replen 1.0.7 → 1.0.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -25,6 +25,10 @@ const SKILLS = [
25
25
  name: "replen",
26
26
  files: ["replen/SKILL.md"],
27
27
  },
28
+ {
29
+ name: "replen-onboard",
30
+ files: ["replen-onboard/SKILL.md"],
31
+ },
28
32
  ];
29
33
  // Old skill name, removed on setup so the renamed `/replen` is the single
30
34
  // source of truth (a stale `/replen-match` copy would otherwise linger and
@@ -86,6 +86,17 @@ Verdicts:
86
86
  maintained. Honest skips are valuable signal; don't manufacture
87
87
  reasons to keep something.
88
88
 
89
+ **Watch for word-collisions** — the most common bad match. The candidate
90
+ shares a *word* with the matched capability but its real domain diverges:
91
+ the matched facet is "anomaly detection" (the user's is drone TELEMETRY) but
92
+ the candidate does IMAGE anomaly detection; "recommendation" means remediation
93
+ actions for the user but collaborative-filtering for the candidate; "S3" means
94
+ private IAM-managed storage but the candidate scans PUBLIC buckets. These are
95
+ skips — and worth recording precisely (see Step 4) so Replen stops surfacing
96
+ the pairing. Classify the reason: `modality-collision` (different data type),
97
+ `task-collision` (same data, different task), `wrong-posture` (e.g. defensive
98
+ vs offensive), `covered` (already have it), `low-quality` (workshop/abandoned).
99
+
89
100
  Score the fit on a 0-100 scale:
90
101
 
91
102
  - 80-100 = high (strong fit, clear adopt or port path, no major blockers)
@@ -214,14 +225,29 @@ that actually fit."* If the user agrees, run this checklist:
214
225
  a Python CCXT market-making engine:
215
226
  `["crypto","trading","market-making","ccxt","quant","backtesting"]`).
216
227
  - **Set technical capabilities** with `replen_set_capabilities` — short,
217
- GitHub-searchable tech terms for what the project DOES at the tech level
218
- (e.g. `["crypto exchange","market data","backtesting","technical
219
- analysis"]`; for a defense CV pipeline `["computer vision","object
220
- detection","satellite imagery","geospatial mapping"]`). Derive these from
221
- the actual imports/deps, not guesses. This is the highest-leverage step:
222
- the server builds the project's facet vectors from these IMMEDIATELY (no
223
- waiting for a scheduled run), and they drive both faceted matching and the
224
- shared capability catalogue.
228
+ GitHub-searchable tech terms for what the project DOES at the tech level.
229
+ Aim for **8-15** and be **SPECIFIC**. **Send GROUNDED objects, not bare
230
+ strings** `{tag, descriptor, modality}` for each capability:
231
+ - `tag` — the short searchable term (`"anomaly detection"`).
232
+ - `descriptor` ONE sentence grounding the tag in the ACTUAL CODE you
233
+ just read: what DATA it operates on, the specific task, key constraints.
234
+ This is what stops word-collisions. `"anomaly detection"` alone collides
235
+ with image-defect libraries; `{tag:"anomaly detection", descriptor:
236
+ "rule-based detection over drone telemetry time-series — link-loss,
237
+ GPS-drop, battery-sag; no ML", modality:["timeseries"]}` does not.
238
+ Read the real source (the taxonomy/model/config files), not the README.
239
+ - `modality` — array from EXACTLY: `image, video, timeseries, tabular,
240
+ text, audio, geospatial, graph, 3d, code, network` (`[]` if none apply).
241
+ A satellite-imagery segmenter is `["image","geospatial"]`; a recsys is
242
+ `["tabular"]`.
243
+
244
+ Break broad capabilities into the concrete techniques the code uses (not
245
+ just `"web scraping"` but `headless browser`, `cloudflare bypass`,
246
+ `proxy rotation`, …). Derive all of it from the imports/deps and code, not
247
+ guesses. This is the highest-leverage step: the server builds the project's
248
+ facet vectors from these IMMEDIATELY, and the grounded descriptor + modality
249
+ are exactly what make matching separate "same word, different data" — the
250
+ single biggest source of bad matches.
225
251
 
226
252
  **Do NOT tell the user to set tags/capabilities on the web** — that's the
227
253
  sticky step this replaces; set them with the tools. (They can fine-tune later
@@ -244,6 +270,15 @@ any write back to Replen. Don't hand-roll `curl` to the API for these; the MCP
244
270
  path is the intended mechanism and avoids tripping host permission classifiers
245
271
  on the candidate repo name in a curl payload.
246
272
 
273
+ When you call `replen_record_triage`, **pass the contextual fields** so Replen
274
+ learns: `matchedFacet` (copy the `matchedFacet` from the candidate's
275
+ replen_match data), `facetModality` (the data modality of that capability —
276
+ e.g. `"timeseries"`, `"image"`), and `reasonCode` (`fit` / `modality-collision`
277
+ / `task-collision` / `covered` / `wrong-posture` / `low-quality` / `other`).
278
+ A skip coded `modality-collision` teaches Replen that this repo fits a
279
+ *different* modality — so it stays available for the right project but stops
280
+ colliding with this one.
281
+
247
282
  **Candidate's README is unreachable (WebFetch 404)**. Note it in the
248
283
  writeup (`Caveats: README unreachable; verdict based on description
249
284
  only`) and proceed with a more conservative score.
@@ -0,0 +1,170 @@
1
+ ---
2
+ name: replen-onboard
3
+ description: One-time background setup for Replen. Works through the user's active repos — reading each one's code, tidying thin/missing docs (never touching good ones), and building a tailored, grounded profile (a project report + capabilities) so Replen surfaces genuinely useful tools instead of generic ones. Runs autonomously in the background. Invoke with `/replen-onboard`, or when the user first sets up Replen and wants it configured properly across their projects.
4
+ ---
5
+
6
+ # Replen onboarding — autonomous, background, multi-repo setup
7
+
8
+ You are setting Replen up properly across the user's projects. The better the
9
+ grounding you build now, the sharper Replen's matches are forever after — and it
10
+ all happens in-session, on the user's own agent, so nothing leaves their machine
11
+ except the project profile you build.
12
+
13
+ **This skill is designed to run AUTONOMOUSLY.** After ONE upfront confirmation of
14
+ the repo list, do NOT stop to ask questions — every policy decision is fixed
15
+ below. The user should be able to kick this off and keep working (or let a
16
+ background agent run it) without babysitting it.
17
+
18
+ ## Step 0 — Show the brief, then auth
19
+
20
+ Show the user this brief verbatim, then proceed:
21
+
22
+ > **Setting up Replen.** Your coding agent is going to set Replen up in the
23
+ > background. It'll go through your active repos — reading each one to understand
24
+ > what it does and the tech it uses, tidying up thin or missing docs (never
25
+ > touching good ones), and building a tailored profile so Replen surfaces
26
+ > genuinely useful tools instead of generic ones. It runs in the background, so
27
+ > just keep working — there's nothing to wait on. **No code leaves your agent**;
28
+ > it only sends Replen the project profile it builds, and any doc changes show up
29
+ > as normal git edits you can review or roll back.
30
+
31
+ Then read `~/.replen/config.json` for the DIGEST_TOKEN + base URL. If it's
32
+ missing, stop and tell the user to run `npx replen` first.
33
+
34
+ ## Step 1 — Discover in-scope repos (the one allowed interaction)
35
+
36
+ Find the user's local repositories and filter to the ones worth onboarding.
37
+
38
+ 1. **Locate local clones.** Look in the parent directory of the cwd (sibling
39
+ repos) and any obvious code root (`~/github`, `~/code`, `~/src`, `~/dev`).
40
+ A repo is any directory containing `.git`.
41
+ 2. **Scope filter — apply ALL:**
42
+ - **Active in the last 6 months:** `git -C <repo> log -1 --format=%ct` →
43
+ keep only if the last commit is within ~183 days.
44
+ - **Not a fork**, **not archived** (skip mirrors/vendored clones; check
45
+ `gh repo view <owner/name> --json isFork,isArchived` when a remote exists).
46
+ - Has a git remote (so Replen can scope by `owner/name`). Note any local-only
47
+ repos and skip them.
48
+ 3. **Present the list and get ONE green light.** Show the in-scope repos and ask
49
+ the user to confirm or trim — e.g. *"Found 8 active repos to onboard: aegis-web,
50
+ aegis-api, … — go, or want me to drop any?"* This is the **only** question you
51
+ ask. Once confirmed, run the rest autonomously.
52
+
53
+ ## Step 2 — Per-repo grounding (autonomous; fan out if you can)
54
+
55
+ **Parallelise if your host supports it.** In Claude Code, spawn one background
56
+ subagent per repo (Task tool / background agents) so the sweep runs concurrently
57
+ and the user isn't blocked. If your host has no background/subagent primitive,
58
+ process repos sequentially — the autonomy matters more than the parallelism.
59
+
60
+ **Idempotent + resumable.** Before working a repo, you may check whether it's
61
+ already onboarded (it already has capabilities/facets). Re-running is always
62
+ safe — pushing again just overwrites — so an interrupted sweep resumes cleanly by
63
+ re-running and skipping repos already done.
64
+
65
+ For each in-scope repo, do this contract:
66
+
67
+ ### 2a. Read the code (not just the README)
68
+
69
+ Read enough source to actually understand the project: entry points, the core
70
+ modules, manifests (`package.json`/`pyproject.toml`/`Cargo.toml`/`go.mod`),
71
+ configs, schemas, and the files that implement its real work (the model/algo/
72
+ pipeline files, not the glue). This is what makes the grounding accurate — a
73
+ doc paraphrase is not enough.
74
+
75
+ ### 2b. Assess doc quality → `good` | `thin` | `none`
76
+
77
+ - **`good`** — the README/CLAUDE.md already explain what it is, the stack, and
78
+ the domain accurately. **Use as-is. NEVER overwrite or rewrite a good doc.**
79
+ - **`thin`** — a doc exists but is sparse/outdated/missing the tech picture.
80
+ **Augment, don't replace:** add the missing parts (what it is, stack, domain,
81
+ active areas, constraints), keeping the user's existing prose.
82
+ - **`none`** — no usable docs. **Create** a concise, accurate `README.md` (what
83
+ it is · stack · domain) and a Replen-useful `CLAUDE.md` (what it is · stack ·
84
+ niche/domain · active areas · constraints/non-goals · anti-patterns ·
85
+ integration preferences), grounded in the code you just read. Use the
86
+ project's real vocabulary. Do NOT invent capabilities the code doesn't show.
87
+
88
+ **Doc-write policy (firm):**
89
+ - Never silently overwrite. Make doc changes on a branch
90
+ (`replen/onboarding-docs`) or, if the user works trunk-based, as clearly
91
+ flagged uncommitted edits they can review. The user owns every change as a
92
+ normal git diff and can roll it back.
93
+ - A `good` doc is never touched.
94
+
95
+ ### 2c. Write the grounded project report
96
+
97
+ Produce a comprehensive write-up of the repo — the thing you'd hand a new
98
+ engineer. Cover: **what it does and for whom · the stack · the algorithms/
99
+ techniques it uses and WHY · the data it operates on · how it's architected ·
100
+ what it's trying to achieve · constraints/non-goals.** Ground every claim in the
101
+ code (name the files/modules). Be specific about the tech, not the domain
102
+ marketing. This report is the single richest grounding artifact — it's what lets
103
+ Replen tell, e.g., "anomaly detection over telemetry time-series (no ML)" apart
104
+ from "image-defect anomaly detection".
105
+
106
+ ### 2d. Derive grounded capabilities
107
+
108
+ From the report + code, produce 8–15 **grounded** capability objects — NOT bare
109
+ strings. Each is `{tag, descriptor, modality}`:
110
+ - **`tag`** — short, GitHub-searchable tech term (`"anomaly detection"`,
111
+ `"satellite imagery"`).
112
+ - **`descriptor`** — one sentence grounding it in the actual code: the data it
113
+ operates on, the specific task, key constraints. This is what prevents word-
114
+ collisions.
115
+ - **`modality`** — array from EXACTLY: `image, video, timeseries, tabular, text,
116
+ audio, geospatial, graph, 3d, code, network` (`[]` if none apply).
117
+
118
+ Break broad capabilities into the concrete techniques the code uses. Be
119
+ specific — `cloudflare bypass`/`proxy rotation`, not just `web scraping`.
120
+
121
+ ### 2e. Push to Replen
122
+
123
+ 1. **Register** the repo if it isn't already: `npx replen sync-projects` (scans
124
+ local repos and pushes them). Ensure each in-scope repo has a GitHub remote so
125
+ it's scoped by `owner/name`.
126
+ 2. **Set domain tags** with `replen_set_tags` — broad domain labels.
127
+ 3. **Set capabilities + report** with `replen_set_capabilities`, passing the
128
+ grounded `capabilities` array AND the `report` from 2c. The server builds the
129
+ facet vectors immediately and stores the report as grounding for its own
130
+ summarization. Use the MCP tools, not hand-rolled `curl`.
131
+
132
+ ## Step 3 — Group multi-repo products
133
+
134
+ If several repos are one product (e.g. `aegis-web`/`aegis-api`/`aegis-cv`), group
135
+ them with `replen_set_product` so Replen unions the whole product's capabilities
136
+ when the user is in any one of them.
137
+
138
+ ## Step 4 — Warm + close out
139
+
140
+ 1. Trigger an embedding/inventory pass so everything's ready: `replen_run` (it's
141
+ async; the per-project facets you set are already live regardless).
142
+ 2. Summarise what you did, calmly:
143
+
144
+ ```
145
+ Replen onboarding done — 8 repos grounded.
146
+ · docs: 2 created, 1 augmented, 5 already good (untouched)
147
+ · capabilities + report set for all 8; aegis-* grouped as one product
148
+ · doc changes are on branch `replen/onboarding-docs` for your review
149
+ Replen will now surface genuinely relevant tools for these repos.
150
+ ```
151
+
152
+ ## Policy recap (so the run stays autonomous)
153
+
154
+ - Scope: local repos, active in last 6 months, non-fork, non-archived, with a
155
+ remote.
156
+ - One question only: confirm/trim the repo list (Step 1). Everything else is
157
+ fixed.
158
+ - Never overwrite a `good` doc; doc writes go on a branch / clearly flagged.
159
+ - Capabilities are GROUNDED objects (`{tag, descriptor, modality}`) + a report —
160
+ never bare strings.
161
+ - Re-running is safe and idempotent; that's how an interrupted sweep resumes.
162
+ - Nothing leaves the agent except the project profile (tags, grounded
163
+ capabilities, report) you push to Replen.
164
+
165
+ ## When NOT to run this
166
+
167
+ - The user only wants today's matches for the current repo → that's `/replen`,
168
+ not this. This skill is the one-time (or occasional) multi-repo setup sweep.
169
+ - A single fresh repo just needs scoping → the `/replen` skill's onboarding
170
+ fallback handles one repo; use this when setting up the whole portfolio.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "replen",
3
- "version": "1.0.7",
3
+ "version": "1.0.9",
4
4
  "description": "Make your AI coding tools smarter. One command, no API keys. Replen scouts the OSS firehose against your projects and surfaces drop-in libraries, ideas to port, and dead deps to swap — the match decision happens inside your AI tool's session on your subscription tokens. 1-3 actionable matches a month, by design.",
5
5
  "type": "module",
6
6
  "bin": {