User-created apps (agent-built or hand-written) need a proper home and lifecycle, separate from store apps.
The model:
- A dedicated safe area. Apps a user creates live in their own sandboxed userspace, isolated from the immutable core and from store apps. Surviving OS upgrades and even reinstalls is a requirement: the area lives with user data, not with the code checkout, and the installer must treat it like agent workspaces (preserved, never regenerated).
- Private by default. A user's apps are visible and runnable only by them. Nothing is shared unless they choose to share it.
- A My Apps manager. A small app that lists your own apps with enable/disable toggles, basic info (what it can access, when it was made, by which agent), and remove. Think of it as the user-side counterpart of the Store: the Store manages community apps, My Apps manages yours.
- Share to the store, later. From My Apps, a Share action submits an app into the distribution flow (repo created, review, store listing) once the site accounts and submission pipeline exist. Until then the button can sit disabled with a note.
- Widgets count as apps. A user-made desktop widget (e.g. a personal stats widget) should be deliverable through the same runtime and managed in the same place, just with a widget surface instead of a window.
Relationship to existing work: the sandboxed runtime and container tier that this needs already exist in draft #476 (App Runtime v1, userspace + 58 tests). This issue is the user-facing layer on top: the storage location guarantees, the My Apps manager, and the private-by-default policy. The agent-driven creation flow (ask an agent to make an app and have it land here) is the App Builder track and depends on both.
Acceptance for the first cut: a user app placed in the safe area survives a taOS upgrade and a reinstall, appears in My Apps, can be toggled off and on, and is invisible to other users on the same instance.
User-created apps (agent-built or hand-written) need a proper home and lifecycle, separate from store apps.
The model:
Relationship to existing work: the sandboxed runtime and container tier that this needs already exist in draft #476 (App Runtime v1, userspace + 58 tests). This issue is the user-facing layer on top: the storage location guarantees, the My Apps manager, and the private-by-default policy. The agent-driven creation flow (ask an agent to make an app and have it land here) is the App Builder track and depends on both.
Acceptance for the first cut: a user app placed in the safe area survives a taOS upgrade and a reinstall, appears in My Apps, can be toggled off and on, and is invisible to other users on the same instance.