Feat/browser extension docs

[Sajjad21990]

Description

Testing (ignore for documentation update)

Type of change

• Bug fix
• New feature
• Breaking change
• Documentation update

Checklist:

• I have read and agree to the Code of Conduct.
• I have signed the Contributor License Agreement (CLA).
• I have considered the Security Policy.
• I have self-reviewed and tested my code.
• I have updated documentation as needed.
• I agree to the project's custom license.

Additional Notes:

Summary by CodeRabbit

Release Notes

• Documentation
  • Added comprehensive Browser Extension SDK documentation suite including installation steps, dual integration paths (extension and web), setup guides with code examples, API reference, troubleshooting guide, and security best practices for developers implementing Reclaim verification in browser extensions.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
docs	Ready	Preview	Comment	Oct 30, 2025 5:24am

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[coderabbitai]

Walkthrough

This pull request adds comprehensive documentation for the Reclaim Browser Extension SDK, introducing guides for both Extension Integration and Web Integration paths. New pages cover installation, manifest configuration, setup, usage, troubleshooting, and security best practices with code examples and architecture diagrams.

Changes

Cohort / File(s)	Summary
Browser Extension SDK Core Documentation content/docs/browser-extension/index.mdx, content/docs/browser-extension/installation.mdx, content/docs/browser-extension/troubleshooting.mdx, content/docs/browser-extension/meta.json	Introduces main SDK documentation overview, prerequisite installation steps for npm/yarn, comprehensive troubleshooting guide covering common issues and debugging tools, and metadata structure for the browser extension section.
Extension Integration Documentation content/docs/browser-extension/extension-integration/index.mdx, content/docs/browser-extension/extension-integration/manifest-configuration.mdx, content/docs/browser-extension/extension-integration/setup.mdx, content/docs/browser-extension/extension-integration/usage.mdx, content/docs/browser-extension/extension-integration/meta.json	Provides complete extension integration guidance including MV3 manifest configuration with CSP and permissions, background service worker and content script initialization, verification flow implementation with event handling, security considerations, and integration metadata.
Web Integration Documentation (Optional) content/docs/browser-extension/web-integration/index.mdx, content/docs/browser-extension/web-integration/setup.mdx, content/docs/browser-extension/web-integration/usage.mdx, content/docs/browser-extension/web-integration/meta.json	Documents web-based verification flow with both development (quick start) and production (server-side) setup paths, environment variable configuration, backend Express/Next.js examples, React components and custom hooks, and comprehensive API reference.
Documentation Index Update content/docs/meta.json	Updates main documentation index to include new browser-extension, oauth, and apis sections.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

• All changes are documentation-only (MDX and JSON metadata files) with homogeneous, repetitive structure
• Content is primarily instructional with code examples and diagrams rather than complex logic
• Minimal complexity in review: verify accuracy of instructions, code examples, and cross-references
• No code logic, APIs, or functional changes to assess

Possibly related PRs

• Browser Extension Docs for JS SDK #56: Prior Browser Extension SDK documentation updates covering integration, usage, and configuration guidance.

Suggested labels

documentation

Suggested reviewers

• ChinmayMhatre
• Kushal7788
• kryptocodes

Poem

🐰 Hopping through docs with care and cheer,
Extension guides now crystal clear!
Web and manifest, setup and more,
Browser magic we explore!
~CodeRabbit's documentation tour 🚀

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The pull request title "Feat/browser extension docs" directly corresponds to the main change in this changeset, which introduces comprehensive documentation for the Reclaim Browser Extension SDK. The title clearly indicates that this is a feature addition (denoted by "Feat/") related to browser extension documentation. A developer reviewing the commit history would immediately understand that this PR adds browser extension-related documentation. While the title could arguably be slightly more specific about the scope (e.g., mentioning that it covers installation, configuration, integration, and troubleshooting guides), it is not vague or misleading and accurately represents the primary content of the changeset.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/browserExtensionDocs

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (8)

content/docs/browser-extension/extension-integration/manifest-configuration.mdx (1)

186-186: Minor grammar suggestion at line 186.

Consider adding "the" before "offscreen" for better flow: "Manages the offscreen document lifecycle" (or review context for correct phrasing).

content/docs/browser-extension/extension-integration/usage.mdx (1)

587-587: Explain why proofs are URL-encoded in the callback.

Line 587 includes a comment stating proofs are "urlencoded proof object that is returned to the callback url," but there's no explanation for developers about why this encoding happens or when to expect it. Add a brief note clarifying:

• Why proofs come URL-encoded (protocol/transport reason)
• When to use decodeURIComponent() (always for callback, or conditionally?)
• Whether this applies to other SDK usage patterns or only callbacks

This will help developers understand the pattern rather than blindly copy-pasting the decode logic.

Also applies to: 632-632

content/docs/browser-extension/troubleshooting.mdx (3)

223-223: Clarify run_at: "document_start" requirement.

Line 223 states the requirement as "Must be document_start!" but doesn't explain the consequences of not using it. Add clarity on:

• Why this timing is critical (proofs generation, interception)?
• What breaks if "document_end" or "document_idle" is used instead?
• Whether there are any trade-offs (performance, etc.) to running at document start?

This helps developers understand the constraint rather than just follow a rule.

---

411-425: Clarify when CORS is needed for server-side config.

Line 411–425 shows CORS configuration in the debugging section, but it's unclear whether CORS is:

• Always required when using server-side config?
• Only needed if backend and frontend are on different domains?
• Required for production but optional for development?

Add a note explaining the CORS requirement context (e.g., "CORS is required if your backend API is on a different domain than your website").

---

256-264: Clarify world: "ISOLATED" recommendation.

Line 260 recommends using "world": "ISOLATED" for content scripts as the "Recommended" option, but doesn't explain:

• What the default is if not specified?
• Why isolated world is recommended (security? compatibility?)?
• Are there scenarios where the default world is preferable?

Add context so developers understand when and why to use this setting.

content/docs/browser-extension/web-integration/usage.mdx (1)

596-719: Well-structured custom hook for verification logic.

The useReclaimVerification hook cleanly extracts verification logic and state management, making it reusable across components. The hook includes:

• Proper cleanup and state reset
• Memoized callbacks to prevent unnecessary re-renders
• Comprehensive state tracking

Consider adding a TypeScript version or at least JSDoc type hints (e.g., @param {string} providerId) for better IDE support and discoverability.

content/docs/browser-extension/web-integration/index.mdx (1)

1-12: Clarify "Optional" vs. "Alternative" integration path.

Lines 1–7 label web integration as "Optional Integration," which might suggest it's a lesser or secondary path. However, web integration is a legitimate and valuable integration pattern for websites. Consider reframing the language to be clearer:

• "Web Integration (Optional)" → "Web Integration: Website Integration Path" or "Web Integration: For Websites"
• The callout could say: "This section is for websites that want to integrate with a compatible extension" rather than framing it as optional.

This avoids potentially discouraging developers who legitimately need web integration (non-extension developers).

content/docs/browser-extension/web-integration/setup.mdx (1)

226-317: Backend API examples are comprehensive but lack error details.

Both Express.js (lines 226–317) and Next.js (lines 328–406) backend examples provide solid foundations, but they lack:

1. Input validation: Beyond checking if providerId is present, the examples don't validate that it's a valid provider from the Reclaim platform. Should add validation or a comment noting this should be done.

2. Error codes: Callback handlers return generic 500 errors without distinguishing between different failure modes (config generation failure vs. proof validation failure vs. database storage failure).

3. Rate limiting: The examples don't show rate limiting or abuse prevention, which should be implemented before production.

Add a comment in each example suggesting these production-ready enhancements, or consider creating a "Production Hardening" section before these examples.

Also applies to: 328-406

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c3d0462 and 269a024.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (14)

• content/docs/browser-extension/extension-integration/index.mdx (1 hunks)
• content/docs/browser-extension/extension-integration/manifest-configuration.mdx (1 hunks)
• content/docs/browser-extension/extension-integration/meta.json (1 hunks)
• content/docs/browser-extension/extension-integration/setup.mdx (1 hunks)
• content/docs/browser-extension/extension-integration/usage.mdx (1 hunks)
• content/docs/browser-extension/index.mdx (1 hunks)
• content/docs/browser-extension/installation.mdx (1 hunks)
• content/docs/browser-extension/meta.json (1 hunks)
• content/docs/browser-extension/troubleshooting.mdx (1 hunks)
• content/docs/browser-extension/web-integration/index.mdx (1 hunks)
• content/docs/browser-extension/web-integration/meta.json (1 hunks)
• content/docs/browser-extension/web-integration/setup.mdx (1 hunks)
• content/docs/browser-extension/web-integration/usage.mdx (1 hunks)
• content/docs/meta.json (1 hunks)

🧰 Additional context used

🪛 LanguageTool

content/docs/browser-extension/extension-integration/manifest-configuration.mdx

[grammar] ~186-~186: Ensure spelling is correct
Context: ...alization occurs in this file - Manages offscreen document lifecycle - Handles message ro...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

🔇 Additional comments (12)

content/docs/browser-extension/extension-integration/manifest-configuration.mdx (5)

14-61: Verify manifest JSON examples are complete and valid.

The complete manifest configuration is well-structured and detailed. Ensure that:

1. All JSON paths match the actual SDK asset structure after running the installation setup script
2. The "run_at": "document_start" setting is correct for all use cases mentioned in the guide

---

65-95: Excellent CSP explanation.

The Content Security Policy section clearly explains why 'wasm-unsafe-eval' is required and provides good context for security trade-offs. The warning callout appropriately contextualizes this as an approved and necessary exception.

---

97-135: Permissions section is well-documented with comprehensive rationale.

Each permission (offscreen, cookies, scripting) is explained with clear context about purpose, usage, and security implications. The scripting permission rationale particularly helps users understand why this broad permission is required.

---

136-173: Host permissions approach is well-balanced.

The guide appropriately presents both the broad <all_urls> approach and the alternative of listing specific provider domains, with clear trade-offs explained. The security implications and user trust callout is helpful.

---

292-321: Validation checklist and testing section provide excellent practical guidance.

The checklist (lines 292-301) is comprehensive and covers all critical configuration points. The testing section (lines 305-321) provides clear step-by-step verification procedures that developers can follow immediately.

content/docs/browser-extension/extension-integration/usage.mdx (2)

541-562: Well-documented security best practice guidance.

The production security section clearly articulates why server-side configuration is essential, and the distinction between @reclaimprotocol/js-sdk (backend) and @reclaimprotocol/browser-extension-sdk (frontend) is helpful for developers. However, consider clarifying earlier in the document (perhaps in the "Overview" section) that the dev-only quick-start example is strictly for learning and prototyping.

---

770-877: Comprehensive testing and debugging guidance.

The section covers manual testing, debugging tips, and common issues well. The state-tracking pattern for preventing concurrent verification attempts (lines 849–876) is especially valuable and could be promoted to the "Basic Popup Implementation" section as a best practice.

content/docs/browser-extension/extension-integration/index.mdx (1)

146-146: Resolve incomplete link references.

Line 146 references server-side configuration with [server-side configuration](#) (coming soon) — the empty fragment link should either:

• Point to the actual path /web/backend/usage (or wherever the backend guide lives)
• Or remove the placeholder link if the backend integration guide isn't ready

Similarly, line 164 includes a comment (link to be added) for the sample extension. Ensure the URL is populated before merge, or document how developers can find the sample.

Also applies to: 164-164

content/docs/browser-extension/web-integration/usage.mdx (1)

302-494: Excellent production-ready React component example.

The component demonstrates best practices including:

• Proper state initialization and management
• Extension installation checking on mount
• Graceful fallback UI for missing extension
• Full event lifecycle handling
• Error boundary-like states
• Loading indicators

This is a strong reference implementation. Consider adding a note about accessibility (ARIA labels, keyboard navigation) or a link to WCAG guidelines if the project has accessibility requirements.

content/docs/browser-extension/web-integration/index.mdx (1)

62-71: Comparison table provides clear integration decision framework.

The table comparing Extension Integration vs. Web Integration effectively communicates the key differences in control, complexity, and user experience. Developers can quickly determine which path matches their use case.

content/docs/browser-extension/web-integration/setup.mdx (2)

45-49: Well-demonstrated security-first environment variable pattern for Next.js.

Lines 45–49 correctly show separating public and private environment variables for Next.js:

• NEXT_PUBLIC_* for extension ID (safe for client)
• Plain RECLAIM_APP_SECRET stored server-side only

This pattern is a best practice and serves as a good model for developers. Clear comments (# Server-side only, # NEVER put secret...) reinforce the security intent.

---

738-823: Extension installation checking examples are practical and complete.

Lines 738–823 provide two solid patterns for detecting and prompting users to install the extension:

1. Vanilla JS approach with manual error handling
2. React component approach with state management

Both handle the null state (checking), installed state (proceed), and not-installed state (prompt) clearly. Consider highlighting this pattern in the troubleshooting guide as a best practice.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Critical: API reference is triplicatedacross three documentation files.

The API reference (lines 508–823) appears verbatim in:

1. extension-integration/usage.mdx (lines 245–440)
2. web-integration/usage.mdx (lines 72–300)
3. web-integration/setup.mdx (lines 508–823)

Maintenance risk: Any future SDK API changes must be synchronized across three separate locations, increasing the likelihood of documentation drift and inconsistency.

Recommended solution:

• Create a shared MDX partial (e.g., _api-reference.mdx)
• Include it in all three files using a component like: <ApiReference />
• Or create a single canonical reference page and link to it from all three files

This ensures a single source of truth for API documentation.

🤖 Prompt for AI Agents

In content/docs/browser-extension/web-integration/setup.mdx around lines 508–823
the SDK API reference is duplicated across three docs, causing maintenance risk;
extract the entire API reference content into a single shared MDX partial (e.g.,
content/docs/browser-extension/_api-reference.mdx) or a canonical doc page,
remove the duplicated block from this file and replace it with a single include
or component reference (e.g., <ApiReference /> or a link to the canonical page),
then update the other two files (extension-integration/usage.mdx and
web-integration/usage.mdx) to import or link to the same shared partial so all
three pages reference the single source of truth.

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

Consolidate duplicated API reference documentation.

The API reference for initialization methods (lines 72–300) duplicates content from extension-integration/usage.mdx (lines 245–440) with only minor parameter differences (extensionID added). This creates a maintenance burden—any future SDK API changes must be updated in both files.

Consider:

1. Extract to shared file: Create a common _api-reference.mdx partial and include it in both places.
2. Reference model: Add a note like: "See Extension Integration API Reference for full API documentation. The main difference for web integration is passing extensionID option."
3. Web-specific override: Keep only web-integration-specific examples, link to full reference for shared methods.

This pattern will reduce maintenance overhead as the SDK evolves.