Andrew Nesbitt andrew

brief — Project Recognition & Inspection Engine Format

Overview

brief is a single-binary CLI tool written in Go that deterministically detects a software project's toolchain, configuration, and conventions, then outputs a structured report of what the project is and how to work with it.

It lives in the git-pkgs GitHub org alongside forge, git-pkgs, and shared Go modules that provide low-level ecosystem mapping — manifest parsing, package URL handling, version range resolution, and ecosyste.ms API integration. By building on these shared modules, brief launches with support for 30+ package ecosystems from day one.

The first consumer is Upkeep, the Forgejo-based autonomous package maintenance bot swarm. brief is one of several deterministic tools that Upkeep runs to provide structured context to AI coding agents before they begin work — replacing the trial-and-error exploration loop that burns turns and tokens. Beyond Upkeep, brief is useful for any AI coding agent (Claude Code, Copilot, Cursor

Adding proxy cache to forgejo using git-pkgs/proxy internals

Context

Forgejo has a package registry that handles 23 ecosystems. Packages are uploaded directly -- there's no pull-through cache from upstream registries like npmjs.org or crates.io. git-pkgs/proxy is a standalone caching proxy for 16 ecosystems that already solves this problem. The question is what can be reused.

Prior art / related issues

This has been requested multiple times in the Gitea tracker (forgejo inherits these):

git-pkgs+ gittuf integration investigation

This document explores how git-pkgs and gittuf could integrate to enable dependency-aware security policies for Git repositories. The goal: let gittuf enforce policies like "adding new runtime dependencies requires two approvals" or "block dependencies with critical CVEs" by leveraging git-pkgs' understanding of package ecosystems.

What git-pkgs does

git-pkgs is a Git subcommand for tracking package dependencies across git history. It answers questions like "when was this dependency added?", "who added it?", and "what changed between these two commits?" with a unified interface across 40+ package ecosystems.

git-pkgs was recently rewritten from Ruby into Go, partly to enable this kind of integration (importable as a Go library) and partly to simplify deployment as a single binary. It's in early development and can be adapted to work well with gittuf based on feedback.

OSS Tier List

Initial thought: https://mastodon.social/@andrewnez/112151957657701569

Based on https://en.wikipedia.org/wiki/Tier_list

Comments and critiques welcome

Usage ideas:

Browser extension: detect you're looking at a webpage of a package or repo, show you the project's Tier for quick and easy classification

	The Commission's call for evidence rightly identifies European reliance on non-EU digital technologies, but focuses primarily on cloud infrastructure, AI, and end-user applications. There's a critical layer missing: the dependency intelligence infrastructure that sits between source code hosting and application deployment.

	Open source software underpins 70-90% of all code in the digital economy. But the infrastructure that tracks, analyses, and secures that software is almost entirely US-controlled: package registries, vulnerability databases, dependency graphs, software composition analysis tools, and automated update services. A European company can self-host Forgejo for code hosting and still depend entirely on US services for vulnerability scanning, dependency updates, license compliance, and SBOM generation.

	The M×N Problem

	Package management has an M×N problem. Every tool implements support for every ecosystem separately. When a new language ships a package manager, it goes to the back of every queue

	require "net/http"
	require "json"
	require "uri"
	require "digest"
	require "fileutils"

	INSTANCE = "https://mastodon.social"
	USERNAME = "andrewnez"
	CACHE_DIR = File.join(__dir__, ".cache")

	Toss a coin to your maintainer,
	O guardian of the tree,
	For the forests of dependency
	Are darker than they seem.

	He patches through the nightfall,
	He merges through the dawn,
	While the auditors ride eastward
	To demand another form.

	Repository,Owner,File Path,HTML URL,Size,Downloaded
	jaegertracing/jaeger,jaegertracing,THREAT-MODEL.md,https://github.com/jaegertracing/jaeger/blob/0cf2b7bc16f8acb94fa0f427c12f7868de667cfa/THREAT-MODEL.md,,Yes
	backstage/backstage,backstage,docs/overview/threat-model.md,https://github.com/backstage/backstage/blob/9f67ede0651a187ed890df3de4caee941e078c95/docs/overview/threat-model.md,,Yes
	dotnet/msbuild,dotnet,documentation/specs/BuildCheck/BuildCheck-feature-threat-model.md,https://github.com/dotnet/msbuild/blob/e4dc6152ef4332d8736cadc189044aa3446956f4/documentation/specs/BuildCheck/BuildCheck-feature-threat-model.md,,Yes
	projectcontour/contour,projectcontour,site/content/resources/security-threat-model.md,https://github.com/projectcontour/contour/blob/0119d761110441ad3a4ed9406e339eb28ead5da7/site/content/resources/security-threat-model.md,,Yes
	cncf/tag-security,cncf,community/assessments/projects/tikv/tikv-threat-model.md,https://github.com/cncf/tag-security/blob/e9e846978149d349300fccb15feff43e58def8ad/commu

	[["github.com", 3114781],
	["gitlab.com", 32138],
	["bitbucket.org", 25904],
	["gitee.com", 20218],
	["gitbox.apache.org", 6262],
	["svn.apache.org", 5852],
	["git-wip-us.apache.org", 3167],
	["wiki.opendaylight.org", 3108],
	["code.google.com", 2217],
	["git.eclipse.org", 1772],