feat(react): /react-doctor umbrella skill + in-house browser core + debug-agent debug job

[aidenybai]

Based on main. The diff is the skill umbrella + in-house browser core + the debug job, with the React DevTools profiler harness living inside @react-doctor/browser (no separate perf-agent package).

Grows React Doctor from a code scanner into one skill, /react-doctor, that helps the agent write better React, checks its own changes in the background, and can open a real browser to profile, debug, and review UI. Built to follow doc.md.

What's here

• /react-doctor umbrella skill — the existing scanner-only skill grows into one skill that routes across jobs. Ten always-on React baseline rules plus prose routing across doctor (static scan + 0–100 score, runs in the background), perf (React render + V8 CPU profiling), debug (reproduce in a real browser), design (measured UI review), and rule explain/configure. The command, package name, and brand stay React Doctor; the browser jobs only run when asked.
• @react-doctor/browser — a thin playwright-core wrapper that attaches to a running Chrome over CDP (logins/cookies come along), launching its own persistent, detached Chrome only as a fallback so the page survives across CLI invocations. playwright-core is an optional dependency and loaded lazily, so playwright never bundles into the CLI hot path. It also houses the React DevTools profiler harness in src/react-profiler.
• react-doctor browser commands:
  • open / snapshot (accessibility tree) / screenshot
  • eval — runs the expression with the Playwright page in scope, so an agent acts on what snapshot showed using Playwright's own selectors (page.locator("text=Login").click(), page.getByRole(...)), with page.evaluate(() => …) for raw DOM. No bespoke ref scheme.
  • console (console + uncaught errors on load) / network (request waterfall, failures flagged)
  • audit — axe-core accessibility
  • perf — long-animation-frame jank with per-script attribution, plus LCP/CLS. With a URL it measures a fresh load; with no URL it measures the live page without reloading, so jank from a preceding eval interaction is captured.
  • profile — one recording, two lenses: a React render profile (slowest commits, hottest components by self time, unnecessary re-render counts) and a Chrome DevTools CPU profile (V8 sampler over CDP, JS functions ranked by self time), returned as JSON for the agent — no files written. Pass --interaction '<playwright expr>' to record what it triggers; both lenses cover the post-load + interaction window.
  • report — captures console, network, performance, and accessibility in a single page load (one navigation, not four), ~2.6x faster than running the focused commands separately.
  • Shared --cdp, --no-launch, and a one-shot --viewport WxH emulation.
  • browser open injects the React DevTools profiler as window.__REACT_PERF__; browser profile is the one-shot record + analysis, or browser eval can start() / stop() it manually and pull the raw DevTools export.
• react-doctor debug + @react-doctor/debug — a local NDJSON logging server (react-doctor debug serve, the default subcommand) the debug job posts runtime evidence to. Handles lock reuse, dedup, and daemon/--json modes so the server outlives the spawning CLI process and the agent just gets back the endpoint.
• react-doctor mcp + @react-doctor/mcp — a Model Context Protocol server over stdio (the bin fast-paths mcp) that exposes the doctor scan and the browser/debug jobs as MCP tools, so any MCP-capable agent can call doctor_scan, the browser_* tools (including browser_profile), and the debug_* log server directly. Debug binds are loopback-only with a minted-endpoint allowlist.
• debug job = debug-agent — the debug playbook runs the runtime-evidence loop: hypothesize → instrument with NDJSON logs (posted to the server above) → reproduce in the live browser → fix only with log proof → verify → clean up.
• Playbooks — references/{debug,design,performance,explain}.md, followed per job.

Build / checks

• build, typecheck, lint, format green for @react-doctor/core, @react-doctor/browser, @react-doctor/debug, and react-doctor.
• @react-doctor/browser, @react-doctor/debug, install-react-doctor, install-agent-hooks, parse-viewport, and strip-unknown-cli-flags suites pass; full react-doctor suite green.
• The skill ships to dist/skills/react-doctor.
• Merged up to current main; repo-wide typecheck and lint are green.

Deliberately deferred (follow-ups)

• Ambient task-end static-scan hook (on by default, conservative threshold)
• Publishing story for @react-doctor/browser and @react-doctor/debug (workspace deps today)
• product-thinking pass for the browser / debug CLI surface

---

Note

Medium Risk
Large new surface area (local Chrome launch, CDP attach, debug HTTP server, MCP stdio) with thoughtful guards, but agents can drive live browsers and post runtime logs—operational and prompt-injection considerations beyond the existing static scan.

Overview
Expands React Doctor from a static scanner into a /react-doctor umbrella skill (v1.6) with ten always-on React writing rules, job routing (doctor / perf / debug / design), and new playbooks for browser-backed perf, debug-agent, design, and rule explain flows.

Adds @react-doctor/browser: CDP attach (optional persistent Chrome launch), BrowserSession for open/eval/snapshot/screenshot, axe audits, console/network capture, LoAF/LCP/CLS perf, combined profile (React DevTools export analysis + V8 CPU self-time), and one-load report. Ships a document-start React profiler inject and CLI react-doctor browser subcommands with --cdp, --no-launch, and --viewport.

Adds @react-doctor/debug and react-doctor debug serve (daemon/--json, project-scoped lock reuse) for NDJSON runtime logs, plus react-doctor mcp via @react-doctor/mcp (doctor_scan, browser_*, debug_* tools; loopback-only debug bind and minted-endpoint allowlist). The bin fast-paths mcp like the LSP entry; build copies the profiler inject asset into the published CLI bundle; playwright-core is optional and lazy-loaded.

^{Reviewed by Cursor Bugbot for commit c4e5658. Bugbot is set up for automated code reviews on this repo. Configure here.}

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/eslint-plugin-react-doctor@853

npm i https://pkg.pr.new/oxlint-plugin-react-doctor@853

npm i https://pkg.pr.new/react-doctor@853

commit: c4e5658

[github-actions]

React Doctor skipped this pull request — it changed no React files.

_{Reviewed by React Doctor for commit c4e5658.}

[devin-ai-integration]

Devin Review found 3 potential issues.

View 1 additional finding in Devin Review.

[aidenybai]

/rde parity

[react-doctor-evals]

❌ Parity failed — trace d4ed45083ac35e225cd9a55783f6c52b. Check server logs for that trace ID.

[aidenybai]

/rde parity

[cursor]

Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit c4e5658. Configure here.}

[cursor]

Profiler not stopped on failure

Medium Severity

In profile, when --interaction (or browser_profile’s interaction) throws, the finally block only calls CDP Profiler.disable and never Profiler.stop, and it never calls __REACT_PERF__.stop(). On the persistent Chrome session, a failed profile can leave the React and V8 profilers mid-recording and skew later browser profile runs until the page is reloaded.

 

^{Reviewed by Cursor Bugbot for commit c4e5658. Configure here.}