replen 1.0.13 → 1.0.15
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -52,6 +52,29 @@ Parse the JSON response. Note:
|
|
|
52
52
|
- `leap` — on quiet days the response may carry ONE portfolio connection
|
|
53
53
|
(a cross-project / adjacency / cross-user leap) instead of candidates.
|
|
54
54
|
`displayText` already words it; relay that and offer to explore it.
|
|
55
|
+
- `queuedActions` — work the user queued from their weekly brief / alert
|
|
56
|
+
emails (or a past session). The footnote offers the oldest one; if the
|
|
57
|
+
user says yes, DO the work (bump the dep, handle the deprecation,
|
|
58
|
+
evaluate the repo), then call `replen_queue` with `action: "done"` and
|
|
59
|
+
the item's id. If they decline for good, `action: "dismiss"`. Never
|
|
60
|
+
leave a handled item queued — it will keep reminding.
|
|
61
|
+
- `candidates[].alternatives` — on health/security stakes ("your upstream
|
|
62
|
+
is dying / has a CVE"), maintained catalogue libraries similar to the
|
|
63
|
+
flagged repo, with cross-user adoption counts. Use them in the writeup:
|
|
64
|
+
the verdict isn't just "X is risky" but "X is risky; Y is the maintained
|
|
65
|
+
replacement, N similar projects adopted it".
|
|
66
|
+
|
|
67
|
+
### Step 2b — Keep the version picture fresh (cheap, do it)
|
|
68
|
+
|
|
69
|
+
If `git status` shows the lockfile changed since you last reported, or you
|
|
70
|
+
have never reported for this repo, call `replen_set_versions` with the
|
|
71
|
+
resolved DIRECT dependency versions from the lockfile (package-lock.json /
|
|
72
|
+
poetry.lock / uv.lock / Cargo.lock) plus runtimes under canonical keys
|
|
73
|
+
(`node` from .nvmrc/engines/Dockerfile, `python` from .python-version /
|
|
74
|
+
requires-python, `postgres`/`redis` when pinned in docker-compose). Names
|
|
75
|
+
and versions ONLY — never code. This is what turns Replen's deadline and
|
|
76
|
+
security lines from "worth checking your pins" into "affects `aegis`
|
|
77
|
+
(3.10.12)" — and silences alarms for versions this repo verifiably isn't on.
|
|
55
78
|
|
|
56
79
|
If `candidates.length === 0`, tell the user "No new candidates today for
|
|
57
80
|
`<owner/name>`. Calm-cadence working as designed — 1-3 actionable
|
|
@@ -62,6 +62,13 @@ already onboarded (it already has capabilities/facets). Re-running is always
|
|
|
62
62
|
safe — pushing again just overwrites — so an interrupted sweep resumes cleanly by
|
|
63
63
|
re-running and skipping repos already done.
|
|
64
64
|
|
|
65
|
+
**"Done" includes a version report.** A repo that has capabilities but has
|
|
66
|
+
never reported versions is NOT done — give it the lightweight backfill pass:
|
|
67
|
+
skip the doc work and re-profiling entirely, just read the lockfile + runtime
|
|
68
|
+
pins and call `replen_set_versions` (Step 2e.4). This is how an existing
|
|
69
|
+
portfolio gets version-aware deadlines/security awareness after upgrading
|
|
70
|
+
Replen — a re-run backfills versions across every repo in minutes.
|
|
71
|
+
|
|
65
72
|
For each in-scope repo, do this contract:
|
|
66
73
|
|
|
67
74
|
### 2a. Read the code (not just the README)
|
|
@@ -128,6 +135,14 @@ specific — `cloudflare bypass`/`proxy rotation`, not just `web scraping`.
|
|
|
128
135
|
grounded `capabilities` array AND the `report` from 2c. The server builds the
|
|
129
136
|
facet vectors immediately and stores the report as grounding for its own
|
|
130
137
|
summarization. Use the MCP tools, not hand-rolled `curl`.
|
|
138
|
+
4. **Report pinned versions** with `replen_set_versions` — the resolved DIRECT
|
|
139
|
+
dependency versions from the lockfile (package-lock.json / poetry.lock /
|
|
140
|
+
uv.lock / Cargo.lock), plus runtimes under canonical keys (`node` from
|
|
141
|
+
.nvmrc/engines/Dockerfile, `python` from .python-version/requires-python,
|
|
142
|
+
`postgres`/`redis` when pinned in docker-compose). Names + versions ONLY,
|
|
143
|
+
never code. This makes EOL/deprecation/security awareness name the affected
|
|
144
|
+
repos with certainty — and suppresses alarms for versions the repo
|
|
145
|
+
verifiably isn't on.
|
|
131
146
|
|
|
132
147
|
## Step 3 — Group multi-repo products
|
|
133
148
|
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "replen",
|
|
3
|
-
"version": "1.0.
|
|
3
|
+
"version": "1.0.15",
|
|
4
4
|
"description": "Make your AI coding tools smarter. One command, no API keys, free. Replen watches what your projects actually do and surfaces a few things worth bringing in each month. Use one as is, port a piece of another, cherry pick an idea, or build it clean room. The match happens inside your AI tool's session. A few actionable matches a month, by design.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"bin": {
|