@colixsystems/widget-sdk 0.2.0 → 0.4.1

package/dist/hooks.js

@@ -1,15 +1,58 @@
-// Widget hooks per docs/architecture/widget-marketplace.md §3.1.
-// Each hook reads from the host-provided WidgetContext via React context, then
-// delegates to the host implementation. Bodies are intentionally slim — the
-// hosts (Studio, Player, exported app) own the runtime semantics.
+// Widget hooks per docs/architecture/widget-marketplace.md §3.1 and the
+// CONTRACT in ./contract.js (the single source of truth — when a hook's
+// signature or return shape changes, update both this file and the
+// CONTRACT entry in lockstep).
+//
+// Each hook reads from the host-provided WidgetContext via React context,
+// then delegates to the host implementation. The hosts (Studio, Player,
+// exported app) own the runtime semantics — this file is the SDK surface
+// widgets call.
 //
 // This file avoids JSX so it can ship as a plain .js without a transform.
 
-import React, { createContext, useContext, useCallback } from "react";
+import React, {
+  createContext,
+  useContext,
+  useCallback,
+  useEffect,
+  useRef,
+  useState,
+} from "react";
 
 /** @internal — host-injected context value of shape WidgetContext (see index.d.ts). */
 const HostWidgetContext = createContext(null);
 
+/**
+ * Structured error thrown by `useDatastoreMutation` callbacks (and surfaced
+ * by `useDatastoreQuery` in its `error` slot). Carries a stable `code` so
+ * widgets can branch on the error class without parsing axios message
+ * strings.
+ *
+ * `code` is one of:
+ *   - "VALIDATION"            — 400 / 422 from the datastore
+ *   - "CONSTRAINT_VIOLATION"  — 409 from the datastore
+ *   - "FORBIDDEN"             — 403 from the datastore
+ *   - "NOT_FOUND"             — 404 from the datastore
+ *   - "INTERNAL"              — anything else (network, 5xx, axios timeout)
+ *
+ * `fieldErrors` (when present) is a flat map of field name to per-field
+ * error message, populated when the datastore returned a structured
+ * 400/422 payload with `errors: [{ field, code }, ...]`.
+ */
+export class DatastoreError extends Error {
+  constructor(code, message, opts) {
+    super(message);
+    this.name = "DatastoreError";
+    this.code = code;
+    if (opts && opts.fieldErrors && typeof opts.fieldErrors === "object") {
+      this.fieldErrors = opts.fieldErrors;
+    }
+    if (opts && opts.cause) {
+      this.cause = opts.cause;
+    }
+  }
+}
+
 /**
  * Wraps children with the host-provided WidgetContext.
  * The host (Studio/Player/native shell) builds the value and renders this provider.
@@ -29,19 +72,147 @@ function useWidgetContextOrThrow(hookName) {
   return ctx;
 }
 
-// v0.1 scope: returns the host's datastore-backed query result.
-// The host owns suspense/caching; this hook is a passthrough to ctx.datastore.
+// --------------------------------------------------------------- helpers
+
+/**
+ * Coerce an arbitrary thrown value (axios error, plain Error, string) into
+ * a DatastoreError with a stable `.code`. Reads `error.response.status` if
+ * present (axios shape) and falls back to inspecting the message string.
+ */
+function toDatastoreError(err) {
+  if (err instanceof DatastoreError) return err;
+  const status =
+    err && err.response && typeof err.response.status === "number"
+      ? err.response.status
+      : null;
+  const bodyMessage =
+    err && err.response && err.response.data && typeof err.response.data.error === "string"
+      ? err.response.data.error
+      : null;
+  const fallbackMessage =
+    bodyMessage ||
+    (err && typeof err.message === "string" ? err.message : "Datastore call failed");
+  let code = "INTERNAL";
+  if (status === 400 || status === 422) code = "VALIDATION";
+  else if (status === 409) code = "CONSTRAINT_VIOLATION";
+  else if (status === 403) code = "FORBIDDEN";
+  else if (status === 404) code = "NOT_FOUND";
+  // Surface a structured fieldErrors map when the server emitted one
+  // (record.controller.js shapes 422 bodies as `{ errors: [{ field, code }] }`).
+  let fieldErrors;
+  if (err && err.response && err.response.data && Array.isArray(err.response.data.errors)) {
+    const map = {};
+    for (const entry of err.response.data.errors) {
+      if (entry && typeof entry.field === "string") {
+        map[entry.field] = entry.message || entry.code || "Invalid value";
+      }
+    }
+    if (Object.keys(map).length > 0) fieldErrors = map;
+  }
+  return new DatastoreError(code, fallbackMessage, {
+    cause: err,
+    fieldErrors,
+  });
+}
+
+// --------------------------------------------------------------- hooks
+
+/**
+ * Stateful datastore query hook. Returns { data, loading, error, refetch }.
+ *
+ * The host's datastore client exposes `records(table).list(query)` which
+ * returns a Promise<Record[]>. We hold the result in component state and
+ * re-fetch when [table, JSON.stringify(query)] changes. `refetch` re-runs
+ * the same call on demand.
+ *
+ * When `table` is falsy (e.g. the user hasn't bound a `tableRef` property
+ * yet), the hook resolves to { data: [], loading: false, error: null,
+ * refetch } so the widget can render its empty state without throwing.
+ */
 export function useDatastoreQuery(table, query) {
   const ctx = useWidgetContextOrThrow("useDatastoreQuery");
   if (!ctx.datastore || typeof ctx.datastore.records !== "function") {
     throw new Error("useDatastoreQuery: host did not inject a datastore client");
   }
-  // The host-injected datastore is expected to expose a `useRecords(table, query)` hook;
-  // v0.1 stub returns the raw promise interface and lets the host wire React Query.
-  return ctx.datastore.records(table).list(query);
+  const [data, setData] = useState([]);
+  const [loading, setLoading] = useState(Boolean(table));
+  const [error, setError] = useState(null);
+
+  // Capture the latest table + query in refs so refetch() — a stable
+  // callback identity — always reads the current arguments without having
+  // to be re-bound on every render.
+  //
+  // We hold ctx.datastore.records in a ref for the same reason: the
+  // Studio / Player / PageRenderer rebuild the WidgetContext value
+  // inside their render closure on every render, so `ctx` is a fresh
+  // object identity every render. If `doFetch` listed `[ctx]` in its
+  // dep array, the callback identity (and therefore the `refetch`
+  // surface) would change every render and any widget that put
+  // `refetch` in a useEffect dep array would loop forever. The effect
+  // that drives the actual initial fetch keeps `[table, queryKey]` so
+  // it only re-runs when the bound table or the query payload changes.
+  const tableRef = useRef(table);
+  const queryRef = useRef(query);
+  const recordsRef = useRef(ctx.datastore.records);
+  tableRef.current = table;
+  queryRef.current = query;
+  recordsRef.current = ctx.datastore.records;
+
+  const runRef = useRef(0);
+
+  const doFetch = useCallback(async () => {
+    const myRun = ++runRef.current;
+    const t = tableRef.current;
+    if (!t) {
+      // No table bound yet — collapse to a stable empty result without
+      // a network round-trip.
+      setLoading(false);
+      setError(null);
+      setData([]);
+      return;
+    }
+    setLoading(true);
+    setError(null);
+    try {
+      const ns = recordsRef.current(t);
+      const rows = await ns.list(queryRef.current);
+      // Discard the result if a newer fetch has started since we kicked off.
+      if (runRef.current !== myRun) return;
+      setData(Array.isArray(rows) ? rows : []);
+      setLoading(false);
+    } catch (err) {
+      if (runRef.current !== myRun) return;
+      setError(toDatastoreError(err));
+      setLoading(false);
+    }
+  }, []);
+
+  // Re-run on mount and whenever [table, JSON.stringify(query)] changes.
+  const queryKey = (() => {
+    try {
+      return JSON.stringify(query);
+    } catch (_e) {
+      return null;
+    }
+  })();
+  useEffect(() => {
+    doFetch();
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [table, queryKey]);
+
+  const refetch = useCallback(async () => {
+    await doFetch();
+  }, [doFetch]);
+
+  return { data, loading, error, refetch };
 }
 
-// v0.1 scope: returns { create, update, delete } from the injected datastore client.
+/**
+ * Datastore mutation hook. Returns { create, update, delete }, each method
+ * returning a Promise. Rejected promises throw a DatastoreError carrying a
+ * stable `.code` (`VALIDATION`, `CONSTRAINT_VIOLATION`, `FORBIDDEN`,
+ * `NOT_FOUND`, `INTERNAL`) plus an optional `fieldErrors` map.
+ */
 export function useDatastoreMutation(table) {
   const ctx = useWidgetContextOrThrow("useDatastoreMutation");
   if (!ctx.datastore || typeof ctx.datastore.records !== "function") {
@@ -49,28 +220,79 @@ export function useDatastoreMutation(table) {
   }
   const ns = ctx.datastore.records(table);
   return {
-    create: (values) => ns.create(values),
-    update: (id, values) => ns.update(id, values),
-    delete: (id) => ns.delete(id),
+    create: async (values) => {
+      try {
+        return await ns.create(values);
+      } catch (err) {
+        throw toDatastoreError(err);
+      }
+    },
+    update: async (id, values) => {
+      try {
+        return await ns.update(id, values);
+      } catch (err) {
+        throw toDatastoreError(err);
+      }
+    },
+    delete: async (id) => {
+      try {
+        return await ns.delete(id);
+      } catch (err) {
+        throw toDatastoreError(err);
+      }
+    },
   };
 }
 
-// v0.1 scope: emits a named event through ctx.events.emit. Page-level event
-// bindings (subscribed by the host) decide what happens next.
+/**
+ * Emit a named widget event through ctx.events.emit. Page-level event
+ * bindings (subscribed by the host) decide what happens next.
+ */
 export function useWidgetEvent(name) {
   const ctx = useWidgetContextOrThrow("useWidgetEvent");
   return useCallback((payload) => ctx.events.emit(name, payload), [ctx, name]);
 }
 
-// v0.1 scope: returns ThemeTokens. Host owns theme resolution per workspace.
+/**
+ * Returns the host-provided theme tokens. The host guarantees every field
+ * documented in CONTRACT.themeTokens is present (defaults merged with
+ * tenant overrides), so widgets read `theme.colors.primary` without
+ * optional chaining.
+ */
 export function useTheme() {
   const ctx = useWidgetContextOrThrow("useTheme");
   return ctx.workspace.theme;
 }
 
-// v0.1 scope: returns { locale, t }. Host owns translation tables;
-// the SDK does not bundle a translation engine.
+/**
+ * Returns { t, locale }. `t(key, fallback)` resolves `{{t:key}}` against
+ * the host's translation table and falls back to `fallback ?? key` when
+ * the key is missing. The host's i18n.t may or may not honour the two-arg
+ * form; we degrade gracefully either way.
+ */
 export function useI18n() {
   const ctx = useWidgetContextOrThrow("useI18n");
-  return ctx.i18n;
+  const i18n = ctx.i18n || {};
+  const locale = typeof i18n.locale === "string" ? i18n.locale : "en";
+  const hostT = typeof i18n.t === "function" ? i18n.t : null;
+  const t = useCallback(
+    (key, fallback) => {
+      if (typeof key !== "string" || !key) {
+        return typeof fallback === "string" ? fallback : "";
+      }
+      if (hostT) {
+        // Try the two-arg form first; if the host's `t` ignores `fallback`
+        // and returns the bare key on a miss, swap in the fallback.
+        const out = hostT(key, fallback);
+        if (typeof out === "string" && out.length > 0 && out !== key) {
+          return out;
+        }
+        // Host returned the key (unresolved) or nothing usable.
+        return typeof fallback === "string" ? fallback : key;
+      }
+      return typeof fallback === "string" ? fallback : key;
+    },
+    [hostT]
+  );
+  return { t, locale };
 }

package/dist/index.d.ts

@@ -54,6 +54,71 @@ export interface WidgetEventDescriptor {
   payloadSchema?: WidgetPropertySchema;
 }
 
+/**
+ * Optional datastore template a widget can ship in its manifest. When the
+ * tenant installs the widget, every declared table is created in their
+ * workspace alongside the WidgetInstallation row, named
+ * `<widgetDisplayName>_<suffix>` (auto-suffixed `_2`/`_3`/... on name
+ * collisions). The tables persist when the widget is uninstalled — the
+ * tenant may have authored records into them.
+ *
+ * The shape mirrors the built-in template registry on the backend, with
+ * two limits a third-party widget must satisfy (enforced at submission
+ * time by the static analyzer):
+ *
+ *   - At most 8 tables per widget. Templates exist to seed schema, not
+ *     to be a full database design tool.
+ *   - At most 24 columns per table. Same reason.
+ *
+ * RELATION columns reference siblings within the same template via
+ * `targetSuffix` — that suffix MUST belong to a table declared earlier
+ * in the array. There is intentionally no way to reference a table
+ * outside the widget's own template.
+ */
+export interface WidgetDatastoreTemplateColumn {
+  name: string;
+  dataType:
+    | "STRING"
+    | "TEXT"
+    | "NUMBER"
+    | "FLOAT"
+    | "BOOL"
+    | "DATE"
+    | "FILE"
+    | "STRING_ARRAY"
+    | "INT_ARRAY"
+    | "RELATION"
+    | "USER"
+    | "USER_GROUP";
+  required?: boolean;
+  /** For RELATION columns only — points at a sibling table's `suffix`. */
+  targetSuffix?: string;
+  /** For RELATION columns only. */
+  relationType?: "ONE_TO_ONE" | "ONE_TO_MANY" | "MANY_TO_MANY";
+  /** REQ-ACL-RELINHERIT: opt this RELATION column into row-level ACL inheritance. */
+  inheritAcl?: boolean;
+}
+
+export interface WidgetDatastoreTemplateTable {
+  /** Stable identifier within the template; appears in the created table name. */
+  suffix: string;
+  /** REQ-ACL-05: when true, the row creator gets full RWD+G on the new record. */
+  grantCreatorPermissions?: boolean;
+  /**
+   * REQ-TEMPLATES-ACL: optional table-level public grant. Omitted means
+   * the table starts purely per-record (record-level grants are the only
+   * access path). canRead opens reads to everyone (including anonymous);
+   * canWrite only lets authenticated APP_USERs insert; canDelete remains
+   * studio-owner only regardless.
+   */
+  publicGrant?: { canRead?: boolean; canWrite?: boolean; canDelete?: boolean };
+  columns: WidgetDatastoreTemplateColumn[];
+}
+
+export interface WidgetDatastoreTemplate {
+  tables: WidgetDatastoreTemplateTable[];
+}
+
 export interface WidgetManifest {
   id: string;
   name: string;
@@ -67,6 +132,14 @@ export interface WidgetManifest {
   requestedScopes: WidgetScope[];
   propertySchema: WidgetPropertySchema;
   events: WidgetEventDescriptor[];
+  /**
+   * Optional datastore template seeded into the tenant's workspace when
+   * the widget is installed. The author wires the resulting tables into
+   * the widget's `tableRef` properties via the Properties Panel — the
+   * SDK does not auto-bind them. See `WidgetDatastoreTemplate` for the
+   * structural constraints enforced at submission time.
+   */
+  datastoreTemplate?: WidgetDatastoreTemplate;
 }
 
 export interface ThemeTokens {
@@ -202,9 +275,28 @@ export function useTheme(): ThemeTokens;
 
 export function useI18n(): {
   locale: string;
-  t(key: string, vars?: Record<string, unknown>): string;
+  t(key: string, fallback?: string): string;
 };
 
+/**
+ * Error class thrown by useDatastoreMutation callbacks (and surfaced by
+ * useDatastoreQuery in its `error` slot). The `code` is a stable
+ * categorisation widgets can branch on.
+ */
+export class DatastoreError extends Error {
+  code:
+    | "VALIDATION"
+    | "CONSTRAINT_VIOLATION"
+    | "FORBIDDEN"
+    | "NOT_FOUND"
+    | "INTERNAL";
+  fieldErrors?: Record<string, string>;
+  constructor(code: DatastoreError["code"], message: string, opts?: {
+    fieldErrors?: Record<string, string>;
+    cause?: unknown;
+  });
+}
+
 export function WidgetContextProvider(props: {
   value: WidgetContext;
   children?: ReactNode;
@@ -228,3 +320,69 @@ export function lintSource(source: string): {
   ok: boolean;
   findings: LintFinding[];
 };
+
+// --------------------------------------------------------------- CONTRACT
+//
+// Single-source-of-truth contract artefact. See docs/design/ai-widget-contract.md.
+// The runtime value is `Object.freeze`d; the type below describes the
+// public shape consumers can read.
+
+export interface ContractHookEntry {
+  name: string;
+  signature: string;
+  returnShape: Record<string, string>;
+  requiredContextSlice: string[];
+  scopes: string[] | null;
+}
+
+export interface ContractPrimitiveEntry {
+  name: string;
+  description: string;
+  props: Record<
+    string,
+    { type: string; required?: boolean; description?: string }
+  >;
+}
+
+export interface ContractManifestField {
+  type: string;
+  required: boolean;
+  description?: string;
+  default?: unknown;
+  values?: readonly string[];
+  example?: unknown;
+}
+
+export interface ContractBundleShape {
+  name: string;
+  description: string;
+  predicate: string;
+  manifestSource: string;
+  audience: string;
+}
+
+export interface ContractBannedApi {
+  identifier: string;
+  reason: string;
+}
+
+export interface AiWidgetContract {
+  readonly version: string;
+  readonly hooks: ReadonlyArray<ContractHookEntry>;
+  readonly primitives: ReadonlyArray<ContractPrimitiveEntry>;
+  readonly manifestSchema: Readonly<Record<string, ContractManifestField>>;
+  readonly manifestCategories: ReadonlyArray<string>;
+  readonly manifestPlatforms: ReadonlyArray<string>;
+  readonly themeTokens: ThemeTokens;
+  readonly widgetContextShape: Readonly<
+    Record<string, { description: string; required: boolean; fields: Record<string, unknown> }>
+  >;
+  readonly bundleExportContract: ReadonlyArray<ContractBundleShape>;
+  readonly bannedApis: ReadonlyArray<ContractBannedApi>;
+  readonly allowedBareImports: ReadonlyArray<string>;
+}
+
+export const CONTRACT: AiWidgetContract;
+
+export function isHookAllowed(name: string): boolean;
+export function requiredContextKeys(): string[];

package/dist/index.js

@@ -7,6 +7,7 @@ export { validateManifest, canonicalCategory } from "./manifest.js";
 export { validatePropertySchema, validateProps } from "./property-schema.js";
 export {
   WidgetContextProvider,
+  DatastoreError,
   useDatastoreQuery,
   useDatastoreMutation,
   useWidgetEvent,
@@ -14,4 +15,5 @@ export {
   useI18n,
 } from "./hooks.js";
 export { Text, View, Pressable, Image, ScrollView } from "./primitives.js";
-export { lintSource } from "./linter.js";
+export { lintSource, bannedIdentifiers } from "./linter.js";
+export { CONTRACT, isHookAllowed, requiredContextKeys } from "./contract.js";

package/dist/index.native.js

@@ -7,6 +7,7 @@ export { validateManifest, canonicalCategory } from "./manifest.js";
 export { validatePropertySchema, validateProps } from "./property-schema.js";
 export {
   WidgetContextProvider,
+  DatastoreError,
   useDatastoreQuery,
   useDatastoreMutation,
   useWidgetEvent,
@@ -14,4 +15,5 @@ export {
   useI18n,
 } from "./hooks.js";
 export { Text, View, Pressable, Image, ScrollView } from "./primitives.native.js";
-export { lintSource } from "./linter.js";
+export { lintSource, bannedIdentifiers } from "./linter.js";
+export { CONTRACT, isHookAllowed, requiredContextKeys } from "./contract.js";

package/dist/linter.js

@@ -2,29 +2,62 @@
 // Scans widget source for banned patterns. Pure text scanning — no AST parsing
 // dep — which is sufficient to gate v0.1 submissions and gives clear pointers
 // to humans during review.
+//
+// The banned-identifier list is derived from `CONTRACT.bannedApis` so the
+// system prompt, the linter, and the runtime allowlist agree.
 
-const RULES = [
-  {
-    id: "no-eval",
-    label: "eval() is forbidden",
-    pattern: /\beval\s*\(/,
-  },
-  {
-    id: "no-new-function",
-    label: "new Function() is forbidden",
-    pattern: /\bnew\s+Function\s*\(/,
-  },
-  {
-    id: "no-function-constructor",
-    label: "Function() constructor is forbidden",
-    // Bare Function( call not preceded by identifier/property char.
-    pattern: /(^|[^A-Za-z0-9_$.])Function\s*\(/,
-  },
-  {
-    id: "no-dynamic-import",
-    label: "dynamic import() is forbidden",
-    pattern: /(^|[^A-Za-z0-9_$.])import\s*\(/,
-  },
+import { CONTRACT } from "./contract.js";
+
+// Per-identifier match rule. Most banned identifiers compile to a
+// whole-word match; a few have special syntax (`Function(`, `new Function`,
+// `import(`) that needs a tighter regex.
+function _ruleForIdentifier(identifier, reason) {
+  const id = identifier;
+  if (id === "Function") {
+    return {
+      id: "no-function-constructor",
+      label: `${reason} (banned: Function() constructor)`,
+      pattern: /(^|[^A-Za-z0-9_$.])Function\s*\(/,
+    };
+  }
+  if (id === "new Function") {
+    return {
+      id: "no-new-function",
+      label: `${reason} (banned: new Function())`,
+      pattern: /\bnew\s+Function\s*\(/,
+    };
+  }
+  if (id === "import(") {
+    return {
+      id: "no-dynamic-import",
+      label: `${reason} (banned: dynamic import())`,
+      pattern: /(^|[^A-Za-z0-9_$.])import\s*\(/,
+    };
+  }
+  if (id === "eval") {
+    return {
+      id: "no-eval",
+      label: `${reason} (banned: eval)`,
+      pattern: /\beval\s*\(/,
+    };
+  }
+  // Default: word-boundary anchored. Used for the simple identifier
+  // forms (`window`, `document`, `process`, ...).
+  const escaped = id.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  return {
+    id: `no-${id.toLowerCase()}`,
+    label: `${reason} (banned: ${id})`,
+    pattern: new RegExp(`\\b${escaped}\\b`),
+  };
+}
+
+const CONTRACT_RULES = CONTRACT.bannedApis.map((b) =>
+  _ruleForIdentifier(b.identifier, b.reason),
+);
+
+// Extra rules that don't map 1:1 to a banned identifier in the contract:
+// host-internal imports that widgets must never touch.
+const EXTRA_RULES = [
   {
     id: "no-auth-store-import",
     label: "widgets must not import the host's auth store",
@@ -32,11 +65,24 @@ const RULES = [
   },
   {
     id: "no-axios-import",
-    label: "widgets must not import axios directly; use the injected datastore client",
+    label:
+      "widgets must not import axios directly; use the injected datastore client",
     pattern: /from\s+['"]axios['"]|require\s*\(\s*['"]axios['"]\s*\)/,
   },
 ];
 
+const RULES = [...CONTRACT_RULES, ...EXTRA_RULES];
+
+/**
+ * Returns the contract-derived list of banned identifiers. Exposed so the
+ * SDK contract test (and any host build step that wants to surface the
+ * list to humans) can read the canonical set without re-parsing the
+ * source.
+ */
+export function bannedIdentifiers() {
+  return CONTRACT.bannedApis.map((b) => b.identifier);
+}
+
 /**
  * Lint a JavaScript source string.
  * @param {string} source
@@ -46,7 +92,9 @@ export function lintSource(source) {
   if (typeof source !== "string") {
     return {
       ok: false,
-      findings: [{ rule: "input", label: "source must be a string", line: 0, snippet: "" }],
+      findings: [
+        { rule: "input", label: "source must be a string", line: 0, snippet: "" },
+      ],
     };
   }
   const findings = [];