[bug] HealthBar notify race: rapid toggle during async permission prompt

[fedorovvvv]

Source: PRD-018 SC-2 audit, Logic [W1] + Security [W1].

template/src/widgets/health-bar/ui/HealthBar.svelte:39-48

async function onToggleNotify(next: boolean) {
  if (next && permission === 'default') {
    const result = await Notification.requestPermission();
    permission = result;
    notify = result === 'granted';
    return;
  }
  notify = next && permission === 'granted';
}

Between await Notification.requestPermission() and the assignment to notify, the user can re-toggle the Toggle. The second invocation reads stale permission and may write the wrong final state. bits-ui will also optimistically flip pressed → true during the await, then snap back if denied — which feels glitchy.

Repro

1. Click "🔔 Notify" with permission === 'default'.
2. Before the permission prompt resolves, click again.
3. Observe inconsistent final state vs the actual permission outcome.

Fix

• Disable the Toggle while a request is in flight (disabled={requesting}); set requesting = true before await, false after.
• Bind pressed strictly to a $derived of notify && permission === 'granted' so it never optimistically flips.
• Confirm Toggle.pressed non-bindable usage matches the primitive's contract (declared pressed = $bindable(false) — see Logic [W2]).

Acceptance

• Rapid double-click on the Toggle during the permission prompt cannot produce a state where pressed and permission disagree.
• No visual flicker between optimistic pressed=true and the final value.

Audit traceability

• Reviewers: Logic, Security

[fedorovvvv]

Fixed in branch `develop` as part of PRD-019 Wave 1.

What changed (`template/src/widgets/health-bar/ui/HealthBar.svelte`)

```ts
let permission = $state<NotificationPermission | 'unsupported'>('default');
let requesting = $state(false);

const notifyPressed = $derived(notify && permission === 'granted');

async function onToggleNotify(next: boolean) {
if (requesting) return;
if (next) {
requesting = true;
try {
const result = await requestPermission();
permission = result;
notify = result === 'granted';
} finally {
requesting = false;
}
} else {
notify = false;
}
}
```

• Re-entry guard via `requesting` flag — second click during the await is ignored.
• Toggle is also `disabled={permission === 'denied' || requesting}` so it visually communicates the locked state.
• `pressed={notifyPressed}` is now driven by a `$derived` so it never optimistically flips during the await.

Acceptance

• Rapid double-click during the permission prompt cannot produce `pressed/permission` disagreement.
• No visual flicker between optimistic `pressed=true` and the final value.
• `npm run check` clean.

[fedorovvvv]

Resolved by PR #100 (merged into develop as merge commit 6f498b9). Will reach main with the next release/v* cycle.