feat(raycast): surface trust and submission handoff #476

Open
jakearmstrong59 wants to merge 2 commits into JSONbored:main from jakearmstrong59:feat/raycast-trust-submission-449

@jakearmstrong59
Contributor

@jakearmstrong59 jakearmstrong59 commented May 22, 2026

Summary

  • Surface source / package / safety / privacy / claim / verification metadata in the Raycast detail sidebar — the registry feed already emits these fields, the parser just dropped them.
  • Add Report Stale Listing and Request Safety Review handoff actions that open the existing GitHub issue templates with prefilled category/slug/title/brand/source fields.
  • Extension stays read-only — every new action is an Action.OpenInBrowser against an approved flow. No installs, no GitHub writes, no auth.
  • Zero generator change — all surfaced data is already in raycast-index.json via buildEntryNoteFields / buildEntryProvenanceFields. The parser was the bottleneck; this PR opens it up.

What changed

  • integrations/raycast/src/feed.ts — new EntryTrustSummary interface, 8 new optional fields on RaycastEntry (safetyNotes, privacyNotes, claimStatus, reviewedBy, submittedBy, packageVerified, sourceStatus, lastVerifiedAt), defensive normalizers, label formatters (formatSourceLabel, formatPackageLabel, formatReviewLabel, formatVerifiedDate), summarizeEntryTrust, and two new handoff URL builders (buildReportStaleUrl, buildSafetyReviewUrl).
  • integrations/raycast/src/raycast-ui.tsx — entryDetailMetadata renders Source / Package / Review / Last verified / Safety notes / Privacy notes rows, gated on summarizeEntryTrust(entry).hasAnyTrustSignal so entries without metadata stay unchanged.
  • integrations/raycast/src/registry-command.tsx — two new Action.OpenInBrowser items inside the existing "Contribute" ActionPanel.Section.
  • integrations/raycast/test/feed.test.ts — 4 new describe suites, 11 new tests covering every helper, malformed-input rejection, fallback template behavior, and that the new URLs target the approved domains.

Acceptance criteria from #449

  • Trust/safety/privacy fields render consistently where present.
  • Missing metadata degrades gracefully (whole block gated on hasAnyTrustSignal).
  • Submit / report / suggest-change links point to approved flows.
  • pnpm validate:raycast-feed passes (386 entries).

Test plan

  • cd integrations/raycast && npm test — 31/31 pass (20 existing + 11 new across 4 new suites)
  • cd integrations/raycast && npx tsc --noEmit — clean
  • pnpm type-check — clean
  • pnpm exec prettier --check on the four touched files — clean
  • pnpm validate:raycast-feed — Validated 386 Raycast feed entries.
  • pnpm build — exit 0, Compiled successfully
  • git diff --check — clean
  • No churn under apps/web/public/data/** or apps/web/src/generated/** — regenerated artifacts reverted before committing.

CI status on the current tip

  • required-pr-gate — success
  • validate-raycast — success
  • validate-content — success
  • All other workflows either success or correctly skipped (this PR touches no content, no MCP server, no web code, no packages).

Screenshots (Raycast UI evidence)

Captured against an entry with rich metadata (e.g. hooks/cloud-backup-on-session-stop — safety + privacy notes, or mcp/airtable-mcp-server — packageVerified: true). Each thumbnail collapsed by default; click the caption to expand.

1 · Detail sidebar — new Source row (rendered by formatSourceLabel)
2 · Detail sidebar — new Package row (rendered by formatPackageLabel, shows "First-party (verified)" / "External" / "No package download")
3 · Detail sidebar — new Review row (rendered by formatReviewLabel, shows "Verified claim" / "Reviewed by …" / "Submitted by …" / "Unclaimed")
4 · Detail sidebar — new Last verified row (rendered by formatVerifiedDate, ISO-date trimmed)
5 · Detail sidebar — new Safety notes row (count + plural agreement)
6 · Detail sidebar — new Privacy notes row (count + plural agreement)
7 · Action Panel — new "Report Stale Listing" action under the Contribute section (opens buildReportStaleUrl(entry) → GitHub issue with category template prefilled, title prefixed "Stale …")
8 · Action Panel — new "Request Safety Review" action under the Contribute section (opens buildSafetyReviewUrl(entry) → GitHub issue with category template prefilled, title prefixed "Safety review: …")

Out of scope (per #449)

  • No GitHub state is written from the extension
  • No install or execution of content from Raycast
  • No new authentication / account flows
  • No unsupported safety or malware claims — rows surface only fields the entry itself declared

Notes for review

  • The new sidebar block adds 6 rows max (Source / Package / Review / Last verified / Safety notes / Privacy notes); on entries without any trust signal, nothing is rendered. Existing Download trust and Verification rows are preserved.
  • Handoff URL builders share applyHandoffEntryParams, so the prefill behavior matches buildSuggestChangeUrl.
  • The parser change is additive; existing feeds with no trust fields are unaffected — see the degrades gracefully when no trust metadata is present test.

Closes #449
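
An added example, not code from this PR or from the project: one way to write the defensive normalization and the prefilled handoff URL that the description above refers to. The field names come from the description; `normalizeTrust`, `buildHandoffUrl`, the claim-status values, the template file names and the `example-org/example-repo` path are hypothetical placeholders.

```typescript
// Added illustration; names and values below are hypothetical, not the PR's feed.ts.
const CLAIM_STATUSES = ["verified", "unclaimed"] as const; // assumed enum values
type ClaimStatus = (typeof CLAIM_STATUSES)[number];

interface TrustFields {
  claimStatus: ClaimStatus | undefined;
  safetyNotes: string[];
  packageVerified: boolean;
  lastVerifiedAt: string | undefined;
}

// Treat the feed as untrusted JSON: keep only values of the expected shape.
function normalizeTrust(raw: unknown): TrustFields {
  const o = (typeof raw === "object" && raw !== null ? raw : {}) as Record<string, unknown>;
  const notes = Array.isArray(o.safetyNotes)
    ? o.safetyNotes
        .filter((n): n is string => typeof n === "string")
        .map((n) => n.trim())
        .filter((n) => n !== "")
    : [];
  const iso = typeof o.lastVerifiedAt === "string" && /^\d{4}-\d{2}-\d{2}/.test(o.lastVerifiedAt);
  return {
    claimStatus: CLAIM_STATUSES.find((s) => s === o.claimStatus), // unknown strings drop out
    safetyNotes: notes,
    packageVerified: o.packageVerified === true, // the string "true" is not accepted
    lastVerifiedAt: iso ? (o.lastVerifiedAt as string).slice(0, 10) : undefined,
  };
}

// Placeholder repository and template names; the real ones are not on this page.
const ISSUE_BASE = "https://github.com/example-org/example-repo/issues/new";
const TEMPLATES = new Map([["mcp", "submit-mcp.yml"], ["hooks", "submit-hook.yml"]]);
const FALLBACK_TEMPLATE = "general.yml";

interface HandoffEntry { category: string; slug: string; title: string }

// Feed values only ever become query parameters; origin and path stay fixed.
function buildHandoffUrl(entry: HandoffEntry, titlePrefix: string): string {
  const url = new URL(ISSUE_BASE);
  url.searchParams.set("template", TEMPLATES.get(entry.category) ?? FALLBACK_TEMPLATE);
  url.searchParams.set("title", `${titlePrefix} ${entry.title}`);
  url.searchParams.set("slug", entry.slug);
  return url.toString();
}

// Constructed hostile feed entry used to exercise the normalizer.
const SAMPLE_RAW: unknown = {
  claimStatus: "root",
  safetyNotes: ["  Runs a shell hook ", 42, ""],
  packageVerified: "true",
  lastVerifiedAt: "2026-05-01T10:00:00Z",
};
```

Because the template is chosen from a `Map` rather than a plain object, a category such as `__proto__` falls through to the fallback template instead of resolving to an inherited property.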

@superagent-security superagent-security Bot added the contributor:verified Contributor passed trust analysis. label May 22, 2026
@coderabbitai
Contributor

coderabbitai Bot commented May 22, 2026

Walkthrough

This PR extends the Raycast integration to surface trust metadata and clean submission handoff paths. The feed entry model gains claim/source status, safety/privacy notes, reviewer attribution, package/source verification, and last-verified-date fields, which are parsed and normalized from the feed JSON. New utilities render human-readable trust labels and generate GitHub issue URLs for reporting stale entries and requesting safety reviews. The UI displays aggregated trust signals in entry details, and two new action buttons link users to GitHub submission flows.

Changes

Trust metadata and submission handoff

| Layer | File(s) | Summary |
|---|---|---|
| Trust data model | integrations/raycast/src/feed.ts | Exports ClaimStatus, SourceStatus types and EntryTrustSummary interface; extends RaycastEntry with optional trust metadata fields (notes, claim/review status, package/source verification, verification date). |
| Feed parsing and trust normalization | integrations/raycast/src/feed.ts | Updates normalizeRaycastEntry to extract and normalize trust fields from feed JSON: sanitizes note arrays, maps claim/source strings to constrained enums, and populates optional reviewer/submitter/verification fields. |
| Trust formatters and utilities | integrations/raycast/src/feed.ts | Exports label formatters (formatSourceLabel, formatPackageLabel, formatReviewLabel, formatVerifiedDate) and summarizeEntryTrust to aggregate trust signals; introduces shared URL parameter helper and handoff builders (buildReportStaleUrl, buildSafetyReviewUrl) for GitHub issue generation. |
| Entry detail metadata rendering | integrations/raycast/src/raycast-ui.tsx | Adds local helpers for pluralized note summaries, computes trust summary in entry metadata, and conditionally renders trust context (source, package, review labels, optional verification date, note counts) when signals are present. |
| Contribute action buttons | integrations/raycast/src/registry-command.tsx | Imports handoff URL builders and adds two new "Contribute" actions ("Report Stale Listing" and "Request Safety Review") that open GitHub issue forms. |
| Comprehensive test coverage | integrations/raycast/test/feed.test.ts | Tests trust label formatters (source/package/review precedence), summarizeEntryTrust aggregation and graceful degradation, handoff URL builders (GitHub issue prefill, template fallback), and feed parsing (trust metadata extraction, malformed enum/array handling). |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

risk-low

Poem

Trust signals bloom in Raycast's view, 🌿
Source and safety, tried and true,
Package verified, notes in tow,
Report stale links—now users know.


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ❌ Error | Docstring coverage is 0.00% which is insufficient. The required threshold is 90.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (7 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly summarizes the main change: adding trust metadata surfacing and handoff actions to the Raycast integration. |
| Linked Issues check | ✅ Passed | All acceptance criteria from #449 are met: trust fields render consistently [evidenced by UI changes], graceful degradation via hasAnyTrustSignal gating, approved flow links via Action.OpenInBrowser, and raycast-feed validation passes. |
| Out of Scope Changes check | ✅ Passed | All changes are in-scope per #449: trust field parsing, UI rendering, handoff URL builders, and test coverage—no out-of-scope modifications to unrelated systems or restricted files. |
| Security Pattern Review | ✅ Passed | Feed metadata validated against whitelists; URLs use URL API with approved domains; no eval/innerHTML; Raycast safe components; read-only extension; no secrets. |
| Client/Server Boundary Validation | ✅ Passed | This PR modifies only Raycast extension code (integrations/raycast/) which uses @raycast/api, not Next.js. The check applies to Next.js client/server boundaries, which are not applicable here. |
| Logging Standards Compliance | ✅ Passed | PR modifies only integrations/raycast/* files; check scope is apps/web/src/* and packages/web-runtime/src/*. Check is not applicable to this PR. |
| Description check | ✅ Passed | PR description is comprehensive, well-structured, and includes all key sections: summary, what changed, acceptance criteria, test plan with results, CI status, and notes for review. |

@superagent-security superagent-security Bot added the pr:verified PR passed security analysis. label May 22, 2026
Owner

@JSONbored JSONbored left a comment

#476 feat(raycast): surface trust and submission handoff
Action: request changes.

Required before merge:

  • Add Raycast UI evidence for the changed detail sidebar and Contribute actions.
  • Include screenshots showing Source, Package, Review, Last verified, Safety, Privacy, Report Stale Listing, and Request Safety Review.
  • Ensure official PR Validation runs and passes, especially Raycast/feed checks and required-pr-gate.

Validation expected:
pnpm validate:raycast-feed
pnpm build
git diff --chec

@jakearmstrong59
Contributor Author

Hi @JSONbored how are you? I don't have macOS access locally, so I can't capture Raycast UI shots. The extension does build cleanly on Linux via ray develop (compile log attached) and the changes are TypeScript-only — the new rows in raycast-ui.tsx and Action Panel items in registry-command.tsx are pure JSX wired to existing Raycast primitives. Would you accept the test suite (31/31 with 11 new cases asserting the helpers and the URL builders' output) and a screen recording from a maintainer with the dev extension running, instead of contributor-captured screenshots?

Owner

@JSONbored JSONbored left a comment

@jakearmstrong59 hi there, I re-reviewed the Raycast PR and the previous review context.


Concrete blockers:

  • This changes visible Raycast UI behavior, but the required Raycast UI screenshots/evidence are still missing.
  • The previous requested evidence covered the detail sidebar and Contribute actions: Source, Package, Review, Last verified, Safety, Privacy, Report Stale Listing, and Request Safety Review.
  • Your latest reply says you cannot capture the Raycast UI evidence, so the PR remains unreviewable for the maintainer standard.

Required change:

  • Close this PR unless you can provide the required Raycast UI evidence.
  • A new PR can be opened later with the same scope plus screenshots - unfortunately, these are mandatory as this is also required of me when I submit changes/updates for the extension upstream.

The Raycast extension documentation mentions how to accurately gather screenshots for the Raycast extension - feel free to check it out.

@superagent-security superagent-security Bot removed contributor:verified Contributor passed trust analysis. pr:verified PR passed security analysis. labels May 27, 2026
@jakearmstrong59
Contributor Author

jakearmstrong59 commented May 28, 2026

image

Hi @JSONbored how are you? Please review this.

Repository owner deleted a comment from open-cla Bot May 28, 2026
@JSONbored
Owner

> image
> Hi @JSONbored how are you? Please review this.

You can disregard this, I was testing out the Superagent CLA integration earlier.

@jakearmstrong59
Contributor Author

image image image image image image

@jakearmstrong59
Contributor Author

Hi, @JSONbored please review this.

@JSONbored JSONbored self-requested a review May 28, 2026 23:42
@JSONbored
Owner

Action: request changes

  • Thanks for adding Raycast screenshots; this is no longer blocked on total absence of UI evidence.
  • The evidence is still incomplete for the previous review standard.
  • The PR body still contains TODO placeholders in the screenshot section; please replace those with the actual labeled screenshots or link them under the matching headings.
  • The posted screenshots show the Contribute actions and several Trust rows, but I still do not see complete evidence for Last verified and the full Privacy notes row/content.
  • Please add labeled screenshots covering all requested states: Source, Package, Review, Last verified, Safety, Privacy, Report Stale Listing, and Request Safety Review. Current Raycast/required checks are green.
  • Please make sure screenshots are in the PR body/description, as thumbnails with proper captions, so they're easy to review.

Parse and render the trust metadata the registry feed already emits —
source-backed status, package trust, claim/review attribution, and
safety/privacy note coverage — in the Raycast entry detail sidebar, gated
on summarizeEntryTrust().hasAnyTrustSignal so entries without metadata are
unchanged. Add read-only "Report Stale Listing" and "Request Safety
Review" actions to the Contribute panel that open the existing GitHub
issue templates with prefilled fields. The extension stays read-only.

Closes JSONbored#449
@jakearmstrong59 jakearmstrong59 force-pushed the feat/raycast-trust-submission-449 branch from d1fa752 to 87e7c70 Compare May 29, 2026 01:20
@dosubot dosubot Bot added the size:L This PR changes 100-499 lines, ignoring generated files. label May 30, 2026
Owner

@JSONbored JSONbored left a comment

@jakearmstrong59 I reviewed the screenshot comment and the current Raycast extension screenshot requirements.


Concrete blockers:

  • The screenshots are present in a PR comment, but they do not match Raycast extension screenshot requirements.
  • Raycast’s store-prep docs expect extension screenshots to be captured through Raycast Window Capture in development mode with “Save to Metadata,” using 2000×1250 PNG images in 16:10 landscape format.
  • The submitted images are GitHub comment attachments at much smaller sizes: 950×455, 640×407, 634×404, 627×409, 647×403, and 630×414.
  • The PR body still contains TODO placeholders in the screenshot section instead of the actual labeled screenshots.
  • The images are not clearly mapped to the requested review states: Source, Package, Review, Last verified, Safety notes, Privacy notes, Report Stale Listing, and Request Safety Review.
  • I still cannot verify complete evidence for the Last verified row and full Privacy notes row/content from the submitted screenshots.

Required change:

  • Replace the TODO screenshot placeholders in the PR body with properly labeled screenshots.
  • Use Raycast Window Capture from the extension running in development mode and save/export screenshots as Raycast metadata-quality images.
  • Provide up to six clear screenshots, ideally committed or attached in the same structure expected for Raycast extension metadata.
  • Each screenshot should use a consistent background, focus only on the Raycast extension, and clearly show the relevant changed UI state.
  • If you cannot capture Raycast screenshots because you do not have macOS access, this PR is not review-ready as-is. Please do not request another review until the required evidence can be provided.

Validation expected:

  • Updated PR body with labeled screenshots replacing all TODO placeholders.
  • Screenshots matching Raycast’s 2000×1250 PNG / 16:10 metadata screenshot standard.
  • Evidence covering all changed visible UI states listed above.
  • Existing Raycast checks should remain green after any branch update.

Labels

feature size:L This PR changes 100-499 lines, ignoring generated files.
