Statically detectable package capabilities
Like capslock, but for detecting capabilities in package metadata and archive structure rather than through call-graph analysis.
- C extensions declared (extensions field in gemspec)
brief is a single-binary CLI tool written in Go that deterministically detects a software project's toolchain, configuration, and conventions, then outputs a structured report of what the project is and how to work with it.
It lives in the git-pkgs GitHub org alongside forge, git-pkgs, and shared Go modules that provide low-level ecosystem mapping — manifest parsing, package URL handling, version range resolution, and ecosyste.ms API integration. By building on these shared modules, brief launches with support for 30+ package ecosystems from day one.
The first consumer is Upkeep, the Forgejo-based autonomous package maintenance bot swarm. brief is one of several deterministic tools that Upkeep runs to provide structured context to AI coding agents before they begin work — replacing the trial-and-error exploration loop that burns turns and tokens. Beyond Upkeep, brief is useful for any AI coding agent (Claude Code, Copilot, Cursor
Forgejo has a package registry that handles 23 ecosystems. Packages are uploaded directly -- there's no pull-through cache from upstream registries like npmjs.org or crates.io. git-pkgs/proxy is a standalone caching proxy for 16 ecosystems that already solves this problem. The question is what can be reused.
This has been requested multiple times in the Gitea tracker (Forgejo inherits these):
The Commission's call for evidence rightly identifies European reliance on non-EU digital technologies, but focuses primarily on cloud infrastructure, AI, and end-user applications. There's a critical layer missing: the dependency intelligence infrastructure that sits between source code hosting and application deployment.

Open source software underpins 70-90% of all code in the digital economy. But the infrastructure that tracks, analyses, and secures that software is almost entirely US-controlled: package registries, vulnerability databases, dependency graphs, software composition analysis tools, and automated update services. A European company can self-host Forgejo for code hosting and still depend entirely on US services for vulnerability scanning, dependency updates, license compliance, and SBOM generation.

The M×N Problem

Package management has an M×N problem. Every tool implements support for every ecosystem separately. When a new language ships a package manager, it goes to the back of every queue
require "net/http"
require "json"
require "uri"
require "digest"
require "fileutils"

# Mastodon instance and account whose public posts the script reads
INSTANCE = "https://mastodon.social"
USERNAME = "andrewnez"
# Local directory, next to this script, where fetched responses are cached
CACHE_DIR = File.join(__dir__, ".cache")
This document explores how git-pkgs and gittuf could integrate to enable dependency-aware security policies for Git repositories. The goal: let gittuf enforce policies like "adding new runtime dependencies requires two approvals" or "block dependencies with critical CVEs" by leveraging git-pkgs' understanding of package ecosystems.
git-pkgs is a Git subcommand for tracking package dependencies across git history. It answers questions like "when was this dependency added?", "who added it?", and "what changed between these two commits?" with a unified interface across 40+ package ecosystems.
git-pkgs was recently rewritten from Ruby into Go, partly to enable this kind of integration (importable as a Go library) and partly to simplify deployment as a single binary. It's in early development and can be adapted to work well with gittuf based on feedback.
Toss a coin to your maintainer,
O guardian of the tree,
For the forests of dependency
Are darker than they seem.
He patches through the nightfall,
He merges through the dawn,
While the auditors ride eastward
To demand another form.
Repository,Owner,File Path,HTML URL,Size,Downloaded
jaegertracing/jaeger,jaegertracing,THREAT-MODEL.md,https://github.com/jaegertracing/jaeger/blob/0cf2b7bc16f8acb94fa0f427c12f7868de667cfa/THREAT-MODEL.md,,Yes
backstage/backstage,backstage,docs/overview/threat-model.md,https://github.com/backstage/backstage/blob/9f67ede0651a187ed890df3de4caee941e078c95/docs/overview/threat-model.md,,Yes
dotnet/msbuild,dotnet,documentation/specs/BuildCheck/BuildCheck-feature-threat-model.md,https://github.com/dotnet/msbuild/blob/e4dc6152ef4332d8736cadc189044aa3446956f4/documentation/specs/BuildCheck/BuildCheck-feature-threat-model.md,,Yes
projectcontour/contour,projectcontour,site/content/resources/security-threat-model.md,https://github.com/projectcontour/contour/blob/0119d761110441ad3a4ed9406e339eb28ead5da7/site/content/resources/security-threat-model.md,,Yes
cncf/tag-security,cncf,community/assessments/projects/tikv/tikv-threat-model.md,https://github.com/cncf/tag-security/blob/e9e846978149d349300fccb15feff43e58def8ad/commu
Initial thought: https://mastodon.social/@andrewnez/112151957657701569
Based on https://en.wikipedia.org/wiki/Tier_list
Comments and critiques welcome
Usage ideas: