feat: install-source trust badges and source-change warning

SysAdminDoc · SysAdminDoc · commit e435ed0340a1 · 2026-05-24T14:33:15.000-04:00
- Added classifyInstallSource(url) helper in shared/utils.js mapping install/update URLs to known userscript registries with tone-coded trust signals (Greasy Fork good, Sleazy Fork warn, OpenUserJS good, GitHub release good/raw/repo neutral, etc.).
- installFromCode and applyUpdate persist script.installSource and flip settings.sourceIdentityChanged when the registry id rotates between install and update.
- Dashboard script rows render the source badge plus a Source changed warning; install confirmation page surfaces a Source registry changed review row when re-installing from a different registry.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,25 @@ All notable changes to ScriptVault will be documented in this file.
 
 ## Unreleased
 
+### 2026-05-24 — Install-source trust badges + source-change warning
+
+- Added shared `classifyInstallSource(url)` helper in `shared/utils.js` that
+  maps install/update URLs to known registries (Greasy Fork, Sleazy Fork
+  warn-tier, OpenUserJS, GitHub Gist / raw / repo / release with release
+  promoted to good-tier, GitLab, Codeberg, Bitbucket, Tampermonkey site,
+  and `other` for unknown hosts). Empty input returns the `local` shape.
+- `installFromCode` persists `script.installSource` on install; `applyUpdate`
+  reclassifies on update and sets `settings.sourceIdentityChanged = true`
+  plus `previousInstallSource` when the registry id changes.
+- Dashboard script rows render a tone-coded source badge near the name
+  (`script-health-badge .good`, `.neutral`, or `.alert`) and a "Source
+  changed" warning badge whenever `settings.sourceIdentityChanged` is true.
+- Install confirmation page's trust card surfaces a "Source registry
+  changed" review row when re-installing from a different registry than
+  the original install.
+- New `.script-health-badge.good` and `.neutral` CSS variants reuse the
+  existing 8px corner radius (never pill backdrops).
+
 ### 2026-05-24 — Dashboard search corpus widened + editor find history
 
 - Dashboard search now matches against a single flattened corpus per
diff --git a/ROADMAP.md b/ROADMAP.md
@@ -392,12 +392,13 @@ Scale: Fit `Y/M/N`, impact and effort `1-5`, novelty `P` parity or `L` leapfrog.
   - Verify: search regression tests and manual editor search session.
   - Status: Shipped 2026-05-24. Two surfaces. (1) Dashboard search corpus broadened: a new `buildScriptSearchCorpus(script)` helper flattens name/description/author/namespace/version, all URL pattern fields (`match`, `include`, `exclude`, `userMatches`, `userIncludes`, `userExcludes`), tags (`meta.tag` + `settings.tags`), grants, homepage/support/update/download URLs, and ISO yyyy-mm-dd renderings of `stats.lastRun` + `updatedAt` into a single lowercased string. The substring/regex/code branches of `getFilteredScripts` all hit this corpus, so plain queries now match URL keywords, GreasyFork/OpenUserJS source slugs, last-run dates, and tag values. Corpus is memoized per-script keyed on `updatedAt` so repeated keystrokes don't rebuild it. (2) Editor find-widget search history persists to `chrome.storage.local.editorFindHistory` (FIFO 20, dedup with most-recent-first). The Monaco sandbox forwards every `searchString` change via `postMessage({type:'find-search'})`; `monaco-adapter.js` records via `recordFindTerm`, then primes the next editor open by posting `prime-find` with the saved history so the find widget opens pre-filled with the most recent term across sessions. Verification: `npx vitest run tests/search-corpus-history.test.js tests/site-frame-invert.test.js tests/dashboard-modules.test.js --pool=vmThreads --maxWorkers=1` passed (51 tests across 3 files); `npm run typecheck` clean.
 
-- [ ] P2 - Add install-source trust badges without full marketplace scope
+- [x] P2 - Add install-source trust badges without full marketplace scope
   - Why: Registry source is a useful trust signal, but a full marketplace adds moderation risk.
   - Evidence: S50,S51,H047,H049.
   - Touches: `pages/install.js`, `pages/dashboard-store.js`, parser/source metadata, tests.
   - Acceptance: Scripts installed from known registries show durable source metadata and warnings when source identity changes.
   - Verify: local fixture URLs for GreasyFork/OpenUserJS/GitHub/raw.
+  - Status: Shipped 2026-05-24. New shared `classifyInstallSource(url)` helper (in `shared/utils.js`, accessible from background.js, dashboard, install page) returns a stable `{ id, name, hostname, tone, url }` shape for Greasy Fork, Sleazy Fork (warn), OpenUserJS, GitHub Gist / raw / repo / release (release is the strongest tier), GitLab, Codeberg, Bitbucket, Tampermonkey site, and `other` (warn) for unknown hosts. Empty input maps to `local`. `installFromCode` records `script.installSource` at install time; `applyUpdate` reclassifies on update and — when the registry id changes — flips `settings.sourceIdentityChanged = true` and preserves the prior record in `script.previousInstallSource`. Dashboard script rows render a tone-coded badge (`good`/`neutral`/`alert` — new `.script-health-badge.good`/`.neutral` CSS reusing the existing 8px corner radius to honor the no-pill-backdrops global rule). Install confirmation page's trust card embeds a `Source registry changed` review row when re-installing from a different registry than the original source. Verification: `npx vitest run tests/install-source.test.js tests/utils.test.js tests/core-flows.test.js tests/runtime-import-export.test.js --pool=vmThreads --maxWorkers=1` passed (79 tests across 4 files); `npm run typecheck` clean; `npm run build:bg` clean (background.js 21,474 lines).
 
 - [ ] P2 - Add locale coverage and forced language checks
   - Why: `_locales` exists, but coverage should be reported and not silently regress.
diff --git a/background.core.js b/background.core.js
@@ -634,6 +634,19 @@ const UpdateSystem = {
     script.updatedAt = Date.now();
     script.trustReceipt = trustReceipt;
 
+    // Re-classify the install source. If the update came from a different
+    // registry than the install, flag it for the dashboard banner.
+    const updateSourceUrl = sourceUrl || parsed.meta.downloadURL || parsed.meta.updateURL || '';
+    const updatedSource = classifyInstallSource(updateSourceUrl);
+    if (script.installSource?.id && updatedSource.id !== 'local'
+        && script.installSource.id !== updatedSource.id) {
+      script.settings = { ...(script.settings || {}), sourceIdentityChanged: true };
+      script.previousInstallSource = script.installSource;
+      script.installSource = updatedSource;
+    } else if (!script.installSource && updatedSource.id !== 'local') {
+      script.installSource = updatedSource;
+    }
+
     // Re-register FIRST so we can verify the new code works before persisting
     try {
       await unregisterScript(scriptId);
@@ -5877,6 +5890,17 @@ async function installFromCode(code, receiptOptions = {}) {
       });
     }
 
+    // Classify the install source (Greasy Fork / OpenUserJS / GitHub / ...)
+    // so the dashboard can render a durable trust badge and so a future
+    // update from a different registry surfaces as a "source changed" flag.
+    const effectiveSourceUrl = receiptOptions.sourceUrl || meta.downloadURL || meta.updateURL || '';
+    const installSource = classifyInstallSource(effectiveSourceUrl);
+    let sourceIdentityChanged = false;
+    if (existing && existing.installSource && existing.installSource.id && installSource.id !== 'local'
+        && existing.installSource.id !== installSource.id) {
+      sourceIdentityChanged = true;
+    }
+
     const script = {
       ...existing,
       id,
@@ -5886,8 +5910,15 @@ async function installFromCode(code, receiptOptions = {}) {
       position: existing ? existing.position : allScripts.length,
       createdAt: existing ? existing.createdAt : Date.now(),
       updatedAt: Date.now(),
-      trustReceipt
+      trustReceipt,
+      installSource: installSource.id === 'local' && existing?.installSource
+        ? existing.installSource
+        : installSource
     };
+    if (sourceIdentityChanged) {
+      script.settings = { ...(script.settings || existing?.settings || {}), sourceIdentityChanged: true };
+      script.previousInstallSource = existing.installSource;
+    }
     if (versionHistory.length > 0) script.versionHistory = versionHistory;
 
     await ScriptStorage.set(id, script);
diff --git a/background.js b/background.js
@@ -54,6 +54,68 @@ function sanitizeUrl(url) {
   return trimmed;
 }
 
+/**
+ * Classify an install/update URL into a known userscript registry. Returns a
+ * stable shape used by both the install confirmation page and the dashboard
+ * source-trust badge. Unknown URLs fall back to `id: 'other'` with their
+ * hostname preserved; falsy input returns the local-import shape.
+ *
+ * The `id` is what `script.installSource.id` is keyed on, so changing labels
+ * is safe but renaming an `id` will cause source-identity-change warnings to
+ * fire on every script.
+ *
+ * @param {string} url
+ * @returns {{ id: string, name: string, hostname: string, tone: 'good'|'neutral'|'warn', url: string }}
+ */
+function classifyInstallSource(url) {
+  if (typeof url !== 'string' || !url.trim()) {
+    return { id: 'local', name: 'Local import', hostname: '', tone: 'neutral', url: '' };
+  }
+  let host = '';
+  let path = '';
+  try {
+    const u = new URL(url);
+    host = (u.hostname || '').toLowerCase();
+    path = u.pathname || '';
+  } catch (_) {
+    return { id: 'other', name: 'Unknown source', hostname: '', tone: 'warn', url };
+  }
+  if (host === 'greasyfork.org' || host === 'www.greasyfork.org') {
+    return { id: 'greasyfork', name: 'Greasy Fork', hostname: host, tone: 'good', url };
+  }
+  if (host === 'sleazyfork.org' || host === 'www.sleazyfork.org') {
+    return { id: 'sleazyfork', name: 'Sleazy Fork', hostname: host, tone: 'warn', url };
+  }
+  if (host === 'openuserjs.org' || host === 'www.openuserjs.org') {
+    return { id: 'openuserjs', name: 'OpenUserJS', hostname: host, tone: 'good', url };
+  }
+  if (host === 'gist.github.com' || host === 'gist.githubusercontent.com') {
+    return { id: 'github-gist', name: 'GitHub Gist', hostname: host, tone: 'neutral', url };
+  }
+  if (host === 'raw.githubusercontent.com') {
+    return { id: 'github-raw', name: 'GitHub raw', hostname: host, tone: 'neutral', url };
+  }
+  if (host === 'github.com' || host === 'www.github.com') {
+    if (/\/releases\/(download|latest)/i.test(path)) {
+      return { id: 'github-release', name: 'GitHub release', hostname: host, tone: 'good', url };
+    }
+    return { id: 'github', name: 'GitHub', hostname: host, tone: 'neutral', url };
+  }
+  if (host === 'gitlab.com' || host === 'www.gitlab.com') {
+    return { id: 'gitlab', name: 'GitLab', hostname: host, tone: 'neutral', url };
+  }
+  if (host === 'codeberg.org') {
+    return { id: 'codeberg', name: 'Codeberg', hostname: host, tone: 'neutral', url };
+  }
+  if (host === 'bitbucket.org') {
+    return { id: 'bitbucket', name: 'Bitbucket', hostname: host, tone: 'neutral', url };
+  }
+  if (host === 'tampermonkey.net' || host === 'www.tampermonkey.net') {
+    return { id: 'tampermonkey', name: 'Tampermonkey site', hostname: host, tone: 'neutral', url };
+  }
+  return { id: 'other', name: host || 'Unknown source', hostname: host, tone: 'warn', url };
+}
+
 /**
  * Format byte count as human-readable string.
  * @param {number} bytes - The byte count to format
@@ -12569,6 +12631,19 @@ const UpdateSystem = {
     script.updatedAt = Date.now();
     script.trustReceipt = trustReceipt;
 
+    // Re-classify the install source. If the update came from a different
+    // registry than the install, flag it for the dashboard banner.
+    const updateSourceUrl = sourceUrl || parsed.meta.downloadURL || parsed.meta.updateURL || '';
+    const updatedSource = classifyInstallSource(updateSourceUrl);
+    if (script.installSource?.id && updatedSource.id !== 'local'
+        && script.installSource.id !== updatedSource.id) {
+      script.settings = { ...(script.settings || {}), sourceIdentityChanged: true };
+      script.previousInstallSource = script.installSource;
+      script.installSource = updatedSource;
+    } else if (!script.installSource && updatedSource.id !== 'local') {
+      script.installSource = updatedSource;
+    }
+
     // Re-register FIRST so we can verify the new code works before persisting
     try {
       await unregisterScript(scriptId);
@@ -17812,6 +17887,17 @@ async function installFromCode(code, receiptOptions = {}) {
       });
     }
 
+    // Classify the install source (Greasy Fork / OpenUserJS / GitHub / ...)
+    // so the dashboard can render a durable trust badge and so a future
+    // update from a different registry surfaces as a "source changed" flag.
+    const effectiveSourceUrl = receiptOptions.sourceUrl || meta.downloadURL || meta.updateURL || '';
+    const installSource = classifyInstallSource(effectiveSourceUrl);
+    let sourceIdentityChanged = false;
+    if (existing && existing.installSource && existing.installSource.id && installSource.id !== 'local'
+        && existing.installSource.id !== installSource.id) {
+      sourceIdentityChanged = true;
+    }
+
     const script = {
       ...existing,
       id,
@@ -17821,8 +17907,15 @@ async function installFromCode(code, receiptOptions = {}) {
       position: existing ? existing.position : allScripts.length,
       createdAt: existing ? existing.createdAt : Date.now(),
       updatedAt: Date.now(),
-      trustReceipt
+      trustReceipt,
+      installSource: installSource.id === 'local' && existing?.installSource
+        ? existing.installSource
+        : installSource
     };
+    if (sourceIdentityChanged) {
+      script.settings = { ...(script.settings || existing?.settings || {}), sourceIdentityChanged: true };
+      script.previousInstallSource = existing.installSource;
+    }
     if (versionHistory.length > 0) script.versionHistory = versionHistory;
 
     await ScriptStorage.set(id, script);
diff --git a/pages/dashboard.html b/pages/dashboard.html
@@ -4164,6 +4164,18 @@
             border: 1px solid rgba(239, 68, 68, 0.24);
             color: #fecaca;
         }
+
+        .script-health-badge.good {
+            background: rgba(34, 197, 94, 0.14);
+            border: 1px solid rgba(34, 197, 94, 0.24);
+            color: #bbf7d0;
+        }
+
+        .script-health-badge.neutral {
+            background: rgba(148, 163, 184, 0.14);
+            border: 1px solid rgba(148, 163, 184, 0.24);
+            color: #cbd5e1;
+        }
         .script-favicon {
             width: 16px;
             height: 16px;
diff --git a/pages/dashboard.js b/pages/dashboard.js
@@ -4876,6 +4876,21 @@
         const errorHtml = hasErrors
           ? `<span class="script-health-badge alert" title="${escapeHtml(String(script.stats?.errors || 0))} execution error(s) recorded.">Errors</span>`
           : '';
+        // Install-source trust badge — durable across edits and visible at a
+        // glance in the script list. `tone: 'warn'` paints alert, `'good'`
+        // paints success; otherwise neutral.
+        let sourceBadgeHtml = '';
+        if (script.installSource && script.installSource.id && script.installSource.id !== 'local') {
+          const src = script.installSource;
+          const cls = src.tone === 'warn' ? 'alert' : src.tone === 'good' ? 'good' : 'neutral';
+          const title = src.url
+            ? `Installed from ${src.name} (${src.hostname || ''}). Source URL: ${src.url}`
+            : `Installed from ${src.name}.`;
+          sourceBadgeHtml = `<span class="script-health-badge ${cls}" data-source-badge="${escapeHtml(src.id)}" title="${escapeHtml(title)}">${escapeHtml(src.name)}</span>`;
+        }
+        const sourceChangedHtml = script.settings?.sourceIdentityChanged
+          ? `<span class="script-health-badge alert" title="The update channel now points to a different registry than the original install (${escapeHtml(script.previousInstallSource?.name || 'unknown')} → ${escapeHtml(script.installSource?.name || 'unknown')}). Review before trusting future updates.">Source changed</span>`
+          : '';
         if (hasErrors) tr.classList.add('row-has-errors');
         if (isStale) tr.classList.add('row-stale');
         if (overBudget) tr.classList.add('row-over-budget');
@@ -4903,6 +4918,8 @@
                             ${script.metadata?.author ? `<span class="script-author">by ${escapeHtml(script.metadata.author)}</span>` : ''}
                         </div>
                         <div class="script-name-badges">
+                            ${sourceBadgeHtml}
+                            ${sourceChangedHtml}
                             ${localEditsHtml}
                             ${errorHtml}
                             ${slowHtml}
diff --git a/pages/install.js b/pages/install.js
@@ -644,13 +644,30 @@ function getProvenanceSummary(sourceUrl, meta) {
     detail = 'Local install with a remote update channel declared in metadata.';
   }
 
+  // Surface a source-registry change when the user is updating a script and
+  // the new install URL classifies to a different known registry than the
+  // existing record. Existing script lookup is shared with `pages/install.js`
+  // confirmation flow; we re-derive the classification here to avoid
+  // round-tripping through background for an idempotent computation.
+  let sourceChange = null;
+  if (typeof classifyInstallSource === 'function' && existingScript?.installSource?.id) {
+    const newSource = classifyInstallSource(sourceUrl || downloadUrl || updateUrl || '');
+    if (newSource.id !== 'local' && newSource.id !== existingScript.installSource.id) {
+      sourceChange = {
+        previous: existingScript.installSource,
+        next: newSource
+      };
+    }
+  }
+
   return {
     label,
     detail,
     installSource,
     updateUrl,
     downloadUrl,
-    homepageUrl
+    homepageUrl,
+    sourceChange
   };
 }
 
@@ -710,6 +727,15 @@ function renderTrustCard(sourceUrl) {
         </div>
         <span class="trust-link">${provenance.installSource.safeUrl ? renderExternalLink(provenance.installSource.label, 'Open') : 'Local'}</span>
       </div>
+      ${provenance.sourceChange ? `
+        <div class="trust-row" role="alert">
+          <div class="trust-copy">
+            <strong>Source registry changed</strong>
+            <span>Previous install came from ${escapeHtml(provenance.sourceChange.previous.name)} (${escapeHtml(provenance.sourceChange.previous.hostname || '—')}). This update is from ${escapeHtml(provenance.sourceChange.next.name)} (${escapeHtml(provenance.sourceChange.next.hostname || '—')}). Confirm you trust the new origin before installing.</span>
+          </div>
+          <span class="count status-warn">Review</span>
+        </div>
+      ` : ''}
       ${provenance.updateUrl ? `
         <div class="trust-row">
           <div class="trust-copy">
diff --git a/shared/utils.js b/shared/utils.js
diff --git a/tests/install-source.test.js b/tests/install-source.test.js
