lamemustafa/pack

ComplyEaze Pack

ComplyEaze Pack is a local-first Chrome MV3 browser extension for collecting compliance portal documents from an authorised browser session. V0 starts with filed GSTR-3B PDFs, filed GSTR-1 summary PDFs, and optional GSTR-1 e-invoice details Excel downloads from the GST Portal where the portal provides them.

V0 is intentionally narrow:

  • no ComplyEaze, Axal, or Pack login;
  • no GST Portal credential, OTP, CAPTCHA, cookie, or session-token capture;
  • no GST document upload in the local-download workflow;
  • no extension analytics or telemetry;
  • exact GST host permissions only;
  • live local downloads for selected filed GSTR-3B and GSTR-1 periods, with GSTR-1 Excel available only when the GST Portal provides the selected e-invoice details file.

ComplyEaze Pack is an independent third-party tool. It is not affiliated with, endorsed by, or operated by GSTN, CBIC, or the Government of India.

Status

This public repository and the Chrome Web Store V0 listing are open-source alpha surfaces. The reviewed source has live local download support for filed GSTR-3B PDFs, filed GSTR-1 summary PDFs, and optional GSTR-1 e-invoice details Excel files where the GST Portal provides them. The verified GitHub pre-release for this source state is v0.3.2, with Chrome ZIP SHA-256 6bd41a364a2466f0f255bef1b44e93694cc8d95431e7661fea5be3d52c9cdddb.

The Chrome Web Store package update for this GSTR-1 source release was submitted through the protected workflow on 2026-07-04. Run 28704776806 uploaded v0.3.2 with upload state SUCCEEDED, publish state PENDING_REVIEW, and no warnings. Dashboard listing assets/privacy declarations and final Chrome Web Store publication confirmation are still pending. Live manifest/index/exception-file generation is outside the current alpha. Future store updates require the release gates in docs/PUBLICATION_READINESS.md and docs/RELEASE.md. Release PR titles use Conventional Commits so Release Please can decide the next Pack version from each merge.

Full fiscal year download is available in source-build alpha as a local per-period ledger. It expands the selected financial year into eligible GSTR-3B or GSTR-1 periods and runs them one at a time through the single-period path. It remains outside store-facing claims until exact-ZIP clean-profile evidence, restart/resume evidence, and privacy-review evidence are recorded for the release.

Install

Chrome Web Store

The existing V0 listing is available on the Chrome Web Store:

https://chromewebstore.google.com/detail/complyeaze-pack-gst-gstr/nfnbhekccajjfgkppolomflaeledoccb

The v0.3.2 GitHub release has the verified GSTR-1 source package. The package update was submitted to Chrome Web Store review through workflow run 28704776806; dashboard listing assets/privacy declarations and final publication confirmation are still pending.

Review the source, release notes, permissions, and privacy boundaries before using Pack for GST records. The public Pack site is:

https://pack.complyeaze.com/gst

From Source

nvm use
corepack enable
pnpm install --frozen-lockfile
pnpm exec wxt prepare
pnpm exec wxt build

Load the unpacked Chrome build from:

.output/chrome-mv3

Use a separate Chrome profile for development or manual QA.

Development

pnpm install --frozen-lockfile
node scripts/run-dependency-audit.mjs
pnpm exec wxt prepare
pnpm exec prettier --check .
pnpm exec eslint . --max-warnings 0
pnpm exec tsc --noEmit
pnpm exec vitest run
pnpm exec wxt build
node scripts/verify-extension-package.mjs .output/chrome-mv3

The full release gate is:

pnpm install --frozen-lockfile
node scripts/run-dependency-audit.mjs
pnpm exec wxt prepare
pnpm exec prettier --check .
pnpm exec eslint . --max-warnings 0
pnpm exec tsc --noEmit
pnpm exec vitest run
pnpm exec wxt build
node scripts/verify-extension-package.mjs .output/chrome-mv3
pnpm verify:clean
pnpm exec wxt zip
node scripts/verify-extension-zip.mjs
git diff --check

Package scripts are also available:

pnpm verify
pnpm verify:release

Direct commands are preferred in constrained agent terminals if chained package scripts hang or hide failure details. The node scripts/run-dependency-audit.mjs step runs pnpm audit --audit-level high with a timeout, so local release verification fails clearly instead of hanging indefinitely when the registry is unavailable.

Architecture

ComplyEaze Pack uses WXT, Vite, React, and TypeScript.

  • src/entrypoints/background.ts: service worker, local demo downloads, and bounded filed-return download flow orchestration.
  • src/entrypoints/content.ts: passive GST context detection.
  • src/entrypoints/popup: React popup.
  • src/entrypoints/options: React options page.
  • src/core: portal-neutral contracts, manifest, naming, CSV, and messages.
  • src/connectors/gst: GST-specific detection, filed-return navigation, download triggering, and local demo data.
  • src/extension/manifest-policy.ts: canonical extension metadata, permissions, host allow-list, CSP, homepage, and icons.
  • scripts/verify-extension-package.mjs: built-package policy verification.

The reusable UCP-facing surface is the Pack plan/result/archive-manifest contract, not shared credential or session handling. In the current alpha, that contract is exercised by the local demo; the live GST path downloads PDFs without persisting per-target DownloadResult records or a live manifest.
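
A package check in the spirit of the manifest policy and built-package verification listed above, written for this page as an added example (it is not the repository's scripts/verify-extension-package.mjs). The allowed host pattern and permission set are assumptions, and both manifests are constructed.

```javascript
// Added example, not the project's scripts/verify-extension-package.mjs.
// Both allow-lists are assumptions; use the values from your own policy.
const ALLOWED_HOSTS = new Set(["https://services.gst.gov.in/*"]);
const ALLOWED_PERMISSIONS = new Set(["storage", "downloads"]);

function checkManifestPolicy(manifest) {
  const problems = [];
  if (manifest.manifest_version !== 3) problems.push("manifest_version must be 3");
  // Exact host permissions only: every match pattern, wherever it is declared,
  // must appear verbatim on the allow-list (so <all_urls> and wildcards fail).
  const hosts = [
    ...(manifest.host_permissions ?? []),
    ...(manifest.optional_host_permissions ?? []),
    ...(manifest.content_scripts ?? []).flatMap((cs) => cs.matches ?? []),
  ];
  for (const h of hosts) {
    if (!ALLOWED_HOSTS.has(h)) problems.push(`host pattern not allowed: ${h}`);
  }
  const perms = [...(manifest.permissions ?? []), ...(manifest.optional_permissions ?? [])];
  for (const p of perms) {
    if (!ALLOWED_PERMISSIONS.has(p)) problems.push(`permission not allowed: ${p}`);
  }
  // No remote executable code: script-src must be present and list only 'self'.
  const csp = manifest.content_security_policy?.extension_pages ?? "";
  const scriptSrc = csp.split(";").map((d) => d.trim().split(/\s+/))
    .find((d) => d[0] === "script-src");
  if (!scriptSrc) problems.push("CSP must declare script-src explicitly");
  for (const src of (scriptSrc ?? []).slice(1)) {
    if (src !== "'self'") problems.push(`script-src source not allowed: ${src}`);
  }
  return problems;
}

// Constructed manifests for illustration only.
const GOOD_MANIFEST = {
  manifest_version: 3,
  permissions: ["storage", "downloads"],
  host_permissions: ["https://services.gst.gov.in/*"],
  content_scripts: [{ matches: ["https://services.gst.gov.in/*"], js: ["content.js"] }],
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" },
};
const BAD_MANIFEST = {
  ...GOOD_MANIFEST,
  permissions: ["storage", "cookies"],
  host_permissions: ["<all_urls>"],
  content_security_policy: { extension_pages: "script-src 'self' https://cdn.example.com" },
};
```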

Extension Storage

Pack uses Chrome extension storage only inside the current browser profile.

chrome.storage.local:

  • pack:install: install/update metadata with product version, install timestamp, and localOnly: true;
  • pack:active-filed-returns-run: a short-lived local run lease used to prevent overlapping filed-return downloads in the same browser profile;
  • pack:full-fiscal-year-ledger: local-only full fiscal year run status with financial year, period, return type, target status, safe messages/signals, attempts, and timestamps only;
  • pack:filed-returns-target-review: local-only single-period unresolved download review state with financial year, period, return type, safe messages/signals, and timestamps only;
  • pack:last-manifest: the last local demo archive manifest summary. The live GST download path does not write a live manifest in this alpha.

chrome.storage.session:

  • pack:last-context: the latest safe GST page support context;
  • pack:last-filed-returns-observation: the latest safe filed-returns page observation;
  • pack:last-filed-returns-flow-summary: the latest temporary filed-return flow status.

The Options page "Clear local Pack data" control removes the local keys above and clears Pack session storage. Pack does not store GST Portal credentials, OTPs, CAPTCHA values, cookies, GSTIN/PAN, taxpayer names, downloaded PDFs, portal HTML, raw URLs/referrers, local download paths, filenames, or raw network captures.

During a user-initiated live download, Pack temporarily observes browser download metadata such as download ID, origin, MIME type, filename, start time, state, and byte counts to decide whether the browser reported a non-empty GST Portal file for the selected artifact. This observation is bounded to the active run. Pack does not transmit this metadata, and the current live path does not persist raw URLs, referrers, absolute local paths, or filenames.
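
One way to audit the storage promises above from a dump of both storage areas, as an added example that is not code from the Pack repository. The key names are the ones listed above; the GSTIN, PAN and URL patterns, the snapshot shape and the sample data are assumptions.

```javascript
// Added example, not code from the Pack repository. Key names come from the
// storage lists above; the patterns and snapshot shape are assumptions.
const DOCUMENTED_KEYS = {
  local: ["pack:install", "pack:active-filed-returns-run", "pack:full-fiscal-year-ledger",
    "pack:filed-returns-target-review", "pack:last-manifest"],
  session: ["pack:last-context", "pack:last-filed-returns-observation",
    "pack:last-filed-returns-flow-summary"],
};

// Shapes of data the page says Pack does not store.
const FORBIDDEN = [
  ["GSTIN", /\b\d{2}[A-Z]{5}\d{4}[A-Z][1-9A-Z]Z[0-9A-Z]\b/],
  ["PAN", /\b[A-Z]{5}\d{4}[A-Z]\b/],
  ["URL", /\bhttps?:\/\//i],
];

// Yield every string (property names and values) nested inside a stored value.
function* strings(value) {
  if (typeof value === "string") yield value;
  else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) { yield k; yield* strings(v); }
  }
}

// snapshot: { local: {...}, session: {...} }, one object per storage area.
// Findings name the key and the kind of match, never the matched value.
function auditStorage(snapshot) {
  const findings = [];
  for (const area of Object.keys(DOCUMENTED_KEYS)) {
    for (const [key, value] of Object.entries(snapshot[area] ?? {})) {
      if (!DOCUMENTED_KEYS[area].includes(key)) findings.push(`${area}/${key}: undocumented key`);
      for (const s of strings(value)) {
        for (const [label, re] of FORBIDDEN) {
          if (re.test(s)) findings.push(`${area}/${key}: looks like ${label}`);
        }
      }
    }
  }
  return findings;
}

// Constructed snapshots; field names and the GSTIN-shaped string are made up.
const CLEAN_SNAPSHOT = {
  local: { "pack:install": { version: "0.3.2", installedAt: "2026-01-01T00:00:00.000Z", localOnly: true } },
  session: { "pack:last-context": { supported: true } },
};
const LEAKY_SNAPSHOT = {
  local: { "pack:debug-dump": { gstin: "27ABCDE1234F1Z5" } },
  session: { "pack:last-context": { href: "https://example.invalid/page" } },
};
```

A snapshot can be taken from the extension's service worker console with chrome.storage.local.get(null) and chrome.storage.session.get(null).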

Privacy Invariants

ComplyEaze Pack V0 must not:

  • collect credentials, OTPs, CAPTCHA responses, cookies, or session tokens;
  • upload GST files or document contents in the local-download workflow;
  • access unrelated websites;
  • use GST data for advertising, lending, creditworthiness, or profiling;
  • load remote executable code.

Public issues, pull requests, screenshots, and support messages must not contain real GSTIN, PAN, Aadhaar, taxpayer/client names, credentials, portal HTML, raw network captures, or downloaded GST files.

Release Notes And Reviewer Docs

Contributing

Read CONTRIBUTING.md, SECURITY.md, and TRADEMARKS.md before opening issues or pull requests.

License

Source code and documentation are licensed under the Apache License, Version 2.0. See LICENSE and NOTICE. ComplyEaze names, marks, logos, icons, and official store identity are governed by TRADEMARKS.md.

About

Local first browser extension for collecting compliance portal documents from the comfort, privacy and security of your own browser session. Starting with GSTR-3B where we don't capture any credentials.
