feat: Concept Substrate — link repos by shared concepts (Pillar 3, Spec 2a)

.github/workflows/ci.yml

@@ -27,6 +27,27 @@ jobs:
       - name: Format check (advisory)
         run: npm run format:check
         continue-on-error: true
-      - name: Dependency audit (advisory)
+      - name: Dependency audit
         run: npm audit --audit-level=high
+
+  website:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-node@v5
+        with:
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: website/package-lock.json
+      - run: npm ci
+        working-directory: website
+      - name: Website lint
+        run: npm run lint
+        working-directory: website
+      - name: Website build
+        run: npm run build
+        working-directory: website
+      - name: Website dependency audit (advisory)
+        run: npm audit --audit-level=moderate
+        working-directory: website
         continue-on-error: true

.github/workflows/deploy-pages.yml

@@ -34,7 +34,7 @@ jobs:
           cache-dependency-path: website/package-lock.json
       - name: Install deps
         working-directory: website
-        run: npm install
+        run: npm ci
       - name: Build static export
         working-directory: website
         env:

.github/workflows/release.yml

@@ -0,0 +1,54 @@
+name: Release extension zip
+
+on:
+  push:
+    tags:
+      - 'v*.*.*'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  package:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-node@v5
+        with:
+          node-version: '20'
+          cache: 'npm'
+      - run: npm ci
+      - name: Verify version matches tag
+        if: startsWith(github.ref, 'refs/tags/')
+        run: |
+          VERSION="${GITHUB_REF_NAME#v}"
+          VERSION="$VERSION" node - <<'NODE'
+          const fs = require('fs');
+          const version = process.env.VERSION;
+          const pkg = JSON.parse(fs.readFileSync('package.json', 'utf8')).version;
+          const manifest = JSON.parse(fs.readFileSync('manifest.json', 'utf8')).version;
+          if (pkg !== version || manifest !== version) {
+            console.error(`Version mismatch: tag=${version} package=${pkg} manifest=${manifest}`);
+            process.exit(1);
+          }
+          NODE
+      - name: Verify
+        run: |
+          npm test
+          npm run lint
+          npm run check:html
+          npm audit --audit-level=high
+      - name: Package Chrome extension
+        run: |
+          VERSION=$(node -p "require('./manifest.json').version")
+          mkdir -p dist repolens-release
+          cp manifest.json README.md CHANGELOG.md repolens-release/
+          cp batch.html library.html options.html output-tab.html share.html stack-tab.html whats-new.html repolens-release/
+          cp ./*.js ./*.css repolens-release/
+          cp -R icons assets store migrate vendor repolens-release/
+          (cd repolens-release && zip -r "../dist/repolens-v${VERSION}.zip" . -x '*.DS_Store')
+      - uses: actions/upload-artifact@v4
+        with:
+          name: repolens-extension-zip
+          path: dist/*.zip

.prettierignore

@@ -1,6 +1,8 @@
 node_modules
 coverage
 website
+docs/audits
+docs/superpowers
 package-lock.json
 *.min.js
 icons

CHANGELOG.md

@@ -1,21 +1,42 @@
 # Changelog
 
 Every release of RepoLens, newest first. Want the friendly highlights instead of
-the full detail? See **[What's new](README.md)** in the README.
+the full detail? Open **What's New** in the extension, or read `whats-new.html`.
 
 This project follows [Semantic Versioning](https://semver.org/) and groups changes
 by theme. Dates are when the release landed on `main`. 1.1.0 through 1.6.0 shipped
 the same day, as a rapid burst of improvements, so they share a date.
 
-## [Unreleased]
+## [Unreleased] — 2026-06-19 · _Actionable Scans · Smooth Loading · Provider Refresh · Stability_
 
 ### Added
 
-- **Mono Ink identity.** RepoLens ships a new dark-tile lens icon, a "Mono Ink" default theme (cool near-black, white, and cobalt), and a wordmark lockup. The toolbar icon now animates only while a scan runs: the aperture grows and spins and the ring breathes grey to blue, then it resets to static. Turn the animation off in **Options**, and it honors your OS reduced-motion setting. The other 13 themes stay one click away.
+- **More consistent scan start.** Clicking the extension icon now opens the loading tab immediately, then checks cache/provider setup in parallel, so first-press feedback is instant and cached scans swap in cleanly.
+- **More tolerant long scans.** The output tab now watches the scan heartbeat instead of failing at a fixed 90 seconds, so slow provider calls can finish instead of showing a false timeout.
+- **More playful scan loading.** The loading screen now has scan stages, live phase labels, rotating signal copy, and a livelier reduced-motion-safe lens animation.
+- **Smoother navigation.** Scan tabs now use reduced-motion-safe view transitions, restore per-tab scroll position, avoid quick-verdict re-renders while loading, and make large Library grids cheaper to scroll.
+- **Structured scan schema.** Core scans now ask for a mental model, risk register, adoption simulation, and learning path — with parser fallbacks so older scans still render useful structured sections.
+- **Decision-grade Verdict tab.** The Verdict view now leads with a best next action, confidence, evidence, and a 30-minute trial plan so every scan tells you what to do next — not just what the repo is.
+- **DESIGN.md-inspired theme pack.** Added six more CSS-only themes researched from DESIGN.md catalogs: **Command Blue**, **Aubergine Trace**, **Emerald DB**, **Paperline**, **Toybox Red**, and **Gradient Aurora**.
+- **Liquid Glass theme.** Inspired by `liquid-dom`'s liquid-glass direction without adding its WebGPU/React runtime, RepoLens now has a CSS-only **Liquid Glass** theme: translucent surfaces, icy blue highlights, glassy panels, and no new dependency or browser flag.
+- **Live first-class model catalogs.** Google Gemini, OpenRouter, and Nous now load their live model lists in **Options** instead of relying on stale hard-coded dropdowns. RepoLens filters those catalogs to text-capable models, preserves a **Custom…** escape hatch, and reuses the live list in **Models per scan part**.
+- **Claude sign-in is back, using the Claude Code / Pi OAuth flow.** The Anthropic card now supports **Sign in with Claude** for Claude Pro/Max-style accounts and still supports a Console API key (`sk-ant-api…`). OAuth tokens are stored only in this browser, refreshed automatically, and excluded from settings export.
+- **Gemini Ultra-ready picker.** The Google card loads newer Gemini entries when your API key exposes them, while the scan fallback stays on a stable Gemini 2.5 default so a fresh install does not hang on a preview model.
+- **Mono Ink identity.** RepoLens ships a new dark-tile lens icon, a "Mono Ink" default theme (cool near-black, white, and cobalt), and a wordmark lockup. The toolbar icon now animates only while a scan runs: the aperture grows and spins and the ring breathes grey to blue, then it resets to static. Turn the animation off in **Options**, and it honors your OS reduced-motion setting. The other themes stay one click away.
 - **A warmer Vee.** Vee's onboarding copy reads like a person now. The repo also vendors the stop-slop writing standard under `docs/style/` so the voice stays consistent.
 - **Vee-guided first-run walkthrough.** New users are met by Vee on their first Library open; the coachmark steps through a seeded demo repo (Library card → Verdict tab → Blueprint canvas) with plain narration and a spotlight on each target element. Implemented in `onboarding.js` / `coachmark.js`; copy lives in `onboarding-copy.js`.
 - **Milestone "power tour"** offered after approximately five real scans: a second coachmark sequence introducing the cross-library tools: Ask, Corkboard (Alternatives / Synergies), multi-select Compare, Radar / auto-organize, and Discover.
 
+### Changed
+
+- **Model IDs are canonicalized before calls.** Legacy saved values such as `Hermes-4-405B`, `anthropic/claude-opus-4-8`, or Google `models/...` IDs are normalized to the IDs the provider APIs expect.
+- **Provider docs and settings copy now match reality.** Claude can use OAuth or a key, Gemini model options come from your key, and OpenRouter/Nous names reflect their `/models` catalogs.
+
+### Fixed
+
+- **Stuck scan recovery.** Output tabs now keep the MV3 service worker warm while a scan is loading, repository metadata fetches have a 20s timeout, and output pages render a timeout/retry state instead of spinning forever if the background scan stops responding.
+- **Library load/save hangs after updates.** IndexedDB connections now close on version upgrades and blocked opens reject instead of hanging forever, so stale RepoLens tabs can no longer leave the Library blank or a scan stuck on “Saving…”.
+
 ---
 
 ## [3.1.0] — 2026-06-16 · _Interactive Canvas (Blueprint · Guided Tour · Corkboard · Stack Studio)_
@@ -28,7 +49,7 @@ the same day, as a rapid burst of improvements, so they share a date.
 - **Persistent arrangements.** Node positions and canvas state are stored in a new `scenes` IndexedDB store and round-trip through the library backup/export envelope, so layouts travel with your library.
 - **Corkboard (Library-wide canvas).** A toggle in the Library page switches your whole collection into a red-string board: every scanned repo is a draggable manila card, and related repos are joined by colored string keyed to relationship type (alternatives, synergies, head-to-heads, combined ideas) and shaded by fit score. Filter by Collection to focus a board, and the arrangement is saved so it's exactly where you left it next session. Reuses the same canvas engine as Blueprint — zero new dependencies, theme-aware, reduced-motion safe.
 - **Stack Studio (canvas view of a tech-stack).** The Tech-Stack Builder result gains a **View on canvas** toggle: the repos you wired together render as layer-coloured cards in adoption order, joined by their integrations, with any gaps shown as dashed cards — the same engine, turning "how these fit together" into a living diagram.
-- **Zero-build, zero dependencies.** Plain ES modules only — no bundler, no new npm packages. Theme-aware across all 13 themes and reduced-motion safe throughout.
+- **Zero-build, zero dependencies.** Plain ES modules only — no bundler, no new npm packages. Theme-aware across all themes and reduced-motion safe throughout.
 
 ## [3.0.1] — 2026-06-15 · _Audit hardening_
 
@@ -80,7 +101,7 @@ behavioural changes to features, just fixes and guardrails.
 - **"Vee", a lens mascot** _(optional)_. A small telescope/aperture character that reacts
   to your scans — scanning as it reads, wide open on a **strong** fit, eyes narrowed on a
   **risky** one, thinking during a Deep Dive, resting on an empty Library. One token-aware
-  inline SVG that re-skins across all 13 themes; purely decorative (`aria-hidden`) and
+  inline SVG that re-skins across every theme; purely decorative (`aria-hidden`) and
   reduced-motion-safe. Turn it off in **Options → Interface** (`mascotEnabled`, on by
   default; it travels with your settings backup).
 - **A shared motion vocabulary** (`--dur-*` / `--ease-*` tokens in `themes.css`) and a
@@ -102,24 +123,18 @@ behavioural changes to features, just fixes and guardrails.
 - Still 100% client-side: Collections live in your in-browser IndexedDB and round-trip
   through the library backup; no server, no accounts, no telemetry.
 
-## [1.6.0] — 2026-06-13 · _Claude is API-key only_
+## [1.6.0] — 2026-06-13 · _Claude API-key fallback_
+
+> Superseded by the current Unreleased provider refresh: Claude OAuth is available again via the Claude Code / Pi flow, with Console API keys still supported.
 
 ### Removed
 
-- **The Claude *subscription* sign-in ("Sign in with Claude").** It never reliably
-  worked, and it can't: Anthropic binds Claude Pro/Max OAuth tokens to their own
-  **Claude Code** client (validated server-side via an identity system prompt + beta
-  flags) and, as of 2026, its terms **prohibit using subscription authentication in
-  third-party products**. The only way to make it "work" is to impersonate Claude
-  Code — which is a terms violation that risks getting **the user's own Anthropic
-  account banned** and breaks whenever Anthropic rotates a flag. So we took it out
-  rather than ship spoofing.
+- **The earlier Claude _subscription_ sign-in ("Sign in with Claude").** That implementation was removed because it did not match the Claude Code flow closely enough to be reliable. Current builds restore Claude sign-in using the same shape Pi uses, while keeping the Console API key path as a fallback.
 
 ### Changed
 
-- **Claude now connects with a Console API key only** (`sk-ant-api…` from
-  console.anthropic.com). The Anthropic card's *Connect* opens the key field directly;
-  `callAnthropic` is a clean `x-api-key` request with no OAuth/exchange branches.
+- **Claude gained an explicit Console API key path** (`sk-ant-api…` from
+  console.anthropic.com). At the time, the Anthropic card's _Connect_ opened the key field directly and `callAnthropic` used a clean `x-api-key` request with no OAuth/exchange branches.
 - Dropped the now-unused `claude.ai`, `platform.claude.com`, and
   `console.anthropic.com` host permissions (kept `api.anthropic.com` for inference).
 - Deleted the dead `oauth-anthropic.js` module and its callback interception.
@@ -128,7 +143,7 @@ behavioural changes to features, just fixes and guardrails.
 
 - **This does not affect the working sign-ins.** **Grok** (Grok CLI device flow),
   **OpenRouter**, and **OpenAI** (Sign in with ChatGPT, added in 1.5.0) still use
-  one-click OAuth — those vendors *support* third-party OAuth. Anthropic is the one
+  one-click OAuth — those vendors _support_ third-party OAuth. Anthropic is the one
   that doesn't.
 - **Free is still easy:** local **Ollama** (no key) or **Gemini's** free tier.
 
@@ -137,8 +152,8 @@ behavioural changes to features, just fixes and guardrails.
 ### Added
 
 - **Sign in with ChatGPT for OpenAI.** Connect OpenAI without pasting a key —
-  RepoLens performs the **same OAuth login the Codex CLI uses**. Click *Sign in
-  with ChatGPT*, approve it on OpenAI's page, and RepoLens captures the redirect
+  RepoLens performs the **same OAuth login the Codex CLI uses**. Click _Sign in
+  with ChatGPT_, approve it on OpenAI's page, and RepoLens captures the redirect
   and turns it into a working OpenAI key for you, behind the scenes. This rounds
   out the one-click sign-ins: **Claude** already uses the Claude Code login and
   **Grok** the Grok CLI login, so the three big coding-CLI logins are now all here.
@@ -152,7 +167,7 @@ behavioural changes to features, just fixes and guardrails.
   access. If it doesn't, RepoLens tells you plainly and you can paste an OpenAI
   API key — or use any other provider — instead.
 - Still **no spawning of a local `claude` / `codex` binary** — a browser extension
-  can't launch a process. What's new is the *OAuth* those CLIs use, not the CLI.
+  can't launch a process. What's new is the _OAuth_ those CLIs use, not the CLI.
   Your ChatGPT credentials never touch RepoLens; the login happens on OpenAI's site
   and only tokens come back, stored in this browser and never exported.
 
@@ -173,17 +188,17 @@ behavioural changes to features, just fixes and guardrails.
   exported with your settings.
 - **Per-vendor model pickers** (with a recommended ★) plus a free-form Custom
   model, and an **Advanced endpoint override** for proxies/regional gateways.
-- **Provider self-tests** — *Test connection* checks the endpoint answers;
-  *Test function* asks the model to follow a tiny instruction.
+- **Provider self-tests** — _Test connection_ checks the endpoint answers;
+  _Test function_ asks the model to follow a tiny instruction.
 - Compatible providers also appear in the **per-scan-part router**, and any one
-  you connect becomes a valid fallback in the smart chain — so connecting *only*
+  you connect becomes a valid fallback in the smart chain — so connecting _only_
   (say) DeepSeek or a local Ollama just works.
 
 ### Notes
 
 - When you connect a custom AI address, Chrome asks you to approve that site once —
   that's expected. Only secure `http(s)` addresses are accepted.
-- Local *CLI* providers (a `claude` / `codex` binary) aren't offered: a browser
+- Local _CLI_ providers (a `claude` / `codex` binary) aren't offered: a browser
   extension is sandboxed and cannot launch a local process. Local **Ollama**
   (an HTTP server) is supported instead.