@colixsystems/widget-sdk 0.13.0 → 0.15.0

package/dist/linter.cjs

@@ -54,18 +54,15 @@ const CONTRACT_RULES = CONTRACT.bannedApis.map((b) =>
   _ruleForIdentifier(b.identifier, b.reason),
 );
 
+// REQ-WSDK-PLATFORM: `no-axios-import` is GONE. axios is on the vetted
+// import list now (`CONTRACT.vettedImports`). See linter.js for the
+// source-of-truth comment.
 const EXTRA_RULES = [
   {
     id: "no-auth-store-import",
     label: "widgets must not import the host's auth store",
     pattern: /useAuthStore/,
   },
-  {
-    id: "no-axios-import",
-    label:
-      "widgets must not import axios directly; use the injected datastore client",
-    pattern: /from\s+['"]axios['"]|require\s*\(\s*['"]axios['"]\s*\)/,
-  },
 ];
 
 const RULES = [...CONTRACT_RULES, ...EXTRA_RULES];
@@ -74,12 +71,234 @@ function bannedIdentifiers() {
   return CONTRACT.bannedApis.map((b) => b.identifier);
 }
 
-function lintSource(source) {
+// REQ-WSDK-PLATFORM §3.4, §8: import-specifier validation. See linter.js
+// for the source-of-truth comment.
+const IMPORT_SPECIFIER_RE =
+  /(?:^|[\s;])(?:import(?:\s+[^"';]+from)?|require)\s*\(?\s*['"]([^'"]+)['"]/g;
+
+function _classifySpecifier(spec) {
+  if (
+    spec.startsWith("./") ||
+    (spec.startsWith(".") && !spec.startsWith(".."))
+  ) {
+    return "relative-ok";
+  }
+  if (spec.startsWith("../")) return "relative-escape";
+  if (
+    spec.startsWith("/") ||
+    spec.startsWith("http:") ||
+    spec.startsWith("https:") ||
+    spec.startsWith("blob:") ||
+    spec.startsWith("data:")
+  ) {
+    return "absolute";
+  }
+  return "bare";
+}
+
+function _importRules(source, manifest) {
+  const findings = [];
+  const allowed = new Map(
+    CONTRACT.vettedImports.map((v) => [v.specifier, v]),
+  );
+  const declaredPlatforms =
+    manifest &&
+    Array.isArray(manifest.supportedPlatforms) &&
+    manifest.supportedPlatforms.length > 0
+      ? new Set(manifest.supportedPlatforms)
+      : null;
+
+  const lines = source.split(/\r?\n/);
+  for (let i = 0; i < lines.length; i += 1) {
+    const line = lines[i];
+    IMPORT_SPECIFIER_RE.lastIndex = 0;
+    let m;
+    while ((m = IMPORT_SPECIFIER_RE.exec(line))) {
+      const spec = m[1];
+      const kind = _classifySpecifier(spec);
+      if (kind === "relative-ok") continue;
+      if (kind === "relative-escape") {
+        findings.push({
+          rule: "no-parent-relative-import",
+          label: `relative import "${spec}" escapes the bundle (\`../\`) — only sibling-file imports (\`./foo.js\`) are allowed`,
+          line: i + 1,
+          snippet: line.trim().slice(0, 200),
+        });
+        continue;
+      }
+      if (kind === "absolute") {
+        findings.push({
+          rule: "no-absolute-import",
+          label: `absolute import "${spec}" is not allowed — use a vetted bare specifier or a sibling-file (\`./foo.js\`) import`,
+          line: i + 1,
+          snippet: line.trim().slice(0, 200),
+        });
+        continue;
+      }
+      const entry = allowed.get(spec);
+      if (!entry) {
+        findings.push({
+          rule: "import-not-vetted",
+          label:
+            `import "${spec}" is not on the vetted package list — see ` +
+            `CONTRACT.vettedImports for the current set or open a request to add it`,
+          line: i + 1,
+          snippet: line.trim().slice(0, 200),
+        });
+        continue;
+      }
+      if (declaredPlatforms) {
+        for (const wanted of declaredPlatforms) {
+          if (!entry.platforms.includes(wanted)) {
+            findings.push({
+              rule: "import-platform-mismatch",
+              label:
+                `"${spec}" supports [${entry.platforms.join(", ")}] but the ` +
+                `manifest claims supportedPlatforms includes "${wanted}". ` +
+                `Move this import into widget.${wanted === "web" ? "native" : "web"}.jsx, ` +
+                `or drop "${wanted}" from manifest.supportedPlatforms.`,
+              line: i + 1,
+              snippet: line.trim().slice(0, 200),
+            });
+          }
+        }
+      }
+    }
+  }
+  return findings;
+}
+
+function _hostApiUrlRules(source) {
+  const findings = [];
+  const patterns = CONTRACT.hostApiUrlPatterns || [];
+  const lines = source.split(/\r?\n/);
+  for (let i = 0; i < lines.length; i += 1) {
+    const line = lines[i];
+    for (const needle of patterns) {
+      if (line.includes(needle)) {
+        findings.push({
+          rule: "no-host-api-url",
+          severity: "warning",
+          label:
+            `source contains "${needle}" — calls to the AppStudio host API ` +
+            `are blocked at runtime (widgets get no JWT token). Use SDK ` +
+            `hooks for workspace data; \`axios\`/\`fetch\` for third-party APIs.`,
+          line: i + 1,
+          snippet: line.trim().slice(0, 200),
+        });
+        break;
+      }
+    }
+  }
+  return findings;
+}
+
+// REQ-USERMGMT / REQ-ACL-SYS M3 — scope-required-for-user-mutation. See
+// linter.js for the rationale comment. The two files must stay in
+// lockstep (the contract test asserts behaviour-equivalence).
+const USER_MUTATION_METHODS = ["invite", "deactivate", "reactivate", "remove"];
+const GROUP_MUTATION_METHODS = ["create", "remove", "addMember", "removeMember"];
+const SKIP_COMMENT = /\/\/[^\n]*@appstudio-skip-scope-check/;
+
+function _scopeRules(source, manifest) {
+  const findings = [];
+  if (!manifest || typeof manifest !== "object") return findings;
+  const declared = new Set(
+    Array.isArray(manifest.requestedScopes)
+      ? manifest.requestedScopes.filter((s) => typeof s === "string")
+      : [],
+  );
+  const usesUsersHook = /\buseUsers\s*\(/.test(source);
+  const usesGroupsHook = /\buseGroups\s*\(/.test(source);
+
+  if (usesUsersHook) {
+    const reads = declared.has("users.read:*") || declared.has("users.read");
+    if (!reads) {
+      findings.push({
+        rule: "scope-required-for-useUsers",
+        label:
+          "useUsers() requires `users.read:*` in manifest.requestedScopes",
+        line: 0,
+        snippet: "",
+      });
+    }
+  }
+  if (usesGroupsHook) {
+    const reads = declared.has("groups.read:*") || declared.has("groups.read");
+    if (!reads) {
+      findings.push({
+        rule: "scope-required-for-useGroups",
+        label:
+          "useGroups() requires `groups.read:*` in manifest.requestedScopes",
+        line: 0,
+        snippet: "",
+      });
+    }
+  }
+
+  const lines = source.split(/\r?\n/);
+  let firedUsersWrite = false;
+  let firedGroupsWrite = false;
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (SKIP_COMMENT.test(line)) continue;
+    if (usesUsersHook && !firedUsersWrite) {
+      for (const m of USER_MUTATION_METHODS) {
+        const re = new RegExp(`\\.${m}\\s*\\(`);
+        if (re.test(line)) {
+          if (
+            !declared.has("users.write:*") &&
+            !declared.has("users.write")
+          ) {
+            findings.push({
+              rule: "scope-required-for-user-mutation",
+              label: `useUsers().${m}() requires \`users.write:*\` in manifest.requestedScopes`,
+              line: i + 1,
+              snippet: line.trim().slice(0, 200),
+            });
+          }
+          firedUsersWrite = true;
+          break;
+        }
+      }
+    }
+    if (usesGroupsHook && !firedGroupsWrite) {
+      for (const m of GROUP_MUTATION_METHODS) {
+        const re = new RegExp(`\\.${m}\\s*\\(`);
+        if (re.test(line)) {
+          if (m === "remove" && usesUsersHook) continue;
+          if (
+            !declared.has("groups.write:*") &&
+            !declared.has("groups.write")
+          ) {
+            findings.push({
+              rule: "scope-required-for-group-mutation",
+              label: `useGroups().${m}() requires \`groups.write:*\` in manifest.requestedScopes`,
+              line: i + 1,
+              snippet: line.trim().slice(0, 200),
+            });
+          }
+          firedGroupsWrite = true;
+          break;
+        }
+      }
+    }
+  }
+  return findings;
+}
+
+function lintSource(source, options) {
   if (typeof source !== "string") {
     return {
       ok: false,
       findings: [
-        { rule: "input", label: "source must be a string", line: 0, snippet: "" },
+        {
+          rule: "input",
+          severity: "error",
+          label: "source must be a string",
+          line: 0,
+          snippet: "",
+        },
       ],
     };
   }
@@ -91,6 +310,7 @@ function lintSource(source) {
       if (rule.pattern.test(line)) {
         findings.push({
           rule: rule.id,
+          severity: "error",
           label: rule.label,
           line: i + 1,
           snippet: line.trim().slice(0, 200),
@@ -98,7 +318,21 @@ function lintSource(source) {
       }
     }
   }
-  return { ok: findings.length === 0, findings };
+  findings.push(
+    ..._importRules(source, options && options.manifest).map((f) => ({
+      ...f,
+      severity: f.severity || "error",
+    })),
+  );
+  findings.push(..._hostApiUrlRules(source));
+  findings.push(
+    ..._scopeRules(source, options && options.manifest).map((f) => ({
+      ...f,
+      severity: f.severity || "error",
+    })),
+  );
+  const hasErrors = findings.some((f) => f.severity !== "warning");
+  return { ok: !hasErrors, findings };
 }
 
 module.exports = { lintSource, bannedIdentifiers };

package/dist/linter.js

@@ -57,18 +57,19 @@ const CONTRACT_RULES = CONTRACT.bannedApis.map((b) =>
 
 // Extra rules that don't map 1:1 to a banned identifier in the contract:
 // host-internal imports that widgets must never touch.
+//
+// REQ-WSDK-PLATFORM: `no-axios-import` is GONE. axios is on the vetted
+// import list now (`CONTRACT.vettedImports`) — widgets may call third-party
+// APIs directly. Calls to the host's own /api/* surface are blocked at
+// runtime by the WidgetContextProvider's network gate; the soft
+// `no-host-api-url` rule below flags obvious host-URL substrings so
+// authors learn the rule statically.
 const EXTRA_RULES = [
   {
     id: "no-auth-store-import",
     label: "widgets must not import the host's auth store",
     pattern: /useAuthStore/,
   },
-  {
-    id: "no-axios-import",
-    label:
-      "widgets must not import axios directly; use the injected datastore client",
-    pattern: /from\s+['"]axios['"]|require\s*\(\s*['"]axios['"]\s*\)/,
-  },
 ];
 
 const RULES = [...CONTRACT_RULES, ...EXTRA_RULES];
@@ -83,17 +84,295 @@ export function bannedIdentifiers() {
   return CONTRACT.bannedApis.map((b) => b.identifier);
 }
 
+// REQ-WSDK-PLATFORM §3.4, §8: scan the source for every bare import
+// specifier and validate it against `CONTRACT.vettedImports`.
+//
+// Recognised forms (string-level, no AST):
+//   import X from "spec"
+//   import { … } from "spec"
+//   import * as X from "spec"
+//   import "spec"
+//   const X = require("spec")  // CJS — for completeness
+//
+// Relative imports within the bundle (`./foo.js`, `./shared/util.js`) are
+// allowed — REQ-WSDK-PLATFORM §4.2 lets a split-impl widget share helpers
+// between `widget.web.jsx` and `widget.native.jsx`. Parent-directory
+// (`../`) and absolute (`/`, `http(s):`) paths are rejected to keep the
+// bundle scope sealed.
+const IMPORT_SPECIFIER_RE =
+  /(?:^|[\s;])(?:import(?:\s+[^"';]+from)?|require)\s*\(?\s*['"]([^'"]+)['"]/g;
+
+function _classifySpecifier(spec) {
+  if (
+    spec.startsWith("./") ||
+    (spec.startsWith(".") && !spec.startsWith(".."))
+  ) {
+    return "relative-ok";
+  }
+  if (spec.startsWith("../")) return "relative-escape";
+  if (
+    spec.startsWith("/") ||
+    spec.startsWith("http:") ||
+    spec.startsWith("https:") ||
+    spec.startsWith("blob:") ||
+    spec.startsWith("data:")
+  ) {
+    return "absolute";
+  }
+  return "bare";
+}
+
+function _importRules(source, manifest) {
+  const findings = [];
+  const allowed = new Map(
+    CONTRACT.vettedImports.map((v) => [v.specifier, v]),
+  );
+  // Track declared `supportedPlatforms` so a widget that claims "web only"
+  // doesn't import a native-only package (and vice versa) without the
+  // marketplace listing being honest about which platforms ship.
+  const declaredPlatforms =
+    manifest &&
+    Array.isArray(manifest.supportedPlatforms) &&
+    manifest.supportedPlatforms.length > 0
+      ? new Set(manifest.supportedPlatforms)
+      : null;
+
+  const lines = source.split(/\r?\n/);
+  for (let i = 0; i < lines.length; i += 1) {
+    const line = lines[i];
+    // Reset lastIndex — the regex is /g and shared across lines.
+    IMPORT_SPECIFIER_RE.lastIndex = 0;
+    let m;
+    while ((m = IMPORT_SPECIFIER_RE.exec(line))) {
+      const spec = m[1];
+      const kind = _classifySpecifier(spec);
+      if (kind === "relative-ok") continue;
+      if (kind === "relative-escape") {
+        findings.push({
+          rule: "no-parent-relative-import",
+          label: `relative import "${spec}" escapes the bundle (\`../\`) — only sibling-file imports (\`./foo.js\`) are allowed`,
+          line: i + 1,
+          snippet: line.trim().slice(0, 200),
+        });
+        continue;
+      }
+      if (kind === "absolute") {
+        findings.push({
+          rule: "no-absolute-import",
+          label: `absolute import "${spec}" is not allowed — use a vetted bare specifier or a sibling-file (\`./foo.js\`) import`,
+          line: i + 1,
+          snippet: line.trim().slice(0, 200),
+        });
+        continue;
+      }
+      // Bare specifier — validate against the vetted list.
+      const entry = allowed.get(spec);
+      if (!entry) {
+        findings.push({
+          rule: "import-not-vetted",
+          label:
+            `import "${spec}" is not on the vetted package list — see ` +
+            `CONTRACT.vettedImports for the current set or open a request to add it`,
+          line: i + 1,
+          snippet: line.trim().slice(0, 200),
+        });
+        continue;
+      }
+      // If the manifest declares supportedPlatforms, every imported
+      // specifier must support every declared platform. A widget that
+      // imports react-native-maps (native-only) cannot honestly claim
+      // supportedPlatforms: ["web", "native"] from a single source file —
+      // it must either drop "web" from the manifest, OR move that import
+      // into widget.native.jsx so the web bundle doesn't see it.
+      if (declaredPlatforms) {
+        for (const wanted of declaredPlatforms) {
+          if (!entry.platforms.includes(wanted)) {
+            findings.push({
+              rule: "import-platform-mismatch",
+              label:
+                `"${spec}" supports [${entry.platforms.join(", ")}] but the ` +
+                `manifest claims supportedPlatforms includes "${wanted}". ` +
+                `Move this import into widget.${wanted === "web" ? "native" : "web"}.jsx, ` +
+                `or drop "${wanted}" from manifest.supportedPlatforms.`,
+              line: i + 1,
+              snippet: line.trim().slice(0, 200),
+            });
+          }
+        }
+      }
+    }
+  }
+  return findings;
+}
+
+// REQ-WSDK-PLATFORM §3.5: soft warning when source contains host-API URL
+// substrings. NOT a hard block — false positives are possible (a widget
+// that happens to call a third-party API also located at `/api`). The
+// marketplace review queue surfaces the warning for a human pass.
+function _hostApiUrlRules(source) {
+  const findings = [];
+  const patterns = CONTRACT.hostApiUrlPatterns || [];
+  const lines = source.split(/\r?\n/);
+  for (let i = 0; i < lines.length; i += 1) {
+    const line = lines[i];
+    for (const needle of patterns) {
+      if (line.includes(needle)) {
+        findings.push({
+          rule: "no-host-api-url",
+          severity: "warning",
+          label:
+            `source contains "${needle}" — calls to the AppStudio host API ` +
+            `are blocked at runtime (widgets get no JWT token). Use SDK ` +
+            `hooks for workspace data; \`axios\`/\`fetch\` for third-party APIs.`,
+          line: i + 1,
+          snippet: line.trim().slice(0, 200),
+        });
+        // Only fire once per line — repeated needle hits on the same line
+        // are noise.
+        break;
+      }
+    }
+  }
+  return findings;
+}
+
+// REQ-USERMGMT / REQ-ACL-SYS M3 — scope-required-for-user-mutation.
+//
+// A widget that calls `useUsers().invite()` / `.deactivate()` /
+// `.reactivate()` / `.remove()` MUST declare `users.write:*` in its
+// manifest's `requestedScopes`; similarly `useGroups()` mutation methods
+// require `groups.write:*`. The rule is enforced statically so a manifest
+// that drifts from the source (e.g. an author forgot to add the scope
+// after wiring up the mutation) is rejected at submission time.
+//
+// The check is pattern-based: scan the source for `.invite(`, `.deactivate(`
+// etc. and only fire when the source ALSO contains `useUsers(` / `useGroups(`
+// nearby (i.e. the destructured callee likely originated from the hook).
+// False positives are accepted in exchange for keeping the linter
+// AST-free; an author whose code happened to spell `.invite(` for an
+// unrelated reason can opt out with a `// @appstudio-skip-scope-check`
+// trailing comment on the offending line.
+const USER_MUTATION_METHODS = ["invite", "deactivate", "reactivate", "remove"];
+const GROUP_MUTATION_METHODS = ["create", "remove", "addMember", "removeMember"];
+const SKIP_COMMENT = /\/\/[^\n]*@appstudio-skip-scope-check/;
+
+function _scopeRules(source, manifest) {
+  const findings = [];
+  if (!manifest || typeof manifest !== "object") return findings;
+  const declared = new Set(
+    Array.isArray(manifest.requestedScopes)
+      ? manifest.requestedScopes.filter((s) => typeof s === "string")
+      : [],
+  );
+  const usesUsersHook = /\buseUsers\s*\(/.test(source);
+  const usesGroupsHook = /\buseGroups\s*\(/.test(source);
+
+  if (usesUsersHook) {
+    const reads = declared.has("users.read:*") || declared.has("users.read");
+    if (!reads) {
+      findings.push({
+        rule: "scope-required-for-useUsers",
+        label:
+          "useUsers() requires `users.read:*` in manifest.requestedScopes",
+        line: 0,
+        snippet: "",
+      });
+    }
+  }
+  if (usesGroupsHook) {
+    const reads = declared.has("groups.read:*") || declared.has("groups.read");
+    if (!reads) {
+      findings.push({
+        rule: "scope-required-for-useGroups",
+        label:
+          "useGroups() requires `groups.read:*` in manifest.requestedScopes",
+        line: 0,
+        snippet: "",
+      });
+    }
+  }
+
+  const lines = source.split(/\r?\n/);
+  let firedUsersWrite = false;
+  let firedGroupsWrite = false;
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (SKIP_COMMENT.test(line)) continue;
+    if (usesUsersHook && !firedUsersWrite) {
+      for (const m of USER_MUTATION_METHODS) {
+        const re = new RegExp(`\\.${m}\\s*\\(`);
+        if (re.test(line)) {
+          if (
+            !declared.has("users.write:*") &&
+            !declared.has("users.write")
+          ) {
+            findings.push({
+              rule: "scope-required-for-user-mutation",
+              label: `useUsers().${m}() requires \`users.write:*\` in manifest.requestedScopes`,
+              line: i + 1,
+              snippet: line.trim().slice(0, 200),
+            });
+          }
+          firedUsersWrite = true;
+          break;
+        }
+      }
+    }
+    if (usesGroupsHook && !firedGroupsWrite) {
+      for (const m of GROUP_MUTATION_METHODS) {
+        const re = new RegExp(`\\.${m}\\s*\\(`);
+        if (re.test(line)) {
+          // `.remove(` is also a useUsers method; only blame groups
+          // when the source also uses the groups hook AND the source
+          // doesn't ALSO use the users hook (an ambiguous .remove(
+          // is best left to the user-mutation rule above).
+          if (m === "remove" && usesUsersHook) continue;
+          if (
+            !declared.has("groups.write:*") &&
+            !declared.has("groups.write")
+          ) {
+            findings.push({
+              rule: "scope-required-for-group-mutation",
+              label: `useGroups().${m}() requires \`groups.write:*\` in manifest.requestedScopes`,
+              line: i + 1,
+              snippet: line.trim().slice(0, 200),
+            });
+          }
+          firedGroupsWrite = true;
+          break;
+        }
+      }
+    }
+  }
+  return findings;
+}
+
 /**
  * Lint a JavaScript source string.
+ *
+ * REQ-WSDK-PLATFORM update: findings can now carry a `severity` field
+ * (`"error"` | `"warning"`). The `ok` flag is true iff NO `severity:
+ * "error"` finding exists — warnings (currently just `no-host-api-url`)
+ * surface to the reviewer but do not block publish. Findings without an
+ * explicit `severity` are treated as errors for back-compat with existing
+ * rules.
+ *
  * @param {string} source
- * @returns {{ ok: boolean, findings: Array<{ rule: string, label: string, line: number, snippet: string }> }}
+ * @param {{ manifest?: { requestedScopes?: string[], supportedPlatforms?: string[] } }} [options]
+ * @returns {{ ok: boolean, findings: Array<{ rule: string, severity?: "error" | "warning", label: string, line: number, snippet: string }> }}
  */
-export function lintSource(source) {
+export function lintSource(source, options) {
   if (typeof source !== "string") {
     return {
       ok: false,
       findings: [
-        { rule: "input", label: "source must be a string", line: 0, snippet: "" },
+        {
+          rule: "input",
+          severity: "error",
+          label: "source must be a string",
+          line: 0,
+          snippet: "",
+        },
       ],
     };
   }
@@ -105,6 +384,7 @@ export function lintSource(source) {
       if (rule.pattern.test(line)) {
         findings.push({
           rule: rule.id,
+          severity: "error",
           label: rule.label,
           line: i + 1,
           snippet: line.trim().slice(0, 200),
@@ -112,5 +392,24 @@ export function lintSource(source) {
       }
     }
   }
-  return { ok: findings.length === 0, findings };
+  // REQ-WSDK-PLATFORM §3.4: import-specifier validation.
+  findings.push(
+    ..._importRules(source, options && options.manifest).map((f) => ({
+      ...f,
+      severity: f.severity || "error",
+    })),
+  );
+  // REQ-WSDK-PLATFORM §3.5: soft host-API URL warning (does not block).
+  findings.push(..._hostApiUrlRules(source));
+  // REQ-USERMGMT / REQ-ACL-SYS M3 — scope-aware rules. Run after the
+  // line-by-line scan so banned-identifier findings stay first in the
+  // output.
+  findings.push(
+    ..._scopeRules(source, options && options.manifest).map((f) => ({
+      ...f,
+      severity: f.severity || "error",
+    })),
+  );
+  const hasErrors = findings.some((f) => f.severity !== "warning");
+  return { ok: !hasErrors, findings };
 }

package/dist/primitives.js

@@ -60,3 +60,11 @@ export const StyleSheet = ReactNative.StyleSheet;
 // the OS hands it off to the system handler. `canOpenURL` reports whether
 // the URL scheme is registered.
 export const Linking = ReactNative.Linking;
+// REQ-WSDK-PLATFORM §6 — `<Icon>` wraps lucide-react-native. Same source
+// runs on both platforms; see ./icon.js.
+export { Icon } from "./icon.js";
+// REQ-WSDK-PLATFORM §6 — `<DateTimePicker>` wraps
+// @react-native-community/datetimepicker and normalizes its value to
+// ISO 8601 strings. Same source runs on both platforms; see
+// ./datetimepicker.js.
+export { DateTimePicker } from "./datetimepicker.js";

package/dist/primitives.native.js

@@ -20,3 +20,12 @@ export {
   StyleSheet,
   Linking,
 } from "react-native";
+
+// REQ-WSDK-PLATFORM §6 — `<Icon>` is implemented in one file that runs on
+// both platforms (lucide-react-native ships a working build for both).
+export { Icon } from "./icon.js";
+// REQ-WSDK-PLATFORM §6 — `<DateTimePicker>` ditto. The underlying
+// @react-native-community/datetimepicker handles its own
+// per-platform rendering; the SDK wrapper just normalizes the value
+// to ISO strings.
+export { DateTimePicker } from "./datetimepicker.js";

package/dist/property-schema.js

@@ -6,6 +6,12 @@ const VALID_TYPES = new Set([
   "color", "icon", "image",
   "select", "multiselect",
   "tableRef", "columnRef", "recordBinding",
+  // REQ-USERMGMT M4 / §4.8: `groupRef` is a Group picker that emits a bare
+  // AppUserGroup UUID into the page JSON. Renders via `GroupSelector` in
+  // the Studio Properties Panel. REQ-GEN-07 compliance: no typed UUIDs —
+  // value is the raw uuid string so the tenant-copy walker can remap it
+  // through `_remapJson` without per-prop hooks.
+  "groupRef",
   "expression", "eventBinding",
   "object", "array",
 ]);
@@ -87,6 +93,7 @@ function coerceLeaf(def, value, path, errors) {
     case "tableRef":
     case "columnRef":
     case "recordBinding":
+    case "groupRef":
     case "expression":
     case "eventBinding":
       if (typeof value !== "string") errors.push(`${path}: expected string`);