Add local frontend validation of app manifest fields

[lkostrowski]

Summary

Added client-side validation of app manifest fields during the installation flow. This provides early feedback to users while making the installation process more permissive - converting some API-level validation errors into warnings that don't block installation.

Changes

• New validation domain: Created app manifest validation logic to validate manifest structure, required fields, mount availability, and target compatibility
• Integration: Integrated validation into the install extension flow with detailed error and warning messages
• Tests: Added comprehensive test coverage for all validation scenarios

Benefits

• Early error detection before submitting to API
• Better UX with non-blocking warnings for non-critical issues
• Clear validation messaging to guide users
• Proper error categorization (errors vs warnings)

Next steps

• After having this on main and 3.22, I will drop validation on Core side.

[changeset-bot]

🦋 Changeset detected

Latest commit: 5b708a1

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
saleor-dashboard	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Preview	Comments	Updated (UTC)
saleor-dashboard-storybook	Ignored	Preview		Oct 24, 2025 6:32am

[Copilot]

Pull Request Overview

This PR implements local validation for app extension manifests using Zod schemas. The validation covers extension configurations, mount points, targets, and ensures proper relationships between URLs, targets, and permissions before submitting to Saleor's backend validation.

Key Changes

• Added ExtensionManifestValidator class to validate app manifests with Zod schemas
• Implemented comprehensive schema definitions for app manifests, extensions, targets, options, and mount points
• Added validation rules for URL patterns, permission subsets, and target-specific configurations

Reviewed Changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
src/extensions/extension-manifest-validator.ts	Core validator class that parses and validates app manifests
src/extensions/domain/app-manifest.ts	Schema for app manifest with validation for relative URLs and permission inheritance
src/extensions/domain/app-extension-manifest.ts	Schema for individual extensions with target/mount/URL validation rules
src/extensions/domain/app-extension-manifest-target.ts	Enum schema defining valid extension targets
src/extensions/domain/app-extension-manifest-options.ts	Schema for target-specific options with mutual exclusivity validation
src/extensions/domain/app-extension-manifest-available-mounts.ts	Constants defining valid mount points and widget-compatible mounts

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[codecov]

Codecov Report

❌ Patch coverage is 95.12195% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 39.63%. Comparing base (ce21daf) to head (5b708a1).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
...nsionManifestData/InstallExtensionManifestData.tsx	57.14%	3 Missing ⚠️
src/extensions/domain/app-manifest.ts	91.66%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5997      +/-   ##
==========================================
+ Coverage   39.52%   39.63%   +0.11%     
==========================================
  Files        2428     2434       +6     
  Lines       39532    39613      +81     
  Branches     8721     9058     +337     
==========================================
+ Hits        15624    15701      +77     
+ Misses      23882    22713    -1169     
- Partials       26     1199    +1173     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Differences Found

✅ No packages or licenses were added.

Summary

Expand

License Name	Package Count	Packages
0BSD	1	Packages tslib
CC-BY-3.0	1	Packages spdx-exceptions
MIT/X11	1	Packages nub
MPL-1.1	1	Packages harmony-reflect
MPL-2.0	1	Packages dompurify
Public Domain	1	Packages jsonify
Python-2.0	1	Packages argparse
WTFPL	1	Packages utf8-byte-length
<<missing>>	2	Packages busboy streamsearch
CC-BY-4.0	2	Packages @saleor/macaw-ui caniuse-lite
CC0-1.0	2	Packages spdx-license-ids type-fest
SEE LICENSE IN LICENSE	2	Packages posthog-js spawndamnit
BlueOak-1.0.0	3	Packages jackspeak package-json-from-dist path-scurry
BSD-2-Clause	24	Packages browser-process-hrtime css-select css-what domelementtype domhandler domutils dotenv dotenv-expand entities escodegen eslint-scope espree esprima esrecurse estraverse esutils normalize-package-data nth-check regjsparser stringify-object And 4 more...
BSD-3-Clause	43	Packages @saleor/app-sdk @sentry/cli @sentry/cli-darwin @sentry/cli-linux-arm @sentry/cli-linux-arm64 @sentry/cli-linux-i686 @sentry/cli-linux-x64 @sentry/cli-win32-arm64 @sentry/cli-win32-i686 @sentry/cli-win32-x64 @sinonjs/commons @sinonjs/fake-timers abab asn1js babel-plugin-istanbul chroma-js dataloader diff esquery exenv And 23 more...
ISC	50	Packages @isaacs/cliui @istanbuljs/load-nyc-config anymatch boolbase cli-width cliui electron-to-chromium fastq flatted foreground-child fs.realpath get-caller-file get-own-enumerable-property-symbols glob glob-parent graceful-fs hosted-git-info inflight inherits ini And 30 more...
Apache-2.0	57	Packages @ampproject/remapping @editorjs/editorjs @eslint/config-array @eslint/config-helpers @eslint/core @eslint/object-schema @eslint/plugin-kit @humanfs/core @humanfs/node @humanwhocodes/module-importer @humanwhocodes/retry @opentelemetry/api @opentelemetry/semantic-conventions @playwright/test @pollyjs/adapter @pollyjs/core @pollyjs/persister @pollyjs/utils @swc/core @swc/core-darwin-arm64 And 37 more...
MIT	1283	Packages @adobe/css-tools @apollo/client @ardatan/relay-compiler @ardatan/sync-fetch @babel/code-frame @babel/compat-data @babel/core @babel/generator @babel/helper-annotate-as-pure @babel/helper-compilation-targets @babel/helper-create-class-features-plugin @babel/helper-globals @babel/helper-member-expression-to-functions @babel/helper-module-imports @babel/helper-module-transforms @babel/helper-optimise-call-expression @babel/helper-plugin-utils @babel/helper-replace-supers @babel/helper-skip-transparent-expression-wrappers @babel/helper-string-parser And 1263 more...

[Copilot]

Pull Request Overview

Copilot reviewed 19 out of 21 changed files in this pull request and generated 13 comments.

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

Pull Request Overview

Copilot reviewed 22 out of 24 changed files in this pull request and generated 2 comments.

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

Pull Request Overview

Copilot reviewed 23 out of 25 changed files in this pull request and generated 2 comments.

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}