Skip to content

lamemustafa/pack

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

38 Commits
.github
.github
 
 
docs
docs
 
 
policies
policies
 
 
public
public
 
 
scripts
scripts
 
 
src
src
 
 
tests
tests
 
 
.editorconfig
.editorconfig
 
 
.gitignore
.gitignore
 
 
.nvmrc
.nvmrc
 
 
.prettierignore
.prettierignore
 
 
.prettierrc
.prettierrc
 
 
AGENTS.md
AGENTS.md
 
 
CHANGELOG.md
CHANGELOG.md
 
 
CODE_OF_CONDUCT.md
CODE_OF_CONDUCT.md
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
LICENSE
LICENSE
 
 
NOTICE
NOTICE
 
 
README.md
README.md
 
 
SECURITY.md
SECURITY.md
 
 
TRADEMARKS.md
TRADEMARKS.md
 
 
eslint.config.mjs
eslint.config.mjs
 
 
package.json
package.json
 
 
pnpm-lock.yaml
pnpm-lock.yaml
 
 
pnpm-workspace.yaml
pnpm-workspace.yaml
 
 
tsconfig.json
tsconfig.json
 
 
vitest.config.ts
vitest.config.ts
 
 
wxt.config.ts
wxt.config.ts
 
 

Repository files navigation

ComplyEaze Pack

License CI

ComplyEaze Pack is a local-first Chrome MV3 browser extension for collecting compliance portal documents from an authorised browser session. V0 starts with filed GSTR-3B PDFs from the GST Portal.

V0 is intentionally narrow:

  • no ComplyEaze, Axal, or Pack login;
  • no GST Portal credential, OTP, CAPTCHA, cookie, or session-token capture;
  • no GST document upload in the local-download workflow;
  • no extension analytics or telemetry;
  • exact GST host permissions only;
  • live local PDF downloads for selected filed GSTR-3B periods.

ComplyEaze Pack is an independent third-party tool. It is not affiliated with, endorsed by, or operated by GSTN, CBIC, or the Government of India.

Status

This public repository is an open-source alpha and is not Chrome Web Store ready. The extension has a local demo and a live GSTR-3B PDF download path. Live manifest/index/exception-file generation is outside the current alpha. Public launch requires the manual gates in docs/PUBLICATION_READINESS.md.

Full fiscal year download is available in source-build alpha as a local per-period ledger. It expands the selected financial year into eligible GSTR-3B periods and runs them one at a time through the single-period path. It remains outside Chrome Web Store readiness until real-browser restart, resume, and privacy-review gates are complete.

Install

Chrome Web Store

No Chrome Web Store listing is published. Install from source only while Chrome Web Store review, legal review, and release sign-off remain incomplete.

From Source

nvm use
corepack enable
pnpm install --frozen-lockfile
pnpm exec wxt prepare
pnpm exec wxt build

Load the unpacked Chrome build from:

.output/chrome-mv3

Use a separate Chrome profile for development or manual QA.

Development

pnpm install --frozen-lockfile
pnpm audit --audit-level high
pnpm exec wxt prepare
pnpm exec prettier --check .
pnpm exec eslint . --max-warnings 0
pnpm exec tsc --noEmit
pnpm exec vitest run
pnpm exec wxt build
node scripts/verify-extension-package.mjs .output/chrome-mv3

The full release gate is:

pnpm install --frozen-lockfile
pnpm audit --audit-level high
pnpm exec wxt prepare
pnpm exec prettier --check .
pnpm exec eslint . --max-warnings 0
pnpm exec tsc --noEmit
pnpm exec vitest run
pnpm exec wxt build
node scripts/verify-extension-package.mjs .output/chrome-mv3
pnpm verify:clean
pnpm exec wxt zip
node scripts/verify-extension-zip.mjs
git diff --check

Package scripts are also available:

pnpm verify
pnpm verify:release

Direct commands are preferred in constrained agent terminals if chained package scripts hang or hide failure details.

Architecture

ComplyEaze Pack uses WXT, Vite, React, and TypeScript.

  • src/entrypoints/background.ts: service worker, local demo downloads, and bounded filed-return PDF flow orchestration.
  • src/entrypoints/content.ts: passive GST context detection.
  • src/entrypoints/popup: React popup.
  • src/entrypoints/options: React options page.
  • src/core: portal-neutral contracts, manifest, naming, CSV, and messages.
  • src/connectors/gst: GST-specific detection, GSTR-3B filed-return navigation, download triggering, and local demo data.
  • src/extension/manifest-policy.ts: canonical extension metadata, permissions, host allow-list, CSP, homepage, and icons.
  • scripts/verify-extension-package.mjs: built-package policy verification.

The reusable UCP-facing surface is the Pack plan/result/archive-manifest contract, not shared credential or session handling. In the current alpha, that contract is exercised by the local demo; the live GST path downloads PDFs without persisting per-target DownloadResult records or a live manifest.

Extension Storage

Pack uses Chrome extension storage only inside the current browser profile.

chrome.storage.local:

  • pack:install: install/update metadata with product version, install timestamp, and localOnly: true;
  • pack:active-filed-returns-run: a short-lived local run lease used to prevent overlapping filed-return downloads in the same browser profile;
  • pack:full-fiscal-year-ledger: local-only full fiscal year run status with financial year, period, return type, target status, safe messages/signals, attempts, and timestamps only;
  • pack:filed-returns-target-review: local-only single-period unresolved download review state with financial year, period, return type, safe messages/signals, and timestamps only;
  • pack:last-manifest: the last local demo archive manifest summary. The live GST download path does not write a live manifest in this alpha.

chrome.storage.session:

  • pack:last-context: the latest safe GST page support context;
  • pack:last-filed-returns-observation: the latest safe filed-returns page observation;
  • pack:last-filed-returns-flow-summary: the latest temporary filed-return flow status.

The Options page "Clear local Pack data" control removes the local keys above and clears Pack session storage. Pack does not store GST Portal credentials, OTPs, CAPTCHA values, cookies, GSTIN/PAN, taxpayer names, downloaded PDFs, portal HTML, raw URLs/referrers, local download paths, filenames, or raw network captures.

During a user-initiated live download, Pack temporarily observes browser download metadata such as download ID, origin, MIME type, filename, start time, state, and byte counts to decide whether the browser reported a non-empty GST Portal PDF. This observation is bounded to the active run. Pack does not transmit this metadata, and the current live path does not persist raw URLs, referrers, absolute local paths, or filenames.

Privacy Invariants

ComplyEaze Pack V0 must not:

  • collect credentials, OTPs, CAPTCHA responses, cookies, or session tokens;
  • upload GST files or document contents in the local-download workflow;
  • access unrelated websites;
  • use GST data for advertising, lending, creditworthiness, or profiling;
  • load remote executable code.

Public issues, pull requests, screenshots, and support messages must not contain real GSTIN, PAN, Aadhaar, taxpayer/client names, credentials, portal HTML, raw network captures, or downloaded GST files.

Release Notes And Reviewer Docs

Contributing

Read CONTRIBUTING.md, SECURITY.md, and TRADEMARKS.md before opening issues or pull requests.

License

Source code and documentation are licensed under the Apache License, Version 2.0. See LICENSE and NOTICE. ComplyEaze names, marks, logos, icons, and official store identity are governed by TRADEMARKS.md.

About

Local first browser extension for collecting compliance portal documents from the comfort, privacy and security of your own browser session. Starting with GSTR-3B where we don't capture any credentials.

github.com/lamemustafa/pack

Topics

chrome-extension typescript browser-extension compliance india gst wxt privacy-first local-first manifest-v3 document-downloader gstr-3b

Resources

Readme

License

View license

Code of conduct

Code of conduct

Contributing

Contributing

Security policy

Security policy
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

 
 
 

Contributors

Languages