
refactor: switch to packumeta for trust levels#2804

Merged: 43081j merged 8 commits into main from packumeta-magic on May 28, 2026

Conversation

@43081j 43081j commented May 26, 2026

🔗 Linked issue

N/A

🧭 Context

Unifying trust level scales across ecosystem tools.

📚 Description

This switches our trust level logic to use the new `packumeta` package,
so we can share the same scale as other tools in the space (e.g. e18e
tools already use this).

Once staging signals are added to npm, this package will be updated to
expose them as the existing `stagedPublish` level.

NOTE: This does not fix the current problem of staged packages showing
up as a "downgrade".


vercel Bot commented May 26, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
npmx.dev | Ready | Preview, Comment | May 28, 2026 7:56am

2 Skipped Deployments

Project | Deployment | Actions | Updated (UTC)
docs.npmx.dev | Ignored | Preview | May 28, 2026 7:56am
npmx-lunaria | Ignored | | May 28, 2026 7:56am



coderabbitai Bot commented May 26, 2026


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b2eaab45-a9f8-4d3e-b4f8-67cf95f9372a

📥 Commits

Reviewing files that changed from the base of the PR and between 3926881 and 4207e0c.

📒 Files selected for processing (1)
  • test/nuxt/composables/use-package-transform.spec.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • test/nuxt/composables/use-package-transform.spec.ts

📝 Walkthrough

Summary by CodeRabbit

  • Refactor

    • Package version metadata now uses a richer trustStatus object (provenance, trustedPublisher, stagedPublish) across UI and security logic.
    • Trust-level handling and downgrade detection updated to operate from trustStatus.
  • Chores

    • Added the packumeta runtime dependency for standardised trust status utilities.
  • Tests

    • Updated unit and integration tests/fixtures to the new trustStatus shape and adjusted assertions.

Walkthrough

This PR migrates trust metadata handling from a legacy hasProvenance/trustLevel model to packumeta's TrustStatus across types, composables, utilities, components and tests.

Changes

Trust Status Migration to packumeta

Layer | File(s) | Summary
Type definitions and dependency | package.json, shared/types/npm-registry.ts | Adds packumeta v0.4.0. SlimVersion and PackageVersionInfo now use trustStatus?: TrustStatus; legacy PublishTrustLevel removed.
Trust resolution utilities | app/utils/publish-security.ts | Uses getTrustLevel/getTrustLevelName and TrustLevelName; computes trustRank/trustLevelName from version.trustStatus; PublishSecurityDowngrade fields now use TrustLevelName.
Version data transformation | app/composables/npm/usePackage.ts | Imports packumeta helpers; security metadata entries include trustStatus; filteredVersions payloads carry trustStatus instead of hasProvenance/trustLevel.
Component integration with TrustStatus | app/components/Package/Versions.vue, app/pages/package/[[org]]/[name].vue, app/pages/package/[[org]]/[name]/versions.vue | VersionDisplay now holds trustStatus?: TrustStatus. Version row construction populates trustStatus. ProvenanceBadge rendering checks trustStatus?.provenance across visible rows, expanded children and grouped "Other versions"; fullVersionMap typed to Map<string, PackageVersionInfo>.
Test suite updates | test/nuxt/*, test/unit/* | Fixtures and mocks updated to use trustStatus objects (provenance/trustedPublisher/stagedPublish booleans). Assertions updated; two legacy hasProvenance-fallback tests removed.

Suggested reviewers

  • ghostdevv
  • serhalp
  • MatteoGabriele
🚥 Pre-merge checks: 4 passed

Check name | Status | Explanation
Title check | ✅ Passed | The title clearly and concisely summarizes the main change: refactoring trust level logic to use the packumeta package.
Description check | ✅ Passed | The description directly relates to the changeset by explaining the rationale for switching to packumeta and clarifying what is and is not addressed.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


@github-actions

e18e dependency analysis

No dependency warnings found.


codecov Bot commented May 26, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.


@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
test/nuxt/components/Package/Versions.spec.ts (1)

16-30: ⚡ Quick win

Align the fixture helper with the migrated trustStatus contract.

createVersion still uses legacy hasProvenance and can omit trustStatus entirely, which makes fixtures drift from the new schema and weakens contract coverage.

[recommendation]

♻️ Proposed refactor
 function createVersion(
   version: string,
   options: {
     deprecated?: string
-    hasProvenance?: boolean
+    trustStatus?: SlimVersion['trustStatus']
   } = {},
 ): SlimVersion {
   return {
     version,
     deprecated: options.deprecated,
     tags: undefined,
-    ...(options.hasProvenance
-      ? { trustStatus: { provenance: true, trustedPublisher: false, stagedPublish: false } }
-      : {}),
+    trustStatus: options.trustStatus ?? {
+      provenance: false,
+      trustedPublisher: false,
+      stagedPublish: false,
+    },
   } as SlimVersion
 }
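Review bot: the `options.trustStatus ?? { ... }` default at the end of the hunk means the fixture can never represent a version with trustStatus absent, yet the migrated type is `trustStatus?: TrustStatus` and the components guard with `trustStatus?.provenance`, so the undefined path loses its only fixture coverage; apply the default only when the key is not present in `options` (e.g. `'trustStatus' in options ? options.trustStatus : defaultStatus`) so a test can still pass `trustStatus: undefined`. Also, the `as SlimVersion` cast kept on the return line defeats the "strictly type-safe" goal the recommendation cites; with trustStatus now always supplied, drop the cast and let the compiler check the literal against SlimVersion.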

As per coding guidelines: Ensure you write strictly type-safe code.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/nuxt/components/Package/Versions.spec.ts` around lines 16 - 30, The
fixture helper createVersion currently uses the legacy hasProvenance boolean and
sometimes omits trustStatus, drifting from the migrated trustStatus contract;
update createVersion to accept an explicit trustStatus parameter (e.g.,
trustStatus?: { provenance: boolean; trustedPublisher: boolean; stagedPublish:
boolean } or the project's TrustStatus type) and always include a properly typed
trustStatus property in the returned SlimVersion, removing hasProvenance and
ensuring the return value is strictly type-safe and conforms to SlimVersion's
new schema.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 0df840f6-7bfe-44b6-9759-28eefc5a7148

📥 Commits

Reviewing files that changed from the base of the PR and between 6cb4350 and 9a0b7f3.

📒 Files selected for processing (1)
  • test/nuxt/components/Package/Versions.spec.ts

@serhalp serhalp left a comment


LGTM


serhalp commented May 28, 2026

maybe not a feat: if it's a pure refactor / dep change?

43081j changed the title from "feat: switch to packumeta for trust levels" to "refactor: switch to packumeta for trust levels" on May 28, 2026

socket-security Bot commented May 28, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Added | packumeta@0.4.0 | 71 | 100 | 81 | 91 | 100



43081j commented May 28, 2026

this now actually fixes the trust scale problem too - through a terrible but working hack...

basically, we now detect something as having used staging if _id is the first field in the document. surprisingly, no packuments exist with _id at the start in the registry other than those which used staging.

@serhalp it's a true hack but I'm happy with it if you are, and it'll fix the false downgrade errors people are seeing in the timeline.

once npm expose a real signal, we can update the library

EDIT:

npm are now going to ship the fix, so im going to merge this and do a follow up once they have.
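As an added example, not code from npmx or packumeta, here is a minimal TypeScript model of the pipeline the PR description and walkthrough describe (trustStatus to level name, rank and downgrade detection) together with the `_id`-first staging heuristic from this comment; the level ordering in SCALE and the treatment of staged versions as pending rather than as a downgrade are assumptions.

```typescript
// Added example (not code from npmx or packumeta): a minimal model of the
// pipeline this PR describes, trustStatus -> level name -> rank -> downgrade.
// ASSUMPTION: the ordering in SCALE is illustrative, not packumeta's real scale.

interface TrustStatus {
  provenance: boolean
  trustedPublisher: boolean
  stagedPublish: boolean
}

type TrustLevelName = 'none' | 'stagedPublish' | 'provenance' | 'trustedPublisher'

// Assumed scale: array index is the rank; higher means stronger publish-time assurance.
const SCALE: readonly TrustLevelName[] = ['none', 'stagedPublish', 'provenance', 'trustedPublisher']

function getTrustLevelName(status?: TrustStatus): TrustLevelName {
  if (status?.trustedPublisher) return 'trustedPublisher'
  if (status?.provenance) return 'provenance'
  if (status?.stagedPublish) return 'stagedPublish'
  return 'none'
}
const getTrustRank = (status?: TrustStatus): number => SCALE.indexOf(getTrustLevelName(status))

// The stop-gap heuristic from this thread: a packument whose first key is `_id`
// went through npm staging. Heuristic only, to be replaced by npm's real signal.
function usedStaging(packument: Record<string, unknown>): boolean {
  return Object.keys(packument)[0] === '_id'
}

interface VersionLike { version: string; trustStatus?: TrustStatus }
interface PublishSecurityDowngrade {
  fromVersion: string; toVersion: string
  fromLevel: TrustLevelName; toLevel: TrustLevelName
}

// Walk versions in publish order and report each drop in rank relative to the last
// non-staged version. ASSUMPTION: a staged publish has no signals attached yet, so it
// is neither compared nor used as baseline; that is what suppresses the false downgrade.
function findDowngrades(versions: VersionLike[]): PublishSecurityDowngrade[] {
  const out: PublishSecurityDowngrade[] = []
  let baseline: VersionLike | undefined
  for (const cur of versions) {
    if (cur.trustStatus?.stagedPublish) continue
    if (baseline && getTrustRank(cur.trustStatus) < getTrustRank(baseline.trustStatus)) {
      out.push({ fromVersion: baseline.version, toVersion: cur.version,
        fromLevel: getTrustLevelName(baseline.trustStatus), toLevel: getTrustLevelName(cur.trustStatus) })
    }
    baseline = cur
  }
  return out
}
```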

@43081j 43081j added this pull request to the merge queue May 28, 2026
Merged via the queue into main with commit 7c53128 May 28, 2026
28 checks passed
@43081j 43081j deleted the packumeta-magic branch May 28, 2026 09:59