npm - @netsapiens/horizon-sdk - Versions diffs - 0.1.5 → 0.1.6 - Mend

@netsapiens/horizon-sdk 0.1.5 → 0.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md CHANGED Viewed

@@ -19,9 +19,169 @@ This package is for **third-party developers**. It provides:
 npm install @netsapiens/horizon-sdk
 ```
-Peer deps: `react ^18 || ^19`, `react-dom ^18 || ^19`, `loglevel ^1.9`.
+Peer deps: `react ^19`, `react-dom ^19`, `loglevel ^1.9`.
-> Do **not** add `@mui/material`, `@emotion/*`, or `@mui/x-data-grid-pro` to your `package.json` or your webpack `shared` config. The host's federation loader does not expose them as shared modules — declaring them as singletons causes a version-mismatch crash at load time. Use all MUI components via `horizonContext.ui` instead; that is how Aurora theme and dark mode reach your app.
+> Do **not** add `@mui/material`, `@emotion/*`, or `@mui/x-data-grid-pro` to your `package.json` or your webpack `shared` config. The host's federation loader does not expose them as shared modules — declaring them as singletons causes a version-mismatch crash at load time. Use all MUI components via `horizonContext.ui` instead; that is how theme and dark mode reach your app.
+---
+## What's in `horizonContext`
+Your `App` component receives this object as props; page components read it with `useHorizonContext()`.
+| Field            | Notes                                                                                                   |
+| ---------------- | ------------------------------------------------------------------------------------------------------- |
+| `user`           | `displayName`, `domain`, `email?`, `extension?`, `scope?`, `department?`, `site?` (+ extras)            |
+| `auth`           | `isAuthenticated()`, plus the remote-auth methods (see [Remote authentication](#remote-authentication)) |
+| `api`            | Authenticated NetSapiens v2 client (`get`/`post`/`put`/`delete`/`getBaseUrl`)                           |
+| `theme`          | `'light'` \| `'dark'` (reactive)                                                                        |
+| `locale`         | e.g. `'en-US'` (reactive)                                                                               |
+| `t(key, opts?)`  | Host i18next translation function — all host strings are available, no setup needed                     |
+| `navigate(path)` | Pushes a route in the host router                                                                       |
+| `eventBus`       | `emit`/`on`/`off` for cross-app messages                                                                |
+| `ui`             | Pre-themed components and templates (see below)                                                         |
+| `breadcrumbs`    | Current breadcrumb trail (optional)                                                                     |
+---
+## Using `horizonContext.ui`
+Don't ship MUI yourself — render Horizon's themed components instead. They inherit the host's MUI theme, including automatic dark/light mode switching.
+> **Styling is handled by the SDK UI components.** They inherit the host theme (dark mode included) and sensible layout defaults, so you rarely set styling yourself.
+> **Renders are isolated.** Each extension and side panel you render is wrapped in an error boundary by the host — a render error in your component shows a fallback instead of crashing the host page.
+Page components read the context with `useHorizonContext()`; extension components receive it as a `context` prop:
+```tsx
+// Page component — read the context with the hook
+import { useHorizonContext } from "@netsapiens/horizon-sdk";
+export default function MyPage() {
+  const { ui, user } = useHorizonContext();
+  const { PageTemplate, DatagridTemplate } = ui.templates;
+  const { Button, Stack, Typography } = ui;
+  return (
+    <PageTemplate
+      title="My Page"
+      breadcrumbs={[{ label: "Apps", url: "/apps" }]}
+    >
+      <Stack spacing={2}>
+        <Typography variant="h5">Hello, {user.displayName}</Typography>
+        <Button variant="contained">Action</Button>
+      </Stack>
+    </PageTemplate>
+  );
+}
+```
+```tsx
+// Extension component — the host passes `context`
+function MyButton({ context }: ExtensionComponentProps) {
+  const { Button } = context.ui ?? {};
+  return <Button variant="contained">Click</Button>;
+}
+```
+Available under `horizonContext.ui` (or via `useHorizonContext().ui`):
+- `templates`: `PageTemplate`, `PageTemplateWithExtensions`, `FormTemplate`, `SidePanel`, `FormPanel`, `DatagridTemplate`
+> **`DatagridTemplate` and the MUI X Pro license** — `DatagridTemplate` wraps MUI's `DataGridPro` internally, which is a paid licensed component. The license is held by the Horizon host; **you do not need an MUI X Pro license** and must not import `@mui/x-data-grid-pro` directly in your remote app. Always use `DatagridTemplate` from the SDK.
+- Form: `Button`, `IconButton`, `TextField`, `Select`, `Checkbox`, `Radio`, `RadioGroup`, `Switch`, `ToggleButton`, `ToggleButtonGroup`, `FormLabel`, `FormControlLabel`
+- Display: `Typography`, `Chip`, `Avatar`, `Divider`, `Tooltip`, `Icon`
+- Layout: `Stack`, `Paper`
+- Feedback: `Alert`
+- `theme` (`'light' | 'dark'`, reactive via `useHorizonContext()`) and `styles` for derived tokens
+#### IconButton — shorthand-only API
+`IconButton` does **not** accept the standard MUI children pattern. It is a shorthand wrapper that takes the icon name as a string prop:
+```tsx
+// ✅ Correct — pass the Iconify name via the `icon` prop
+<IconButton icon="mdi:account" aria-label="Account" />
+<IconButton icon="material-symbols:bolt" iconSize={18} size="small" onClick={handleClick} />
+// ❌ Wrong — children are dropped, the button renders empty at 0×0
+<IconButton aria-label="Account">
+  <Icon icon="mdi:account" />
+</IconButton>
+```
+The TypeScript types reject the children pattern at compile time. If you ever see a 0×0 button in the DOM, this is the first thing to check.
+Other themed components (`Button`, `Stack`, `Paper`, etc.) follow the standard MUI children pattern.
+#### SidePanel & FormPanel — right-side drawers
+`SidePanel` and `FormPanel` are the shared right-drawer components Horizon uses for its own add/edit forms and detail panels. Reach for these when building a right-side drawer so it matches the host exactly and picks up the `form-section-*` extension zones automatically.
+**`SidePanel`** — the drawer shell (sticky header, scrollable body, optional sticky footer). Use for detail/view/settings panels:
+```tsx
+const { SidePanel } = ui.templates;
+<SidePanel
+  open={open}
+  onClose={() => setOpen(false)}
+  title="Details"
+  subtitle="Read-only"
+  width="lg" // 'sm' | 'md' | 'lg' | 'xl'
+  footer={<Button onClick={() => setOpen(false)}>Close</Button>}
+>
+  {/* body */}
+</SidePanel>;
+```
+**`FormPanel`** — `SidePanel` + a `<form>`, a Submit/Cancel footer, and the `form-section-before` / `form-section-after` extension zones built in:
+```tsx
+const { FormPanel } = ui.templates;
+<FormPanel
+  open={open}
+  onClose={() => setOpen(false)}
+  title="Add widget"
+  formType="widget" // identifies the form to extensions
+  mode="add" // 'add' | 'edit'
+  formData={values} // live values handed to extensions
+  onSubmit={(e) => {
+    e?.preventDefault();
+    save(values);
+  }}
+  submitLabel="Add"
+  isSubmitting={pending}
+  error={error}
+>
+  {/* field sections */}
+</FormPanel>;
+```
+**Multi-step wizard** — pass `steps` instead of `children`; FormPanel renders the stepper header and a Back/Next/Submit footer. Each step's optional `validate` gates forward navigation (return `boolean | Promise<boolean>`):
+```tsx
+<FormPanel
+  open={open}
+  onClose={() => setOpen(false)}
+  title="Setup"
+  formType="setup"
+  mode="add"
+  onSubmit={handleSubmit(onValid)}
+  isComplete={isValid} // offer Submit before the last step
+  steps={[
+    {
+      label: "Basics",
+      content: <BasicsStep />,
+      validate: () => trigger(["name"]),
+    },
+    { label: "Options", content: <OptionsStep /> },
+  ]}
+/>
+```
 ---
@@ -75,21 +235,6 @@ export default function MyButton({ context }: ExtensionComponentProps) {
 ---
-## What's in `horizonContext`
-| Field            | Notes                                                                         |
-| ---------------- | ----------------------------------------------------------------------------- |
-| `user`           | `displayName`, `domain`, `email?`, plus host-defined extras                   |
-| `auth`           | `isAuthenticated()`                                                           |
-| `api`            | Authenticated NetSapiens v2 client (`get`/`post`/`put`/`delete`/`getBaseUrl`) |
-| `theme`          | `'light'` \| `'dark'`                                                         |
-| `locale`         | e.g. `'en-US'`                                                                |
-| `navigate(path)` | Pushes a route in the host router                                             |
-| `eventBus`       | `emit`/`on`/`off` for cross-app messages                                      |
-| `ui`             | Pre-themed components and templates (see below)                               |
----
 ## Registration APIs
 ### Routes — full pages added to Horizon
@@ -119,7 +264,7 @@ const MySettingsRoute = useMemo(
 sdk.registerRoute({
   id: "my-app.settings",
-  parentPath: "/home", // attach under Apps menu
+  parentPath: "/home", // attach under the My Account menu
   path: "my-settings", // → /home/my-settings
   label: "My Settings",
   icon: "mdi:cog",
@@ -128,39 +273,14 @@ sdk.registerRoute({
 });
 ```
-#### Menu placement
-Use `placement` to control where your route appears in the menu. You can position relative to existing menu items using semantic anchors:
-```tsx
-sdk.registerRoute({
-  id: "my-app.settings",
-  parentPath: "/home",
-  path: "my-settings",
-  label: "My Settings",
-  icon: "mdi:cog",
-  placement: { after: "settings" }, // After the Settings item
-  component: MySettingsRoute,
-});
-```
-**Placement options:**
-- `{ after: 'anchor-id' }` — Place immediately after the specified item
-- `{ before: 'anchor-id' }` — Place immediately before the specified item
-- `{ first: true }` — Force to the start of the menu
-- `{ last: true }` — Force to the end of the menu (default if no placement specified)
-The system uses fuzzy matching with a 0.8 similarity threshold, so minor typos (e.g., `contats` instead of `contacts`) will still work. If the anchor isn't found, your item is placed at the end of the menu with a console warning.
-Inside the page component, read context with `useHorizonContext()` instead of accepting it as props:
+Inside the page component, read context with `useHorizonContext()`:
 ```tsx
 // src/pages/MySettingsPage.tsx
 import { useHorizonContext } from "@netsapiens/horizon-sdk";
 export default function MySettingsPage() {
-  const { ui, user, navigate, theme } = useHorizonContext();
+  const { ui, user, navigate } = useHorizonContext();
   const { PageTemplate } = ui.templates;
   const { Button, Stack, Typography } = ui;
@@ -186,7 +306,7 @@ The `useRoute` hook handles register + unregister automatically:
 useRoute(horizonContext.eventBus, 'my-app', { id: '...', /* ... */, component: MySettingsRoute });
 ```
-If your route component lives in a separate exposed module, use `useRouteFromModule`:
+If your route's page component is **exposed as a separate Module Federation module** in your own bundle (rather than imported into your entry `App`), use `useRouteFromModule` — it loads that exposed module from your container and registers it as a route. (This is for splitting up your _own_ app's code; it does not pull a component from another app.)
 ```tsx
 const { loading, error } = useRouteFromModule(
@@ -198,10 +318,21 @@ const { loading, error } = useRouteFromModule(
     path: "my-settings",
     label: "My Settings",
   },
-  { scope: "myApp", module: "./SettingsPage" },
+  { scope: "myApp", module: "./SettingsPage" }, // an exposed module in YOUR webpack config
 );
 ```
+#### Menu placement
+Use `placement` to control where your route appears in the menu, relative to existing menu items:
+- `{ after: 'anchor-id' }` — Place immediately after the specified item
+- `{ before: 'anchor-id' }` — Place immediately before the specified item
+- `{ first: true }` — Force to the start of the menu
+- `{ last: true }` — Force to the end of the menu (default if no placement specified)
+The anchor is the human-readable id/label of an existing item (e.g. `'contacts'`, `'devices'`, `'settings'`). The host resolves it with **fuzzy matching**, so minor differences and typos (e.g. `contats`) still match. If no anchor matches, your item is placed at the end of the menu with a console warning.
 ### Dynamic extensions — inject UI into host pages
 Extensions render at named **zones** on routes that match a **pattern**. You don't need the host page to opt in.
@@ -218,23 +349,22 @@ sdk.registerDynamicExtension({
 });
 ```
-**Available zones:**
+**Available zones** (the zones the host mounts today):
-| Zone                    | Where it renders                                                               |
-| ----------------------- | ------------------------------------------------------------------------------ |
-| `page-header-actions`   | Right side of any page header                                                  |
-| `page-header-secondary` | Subtitle row of page header (badges, status)                                   |
-| `page-content-after`    | Below main page content                                                        |
-| `sidetray`              | Side tray panel (open/close via host toggle)                                   |
-| `table-toolbar`         | Above any DataGrid                                                             |
-| `table-filter-bar`      | Filter chips inline with search bar; pass a row predicate via `onFilterChange` |
-| `table-row-actions`     | Per-row action column                                                          |
-| `detail-panel-tabs`     | Detail-panel tab strip                                                         |
-| `detail-panel-actions`  | Detail-panel action area                                                       |
-| `topbar-actions`        | Global top app bar (after comms, before utilities)                             |
-| `inbound-call-content`  | Incoming-call notification body                                                |
+| Zone                    | Where it renders                                                                   |
+| ----------------------- | ---------------------------------------------------------------------------------- |
+| `page-header-actions`   | Right side of any page header                                                      |
+| `page-header-secondary` | Subtitle row of the page header (badges, status)                                   |
+| `page-content-after`    | Below the main page content                                                        |
+| `topbar-actions`        | Global top app bar (after comms buttons, before utilities)                         |
+| `table-toolbar`         | Toolbar above any DataGrid                                                         |
+| `table-filter-bar`      | Filter chips inline with the search bar; pass a row predicate via `onFilterChange` |
+| `table-row-actions`     | Per-row action column                                                              |
+| `form-section-before`   | Above a form's field sections (`SidePanel`/`FormPanel`)                            |
+| `form-section-after`    | Below a form's fields, before the action buttons                                   |
+| `inbound-call-content`  | Incoming-call notification body                                                    |
-> **Note**: Check Platform → UI SDK Management → SDK Settings for the current list of available zones and their descriptions.
+> **Note**: Check Platform → UI SDK Management → SDK Settings for the live list of zones (a platform admin can disable individual zones).
 Custom zones (any string) work for pages that explicitly render `<DynamicExtensionRenderer zone="my-zone" />`.
@@ -260,11 +390,7 @@ useDynamicExtension(horizonContext.eventBus, "my-app", {
 #### table-filter-bar zone
-Pages that render a filter bar (e.g. active calls, hardphone devices) expose a
-`TableFilterBarContext` via `context.pageContext`. Extensions in this zone render
-alongside the host's built-in filter chips and can drive row-level filtering by
-passing a **predicate function** to `onFilterChange`. The host applies the function
-generically — your extension owns the filtering logic, not the host.
+Pages that render a filter bar expose a `TableFilterBarContext` via `context.pageContext`. Extensions in this zone render alongside the host's built-in filter chips and can drive row-level filtering by passing a **predicate function** to `onFilterChange`. The host applies the function generically — your extension owns the filtering logic, not the host.
 ```tsx
 import { useState } from "react";
@@ -282,10 +408,9 @@ export function VipFilter({ context }: ExtensionComponentProps) {
     const next = value === "vip";
     setActive(next);
     if (next) {
-      filterCtx?.onFilterChange((row) => {
-        const r = row as Record<string, unknown>;
-        return r["customer-tier"] === "vip";
-      });
+      filterCtx?.onFilterChange(
+        (row) => (row as Record<string, unknown>)["customer-tier"] === "vip",
+      );
     } else {
       filterCtx?.onFilterChange(null); // clear — show all rows
     }
@@ -302,14 +427,6 @@ export function VipFilter({ context }: ExtensionComponentProps) {
     />
   );
 }
-// Register against any page that exposes a filter bar
-sdk.registerDynamicExtension({
-  id: "my-app.vip-filter",
-  zone: "table-filter-bar",
-  routes: [{ pattern: "/manage/:domain/call-logs" }],
-  component: VipFilter,
-});
 ```
 `TableFilterBarContext` fields:
@@ -318,21 +435,16 @@ sdk.registerDynamicExtension({
 | ---------------- | --------------------------------------------------------- | ----------------------------------------------------- |
 | `onFilterChange` | `(filterFn: ((row: unknown) => boolean) \| null) => void` | Pass a predicate to filter rows; pass `null` to clear |
-**Important:** track active/inactive state locally with `useState` in your component —
-`TableFilterBarContext` does not expose the current filter state back to you.
+**Important:** track active/inactive state locally with `useState` — `TableFilterBarContext` does not expose the current filter state back to you.
 > **React `useState` gotcha** — never pass a filter function directly to `setState`:
 >
 > ```ts
-> // ❌ React treats functions as lazy initializers, calling fn(prevState)
-> setMyFilter(filterFn);
->
-> // ✅ Wrap in an arrow function so React stores the function, not its return value
-> setMyFilter(() => filterFn);
+> setMyFilter(filterFn); // ❌ React treats functions as lazy initializers, calling fn(prev)
+> setMyFilter(() => filterFn); // ✅ Wrap in an arrow so React stores the function itself
 > ```
 >
-> This only affects you if you're storing the filter function in your own component state.
-> The host DataTable handles this correctly internally.
+> This only affects you if you store the filter function in your own component state. The host DataTable handles this correctly internally.
 ### Dynamic table columns
@@ -357,149 +469,7 @@ sdk.registerDynamicColumn({
 Hook: `useDynamicColumn(eventBus, appId, config)`.
----
-## Using `horizonContext.ui`
-Don't ship MUI yourself — render Horizon's themed components instead. They inherit the host's Aurora MUI theme, including automatic dark/light mode switching.
-The recommended pattern uses `useHorizonContext()` (see Routes above). The old pattern of accepting `horizonContext` as props still works for extension components:
-```tsx
-// Recommended — page component using the hook (fully reactive theme)
-import { useHorizonContext } from "@netsapiens/horizon-sdk";
-export default function MyPage() {
-  const { ui, user } = useHorizonContext();
-  const { PageTemplate, DatagridTemplate } = ui.templates;
-  const { Button, Stack, Typography } = ui;
-  return (
-    <PageTemplate
-      title="My Page"
-      breadcrumbs={[{ label: "Apps", url: "/apps" }]}
-    >
-      <Stack spacing={2}>
-        <Typography variant="h5">Hello, {user.displayName}</Typography>
-        <Button variant="contained">Action</Button>
-      </Stack>
-    </PageTemplate>
-  );
-}
-```
-```tsx
-// Legacy — still works for extension components (not full pages)
-function MyButton({ context }: ExtensionComponentProps) {
-  const { Button } = context.ui ?? {};
-  return <Button variant="contained">Click</Button>;
-}
-```
-Available under `horizonContext.ui` (or via `useHorizonContext().ui`):
-- `templates`: `PageTemplate`, `PageTemplateWithExtensions`, `FormTemplate`, `SidePanel`, `FormPanel`, `DatagridTemplate`
-> **`DatagridTemplate` and the MUI X Pro license** — `DatagridTemplate` wraps MUI's `DataGridPro` internally, which is a paid licensed component. The license is held by the Horizon host; **you do not need an MUI X Pro license** and must not import `@mui/x-data-grid-pro` directly in your remote app. Always use `DatagridTemplate` from the SDK.
-- Form: `Button`, `IconButton`, `TextField`, `Select`, `Checkbox`, `Radio`, `RadioGroup`, `Switch`, `ToggleButton`, `ToggleButtonGroup`, `FormLabel`, `FormControlLabel`
-- Display: `Typography`, `Chip`, `Avatar`, `Divider`, `Tooltip`, `Icon`
-- Layout: `Stack`, `Paper`
-- Feedback: `Alert`
-- `theme` (`'light' | 'dark'`, reactive via `useHorizonContext()`) and `styles` for derived tokens
-#### IconButton — shorthand-only API
-`IconButton` does **not** accept the standard MUI children pattern. It is a shorthand wrapper that takes the icon name as a string prop:
-```tsx
-// ✅ Correct — pass the Iconify name via the `icon` prop
-<IconButton icon="mdi:account" aria-label="Account" />
-<IconButton icon="material-symbols:bolt" iconSize={18} size="small" onClick={handleClick} />
-// ❌ Wrong — children are dropped, the button renders empty at 0×0
-<IconButton aria-label="Account">
-  <Icon icon="mdi:account" />
-</IconButton>
-```
-The TypeScript types reject the children pattern at compile time. If you ever see a 0×0 button in the DOM, this is the first thing to check.
-Other themed components (`Button`, `Stack`, `Paper`, etc.) follow the standard MUI children pattern.
-#### SidePanel & FormPanel — right-side drawers
-`SidePanel` and `FormPanel` are the shared right-drawer components Horizon uses
-for its own add/edit forms and detail panels. Reach for these when building a
-right-side drawer so it matches the host exactly and picks up the
-`form-section-*` extension zones automatically.
-**`SidePanel`** — the drawer shell (sticky header, scrollable body, optional
-sticky footer). Use for detail/view/settings panels:
-```tsx
-const { SidePanel } = ui.templates;
-<SidePanel
-  open={open}
-  onClose={() => setOpen(false)}
-  title="Details"
-  subtitle="Read-only"
-  width="lg" // 'sm' | 'md' | 'lg' | 'xl'
-  footer={<Button onClick={() => setOpen(false)}>Close</Button>}
->
-  {/* body */}
-</SidePanel>;
-```
-**`FormPanel`** — `SidePanel` + a `<form>`, a Submit/Cancel footer, and the
-`form-section-before` / `form-section-after` extension zones built in:
-```tsx
-const { FormPanel } = ui.templates;
-<FormPanel
-  open={open}
-  onClose={() => setOpen(false)}
-  title="Add widget"
-  formType="widget" // identifies the form to extensions
-  mode="add" // 'add' | 'edit'
-  formData={values} // live values handed to extensions
-  onSubmit={(e) => {
-    e?.preventDefault();
-    save(values);
-  }}
-  submitLabel="Add"
-  isSubmitting={pending}
-  error={error}
->
-  {/* field sections */}
-</FormPanel>;
-```
-**Multi-step wizard** — pass `steps` instead of `children`; FormPanel renders the
-stepper header and a Back/Next/Submit footer. Each step's optional `validate`
-gates forward navigation (return `boolean | Promise<boolean>`):
-```tsx
-<FormPanel
-  open={open}
-  onClose={() => setOpen(false)}
-  title="Setup"
-  formType="setup"
-  mode="add"
-  onSubmit={handleSubmit(onValid)}
-  isComplete={isValid} // offer Submit before the last step
-  steps={[
-    {
-      label: "Basics",
-      content: <BasicsStep />,
-      validate: () => trigger(["name"]),
-    },
-    { label: "Options", content: <OptionsStep /> },
-  ]}
-/>
-```
+Registered columns **right-align by default** (header and cell) to match Horizon's native data-table columns — you don't need to set `align`. Override per column with `align`/`headerAlign: 'left' | 'center'`.
 ---
@@ -507,7 +477,7 @@ gates forward navigation (return `boolean | Promise<boolean>`):
 Dark mode is handled automatically — **you write no theme-switching code for MUI components**.
-MUI components (`Button`, `Paper`, `Stack`, `DatagridTemplate`, etc.) inherit the host's Aurora ThemeProvider via the shared module singleton and switch the moment the user toggles the theme. For any conditional logic that reads the theme string (custom colors, conditional icons, etc.), use `useTheme()`:
+MUI components (`Button`, `Paper`, `Stack`, `DatagridTemplate`, etc.) inherit the host's ThemeProvider via the shared module singleton and switch the moment the user toggles the theme. For any conditional logic that reads the theme string (custom colors, conditional icons, etc.), use `useTheme()`:
 ```tsx
 import { useTheme } from "@netsapiens/horizon-sdk";
@@ -522,19 +492,10 @@ import { useTheme } from "@netsapiens/horizon-sdk";
 ```tsx
 // Page component
-export default function MyPage() {
-  const { theme } = useTheme(); // no argument needed inside HorizonContextProvider
-  return (
-    <div style={{ background: theme === "dark" ? "#1B2124" : "#fff" }}>...</div>
-  );
-}
+const { theme } = useTheme(); // no argument needed inside HorizonContextProvider
 // Extension component
-export default function MyButton({ context }: ExtensionComponentProps) {
-  const { theme } = useTheme(context.eventBus); // pass eventBus for extensions
-  const { Button } = context.ui ?? {};
-  return <Button>{theme === "dark" ? "🌙" : "☀️"} Export</Button>;
-}
+const { theme } = useTheme(context.eventBus); // pass eventBus for extensions
 ```
 > Do not subscribe to `theme:changed` on the event bus manually. `useTheme()` handles the subscription and cleanup internally.
@@ -546,9 +507,9 @@ export default function MyButton({ context }: ExtensionComponentProps) {
 ```tsx
 const { api, user } = horizonContext;
 const devices = await api.get(
-  `/domains/${user.domain}/users/${user.displayName}/devices`,
+  `/domains/${user.domain}/users/${user.extension}/devices`,
 );
-await api.post(`/domains/${user.domain}/users/${user.displayName}/contacts`, {
+await api.post(`/domains/${user.domain}/users/${user.extension}/contacts`, {
   "name-first-name": "John",
 });
 ```
@@ -557,21 +518,54 @@ All calls run through Horizon's audited proxy — credentials never reach the re
 ---
+## Remote authentication
+When your app needs to call **your own backend** (or a third-party vendor) on behalf of the signed-in user, have the host broker a trusted identity handshake. This lets your server verify that a request genuinely represents the current Horizon user — without your app ever handling Horizon credentials.
+```tsx
+const { auth } = horizonContext;
+const token = await auth.requestRemoteAuth({
+  vendorId: "my-backend", // your system/vendor id
+  callbackUrl: "https://api.example.com/horizon/callback", // your backend webhook
+  scopes: ["contacts:read"], // optional
+});
+// token: { vendorId, accessToken, tokenType?, expiresAt?, refreshToken?, metadata? }
+```
+**Flow:**
+1. Your app calls `auth.requestRemoteAuth(...)`.
+2. The host validates the request — the app must have remote auth enabled and the `callbackUrl` host must be on the app's allowed-hostnames list — then brokers the handshake and delivers a signed auth code to your `callbackUrl`.
+3. **Your backend verifies authenticity** by checking the HMAC signature header (`X-NS-Signature`) against your app's shared callback secret. A valid signature proves the request came from Horizon, so you can trust the asserted user identity, then issue your own token.
+4. The promise resolves with a `RemoteAuthResponse` (your token), cached for the session; it rejects with a `RemoteAuthError` on failure or timeout.
+Retrieve or clear a cached token later:
+```tsx
+const cached = auth.getRemoteAuthToken("my-backend"); // RemoteAuthResponse | null
+auth.clearRemoteAuthToken("my-backend"); // sign out of the vendor
+```
+**Admin setup (per app, in Registered Apps):** enable remote auth, list the allowed callback hostname(s), and set the callback signing secret your backend uses to verify the `X-NS-Signature`.
+---
 ## Event bus
 For cross-app messages and host events:
 ```tsx
 useEffect(() => {
-  const handler = (data: unknown) => console.log("theme changed", data);
-  horizonContext.eventBus.on("theme:changed", handler);
-  return () => horizonContext.eventBus.off("theme:changed", handler);
+  const handler = (data: unknown) => console.log("call event", data);
+  horizonContext.eventBus.on("call-event", handler);
+  return () => horizonContext.eventBus.off("call-event", handler);
 }, []);
 ```
 Common host-emitted events: `theme:changed`, `call-event`, `routes:updated`. Apps can emit any custom event under their own namespace (`my-app:something`).
-> **You do not need to subscribe to `theme:changed` anywhere.** Use `useTheme()` from the SDK — it handles the subscription internally for both page components and extension components. See the Dark mode section.
+> There is **no generic `useEvent` hook** — subscribe directly with `context.eventBus.on(...)` / `.off(...)` and clean up in your effect. The SDK only wraps the specific events it manages for you: `useTheme()` (theme changes), `useLocale()` (locale changes), and `useSidePanel()`. In particular, **do not** subscribe to `theme:changed` yourself — use `useTheme()`.
 ---
@@ -586,7 +580,7 @@ Your app is delivered as a static bundle served over HTTPS. Before you can regis
 **CORS** — The Horizon host makes a cross-origin request to fetch your `remoteEntry.js`. Your server must respond with:
 ```
-Access-Control-Allow-Origin: https://your-horizon-instance.com
+Access-Control-Allow-Origin: https://your-horizon-instance.fqdn
 ```
 During local development the webpack dev server sets `Access-Control-Allow-Origin: *` (any origin) so you can test against any Horizon instance. Tighten this to the specific Horizon domain before deploying to production — `*` in production means any website could load your bundle.
@@ -622,7 +616,7 @@ module.exports = (_env, argv) => ({
         loglevel: { singleton: true, requiredVersion: "^1.9.0" },
         "@netsapiens/horizon-sdk": {
           singleton: true,
-          requiredVersion: "^1.0.0",
+          requiredVersion: "^0.1.0", // match the @netsapiens/horizon-sdk version you installed
         },
         // Do NOT add @mui/material, @emotion/*, or @mui/x-data-grid-pro here.
@@ -630,7 +624,7 @@ module.exports = (_env, argv) => ({
         // so declaring it as a singleton causes an "Unsatisfied version" crash.
         //
         // Instead, consume all MUI components via horizonContext.ui — this is
-        // what gives your components the Aurora theme and dark mode automatically.
+        // what gives your components the theme and dark mode automatically.
       },
     }),
   ],
@@ -655,7 +649,7 @@ curl -X POST "https://your-horizon-instance.com/ns-api/v2/ui-extensions" \
     "description": "Short description shown in the app list",
     "version": "1.0.0",
     "remote_entry_url": "https://cdn.example.com/my-app/remoteEntry.js",
-    "module_scope": "myApp",
+    "webpack_module": "myApp",
     "author": "Acme Corp",
     "enabled": true
   }'
@@ -675,7 +669,7 @@ curl -X POST "https://your-horizon-instance.com/ns-api/v2/ui-extensions" \
 ### Extension App ID
-The **Extension App ID** (stored as `module_scope`) is the single most important field to get right. It must **exactly match** the `name` value in your webpack `ModuleFederationPlugin` config:
+The **Extension App ID** (the API field `webpack_module`) is the single most important field to get right. It must **exactly match** the `name` value in your webpack `ModuleFederationPlugin` config:
 ```js
 // webpack.config.js
@@ -687,14 +681,14 @@ new ModuleFederationPlugin({
 ```json
 // Registration
-{ "module_scope": "myUcaasApp" }
+{ "webpack_module": "myUcaasApp" }
 ```
 **Why it matters:** At runtime, the platform loads your bundle and calls `window['myUcaasApp'].init(...)` to initialise the federation container. If the name doesn't match exactly — including case — the container won't be found and your app silently fails to load with no visible error.
 **Rules:**
-- Must be unique across every app registered on the platform — duplicate names cause both apps to fail
+- Must be **unique platform-wide**. The API enforces this with a database unique constraint and returns **HTTP `409 Conflict`** if the `webpack_module` is already taken — on both register and update. Pick a distinctive, namespaced value (e.g. `acmeCrmSync`, not `crm`).
 - Use camelCase (e.g. `myUcaasApp`, not `my-ucaas-app` or `MyUcaasApp`)
 - No spaces or special characters
@@ -713,15 +707,11 @@ If the domain is not approved, your app will silently fail to load. Check the br
 After registering and refreshing the browser:
-1. **Open DevTools → Console** and look for log lines starting with `[Demo App]` or your app name — your `App.tsx` runs on page load and any `console.log` calls appear here
-2. **Check the network tab** — filter by your domain and look for `remoteEntry.js`. A `200` response confirms the bundle was fetched. A `CORS error` or `net::ERR_*` means the domain isn't reachable or CORS headers are missing
+1. **Open DevTools → Console** and look for log lines from your app — your `App.tsx` runs on page load and any `console.log` calls appear here
+2. **Check the network tab** — filter by your domain and look for `remoteEntry.js`. A `200` confirms the bundle was fetched; a `CORS error` or `net::ERR_*` means the domain isn't reachable or CORS headers are missing
 3. **Look for your registered routes** — if you called `sdk.registerRoute`, your page should appear in the navigation sidebar immediately after the app loads
 4. **Look for your extensions** — visit the route pattern your extension targets (e.g. `/manage/call-logs`) and confirm the injected component appears
-5. **Check the Registered Apps page** (Platform → UI SDK Management → Registered Apps) — the **Extension Zones** column will show which zones your app has active extensions registered in once it has loaded
+5. **Check the Registered Apps page** (Platform → UI SDK Management → Registered Apps) — the **Extension Zones** column shows which zones your app has active extensions in once it has loaded
 If nothing appears after a full page refresh:
@@ -729,6 +719,17 @@ If nothing appears after a full page refresh:
 - Confirm your CDN domain is approved (see above)
 - Check for JavaScript errors in the console — a crash in your `App.tsx` before `sdk.registerRoute` is called means nothing gets registered
+**Live QA toggle:** from the browser console, `window.__horizonSDKDebug__` exposes session-local debug helpers — handy for isolating whether an issue comes from a remote app:
+```js
+window.__horizonSDKDebug__.help(); // list all commands
+window.__horizonSDKDebug__.disableExtensionApps(); // reload with ALL remote apps off (this session only)
+window.__horizonSDKDebug__.enableExtensionApps(); // re-enable and reload
+window.__horizonSDKDebug__.enable(); // turn on verbose SDK logging
+```
+The disable state is session-local (persisted in `localStorage`), so it only affects your own browser.
 ---
 ## After registration
@@ -737,7 +738,7 @@ If nothing appears after a full page refresh:
 **Per-session load:** Your app's `App.tsx` mounts once per browser session inside a hidden container. It runs for the lifetime of the session, keeping all registrations active. Navigating between pages does not reload the app.
-**Enabling and disabling:** Toggling the **Enabled** switch takes effect immediately for new sessions — the running app list is refreshed in the background. Users in active sessions will see the change on their next page load.
+**Enabling and disabling:** Toggling the **Enabled** switch takes effect immediately for new sessions — the running app list is refreshed in the background. Users in active sessions see the change on their next page load.
 ---
@@ -751,6 +752,16 @@ If you use version-specific URLs (e.g. `cdn.example.com/my-app/v1.2.0/remoteEntr
 Active sessions continue using the version that loaded when they started. Users see the new version on their next page refresh.
+> **Integrity (SRI) checking — opt-in.** You may register an `integrity_hash` (Subresource Integrity hash of your `remoteEntry.js`, encoded as `sha384-<base64>`). When present, the host verifies the fetched bundle against it and refuses to load on mismatch; when absent, the check is skipped. It is opt-in today and not yet enforced by the platform.
+>
+> Generate the hash from your **build** so it always matches the emitted bundle, e.g.:
+>
+> ```bash
+> echo "sha384-$(openssl dgst -sha384 -binary dist/remoteEntry.js | openssl base64 -A)"
+> ```
+>
+> Submit that value as `integrity_hash` on register/update. When you redeploy, **regenerate it for the new bundle and update the registration** — a stale hash makes the app fail the integrity check and refuse to load.
 ### Disable vs. Delete
 | Action      | Effect                                                                                                                                     | Reversible?             |
@@ -788,32 +799,15 @@ Codes: `PERMISSION_DENIED`, `RATE_LIMIT_EXCEEDED`, `API_ERROR`, `NETWORK_ERROR`,
 ---
-## Scaffolding a new app with Claude Code
-Run the slash command:
-```
-/create-horizon-app
-```
-(see `.claude/skills/create-horizon-app.md` for the full prompt.)
-Or paste this into a Claude Code session:
-> Scaffold a new remote app for NetSapiens Horizon called `<app-name>` with Extension App ID `<extensionAppId>` on port `<port>`. It should:
->
-> - Use webpack Module Federation, expose `./App`, and share react/react-dom/loglevel/@netsapiens/horizon-sdk as singletons
-> - Have an `App.tsx` that uses `useRemoteApp(horizonContext, '<app-id>')` and registers one route at `/home/<app-id>` plus one dynamic extension on `page-header-actions` for `/manage/*/users`
-> - Use `HorizonContextProvider` + `useHorizonContext()` for all page components so dark mode works automatically
-> - Do NOT share `@mui/material`, `@mui/x-data-grid-pro`, `@emotion/*` in webpack — these are not provided by the host's federation loader
-> - Render all UI through `horizonContext.ui` to get themed components
-> - Include a README with run + register instructions
-For one-off tasks inside an existing remote app, prompts like these work well:
+## Migration
-> Add a dynamic table column to the call-logs grid that shows call priority. Use `sdk.registerDynamicColumn` with zone `call-logs-columns` and route pattern `/manage/*/call-logs`. The column should sort and filter by computed priority (`high`/`medium`/`low`).
+The SDK is pre-release (`0.x`) and not yet published, so no released version is affected — but if you built against an earlier working copy, note these breaking changes:
-> Add an extension to `inbound-call-content` zone that fetches caller info from our CRM API and shows name + last contact date. Subscribe to `call-event` on the event bus and enrich the call data through `horizonContext.api`.
+- **Registration field renamed: `module_scope` → `webpack_module`.** The `/ui-extensions` API request and response now use `webpack_module`. Re-register or update your app with the new field name; the value itself (your `ModuleFederationPlugin` `name`) is unchanged. See [Extension App ID](#extension-app-id).
+- **`webpack_module` must be unique platform-wide.** Registration now fails with **HTTP `409 Conflict`** if the value is already taken (register and update). Choose a distinctive, namespaced id.
+- **React 19 only.** The `react` / `react-dom` peer dependency is now `^19` (was `^18 || ^19`). These are greenfield apps — target React 19.
+- **Anchor constants removed.** `MANAGE_ANCHORS` / `PLATFORM_ANCHORS` / `APPS_ANCHORS` / `MY_ACCOUNT_ANCHORS` / `ANCHORS` and the `AnchorId` type are gone. Pass placement targets as plain strings (e.g. `placement: { after: "contacts" }`) — the host resolves them with fuzzy matching. See [Menu placement](#menu-placement).
+- **`integrity_hash` (opt-in, additive).** You may now submit an SRI hash (`sha384-<base64>`) on registration. See [Updating a deployed app](#updating-a-deployed-app).
 ---