sh3-server 0.13.1 → 0.13.3

package/app/assets/workspace-rekey-DRgvbNY-.js

@@ -0,0 +1,2 @@
+const n="sh3:workspace:__app__:",a=":scope:";function r(l){if(typeof localStorage>"u")return;const t=[];for(let o=0;o<localStorage.length;o++){const e=localStorage.key(o);!e||!e.startsWith(n)||e.includes(a)||t.push([e,`${e}${a}${l}`])}for(const[o,e]of t){const c=localStorage.getItem(o);c!==null&&(localStorage.setItem(e,c),localStorage.removeItem(o))}}export{r as migrateLegacyWorkspaceKeys};
+//# sourceMappingURL=workspace-rekey-DRgvbNY-.js.map

package/app/assets/workspace-rekey-DRgvbNY-.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"workspace-rekey-DRgvbNY-.js","sources":["../../../sh3-core/src/apps/workspace-rekey.ts"],"sourcesContent":["/*\n * Workspace state-zone key migration.\n *\n * Per ADR-002 amendment (2026-05-04), the workspace zone is keyed by\n * `(scopeId, appId)`. Pre-existing localStorage entries written under\n * the old `sh3:workspace:__app__:<appId>` prefix are rewritten to\n * `sh3:workspace:__app__:<appId>:scope:<personalScopeId>` on first\n * boot after upgrade. Idempotent — re-running on already-migrated\n * entries is a no-op.\n *\n * Only entries whose shardId starts with the framework `__app__:`\n * marker are migrated; bare shard keys are left alone.\n */\n\nconst APP_PREFIX = 'sh3:workspace:__app__:';\nconst SCOPE_MARKER = ':scope:';\n\nexport function migrateLegacyWorkspaceKeys(personalScopeId: string): void {\n  if (typeof localStorage === 'undefined') return;\n  const toMove: Array<[string, string]> = [];\n  for (let i = 0; i < localStorage.length; i++) {\n    const key = localStorage.key(i);\n    if (!key || !key.startsWith(APP_PREFIX)) continue;\n    if (key.includes(SCOPE_MARKER)) continue;\n    toMove.push([key, `${key}${SCOPE_MARKER}${personalScopeId}`]);\n  }\n  for (const [oldKey, newKey] of toMove) {\n    const value = localStorage.getItem(oldKey);\n    if (value !== null) {\n      localStorage.setItem(newKey, value);\n      localStorage.removeItem(oldKey);\n    }\n  }\n}\n"],"names":["APP_PREFIX","SCOPE_MARKER","migrateLegacyWorkspaceKeys","personalScopeId","toMove","i","key","oldKey","newKey","value"],"mappings":"AAcA,MAAMA,EAAa,yBACbC,EAAe,UAEd,SAASC,EAA2BC,EAA+B,CACxE,GAAI,OAAO,aAAiB,IAAa,OACzC,MAAMC,EAAkC,CAAA,EACxC,QAASC,EAAI,EAAGA,EAAI,aAAa,OAAQA,IAAK,CAC5C,MAAMC,EAAM,aAAa,IAAID,CAAC,EAC1B,CAACC,GAAO,CAACA,EAAI,WAAWN,CAAU,GAClCM,EAAI,SAASL,CAAY,GAC7BG,EAAO,KAAK,CAACE,EAAK,GAAGA,CAAG,GAAGL,CAAY,GAAGE,CAAe,EAAE,CAAC,CAC9D,CACA,SAAW,CAACI,EAAQC,CAAM,IAAKJ,EAAQ,CACrC,MAAMK,EAAQ,aAAa,QAAQF,CAAM,EACrCE,IAAU,OACZ,aAAa,QAAQD,EAAQC,CAAK,EAClC,aAAa,WAAWF,CAAM,EAElC,CACF"}

package/app/index.html

@@ -5,8 +5,8 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0" />
   <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
   <title>SH3</title>
-  <script type="module" crossorigin src="/assets/index-DgeU5PrI.js"></script>
-  <link rel="stylesheet" crossorigin href="/assets/index-AzWjqwzj.css">
+  <script type="module" crossorigin src="/assets/index-COeOnrKc.js"></script>
+  <link rel="stylesheet" crossorigin href="/assets/index-BRJE2HIy.css">
 </head>
 <body>
   <div id="app"></div>

package/dist/caller.d.ts

@@ -3,15 +3,22 @@
  *
  * Must be mounted after sessionAuth. Session wins over bearer when both
  * are present; bearer tokens are ignored on session-authenticated calls.
+ *
+ * accessibleScopes lists every scope the caller may read or write. For
+ * sessions, that's the user's personal scope plus every project they are
+ * a member of. For bearer keys, that's the key's bound scope (or empty
+ * for admin keys, which are management-only).
  */
 import type { MiddlewareHandler } from 'hono';
 import type { KeyStore } from './keys.js';
+import type { ProjectStore } from './projects.js';
 export interface CallerIdentity {
-    tenantId: string | null;
+    scopeId: string | null;
     userId: string | null;
     scopes: string[];
+    accessibleScopes: string[];
     peerRole?: 'primary' | 'replica';
     peerId?: string;
     source: 'session' | 'key' | 'none';
 }
-export declare function resolveCaller(keys: KeyStore): MiddlewareHandler;
+export declare function resolveCaller(keys: KeyStore, projects?: ProjectStore): MiddlewareHandler;

package/dist/caller.js

@@ -3,15 +3,21 @@
  *
  * Must be mounted after sessionAuth. Session wins over bearer when both
  * are present; bearer tokens are ignored on session-authenticated calls.
+ *
+ * accessibleScopes lists every scope the caller may read or write. For
+ * sessions, that's the user's personal scope plus every project they are
+ * a member of. For bearer keys, that's the key's bound scope (or empty
+ * for admin keys, which are management-only).
  */
-function identityFromSession(session) {
+function identityFromSession(session, projectIds) {
     const scopes = ['session:user'];
     if (session.role === 'admin')
         scopes.unshift('admin:*');
     return {
-        tenantId: session.userId,
+        scopeId: session.userId,
         userId: session.userId,
         scopes,
+        accessibleScopes: [session.userId, ...projectIds],
         source: 'session',
     };
 }
@@ -22,21 +28,24 @@ function extractBearerKey(authorization) {
         return null;
     return authorization.slice('Bearer '.length);
 }
-export function resolveCaller(keys) {
+export function resolveCaller(keys, projects) {
     return async (c, next) => {
         const session = c.get('session');
         if (session) {
-            c.set('caller', identityFromSession(session));
+            const projectIds = projects?.listForUser(session.userId).map((p) => p.id) ?? [];
+            c.set('caller', identityFromSession(session, projectIds));
             return next();
         }
         const token = extractBearerKey(c.req.header('Authorization'));
         if (token) {
             const row = keys.resolve(token);
             if (row) {
+                const isAdminKey = row.scopes.includes('admin:*');
                 c.set('caller', {
-                    tenantId: row.tenantId,
+                    scopeId: row.scopeId,
                     userId: row.ownerUserId,
                     scopes: [...row.scopes],
+                    accessibleScopes: isAdminKey ? [] : (row.scopeId ? [row.scopeId] : []),
                     peerRole: row.peerRole,
                     peerId: row.peerId,
                     source: 'key',
@@ -45,9 +54,10 @@ export function resolveCaller(keys) {
             }
         }
         c.set('caller', {
-            tenantId: null,
+            scopeId: null,
             userId: null,
             scopes: [],
+            accessibleScopes: [],
             source: 'none',
         });
         return next();

package/dist/doc-store/index.d.ts

@@ -7,5 +7,14 @@ export { ConflictBucket, type ConflictRef } from './conflicts.js';
 export { filterReservedMeta, RESERVED_META_KEYS } from './reserved.js';
 export { readMeta, writeMeta, deleteMeta, type DocMetadata } from './meta.js';
 import { TenantDocStore } from './store.js';
-/** Build a TenantDocStore with default dependencies wired to a data dir. */
-export declare function createTenantDocStore(dataDir: string): TenantDocStore;
+/**
+ * ScopedDocStore is the canonical name under the unified scope model
+ * (ADR-023). The class is still spelled TenantDocStore internally for
+ * change-budget reasons; callers should prefer the ScopedDocStore alias
+ * so the source vocabulary already reflects the unified naming.
+ */
+export type ScopedDocStore = TenantDocStore;
+/** Build a ScopedDocStore with default dependencies wired to a data dir. */
+export declare function createScopedDocStore(dataDir: string): ScopedDocStore;
+/** @deprecated use createScopedDocStore — kept while internal callers migrate. */
+export declare const createTenantDocStore: typeof createScopedDocStore;

package/dist/doc-store/index.js

@@ -10,8 +10,8 @@ import { PolicyCache } from './policy.js';
 import { TickCounter } from './tick.js';
 import { PeerRoles } from './roles.js';
 import { ConflictBucket } from './conflicts.js';
-/** Build a TenantDocStore with default dependencies wired to a data dir. */
-export function createTenantDocStore(dataDir) {
+/** Build a ScopedDocStore with default dependencies wired to a data dir. */
+export function createScopedDocStore(dataDir) {
     return new TenantDocStore({
         dataDir,
         policy: new PolicyCache(dataDir),
@@ -20,3 +20,5 @@ export function createTenantDocStore(dataDir) {
         conflicts: new ConflictBucket(dataDir),
     });
 }
+/** @deprecated use createScopedDocStore — kept while internal callers migrate. */
+export const createTenantDocStore = createScopedDocStore;

package/dist/index.js

@@ -18,19 +18,21 @@ import { KeyStore } from './keys.js';
 import { UserStore } from './users.js';
 import { SessionStore } from './sessions.js';
 import { SettingsStore } from './settings.js';
+import { ProjectStore } from './projects.js';
 import { sessionAuth, adminAuth } from './auth.js';
 import { resolveCaller } from './caller.js';
 import { createAuthRouter } from './routes/auth.js';
 import { createBootRouter } from './routes/boot.js';
 import { createAdminRouter } from './routes/admin.js';
 import { createDocsRouter } from './routes/docs.js';
-import { createTenantDocStore } from './doc-store/index.js';
+import { createScopedDocStore } from './doc-store/index.js';
 import { createEnvStateRouter } from './routes/env-state.js';
 import { createKeysRouter } from './routes/keys.js';
-import { loadPackages, scanPackages, servePackageBundles, createPackageManagementRoutes } from './packages.js';
+import { createProjectsRouter } from './routes/projects.js';
+import { loadPackages, scanPackages, servePackageBundles, createPackageManagementRoutes, getServerAppRegistry } from './packages.js';
 import { removeLegacyGrants } from './migrations/sync-grants.js';
 import { ShardRouter, adminOnly } from './shard-router.js';
-import { scopeRequired, tenantRequired } from './scope.js';
+import { scopeRequired, requireCallerScope } from './scope.js';
 import { registerTenantFsRoutes } from './tenant-fs/index.js';
 import shellShardServer from './shell-shard/index.js';
 export async function createServer(options = {}) {
@@ -50,6 +52,7 @@ export async function createServer(options = {}) {
     const keys = new KeyStore(dataDir);
     const users = new UserStore(dataDir);
     const settings = new SettingsStore(dataDir);
+    const projects = new ProjectStore(dataDir);
     // --no-auth: disable auth enforcement (Tauri sidecar / local-owner mode)
     if (options.noAuth) {
         settings.update({ auth: { required: false, guestAllowed: true } });
@@ -116,18 +119,24 @@ export async function createServer(options = {}) {
     app.route('/api/auth', createAuthRouter(keys, users, sessions, settings));
     // --- Session-gated routes ---
     app.use('/api/*', sessionAuth(sessions, settings, keys));
-    app.use('/api/*', resolveCaller(keys));
+    app.use('/api/*', resolveCaller(keys, projects));
     // Document backend API — gated by sessionAuth + resolveCaller (mounted above).
-    // The router itself enforces tenantParamMatch and the __-prefix reservation.
-    // Settings is threaded so tenantParamMatch respects open / no-auth mode.
-    const docStore = createTenantDocStore(dataDir);
-    app.route('/api/docs', createDocsRouter(docStore, settings));
+    // The router itself enforces scopeAccessMatch and the __-prefix reservation.
+    // Settings is threaded so scopeAccessMatch respects open / no-auth mode.
+    const docStore = createScopedDocStore(dataDir);
+    app.route('/api/docs', createDocsRouter(docStore, {
+        settings,
+        projectStore: projects,
+        appRegistry: getServerAppRegistry(dataDir),
+    }));
+    // Projects CRUD (member listing + admin management).
+    app.route('/api/projects', createProjectsRouter(projects, dataDir));
     // Environment state API (per-shard server-backed config)
     app.route('/api/env-state', createEnvStateRouter(dataDir));
     // User-tenant key management (list/revoke). Mint lives at /api/shards-keys.
     app.route('/api/keys', createKeysRouter(keys, async (event) => {
         // Broadcast will be wired in Task 10 once the shell has a consumer.
-        console.log(`[sh3] key revoked: tenant=${event.tenantId} id=${event.id}`);
+        console.log(`[sh3] key revoked: scope=${event.scopeId} id=${event.id}`);
     }));
     // Package listing (public read, writes need admin — handled by admin middleware on management routes)
     app.get('/api/packages', (c) => {
@@ -207,7 +216,7 @@ export async function createServer(options = {}) {
             permissions: [],
             adminOnly: adminOnly(keys, settings),
             scopeRequired,
-            tenantRequired,
+            tenantRequired: requireCallerScope,
             wsRegister,
         });
         app.route('/api/shell', shellSubApp);
@@ -237,7 +246,7 @@ export async function createServer(options = {}) {
             removeLegacyGrants(dataDir);
             // First-boot: generate admin key + admin user
             if (keys.isEmpty()) {
-                const initial = keys.generate({ label: 'Initial admin key', tenantId: null, ownerUserId: null, mintedByShardId: null, scopes: ['admin:*'] });
+                const initial = keys.generate({ label: 'Initial admin key', scopeId: null, ownerUserId: null, mintedByShardId: null, scopes: ['admin:*'] });
                 const tempPassword = UserStore.generatePassword();
                 await users.create({
                     username: 'admin',

package/dist/keys.d.ts

@@ -1,19 +1,23 @@
 /**
- * Unified API key store — admin, user-tenant, and connector-bound keys.
+ * Unified API key store — admin, user-scope, and connector-bound keys.
  *
  * Layout on disk:
- *   <dataDir>/admin-keys.json            — tenantId: null rows only
- *   <dataDir>/users/<tenantId>/__system__/keys.json — user-tenant rows
+ *   <dataDir>/admin-keys.json            — scopeId: null rows only
+ *   <dataDir>/users/<scopeId>/__system__/keys.json — user-scope rows
  *
  * Legacy migration: a pre-existing <dataDir>/keys.json is treated as admin
  * keys and moved to admin-keys.json on first load, with the original renamed
  * to keys.json.legacy.
+ *
+ * Field migration: rows with the legacy `tenantId` field are rewritten to
+ * `scopeId` on load (idempotent). The on-disk JSON is rewritten when any
+ * row is migrated.
  */
 export interface ApiKey {
     id: string;
     key: string;
     label: string;
-    tenantId: string | null;
+    scopeId: string | null;
     ownerUserId: string | null;
     mintedByShardId: string | null;
     scopes: string[];
@@ -25,7 +29,7 @@ export interface ApiKey {
 export type ApiKeyPublic = Omit<ApiKey, 'key'>;
 export interface GenerateInput {
     label: string;
-    tenantId: string | null;
+    scopeId: string | null;
     ownerUserId: string | null;
     mintedByShardId: string | null;
     scopes: string[];
@@ -38,12 +42,14 @@ export declare class KeyStore {
     constructor(dataDir: string);
     generate(input: GenerateInput): ApiKey;
     resolve(token: string): ApiKey | null;
-    listForTenant(tenantId: string): ApiKeyPublic[];
-    listForShard(tenantId: string, shardId: string): ApiKeyPublic[];
+    listForScope(scopeId: string): ApiKeyPublic[];
+    listForShard(scopeId: string, shardId: string): ApiKeyPublic[];
     listAdmin(): ApiKeyPublic[];
     listAll(): ApiKeyPublic[];
-    revoke(tenantId: string | null, id: string): ApiKeyPublic | null;
+    revoke(scopeId: string | null, id: string): ApiKeyPublic | null;
     isEmpty(): boolean;
     /** @deprecated use resolve() — kept until all callers migrate. */
     validate(token: string): boolean;
+    /** @deprecated use listForScope() — kept for one minor while callers migrate. */
+    listForTenant(scopeId: string): ApiKeyPublic[];
 }

package/dist/keys.js

@@ -1,13 +1,17 @@
 /**
- * Unified API key store — admin, user-tenant, and connector-bound keys.
+ * Unified API key store — admin, user-scope, and connector-bound keys.
  *
  * Layout on disk:
- *   <dataDir>/admin-keys.json            — tenantId: null rows only
- *   <dataDir>/users/<tenantId>/__system__/keys.json — user-tenant rows
+ *   <dataDir>/admin-keys.json            — scopeId: null rows only
+ *   <dataDir>/users/<scopeId>/__system__/keys.json — user-scope rows
  *
  * Legacy migration: a pre-existing <dataDir>/keys.json is treated as admin
  * keys and moved to admin-keys.json on first load, with the original renamed
  * to keys.json.legacy.
+ *
+ * Field migration: rows with the legacy `tenantId` field are rewritten to
+ * `scopeId` on load (idempotent). The on-disk JSON is rewritten when any
+ * row is migrated.
  */
 import { readFileSync, writeFileSync, existsSync, mkdirSync, readdirSync, renameSync, } from 'node:fs';
 import { dirname, join } from 'node:path';
@@ -16,15 +20,29 @@ function strip(k) {
     const { key: _drop, ...rest } = k;
     return rest;
 }
+function migrateRow(input) {
+    const row = input;
+    let migrated = false;
+    if ('tenantId' in row && !('scopeId' in row)) {
+        row.scopeId = row.tenantId ?? null;
+        delete row.tenantId;
+        migrated = true;
+    }
+    if ('connectorId' in row) {
+        delete row.connectorId;
+        migrated = true;
+    }
+    return { row: row, migrated };
+}
 export class KeyStore {
     #dataDir;
     #admin = [];
-    #byTenant = new Map();
+    #byScope = new Map();
     constructor(dataDir) {
         this.#dataDir = dataDir;
         this.#migrateLegacy();
         this.#loadAdmin();
-        this.#loadAllTenants();
+        this.#loadAllScopes();
     }
     // ---------- public API ----------
     generate(input) {
@@ -34,7 +52,7 @@ export class KeyStore {
             id,
             key,
             label: input.label,
-            tenantId: input.tenantId,
+            scopeId: input.scopeId,
             ownerUserId: input.ownerUserId,
             mintedByShardId: input.mintedByShardId,
             scopes: [...input.scopes],
@@ -43,15 +61,15 @@ export class KeyStore {
             createdAt: new Date().toISOString(),
             expiresAt: input.expiresAt,
         };
-        if (row.tenantId === null) {
+        if (row.scopeId === null) {
             this.#admin.push(row);
             this.#saveAdmin();
         }
         else {
-            const bucket = this.#byTenant.get(row.tenantId) ?? [];
+            const bucket = this.#byScope.get(row.scopeId) ?? [];
             bucket.push(row);
-            this.#byTenant.set(row.tenantId, bucket);
-            this.#saveTenant(row.tenantId);
+            this.#byScope.set(row.scopeId, bucket);
+            this.#saveScope(row.scopeId);
         }
         return { ...row, scopes: [...row.scopes] };
     }
@@ -67,30 +85,30 @@ export class KeyStore {
         const adminHit = this.#admin.find(match);
         if (adminHit)
             return adminHit;
-        for (const bucket of this.#byTenant.values()) {
+        for (const bucket of this.#byScope.values()) {
             const hit = bucket.find(match);
             if (hit)
                 return hit;
         }
         return null;
     }
-    listForTenant(tenantId) {
-        return (this.#byTenant.get(tenantId) ?? []).map(strip);
+    listForScope(scopeId) {
+        return (this.#byScope.get(scopeId) ?? []).map(strip);
     }
-    listForShard(tenantId, shardId) {
-        return this.listForTenant(tenantId).filter((k) => k.mintedByShardId === shardId);
+    listForShard(scopeId, shardId) {
+        return this.listForScope(scopeId).filter((k) => k.mintedByShardId === shardId);
     }
     listAdmin() {
         return this.#admin.map(strip);
     }
     listAll() {
         const out = this.#admin.map(strip);
-        for (const bucket of this.#byTenant.values())
+        for (const bucket of this.#byScope.values())
             out.push(...bucket.map(strip));
         return out;
     }
-    revoke(tenantId, id) {
-        if (tenantId === null) {
+    revoke(scopeId, id) {
+        if (scopeId === null) {
             const idx = this.#admin.findIndex((k) => k.id === id);
             if (idx < 0)
                 return null;
@@ -98,14 +116,14 @@ export class KeyStore {
             this.#saveAdmin();
             return strip(removed);
         }
-        const bucket = this.#byTenant.get(tenantId);
+        const bucket = this.#byScope.get(scopeId);
         if (!bucket)
             return null;
         const idx = bucket.findIndex((k) => k.id === id);
         if (idx < 0)
             return null;
         const [removed] = bucket.splice(idx, 1);
-        this.#saveTenant(tenantId);
+        this.#saveScope(scopeId);
         return strip(removed);
     }
     isEmpty() {
@@ -115,8 +133,8 @@ export class KeyStore {
     #adminPath() {
         return join(this.#dataDir, 'admin-keys.json');
     }
-    #tenantPath(tenantId) {
-        return join(this.#dataDir, 'users', tenantId, '__system__', 'keys.json');
+    #scopePath(scopeId) {
+        return join(this.#dataDir, 'users', scopeId, '__system__', 'keys.json');
     }
     #loadAdmin() {
         const p = this.#adminPath();
@@ -124,10 +142,12 @@ export class KeyStore {
             return;
         try {
             const raw = JSON.parse(readFileSync(p, 'utf-8'));
-            const dirty = raw.some((row) => 'connectorId' in row);
-            const cleaned = raw.map((row) => {
-                const { connectorId: _drop, ...rest } = row;
-                return rest;
+            let dirty = false;
+            const cleaned = raw.map((r) => {
+                const { row, migrated } = migrateRow(r);
+                if (migrated)
+                    dirty = true;
+                return row;
             });
             this.#admin.push(...cleaned);
             if (dirty)
@@ -137,30 +157,32 @@ export class KeyStore {
             // Corrupt admin file — leave empty; the next generate() overwrites.
         }
     }
-    #loadAllTenants() {
+    #loadAllScopes() {
         const usersDir = join(this.#dataDir, 'users');
         if (!existsSync(usersDir))
             return;
         for (const entry of readdirSync(usersDir, { withFileTypes: true })) {
             if (!entry.isDirectory())
                 continue;
-            const tenantId = entry.name;
-            const file = this.#tenantPath(tenantId);
+            const scopeId = entry.name;
+            const file = this.#scopePath(scopeId);
             if (!existsSync(file))
                 continue;
             try {
                 const raw = JSON.parse(readFileSync(file, 'utf-8'));
-                const dirty = raw.some((row) => 'connectorId' in row);
-                const cleaned = raw.map((row) => {
-                    const { connectorId: _drop, ...rest } = row;
-                    return rest;
+                let dirty = false;
+                const cleaned = raw.map((r) => {
+                    const { row, migrated } = migrateRow(r);
+                    if (migrated)
+                        dirty = true;
+                    return row;
                 });
-                this.#byTenant.set(tenantId, cleaned);
+                this.#byScope.set(scopeId, cleaned);
                 if (dirty)
-                    this.#saveTenant(tenantId);
+                    this.#saveScope(scopeId);
             }
             catch {
-                this.#byTenant.set(tenantId, []);
+                this.#byScope.set(scopeId, []);
             }
         }
     }
@@ -169,9 +191,9 @@ export class KeyStore {
         mkdirSync(dirname(p), { recursive: true });
         writeFileSync(p, JSON.stringify(this.#admin, null, 2));
     }
-    #saveTenant(tenantId) {
-        const bucket = this.#byTenant.get(tenantId) ?? [];
-        const p = this.#tenantPath(tenantId);
+    #saveScope(scopeId) {
+        const bucket = this.#byScope.get(scopeId) ?? [];
+        const p = this.#scopePath(scopeId);
         mkdirSync(dirname(p), { recursive: true });
         writeFileSync(p, JSON.stringify(bucket, null, 2));
     }
@@ -184,7 +206,7 @@ export class KeyStore {
             const legacy = JSON.parse(readFileSync(legacyPath, 'utf-8'));
             const migrated = legacy.map((row) => ({
                 ...row,
-                tenantId: null,
+                scopeId: null,
                 ownerUserId: null,
                 mintedByShardId: null,
                 scopes: ['admin:*'],
@@ -203,4 +225,8 @@ export class KeyStore {
         const hit = this.resolve(token);
         return !!hit && hit.scopes.includes('admin:*');
     }
+    /** @deprecated use listForScope() — kept for one minor while callers migrate. */
+    listForTenant(scopeId) {
+        return this.listForScope(scopeId);
+    }
 }

package/dist/middleware/project-allowlist.d.ts

@@ -0,0 +1,30 @@
+/**
+ * projectAppAllowlist — write-only enforcement of the project's app allowlist.
+ *
+ * For a project scope (URL :scope matches a ProjectStore entry), writes can
+ * only target shards owned by allowlisted apps, plus the framework shards
+ * listed in FRAMEWORK_SHARDS. Personal scopes are not subject to allowlists.
+ *
+ * Reads (GET / HEAD) are unrestricted; the membership check in
+ * scopeAccessMatch already gates access to project data. This middleware
+ * is layered on top to scope-down what apps can persist into the
+ * project's namespace.
+ *
+ * No admin bypass — admins authoring a write inside a project still hit
+ * the allowlist.
+ */
+import type { MiddlewareHandler } from 'hono';
+import type { ProjectStore } from '../projects.js';
+export declare const FRAMEWORK_SHARDS: readonly string[];
+interface AppRegistry {
+    get(id: string): {
+        manifest: {
+            requiredShards: string[];
+        };
+    } | null;
+}
+export declare function projectAppAllowlist(opts: {
+    projectStore: ProjectStore;
+    appRegistry: AppRegistry;
+}): MiddlewareHandler;
+export {};

package/dist/middleware/project-allowlist.js

@@ -0,0 +1,49 @@
+/**
+ * projectAppAllowlist — write-only enforcement of the project's app allowlist.
+ *
+ * For a project scope (URL :scope matches a ProjectStore entry), writes can
+ * only target shards owned by allowlisted apps, plus the framework shards
+ * listed in FRAMEWORK_SHARDS. Personal scopes are not subject to allowlists.
+ *
+ * Reads (GET / HEAD) are unrestricted; the membership check in
+ * scopeAccessMatch already gates access to project data. This middleware
+ * is layered on top to scope-down what apps can persist into the
+ * project's namespace.
+ *
+ * No admin bypass — admins authoring a write inside a project still hit
+ * the allowlist.
+ */
+export const FRAMEWORK_SHARDS = [
+    '__sh3core__',
+    '__projects__',
+];
+const WRITE_METHODS = new Set(['PUT', 'POST', 'DELETE']);
+export function projectAppAllowlist(opts) {
+    return async (c, next) => {
+        if (!WRITE_METHODS.has(c.req.method))
+            return next();
+        const scope = c.req.param('scope');
+        const shard = c.req.param('shard');
+        if (!scope || !shard)
+            return next(); // bad request — let the route handle it
+        const project = opts.projectStore.get(scope);
+        if (!project)
+            return next(); // personal scope — no allowlist applies
+        if (FRAMEWORK_SHARDS.includes(shard))
+            return next();
+        const allowed = new Set(FRAMEWORK_SHARDS);
+        for (const appId of project.appAllowlist) {
+            const app = opts.appRegistry.get(appId);
+            if (!app)
+                continue;
+            for (const s of app.manifest.requiredShards)
+                allowed.add(s);
+        }
+        if (allowed.has(shard))
+            return next();
+        return c.json({
+            error: `Shard "${shard}" is not in the project's app allowlist`,
+            project: project.id,
+        }, 403);
+    };
+}

package/dist/packages.d.ts

@@ -27,6 +27,19 @@ export declare function loadPackages(shardRouter: ShardRouter, dataDir: string,
  * manifests so the listing endpoint always reflects what is on disk.
  */
 export declare function scanPackages(dataDir: string): DiscoveredPackage[];
+/**
+ * Minimal lookup over installed app manifests, used by the project
+ * allowlist middleware to expand allowlisted app ids into their
+ * requiredShards lists. Re-reads `<dataDir>/packages/` on each call;
+ * the working set is small enough that per-request scanning is fine.
+ */
+export declare function getServerAppRegistry(dataDir: string): {
+    get(id: string): {
+        manifest: {
+            requiredShards: string[];
+        };
+    } | null;
+};
 /**
  * Register `GET /packages/:id/client.js` to serve client bundles from disk.
  * The `Cache-Control` header is read from settings on every request:

package/dist/packages.js

@@ -134,6 +134,34 @@ export function scanPackages(dataDir) {
     return result;
 }
 // ---------------------------------------------------------------------------
+// Server-side app registry (for project allowlist enforcement)
+// ---------------------------------------------------------------------------
+/**
+ * Minimal lookup over installed app manifests, used by the project
+ * allowlist middleware to expand allowlisted app ids into their
+ * requiredShards lists. Re-reads `<dataDir>/packages/` on each call;
+ * the working set is small enough that per-request scanning is fine.
+ */
+export function getServerAppRegistry(dataDir) {
+    return {
+        get(id) {
+            const manifestPath = join(dataDir, 'packages', id, 'manifest.json');
+            if (!existsSync(manifestPath))
+                return null;
+            try {
+                const manifest = JSON.parse(readFileSync(manifestPath, 'utf-8'));
+                if (manifest.type !== 'app')
+                    return null;
+                const requiredShards = Array.isArray(manifest.requiredShards) ? manifest.requiredShards : [];
+                return { manifest: { requiredShards } };
+            }
+            catch {
+                return null;
+            }
+        },
+    };
+}
+// ---------------------------------------------------------------------------
 // Client bundle serving
 // ---------------------------------------------------------------------------
 /**