fix(discovery): tighten safe-install trust predicates #541

Open
JSONbored wants to merge 2 commits into main from codex/investigate-safe-install-vulnerability

@JSONbored
Owner

Motivation

  • Prevent entries with only registry-visible source metadata from being promoted as "Safe install" or "Install trust", because source URLs alone do not guarantee a verified or first-party install surface.
  • The previous predicate treated trustSignals.sourceStatus === "available" plus the absence of downloadUrl as a safe signal, allowing arbitrary installCommand or configSnippet to be surfaced under a misleading trust label.

Description

  • Tighten the safe-install predicate by removing the source-status fallback and only accepting downloadTrust === "first-party" or packageVerified === true in hasSafeInstallSignal in apps/web/src/lib/growth-surface-rules.ts.
  • Apply the same stricter trusted-install check to SEO cluster gating in apps/web/src/lib/seo-clusters.ts so cluster inclusion matches the trusted-package semantics.
  • Update the homepage rail copy in apps/web/src/app/page.tsx to accurately describe the rail as "first-party package or verified package" installs.
  • Update the discovery test in tests/discovery-surfaces.test.ts to remove the prior expectation that source-backed copyable/config entries qualify as safe-install.

Testing

  • Ran the discovery surface unit tests with pnpm exec vitest run tests/discovery-surfaces.test.ts, and all tests passed (1 file, 5 tests passed).
  • Ran git diff --check to validate no whitespace/diff issues and it reported clean.

Codex Task
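
Added example (not part of the PR and not the repository's code): the predicate change described above, reconstructed from the field names in the description, run over a small catalog to list which entries lose the label. The Entry shape, the function names legacySafeInstall, strictSafeInstall and losesLabel, and the sample catalog are assumptions made for this illustration.

```typescript
// Field names are taken from the PR description; everything else is constructed.
type Entry = {
  slug: string;
  downloadUrl?: string;
  downloadTrust?: string;
  packageVerified?: boolean;
  installCommand?: string;
  configSnippet?: string;
  trustSignals?: { sourceStatus?: string };
};

// Predicate as the description characterises it before the fix: a visible
// source URL with no downloadUrl was enough to earn the label.
function legacySafeInstall(e: Entry): boolean {
  return (
    e.downloadTrust === "first-party" ||
    e.packageVerified === true ||
    (e.trustSignals?.sourceStatus === "available" && !e.downloadUrl)
  );
}

// Predicate as described after the fix: only explicit trust assertions count.
function strictSafeInstall(e: Entry): boolean {
  return e.downloadTrust === "first-party" || e.packageVerified === true;
}

// Entries that carried the label only through the source-status fallback.
function losesLabel(catalog: Entry[]): string[] {
  return catalog
    .filter((e) => legacySafeInstall(e) && !strictSafeInstall(e))
    .map((e) => e.slug);
}

// Constructed sample catalog (URLs and values are placeholders).
const sampleCatalog: Entry[] = [
  { slug: "verified-pkg", packageVerified: true, downloadUrl: "https://example.invalid/pkg.tgz" },
  { slug: "first-party-zip", downloadTrust: "first-party", downloadUrl: "https://example.invalid/a.zip" },
  { slug: "copy-paste-cmd", installCommand: "<arbitrary command>", trustSignals: { sourceStatus: "available" } },
  { slug: "config-only", configSnippet: "{}", trustSignals: { sourceStatus: "available" } },
  { slug: "external-download", downloadUrl: "https://example.invalid/x.zip", trustSignals: { sourceStatus: "available" } },
];

console.log(losesLabel(sampleCatalog));
```

The two entries reported are the ones whose installCommand or configSnippet would previously have been shown under the trust label with nothing but source metadata behind them.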

@coderabbitai
Contributor

coderabbitai Bot commented May 27, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 5e464873-e105-4c3e-88f4-c6d405cc8882

📥 Commits

Reviewing files that changed from the base of the PR and between 9aa3e7b and b0bf806.

📒 Files selected for processing (4)
  • apps/web/src/app/page.tsx
  • apps/web/src/lib/growth-surface-rules.ts
  • apps/web/src/lib/seo-clusters.ts
  • tests/discovery-surfaces.test.ts
💤 Files with no reviewable changes (1)
  • tests/discovery-surfaces.test.ts
📜 Recent review details
⏰ Context from checks skipped due to timeout of 900000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: validate-pr-preview
  • GitHub Check: validate-web
  • GitHub Check: pipelock-advisory-scan
  • GitHub Check: Analyze (javascript-typescript)
🧰 Additional context used
📓 Path-based instructions (2)
apps/web/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (Custom checks)

apps/web/src/**/*.{ts,tsx}: Client components ('use client') must not import server-only utilities (unstable_cache, headers, cookies)
Client components ('use client') must not use Node.js APIs (fs, path, etc.)
Client components ('use client') must use client-safe logging (logClientError, not logger from server)
Server components must not use browser APIs (window, document, localStorage)
Server components must not use React hooks (useState, useEffect, etc.)
Server components must use server logging from @heyclaude/web-runtime/logging/server
Server components and pages must track duration with withDuration()
Server components and pages must include requestId in all logs
Server components and pages must use normalizeError() in catch blocks
Server components and pages must have a final summary log
Client components with async operations must use useLoggedAsync hook
Client components with async operations must never use raw try/catch without logging
Do not use user input in database queries without sanitization
Do not construct URLs without validation
Do not perform file path operations without sanitization
Server actions must have auth checks before executing operations
Do not perform direct database mutations without permission checks
Do not log PII without hashing (userId, email, etc.)
Do not expose sensitive data in error messages
Do not include API keys or secrets in code
Do not use unsanitized user input in HTML rendering
Do not use dangerous eval() or Function() with user input
Do not use unsanitized user input in database queries (SQL/NoSQL injection prevention)

Files:

  • apps/web/src/lib/growth-surface-rules.ts
  • apps/web/src/app/page.tsx
  • apps/web/src/lib/seo-clusters.ts
apps/web/src/**/*

📄 CodeRabbit inference engine (AGENTS.md)

Website/API behavior must live under apps/web/src/

Files:

  • apps/web/src/lib/growth-surface-rules.ts
  • apps/web/src/app/page.tsx
  • apps/web/src/lib/seo-clusters.ts
🔇 Additional comments (3)
apps/web/src/lib/growth-surface-rules.ts (1)

62-66: LGTM!

apps/web/src/lib/seo-clusters.ts (1)

226-229: LGTM!

apps/web/src/app/page.tsx (1)

149-153: LGTM!


📝 Walkthrough

Summary by CodeRabbit

  • Improvements
    • Refined "Safe install" signal detection to prioritize verified packages as the primary trust indicator for installability assessments.
    • Updated package visibility and trust evaluation rules in discovery surfaces to enforce more consistent standards.
    • Enhanced clarity of "Safe install" rail descriptions to better communicate what qualifies as safe and installable.

Walkthrough

This PR consolidates install-trust signal evaluation by treating verified packages (packageVerified === true) as the sole safe-install indicator, removing fallback logic that previously accepted source-available entries without download URLs. The logic changes are applied in discovery-surface rules and SEO-cluster gating, with corresponding test and UI updates.

Changes

Install trust signal consolidation

| Layer / File(s) | Summary |
| --- | --- |
| Safe and trusted install signal logic (apps/web/src/lib/growth-surface-rules.ts, apps/web/src/lib/seo-clusters.ts, tests/discovery-surfaces.test.ts) | hasSafeInstallSignal and hasTrustedInstall now require only packageVerified === true, removing the prior fallback that treated "source available without downloadUrl" as trusted. Test fixtures shift from source-copyable to verified-package to validate the narrower criteria. |
| Home page safe install rail description (apps/web/src/app/page.tsx) | Rail description text is updated to match the tightened install-trust requirements. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • JSONbored/awesome-claude#392: Earlier refactor introduced growth-surface-rules/seo-clusters gating for discovery lists; this PR further adjusts the exact safe-install/trusted-install boolean logic in hasSafeInstallSignal and matchesClusterRequirements.
  • JSONbored/awesome-claude#413: Related changes to how entry.packageVerified is interpreted in trust/verification contexts (affects verified-package badge display in that PR versus safe-install/SEO inclusion here).

Suggested labels

security, risk-high


📦 A package verified is worth a thousand signals,
Source without download, now deemed subliminal.
Trust consolidated, logic made lean,
Safe install sharpened—clean and serene. 🎯


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 2 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ❌ Error | Docstring coverage is 0.00% which is insufficient. The required threshold is 90.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Description check | ❓ Inconclusive | The PR description provides clear motivation, detailed changes across four files, and testing results. However, it deviates significantly from the repository's template structure and lacks required checklist items. | Consider reorganizing the description to match the repository template with explicit sections (Summary, Schema/Quality Checks, Validation, etc.) and checking off relevant items. |
| Logging Standards Compliance | ❓ Inconclusive | The referenced logging standards file .cursor/rules/logging-instrumentation.mdc doesn't exist, and described logging utilities are unused in the codebase. | Verify if logging standards apply to this project and provide the correct location of the standards document. |

✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title 'fix(discovery): tighten safe-install trust predicates' accurately describes the main change: stricter validation logic for safe-install and install-trust signals across multiple files. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Security Pattern Review | ✅ Passed | No security anti-patterns found. Changes tighten trust predicates by removing unsafe fallback condition. No input validation, auth, data exposure, or XSS/injection risks introduced. |
| Client/Server Boundary Validation | ✅ Passed | Modified files correctly enforce Next.js boundaries: async server component, server-only declarations, pure utility functions, no client hooks or browser APIs. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.


@JSONbored JSONbored self-assigned this May 27, 2026