feat(manager-core,orchestrator-core): multi-app scoping (Phase 3b)

Apps become the isolation boundary for scripts, routes, domains, and
later data. Doing this now — while the surface is small — avoids
several migrations on populated tables once v1.1 data-plane services
ship.

Schema (migration 0005_apps.sql):
- New tables: apps, app_domains (with shape_key UNIQUE for collision
  detection), app_slug_history (for permanent slug-rename redirects).
- app_id added to scripts, routes, execution_logs (non-null, cascading
  rules per row).
- Script-name uniqueness becomes per-app; the route unique index is
  swapped for an app-scoped version.
- The "default" app is seeded unconditionally with a localhost claim;
  existing scripts/routes backfill into it. Fresh installs additionally
  get the Hello World seed via seed_hello_world_if_fresh after
  migrations run (idempotent — only fires when the default app has no
  scripts).

Orchestrator dispatch is two-phase: AppDomainTable resolves Host →
app_id (most-specific match wins, exact beats wildcard), then the
existing route matcher runs against that app's partitioned slice via
RouteTable. Unknown hosts return 404 at the app layer with a clear
message; /api/v1/execute/{id} still works as the implicit
__internal__ claim, decoupled from any public domain.

Manager API: full CRUD for /api/v1/admin/apps/* and
/api/v1/admin/apps/{id_or_slug}/domains/*, with slug:check + force
takeover semantics implementing the rename-history flow (two-step
check → confirm, never a single endpoint). Script create requires
app_id; list accepts ?app= filter. Route create validates host
against the parent app's claims; conflict detection stays strictly
intra-app.

Dashboard: /admin/apps and /admin/apps/{slug} (overview + scripts +
domains + settings tabs, with slug-history-aware redirects). Root
path redirects to the apps list. Script detail page gains an app
breadcrumb and threads app_id into the route preview.

Deferred per design: per-app admin roles. The require_admin middleware
remains the seam where role checks will slot in later.

Blueprint §11.5 and roadmap updated to reflect what shipped; docs/
versioning.md notes the schema 3 → 5 bump.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

crates/manager-core/src/route_repo.rs

@@ -1,10 +1,10 @@
 //! CRUD over the `routes` table.
 //!
-//! The orchestrator's `RouteTable` is repopulated from this repo after
-//! every write — see the route_admin module for the binding.
+//! The orchestrator's `AppRouteTables` is repopulated from this repo
+//! after every write — see the route_admin module for the binding.
 
 use async_trait::async_trait;
-use picloud_shared::{HostKind, PathKind, Route, ScriptId};
+use picloud_shared::{AppId, HostKind, PathKind, Route, ScriptId};
 use sqlx::PgPool;
 use uuid::Uuid;
 
@@ -12,6 +12,7 @@ use crate::repo::ScriptRepositoryError;
 
 #[derive(Debug, Clone)]
 pub struct NewRoute {
+    pub app_id: AppId,
     pub script_id: ScriptId,
     pub host_kind: HostKind,
     pub host: String,
@@ -24,12 +25,21 @@ pub struct NewRoute {
 #[async_trait]
 pub trait RouteRepository: Send + Sync {
     async fn list_all(&self) -> Result<Vec<Route>, ScriptRepositoryError>;
+    async fn list_for_app(&self, app_id: AppId) -> Result<Vec<Route>, ScriptRepositoryError>;
     async fn list_for_script(
         &self,
         script_id: ScriptId,
     ) -> Result<Vec<Route>, ScriptRepositoryError>;
     async fn create(&self, input: NewRoute) -> Result<Route, ScriptRepositoryError>;
     async fn delete(&self, route_id: Uuid) -> Result<(), ScriptRepositoryError>;
+    /// Count routes whose host_kind/host pair matches a pattern in
+    /// `app_id`. Used by the domain-claim delete guard.
+    async fn count_for_app_host(
+        &self,
+        app_id: AppId,
+        host_kind: HostKind,
+        host: &str,
+    ) -> Result<i64, ScriptRepositoryError>;
 }
 
 pub struct PostgresRouteRepository {
@@ -47,7 +57,7 @@ impl PostgresRouteRepository {
 impl RouteRepository for PostgresRouteRepository {
     async fn list_all(&self) -> Result<Vec<Route>, ScriptRepositoryError> {
         let rows = sqlx::query_as::<_, RouteRow>(
-            "SELECT id, script_id, host_kind, host, host_param_name, \
+            "SELECT id, app_id, script_id, host_kind, host, host_param_name, \
                     path_kind, path, method, created_at \
              FROM routes ORDER BY created_at",
         )
@@ -56,12 +66,24 @@ impl RouteRepository for PostgresRouteRepository {
         Ok(rows.into_iter().map(Into::into).collect())
     }
 
+    async fn list_for_app(&self, app_id: AppId) -> Result<Vec<Route>, ScriptRepositoryError> {
+        let rows = sqlx::query_as::<_, RouteRow>(
+            "SELECT id, app_id, script_id, host_kind, host, host_param_name, \
+                    path_kind, path, method, created_at \
+             FROM routes WHERE app_id = $1 ORDER BY created_at",
+        )
+        .bind(app_id.into_inner())
+        .fetch_all(&self.pool)
+        .await?;
+        Ok(rows.into_iter().map(Into::into).collect())
+    }
+
     async fn list_for_script(
         &self,
         script_id: ScriptId,
     ) -> Result<Vec<Route>, ScriptRepositoryError> {
         let rows = sqlx::query_as::<_, RouteRow>(
-            "SELECT id, script_id, host_kind, host, host_param_name, \
+            "SELECT id, app_id, script_id, host_kind, host, host_param_name, \
                     path_kind, path, method, created_at \
              FROM routes WHERE script_id = $1 ORDER BY created_at",
         )
@@ -74,12 +96,13 @@ impl RouteRepository for PostgresRouteRepository {
     async fn create(&self, input: NewRoute) -> Result<Route, ScriptRepositoryError> {
         let res = sqlx::query_as::<_, RouteRow>(
             "INSERT INTO routes ( \
-                script_id, host_kind, host, host_param_name, \
+                app_id, script_id, host_kind, host, host_param_name, \
                 path_kind, path, method \
-             ) VALUES ($1, $2, $3, $4, $5, $6, $7) \
-             RETURNING id, script_id, host_kind, host, host_param_name, \
+             ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8) \
+             RETURNING id, app_id, script_id, host_kind, host, host_param_name, \
                        path_kind, path, method, created_at",
         )
+        .bind(input.app_id.into_inner())
         .bind(input.script_id.into_inner())
         .bind(host_kind_str(input.host_kind))
         .bind(&input.host)
@@ -112,6 +135,24 @@ impl RouteRepository for PostgresRouteRepository {
         }
         Ok(())
     }
+
+    async fn count_for_app_host(
+        &self,
+        app_id: AppId,
+        host_kind: HostKind,
+        host: &str,
+    ) -> Result<i64, ScriptRepositoryError> {
+        let count: (i64,) = sqlx::query_as(
+            "SELECT COUNT(*) FROM routes \
+             WHERE app_id = $1 AND host_kind = $2 AND host = $3",
+        )
+        .bind(app_id.into_inner())
+        .bind(host_kind_str(host_kind))
+        .bind(host)
+        .fetch_one(&self.pool)
+        .await?;
+        Ok(count.0)
+    }
 }
 
 const fn host_kind_str(k: HostKind) -> &'static str {
@@ -133,6 +174,7 @@ const fn path_kind_str(k: PathKind) -> &'static str {
 #[derive(sqlx::FromRow)]
 struct RouteRow {
     id: Uuid,
+    app_id: Uuid,
     script_id: Uuid,
     host_kind: String,
     host: String,
@@ -147,6 +189,7 @@ impl From<RouteRow> for Route {
     fn from(r: RouteRow) -> Self {
         Self {
             id: r.id,
+            app_id: r.app_id.into(),
             script_id: r.script_id.into(),
             host_kind: match r.host_kind.as_str() {
                 "strict" => HostKind::Strict,