Feature: support npm extension publish (#62)

* feat: npm package registry API * refactor: move package registry files * refactor: move jsr and npm api to a new package * ci: add verify-package-export * test: implement tests for npm package validation as kunkun extension * chore: add missing dep for package-registry pkg * feat: make provenance an optional input for npm validation function * ci: add verify-package-export as dev dep to 2 packages that uses it * feat: add rekor log API, and return commit from jsr & npm package in validation function * feat: return github repo info from validation function of jsr and npm * feat: extend ExtPublishMetadata to include optional GitHub repository details * fix: eslint for ui package * refactor: format desktop * fix: eslint errors in desktop * format: all code * ci: add lint to CI * feat: add more info to validation function returned from package-registry npm jsr * pnpm lock * feat: add 2 more variables to supabase extension metadata model * format * feat: add provenance card * feat: add workflow path to ExtPublishMetadata and jsr/npm validation * update provenance * feat: make store extension and provenance more responsive * chore: add globals to ui package * fix: remove unnecessary any to fix eslint * fix: svg sanitize * chore: add @typescript-eslint/eslint-plugin to ui package to fix eslint * fix: update eslint dep to fix error * fix: try fixing eslint * fix: update eslint configuration for improved compatibility * chore: add globals package and update README for Discord invite * fix: update eslint rules and upgrade typescript-eslint dependency - Disabled additional eslint rules to resolve errors: - @typescript-eslint/no-unused-expressions - svelte/no-inner-declarations - Upgraded typescript-eslint from version 8.19.1 to 8.20.0 for improved compatibility. * update pnpm lock --------- Co-authored-by: Huakun Shen <huaukun.shen@huakunshen.com>
2025-04-03 22:26:43 +00:00 · 2025-01-16 06:00:07 -05:00 · 2025-01-16 06:00:07 -05:00 · e4d1441d73
commit e4d1441d73
parent de00107972
73 changed files with 2665 additions and 1046 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -56,7 +56,9 @@ jobs:
        run: pnpm build
      - name: JS Test
        if: matrix.os == 'ubuntu-24.04'
-        run: pnpm test
+        run: |
+          pnpm test
+          pnpm lint
      - name: Cargo Build and Test
        if: matrix.os == 'ubuntu-24.04'
        run: |
--- a/README.md
+++ b/README.md
@ -8,10 +8,9 @@
 - https://docs.kunkun.sh/guides/demo/
 - Download extension from https://kunkun.sh/download

-[![wakatime](https://wakatime.com/badge/user/94be0fbf-cb9d-411d-8526-d0c4a4e82e1a/project/455bfd3f-4faf-4c2a-afe9-556d9ee1a0f7.svg)](https://wakatime.com/badge/user/94be0fbf-cb9d-411d-8526-d0c4a4e82e1a/project/455bfd3f-4faf-4c2a-afe9-556d9ee1a0f7)
 ![GitHub last commit](https://img.shields.io/github/last-commit/kunkunsh/kunkun)
 [![YouTube badge][]][YouTube link]
-[![Discord Invite](https://dcbadge.limes.pink/api/server/7dzw3TYeTU)](https://discord.gg/7dzw3TYeTU)
+[Discord Invite](https://discord.gg/7dzw3TYeTU)

 - Website: https://kunkun.sh/
 - Documentation: https://docs.kunkun.sh/
--- a/apps/desktop/.prettierignore
+++ b/apps/desktop/.prettierignore
@ -0,0 +1 @@
+src-tauri
--- a/apps/desktop/app.d.ts
+++ b/apps/desktop/app.d.ts
@ -1,7 +1,7 @@
 import type { AttributifyAttributes } from "@unocss/preset-attributify"

 declare module "svelte/elements" {
-	// eslint-disable-next-line @typescript-eslint/no-empty-object-type, @typescript-eslint/no-unused-vars
+	// eslint-disable-next-line @typescript-eslint/no-empty-object-type
 	interface HTMLAttributes<T> extends AttributifyAttributes {}
 }

--- a/apps/desktop/components.json
+++ b/apps/desktop/components.json
@ -14,4 +14,4 @@
 	},
 	"typescript": true,
 	"registry": "https://next.shadcn-svelte.com/registry"
-}
+}
--- a/apps/desktop/eslint.config.js
+++ b/apps/desktop/eslint.config.js
@ -0,0 +1,42 @@
+import js from "@eslint/js"
+import prettier from "eslint-config-prettier"
+import svelte from "eslint-plugin-svelte"
+import globals from "globals"
+import ts from "typescript-eslint"
+
+export default ts.config(
+	js.configs.recommended,
+	...ts.configs.recommended,
+	...svelte.configs["flat/recommended"],
+	prettier,
+	...svelte.configs["flat/prettier"],
+	{
+		languageOptions: {
+			globals: {
+				...globals.browser,
+				...globals.node
+			}
+		}
+	},
+	{
+		files: ["**/*.svelte"],
+
+		languageOptions: {
+			parserOptions: {
+				parser: ts.parser
+			}
+		}
+	},
+	{
+		ignores: ["build/", ".svelte-kit/", "dist/"]
+	},
+	{
+		rules: {
+			"no-unused-vars": "off",
+			"@typescript-eslint/no-unused-vars": "off",
+			// The following 2 rules are disabled because they cause errors that I am unable to solve
+			"@typescript-eslint/no-unused-expressions": "off",
+			"svelte/no-inner-declarations": "off"
+		}
+	}
+)
--- a/apps/desktop/package.json
+++ b/apps/desktop/package.json
@ -8,6 +8,7 @@
 		"dev": "vite dev",
 		"build": "vite build",
 		"preview": "vite preview",
+		"lint": "prettier --check . && eslint .",
 		"check": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json",
 		"check:watch": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json --watch",
 		"tauri": "tauri"
@ -22,7 +23,6 @@
 		"@std/semver": "npm:@jsr/std__semver@^1.0.3",
 		"@tanstack/table-core": "^8.20.5",
 		"@tauri-apps/api": "^2.1.1",
-		"tauri-plugin-user-input-api": "workspace:*",
 		"@tauri-apps/plugin-shell": "^2.2.0",
 		"@tauri-apps/plugin-stronghold": "^2.2.0",
 		"dompurify": "^3.2.3",
@ -34,9 +34,11 @@
 		"svelte-sonner": "^0.3.28",
 		"sveltekit-superforms": "^2.22.1",
 		"tauri-plugin-clipboard-api": "^2.1.11",
+		"tauri-plugin-user-input-api": "workspace:*",
 		"uuid": "^11.0.3"
 	},
 	"devDependencies": {
+		"@eslint/js": "^9.18.0",
 		"@kksh/types": "workspace:*",
 		"@sveltejs/adapter-static": "^3.0.6",
 		"@sveltejs/kit": "^2.12.1",
@ -48,10 +50,16 @@
 		"@tauri-apps/cli": "^2.1.0",
 		"@types/bun": "latest",
 		"@types/semver": "^7.5.8",
+		"@typescript-eslint/eslint-plugin": "^8.20.0",
+		"@typescript-eslint/parser": "^8.20.0",
 		"autoprefixer": "^10.4.20",
 		"bits-ui": "1.0.0-next.72",
 		"clsx": "^2.1.1",
+		"eslint-config-prettier": "^9.1.0",
+		"eslint-plugin-svelte": "^2.46.1",
+		"globals": "^15.14.0",
 		"lucide-svelte": "^0.469.0",
+		"prettier": "^3.4.2",
 		"svelte-radix": "^2.0.1",
 		"tailwind-merge": "^2.5.5",
 		"tailwind-variants": "^0.3.0",
@ -59,6 +67,7 @@
 		"tailwindcss-animate": "^1.0.7",
 		"tslib": "^2.8.1",
 		"typescript": "^5.6.3",
+		"typescript-eslint": "^8.20.0",
 		"vite": "^6.0.3"
 	}
 }
--- a/apps/desktop/postcss.config.js
+++ b/apps/desktop/postcss.config.js
@ -1,9 +1,9 @@
 export default {
-  plugins: {
+	plugins: {
 		tailwindcss: {
 			config: "tailwind.config.ts"
 			// config: "../../packages/ui/tailwind.config.ts"
 		},
 		autoprefixer: {}
-  }
-};
+	}
+}
--- a/apps/desktop/src/app.html
+++ b/apps/desktop/src/app.html
@ -1,13 +1,13 @@
 <!doctype html>
 <html lang="en">
-  <head>
-    <meta charset="utf-8" />
-    <link rel="icon" href="%sveltekit.assets%/favicon.png" />
-    <meta name="viewport" content="width=device-width, initial-scale=1" />
-    <title>Kunkun Desktop App</title>
-    %sveltekit.head%
-  </head>
-  <body data-sveltekit-preload-data="hover">
-    <div style="display: contents">%sveltekit.body%</div>
-  </body>
+	<head>
+		<meta charset="utf-8" />
+		<link rel="icon" href="%sveltekit.assets%/favicon.png" />
+		<meta name="viewport" content="width=device-width, initial-scale=1" />
+		<title>Kunkun Desktop App</title>
+		%sveltekit.head%
+	</head>
+	<body data-sveltekit-preload-data="hover">
+		<div style="display: contents">%sveltekit.body%</div>
+	</body>
 </html>
--- a/apps/desktop/src/lib/cmds/ext.ts
+++ b/apps/desktop/src/lib/cmds/ext.ts
@ -61,7 +61,7 @@ export async function onHeadlessCmdSelect(
 	if (!extInfoInDB) {
 		return
 	}
-	const serverAPI: Record<string, any> = constructJarvisServerAPIWithPermissions(
+	const serverAPI: IKunkunFullServerAPI = constructJarvisServerAPIWithPermissions(
 		loadedExt.kunkun.permissions,
 		loadedExt.extPath
 	)
--- a/apps/desktop/src/lib/components/common/DragNDrop.svelte
+++ b/apps/desktop/src/lib/components/common/DragNDrop.svelte
@ -4,6 +4,7 @@
 	import { onDestroy, onMount, type Snippet } from "svelte"

 	let unlisteners: UnlistenFn[] = []
+	type Payload = { paths: string[]; position: { x: number; y: number } }
 	const {
 		children,
 		onEnter,
@ -12,10 +13,10 @@
 		onOver
 	}: {
 		children: Snippet
-		onEnter?: (event: any) => void
+		onEnter?: EventCallback<Payload>
 		onDrop?: EventCallback<{ paths: string[] }>
-		onCancelled?: (event: any) => void
-		onOver?: (event: any) => void
+		onCancelled?: EventCallback<Payload>
+		onOver?: EventCallback<void>
 	} = $props()
 	const appWin = getCurrentWebviewWindow()

--- a/apps/desktop/src/lib/components/standalone/settings/AddDevExtForm.svelte
+++ b/apps/desktop/src/lib/components/standalone/settings/AddDevExtForm.svelte
@ -120,9 +120,17 @@
 <Layouts.Center>
 	<DragNDrop
 		onDrop={(e) => {
+			console.log(e)
+
 			handleDragNDropInstall(e.payload.paths)
 		}}
-		onEnter={() => (dragging = true)}
+		onEnter={(evt) => {
+			console.log(evt)
+			dragging = true
+		}}
+		onOver={(evt) => {
+			console.log(evt)
+		}}
 		onCancelled={() => (dragging = false)}
 	>
 		<Card.Root
--- a/apps/desktop/src/lib/constants.ts
+++ b/apps/desktop/src/lib/constants.ts
@ -17,4 +17,5 @@ export function getExtensionsFolder() {
 		})
 }
 export const IS_IN_TAURI =
+	// eslint-disable-next-line @typescript-eslint/no-explicit-any
 	typeof window !== "undefined" && (window as any).__TAURI_INTERNALS__ !== undefined
--- a/apps/desktop/src/lib/utils/js.ts
+++ b/apps/desktop/src/lib/utils/js.ts
@ -1,6 +1,6 @@
 export function setsEqual<T>(set1: Set<T>, set2: Set<T>) {
 	if (set1.size !== set2.size) return false
-	for (let item of set1) {
+	for (const item of set1) {
 		if (!set2.has(item)) return false
 	}
 	return true
--- a/apps/desktop/src/lib/utils/key.ts
+++ b/apps/desktop/src/lib/utils/key.ts
@ -107,7 +107,7 @@ export function isShortcut(letters: string[]): boolean {
 	let hasModifier = false
 	let hasNonModifier = false

-	for (let letter of letters) {
+	for (const letter of letters) {
 		if (modifierKeySet.has(letter)) {
 			hasModifier = true
 		} else {
--- a/apps/desktop/src/routes/app/+layout.svelte
+++ b/apps/desktop/src/routes/app/+layout.svelte
@ -92,7 +92,6 @@
 					winExtMap.unregisterProcess(event.payload.pid)
 				})
 			)
-		} else {
 		}
 		getCurrentWebviewWindow().show()
 	})
--- a/apps/desktop/src/routes/app/auth/+page.svelte
+++ b/apps/desktop/src/routes/app/auth/+page.svelte
@ -26,7 +26,7 @@
 		if (error) {
 			toast.error("Failed to sign in with OAuth", { description: error.message })
 		} else {
-			data.url && open(data.url)
+			if (data.url) open(data.url)
 		}
 	}

--- a/apps/desktop/src/routes/app/extension/clipboard/+page.svelte
+++ b/apps/desktop/src/routes/app/extension/clipboard/+page.svelte
@ -75,7 +75,7 @@

 	$effect(() => {
 		// search sqlite when searchTerm changes
-		searchTerm
+		void searchTerm
 		;(async () => {
 			// console.log("searchTerm", searchTerm)
 			if (searchTerm === "") {
--- a/apps/desktop/src/routes/app/extension/clipboard/content-preview.svelte
+++ b/apps/desktop/src/routes/app/extension/clipboard/content-preview.svelte
@ -67,6 +67,7 @@
 			<div class="text-sm">{txtData}</div>
 		{:else if highlighted.dataType === "Html"}
 			<div class="">
+				<!-- eslint-disable-next-line svelte/no-at-html-tags -->
 				{@html DOMPurify.sanitize(txtData)}
 			</div>
 		{:else}
--- a/apps/desktop/src/routes/app/extension/pin-screenshot/+page.svelte
+++ b/apps/desktop/src/routes/app/extension/pin-screenshot/+page.svelte
@ -47,9 +47,10 @@
 		scale += (e.deltaY < 0 ? 1 : -1) * 0.05
 	}

-	function onGestureChange(e: any) {
+	function onGestureChange(e: Event) {
 		e.preventDefault()
-		scale = e.scale
+		// eslint-disable-next-line @typescript-eslint/no-explicit-any
+		scale = (e as any).scale
 	}

 	$effect(() => {
--- a/apps/desktop/src/routes/app/extension/store/[identifier]/+page.svelte
+++ b/apps/desktop/src/routes/app/extension/store/[identifier]/+page.svelte
@ -60,7 +60,7 @@
 	let imageDialogOpen = $state(false)
 	let delayedImageDialogOpen = $state(false)
 	$effect(() => {
-		imageDialogOpen // do not remove this line, $effect only subscribe to synchronous variable inside it
+		void imageDialogOpen // do not remove this line, $effect only subscribe to synchronous variable inside it
 		setTimeout(() => {
 			delayedImageDialogOpen = imageDialogOpen
 		}, 500)
--- a/apps/desktop/src/routes/app/extension/ui-iframe/+page.svelte
+++ b/apps/desktop/src/routes/app/extension/ui-iframe/+page.svelte
@ -13,9 +13,10 @@
 		type IApp,
 		type IUiIframe
 	} from "@kksh/api/ui"
-	import { toast, type IUiIframeServer2 } from "@kksh/api/ui/iframe"
+	import { toast, type IUiIframeServer1, type IUiIframeServer2 } from "@kksh/api/ui/iframe"
 	import { Button } from "@kksh/svelte5"
 	import { cn } from "@kksh/ui/utils"
+	import type { IKunkunFullServerAPI } from "@kunkunapi/src/api/server"
 	import { getCurrentWindow } from "@tauri-apps/api/window"
 	import { goto } from "$app/navigation"
 	import { IframeParentIO, RPCChannel } from "kkrpc/browser"
@ -102,19 +103,22 @@
 		}
 	}

-	const serverAPI: Record<string, any> = constructJarvisServerAPIWithPermissions(
+	const serverAPI: IKunkunFullServerAPI = constructJarvisServerAPIWithPermissions(
 		loadedExt.kunkun.permissions,
 		loadedExt.extPath
 	)
-	serverAPI.iframeUi = {
-		...serverAPI.iframeUi,
-		...iframeUiAPI
-	} satisfies IUiIframe
-	serverAPI.db = new db.JarvisExtDB(extInfoInDB.extId)
-	serverAPI.kv = new db.KV(extInfoInDB.extId)
-	serverAPI.app = {
-		language: () => Promise.resolve("en") // TODO: get locale
-	} satisfies IApp
+	const serverAPI2 = {
+		...serverAPI,
+		iframeUi: {
+			...serverAPI.iframeUi,
+			...iframeUiAPI
+		} satisfies IUiIframeServer1 & IUiIframeServer2,
+		db: new db.JarvisExtDB(extInfoInDB.extId),
+		kv: new db.KV(extInfoInDB.extId),
+		app: {
+			language: () => Promise.resolve("en") // TODO: get locale
+		} satisfies IApp
+	}

 	function onBackBtnClicked() {
 		if (isInMainWindow()) {
@ -137,8 +141,7 @@
 		}, 200)
 		if (iframeRef?.contentWindow) {
 			const io = new IframeParentIO(iframeRef.contentWindow)
-			const rpc = new RPCChannel(io, { expose: serverAPI })
-			// exposeApiToWindow(iframeRef.contentWindow, serverAPI)
+			const rpc = new RPCChannel(io, { expose: serverAPI2 })
 		} else {
 			toast.warning("iframeRef.contentWindow not available")
 		}
--- a/apps/desktop/src/routes/app/extension/ui-worker/+page.svelte
+++ b/apps/desktop/src/routes/app/extension/ui-worker/+page.svelte
@ -3,31 +3,22 @@
 	import { winExtMap } from "@/stores/winExtMap.js"
 	import { listenToFileDrop, listenToRefreshDevExt } from "@/utils/tauri-events.js"
 	import { isInMainWindow } from "@/utils/window.js"
-	// import { type Remote } from "@huakunshen/comlink"
 	import { db } from "@kksh/api/commands"
+	import { constructJarvisServerAPIWithPermissions, type IApp, type IUiWorker } from "@kksh/api/ui"
 	import {
-		constructJarvisServerAPIWithPermissions,
-		// exposeApiToWorker,
-		type IApp,
-		type IUiWorker
-	} from "@kksh/api/ui"
-	import {
-		clipboard,
-		// constructJarvisExtDBToServerDbAPI,
 		FormNodeNameEnum,
 		FormSchema,
 		ListSchema,
-		Markdown,
 		MarkdownSchema,
 		NodeNameEnum,
 		toast,
-		// wrap,
 		type IComponent,
 		type WorkerExtension
 	} from "@kksh/api/ui/worker"
 	import { LoadingBar } from "@kksh/ui"
 	import { Templates } from "@kksh/ui/extension"
 	import { GlobalCommandPaletteFooter } from "@kksh/ui/main"
+	import type { IKunkunFullServerAPI } from "@kunkunapi/src/api/server"
 	import type { UnlistenFn } from "@tauri-apps/api/event"
 	import { getCurrentWebviewWindow } from "@tauri-apps/api/webviewWindow"
 	import { readTextFile } from "@tauri-apps/plugin-fs"
@ -200,24 +191,26 @@
 		const blob = new Blob([workerScript], { type: "application/javascript" })
 		const blobURL = URL.createObjectURL(blob)
 		worker = new Worker(blobURL)
-		const serverAPI: Record<string, any> = constructJarvisServerAPIWithPermissions(
+		const serverAPI: IKunkunFullServerAPI = constructJarvisServerAPIWithPermissions(
 			loadedExt.kunkun.permissions,
 			loadedExt.extPath
 		)
-		serverAPI.iframeUi = undefined
-		serverAPI.workerUi = extUiAPI
-		serverAPI.db = new db.JarvisExtDB(extInfoInDB.extId)
-		serverAPI.kv = new db.KV(extInfoInDB.extId)
-		serverAPI.app = {
-			language: () => Promise.resolve("en")
-		} satisfies IApp
+		const serverAPI2 = {
+			...serverAPI,
+			iframeUi: undefined,
+			workerUi: extUiAPI,
+			db: new db.JarvisExtDB(extInfoInDB.extId),
+			kv: new db.KV(extInfoInDB.extId),
+			app: {
+				language: () => Promise.resolve("en")
+			} satisfies IApp
+		}
+
 		const io = new WorkerParentIO(worker)
-		const rpc = new RPCChannel<typeof serverAPI, WorkerExtension>(io, {
-			expose: serverAPI
+		const rpc = new RPCChannel<typeof serverAPI2, WorkerExtension>(io, {
+			expose: serverAPI2
 		})
 		workerAPI = rpc.getAPI()
-		// exposeApiToWorker(worker, serverAPI)
-		// workerAPI = wrap<WorkerExtension>(worker)
 		await workerAPI.load()
 	}

--- a/apps/desktop/src/routes/app/troubleshooters/extension-loading/+page.svelte
+++ b/apps/desktop/src/routes/app/troubleshooters/extension-loading/+page.svelte
@ -45,8 +45,8 @@
 			}
 			try {
 				const manifest = await loadExtensionManifestFromDisk(pkgJsonPath)
-			} catch (err: any) {
-				error = `Failed to load manifest from ${pkgJsonPath}: ${err.message}`
+			} catch (err) {
+				error = `Failed to load manifest from ${pkgJsonPath}: ${err}`
 			}

 			tmpResults.push({
--- a/apps/desktop/svelte.config.js
+++ b/apps/desktop/svelte.config.js
@ -14,6 +14,7 @@ const config = {
 		}),
 		alias: {
 			"@/*": "./src/lib/*",
+			"@kunkunapi/*": "../../packages/api/*"
 			// "@kksh/ui/*": "../../packages/ui/*",
 			// "@kksh/svelte5/*": "../../node_modules/@kksh/svelte5/src/lib/*"
 		}
--- a/package.json
+++ b/package.json
@ -20,7 +20,8 @@
 		"svelte": "^5.16.6",
 		"svelte-check": "^4.1.1",
 		"turbo": "^2.3.3",
-		"typescript": "5.7.2"
+		"typescript": "5.7.2",
+		"verify-package-export": "^0.0.2"
 	},
 	"packageManager": "pnpm@9.15.3",
 	"engines": {
@ -45,8 +46,8 @@
 		"@tauri-apps/plugin-store": "^2.2.0",
 		"@tauri-apps/plugin-updater": "^2.3.1",
 		"supabase": "^2.2.1",
-		"tauri-plugin-network-api": "workspace:*",
 		"tauri-plugin-keyring-api": "workspace:*",
+		"tauri-plugin-network-api": "workspace:*",
 		"tauri-plugin-shellx-api": "^2.0.14",
 		"tauri-plugin-system-info-api": "workspace:*",
 		"valibot": "^1.0.0-beta.11",
--- a/packages/api/tests/verify-package-export.test.ts
+++ b/packages/api/tests/verify-package-export.test.ts
@ -29,6 +29,7 @@ describe("Verify Bundled Package", () => {
 			if (typeof exportPaths === "string") {
 				// special case for "./package.json"
 				const resolvedPath = path.join(pkgRoot, exportPaths)
+				console.log("resolvedPath", resolvedPath)
 				expect(await Bun.file(resolvedPath).exists()).toBe(true)
 			} else {
 				Object.values(exportPaths).forEach(async (_path: string) => {
--- a/packages/api/package.json
+++ b/packages/api/package.json
@ -16,12 +16,12 @@
 		"./events": "./src/events.ts",
 		"./supabase": "./src/supabase/index.ts",
 		"./supabase/types": "./src/supabase/database.types.ts",
-		"./package.json": "./package.json",
-		"./extensions/jsr": "./src/extensions/jsr/index.ts"
+		"./package.json": "./package.json"
 	},
 	"license": "MIT",
 	"scripts": {
 		"test": "bun test --coverage",
+		"postbuild": "verify-package-export verify",
 		"gen:deno:types": "deno types > deno.d.ts",
 		"build:docs": "npx typedoc",
 		"check-types": "tsc --noEmit",
@ -39,7 +39,8 @@
 		"fs-extra": "^11.2.0",
 		"madge": "^8.0.0",
 		"typedoc": "^0.27.6",
-		"typescript": "^5.0.0"
+		"typescript": "^5.0.0",
+		"verify-package-export": "^0.0.2"
 	},
 	"dependencies": {
 		"@huakunshen/jsr-client": "^0.1.5",
--- a/packages/api/src/extensions/jsr/tests/api.test.ts
+++ b/packages/api/src/extensions/jsr/tests/api.test.ts
@ -1,133 +0,0 @@
-import { describe, expect, test } from "bun:test";
-import * as v from "valibot";
-import { ExtPackageJson } from "../../../models/manifest";
-import {
-	getAllVersionsOfJsrPackage,
-	getJsrNpmPackageVersionMetadata,
-	getJsrNpmPkgMetadata,
-	getJsrPackageGitHubRepo,
-	getJsrPackageHtml,
-	getJsrPackageMetadata,
-	getJsrPackageSrcFile,
-	getNpmPackageTarballUrl,
-	isSignedByGitHubAction,
-	jsrPackageExists,
-	splitRawJsrPkgName,
-	translateJsrToNpmPkgName,
-} from "../index";
-import { JsrPackageMetadata, NpmPkgMetadata } from "../models";
-
-describe("Test the helper functions", () => {
-	test("Get Package Html", async () => {
-		const html = await getJsrPackageHtml("kunkun", "kkrpc");
-		expect(html).toBeDefined();
-	});
-
-	test("Signed By GitHub Action", async () => {
-		const kkrpcSigned = await isSignedByGitHubAction(
-			"kunkun",
-			"kkrpc",
-			"0.0.14",
-		);
-		expect(kkrpcSigned).toBe(true);
-		const kkrpcSignedVersion = await isSignedByGitHubAction(
-			"kunkun",
-			"kkrpc",
-			"0.0.14",
-		);
-		expect(kkrpcSignedVersion).toBe(true);
-		expect(kkrpcSignedVersion).toBe(true);
-		const kunkunApiSigned = await isSignedByGitHubAction(
-			"kunkun",
-			"api",
-			"0.0.47",
-		);
-		expect(kunkunApiSigned).toBe(false);
-	});
-
-	test("Get Linked GitHub Repo", async () => {
-		const repo = await getJsrPackageGitHubRepo("kunkun", "kkrpc");
-		expect(repo).toBeDefined();
-		expect(repo?.owner).toBe("kunkunsh");
-		expect(repo?.name).toBe("kkrpc");
-	});
-
-	test("Get Package Metadata", async () => {
-		const metadata = await getJsrPackageMetadata("kunkun", "api");
-		const parsed = v.parse(JsrPackageMetadata, metadata);
-		expect(parsed).toBeDefined();
-	});
-
-	test("Get Package's package.json", async () => {
-		const packageJson = await getJsrPackageSrcFile(
-			"kunkun",
-			"ext-image-processing",
-			"0.0.6",
-			"package.json",
-		);
-		expect(packageJson).toBeDefined();
-		const parsed = v.parse(ExtPackageJson, JSON.parse(packageJson!));
-		expect(parsed).toBeDefined();
-	});
-
-	test("Get Package's README.md", async () => {
-		const readme = await getJsrPackageSrcFile(
-			"kunkun",
-			"api",
-			"0.0.47",
-			"README.md",
-		);
-		expect(readme).toBeDefined();
-	});
-
-	test("Translate Jsr Package Name to Npm Package Name", () => {
-		const npmPkgName = translateJsrToNpmPkgName("kunkun", "api");
-		expect(npmPkgName).toBe("kunkun__api");
-	});
-
-	test("Split Jsr Package Name", async () => {
-		const { scope, name } = await splitRawJsrPkgName("@kunkun/api");
-		expect(scope).toBe("kunkun");
-		expect(name).toBe("api");
-		expect(splitRawJsrPkgName("kunkun/api")).rejects.toThrow();
-	});
-
-	test("Get Npm Package Metadata", async () => {
-		const metadata = await getJsrNpmPkgMetadata("kunkun", "api");
-		const parsed = v.parse(NpmPkgMetadata, metadata);
-		expect(parsed).toBeDefined();
-	});
-
-	test("Get Npm Package Version Metadata", async () => {
-		const metadata = await getJsrNpmPackageVersionMetadata(
-			"kunkun",
-			"api",
-			"0.0.47",
-		);
-		expect(metadata).toBeDefined();
-	});
-
-	test("Get Npm Package Tarball Url", async () => {
-		const url = await getNpmPackageTarballUrl("kunkun", "api", "0.0.47");
-		expect(url).toBeDefined();
-	});
-
-	test("Get All Versions Of Jsr Package", async () => {
-		const versions = await getAllVersionsOfJsrPackage("kunkun", "api");
-		expect(versions).toBeDefined();
-		// verify: versions should match npm api
-		const npmPkgMetadata = await getJsrNpmPkgMetadata("kunkun", "api");
-		expect(versions).toEqual(Object.keys(npmPkgMetadata.versions));
-	});
-
-	test("Jsr Package Exists", async () => {
-		expect(await jsrPackageExists("kunkun", "api")).toBe(true);
-		expect(await jsrPackageExists("hk", "non-existent-package")).toBe(
-			false,
-		);
-		expect(await jsrPackageExists("hk", "jsr-client", "0.1.2")).toBe(true);
-		expect(await jsrPackageExists("hk", "jsr-client", "0.1.500")).toBe(
-			false,
-		);
-	});
-});
--- a/packages/api/src/extensions/jsr/models.ts
+++ b/packages/api/src/extensions/jsr/models.ts
@ -1,42 +0,0 @@
-import * as v from "valibot"
-
-export const JsrPackageMetadata = v.object({
-	scope: v.string(),
-	name: v.string(),
-	latest: v.string(),
-	versions: v.record(
-		v.string(),
-		v.object({
-			yanked: v.optional(v.boolean())
-		})
-	)
-})
-export type JsrPackageMetadata = v.InferOutput<typeof JsrPackageMetadata>
-
-export const NpmPkgMetadata = v.object({
-	name: v.string(),
-	description: v.optional(v.string()),
-	"dist-tags": v.record(v.string(), v.string()), // latest, next, beta, rc
-	versions: v.record(
-		v.string(),
-		v.object({
-			name: v.string(),
-			version: v.string(),
-			description: v.optional(v.string()),
-			dist: v.object({
-				tarball: v.string(),
-				shasum: v.string(),
-				integrity: v.string()
-			}),
-			dependencies: v.record(v.string(), v.string())
-		})
-	),
-	time: v.objectWithRest(
-		{
-			created: v.string(),
-			modified: v.string()
-		},
-		v.string()
-	)
-})
-export type NpmPkgMetadata = v.InferOutput<typeof NpmPkgMetadata>
--- a/packages/api/src/models/manifest.ts
+++ b/packages/api/src/models/manifest.ts
@ -1,36 +1,36 @@
-import { FsPermissionSchema } from "tauri-api-adapter/permissions";
-import * as v from "valibot";
+import { FsPermissionSchema } from "tauri-api-adapter/permissions"
+import * as v from "valibot"
 import {
 	AllKunkunPermission,
 	FsPermissionScopedSchema,
 	KunkunFsPermissionSchema,
 	KunkunManifestPermission,
 	OpenPermissionScopedSchema,
-	ShellPermissionScopedSchema,
-} from "../permissions";
-import { CmdType } from "./extension";
-import { Icon } from "./icon";
+	ShellPermissionScopedSchema
+} from "../permissions"
+import { CmdType } from "./extension"
+import { Icon } from "./icon"

 export enum OSPlatformEnum {
 	linux = "linux",
 	macos = "macos",
-	windows = "windows",
+	windows = "windows"
 }

-export const OSPlatform = v.enum_(OSPlatformEnum);
-export type OSPlatform = v.InferOutput<typeof OSPlatform>;
-const allPlatforms = Object.values(OSPlatformEnum);
+export const OSPlatform = v.enum_(OSPlatformEnum)
+export type OSPlatform = v.InferOutput<typeof OSPlatform>
+const allPlatforms = Object.values(OSPlatformEnum)
 export const TriggerCmd = v.object({
 	type: v.union([v.literal("text"), v.literal("regex")]),
-	value: v.string(),
-});
-export type TriggerCmd = v.InferOutput<typeof TriggerCmd>;
+	value: v.string()
+})
+export type TriggerCmd = v.InferOutput<typeof TriggerCmd>
 export enum TitleBarStyleEnum {
 	"visible" = "visible",
 	"transparent" = "transparent",
-	"overlay" = "overlay",
+	"overlay" = "overlay"
 }
-export const TitleBarStyle = v.enum_(TitleBarStyleEnum);
+export const TitleBarStyle = v.enum_(TitleBarStyleEnum)
 // JS new WebViewWindow only accepts lowercase, while manifest loaded from Rust is capitalized. I run toLowerCase() on the value before passing it to the WebViewWindow.
 // This lowercase title bar style schema is used to validate and set the type so TypeScript won't complaint
 // export const TitleBarStyleAllLower = z.enum(["visible", "transparent", "overlay"]);
@ -66,101 +66,85 @@ export const WindowConfig = v.object({
 	minimizable: v.optional(v.nullable(v.boolean())),
 	closable: v.optional(v.nullable(v.boolean())),
 	parent: v.optional(v.nullable(v.string())),
-	visibleOnAllWorkspaces: v.optional(v.nullable(v.boolean())),
-});
-export type WindowConfig = v.InferOutput<typeof WindowConfig>;
+	visibleOnAllWorkspaces: v.optional(v.nullable(v.boolean()))
+})
+export type WindowConfig = v.InferOutput<typeof WindowConfig>
 export const BaseCmd = v.object({
 	main: v.string("HTML file to load, e.g. dist/index.html"),
-	description: v.optional(
-		v.nullable(v.string("Description of the Command"), ""),
-		"",
-	),
+	description: v.optional(v.nullable(v.string("Description of the Command"), ""), ""),
 	name: v.string("Name of the command"),
 	cmds: v.array(TriggerCmd, "Commands to trigger the UI"),
 	icon: v.optional(Icon),
 	platforms: v.optional(
 		v.nullable(
-			v.array(
-				OSPlatform,
-				"Platforms available on. Leave empty for all platforms.",
-			),
-			allPlatforms,
+			v.array(OSPlatform, "Platforms available on. Leave empty for all platforms."),
+			allPlatforms
 		),
-		allPlatforms,
-	),
-});
+		allPlatforms
+	)
+})
 export const CustomUiCmd = v.object({
 	...BaseCmd.entries,
 	type: v.optional(CmdType, CmdType.enum.UiIframe),
 	dist: v.string("Dist folder to load, e.g. dist, build, out"),
 	devMain: v.string(
-		"URL to load in development to support live reload, e.g. http://localhost:5173/",
+		"URL to load in development to support live reload, e.g. http://localhost:5173/"
 	),
-	window: v.optional(v.nullable(WindowConfig)),
-});
-export type CustomUiCmd = v.InferOutput<typeof CustomUiCmd>;
+	window: v.optional(v.nullable(WindowConfig))
+})
+export type CustomUiCmd = v.InferOutput<typeof CustomUiCmd>

 export const TemplateUiCmd = v.object({
 	...BaseCmd.entries,
 	type: v.optional(CmdType, CmdType.enum.UiWorker),
-	window: v.optional(v.nullable(WindowConfig)),
-});
+	window: v.optional(v.nullable(WindowConfig))
+})
 export const HeadlessCmd = v.object({
 	...BaseCmd.entries,
-	type: v.optional(CmdType, CmdType.enum.HeadlessWorker),
-});
-export type HeadlessCmd = v.InferOutput<typeof HeadlessCmd>;
-export type TemplateUiCmd = v.InferOutput<typeof TemplateUiCmd>;
+	type: v.optional(CmdType, CmdType.enum.HeadlessWorker)
+})
+export type HeadlessCmd = v.InferOutput<typeof HeadlessCmd>
+export type TemplateUiCmd = v.InferOutput<typeof TemplateUiCmd>
 export const PermissionUnion = v.union([
 	KunkunManifestPermission,
 	FsPermissionScopedSchema,
 	OpenPermissionScopedSchema,
-	ShellPermissionScopedSchema,
-]);
-export type PermissionUnion = v.InferOutput<typeof PermissionUnion>;
+	ShellPermissionScopedSchema
+])
+export type PermissionUnion = v.InferOutput<typeof PermissionUnion>
 export const KunkunExtManifest = v.object({
 	name: v.string("Name of the extension (Human Readable)"),
-	shortDescription: v.string(
-		"Description of the extension (Will be displayed in store)",
-	),
-	longDescription: v.string(
-		"Long description of the extension (Will be displayed in store)",
-	),
+	shortDescription: v.string("Description of the extension (Will be displayed in store)"),
+	longDescription: v.string("Long description of the extension (Will be displayed in store)"),
 	identifier: v.string(
-		"Unique identifier for the extension, must be the same as extension folder name",
+		"Unique identifier for the extension, must be the same as extension folder name"
 	),
 	icon: Icon,
 	permissions: v.array(
 		PermissionUnion,
-		"Permissions Declared by the extension. e.g. clipboard-all. Not declared APIs will be blocked.",
+		"Permissions Declared by the extension. e.g. clipboard-all. Not declared APIs will be blocked."
 	),
 	demoImages: v.array(v.string("Demo images for the extension")),
 	customUiCmds: v.optional(v.array(CustomUiCmd, "Custom UI Commands")),
 	templateUiCmds: v.optional(v.array(TemplateUiCmd, "Template UI Commands")),
-	headlessCmds: v.optional(v.array(HeadlessCmd, "Headless Commands")),
-});
-export type KunkunExtManifest = v.InferOutput<typeof KunkunExtManifest>;
+	headlessCmds: v.optional(v.array(HeadlessCmd, "Headless Commands"))
+})
+export type KunkunExtManifest = v.InferOutput<typeof KunkunExtManifest>

 const Person = v.union([
 	v.object({
 		name: v.string("GitHub Username"),
 		email: v.string("Email of the person"),
-		url: v.optional(v.nullable(v.string("URL of the person"))),
+		url: v.optional(v.nullable(v.string("URL of the person")))
 	}),
-	v.string("GitHub Username"),
-]);
+	v.string("GitHub Username")
+])

 export const ExtPackageJson = v.object({
-	name: v.string(
-		"Package name for the extension (just a regular npm package name)",
-	),
+	name: v.string("Package name for the extension (just a regular npm package name)"),
 	version: v.string("Version of the extension"),
 	author: v.optional(Person),
-	draft: v.optional(
-		v.boolean(
-			"Whether the extension is a draft, draft will not be published",
-		),
-	),
+	draft: v.optional(v.boolean("Whether the extension is a draft, draft will not be published")),
 	contributors: v.optional(v.array(Person, "Contributors of the extension")),
 	repository: v.optional(
 		v.union([
@ -168,17 +152,15 @@ export const ExtPackageJson = v.object({
 			v.object({
 				type: v.string("Type of the repository"),
 				url: v.string("URL of the repository"),
-				directory: v.string("Directory of the repository"),
-			}),
-		]),
+				directory: v.optional(v.string("Directory of the repository"))
+			})
+		])
 	),
 	dependencies: v.optional(v.record(v.string(), v.string())),
 	kunkun: KunkunExtManifest,
-	files: v.array(
-		v.string("Files to include in the extension. e.g. ['dist']"),
-	),
-});
-export type ExtPackageJson = v.InferOutput<typeof ExtPackageJson>;
+	files: v.optional(v.array(v.string("Files to include in the extension. e.g. ['dist']")))
+})
+export type ExtPackageJson = v.InferOutput<typeof ExtPackageJson>
 /**
 * Extra fields for ExtPackageJson
 * e.g. path to the extension
@ -187,8 +169,8 @@ export const ExtPackageJsonExtra = v.object({
 	...ExtPackageJson.entries,
 	...{
 		extPath: v.string(),
-		extFolderName: v.string(),
-	},
-});
+		extFolderName: v.string()
+	}
+})

-export type ExtPackageJsonExtra = v.InferOutput<typeof ExtPackageJsonExtra>;
+export type ExtPackageJsonExtra = v.InferOutput<typeof ExtPackageJsonExtra>
--- a/packages/api/src/supabase/database.types.ts
+++ b/packages/api/src/supabase/database.types.ts
@ -1,288 +1,274 @@
-export type Json =
-  | string
-  | number
-  | boolean
-  | null
-  | { [key: string]: Json | undefined }
-  | Json[]
+export type Json = string | number | boolean | null | { [key: string]: Json | undefined } | Json[]

 export type Database = {
-  public: {
-    Tables: {
-      events: {
-        Row: {
-          created_at: string
-          data: Json | null
-          event_type: Database["public"]["Enums"]["event_type"]
-          id: number
-          ip: string
-        }
-        Insert: {
-          created_at?: string
-          data?: Json | null
-          event_type: Database["public"]["Enums"]["event_type"]
-          id?: number
-          ip: string
-        }
-        Update: {
-          created_at?: string
-          data?: Json | null
-          event_type?: Database["public"]["Enums"]["event_type"]
-          id?: number
-          ip?: string
-        }
-        Relationships: []
-      }
-      ext_images: {
-        Row: {
-          created_at: string
-          image_path: string
-          sha512: string
-        }
-        Insert: {
-          created_at?: string
-          image_path: string
-          sha512: string
-        }
-        Update: {
-          created_at?: string
-          image_path?: string
-          sha512?: string
-        }
-        Relationships: []
-      }
-      ext_publish: {
-        Row: {
-          api_version: string | null
-          cmd_count: number
-          created_at: string
-          demo_images: string[]
-          downloads: number
-          id: number
-          identifier: string
-          manifest: Json
-          metadata: Json | null
-          name: string
-          shasum: string
-          size: number
-          tarball_path: string
-          version: string
-        }
-        Insert: {
-          api_version?: string | null
-          cmd_count: number
-          created_at?: string
-          demo_images: string[]
-          downloads: number
-          id?: number
-          identifier: string
-          manifest: Json
-          metadata?: Json | null
-          name: string
-          shasum: string
-          size: number
-          tarball_path: string
-          version: string
-        }
-        Update: {
-          api_version?: string | null
-          cmd_count?: number
-          created_at?: string
-          demo_images?: string[]
-          downloads?: number
-          id?: number
-          identifier?: string
-          manifest?: Json
-          metadata?: Json | null
-          name?: string
-          shasum?: string
-          size?: number
-          tarball_path?: string
-          version?: string
-        }
-        Relationships: [
-          {
-            foreignKeyName: "ext_publish_identifier_fkey"
-            columns: ["identifier"]
-            isOneToOne: false
-            referencedRelation: "extensions"
-            referencedColumns: ["identifier"]
-          },
-        ]
-      }
-      extensions: {
-        Row: {
-          api_version: string
-          author_id: string | null
-          created_at: string
-          downloads: number
-          icon: Json | null
-          identifier: string
-          long_description: string | null
-          name: string
-          readme: string | null
-          short_description: string
-          version: string
-        }
-        Insert: {
-          api_version: string
-          author_id?: string | null
-          created_at?: string
-          downloads: number
-          icon?: Json | null
-          identifier: string
-          long_description?: string | null
-          name: string
-          readme?: string | null
-          short_description: string
-          version: string
-        }
-        Update: {
-          api_version?: string
-          author_id?: string | null
-          created_at?: string
-          downloads?: number
-          icon?: Json | null
-          identifier?: string
-          long_description?: string | null
-          name?: string
-          readme?: string | null
-          short_description?: string
-          version?: string
-        }
-        Relationships: []
-      }
-    }
-    Views: {
-      [_ in never]: never
-    }
-    Functions: {
-      get_aggregated_downloads: {
-        Args: Record<PropertyKey, never>
-        Returns: {
-          identifier: string
-          total_downloads: number
-        }[]
-      }
-      get_aggregated_downloads_with_details: {
-        Args: Record<PropertyKey, never>
-        Returns: {
-          identifier: string
-          total_downloads: number
-          name: string
-          short_description: string
-        }[]
-      }
-      increment_downloads: {
-        Args: {
-          t_identifier: string
-          t_version: string
-        }
-        Returns: number
-      }
-    }
-    Enums: {
-      event_type: "download" | "updater" | "schema" | "nightly_schema"
-    }
-    CompositeTypes: {
-      [_ in never]: never
-    }
-  }
+	public: {
+		Tables: {
+			events: {
+				Row: {
+					created_at: string
+					data: Json | null
+					event_type: Database["public"]["Enums"]["event_type"]
+					id: number
+					ip: string
+				}
+				Insert: {
+					created_at?: string
+					data?: Json | null
+					event_type: Database["public"]["Enums"]["event_type"]
+					id?: number
+					ip: string
+				}
+				Update: {
+					created_at?: string
+					data?: Json | null
+					event_type?: Database["public"]["Enums"]["event_type"]
+					id?: number
+					ip?: string
+				}
+				Relationships: []
+			}
+			ext_images: {
+				Row: {
+					created_at: string
+					image_path: string
+					sha512: string
+				}
+				Insert: {
+					created_at?: string
+					image_path: string
+					sha512: string
+				}
+				Update: {
+					created_at?: string
+					image_path?: string
+					sha512?: string
+				}
+				Relationships: []
+			}
+			ext_publish: {
+				Row: {
+					api_version: string | null
+					cmd_count: number
+					created_at: string
+					demo_images: string[]
+					downloads: number
+					id: number
+					identifier: string
+					manifest: Json
+					metadata: Json | null
+					name: string
+					shasum: string
+					size: number
+					tarball_path: string
+					version: string
+				}
+				Insert: {
+					api_version?: string | null
+					cmd_count: number
+					created_at?: string
+					demo_images: string[]
+					downloads: number
+					id?: number
+					identifier: string
+					manifest: Json
+					metadata?: Json | null
+					name: string
+					shasum: string
+					size: number
+					tarball_path: string
+					version: string
+				}
+				Update: {
+					api_version?: string | null
+					cmd_count?: number
+					created_at?: string
+					demo_images?: string[]
+					downloads?: number
+					id?: number
+					identifier?: string
+					manifest?: Json
+					metadata?: Json | null
+					name?: string
+					shasum?: string
+					size?: number
+					tarball_path?: string
+					version?: string
+				}
+				Relationships: [
+					{
+						foreignKeyName: "ext_publish_identifier_fkey"
+						columns: ["identifier"]
+						isOneToOne: false
+						referencedRelation: "extensions"
+						referencedColumns: ["identifier"]
+					}
+				]
+			}
+			extensions: {
+				Row: {
+					api_version: string
+					author_id: string | null
+					created_at: string
+					downloads: number
+					icon: Json | null
+					identifier: string
+					long_description: string | null
+					name: string
+					readme: string | null
+					short_description: string
+					version: string
+				}
+				Insert: {
+					api_version: string
+					author_id?: string | null
+					created_at?: string
+					downloads: number
+					icon?: Json | null
+					identifier: string
+					long_description?: string | null
+					name: string
+					readme?: string | null
+					short_description: string
+					version: string
+				}
+				Update: {
+					api_version?: string
+					author_id?: string | null
+					created_at?: string
+					downloads?: number
+					icon?: Json | null
+					identifier?: string
+					long_description?: string | null
+					name?: string
+					readme?: string | null
+					short_description?: string
+					version?: string
+				}
+				Relationships: []
+			}
+		}
+		Views: {
+			[_ in never]: never
+		}
+		Functions: {
+			get_aggregated_downloads: {
+				Args: Record<PropertyKey, never>
+				Returns: {
+					identifier: string
+					total_downloads: number
+				}[]
+			}
+			get_aggregated_downloads_with_details: {
+				Args: Record<PropertyKey, never>
+				Returns: {
+					identifier: string
+					total_downloads: number
+					name: string
+					short_description: string
+				}[]
+			}
+			increment_downloads: {
+				Args: {
+					t_identifier: string
+					t_version: string
+				}
+				Returns: number
+			}
+		}
+		Enums: {
+			event_type: "download" | "updater" | "schema" | "nightly_schema"
+		}
+		CompositeTypes: {
+			[_ in never]: never
+		}
+	}
 }

 type PublicSchema = Database[Extract<keyof Database, "public">]

 export type Tables<
-  PublicTableNameOrOptions extends
-    | keyof (PublicSchema["Tables"] & PublicSchema["Views"])
-    | { schema: keyof Database },
-  TableName extends PublicTableNameOrOptions extends { schema: keyof Database }
-    ? keyof (Database[PublicTableNameOrOptions["schema"]]["Tables"] &
-        Database[PublicTableNameOrOptions["schema"]]["Views"])
-    : never = never,
+	PublicTableNameOrOptions extends
+		| keyof (PublicSchema["Tables"] & PublicSchema["Views"])
+		| { schema: keyof Database },
+	TableName extends PublicTableNameOrOptions extends { schema: keyof Database }
+		? keyof (Database[PublicTableNameOrOptions["schema"]]["Tables"] &
+				Database[PublicTableNameOrOptions["schema"]]["Views"])
+		: never = never
 > = PublicTableNameOrOptions extends { schema: keyof Database }
-  ? (Database[PublicTableNameOrOptions["schema"]]["Tables"] &
-      Database[PublicTableNameOrOptions["schema"]]["Views"])[TableName] extends {
-      Row: infer R
-    }
-    ? R
-    : never
-  : PublicTableNameOrOptions extends keyof (PublicSchema["Tables"] &
-        PublicSchema["Views"])
-    ? (PublicSchema["Tables"] &
-        PublicSchema["Views"])[PublicTableNameOrOptions] extends {
-        Row: infer R
-      }
-      ? R
-      : never
-    : never
+	? (Database[PublicTableNameOrOptions["schema"]]["Tables"] &
+			Database[PublicTableNameOrOptions["schema"]]["Views"])[TableName] extends {
+			Row: infer R
+		}
+		? R
+		: never
+	: PublicTableNameOrOptions extends keyof (PublicSchema["Tables"] & PublicSchema["Views"])
+		? (PublicSchema["Tables"] & PublicSchema["Views"])[PublicTableNameOrOptions] extends {
+				Row: infer R
+			}
+			? R
+			: never
+		: never

 export type TablesInsert<
-  PublicTableNameOrOptions extends
-    | keyof PublicSchema["Tables"]
-    | { schema: keyof Database },
-  TableName extends PublicTableNameOrOptions extends { schema: keyof Database }
-    ? keyof Database[PublicTableNameOrOptions["schema"]]["Tables"]
-    : never = never,
+	PublicTableNameOrOptions extends keyof PublicSchema["Tables"] | { schema: keyof Database },
+	TableName extends PublicTableNameOrOptions extends { schema: keyof Database }
+		? keyof Database[PublicTableNameOrOptions["schema"]]["Tables"]
+		: never = never
 > = PublicTableNameOrOptions extends { schema: keyof Database }
-  ? Database[PublicTableNameOrOptions["schema"]]["Tables"][TableName] extends {
-      Insert: infer I
-    }
-    ? I
-    : never
-  : PublicTableNameOrOptions extends keyof PublicSchema["Tables"]
-    ? PublicSchema["Tables"][PublicTableNameOrOptions] extends {
-        Insert: infer I
-      }
-      ? I
-      : never
-    : never
+	? Database[PublicTableNameOrOptions["schema"]]["Tables"][TableName] extends {
+			Insert: infer I
+		}
+		? I
+		: never
+	: PublicTableNameOrOptions extends keyof PublicSchema["Tables"]
+		? PublicSchema["Tables"][PublicTableNameOrOptions] extends {
+				Insert: infer I
+			}
+			? I
+			: never
+		: never

 export type TablesUpdate<
-  PublicTableNameOrOptions extends
-    | keyof PublicSchema["Tables"]
-    | { schema: keyof Database },
-  TableName extends PublicTableNameOrOptions extends { schema: keyof Database }
-    ? keyof Database[PublicTableNameOrOptions["schema"]]["Tables"]
-    : never = never,
+	PublicTableNameOrOptions extends keyof PublicSchema["Tables"] | { schema: keyof Database },
+	TableName extends PublicTableNameOrOptions extends { schema: keyof Database }
+		? keyof Database[PublicTableNameOrOptions["schema"]]["Tables"]
+		: never = never
 > = PublicTableNameOrOptions extends { schema: keyof Database }
-  ? Database[PublicTableNameOrOptions["schema"]]["Tables"][TableName] extends {
-      Update: infer U
-    }
-    ? U
-    : never
-  : PublicTableNameOrOptions extends keyof PublicSchema["Tables"]
-    ? PublicSchema["Tables"][PublicTableNameOrOptions] extends {
-        Update: infer U
-      }
-      ? U
-      : never
-    : never
+	? Database[PublicTableNameOrOptions["schema"]]["Tables"][TableName] extends {
+			Update: infer U
+		}
+		? U
+		: never
+	: PublicTableNameOrOptions extends keyof PublicSchema["Tables"]
+		? PublicSchema["Tables"][PublicTableNameOrOptions] extends {
+				Update: infer U
+			}
+			? U
+			: never
+		: never

 export type Enums<
-  PublicEnumNameOrOptions extends
-    | keyof PublicSchema["Enums"]
-    | { schema: keyof Database },
-  EnumName extends PublicEnumNameOrOptions extends { schema: keyof Database }
-    ? keyof Database[PublicEnumNameOrOptions["schema"]]["Enums"]
-    : never = never,
+	PublicEnumNameOrOptions extends keyof PublicSchema["Enums"] | { schema: keyof Database },
+	EnumName extends PublicEnumNameOrOptions extends { schema: keyof Database }
+		? keyof Database[PublicEnumNameOrOptions["schema"]]["Enums"]
+		: never = never
 > = PublicEnumNameOrOptions extends { schema: keyof Database }
-  ? Database[PublicEnumNameOrOptions["schema"]]["Enums"][EnumName]
-  : PublicEnumNameOrOptions extends keyof PublicSchema["Enums"]
-    ? PublicSchema["Enums"][PublicEnumNameOrOptions]
-    : never
+	? Database[PublicEnumNameOrOptions["schema"]]["Enums"][EnumName]
+	: PublicEnumNameOrOptions extends keyof PublicSchema["Enums"]
+		? PublicSchema["Enums"][PublicEnumNameOrOptions]
+		: never

 export type CompositeTypes<
-  PublicCompositeTypeNameOrOptions extends
-    | keyof PublicSchema["CompositeTypes"]
-    | { schema: keyof Database },
-  CompositeTypeName extends PublicCompositeTypeNameOrOptions extends {
-    schema: keyof Database
-  }
-    ? keyof Database[PublicCompositeTypeNameOrOptions["schema"]]["CompositeTypes"]
-    : never = never,
+	PublicCompositeTypeNameOrOptions extends
+		| keyof PublicSchema["CompositeTypes"]
+		| { schema: keyof Database },
+	CompositeTypeName extends PublicCompositeTypeNameOrOptions extends {
+		schema: keyof Database
+	}
+		? keyof Database[PublicCompositeTypeNameOrOptions["schema"]]["CompositeTypes"]
+		: never = never
 > = PublicCompositeTypeNameOrOptions extends { schema: keyof Database }
-  ? Database[PublicCompositeTypeNameOrOptions["schema"]]["CompositeTypes"][CompositeTypeName]
-  : PublicCompositeTypeNameOrOptions extends keyof PublicSchema["CompositeTypes"]
-    ? PublicSchema["CompositeTypes"][PublicCompositeTypeNameOrOptions]
-    : never
+	? Database[PublicCompositeTypeNameOrOptions["schema"]]["CompositeTypes"][CompositeTypeName]
+	: PublicCompositeTypeNameOrOptions extends keyof PublicSchema["CompositeTypes"]
+		? PublicSchema["CompositeTypes"][PublicCompositeTypeNameOrOptions]
+		: never
--- a/packages/config-eslint/package.json
+++ b/packages/config-eslint/package.json
@ -2,11 +2,11 @@
 	"name": "@kksh/eslint-config",
 	"version": "0.0.0",
 	"dependencies": {
-		"@typescript-eslint/eslint-plugin": "^8.15.0",
-		"@typescript-eslint/parser": "^8.15.0",
-		"eslint-config-prettier": "^9.1.0",
-		"eslint-config-turbo": "^2.3.0",
-		"eslint-plugin-svelte": "^2.46.0"
+		"@typescript-eslint/eslint-plugin": "^8.20.0",
+		"@typescript-eslint/parser": "^8.20.0",
+		"eslint-config-prettier": "^10.0.1",
+		"eslint-config-turbo": "^2.3.3",
+		"eslint-plugin-svelte": "^2.46.1"
 	},
 	"publishConfig": {
 		"access": "public"
--- a/packages/extensions/ext-sveltekit-exp/components.json
+++ b/packages/extensions/ext-sveltekit-exp/components.json
@ -11,4 +11,4 @@
 		"utils": "$lib/utils"
 	},
 	"typescript": true
-}
+}
--- a/packages/extensions/ext-sveltekit-exp/deno-src/deno.json
+++ b/packages/extensions/ext-sveltekit-exp/deno-src/deno.json
@ -1,9 +1,9 @@
 {
-  "tasks": {
-    "dev": "deno run --watch main.ts"
-  },
-  "imports": {
-    "@kunkun/api": "jsr:@kunkun/api@^0.0.40",
-    "@std/assert": "jsr:@std/assert@1"
-  }
+	"tasks": {
+		"dev": "deno run --watch main.ts"
+	},
+	"imports": {
+		"@kunkun/api": "jsr:@kunkun/api@^0.0.40",
+		"@std/assert": "jsr:@std/assert@1"
+	}
 }
--- a/packages/extensions/ext-sveltekit-exp/package.json
+++ b/packages/extensions/ext-sveltekit-exp/package.json
@ -43,7 +43,6 @@
 		"preview": "vite preview",
 		"check": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json",
 		"check:watch": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json --watch",
-		"lint": "prettier --check . && eslint .",
 		"format": "prettier --write ."
 	},
 	"dependencies": {
--- a/packages/extensions/ext-sveltekit-exp/src/app.css
+++ b/packages/extensions/ext-sveltekit-exp/src/app.css
@ -1,4 +1,4 @@
-@import url("@kksh/svelte5/themes");
+@import url('@kksh/svelte5/themes');
@tailwind base;
@tailwind components;
@tailwind utilities;
@ -77,4 +77,4 @@
 	body {
 		@apply bg-background text-foreground;
 	}
-}
+}
--- a/packages/package-registry/.gitignore
+++ b/packages/package-registry/.gitignore
@ -0,0 +1,175 @@
+# Based on https://raw.githubusercontent.com/github/gitignore/main/Node.gitignore
+
+# Logs
+
+logs
+_.log
+npm-debug.log_
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+.pnpm-debug.log*
+
+# Caches
+
+.cache
+
+# Diagnostic reports (https://nodejs.org/api/report.html)
+
+report.[0-9]_.[0-9]_.[0-9]_.[0-9]_.json
+
+# Runtime data
+
+pids
+_.pid
+_.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+
+lib-cov
+
+# Coverage directory used by tools like istanbul
+
+coverage
+*.lcov
+
+# nyc test coverage
+
+.nyc_output
+
+# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
+
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+
+bower_components
+
+# node-waf configuration
+
+.lock-wscript
+
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+
+build/Release
+
+# Dependency directories
+
+node_modules/
+jspm_packages/
+
+# Snowpack dependency directory (https://snowpack.dev/)
+
+web_modules/
+
+# TypeScript cache
+
+*.tsbuildinfo
+
+# Optional npm cache directory
+
+.npm
+
+# Optional eslint cache
+
+.eslintcache
+
+# Optional stylelint cache
+
+.stylelintcache
+
+# Microbundle cache
+
+.rpt2_cache/
+.rts2_cache_cjs/
+.rts2_cache_es/
+.rts2_cache_umd/
+
+# Optional REPL history
+
+.node_repl_history
+
+# Output of 'npm pack'
+
+*.tgz
+
+# Yarn Integrity file
+
+.yarn-integrity
+
+# dotenv environment variable files
+
+.env
+.env.development.local
+.env.test.local
+.env.production.local
+.env.local
+
+# parcel-bundler cache (https://parceljs.org/)
+
+.parcel-cache
+
+# Next.js build output
+
+.next
+out
+
+# Nuxt.js build / generate output
+
+.nuxt
+dist
+
+# Gatsby files
+
+# Comment in the public line in if your project uses Gatsby and not Next.js
+
+# https://nextjs.org/blog/next-9-1#public-directory-support
+
+# public
+
+# vuepress build output
+
+.vuepress/dist
+
+# vuepress v2.x temp and cache directory
+
+.temp
+
+# Docusaurus cache and generated files
+
+.docusaurus
+
+# Serverless directories
+
+.serverless/
+
+# FuseBox cache
+
+.fusebox/
+
+# DynamoDB Local files
+
+.dynamodb/
+
+# TernJS port file
+
+.tern-port
+
+# Stores VSCode versions used for testing VSCode extensions
+
+.vscode-test
+
+# yarn v2
+
+.yarn/cache
+.yarn/unplugged
+.yarn/build-state.yml
+.yarn/install-state.gz
+.pnp.*
+
+# IntelliJ based IDEs
+.idea
+
+# Finder (MacOS) folder config
+.DS_Store
--- a/packages/package-registry/README.md
+++ b/packages/package-registry/README.md
@ -0,0 +1,3 @@
+# @kksh/package-registry
+
+This package contains helper functions for interacting with js package registries.
--- a/packages/package-registry/package.json
+++ b/packages/package-registry/package.json
@ -0,0 +1,25 @@
+{
+	"name": "@kksh/package-registry",
+	"type": "module",
+	"scripts": {
+		"test": "bun test --coverage",
+		"posttest": "verify-package-export verify"
+	},
+	"exports": {
+		"./jsr": "./src/jsr/index.ts",
+		"./npm": "./src/npm/index.ts",
+		"./github": "./src/github.ts"
+	},
+	"devDependencies": {
+		"@types/bun": "latest",
+		"verify-package-export": "^0.0.2"
+	},
+	"peerDependencies": {
+		"typescript": "^5.0.0"
+	},
+	"dependencies": {
+		"@huakunshen/jsr-client": "^0.1.5",
+		"@kksh/api": "workspace:*",
+		"@octokit/rest": "^21.1.0"
+	}
+}
--- a/packages/package-registry/src/tests/github.test.ts
+++ b/packages/package-registry/src/tests/github.test.ts
@ -0,0 +1,9 @@
+import { expect, test } from "bun:test"
+import { parseGitHubRepoFromUri } from "../github"
+
+test("parse github repo from uri", () => {
+	expect(parseGitHubRepoFromUri("https://github.com/huakunshen/kunkun-ext-ossinsight")).toEqual({
+		owner: "huakunshen",
+		repo: "kunkun-ext-ossinsight"
+	})
+})
--- a/packages/package-registry/src/tests/sigstore.test.ts
+++ b/packages/package-registry/src/tests/sigstore.test.ts
@ -0,0 +1,35 @@
+import { describe, expect, test } from "bun:test"
+import * as v from "valibot"
+import { RawRekorLog } from "../models"
+import {
+	getInfoFromRekorLog,
+	getRekorLogId,
+	parseAttestation,
+	parseTheOnlyRecord
+} from "../sigstore"
+
+describe("sigstore", async () => {
+	const log = await getRekorLogId("162240358")
+	const parsed = v.safeParse(RawRekorLog, log)
+
+	test("get rekor log", async () => {
+		expect(parsed.success).toBe(true)
+	})
+
+	test("parse attestation", async () => {
+		if (parsed.success) {
+			const parsed2 = parseTheOnlyRecord(parsed.output)
+			const attestation = parseAttestation(parsed2)
+			expect(attestation).toBeDefined()
+		}
+	})
+
+	test("parse all commits from rekor log", async () => {
+		const git = await getInfoFromRekorLog("162240358")
+		expect(git).toBeDefined()
+		expect(git.commit).toBe("48b7dff528bc6a175ce9ee99e6d8de0c718e70a0")
+		expect(git.githubActionInvocationId).toBe(
+			"https://github.com/kunkunsh/kunkun-ext-image-processing/actions/runs/12763976478/attempts/1"
+		)
+	})
+})
--- a/packages/api/src/extensions/jsr/github.ts
+++ b/packages/api/src/extensions/jsr/github.ts
@ -32,3 +32,17 @@ export function authenticatedUserIsMemberOfGitHubOrg(
 		return res.data.some((org) => org.login === orgName)
 	})
 }
+
+export function parseGitHubRepoFromUri(uri: string): {
+	owner: string
+	repo: string
+} {
+	// check regex
+	const regex = /https?:\/\/github\.com\/([^\/]+)\/([^\/]+)/
+	const match = uri.match(regex)
+	if (!match) {
+		throw new Error("Invalid GitHub repository URI")
+	}
+	const [, owner, repo] = match
+	return { owner, repo }
+}
--- a/packages/package-registry/src/jsr/tests/api.test.ts
+++ b/packages/package-registry/src/jsr/tests/api.test.ts
@ -0,0 +1,124 @@
+import { getPackageVersion } from "@huakunshen/jsr-client/hey-api-client"
+import { describe, expect, test } from "bun:test"
+import * as v from "valibot"
+import { ExtPackageJson } from "../../../../api/src/models/manifest"
+import { NpmPkgMetadata } from "../../npm/models"
+import {
+	getAllVersionsOfJsrPackage,
+	getJsrNpmPackageVersionMetadata,
+	getJsrNpmPkgMetadata,
+	getJsrPackageGitHubRepo,
+	getJsrPackageHtml,
+	getJsrPackageMetadata,
+	getJsrPackageSrcFile,
+	getNpmPackageTarballUrl,
+	isSignedByGitHubAction,
+	jsrPackageExists,
+	splitRawJsrPkgName,
+	translateJsrToNpmPkgName
+} from "../index"
+import { JsrPackageMetadata } from "../models"
+
+describe("Test the helper functions", () => {
+	test("Get Package Html", async () => {
+		const html = await getJsrPackageHtml("kunkun", "kkrpc")
+		expect(html).toBeDefined()
+	})
+
+	test("Signed By GitHub Action", async () => {
+		const kkrpcSigned = await isSignedByGitHubAction("kunkun", "kkrpc", "0.0.14")
+		expect(kkrpcSigned).toBeDefined()
+		const kkrpcSignedVersion = await isSignedByGitHubAction("kunkun", "kkrpc", "0.0.14")
+		expect(kkrpcSignedVersion).toBeDefined()
+		expect(kkrpcSignedVersion).toBeDefined()
+		const kunkunApiSigned = await isSignedByGitHubAction("kunkun", "api", "0.0.47")
+		expect(kunkunApiSigned).toBeNull()
+	})
+
+	test("Get Linked GitHub Repo", async () => {
+		const repo = await getJsrPackageGitHubRepo("kunkun", "kkrpc")
+		expect(repo).toBeDefined()
+		expect(repo?.owner).toBe("kunkunsh")
+		expect(repo?.name).toBe("kkrpc")
+	})
+
+	test("Get Package Metadata", async () => {
+		const metadata = await getJsrPackageMetadata("kunkun", "api")
+		const parsed = v.parse(JsrPackageMetadata, metadata)
+		expect(parsed).toBeDefined()
+	})
+
+	test("Get Package's package.json", async () => {
+		const packageJson = await getJsrPackageSrcFile(
+			"kunkun",
+			"ext-image-processing",
+			"0.0.6",
+			"package.json"
+		)
+		expect(packageJson).toBeDefined()
+		const parsed = v.parse(ExtPackageJson, JSON.parse(packageJson!))
+		expect(parsed).toBeDefined()
+	})
+
+	test("Get Package's README.md", async () => {
+		const readme = await getJsrPackageSrcFile("kunkun", "api", "0.0.47", "README.md")
+		expect(readme).toBeDefined()
+	})
+
+	test("Translate Jsr Package Name to Npm Package Name", () => {
+		const npmPkgName = translateJsrToNpmPkgName("kunkun", "api")
+		expect(npmPkgName).toBe("kunkun__api")
+	})
+
+	test("Split Jsr Package Name", async () => {
+		const { scope, name } = await splitRawJsrPkgName("@kunkun/api")
+		expect(scope).toBe("kunkun")
+		expect(name).toBe("api")
+		expect(splitRawJsrPkgName("kunkun/api")).rejects.toThrow()
+	})
+
+	test("Get Npm Package Metadata", async () => {
+		const metadata = await getJsrNpmPkgMetadata("kunkun", "api")
+		const parsed = v.safeParse(NpmPkgMetadata, metadata)
+		if (!parsed.success) {
+			throw new Error("Failed to parse NpmPkgMetadata")
+		}
+		expect(parsed.output).toBeDefined()
+	})
+
+	test("Get Npm Package Version Metadata", async () => {
+		const metadata = await getJsrNpmPackageVersionMetadata("kunkun", "api", "0.0.47")
+		expect(metadata).toBeDefined()
+	})
+
+	test("Get Npm Package Tarball Url", async () => {
+		const url = await getNpmPackageTarballUrl("kunkun", "api", "0.0.47")
+		expect(url).toBeDefined()
+	})
+
+	test("Get All Versions Of Jsr Package", async () => {
+		const versions = await getAllVersionsOfJsrPackage("kunkun", "api")
+		expect(versions).toBeDefined()
+		// verify: versions should match npm api
+		const npmPkgMetadata = await getJsrNpmPkgMetadata("kunkun", "api")
+		expect(versions).toEqual(Object.keys(npmPkgMetadata.versions))
+	})
+
+	test("Jsr Package Exists", async () => {
+		expect(await jsrPackageExists("kunkun", "api")).toBe(true)
+		expect(await jsrPackageExists("hk", "non-existent-package")).toBe(false)
+		expect(await jsrPackageExists("hk", "jsr-client", "0.1.2")).toBe(true)
+		expect(await jsrPackageExists("hk", "jsr-client", "0.1.500")).toBe(false)
+	})
+
+	test("get package version info", async () => {
+		const pkgVersion = await getPackageVersion({
+			path: {
+				scope: "kunkun",
+				package: "ext-ossinsight",
+				version: "0.0.1"
+			}
+		})
+		expect(pkgVersion).toBeDefined()
+	})
+})
--- a/packages/package-registry/src/jsr/tests/ext-pkg.test.ts
+++ b/packages/package-registry/src/jsr/tests/ext-pkg.test.ts
@ -62,7 +62,7 @@ describe("Validate Jsr package as Kunkun extension", () => {
 	})

 	test("A valid extension package", async () => {
-		const res = await await validateJsrPackageAsKunkunExtension({
+		const res = await validateJsrPackageAsKunkunExtension({
 			jsrPackage: {
 				scope: "kunkun",
 				name: "ext-image-processing",
@ -71,5 +71,10 @@ describe("Validate Jsr package as Kunkun extension", () => {
 			githubUsername: "HuakunShen"
 		})
 		expect(res.data).toBeDefined()
+		expect(res.data?.rekorLogIndex).toBe("161854127")
+		expect(res.data?.github.commit).toBe("4db8d65b5e3fa115da6e31bd945f5c610c4a21cb")
+		expect(res.data?.github.owner).toBe("kunkunsh")
+		expect(res.data?.github.repo).toBe("kunkun-ext-image-processing")
+		// expect(res.data?.github.githubActionInvocationId).toBe("48b7dff528bc6a175ce9ee99e6d8de0c718e70a0")
 	})
 })
--- a/packages/package-registry/src/jsr/index.ts
+++ b/packages/package-registry/src/jsr/index.ts
@ -4,12 +4,13 @@ import {
 	getPackageVersion,
 	type GitHubRepository
 } from "@huakunshen/jsr-client/hey-api-client"
+import { ExtPackageJson } from "@kksh/api/models"
 import * as v from "valibot"
-import { ExtPackageJson } from "../../models/manifest"
-import { authenticatedUserIsMemberOfGitHubOrg, userIsPublicMemberOfGitHubOrg } from "./github"
-import type { JsrPackageMetadata, NpmPkgMetadata } from "./models"
-
-export * from "./github"
+import { authenticatedUserIsMemberOfGitHubOrg, userIsPublicMemberOfGitHubOrg } from "../github"
+import type { NpmPkgMetadata } from "../npm/models"
+import { getInfoFromRekorLog } from "../sigstore"
+import { getTarballSize } from "../utils"
+import type { JsrPackageMetadata } from "./models"

 client.setConfig({
 	baseUrl: "https://api.jsr.io"
@ -57,13 +58,13 @@ export function getJsrPackageHtml(scope: string, name: string, version?: string)

 /**
 * Check if a Jsr package is signed by GitHub Actions
- * @returns
+ * @returns rekor log index if signed, undefined if not signed
 */
 export async function isSignedByGitHubAction(
 	scope: string,
 	name: string,
 	version: string
-): Promise<boolean> {
+): Promise<string | null> {
 	const pkgVersion = await getPackageVersion({
 		path: {
 			scope,
@ -71,7 +72,7 @@ export async function isSignedByGitHubAction(
 			version
 		}
 	})
-	return !!pkgVersion.data?.rekorLogId
+	return pkgVersion.data?.rekorLogId ?? null
 }

 export async function getJsrPackageGitHubRepo(
@ -159,7 +160,7 @@ export async function getNpmPackageTarballUrl(
 	version: string
 ): Promise<string | undefined> {
 	const metadata = await getJsrNpmPackageVersionMetadata(scope, name, version)
-	const tarballUrl: string | undefined = metadata?.dist.tarball
+	const tarballUrl: string | undefined = metadata?.dist?.tarball
 	return tarballUrl
 }

@ -198,20 +199,6 @@ export function jsrPackageExists(scope: string, name: string, version?: string):
 	}).then((res) => res.response.ok && res.response.status === 200)
 }

-/**
- * Get the tarball size of a Jsr package
- * @param url tarball url, can technically be any url
- * @returns tarball size in bytes
- */
-export function getTarballSize(url: string): Promise<number> {
-	return fetch(url, { method: "HEAD" }).then((res) => {
-		if (!(res.ok && res.status === 200)) {
-			throw new Error("Failed to fetch tarball size")
-		}
-		return Number(res.headers.get("Content-Length"))
-	})
-}
-
 /**
 * Validate a Jsr package as a Kunkun extension
 * - check if jsr pkg is linked to a github repo
@ -239,9 +226,19 @@ export async function validateJsrPackageAsKunkunExtension(payload: {
 		shasum: string
 		apiVersion: string
 		tarballSize: number
+		rekorLogIndex: string
+		github: {
+			githubActionInvocationId: string
+			commit: string
+			repo: string
+			owner: string
+			workflowPath: string
+		}
 	}
 }> {
-	// check if jsr package exists
+	/* -------------------------------------------------------------------------- */
+	/*                         check if jsr package exists                        */
+	/* -------------------------------------------------------------------------- */
 	const jsrExists = await jsrPackageExists(
 		payload.jsrPackage.scope,
 		payload.jsrPackage.name,
@ -263,12 +260,12 @@ export async function validateJsrPackageAsKunkunExtension(payload: {
 	/* -------------------------------------------------------------------------- */
 	/*                check if jsr pkg is signed with github action               */
 	/* -------------------------------------------------------------------------- */
-	const signed = await isSignedByGitHubAction(
+	const rekorLogId = await isSignedByGitHubAction(
 		payload.jsrPackage.scope,
 		payload.jsrPackage.name,
 		payload.jsrPackage.version
 	)
-	if (!signed) {
+	if (!rekorLogId) {
 		return { error: "JSR package is not signed by GitHub Actions" }
 	}
 	/* -------------------------------------------------------------------------- */
@ -277,6 +274,9 @@ export async function validateJsrPackageAsKunkunExtension(payload: {
 	if (!githubRepo.owner) {
 		return { error: "Package's Linked GitHub repository owner is not found." }
 	}
+	if (!githubRepo.name) {
+		return { error: "Package's Linked GitHub repository name is not found." }
+	}
 	if (githubRepo.owner.toLowerCase() !== payload.githubUsername.toLowerCase()) {
 		const isPublicMemeber = await userIsPublicMemberOfGitHubOrg(
 			githubRepo.owner,
@ -332,8 +332,11 @@ export async function validateJsrPackageAsKunkunExtension(payload: {
 		payload.jsrPackage.name,
 		payload.jsrPackage.version
 	)
-	const tarballUrl = npmPkgVersionMetadata.dist.tarball
-	const shasum = npmPkgVersionMetadata.dist.shasum
+	const tarballUrl = npmPkgVersionMetadata.dist?.tarball
+	const shasum = npmPkgVersionMetadata.dist?.shasum
+	if (!shasum) {
+		return { error: "Could not get shasum for JSR package" }
+	}
 	if (!tarballUrl) {
 		return { error: "Could not get tarball URL for JSR package" }
 	}
@ -354,14 +357,22 @@ export async function validateJsrPackageAsKunkunExtension(payload: {
 			error: `Extension ${packageJson.kunkun.identifier} doesn't not have @kksh/api as a dependency`
 		}
 	}
-
+	const rekorInfo = await getInfoFromRekorLog(rekorLogId)
 	return {
 		data: {
 			pkgJson: parseResult.output,
 			tarballUrl,
 			shasum,
 			apiVersion,
-			tarballSize
+			tarballSize,
+			rekorLogIndex: rekorLogId,
+			github: {
+				githubActionInvocationId: rekorInfo.githubActionInvocationId,
+				commit: rekorInfo.commit,
+				repo: githubRepo.name,
+				owner: githubRepo.owner,
+				workflowPath: rekorInfo.workflowPath
+			}
 		}
 	}
 }
--- a/packages/package-registry/src/jsr/models.ts
+++ b/packages/package-registry/src/jsr/models.ts
@ -0,0 +1,14 @@
+import * as v from "valibot"
+
+export const JsrPackageMetadata = v.object({
+	scope: v.string(),
+	name: v.string(),
+	latest: v.string(),
+	versions: v.record(
+		v.string(),
+		v.object({
+			yanked: v.optional(v.boolean())
+		})
+	)
+})
+export type JsrPackageMetadata = v.InferOutput<typeof JsrPackageMetadata>
--- a/packages/package-registry/src/models.ts
+++ b/packages/package-registry/src/models.ts
@ -0,0 +1,60 @@
+import * as v from "valibot"
+
+export const RawRekorLogEntry = v.object({
+	attestation: v.object({ data: v.string() }),
+	body: v.string(),
+	integratedTime: v.number(),
+	logID: v.string(),
+	logIndex: v.number(),
+	verification: v.object({
+		inclusionProof: v.object({
+			checkpoint: v.string(),
+			hashes: v.array(v.string()),
+			logIndex: v.number(),
+			rootHash: v.string(),
+			treeSize: v.number()
+		}),
+		signedEntryTimestamp: v.string()
+	})
+})
+export type RawRekorLogEntry = v.InferOutput<typeof RawRekorLogEntry>
+export const RawRekorLog = v.record(v.string(), RawRekorLogEntry)
+export type RawRekorLog = v.InferOutput<typeof RawRekorLog>
+
+export const SigstoreAttestation = v.object({
+	type: v.optional(v.string()),
+	subject: v.array(
+		v.object({ name: v.string(), digest: v.object({ sha256: v.optional(v.string()) }) })
+	),
+	predicateType: v.string(),
+	predicate: v.object({
+		buildDefinition: v.object({
+			buildType: v.string(),
+			resolvedDependencies: v.array(
+				v.object({
+					uri: v.string(),
+					digest: v.object({ gitCommit: v.string() })
+				})
+			),
+			internalParameters: v.object({
+				github: v.object({
+					eventName: v.optional(v.string()),
+					repositoryId: v.optional(v.string()),
+					repositoryOwnerId: v.optional(v.string())
+				})
+			}),
+			externalParameters: v.object({
+				workflow: v.object({
+					ref: v.string(),
+					repository: v.string(),
+					path: v.string()
+				})
+			})
+		}),
+		runDetails: v.object({
+			builder: v.object({ id: v.string() }),
+			metadata: v.object({ invocationId: v.string() })
+		})
+	})
+})
+export type SigstoreAttestation = v.InferOutput<typeof SigstoreAttestation>
--- a/packages/package-registry/src/npm/tests/api.test.ts
+++ b/packages/package-registry/src/npm/tests/api.test.ts
@ -0,0 +1,62 @@
+import { describe, expect, test } from "bun:test"
+import * as v from "valibot"
+import {
+	getFullNpmPackageInfo,
+	getNpmPackageInfoByVersion,
+	getNpmPackageTarballUrl,
+	getNpmPkgProvenance,
+	listPackagesOfMaintainer,
+	listPackagesOfScope,
+	npmPackageExists,
+	validateNpmPackageAsKunkunExtension
+} from ".."
+import { getTarballSize } from "../../utils"
+import { NpmPkgMetadata, NpmPkgVersionMetadata, NpmSearchResultObject, Provenance } from "../models"
+
+describe("NPM API", () => {
+	const testPackages: string[] = [
+		"react",
+		"axios",
+		"express",
+		"@tauri-apps/api",
+		"tauri-plugin-clipboard-api"
+	]
+	test("get full npm package info", async () => {
+		for (const pkg of testPackages) {
+			const parsed = v.safeParse(NpmPkgMetadata, await getFullNpmPackageInfo(pkg))
+			if (!parsed.success) {
+				console.log(v.flatten(parsed.issues))
+			}
+		}
+	})
+
+	test("get npm package version info", async () => {
+		for (const pkg of testPackages) {
+			v.parse(NpmPkgVersionMetadata, await getNpmPackageInfoByVersion(pkg, "latest"))
+		}
+	})
+
+	test("get npm package provenance", async () => {
+		const provenance = await getNpmPkgProvenance("axios", "1.7.9")
+		expect(provenance).toBeDefined()
+		console.log(provenance?.summary.transparencyLogUri)
+		v.parse(Provenance, provenance)
+	})
+
+	test("list packages of maintainer", async () => {
+		const packages = await listPackagesOfMaintainer("huakunshen")
+		v.parse(v.array(NpmSearchResultObject), packages)
+		expect(packages.length).toBeGreaterThan(0)
+	})
+
+	test("list packages of scope", async () => {
+		const packages = await listPackagesOfScope("kksh")
+		v.parse(v.array(NpmSearchResultObject), packages)
+		expect(packages.length).toBeGreaterThan(0)
+	})
+
+	test("npm package exists", async () => {
+		expect(await npmPackageExists("kunkun-ext-ossinsight", "0.0.1")).toBe(true)
+		expect(await npmPackageExists("kunkun-ext-non-existing", "0.0.1")).toBe(false)
+	})
+})
--- a/packages/package-registry/src/npm/tests/ext.test.ts
+++ b/packages/package-registry/src/npm/tests/ext.test.ts
@ -0,0 +1,55 @@
+import { describe, expect, test } from "bun:test"
+import { validateNpmPackageAsKunkunExtension } from ".."
+
+describe("validate kunkun extension", () => {
+	test("A working extension", async () => {
+		const res = await validateNpmPackageAsKunkunExtension({
+			pkgName: "kunkun-ext-ossinsight",
+			version: "0.0.1",
+			githubUsername: "huakunshen"
+		})
+		expect(res.error).toBeUndefined()
+		expect(res.data?.github.commit).toBe("8af7eced43a5d240fa3390c7e297178ecb63c344")
+		expect(res.data?.github.owner).toBe("kunkunsh")
+		expect(res.data?.rekorLogIndex).toBe("162214778")
+		expect(res.data?.github.repo).toBe("kunkun-ext-ossinsight")
+	})
+
+	test("Extension without provenance", async () => {
+		expect(
+			(
+				await validateNpmPackageAsKunkunExtension({
+					pkgName: "tauri-plugin-clipboard-api",
+					version: "2.1.11",
+					githubUsername: "huakunshen"
+				})
+			).error
+		).toBe("Package doesn't have provenance, not signed by github action")
+	})
+
+	test("Extension with wrong github username", async () => {
+		expect(
+			(
+				await validateNpmPackageAsKunkunExtension({
+					pkgName: "kunkun-ext-ossinsight",
+					version: "0.0.1",
+					githubUsername: "huakun"
+				})
+			).error
+		).toBe(
+			"You (huakun) are not authorized to publish this package. Only kunkunsh or its organization members can publish it."
+		)
+	})
+
+	test("Non existing package", async () => {
+		expect(
+			(
+				await validateNpmPackageAsKunkunExtension({
+					pkgName: "@kksh/non-existing-package",
+					version: "0.0.1",
+					githubUsername: "huakunshen"
+				})
+			).error
+		).toBe("Package does not exist")
+	})
+})
--- a/packages/package-registry/src/npm/index.ts
+++ b/packages/package-registry/src/npm/index.ts
@ -0,0 +1,253 @@
+import { ExtPackageJson } from "@kksh/api/models"
+import * as v from "valibot"
+import {
+	authenticatedUserIsMemberOfGitHubOrg,
+	parseGitHubRepoFromUri,
+	userIsPublicMemberOfGitHubOrg
+} from "../github"
+import { getInfoFromRekorLog } from "../sigstore"
+import {
+	NpmPkgMetadata,
+	NpmPkgVersionMetadata,
+	NpmSearchResultObject,
+	NpmSearchResults,
+	Provenance
+} from "./models"
+
+export * from "./models"
+
+/**
+ * Get the full metadata of an npm package
+ * @param pkgName
+ * @returns
+ */
+export function getFullNpmPackageInfo(pkgName: string): Promise<NpmPkgMetadata | null> {
+	return fetch(`https://registry.npmjs.org/${pkgName}`).then((res) => (res.ok ? res.json() : null))
+}
+
+/**
+ * Fetch the package.json data of an npm package
+ * @param pkgName
+ * @param version
+ * @returns
+ */
+export function getNpmPackageInfoByVersion(
+	pkgName: string,
+	version: string
+): Promise<NpmPkgVersionMetadata | null> {
+	return fetch(`https://registry.npmjs.org/${pkgName}/${version}`).then((res) =>
+		res.ok ? res.json() : null
+	)
+}
+
+/**
+ * Get the provenance of an npm package
+ * If a package has no provenance, return null
+ * @param pkgName
+ * @param version
+ * @returns
+ */
+export function getNpmPkgProvenance(pkgName: string, version: string): Promise<Provenance | null> {
+	return fetch(`https://www.npmjs.com/package/${pkgName}/v/${version}/provenance`)
+		.then((res) => res.json())
+		.catch((err) => null)
+}
+
+/**
+ * List all packages under a scope
+ * @example
+ * To get package names under a scope, you can do:
+ * ```ts
+ * (await listPackagesOfMaintainer("huakunshen")).map((pkg) => pkg.package.name)
+ * ```
+ * @param username npm organization or username
+ * @returns
+ */
+export function listPackagesOfMaintainer(username: string): Promise<NpmSearchResultObject[]> {
+	return fetch(`https://registry.npmjs.org/-/v1/search?text=maintainer:${username}&size=250`, {
+		headers: {
+			"sec-fetch-dest": "document"
+		}
+	})
+		.then((res) => res.json())
+		.then((res) => v.parse(NpmSearchResults, res).objects)
+}
+
+export function listPackagesOfScope(scope: string): Promise<NpmSearchResultObject[]> {
+	return fetch(`https://registry.npmjs.org/-/v1/search?text=${scope}&size=250`, {
+		headers: {
+			"sec-fetch-dest": "document"
+		}
+	})
+		.then((res) => res.json())
+		.then((res) => v.parse(NpmSearchResults, res).objects)
+}
+
+export function getNpmPackageTarballUrl(
+	pkgName: string,
+	version: string
+): Promise<string | undefined> {
+	return getNpmPackageInfoByVersion(pkgName, version).then((res) => res?.dist?.tarball)
+}
+
+export function npmPackageExists(pkgName: string, version: string): Promise<boolean> {
+	return getNpmPackageInfoByVersion(pkgName, version).then((res) => res !== null)
+}
+
+/**
+ * @param url Sample URL: https://search.sigstore.dev/?logIndex=153252145
+ * @returns
+ */
+function parseLogIdFromSigstoreSearchUrl(url: string): string {
+	const urlObj = new URL(url)
+	const logIndex = urlObj.searchParams.get("logIndex")
+	if (!logIndex) {
+		throw new Error("Could not parse log index from sigstore search url")
+	}
+	return logIndex
+}
+
+export async function validateNpmPackageAsKunkunExtension(payload: {
+	pkgName: string
+	version: string
+	githubUsername: string
+	tarballSizeLimit?: number
+	githubToken?: string
+	provenance?: Provenance // provenance API has cors policy, when we run this validation on client side, a provenance should be passed in
+}): Promise<{
+	error?: string
+	data?: {
+		pkgJson: ExtPackageJson
+		tarballUrl: string
+		shasum: string
+		apiVersion: string
+		rekorLogIndex: string
+		tarballSize: number
+		github: {
+			githubActionInvocationId: string
+			commit: string
+			repo: string
+			owner: string
+			workflowPath: string
+		}
+	}
+}> {
+	/* -------------------------------------------------------------------------- */
+	/*                         check if npm package exist                         */
+	/* -------------------------------------------------------------------------- */
+	const pkgExists = await npmPackageExists(payload.pkgName, payload.version)
+	if (!pkgExists) {
+		return { error: "Package does not exist" }
+	}
+	if (!pkgExists) {
+		return { error: "NPM package does not exist" }
+	}
+
+	/* -------------------------------------------------------------------------- */
+	/*                     check if npm package has provenance                    */
+	/* -------------------------------------------------------------------------- */
+	const provenance =
+		payload.provenance ?? (await getNpmPkgProvenance(payload.pkgName, payload.version))
+	if (!provenance) {
+		return {
+			error: "Package doesn't have provenance, not signed by github action"
+		}
+	}
+	if (provenance.sourceCommitUnreachable) {
+		return { error: "Package's source commit is unreachable" }
+	}
+	if (provenance.sourceCommitNotFound) {
+		return { error: "Package's source commit is not found" }
+	}
+
+	/* -------------------------------------------------------------------------- */
+	/*                             get rekor sigstore                             */
+	/* -------------------------------------------------------------------------- */
+	if (!provenance?.summary.transparencyLogUri) {
+		return { error: "Package's rekor log is not found" }
+	}
+	const logIndex = parseLogIdFromSigstoreSearchUrl(provenance.summary.transparencyLogUri)
+	const rekorGit = await getInfoFromRekorLog(logIndex)
+	if (rekorGit.commit !== provenance.summary.sourceRepositoryDigest) {
+		return { error: "Package's rekor log commit is not the same as the source commit" }
+	}
+
+	/* -------------------------------------------------------------------------- */
+	/*                  check if npm pkg is linked to github repo                 */
+	/* -------------------------------------------------------------------------- */
+	const repoUri = provenance.summary.sourceRepositoryUri
+	const githubRepo = parseGitHubRepoFromUri(repoUri)
+
+	/* -------------------------------------------------------------------------- */
+	/*                            Verify Repo Ownership                           */
+	/* -------------------------------------------------------------------------- */
+	if (githubRepo.owner !== payload.githubUsername) {
+		const isPublicMemeber = await userIsPublicMemberOfGitHubOrg(
+			githubRepo.owner,
+			payload.githubUsername
+		)
+		let isOrgMember = false
+		if (payload.githubToken) {
+			isOrgMember = await authenticatedUserIsMemberOfGitHubOrg(
+				githubRepo.owner,
+				payload.githubToken
+			)
+		}
+		if (!isPublicMemeber && !isOrgMember) {
+			return {
+				error: `You (${payload.githubUsername}) are not authorized to publish this package. Only ${githubRepo.owner} or its organization members can publish it.`
+			}
+		}
+	}
+
+	/* -------------------------------------------------------------------------- */
+	/*             validate package.json format against latest schema             */
+	/* -------------------------------------------------------------------------- */
+
+	const packageJson = await getNpmPackageInfoByVersion(payload.pkgName, payload.version)
+	if (!packageJson) {
+		return { error: "Could not find package.json in NPM package" }
+	}
+
+	const parseResult = v.safeParse(ExtPackageJson, packageJson)
+	if (!parseResult.success) {
+		console.log(v.flatten(parseResult.issues))
+		return { error: `package.json format not valid` }
+	}
+	/* -------------------------------------------------------------------------- */
+	/*                            get more package info                           */
+	/* -------------------------------------------------------------------------- */
+	const tarballUrl = packageJson.dist?.tarball
+	if (!tarballUrl) {
+		return { error: "Could not get tarball URL for NPM package" }
+	}
+	const shasum = packageJson.dist?.shasum
+	if (!shasum) {
+		return { error: "Could not get shasum for NPM package" }
+	}
+
+	const apiVersion = parseResult.output.dependencies?.["@kksh/api"]
+	if (!apiVersion) {
+		return {
+			error: `Extension ${parseResult.output.kunkun.identifier} doesn't not have @kksh/api as a dependency`
+		}
+	}
+
+	return {
+		data: {
+			pkgJson: parseResult.output,
+			tarballUrl,
+			shasum,
+			apiVersion,
+			tarballSize: 0,
+			rekorLogIndex: logIndex,
+			github: {
+				githubActionInvocationId: rekorGit.githubActionInvocationId,
+				commit: provenance.summary.sourceRepositoryDigest,
+				repo: githubRepo.repo,
+				owner: githubRepo.owner,
+				workflowPath: rekorGit.workflowPath
+			}
+		}
+	}
+}
--- a/packages/package-registry/src/npm/models.ts
+++ b/packages/package-registry/src/npm/models.ts
@ -0,0 +1,142 @@
+import * as v from "valibot"
+
+export const NpmPkgVersionMetadata = v.object({
+	name: v.string(),
+	type: v.optional(v.string()),
+	license: v.optional(v.string()),
+	version: v.string(),
+	description: v.optional(v.string()),
+	dist: v.optional(
+		v.object({
+			integrity: v.string(),
+			shasum: v.optional(v.string()),
+			tarball: v.string(),
+			fileCount: v.optional(v.number()),
+			unpackedSize: v.optional(v.number()),
+			attestations: v.optional(
+				v.object({
+					url: v.string(),
+					provenance: v.object({
+						predicateType: v.string()
+					})
+				})
+			),
+			signatures: v.optional(
+				v.array(
+					v.object({
+						keyid: v.string(),
+						sig: v.string()
+					})
+				)
+			)
+		})
+	),
+	gitHead: v.optional(v.string()),
+	_npmUser: v.optional(
+		v.object({
+			name: v.string(),
+			email: v.string()
+		})
+	),
+	maintainers: v.optional(
+		v.array(
+			v.object({
+				name: v.string(),
+				email: v.string()
+			})
+		)
+	)
+})
+export type NpmPkgVersionMetadata = v.InferOutput<typeof NpmPkgVersionMetadata>
+
+/**
+ * Full metadata of an npm package
+ * Sample URL: https://registry.npmjs.org/@huakunshen/jsr-client
+ */
+export const NpmPkgMetadata = v.object({
+	name: v.string(),
+	description: v.optional(v.string()),
+	"dist-tags": v.record(v.string(), v.string()), // latest, next, beta, rc
+	versions: v.record(v.string(), NpmPkgVersionMetadata),
+	time: v.objectWithRest(
+		{
+			created: v.string(),
+			modified: v.string()
+		},
+		v.string()
+	)
+})
+export type NpmPkgMetadata = v.InferOutput<typeof NpmPkgMetadata>
+
+export const Provenance = v.object({
+	summary: v.object({
+		subjectAlternativeName: v.string(),
+		certificateIssuer: v.string(),
+		issuer: v.string(),
+		issuerDisplayName: v.string(),
+		buildTrigger: v.string(),
+		buildConfigUri: v.string(),
+		sourceRepositoryUri: v.string(),
+		sourceRepositoryDigest: v.string(),
+		sourceRepositoryRef: v.string(),
+		runInvocationUri: v.string(),
+		expiresAt: v.string(),
+		includedAt: v.string(),
+		resolvedSourceRepositoryCommitUri: v.string(),
+		transparencyLogUri: v.string(),
+		buildConfigDisplayName: v.string(),
+		resolvedBuildConfigUri: v.string(),
+		artifactName: v.string()
+	}),
+	sourceCommitResponseCode: v.number(),
+	sourceCommitUnreachable: v.boolean(),
+	sourceCommitNotFound: v.boolean()
+})
+export type Provenance = v.InferOutput<typeof Provenance>
+
+export const NpmSearchResultObject = v.object({
+	downloads: v.object({
+		monthly: v.number(),
+		weekly: v.number()
+	}),
+	dependents: v.number(),
+	updated: v.string(),
+	searchScore: v.number(),
+	package: v.object({
+		name: v.string(),
+		keywords: v.array(v.string()),
+		version: v.string(),
+		description: v.optional(v.string()),
+		publisher: v.object({
+			email: v.string(),
+			username: v.string()
+		}),
+		maintainers: v.array(
+			v.object({
+				email: v.string(),
+				username: v.string()
+			})
+		),
+		license: v.optional(v.string()),
+		date: v.string(),
+		links: v.object({
+			npm: v.string()
+		})
+	}),
+	score: v.object({
+		final: v.number(),
+		detail: v.object({
+			popularity: v.number(),
+			quality: v.number(),
+			maintenance: v.number()
+		}),
+		flags: v.optional(
+			v.object({
+				insecure: v.number()
+			})
+		)
+	})
+})
+export type NpmSearchResultObject = v.InferOutput<typeof NpmSearchResultObject>
+export const NpmSearchResults = v.object({ objects: v.array(NpmSearchResultObject) })
+export type NpmSearchResults = v.InferOutput<typeof NpmSearchResults>
--- a/packages/package-registry/src/sigstore.ts
+++ b/packages/package-registry/src/sigstore.ts
@ -0,0 +1,67 @@
+import * as v from "valibot"
+import { SigstoreAttestation, type RawRekorLog, type RawRekorLogEntry } from "./models"
+
+export function getRekorLogId(logIndex: string): Promise<RawRekorLog> {
+	return fetch(`https://rekor.sigstore.dev/api/v1/log/entries?logIndex=${logIndex}`).then((res) =>
+		res.json()
+	)
+}
+
+/**
+ * For our use case (JSR), we expect only one entry in the rekor log, so we can just return the first one
+ * If there are multiple entries, we throw an error
+ * @param rekorLog
+ * @returns
+ */
+export function parseTheOnlyRecord(rekorLog: RawRekorLog): RawRekorLogEntry {
+	const entryUUIDs = Object.keys(rekorLog)
+	if (entryUUIDs.length !== 1) {
+		throw new Error("Expected exactly one entry in the rekor log")
+	}
+	return rekorLog[entryUUIDs[0]]
+}
+
+/**
+ * Attestation data is base64 encoded, so we need to decode it and parse it with valibot
+ * @param rekorLog
+ * @returns
+ */
+export function parseAttestation(rekorLog: RawRekorLogEntry): SigstoreAttestation {
+	const attestationData = rekorLog.attestation.data
+	const decoded = atob(attestationData)
+	const decodedJson = JSON.parse(decoded)
+	const parsed = v.safeParse(SigstoreAttestation, decodedJson)
+	if (!parsed.success) {
+		console.error(v.flatten(parsed.issues))
+		throw new Error("Failed to parse rekor log attestation")
+	}
+	return parsed.output
+}
+
+/**
+ * We expect only one entry in the rekor log, and there should be only one commit in the attestation
+ * @param logIndex
+ * @returns
+ */
+export async function getInfoFromRekorLog(logIndex: string): Promise<{
+	commit: string
+	githubActionInvocationId: string
+	workflowPath: string
+	workflowRepository: string
+}> {
+	const rawLog = await getRekorLogId(logIndex)
+	const record = parseTheOnlyRecord(rawLog)
+	const attestation = parseAttestation(record)
+	if (attestation.predicate.buildDefinition.resolvedDependencies.length !== 1) {
+		throw new Error(
+			`Expected exactly one commit in the attestation, got: ${attestation.predicate.buildDefinition.resolvedDependencies.length}`
+		)
+	}
+
+	return {
+		commit: attestation.predicate.buildDefinition.resolvedDependencies[0].digest.gitCommit,
+		githubActionInvocationId: attestation.predicate.runDetails.metadata.invocationId,
+		workflowPath: attestation.predicate.buildDefinition.externalParameters.workflow.path,
+		workflowRepository: attestation.predicate.buildDefinition.externalParameters.workflow.repository
+	}
+}
--- a/packages/package-registry/src/utils.ts
+++ b/packages/package-registry/src/utils.ts
@ -0,0 +1,13 @@
+/**
+ * Get the tarball size of a package
+ * @param url tarball url, can technically be any url
+ * @returns tarball size in bytes
+ */
+export function getTarballSize(url: string): Promise<number> {
+	return fetch(url, { method: "HEAD" }).then((res) => {
+		if (!(res.ok && res.status === 200)) {
+			throw new Error("Failed to fetch tarball size")
+		}
+		return Number(res.headers.get("Content-Length"))
+	})
+}
--- a/packages/package-registry/tsconfig.json
+++ b/packages/package-registry/tsconfig.json
@ -0,0 +1,27 @@
+{
+  "compilerOptions": {
+    // Enable latest features
+    "lib": ["ESNext", "DOM"],
+    "target": "ESNext",
+    "module": "ESNext",
+    "moduleDetection": "force",
+    "jsx": "react-jsx",
+    "allowJs": true,
+
+    // Bundler mode
+    "moduleResolution": "bundler",
+    "allowImportingTsExtensions": true,
+    "verbatimModuleSyntax": true,
+    "noEmit": true,
+
+    // Best practices
+    "strict": true,
+    "skipLibCheck": true,
+    "noFallthroughCasesInSwitch": true,
+
+    // Some stricter flags (disabled by default)
+    "noUnusedLocals": false,
+    "noUnusedParameters": false,
+    "noPropertyAccessFromIndexSignature": false
+  }
+}
--- a/packages/supabase/src/models.ts
+++ b/packages/supabase/src/models.ts
@ -2,17 +2,25 @@
 * @module @kksh/supabase/models
 * This module contains some models for supabase database that cannot be code generated, such as JSON fields.
 */
-import * as v from "valibot";
+import * as v from "valibot"

 export enum ExtPublishSourceTypeEnum {
-    jsr = "jsr",
-    npm = "npm",
+	jsr = "jsr",
+	npm = "npm"
 }

 export const ExtPublishMetadata = v.object({
-    source: v.optional(
-        v.string("Source of the extension (e.g. url to package)"),
-    ),
-    sourceType: v.optional(v.enum(ExtPublishSourceTypeEnum)),
-});
-export type ExtPublishMetadata = v.InferOutput<typeof ExtPublishMetadata>;
+	source: v.optional(v.string("Source of the extension (e.g. url to package)")),
+	sourceType: v.optional(v.enum(ExtPublishSourceTypeEnum)),
+	rekorLogIndex: v.optional(v.string("Rekor log index of the extension")),
+	git: v.optional(
+		v.object({
+			githubActionInvocationId: v.string("GitHub action invocation ID"),
+			repo: v.string("GitHub repo of the extension"),
+			owner: v.string("GitHub owner of the extension"),
+			commit: v.string("Commit hash of the extension"),
+			workflowPath: v.string("Workflow path of the extension")
+		})
+	)
+})
+export type ExtPublishMetadata = v.InferOutput<typeof ExtPublishMetadata>
--- a/packages/templates/template-ext-react/src/App.tsx
+++ b/packages/templates/template-ext-react/src/App.tsx
@ -3,7 +3,6 @@ import {
 	ActionPanel,
 	Button,
 	Command,
-	CommandDemo,
 	CommandEmpty,
 	CommandFooter,
 	CommandGroup,
@ -12,10 +11,7 @@ import {
 	CommandList,
 	CommandSeparator,
 	CommandShortcut,
-	ThemeCustomizer,
 	ThemeProvider,
-	ThemeWrapper,
-	TooltipProvider,
 	VertifcalSeparator
 } from "@kksh/react"
 import {
--- a/packages/templates/template-ext-sveltekit/components.json
+++ b/packages/templates/template-ext-sveltekit/components.json
@ -11,4 +11,4 @@
 		"utils": "$lib/utils"
 	},
 	"typescript": true
-}
+}
--- a/packages/templates/template-ext-sveltekit/src/app.css
+++ b/packages/templates/template-ext-sveltekit/src/app.css
@ -1,4 +1,4 @@
-@import url("@kksh/svelte5/themes");
+@import url('@kksh/svelte5/themes');
@tailwind base;
@tailwind components;
@tailwind utilities;
@ -77,4 +77,4 @@
 	body {
 		@apply bg-background text-foreground;
 	}
-}
+}
--- a/packages/ui/eslint.config.js
+++ b/packages/ui/eslint.config.js
@ -0,0 +1,42 @@
+import js from "@eslint/js"
+import prettier from "eslint-config-prettier"
+import svelte from "eslint-plugin-svelte"
+import globals from "globals"
+import ts from "typescript-eslint"
+
+export default ts.config(
+	js.configs.recommended,
+	...ts.configs.recommended,
+	...svelte.configs["flat/recommended"],
+	prettier,
+	...svelte.configs["flat/prettier"],
+	{
+		languageOptions: {
+			globals: {
+				...globals.browser,
+				...globals.node
+			}
+		}
+	},
+	{
+		files: ["**/*.svelte"],
+
+		languageOptions: {
+			parserOptions: {
+				parser: ts.parser
+			}
+		}
+	},
+	{
+		ignores: ["build/", ".svelte-kit/", "dist/", "src/components/ui/"]
+	},
+	{
+		rules: {
+			"no-unused-vars": "off",
+			"@typescript-eslint/no-unused-vars": "off",
+			// The following 2 rules are disabled because they cause errors that I am unable to solve
+			"@typescript-eslint/no-unused-expressions": "off",
+			"svelte/no-inner-declarations": "off",
+		}
+	}
+)
--- a/packages/ui/package.json
+++ b/packages/ui/package.json
@ -37,17 +37,23 @@
 		"svelte": "^5.0.0"
 	},
 	"devDependencies": {
+		"@eslint/js": "^9.18.0",
 		"@iconify/svelte": "^4.2.0",
 		"@kksh/api": "workspace:*",
 		"@kksh/svelte5": "^0.1.14",
 		"@types/bun": "latest",
+		"@typescript-eslint/eslint-plugin": "^8.20.0",
+		"@typescript-eslint/parser": "^8.20.0",
 		"bits-ui": "1.0.0-next.77",
 		"clsx": "^2.1.1",
+		"eslint-config-prettier": "^10.0.1",
+		"eslint-plugin-svelte": "^2.46.1",
 		"formsnap": "2.0.0-next.1",
-		"lucide-svelte": "^0.469.0",
+		"globals": "^15.14.0",
+		"lucide-svelte": "^0.471.0",
 		"mode-watcher": "^0.5.0",
 		"paneforge": "1.0.0-next.2",
-		"shiki": "^1.26.1",
+		"shiki": "^1.27.2",
 		"svelte-radix": "^2.0.1",
 		"svelte-sonner": "^0.3.28",
 		"sveltekit-superforms": "^2.22.1",
@ -56,14 +62,18 @@
 		"tailwindcss": "^3.4.17",
 		"tailwindcss-animate": "^1.0.7",
 		"tauri-plugin-shellx-api": "^2.0.14",
+		"typescript-eslint": "^8.20.0",
 		"zod": "^3.24.1"
 	},
 	"dependencies": {
 		"@formkit/auto-animate": "^0.8.2",
-		"@internationalized/date": "^3.6.0",
+		"@internationalized/date": "^3.7.0",
+		"@kksh/supabase": "workspace:*",
 		"@std/semver": "npm:@jsr/std__semver@^1.0.3",
-		"gsap": "^3.12.5",
+		"dompurify": "^3.2.3",
+		"gsap": "^3.12.7",
 		"shiki-magic-move": "^0.5.2",
-		"svelte-markdown": "^0.4.1"
+		"svelte-markdown": "^0.4.1",
+		"valibot": "1.0.0-beta.12"
 	}
 }
--- a/packages/ui/src/components/common/ElementAlert.svelte
+++ b/packages/ui/src/components/common/ElementAlert.svelte
@ -112,7 +112,6 @@
 				onclick={() => {
 					if (onClose) {
 						onClose()
-					} else {
 					}
 					show = false
 				}}
--- a/packages/ui/src/components/common/IconMultiplexer.svelte
+++ b/packages/ui/src/components/common/IconMultiplexer.svelte
@ -3,6 +3,8 @@
 	import { IconEnum, IconType, Icon as TIcon } from "@kksh/api/models"
 	import { Button } from "@kksh/svelte5"
 	import { cn } from "@kksh/ui/utils"
+	import DOMPurify from "dompurify"
+	import { onMount } from "svelte"
 	import * as v from "valibot"
 	import { styleObjectToString } from "../../utils/style"

@ -12,8 +14,8 @@
 		icon,
 		class: className,
 		...restProps
-	}: { icon: TIcon; class?: string; [key: string]: any } = $props()
-
+	}: { icon: TIcon; class?: string; "data-flip-id"?: string } = $props()
+	let cleanedSvg: string | undefined = $state()
 	let remoteIconError = $state(false)

 	function fillHexColor(style: Record<string, string>, key: string, value?: string) {
@ -34,6 +36,12 @@
 	})

 	let style = $derived(styleObjectToString(customStyle))
+
+	onMount(() => {
+		if (icon.type === IconEnum.Svg) {
+			cleanedSvg = DOMPurify.sanitize(icon.value)
+		}
+	})
 </script>

 {#if icon.type === IconEnum.RemoteUrl}
@ -89,8 +97,11 @@
 	<span
 		{...restProps}
 		class={cn(className, { invert: icon.invert, "dark:invert": icon.darkInvert })}
-		{style}>{@html icon.value}</span
+		{style}
 	>
+		<!-- eslint-disable svelte/no-at-html-tags -->
+		{@html cleanedSvg}
+	</span>
 {:else}
 	<Icon
 		icon="mingcute:appstore-fill"
--- a/packages/ui/src/components/extension/GitHubProvenanceCard.svelte
+++ b/packages/ui/src/components/extension/GitHubProvenanceCard.svelte
@ -0,0 +1,65 @@
+<script lang="ts">
+	import { Card } from "@kksh/svelte5"
+	import { BadgeCheckIcon } from "lucide-svelte"
+
+	let {
+		repoOwner,
+		repoName,
+		githubActionInvocationId,
+		commit,
+		rekorLogIndex,
+		workflowPath
+	}: {
+		repoOwner: string
+		repoName: string
+		githubActionInvocationId: string
+		commit: string
+		rekorLogIndex: string
+		workflowPath: string
+	} = $props()
+	const workflowRunId = githubActionInvocationId.split("/").at(-3)
+	const workflowRunUrl = `https://github.com/${repoOwner}/${repoName}/actions/runs/${workflowRunId}/workflow`
+</script>
+
+<Card.Root>
+	<Card.Content class="flex flex-col md:flex-row items-center justify-between space-x-4">
+		<div class="flex items-center space-x-4 w-60">
+			<BadgeCheckIcon class="h-8 w-8 text-green-500" />
+			<div>
+				<span class="text-sm text-gray-200">Built and signed on</span>
+				<h1 class="text-xl font-bold">GitHub Actions</h1>
+				<a href={githubActionInvocationId} class="text-sm underline" target="_blank">
+					View build summary
+				</a>
+			</div>
+		</div>
+		<div>
+			<p class="text-sm flex flex-col sm:flex-row">
+				<strong class="inline-block w-28 mt-2 md:mt-0">Source Commit</strong>
+				<a
+					href={`https://github.com/${repoOwner}/${repoName}/tree/${commit}`}
+					target="_blank"
+					rel="noreferrer" 
+					class="font-mono underline"
+				>
+					github.com/{repoOwner}/{repoName}/{commit.slice(0, 8)}
+				</a>
+			</p>
+			<p class="text-sm flex flex-col sm:flex-row">
+				<strong class="inline-block w-28 mt-2 md:mt-0">Build File</strong>
+				<a href={workflowRunUrl} target="_blank" rel="noreferrer" class="font-mono underline">
+					{workflowPath}
+				</a>
+			</p>
+			<p class="text-sm flex flex-col sm:flex-row">
+				<strong class="inline-block w-28 mt-2 md:mt-0">Public Ledger</strong>
+				<a
+					href={`https://search.sigstore.dev/?logIndex=${rekorLogIndex}`}
+					target="_blank"
+					rel="noreferrer"
+					class="underline">Transparentcy log entry</a
+				>
+			</p>
+		</div>
+	</Card.Content>
+</Card.Root>
--- a/packages/ui/src/components/extension/StoreExtDetail.svelte
+++ b/packages/ui/src/components/extension/StoreExtDetail.svelte
@ -3,12 +3,15 @@
 	import Icon from "@iconify/svelte"
 	import { ExtPackageJson, IconEnum, KunkunExtManifest } from "@kksh/api/models"
 	import { type Tables } from "@kksh/api/supabase/types"
-	import { Button, ScrollArea, Separator } from "@kksh/svelte5"
+	import { ExtPublishMetadata, ExtPublishSourceTypeEnum } from "@kksh/supabase/models"
+	import { Badge, Button, ScrollArea, Separator } from "@kksh/svelte5"
 	import { Constants, IconMultiplexer } from "@kksh/ui"
 	import { cn } from "@kksh/ui/utils"
 	import { CircleCheckBigIcon, MoveRightIcon, Trash2Icon } from "lucide-svelte"
+	import * as v from "valibot"
 	import DialogImageCarousel from "../common/DialogImageCarousel.svelte"
 	import PlatformsIcons from "../common/PlatformsIcons.svelte"
+	import GitHubProvenanceCard from "./GitHubProvenanceCard.svelte"
 	import PermissionInspector from "./PermissionInspector.svelte"

 	let {
@ -55,6 +58,15 @@
 			onEnterPressed?.()
 		}
 	}
+
+	const metadata = $derived.by(() => {
+		const parseRes = v.safeParse(ExtPublishMetadata, ext.metadata)
+		if (!parseRes.success) {
+			console.error(v.flatten(parseRes.issues))
+			return
+		}
+		return parseRes.output
+	})
 </script>

 <svelte:window on:keydown={handleKeyDown} />
@ -114,28 +126,62 @@
 		{/if}
 	</Button>
 {/snippet}
-
 <div data-tauri-drag-region class="h-14"></div>
 <ScrollArea class={cn("w-full pb-12", className)}>
-	<div class="flex items-center gap-4">
-		<span class="h-12 w-12">
-			<IconMultiplexer
-				icon={manifest.icon}
-				class={cn(Constants.CLASSNAMES.EXT_LOGO, "h-full w-full")}
-				data-flip-id={`${Constants.CLASSNAMES.EXT_LOGO}-${ext.identifier}`}
-			/>
-		</span>
-		<div class="w-full">
-			<span class="flex w-full items-center" use:autoAnimate>
-				<strong class="ext-name text-xl">{manifest?.name}</strong>
-				{#if isInstalled}
-					<CircleCheckBigIcon class="ml-2 inline text-green-400" />
-				{/if}
+	<div class="flex flex-col items-center justify-between gap-4 sm:flex-row">
+		<div class="flex items-center gap-4">
+			<span class="h-12 w-12">
+				<IconMultiplexer
+					icon={manifest.icon}
+					class={cn(Constants.CLASSNAMES.EXT_LOGO, "h-full w-full")}
+					data-flip-id={`${Constants.CLASSNAMES.EXT_LOGO}-${ext.identifier}`}
+				/>
 			</span>
-			<pre class="text-muted-foreground text-xs">{ext.identifier}</pre>
-			<pre class="text-muted-foreground text-xs">Version: {ext.version}</pre>
+			<div class="flex flex-col justify-center">
+				<span class="flex w-full items-center" use:autoAnimate>
+					<strong class="ext-name text-xl">{manifest?.name}</strong>
+					{#if isInstalled}
+						<CircleCheckBigIcon class="ml-2 inline text-green-400" />
+					{/if}
+				</span>
+				<pre class="text-muted-foreground text-xs">{ext.identifier}</pre>
+				<pre class="text-muted-foreground text-xs">Version: {ext.version}</pre>
+			</div>
+		</div>
+		<div class="flex items-center space-x-2">
+			{#if metadata && metadata.sourceType === ExtPublishSourceTypeEnum.jsr}
+				<a href={metadata.source} target="_blank">
+					<Icon class="h-10 w-10" icon="vscode-icons:file-type-jsr" />
+				</a>
+			{:else if metadata && metadata.sourceType === ExtPublishSourceTypeEnum.npm}
+				<a href={metadata.source} target="_blank">
+					<Icon class="h-10 w-10" icon="vscode-icons:file-type-npm" />
+				</a>
+			{/if}
+			{#if metadata && metadata?.git?.commit && metadata?.rekorLogIndex && metadata?.git?.owner && metadata?.git?.repo}
+				<a
+					href={`https://github.com/${metadata.git.owner}/${metadata.git.repo}/tree/${metadata.git.commit}`}
+					target="_blank"
+				>
+					<Badge class="h-8 space-x-2">
+						<Icon class="h-6 w-6" icon="mdi:github" />
+						<span>{metadata.git.owner}/{metadata.git.repo}</span>
+					</Badge>
+				</a>
+			{/if}
 		</div>
 	</div>
+	{#if metadata && metadata?.git?.commit && metadata?.rekorLogIndex && metadata?.git?.owner && metadata?.git?.repo}
+		<Separator class="my-3" />
+		<GitHubProvenanceCard
+			repoOwner={metadata.git.owner}
+			repoName={metadata.git.repo}
+			githubActionInvocationId={metadata.git.githubActionInvocationId}
+			commit={metadata.git.commit}
+			rekorLogIndex={metadata.rekorLogIndex}
+			workflowPath={metadata.git.workflowPath}
+		/>
+	{/if}
 	{#if demoImages.length > 0}
 		<Separator class="my-3" />
 		<DialogImageCarousel
@ -176,7 +222,7 @@

 	<ul>
 		{#if manifest}
-			{#each [...manifest.customUiCmds, ...manifest.templateUiCmds] as cmd}
+			{#each [...(manifest.customUiCmds ?? []), ...(manifest.templateUiCmds ?? [])] as cmd}
 				<li>
 					<div class="flex items-center space-x-3">
 						{#if manifest}
--- a/packages/ui/src/components/extension/index.ts
+++ b/packages/ui/src/components/extension/index.ts
@ -2,4 +2,5 @@ export { default as ExtListItem } from "./ExtListItem.svelte"
 export { default as StoreExtDetail } from "./StoreExtDetail.svelte"
 export { default as PermissionInspector } from "./PermissionInspector.svelte"
 export { default as JsrPackageVersionTable } from "./publish/jsr/jsr-package-version-table.svelte"
+export { default as NpmPackageVersionTable } from "./publish/npm/npm-package-version-table.svelte"
 export * as Templates from "./templates"
--- a/packages/ui/src/components/extension/publish/jsr/jsr-package-version-table.svelte
+++ b/packages/ui/src/components/extension/publish/jsr/jsr-package-version-table.svelte
@ -23,6 +23,7 @@
 		publishedVersions: string[]
 	} = $props()
 </script>
+
 <Table.Root class={className}>
 	<Table.Caption>All versions of the package</Table.Caption>
 	<Table.Header>
--- a/packages/ui/src/components/extension/publish/npm/npm-package-version-table.svelte
+++ b/packages/ui/src/components/extension/publish/npm/npm-package-version-table.svelte
@ -0,0 +1,2 @@
+<script lang="ts">
+</script>
--- a/packages/ui/src/components/extension/templates/form.svelte
+++ b/packages/ui/src/components/extension/templates/form.svelte
@ -18,7 +18,7 @@
 	}: {
 		formViewContent: FormSchema.Form
 		class?: string
-		onSubmit?: (formData: Record<string, any>) => void
+		onSubmit?: (formData: Record<string, string | number | boolean>) => void
 	} = $props()
 	const formSchema = $derived(buildFormSchema(formViewContent))
 	onMount(() => {
--- a/packages/ui/src/components/layouts/center.svelte
+++ b/packages/ui/src/components/layouts/center.svelte
@ -6,6 +6,7 @@
 		children,
 		class: className,
 		...restProps
+		// eslint-disable-next-line @typescript-eslint/no-explicit-any
 	}: { children: Snippet; class?: string; [key: string]: any } = $props()
 </script>

--- a/packages/ui/src/utils/command-score.ts
+++ b/packages/ui/src/utils/command-score.ts
@ -1,6 +1,6 @@
 // This file is taken from https://github.com/huntabyte/bits-ui/blob/7f7bf6f6b736cf34e57a0d87aab01074c33efd46/packages/bits-ui/src/lib/bits/command/command.svelte.ts#L1

-// eslint-disable-next-line ts/ban-ts-comment
+// eslint-disable-next-line
 // @ts-nocheck
 // The scores are arranged so that a continuous match of characters will
 // result in a total score of 1.
--- a/packages/ui/src/utils/form.ts
+++ b/packages/ui/src/utils/form.ts
@ -12,9 +12,11 @@ function addDefaultToSchema(
 	return schema
 }

+// eslint-disable-next-line @typescript-eslint/no-explicit-any
 export function buildFormSchema(form: FormSchema.Form): v.ObjectSchema<any, undefined> {
 	let schema = v.object({})
 	for (const field of form.fields) {
+		// eslint-disable-next-line @typescript-eslint/no-explicit-any
 		let fieldSchema: any = undefined
 		if (field.nodeName === FormNodeNameEnum.Input) {
 			fieldSchema = v.string()
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml