lakebed 0.0.5 → 0.0.7

package/src/anonymous-server.js

@@ -1,4 +1,4 @@
-import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";
+import { createCipheriv, createDecipheriv, createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";
 import { createServer } from "node:http";
 import {
   createClaimToken,
@@ -22,7 +22,48 @@ function dayWindowStart() {
   return `${new Date().toISOString().slice(0, 10)}T00:00:00.000Z`;
 }
 
-function html(title, basePath, { shooBaseUrl } = {}) {
+function serverEnvSecretFromEnv(env = process.env) {
+  return env.LAKEBED_SERVER_ENV_SECRET ?? env.LAKEBED_SESSION_SECRET ?? env.SPAN_SESSION_SECRET ?? "";
+}
+
+function serverEnvEncryptionKey(secret) {
+  return createHash("sha256").update(String(secret)).digest();
+}
+
+function encryptServerEnvValue(value, secret) {
+  if (!secret) {
+    return `plain:${Buffer.from(value, "utf8").toString("base64")}`;
+  }
+
+  const iv = randomBytes(12);
+  const cipher = createCipheriv("aes-256-gcm", serverEnvEncryptionKey(secret), iv);
+  const ciphertext = Buffer.concat([cipher.update(value, "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return `v1:${iv.toString("base64url")}:${tag.toString("base64url")}:${ciphertext.toString("base64url")}`;
+}
+
+function decryptServerEnvValue(value, secret) {
+  const stored = String(value ?? "");
+  if (stored.startsWith("plain:")) {
+    return Buffer.from(stored.slice("plain:".length), "base64").toString("utf8");
+  }
+
+  if (!stored.startsWith("v1:")) {
+    return stored;
+  }
+
+  if (!secret) {
+    throw new Error("LAKEBED_SERVER_ENV_SECRET is required to decrypt hosted server env.");
+  }
+
+  const [, ivBase64, tagBase64, ciphertextBase64] = stored.split(":");
+  const decipher = createDecipheriv("aes-256-gcm", serverEnvEncryptionKey(secret), Buffer.from(ivBase64, "base64url"));
+  decipher.setAuthTag(Buffer.from(tagBase64, "base64url"));
+  return Buffer.concat([decipher.update(Buffer.from(ciphertextBase64, "base64url")), decipher.final()]).toString("utf8");
+}
+
+function html(title, basePath, { clientBundleHash, shooBaseUrl } = {}) {
+  const clientScriptUrl = `${basePath}/client.js${clientBundleHash ? `?v=${encodeURIComponent(clientBundleHash)}` : ""}`;
   return `<!doctype html>
 <html lang="en">
   <head>
@@ -34,7 +75,7 @@ function html(title, basePath, { shooBaseUrl } = {}) {
     <div id="app"></div>
     <script>window.__LAKEBED_BASE_PATH__ = ${JSON.stringify(basePath)};</script>
     <script>window.__LAKEBED_AUTH__ = ${JSON.stringify({ shooBaseUrl })};</script>
-    <script type="module" src="${basePath}/client.js"></script>
+    <script type="module" src="${clientScriptUrl}"></script>
     <script>
       const tailwind = document.createElement("script");
       tailwind.src = "https://cdn.jsdelivr.net/npm/@tailwindcss/browser@4";
@@ -214,6 +255,93 @@ function quotaLimitForBucket(bucket, deploy) {
   return deploy.limits.requestsPerDay;
 }
 
+const USER_LIMIT_OVERRIDE_KEYS = ["requestsPerDay", "mutationsPerDay"];
+
+function normalizeUserId(value) {
+  const userId = String(value ?? "").trim();
+  if (!userId) {
+    throw new Error("User id is required.");
+  }
+  if (userId.length > 256) {
+    throw new Error("User id must be 256 characters or fewer.");
+  }
+  return userId;
+}
+
+function normalizeLimitOverrideValue(value, key) {
+  const parsed = typeof value === "string" && value.trim() ? Number(value) : value;
+  if (!Number.isSafeInteger(parsed) || parsed < 1) {
+    throw new Error(`${key} must be a positive integer.`);
+  }
+  return parsed;
+}
+
+function normalizeUserLimitOverrides(value = {}) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    throw new Error("limits must be a JSON object.");
+  }
+
+  const overrides = {};
+  for (const key of Object.keys(value)) {
+    if (!USER_LIMIT_OVERRIDE_KEYS.includes(key)) {
+      throw new Error(`Unsupported user limit override: ${key}.`);
+    }
+  }
+
+  for (const key of USER_LIMIT_OVERRIDE_KEYS) {
+    const raw = value[key];
+    if (raw === undefined || raw === null || raw === "") {
+      continue;
+    }
+    overrides[key] = normalizeLimitOverrideValue(raw, key);
+  }
+  return overrides;
+}
+
+function limitsWithOverrides(baseLimits, limitOverrides) {
+  return {
+    ...baseLimits,
+    ...normalizeUserLimitOverrides(limitOverrides ?? {})
+  };
+}
+
+function userFromOwner(owner, current = {}) {
+  const id = normalizeUserId(owner?.id ?? current.id);
+  return {
+    avatarUrl: owner?.avatarUrl ?? current.avatarUrl ?? null,
+    createdAt: current.createdAt ?? now(),
+    displayName: owner?.displayName ?? owner?.login ?? current.displayName ?? id,
+    id,
+    limitOverrides: normalizeUserLimitOverrides(current.limitOverrides ?? {}),
+    login: owner?.login ?? current.login ?? null,
+    provider: owner?.provider ?? current.provider ?? null,
+    providerId: owner?.providerId ?? current.providerId ?? null,
+    updatedAt: now(),
+    url: owner?.url ?? current.url ?? null
+  };
+}
+
+function adminUserSummary({ activeDeployCount = 0, deployCount = 0, usage = [], user }) {
+  const limitOverrides = normalizeUserLimitOverrides(user.limitOverrides ?? {});
+  return {
+    activeDeployCount,
+    avatarUrl: user.avatarUrl,
+    createdAt: user.createdAt,
+    defaultLimits: DEFAULT_ANONYMOUS_LIMITS,
+    deployCount,
+    displayName: user.displayName ?? user.login ?? user.id,
+    id: user.id,
+    limitOverrides,
+    limits: limitsWithOverrides(DEFAULT_ANONYMOUS_LIMITS, limitOverrides),
+    login: user.login,
+    provider: user.provider,
+    providerId: user.providerId,
+    updatedAt: user.updatedAt,
+    url: user.url,
+    ...usageCounts(usage)
+  };
+}
+
 const adminCookieName = "lakebed_admin";
 const adminCookieMaxAgeSeconds = 60 * 60 * 24 * 7;
 const developerCookieName = "lakebed_developer";
@@ -691,6 +819,10 @@ function adminHtml() {
         overflow: hidden;
       }
 
+      .panel + .panel {
+        margin-top: 18px;
+      }
+
       .panel-head {
         align-items: center;
         border-bottom: 1px solid var(--line);
@@ -815,6 +947,58 @@ function adminHtml() {
         opacity: 0.62;
       }
 
+      .row-action.neutral {
+        border-color: var(--line-strong);
+        color: var(--text);
+      }
+
+      .row-action.primary {
+        border-color: rgba(154, 214, 107, 0.8);
+        color: var(--accent);
+      }
+
+      .user-name {
+        display: grid;
+        gap: 4px;
+        min-width: 220px;
+      }
+
+      .user-name strong {
+        font-size: 15px;
+      }
+
+      .limit-cell {
+        display: grid;
+        gap: 6px;
+        min-width: 150px;
+      }
+
+      .limit-cell input {
+        min-height: 34px;
+        padding: 0 10px;
+      }
+
+      .limit-form {
+        align-items: end;
+        display: grid;
+        gap: 8px;
+        grid-template-columns: minmax(180px, 1fr) 132px 132px auto;
+        width: min(100%, 720px);
+      }
+
+      .limit-form .field {
+        gap: 5px;
+      }
+
+      .limit-form input {
+        min-height: 36px;
+      }
+
+      .limit-actions {
+        display: flex;
+        gap: 8px;
+      }
+
       th:nth-child(8),
       td:nth-child(8),
       th:nth-child(9),
@@ -898,6 +1082,11 @@ function adminHtml() {
           justify-content: flex-start;
         }
 
+        .limit-form {
+          grid-template-columns: 1fr;
+          width: 100%;
+        }
+
         .metrics {
           grid-template-columns: repeat(2, minmax(0, 1fr));
         }
@@ -973,6 +1162,43 @@ function adminHtml() {
             </table>
           </div>
         </section>
+
+        <section class="panel">
+          <div class="panel-head">
+            <h2>User limit overrides</h2>
+            <form class="limit-form" id="new-user-limit-form">
+              <div class="field">
+                <label for="new-user-id">User id</label>
+                <input id="new-user-id" name="userId" autocomplete="off" placeholder="github:42" />
+              </div>
+              <div class="field">
+                <label for="new-user-requests">Requests</label>
+                <input id="new-user-requests" name="requestsPerDay" inputmode="numeric" min="1" step="1" type="number" />
+              </div>
+              <div class="field">
+                <label for="new-user-mutations">Mutations</label>
+                <input id="new-user-mutations" name="mutationsPerDay" inputmode="numeric" min="1" step="1" type="number" />
+              </div>
+              <button class="button secondary" type="submit">Save</button>
+            </form>
+          </div>
+          <div class="table-wrap">
+            <table>
+              <thead>
+                <tr>
+                  <th>User</th>
+                  <th>Deploys</th>
+                  <th>Requests today</th>
+                  <th>Mutations today</th>
+                  <th>Request limit</th>
+                  <th>Mutation limit</th>
+                  <th>Actions</th>
+                </tr>
+              </thead>
+              <tbody id="user-rows"></tbody>
+            </table>
+          </div>
+        </section>
       </section>
     </main>
 
@@ -982,8 +1208,11 @@ function adminHtml() {
       const loginForm = document.getElementById("login-form");
       const loginError = document.getElementById("login-error");
       const rows = document.getElementById("deploy-rows");
+      const userRows = document.getElementById("user-rows");
+      const newUserLimitForm = document.getElementById("new-user-limit-form");
       const statusLine = document.getElementById("status-line");
       let terminatingDeployId = null;
+      let savingUserId = null;
 
       function show(view) {
         loginView.classList.toggle("hidden", view !== "login");
@@ -1019,6 +1248,19 @@ function adminHtml() {
         document.getElementById(id).textContent = value;
       }
 
+      function parseLimitValue(value, name) {
+        const trimmed = String(value || "").trim();
+        if (!trimmed) {
+          return null;
+        }
+
+        const parsed = Number(trimmed);
+        if (!Number.isSafeInteger(parsed) || parsed < 1) {
+          throw new Error(name + " must be a positive integer.");
+        }
+        return parsed;
+      }
+
       function textCell(value, className) {
         const td = document.createElement("td");
         td.textContent = value;
@@ -1072,6 +1314,80 @@ function adminHtml() {
         return td;
       }
 
+      function userCell(user) {
+        const td = document.createElement("td");
+        const wrap = document.createElement("div");
+        const name = document.createElement("strong");
+        const id = document.createElement("small");
+        wrap.className = "user-name";
+        if (user.url) {
+          const link = document.createElement("a");
+          link.href = user.url;
+          link.textContent = user.login || user.displayName || user.id;
+          name.appendChild(link);
+        } else {
+          name.textContent = user.login || user.displayName || user.id;
+        }
+        id.className = "mono";
+        id.textContent = user.id;
+        wrap.appendChild(name);
+        wrap.appendChild(id);
+        td.appendChild(wrap);
+        return td;
+      }
+
+      function limitInputCell(user, key, label) {
+        const td = document.createElement("td");
+        const wrap = document.createElement("div");
+        const input = document.createElement("input");
+        const effective = document.createElement("small");
+        wrap.className = "limit-cell";
+        input.inputMode = "numeric";
+        input.min = "1";
+        input.step = "1";
+        input.type = "number";
+        input.dataset.key = key;
+        input.value = user.limitOverrides[key] ? String(user.limitOverrides[key]) : "";
+        input.placeholder = String(user.defaultLimits[key]);
+        input.setAttribute("aria-label", label + " override for " + user.id);
+        effective.className = "mono";
+        effective.textContent = "effective " + formatNumber(user.limits[key]);
+        wrap.appendChild(input);
+        wrap.appendChild(effective);
+        td.appendChild(wrap);
+        return td;
+      }
+
+      function userActionCell(user) {
+        const td = document.createElement("td");
+        const wrap = document.createElement("div");
+        const save = document.createElement("button");
+        const clear = document.createElement("button");
+        wrap.className = "limit-actions";
+        save.className = "row-action primary";
+        save.type = "button";
+        save.textContent = savingUserId === user.id ? "Saving" : "Save";
+        save.disabled = savingUserId === user.id;
+        save.addEventListener("click", () => {
+          void saveUserLimits(user.id, save.closest("tr")).catch((error) => {
+            statusLine.textContent = error instanceof Error ? error.message : String(error);
+          });
+        });
+        clear.className = "row-action neutral";
+        clear.type = "button";
+        clear.textContent = "Clear";
+        clear.disabled = savingUserId === user.id;
+        clear.addEventListener("click", () => {
+          void saveUserLimits(user.id, null, { requestsPerDay: null, mutationsPerDay: null }).catch((error) => {
+            statusLine.textContent = error instanceof Error ? error.message : String(error);
+          });
+        });
+        wrap.appendChild(save);
+        wrap.appendChild(clear);
+        td.appendChild(wrap);
+        return td;
+      }
+
       function render(summary) {
         setMetric("metric-deploys", formatNumber(summary.deployCount));
         setMetric("metric-artifacts", formatBytes(summary.totals.artifactBytes));
@@ -1096,6 +1412,27 @@ function adminHtml() {
           tr.appendChild(textCell(formatNumber(deploy.connections), "mono"));
           rows.appendChild(tr);
         }
+
+        userRows.replaceChildren();
+        for (const user of summary.users || []) {
+          const tr = document.createElement("tr");
+          tr.appendChild(userCell(user));
+          tr.appendChild(textCell(formatNumber(user.activeDeployCount) + " / " + formatNumber(user.deployCount), "mono"));
+          tr.appendChild(textCell(formatNumber(user.requestsToday) + " / " + formatNumber(user.limits.requestsPerDay), "mono"));
+          tr.appendChild(textCell(formatNumber(user.mutationsToday) + " / " + formatNumber(user.limits.mutationsPerDay), "mono"));
+          tr.appendChild(limitInputCell(user, "requestsPerDay", "Request limit"));
+          tr.appendChild(limitInputCell(user, "mutationsPerDay", "Mutation limit"));
+          tr.appendChild(userActionCell(user));
+          userRows.appendChild(tr);
+        }
+
+        if (!summary.users?.length) {
+          const tr = document.createElement("tr");
+          const td = textCell("No claimed users or manual overrides yet.", "mono");
+          td.colSpan = 7;
+          tr.appendChild(td);
+          userRows.appendChild(tr);
+        }
       }
 
       async function loadSummary() {
@@ -1116,6 +1453,35 @@ function adminHtml() {
         show("dashboard");
       }
 
+      async function saveUserLimits(userId, row, explicitLimits) {
+        const limits = explicitLimits || {
+          requestsPerDay: parseLimitValue(row.querySelector('input[data-key="requestsPerDay"]').value, "Request limit"),
+          mutationsPerDay: parseLimitValue(row.querySelector('input[data-key="mutationsPerDay"]').value, "Mutation limit")
+        };
+
+        savingUserId = userId;
+        statusLine.textContent = "Saving limits for " + userId;
+        try {
+          const response = await fetch("/admin/api/users/" + encodeURIComponent(userId) + "/limits", {
+            body: JSON.stringify({ limits }),
+            headers: { "Content-Type": "application/json" },
+            method: "PUT"
+          });
+
+          if (response.status === 401) {
+            show("login");
+            return;
+          }
+          if (!response.ok) {
+            statusLine.textContent = "Save failed";
+            throw new Error(await response.text());
+          }
+        } finally {
+          savingUserId = null;
+        }
+        await loadSummary();
+      }
+
       async function terminateDeploy(deploy) {
         if (!confirm("Terminate " + (deploy.name || deploy.slug) + "?")) {
           return;
@@ -1158,6 +1524,33 @@ function adminHtml() {
         await loadSummary();
       });
 
+      newUserLimitForm.addEventListener("submit", async (event) => {
+        event.preventDefault();
+        const form = new FormData(newUserLimitForm);
+        const userId = String(form.get("userId") || "").trim();
+        if (!userId) {
+          statusLine.textContent = "User id is required.";
+          return;
+        }
+
+        try {
+          const requestsPerDay = parseLimitValue(form.get("requestsPerDay"), "Request limit");
+          const mutationsPerDay = parseLimitValue(form.get("mutationsPerDay"), "Mutation limit");
+          if (!requestsPerDay && !mutationsPerDay) {
+            statusLine.textContent = "Enter at least one custom limit.";
+            return;
+          }
+
+          await saveUserLimits(userId, null, {
+            requestsPerDay,
+            mutationsPerDay
+          });
+          newUserLimitForm.reset();
+        } catch (error) {
+          statusLine.textContent = error instanceof Error ? error.message : String(error);
+        }
+      });
+
       document.getElementById("refresh-button").addEventListener("click", () => {
         void loadSummary();
       });
@@ -1434,10 +1827,100 @@ export class MemoryAnonymousStore {
     this.quotaEvents = new Map();
     this.queues = new Map();
     this.rows = new Map();
+    this.serverEnv = new Map();
+    this.users = new Map();
   }
 
   async initialize() {}
 
+  async rememberUser(owner) {
+    const id = normalizeUserId(owner?.id);
+    const user = userFromOwner(owner, this.users.get(id));
+    this.users.set(id, user);
+    return user;
+  }
+
+  async getUserLimitOverrides(userId) {
+    return normalizeUserLimitOverrides(this.users.get(normalizeUserId(userId))?.limitOverrides ?? {});
+  }
+
+  async setUserLimitOverrides(userId, limitOverrides) {
+    const id = normalizeUserId(userId);
+    const current = this.users.get(id) ?? {
+      createdAt: now(),
+      displayName: id,
+      id,
+      limitOverrides: {}
+    };
+    const user = {
+      ...current,
+      displayName: current.displayName ?? current.login ?? id,
+      id,
+      limitOverrides: normalizeUserLimitOverrides(limitOverrides),
+      updatedAt: now()
+    };
+    this.users.set(id, user);
+    return this.getAdminUser(id);
+  }
+
+  async deployWithUserLimitOverrides(deploy) {
+    if (!deploy?.ownerId) {
+      return deploy;
+    }
+
+    const limitOverrides = await this.getUserLimitOverrides(deploy.ownerId);
+    if (Object.keys(limitOverrides).length === 0) {
+      return deploy;
+    }
+
+    return {
+      ...deploy,
+      limits: limitsWithOverrides(deploy.limits, limitOverrides)
+    };
+  }
+
+  async getStoredDeployById(id) {
+    return this.deploys.get(id) ?? null;
+  }
+
+  async getAdminUser(userId) {
+    const id = normalizeUserId(userId);
+    const user = this.users.get(id);
+    if (!user) {
+      return null;
+    }
+
+    const deploys = Array.from(this.deploys.values()).filter((deploy) => deploy.ownerId === id);
+    const usage = [];
+    for (const deploy of deploys) {
+      usage.push(...(await this.readUsage(deploy.id)));
+    }
+
+    return adminUserSummary({
+      activeDeployCount: deploys.filter((deploy) => deploy.status === "active" && !isExpired(deploy)).length,
+      deployCount: deploys.length,
+      usage,
+      user
+    });
+  }
+
+  async listAdminUsers() {
+    for (const deploy of this.deploys.values()) {
+      if (deploy.owner && !this.users.has(deploy.ownerId)) {
+        await this.rememberUser(deploy.owner);
+      }
+    }
+
+    const users = [];
+    for (const user of this.users.values()) {
+      users.push(await this.getAdminUser(user.id));
+    }
+
+    return users
+      .filter(Boolean)
+      .sort((left, right) => String(left.login ?? left.id).localeCompare(String(right.login ?? right.id)));
+  }
+
   storeArtifact({ artifact, artifactHash, clientBundleBase64, clientBundleHash, createdAt }) {
     const currentArtifact = this.artifacts.get(artifactHash);
     this.artifacts.set(artifactHash, {
@@ -1451,7 +1934,7 @@ export class MemoryAnonymousStore {
     });
   }
 
-  async createDeploy({ appBaseDomain, artifact, artifactHash, clientBundleBase64, clientBundleHash, publicRootUrl, requestedTtlSeconds }) {
+  async createDeploy({ appBaseDomain, artifact, artifactHash, clientBundleBase64, clientBundleHash, publicRootUrl, requestedTtlSeconds, serverEnv }) {
     const deployId = createDeployId();
     const normalizedAppBaseDomain = normalizeAppBaseDomain(appBaseDomain);
     let slug = createSlug();
@@ -1492,6 +1975,9 @@ export class MemoryAnonymousStore {
     };
     this.deploys.set(deployId, deploy);
     this.deploysBySlug.set(slug, deployId);
+    if (serverEnv !== undefined) {
+      this.serverEnv.set(deployId, { ...serverEnv });
+    }
     return { deploy, token };
   }
 
@@ -1503,9 +1989,10 @@ export class MemoryAnonymousStore {
     clientBundleHash,
     deployId,
     publicRootUrl,
-    requestedTtlSeconds
+    requestedTtlSeconds,
+    serverEnv
   }) {
-    const currentDeploy = await this.getDeployById(deployId);
+    const currentDeploy = await this.getStoredDeployById(deployId);
     if (!currentDeploy) {
       return null;
     }
@@ -1533,11 +2020,14 @@ export class MemoryAnonymousStore {
       createdAt
     });
     this.deploys.set(deployId, deploy);
-    return deploy;
+    if (serverEnv !== undefined) {
+      this.serverEnv.set(deployId, { ...serverEnv });
+    }
+    return this.deployWithUserLimitOverrides(deploy);
   }
 
   async claimDeploy(deployId, token, owner) {
-    const currentDeploy = await this.getDeployById(deployId);
+    const currentDeploy = await this.getStoredDeployById(deployId);
     if (!currentDeploy) {
       return { status: "missing" };
     }
@@ -1556,12 +2046,13 @@ export class MemoryAnonymousStore {
       owner,
       ownerId: owner.id
     };
+    await this.rememberUser(owner);
     this.deploys.set(deployId, deploy);
-    return { deploy, status: currentDeploy.ownerId ? "already_claimed" : "claimed" };
+    return { deploy: await this.deployWithUserLimitOverrides(deploy), status: currentDeploy.ownerId ? "already_claimed" : "claimed" };
   }
 
   async terminateDeploy(deployId) {
-    const currentDeploy = await this.getDeployById(deployId);
+    const currentDeploy = await this.getStoredDeployById(deployId);
     if (!currentDeploy) {
       return null;
     }
@@ -1571,11 +2062,11 @@ export class MemoryAnonymousStore {
       status: "terminated"
     };
     this.deploys.set(deployId, deploy);
-    return deploy;
+    return this.deployWithUserLimitOverrides(deploy);
   }
 
   async getDeployById(id) {
-    return this.deploys.get(id) ?? null;
+    return this.deployWithUserLimitOverrides(await this.getStoredDeployById(id));
   }
 
   async getDeployBySlug(slug) {
@@ -1624,6 +2115,14 @@ export class MemoryAnonymousStore {
     this.tableRows(deployId, tableName).delete(rowId);
   }
 
+  async replaceServerEnv(deployId, serverEnv) {
+    this.serverEnv.set(deployId, { ...serverEnv });
+  }
+
+  async getServerEnv(deployId) {
+    return { ...(this.serverEnv.get(deployId) ?? {}) };
+  }
+
   async transaction(deployId, handler) {
     const run = () => handler(this);
     const next = (this.queues.get(deployId) ?? Promise.resolve()).then(run, run);
@@ -1730,12 +2229,13 @@ export class MemoryAnonymousStore {
     const summaries = [];
 
     for (const deploy of deploys) {
+      const effectiveDeploy = await this.deployWithUserLimitOverrides(deploy);
       const storedArtifact = await this.getArtifact(deploy.artifactHash);
       summaries.push(
         adminDeploySummary({
           artifact: storedArtifact?.artifact,
           artifactBytes: storedArtifact?.bytes ?? 0,
-          deploy,
+          deploy: effectiveDeploy,
           ...this.logResourceForDeploy(deploy.id),
           ...this.stateResourceForDeploy(deploy.id),
           usage: await this.readUsage(deploy.id)
@@ -1753,11 +2253,12 @@ export class MemoryAnonymousStore {
     const summaries = [];
 
     for (const deploy of deploys) {
+      const effectiveDeploy = await this.deployWithUserLimitOverrides(deploy);
       const storedArtifact = await this.getArtifact(deploy.artifactHash);
       summaries.push(
         developerDeploySummary({
           artifact: storedArtifact?.artifact,
-          deploy,
+          deploy: effectiveDeploy,
           usage: await this.readUsage(deploy.id)
         })
       );
@@ -1768,10 +2269,11 @@ export class MemoryAnonymousStore {
 }
 
 export class PostgresAnonymousStore {
-  constructor({ connectionString }) {
+  constructor({ connectionString, serverEnvSecret = "" }) {
     this.connectionString = connectionString;
     this.pool = null;
     this.queues = new Map();
+    this.serverEnvSecret = serverEnvSecret;
   }
 
   async initialize() {
@@ -1841,6 +2343,57 @@ export class PostgresAnonymousStore {
         primary key (deploy_id, bucket, window_start)
       )
     `);
+    await this.query(`
+      create table if not exists deploy_server_env(
+        deploy_id text not null references deploys(id) on delete cascade,
+        env_key text not null,
+        env_value text not null,
+        updated_at timestamptz not null,
+        primary key (deploy_id, env_key)
+      )
+    `);
+    await this.query(`
+      create table if not exists users(
+        id text primary key,
+        provider text,
+        provider_id text,
+        login text,
+        display_name text,
+        avatar_url text,
+        url text,
+        limit_overrides_json jsonb not null default '{}',
+        created_at timestamptz not null,
+        updated_at timestamptz not null
+      )
+    `);
+    await this.query(`
+      insert into users(
+        id, provider, provider_id, login, display_name, avatar_url, url,
+        limit_overrides_json, created_at, updated_at
+      )
+      select distinct on (owner_id)
+        owner_id,
+        owner_json->>'provider',
+        owner_json->>'providerId',
+        owner_json->>'login',
+        coalesce(owner_json->>'displayName', owner_json->>'login', owner_id),
+        owner_json->>'avatarUrl',
+        owner_json->>'url',
+        '{}'::jsonb,
+        coalesce(claimed_at, created_at, now()),
+        coalesce(claimed_at, created_at, now())
+      from deploys
+      where owner_id is not null
+      order by owner_id, claimed_at desc nulls last, created_at desc
+      on conflict(id) do update set
+        provider = coalesce(excluded.provider, users.provider),
+        provider_id = coalesce(excluded.provider_id, users.provider_id),
+        login = coalesce(excluded.login, users.login),
+        display_name = coalesce(excluded.display_name, users.display_name),
+        avatar_url = coalesce(excluded.avatar_url, users.avatar_url),
+        url = coalesce(excluded.url, users.url),
+        updated_at = greatest(users.updated_at, excluded.updated_at)
+    `);
   }
 
   async query(sql, params = []) {
@@ -1851,6 +2404,199 @@ export class PostgresAnonymousStore {
     return this.pool.query(sql, params);
   }
 
+  rowToUser(row) {
+    if (!row) {
+      return null;
+    }
+
+    return {
+      avatarUrl: row.avatar_url ?? null,
+      createdAt: new Date(row.created_at).toISOString(),
+      displayName: row.display_name ?? row.login ?? row.id,
+      id: row.id,
+      limitOverrides: normalizeUserLimitOverrides(row.limit_overrides_json ?? {}),
+      login: row.login ?? null,
+      provider: row.provider ?? null,
+      providerId: row.provider_id ?? null,
+      updatedAt: new Date(row.updated_at).toISOString(),
+      url: row.url ?? null
+    };
+  }
+
+  async rememberUser(owner) {
+    const user = userFromOwner(owner);
+    const result = await this.query(
+      `
+      insert into users(
+        id, provider, provider_id, login, display_name, avatar_url, url,
+        limit_overrides_json, created_at, updated_at
+      )
+      values($1, $2, $3, $4, $5, $6, $7, '{}'::jsonb, $8, $9)
+      on conflict(id) do update set
+        provider = excluded.provider,
+        provider_id = excluded.provider_id,
+        login = excluded.login,
+        display_name = excluded.display_name,
+        avatar_url = excluded.avatar_url,
+        url = excluded.url,
+        updated_at = excluded.updated_at
+      returning *
+      `,
+      [
+        user.id,
+        user.provider,
+        user.providerId,
+        user.login,
+        user.displayName,
+        user.avatarUrl,
+        user.url,
+        user.createdAt,
+        user.updatedAt
+      ]
+    );
+    return this.rowToUser(result.rows[0]);
+  }
+
+  async getUserLimitOverrides(userId) {
+    const result = await this.query("select limit_overrides_json from users where id = $1", [normalizeUserId(userId)]);
+    return normalizeUserLimitOverrides(result.rows[0]?.limit_overrides_json ?? {});
+  }
+
+  async setUserLimitOverrides(userId, limitOverrides) {
+    const id = normalizeUserId(userId);
+    const updatedAt = now();
+    await this.query(
+      `
+      insert into users(id, display_name, limit_overrides_json, created_at, updated_at)
+      values($1, $2, $3::jsonb, $4, $4)
+      on conflict(id) do update set
+        limit_overrides_json = excluded.limit_overrides_json,
+        updated_at = excluded.updated_at
+      `,
+      [id, id, JSON.stringify(normalizeUserLimitOverrides(limitOverrides)), updatedAt]
+    );
+    return this.getAdminUser(id);
+  }
+
+  async deployWithUserLimitOverrides(deploy) {
+    if (!deploy?.ownerId) {
+      return deploy;
+    }
+
+    const limitOverrides = await this.getUserLimitOverrides(deploy.ownerId);
+    if (Object.keys(limitOverrides).length === 0) {
+      return deploy;
+    }
+
+    return {
+      ...deploy,
+      limits: limitsWithOverrides(deploy.limits, limitOverrides)
+    };
+  }
+
+  async getBaseDeployById(id) {
+    const result = await this.query("select * from deploys where id = $1", [id]);
+    return this.rowToDeploy(result.rows[0]);
+  }
+
+  async getAdminUser(userId) {
+    const windowStart = dayWindowStart();
+    const result = await this.query(
+      `
+      select
+        u.*,
+        coalesce(d.deploy_count, 0)::int as deploy_count,
+        coalesce(d.active_deploy_count, 0)::int as active_deploy_count,
+        coalesce(q.requests_today, 0)::int as requests_today,
+        coalesce(q.mutations_today, 0)::int as mutations_today
+      from users u
+      left join (
+        select
+          owner_id,
+          count(*)::int as deploy_count,
+          count(*) filter (where status = 'active' and expires_at > now())::int as active_deploy_count
+        from deploys
+        where owner_id is not null
+        group by owner_id
+      ) d on d.owner_id = u.id
+      left join (
+        select
+          d.owner_id,
+          coalesce(sum(q.count) filter (where q.bucket = 'requests' and q.window_start = $2), 0)::int as requests_today,
+          coalesce(sum(q.count) filter (where q.bucket = 'mutations' and q.window_start = $2), 0)::int as mutations_today
+        from deploys d
+        join quota_events q on q.deploy_id = d.id
+        where d.owner_id is not null
+        group by d.owner_id
+      ) q on q.owner_id = u.id
+      where u.id = $1
+      `,
+      [normalizeUserId(userId), windowStart]
+    );
+    const row = result.rows[0];
+    if (!row) {
+      return null;
+    }
+
+    return adminUserSummary({
+      activeDeployCount: row.active_deploy_count,
+      deployCount: row.deploy_count,
+      usage: [
+        { bucket: "requests", count: row.requests_today, windowStart },
+        { bucket: "mutations", count: row.mutations_today, windowStart }
+      ],
+      user: this.rowToUser(row)
+    });
+  }
+
+  async listAdminUsers() {
+    const windowStart = dayWindowStart();
+    const result = await this.query(
+      `
+      select
+        u.*,
+        coalesce(d.deploy_count, 0)::int as deploy_count,
+        coalesce(d.active_deploy_count, 0)::int as active_deploy_count,
+        coalesce(q.requests_today, 0)::int as requests_today,
+        coalesce(q.mutations_today, 0)::int as mutations_today
+      from users u
+      left join (
+        select
+          owner_id,
+          count(*)::int as deploy_count,
+          count(*) filter (where status = 'active' and expires_at > now())::int as active_deploy_count
+        from deploys
+        where owner_id is not null
+        group by owner_id
+      ) d on d.owner_id = u.id
+      left join (
+        select
+          d.owner_id,
+          coalesce(sum(q.count) filter (where q.bucket = 'requests' and q.window_start = $1), 0)::int as requests_today,
+          coalesce(sum(q.count) filter (where q.bucket = 'mutations' and q.window_start = $1), 0)::int as mutations_today
+        from deploys d
+        join quota_events q on q.deploy_id = d.id
+        where d.owner_id is not null
+        group by d.owner_id
+      ) q on q.owner_id = u.id
+      order by coalesce(u.login, u.id) asc
+      `,
+      [windowStart]
+    );
+
+    return result.rows.map((row) =>
+      adminUserSummary({
+        activeDeployCount: row.active_deploy_count,
+        deployCount: row.deploy_count,
+        usage: [
+          { bucket: "requests", count: row.requests_today, windowStart },
+          { bucket: "mutations", count: row.mutations_today, windowStart }
+        ],
+        user: this.rowToUser(row)
+      })
+    );
+  }
+
   async storeArtifact({ artifact, artifactHash, clientBundleBase64, clientBundleHash, createdAt }) {
     await this.query(
       `
@@ -1862,7 +2608,7 @@ export class PostgresAnonymousStore {
     );
   }
 
-  async createDeploy({ appBaseDomain, artifact, artifactHash, clientBundleBase64, clientBundleHash, publicRootUrl, requestedTtlSeconds }) {
+  async createDeploy({ appBaseDomain, artifact, artifactHash, clientBundleBase64, clientBundleHash, publicRootUrl, requestedTtlSeconds, serverEnv }) {
     const createdAt = now();
     const normalizedAppBaseDomain = normalizeAppBaseDomain(appBaseDomain);
     const ttlSeconds = parseTtlSeconds(requestedTtlSeconds);
@@ -1917,6 +2663,9 @@ export class PostgresAnonymousStore {
             deploy.url
           ]
         );
+        if (serverEnv !== undefined) {
+          await this.replaceServerEnv(deploy.id, serverEnv, createdAt);
+        }
         return { deploy, token };
       } catch (error) {
         if (error?.code !== "23505" || attempt === 7) {
@@ -1936,9 +2685,10 @@ export class PostgresAnonymousStore {
     clientBundleHash,
     deployId,
     publicRootUrl,
-    requestedTtlSeconds
+    requestedTtlSeconds,
+    serverEnv
   }) {
-    const currentDeploy = await this.getDeployById(deployId);
+    const currentDeploy = await this.getBaseDeployById(deployId);
     if (!currentDeploy) {
       return null;
     }
@@ -1966,11 +2716,14 @@ export class PostgresAnonymousStore {
       `,
       [deployId, artifactHash, clientBundleHash, expiresAt, nextPublicRootUrl, nextAppBaseDomain || null, url]
     );
-    return this.rowToDeploy(result.rows[0]);
+    if (serverEnv !== undefined) {
+      await this.replaceServerEnv(deployId, serverEnv, createdAt);
+    }
+    return this.deployWithUserLimitOverrides(this.rowToDeploy(result.rows[0]));
   }
 
   async claimDeploy(deployId, token, owner) {
-    const currentDeploy = await this.getDeployById(deployId);
+    const currentDeploy = await this.getBaseDeployById(deployId);
     if (!currentDeploy) {
       return { status: "missing" };
     }
@@ -1995,7 +2748,11 @@ export class PostgresAnonymousStore {
       `,
       [deployId, owner.id, claimedAt, JSON.stringify(owner)]
     );
-    return { deploy: this.rowToDeploy(result.rows[0]), status: currentDeploy.ownerId ? "already_claimed" : "claimed" };
+    await this.rememberUser(owner);
+    return {
+      deploy: await this.deployWithUserLimitOverrides(this.rowToDeploy(result.rows[0])),
+      status: currentDeploy.ownerId ? "already_claimed" : "claimed"
+    };
   }
 
   async terminateDeploy(deployId) {
@@ -2008,7 +2765,7 @@ export class PostgresAnonymousStore {
       `,
       [deployId]
     );
-    return this.rowToDeploy(result.rows[0]);
+    return this.deployWithUserLimitOverrides(this.rowToDeploy(result.rows[0]));
   }
 
   rowToDeploy(row) {
@@ -2036,13 +2793,12 @@ export class PostgresAnonymousStore {
   }
 
   async getDeployById(id) {
-    const result = await this.query("select * from deploys where id = $1", [id]);
-    return this.rowToDeploy(result.rows[0]);
+    return this.deployWithUserLimitOverrides(await this.getBaseDeployById(id));
   }
 
   async getDeployBySlug(slug) {
     const result = await this.query("select * from deploys where slug = $1", [slug]);
-    return this.rowToDeploy(result.rows[0]);
+    return this.deployWithUserLimitOverrides(this.rowToDeploy(result.rows[0]));
   }
 
   async getArtifact(hash) {
@@ -2107,6 +2863,24 @@ export class PostgresAnonymousStore {
     await this.query("delete from state_rows where deploy_id = $1 and table_name = $2 and row_id = $3", [deployId, tableName, rowId]);
   }
 
+  async replaceServerEnv(deployId, serverEnv, updatedAt = now()) {
+    await this.query("delete from deploy_server_env where deploy_id = $1", [deployId]);
+    for (const [key, value] of Object.entries(serverEnv)) {
+      await this.query(
+        `
+        insert into deploy_server_env(deploy_id, env_key, env_value, updated_at)
+        values($1, $2, $3, $4)
+        `,
+        [deployId, key, encryptServerEnvValue(value, this.serverEnvSecret), updatedAt]
+      );
+    }
+  }
+
+  async getServerEnv(deployId) {
+    const result = await this.query("select env_key, env_value from deploy_server_env where deploy_id = $1", [deployId]);
+    return Object.fromEntries(result.rows.map((row) => [row.env_key, decryptServerEnvValue(row.env_value, this.serverEnvSecret)]));
+  }
+
   async transaction(deployId, handler) {
     const run = () => handler(this);
     const next = (this.queues.get(deployId) ?? Promise.resolve()).then(run, run);
@@ -2244,11 +3018,13 @@ export class PostgresAnonymousStore {
       [windowStart]
     );
 
-    return result.rows.map((row) =>
-      adminDeploySummary({
+    return Promise.all(
+      result.rows.map(async (row) => {
+        const deploy = await this.deployWithUserLimitOverrides(this.rowToDeploy(row));
+        return adminDeploySummary({
         artifact: row.artifact_json,
         artifactBytes: row.artifact_bytes,
-        deploy: this.rowToDeploy(row),
+        deploy,
         logBytes: row.log_bytes,
         logEntries: row.log_entries,
         stateBytes: row.state_bytes,
@@ -2257,6 +3033,7 @@ export class PostgresAnonymousStore {
           { bucket: "requests", count: row.requests_today, windowStart },
           { bucket: "mutations", count: row.mutations_today, windowStart }
         ]
+        });
       })
     );
   }
@@ -2286,14 +3063,17 @@ export class PostgresAnonymousStore {
       [ownerId, windowStart]
     );
 
-    return result.rows.map((row) =>
-      developerDeploySummary({
+    return Promise.all(
+      result.rows.map(async (row) => {
+        const deploy = await this.deployWithUserLimitOverrides(this.rowToDeploy(row));
+        return developerDeploySummary({
         artifact: row.artifact_json,
-        deploy: this.rowToDeploy(row),
+        deploy,
         usage: [
           { bucket: "requests", count: row.requests_today, windowStart },
           { bucket: "mutations", count: row.mutations_today, windowStart }
         ]
+        });
       })
     );
   }
@@ -2301,7 +3081,10 @@ export class PostgresAnonymousStore {
 
 export async function createAnonymousStoreFromEnv(env = process.env) {
   if (env.DATABASE_URL) {
-    const store = new PostgresAnonymousStore({ connectionString: env.DATABASE_URL });
+    const store = new PostgresAnonymousStore({
+      connectionString: env.DATABASE_URL,
+      serverEnvSecret: serverEnvSecretFromEnv(env)
+    });
     await store.initialize();
     return store;
   }
@@ -2427,6 +3210,7 @@ export async function startAnonymousServer({
       ...deploy,
       connections: connections.get(deploy.id) ?? 0
     }));
+    const users = await resolvedStore.listAdminUsers();
     const totals = deploys.reduce(
       (acc, deploy) => ({
         artifactBytes: acc.artifactBytes + deploy.artifactBytes,
@@ -2454,7 +3238,9 @@ export async function startAnonymousServer({
       deployCount: deploys.length,
       deploys,
       generatedAt: now(),
-      totals
+      totals,
+      userCount: users.length,
+      users
     };
   }
 
@@ -2480,6 +3266,19 @@ export async function startAnonymousServer({
     }
   }
 
+  async function refreshOwnerSubscriptions(ownerId) {
+    for (const subscription of subscriptions.values()) {
+      if (subscription.deploy.ownerId !== ownerId) {
+        continue;
+      }
+
+      const deploy = await resolvedStore.getDeployById(subscription.deploy.id);
+      if (deploy) {
+        subscription.deploy = deploy;
+      }
+    }
+  }
+
   function closeDeployConnections(deployId) {
     for (const [ws, subscription] of subscriptions) {
       if (subscription.deploy.id !== deployId) {
@@ -2515,6 +3314,14 @@ export async function startAnonymousServer({
     }
   }
 
+  function refreshDeployClients(deploy) {
+    for (const [ws, subscription] of subscriptions) {
+      if (subscription.deploy.id === deploy.id) {
+        websocketSend(ws, { clientBundleHash: deploy.clientBundleHash, op: "refresh" });
+      }
+    }
+  }
+
   const server = createServer(async (req, res) => {
     const host = req.headers.host ?? "localhost";
     const requestUrl = new URL(req.url ?? "/", `http://${host}`);
@@ -2729,6 +3536,34 @@ export async function startAnonymousServer({
         return;
       }
 
+      const userLimitsMatch =
+        req.method === "PUT" ? requestUrl.pathname.match(/^\/admin\/api\/users\/([^/]+)\/limits$/) : null;
+      if (userLimitsMatch) {
+        if (!isAdminConfigured(adminPassword)) {
+          sendJson(res, 503, { error: "Lakebed admin is not configured. Set LAKEBED_ADMIN_PASSWORD." });
+          return;
+        }
+
+        if (!isAdminAuthenticated(req, adminPassword)) {
+          sendJson(res, 401, { error: "Admin authentication required." });
+          return;
+        }
+
+        const body = await readJsonBody(req, 4096);
+        let limitOverrides;
+        try {
+          limitOverrides = normalizeUserLimitOverrides(body.limits ?? body.limitOverrides ?? {});
+        } catch (error) {
+          sendJson(res, 400, { error: error instanceof Error ? error.message : String(error) });
+          return;
+        }
+
+        const user = await resolvedStore.setUserLimitOverrides(decodeURIComponent(userLimitsMatch[1]), limitOverrides);
+        await refreshOwnerSubscriptions(user.id);
+        sendJson(res, 200, { user });
+        return;
+      }
+
       const terminateMatch =
         req.method === "POST"
           ? requestUrl.pathname.match(/^\/admin\/api\/deploys\/([^/]+)\/terminate$/)
@@ -2766,6 +3601,10 @@ export async function startAnonymousServer({
       if (req.method === "POST" && requestUrl.pathname === "/v1/anonymous-deploys") {
         const body = await readJsonBody(req);
         const payload = validateAnonymousDeployPayload(body);
+        if (payload.serverEnv !== undefined && Object.keys(payload.serverEnv).length > 0) {
+          sendJson(res, 400, { error: "Server env requires a claimed deploy." });
+          return;
+        }
         const { deploy, token } = await resolvedStore.createDeploy({
           appBaseDomain: resolvedAppBaseDomain,
           artifact: payload.artifact,
@@ -2773,7 +3612,8 @@ export async function startAnonymousServer({
           clientBundleBase64: payload.clientBundleBase64,
           clientBundleHash: payload.clientBundleHash,
           publicRootUrl: resolvedPublicRootUrl,
-          requestedTtlSeconds: body.requestedTtlSeconds ?? requestUrl.searchParams.get("ttl") ?? undefined
+          requestedTtlSeconds: body.requestedTtlSeconds ?? requestUrl.searchParams.get("ttl") ?? undefined,
+          serverEnv: payload.serverEnv
         });
         await resolvedStore.appendLog(deploy.id, "info", "anonymous deploy created", { artifactHash: deploy.artifactHash });
         sendJson(res, 201, responseForDeploy({ deploy, token }));
@@ -2795,6 +3635,10 @@ export async function startAnonymousServer({
 
         const body = await readJsonBody(req);
         const payload = validateAnonymousDeployPayload(body, { allowClaimedSource: Boolean(currentDeploy.ownerId) });
+        if (payload.serverEnv !== undefined && !currentDeploy.ownerId) {
+          sendJson(res, 400, { error: "Server env requires a claimed deploy." });
+          return;
+        }
         const deploy = await resolvedStore.updateDeploy({
           appBaseDomain: resolvedAppBaseDomain,
           artifact: payload.artifact,
@@ -2803,7 +3647,8 @@ export async function startAnonymousServer({
           clientBundleHash: payload.clientBundleHash,
           deployId,
           publicRootUrl: resolvedPublicRootUrl,
-          requestedTtlSeconds: body.requestedTtlSeconds ?? requestUrl.searchParams.get("ttl") ?? undefined
+          requestedTtlSeconds: body.requestedTtlSeconds ?? requestUrl.searchParams.get("ttl") ?? undefined,
+          serverEnv: payload.serverEnv
         });
         if (!deploy) {
           sendJson(res, 404, { error: "Unknown deploy." });
@@ -2812,6 +3657,7 @@ export async function startAnonymousServer({
 
         await resolvedStore.appendLog(deploy.id, "info", "anonymous deploy updated", { artifactHash: deploy.artifactHash });
         await refreshDeploySubscriptions(deploy);
+        refreshDeployClients(deploy);
         await publishDeploy(deploy.id);
         sendJson(res, 200, responseForDeploy({ deploy }));
         return;
@@ -2847,7 +3693,8 @@ export async function startAnonymousServer({
 
       const appPath = routeSystemPath(loaded.route.appPath);
       if (req.method === "GET" && (appPath === "/" || appPath === "/index.html" || appPath === "/auth/callback")) {
-        sendText(res, 200, html(loaded.artifact.name ?? "Lakebed Capsule", loaded.basePath, { shooBaseUrl }), {
+        sendText(res, 200, html(loaded.artifact.name ?? "Lakebed Capsule", loaded.basePath, { clientBundleHash: loaded.deploy.clientBundleHash, shooBaseUrl }), {
+          "Cache-Control": "no-store",
           "Content-Type": "text/html; charset=utf-8"
         });
         return;