replen 1.0.13 → 1.0.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -52,6 +52,29 @@ Parse the JSON response. Note:
52
52
  - `leap` — on quiet days the response may carry ONE portfolio connection
53
53
  (a cross-project / adjacency / cross-user leap) instead of candidates.
54
54
  `displayText` already words it; relay that and offer to explore it.
55
+ - `queuedActions` — work the user queued from their weekly brief / alert
56
+ emails (or a past session). The footnote offers the oldest one; if the
57
+ user says yes, DO the work (bump the dep, handle the deprecation,
58
+ evaluate the repo), then call `replen_queue` with `action: "done"` and
59
+ the item's id. If they decline for good, `action: "dismiss"`. Never
60
+ leave a handled item queued — it will keep reminding.
61
+ - `candidates[].alternatives` — on health/security stakes ("your upstream
62
+ is dying / has a CVE"), maintained catalogue libraries similar to the
63
+ flagged repo, with cross-user adoption counts. Use them in the writeup:
64
+ the verdict isn't just "X is risky" but "X is risky; Y is the maintained
65
+ replacement, N similar projects adopted it".
66
+
67
+ ### Step 2b — Keep the version picture fresh (cheap, do it)
68
+
69
+ If `git status` shows the lockfile changed since you last reported, or you
70
+ have never reported for this repo, call `replen_set_versions` with the
71
+ resolved DIRECT dependency versions from the lockfile (package-lock.json /
72
+ poetry.lock / uv.lock / Cargo.lock) plus runtimes under canonical keys
73
+ (`node` from .nvmrc/engines/Dockerfile, `python` from .python-version /
74
+ requires-python, `postgres`/`redis` when pinned in docker-compose). Names
75
+ and versions ONLY — never code. This is what turns Replen's deadline and
76
+ security lines from "worth checking your pins" into "affects `aegis`
77
+ (3.10.12)" — and silences alarms for versions this repo verifiably isn't on.
55
78
 
56
79
  If `candidates.length === 0`, tell the user "No new candidates today for
57
80
  `<owner/name>`. Calm-cadence working as designed — 1-3 actionable
@@ -128,6 +128,14 @@ specific — `cloudflare bypass`/`proxy rotation`, not just `web scraping`.
128
128
  grounded `capabilities` array AND the `report` from 2c. The server builds the
129
129
  facet vectors immediately and stores the report as grounding for its own
130
130
  summarization. Use the MCP tools, not hand-rolled `curl`.
131
+ 4. **Report pinned versions** with `replen_set_versions` — the resolved DIRECT
132
+ dependency versions from the lockfile (package-lock.json / poetry.lock /
133
+ uv.lock / Cargo.lock), plus runtimes under canonical keys (`node` from
134
+ .nvmrc/engines/Dockerfile, `python` from .python-version/requires-python,
135
+ `postgres`/`redis` when pinned in docker-compose). Names + versions ONLY,
136
+ never code. This makes EOL/deprecation/security awareness name the affected
137
+ repos with certainty — and suppresses alarms for versions the repo
138
+ verifiably isn't on.
131
139
 
132
140
  ## Step 3 — Group multi-repo products
133
141
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "replen",
3
- "version": "1.0.13",
3
+ "version": "1.0.14",
4
4
  "description": "Make your AI coding tools smarter. One command, no API keys, free. Replen watches what your projects actually do and surfaces a few things worth bringing in each month. Use one as is, port a piece of another, cherry pick an idea, or build it clean room. The match happens inside your AI tool's session. A few actionable matches a month, by design.",
5
5
  "type": "module",
6
6
  "bin": {