@colixsystems/widget-sdk 0.14.1 → 0.15.0

package/dist/contract.js

@@ -241,6 +241,42 @@ const HOOKS = [
     ],
     scopes: ["groups.read:*"],
   },
+  // REQ-WSDK-PLATFORM §6 — Tier A SDK hooks.
+  {
+    name: "useClipboard",
+    signature: "useClipboard()",
+    description:
+      "Cross-platform clipboard access. Returns { copy, paste, hasContent }. " +
+      "All methods return Promises; rejections surface a structured ClipboardError " +
+      "with .code in PERMISSION_DENIED | INTERNAL. On web the browser may " +
+      "require a user gesture for read access — surface the error to the " +
+      "user as a 'try again after clicking' prompt when code === PERMISSION_DENIED.",
+    returnShape: {
+      copy:
+        "(text: string) => Promise<void>  // rejects with ClipboardError",
+      paste:
+        "() => Promise<string>  // rejects with ClipboardError",
+      hasContent: "() => Promise<boolean>  // best-effort, never throws",
+    },
+    requiredContextSlice: [],
+    scopes: null,
+  },
+  {
+    name: "useToast",
+    signature: "useToast()",
+    description:
+      "Surfaces a short auto-dismissing notification. Returns { showToast }. " +
+      "showToast({ kind: 'success' | 'error' | 'info' | 'warning', message }) " +
+      "asks the host to render a workspace-themed toast. If the host hasn't " +
+      "wired a renderer, the web variant dispatches an 'appstudio:widget-toast' " +
+      "CustomEvent on window; native logs to the console. The widget never " +
+      "owns the toast UI — that's the host's responsibility.",
+    returnShape: {
+      showToast: "({ kind, message }) => void",
+    },
+    requiredContextSlice: ["toast.showToast"],
+    scopes: null,
+  },
 ];
 
 // REQ-WSDK-RN-WEB: see contract.cjs for the source-of-truth comment.
@@ -329,6 +365,22 @@ const PRIMITIVES = [
     rnComponent: "Linking",
     docsUrl: "https://reactnative.dev/docs/linking",
   },
+  // REQ-WSDK-PLATFORM §6 — Tier A SDK primitive.
+  {
+    name: "Icon",
+    description:
+      'Lucide icon. `<Icon name="check" size={16} color="..." />`. Unknown names render the Square fallback so the canvas always shows something visible. Names are the lucide icon ids (`https://lucide.dev/icons`). Works on both web and native.',
+    rnComponent: "lucide-react-native",
+    docsUrl: "https://lucide.dev/icons",
+  },
+  // REQ-WSDK-PLATFORM §6 — Tier A SDK primitive.
+  {
+    name: "DateTimePicker",
+    description:
+      'Cross-platform date / time / datetime picker. `<DateTimePicker value={iso} onChange={iso => …} mode="date" | "time" | "datetime" />`. The value prop and the onChange callback both speak ISO 8601 strings (the datastore wire format) — authors never round-trip through `new Date()`. Web renders the browser\'s native input via react-native-web; native uses @react-native-community/datetimepicker.',
+    rnComponent: "@react-native-community/datetimepicker",
+    docsUrl: "https://github.com/react-native-datetimepicker/datetimepicker",
+  },
 ];
 
 const CATEGORIES = [
@@ -545,6 +597,20 @@ const WIDGET_CONTEXT_SHAPE = {
       error: "function",
     },
   },
+  // REQ-WSDK-PLATFORM §6 — backs useToast(). The host installs its own
+  // workspace-themed toast renderer here; if omitted, the SDK's useToast
+  // hook falls back to a CustomEvent on web / console.log on native so
+  // widget code still runs without a host integration.
+  toast: {
+    description:
+      "Optional host toast slot. { showToast({ kind, message }): void }. " +
+      "The host populates this to render workspace-themed notifications " +
+      "from any widget that calls useToast(). When omitted the SDK falls " +
+      "back to dispatching an 'appstudio:widget-toast' CustomEvent on web " +
+      "and console.log on native.",
+    required: false,
+    fields: { showToast: "function" },
+  },
 };
 
 const BUNDLE_EXPORT_CONTRACT = [
@@ -567,6 +633,9 @@ const BUNDLE_EXPORT_CONTRACT = [
   },
 ];
 
+// REQ-WSDK-PLATFORM (docs/design/req-widget-sdk-cross-platform-primitives.md
+// §3.5, §8): `fetch` and `XMLHttpRequest` are NOT banned. See contract.cjs
+// for the source-of-truth comment.
 const BANNED_APIS = [
   { identifier: "eval", reason: "Arbitrary code evaluation." },
   {
@@ -595,21 +664,119 @@ const BANNED_APIS = [
     reason: "Same reason as localStorage.",
   },
   {
-    identifier: "fetch",
-    reason: "Direct network calls bypass the datastore client + tenant auth.",
+    identifier: "import(",
+    reason: "Dynamic import bypasses the loader's allowlist.",
+  },
+  { identifier: "globalThis", reason: "Host environment escape." },
+];
+
+// REQ-WSDK-PLATFORM §3.4, §5: vetted package allowlist. See contract.cjs
+// for the source-of-truth comment.
+const VETTED_IMPORTS = [
+  {
+    specifier: "react",
+    platforms: ["web", "native"],
+    category: "core",
+    description: "React. Hooks, JSX, lifecycle. Unchanged.",
   },
   {
-    identifier: "XMLHttpRequest",
-    reason: "Direct network calls bypass the datastore client + tenant auth.",
+    specifier: "@colixsystems/widget-sdk",
+    platforms: ["web", "native"],
+    category: "core",
+    description:
+      "The AppStudio widget SDK — primitives, hooks, manifest helpers. Unchanged.",
   },
   {
-    identifier: "import(",
-    reason: "Dynamic import bypasses the loader's allowlist.",
+    specifier: "react-native",
+    platforms: ["web", "native"],
+    category: "primitive",
+    description:
+      "Direct RN imports for APIs the SDK hasn't re-exported yet. On web the host bundler aliases this to react-native-web; on native Metro resolves the real library.",
+  },
+  {
+    specifier: "axios",
+    platforms: ["web", "native"],
+    category: "network",
+    description:
+      "HTTP client for third-party APIs. Calls to the host's /api/* surface are blocked at runtime — widgets get no JWT token, so use SDK hooks for workspace data.",
+  },
+  {
+    specifier: "date-fns",
+    platforms: ["web", "native"],
+    category: "utility",
+    description: "Pure-JS date math. Works on both platforms unchanged.",
+  },
+  {
+    specifier: "react-native-svg",
+    platforms: ["web", "native"],
+    category: "drawing",
+    description:
+      "Cross-platform SVG drawing primitives. Used by the built-in Chart widget; works on both platforms.",
+  },
+  {
+    specifier: "lucide-react-native",
+    platforms: ["web", "native"],
+    category: "iconography",
+    description:
+      "Lucide icon set as React components. Used by the built-in Icon widget; works on both platforms.",
+  },
+  {
+    specifier: "react-native-maps",
+    platforms: ["native"],
+    category: "geo",
+    description:
+      "Native map view + markers. Native-only; pair with leaflet/react-leaflet in widget.web.jsx for a web variant.",
+  },
+  {
+    specifier: "leaflet",
+    platforms: ["web"],
+    category: "geo",
+    description:
+      "Web-only mapping library. Use alongside react-leaflet in widget.web.jsx as the web counterpart to react-native-maps.",
+  },
+  {
+    specifier: "react-leaflet",
+    platforms: ["web"],
+    category: "geo",
+    description: "React bindings for leaflet. Web-only.",
+  },
+  {
+    specifier: "expo-av",
+    platforms: ["native"],
+    category: "media",
+    description:
+      "Native audio + video playback. Native-only; pair with browser <audio>/<video> in widget.web.jsx.",
+  },
+  {
+    specifier: "@react-native-community/datetimepicker",
+    platforms: ["native"],
+    category: "input",
+    description:
+      "Native date/time picker. The SDK's <DateTimePicker> primitive already wraps this; reach for it directly only if you need RN-specific options.",
+  },
+  {
+    specifier: "expo-clipboard",
+    platforms: ["native"],
+    category: "system",
+    description:
+      "Native clipboard. The SDK's useClipboard() hook already wraps this; reach for it directly only if you need RN-specific options.",
+  },
+  {
+    specifier: "expo-haptics",
+    platforms: ["native"],
+    category: "system",
+    description:
+      "Native haptic feedback. Pair with navigator.vibrate in widget.web.jsx.",
   },
-  { identifier: "globalThis", reason: "Host environment escape." },
 ];
 
-const ALLOWED_BARE_IMPORTS = ["react", "@colixsystems/widget-sdk"];
+const ALLOWED_BARE_IMPORTS = VETTED_IMPORTS.map((v) => v.specifier);
+
+const HOST_API_URL_PATTERNS = [
+  "/api/v1",
+  "/uploads/",
+  "Authorization: Bearer",
+];
 
 function deepFreeze(value) {
   if (value === null || typeof value !== "object") return value;
@@ -619,7 +786,7 @@ function deepFreeze(value) {
 }
 
 const CONTRACT = deepFreeze({
-  version: "1.4.0",
+  version: "1.5.0",
   hooks: HOOKS,
   primitives: PRIMITIVES,
   manifestSchema: MANIFEST_SCHEMA,
@@ -629,7 +796,9 @@ const CONTRACT = deepFreeze({
   widgetContextShape: WIDGET_CONTEXT_SHAPE,
   bundleExportContract: BUNDLE_EXPORT_CONTRACT,
   bannedApis: BANNED_APIS,
+  vettedImports: VETTED_IMPORTS,
   allowedBareImports: ALLOWED_BARE_IMPORTS,
+  hostApiUrlPatterns: HOST_API_URL_PATTERNS,
 });
 
 function isHookAllowed(name) {

package/dist/datetimepicker.js

@@ -0,0 +1,102 @@
+// REQ-WSDK-PLATFORM §6 — `<DateTimePicker>` SDK primitive.
+//
+// Cross-platform date / time / datetime picker. Wraps
+// `@react-native-community/datetimepicker` (works on both web and native:
+// on web it renders the browser's native `<input type="date|time">`
+// surface through react-native-web's mapping). The wire format is ISO
+// 8601 strings — the same format the datastore speaks, so widget authors
+// never round-trip through `new Date()`.
+//
+// Props:
+//   value: string | null   — ISO 8601 (`2026-05-28` for date mode,
+//                            `2026-05-28T14:30:00.000Z` for datetime).
+//                            `null` defaults to "now".
+//   onChange: (iso: string) => void
+//   mode:    "date" | "time" | "datetime"  — default "date"
+//   minimumDate / maximumDate: string | null  — ISO bounds
+//   disabled: boolean
+//
+// The author writes:
+//   const [day, setDay] = useState(null);
+//   <DateTimePicker value={day} onChange={setDay} mode="date" />
+//
+// …and `day` ends up as an ISO string suitable for storing directly into
+// a DATE column. The previous pattern of importing the RN library
+// directly and managing `Date` objects in widget state is gone — the
+// primitive normalizes both ends.
+
+import React, { useMemo } from "react";
+// eslint-disable-next-line no-restricted-syntax
+import RNDateTimePicker from "@react-native-community/datetimepicker";
+
+function _parseToDate(value) {
+  if (value == null || value === "") return new Date();
+  if (value instanceof Date) return Number.isNaN(value.getTime()) ? new Date() : value;
+  if (typeof value === "string") {
+    const d = new Date(value);
+    return Number.isNaN(d.getTime()) ? new Date() : d;
+  }
+  return new Date();
+}
+
+function _formatToIso(date, mode) {
+  if (!(date instanceof Date) || Number.isNaN(date.getTime())) return null;
+  if (mode === "date") {
+    // Local-date ISO (yyyy-mm-dd) — calendar dates should be timezone-free
+    // so a "May 28" picked in Stockholm doesn't read as "May 27" in NYC.
+    const y = date.getFullYear();
+    const m = String(date.getMonth() + 1).padStart(2, "0");
+    const d = String(date.getDate()).padStart(2, "0");
+    return `${y}-${m}-${d}`;
+  }
+  if (mode === "time") {
+    // Local-time ISO (hh:mm) — time-of-day is timezone-free for the same
+    // reason. Authors who want a full datetime get mode="datetime".
+    const h = String(date.getHours()).padStart(2, "0");
+    const mm = String(date.getMinutes()).padStart(2, "0");
+    return `${h}:${mm}`;
+  }
+  // datetime — full UTC ISO so the wire format round-trips through the
+  // datastore's DATE column unchanged.
+  return date.toISOString();
+}
+
+export function DateTimePicker({
+  value,
+  onChange,
+  mode,
+  minimumDate,
+  maximumDate,
+  disabled,
+}) {
+  const effectiveMode = mode === "time" || mode === "datetime" ? mode : "date";
+  const dateValue = useMemo(() => _parseToDate(value), [value]);
+  const min = useMemo(
+    () => (minimumDate ? _parseToDate(minimumDate) : undefined),
+    [minimumDate],
+  );
+  const max = useMemo(
+    () => (maximumDate ? _parseToDate(maximumDate) : undefined),
+    [maximumDate],
+  );
+
+  const handleChange = (_event, picked) => {
+    if (typeof onChange !== "function") return;
+    if (!(picked instanceof Date)) return;
+    const iso = _formatToIso(picked, effectiveMode);
+    if (iso != null) onChange(iso);
+  };
+
+  // The RN library's `mode` accepts "date" / "time"; for "datetime" we
+  // ask for "datetime" on iOS / Android and let the picker's
+  // implementation handle it. react-native-web's mapping interprets
+  // "datetime" as `<input type="datetime-local">`.
+  return React.createElement(RNDateTimePicker, {
+    value: dateValue,
+    mode: effectiveMode,
+    minimumDate: min,
+    maximumDate: max,
+    disabled: !!disabled,
+    onChange: handleChange,
+  });
+}

package/dist/hooks.js

@@ -61,7 +61,9 @@ export function WidgetContextProvider({ value, children }) {
   return React.createElement(HostWidgetContext.Provider, { value }, children);
 }
 
-function useWidgetContextOrThrow(hookName) {
+// Exported for ./toast.js + future hook modules outside hooks.js. Internal
+// utility — widget code should not import this directly.
+export function useWidgetContextOrThrow(hookName) {
   const ctx = useContext(HostWidgetContext);
   if (ctx == null) {
     throw new Error(

package/dist/icon.js

@@ -0,0 +1,29 @@
+// REQ-WSDK-PLATFORM §6 — `<Icon>` SDK primitive.
+//
+// Wraps lucide-react-native's name-keyed component map behind a small
+// stable API: `<Icon name="check" size={16} color="..." />`. Same source
+// runs on both platforms — lucide-react-native ships a working web build
+// (via the host's Vite shim) and a native build (Metro picks it
+// straight). Unknown names fall back to the `Square` glyph so the
+// canvas always shows something visible.
+//
+// The built-in `Icon` widget at frontend/src/components/widgets/Icon/
+// already implements this exact pattern. Marketplace widgets reach for
+// the SDK primitive instead of importing lucide-react-native directly,
+// keeping the import-surface of a typical widget small (and avoiding the
+// `import * as LucideIcons` pattern which trips eslint's
+// no-restricted-syntax in some configs).
+
+import React from "react";
+import * as LucideIcons from "lucide-react-native";
+
+export function Icon({ name, size, color }) {
+  const candidate =
+    typeof name === "string" && name.length > 0 ? LucideIcons[name] : null;
+  const Component = candidate || LucideIcons.Square;
+  const pixelSize = Number.isFinite(size) && size > 0 ? size : 24;
+  return React.createElement(Component, {
+    size: pixelSize,
+    color: color || "#0f172a",
+  });
+}

package/dist/index.d.ts

@@ -607,9 +607,29 @@ export const ActivityIndicator: any;
 export const Switch: any;
 export const StyleSheet: any;
 
+/**
+ * REQ-WSDK-PLATFORM §6 — Lucide icon primitive. Unknown names fall back
+ * to the `Square` glyph so the canvas always shows something visible.
+ *
+ * @example
+ *   import { Icon } from '@colixsystems/widget-sdk';
+ *   <Icon name="check" size={16} color={theme.colors.primary} />
+ */
+export const Icon: (props: {
+  name?: string;
+  size?: number;
+  color?: string;
+}) => any;
+
 // Linter
 export interface LintFinding {
   rule: string;
+  /**
+   * REQ-WSDK-PLATFORM update: findings can now carry a `severity`. The
+   * lint's `ok` flag is true iff no `severity: "error"` finding exists.
+   * `severity: "warning"` findings surface to reviewers but do not block.
+   */
+  severity?: "error" | "warning";
   label: string;
   line: number;
   snippet: string;

package/dist/index.js

@@ -26,6 +26,11 @@ export {
   useChildRenderer,
   WidgetTree,
 } from "./hooks.js";
+// REQ-WSDK-PLATFORM §6 — Tier A hooks. Each ships in a per-platform file
+// (./clipboard.js / .native.js, ./toast.js / .native.js); index.js picks
+// the web variant and index.native.js picks the native variant.
+export { useClipboard, ClipboardError } from "./clipboard.js";
+export { useToast } from "./toast.js";
 export {
   Text,
   View,
@@ -39,6 +44,8 @@ export {
   Switch,
   StyleSheet,
   Linking,
+  Icon,
+  DateTimePicker,
 } from "./primitives.js";
 export { lintSource, bannedIdentifiers } from "./linter.js";
 export { CONTRACT, isHookAllowed, requiredContextKeys } from "./contract.js";

package/dist/index.native.js

@@ -26,6 +26,9 @@ export {
   useChildRenderer,
   WidgetTree,
 } from "./hooks.js";
+// REQ-WSDK-PLATFORM §6 — Tier A hooks (native variants).
+export { useClipboard, ClipboardError } from "./clipboard.native.js";
+export { useToast } from "./toast.native.js";
 export {
   Text,
   View,
@@ -39,6 +42,8 @@ export {
   Switch,
   StyleSheet,
   Linking,
+  Icon,
+  DateTimePicker,
 } from "./primitives.native.js";
 export { lintSource, bannedIdentifiers } from "./linter.js";
 export { CONTRACT, isHookAllowed, requiredContextKeys } from "./contract.js";

package/dist/linter.cjs

@@ -54,18 +54,15 @@ const CONTRACT_RULES = CONTRACT.bannedApis.map((b) =>
   _ruleForIdentifier(b.identifier, b.reason),
 );
 
+// REQ-WSDK-PLATFORM: `no-axios-import` is GONE. axios is on the vetted
+// import list now (`CONTRACT.vettedImports`). See linter.js for the
+// source-of-truth comment.
 const EXTRA_RULES = [
   {
     id: "no-auth-store-import",
     label: "widgets must not import the host's auth store",
     pattern: /useAuthStore/,
   },
-  {
-    id: "no-axios-import",
-    label:
-      "widgets must not import axios directly; use the injected datastore client",
-    pattern: /from\s+['"]axios['"]|require\s*\(\s*['"]axios['"]\s*\)/,
-  },
 ];
 
 const RULES = [...CONTRACT_RULES, ...EXTRA_RULES];
@@ -74,6 +71,128 @@ function bannedIdentifiers() {
   return CONTRACT.bannedApis.map((b) => b.identifier);
 }
 
+// REQ-WSDK-PLATFORM §3.4, §8: import-specifier validation. See linter.js
+// for the source-of-truth comment.
+const IMPORT_SPECIFIER_RE =
+  /(?:^|[\s;])(?:import(?:\s+[^"';]+from)?|require)\s*\(?\s*['"]([^'"]+)['"]/g;
+
+function _classifySpecifier(spec) {
+  if (
+    spec.startsWith("./") ||
+    (spec.startsWith(".") && !spec.startsWith(".."))
+  ) {
+    return "relative-ok";
+  }
+  if (spec.startsWith("../")) return "relative-escape";
+  if (
+    spec.startsWith("/") ||
+    spec.startsWith("http:") ||
+    spec.startsWith("https:") ||
+    spec.startsWith("blob:") ||
+    spec.startsWith("data:")
+  ) {
+    return "absolute";
+  }
+  return "bare";
+}
+
+function _importRules(source, manifest) {
+  const findings = [];
+  const allowed = new Map(
+    CONTRACT.vettedImports.map((v) => [v.specifier, v]),
+  );
+  const declaredPlatforms =
+    manifest &&
+    Array.isArray(manifest.supportedPlatforms) &&
+    manifest.supportedPlatforms.length > 0
+      ? new Set(manifest.supportedPlatforms)
+      : null;
+
+  const lines = source.split(/\r?\n/);
+  for (let i = 0; i < lines.length; i += 1) {
+    const line = lines[i];
+    IMPORT_SPECIFIER_RE.lastIndex = 0;
+    let m;
+    while ((m = IMPORT_SPECIFIER_RE.exec(line))) {
+      const spec = m[1];
+      const kind = _classifySpecifier(spec);
+      if (kind === "relative-ok") continue;
+      if (kind === "relative-escape") {
+        findings.push({
+          rule: "no-parent-relative-import",
+          label: `relative import "${spec}" escapes the bundle (\`../\`) — only sibling-file imports (\`./foo.js\`) are allowed`,
+          line: i + 1,
+          snippet: line.trim().slice(0, 200),
+        });
+        continue;
+      }
+      if (kind === "absolute") {
+        findings.push({
+          rule: "no-absolute-import",
+          label: `absolute import "${spec}" is not allowed — use a vetted bare specifier or a sibling-file (\`./foo.js\`) import`,
+          line: i + 1,
+          snippet: line.trim().slice(0, 200),
+        });
+        continue;
+      }
+      const entry = allowed.get(spec);
+      if (!entry) {
+        findings.push({
+          rule: "import-not-vetted",
+          label:
+            `import "${spec}" is not on the vetted package list — see ` +
+            `CONTRACT.vettedImports for the current set or open a request to add it`,
+          line: i + 1,
+          snippet: line.trim().slice(0, 200),
+        });
+        continue;
+      }
+      if (declaredPlatforms) {
+        for (const wanted of declaredPlatforms) {
+          if (!entry.platforms.includes(wanted)) {
+            findings.push({
+              rule: "import-platform-mismatch",
+              label:
+                `"${spec}" supports [${entry.platforms.join(", ")}] but the ` +
+                `manifest claims supportedPlatforms includes "${wanted}". ` +
+                `Move this import into widget.${wanted === "web" ? "native" : "web"}.jsx, ` +
+                `or drop "${wanted}" from manifest.supportedPlatforms.`,
+              line: i + 1,
+              snippet: line.trim().slice(0, 200),
+            });
+          }
+        }
+      }
+    }
+  }
+  return findings;
+}
+
+function _hostApiUrlRules(source) {
+  const findings = [];
+  const patterns = CONTRACT.hostApiUrlPatterns || [];
+  const lines = source.split(/\r?\n/);
+  for (let i = 0; i < lines.length; i += 1) {
+    const line = lines[i];
+    for (const needle of patterns) {
+      if (line.includes(needle)) {
+        findings.push({
+          rule: "no-host-api-url",
+          severity: "warning",
+          label:
+            `source contains "${needle}" — calls to the AppStudio host API ` +
+            `are blocked at runtime (widgets get no JWT token). Use SDK ` +
+            `hooks for workspace data; \`axios\`/\`fetch\` for third-party APIs.`,
+          line: i + 1,
+          snippet: line.trim().slice(0, 200),
+        });
+        break;
+      }
+    }
+  }
+  return findings;
+}
+
 // REQ-USERMGMT / REQ-ACL-SYS M3 — scope-required-for-user-mutation. See
 // linter.js for the rationale comment. The two files must stay in
 // lockstep (the contract test asserts behaviour-equivalence).
@@ -173,7 +292,13 @@ function lintSource(source, options) {
     return {
       ok: false,
       findings: [
-        { rule: "input", label: "source must be a string", line: 0, snippet: "" },
+        {
+          rule: "input",
+          severity: "error",
+          label: "source must be a string",
+          line: 0,
+          snippet: "",
+        },
       ],
     };
   }
@@ -185,6 +310,7 @@ function lintSource(source, options) {
       if (rule.pattern.test(line)) {
         findings.push({
           rule: rule.id,
+          severity: "error",
           label: rule.label,
           line: i + 1,
           snippet: line.trim().slice(0, 200),
@@ -192,8 +318,21 @@ function lintSource(source, options) {
       }
     }
   }
-  findings.push(..._scopeRules(source, options && options.manifest));
-  return { ok: findings.length === 0, findings };
+  findings.push(
+    ..._importRules(source, options && options.manifest).map((f) => ({
+      ...f,
+      severity: f.severity || "error",
+    })),
+  );
+  findings.push(..._hostApiUrlRules(source));
+  findings.push(
+    ..._scopeRules(source, options && options.manifest).map((f) => ({
+      ...f,
+      severity: f.severity || "error",
+    })),
+  );
+  const hasErrors = findings.some((f) => f.severity !== "warning");
+  return { ok: !hasErrors, findings };
 }
 
 module.exports = { lintSource, bannedIdentifiers };