Skip to content

docs(peek): align plugin listing + skill with the shipped act capability and real action schema#138

Merged
harry-harish merged 1 commit into
mainfrom
worktree-peek-plugin-listing-polish
Jul 2, 2026
Merged

docs(peek): align plugin listing + skill with the shipped act capability and real action schema#138
harry-harish merged 1 commit into
mainfrom
worktree-peek-plugin-listing-polish

Conversation

@harry-harish

@harry-harish harry-harish commented Jul 2, 2026

Copy link
Copy Markdown
Member

What & why

Optional polish from the pre-approval review of the peek Claude Code plugin
(submitted to the Anthropic claude-community marketplace). That review found
0 approval blockers; these are 3 of the 7 low-severity items — the ones
worth fixing before the listing is pinned. Nothing here is required for
approval; because CI re-pins the marketplace SHA as main advances, the fixes
reach users without a re-submission.

Changes

  • Listing accuracy (plugin.json, marketplace.json) — the one-liner
    descriptions read as read-only-only. They now name peek's consent-gated
    live-browser act capability (execute_action et al.) so the shortest
    listing text matches the tool surface a safety screener enumerates. Fully
    disclosed already in the README + skill; this just aligns the summary.
  • SKILL.md consent-flow example — the old example used a flat, invalid
    shape (action: 'click', selector, no sessionId) that returns
    MCP error -32602. Corrected to the real schema —
    request_authorization / execute_action take
    { sessionId, action: { type, ref } } (+ confirmToken) — and it now uses
    a get_page_view ref, per the skill's own ref-first guidance.
  • SKILL.md privacy wording — "runs entirely on the user's machine" now
    carries the same honest caveat the READMEs do: peek uploads nothing, but
    what your MCP client does with the returned session data is up to you.

The bundled plugins/peek/skills/peek/SKILL.md is kept byte-identical to
the canonical packages/peek-cli/skills/peek-skill.md (the verify:plugin
drift guard enforces this).

Verification

  • pnpm verify:plugin → OK (marketplace + plugin manifest + mcp parity + skill sync)
  • claude plugin validate ./plugins/peek and claude plugin validate . → ✔ passed
  • pnpm lint (biome, 520 files) → clean
  • Empirical: the old example args return -32602 (missing sessionId,
    action expected object); the new args pass input validation and reach
    the permission layer (verdict: deny … level-0-off) — a downstream denial,
    not a schema error.

No TypeScript, tests, or recipes touched (doc/metadata only).

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Clarified that Peek can interact with a live page with consent, including actions like click, type, and navigate.
    • Added clearer guidance for using session-based live browser actions.
  • Documentation

    • Updated product descriptions to better explain privacy, local-only behavior, and no telemetry/account requirements.
    • Revised the example consent flow to show the recommended step-by-step workflow and approval handling.

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@harry-harish, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 39 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: bf2cef35-f599-465f-ad68-74a21e550278

📥 Commits

Reviewing files that changed from the base of the PR and between 4683ce4 and 65c3fe3.

📒 Files selected for processing (4)
  • .claude-plugin/marketplace.json
  • packages/peek-cli/skills/peek-skill.md
  • plugins/peek/.claude-plugin/plugin.json
  • plugins/peek/skills/peek/SKILL.md
📝 Walkthrough

Walkthrough

This PR updates documentation and description strings across the peek plugin/marketplace metadata and skill guides. Descriptions now mention per-origin consent and live-page actions. Skill docs are rewritten to describe a no-upload privacy stance and a new session-based consent flow using list_recent_sessions, get_page_view, request_authorization, and execute_action.

Changes

Documentation and description updates

Layer / File(s) Summary
Plugin and marketplace description updates
.claude-plugin/marketplace.json, plugins/peek/.claude-plugin/plugin.json
Description strings updated to mention per-origin consent and the ability to act in the live page (click/type/navigate).
Skill documentation privacy notes and consent-flow examples
packages/peek-cli/skills/peek-skill.md, plugins/peek/skills/peek/SKILL.md
Privacy notes reworded to state peek uploads nothing; consent-flow examples rewritten to use list_recent_sessions, get_page_view (stable ref), request_authorization({sessionId, action}), and execute_action({sessionId, action, confirmToken}), with explicit stop-on-decline guidance replacing the prior origin/selector-based flow.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Agent
  participant MCP
  participant User

  Agent->>MCP: list_recent_sessions()
  MCP-->>Agent: sessionId
  Agent->>MCP: get_page_view(sessionId)
  MCP-->>Agent: stable ref
  Agent->>MCP: request_authorization({sessionId, action: {type: 'click', ref}})
  MCP->>User: request consent
  User-->>MCP: approve/decline
  MCP-->>Agent: confirmToken (if approved)
  Agent->>MCP: execute_action({sessionId, action, confirmToken})
Loading

Possibly related PRs

  • Cubenest/rrweb-stack#63: Both PRs update the consent/live-page flow messaging for the same MCP tools (list_recent_sessions, get_page_view, request_authorization, execute_action).
  • Cubenest/rrweb-stack#94: Both PRs revise packages/peek-cli/skills/peek-skill.md for the same session-based consent/authorization flow.
  • Cubenest/rrweb-stack#133: Both PRs touch the "live page" tool surface documentation, including use of get_page_view for stable refs.

Poem

A rabbit hops through docs anew,
"No uploads here," it says, "it's true!"
Session, ref, and token bright,
Consent asked before each click or write,
Words refined, but code stays snug and tight. 🐇

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the docs-only update to the plugin listing and skill, including the live act capability and corrected action schema.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch worktree-peek-plugin-listing-polish

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/peek-cli/skills/peek-skill.md`:
- Around line 154-167: The session authorization example is ambiguous because it
uses confirmToken as if it already exists; update the walkthrough in
peek-skill.md to explicitly show that request_authorization returns the one-shot
confirmToken and then pass that returned value into execute_action. Keep the
flow clear using the existing symbols request_authorization, execute_action,
sessionId, and confirmToken so the example is copy-pastable and unambiguous.
- Line 16: The bootstrap install command in peek-skill.md is unpinned and
currently references npx `@peekdev/cli` init, which should be changed to a fixed
version or local install reference. Update the command text to use the specific
CLI version already intended for this workflow (or an equivalent local path) so
the init step is deterministic; use the existing init instruction in the
markdown as the place to make this change.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 8e6ce677-a200-489a-bc4a-b2f254f73042

📥 Commits

Reviewing files that changed from the base of the PR and between f9fc8c3 and 8b54eae.

📒 Files selected for processing (4)
  • .claude-plugin/marketplace.json
  • packages/peek-cli/skills/peek-skill.md
  • plugins/peek/.claude-plugin/plugin.json
  • plugins/peek/skills/peek/SKILL.md

Comment thread packages/peek-cli/skills/peek-skill.md
Comment thread packages/peek-cli/skills/peek-skill.md
@harry-harish

Copy link
Copy Markdown
Member Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

harry-harish added a commit that referenced this pull request Jul 2, 2026
Address CodeRabbit review on #138: bind confirmToken to the
request_authorization return in the consent-flow sketch so its provenance
is explicit and the example is copy-pastable. Both skill copies kept
byte-identical (verify:plugin green).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: harry-harish <22562634+harry-harish@users.noreply.github.com>
@harry-harish

Copy link
Copy Markdown
Member Author

@coderabbitai full review

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown
✅ Action performed

Full review finished.

…real action schema

Optional polish from the community-marketplace pre-approval review (0
blockers). Rebased onto #137 (verify_audit_log / 17 tools); these edits are
independent of it.

- plugin.json / marketplace.json: the listing one-liners omitted peek's
  consent-gated live-browser act capability (execute_action et al.). Add a
  short "with per-origin consent, act in the live page" clause so the shortest
  listing text matches the tool surface a screener enumerates.
- SKILL.md consent-flow example used a flat, invalid shape (action: 'click',
  selector, no sessionId) that returns MCP -32602. Fix it to the real schema
  (request_authorization / execute_action take { sessionId, action: { type,
  ref } }), bind the returned confirmToken explicitly, and prefer a
  get_page_view ref per the skill's own guidance.
- SKILL.md "runs entirely on the user's machine" now carries the READMEs'
  honest caveat (peek uploads nothing; what your MCP client does with returned
  session data is up to you).

Both skill copies kept byte-identical (verify:plugin green). Verified: claude
plugin validate (plugin + marketplace) passes, biome clean, and the corrected
example shape passes live input validation.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: harry-harish <22562634+harry-harish@users.noreply.github.com>
@harry-harish harry-harish force-pushed the worktree-peek-plugin-listing-polish branch from 89a757d to 65c3fe3 Compare July 2, 2026 04:36
@harry-harish

Copy link
Copy Markdown
Member Author

@coderabbitai full review

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown
✅ Action performed

Full review finished.

@harry-harish harry-harish merged commit 0b534c0 into main Jul 2, 2026
7 checks passed
@harry-harish harry-harish deleted the worktree-peek-plugin-listing-polish branch July 2, 2026 04:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant