[eric_bullington]

You know, if this takes off -- and I hope it does -- you may be in a good position to help solve some of the client-side JS security issues/concerns, particularly in combination with the upcoming webcrypto standard.

I'm thinking in particular about publishing a registry of library hashes and possibly signatures (specified in your json config), and then validating them before your users install.

In fact, if this becomes popular, I think you may have to do this, otherwise you could well become a hive of malware purveyors impersonating popular apps (or whatever you end up calling them -- btw, I don't think "widget" is a bad idea for what you're doing, or even coming up with a new term).

Looking forward to watching this.