replen 1.0.13 → 1.0.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -52,6 +52,29 @@ Parse the JSON response. Note:
52
52
  - `leap` — on quiet days the response may carry ONE portfolio connection
53
53
  (a cross-project / adjacency / cross-user leap) instead of candidates.
54
54
  `displayText` already words it; relay that and offer to explore it.
55
+ - `queuedActions` — work the user queued from their weekly brief / alert
56
+ emails (or a past session). The footnote offers the oldest one; if the
57
+ user says yes, DO the work (bump the dep, handle the deprecation,
58
+ evaluate the repo), then call `replen_queue` with `action: "done"` and
59
+ the item's id. If they decline for good, `action: "dismiss"`. Never
60
+ leave a handled item queued — it will keep reminding.
61
+ - `candidates[].alternatives` — on health/security stakes ("your upstream
62
+ is dying / has a CVE"), maintained catalogue libraries similar to the
63
+ flagged repo, with cross-user adoption counts. Use them in the writeup:
64
+ the verdict isn't just "X is risky" but "X is risky; Y is the maintained
65
+ replacement, N similar projects adopted it".
66
+
67
+ ### Step 2b — Keep the version picture fresh (cheap, do it)
68
+
69
+ If `git status` shows the lockfile changed since you last reported, or you
70
+ have never reported for this repo, call `replen_set_versions` with the
71
+ resolved DIRECT dependency versions from the lockfile (package-lock.json /
72
+ poetry.lock / uv.lock / Cargo.lock) plus runtimes under canonical keys
73
+ (`node` from .nvmrc/engines/Dockerfile, `python` from .python-version /
74
+ requires-python, `postgres`/`redis` when pinned in docker-compose). Names
75
+ and versions ONLY — never code. This is what turns Replen's deadline and
76
+ security lines from "worth checking your pins" into "affects `aegis`
77
+ (3.10.12)" — and silences alarms for versions this repo verifiably isn't on.
55
78
 
56
79
  If `candidates.length === 0`, tell the user "No new candidates today for
57
80
  `<owner/name>`. Calm-cadence working as designed — 1-3 actionable
@@ -62,6 +62,13 @@ already onboarded (it already has capabilities/facets). Re-running is always
62
62
  safe — pushing again just overwrites — so an interrupted sweep resumes cleanly by
63
63
  re-running and skipping repos already done.
64
64
 
65
+ **"Done" includes a version report.** A repo that has capabilities but has
66
+ never reported versions is NOT done — give it the lightweight backfill pass:
67
+ skip the doc work and re-profiling entirely, just read the lockfile + runtime
68
+ pins and call `replen_set_versions` (Step 2e.4). This is how an existing
69
+ portfolio gets version-aware deadlines/security awareness after upgrading
70
+ Replen — a re-run backfills versions across every repo in minutes.
71
+
65
72
  For each in-scope repo, do this contract:
66
73
 
67
74
  ### 2a. Read the code (not just the README)
@@ -128,6 +135,14 @@ specific — `cloudflare bypass`/`proxy rotation`, not just `web scraping`.
128
135
  grounded `capabilities` array AND the `report` from 2c. The server builds the
129
136
  facet vectors immediately and stores the report as grounding for its own
130
137
  summarization. Use the MCP tools, not hand-rolled `curl`.
138
+ 4. **Report pinned versions** with `replen_set_versions` — the resolved DIRECT
139
+ dependency versions from the lockfile (package-lock.json / poetry.lock /
140
+ uv.lock / Cargo.lock), plus runtimes under canonical keys (`node` from
141
+ .nvmrc/engines/Dockerfile, `python` from .python-version/requires-python,
142
+ `postgres`/`redis` when pinned in docker-compose). Names + versions ONLY,
143
+ never code. This makes EOL/deprecation/security awareness name the affected
144
+ repos with certainty — and suppresses alarms for versions the repo
145
+ verifiably isn't on.
131
146
 
132
147
  ## Step 3 — Group multi-repo products
133
148
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "replen",
3
- "version": "1.0.13",
3
+ "version": "1.0.15",
4
4
  "description": "Make your AI coding tools smarter. One command, no API keys, free. Replen watches what your projects actually do and surfaces a few things worth bringing in each month. Use one as is, port a piece of another, cherry pick an idea, or build it clean room. The match happens inside your AI tool's session. A few actionable matches a month, by design.",
5
5
  "type": "module",
6
6
  "bin": {