Releases: instancelabs/foresights
v0.9.8
v0.9.7
What's new
RSS community cards render clean prose (#20) — snippet() decodes HTML
entities and strips Reddit boilerplate (byline, [link]/[comments],
preview.redd.it URLs, zero-width chars). Still escHtml-safe; non-Reddit
feeds unchanged.
Deterministic spotlight → service Claude Code briefs (#21) — optional
Spotlight.productId forces a deterministic flag badge for the mapped service.
Absent/unknown → unchanged regex auto-match; product-less dashboards build
byte-identically.
Strictly additive — no API/schema changes. 732 tests pass.
v0.9.6 — Context-refresh fetch fix + richer Claude Code prompts
v0.9.6 — Context-refresh fetch fix + richer Claude Code prompts
Two fixes to the closed-loop Claude Code workflow. Strictly additive — no API or schema changes; the v0.9.3 security pass is intact.
Fixed
- Context refresh now loads file contents.
↻ Refresh from repowas reporting "could not be fetched" for every file (CLAUDE.md, README, etc.) while only directory listings worked. The GitHub MCP returns a text file as a prefixed plain string rather than a{ content }object, sonormaliseResponsedropped it. It now parses the string (and strips thesuccessfully downloaded text file (SHA: …)prefix) and stores the file body. (PR #19)
Improved
- Self-contained Claude Code prompts. Each per-item "Generate Claude Code prompt" now includes the source link, the reason Foresights flagged the item, the "why it matters", and the integration suggestions — so the prompt is paste-and-go instead of making Claude Code rediscover the context.
- Repo context is now references, not dumps. The prompt lists the tracked repo paths instead of inlining full file bodies. Claude Code auto-loads
CLAUDE.mdand reads files live, so this keeps prompts compact and avoids baking in stale file content. (Context refresh still captures file content internally — now only for the change-detection fingerprint.)
Verification
727 tests pass; tsc and targeted biome clean; the build reproduces the live aws-cdk-news dashboard byte-for-byte plus the fixes.
v0.9.5 — Brand mark consistency
Tiny but visible fix to PR #16's brand rollout. Strictly additive — no API, no schema, v0.9.3 security pass intact.
What's new
- Hero mark stays purple regardless of per-topic accent. The dashboard's hero glyph used the currentColor variant (which adopted
var(--accent)), so the brand mark went orange on a CDK dashboard, blue on a Node dashboard, etc. Now it's locked to the full iris-gradient logomark (#8E7DFF → #6450E6) on every dashboard. - Per-topic accent still personalises every other piece of chrome — hl-card border-left, badge variants, section-nav hover, spotlight refresh button, links — so dashboards still feel topic-specific.
See PR #17 for the diff.
v0.9.4 — Brand rollout
Visually material rebrand. Strictly additive — no breaking changes, no API or schema changes, v0.9.3 security pass intact.
What's new
- Brand mark —
foresights/assets/mark.svg+glyph.svg(converging-sightline logomark). Inlined into the dashboard hero and used as the README hero across the marketplace card. - Tri-family typography — Instrument Serif for tagline gravitas, JetBrains Mono UPPERCASE .14em for section eyebrows + tags + card chips, SF Pro Display for UI body. Loaded via Google Fonts.
/foresights-designskill — the Foresights design system shipped as a discoverable plugin skill (tokens, components, brand guidelines, UI kits). Drop-in tokens for anyone building on-brand dashboards.- Marketing landing — dark-brand surface with the animated radar visual, lives at the repo root for GitHub Pages.
- Cyan signal token —
--signal #5EEAD4available in the dashboard template for live-data UI touches. - Per-topic accent still personalised — wizard's
{{ACCENT}}placeholder keeps working; brand identity is the type system + glyph + tokens, not a colour lockdown.
Compatibility
- Every existing dashboard rebuilds byte-for-byte equivalently except for the visual changes documented above.
- Security pass from v0.9.3 untouched:
safeHref×7,safeUrl×3, embeddedforesights-configblock, build-time validators (validateAllTrustedHtml,stressTestProductRegexes, SSRF guard) all still fire. - 723 tests pass; tsc + biome clean.
See PR #16 for the full diff.
v0.9.3 — Security pass
Addresses every actionable finding from the v0.9.2 security + privacy review. All 723 tests pass; tsc + biome clean.
Findings closed
- H1
javascript:URLs in<a href>— newsafeHrefhelper at all 9 emission sites. - H2 Trusted-HTML XSS via prompt injection — wizard build-time allowlist on spotlight + tip code fields.
- M1 Regex-DoS — wizard stress-tests every product regex pre-flight.
- M2 Markdown link scheme in
mdToHtml— covered by H1. - M3 Build-time SSRF —
fetch-feeds.tsrejects loopback / link-local / RFC1918. - L1
escHtmlbacktick — added; digestmdToHtmlrestores before parsing. - L2 Digest filename slug —
digest-save.mdrejects..,/,\\, null bytes.
Dependencies
vitest2.1.4 → 4.1.8. Clears all 5npm auditadvisories (4 moderate + 1 critical). All dev-tooling vulns — never shipped in the .plugin.
Deferred to v0.10
- Tokenised structure for spotlight
code(deeper H2). safe-regex2static analysis (deeper M1).- README paragraph on
localStoragestorage (informational I1).
See PR #13 for the full diff.
v0.7.2
Foresights v0.7.2
First published release. Foresights spins up a live, product-customised news
dashboard from Cowork — GitHub releases / PRs / issues plus RSS / Atom feeds,
curated highlights, a rotating spotlight, per-product relevance flagging, and
built-in Claude Code upgrade prompts.
Install
Download foresights-0.7.2.plugin from the assets below and drag it into
Cowork. Start a fresh message so the skills register, then run
/create-dashboard (also included: /refresh-dashboard, /setup-cc).
Since v0.7.0
v0.7.1 — packaging fix. v0.7.0 shipped a structurally incomplete template
tree: 14 source modules were missing and 61 imports were broken, so the
/create-dashboard build crashed before producing anything. v0.7.1 restores
the 14 modules and adds an import-completeness guard to the packaging script
so an incomplete tree can never ship again.
v0.7.2 — wizard build speed-ups.
- The build orchestrator fetches RSS feeds itself, in Node, all feeds in
parallel — no wizard-agent round-trips. - New
--fastbuild flag (esbuild only, ~2s). - Build-recipe fixes in the skill docs: read-only plugin dir handling,
/tmpstaging, synchronous install.
Verification
tsc strict clean · biome clean · 558 / 558 tests green · end-to-end
dashboard build confirmed.