Skip to content

[STG-2487] feat: static multi-marketplace manifest catalog (browse-only, CLI-only)#3

Merged
shrey150 merged 22 commits into
mainfrom
shrey/all-marketplace-manifests
Jul 16, 2026
Merged

[STG-2487] feat: static multi-marketplace manifest catalog (browse-only, CLI-only)#3
shrey150 merged 22 commits into
mainfrom
shrey/all-marketplace-manifests

Conversation

@shrey150

@shrey150 shrey150 commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

What

Repurposes browserbase/browse-plugin into the dedicated, static (no-codebase) repo that external agent marketplaces SHA-pin. Ships only the browse plugin, in all 5 marketplace formats, CLI-only — a browse CLI skill that shells out via Bash/run_shell_command, no bundled MCP server.

Added — root marketplace manifests (one per format)

File Format
.claude-plugin/marketplace.json Claude Code marketplace
.codex-plugin/plugin.json Codex plugin
.cursor-plugin/marketplace.json Cursor marketplace (browse-only)
.agents/plugins/marketplace.json Generic .agents marketplace
.grok-plugin/plugin.json Grok plugin
gemini-extension.json + GEMINI.md Gemini CLI extension (context-file skill, no MCP)
plugin.json (repo root) Open Plugin spec v1.0.0 manifest — lets vendor-neutral installers (e.g. npx plugins add browserbase/browse-plugin, Vercel's cross-client CLI) discover this repo directly instead of relying on its skills/-directory fallback heuristic. No mcp.json added alongside it — optional per spec, and this plugin intentionally ships no MCP servers (see "Why CLI-only" below).

Added — per-plugin manifests under plugins/browse/

.claude-plugin/, .codex-plugin/, .cursor-plugin/, .grok-plugin/ plugin.json each referencing ./skills/ and assets/logo.svg. The canonical browse CLI SKILL.md (copied from stagehand/packages/cli/skills/browse/) lands at skills/browse/SKILL.md (repo root, post-flatten) with its name/description frontmatter intact.

SKILL.md freshness

There's no auto-sync yet (stagehand#2330 is still a draft proposal), so skills/browse/SKILL.md is a manual, point-in-time copy of stagehand/packages/cli/skills/browse/SKILL.md. Refreshed once more (2026-07-09) to pull in container/CI --remote guidance, BROWSE_SESSION precedence, and the named-contexts surface (cloud contexts create --name) that had shipped in browse@0.9.1+ but wasn't in this repo's earlier copy. Re-sync by hand until the auto-sync PR lands.

browse@0.9.5 published the same day (npm + ghcr.io/browserbase/browse) — diffed this repo's skills/browse/SKILL.md against stagehand's origin/main copy after that release and they're byte-identical, so this file matches what npm i -g browse actually installs today, not a bleeding-edge main that's ahead of the published package.

Naming and copy fixes (review feedback)

  • Dropped the "Browserbase" prefix from "Browserbase browse CLI" everywhere it appeared — just Browse CLI now, across every manifest format and the root plugin.json.
  • Renamed the .agents/plugins/marketplace.json marketplace from browserbase-plugins to browserbase, matching the Claude and Cursor marketplace names.
  • Aligned Cursor's plugin displayName to "Browse" (was "Browserbase Browse"), matching Codex's.
  • Rewrote the shared long description. Surveyed what Exa, Kernel, Parallel, and AgentMail actually ship in their own server.json/plugin.json (not their marketing pages) — all lead with the capability noun and list concrete verbs rather than opening with an imperative. Old: "Automate web browsers with natural language via the Browse CLI." New: "Browser automation for AI agents: navigate, extract, screenshot, and interact with real web pages via a single CLI."
  • Dropped a stripe/link-cli reference from the docs — wasn't pulling any weight for a reader trying to understand this repo's layout.
  • Rewrote a few passages in README.md/docs/add-a-plugin.md that read as "how we got here" development narrative (earlier revisions, dated sync status) into present-tense statements of the current layout and constraints.

CI: validate on every PR, and keep GEMINI.md from going stale

scripts/validate-template.mjs previously only ran on tag push (release) — a broken manifest or a stale GEMINI.md had no automated signal on a PR. That's exactly how the next item was found: a reviewer happened to read the diff, not because anything enforced it.

  • Added .github/workflows/validate.yml: runs the existing validator on every pull_request and on push to main.
  • Added a drift check: GEMINI.md's body is generated verbatim from skills/browse/SKILL.md (confirmed byte-identical — Gemini's extension format has no way to reference an external skill file, so the instructions have to live directly in GEMINI.md). scripts/sync-gemini.mjs regenerates it; node scripts/sync-gemini.mjs --check and the main validator both fail if the two drift, with the fix command in the error message. Both sides of the comparison normalize CRLF, so a Windows-checked-out GEMINI.md doesn't false-positive.
  • Bugbot caught GEMINI.md itself lagging SKILL.md on this branch (missing container/CI --remote fallback guidance, BROWSE_SESSION precedence, and named cloud contexts) — fixed by porting the missing text verbatim from SKILL.md, which is also what proved the two files are meant to be byte-identical.
  • Bugbot also caught two gaps in the check itself: the comparison normalized CRLF on the SKILL.md side only (fixed, tested with a real CRLF-converted GEMINI.md), and validateGeminiSync silently passed if GEMINI.md was missing entirely even though gemini-extension.json requires it (fixed to error in that case, tested by actually deleting the file).
  • docs/add-a-plugin.md's layout tree hadn't been updated for either the root plugin.json or the new scripts/ files added earlier in this same PR, so it was already out of sync with the repo it documents. Fixed.
  • A final staleness sweep found the same class of bug in every manifest's version field: all five were stuck at 0.9.1, matching neither the browse CLI's actual published npm version (0.9.5) nor this repo's own release tags (v0.1.0v0.2.4). First fix pointed plugin.json's version at the CLI's npm version — wrong call, reverted. Checked the actual mechanics: a prior live audit confirmed Cursor's official marketplace listing is built by release.yml, which only runs on a tag push — merging to main alone never updates what Cursor serves. That same audit had already flagged the old repo's in-manifest version disagreeing with its own git tag as a source of confusion; pointing at the CLI's version would have reintroduced exactly that. Checked xAI's and Anthropic's actual draft PR content directly: neither's marketplace format uses a version field in any load-bearing way (xAI has none at all; 240 of 254 real entries in Anthropic's official directory have none, and the 14 that do are frozen at 1.0.0). So plugin.json's version now tracks this repo's own release line instead, bumped to 0.3.0 (next after v0.2.4). scripts/sync-version.mjs propagates it to the other four manifests, and the validator fails CI if they drift or if a required manifest is missing entirely.
  • Automated the tagging itself, mirroring a proven pattern already used in stagehand's own release workflow for browse-cli (including the same branch-protection gotcha it hit there): a new tag-release CI job checks plugin.json's currently-committed version against existing tags on every push to main, and pushes a matching vX.Y.Z tag if one doesn't exist yet — no one runs git tag by hand again. It only ever pushes a tag ref, never a commit to main, so it's safe under branch protection. Bugbot caught a real gap in the first version (diffed against the immediate parent commit only, so a version bump split across multiple commits could land without ever getting tagged) — fixed by checking tag existence against the current state directly instead of any commit diff, which structurally can't have that gap.

README rewrite to match house voice

Compared against browserbase/stagehand's top-level README and the browse CLI's own README: both stay benefit-first (what it does, how to use it) and never defend a design decision or reference a tracked-elsewhere roadmap item. Dropped the "Why CLI-only, not MCP" rationale from README.md (redundant with the plain fact already stated a line above it, and out of place in a README aimed at someone installing the plugin). Trimmed the repo-layout tree and third-party-tool caveat that duplicated docs/add-a-plugin.md verbatim, linking there instead of maintaining the same content in two places. Also removed em dashes from README.md specifically, since it's the human landing point for the repo.

Removed — the de-Playwright, and (later) the de-MCP

Deleted the custom TypeScript MCP server and all app code (plugins/browse/{src,scripts,agent,package.json,package-lock.json,tsconfig.json}, plugins/browse/skills/browser-automation/, plugins/browse/rules/, plugins/functions/). Then, after live-testing the hosted-MCP wiring (see "Why CLI-only" below), removed it too: mcpServers stripped from every plugin.json, .mcp.json (root + per-plugin) and server.json deleted, gemini-extension.json rewritten to a plain CLI-context extension. Net across both changes: +926 / −3932.

Why CLI-only, not MCP

The plugin originally bundled both a CLI-shelling skill and a hosted-MCP reference (.mcp.jsonhttps://mcp.browserbase.com/mcp) side by side, letting the agent pick either at runtime. Live-testing that MCP path (real marketplace installs, real headless invocations — not just schema validators) found it's currently broken for every client, and not fixable within this PR's scope:

  • Every manifest shipped a bare URL with zero auth — no Authorization: Bearer, no x-bb-api-key header, no ?browserbaseApiKey= query param.
  • The hosted MCP server accepts all three of those, but requires one for actual tool execution (initialize/tools/list are unauthenticated by design; start/navigate/etc. are not). With none supplied, every real tool call was rejected: {"jsonrpc":"2.0","error":{"code":-32000,"message":"Invalid query parameters"}}. Confirmed independently through two different real clients (Claude Code, Gemini CLI) — same error, same root cause both times.
  • Full OAuth 2.1 — which would let each user authenticate without a manifest ever holding a secret — isn't deployed: live-checked https://mcp.browserbase.com/.well-known/oauth-protected-resource and oauth-authorization-server, both 404; zero oauth/authorize|token|register routes exist anywhere in browserbase/core's origin/main.
  • This repo is a static, git-pinned, public catalog every external marketplace SHA-pins — there's no safe way to embed a real Browserbase API key in it, and no field in most of these manifest formats for a user to supply their own per-install.

Given that, and that this audience already has shell access (Claude Code, Codex, Cursor, Gemini CLI, Grok all run with a sandbox), a bundled MCP server adds no reach for these clients while introducing a broken/confusing fallback path — in testing, the agent would sometimes pick the (broken) MCP tool over the (working) CLI skill when both were present. CLI-only removes that ambiguity and matches what's actually proven to work. The hosted MCP remains the right integration for shell-less surfaces (ChatGPT, claude.ai) — that's a separate initiative, gated on OAuth for those specific directories, tracked outside this PR.

E2E Test Matrix

Manifest validators (all formats, run against this branch)

Command / flow Observed output Confidence / sufficiency
node scripts/validate-template.mjs Validation passed. (exit 0) + 2 benign warnings: no hooks/hooks.json, no mcp.json (expected now — CLI-only) Sufficient — Cursor marketplace name kebab-case, owner.name set, non-empty plugins[], source-dir/name match, referenced logo/skills paths + SKILL.md frontmatter all exist. Re-ran clean after the 2026-07-09 SKILL.md refresh.
claude plugin validate . / claude plugin validate . --strict ✔ Validation passed (both) Sufficient — Claude Code marketplace manifest valid, strict clean.
claude plugin validate plugins/browse / ... --strict ✔ Validation passed (both) Sufficient — per-plugin manifest valid strict.
gemini extensions validate . Extension . has been successfully validated. Sufficient — Gemini CLI accepts the CLI-only extension shape.
codex plugin marketplace add <abs>codex plugin list → remove add/list/remove all succeeded, browse@browserbase-plugins resolved at plugins/browse Sufficient — registration path works.
Grok: catalog validator + index generator (run in the xAI plugin-marketplace clone) Catalog OK, generated browse entry resolves skills: [{browse, ...}], no mcpServers key Sufficient for the SHA-pin catalog path. grok CLI itself isn't installed locally — not live-invocation-tested.
npx plugins discover . (Vercel's Open Plugin CLI), before and after adding root plugin.json Both: Found 1 local plugin(s) — browse, 1 skill Sufficient — confirms the new manifest is additive only; discovery result is identical with or without it, and node scripts/validate-template.mjs still passes with the same 2 pre-existing benign warnings.
Cursor deeplink encode/decode round-trips correctly Sufficient for encoding correctness; not click-tested in a running Cursor instance (GUI, not automatable here).
GEMINI.md/SKILL.md drift check: introduced a real content diff, then a CRLF-only diff Real diff → Validation failed: GEMINI.md is out of sync... (exit 1). CRLF-only diff → Validation passed. and sync-gemini.mjs --check reports in-sync (no rewrite) Sufficient — proves the check catches genuine drift (this is what Bugbot's finding on this branch demonstrated live) without false-positiving on line-ending differences.
.github/workflows/validate.yml, triggered by this PR's own commits validate check: COMPLETED SUCCESS on every push after it was added Sufficient — the new PR-time CI gate is exercised by this very PR, not just described.

Real install-and-invoke (live, this session — not just validators)

Client What ran Result
Claude Code Real claude plugin marketplace addinstall → headless claude -p task ("navigate to example.com, report the title") against the actual repo files Clean pass. claude plugin details reported MCP servers (0). Transcript shows only Skill/Bash tool calls — the model shelled out to browse open ... --local, got back "title": "Example Domain", answered correctly. Zero mcp__* calls anywhere.
Gemini CLI Real gemini extensions install ~/Developer/browse-plugin → headless gemini --yolo task, same prompt Clean pass. Extension shows a Context file (GEMINI.md), no MCP servers. Two run_shell_command calls (browse open ... --local, browse stop), correct answer, zero MCP calls.
Codex Real codex plugin marketplace addcodex plugin add → headless codex exec, same prompt ⚠️ Partial. Registration and install verified clean (browse@browserbase-plugins installed/enabled). Invocation blocked by this machine's local codex login having an expired OpenAI API key (401 invalid_api_key) — an environment issue unrelated to the plugin; the turn never started so no tool call was attempted. Needs a valid local Codex login to complete.

All three live tests ran against the real, post-change repo files (not scratch copies), with full install → invoke → cleanup, and confirmed the working tree was left unmodified by testing.

Not proven / left for review

  • Cursor and Grok are validator/encoding-verified only — no live click-test in a running Cursor instance, and no live grok CLI invocation (not installed locally).
  • Codex tool-invocation is unproven on this machine specifically due to a local auth issue, not a plugin defect — worth a quick re-run once codex login is refreshed.

🤖 Generated with Claude Code


Note

Medium Risk
Large behavioral change for installers (MCP and in-repo server removed; agents must use shell + external browse CLI), but the diff is manifests, skills, and CI with no in-repo runtime code.

Overview
This PR restructures the repo from a nested plugins/browse TypeScript MCP/Playwright package (plus a separate functions plugin) into a static, root-level browse catalog with no build step or bundled servers.

Distribution model: New per-client manifests at the repo root (Claude, Cursor, Codex, Grok, .agents, Open Plugin plugin.json, and Gemini gemini-extension.json + GEMINI.md). Marketplaces now point "source" at "." instead of plugins/browse; the functions marketplace entry is removed. Agents are expected to use skills/browse/SKILL.md (allowed-tools: Bash) and the globally installed browse CLI, not MCP tools.

Removed: The entire plugins/browse app (mcp-server, bb-browser, package.json/lockfile, mcp.json, old skills/rules) and plugins/functions/. Release workflow no longer runs npm ci/build in plugins/browse; it only validates and tarballs static files.

CI and consistency: Adds .github/workflows/validate.yml (validate on every PR and main push) plus a tag-release job that tags v{plugin.json version} when missing, which triggers release. scripts/validate-template.mjs now enforces GEMINI.mdskills/browse/SKILL.md sync and version alignment across manifests via sync-gemini.mjs / sync-version.mjs. Plugin release version is set to 0.3.0 (repo tags, not npm CLI version).

Docs: README.md and docs/add-a-plugin.md describe the single-plugin, CLI-only layout; CODEOWNERS added for @browserbase/gtm.

Reviewed by Cursor Bugbot for commit 03b38b7. Bugbot is set up for automated code reviews on this repo. Configure here.

shrey150 and others added 2 commits July 7, 2026 01:51
…MCP)

Repurpose browse-plugin into a dedicated, static (no-codebase) repo that
external agent marketplaces can SHA-pin. Ships only the `browse` plugin,
in all 5 marketplace formats, pointed at the hosted Browserbase MCP.

Add root marketplace manifests for every format:
- .claude-plugin/marketplace.json (Claude Code)
- .codex-plugin/plugin.json (Codex)
- .cursor-plugin/marketplace.json (Cursor, browse-only)
- .agents/plugins/marketplace.json (generic .agents)
- .grok-plugin/plugin.json (Grok)
- gemini-extension.json (Gemini CLI)
- .mcp.json + server.json (hosted MCP: https://mcp.browserbase.com/mcp)

Per-plugin manifests under plugins/browse/{.claude-plugin,.codex-plugin,
.cursor-plugin,.grok-plugin}/plugin.json + plugins/browse/.mcp.json, all
referencing ./skills/, ./.mcp.json, and assets/logo.svg.

De-Playwright: remove the custom TypeScript MCP server, npm build, agent
runtime dirs, the browser-automation skill, rules, and the entire
functions plugin. Ship the canonical browse CLI SKILL.md instead.

Add .github/CODEOWNERS (* @browserbase/gtm), rewrite README + add-a-plugin
docs for the static hosted-MCP layout, drop build steps from release.yml.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Every manifest shipped a bare https://mcp.browserbase.com/mcp URL with
no auth (no header, no query param). Live-tested via real
marketplace installs in Claude Code and Gemini CLI: the model reaches
the hosted MCP tool but every call is rejected server-side with
"Invalid query parameters" (no browserbaseApiKey in header or query
string; full OAuth 2.1 isn't deployed either). A static, git-pinned
public repo can't safely embed a real API key, so there's no
one-click fix available for this distribution path today.

This audience (devs pulling the marketplace into Claude Code, Codex,
Cursor, Gemini CLI) already has shell access, so MCP added no reach
CLI doesn't already cover. Scope to CLI-only: strip mcpServers from
all plugin manifests, delete .mcp.json/server.json, and give Gemini
a real CLI path via a GEMINI.md context file (Gemini's SKILL.md
equivalent) instead of its MCP-only extension.

Live end-to-end verified against the real repo files post-change:
Claude Code (zero MCP tools registered, real browse CLI call, correct
result) and Gemini CLI (real shell calls via GEMINI.md, correct
result). Codex install/registration verified clean; invocation
untestable on this machine due to an unrelated expired local OpenAI
API key.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@shrey150 shrey150 changed the title [STG-2487] feat: static multi-marketplace manifest catalog (browse-only, hosted MCP) [STG-2487] feat: static multi-marketplace manifest catalog (browse-only, CLI-only) Jul 8, 2026
The nested plugins/browse/ layout was scaffolding for when this repo
held two plugins (browse + functions). Now that it's committed to
shipping a single browse plugin, the nesting has no remaining
beneficiary and breaks third-party tools with a simpler root-scan
convention — confirmed with Hermes Agent's skill "tap" mechanism,
which hardcodes looking for skills/ at repo root and can't find our
skill nested under plugins/browse/skills/.

Moves skills/browse/SKILL.md and the per-format plugin.json files up
to repo root, updates every marketplace file's source/path from
"./plugins/browse" to ".", and removes the now-redundant duplicate
Codex/Grok plugin.json files that existed at both root and nested
paths. Matches link-cli's own flat layout, the reference this repo
was modeled on from the start.

node scripts/validate-template.mjs passes clean (same benign
hooks/mcp warnings as before).

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
This repo's copy was from 2026-07-07 (pre-STG-2513) and was missing:
- --local vs --remote guidance for Chrome-less containers/CI/sandboxes
- BROWSE_SESSION env-var precedence rule (don't pass --session if
  it's already set)
- Named contexts (cloud contexts create --name / list), which
  shipped in browse@0.9.1 and is live in the current published
  browse@0.9.4 -- this repo still had the old ID-only surface

Pulled verbatim from origin/main (stagehand#82c489bd). Auto-sync
(stagehand#2330) is still a draft proposal, so this is a manual,
one-time pull -- re-sync by hand until that lands.
Leftover from before the CLI-only scoping (a1b3d03) deleted .mcp.json
and server.json -- this repo doesn't ship an MCP config anymore.
Lets vendor-neutral installers (e.g. npx plugins) discover this repo
without relying on the skills/ fallback heuristic.
Comment thread .agents/plugins/marketplace.json Outdated
Comment thread .claude-plugin/marketplace.json Outdated
Comment thread .claude-plugin/marketplace.json Outdated
shrey150 added 3 commits July 14, 2026 13:23
Addresses PR review: drop the "Browserbase" prefix from "Browserbase
browse CLI" everywhere (just Browse CLI), rename .agents marketplace
from browserbase-plugins to browserbase to match the Claude/Cursor
marketplace names, and align Cursor's plugin displayName ("Browse")
with Codex's.
Surveyed Exa, Kernel, Parallel, and AgentMail's own MCP/plugin
manifest descriptions: all lead with the capability noun and list
concrete verbs, rather than opening with an imperative like
"Automate...". Replaces the long description everywhere with the
same pattern.
Rewrites a few passages that read as "how we got here" development
narrative (earlier revisions, dated sync status, "the reference this
repo is modeled on") into present-tense statements of the current
layout and constraints. History like this belongs in the PR/commit
log, not in a doc that's permanent once merged.
Comment thread GEMINI.md
shrey150 added 3 commits July 14, 2026 13:44
…edence, named contexts

GEMINI.md lagged skills/browse/SKILL.md on three points that affect
correctness in sandboxes: no guidance to fall back to --remote when
no local Chrome is available, no BROWSE_SESSION override-precedence
rule, and no named-context alias workflow. Ports the same text
verbatim from SKILL.md.
Wasn't pulling any weight for a contributor trying to understand
this repo's layout.
Validation only ran on tag push (release), so a broken manifest or a
stale GEMINI.md had no automated signal on a PR — the GEMINI.md gap
Bugbot just caught here was only found because a reviewer happened to
read the diff, not because anything enforced it.

Adds a pull_request-triggered workflow that runs the existing
validator on every PR, plus a new check: GEMINI.md's body is
generated verbatim from skills/browse/SKILL.md (confirmed
byte-identical), so scripts/sync-gemini.mjs regenerates it and the
validator fails if they diverge.
Comment thread scripts/validate-template.mjs
shrey150 added 2 commits July 14, 2026 14:13
The comparison normalized line endings on the SKILL.md side only, so
a CRLF GEMINI.md would report false-positive drift, and sync-gemini
would needlessly rewrite it.
README is the human landing point for this repo; em dashes read as
AI-generated. Rewrote as separate clauses/commas instead.
Comment thread scripts/validate-template.mjs
shrey150 added 4 commits July 14, 2026 15:21
Compared against browserbase/stagehand's top-level README and the
browse CLI's own README: both stay benefit-first (what it does, how
to use it) and never defend a design decision or reference a
tracked-elsewhere roadmap item.

Drops the "Why CLI-only, not MCP" rationale (redundant with the plain
fact already stated a line above, and out of place in a README).
Trims the repo-layout tree and third-party-tool caveat that
duplicated docs/add-a-plugin.md verbatim, linking there instead so
there's one source for that detail rather than two that can drift.
Leads with what the repo lets you do, not its internal
classification ("static, no-codebase catalog").
gemini-extension.json requires GEMINI.md as its context file, but
validateGeminiSync silently no-op'd when the file was absent instead
of erroring, so deleting it would leave CI green.
Both were added earlier in this PR but never made it into the
documented layout, so the tree was already out of sync with the
repo it describes.
plugin.json's version tracks the browse CLI's own npm version, since
the plugin has no independent feature surface beyond the CLI it
wraps. All five manifests were stuck at 0.9.1, matching neither the
CLI's current published version (0.9.5) nor this repo's own release
tags. Same fix shape as the GEMINI.md sync check: plugin.json is the
source of truth, scripts/sync-version.mjs propagates it to the other
four manifests, and validate-template.mjs fails CI if they drift.
Corrected course from the previous commit: Cursor's marketplace is
confirmed (via a prior live audit) to be driven strictly by this
repo's own git tag pushes -- release.yml only runs on push: tags,
so merging to main alone never updates what Cursor serves. A prior
audit had already flagged the old repo's manifest version (2.x)
disagreeing with its own git tag (v0.2.x) as confusing -- pointing
plugin.json at browse's npm version would have reintroduced exactly
that. xAI's and Anthropic's marketplace formats don't use a version
field at all in any meaningful way (verified against their actual
draft PR content), so this only mattered for Cursor.

plugin.json now tracks this repo's own release line (0.3.0, next
after v0.2.4). Added a tag-release job to validate.yml, mirroring
the proven pattern already used in stagehand's own release.yml for
browse-cli: on push to main, diff plugin.json's version against the
parent commit, and if it changed, push a matching vX.Y.Z tag --
never a direct commit to main, so it works regardless of branch
protection. That tag push is what triggers the existing release.yml.
Verified the diff/tag-existence logic directly against real commits
in this repo's history before relying on it in CI.
Comment thread .github/workflows/validate.yml Outdated
The previous version only compared plugin.json's version against its
immediate parent commit, so a version bump split across multiple
commits (e.g. an unsquashed merge, or separate bump/sync commits)
could land on main without ever getting tagged. Checking the current
committed version against tag existence directly is simpler and
can't have that gap -- it doesn't matter which commit introduced the
final state.

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 40bcef3. Configure here.

Comment thread scripts/validate-template.mjs
validateVersionSync silently skipped a deleted .claude-plugin/plugin.json,
.cursor-plugin/plugin.json, .grok-plugin/plugin.json, or
gemini-extension.json instead of erroring, so CI could pass with a
required manifest missing entirely. Same class of bug as the earlier
GEMINI.md fix.
Comment thread .cursor-plugin/plugin.json Outdated
Comment thread .codex-plugin/plugin.json Outdated
…ntity field

Every marketplace-level identity field in this repo (Claude/Cursor
marketplace owner, .agents displayName, root plugin.json author)
already says Browserbase. These two plugin-level displayName fields
were the only outliers saying "Browse" instead -- fixes that, and
matches how other real entries in these marketplaces (Vercel,
Sentry, MongoDB, Cloudflare) lead with the company brand in the
title slot, not a sub-product name.
@shrey150
shrey150 merged commit 059df09 into main Jul 16, 2026
3 checks passed
shrey150 added a commit that referenced this pull request Jul 16, 2026
Confirmed live: merging PR #3 pushed tag v0.3.0 correctly, but
release.yml never ran and no GitHub Release was created. Root cause
is a documented GitHub Actions behavior -- a tag pushed using the
default GITHUB_TOKEN from within a workflow run does not trigger
other workflows' push events, to prevent infinite loops. That
exemption does not apply to workflow_dispatch, so tag-release now
explicitly dispatches release.yml instead of relying on push:tags.

release.yml's workflow_dispatch trigger only exists on main, not on
the tag itself, and softprops/action-gh-release can't infer the
right tag from a workflow_dispatch context (it falls back to
github.ref_name, which would be "main"). So the dispatch passes an
explicit tag input, and both the checkout step and the release step
use it to check out and tag the correct ref.
shrey150 added a commit that referenced this pull request Jul 16, 2026
#4)

Confirmed live: merging PR #3 pushed tag v0.3.0 correctly, but
release.yml never ran and no GitHub Release was created. Root cause
is a documented GitHub Actions behavior -- a tag pushed using the
default GITHUB_TOKEN from within a workflow run does not trigger
other workflows' push events, to prevent infinite loops. That
exemption does not apply to workflow_dispatch, so tag-release now
explicitly dispatches release.yml instead of relying on push:tags.

release.yml's workflow_dispatch trigger only exists on main, not on
the tag itself, and softprops/action-gh-release can't infer the
right tag from a workflow_dispatch context (it falls back to
github.ref_name, which would be "main"). So the dispatch passes an
explicit tag input, and both the checkout step and the release step
use it to check out and tag the correct ref.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants