minutework 0.1.19 → 0.1.21

package/assets/templates/mobile-app/eas.json

@@ -0,0 +1,24 @@
+{
+  "//": "DEVELOPER-OWNED — replace freely. Only src/mw/ is MinuteWork substrate. Distribution is YOUR EAS pipeline, not `minutework deploy`.",
+  "cli": {
+    "version": ">= 12.0.0",
+    "appVersionSource": "remote"
+  },
+  "build": {
+    "development": {
+      "developmentClient": true,
+      "distribution": "internal"
+    },
+    "preview": {
+      "distribution": "internal",
+      "channel": "preview"
+    },
+    "production": {
+      "channel": "production",
+      "autoIncrement": true
+    }
+  },
+  "submit": {
+    "production": {}
+  }
+}

package/assets/templates/mobile-app/expo-env.d.ts

@@ -0,0 +1,5 @@
+/// <reference types="expo/types" />
+
+// DEVELOPER-OWNED — replace freely. Only src/mw/ is MinuteWork substrate.
+// NOTE: This file should not be edited and should be committed; Expo regenerates
+// it. It gives `process.env.EXPO_PUBLIC_*` string typings for `src/mw/env.ts`.

package/assets/templates/mobile-app/metro.config.js

@@ -0,0 +1,7 @@
+// DEVELOPER-OWNED — replace freely. Only src/mw/ is MinuteWork substrate.
+// Default Expo Metro config. Customize bundling/resolver here if you need to.
+const { getDefaultConfig } = require("expo/metro-config");
+
+const config = getDefaultConfig(__dirname);
+
+module.exports = config;

package/assets/templates/mobile-app/package.json

@@ -0,0 +1,32 @@
+{
+  "//": "DEVELOPER-OWNED — replace freely. Only src/mw/ is MinuteWork substrate.",
+  "name": "mobile-app",
+  "version": "0.1.0",
+  "private": true,
+  "main": "expo-router/entry",
+  "scripts": {
+    "start": "expo start",
+    "ios": "expo start --ios",
+    "android": "expo start --android",
+    "typecheck": "tsc --noEmit"
+  },
+  "dependencies": {
+    "expo": "~52.0.0",
+    "expo-constants": "~17.0.0",
+    "expo-crypto": "~14.0.2",
+    "expo-linking": "~7.0.0",
+    "expo-router": "~4.0.0",
+    "expo-secure-store": "~14.0.0",
+    "expo-status-bar": "~2.0.0",
+    "expo-web-browser": "~14.0.0",
+    "react": "18.3.1",
+    "react-native": "0.76.0",
+    "react-native-safe-area-context": "4.12.0",
+    "react-native-screens": "~4.1.0",
+    "zod": "^3.23.8"
+  },
+  "devDependencies": {
+    "@types/react": "~18.3.12",
+    "typescript": "~5.6.0"
+  }
+}

package/assets/templates/mobile-app/src/mw/client.ts

@@ -0,0 +1,251 @@
+// MinuteWork substrate. Thin layer — do not put product UI/logic here.
+//
+// MinuteWork native token client. Implements the browser-assisted device flow
+// against the SHIPPED platform native-token endpoints (`/api/v1/native/session/*`).
+//
+// Authentication is owned by the MinuteWork platform. This client only *obtains
+// and uses* a platform-issued bearer token — there is NO JWT minting, NO password
+// handling, NO local user table, and NO parallel auth stack here. Token plaintext
+// is never logged.
+//
+// ----------------------------------------------------------------------------
+// Device flow (browser-assisted authorization):
+// ----------------------------------------------------------------------------
+//   1. authorize(): generate a PKCE code_verifier + S256 code_challenge, open the
+//      platform authorize URL in a system browser (`expo-web-browser`) with the
+//      app's deep-link redirect_uri + code_challenge + an anti-forgery `state`.
+//      The platform authenticates the human and redirects back to redirect_uri
+//      with a short-lived single-use `code` (and the echoed `state`).
+//   2. exchange(code, verifier): POST {code, code_verifier, redirect_uri} to
+//      `/token-exchange/`; the platform returns the access/refresh token pair.
+//   3. store the pair in the device keychain via `mwSession.setTokens(...)`.
+//   4. for every platform call, send `Authorization: Bearer <access>`. On a 401,
+//      POST the stored refresh token to `/refresh/`, persist the rotated pair,
+//      and retry once.
+//   5. logout(): POST `/logout/` to revoke, then `mwSession.clearTokens()`.
+//
+// This is the DIRECT platform path — there is no tenant-app BFF and no
+// server-owned cookie in front of the mobile client.
+
+import * as Crypto from "expo-crypto";
+import * as Linking from "expo-linking";
+import * as WebBrowser from "expo-web-browser";
+
+import {
+  nativeSessionSchema,
+  nativeTokenPairSchema,
+  type NativeSession,
+  type NativeTokenPair,
+} from "@/mw/contracts";
+import { platformNativeEndpoints } from "@/mw/endpoints";
+import { mwSession } from "@/mw/session";
+
+// The deep-link path the platform redirects back to. The scheme is read from
+// `app.json` ("scheme") by expo-linking; the dev configures that scheme.
+const REDIRECT_PATH = "auth/native-callback";
+
+// Result of a single authorize round-trip: the one-time code plus the PKCE
+// verifier that must be presented at exchange.
+export interface NativeAuthorizationResult {
+  code: string;
+  codeVerifier: string;
+  redirectUri: string;
+}
+
+function base64UrlFromBytes(bytes: Uint8Array): string {
+  let binary = "";
+  for (const byte of bytes) {
+    binary += String.fromCharCode(byte);
+  }
+  // btoa is available in the Hermes/React Native runtime.
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+
+// PKCE code_verifier: 32 random bytes -> base64url (43 chars, no padding). This
+// is URL-safe and whitespace-free, matching the platform's `.strip()`ed verifier
+// and its 255-char cap.
+function generateCodeVerifier(): string {
+  return base64UrlFromBytes(Crypto.getRandomBytes(32));
+}
+
+// S256 challenge: base64url(SHA-256(verifier)). Mirrors the platform's
+// `build_pkce_code_challenge` (sha256 digest -> urlsafe base64 -> strip "=").
+async function deriveCodeChallenge(codeVerifier: string): Promise<string> {
+  const digestBase64 = await Crypto.digestStringAsync(
+    Crypto.CryptoDigestAlgorithm.SHA256,
+    codeVerifier,
+    { encoding: Crypto.CryptoEncoding.BASE64 },
+  );
+  return digestBase64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+
+function buildAuthorizeUrl(params: {
+  redirectUri: string;
+  state: string;
+  codeChallenge: string;
+}): string {
+  const url = new URL(platformNativeEndpoints.authorize);
+  url.searchParams.set("redirect_uri", params.redirectUri);
+  url.searchParams.set("state", params.state);
+  url.searchParams.set("code_challenge", params.codeChallenge);
+  return url.toString();
+}
+
+async function postJson(url: string, body: Record<string, unknown>): Promise<Response> {
+  return fetch(url, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Accept: "application/json",
+    },
+    body: JSON.stringify(body),
+  });
+}
+
+// Surface a platform error without leaking response internals. The platform
+// returns `{detail: "..."}` for native auth failures.
+async function readErrorDetail(response: Response, fallback: string): Promise<string> {
+  try {
+    const data = (await response.json()) as { detail?: unknown };
+    if (data && typeof data.detail === "string" && data.detail.length > 0) {
+      return data.detail;
+    }
+  } catch {
+    // ignore non-JSON bodies
+  }
+  return `${fallback} (HTTP ${response.status})`;
+}
+
+export const mwClient = {
+  // Step 1: open the platform authorize URL in a system browser and resolve with
+  // the single-use authorization code + the PKCE verifier to exchange it.
+  async authorize(): Promise<NativeAuthorizationResult> {
+    const redirectUri = Linking.createURL(REDIRECT_PATH);
+    const codeVerifier = generateCodeVerifier();
+    const codeChallenge = await deriveCodeChallenge(codeVerifier);
+    const state = base64UrlFromBytes(Crypto.getRandomBytes(16));
+
+    const authorizeUrl = buildAuthorizeUrl({ redirectUri, state, codeChallenge });
+    const result = await WebBrowser.openAuthSessionAsync(authorizeUrl, redirectUri);
+
+    if (result.type !== "success" || !result.url) {
+      throw new Error("Sign in was cancelled before the platform returned a code.");
+    }
+
+    const returned = new URL(result.url);
+    const returnedState = returned.searchParams.get("state");
+    if (returnedState !== state) {
+      // Anti-forgery: the platform must echo back the exact state we sent.
+      throw new Error("Sign in failed: callback state did not match the request.");
+    }
+    const code = returned.searchParams.get("code");
+    if (!code) {
+      throw new Error("Sign in failed: the platform callback did not include a code.");
+    }
+
+    return { code, codeVerifier, redirectUri };
+  },
+
+  // Step 2: exchange the authorization code for a platform-issued token pair and
+  // persist it to the device keychain.
+  async exchange(
+    code: string,
+    codeVerifier: string,
+    redirectUri: string,
+  ): Promise<NativeTokenPair> {
+    const response = await postJson(platformNativeEndpoints.tokenExchange, {
+      code,
+      code_verifier: codeVerifier,
+      redirect_uri: redirectUri,
+    });
+    if (!response.ok) {
+      throw new Error(await readErrorDetail(response, "Token exchange failed"));
+    }
+    const pair = nativeTokenPairSchema.parse(await response.json());
+    await mwSession.setTokens(
+      pair.access_token,
+      pair.refresh_token,
+      pair.access_token_expires_at,
+    );
+    return pair;
+  },
+
+  // Step 4 (on 401 / proactive): rotate the access token using the stored refresh
+  // token and persist the rotated pair.
+  async refresh(): Promise<NativeTokenPair> {
+    const stored = await mwSession.getTokens();
+    if (!stored) {
+      throw new Error("No stored session to refresh. Sign in again.");
+    }
+    const response = await postJson(platformNativeEndpoints.refresh, {
+      refresh_token: stored.refresh,
+    });
+    if (!response.ok) {
+      // Refresh failure means the session is dead; clear it so the app routes
+      // back to login.
+      await mwSession.clearTokens();
+      throw new Error(await readErrorDetail(response, "Session refresh failed"));
+    }
+    const pair = nativeTokenPairSchema.parse(await response.json());
+    await mwSession.setTokens(
+      pair.access_token,
+      pair.refresh_token,
+      pair.access_token_expires_at,
+    );
+    return pair;
+  },
+
+  // Resolve the active session (user + active tenant + memberships) from the
+  // stored token, auto-refreshing once on a 401 then retrying.
+  async loadSession(): Promise<NativeSession> {
+    const stored = await mwSession.getTokens();
+    if (!stored) {
+      throw new Error("Not signed in.");
+    }
+
+    const meOnce = async (accessToken: string): Promise<Response> =>
+      fetch(platformNativeEndpoints.me, {
+        method: "GET",
+        headers: {
+          Accept: "application/json",
+          Authorization: `Bearer ${accessToken}`,
+        },
+      });
+
+    let response = await meOnce(stored.access);
+    if (response.status === 401) {
+      // Single refresh-and-retry on an expired/invalid access token.
+      const rotated = await this.refresh();
+      response = await meOnce(rotated.access_token);
+    }
+    if (!response.ok) {
+      throw new Error(await readErrorDetail(response, "Failed to load session"));
+    }
+    return nativeSessionSchema.parse(await response.json());
+  },
+
+  // Step 5: revoke the token pair on the platform, then clear local secure
+  // storage. Local state is always cleared, even if the revoke call fails.
+  async logout(): Promise<void> {
+    const stored = await mwSession.getTokens();
+    try {
+      if (stored) {
+        await fetch(platformNativeEndpoints.logout, {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json",
+            Accept: "application/json",
+            Authorization: `Bearer ${stored.access}`,
+          },
+          body: JSON.stringify({}),
+        });
+      }
+    } catch {
+      // Best-effort revoke; never block local sign-out on a network error.
+    } finally {
+      await mwSession.clearTokens();
+    }
+  },
+};
+
+export type MwClient = typeof mwClient;

package/assets/templates/mobile-app/src/mw/contracts.ts

@@ -0,0 +1,79 @@
+// MinuteWork substrate. Thin layer — do not put product UI/logic here.
+//
+// Zod schemas for the MinuteWork platform *native* session payloads. These match
+// the SHIPPED platform native-token slice (`/api/v1/native/session/*`) response
+// shapes exactly (DRF emits snake_case). They describe API responses, not product
+// data. Keep them aligned with the platform serializers in
+// `apps/mwv3-platform-dj/apps/gateway_api/serializers.py`:
+//   - token pair  -> IssuedNativeAppSessionTokenPairSerializer
+//   - session/me  -> TenantSessionResponseSerializer
+//
+// Schemas use `.passthrough()` so additive platform fields never break parsing;
+// the client only depends on the fields it reads.
+
+import { z } from "zod";
+
+// A tenant the authenticated user belongs to. Mirrors `_serialize_membership`
+// on the platform; only the load-bearing fields are constrained, the rest pass
+// through. `role` may be an empty string for a membership with no role.
+export const nativeMembershipSchema = z
+  .object({
+    tenant_id: z.string().min(1),
+    tenant_slug: z.string(),
+    tenant_name: z.string(),
+    role: z.string(),
+  })
+  .passthrough();
+
+export const nativeActiveTenantSchema = nativeMembershipSchema;
+
+// Mirrors `_serialize_user`. `email` is not constrained to an email shape because
+// the platform may serialize a blank/non-email value.
+export const nativeUserSchema = z
+  .object({
+    id: z.string().min(1),
+    username: z.string(),
+    email: z.string(),
+  })
+  .passthrough();
+
+// Response of `/api/v1/native/session/me/` (and `/context/`):
+// `TenantSessionResponseSerializer`. `active_tenant_id` / `active_tenant` are
+// null when the user has no active membership.
+export const nativeSessionSchema = z
+  .object({
+    user: nativeUserSchema,
+    active_tenant_id: z.string().nullable(),
+    active_tenant: nativeActiveTenantSchema.nullable(),
+    memberships: z.array(nativeMembershipSchema),
+    onboarding_completed_for_active_workspace: z.boolean().nullable().optional(),
+  })
+  .passthrough();
+
+// Platform-issued bearer token pair returned by `/token-exchange/` and
+// `/refresh/`: `IssuedNativeAppSessionTokenPairSerializer`. `*_expires_at` are
+// ISO-8601 timestamps; the client uses the access expiry to refresh proactively.
+export const nativeTokenPairSchema = z
+  .object({
+    access_token: z.string().min(1),
+    refresh_token: z.string().min(1),
+    access_token_expires_at: z.string().min(1),
+    refresh_token_expires_at: z.string().min(1),
+  })
+  .passthrough();
+
+// What we persist in the device keychain: the two opaque tokens plus the access
+// token's expiry (ISO-8601). This is the on-device shape, distinct from the wire
+// shape above.
+export const storedTokensSchema = z.object({
+  access: z.string().min(1),
+  refresh: z.string().min(1),
+  expiresAt: z.string().min(1),
+});
+
+export type NativeMembership = z.infer<typeof nativeMembershipSchema>;
+export type NativeActiveTenant = z.infer<typeof nativeActiveTenantSchema>;
+export type NativeUser = z.infer<typeof nativeUserSchema>;
+export type NativeSession = z.infer<typeof nativeSessionSchema>;
+export type NativeTokenPair = z.infer<typeof nativeTokenPairSchema>;
+export type StoredTokens = z.infer<typeof storedTokensSchema>;

package/assets/templates/mobile-app/src/mw/endpoints.ts

@@ -0,0 +1,42 @@
+// MinuteWork substrate. Thin layer — do not put product UI/logic here.
+//
+// Builds absolute URLs for the MinuteWork *platform native* session endpoints.
+//
+// These endpoints are the DIRECT platform API surface for native clients
+// (`/api/v1/native/...`). The mobile app authenticates with a platform-issued
+// bearer token obtained through a browser-assisted device flow, then calls the
+// platform directly. This is intentionally NOT the tenant-app BFF cookie path
+// (the Next.js `platform_session_bff` profile) — there is no per-app server in
+// front of the mobile client.
+//
+// These routes are SHIPPED by the platform native-token slice and are called by
+// the real device-flow client in `src/mw/client.ts`.
+
+import { mwEnv } from "@/mw/env";
+
+const platformBaseUrl = new URL(
+  mwEnv.platformBaseUrl.endsWith("/")
+    ? mwEnv.platformBaseUrl
+    : `${mwEnv.platformBaseUrl}/`,
+);
+
+function buildPlatformEndpoint(path: string): string {
+  return new URL(path.replace(/^\//, ""), platformBaseUrl).toString();
+}
+
+export const platformNativeEndpoints = {
+  // Begin the browser-assisted device authorization flow.
+  authorize: buildPlatformEndpoint("/api/v1/native/session/authorize/"),
+  // Exchange the authorization result for an access/refresh token pair.
+  tokenExchange: buildPlatformEndpoint("/api/v1/native/session/token-exchange/"),
+  // Rotate an expired access token using the refresh token.
+  refresh: buildPlatformEndpoint("/api/v1/native/session/refresh/"),
+  // Resolve the current authenticated principal (user + active tenant).
+  me: buildPlatformEndpoint("/api/v1/native/session/me/"),
+  // Resolve / switch active tenant context for the session.
+  context: buildPlatformEndpoint("/api/v1/native/session/context/"),
+  // Revoke the current token pair.
+  logout: buildPlatformEndpoint("/api/v1/native/session/logout/"),
+} as const;
+
+export type PlatformNativeEndpoint = keyof typeof platformNativeEndpoints;

package/assets/templates/mobile-app/src/mw/env.ts

@@ -0,0 +1,59 @@
+// MinuteWork substrate. Thin layer — do not put product UI/logic here.
+//
+// Validates the EXPO_PUBLIC_* configuration the mobile app needs to talk to the
+// MinuteWork platform. Mirrors the spirit of the next-tenant-app
+// `env.server.ts`, but for Expo public env: in Expo, only `EXPO_PUBLIC_*`
+// variables are inlined into the client bundle, and they must be referenced as
+// *static* `process.env.EXPO_PUBLIC_FOO` property accesses so the Expo bundler
+// can replace them at build time. Do not read them via dynamic indexing.
+//
+// SECURITY: EXPO_PUBLIC_* values ship inside the app bundle and are readable by
+// anyone with the binary. Only put non-secret configuration here (a base URL,
+// a display name). Never put API keys, client secrets, or tokens in EXPO_PUBLIC_*.
+
+import { z } from "zod";
+
+const baseUrlSchema = z.preprocess((value) => {
+  if (typeof value !== "string") {
+    return value;
+  }
+  const normalized = value.trim();
+  return normalized.length > 0 ? normalized : undefined;
+}, z.string().url());
+
+const optionalNameSchema = z.preprocess((value) => {
+  if (typeof value !== "string") {
+    return value;
+  }
+  const normalized = value.trim();
+  return normalized.length > 0 ? normalized : undefined;
+}, z.string().min(1).default("MinuteWork"));
+
+const envSchema = z.object({
+  platformBaseUrl: baseUrlSchema,
+  appName: optionalNameSchema,
+});
+
+const parsed = envSchema.safeParse({
+  // Static accesses so the Expo bundler can inline these at build time.
+  platformBaseUrl: process.env.EXPO_PUBLIC_MW_PLATFORM_BASE_URL,
+  appName: process.env.EXPO_PUBLIC_MW_APP_NAME,
+});
+
+if (!parsed.success) {
+  const issues = parsed.error.issues
+    .map((issue) => {
+      const path = issue.path.join(".");
+      return path.length > 0 ? `${path}: ${issue.message}` : issue.message;
+    })
+    .join("; ");
+
+  throw new Error(
+    `Invalid Expo public environment for mobile-app: ${issues}. ` +
+      "Copy .env.example to .env and set EXPO_PUBLIC_MW_PLATFORM_BASE_URL.",
+  );
+}
+
+export type MwEnv = z.infer<typeof envSchema>;
+
+export const mwEnv: MwEnv = parsed.data;

package/assets/templates/mobile-app/src/mw/session.ts

@@ -0,0 +1,50 @@
+// MinuteWork substrate. Thin layer — do not put product UI/logic here.
+//
+// Secure-store wrapper for the platform-issued native token pair. Persists the
+// `{access, refresh, expiresAt}` triple in the device keychain/keystore via
+// `expo-secure-store` (JSON-encoded under a single key) so tokens survive app
+// restarts. Tokens MUST NOT be written to AsyncStorage or JS-readable cookie
+// storage, and their plaintext is never logged.
+
+import * as SecureStore from "expo-secure-store";
+
+import { storedTokensSchema, type StoredTokens } from "@/mw/contracts";
+
+const TOKEN_KEY = "mw.native.token_pair";
+
+// Require the device to be unlocked at least once after boot before the secret is
+// readable, and keep it bound to this device (no iCloud Keychain sync).
+const SECURE_STORE_OPTIONS: SecureStore.SecureStoreOptions = {
+  keychainAccessible: SecureStore.WHEN_UNLOCKED_THIS_DEVICE_ONLY,
+};
+
+export const mwSession = {
+  // Read + validate the stored pair. Returns null when absent or corrupt; a
+  // corrupt blob is cleared so the app fails closed back to the login flow.
+  async getTokens(): Promise<StoredTokens | null> {
+    const raw = await SecureStore.getItemAsync(TOKEN_KEY, SECURE_STORE_OPTIONS);
+    if (!raw) {
+      return null;
+    }
+    try {
+      return storedTokensSchema.parse(JSON.parse(raw));
+    } catch {
+      // Do not surface token bytes; just discard the unreadable blob.
+      await SecureStore.deleteItemAsync(TOKEN_KEY, SECURE_STORE_OPTIONS);
+      return null;
+    }
+  },
+
+  // Persist the pair. `expiresAt` is the access token's ISO-8601 expiry.
+  async setTokens(access: string, refresh: string, expiresAt: string): Promise<void> {
+    const value = JSON.stringify({ access, refresh, expiresAt } satisfies StoredTokens);
+    await SecureStore.setItemAsync(TOKEN_KEY, value, SECURE_STORE_OPTIONS);
+  },
+
+  // Remove the stored pair (sign-out / revoke).
+  async clearTokens(): Promise<void> {
+    await SecureStore.deleteItemAsync(TOKEN_KEY, SECURE_STORE_OPTIONS);
+  },
+};
+
+export type MwSession = typeof mwSession;

package/assets/templates/mobile-app/template.json

@@ -0,0 +1,18 @@
+{
+  "template_id": "mobile-app",
+  "template_kind": "mobile-app",
+  "template_profile": "platform_native_token",
+  "template_bundle_ref": "runtime/builder/templates/mobile-app",
+  "template_version": "0.1.0",
+  "materialize": {
+    "destination": "mobile"
+  },
+  "builder_edit_mode": "workspace_copy_only",
+  "seed_source": "runtime/builder/templates/mobile-app",
+  "required_bootstrap_steps": [],
+  "runtime_contract_refs": [
+    "reference/mwv3-dj6-docs/auth_and_credential_contract.md"
+  ],
+  "deployable": false,
+  "notes": "Bring-your-own-UI Expo (React Native + Expo Router) starter. Direct platform native API client (bearer token to /api/v1/native/...), NOT a tenant-app BFF cookie client. Distribution is the developer's EAS pipeline, not `minutework deploy`. Only src/mw/ is MinuteWork substrate; everything else is developer-owned. src/mw/client.ts implements the real browser-assisted PKCE device flow against the platform native session endpoints; the OAuth-style redirect target is the app.json expo.scheme. This manifest is validated by tools/template/validate-template.mjs, not the strict shared template.schema.json (mobile is not a web/sidecar deployable kind)."
+}

package/assets/templates/mobile-app/tools/template/validate-template.mjs

@@ -0,0 +1,69 @@
+// MinuteWork substrate — template governance tool (not part of the shipped app).
+//
+// Validates this template's `template.json`. The mobile starter is NOT a
+// web/sidecar deployable, so it intentionally does NOT validate against the
+// strict shared `runtime/builder/templates/template.schema.json` (whose
+// `template_kind` / `materialize.destination` enums only cover web + sidecar).
+// Instead it checks the required fields and the mobile-specific literals,
+// mirroring the bespoke validator pattern used by `vuilder-public-site`.
+//
+// Run from this directory:  node tools/template/validate-template.mjs
+import { readFileSync } from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+
+const here = path.dirname(fileURLToPath(import.meta.url));
+const templateRoot = path.resolve(here, "..", "..");
+const manifestPath = path.join(templateRoot, "template.json");
+const manifest = JSON.parse(readFileSync(manifestPath, "utf8"));
+
+const requiredFields = [
+  "template_id",
+  "template_kind",
+  "template_profile",
+  "template_version",
+  "materialize",
+  "builder_edit_mode",
+  "seed_source",
+  "required_bootstrap_steps",
+];
+
+for (const field of requiredFields) {
+  if (!(field in manifest)) {
+    throw new Error(`template.json is missing required field "${field}"`);
+  }
+}
+
+if (manifest.template_id !== "mobile-app") {
+  throw new Error('template_id must be "mobile-app"');
+}
+
+if (manifest.template_kind !== "mobile-app") {
+  throw new Error('template_kind must be "mobile-app"');
+}
+
+if (manifest.template_profile !== "platform_native_token") {
+  throw new Error('template_profile must be "platform_native_token"');
+}
+
+if (manifest.materialize?.destination !== "mobile") {
+  throw new Error('mobile-app must materialize to "mobile"');
+}
+
+if (manifest.builder_edit_mode !== "workspace_copy_only") {
+  throw new Error('builder_edit_mode must be "workspace_copy_only"');
+}
+
+if (manifest.deployable !== false) {
+  throw new Error("mobile-app must declare deployable: false (EAS pipeline, not `minutework deploy`)");
+}
+
+if (!Array.isArray(manifest.required_bootstrap_steps)) {
+  throw new Error("required_bootstrap_steps must be an array");
+}
+
+if (!/^\d+\.\d+\.\d+$/.test(String(manifest.template_version))) {
+  throw new Error("template_version must be semver (e.g. 0.1.0)");
+}
+
+console.log("template.json is valid (mobile-app)");

package/assets/templates/mobile-app/tsconfig.json

@@ -0,0 +1,16 @@
+{
+  "//": "DEVELOPER-OWNED — replace freely. Only src/mw/ is MinuteWork substrate.",
+  "extends": "expo/tsconfig.base",
+  "compilerOptions": {
+    "strict": true,
+    "paths": {
+      "@/*": ["./src/*"]
+    }
+  },
+  "include": [
+    "**/*.ts",
+    "**/*.tsx",
+    ".expo/types/**/*.ts",
+    "expo-env.d.ts"
+  ]
+}