chore(deps): pin Playwright + jsonschema as dev dependencies (#95 / #94 follow-up)

[sgwannabe]

Summary

Closes the Dev tooling pinning cluster from #95 (1 item deferred from #94).

• Adds requirements-dev.txt pinning the two third-party Python packages the repo's tooling actually imports:
  • playwright>=1.54,<2.0 — used by tools/capture-gallery-hero.py to regen docs/assets/v1.6-gallery-hero.png (🟡 I-5: README hero is text-first — violates Godin gallery-first guidance #67 / docs(readme): gallery-first hero shot above the fold (#67) #94).
  • jsonschema>=4.0,<5.0 — used by verify-plugin.sh, verify-security.sh, verify-seed-expectations.sh, mock-bootstrap.sh, and generate-spec-anchor-audit.py.
• Adds a "Python dev setup" subsection to CONTRIBUTING.md explaining install (incl. optional playwright install --with-deps firefox chromium).
• Updates tools/capture-gallery-hero.py docstring to reference the new install contract.

File-format choice

Picked requirements-dev.txt over pyproject.toml:

• The repo is not a Python package — no installable source, no __init__.py, no entry points.
• Python files are scripts/hooks/tools invoked by shell harnesses (bash scripts/verify-plugin.sh, bash tests/e2e/mock-bootstrap.sh).
• Plain text is the lowest-overhead contract that matches the script-driven nature without forcing a package layout.
• JS-side tooling stays in package.json / pnpm-workspace.yaml (unchanged).

Side-effect / breaking-change assessment

Side-effect	Status	Verification
pip install -r requirements-dev.txt on fresh clone	OK	Verified in fresh python3 -m venv /tmp/pf-i95-venv — installs cleanly; import playwright, jsonschema both succeed.
tools/capture-gallery-hero.py after the pin	No behavior change	Already worked locally pre-pin; pin only documents the contract. Did NOT regenerate the PNG (per task scope).
bash scripts/verify-plugin.sh	OK	Pass: 57 / Fail: 0.
bash tests/fixtures/security/verify-security.sh	OK	All Phase 1 defenses holding (#95-L1, L1-wire, L3, S-5, S-6, I-9).
bash tests/e2e/mock-bootstrap.sh {standard,pro,max}	OK	PASS x3, schemas valid, iframe counts 9/18/26 as expected.
CI workflows	No change required	CI didn't get a pip install -r requirements-dev.txt step in this PR — current CI already installs jsonschema ambiently (or scripts degrade gracefully); changing CI is out of scope. P3 below.
macOS vs Linux	OK	playwright>=1.54 works on both; jsonschema is pure-Python.
Pre-existing pyenv/venv collision	None	pip install is additive; no system-level changes.
Breaking change	None	New file + docstring + docs section; no removals or behavior change.

Codex review (1 pass)

• P1 applied: 0 (codex returned no P1 findings)
• P2 deferred to follow-up: 1
• P3 deferred: 1

P2 — pin exact versions (deferred)

Codex flagged playwright>=1.54,<2.0 / jsonschema>=4.0,<5.0 as ranges, not exact pins, arguing reproducibility could drift across new Playwright 1.x releases (browser revisions ship with the package). Counter-arguments for keeping the ranges in this PR:

1. The byte-stable PNG promise in capture-gallery-hero.py is "same Playwright + same gallery.html → same PNG", not "stable across Playwright upgrades". The pin does not regress that contract.
2. Exact pins (playwright==1.54.0) would force lockstep upgrades across contributors and require a requirements-dev.lock workflow, which is out of scope for a 30-min PR.
3. We do not currently pin browser binaries either (playwright install resolves to whatever's bundled), so an exact pip pin would be a half-measure without playwright install --version.

Suggested follow-up: introduce pip-tools / uv pip compile and a requirements-dev.lock if/when the hero PNG drifts.

P3 — CI integration (deferred)

Add python3 -m pip install -r requirements-dev.txt to .github/workflows/ci.yml before any Python-using job. Current CI works because GitHub-hosted runners ship jsonschema (or scripts no-op). Worth doing for explicit-contract reasons but not required to land this PR.

Test plan

• python3 -m venv /tmp/pf-i95-venv && /tmp/pf-i95-venv/bin/pip install -r requirements-dev.txt succeeds
• bash scripts/verify-plugin.sh — Pass: 57 / Fail: 0
• bash tests/fixtures/security/verify-security.sh — all defenses holding
• bash tests/e2e/mock-bootstrap.sh standard — PASS
• bash tests/e2e/mock-bootstrap.sh pro — PASS
• bash tests/e2e/mock-bootstrap.sh max — PASS
• CI green on PR

Refs

• Closes the Playwright-pinning item in 📋 v1.11 review umbrella follow-ups — codex P2/P3 from PR #81~#94 #95
• Follow-up to docs(readme): gallery-first hero shot above the fold (#67) #94 (gallery-first README hero)

[coderabbitai]

Warning

Rate limit exceeded

@sgwannabe has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 32 minutes and 25 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 32 minutes and 25 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 628a39a3-095c-44e7-87f1-8a6dd46ff903

📥 Commits

Reviewing files that changed from the base of the PR and between 2136c56 and 532d52d.

📒 Files selected for processing (3)

• CONTRIBUTING.md
• requirements-dev.txt
• tools/capture-gallery-hero.py

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/i95-pin-playwright-dev-dep

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request establishes a Python development environment for tooling by pinning dependencies in a new requirements-dev.txt and updating documentation in CONTRIBUTING.md and capture-gallery-hero.py. A review comment points out that the documentation incorrectly claims verify-plugin.sh is fail-closed in CI, suggesting a correction to align the text with the actual script behavior.

[gemini-code-assist]

The documentation states that verify-plugin.sh is fail-closed in CI when jsonschema is missing, but the current implementation of scripts/verify-plugin.sh (lines 100-109) only prints a warning and does not trigger a failure or exit with a non-zero code. This creates a risk of silent validation regressions in CI, which violates the general rule requiring hard failures for missing validation dependencies in CI environments. Please either update the script to enforce this failure in CI or update the documentation to reflect the current behavior.

Suggested change

	installed by `bash scripts/verify-plugin.sh` itself (it degrades gracefully
	when `jsonschema` is missing, except in CI where it is fail-closed).
	installed by bash scripts/verify-plugin.sh itself (it degrades gracefully
	when jsonschema is missing).

References

1. In CI environments, treat missing optional dependencies required for validation checks (like schema validation) as hard failures to prevent silent regressions.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 532d52daf2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Pin Playwright to an exact version

Use an exact Playwright version instead of a range here. With >=1.54,<2.0, pip install -r requirements-dev.txt can resolve to different Playwright builds over time, and Playwright releases carry browser/runtime changes that can alter screenshot rendering. In practice, two fresh clones run on different dates can produce different v1.6-gallery-hero.png output, which breaks the reproducibility goal described in this commit.

Useful? React with 👍 / 👎.