await loadSourceApp(artifact);
+  if (sourceApp) {
+    const handler = sourceApp.mutations?.[name];
+    if (!handler) {
+      throw new Error(`Unknown mutation: ${name}`);
+    }
+    return state.transaction(deployId, async (tx) => {
+      const source = await createSourceContext({ artifact, auth, deployId, state: tx });
+      const result = await handler(source.ctx, ...args);
+      await source.flush(tx);
+      return result ?? null;
+    });
+  }
+
   const mutation = artifact.server.mutations?.[name];
   if (!mutation) {
     throw new Error(`Unknown mutation: ${name}`);

package/src/cli.js

@@ -10,6 +10,7 @@ import {
   ANONYMOUS_ARTIFACT_MEDIA_TYPE,
   AnonymousCompilerError,
   createAnonymousArtifact,
+  createClaimedArtifact,
   parseTtlSeconds,
   stableStringify
 } from "./anonymous.js";
@@ -32,6 +33,7 @@ Usage:
   lakebed dev <capsule-dir> [--port 3000]
   lakebed build <capsule-dir> --target anonymous [--out .lakebed/artifacts/app.json] [--json]
   lakebed deploy [capsule-dir] [--ttl 7d] [--api <url>] [--json]
+  lakebed claim [capsule-dir] [--api <url>] [--json]
   lakebed anonymous-server [--port 8787] [--public-root-url <url>] [--app-base-domain <domain>]
   lakebed inspect <deploy-id-or-url> [--api <url>] [--json]
   lakebed run-many <capsule-dir> [--count 20] [--base-port 4000]
@@ -299,6 +301,7 @@ export async function buildCapsule({ capsuleDir, sourceStore, capsuleId = "dev"
     buildDir,
     clientOut,
     env: await readServerEnv(workingStore),
+    serverOut,
     sourceStore: workingStore
   };
 }
@@ -598,6 +601,30 @@ async function buildAnonymousEnvelope(capsuleArg) {
   };
 }
 
+async function buildClaimedEnvelope(capsuleArg) {
+  const capsuleDir = resolveCapsuleDir(capsuleArg);
+  const sourceStore = await createMemorySourceStoreFromDirectory(capsuleDir);
+  const built = await buildCapsule({
+    capsuleDir,
+    capsuleId: `claimed-${Date.now()}`,
+    sourceStore
+  });
+  const artifact = await createClaimedArtifact({
+    app: built.app,
+    clientOut: built.clientOut,
+    serverOut: built.serverOut,
+    sourceStore
+  });
+
+  return {
+    artifact: artifact.artifact,
+    artifactHash: artifact.artifactHash,
+    clientBundle: artifact.clientBundle,
+    clientBundleHash: artifact.clientBundleHash,
+    mediaType: ANONYMOUS_ARTIFACT_MEDIA_TYPE
+  };
+}
+
 function defaultArtifactPath(capsuleDir) {
   return resolve(root, ".lakebed/artifacts", `${basename(capsuleDir)}.anonymous.json`);
 }
@@ -642,6 +669,14 @@ function claimTokenFromDeployResponse(deployed) {
   return null;
 }
 
+function claimUrlFromDeployMetadata(metadata) {
+  if (!metadata?.api || !metadata?.deployId || !metadata?.claimToken) {
+    return null;
+  }
+
+  return `${String(metadata.api).replace(/\/+$/g, "")}/claim/${encodeURIComponent(metadata.deployId)}/${encodeURIComponent(metadata.claimToken)}`;
+}
+
 function deployRequestBody(envelope, ttl) {
   return JSON.stringify({
     artifact: envelope.artifact,
@@ -700,13 +735,31 @@ async function readResponseJson(response) {
 async function deployCommand(args) {
   const [capsuleArg] = positionals(args);
   const capsuleDir = capsuleArg ? resolveCapsuleDir(capsuleArg) : root;
-  const envelope = await buildAnonymousEnvelope(capsuleDir);
   const ttl = parseTtlSeconds(readArg(args, "--ttl", "7d"));
   const api = deployApiUrl(args);
-  const body = deployRequestBody(envelope, ttl);
   const metadata = await readDeployMetadata(capsuleDir);
   const canUpdate =
     metadata?.api === api && typeof metadata?.deployId === "string" && typeof metadata?.claimToken === "string";
+  let currentDeploy = null;
+  if (canUpdate) {
+    const currentResponse = await fetch(`${api}/v1/deploys/${encodeURIComponent(metadata.deployId)}`);
+    if (currentResponse.ok) {
+      currentDeploy = await currentResponse.json();
+    }
+  }
+
+  let envelope;
+  try {
+    envelope = currentDeploy?.claimed ? await buildClaimedEnvelope(capsuleDir) : await buildAnonymousEnvelope(capsuleDir);
+  } catch (error) {
+    if (error instanceof AnonymousCompilerError && canUpdate && !currentDeploy?.claimed) {
+      throw new Error(
+        `${error.message}\n\nThis deploy is still anonymous. Claim it first, then run lakebed deploy again to use server-side fetch.`
+      );
+    }
+    throw error;
+  }
+  const body = deployRequestBody(envelope, ttl);
   let mode = "created";
   let response;
 
@@ -764,7 +817,60 @@ async function deployCommand(args) {
   console.log(`  state:           ${deployed.limits.stateBytes} bytes`);
   console.log(`  requests:        ${deployed.limits.requestsPerDay} / day`);
   console.log(`  mutations:       ${deployed.limits.mutationsPerDay} / day`);
-  console.log("  outbound fetch:  disabled");
+  console.log(`  outbound fetch:  ${envelope.artifact.deployTarget === "claimed-source" ? "enabled" : "disabled"}`);
+}
+
+async function claimCommand(args) {
+  const [capsuleArg] = positionals(args);
+  const capsuleDir = capsuleArg ? resolveCapsuleDir(capsuleArg) : root;
+  const api = deployApiUrl(args);
+  const metadata = await readDeployMetadata(capsuleDir);
+
+  if (!metadata) {
+    throw new Error(`No Lakebed deploy metadata found at ${deployMetadataPath(capsuleDir)}. Run lakebed deploy from this project first.`);
+  }
+
+  if (metadata.api !== api) {
+    throw new Error(`Saved deploy metadata is for ${metadata.api}, but this command is using ${api}. Pass --api ${metadata.api} to claim it.`);
+  }
+
+  const claimUrl = claimUrlFromDeployMetadata(metadata);
+  if (!claimUrl) {
+    throw new Error("This project does not have a saved claim token. Redeploy to create a new claim URL.");
+  }
+
+  let deploy = null;
+  try {
+    const response = await fetch(`${api}/v1/deploys/${encodeURIComponent(metadata.deployId)}`);
+    if (response.ok) {
+      deploy = await response.json();
+    }
+  } catch {
+    deploy = null;
+  }
+
+  const result = {
+    claimed: Boolean(deploy?.claimed),
+    claimUrl,
+    deployId: metadata.deployId,
+    url: deploy?.url ?? metadata.url
+  };
+
+  if (hasFlag(args, "--json")) {
+    console.log(JSON.stringify(result, null, 2));
+    return;
+  }
+
+  if (result.claimed) {
+    console.log(`Deploy ${result.deployId} is already claimed.`);
+    if (result.url) {
+      console.log(`App:   ${result.url}`);
+    }
+    return;
+  }
+
+  console.log("Open this URL to claim the current project's deploy:");
+  console.log(claimUrl);
 }
 
 async function anonymousServerCommand(args) {
@@ -931,7 +1037,7 @@ lakebed logs --port 3000
 - One client entry.
 - Guest auth locally, with built-in Google sign-in through Shoo.
 - No file storage.
-- No outbound fetch in anonymous deploys.
+- No outbound fetch in anonymous deploys. Claim the deploy before using server-side fetch.
 - Local state resets when \`lakebed dev\` restarts.
 `;
 }
@@ -1146,6 +1252,11 @@ async function main() {
     return;
   }
 
+  if (command === "claim") {
+    await claimCommand(args);
+    return;
+  }
+
   if (command === "anonymous-server") {
     await anonymousServerCommand(args);
     return;