@gooddata/sdk-ui-pluggable-host 11.41.0-alpha.5 → 11.41.0

package/esm/loader/appSecurityValidation.d.ts

@@ -0,0 +1,57 @@
+import { type PluggableApplicationRegistryItem } from "@gooddata/sdk-model";
+import { type IPluggableApp, type IPlatformContext } from "@gooddata/sdk-pluggable-application-model";
+/**
+ * Maximum age of a secured-remote build, in milliseconds.
+ *
+ * @remarks
+ * Demo apps shipped from the playground are explicitly time-boxed; the host
+ * refuses to mount builds older than this window. App owners must rebuild
+ * and redeploy at least this often, even if nothing else changed.
+ */
+export declare const BUILD_FRESHNESS_WINDOW_MS: number;
+/**
+ * Why a secured-remote app was rejected by {@link validateAppSecurity}.
+ */
+export type AppSecurityFailure = {
+    kind: "organization-not-allowed";
+} | {
+    kind: "build-expired";
+    ageMs: number;
+} | {
+    kind: "metadata-missing";
+};
+/**
+ * Returns true when a remote URL points at a hostname that requires
+ * build-time-baked security metadata on the loaded app.
+ */
+export declare function isSecuredRemoteUrl(url: string | undefined): boolean;
+/**
+ * Validates the build-time-baked security metadata of a loaded pluggable app
+ * against the current platform context.
+ *
+ * @remarks
+ * Returns `undefined` when the app is not subject to these checks (i.e. it
+ * was not loaded from a secured remote hostname). Otherwise returns a
+ * structured failure describing the reason; the caller is responsible for
+ * surfacing it via the renderer's error UI.
+ *
+ * The check fails closed: a secured-remote app missing either
+ * `allowedOrganizations` or `buildTimestamp` — or carrying a non-finite or
+ * future-dated `buildTimestamp` (which would otherwise bypass the
+ * freshness window via a negative age) — is rejected with
+ * `metadata-missing`. An empty allowlist is treated like any other
+ * allowlist — it simply matches no organization.
+ */
+export declare function validateAppSecurity(app: PluggableApplicationRegistryItem, loadedApp: IPluggableApp, ctx: IPlatformContext, now?: number): AppSecurityFailure | undefined;
+/**
+ * Returns the timestamp until which a secured-remote ("demo bucket") app stays
+ * within its build freshness window, or `undefined` when the app is not a
+ * secured-remote app carrying a usable build timestamp.
+ *
+ * @remarks
+ * Intended to be called only for apps that have already passed
+ * {@link validateAppSecurity}. The host surfaces the returned date in a small
+ * "valid till" badge so demo users can see when the build will expire.
+ */
+export declare function getSecuredRemoteAppValidUntil(app: PluggableApplicationRegistryItem, loadedApp: IPluggableApp): number | undefined;
+//# sourceMappingURL=appSecurityValidation.d.ts.map

package/esm/loader/appSecurityValidation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"appSecurityValidation.d.ts","sourceRoot":"","sources":["../../src/loader/appSecurityValidation.ts"],"names":[],"mappings":"AAEA,OAAO,EACH,KAAK,gCAAgC,EAExC,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,KAAK,aAAa,EAAE,KAAK,gBAAgB,EAAE,MAAM,2CAA2C,CAAC;AAgBtG;;;;;;;GAOG;AACH,eAAO,MAAM,yBAAyB,QAA2B,CAAC;AAElE;;GAEG;AACH,MAAM,MAAM,kBAAkB,GACxB;IAAE,IAAI,EAAE,0BAA0B,CAAA;CAAE,GACpC;IAAE,IAAI,EAAE,eAAe,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GACxC;IAAE,IAAI,EAAE,kBAAkB,CAAA;CAAE,CAAC;AAEnC;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,GAAG,OAAO,CAUnE;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,mBAAmB,CAC/B,GAAG,EAAE,gCAAgC,EACrC,SAAS,EAAE,aAAa,EACxB,GAAG,EAAE,gBAAgB,EACrB,GAAG,GAAE,MAAmB,GACzB,kBAAkB,GAAG,SAAS,CA4BhC;AAED;;;;;;;;;GASG;AACH,wBAAgB,6BAA6B,CACzC,GAAG,EAAE,gCAAgC,EACrC,SAAS,EAAE,aAAa,GACzB,MAAM,GAAG,SAAS,CAWpB"}

package/esm/loader/appSecurityValidation.js

@@ -0,0 +1,102 @@
+// (C) 2026 GoodData Corporation
+import { isRemotePluggableApplicationRegistryItem, } from "@gooddata/sdk-model";
+/**
+ * Hostnames that trigger build-time-baked security checks on loaded apps.
+ *
+ * @remarks
+ * These hostnames host artifacts written by external pipelines (e.g. the
+ * gdc-ui-pluggable-applications playground). The build artifacts are expected
+ * to embed `allowedOrganizations` and `buildTimestamp` on the exported
+ * pluggable app; the host enforces both at load time. Apps loaded from any
+ * other origin (same-hostname, local bundle) are not subject to these checks
+ * — their integrity is already constrained by the hostname allowlist in
+ * `remoteUrlSecurity.ts`.
+ */
+const SECURED_REMOTE_HOSTNAMES = new Set(["demo-dashboard-plugins.gooddata.com"]);
+/**
+ * Maximum age of a secured-remote build, in milliseconds.
+ *
+ * @remarks
+ * Demo apps shipped from the playground are explicitly time-boxed; the host
+ * refuses to mount builds older than this window. App owners must rebuild
+ * and redeploy at least this often, even if nothing else changed.
+ */
+export const BUILD_FRESHNESS_WINDOW_MS = 30 * 24 * 60 * 60 * 1000;
+/**
+ * Returns true when a remote URL points at a hostname that requires
+ * build-time-baked security metadata on the loaded app.
+ */
+export function isSecuredRemoteUrl(url) {
+    if (!url) {
+        return false;
+    }
+    try {
+        const { hostname } = new URL(url, window.location.origin);
+        return SECURED_REMOTE_HOSTNAMES.has(hostname);
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Validates the build-time-baked security metadata of a loaded pluggable app
+ * against the current platform context.
+ *
+ * @remarks
+ * Returns `undefined` when the app is not subject to these checks (i.e. it
+ * was not loaded from a secured remote hostname). Otherwise returns a
+ * structured failure describing the reason; the caller is responsible for
+ * surfacing it via the renderer's error UI.
+ *
+ * The check fails closed: a secured-remote app missing either
+ * `allowedOrganizations` or `buildTimestamp` — or carrying a non-finite or
+ * future-dated `buildTimestamp` (which would otherwise bypass the
+ * freshness window via a negative age) — is rejected with
+ * `metadata-missing`. An empty allowlist is treated like any other
+ * allowlist — it simply matches no organization.
+ */
+export function validateAppSecurity(app, loadedApp, ctx, now = Date.now()) {
+    if (!isRemotePluggableApplicationRegistryItem(app)) {
+        return undefined;
+    }
+    if (!isSecuredRemoteUrl(app.remote.url)) {
+        return undefined;
+    }
+    if (!Array.isArray(loadedApp.allowedOrganizations) ||
+        typeof loadedApp.buildTimestamp !== "number" ||
+        !Number.isFinite(loadedApp.buildTimestamp) ||
+        loadedApp.buildTimestamp > now) {
+        return { kind: "metadata-missing" };
+    }
+    const orgId = ctx.organization?.id;
+    if (!orgId || !loadedApp.allowedOrganizations.includes(orgId)) {
+        return { kind: "organization-not-allowed" };
+    }
+    const ageMs = now - loadedApp.buildTimestamp;
+    if (ageMs > BUILD_FRESHNESS_WINDOW_MS) {
+        return { kind: "build-expired", ageMs };
+    }
+    return undefined;
+}
+/**
+ * Returns the timestamp until which a secured-remote ("demo bucket") app stays
+ * within its build freshness window, or `undefined` when the app is not a
+ * secured-remote app carrying a usable build timestamp.
+ *
+ * @remarks
+ * Intended to be called only for apps that have already passed
+ * {@link validateAppSecurity}. The host surfaces the returned date in a small
+ * "valid till" badge so demo users can see when the build will expire.
+ */
+export function getSecuredRemoteAppValidUntil(app, loadedApp) {
+    if (!isRemotePluggableApplicationRegistryItem(app)) {
+        return undefined;
+    }
+    if (!isSecuredRemoteUrl(app.remote.url)) {
+        return undefined;
+    }
+    if (typeof loadedApp.buildTimestamp !== "number" || !Number.isFinite(loadedApp.buildTimestamp)) {
+        return undefined;
+    }
+    return loadedApp.buildTimestamp + BUILD_FRESHNESS_WINDOW_MS;
+}

package/esm/translations/de-DE.json

@@ -30,5 +30,8 @@
     "messages.genAi.visualisation.link.copied": "Der Visualisierungslink wurde in Ihre Zwischenablage kopiert.",
     "messages.showMore": "Mehr anzeigen",
     "messages.showLess": "Weniger anzeigen",
-    "gen-ai.ask-assistant.search": "Erstellen Sie eine neue Visualisierung basierend auf: {question}"
+    "gen-ai.ask-assistant.search": "Erstellen Sie eine neue Visualisierung basierend auf: {question}",
+    "gs.host.error.appNotAllowedForOrganization": "This application is not available for your organization.",
+    "gs.host.error.appBuildExpired": "This application is out of date and must be rebuilt by its author before it can run again.",
+    "gs.host.error.appSecurityMetadataMissing": "This application is missing required security metadata and cannot be loaded."
 }

package/esm/translations/en-AU.json

@@ -30,5 +30,8 @@
     "messages.genAi.visualisation.link.copied": "The visualisation link has been copied to your clipboard.",
     "messages.showMore": "Show more",
     "messages.showLess": "Show less",
-    "gen-ai.ask-assistant.search": "Create new visualisation based on: {question}"
+    "gen-ai.ask-assistant.search": "Create new visualisation based on: {question}",
+    "gs.host.error.appNotAllowedForOrganization": "This application is not available for your organization.",
+    "gs.host.error.appBuildExpired": "This application is out of date and must be rebuilt by its author before it can run again.",
+    "gs.host.error.appSecurityMetadataMissing": "This application is missing required security metadata and cannot be loaded."
 }

package/esm/translations/en-GB.json

@@ -30,5 +30,8 @@
     "messages.genAi.visualisation.link.copied": "The visualisation link has been copied to your clipboard.",
     "messages.showMore": "Show more",
     "messages.showLess": "Show less",
-    "gen-ai.ask-assistant.search": "Build new visualisation based on: {question}"
+    "gen-ai.ask-assistant.search": "Build new visualisation based on: {question}",
+    "gs.host.error.appNotAllowedForOrganization": "This application is not available for your organization.",
+    "gs.host.error.appBuildExpired": "This application is out of date and must be rebuilt by its author before it can run again.",
+    "gs.host.error.appSecurityMetadataMissing": "This application is missing required security metadata and cannot be loaded."
 }

package/esm/translations/en-US.json

@@ -75,6 +75,22 @@
         "text": "Something went wrong",
         "crowdinContext": "Heading displayed when an unexpected error occurs during application redirect resolution."
     },
+    "gs.host.error.appNotAllowedForOrganization": {
+        "text": "This application is not available for your organization.",
+        "crowdinContext": "Error shown when the host refuses to mount a pluggable application because the current organization is not in the application's build-time-baked allowlist of permitted organizations."
+    },
+    "gs.host.error.appBuildExpired": {
+        "text": "This application is out of date and must be rebuilt by its author before it can run again.",
+        "crowdinContext": "Error shown when the host refuses to mount a pluggable application because its build is older than the freshness window (currently 30 days)."
+    },
+    "gs.host.error.appSecurityMetadataMissing": {
+        "text": "This application is missing required security metadata and cannot be loaded.",
+        "crowdinContext": "Error shown when the host refuses to mount a pluggable application loaded from a secured remote origin that does not declare its allowed organizations and build timestamp."
+    },
+    "gs.host.demoApp.validUntil": {
+        "text": "Demo application valid till {date}",
+        "crowdinContext": "Text in a small floating badge shown at the bottom-right of the page for a validated demo application loaded from the demo bucket. {date} is the localized date until which the demo build remains valid."
+    },
     "gs.host.notification.newDeployment.message": {
         "text": "A new version of GoodData is available.",
         "crowdinContext": "Toast message shown when the host detects that a newer build of the application has been deployed while the user's tab was open. Followed by a reload link."
@@ -99,6 +115,42 @@
         "text": "Managing users and user groups",
         "crowdinContext": "Link to user management documentation in help menu"
     },
+    "gs.header.helpMenu.connecting": {
+        "text": "Connecting data",
+        "crowdinContext": "LDM Modeler help menu link to data connection guide"
+    },
+    "gs.header.helpMenu.starting": {
+        "text": "Starting with LDM Modeler",
+        "crowdinContext": "LDM Modeler help menu link to getting started guide"
+    },
+    "gs.header.helpMenu.modeling": {
+        "text": "Modeling data in depth",
+        "crowdinContext": "LDM Modeler help menu link to data modeling guide"
+    },
+    "gs.header.helpMenu.understanding": {
+        "text": "Understanding the Logical Data Model",
+        "crowdinContext": "LDM Modeler help menu link to LDM concept guide"
+    },
+    "gs.header.helpMenu.learning": {
+        "text": "Learning the principles of data modeling",
+        "crowdinContext": "LDM Modeler help menu link to data modeling principles"
+    },
+    "gs.header.helpMenu.firstSteps": {
+        "text": "First steps in Analytical Designer",
+        "crowdinContext": "Analytical Designer help menu link to getting started guide"
+    },
+    "gs.header.helpMenu.visualizing": {
+        "text": "Visualizing your data",
+        "crowdinContext": "Analytical Designer help menu link to data visualization guide"
+    },
+    "gs.header.helpMenu.sorting": {
+        "text": "Sorting and filtering your results",
+        "crowdinContext": "Analytical Designer help menu link to sorting and filtering guide"
+    },
+    "gs.header.helpMenu.embedding": {
+        "text": "Embedding Analytical Designer into your app",
+        "crowdinContext": "Analytical Designer help menu link to embedding integration guide"
+    },
     "messages.genAi.visualisation.saved.success": {
         "text": "Great! We saved your visualization.",
         "crowdinContext": "Success message when generative AI visualization is saved"

package/esm/translations/es-419.json

@@ -30,5 +30,8 @@
     "messages.genAi.visualisation.link.copied": "El enlace de visualización se ha copiado en el portapapeles.",
     "messages.showMore": "Mostrar más",
     "messages.showLess": "Mostrar menos",
-    "gen-ai.ask-assistant.search": "Crear una nueva visualización basada en: {question}"
+    "gen-ai.ask-assistant.search": "Crear una nueva visualización basada en: {question}",
+    "gs.host.error.appNotAllowedForOrganization": "This application is not available for your organization.",
+    "gs.host.error.appBuildExpired": "This application is out of date and must be rebuilt by its author before it can run again.",
+    "gs.host.error.appSecurityMetadataMissing": "This application is missing required security metadata and cannot be loaded."
 }

package/esm/translations/es-ES.json

@@ -30,5 +30,8 @@
     "messages.genAi.visualisation.link.copied": "El enlace de visualización se ha copiado en el portapapeles.",
     "messages.showMore": "Mostrar más",
     "messages.showLess": "Mostrar menos",
-    "gen-ai.ask-assistant.search": "Construir una nueva visualización basada en{question}: "
+    "gen-ai.ask-assistant.search": "Construir una nueva visualización basada en{question}: ",
+    "gs.host.error.appNotAllowedForOrganization": "This application is not available for your organization.",
+    "gs.host.error.appBuildExpired": "This application is out of date and must be rebuilt by its author before it can run again.",
+    "gs.host.error.appSecurityMetadataMissing": "This application is missing required security metadata and cannot be loaded."
 }

package/esm/translations/fi-FI.json

@@ -30,5 +30,8 @@
     "messages.genAi.visualisation.link.copied": "Visualisointilinkki on kopioitu leikepöydällesi.",
     "messages.showMore": "Näytä lisää",
     "messages.showLess": "Näytä vähemmän",
-    "gen-ai.ask-assistant.search": "Luo uusi visualisointi, joka perustuu{question}: "
+    "gen-ai.ask-assistant.search": "Luo uusi visualisointi, joka perustuu{question}: ",
+    "gs.host.error.appNotAllowedForOrganization": "This application is not available for your organization.",
+    "gs.host.error.appBuildExpired": "This application is out of date and must be rebuilt by its author before it can run again.",
+    "gs.host.error.appSecurityMetadataMissing": "This application is missing required security metadata and cannot be loaded."
 }

package/esm/translations/fr-CA.json

@@ -30,5 +30,8 @@
     "messages.genAi.visualisation.link.copied": "Le lien de visualisation a été copié dans votre presse-papiers.",
     "messages.showMore": "Montrer plus",
     "messages.showLess": "Montrer moins",
-    "gen-ai.ask-assistant.search": "Construire une nouvelle visualisation basée sur: {question}"
+    "gen-ai.ask-assistant.search": "Construire une nouvelle visualisation basée sur: {question}",
+    "gs.host.error.appNotAllowedForOrganization": "This application is not available for your organization.",
+    "gs.host.error.appBuildExpired": "This application is out of date and must be rebuilt by its author before it can run again.",
+    "gs.host.error.appSecurityMetadataMissing": "This application is missing required security metadata and cannot be loaded."
 }

package/esm/translations/fr-FR.json

@@ -30,5 +30,8 @@
     "messages.genAi.visualisation.link.copied": "Le lien de la visualisation a été copié dans votre presse-papiers.",
     "messages.showMore": "Montrer plus",
     "messages.showLess": "Montrer moins",
-    "gen-ai.ask-assistant.search": "Construire une nouvelle visualisation bas\u0000e9e sur\u0000a0: {question}"
+    "gen-ai.ask-assistant.search": "Construire une nouvelle visualisation bas\u0000e9e sur\u0000a0: {question}",
+    "gs.host.error.appNotAllowedForOrganization": "This application is not available for your organization.",
+    "gs.host.error.appBuildExpired": "This application is out of date and must be rebuilt by its author before it can run again.",
+    "gs.host.error.appSecurityMetadataMissing": "This application is missing required security metadata and cannot be loaded."
 }

package/esm/translations/id-ID.json

@@ -30,5 +30,8 @@
     "messages.genAi.visualisation.link.copied": "Tautan visualisasi telah disalin ke clipboard Anda.",
     "messages.showMore": "Tampilkan lebih banyak",
     "messages.showLess": "Tampilkan lebih sedikit",
-    "gen-ai.ask-assistant.search": "Bangun visualisasi baru berdasarkan: {question}"
+    "gen-ai.ask-assistant.search": "Bangun visualisasi baru berdasarkan: {question}",
+    "gs.host.error.appNotAllowedForOrganization": "This application is not available for your organization.",
+    "gs.host.error.appBuildExpired": "This application is out of date and must be rebuilt by its author before it can run again.",
+    "gs.host.error.appSecurityMetadataMissing": "This application is missing required security metadata and cannot be loaded."
 }

package/esm/translations/it-IT.json

@@ -30,5 +30,8 @@
     "messages.genAi.visualisation.link.copied": "Il link di visualizzazione è stato copiato negli appunti.",
     "messages.showMore": "Mostra di più",
     "messages.showLess": "Mostra di meno",
-    "gen-ai.ask-assistant.search": "Costruire nuove visualizzazioni basate su: {question}"
+    "gen-ai.ask-assistant.search": "Costruire nuove visualizzazioni basate su: {question}",
+    "gs.host.error.appNotAllowedForOrganization": "This application is not available for your organization.",
+    "gs.host.error.appBuildExpired": "This application is out of date and must be rebuilt by its author before it can run again.",
+    "gs.host.error.appSecurityMetadataMissing": "This application is missing required security metadata and cannot be loaded."
 }

package/esm/translations/ja-JP.json

@@ -30,5 +30,8 @@
     "messages.genAi.visualisation.link.copied": "視覚化リンクがクリップボードにコピーされました。",
     "messages.showMore": "もっと表示",
     "messages.showLess": "表示を減らす",
-    "gen-ai.ask-assistant.search": "新しいビジュアライゼーションを構築する：{question}"
+    "gen-ai.ask-assistant.search": "新しいビジュアライゼーションを構築する：{question}",
+    "gs.host.error.appNotAllowedForOrganization": "This application is not available for your organization.",
+    "gs.host.error.appBuildExpired": "This application is out of date and must be rebuilt by its author before it can run again.",
+    "gs.host.error.appSecurityMetadataMissing": "This application is missing required security metadata and cannot be loaded."
 }

package/esm/translations/ko-KR.json

@@ -30,5 +30,8 @@
     "messages.genAi.visualisation.link.copied": "시각화 링크가 클립보드에 복사되었습니다.",
     "messages.showMore": "더 보기",
     "messages.showLess": "간단히 보기",
-    "gen-ai.ask-assistant.search": "새 시각화 생성 기준: {question}"
+    "gen-ai.ask-assistant.search": "새 시각화 생성 기준: {question}",
+    "gs.host.error.appNotAllowedForOrganization": "This application is not available for your organization.",
+    "gs.host.error.appBuildExpired": "This application is out of date and must be rebuilt by its author before it can run again.",
+    "gs.host.error.appSecurityMetadataMissing": "This application is missing required security metadata and cannot be loaded."
 }

package/esm/translations/nl-NL.json

@@ -30,5 +30,8 @@
     "messages.genAi.visualisation.link.copied": "De visualisatielink is gekopieerd naar je klembord.",
     "messages.showMore": "Meer tonen",
     "messages.showLess": "Minder tonen",
-    "gen-ai.ask-assistant.search": "Bouw nieuwe visualisatie gebaseerd op: {question}"
+    "gen-ai.ask-assistant.search": "Bouw nieuwe visualisatie gebaseerd op: {question}",
+    "gs.host.error.appNotAllowedForOrganization": "This application is not available for your organization.",
+    "gs.host.error.appBuildExpired": "This application is out of date and must be rebuilt by its author before it can run again.",
+    "gs.host.error.appSecurityMetadataMissing": "This application is missing required security metadata and cannot be loaded."
 }

package/esm/translations/pl-PL.json

@@ -30,5 +30,8 @@
     "messages.genAi.visualisation.link.copied": "Link do Wizualizacji został skopiowany do schowka.",
     "messages.showMore": "Pokaż więcej",
     "messages.showLess": "Pokaż mniej",
-    "gen-ai.ask-assistant.search": "Utwórz nową wizualizację na podstawie: {question}"
+    "gen-ai.ask-assistant.search": "Utwórz nową wizualizację na podstawie: {question}",
+    "gs.host.error.appNotAllowedForOrganization": "This application is not available for your organization.",
+    "gs.host.error.appBuildExpired": "This application is out of date and must be rebuilt by its author before it can run again.",
+    "gs.host.error.appSecurityMetadataMissing": "This application is missing required security metadata and cannot be loaded."
 }

package/esm/translations/pt-BR.json

@@ -30,5 +30,8 @@
     "messages.genAi.visualisation.link.copied": "O link de visualização foi copiado para a área de transferência.",
     "messages.showMore": "Exibir mais",
     "messages.showLess": "Exibir menos",
-    "gen-ai.ask-assistant.search": "Crie uma nova visualização com base em: {question}"
+    "gen-ai.ask-assistant.search": "Crie uma nova visualização com base em: {question}",
+    "gs.host.error.appNotAllowedForOrganization": "This application is not available for your organization.",
+    "gs.host.error.appBuildExpired": "This application is out of date and must be rebuilt by its author before it can run again.",
+    "gs.host.error.appSecurityMetadataMissing": "This application is missing required security metadata and cannot be loaded."
 }

package/esm/translations/pt-PT.json

@@ -30,5 +30,8 @@
     "messages.genAi.visualisation.link.copied": "O link de visualização foi copiado para a área de transferência.",
     "messages.showMore": "Mostrar mais",
     "messages.showLess": "Mostrar menos",
-    "gen-ai.ask-assistant.search": "Crie uma nova visualização com base em: {question}"
+    "gen-ai.ask-assistant.search": "Crie uma nova visualização com base em: {question}",
+    "gs.host.error.appNotAllowedForOrganization": "This application is not available for your organization.",
+    "gs.host.error.appBuildExpired": "This application is out of date and must be rebuilt by its author before it can run again.",
+    "gs.host.error.appSecurityMetadataMissing": "This application is missing required security metadata and cannot be loaded."
 }

package/esm/translations/ru-RU.json

@@ -30,5 +30,8 @@
     "messages.genAi.visualisation.link.copied": "Ссылка на визуализацию скопирована в буфер обмена.",
     "messages.showMore": "Раскрыть",
     "messages.showLess": "Скрыть",
-    "gen-ai.ask-assistant.search": "Создайте новую визуализацию на основе: {question}"
+    "gen-ai.ask-assistant.search": "Создайте новую визуализацию на основе: {question}",
+    "gs.host.error.appNotAllowedForOrganization": "This application is not available for your organization.",
+    "gs.host.error.appBuildExpired": "This application is out of date and must be rebuilt by its author before it can run again.",
+    "gs.host.error.appSecurityMetadataMissing": "This application is missing required security metadata and cannot be loaded."
 }

package/esm/translations/sl-SI.json

@@ -30,5 +30,8 @@
     "messages.genAi.visualisation.link.copied": "Povezava vizualizacije je bila kopirana v vašo odlagališče.",
     "messages.showMore": "Prikaži več",
     "messages.showLess": "Prikaži manj",
-    "gen-ai.ask-assistant.search": "Ustvarite novo vizualizacijo na osnovi: {question}"
+    "gen-ai.ask-assistant.search": "Ustvarite novo vizualizacijo na osnovi: {question}",
+    "gs.host.error.appNotAllowedForOrganization": "This application is not available for your organization.",
+    "gs.host.error.appBuildExpired": "This application is out of date and must be rebuilt by its author before it can run again.",
+    "gs.host.error.appSecurityMetadataMissing": "This application is missing required security metadata and cannot be loaded."
 }

package/esm/translations/th-TH.json

@@ -30,5 +30,8 @@
     "messages.genAi.visualisation.link.copied": "คัดลอกลิงก์การแสดงภาพข้อมูลไปยังคลิปบอร์ดของคุณแล้ว",
     "messages.showMore": "แสดงเพิ่มเติม",
     "messages.showLess": "แสดงน้อยลง",
-    "gen-ai.ask-assistant.search": "สร้างการแสดงภาพข้อมูลใหม่โดยอิงตาม: {question}"
+    "gen-ai.ask-assistant.search": "สร้างการแสดงภาพข้อมูลใหม่โดยอิงตาม: {question}",
+    "gs.host.error.appNotAllowedForOrganization": "This application is not available for your organization.",
+    "gs.host.error.appBuildExpired": "This application is out of date and must be rebuilt by its author before it can run again.",
+    "gs.host.error.appSecurityMetadataMissing": "This application is missing required security metadata and cannot be loaded."
 }

package/esm/translations/tr-TR.json

@@ -30,5 +30,8 @@
     "messages.genAi.visualisation.link.copied": "Görselleştirme bağlantısı panonuza kopyalandı.",
     "messages.showMore": "Daha fazla göster",
     "messages.showLess": "Daha az göster",
-    "gen-ai.ask-assistant.search": "Yeni görselleştirme oluştur: {question}"
+    "gen-ai.ask-assistant.search": "Yeni görselleştirme oluştur: {question}",
+    "gs.host.error.appNotAllowedForOrganization": "This application is not available for your organization.",
+    "gs.host.error.appBuildExpired": "This application is out of date and must be rebuilt by its author before it can run again.",
+    "gs.host.error.appSecurityMetadataMissing": "This application is missing required security metadata and cannot be loaded."
 }

package/esm/translations/uk-UA.json

@@ -30,5 +30,8 @@
     "messages.genAi.visualisation.link.copied": "Посилання на візуалізацію скопійовано до буфера обміну.",
     "messages.showMore": "Показати більше",
     "messages.showLess": "Показати менше",
-    "gen-ai.ask-assistant.search": "Створити нову візуалізацію на основі: {question}"
+    "gen-ai.ask-assistant.search": "Створити нову візуалізацію на основі: {question}",
+    "gs.host.error.appNotAllowedForOrganization": "This application is not available for your organization.",
+    "gs.host.error.appBuildExpired": "This application is out of date and must be rebuilt by its author before it can run again.",
+    "gs.host.error.appSecurityMetadataMissing": "This application is missing required security metadata and cannot be loaded."
 }

package/esm/translations/vi-VN.json

@@ -30,5 +30,8 @@
     "messages.genAi.visualisation.link.copied": "Liên kết trực quan hóa đã được sao chép vào bảng nhớ tạm của bạn.",
     "messages.showMore": "Hiện thêm",
     "messages.showLess": "Hiện ít",
-    "gen-ai.ask-assistant.search": "Tạo trực quan hóa mới dựa trên: {question}"
+    "gen-ai.ask-assistant.search": "Tạo trực quan hóa mới dựa trên: {question}",
+    "gs.host.error.appNotAllowedForOrganization": "This application is not available for your organization.",
+    "gs.host.error.appBuildExpired": "This application is out of date and must be rebuilt by its author before it can run again.",
+    "gs.host.error.appSecurityMetadataMissing": "This application is missing required security metadata and cannot be loaded."
 }

package/esm/translations/zh-HK.json

@@ -30,5 +30,8 @@
     "messages.genAi.visualisation.link.copied": "可視化連結已複製到剪貼板。",
     "messages.showMore": "顯示更多",
     "messages.showLess": "顯示簡要信息",
-    "gen-ai.ask-assistant.search": "根據以下條件構建新嘅可視化： {question}"
+    "gen-ai.ask-assistant.search": "根據以下條件構建新嘅可視化： {question}",
+    "gs.host.error.appNotAllowedForOrganization": "This application is not available for your organization.",
+    "gs.host.error.appBuildExpired": "This application is out of date and must be rebuilt by its author before it can run again.",
+    "gs.host.error.appSecurityMetadataMissing": "This application is missing required security metadata and cannot be loaded."
 }

package/esm/translations/zh-Hans.json

@@ -30,5 +30,8 @@
     "messages.genAi.visualisation.link.copied": "可视化链接已复制到您的剪贴板。",
     "messages.showMore": "显示更多",
     "messages.showLess": "显示更少",
-    "gen-ai.ask-assistant.search": "根据以下内容构建新的可视化：{question}"
+    "gen-ai.ask-assistant.search": "根据以下内容构建新的可视化：{question}",
+    "gs.host.error.appNotAllowedForOrganization": "This application is not available for your organization.",
+    "gs.host.error.appBuildExpired": "This application is out of date and must be rebuilt by its author before it can run again.",
+    "gs.host.error.appSecurityMetadataMissing": "This application is missing required security metadata and cannot be loaded."
 }

package/esm/translations/zh-Hant.json

@@ -30,5 +30,8 @@
     "messages.genAi.visualisation.link.copied": "視覺化連結已複製到您的剪貼簿。",
     "messages.showMore": "展示更多",
     "messages.showLess": "顯示較少",
-    "gen-ai.ask-assistant.search": "根據以下內容建立新的視覺化：{question}"
+    "gen-ai.ask-assistant.search": "根據以下內容建立新的視覺化：{question}",
+    "gs.host.error.appNotAllowedForOrganization": "This application is not available for your organization.",
+    "gs.host.error.appBuildExpired": "This application is out of date and must be rebuilt by its author before it can run again.",
+    "gs.host.error.appSecurityMetadataMissing": "This application is missing required security metadata and cannot be loaded."
 }

package/esm/ui/HostChrome.d.ts

@@ -15,8 +15,8 @@ export interface IHostChromeProps {
     headerOptions?: IAppHeaderOptions;
     notification?: IHostUiNotification | null;
     /**
-     * Page-title segment set by the active pluggable application via its `onDocumentTitleChange`
-     * callback. When omitted, the active application's manifest title is used instead.
+     * Page-title segment set by the active pluggable application via a document-title-changed
+     * event. When omitted, the active application's manifest title is used instead.
      */
     appPageTitle?: string;
     children?: ReactNode;

package/esm/ui/HostChrome.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"HostChrome.d.ts","sourceRoot":"","sources":["../../src/ui/HostChrome.tsx"],"names":[],"mappings":"AAEA,OAAO,EAAuC,KAAK,SAAS,EAAwB,MAAM,OAAO,CAAC;AAElG,OAAO,EAEH,KAAK,gCAAgC,EACxC,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACH,KAAK,iBAAiB,EACtB,KAAK,mBAAmB,EACxB,KAAK,gBAAgB,EACxB,MAAM,2CAA2C,CAAC;AA+BnD,OAAO,mBAAmB,CAAC;AAK3B,OAAO,0CAA0C,CAAC;AAClD,OAAO,6CAA6C,CAAC;AACrD,OAAO,sDAAsD,CAAC;AAC9D,OAAO,0DAA0D,CAAC;AAIlE,MAAM,WAAW,gBAAgB;IAC7B,GAAG,EAAE,gBAAgB,CAAC;IACtB,oBAAoB,EAAE,gCAAgC,EAAE,CAAC;IACzD,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAClC,SAAS,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IACjC,aAAa,CAAC,EAAE,iBAAiB,CAAC;IAClC,YAAY,CAAC,EAAE,mBAAmB,GAAG,IAAI,CAAC;IAC1C;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,SAAS,CAAC;CACxB;AAED,wBAAgB,UAAU,CAAC,EACvB,GAAG,EACH,oBAAoB,EACpB,QAAQ,EACR,UAAU,EACV,SAAS,EAAE,UAAU,EACrB,aAAa,EACb,YAAmB,EACnB,YAAY,EACZ,QAAQ,EACX,EAAE,gBAAgB,2CAsNlB"}
+{"version":3,"file":"HostChrome.d.ts","sourceRoot":"","sources":["../../src/ui/HostChrome.tsx"],"names":[],"mappings":"AAEA,OAAO,EAAuC,KAAK,SAAS,EAAwB,MAAM,OAAO,CAAC;AAElG,OAAO,EAGH,KAAK,gCAAgC,EACxC,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACH,KAAK,iBAAiB,EACtB,KAAK,mBAAmB,EACxB,KAAK,gBAAgB,EACxB,MAAM,2CAA2C,CAAC;AAgCnD,OAAO,mBAAmB,CAAC;AAK3B,OAAO,0CAA0C,CAAC;AAClD,OAAO,6CAA6C,CAAC;AACrD,OAAO,sDAAsD,CAAC;AAC9D,OAAO,0DAA0D,CAAC;AAIlE,MAAM,WAAW,gBAAgB;IAC7B,GAAG,EAAE,gBAAgB,CAAC;IACtB,oBAAoB,EAAE,gCAAgC,EAAE,CAAC;IACzD,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAClC,SAAS,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IACjC,aAAa,CAAC,EAAE,iBAAiB,CAAC;IAClC,YAAY,CAAC,EAAE,mBAAmB,GAAG,IAAI,CAAC;IAC1C;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,SAAS,CAAC;CACxB;AAED,wBAAgB,UAAU,CAAC,EACvB,GAAG,EACH,oBAAoB,EACpB,QAAQ,EACR,UAAU,EACV,SAAS,EAAE,UAAU,EACrB,aAAa,EACb,YAAmB,EACnB,YAAY,EACZ,QAAQ,EACX,EAAE,gBAAgB,2CAwNlB"}

package/esm/ui/HostChrome.js

@@ -4,7 +4,7 @@ import { useCallback, useMemo } from "react";
 import { isExternalPluggableApplicationRegistryItem, } from "@gooddata/sdk-model";
 import { BackendProvider, resolveLocale } from "@gooddata/sdk-ui";
 import { AppHeaderNotifications } from "@gooddata/sdk-ui-application-header";
-import { AppHeader, DocumentHeader, ToastsCenterContextProvider, generateHeaderStaticHelpMenuItems, } from "@gooddata/sdk-ui-kit";
+import { AppHeader, DocumentHeader, ToastsCenterContextProvider, generateHeaderAccountMenuItems, generateHeaderStaticHelpMenuItems, } from "@gooddata/sdk-ui-kit";
 import { defaultHeaderTheme } from "@gooddata/sdk-ui-theme-provider";
 import defaultLogoUrl from "../assets/logo-white.svg";
 import { getAppLifecycleCallbacks, preloadPluggableApplication, } from "../loader/pluggableApplicationsLoader.js";
@@ -50,20 +50,17 @@ export function HostChrome({ ctx, resolvedApplications, pathname, onNavigate, on
     // menu. Apps may still supply their own help items via headerOptions.
     const helpMenuItems = useMemo(() => headerOptions?.helpMenuItems ??
         (ctx.whiteLabeling?.enabled ? [] : generateHeaderStaticHelpMenuItems()), [headerOptions, ctx.whiteLabeling?.enabled]);
-    const accountMenuItems = useMemo(() => [
-        {
-            key: LOGOUT_MENU_ITEM_KEY,
-            onClick: () => {
-                void getBackend().deauthenticate();
-            },
-        },
-    ], []);
+    const accountMenuItems = useMemo(() => generateHeaderAccountMenuItems(ctx.workspacePermissions ?? {}, features.workspaceId, ctx.settings), [ctx.workspacePermissions, features.workspaceId, ctx.settings]);
     const handleMenuItemClick = useCallback((item, e) => {
         e?.preventDefault();
         if (item.onClick) {
             item.onClick(e ?? null);
             return;
         }
+        if (item.key === LOGOUT_MENU_ITEM_KEY) {
+            void getBackend().deauthenticate();
+            return;
+        }
         if (item.href) {
             if (item.target === "_blank") {
                 window.open(item.href, "_blank", "noopener,noreferrer");
@@ -114,8 +111,8 @@ export function HostChrome({ ctx, resolvedApplications, pathname, onNavigate, on
     // URL is cleared, instead of leaving the stale icon in place.
     const faviconUrl = ctx.whiteLabeling?.faviconUrl || "/favicon.ico";
     // The host owns the browser tab title as "{page} - {brand}". The page segment defaults to the
-    // active application's manifest title, but an embedded app can override it dynamically via its
-    // mount `onDocumentTitleChange` callback (surfaced here as `appPageTitle`). When white-labeling
+    // active application's manifest title, but an embedded app can override it dynamically by emitting
+    // a document-title-changed event (surfaced here as `appPageTitle`). When white-labeling
     // is enabled the brand is the organization name — preferring the user profile's name, then the
     // resolved organization descriptor title (the profile field is optional) — and is omitted (so
     // DocumentHeader drops the " - " separator) only when neither is set. The GoodData product name

package/esm/ui/PluggableApplicationRenderer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"PluggableApplicationRenderer.d.ts","sourceRoot":"","sources":["../../src/ui/PluggableApplicationRenderer.tsx"],"names":[],"mappings":"AAMA,OAAO,EAAE,KAAK,gCAAgC,EAAE,MAAM,qBAAqB,CAAC;AAC5E,OAAO,EACH,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,EAIxB,MAAM,2CAA2C,CAAC;AASnD,OAAO,qCAAqC,CAAC;AAM7C,MAAM,WAAW,kCAAkC;IAC/C,GAAG,EAAE,gCAAgC,CAAC;IACtC,GAAG,EAAE,gBAAgB,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,iBAAiB,KAAK,IAAI,CAAC;IACpE,qBAAqB,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,SAAS,KAAK,IAAI,CAAC;CAClF;AAED,wBAAgB,4BAA4B,CAAC,EACzC,GAAG,EACH,GAAG,EACH,QAAQ,EACR,cAAc,EACd,qBAAqB,EACxB,EAAE,kCAAkC,2CAqIpC"}
+{"version":3,"file":"PluggableApplicationRenderer.d.ts","sourceRoot":"","sources":["../../src/ui/PluggableApplicationRenderer.tsx"],"names":[],"mappings":"AAMA,OAAO,EAAE,KAAK,gCAAgC,EAAE,MAAM,qBAAqB,CAAC;AAC5E,OAAO,EACH,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,EAMxB,MAAM,2CAA2C,CAAC;AAcnD,OAAO,qCAAqC,CAAC;AAkB7C,MAAM,WAAW,kCAAkC;IAC/C,GAAG,EAAE,gCAAgC,CAAC;IACtC,GAAG,EAAE,gBAAgB,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,iBAAiB,KAAK,IAAI,CAAC;IACpE,qBAAqB,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,SAAS,KAAK,IAAI,CAAC;CAClF;AAED,wBAAgB,4BAA4B,CAAC,EACzC,GAAG,EACH,GAAG,EACH,QAAQ,EACR,cAAc,EACd,qBAAqB,EACxB,EAAE,kCAAkC,2CAsMpC"}

package/esm/ui/PluggableApplicationRenderer.js

@@ -1,22 +1,36 @@
 import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
 // (C) 2026 GoodData Corporation
 import { useCallback, useEffect, useMemo, useRef, useState } from "react";
-import { FormattedMessage } from "react-intl";
-import { isReloadPlatformContextRequestedEvent, } from "@gooddata/sdk-pluggable-application-model";
+import { FormattedMessage, defineMessage, useIntl } from "react-intl";
+import { isDocumentTitleChangedEvent, isReloadPlatformContextRequestedEvent, } from "@gooddata/sdk-pluggable-application-model";
 import { LoadingComponent, useAutoupdateRef } from "@gooddata/sdk-ui";
 import { bemFactory } from "@gooddata/sdk-ui-kit";
 import { now } from "../debug.js";
+import { getSecuredRemoteAppValidUntil, validateAppSecurity, } from "../loader/appSecurityValidation.js";
 import { getAppLifecycleCallbacks, loadPluggableApplication } from "../loader/pluggableApplicationsLoader.js";
 import { getApplicationHref } from "../loader/routing.js";
 import { BackendPlatformContextProvider } from "../platformContext/useLoadPlatformContext.js";
 import "./PluggableApplicationRenderer.scss";
 const { b, e } = bemFactory("gd-pluggable-application-renderer");
+// Use `defineMessage` for each id so the intl extractor and validator can statically
+// match them against the locale JSON files. A plain `{ id }` literal passed to
+// `intl.formatMessage` is opaque to the tooling.
+const SECURITY_FAILURE_MESSAGES = {
+    "organization-not-allowed": defineMessage({ id: "gs.host.error.appNotAllowedForOrganization" }),
+    "build-expired": defineMessage({ id: "gs.host.error.appBuildExpired" }),
+    "metadata-missing": defineMessage({ id: "gs.host.error.appSecurityMetadataMissing" }),
+};
 export function PluggableApplicationRenderer({ app, ctx, pathname, onHeaderChange, onDocumentTitleChange, }) {
+    const intl = useIntl();
+    const intlRef = useAutoupdateRef(intl);
     const ctxRef = useAutoupdateRef(ctx);
     const onHeaderChangeRef = useAutoupdateRef(onHeaderChange);
     const onDocumentTitleChangeRef = useAutoupdateRef(onDocumentTitleChange);
     const containerRef = useRef(null);
     const mountHandleRef = useRef(undefined);
+    // The app/module pair currently mounted. Held so the context-change effect can
+    // re-run the security check against the live organization without reloading.
+    const mountedAppRef = useRef(undefined);
     const [viewState, setViewState] = useState({ state: "loading" });
     const baseHref = getApplicationHref(app, ctx, pathname);
     const appBasePath = ctx.embeddingMode === "iframe" ? `/embedded${baseHref}` : baseHref;
@@ -25,17 +39,23 @@ export function PluggableApplicationRenderer({ app, ctx, pathname, onHeaderChang
     // onEvent is intentionally stable (empty deps) — pluggable apps capture it at mount time
     // and do not update it when the host re-renders. Do not make this callback depend on
     // any value that can change after mount, or the mounted app will silently call a stale closure.
+    // Values that change after mount are read through refs (e.g. onDocumentTitleChangeRef).
     const onEvent = useCallback((event) => {
         if (isReloadPlatformContextRequestedEvent(event)) {
             void BackendPlatformContextProvider.load();
+            return;
         }
-    }, []);
+        if (isDocumentTitleChangedEvent(event)) {
+            onDocumentTitleChangeRef.current?.(app.id, event.payload.pageTitle);
+        }
+    }, [app.id, onDocumentTitleChangeRef]);
     useEffect(() => {
         let cancelled = false;
         const mountId = `${app.id}:${Date.now()}`;
         const totalStart = now();
         const prevHandle = mountHandleRef.current;
         mountHandleRef.current = undefined;
+        mountedAppRef.current = undefined;
         setViewState({ state: "loading" });
         // Defer unmount of the previous app to avoid synchronously unmounting
         // a React root while React is already rendering (race in strict mode).
@@ -49,6 +69,17 @@ export function PluggableApplicationRenderer({ app, ctx, pathname, onHeaderChang
             if (cancelled) {
                 return;
             }
+            const securityFailure = validateAppSecurity(app, loadedApp, ctxRef.current);
+            if (securityFailure) {
+                const message = intlRef.current.formatMessage(SECURITY_FAILURE_MESSAGES[securityFailure.kind]);
+                console.error(`[host-runtime/renderer] Refusing to mount app "${app.id}": ${securityFailure.kind}.`, securityFailure);
+                lifecycle?.onLoadFailed?.(app.id, securityFailure.kind);
+                setViewState({ state: "error", message });
+                return;
+            }
+            // Report load success only after the security check passes, so a rejected
+            // app never produces both an onLoadCompleted and an onLoadFailed for the
+            // same attempt.
             lifecycle?.onLoadCompleted?.(app.id, now() - loadStart);
             const container = containerRef.current;
             if (!container) {
@@ -63,11 +94,11 @@ export function PluggableApplicationRenderer({ app, ctx, pathname, onHeaderChang
                 onEvent,
                 onTelemetryEvent,
                 onHeaderChange: (header) => onHeaderChangeRef.current?.(app.id, header),
-                onDocumentTitleChange: (pageTitle) => onDocumentTitleChangeRef.current?.(app.id, pageTitle),
             });
+            mountedAppRef.current = { app, loadedApp };
             lifecycle?.onMountCompleted?.(app.id, now() - mountStart);
             lifecycle?.onRendered?.(app.id, now() - totalStart);
-            setViewState({ state: "ready" });
+            setViewState({ state: "ready", validUntil: getSecuredRemoteAppValidUntil(app, loadedApp) });
         })
             .catch((mountError) => {
             if (cancelled) {
@@ -86,27 +117,45 @@ export function PluggableApplicationRenderer({ app, ctx, pathname, onHeaderChang
             const handle = mountHandleRef.current;
             if (handle) {
                 mountHandleRef.current = undefined;
+                mountedAppRef.current = undefined;
                 queueMicrotask(() => {
                     handle.unmount();
                     lifecycle?.onUnmounted?.(app.id);
                 });
             }
         };
-    }, [
-        app,
-        appBasePath,
-        ctxRef,
-        onHeaderChangeRef,
-        onDocumentTitleChangeRef,
-        onTelemetryEvent,
-        lifecycle,
-        onEvent,
-    ]);
+    }, [app, appBasePath, ctxRef, intlRef, onHeaderChangeRef, onTelemetryEvent, lifecycle, onEvent]);
     useEffect(() => {
-        mountHandleRef.current?.updateContext?.(ctx);
-    }, [ctx]);
+        const mounted = mountedAppRef.current;
+        const handle = mountHandleRef.current;
+        if (!mounted || !handle) {
+            return;
+        }
+        // Re-run the security check against the new context. The app's base path does not
+        // encode the organization id, so an organization change does not re-run the mount
+        // effect — without this an app could stay mounted under an organization that is no
+        // longer in its allowlist (or with a now-expired build).
+        const securityFailure = validateAppSecurity(mounted.app, mounted.loadedApp, ctx);
+        if (securityFailure) {
+            const message = intlRef.current.formatMessage(SECURITY_FAILURE_MESSAGES[securityFailure.kind]);
+            console.error(`[host-runtime/renderer] Unmounting app "${mounted.app.id}" after context change: ${securityFailure.kind}.`, securityFailure);
+            mountHandleRef.current = undefined;
+            mountedAppRef.current = undefined;
+            handle.unmount();
+            lifecycle?.onUnmounted?.(mounted.app.id);
+            lifecycle?.onLoadFailed?.(mounted.app.id, securityFailure.kind);
+            setViewState({ state: "error", message });
+            return;
+        }
+        handle.updateContext?.(ctx);
+    }, [ctx, intlRef, lifecycle]);
     return (_jsxs("section", { className: b(), children: [viewState.state === "loading" ? (_jsx("div", { className: e("loading"), children: _jsx(LoadingComponent, { height: 40 }) })) : null, viewState.state === "error" ? (_jsxs("div", { className: e("error"), children: [
                     _jsx("h2", { children: _jsx(FormattedMessage, { id: "gs.host.error.applicationFailedToLoad" }) }), _jsx("p", { children: viewState.message })
-                ] })) : null, _jsx("div", { ref: containerRef, className: e("container", { visible: viewState.state === "ready" }) })
-        ] }));
+                ] })) : null, _jsx("div", { ref: containerRef, className: e("container", { visible: viewState.state === "ready" }) }), viewState.state === "ready" && viewState.validUntil !== undefined ? (_jsx("div", { className: e("demoBadge"), role: "status", children: _jsx(FormattedMessage, { id: "gs.host.demoApp.validUntil", values: {
+                        date: intl.formatDate(viewState.validUntil, {
+                            year: "numeric",
+                            month: "long",
+                            day: "numeric",
+                        }),
+                    } }) })) : null] }));
 }

package/esm/ui/PluggableApplicationRenderer.scss

@@ -12,10 +12,20 @@
 
     &__error {
         min-height: 240px;
+        height: 100%;
         display: flex;
         flex-direction: column;
-        justify-content: center;
+        align-items: center;
+        text-align: center;
         gap: 8px;
+
+        // Push the error block to roughly one third from the top. The spacer's
+        // flex-basis is a percentage of this column's height (resolves against
+        // the 100% height above), so it stays proportional as the area resizes.
+        &::before {
+            content: "";
+            flex: 0 0 33%;
+        }
     }
 
     &__container {
@@ -26,4 +36,24 @@
         display: block;
         height: 100%;
     }
+
+    // Small semi-transparent floating badge pinned to the bottom-right of the
+    // page, shown only for validated demo-bucket apps. Non-interactive so it
+    // never intercepts clicks meant for the app beneath it.
+    &__demoBadge {
+        position: fixed;
+        right: 16px;
+        bottom: 16px;
+        z-index: 100;
+        padding: 6px 12px;
+        border-radius: 6px;
+        font-size: 12px;
+        line-height: 1.4;
+        color: #fff;
+        background: rgba(20, 35, 49, 0.16);
+        backdrop-filter: blur(4px);
+        box-shadow: 0 1px 4px rgba(0, 0, 0, 0.2);
+        pointer-events: none;
+        user-select: none;
+    }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gooddata/sdk-ui-pluggable-host",
-  "version": "11.41.0-alpha.5",
+  "version": "11.41.0",
   "description": "GoodData SDK runtime for hosting pluggable applications — registry, loader, routing, platform context, default UI chrome",
   "license": "MIT",
   "author": "GoodData Corporation",
@@ -29,20 +29,20 @@
   "dependencies": {
     "@module-federation/runtime": "2.3.1",
     "lodash-es": "^4.17.23",
-    "@gooddata/sdk-backend-base": "11.41.0-alpha.5",
-    "@gooddata/sdk-backend-spi": "11.41.0-alpha.5",
-    "@gooddata/sdk-backend-tiger": "11.41.0-alpha.5",
-    "@gooddata/sdk-model": "11.41.0-alpha.5",
-    "@gooddata/sdk-embedding": "11.41.0-alpha.5",
-    "@gooddata/sdk-pluggable-application-model": "11.41.0-alpha.5",
-    "@gooddata/sdk-ui": "11.41.0-alpha.5",
-    "@gooddata/sdk-ui-ext": "11.41.0-alpha.5",
-    "@gooddata/sdk-ui-application-header": "11.41.0-alpha.5",
-    "@gooddata/sdk-ui-gen-ai": "11.41.0-alpha.5",
-    "@gooddata/sdk-ui-kit": "11.41.0-alpha.5",
-    "@gooddata/sdk-ui-semantic-search": "11.41.0-alpha.5",
-    "@gooddata/sdk-ui-theme-provider": "11.41.0-alpha.5",
-    "@gooddata/util": "11.41.0-alpha.5"
+    "@gooddata/sdk-backend-spi": "11.41.0",
+    "@gooddata/sdk-backend-tiger": "11.41.0",
+    "@gooddata/sdk-backend-base": "11.41.0",
+    "@gooddata/sdk-embedding": "11.41.0",
+    "@gooddata/sdk-model": "11.41.0",
+    "@gooddata/sdk-pluggable-application-model": "11.41.0",
+    "@gooddata/sdk-ui-ext": "11.41.0",
+    "@gooddata/sdk-ui-application-header": "11.41.0",
+    "@gooddata/sdk-ui": "11.41.0",
+    "@gooddata/sdk-ui-kit": "11.41.0",
+    "@gooddata/sdk-ui-theme-provider": "11.41.0",
+    "@gooddata/sdk-ui-semantic-search": "11.41.0",
+    "@gooddata/util": "11.41.0",
+    "@gooddata/sdk-ui-gen-ai": "11.41.0"
   },
   "devDependencies": {
     "@microsoft/api-documenter": "^7.17.0",
@@ -85,8 +85,8 @@
     "vite": "8.0.16",
     "vitest": "4.1.8",
     "vitest-dom": "0.1.1",
-    "@gooddata/eslint-config": "11.41.0-alpha.5",
-    "@gooddata/oxlint-config": "11.41.0-alpha.5"
+    "@gooddata/oxlint-config": "11.41.0",
+    "@gooddata/eslint-config": "11.41.0"
   },
   "peerDependencies": {
     "react": ">=18.3.1",