sh3-core 0.22.5 → 0.23.2

package/dist/api.d.ts

@@ -38,7 +38,7 @@ export type { ConflictItem, ConflictBranch as ConflictManagerBranch, ResolveOpti
 export { CONFLICT_RENDERER_POINT, ConflictPermissionError, ConflictSessionOrphanedError, } from './conflicts/api';
 export type { ColorPickOptions, ColorContribution, ColorApi, } from './color/api';
 export { COLOR_PICKER_POINT } from './color/api';
-export { registeredShards, activeShards, erroredShards } from './shards/lifecycle.svelte';
+export { registeredShards, activeShards, erroredShards, listRegisteredShards } from './shards/lifecycle.svelte';
 export type { ShardErrorEntry } from './shards/lifecycle.svelte';
 export type { RegistryIndex, PackageEntry, PackageVersion, RequiredDependency, InstalledPackage, InstallResult, PackageMeta, RemoteInstallRequest, } from './registry/types';
 export type { ResolvedPackage } from './registry/client';

package/dist/api.js

@@ -42,7 +42,7 @@ export { COLOR_PICKER_POINT } from './color/api';
 // and tooling shards that need to visualize framework state. Phase 9
 // addition: diagnostic used to reach `activate.svelte` directly via $lib;
 // the package boundary requires routing through the public surface.
-export { registeredShards, activeShards, erroredShards } from './shards/lifecycle.svelte';
+export { registeredShards, activeShards, erroredShards, listRegisteredShards } from './shards/lifecycle.svelte';
 export { fetchRegistries, fetchArchive, buildPackageMeta } from './registry/client';
 export { validateRegistryIndex } from './registry/schema';
 // Key mint/revoke types — client shards that declare `keys:mint` get ctx.keys.

package/dist/app/admin/adminApp.js

@@ -8,6 +8,8 @@ export const adminApp = {
     manifest: {
         id: 'sh3-admin-app',
         label: 'Admin',
+        icon: 'cpu',
+        color: '#D16F19',
         version: VERSION,
         requiredShards: ['sh3-admin'],
         layoutVersion: 1,

package/dist/app/admin/adminShard.svelte.js

@@ -24,6 +24,7 @@ export const adminShard = {
         id: 'sh3-admin',
         label: 'Admin',
         version: VERSION,
+        kind: 'system',
         permissions: ['documents:mount'],
         views: [
             { id: 'sh3-admin:users', label: 'Users' },

package/dist/app/store/storeApp.js

@@ -10,7 +10,9 @@ import { VERSION } from '../../version';
 export const storeApp = {
     manifest: {
         id: 'sh3-store-app',
-        label: 'Package Store',
+        label: 'Package Manager',
+        icon: 'file-archive',
+        color: '#D16F19',
         version: VERSION,
         requiredShards: ['sh3-store'],
         layoutVersion: 1,

package/dist/app/store/storeShard.svelte.js

@@ -65,6 +65,7 @@ export const storeShard = {
         id: 'sh3-store',
         label: 'Package Store',
         version: VERSION,
+        kind: 'system',
         views: [
             { id: 'sh3-store:browse', label: 'Store' },
         ],

package/dist/app-appearance/appearanceShard.svelte.js

@@ -47,6 +47,7 @@ export const appearanceShard = {
         id: '__app-appearance__',
         label: 'App Appearance',
         version: VERSION,
+        kind: 'system',
         views: [],
     },
     register(ctx) {

package/dist/apps/lifecycle.js

@@ -11,11 +11,13 @@
  * `{ id: string | null }`. Writing happens on launch (id) and on
  * return-to-home (null). Boot reads it to decide whether to auto-launch.
  */
+import { flushSync } from 'svelte';
 import { createStateZones } from '../state/zones.svelte';
 import { createGestureRegistry } from '../gestures';
 import { registeredShards, } from '../shards/lifecycle.svelte';
 import { shardEntries, runAppActivate, runAppDeactivate, registerAllShards, erroredShards } from '../shards/lifecycle.svelte';
 import { attachApp, acquireAppSlotHolds, detachApp, switchToApp, switchToHome, getActiveAppTree, } from '../layout/store.svelte';
+import { flushPendingDestroys } from '../layout/slotHostPool.svelte';
 import { activeApp, breadcrumbApp, getRegisteredApp, registeredApps } from './registry.svelte';
 import { createZoneManager } from '../state/manage';
 import { PERMISSION_STATE_MANAGE } from '../state/types';
@@ -227,19 +229,29 @@ export function unloadApp(id, skipSwitchToHome = false) {
     if (!app)
         return;
     void ((_a = app.deactivate) === null || _a === void 0 ? void 0 : _a.call(app));
-    // v3: call runAppDeactivate for every required shard. The shard stays
-    // active (its register() output is intact); only its per-app bindings
-    // and per-app contribution registrations are torn down.
-    for (const shardId of app.manifest.requiredShards) {
-        void runAppDeactivate(shardId, id);
-    }
-    // Detach layout (releases the refcount holds; pool cleanup runs on
-    // the next microtask for any slots that no longer have a renderer).
-    // Switch to home first so LayoutRenderer stops reading the app's
-    // tree before detachApp drops its references.
+    // Teardown order is load-bearing. Views must be fully unmounted before
+    // any shard's onAppDeactivate runs, so shards can safely close stores /
+    // nullify reactive state in onAppDeactivate without tripping leaked
+    // $derived references in still-mounted views (the leaked-pool bug).
+    //
+    // 1) switchToHome flips the rendered root so LayoutRenderer stops
+    //    reading the app's tree. SlotContainer cleanups are scheduled.
+    // 2) flushSync forces Svelte to run those cleanups now (drops the
+    //    renderer's refcount on every app slot).
+    // 3) detachApp releases the per-app refcount holds. Pool entries for
+    //    the app's slots are now at refcount 0 and queued in pendingDestroy.
+    // 4) flushPendingDestroys synchronously runs the destroy body for
+    //    those entries — the Svelte components for the app's views are
+    //    unmounted now, not on a deferred microtask.
+    // 5) Only now do we call runAppDeactivate on each required shard.
     if (!skipSwitchToHome)
         switchToHome();
+    flushSync();
     detachApp();
+    flushPendingDestroys();
+    for (const shardId of app.manifest.requiredShards) {
+        void runAppDeactivate(shardId, id);
+    }
     activeApp.id = null;
     setActiveApp(null, new Set());
     clearSelectionUnconditional();

package/dist/apps/lifecycle.test.js

@@ -1,7 +1,7 @@
 import { describe, it, expect, beforeEach, vi } from 'vitest';
 import { resetFramework } from '../__test__/reset';
 import { makeApp, makeShard, makeAppManifest, makeShardManifest, makeTabsNode, makeTabEntry, makeSlotNode, makeTree, } from '../__test__/fixtures';
-import { launchApp, returnToHome, unregisterApp } from './lifecycle';
+import { launchApp, returnToHome, unloadApp, unregisterApp } from './lifecycle';
 import { registerApp } from './registry.svelte';
 import { registerShard } from '../shards/lifecycle.svelte';
 import { presetManager } from '../overlays/presets';
@@ -703,6 +703,58 @@ describe('unloadApp — onAppDeactivate hook', () => {
         expect(deactivated).toEqual(['deact-app']);
     });
 });
+describe('unloadApp — view unmount happens before onAppDeactivate', () => {
+    beforeEach(resetFramework);
+    it('unmounts all of the app\'s pooled views before any shard\'s onAppDeactivate fires', async () => {
+        const order = [];
+        const shard = makeShard({
+            manifest: makeShardManifest({ id: 'order-shard' }),
+            register() { },
+            onAppDeactivate() { order.push('onAppDeactivate'); },
+        });
+        registerShard(shard);
+        // Register two views so the assertion covers an active slot AND an
+        // inactive-but-held slot. Both must unmount before deactivate.
+        registerView('order:view-a', {
+            mount: () => ({ unmount: () => order.push('view-a:unmount') }),
+        });
+        registerView('order:view-b', {
+            mount: () => ({ unmount: () => order.push('view-b:unmount') }),
+        });
+        const app = makeApp({
+            manifest: makeAppManifest({ id: 'order-app', requiredShards: ['order-shard'] }),
+            initialLayout: [
+                {
+                    name: 'default',
+                    tree: makeTree({
+                        type: 'split',
+                        direction: 'horizontal',
+                        children: [
+                            makeSlotNode('a-slot', 'order:view-a'),
+                            makeSlotNode('b-slot', 'order:view-b'),
+                        ],
+                        sizes: [0.5, 0.5],
+                    }),
+                },
+            ],
+        });
+        registerApp(app);
+        await launchApp('order-app');
+        // Let the mount microtasks settle so factories have run.
+        await Promise.resolve();
+        await Promise.resolve();
+        unloadApp('order-app');
+        // Both views must have unmounted BEFORE onAppDeactivate ran.
+        const deactivateIdx = order.indexOf('onAppDeactivate');
+        const unmountAIdx = order.indexOf('view-a:unmount');
+        const unmountBIdx = order.indexOf('view-b:unmount');
+        expect(deactivateIdx).toBeGreaterThanOrEqual(0);
+        expect(unmountAIdx).toBeGreaterThanOrEqual(0);
+        expect(unmountBIdx).toBeGreaterThanOrEqual(0);
+        expect(unmountAIdx).toBeLessThan(deactivateIdx);
+        expect(unmountBIdx).toBeLessThan(deactivateIdx);
+    });
+});
 describe('launchApp — onLayoutWillRestore / onLayoutRestored hooks', () => {
     beforeEach(resetFramework);
     it('calls onLayoutWillRestore before slot acquisition and onLayoutRestored after switchToApp', async () => {

package/dist/apps/types.d.ts

@@ -46,6 +46,15 @@ export interface AppManifest {
      * starting shards (diagnostic, __sh3core__) stay running.
      */
     requiredShards: string[];
+    /**
+     * Optional list of shard ids that ship in the same bundle as this app
+     * (combo packages). Mirrors the server-side `project-allowlist`
+     * middleware's resolution rule — these are part of the project-scope
+     * closure when the app is allowlisted, but they are NOT activated
+     * automatically (use `requiredShards` for that). Defaults to empty
+     * when omitted.
+     */
+    bundledShards?: string[];
     /**
      * Bump to invalidate persisted layouts. On launch, a persisted blob
      * whose version doesn't match this is discarded and `initialLayout`

package/dist/chrome/CompactChrome.svelte

@@ -89,16 +89,20 @@
   function toggleFloatsSheet() {
     if (floatsOpen) return;
     floatsOpen = true;
-    const handle = sh3.modal.open(
+    sh3.modal.open(
       FloatsSheet,
       {},
-      { dismissOnBackdrop: true, boxStyle: 'max-width: 320px;' },
+      {
+        dismissOnBackdrop: true,
+        boxStyle: 'max-width: 320px;',
+        // Reset on every dismissal path. Wrapping handle.close after
+        // open() returns doesn't work — ModalFrame captured the close
+        // reference at mount and bypasses any later monkey-patch.
+        onClose: () => {
+          floatsOpen = false;
+        },
+      },
     );
-    const origClose = handle.close;
-    handle.close = () => {
-      origClose();
-      floatsOpen = false;
-    };
   }
 
   function toggleDrawer(anchor: DrawerAnchor) {

package/dist/createShell.js

@@ -23,6 +23,9 @@ import { attachGlobalListeners } from './actions/listeners';
 import { detectSatelliteMode } from './boot/satelliteMode';
 import { MemoryBackend } from './state/backends';
 import { sessionState, readPendingScope, PENDING_SCOPE_KEY } from './projects/session-state.svelte';
+import { projectsApi } from './projects-shard/projectsApi';
+import { projectsState } from './projects-shard/projectsShard.svelte';
+import { toastManager } from './overlays/toast';
 import SatelliteShell from './satellite/SatelliteShell.svelte';
 export async function createShell(config) {
     var _a, _b;
@@ -87,6 +90,19 @@ export async function createShell(config) {
         if (satellite.payload.projectId) {
             sessionState.activeProjectId = satellite.payload.projectId;
         }
+        // Mirror main-mode: eager-fetch the active project so the register
+        // gate computed in bootstrapSatellite has the allowlist. Fail-closed
+        // identically — drop to personal scope on error.
+        if (sessionState.activeProjectId !== null) {
+            try {
+                const record = await projectsApi.get(sessionState.activeProjectId);
+                projectsState.projects = [record];
+            }
+            catch (err) {
+                console.warn(`[sh3] Satellite: failed to load project "${sessionState.activeProjectId}"; dropping to personal scope:`, err instanceof Error ? err.message : err);
+                sessionState.activeProjectId = null;
+            }
+        }
         __setScopeResolver(() => sessionState.activeProjectId);
         __setShardScopeResolver(() => sessionState.activeProjectId ? 'project' : 'tenant');
         if (config === null || config === void 0 ? void 0 : config.shards)
@@ -154,6 +170,30 @@ export async function createShell(config) {
             }
         }
     }
+    // 4b. Eager-fetch the active project record so the register gate
+    //     (computed in bootstrap()) has the appAllowlist available.
+    //     Fail-closed: a failed fetch drops us to personal scope rather
+    //     than booting with no gate (which would leak shards into the
+    //     project). The user sees a toast on next paint.
+    if (sessionState.activeProjectId !== null) {
+        try {
+            const record = await projectsApi.get(sessionState.activeProjectId);
+            projectsState.projects = [record];
+        }
+        catch (err) {
+            console.warn(`[sh3] Failed to load project "${sessionState.activeProjectId}"; dropping to personal scope:`, err instanceof Error ? err.message : err);
+            sessionState.activeProjectId = null;
+            if (typeof sessionStorage !== 'undefined') {
+                sessionStorage.removeItem(PENDING_SCOPE_KEY);
+            }
+            queueMicrotask(() => {
+                try {
+                    toastManager.notify('Could not load that project; dropped to personal scope.', { level: 'error', duration: 6000 });
+                }
+                catch ( /* overlay not ready; swallow */_a) { /* overlay not ready; swallow */ }
+            });
+        }
+    }
     // 5. Load server-discovered packages
     await loadDiscoveredPackages(config === null || config === void 0 ? void 0 : config.discoveredPackages);
     // 6. Register consumer-provided shards and apps

package/dist/documents/picker-api.test.js

@@ -44,6 +44,46 @@ beforeEach(() => {
 });
 describe('createDocumentPicker', () => {
     const sampleDoc = { shardId: 'my-shard', path: 'readme.md', kind: 'file' };
+    describe('options forwarding to browser modal', () => {
+        it('threads listFolders/handle/readOnlyShard/initialShardId into the modal props', async () => {
+            const listFn = async () => [];
+            const listFolders = vi.fn(async () => ['empty']);
+            const handle = {
+                mkdir: vi.fn(async () => { }),
+                rmdir: vi.fn(async () => { }),
+                renameFolder: vi.fn(async () => { }),
+                rename: vi.fn(async () => { }),
+                delete: vi.fn(async () => { }),
+            };
+            const readOnlyShard = vi.fn(() => false);
+            const picker = createDocumentPicker(listFn, {
+                listFolders, handle, readOnlyShard,
+                initialShardId: 'svg-designer', lockToShard: true,
+            });
+            mockModal();
+            picker.save();
+            await vi.waitFor(() => expect(mockModalOpen).toHaveBeenCalledOnce());
+            const props = mockModalOpen.mock.calls[0][1];
+            expect(props.listFolders).toBe(listFolders);
+            expect(props.handle).toBe(handle);
+            expect(props.readOnlyShard).toBe(readOnlyShard);
+            expect(props.initialShardId).toBe('svg-designer');
+            expect(props.lockToShard).toBe(true);
+        });
+        it('omits options when none provided (backward-compatible single-arg call)', async () => {
+            const listFn = async () => [];
+            const picker = createDocumentPicker(listFn);
+            mockModal();
+            picker.open();
+            await vi.waitFor(() => expect(mockModalOpen).toHaveBeenCalledOnce());
+            const props = mockModalOpen.mock.calls[0][1];
+            expect(props.listFolders).toBeUndefined();
+            expect(props.handle).toBeUndefined();
+            expect(props.readOnlyShard).toBeUndefined();
+            expect(props.initialShardId).toBeUndefined();
+            expect(props.lockToShard).toBeUndefined();
+        });
+    });
     describe('open() — modal (no anchor)', () => {
         it('resolves with OpenerValue when user commits', async () => {
             const listFn = async () => [{ shardId: 'my-shard', path: 'readme.md', size: 100, lastModified: 0 }];

package/dist/documents/picker-primitive.d.ts

@@ -1,4 +1,42 @@
 import type { DocumentPickerApi, DocListFn } from './picker-api';
+/**
+ * Folder mutation surface forwarded to the document browser modal.
+ * Mirrors the `handle` prop of `_DocumentBrowser.svelte`.
+ */
+export interface PickerHandleOps {
+    mkdir: (shardId: string, path: string) => Promise<void>;
+    rmdir: (shardId: string, path: string, opts: {
+        recursive: boolean;
+    }) => Promise<void>;
+    renameFolder: (shardId: string, oldPath: string, newPath: string) => Promise<void>;
+    rename: (shardId: string, oldPath: string, newPath: string) => Promise<void>;
+    delete: (shardId: string, path: string) => Promise<void>;
+}
+/**
+ * Construction-time options for `createDocumentPicker`. All optional —
+ * absent values fall back to a read-only listing of `listFn`.
+ */
+export interface DocumentPickerOptions {
+    /** Enumerates immediate child folders of `prefix` in `shardId`. When set,
+     *  empty folders (with no documents underneath) appear in the browser. */
+    listFolders?: (shardId: string, prefix: string) => Promise<string[]>;
+    /** Folder/file mutation surface. When set, the browser exposes a toolbar
+     *  with new-folder / rename / delete actions (gated per shard by
+     *  `readOnlyShard`). */
+    handle?: PickerHandleOps;
+    /** Returns true for shards the caller cannot mutate. The browser hides
+     *  the edit toolbar while navigated into such shards. */
+    readOnlyShard?: (shardId: string) => boolean;
+    /** When set, the browser opens pre-navigated into this shard's namespace
+     *  instead of the (often empty) tenant-wide shard list. The "SH3" crumb
+     *  still lets the user back out — useful in browse mode. */
+    initialShardId?: string;
+    /** When true, the browser is hard-scoped to `initialShardId`: the "SH3"
+     *  breadcrumb is hidden and Backspace at the shard root is a no-op.
+     *  Use this for non-browse shards that can only ever work within their
+     *  own namespace, so the user can't navigate into a dead-end root. */
+    lockToShard?: boolean;
+}
 /**
  * Create a document picker API bound to a document listing function.
  * The listFn is derived from the shard's document zone + browse permission
@@ -8,4 +46,4 @@ import type { DocumentPickerApi, DocListFn } from './picker-api';
  * (anchored near the element). Without an anchor it opens as a centered
  * modal (the expected default for file-browser dialogs).
  */
-export declare function createDocumentPicker(listFn: DocListFn): DocumentPickerApi;
+export declare function createDocumentPicker(listFn: DocListFn, options?: DocumentPickerOptions): DocumentPickerApi;

package/dist/documents/picker-primitive.js

@@ -11,14 +11,15 @@ const MODAL_OPTS = { dismissOnBackdrop: true, boxStyle: BOX_STYLE };
  * (anchored near the element). Without an anchor it opens as a centered
  * modal (the expected default for file-browser dialogs).
  */
-export function createDocumentPicker(listFn) {
-    /** Resolve handle for either popup (anchored) or modal (centered) path. */
+export function createDocumentPicker(listFn, options = {}) {
+    const { listFolders, handle, readOnlyShard, initialShardId, lockToShard } = options;
     function openBrowser(browserProps, anchor) {
+        const props = Object.assign(Object.assign({}, browserProps), { listFolders, handle, readOnlyShard, initialShardId, lockToShard });
         if (anchor) {
             const rect = anchor.getBoundingClientRect();
-            return sh3.popup.show(DocumentBrowser, { anchor: { x: rect.left + rect.width / 2, y: rect.top } }, browserProps);
+            return sh3.popup.show(DocumentBrowser, { anchor: { x: rect.left + rect.width / 2, y: rect.top } }, props);
         }
-        return sh3.modal.open(DocumentBrowser, browserProps, MODAL_OPTS);
+        return sh3.modal.open(DocumentBrowser, props, MODAL_OPTS);
     }
     function wrapHandle(handle, resolve) {
         const origClose = handle.close;

package/dist/host.js

@@ -15,7 +15,7 @@
  * import-hygiene rule is: shards and apps import from `api.ts`, the host
  * imports from `host.ts`.
  */
-import { registerShard as registerShardInternal, registerAllShards, } from './shards/lifecycle.svelte';
+import { registerShard as registerShardInternal, registerAllShards, listRegisteredShards, } from './shards/lifecycle.svelte';
 import { registerApp, registeredApps } from './apps/registry.svelte';
 import { launchApp, readLastApp, clearLastApp } from './apps/lifecycle';
 import { sh3coreShard } from './sh3core-shard/sh3coreShard.svelte';
@@ -35,6 +35,9 @@ import { runModeIdRenameMigration } from './migrations/mode-id-rename';
 import { setLifecycleHandlers } from './navigation/back-stack';
 import { installWebEmitter } from './navigation/platform-web';
 import { returnToHome } from './apps/lifecycle';
+import { resolveAllowedShardIds } from './projects/scope-gate';
+import { sessionState } from './projects/session-state.svelte';
+import { projectsState } from './projects-shard/projectsShard.svelte';
 export { __setBackend };
 export { setLocalOwner };
 export { __setActiveScope, __setDocumentBackend } from './documents/config';
@@ -58,6 +61,7 @@ function createWorkspaceZoneAdapter() {
     };
 }
 export async function bootstrap(config) {
+    var _a;
     // Run before anything touches the workspace zone so renamed keys are
     // already in place when shards activate.
     if (typeof globalThis.localStorage !== 'undefined') {
@@ -83,10 +87,22 @@ export async function bootstrap(config) {
     }
     // 3. Load any packages installed in a previous session from IndexedDB
     await loadInstalledPackages();
-    // 4. v3: run register(ctx) on every registered shard. Lifecycle module
-    //    handles error isolation; one failing shard does not block boot.
-    await registerAllShards();
-    // 5. Read the last-active app from the user zone. If auto-launch fails,
+    // 4. Compute the project-scope register gate. Null when in personal
+    //    scope or when the active project has an empty allowlist; otherwise
+    //    a Set of shard ids whose register() may run. Shards not in the
+    //    set are skipped — they remain in `registeredShards` so the apps
+    //    registry can still display their manifests, but their boot
+    //    side-effects (verbs, contributions, gestures, network calls)
+    //    are suppressed.
+    const activeProject = sessionState.activeProjectId
+        ? (_a = projectsState.projects.find((p) => p.id === sessionState.activeProjectId)) !== null && _a !== void 0 ? _a : null
+        : null;
+    const allowed = resolveAllowedShardIds(activeProject, registeredApps, listRegisteredShards());
+    // 5. v3: run register(ctx) on every registered shard (gated by allowed).
+    //    Lifecycle module handles error isolation; one failing shard does
+    //    not block boot.
+    await registerAllShards(allowed);
+    // 6. Read the last-active app from the user zone. If auto-launch fails,
     // clear the slot so the next reload lands on home instead of looping
     // into the same failure. No toast — the user did not initiate this.
     const lastId = readLastApp();
@@ -99,7 +115,7 @@ export async function bootstrap(config) {
             clearLastApp();
         }
     }
-    // 6. Wire navigation lifecycle handlers and install the web back/forward
+    // 7. Wire navigation lifecycle handlers and install the web back/forward
     // emitter. Order: after autostart shards and the optional last-app
     // launch, so the emitter's synthetic history entries don't interleave
     // with boot-time launches. The window/history guard makes bootstrap
@@ -118,6 +134,7 @@ export async function bootstrap(config) {
  *   - lastApp auto-launch (satellites have no last-app concept)
  */
 export async function bootstrapSatellite(config) {
+    var _a;
     // 1. Framework-owned shards (same list as bootstrap, no excludes for satellites)
     const frameworkShards = [sh3coreShard, shellShard, storeShard, adminShard, projectsShard, appearanceShard, layoutsShard];
     for (const shard of frameworkShards) {
@@ -133,7 +150,13 @@ export async function bootstrapSatellite(config) {
     // 4. v3: one-pass register sweep replaces the old autostart + satellite
     //    passes. `config.activateShardIds` is now a no-op (the field is
     //    retained on the interface for back-compat; Phase 6 deletes it).
+    //    Satellites inherit the host's project scope, so apply the same
+    //    register gate.
     void config;
-    await registerAllShards();
+    const activeProject = sessionState.activeProjectId
+        ? (_a = projectsState.projects.find((p) => p.id === sessionState.activeProjectId)) !== null && _a !== void 0 ? _a : null
+        : null;
+    const allowed = resolveAllowedShardIds(activeProject, registeredApps, listRegisteredShards());
+    await registerAllShards(allowed);
 }
 export { installPackage, listInstalledPackages } from './registry/installer';

package/dist/layout/slotHostPool.svelte.d.ts

@@ -19,6 +19,17 @@ export declare function acquireSlotHost(slotId: string, viewId: string | null, l
  * unconditional detach would yank the host out of its new home.
  */
 export declare function releaseSlotHost(slotId: string, fromWrapper?: HTMLElement): void;
+/**
+ * Synchronously drain `pendingDestroy`: for every slot id queued for
+ * deferred destruction, run the destroy body immediately if refcount is
+ * 0. Called by `unloadApp` so that all of the unloading app's views are
+ * unmounted before `onAppDeactivate` runs — preventing leaked `$derived`s
+ * in still-mounted views from tripping on state the shard nullifies.
+ *
+ * Safe to call when `pendingDestroy` is empty (no-op). Safe to call
+ * multiple times in succession.
+ */
+export declare function flushPendingDestroys(): void;
 /**
  * Test / teardown helper — destroys every pooled host immediately. Used
  * by HMR boundaries and tests; not part of normal runtime flow.

package/dist/layout/slotHostPool.svelte.js

@@ -279,23 +279,47 @@ export function releaseSlotHost(slotId, fromWrapper) {
         return;
     }
     pendingDestroy.add(slotId);
-    queueMicrotask(() => {
-        var _a, _b;
-        if (!pendingDestroy.has(slotId))
-            return;
-        pendingDestroy.delete(slotId);
-        const current = pool.get(slotId);
-        if (!current || current.refcount > 0)
-            return; // re-acquired, keep
-        (_a = current.resizeObserver) === null || _a === void 0 ? void 0 : _a.disconnect();
-        __disposeSlotContributions(slotId);
-        (_b = current.handle) === null || _b === void 0 ? void 0 : _b.unmount();
-        current.cancelPendingMount();
-        current.host.remove();
-        pool.delete(slotId);
-        delete dirtyState[slotId];
-        delete closableState[slotId];
-    });
+    queueMicrotask(() => destroyIfPending(slotId));
+}
+/**
+ * Internal: run the destroy body for one slotId if it is still pending
+ * and its refcount is 0. Shared between the microtask deferred destroy
+ * and the synchronous `flushPendingDestroys`.
+ */
+function destroyIfPending(slotId) {
+    var _a, _b;
+    if (!pendingDestroy.has(slotId))
+        return;
+    pendingDestroy.delete(slotId);
+    const current = pool.get(slotId);
+    if (!current || current.refcount > 0)
+        return; // re-acquired, keep
+    (_a = current.resizeObserver) === null || _a === void 0 ? void 0 : _a.disconnect();
+    __disposeSlotContributions(slotId);
+    (_b = current.handle) === null || _b === void 0 ? void 0 : _b.unmount();
+    current.cancelPendingMount();
+    current.host.remove();
+    pool.delete(slotId);
+    delete dirtyState[slotId];
+    delete closableState[slotId];
+}
+/**
+ * Synchronously drain `pendingDestroy`: for every slot id queued for
+ * deferred destruction, run the destroy body immediately if refcount is
+ * 0. Called by `unloadApp` so that all of the unloading app's views are
+ * unmounted before `onAppDeactivate` runs — preventing leaked `$derived`s
+ * in still-mounted views from tripping on state the shard nullifies.
+ *
+ * Safe to call when `pendingDestroy` is empty (no-op). Safe to call
+ * multiple times in succession.
+ */
+export function flushPendingDestroys() {
+    // Snapshot the set so destroyIfPending's `pendingDestroy.delete(slotId)`
+    // doesn't mutate the iteration source.
+    const ids = [...pendingDestroy];
+    for (const slotId of ids) {
+        destroyIfPending(slotId);
+    }
 }
 /**
  * Test / teardown helper — destroys every pooled host immediately. Used