lakebed 0.0.3 → 0.0.5

package/README.md

@@ -93,6 +93,7 @@ lakebed new <name> [--template todo]
 lakebed dev <capsule-dir> [--port 3000]
 lakebed build <capsule-dir> --target anonymous [--out .lakebed/artifacts/app.json] [--json]
 lakebed deploy [capsule-dir] [--ttl 7d] [--api <url>] [--json]
+lakebed claim [capsule-dir] [--api <url>] [--json]
 lakebed anonymous-server [--port 8787] [--public-root-url <url>] [--app-base-domain <domain>]
 lakebed inspect <deploy-id-or-url> [--api <url>] [--json]
 lakebed db list [deploy-id-or-url] [--port 3000]
@@ -143,7 +144,7 @@ LAKEBED_GITHUB_CLIENT_SECRET=...
 LAKEBED_SESSION_SECRET=...
 ```
 
-Claimed deploys are listed at `/deploys` on the deploy API origin. They keep the same resource limits as anonymous deploys. The current hosted runner still uses the anonymous interpreter artifact, so outbound `fetch` remains blocked until Lakebed has a claimed runtime target that can safely execute server code.
+Claimed deploys are listed at `/deploys` on the deploy API origin. They keep the same resource limits as anonymous deploys. Anonymous deploys cannot use outbound `fetch`; after a deploy is claimed, `lakebed deploy` can update it with a source-backed server artifact that supports async handlers and server-side fetch. If the first deploy already needs server-side `fetch`, `lakebed deploy` creates a claim-required preview, saves its claim metadata, and prints the claim URL. Open that URL, then run `lakebed deploy` again to publish the real source-backed app.
 
 ## Admin Dashboard
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lakebed",
-  "version": "0.0.3",
+  "version": "0.0.5",
   "description": "Agent-native CLI and runtime for building and deploying Lakebed capsules.",
   "license": "UNLICENSED",
   "type": "module",
@@ -29,7 +29,8 @@
     "src/runtime.js",
     "src/server.d.ts",
     "src/server.js",
-    "src/source-store.js"
+    "src/source-store.js",
+    "src/version.js"
   ],
   "exports": {
     "./package.json": "./package.json",
@@ -48,6 +49,9 @@
   "publishConfig": {
     "access": "public"
   },
+  "scripts": {
+    "check": "node --check src/cli.js && node --check src/runtime.js && node --check src/server.js && node --check src/client.js && node --check src/source-store.js && node --check src/anonymous.js && node --check src/anonymous-server.js && node --check src/auth.js && node --check src/version.js"
+  },
   "dependencies": {
     "esbuild": "^0.27.1",
     "pg": "^8.16.3",
@@ -56,8 +60,5 @@
   },
   "devDependencies": {
     "@types/ws": "^8.18.1"
-  },
-  "scripts": {
-    "check": "node --check src/cli.js && node --check src/runtime.js && node --check src/server.js && node --check src/client.js && node --check src/source-store.js && node --check src/anonymous.js && node --check src/anonymous-server.js && node --check src/auth.js"
   }
-}
+}

package/src/anonymous-server.js

@@ -2794,7 +2794,7 @@ export async function startAnonymousServer({
         }
 
         const body = await readJsonBody(req);
-        const payload = validateAnonymousDeployPayload(body);
+        const payload = validateAnonymousDeployPayload(body, { allowClaimedSource: Boolean(currentDeploy.ownerId) });
         const deploy = await resolvedStore.updateDeploy({
           appBaseDomain: resolvedAppBaseDomain,
           artifact: payload.artifact,

package/src/anonymous.js

@@ -1,8 +1,10 @@
 import { createHash, randomBytes, randomUUID } from "node:crypto";
 import { readFile } from "node:fs/promises";
+import { LAKEBED_VERSION } from "./version.js";
 
 export const ANONYMOUS_ARTIFACT_FORMAT = "lakebed.capsule.artifact.v1";
 export const ANONYMOUS_ARTIFACT_MEDIA_TYPE = "application/vnd.lakebed.artifact+json";
+export { LAKEBED_VERSION };
 
 export const DEFAULT_ANONYMOUS_LIMITS = {
   artifactBytes: 1024 * 1024,
@@ -17,6 +19,7 @@ export const DEFAULT_ANONYMOUS_LIMITS = {
 
 const expressionOps = new Set(["arg", "auth", "call", "row"]);
 const authFields = new Set(["displayName", "email", "emailVerified", "isAuthenticated", "isGuest", "name", "picture", "provider", "userId"]);
+const sourceModuleCache = new Map();
 
 export class AnonymousCompilerError extends Error {
   constructor(diagnostics) {
@@ -493,7 +496,7 @@ function compileServerToIr(app, schema) {
   return { diagnostics, mutations, queries };
 }
 
-export async function createAnonymousArtifact({ app, clientOut, sourceStore, version = "0.0.3" }) {
+export async function createAnonymousArtifact({ app, clientOut, sourceStore, version = LAKEBED_VERSION }) {
   const sourceFiles = await readSourceFiles(sourceStore);
   const diagnostics = forbiddenSourceDiagnostics(sourceFiles);
   const { diagnostics: schemaDiagnostics, schema } = serializeSchema(app.schema);
@@ -555,6 +558,77 @@ export async function createAnonymousArtifact({ app, clientOut, sourceStore, ver
   };
 }
 
+export async function createClaimedArtifact({ app, clientOut, serverOut, sourceStore, version = LAKEBED_VERSION }) {
+  if (!serverOut) {
+    throw new AnonymousCompilerError([diagnostic("server/index.ts", "Claimed deploys require a bundled server module.")]);
+  }
+
+  const sourceFiles = await readSourceFiles(sourceStore);
+  const diagnostics = forbiddenSourceDiagnostics(sourceFiles).filter(
+    (entry) =>
+      entry.message !== "Outbound fetch is disabled for anonymous deploys." &&
+      entry.message !== "Async server handlers are not part of the anonymous IR yet. Use synchronous Lakebed database operations."
+  );
+  const { diagnostics: schemaDiagnostics, schema } = serializeSchema(app.schema);
+  diagnostics.push(...schemaDiagnostics);
+  if (diagnostics.length > 0) {
+    throw new AnonymousCompilerError(diagnostics);
+  }
+
+  const clientBundle = await readFile(clientOut);
+  const serverBundle = await readFile(serverOut);
+  const clientBundleBase64 = clientBundle.toString("base64");
+  const clientBundleHash = sha256(clientBundle);
+  const serverBundleBase64 = serverBundle.toString("base64");
+  const serverBundleHash = sha256(serverBundle);
+  const sourceManifest = sourceFiles.map(({ bytes, hash, path }) => ({ bytes, hash, path }));
+  const sourceSnapshotHash = sha256(stableStringify(sourceManifest));
+  const artifact = {
+    name: app.name ?? "Lakebed Capsule",
+    client: {
+      bundleHash: clientBundleHash,
+      bytes: clientBundle.byteLength,
+      entry: "/client.js"
+    },
+    createdWith: {
+      compiler: "0.1.0",
+      lakebed: version
+    },
+    deployTarget: "claimed-source",
+    format: ANONYMOUS_ARTIFACT_FORMAT,
+    limits: {
+      instructionBudget: DEFAULT_ANONYMOUS_LIMITS.instructionBudget,
+      maxRowsReturned: DEFAULT_ANONYMOUS_LIMITS.rowsReturned,
+      maxValueBytes: DEFAULT_ANONYMOUS_LIMITS.maxValueBytes
+    },
+    server: {
+      helpers: {},
+      imports: ["lakebed/server"],
+      mutations: Object.fromEntries(Object.keys(app.mutations ?? {}).map((name) => [name, { op: "source" }])),
+      queries: Object.fromEntries(Object.keys(app.queries ?? {}).map((name) => [name, { op: "source" }])),
+      schema,
+      source: {
+        bytes: serverBundle.byteLength,
+        bundle: serverBundleBase64,
+        bundleHash: serverBundleHash,
+        entry: "/server.mjs"
+      }
+    },
+    source: {
+      files: sourceManifest,
+      snapshotHash: sourceSnapshotHash
+    }
+  };
+  const artifactHash = sha256(stableStringify(artifact));
+
+  return {
+    artifact,
+    artifactHash,
+    clientBundle: clientBundleBase64,
+    clientBundleHash
+  };
+}
+
 function validateExpression(expr, path, diagnostics) {
   if (!isExpression(expr)) {
     diagnostics.push(diagnostic(path, "Expected an anonymous IR expression."));
@@ -614,6 +688,10 @@ function validateValue(value, path, diagnostics) {
 }
 
 function validateQuery(query, path, schema, diagnostics) {
+  if (query?.op === "source") {
+    return;
+  }
+
   if (!isPlainObject(query) || query.op !== "table.all" || !schema[query.table]) {
     diagnostics.push(diagnostic(path, "Invalid anonymous query IR."));
     return;
@@ -636,7 +714,7 @@ function validateQuery(query, path, schema, diagnostics) {
   }
 }
 
-export function validateAnonymousArtifact(artifact) {
+export function validateAnonymousArtifact(artifact, { allowClaimedSource = false } = {}) {
   const diagnostics = [];
 
   if (!isPlainObject(artifact)) {
@@ -647,7 +725,7 @@ export function validateAnonymousArtifact(artifact) {
     diagnostics.push(diagnostic("artifact.format", `Expected ${ANONYMOUS_ARTIFACT_FORMAT}.`));
   }
 
-  if (artifact.deployTarget !== "anonymous-interpreter") {
+  if (artifact.deployTarget !== "anonymous-interpreter" && !(allowClaimedSource && artifact.deployTarget === "claimed-source")) {
     diagnostics.push(diagnostic("artifact.deployTarget", "Anonymous deploys require deployTarget anonymous-interpreter."));
   }
 
@@ -669,9 +747,49 @@ export function validateAnonymousArtifact(artifact) {
 
   for (const [name, query] of Object.entries(artifact.server?.queries ?? {})) {
     validateQuery(query, `artifact.server.queries.${name}`, schema ?? {}, diagnostics);
+    if (query?.op === "source" && artifact.server?.source === undefined) {
+      diagnostics.push(diagnostic(`artifact.server.queries.${name}`, "Source query requires artifact.server.source."));
+    }
+    if (query?.op === "source" && artifact.deployTarget !== "claimed-source") {
+      diagnostics.push(diagnostic(`artifact.server.queries.${name}`, "Source query requires deployTarget claimed-source."));
+    }
+  }
+
+  if (artifact.server?.source !== undefined) {
+    if (artifact.deployTarget !== "claimed-source") {
+      diagnostics.push(diagnostic("artifact.server.source", "Server source bundles require deployTarget claimed-source."));
+    }
+    const source = artifact.server.source;
+    if (
+      !isPlainObject(source) ||
+      typeof source.bundle !== "string" ||
+      typeof source.bundleHash !== "string" ||
+      !Number.isInteger(source.bytes) ||
+      source.bytes <= 0
+    ) {
+      diagnostics.push(diagnostic("artifact.server.source", "Invalid anonymous server source bundle."));
+    } else {
+      const bundle = Buffer.from(source.bundle, "base64");
+      if (bundle.byteLength !== source.bytes) {
+        diagnostics.push(diagnostic("artifact.server.source.bytes", "Server bundle byte count does not match artifact.server.source.bytes."));
+      }
+      if (sha256(bundle) !== source.bundleHash) {
+        diagnostics.push(diagnostic("artifact.server.source.bundleHash", "Server bundle hash does not match artifact.server.source.bundleHash."));
+      }
+    }
   }
 
   for (const [name, mutation] of Object.entries(artifact.server?.mutations ?? {})) {
+    if (mutation?.op === "source") {
+      if (artifact.server?.source === undefined) {
+        diagnostics.push(diagnostic(`artifact.server.mutations.${name}`, "Source mutation requires artifact.server.source."));
+      }
+      if (artifact.deployTarget !== "claimed-source") {
+        diagnostics.push(diagnostic(`artifact.server.mutations.${name}`, "Source mutation requires deployTarget claimed-source."));
+      }
+      continue;
+    }
+
     if (mutation?.op !== "mutation" || !Array.isArray(mutation.body)) {
       diagnostics.push(diagnostic(`artifact.server.mutations.${name}`, "Invalid mutation IR."));
       continue;
@@ -704,12 +822,12 @@ export function validateAnonymousArtifact(artifact) {
   return diagnostics;
 }
 
-export function validateAnonymousDeployPayload(payload) {
+export function validateAnonymousDeployPayload(payload, options = {}) {
   if (!payload || typeof payload !== "object") {
     throw new Error("Deploy payload must be a JSON object.");
   }
 
-  const diagnostics = validateAnonymousArtifact(payload.artifact);
+  const diagnostics = validateAnonymousArtifact(payload.artifact, options);
   if (diagnostics.length > 0) {
     throw new AnonymousCompilerError(diagnostics);
   }
@@ -939,7 +1057,124 @@ async function executeQuerySpec({ args = [], artifact, auth, query, state, deplo
   return results.slice(0, limit);
 }
 
+async function loadSourceApp(artifact) {
+  const source = artifact.server?.source;
+  if (!source) {
+    return null;
+  }
+
+  if (!sourceModuleCache.has(source.bundleHash)) {
+    const url = `data:text/javascript;base64,${source.bundle}`;
+    sourceModuleCache.set(source.bundleHash, import(url).then((module) => module.default));
+  }
+  return sourceModuleCache.get(source.bundleHash);
+}
+
+function createSourceQuery(rows, tableName) {
+  return {
+    filters: [],
+    limitValue: null,
+    orderByValue: null,
+    tableName,
+    where(field, value) {
+      return { ...this, filters: [...this.filters, { field, value }] };
+    },
+    orderBy(field, direction = "asc") {
+      return { ...this, orderByValue: { field, direction: direction === "desc" ? "desc" : "asc" } };
+    },
+    limit(count) {
+      return { ...this, limitValue: Number(count) };
+    },
+    all() {
+      let results = [...rows[this.tableName]].map((row) => ({ ...row }));
+      for (const filter of this.filters) {
+        results = results.filter((row) => row[filter.field] === filter.value);
+      }
+      if (this.orderByValue) {
+        const direction = this.orderByValue.direction === "desc" ? -1 : 1;
+        results.sort((left, right) => compareValues(left[this.orderByValue.field], right[this.orderByValue.field]) * direction);
+      }
+      return results.slice(0, this.limitValue ?? results.length);
+    }
+  };
+}
+
+async function createSourceContext({ artifact, auth, deployId, state }) {
+  const rows = {};
+  const operations = [];
+  for (const tableName of Object.keys(artifact.server.schema ?? {})) {
+    rows[tableName] = await state.listRows(deployId, tableName);
+  }
+
+  const db = {};
+  for (const tableName of Object.keys(artifact.server.schema ?? {})) {
+    db[tableName] = {
+      ...createSourceQuery(rows, tableName),
+      get(id) {
+        return rows[tableName].find((row) => row.id === id) ?? null;
+      },
+      insert(value) {
+        const row = prepareInsert(artifact.server.schema, tableName, value);
+        rows[tableName].push(row);
+        operations.push({ op: "insert", row, table: tableName });
+        return { ...row };
+      },
+      update(id, patch) {
+        const index = rows[tableName].findIndex((row) => row.id === id);
+        if (index === -1) {
+          return;
+        }
+        const cleanPatch = preparePatch(artifact.server.schema, tableName, patch);
+        rows[tableName][index] = { ...rows[tableName][index], ...cleanPatch };
+        operations.push({ id, op: "update", patch: cleanPatch, table: tableName });
+      },
+      delete(id) {
+        const index = rows[tableName].findIndex((row) => row.id === id);
+        if (index === -1) {
+          return;
+        }
+        rows[tableName].splice(index, 1);
+        operations.push({ id, op: "delete", table: tableName });
+      }
+    };
+  }
+
+  return {
+    ctx: {
+      auth,
+      db,
+      env: {},
+      log: {
+        error() {},
+        info() {},
+        warn() {}
+      }
+    },
+    async flush(tx) {
+      for (const operation of operations) {
+        if (operation.op === "insert") {
+          await tx.insertRow(deployId, operation.table, operation.row);
+        } else if (operation.op === "update") {
+          await tx.updateRow(deployId, operation.table, operation.id, operation.patch);
+        } else if (operation.op === "delete") {
+          await tx.deleteRow(deployId, operation.table, operation.id);
+        }
+      }
+    }
+  };
+}
+
 export async function executeAnonymousQuery({ args = [], artifact, auth, deployId, name, state }) {
+  const sourceApp = await loadSourceApp(artifact);
+  if (sourceApp) {
+    const handler = sourceApp.queries?.[name];
+    if (!handler) {
+      throw new Error(`Unknown query: ${name}`);
+    }
+    const { ctx } = await createSourceContext({ artifact, auth, deployId, state });
+    return handler(ctx, ...args);
+  }
+
   const query = artifact.server.queries?.[name];
   if (!query) {
     throw new Error(`Unknown query: ${name}`);
@@ -958,6 +1193,20 @@ async function checkUpdateGuards({ auth, guards = [], row }) {
 }
 
 export async function executeAnonymousMutation({ args = [], artifact, auth, deployId, name, state }) {
+  const sourceApp = await loadSourceApp(artifact);
+  if (sourceApp) {
+    const handler = sourceApp.mutations?.[name];
+    if (!handler) {
+      throw new Error(`Unknown mutation: ${name}`);
+    }
+    return state.transaction(deployId, async (tx) => {
+      const source = await createSourceContext({ artifact, auth, deployId, state: tx });
+      const result = await handler(source.ctx, ...args);
+      await source.flush(tx);
+      return result ?? null;
+    });
+  }
+
   const mutation = artifact.server.mutations?.[name];
   if (!mutation) {
     throw new Error(`Unknown mutation: ${name}`);

package/src/cli.js

@@ -9,14 +9,16 @@ import { WebSocketServer } from "ws";
 import {
   ANONYMOUS_ARTIFACT_MEDIA_TYPE,
   AnonymousCompilerError,
+  LAKEBED_VERSION,
   createAnonymousArtifact,
+  createClaimedArtifact,
   parseTtlSeconds,
   stableStringify
 } from "./anonymous.js";
 import { startAnonymousServer } from "./anonymous-server.js";
 import { authFromUrl as resolveAuthFromUrl, createGuestAuth, requestOrigin, shooBaseUrlFromEnv } from "./auth.js";
 import { LogBuffer, StateCell } from "./runtime.js";
-import { createMemorySourceStoreFromDirectory, sourcePathDirname, sourcePathJoin } from "./source-store.js";
+import { MemorySourceStore, createMemorySourceStoreFromDirectory, sourcePathDirname, sourcePathJoin } from "./source-store.js";
 
 const root = process.cwd();
 const packageDir = resolve(dirname(fileURLToPath(import.meta.url)), "..");
@@ -32,6 +34,7 @@ Usage:
   lakebed dev <capsule-dir> [--port 3000]
   lakebed build <capsule-dir> --target anonymous [--out .lakebed/artifacts/app.json] [--json]
   lakebed deploy [capsule-dir] [--ttl 7d] [--api <url>] [--json]
+  lakebed claim [capsule-dir] [--api <url>] [--json]
   lakebed anonymous-server [--port 8787] [--public-root-url <url>] [--app-base-domain <domain>]
   lakebed inspect <deploy-id-or-url> [--api <url>] [--json]
   lakebed run-many <capsule-dir> [--count 20] [--base-port 4000]
@@ -299,6 +302,7 @@ export async function buildCapsule({ capsuleDir, sourceStore, capsuleId = "dev"
     buildDir,
     clientOut,
     env: await readServerEnv(workingStore),
+    serverOut,
     sourceStore: workingStore
   };
 }
@@ -598,6 +602,95 @@ async function buildAnonymousEnvelope(capsuleArg) {
   };
 }
 
+const claimRequiredDiagnosticMessages = new Set([
+  "Outbound fetch is disabled for anonymous deploys.",
+  "Async server handlers are not part of the anonymous IR yet. Use synchronous Lakebed database operations."
+]);
+
+function canDeployAfterClaim(error) {
+  return (
+    error instanceof AnonymousCompilerError &&
+    error.diagnostics.length > 0 &&
+    error.diagnostics.every((entry) => claimRequiredDiagnosticMessages.has(entry.message))
+  );
+}
+
+async function buildClaimRequiredEnvelope({ capsuleDir }) {
+  const sourceStore = new MemorySourceStore();
+  await sourceStore.writeFile(
+    "server/index.ts",
+    `import { capsule } from "lakebed/server";
+
+export default capsule({
+  name: "Claim Required",
+  schema: {},
+  queries: {},
+  mutations: {}
+});
+`
+  );
+  await sourceStore.writeFile(
+    "client/index.tsx",
+    `export function App() {
+  return (
+    <main className="min-h-screen bg-neutral-950 px-6 py-12 text-neutral-100">
+      <section className="mx-auto max-w-2xl rounded-lg border border-neutral-800 bg-neutral-900 p-8 shadow-2xl">
+        <p className="text-sm font-semibold uppercase tracking-wide text-cyan-300">Lakebed deploy</p>
+        <h1 className="mt-3 text-3xl font-semibold">Claim required</h1>
+        <p className="mt-4 text-neutral-300">
+          This capsule uses server-side fetch. Claim this deploy, then run lakebed deploy again to publish the app.
+        </p>
+      </section>
+    </main>
+  );
+}
+`
+  );
+  const built = await buildCapsule({
+    capsuleDir,
+    capsuleId: `claim-required-${Date.now()}`,
+    sourceStore
+  });
+  const artifact = await createAnonymousArtifact({
+    app: built.app,
+    clientOut: built.clientOut,
+    sourceStore
+  });
+
+  return {
+    artifact: artifact.artifact,
+    artifactHash: artifact.artifactHash,
+    clientBundle: artifact.clientBundle,
+    clientBundleHash: artifact.clientBundleHash,
+    claimRequired: true,
+    mediaType: ANONYMOUS_ARTIFACT_MEDIA_TYPE
+  };
+}
+
+async function buildClaimedEnvelope(capsuleArg) {
+  const capsuleDir = resolveCapsuleDir(capsuleArg);
+  const sourceStore = await createMemorySourceStoreFromDirectory(capsuleDir);
+  const built = await buildCapsule({
+    capsuleDir,
+    capsuleId: `claimed-${Date.now()}`,
+    sourceStore
+  });
+  const artifact = await createClaimedArtifact({
+    app: built.app,
+    clientOut: built.clientOut,
+    serverOut: built.serverOut,
+    sourceStore
+  });
+
+  return {
+    artifact: artifact.artifact,
+    artifactHash: artifact.artifactHash,
+    clientBundle: artifact.clientBundle,
+    clientBundleHash: artifact.clientBundleHash,
+    mediaType: ANONYMOUS_ARTIFACT_MEDIA_TYPE
+  };
+}
+
 function defaultArtifactPath(capsuleDir) {
   return resolve(root, ".lakebed/artifacts", `${basename(capsuleDir)}.anonymous.json`);
 }
@@ -642,11 +735,19 @@ function claimTokenFromDeployResponse(deployed) {
   return null;
 }
 
+function claimUrlFromDeployMetadata(metadata) {
+  if (!metadata?.api || !metadata?.deployId || !metadata?.claimToken) {
+    return null;
+  }
+
+  return `${String(metadata.api).replace(/\/+$/g, "")}/claim/${encodeURIComponent(metadata.deployId)}/${encodeURIComponent(metadata.claimToken)}`;
+}
+
 function deployRequestBody(envelope, ttl) {
   return JSON.stringify({
     artifact: envelope.artifact,
     clientBundle: envelope.clientBundle,
-    clientVersion: "0.0.3",
+    clientVersion: LAKEBED_VERSION,
     requestedTtlSeconds: ttl
   });
 }
@@ -700,13 +801,35 @@ async function readResponseJson(response) {
 async function deployCommand(args) {
   const [capsuleArg] = positionals(args);
   const capsuleDir = capsuleArg ? resolveCapsuleDir(capsuleArg) : root;
-  const envelope = await buildAnonymousEnvelope(capsuleDir);
   const ttl = parseTtlSeconds(readArg(args, "--ttl", "7d"));
   const api = deployApiUrl(args);
-  const body = deployRequestBody(envelope, ttl);
   const metadata = await readDeployMetadata(capsuleDir);
   const canUpdate =
     metadata?.api === api && typeof metadata?.deployId === "string" && typeof metadata?.claimToken === "string";
+  let currentDeploy = null;
+  if (canUpdate) {
+    const currentResponse = await fetch(`${api}/v1/deploys/${encodeURIComponent(metadata.deployId)}`);
+    if (currentResponse.ok) {
+      currentDeploy = await currentResponse.json();
+    }
+  }
+
+  let envelope;
+  try {
+    envelope = currentDeploy?.claimed ? await buildClaimedEnvelope(capsuleDir) : await buildAnonymousEnvelope(capsuleDir);
+  } catch (error) {
+    if (error instanceof AnonymousCompilerError && canUpdate && currentDeploy && !currentDeploy.claimed) {
+      throw new Error(
+        `${error.message}\n\nThis deploy is still anonymous. Claim it first, then run lakebed deploy again to use server-side fetch.`
+      );
+    }
+    if ((!canUpdate || !currentDeploy) && canDeployAfterClaim(error)) {
+      envelope = await buildClaimRequiredEnvelope({ capsuleDir });
+    } else {
+      throw error;
+    }
+  }
+  const body = deployRequestBody(envelope, ttl);
   let mode = "created";
   let response;
 
@@ -748,11 +871,15 @@ async function deployCommand(args) {
   }
 
   if (hasFlag(args, "--json")) {
-    console.log(JSON.stringify(deployed, null, 2));
+    console.log(JSON.stringify(envelope.claimRequired ? { ...deployed, claimRequired: true } : deployed, null, 2));
     return;
   }
 
-  console.log(`${mode === "updated" ? "Updated" : "Created"} anonymous preview.\n`);
+  if (envelope.claimRequired && mode !== "updated") {
+    console.log("Created claim-required preview.\n");
+  } else {
+    console.log(`${mode === "updated" ? "Updated" : "Created"} anonymous preview.\n`);
+  }
   console.log(`App:        ${deployed.url}`);
   console.log(`Expires:    ${deployed.expiresAt}`);
   if (deployed.claimUrl) {
@@ -764,7 +891,64 @@ async function deployCommand(args) {
   console.log(`  state:           ${deployed.limits.stateBytes} bytes`);
   console.log(`  requests:        ${deployed.limits.requestsPerDay} / day`);
   console.log(`  mutations:       ${deployed.limits.mutationsPerDay} / day`);
-  console.log("  outbound fetch:  disabled");
+  console.log(`  outbound fetch:  ${envelope.artifact.deployTarget === "claimed-source" ? "enabled" : "disabled"}`);
+  if (envelope.claimRequired) {
+    console.log("\nThis app needs a claimed deploy before server-side fetch can run.");
+    console.log("Open the claim URL, then run lakebed deploy again.");
+  }
+}
+
+async function claimCommand(args) {
+  const [capsuleArg] = positionals(args);
+  const capsuleDir = capsuleArg ? resolveCapsuleDir(capsuleArg) : root;
+  const api = deployApiUrl(args);
+  const metadata = await readDeployMetadata(capsuleDir);
+
+  if (!metadata) {
+    throw new Error(`No Lakebed deploy metadata found at ${deployMetadataPath(capsuleDir)}. Run lakebed deploy from this project first.`);
+  }
+
+  if (metadata.api !== api) {
+    throw new Error(`Saved deploy metadata is for ${metadata.api}, but this command is using ${api}. Pass --api ${metadata.api} to claim it.`);
+  }
+
+  const claimUrl = claimUrlFromDeployMetadata(metadata);
+  if (!claimUrl) {
+    throw new Error("This project does not have a saved claim token. Redeploy to create a new claim URL.");
+  }
+
+  let deploy = null;
+  try {
+    const response = await fetch(`${api}/v1/deploys/${encodeURIComponent(metadata.deployId)}`);
+    if (response.ok) {
+      deploy = await response.json();
+    }
+  } catch {
+    deploy = null;
+  }
+
+  const result = {
+    claimed: Boolean(deploy?.claimed),
+    claimUrl,
+    deployId: metadata.deployId,
+    url: deploy?.url ?? metadata.url
+  };
+
+  if (hasFlag(args, "--json")) {
+    console.log(JSON.stringify(result, null, 2));
+    return;
+  }
+
+  if (result.claimed) {
+    console.log(`Deploy ${result.deployId} is already claimed.`);
+    if (result.url) {
+      console.log(`App:   ${result.url}`);
+    }
+    return;
+  }
+
+  console.log("Open this URL to claim the current project's deploy:");
+  console.log(claimUrl);
 }
 
 async function anonymousServerCommand(args) {
@@ -931,7 +1115,7 @@ lakebed logs --port 3000
 - One client entry.
 - Guest auth locally, with built-in Google sign-in through Shoo.
 - No file storage.
-- No outbound fetch in anonymous deploys.
+- No outbound fetch in anonymous deploys. Claim the deploy before using server-side fetch.
 - Local state resets when \`lakebed dev\` restarts.
 `;
 }
@@ -1146,6 +1330,11 @@ async function main() {
     return;
   }
 
+  if (command === "claim") {
+    await claimCommand(args);
+    return;
+  }
+
   if (command === "anonymous-server") {
     await anonymousServerCommand(args);
     return;

package/src/version.js

@@ -0,0 +1 @@
+export const LAKEBED_VERSION = "0.0.5";