refactor: decouple installation and validation logic from DetailsViewModel

- Extract APK validation, fingerprint checking, and database persistence into a new `InstallationManager` interface and implementation.
- Introduce `AttestationVerifier` to handle GitHub supply-chain security verification independently.
- Move version normalization and semantic comparison logic to a pure `VersionHelper` utility.
- Refactor `DetailsViewModel` to utilize the new managers, significantly reducing its complexity and size.
- Define sealed interfaces for `ApkValidationResult` and `FingerprintCheckResult` to handle installation edge cases more robustly.
- Update Koin dependency injection modules to include the new domain and data layer components.
- Standardize parameters for saving and updating installed apps using new data models (`SaveInstalledAppParams`, `UpdateInstalledAppParams`).

Author: rainxchzed

feature/details/data/src/commonMain/kotlin/zed/rainxch/details/data/di/SharedModule.kt

@@ -3,8 +3,12 @@ package zed.rainxch.details.data.di
 import org.koin.dsl.module
 import zed.rainxch.details.data.repository.DetailsRepositoryImpl
 import zed.rainxch.details.data.repository.TranslationRepositoryImpl
+import zed.rainxch.details.data.system.AttestationVerifierImpl
+import zed.rainxch.details.data.system.InstallationManagerImpl
 import zed.rainxch.details.domain.repository.DetailsRepository
 import zed.rainxch.details.domain.repository.TranslationRepository
+import zed.rainxch.details.domain.system.AttestationVerifier
+import zed.rainxch.details.domain.system.InstallationManager
 
 val detailsModule =
     module {
@@ -22,4 +26,20 @@ val detailsModule =
                 localizationManager = get(),
             )
         }
+
+        single<AttestationVerifier> {
+            AttestationVerifierImpl(
+                detailsRepository = get(),
+                logger = get(),
+            )
+        }
+
+        single<InstallationManager> {
+            InstallationManagerImpl(
+                installer = get(),
+                installedAppsRepository = get(),
+                favouritesRepository = get(),
+                logger = get(),
+            )
+        }
     }

feature/details/data/src/commonMain/kotlin/zed/rainxch/details/data/system/AttestationVerifierImpl.kt

@@ -0,0 +1,38 @@
+package zed.rainxch.details.data.system
+
+import zed.rainxch.core.domain.logging.GitHubStoreLogger
+import zed.rainxch.details.domain.repository.DetailsRepository
+import zed.rainxch.details.domain.system.AttestationVerifier
+import java.io.File
+import java.io.FileInputStream
+import java.security.MessageDigest
+
+class AttestationVerifierImpl(
+    private val detailsRepository: DetailsRepository,
+    private val logger: GitHubStoreLogger,
+) : AttestationVerifier {
+    override suspend fun verify(
+        owner: String,
+        repoName: String,
+        filePath: String,
+    ): Boolean =
+        try {
+            val digest = computeSha256(filePath)
+            detailsRepository.checkAttestations(owner, repoName, digest)
+        } catch (e: Exception) {
+            logger.debug("Attestation check error: ${e.message}")
+            false
+        }
+
+    private fun computeSha256(filePath: String): String {
+        val digest = MessageDigest.getInstance("SHA-256")
+        val buffer = ByteArray(8192)
+        FileInputStream(File(filePath)).use { fis ->
+            var bytesRead: Int
+            while (fis.read(buffer).also { bytesRead = it } != -1) {
+                digest.update(buffer, 0, bytesRead)
+            }
+        }
+        return digest.digest().joinToString("") { "%02x".format(it) }
+    }
+}

feature/details/data/src/commonMain/kotlin/zed/rainxch/details/data/system/InstallationManagerImpl.kt

@@ -0,0 +1,133 @@
+package zed.rainxch.details.data.system
+
+import kotlinx.coroutines.delay
+import zed.rainxch.core.domain.logging.GitHubStoreLogger
+import zed.rainxch.core.domain.model.ApkPackageInfo
+import zed.rainxch.core.domain.model.InstallSource
+import zed.rainxch.core.domain.model.InstalledApp
+import zed.rainxch.core.domain.repository.FavouritesRepository
+import zed.rainxch.core.domain.repository.InstalledAppsRepository
+import zed.rainxch.core.domain.system.Installer
+import zed.rainxch.details.domain.system.ApkValidationResult
+import zed.rainxch.details.domain.system.FingerprintCheckResult
+import zed.rainxch.details.domain.system.InstallationManager
+import zed.rainxch.details.domain.system.SaveInstalledAppParams
+import zed.rainxch.details.domain.system.UpdateInstalledAppParams
+import kotlin.time.Clock.System
+import kotlin.time.ExperimentalTime
+
+class InstallationManagerImpl(
+    private val installer: Installer,
+    private val installedAppsRepository: InstalledAppsRepository,
+    private val favouritesRepository: FavouritesRepository,
+    private val logger: GitHubStoreLogger,
+) : InstallationManager {
+    override suspend fun validateApk(
+        filePath: String,
+        isUpdate: Boolean,
+        trackedPackageName: String?,
+    ): ApkValidationResult {
+        val apkInfo = installer.getApkInfoExtractor().extractPackageInfo(filePath)
+            ?: return ApkValidationResult.ExtractionFailed
+
+        if (isUpdate && trackedPackageName != null && apkInfo.packageName != trackedPackageName) {
+            return ApkValidationResult.PackageMismatch(
+                apkPackageName = apkInfo.packageName,
+                installedPackageName = trackedPackageName,
+            )
+        }
+
+        return ApkValidationResult.Valid(apkInfo)
+    }
+
+    override suspend fun checkSigningFingerprint(apkInfo: ApkPackageInfo): FingerprintCheckResult {
+        val existingApp =
+            installedAppsRepository.getAppByPackage(apkInfo.packageName)
+                ?: return FingerprintCheckResult.Ok
+
+        val expectedFp = existingApp.signingFingerprint ?: return FingerprintCheckResult.Ok
+        val actualFp = apkInfo.signingFingerprint ?: return FingerprintCheckResult.Ok
+
+        return if (expectedFp == actualFp) {
+            FingerprintCheckResult.Ok
+        } else {
+            FingerprintCheckResult.Mismatch(
+                expectedFingerprint = expectedFp,
+                actualFingerprint = actualFp,
+            )
+        }
+    }
+
+    @OptIn(ExperimentalTime::class)
+    override suspend fun saveNewInstalledApp(params: SaveInstalledAppParams): InstalledApp? =
+        try {
+            val apkInfo = params.apkInfo
+            val repo = params.repo
+
+            val installedApp =
+                InstalledApp(
+                    packageName = apkInfo.packageName,
+                    repoId = repo.id,
+                    repoName = repo.name,
+                    repoOwner = repo.owner.login,
+                    repoOwnerAvatarUrl = repo.owner.avatarUrl,
+                    repoDescription = repo.description,
+                    primaryLanguage = repo.language,
+                    repoUrl = repo.htmlUrl,
+                    installedVersion = params.releaseTag,
+                    installedAssetName = params.assetName,
+                    installedAssetUrl = params.assetUrl,
+                    latestVersion = params.releaseTag,
+                    latestAssetName = params.assetName,
+                    latestAssetUrl = params.assetUrl,
+                    latestAssetSize = params.assetSize,
+                    appName = apkInfo.appName,
+                    installSource = InstallSource.THIS_APP,
+                    installedAt = System.now().toEpochMilliseconds(),
+                    lastCheckedAt = System.now().toEpochMilliseconds(),
+                    lastUpdatedAt = System.now().toEpochMilliseconds(),
+                    isUpdateAvailable = false,
+                    updateCheckEnabled = true,
+                    releaseNotes = "",
+                    systemArchitecture = installer.detectSystemArchitecture().name,
+                    fileExtension = params.assetName.substringAfterLast('.', ""),
+                    isPendingInstall = params.isPendingInstall,
+                    installedVersionName = apkInfo.versionName,
+                    installedVersionCode = apkInfo.versionCode,
+                    latestVersionName = apkInfo.versionName,
+                    latestVersionCode = apkInfo.versionCode,
+                    signingFingerprint = apkInfo.signingFingerprint,
+                )
+
+            installedAppsRepository.saveInstalledApp(installedApp)
+
+            if (params.isFavourite) {
+                favouritesRepository.updateFavoriteInstallStatus(
+                    repoId = repo.id,
+                    installed = true,
+                    packageName = apkInfo.packageName,
+                )
+            }
+
+            delay(1000)
+            val reloaded = installedAppsRepository.getAppByPackage(apkInfo.packageName)
+            logger.debug("Successfully saved and reloaded app: ${reloaded?.packageName}")
+            reloaded
+        } catch (t: Throwable) {
+            logger.error("Failed to save installed app to database: ${t.message}")
+            t.printStackTrace()
+            null
+        }
+
+    override suspend fun updateInstalledAppVersion(params: UpdateInstalledAppParams) {
+        installedAppsRepository.updateAppVersion(
+            packageName = params.apkInfo.packageName,
+            newTag = params.releaseTag,
+            newAssetName = params.assetName,
+            newAssetUrl = params.assetUrl,
+            newVersionName = params.apkInfo.versionName,
+            newVersionCode = params.apkInfo.versionCode,
+            signingFingerprint = params.apkInfo.signingFingerprint,
+        )
+    }
+}

feature/details/domain/src/commonMain/kotlin/zed/rainxch/details/domain/model/ApkValidationResult.kt

@@ -0,0 +1,19 @@
+package zed.rainxch.details.domain.model
+
+import zed.rainxch.core.domain.model.ApkPackageInfo
+
+sealed interface ApkValidationResult {
+    /** APK is valid and ready to install. */
+    data class Valid(
+        val apkInfo: ApkPackageInfo,
+    ) : ApkValidationResult
+
+    /** Could not extract package information from the APK. */
+    data object ExtractionFailed : ApkValidationResult
+
+    /** Package name in the APK does not match the currently installed app. */
+    data class PackageMismatch(
+        val apkPackageName: String,
+        val installedPackageName: String,
+    ) : ApkValidationResult
+}

feature/details/domain/src/commonMain/kotlin/zed/rainxch/details/domain/model/FingerprintCheckResult.kt

@@ -0,0 +1,12 @@
+package zed.rainxch.details.domain.model
+
+sealed interface FingerprintCheckResult {
+    /** Fingerprint matches or no prior fingerprint is recorded. */
+    data object Ok : FingerprintCheckResult
+
+    /** Signing key has changed compared to the previously installed version. */
+    data class Mismatch(
+        val expectedFingerprint: String,
+        val actualFingerprint: String,
+    ) : FingerprintCheckResult
+}

feature/details/domain/src/commonMain/kotlin/zed/rainxch/details/domain/model/SaveInstalledAppParams.kt

@@ -0,0 +1,15 @@
+package zed.rainxch.details.domain.model
+
+import zed.rainxch.core.domain.model.ApkPackageInfo
+import zed.rainxch.core.domain.model.GithubRepoSummary
+
+data class SaveInstalledAppParams(
+    val repo: GithubRepoSummary,
+    val apkInfo: ApkPackageInfo,
+    val assetName: String,
+    val assetUrl: String,
+    val assetSize: Long,
+    val releaseTag: String,
+    val isPendingInstall: Boolean,
+    val isFavourite: Boolean,
+)

feature/details/domain/src/commonMain/kotlin/zed/rainxch/details/domain/model/UpdateInstalledAppParams.kt

@@ -0,0 +1,10 @@
+package zed.rainxch.details.domain.model
+
+import zed.rainxch.core.domain.model.ApkPackageInfo
+
+data class UpdateInstalledAppParams(
+    val apkInfo: ApkPackageInfo,
+    val assetName: String,
+    val assetUrl: String,
+    val releaseTag: String,
+)

feature/details/domain/src/commonMain/kotlin/zed/rainxch/details/domain/system/AttestationVerifier.kt

@@ -0,0 +1,19 @@
+package zed.rainxch.details.domain.system
+
+/**
+ * Verifies build attestations for downloaded assets using GitHub's
+ * supply-chain security API.
+ */
+interface AttestationVerifier {
+    /**
+     * Computes the SHA-256 digest of [filePath] and checks whether
+     * the repository [owner]/[repoName] has a matching attestation.
+     *
+     * @return `true` if a valid attestation exists, `false` otherwise.
+     */
+    suspend fun verify(
+        owner: String,
+        repoName: String,
+        filePath: String,
+    ): Boolean
+}

feature/details/domain/src/commonMain/kotlin/zed/rainxch/details/domain/system/InstallationManager.kt

@@ -0,0 +1,44 @@
+package zed.rainxch.details.domain.system
+
+import zed.rainxch.core.domain.model.ApkPackageInfo
+import zed.rainxch.core.domain.model.GithubRepoSummary
+import zed.rainxch.core.domain.model.InstalledApp
+import zed.rainxch.details.domain.model.ApkValidationResult
+import zed.rainxch.details.domain.model.FingerprintCheckResult
+import zed.rainxch.details.domain.model.SaveInstalledAppParams
+import zed.rainxch.details.domain.model.UpdateInstalledAppParams
+
+/**
+ * Encapsulates APK validation, fingerprint checking, and
+ * installed-app database persistence so the ViewModel stays thin.
+ */
+interface InstallationManager {
+    /**
+     * Extracts [ApkPackageInfo] from [filePath] and validates it.
+     * On an update, verifies the package name matches [trackedPackageName].
+     */
+    suspend fun validateApk(
+        filePath: String,
+        isUpdate: Boolean,
+        trackedPackageName: String?,
+    ): ApkValidationResult
+
+    /**
+     * Checks whether the signing fingerprint of [apkInfo] matches
+     * the fingerprint previously recorded for the same package.
+     */
+    suspend fun checkSigningFingerprint(apkInfo: ApkPackageInfo): FingerprintCheckResult
+
+    /**
+     * Saves a freshly installed app to the database and optionally
+     * updates the favourite install status.
+     *
+     * @return the reloaded [InstalledApp], or `null` on failure.
+     */
+    suspend fun saveNewInstalledApp(params: SaveInstalledAppParams): InstalledApp?
+
+    /**
+     * Updates the version metadata of an already-tracked app.
+     */
+    suspend fun updateInstalledAppVersion(params: UpdateInstalledAppParams)
+}