renma 0.15.2 → 0.17.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (126) hide show
  1. package/CHANGELOG.md +54 -1
  2. package/README.md +216 -655
  3. package/architecture.md +523 -0
  4. package/design.md +458 -0
  5. package/dist/agent-skills.d.ts +77 -0
  6. package/dist/agent-skills.d.ts.map +1 -0
  7. package/dist/agent-skills.js +468 -0
  8. package/dist/agent-skills.js.map +1 -0
  9. package/dist/catalog.d.ts.map +1 -1
  10. package/dist/catalog.js +38 -5
  11. package/dist/catalog.js.map +1 -1
  12. package/dist/cli-help.d.ts +13 -11
  13. package/dist/cli-help.d.ts.map +1 -1
  14. package/dist/cli-help.js +36 -11
  15. package/dist/cli-help.js.map +1 -1
  16. package/dist/cli.d.ts.map +1 -1
  17. package/dist/cli.js +139 -40
  18. package/dist/cli.js.map +1 -1
  19. package/dist/commands/catalog.d.ts.map +1 -1
  20. package/dist/commands/catalog.js +4 -3
  21. package/dist/commands/catalog.js.map +1 -1
  22. package/dist/commands/graph.d.ts.map +1 -1
  23. package/dist/commands/graph.js +7 -12
  24. package/dist/commands/graph.js.map +1 -1
  25. package/dist/commands/readiness.d.ts.map +1 -1
  26. package/dist/commands/readiness.js +7 -6
  27. package/dist/commands/readiness.js.map +1 -1
  28. package/dist/commands/scaffold.d.ts.map +1 -1
  29. package/dist/commands/scaffold.js +59 -16
  30. package/dist/commands/scaffold.js.map +1 -1
  31. package/dist/commands/suggest-metadata.d.ts +3 -1
  32. package/dist/commands/suggest-metadata.d.ts.map +1 -1
  33. package/dist/commands/suggest-metadata.js +226 -7
  34. package/dist/commands/suggest-metadata.js.map +1 -1
  35. package/dist/commands/suggest-semantic-split.js +3 -3
  36. package/dist/commands/suggest-semantic-split.js.map +1 -1
  37. package/dist/dependency-resolution.d.ts +6 -0
  38. package/dist/dependency-resolution.d.ts.map +1 -0
  39. package/dist/dependency-resolution.js +11 -0
  40. package/dist/dependency-resolution.js.map +1 -0
  41. package/dist/diagnostic-ids.d.ts +29 -0
  42. package/dist/diagnostic-ids.d.ts.map +1 -1
  43. package/dist/diagnostic-ids.js +28 -0
  44. package/dist/diagnostic-ids.js.map +1 -1
  45. package/dist/discovery.d.ts +50 -0
  46. package/dist/discovery.d.ts.map +1 -1
  47. package/dist/discovery.js +183 -25
  48. package/dist/discovery.js.map +1 -1
  49. package/dist/metadata.d.ts +3 -1
  50. package/dist/metadata.d.ts.map +1 -1
  51. package/dist/metadata.js +166 -29
  52. package/dist/metadata.js.map +1 -1
  53. package/dist/model.d.ts +1 -0
  54. package/dist/model.d.ts.map +1 -1
  55. package/dist/report.d.ts.map +1 -1
  56. package/dist/report.js +16 -1
  57. package/dist/report.js.map +1 -1
  58. package/dist/repository-paths.d.ts +13 -0
  59. package/dist/repository-paths.d.ts.map +1 -1
  60. package/dist/repository-paths.js +60 -2
  61. package/dist/repository-paths.js.map +1 -1
  62. package/dist/rules.d.ts.map +1 -1
  63. package/dist/rules.js +97 -107
  64. package/dist/rules.js.map +1 -1
  65. package/dist/scanner.d.ts.map +1 -1
  66. package/dist/scanner.js +3 -1
  67. package/dist/scanner.js.map +1 -1
  68. package/dist/security-diagnostics.d.ts.map +1 -1
  69. package/dist/security-diagnostics.js +98 -35
  70. package/dist/security-diagnostics.js.map +1 -1
  71. package/dist/security-policy-inventory.js +11 -4
  72. package/dist/security-policy-inventory.js.map +1 -1
  73. package/dist/security-policy.d.ts +27 -1
  74. package/dist/security-policy.d.ts.map +1 -1
  75. package/dist/security-policy.js +247 -34
  76. package/dist/security-policy.js.map +1 -1
  77. package/dist/skill-migration.d.ts +30 -0
  78. package/dist/skill-migration.d.ts.map +1 -0
  79. package/dist/skill-migration.js +566 -0
  80. package/dist/skill-migration.js.map +1 -0
  81. package/dist/trust-graph.d.ts.map +1 -1
  82. package/dist/trust-graph.js +7 -11
  83. package/dist/trust-graph.js.map +1 -1
  84. package/dist/types.d.ts +3 -1
  85. package/dist/types.d.ts.map +1 -1
  86. package/dist/yaml-frontmatter.d.ts +26 -0
  87. package/dist/yaml-frontmatter.d.ts.map +1 -0
  88. package/dist/yaml-frontmatter.js +114 -0
  89. package/dist/yaml-frontmatter.js.map +1 -0
  90. package/docs/README.md +55 -0
  91. package/docs/advanced-skill-authoring.md +140 -0
  92. package/docs/agent-skills-compatibility.md +500 -0
  93. package/docs/authoring-guide.md +324 -0
  94. package/docs/context-conflict-diagnostics.md +32 -0
  95. package/docs/context-language-diagnostics.md +99 -0
  96. package/docs/context-lens.md +253 -0
  97. package/docs/context-lifecycle-diagnostics.md +55 -0
  98. package/docs/diagnostics.md +373 -0
  99. package/docs/metadata-budget.md +14 -0
  100. package/docs/repository-context-bom.md +113 -0
  101. package/docs/security-policy.md +338 -0
  102. package/docs/user-manual.md +813 -0
  103. package/examples/context-lens/README.md +101 -0
  104. package/examples/context-lens/contexts/testing/boundary-value-analysis.md +23 -0
  105. package/examples/context-lens/lenses/testing/spec-review-boundary-values.md +29 -0
  106. package/examples/context-lens/lenses/testing/test-design-boundary-values.md +29 -0
  107. package/examples/context-lens/skills/testing/spec-review/SKILL.md +49 -0
  108. package/examples/context-repo/README.md +149 -0
  109. package/examples/context-repo/contexts/domain/payment/idempotency.md +20 -0
  110. package/examples/context-repo/contexts/testing/boundary-value-analysis.md +19 -0
  111. package/examples/context-repo/contexts/testing/negative-testing.md +19 -0
  112. package/examples/context-repo/lenses/testing/spec-review-boundary-values.md +35 -0
  113. package/examples/context-repo/renma.config.json +12 -0
  114. package/examples/context-repo/skills/testing/spec-review/SKILL.md +66 -0
  115. package/examples/context-repo/tools/appium/README.md +14 -0
  116. package/examples/github-actions/renma-ci-report.yml +36 -0
  117. package/examples/interactive-placeholder/README.md +104 -0
  118. package/examples/interactive-placeholder/assets/template.txt +1 -0
  119. package/examples/interactive-placeholder/renma.config.json +6 -0
  120. package/examples/interactive-placeholder/skills/replace-placeholder/SKILL.md +54 -0
  121. package/examples/interactive-placeholder/tools/README.md +48 -0
  122. package/examples/interactive-placeholder/tools/placeholder-demo.mjs +99 -0
  123. package/package.json +11 -1
  124. package/plan-discovery.md +740 -0
  125. package/plan.md +150 -0
  126. package/scripts/verify-package.mjs +97 -0
@@ -0,0 +1,55 @@
1
+ # Context Lifecycle Diagnostics
2
+
3
+ Renma checks shared context lifecycle metadata so deprecated context assets remain traceable and do not point at stale replacements.
4
+
5
+ These diagnostics are deterministic catalog diagnostics. They do not choose replacement context at runtime, infer migration intent, create scan finding IDs, or rewrite metadata.
6
+
7
+ ## Scope
8
+
9
+ These diagnostics apply to governed shared context assets: context assets with a `context.*` id, owner metadata, and usage-boundary metadata (`when_to_use` and `when_not_to_use`). Lightweight fixtures or unmanaged context-like files are ignored.
10
+
11
+ ## Deprecated context without replacement
12
+
13
+ Renma warns when a deprecated shared context asset has no `superseded_by` metadata:
14
+
15
+ ```text
16
+ Deprecated shared context asset is missing superseded_by metadata.
17
+ ```
18
+
19
+ Prefer linking deprecated context to the current replacement:
20
+
21
+ ```yaml
22
+ status: deprecated
23
+ superseded_by:
24
+ - context.testing.boundary-value-analysis
25
+ ```
26
+
27
+ If there is intentionally no replacement, keep that rationale in the Markdown body and consider whether `archived` is more appropriate than `deprecated`.
28
+
29
+ ## Invalid superseded_by targets
30
+
31
+ Renma warns when `superseded_by` points at itself, points at a missing catalog entry, or points at another inactive asset.
32
+
33
+ Example messages:
34
+
35
+ ```text
36
+ Shared context asset superseded_by references itself: "context.testing.old-boundary-analysis".
37
+ Shared context asset superseded_by target "context.testing.missing" does not match a catalog entry.
38
+ Shared context asset superseded_by target "context.testing.old-target" resolves to an inactive asset with status "deprecated".
39
+ ```
40
+
41
+ `superseded_by` should point at a stable or experimental catalog asset that can serve as the reviewed replacement.
42
+
43
+ ## Supersession cycles
44
+
45
+ Renma warns when deprecated context assets form a replacement cycle:
46
+
47
+ ```text
48
+ Shared context asset superseded_by chain forms a cycle involving "context.testing.old-a".
49
+ ```
50
+
51
+ Break the cycle by pointing each deprecated asset at the actual current replacement, or by archiving assets that have no replacement.
52
+
53
+ ## Relationship to context lens
54
+
55
+ These checks are useful before adding purpose-oriented lens assets. A lens should not have to reason through stale replacement chains or cycles when it depends on base context.
@@ -0,0 +1,373 @@
1
+ # Diagnostics Reference
2
+
3
+ This page documents diagnostics and finding identifiers emitted by the current renma implementation. It does not list planned diagnostics.
4
+
5
+ ## Diagnostic Types
6
+
7
+ renma uses two severity systems:
8
+
9
+ - Discovery, metadata, catalog, and readiness diagnostics use `info`, `warning`, and `error`.
10
+ - Scan findings use rule severities such as `low`, `medium`, `high`, and `critical`.
11
+
12
+ In JSON output, diagnostics usually appear as structured objects with a `severity`, a `message`, and, when available, a `path`.
13
+
14
+ ## LLM-Actionable Diagnostics V2
15
+
16
+ `renma scan --json` includes an additive `diagnosticsV2` array. Existing
17
+ `findings` and `diagnostics` fields remain compatible; v2 is a normalized view
18
+ for LLM-assisted repair, code review tools, and humans who want explicit repair
19
+ guardrails.
20
+
21
+ Each v2 diagnostic includes:
22
+
23
+ - `version`: currently `2`.
24
+ - `code`: stable diagnostic or finding code.
25
+ - `severity`: `error`, `warning`, or `info`. Scan finding severities are mapped
26
+ into this simpler diagnostic scale, while the original `findingSeverity`
27
+ remains in `details`.
28
+ - `message`: concise human-readable issue summary.
29
+ - `repairPolicy`: currently `preserve_semantics` when repairs must preserve the
30
+ intended behavior rather than merely satisfying the scanner.
31
+ - `location`: repository path, line range, and snippet when available.
32
+ - `repairConstraints`: typed guardrails for what must be preserved, what must
33
+ not change, allowed repair shapes, human decisions, and risks.
34
+ - `verificationSteps`: concrete follow-up checks. When a command is known,
35
+ Renma uses real project commands such as `renma scan`, `renma catalog`,
36
+ `renma readiness`, `renma graph`, or `npm test`.
37
+ - `llmHint`: short practical guidance for an LLM or coding agent. It is not a
38
+ source of truth; the diagnostic evidence and repair constraints remain
39
+ authoritative.
40
+ - `details`: compatibility metadata plus stable structured facts when known,
41
+ such as asset IDs, lens IDs, source paths, targets, duplicate paths, reference
42
+ kinds, and target lifecycle status.
43
+
44
+ Structured facts in `details` are the authoritative inputs for review tooling.
45
+ `llmHint` is guidance only; changing hint wording should not change bundle
46
+ grouping, affected files, affected assets, or repair decisions.
47
+
48
+ Example:
49
+
50
+ ```json
51
+ {
52
+ "version": 2,
53
+ "code": "META-DUPLICATE-ASSET-ID",
54
+ "severity": "warning",
55
+ "message": "Duplicate asset id",
56
+ "repairPolicy": "preserve_semantics",
57
+ "location": {
58
+ "path": "contexts/alpha/overview.md",
59
+ "startLine": 2,
60
+ "endLine": 2,
61
+ "snippet": "id: context.demo.duplicate"
62
+ },
63
+ "repairConstraints": [
64
+ {
65
+ "kind": "must_preserve",
66
+ "text": "Preserve existing references where possible and update only references affected by the chosen canonical id."
67
+ },
68
+ {
69
+ "kind": "must_not_change",
70
+ "text": "Do not rename every duplicate blindly; identify the canonical asset or ask for review when intent is ambiguous."
71
+ }
72
+ ],
73
+ "verificationSteps": [
74
+ {
75
+ "text": "Run renma scan.",
76
+ "command": "renma scan",
77
+ "expected": "No diagnostics with code META-DUPLICATE-ASSET-ID are reported."
78
+ }
79
+ ],
80
+ "llmHint": "Find all assets with id \"context.demo.duplicate\", compare their scope and metadata, and propose a merge/deprecation path or unique replacement ids.",
81
+ "details": {
82
+ "assetId": "context.demo.duplicate",
83
+ "duplicatePaths": [
84
+ "contexts/alpha/overview.md",
85
+ "contexts/beta/overview.md"
86
+ ],
87
+ "sourcePath": "contexts/alpha/overview.md"
88
+ }
89
+ }
90
+ ```
91
+
92
+ `repairConstraints` are deliberately conservative. A `must_preserve` constraint
93
+ names repository intent or content that should survive the repair.
94
+ `must_not_change` names unsafe shortcuts, such as creating fake dependencies or
95
+ deleting orphaned context assets automatically. `allowed_change` describes safe
96
+ edit shapes. `requires_human_decision` marks ambiguity that should not be guessed
97
+ by automation. `risk` highlights security, data-handling, or destructive-action
98
+ concerns.
99
+
100
+ ## Review Bundles
101
+
102
+ `renma scan --json` also includes `reviewBundles`, a deterministic grouping of
103
+ related v2 diagnostics. Bundles help reviewers decide what to inspect together,
104
+ which files or assets are involved, and what order to follow.
105
+
106
+ Renma currently groups duplicate IDs by duplicated id, unresolved references by
107
+ source, orphaned context assets separately from hard validation errors, and
108
+ dependency/reference issues by affected source. Bundles are generated from
109
+ structured `details` facts and source locations first, with human-facing prose
110
+ parsing used only as a legacy fallback. Suppressed findings are omitted from both
111
+ `diagnosticsV2` and `reviewBundles`.
112
+
113
+ Example:
114
+
115
+ ```json
116
+ {
117
+ "id": "duplicate-id:context.demo.duplicate",
118
+ "title": "Duplicate id review: context.demo.duplicate",
119
+ "summary": "2 diagnostics report the same declared id and should be reviewed together before renaming or merging assets.",
120
+ "severity": "warning",
121
+ "diagnosticCodes": ["META-DUPLICATE-ASSET-ID"],
122
+ "affectedAssets": ["context.demo.duplicate"],
123
+ "affectedFiles": ["contexts/alpha/overview.md", "contexts/beta/overview.md"],
124
+ "suggestedReviewOrder": [
125
+ "Inspect duplicate declaration in contexts/alpha/overview.md",
126
+ "Inspect duplicate declaration in contexts/beta/overview.md",
127
+ "Choose canonical id before editing references.",
128
+ "Update references and rerun Renma scan."
129
+ ],
130
+ "llmHint": "Pick one canonical asset id before editing references; do not rename every duplicate in one blind pass."
131
+ }
132
+ ```
133
+
134
+ ## Scan Review Signals
135
+
136
+ Renma scan findings always include `severity` and `confidence`. Security findings may also include `riskClass`, a human security-review interpretation.
137
+
138
+ - `severity`: CI gating, urgency, and impact. Values are `low`, `medium`, `high`, and `critical`.
139
+ - `confidence`: detector certainty. Values are `low`, `medium`, and `high`.
140
+ - `riskClass`: human security-review interpretation for security findings. Values are `violation`, `suspicious`, and `advisory`.
141
+
142
+ `violation` means a rule or safety contract is broken. Examples include unapproved network or upload destinations, policy contradictions, forbidden inputs, literal secrets, private keys, secret exposure, and dangerous commands.
143
+
144
+ `suspicious` means a risky or ambiguous instruction should be reviewed but is not necessarily a direct policy violation. Examples include external upload instructions, cloud upload instructions, broad data sharing, overbroad context collection, unpinned remote scripts, unpinned dependency installs, privileged commands without guardrails, and risky temporary paths.
145
+
146
+ `advisory` means a governance or hardening recommendation. For example, `SEC-MISSING-POLICY-METADATA` advises adding explicit policy metadata.
147
+
148
+ `riskClass` also powers aggregate security posture summaries in readiness and CI reports.
149
+
150
+ `riskClass` does not replace `severity` and does not change `fail_on` behavior. Severity remains the CI threshold signal.
151
+
152
+ Readiness and CI reports may include two security summaries: security posture from static findings, and security policy inventory from effective asset metadata, security profiles, and repository security config. The inventory is reporting-only and does not change scan `fail_on`, readiness scoring, or CI status.
153
+
154
+ Semantic diff and CI reports may include security deltas, including added/resolved security findings grouped by `riskClass` and effective policy inventory count changes. These summaries are reporting-only and do not change scan `fail_on`, readiness scoring, or CI status.
155
+
156
+ ## Discovery Diagnostics
157
+
158
+ These diagnostics are emitted while renma discovers files.
159
+
160
+ | Severity | Message | Meaning | Fix |
161
+ | --------- | ---------------------------------------------------------- | --------------------------------------------------- | --------------------------------------------------------------------------- |
162
+ | `error` | `Could not evaluate glob "<pattern>": <error>` | A configured discovery glob could not be evaluated. | Fix or remove the glob pattern in config or CLI input. |
163
+ | `warning` | `Skipping symbolic link.` | renma found a symlink and skipped it. | Point config at the real file or directory if the target should be scanned. |
164
+ | `warning` | `Skipping file larger than max_file_size_bytes (<bytes>).` | A file exceeded the configured size limit. | Raise `max_file_size_bytes`, exclude the file, or split the asset. |
165
+ | `error` | `Could not read file: <error>` | The file matched discovery but could not be read. | Fix permissions, remove the bad path, or exclude the file. |
166
+
167
+ ## Metadata And Catalog Diagnostics
168
+
169
+ These diagnostics are emitted after files are parsed into catalog entries. For shared-context wording details, see [Context Language Diagnostics](context-language-diagnostics.md).
170
+
171
+ Owner absence is handled as ownership coverage information. Assets without `owner` are accepted and reported as unowned by `renma ownership`; Renma does not infer owners automatically.
172
+
173
+ | Severity | Message | Meaning | Fix |
174
+ | --------- | ------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------- |
175
+ | `warning` | `Invalid status "<status>". Expected one of: experimental, stable, deprecated, archived.` | An asset status does not match the accepted status values. | Replace the status with a supported value. |
176
+ | `warning` | `Invalid last_reviewed_at "<date>". Expected ISO date YYYY-MM-DD.` | Freshness metadata has an invalid human review date. | Replace it with a real ISO date such as `2026-06-28`. |
177
+ | `warning` | `Invalid expires_at "<date>". Expected ISO date YYYY-MM-DD.` | Freshness metadata has an invalid expiration date. | Replace it with a real ISO date such as `2026-12-31`. |
178
+ | `warning` | `Invalid review_cycle "<duration>". Expected supported ISO 8601 day duration such as P90D.` | Freshness metadata uses a review cycle renma cannot evaluate. | Use a day-based duration such as `P90D` or `P180D`. |
179
+ | `warning` | `Metadata dependency "<to>" from "<from>" does not match a catalog entry.` | A metadata dependency points at an asset renma did not discover. | Correct the reference, add the missing asset, or update include/exclude config. |
180
+ | `warning` | `Metadata dependency "<to>" from "<from>" targets a <status> asset.` | A dependency points at a deprecated or archived catalog target. | Retarget the dependency to a stable replacement or document the migration. |
181
+ | `warning` | `Asset is missing an id.` | A cataloged asset has no stable ID. | Add an `id` metadata field. |
182
+ | `warning` | `Asset is missing an owner.` | A cataloged asset has no declared owner metadata. Missing owner is allowed and appears as unowned in ownership coverage; it is not converted into a scan finding by default. | If ownership matters for this repository, choose an `owner` through human review or team policy. Do not infer or invent an owner automatically. |
183
+ | `warning` | `Shared context asset is missing when_to_use metadata.` | An active, owned shared context asset has no positive usage boundary. | Add compact `when_to_use` metadata that states when humans or agents should apply the context. |
184
+ | `warning` | `Shared context asset is missing when_not_to_use metadata.` | An active, owned shared context asset has no negative usage boundary. | Add compact `when_not_to_use` metadata so agents do not over-apply the context. |
185
+ | `warning` | `Shared context asset usage-boundary metadata contains placeholder values in <field>.` | Usage-boundary metadata is present but still says TODO, TBD, unknown, none, or similar. | Replace placeholders with reviewed scope boundaries, or remove the field until it can be completed. |
186
+ | `warning` | `Shared context asset contains vague wording "<term>".` | A canonical active shared context uses broad English wording such as usually, often, quickly, soon, as needed, or major. | Replace it with concrete applicability conditions, evidence, thresholds, or explicit uncertainty handling. |
187
+ | `warning` | `Shared context asset contains currentness wording "<term>" without an explicit date or version.` | A canonical active shared context uses relative English currentness wording such as recently, latest, currently, or as of now. | Add an explicit date, version, freshness metadata, or stable wording. |
188
+ | `warning` | `Shared context asset contains prompt or runtime-selection wording "<term>".` | A canonical active shared context looks like a prompt artifact or runtime context-selection rule. | Move prompt assembly, assistant role instructions, and runtime context selection outside shared context assets. |
189
+
190
+ ## Context Lens Diagnostics
191
+
192
+ Context Lens governance diagnostics use stable `code` values in JSON output. `error` diagnostics are blocking for readiness; `warning` diagnostics are reported by default for review.
193
+
194
+ | Code | Severity | Meaning | Fix |
195
+ | ------------------------------------------ | -------------------- | ------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- |
196
+ | `CONTEXT-LENS-DEPRECATED-FIELD` | `warning` | A lens uses an old field alias such as `target`, `targets`, `output`, or `outputs`. | Use `applies_to` or `expected_outputs`. |
197
+ | `CONTEXT-LENS-DUPLICATE-ID` | `error` | Two or more lens definitions declare the same `id`. | Give each lens a unique stable ID and update references. |
198
+ | `CONTEXT-LENS-EMPTY-DEFINITION` | `error` | A discovered lens file is empty. | Add required metadata and body guidance, or remove the file. |
199
+ | `CONTEXT-LENS-GOVERNANCE-MEANINGLESS` | `warning` | A lens has no purpose, target, focus, expected output, or body guidance. | Add compact governance metadata or reviewed interpretation guidance. |
200
+ | `CONTEXT-LENS-MISSING-REQUIRED-FIELD` | `error` | A lens is missing `id`, `owner`, `purpose`, or `applies_to`. | Add the required field in frontmatter. |
201
+ | `CONTEXT-LENS-PATH-NORMALIZATION-MISMATCH` | `warning` | A path target normalizes to a different repository-relative path. | Use the normalized path shown by the diagnostic. |
202
+ | `CONTEXT-LENS-TARGET-NOT-FOUND` | `error` | An `applies_to` target does not resolve to a cataloged asset ID or path. | Correct the target, add the missing context asset, or update discovery config. |
203
+ | `CONTEXT-LENS-UNPARSEABLE-FRONTMATTER` | `error` | A lens frontmatter block starts with `---` but does not close. | Add the closing `---` delimiter or remove malformed frontmatter. |
204
+ | `CONTEXT-LENS-UNSUPPORTED-KIND` | `warning` or `error` | `type: context_lens` appears under an unsupported artifact kind, or a lens file declares an unsupported type. | Store lens definitions under `lenses/**`, `context/**`, or `contexts/**`, and use `type: context_lens`. |
205
+ | `CONTEXT-LENS-UNSUPPORTED-SCOPE` | `error` | A lens declares a value outside the supported `context` scope. | Use `scope: context` or omit the field. |
206
+ | `CONTEXT-LENS-UNSUPPORTED-VERSION` | `error` | A lens declares a value outside supported schema version `1`. | Use `version: 1` or omit the field. |
207
+
208
+ ## Readiness Diagnostics
209
+
210
+ `renma readiness` converts lower-level data into workflow checks. These messages are produced by readiness checks and may wrap discovery, catalog, graph, ownership, status, or scan-finding data.
211
+
212
+ | Severity | Message | Meaning | Fix |
213
+ | -------------------- | ---------------------------------------------------------------- | ------------------------------------------------------ | ---------------------------------------------------- |
214
+ | `error` | discovery or catalog diagnostic message | A lower-level error diagnostic was present. | Fix the original diagnostic first. |
215
+ | `warning` | discovery or catalog diagnostic message | A lower-level warning diagnostic was present. | Review and fix if it affects automation reliability. |
216
+ | `warning` | `Missing owner metadata.` | A catalog asset has no declared owner metadata. | If ownership matters, choose an owner through human review or team policy. |
217
+ | `error` | `<kind> reference "<target>" does not resolve.` | A graph edge points to a missing target. | Correct the reference or add the target asset. |
218
+ | `error` | `Required context reference "<target>" does not resolve.` | A required context reference is missing. | Add the context asset or correct `requires_context`. |
219
+ | `error` | `Required context "<target>" resolves to <status> asset <path>.` | Required context exists but is deprecated or archived. | Move the dependency to a stable context asset. |
220
+ | `warning` | `Optional context reference "<target>" does not resolve.` | An optional context reference is missing. | Correct it or remove it if it is no longer useful. |
221
+ | `warning` | `Optional context "<target>" resolves to <status> asset <path>.` | Optional context exists but is deprecated or archived. | Retarget or remove the optional dependency. |
222
+ | `warning` | `Asset status is <status>.` | A catalog asset is deprecated or archived. | Migrate dependents or update the asset status. |
223
+ | `error` or `warning` | scan finding remediation text | A scan finding is severe enough to affect readiness. | Fix the finding listed in the readiness detail. |
224
+
225
+ ## Scan Finding Identifiers
226
+
227
+ `renma scan` emits finding IDs from the rule engine. A scan finding identifier is a machine-readable label for the kind of issue found during a scan.
228
+
229
+ It is different from:
230
+
231
+ - an asset ID, which identifies a context asset or other catalog entry
232
+ - a file path, which identifies where the issue was found
233
+ - a diagnostic message, which is written for humans and may contain contextual details
234
+
235
+ Finding identifiers are useful when you want to group, filter, document, or automate responses to scan results. CI systems, editor integrations, docs, and LLM-assisted repair workflows can use the identifier to understand the category of problem without relying on the exact wording of the human-readable message.
236
+
237
+ The identifiers below are part of the current scan output. The current implementation does not declare them as a permanent public API, so integrations should avoid assuming stronger stability than the project documents. If renma adopts long-term stability guarantees later, identifier changes should come with documented migrations.
238
+
239
+ Security diagnostics focus on high-signal heuristics for agent-facing or context-bearing artifacts Renma already discovers, such as skills, contexts, `AGENTS.md`, references, profiles, examples, and tool guidance. Defensive wording and nearby human approval, dry-run, backup, or rollback guidance may reduce or avoid command-risk findings when they are local to the risky instruction. When the effective human-approval policy is true, dry-run, backup, rollback, or restore guidance does not replace explicit human approval. Renma does not scan `package.json`, GitHub Actions workflows, Dockerfiles, or repository-wide supply-chain metadata by default.
240
+
241
+ ### Security Policy Metadata
242
+
243
+ Security policy diagnostics use two explicit syntax boundaries. Skills must be
244
+ specification-valid Agent Skills and declare policy through string-valued
245
+ `metadata.renma.*` keys. Contexts and other non-Skill assets retain the
246
+ top-level snake_case syntax.
247
+
248
+ Canonical Skill keys are `renma.allowed-data`, `renma.network-allowed`,
249
+ `renma.external-upload-allowed`, `renma.secrets-allowed`,
250
+ `renma.requires-human-approval`, `renma.forbidden-inputs`,
251
+ `renma.approved-network-destinations`,
252
+ `renma.approved-upload-destinations`, and `renma.security-profile`. Skill
253
+ booleans must be the exact strings `"true"` or `"false"`; Skill lists must be
254
+ JSON-array strings containing strings only. Invalid recognized values emit
255
+ `SEC-INVALID-CANONICAL-POLICY-METADATA` and fail closed. Renma preserves
256
+ already-reviewed restrictive inherited policy while preventing permissive
257
+ inheritance: allowed-data permissions remain unresolved, inherited forbidden
258
+ inputs remain active, and invalid destination allowlists continue reporting
259
+ concrete destinations as unapproved.
260
+
261
+ Non-Skill assets continue to use `allowed_data`, `network_allowed`,
262
+ `external_upload_allowed`, `secrets_allowed`, `requires_human_approval`,
263
+ `forbidden_inputs`, `approved_network_destinations`,
264
+ `approved_upload_destinations`, and `security_profile`. Their existing scalar,
265
+ inline-list, and block-list behavior is unchanged. Pre-0.16 top-level Skill
266
+ security fields are migration input only.
267
+
268
+ Security profiles in `renma.config.json` retain the existing JSON schema.
269
+ Artifact-local explicit denials remain stricter than inherited profile or
270
+ repository allowances, and network approvals remain separate from upload
271
+ approvals. See the [Security Policy Guide](security-policy.md) for complete
272
+ examples by asset kind.
273
+
274
+ | Identifier | Meaning | Typical cause | How to fix |
275
+ | ------------------------------------------------ | ---------------------------------------------------- | -------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------ |
276
+ | `DOCS-LAYOUT-INCONSISTENT` | Documentation contradicts the supported repository model. | Docs use deprecated roots, old prompt-library framing, or another independently stale statement. | Describe canonical Skill roots and valid local support separately from governed `contexts/**` assets and shared `tools/**` helpers. |
277
+ | `LAYOUT-CONTEXT-LEGACY-ROOT` | Context lives under the legacy `context/**` root. | Shared context is stored under the compatibility root instead of `contexts/**`. | Move the shared Context Asset to `contexts/**` and update its references. |
278
+ | `LAYOUT-CONTEXT-REFERENCE-NON_CANONICAL` | Declared dependency uses a non-canonical reference root. | A declared dependency points outside accepted `contexts/**`, `skills/**`, `.agents/skills/**`, or `tools/**` reference paths. | Rewrite the dependency to an accepted repository-relative asset path or ID. |
279
+ | `LAYOUT-DISALLOWED-SKILL-ASSET` | Compatibility identifier for specific local-policy violations. | Valid Agent Skills support paths do not emit this finding solely because of location. Reusable knowledge is handled by evidence-based maintenance advisories. | Review the specific evidence; keep genuinely local support in place or promote reusable knowledge through human review. |
280
+ | `LAYOUT-HELPER-NON_TOOLS` | Helper file is outside supported helper locations. | A helper script is neither under `tools/**` nor a valid Skill-local `scripts/` directory. | Move shared helper code under `tools/**`, or keep a genuinely Skill-specific helper in local `scripts/`. |
281
+ | `LAYOUT-SKILL-EXECUTABLE-COMMAND` | `SKILL.md` includes executable command detail. | A skill entrypoint contains shell commands instead of delegating to helpers. | Move commands to approved helpers and keep `SKILL.md` as routing guidance. |
282
+ | `LAYOUT-SKILL-NOT-THIN` | Skill entrypoint is too large or procedural. | `SKILL.md` contains long procedures, setup, or troubleshooting content. | Split detailed material into references, profiles, examples, or tools. |
283
+ | `MAINT-ASSET-REFERENCES-SUPERSEDED-ASSET` | Asset references superseded context. | Metadata or content points at an asset marked superseded. | Retarget the reference to the stable replacement. |
284
+ | `MAINT-ASSET-EXPIRED` | Asset freshness metadata is expired. | `expires_at` is before today's date. | Review the asset with its owner, then update freshness metadata, status, or references. |
285
+ | `MAINT-CONTEXT-LENS-APPLIES-TO-INACTIVE-CONTEXT` | Context lens applies to inactive context. | An active context lens applies to a deprecated or archived context asset. | Point `applies_to` at an active replacement, or update the lens lifecycle after review. |
286
+ | `MAINT-CONTEXT-PATH-NON-SEMANTIC` | Context path is not semantically grouped. | Context is stored under vague folders such as misc or general. | Move it under a meaningful path such as `contexts/tools/`, `contexts/domain/`, or `contexts/testing/`. |
287
+ | `MAINT-ASSET-REVIEW-OVERDUE` | Asset freshness review is overdue. | `last_reviewed_at + review_cycle` is before today's date. | Revalidate the asset with a human owner, then update `last_reviewed_at` or review cadence. |
288
+ | `MAINT-ORPHANED-CONTEXT-ASSET` | Shared context has no incoming references. | A first-class context asset is not used by skills or other assets. | Link it from consumers, archive it, or remove it after review. |
289
+ | `MAINT-ORPHANED-CONTEXT-LENS` | Context lens has no skill references. | An active context lens is not referenced by any skill through `requires_lens` or `optional_lens`. | Link it from a skill, archive it, or leave it staged with reviewed lifecycle metadata. |
290
+ | `MAINT-REFERENCE-DEPRECATED-ASSET` | Reference targets deprecated context. | Metadata dependency resolves to a deprecated asset. | Point dependents at a stable asset or finish the migration. |
291
+ | `MAINT-REPEATED-CODE-BLOCK` | Duplicate code block appears across assets. | Copy-pasted examples or procedures repeat in multiple files. | Extract shared guidance or consolidate the repeated block. |
292
+ | `MAINT-REPEATED-CONTEXT-PATTERN` | Repeated context-like wording appears. | Multiple assets duplicate the same reusable context pattern. | Promote the shared pattern into a context asset and reference it. |
293
+ | `MAINT-REPEATED-HEADING` | Same heading repeats across assets. | Similar sections are copied through several files. | Consolidate or reference a shared source of truth. |
294
+ | `MAINT-REPEATED-LINK` | Same link repeats across assets. | Repeated references suggest duplicated guidance. | Centralize the reference or keep only necessary local links. |
295
+ | `MAINT-REPEATED-SECTION` | Similar section text repeats. | A section has been copied into multiple assets. | Extract common material or reduce duplication. |
296
+ | `MAINT-SKILL-CONTEXT-REFERENCE-NOT-DECLARED` | Skill mentions context without metadata. | Body text references `contexts/...` but `requires_context` omits it. | Add the context to `requires_context` or remove the stale mention. |
297
+ | `MAINT-SKILL-REFERENCES-SUPERSEDED-ASSET` | Skill refers to superseded context. | Skill content names a superseded context asset. | Update the skill to the stable replacement context asset. |
298
+ | `MAINT-SKILL-REUSABLE-CONTEXT-CANDIDATE` | Skill contains reusable context. | `SKILL.md` includes broadly reusable setup, troubleshooting, or risk guidance. | Move reusable content to shared context and reference it. |
299
+ | `MAINT-SUPPORT-ASSET-SHARED-CONTEXT-CANDIDATE` | Support asset looks reusable. | A reference, profile, or example contains content useful beyond one skill. | Promote it to shared context when reuse is intended. |
300
+ | `META-CATALOG-DIAGNOSTIC` | Catalog diagnostic was promoted to a scan finding. | Catalog validation emitted a lower-level diagnostic. | Fix the original catalog diagnostic shown in the finding evidence. |
301
+ | `META-CONTEXT-MISSING-WHEN-TO-USE` | Shared context usage boundary is missing. | An active, owned shared context asset lacks `when_to_use`. | Add compact positive scope guidance. |
302
+ | `META-CONTEXT-MISSING-WHEN-NOT-TO-USE` | Shared context negative boundary is missing. | An active, owned shared context asset lacks `when_not_to_use`. | Add compact exclusions so agents do not over-apply the context. |
303
+ | `META-CONTEXT-PLACEHOLDER-USAGE-BOUNDARY` | Shared context usage boundary contains placeholders. | `when_to_use` or `when_not_to_use` contains TODO, TBD, unknown, none, or similar placeholder text. | Replace placeholders with reviewed boundaries. |
304
+ | `META-DUPLICATE-ASSET-ID` | Asset ID is not unique. | Two catalog entries declare the same ID. | Give each asset a unique ID and update references. |
305
+ | `META-FRONTMATTER-TOO-LARGE` | Frontmatter metadata is too large. | Frontmatter has too many lines or characters to stay a compact index. | Move long prose, examples, procedures, or rationale into the body or referenced context assets. |
306
+ | `META-UNKNOWN-REFERENCE` | Metadata reference does not resolve. | A dependency points to a missing asset ID or path. | Fix the reference, add the missing asset, or remove the dependency. |
307
+ | `PATH-HELPER-COMMAND-NON_TOOLS` | Helper command points outside supported helper locations. | A command references a script that is neither in the owning Skill's `scripts/**` nor under `tools/**`. | Keep a Skill-specific helper local or move a helper shared across workflows to `tools/**`, then update the command. |
308
+ | `PATH-HELPER-COMMAND-SKILL-SCRIPTS` | Compatibility identifier for the former path-only policy. | Valid commands may point to resolvable Skill-local `scripts/`; location alone no longer emits this finding. | Keep Skill-specific helpers local, or move shared helpers to `tools/**` after review. |
309
+ | `PATH-HELPER-COMMAND-UNRESOLVED` | Helper command path is missing or unsafe. | A referenced `tools/**` helper or Skill-local script is missing, or a relative path escapes its owning Skill. | Add the helper, correct the command path, or keep a relative local path inside the owning Skill. |
310
+ | `PROF-MISSING-BASE` | Profile lacks base guidance. | A profile does not clearly relate to base skill behavior. | Add base-profile context or inheritance guidance. |
311
+ | `QUAL-LOW-HEADING-DENSITY` | Asset has too little structure. | Long content has few headings. | Add meaningful headings or split the asset. |
312
+ | `QUAL-MISSING-COMPLETION-CRITERIA` | Completion criteria are missing. | The asset does not say when work is done. | Add explicit completion or acceptance criteria. |
313
+ | `QUAL-MISSING-DESCRIPTION` | Description is missing. | Metadata or introductory purpose is absent. | Add a concise description. |
314
+ | `QUAL-MISSING-EXAMPLES` | Examples are missing. | Instructional content has no concrete example. | Add representative positive examples. |
315
+ | `QUAL-MISSING-NEGATIVE-ROUTING` | Negative routing is missing. | Skill guidance omits when not to use it. | Add exclusions or handoff guidance. |
316
+ | `QUAL-MISSING-PREFLIGHT` | Preflight guidance is missing. | The asset omits checks to run before acting. | Add required inputs, checks, or setup steps. |
317
+ | `QUAL-MISSING-REQUIRED-INPUTS` | Required inputs are unclear. | The asset does not state what information is needed. | Add an explicit required-inputs section. |
318
+ | `QUAL-MISSING-ROUTING-CLARITY` | Routing guidance is unclear. | A skill does not clearly say when to use it. | Clarify triggers, audience, and handoffs. |
319
+ | `QUAL-MISSING-VERIFICATION` | Verification guidance is missing. | The asset lacks checks for validating the result. | Add verification steps or expected evidence. |
320
+ | `QUAL-SHORT-DESCRIPTION` | Description is too short. | Metadata description is present but not informative. | Expand it enough to explain purpose and scope. |
321
+ | `QUAL-SKILL-TOKEN-BUDGET` | Skill content is too large. | A skill exceeds the configured token budget. | Split support content out of the skill entrypoint. |
322
+ | `QUAL-SUPPORT-ASSET-TOKEN-BUDGET` | Support asset is too large. | A reference, profile, or example exceeds its token budget. | Split the asset or shorten nonessential material. |
323
+ | `QUAL-USER-LOCAL-PATHS` | User-local path appears in content. | Guidance includes machine-specific paths such as home directories. | Replace local paths with repository-relative or configurable paths. |
324
+ | `SEC-DESTRUCTIVE-COMMAND` | Destructive command appears. | Content includes risky commands such as forced deletion or reset. | Remove it, gate it with explicit safety guidance, or use a safer command. |
325
+ | `SEC-ENV-COPY` | Environment copying is suggested. | Content copies broad environment or secret-bearing files. | Narrow the copied data and document secret handling. |
326
+ | `SEC-LITERAL-SECRET` | Literal secret-like value appears. | Content includes token, password, key, or credential patterns. | Remove the secret and replace it with a placeholder. |
327
+ | `SEC-PRIVATE-KEY` | Private key material appears. | Content includes a private key block. | Remove the key and rotate it if it was real. |
328
+ | `SEC-REMOTE-DEFAULT` | Remote command default is unsafe. | Guidance defaults to network commands, prod hosts, or insecure flags. | Use safe examples and require explicit approval for risky remotes. |
329
+ | `SUPPORT-MISSING-REACHABILITY-GUIDANCE` | Support docs are not discoverable. | A skill has local profiles, references, or examples without routing guidance. | Add guidance that explains when to load each support asset. |
330
+ | `SUPPORT-UNREACHABLE-EXAMPLE` | Example is unreachable. | A skill-local example is not referenced by the skill. | Link it from the skill or move/remove it. |
331
+ | `SUPPORT-UNREACHABLE-PROFILE` | Profile is unreachable. | A skill-local profile is not referenced by the skill. | Link it from the skill or move/remove it. |
332
+ | `SUPPORT-UNREACHABLE-REFERENCE` | Reference is unreachable. | A skill-local reference is not referenced by the skill. | Link it from the skill or move/remove it. |
333
+ | `META-CATALOG-DIAGNOSTIC` | Catalog diagnostic was promoted to a scan finding. | Catalog validation emitted a lower-level diagnostic. | Fix the original catalog diagnostic shown in the finding evidence. |
334
+ | `META-INACTIVE-DEPENDENCY` | Metadata points to an inactive asset. | A dependency targets a deprecated or archived asset. | Retarget the dependency to a stable asset or update asset status intentionally. |
335
+ | `META-INVALID-EXPIRES-AT` | Freshness expiration date is invalid. | `expires_at` is present but is not a real `YYYY-MM-DD` date. | Replace it with a valid ISO date or remove the field until reviewed. |
336
+ | `META-INVALID-LAST-REVIEWED-AT` | Freshness review date is invalid. | `last_reviewed_at` is present but is not a real `YYYY-MM-DD` date. | Replace it with a valid ISO date or remove the field until reviewed. |
337
+ | `META-INVALID-REVIEW-CYCLE` | Freshness review cycle is unsupported. | `review_cycle` is present but is not a supported day duration. | Use a duration such as `P90D` or `P180D`. |
338
+ | `META-INVALID-STATUS` | Metadata status is invalid. | An asset declares an unsupported status value. | Replace it with a supported lifecycle status. |
339
+ | `META-LIST-ITEM-TOO-LONG` | Metadata list item is too long. | A block-list metadata item contains routing prose or detailed conditions. | Keep the item short and move detailed guidance into body sections or referenced context assets. |
340
+ | `META-MISSING-ID` | Metadata is missing an asset ID. | A cataloged asset has no stable `id`. | Add an `id` metadata field. |
341
+ | `META-UNKNOWN-DEPENDENCY` | Metadata dependency is unresolved. | A dependency points at an asset renma did not discover. | Correct the dependency, add the missing asset, or update discovery config. |
342
+ | `SEC-BODY-POLICY-CONTRADICTION` | Body text contradicts a security policy. | Asset instructions override or weaken policy expectations. | Align the asset content with the active policy profile. |
343
+ | `SEC-BULK-DATA-SHARING-INSTRUCTION` | Instructions allow broad data sharing. | Content tells an agent to share large or sensitive data without bounds. | Narrow the sharing scope and add approval or redaction guidance. |
344
+ | `SEC-CLOUD-UPLOAD-INSTRUCTION` | Instructions allow cloud upload. | Content sends files or data to cloud storage without policy controls. | Add approved destinations, limits, and approval requirements. |
345
+ | `SEC-CREDENTIAL-IN-COMMAND-ARG` | Command embeds a credential-like value. | Example commands include secrets in arguments. | Move credentials to secure environment or secret-management guidance. |
346
+ | `SEC-DANGEROUS-TOOL-INSTRUCTION` | Instructions permit dangerous tool use. | Content allows destructive or high-risk commands without guardrails. | Require review, dry runs, or explicit user approval before execution. |
347
+ | `SEC-EXTERNAL-UPLOAD-INSTRUCTION` | Instructions allow external upload. | Content sends artifacts to external services without controls. | Restrict uploads to approved destinations and document review steps. |
348
+ | `SEC-FORBIDDEN-INPUT-INSTRUCTION` | Instructions request forbidden input. | Content asks for secrets or other disallowed sensitive values. | Remove the request or replace it with safe placeholder guidance. |
349
+ | `SEC-INSTRUCTION-VIOLATES-POLICY` | Instruction conflicts with active policy. | Asset content violates a configured security profile. | Update the instruction or policy metadata so they agree. |
350
+ | `SEC-INVALID-CANONICAL-POLICY-METADATA` | Canonical Skill security metadata is invalid. | A recognized `metadata.renma.*` field has an invalid boolean, list, or profile encoding. | Confirm the intended policy and replace it with the exact documented string encoding; do not guess. |
351
+ | `SEC-MISSING-HUMAN-APPROVAL-GUARD` | High-risk operation lacks approval guidance. | Content describes sensitive actions without human confirmation. | Add explicit approval requirements before the action. |
352
+ | `SEC-MISSING-POLICY-METADATA` | Security policy metadata is missing. | Asset content needs a policy profile but does not declare one. | Add the appropriate security policy metadata. |
353
+ | `SEC-NO-REDACTION-INSTRUCTION` | Sensitive data flow lacks redaction guidance. | Content shares logs, files, or context without redaction steps. | Add instructions to redact or minimize sensitive data before sharing. |
354
+ | `SEC-OVERBROAD-CONTEXT-INSTRUCTION` | Instructions request excessive context. | Content tells an agent to include broad repository or user data. | Scope context collection to the minimum required files and fields. |
355
+ | `SEC-POLICY-CONTRADICTION` | Security policy settings contradict each other. | Profile rules define incompatible requirements. | Resolve the conflicting policy fields. |
356
+ | `SEC-POLICY-OVERRIDE-CONTRADICTION` | Policy override contradicts inherited policy. | An override weakens or conflicts with the base profile. | Adjust the override or split the profile intentionally. |
357
+ | `SEC-POLICY-PROFILE-CYCLE` | Policy profiles form a cycle. | Profile inheritance refers back to itself. | Break the cycle in policy profile inheritance. |
358
+ | `SEC-POLICY-PROFILE-NOT-FOUND` | Referenced policy profile is missing. | Metadata names a profile renma cannot resolve. | Add the profile or correct the reference. |
359
+ | `SEC-PREDICTABLE-TEMP-PATH` | Command uses a predictable temp path. | Examples write to fixed `/tmp` paths or similar locations. | Use a unique temporary directory or safe temp-file helper. |
360
+ | `SEC-PRIVILEGED-COMMAND-WITHOUT-GUARD` | Privileged command lacks guardrails. | Content runs `sudo` or equivalent privileged actions without checks. | Add prerequisites, confirmation, and rollback guidance. |
361
+ | `SEC-SECRET-MATERIAL-INSTRUCTION` | Instructions expose or request secret material. | Content includes or asks for private keys, tokens, or credentials. | Remove secret material and describe secure handling instead. |
362
+ | `SEC-SENSITIVE-FILE-REFERENCE` | Instructions reference sensitive files. | Content points at credentials, keys, or local secret paths. | Replace with safe examples or redacted placeholders. |
363
+ | `SEC-UNAPPROVED-NETWORK-DESTINATION` | Network destination is not approved. | Instructions contact a host outside the allowed list. | Enumerate the actual required domains in approved network destinations after review. |
364
+ | `SEC-UNAPPROVED-UPLOAD-DESTINATION` | Upload destination is not approved. | Instructions upload data to an unapproved service or host. | Use an approved destination or update policy intentionally. |
365
+ | `SEC-UNPINNED-DEPENDENCY-INSTALL` | Dependency install is not pinned. | Examples install packages without exact versions or digests. | Pin package versions or use a reproducible install source. |
366
+ | `SEC-UNPINNED-REMOTE-SCRIPT` | Remote script execution is unpinned. | Commands pipe or execute remote scripts without an immutable reference. | Pin the script source and verify it before execution. |
367
+
368
+ ## How To Fix Results
369
+
370
+ 1. Fix `error` diagnostics first. They usually mean renma could not build a deterministic view of the repository.
371
+ 2. Fix unresolved references before quality findings. Reference failures can hide or distort later reports.
372
+ 3. For scan findings, use the finding ID, evidence path, line number, snippet, and remediation text in the JSON output.
373
+ 4. Re-run the same command with `--format json` when a markdown or text report does not contain enough detail.
@@ -0,0 +1,14 @@
1
+ # Metadata Budget Guidance
2
+
3
+ Renma intentionally keeps asset frontmatter small. Frontmatter should work as a deterministic index for cataloging, graph checks, readiness checks, and security diagnostics. It should not become a second copy of the asset body.
4
+
5
+ Use frontmatter for concise fields such as `id`, `owner`, `status`, `tags`, `when_to_use`, `when_not_to_use`, and declared context relationships. Put detailed guidance, examples, procedures, policy rationale, and long routing prose in the markdown body or in referenced context assets.
6
+
7
+ Current metadata budget diagnostics:
8
+
9
+ | Finding | Meaning | Typical fix |
10
+ | --- | --- | --- |
11
+ | `META-FRONTMATTER-TOO-LARGE` | Frontmatter has grown beyond the compact index budget. | Move long prose, examples, procedures, or rationale into the body or referenced context assets. |
12
+ | `META-LIST-ITEM-TOO-LONG` | A block-list metadata item is too long to serve as concise routing/index metadata. | Keep the list item short and move detailed conditions into body sections. |
13
+
14
+ These diagnostics are intentionally advisory. They should help reduce LLM-facing catalog noise and token usage without deleting substantive knowledge.
@@ -0,0 +1,113 @@
1
+ # Repository Context BOM
2
+
3
+ `renma bom` emits the Repository Context BOM: a declared repository manifest for review and CI consumers. It is generated from Renma's local repository evidence and keeps `schemaVersion` at `renma.repository-context-bom.v1`.
4
+
5
+ The BOM is not a runtime usage report. It does not describe what an LLM actually consumed, assemble prompts, choose task-specific context, inject context into agents, execute agents, call an LLM, import consumed-context evidence, or collect telemetry.
6
+
7
+ ```mermaid
8
+ flowchart TD
9
+ Sources["Repository files and configuration"]
10
+ Snapshot["One collected in-memory repository snapshot"]
11
+ Catalog["Catalog and dependency graph"]
12
+ Diagnostics["Diagnostics and Readiness"]
13
+ Governance["Lifecycle and ownership evidence"]
14
+ Security["Security posture and policy inventory"]
15
+ Bom["Repository Context BOM v1"]
16
+ Json["Authoritative JSON"]
17
+ Markdown["Markdown review projection"]
18
+ Revision["Git, CI, or PR context supplies revision identity"]
19
+ Runtime["Future runtime consumed-context evidence — separate artifact"]
20
+ Sources --> Snapshot
21
+ Snapshot --> Catalog
22
+ Snapshot --> Diagnostics
23
+ Snapshot --> Governance
24
+ Snapshot --> Security
25
+ Catalog --> Bom
26
+ Diagnostics --> Bom
27
+ Governance --> Bom
28
+ Security --> Bom
29
+ Bom --> Json
30
+ Bom --> Markdown
31
+ Revision -.-> Bom
32
+ ```
33
+
34
+ The diagram separates collection from projection: every BOM section is derived
35
+ from one collected snapshot, JSON is authoritative, and Markdown is a review
36
+ view. `--omit-generated-at` removes generation-time noise only. Revision
37
+ identity stays in the surrounding Git, CI, or pull-request context, and any
38
+ runtime consumed-context evidence remains a separate future artifact.
39
+
40
+ ## Snapshot Contract
41
+
42
+ One BOM execution is derived from one in-memory repository snapshot:
43
+
44
+ 1. Resolve configuration once.
45
+ 2. Discover and read repository artifacts once.
46
+ 3. Parse documents once.
47
+ 4. Build the catalog once.
48
+ 5. Derive graph, findings, diagnostics, Context Lens evidence, readiness, security posture, and security policy inventory from that same snapshot.
49
+ 6. Format JSON or Markdown only after the complete report has been built.
50
+
51
+ Renma does not freeze the working tree while another process is modifying it. If files change during collection, the BOM reflects the artifacts Renma read for that execution; after collection, all report sections are derived from the collected snapshot.
52
+
53
+ ## Output Authority
54
+
55
+ JSON is the authoritative BOM output. Markdown is a compact review projection for pull requests and humans; it is not the canonical serialization.
56
+
57
+ Array ordering is deterministic and part of Renma's output contract. Asset `sourcePath` values remain repository-relative. `root` and `configPath` remain absolute paths from the current environment.
58
+
59
+ ## Reproducibility
60
+
61
+ `--omit-generated-at` means only:
62
+
63
+ - omit the run-time `generatedAt` field;
64
+ - remove clock-based differences caused by that field.
65
+
66
+ It does not mean:
67
+
68
+ - ignore `lastReviewedAt`, `reviewCycle`, or `expiresAt`;
69
+ - suppress freshness diagnostics;
70
+ - normalize `root` or `configPath`;
71
+ - make output portable across different checkout directories;
72
+ - hide file moves;
73
+ - guarantee identical output across different evaluation dates;
74
+ - freeze a repository while another process is modifying it.
75
+
76
+ Supported guarantee:
77
+
78
+ > With the same checkout path, config path, repository contents, Renma version, and UTC evaluation date, repeated `--omit-generated-at` runs should produce byte-identical JSON.
79
+
80
+ Freshness evaluation uses the UTC calendar date. Metadata dates remain part of the snapshot and must not be removed as timestamp noise. A real file move is a meaningful BOM change because `sourcePath` is repository evidence. Portable byte-for-byte output across different runners is not a v1 guarantee.
81
+
82
+ ## Schema Evolution
83
+
84
+ `schemaVersion` represents the consumer-facing BOM schema. `generator.version` represents the Renma implementation version and is not the schema version.
85
+
86
+ Within BOM v1, changes should be backward-compatible and additive:
87
+
88
+ - existing fields must not be removed, renamed, or given incompatible types or meanings;
89
+ - new optional fields may be added when a real consumer requires them;
90
+ - enum additions are consumer-visible changes and must be documented;
91
+ - a future breaking contract requires a new schema version rather than silently changing v1 semantics.
92
+
93
+ `--omit-generated-at` does not make the report a generic canonical JSON format or a portable artifact.
94
+
95
+ ## Source Provenance
96
+
97
+ BOM v1 provenance is deliberately repository-local:
98
+
99
+ - repository-relative source paths;
100
+ - per-asset content hashes;
101
+ - generator name and version;
102
+ - current absolute `root` and `configPath` information when available;
103
+ - lifecycle, dependency, diagnostic, readiness, security posture, and security policy inventory evidence.
104
+
105
+ Renma does not automatically invoke Git or add Git commit, branch, tag, or dirty-state fields in BOM v1. Git revision identity is expected to come from the surrounding Git, CI, artifact, or pull-request context. Native Git provenance fields and a BOM digest may be considered later if external artifact storage or cross-run consumers require them.
106
+
107
+ ## Consumed-Context Evidence
108
+
109
+ BOM v1 describes declared repository state. Future consumed-context evidence must not redefine or mutate that meaning.
110
+
111
+ Runtime evidence should be a separate artifact or explicitly separate attachment. A future evidence record should relate back to a BOM using stable values such as a BOM digest or snapshot identity, asset ID, asset content hash, producer identity and version, and observation timestamp.
112
+
113
+ External agents, editor integrations, wrappers, or CI tools may produce those signals. Renma may later validate imported signals against the repository model, but Renma must not become the telemetry collector, runtime wrapper, dashboard, or provider gateway.