renma 0.15.2 → 0.17.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (126) hide show
  1. package/CHANGELOG.md +54 -1
  2. package/README.md +216 -655
  3. package/architecture.md +523 -0
  4. package/design.md +458 -0
  5. package/dist/agent-skills.d.ts +77 -0
  6. package/dist/agent-skills.d.ts.map +1 -0
  7. package/dist/agent-skills.js +468 -0
  8. package/dist/agent-skills.js.map +1 -0
  9. package/dist/catalog.d.ts.map +1 -1
  10. package/dist/catalog.js +38 -5
  11. package/dist/catalog.js.map +1 -1
  12. package/dist/cli-help.d.ts +13 -11
  13. package/dist/cli-help.d.ts.map +1 -1
  14. package/dist/cli-help.js +36 -11
  15. package/dist/cli-help.js.map +1 -1
  16. package/dist/cli.d.ts.map +1 -1
  17. package/dist/cli.js +139 -40
  18. package/dist/cli.js.map +1 -1
  19. package/dist/commands/catalog.d.ts.map +1 -1
  20. package/dist/commands/catalog.js +4 -3
  21. package/dist/commands/catalog.js.map +1 -1
  22. package/dist/commands/graph.d.ts.map +1 -1
  23. package/dist/commands/graph.js +7 -12
  24. package/dist/commands/graph.js.map +1 -1
  25. package/dist/commands/readiness.d.ts.map +1 -1
  26. package/dist/commands/readiness.js +7 -6
  27. package/dist/commands/readiness.js.map +1 -1
  28. package/dist/commands/scaffold.d.ts.map +1 -1
  29. package/dist/commands/scaffold.js +59 -16
  30. package/dist/commands/scaffold.js.map +1 -1
  31. package/dist/commands/suggest-metadata.d.ts +3 -1
  32. package/dist/commands/suggest-metadata.d.ts.map +1 -1
  33. package/dist/commands/suggest-metadata.js +226 -7
  34. package/dist/commands/suggest-metadata.js.map +1 -1
  35. package/dist/commands/suggest-semantic-split.js +3 -3
  36. package/dist/commands/suggest-semantic-split.js.map +1 -1
  37. package/dist/dependency-resolution.d.ts +6 -0
  38. package/dist/dependency-resolution.d.ts.map +1 -0
  39. package/dist/dependency-resolution.js +11 -0
  40. package/dist/dependency-resolution.js.map +1 -0
  41. package/dist/diagnostic-ids.d.ts +29 -0
  42. package/dist/diagnostic-ids.d.ts.map +1 -1
  43. package/dist/diagnostic-ids.js +28 -0
  44. package/dist/diagnostic-ids.js.map +1 -1
  45. package/dist/discovery.d.ts +50 -0
  46. package/dist/discovery.d.ts.map +1 -1
  47. package/dist/discovery.js +183 -25
  48. package/dist/discovery.js.map +1 -1
  49. package/dist/metadata.d.ts +3 -1
  50. package/dist/metadata.d.ts.map +1 -1
  51. package/dist/metadata.js +166 -29
  52. package/dist/metadata.js.map +1 -1
  53. package/dist/model.d.ts +1 -0
  54. package/dist/model.d.ts.map +1 -1
  55. package/dist/report.d.ts.map +1 -1
  56. package/dist/report.js +16 -1
  57. package/dist/report.js.map +1 -1
  58. package/dist/repository-paths.d.ts +13 -0
  59. package/dist/repository-paths.d.ts.map +1 -1
  60. package/dist/repository-paths.js +60 -2
  61. package/dist/repository-paths.js.map +1 -1
  62. package/dist/rules.d.ts.map +1 -1
  63. package/dist/rules.js +97 -107
  64. package/dist/rules.js.map +1 -1
  65. package/dist/scanner.d.ts.map +1 -1
  66. package/dist/scanner.js +3 -1
  67. package/dist/scanner.js.map +1 -1
  68. package/dist/security-diagnostics.d.ts.map +1 -1
  69. package/dist/security-diagnostics.js +98 -35
  70. package/dist/security-diagnostics.js.map +1 -1
  71. package/dist/security-policy-inventory.js +11 -4
  72. package/dist/security-policy-inventory.js.map +1 -1
  73. package/dist/security-policy.d.ts +27 -1
  74. package/dist/security-policy.d.ts.map +1 -1
  75. package/dist/security-policy.js +247 -34
  76. package/dist/security-policy.js.map +1 -1
  77. package/dist/skill-migration.d.ts +30 -0
  78. package/dist/skill-migration.d.ts.map +1 -0
  79. package/dist/skill-migration.js +566 -0
  80. package/dist/skill-migration.js.map +1 -0
  81. package/dist/trust-graph.d.ts.map +1 -1
  82. package/dist/trust-graph.js +7 -11
  83. package/dist/trust-graph.js.map +1 -1
  84. package/dist/types.d.ts +3 -1
  85. package/dist/types.d.ts.map +1 -1
  86. package/dist/yaml-frontmatter.d.ts +26 -0
  87. package/dist/yaml-frontmatter.d.ts.map +1 -0
  88. package/dist/yaml-frontmatter.js +114 -0
  89. package/dist/yaml-frontmatter.js.map +1 -0
  90. package/docs/README.md +55 -0
  91. package/docs/advanced-skill-authoring.md +140 -0
  92. package/docs/agent-skills-compatibility.md +500 -0
  93. package/docs/authoring-guide.md +324 -0
  94. package/docs/context-conflict-diagnostics.md +32 -0
  95. package/docs/context-language-diagnostics.md +99 -0
  96. package/docs/context-lens.md +253 -0
  97. package/docs/context-lifecycle-diagnostics.md +55 -0
  98. package/docs/diagnostics.md +373 -0
  99. package/docs/metadata-budget.md +14 -0
  100. package/docs/repository-context-bom.md +113 -0
  101. package/docs/security-policy.md +338 -0
  102. package/docs/user-manual.md +813 -0
  103. package/examples/context-lens/README.md +101 -0
  104. package/examples/context-lens/contexts/testing/boundary-value-analysis.md +23 -0
  105. package/examples/context-lens/lenses/testing/spec-review-boundary-values.md +29 -0
  106. package/examples/context-lens/lenses/testing/test-design-boundary-values.md +29 -0
  107. package/examples/context-lens/skills/testing/spec-review/SKILL.md +49 -0
  108. package/examples/context-repo/README.md +149 -0
  109. package/examples/context-repo/contexts/domain/payment/idempotency.md +20 -0
  110. package/examples/context-repo/contexts/testing/boundary-value-analysis.md +19 -0
  111. package/examples/context-repo/contexts/testing/negative-testing.md +19 -0
  112. package/examples/context-repo/lenses/testing/spec-review-boundary-values.md +35 -0
  113. package/examples/context-repo/renma.config.json +12 -0
  114. package/examples/context-repo/skills/testing/spec-review/SKILL.md +66 -0
  115. package/examples/context-repo/tools/appium/README.md +14 -0
  116. package/examples/github-actions/renma-ci-report.yml +36 -0
  117. package/examples/interactive-placeholder/README.md +104 -0
  118. package/examples/interactive-placeholder/assets/template.txt +1 -0
  119. package/examples/interactive-placeholder/renma.config.json +6 -0
  120. package/examples/interactive-placeholder/skills/replace-placeholder/SKILL.md +54 -0
  121. package/examples/interactive-placeholder/tools/README.md +48 -0
  122. package/examples/interactive-placeholder/tools/placeholder-demo.mjs +99 -0
  123. package/package.json +11 -1
  124. package/plan-discovery.md +740 -0
  125. package/plan.md +150 -0
  126. package/scripts/verify-package.mjs +97 -0
package/README.md CHANGED
@@ -3,718 +3,279 @@
3
3
  [![NPM version](http://img.shields.io/npm/v/renma.svg)](https://npmjs.org/package/renma)
4
4
  [![Downloads](http://img.shields.io/npm/dm/renma.svg)](https://npmjs.org/package/renma)
5
5
 
6
-
7
- Renma is an opinionated Context Repository toolkit for LLM-era software teams.
8
-
9
- It helps teams manage reusable, human-curated context assets in Git so agents, coding tools, and future AI runtimes can consume team knowledge more safely and consistently.
10
-
11
- Renma is the deterministic governance and health layer around that repository knowledge. Instead of letting critical knowledge get copied into many prompts or buried in one-off Markdown files, Renma treats it as a software asset: named, owned, versioned, linked, checked in CI, and reviewed with deterministic diagnostics and scan findings.
12
-
13
- Renma now supports `scan`, `catalog`, `ownership`, `graph`, focused graph views, `trust-graph`, `readiness`, Repository Context BOM reports, repeated-context diagnostics, semantic diff, `ci-report`, `inspect`, `scaffold`, `suggest-metadata`, `suggest-semantic-split`, and security diagnostics.
14
-
15
- Renma is especially useful when a repository contains agent-facing material such as:
16
-
17
- - Codex, Claude, Cursor, or other agent skills
18
- - `AGENTS.md` and repository instructions
19
- - Shared product, domain, QA, platform, or tool guidance
20
- - Team-owned context assets that should outlive a single prompt
21
- - References and examples that agents should be able to cite or inspect
22
-
23
- Renma is not an agent runtime, not a prompt library, not a vector database, and not a general Markdown linter. Markdown is the storage format today; the product is the catalog, dependency graph, ownership model, and readiness checks around agent-consumable repository knowledge.
24
-
25
- Use Renma when you need to answer repository-level questions such as:
26
-
27
- - What agent-consumable knowledge exists in this repo?
28
- - Which skills, context assets, examples, and tool notes are reusable?
29
- - Which assets are unowned, stale, orphaned, incomplete, deprecated, or broken?
30
- - Which product decisions, bug history, testing strategy, or platform guidance should be promoted from one-off prompt text into shared context?
31
- - What changed in the agent-facing knowledge catalog during this pull request?
32
-
33
- ## What Is a Context Repository?
34
-
35
- A Context Repository is a Git-reviewed source of truth for reusable knowledge that LLMs and agents can consume.
36
-
37
- It is not a prompt library. It is not a vector database. It is not an agent memory.
38
-
39
- It is a place where teams maintain context assets with ownership, lifecycle state, dependencies, references, and review history.
40
-
41
- ## The Layer Model
42
-
43
- ```text
44
- Tools
45
- Codex, Claude, Cursor, CI, editors, internal CLIs
46
-
47
- Skills
48
- agent-facing entrypoints that route an agent toward a task
49
-
50
- Context Lenses
51
- purpose-oriented interpretation layers over context assets
52
-
53
- Context Assets
54
- Shared domain, product, testing, platform, and tool knowledge
55
-
56
- Catalog
57
- Deterministic IDs, ownership, lifecycle state, dependencies, evidence
58
-
59
- Repository
60
- Git-reviewed source of truth for agent-consumable knowledge
61
- ```
62
-
63
- Tools decide what to do at runtime. Skills tell an agent when and how to use a capability. Context lenses describe purpose-oriented interpretation over reusable knowledge. Context assets hold that reusable knowledge. Renma catalogs and validates the layer underneath so tools and agents are not guessing from stale, orphaned, duplicated, or unowned files.
64
-
65
- ## How Renma Relates to RAG and Agent Memory
66
-
67
- Renma does not replace RAG, vector databases, or agent memory.
68
-
69
- RAG helps systems retrieve relevant information. Renma helps teams organize reusable knowledge before it is retrieved. Agent memory grows from an agent's experience. A Context Repository grows from human-curated knowledge.
70
-
71
- These layers can work together:
72
-
73
- ```text
74
- People create knowledge -> Renma organizes it -> RAG retrieves it -> agents consume it -> agent memory records experience
6
+ Renma is a Git-native context repository and deterministic governance CLI for
7
+ LLM-facing knowledge. It keeps Skills, Context Lenses, Context Assets,
8
+ references, ownership, lifecycle, dependencies, security policy, and evidence
9
+ reviewable as maintainable software assets.
10
+
11
+ Agent-facing knowledge tends to spread across copied prompts, one-off Markdown,
12
+ and team-local instructions. Renma gives that material stable repository
13
+ identity, explicit relationships, deterministic validation, and CI-friendly
14
+ reports without becoming an agent runtime.
15
+
16
+ ## Why A Context Repository?
17
+
18
+ A Context Repository is a Git-reviewed source of truth for reusable knowledge
19
+ that LLMs and agents can consume. Without that repository boundary, important
20
+ guidance is copied across prompts and Skills, buried in one-off instructions,
21
+ detached from an owner, difficult to review, and increasingly inconsistent as
22
+ teams and workflows evolve. It also becomes hard to tell maintained guidance
23
+ from obsolete or unofficial material.
24
+
25
+ Reusable context should be treated as a maintainable software asset: identified,
26
+ owned, versioned in Git, connected through explicit relationships, reviewed by
27
+ humans, validated deterministically, and usable across more than one Skill or
28
+ runtime. A Skill is an agent-facing entrypoint and workflow guide; the broader
29
+ Context Repository preserves knowledge that can outlive or serve multiple
30
+ Skills.
31
+
32
+ Renma operationalizes this model through deterministic repository governance.
33
+ It is not a prompt library, agent runtime, live Context selector, vector
34
+ database, agent memory, replacement for RAG, or generic Markdown linter. See the
35
+ [Context Repository notes](https://kazucocoa.blog/context-repository/) for the
36
+ broader product framing.
37
+
38
+ ## Agent Skills And Renma
39
+
40
+ Use your platform's standard Skill authoring guidance for general Skill design,
41
+ then use Renma for repository-specific governance and validation.
42
+
43
+ Platform-native guidance owns the Skill's name, trigger description,
44
+ instructions, workflow, constraints, examples, and completion criteria. Renma
45
+ complements it with canonical metadata, Agent Skills compatibility, dependency
46
+ and graph validation, ownership and lifecycle governance, security policy
47
+ validation, workflow diagnostics, repository-wide scan, and readiness views.
48
+ Renma does not replace general Skill authoring guidance.
49
+
50
+ Renma is **Agent Skills-compatible, but not Agent Skills-defined**. Canonical Agent Skills entrypoints
51
+ are discovered under `skills/**/SKILL.md` and
52
+ `.agents/skills/**/SKILL.md`. Renma also discovers historical `skill.md` and
53
+ `*.skill.md` entrypoints for migration diagnostics, but discovery does not make those spellings Agent Skills-compatible.
54
+ The broader repository model also
55
+ includes independently governed Context Assets, Context Lenses, policies,
56
+ references, and evidence.
57
+
58
+ See [Agent Skills Compatibility and Migration](docs/agent-skills-compatibility.md)
59
+ for the exact format and one-way migration contract.
60
+
61
+ ## Product Boundary
62
+
63
+ Renma discovers, parses, normalizes, and validates repository assets. It does
64
+ not:
65
+
66
+ - select a Skill or Context for a live task;
67
+ - assemble or inject prompts;
68
+ - execute Skills, agents, or tools;
69
+ - call an LLM for core analysis;
70
+ - collect runtime telemetry; or
71
+ - automatically rewrite Skill bodies or weaken policy.
72
+
73
+ ```mermaid
74
+ flowchart TD
75
+ subgraph Repository["Git-reviewed repository"]
76
+ Skills["Skills: entrypoints and workflows"]
77
+ Lenses["Context Lenses: interpretation"]
78
+ Context["Context Assets: durable knowledge"]
79
+ Skills -->|may reference| Lenses
80
+ Skills -->|may reference directly| Context
81
+ Lenses -->|interprets| Context
82
+ end
83
+ Renma["Renma: deterministic governance"]
84
+ Reports["Scan, Catalog, Graph, Trust Graph, Readiness, and BOM"]
85
+ Review["Human review"]
86
+ Runtime["External agents and runtimes"]
87
+ Repository --> Renma --> Reports --> Review
88
+ Runtime -->|consumes according to its own behavior| Repository
75
89
  ```
76
90
 
77
- ## Why Renma?
78
-
79
- As AI-agent repositories grow, expertise often gets duplicated across skills and prompts. Testing heuristics, domain risks, tool usage notes, product decisions, and team-specific contracts drift apart. Ownership becomes unclear. References break. Deprecated guidance remains reachable. New engineers and agents cannot tell which knowledge is authoritative.
91
+ ## Primary Skill Workflows
80
92
 
81
- Renma gives that material the same operational posture teams expect from source code:
82
-
83
- - Reusable across skills and agents
84
- - Owned by a team or maintainer
85
- - Reviewable in pull requests
86
- - Versioned in Git
87
- - Composable through explicit references and dependencies
88
- - Validated with deterministic checks
89
- - Easy to inspect locally and in CI
90
-
91
- For example, a testing organization can keep boundary value analysis, negative testing, regression risk, payment idempotency, duplicate charge prevention, refund edge cases, mobile offline behavior, mobile automation notes, and known team-specific risks as shared context assets instead of burying them inside individual skills.
92
-
93
- ## Repository Shape
94
-
95
- Renma supports existing skill-local references, profiles, and examples. The preferred model is to give reusable knowledge first-class space under `contexts/`:
93
+ For a new Skill, use platform-native guidance to design the workflow, then run
94
+ one generator for the target file:
96
95
 
97
96
  ```text
98
- skills/
99
- testing/
100
- test-case-generation.skill.md
101
- spec-review.skill.md
102
- regression-planning.skill.md
103
-
104
- contexts/
105
- testing/
106
- boundary-value-analysis.md
107
- negative-testing.md
108
- regression-risk.md
109
- domain/
110
- payment/
111
- idempotency.md
112
- duplicate-charge.md
113
- refund-risk.md
114
- mobile/
115
- offline-behavior.md
116
- background-resume.md
117
- tools/
118
- appium/
119
- usage-guideline.md
120
- limitations.md
121
- teams/
122
- checkout/
123
- payment-api-contracts.md
124
- known-risk-patterns.md
125
-
126
- lenses/
127
- testing/
128
- spec-review-boundary-values.md
129
- ```
130
-
131
- `contexts/` is preferred. `context/` is also scanned for compatibility. Files under either root are cataloged as first-class `context` assets, while experimental `context_lens` assets live under `lenses/` or opt in from context files with `type: context_lens`. Skill-local `references/` remain supported as `reference` assets.
132
-
133
- ## What Renma Does Today
134
-
135
- Renma is a minimal-dependency TypeScript CLI that scans local repositories and builds a deterministic catalog of agent-consumable assets.
136
-
137
- It currently scans:
138
-
139
- - AI-agent skills
140
- - Repository instructions such as `AGENTS.md`
141
- - Shared context Markdown under `context/` and `contexts/`
142
- - Skill profiles, references, and examples
143
- - Tool guidance and support files
144
- - README-level repository documentation
145
-
146
- It produces:
147
-
148
- - File and line-level diagnostics
149
- - Catalog reports with deterministic asset IDs
150
- - Ownership coverage reports
151
- - Dependency graph reports
152
- - Trust Graph evidence reports
153
- - Agent readiness reports
154
- - Repository Context BOM manifests
155
- - JSON output for CI and downstream tooling
156
- - Text output designed to become actionable repair prompts for humans or agents
157
-
158
- Findings are meant to explain what is wrong, why it matters, where the evidence is, what to preserve while fixing it, and how to verify the repair. Renma does not apply large semantic rewrites itself; it emits structured diagnostics so a human or coding agent can propose a reviewable patch and run Renma again.
159
-
160
- JSON scan output also includes additive `diagnosticsV2` and `reviewBundles` fields for LLM-assisted repair and review tooling. These normalize findings and diagnostics into stable codes, locations, typed repair constraints, structured verification steps, concise `llmHint` guidance, and deterministic groups of related issues. See the [Diagnostics Reference](docs/diagnostics.md) for the schema and examples.
161
-
162
- ## Scan, Catalog, Graph, Readiness, And BOM
163
-
164
- Renma exposes several deterministic views over the same repository evidence. They answer different questions.
165
-
166
- | Command | Main question | Best for | Output shape |
167
- | --- | --- | --- | --- |
168
- | `scan` | What concrete problems were found? | Fixing diagnostics and CI checks | Finding list |
169
- | `catalog` | What assets exist? | Reviewing IDs, owners, lifecycle metadata, hashes, tags, and declared dependencies | Asset inventory |
170
- | `graph` | How are assets connected? | Inspecting dependencies and references | Asset relationship graph |
171
- | `trust-graph` | What evidence helps reviewers decide whether assets are safe, owned, current, and usable enough? | Tracing owner, lifecycle, policy, dependency, reference, and diagnostic evidence per asset | Evidence graph |
172
- | `readiness` | Is the repository broadly ready for agent-facing use? | Maintainer summary and CI reporting | Repository-level scorecard |
173
- | `bom` | What declared repository context manifest should reviewers inspect? | Combining catalog, graph, readiness, diagnostics, lifecycle, hashes, and security posture evidence | Repository Context BOM |
174
-
175
- `trust-graph` does not decide that an asset is trustworthy. It connects deterministic evidence that humans and downstream tools can review: owner, lifecycle status, dependency and reference relationships, selected security profiles, effective policy fingerprints, and diagnostics.
176
-
177
- In short:
178
-
179
- - `scan` lists problems.
180
- - `catalog` lists what assets exist.
181
- - `graph` shows structural relationships.
182
- - `trust-graph` connects trust-relevant evidence.
183
- - `readiness` summarizes repository health.
184
- - `bom` combines declared asset inventory, dependencies, hashes, lifecycle, diagnostics, readiness, and security posture evidence into a reviewable repository manifest.
185
-
186
- Useful command examples:
187
-
188
- ```bash
189
- renma scan . --format json
190
- renma catalog . --format json
191
- renma graph . --format json
192
- renma trust-graph . --format markdown
193
- renma trust-graph . --format json
194
- renma readiness . --format markdown
195
- renma bom . --format json
196
- renma bom . --format markdown
197
- renma bom . --format json --omit-generated-at
198
- ```
199
-
200
- ### Repository Context BOM
201
-
202
- `renma bom` prints a declared Repository Context BOM generated from existing Renma evidence. See the [Repository Context BOM contract](docs/repository-context-bom.md) for the authoritative v1 schema, snapshot, reproducibility, provenance, and future consumed-context evidence boundaries.
203
-
204
- ```bash
205
- renma bom . --format json
206
- renma bom . --format markdown
207
- renma bom . --format json --omit-generated-at
97
+ platform-native Skill authoring guidance
98
+ -> renma scaffold skill
99
+ -> review and complete the generated Skill
100
+ -> renma scan . --fail-on high
101
+ -> fix relevant diagnostics
102
+ -> rerun validation
103
+ -> human review
208
104
  ```
209
105
 
210
- The BOM is a repository manifest, not a runtime usage report. It combines the catalog asset inventory, content hashes, owners, lifecycle metadata, declared dependency graph evidence, diagnostics, readiness checks, security posture, and security policy inventory into one reviewable artifact.
211
-
212
- Renma derives each BOM from one in-memory repository snapshot: configuration, discovered artifacts, parsed documents, catalog, graph evidence, diagnostics, readiness, and security summaries all come from the same collected state.
213
-
214
- It does not describe what an LLM actually used, assemble prompts, select task-specific context, inject context into agents, import consumed-context evidence, or collect telemetry. JSON is the source of truth; Markdown is the compact pull-request review view.
215
-
216
- By default, `generatedAt` records the actual generation time. Use `--omit-generated-at` when CI or review automation needs to avoid clock-based diffs. With the same checkout path, config path, repository contents, Renma version, and UTC evaluation date, repeated `--omit-generated-at` runs should produce byte-identical JSON. The option does not remove metadata freshness dates, suppress freshness diagnostics, normalize absolute `root` or `configPath`, hide file moves, or guarantee portable byte-for-byte output across runners.
217
-
218
- ### Repeated context diagnostics
219
-
220
- `renma scan` reports deterministic repeated-context candidates across discovered skills, agents, profiles, references, examples, and shared context assets. These findings are evidence for consolidation, not automatic source-of-truth decisions:
106
+ For an existing Skill:
221
107
 
222
108
  ```text
223
- LLM proposes. Renma verifies. Human approves.
224
- ```
225
-
226
- The MVP rule IDs are:
227
-
228
- - `MAINT-REPEATED-SECTION` for repeated normalized section hashes.
229
- - `MAINT-REPEATED-HEADING` for repeated non-generic headings.
230
- - `MAINT-REPEATED-CODE-BLOCK` for repeated substantial code fences.
231
- - `MAINT-REPEATED-LINK` for repeated repository context link targets.
232
- - `MAINT-REPEATED-CONTEXT-PATTERN` for repeated token shingles.
233
-
234
- Renma normalizes whitespace and only reports cross-file candidates with stable parser evidence. Remediation text asks maintainers to preserve ownership boundaries, procedural detail, and human approval while consolidating owned knowledge.
235
-
236
- LLM-authored skills and context assets often converge on similar wording, structure, and safety boilerplate. That uniformity can make deterministic checks more useful, not less: Renma can catch repeated sections, duplicated guidance, stale ownership, risky commands, and policy drift without needing to call an LLM. The findings are evidence for review, not automatic rewrite decisions.
237
-
238
- ## How Renma differs from adjacent tools
239
-
240
- Prompt-management and eval tools focus on prompts, traces, and model outputs.
241
-
242
- Renma focuses one layer lower: the reusable context assets and skills that prompts, agents, and tools depend on.
243
-
244
- Knowledge-management tools help humans organize notes and documents.
245
-
246
- Renma focuses on machine-consumable repository knowledge that can be owned, referenced, validated, and reused in AI workflows.
247
-
248
- Software catalogs track services, libraries, ownership, and lifecycle.
249
-
250
- Renma applies a similar catalog model to context assets.
251
-
252
- ## First-Time Use
253
-
254
- Try Renma against the current repository:
255
-
256
- ```bash
257
- npx renma scan .
258
- npx renma catalog . --format json
259
- npx renma graph . --format mermaid
260
- npx renma trust-graph . --format json
261
- npx renma readiness .
262
- npx renma diff . --from main --to HEAD --format markdown
109
+ review with platform-native Skill authoring guidance
110
+ -> renma scan . --fail-on high
111
+ -> inspect relevant diagnostics and repository evidence
112
+ -> use suggest-metadata only for metadata or migration work
113
+ -> prepare and review intended changes
114
+ -> renma scan . --fail-on high
115
+ -> fix relevant diagnostics
116
+ -> rerun validation
117
+ -> human review
263
118
  ```
264
119
 
265
- The first command does not require you to design a knowledge architecture up front. It scans the repository, builds a local catalog, and reports obvious health issues such as broken links, unclear ownership, risky instructions, weak structure, and context that may be hard for agents to trust.
266
-
267
- Command-specific help is designed for both humans and coding agents: start with `renma --help`, then run `renma <command> --help` before choosing a workflow. For guided workflows, see the User Manual sections on [LLM-assisted skill maintenance](docs/user-manual.md#llm-assisted-skill-maintenance), [creating a new skill with scaffold](docs/user-manual.md#user-story-create-a-new-skill-with-scaffold), and [improving existing skills with diagnostics](docs/user-manual.md#user-story-improve-existing-skills-with-diagnostics).
120
+ Do not run two independent generators against the same target file. If a
121
+ platform-native tool can generate Skills, ask it to review or refine the Renma
122
+ scaffold, or ask it to use `renma scaffold skill` as its starting point.
123
+ `suggest-metadata` never edits the target and does not improve the Skill body.
268
124
 
269
- If you are developing Renma from source:
125
+ The [Authoring Guide](docs/authoring-guide.md) is the canonical walkthrough for
126
+ both workflows.
270
127
 
271
- ```bash
272
- npm install
273
- npm run build
274
- node dist/index.js scan .
275
- ```
128
+ ## Install And Quick Start
276
129
 
277
- Then inspect the catalog and graph:
130
+ Run Renma without installing it globally:
278
131
 
279
132
  ```bash
280
- node dist/index.js catalog . --format json
281
- node dist/index.js graph . --format mermaid
282
- node dist/index.js trust-graph . --format json
283
- node dist/index.js readiness .
284
- node dist/index.js diff . --from main --to HEAD --format markdown
133
+ npx renma scan . --fail-on high
134
+ npx renma catalog . --format markdown
135
+ npx renma graph . --format markdown
136
+ npx renma readiness . --format markdown
285
137
  ```
286
138
 
287
- Author a skill, context asset, or context lens with `scaffold`:
139
+ Create and complete a new Skill:
288
140
 
289
141
  ```bash
290
- npx renma scaffold skill skills/testing/spec-review/SKILL.md --id skill.testing.spec-review --title "Spec Review" --owner qa-platform --tags testing,spec-review
291
- npx renma scaffold context contexts/testing/boundary-value-analysis.md --id context.testing.boundary-value-analysis --title "Boundary Value Analysis" --owner qa-platform --tags testing
292
- npx renma scaffold context_lens lenses/testing/spec-review-boundary-values.md --id lens.testing.spec-review.boundary-values --title "Spec Review Boundary Values Lens" --owner qa-platform --tags testing,spec-review
142
+ npx renma scaffold skill skills/testing/spec-review/SKILL.md --owner qa-platform
143
+ # Review the file with your platform's standard Skill authoring guidance.
144
+ npx renma scan . --fail-on high
293
145
  ```
294
146
 
295
- Inspect a focused graph for the new skill:
147
+ Review an existing Skill without editing it automatically. Start with `scan`;
148
+ use `suggest-metadata` only when the evidence identifies metadata retrofit or
149
+ migration work:
296
150
 
297
151
  ```bash
298
- npx renma graph . --focus skill.testing.spec-review --format mermaid
152
+ npx renma scan . --fail-on high
299
153
  npx renma inspect skills/testing/spec-review/SKILL.md
154
+ # Conditional: metadata retrofit, explicit owner retrofit, or migration only.
155
+ npx renma suggest-metadata skills/testing/spec-review/SKILL.md
300
156
  ```
301
157
 
302
- Focused graph views are inspection tools; they do not choose, inject, or load runtime context for an agent.
303
-
304
- `scaffold --format prompt` emits a Codex/Claude-ready authoring prompt for `<asset-id-or-path>` without writing files. `scaffold --format json` emits structured scaffold data.
305
-
306
- Semantic diff compares deterministic catalog, graph, readiness, and finding
307
- snapshots across Git refs. It does not interpret arbitrary prose semantics,
308
- assemble prompts, choose context, call an LLM, repair files, or check out or
309
- mutate the working tree.
310
-
311
- A practical first pass is:
312
-
313
- 1. Run `catalog` to see which skills, context assets, references, examples, and support files Renma discovered.
314
- 2. Run `scan` to find broken links, weak structure, risky instructions, missing lifecycle metadata, and other repairable issues.
315
- 3. Run `graph` to inspect dependencies and discover orphaned or overly coupled knowledge.
316
- 4. Run `trust-graph` to inspect deterministic owner, lifecycle, policy, dependency, and diagnostic evidence without introducing a trust score.
317
- 5. Run `readiness` to summarize whether the repository is healthy enough for agent use.
318
- 6. Run `ownership` to find assets without clear ownership.
319
- 7. Run `suggest-metadata` on existing assets that need a safe metadata retrofit prompt for a reviewed patch.
320
-
321
- Renma does not require an LLM for this loop. Its core analysis is deterministic so the same repository state produces stable evidence in local development, CI, and code review.
158
+ Inspect one file or an exact slice:
322
159
 
323
- ## Example repository
324
-
325
- See [`examples/context-repo`](examples/context-repo) for a small skill and shared-context repository you can scan with renma.
326
-
327
- See [`examples/context-lens`](examples/context-lens) for a Context Lens governance example with valid lenses, readiness output, inspect output, and expected diagnostics for an invalid lens.
328
-
329
- ## CLI Commands
330
-
331
- ```bash
332
- renma scan <path>
333
- renma catalog <path>
334
- renma ownership <path>
335
- renma graph <path>
336
- renma trust-graph <path>
337
- renma readiness <path>
338
- renma diff <path> --from <ref> --to <ref>
339
- renma ci-report <path> --from <ref> --to <ref>
160
+ ```text
340
161
  renma inspect <file>
341
162
  renma inspect <file> --lines L10-L42
342
- renma suggest-metadata <file>
343
- renma suggest-semantic-split <file>
344
163
  ```
345
164
 
346
- Common examples:
165
+ When developing from this checkout:
347
166
 
348
167
  ```bash
349
- renma scan .
350
- renma scan . --format json
351
- renma scan . --fail-on high
352
- renma catalog . --format json
353
- renma ownership . --include-owned
354
- renma ownership . --owner qa-platform
355
- renma graph . --format json
356
- renma graph . --format mermaid
357
- renma graph . --focus skill.testing.spec-review --view full
358
- renma trust-graph . --format json
359
- renma trust-graph . --format markdown
360
- renma readiness . --format markdown
361
- renma diff . --from main --to HEAD --format markdown
362
- renma ci-report . --from main --to HEAD --format markdown
363
- renma inspect contexts/testing/boundary-value-analysis.md
364
- renma suggest-metadata skills/testing/spec-review/SKILL.md --format prompt
365
- renma suggest-metadata skills/testing/spec-review/SKILL.md --owner qa-platform --format json
168
+ npm install
169
+ npm run build
170
+ node dist/index.js scan . --fail-on high
366
171
  ```
367
172
 
368
- Use JSON output when Renma is part of CI or another tool. Use markdown output for PR-review artifacts. Use text output when a person or coding agent needs a concise repair list.
369
-
370
- `renma trust-graph . --format markdown` is useful for human review. `renma trust-graph . --format json` is the source of truth for downstream Trust Graph consumers, and `renma scan . --format json` includes the same data under `trustGraph`.
371
-
372
- Trust Graph helps reviewers inspect owner evidence, lifecycle status evidence, dependency and reference evidence, selected security profiles, effective policy fingerprints, and diagnostics in one deterministic layer. Common review questions include finding assets without owners or lifecycle status, identifying assets that share the same effective policy fingerprint, and connecting diagnostics back to asset evidence.
373
-
374
- `ci-report` exit behavior:
375
-
376
- - PASS/WARN: exit 0
377
- - FAIL: exit 1
378
- - command, runtime, or config error: exit 2
173
+ ## Command Guide
174
+
175
+ | Command | Main question |
176
+ | --- | --- |
177
+ | `scan` | What concrete problems should be fixed? |
178
+ | `catalog` | What assets and metadata exist? |
179
+ | `graph` | How are assets structurally connected? |
180
+ | `trust-graph` | What trust-relevant evidence is connected to each asset? |
181
+ | `readiness` | Is the repository broadly prepared for agent-facing use? |
182
+ | `bom` | What declared repository context manifest should be reviewed? |
183
+ | `ownership` | Where is ownership missing or concentrated? |
184
+ | `diff` | What deterministic evidence changed between Git refs? |
185
+ | `ci-report` | What should a CI or pull-request reviewer inspect? |
186
+ | `inspect` | What is the outline or exact line slice of one file? |
187
+ | `scaffold` | How can a new asset start from a deterministic structure? |
188
+ | `suggest-metadata` | What metadata retrofit or one-way Skill migration is safe to review? |
189
+ | `suggest-semantic-split` | How can a mixed-purpose asset be split reviewably? |
190
+
191
+ Run `renma --help` and `renma <command> --help` for current options, output
192
+ contracts, and next steps. The [User Manual](docs/user-manual.md) is the
193
+ operational command reference.
379
194
 
380
- ## What Gets Scanned
195
+ ## Repository Shape
381
196
 
382
- By default, Renma looks for:
197
+ Renma supports independently owned knowledge rather than requiring every piece
198
+ of Context to live inside a Skill directory:
383
199
 
384
200
  ```text
385
- skills/**/SKILL.md
386
- skills/**/skill.md
387
- skills/**/*.skill.md
388
- .agents/skills/**/SKILL.md
389
- .agents/skills/**/skill.md
390
- .agents/skills/**/*.skill.md
391
- .agents/**/*.md
392
- AGENTS.md
393
- README.md
394
- context/**/*.md
395
- contexts/**/*.md
396
- lenses/**/*.md
397
- skills/**/profiles/**/*.md
398
- skills/**/references/**/*.md
399
- skills/**/examples/**/*.md
400
- skills/**/scripts/**/*
401
- tools/**/*
402
- ```
403
-
404
- Skill-like files outside `skills/**` or `.agents/skills/**` are not treated as
405
- Renma skill assets by default. Renma may emit an informational layout diagnostic
406
- to suggest moving the file if it is intended to be a Renma skill.
407
-
408
- Under explicit skill roots, the path segments `examples`, `profiles`,
409
- `references`, and `scripts` are reserved for skill-local support files. These
410
- are valid support paths:
411
-
412
- - `skills/demo/examples/happy-path.md`
413
- - `skills/demo/references/spec.md`
414
- - `skills/demo/scripts/helper.sh`
415
- - `skills/demo/profiles/local.md`
416
-
417
- The same reserved names apply under `.agents/skills/**`.
418
-
419
- Avoid using reserved support directory names as skill names. For example,
420
- `skills/examples/SKILL.md`, `skills/references/SKILL.md`,
421
- `skills/scripts/SKILL.md`, and `skills/profiles/SKILL.md` are not treated as
422
- skill entrypoints by default. Rename the skill directory, such as
423
- `skills/example-review/SKILL.md`, if the file is intended to define a Renma
424
- skill.
425
-
426
- Renma can still discover legacy skill-local support files for compatibility, but canonical reusable knowledge belongs in `contexts/`, experimental interpretation layers belong in `lenses/`, and helper implementations belong in `tools/`. Shared knowledge that is reused across skills should usually move into `contexts/` so it can have its own owner, lifecycle, dependencies, and review history.
427
-
428
- ## Configuration
429
-
430
- Add `renma.config.json` at the repository root to tune discovery and CI behavior:
431
-
432
- ```json
433
- {
434
- "fail_on": "high",
435
- "format": "json",
436
- "globs": [
437
- "skills/**/SKILL.md",
438
- "skills/**/skill.md",
439
- ".agents/skills/**/SKILL.md",
440
- "AGENTS.md",
441
- "contexts/**/*.md"
442
- ],
443
- "exclude": [
444
- "node_modules",
445
- "dist",
446
- ".git"
447
- ],
448
- "suppressions": [
449
- {
450
- "id": "SEC-ENV-COPY",
451
- "paths": ["skills/testing/**"],
452
- "reason": "This skill intentionally documents env passthrough test cases.",
453
- "expires": "2026-09-30"
454
- },
455
- {
456
- "id": "LAYOUT-SKILL-NOT-THIN",
457
- "paths": ["skills/legacy/**"],
458
- "reason": "Legacy skill kept for compatibility with existing workflows.",
459
- "expires": "never"
460
- }
461
- ],
462
- "max_file_size_bytes": 524288,
463
- "max_depth": 16,
464
- "concurrency": 16,
465
- "layout": {
466
- "workflow_aliases": {}
467
- }
468
- }
469
- ```
470
-
471
- Use `exclude` only for paths Renma should not scan. Use `suppressions` when Renma should still scan a file, detect matching findings internally, then omit those findings from normal reports and failure thresholds. Suppressions apply only when both the finding `id` and at least one `paths` entry match, so keep path patterns narrow.
472
-
473
- Each suppression requires a rule `id`, one or more path patterns, and an audit `reason` that stays in config for review. `expires` is optional, but audited suppressions should usually include either a date in `YYYY-MM-DD` for temporary workarounds or `"never"` for an intentionally permanent exception. Date-based expirations reactivate matching findings after the date passes. Suppression paths use repository-relative POSIX-style paths, exact matches, directory-prefix matches for non-glob patterns, and a small glob subset: `*` within a path segment and `**` across directories.
474
-
475
- ## Asset Metadata
476
-
477
- Renma works best when reusable assets declare lightweight metadata in front matter:
478
-
479
- ```markdown
480
- ---
481
- id: context.testing.boundary-value-analysis
482
- owner: qa-platform
483
- status: stable
484
- last_reviewed_at: 2026-06-28
485
- review_cycle: P90D
486
- expires_at: 2026-12-31
487
- requires_context:
488
- - context.testing.negative-testing
489
- ---
490
-
491
- # Boundary Value Analysis
201
+ skills/
202
+ testing/
203
+ spec-review/
204
+ SKILL.md
205
+ contexts/
206
+ testing/
207
+ boundary-value-analysis.md
208
+ negative-testing.md
209
+ lenses/
210
+ testing/
211
+ spec-review-boundary-values.md
492
212
  ```
493
213
 
494
- Useful metadata includes:
495
-
496
- - `id`: Stable catalog ID
497
- - `title`: Human-readable asset title
498
- - `owner`: Recommended team, person, or group responsible for the asset
499
- - `status`: Lifecycle state such as `experimental`, `stable`, `deprecated`, or `archived`
500
- - `version`: Asset version when the repository uses explicit versioning
501
- - `last_reviewed_at`: ISO date for the last human review, such as `2026-06-28`
502
- - `review_cycle`: ISO 8601 day duration for expected review cadence, such as `P90D`
503
- - `expires_at`: ISO date when the asset should be treated as expired
504
- - `tags`: Search and grouping labels
505
- - `requires_context`: Context assets this asset normally depends on
506
- - `optional_context`: Context assets useful only in some cases
507
- - `conflicts`: Context assets that should not be applied together
508
- - `superseded_by`: Replacement asset when this asset is deprecated
509
-
510
- Renma can infer some information from paths and headings, but explicit metadata makes ownership and dependency reports much more valuable.
511
-
512
- ### Ownership policy
214
+ This is an illustrative layout, not a required domain hierarchy. `contexts/`
215
+ is preferred and `context/` remains supported. Skill-local `references/`,
216
+ `assets/`, `scripts/`, `examples/`, and `profiles/` are valid support material.
217
+ When deterministic evidence shows that knowledge is reusable beyond one Skill,
218
+ promote it to an owned Context Asset rather than moving it based on location
219
+ alone.
513
220
 
514
- Renma treats `owner` as governance metadata. Declaring an owner is recommended because it makes context assets easier to review, maintain, and share across teams.
221
+ The relationship model supports both:
515
222
 
516
- However, owner metadata is not globally required yet. Assets without an owner are accepted and reported as unowned in the ownership coverage report.
517
-
518
- Renma does not infer owners automatically. If an asset is unowned, choose an owner through human review or team policy.
519
-
520
- To retrofit metadata onto an existing skill or context asset without overwriting its body, ask Renma for a deterministic prompt or JSON payload:
521
-
522
- ```bash
523
- renma scan .
524
- renma ownership .
525
- renma suggest-metadata skills/testing/spec-review/SKILL.md --format prompt
223
+ ```text
224
+ Skill -> Context Lens -> Context Asset
225
+ Skill -> Context Asset
526
226
  ```
527
227
 
528
- `suggest-metadata` is not an auto-fixer. It tells a human or coding agent to inspect the existing asset, preserve existing frontmatter and Markdown body content, add only compact missing metadata that is clearly supported, and rerun `renma scan .` and `renma ownership .`. It does not infer owners. If you pass `--owner qa-platform`, the output may include that owner because it was explicitly provided; otherwise missing owner remains allowed and is reported as unowned by `ownership`. If an existing asset already declares an owner, `suggest-metadata` preserves it; a different `--owner` value is treated as a human-review ownership change, not an automatic metadata suggestion.
228
+ These are static governance relationships, not runtime Context selection.
529
229
 
530
- Renma reads deterministic frontmatter from skills and context assets. YAML-style block lists are supported for selected metadata fields, which keeps authored metadata explicit and reviewable:
230
+ ## Canonical Skill Example
531
231
 
532
232
  ```yaml
533
233
  ---
534
- id: context.testing.boundary-value-analysis-v2
535
- title: Boundary Value Analysis
536
- owner: qa-platform
537
- status: stable
538
- version: 1.0.0
539
- last_reviewed_at: 2026-06-28
540
- review_cycle: P180D
541
- expires_at: 2026-12-31
542
- tags:
543
- - testing
544
- - spec-review
545
- when_to_use:
546
- - Designing tests around numeric, date, quantity, or limit boundaries
547
- when_not_to_use:
548
- - For exploratory testing notes that do not depend on boundaries
549
- requires_context:
550
- - context.testing.negative-testing
551
- optional_context:
552
- - context.domain.payment.duplicate-charge
553
- conflicts:
554
- - context.testing.boundary-value-analysis-v1
555
- superseded_by:
556
- - context.testing.boundary-value-analysis-v3
234
+ name: spec-review
235
+ description: Review specifications for ambiguity and missing boundaries. Use when requirements need evidence-backed review before implementation.
236
+ metadata:
237
+ renma.id: skill.testing.spec-review
238
+ renma.title: Spec Review
239
+ renma.owner: qa-platform
240
+ renma.status: stable
241
+ renma.tags: '["testing","spec-review"]'
242
+ renma.requires-context: '["context.testing.boundary-value-analysis"]'
243
+ renma.optional-context: '[]'
557
244
  ---
558
245
  ```
559
246
 
560
- Supported YAML-style block-list fields are `tags`, `when_to_use`, `when_not_to_use`, `requires_context`, `optional_context`, `conflicts`, and `superseded_by`. Renma supports lists for those metadata fields, not arbitrary nested maps; it does not infer missing dependencies with an LLM during `scan`.
561
-
562
- Catalog and scan diagnostics preserve field-level evidence for metadata. For
563
- block-list dependency fields such as `requires_context` and `optional_context`,
564
- findings point to the specific list item line that produced the edge or
565
- diagnostic.
566
-
567
- ## CI Example
568
-
569
- For PR review artifacts, see [`examples/github-actions/renma-ci-report.yml`](examples/github-actions/renma-ci-report.yml).
570
-
571
- ```yaml
572
- name: renma
573
-
574
- on:
575
- pull_request:
576
- push:
577
- branches:
578
- - main
579
-
580
- jobs:
581
- renma:
582
- runs-on: ubuntu-latest
583
- steps:
584
- - uses: actions/checkout@v4
585
- - uses: actions/setup-node@v4
586
- with:
587
- node-version: 22
588
- - run: npx renma scan . --fail-on high --format json
589
- ```
590
-
591
- ## Design Philosophy
592
-
593
- Renma has an opinionated design.
594
-
595
- It is built around the idea that reusable LLM context should be treated like a software asset: owned, versioned, referenced, reviewed, and checked for readiness.
596
-
597
- This means Renma favors structured, Git-friendly context repositories over ad hoc prompt snippets or untracked notes.
598
-
599
- ## Design Boundaries
600
-
601
- Renma intentionally stays below the agent runtime layer.
602
-
603
- Renma does:
604
-
605
- - Catalog LLM-consumable repository assets
606
- - Validate links, structure, lifecycle state, safety signals, and ownership
607
- - Emit deterministic reports with file and line evidence
608
- - Help humans and agents repair knowledge repositories through reviewable patches
609
-
610
- Renma does not:
611
-
612
- - Choose task-specific context for a live agent session
613
- - Assemble prompts
614
- - Inject context into model calls
615
- - Execute agent workflows
616
- - Act as a provider gateway
617
- - Own runtime telemetry collection
618
- - Replace product, QA, platform, or documentation ownership
619
-
620
- This boundary keeps Renma useful as repository infrastructure. Agent tools can consume its reports, but the catalog remains grounded in Git, code review, and deterministic checks.
621
-
622
- ## Security Diagnostics
623
-
624
- Security diagnostics v2 extends the deterministic v1 command checks with
625
- LLM-facing policy and data-handling diagnostics. Renma recognizes small policy
626
- metadata such as `allowed_data`, `network_allowed`, `external_upload_allowed`,
627
- `secrets_allowed`, and `requires_human_approval`; reports contradictory or
628
- violated policy; flags sensitive file and secret-material instructions; and
629
- detects external uploads, bulk sharing, cloud upload, overbroad context
630
- collection, and instructions that disable or discourage redaction.
631
-
632
- Security diagnostics v3 also enforces approved destination allowlists such as
633
- `approved_network_destinations` for URL and domain-like network instructions.
634
-
635
- Security diagnostics v4 can also read repository-wide security policy from
636
- `renma.config.json`:
637
-
638
- ```json
639
- {
640
- "security": {
641
- "approvedDomains": ["github.com", "registry.npmjs.org"],
642
- "approvedUploadDomains": ["internal-artifacts.example.com"],
643
- "disallowedCommands": ["gh gist create", "pastebin", "webhook.site", "nc"]
644
- }
645
- }
646
- ```
647
-
648
- Global `approvedDomains` combine with artifact-local
649
- `approved_network_destinations`. Upload destinations must be approved separately
650
- with `approvedUploadDomains`.
651
-
652
- Security profiles can be defined under `security.profiles` and selected by artifacts with `security_profile` or `securityProfile`. Artifact-local explicit denials such as `network_allowed: false` and `external_upload_allowed: false` remain stricter than inherited profile or repository allowances.
653
-
654
- ```json
655
- {
656
- "security": {
657
- "profiles": {
658
- "appium-local-diagnostics": {
659
- "networkAllowed": true,
660
- "externalUploadAllowed": false,
661
- "secretsAllowed": false,
662
- "humanApprovalRequired": true,
663
- "allowedData": ["repo-local-files", "sanitized-ci-diagnostics"],
664
- "forbiddenInputs": ["secrets", "credentials"],
665
- "approvedDomains": ["github.com"],
666
- "approvedUploadDomains": [],
667
- "disallowedCommands": ["gh gist create"]
668
- }
669
- }
670
- }
671
- }
672
- ```
673
-
674
- Renma reports deterministic safety findings for agent-facing operational instructions, such as unpinned remote scripts, unsafe privileged commands, predictable temporary paths, and credential-like command arguments.
675
-
676
- These findings are guardrails for review. They do not replace secret scanning, SAST, dependency scanning, or human security review.
677
-
678
- Near-term security work is focused on stabilizing these diagnostics for the 0.7.0 line. Renma now summarizes security posture in readiness and CI reports, and exposes Trust Graph evidence for effective policy, security profile resolution, approved destinations, forbidden inputs, human approval requirements, and high-risk findings.
679
-
680
- Trust Graph interprets existing catalog, graph, scan, and security evidence as deterministic repository evidence. It is not a runtime system, not enforcement, not context selection or prompt assembly, not telemetry collection, not an LLM call, and not a subjective trust score.
681
-
682
- Repository Context BOM is a declared repository manifest of assets, hashes, owners, lifecycle states, dependencies, security posture, diagnostics, and readiness evidence. It does not claim what an LLM actually used at runtime. The v1 contract deliberately keeps Git revision identity in the surrounding CI/PR artifact context and keeps any future consumed-context evidence separate from the declared BOM meaning. See the [Repository Context BOM contract](docs/repository-context-bom.md).
683
-
684
- ## Design Notes
685
-
686
- Renma is part of a broader idea: treating reusable LLM context as software-managed knowledge.
687
-
688
- - [Beyond Prompt Engineering: Why We Need Context Repositories](https://kazucocoa.blog/2026/06/26/beyond-prompt-engineering-why-we-need-context-repositories/)
689
- - [Introducing Renma: An Opinionated Context Repository for LLMs](https://kazucocoa.blog/2026/06/29/introducing-renma-an-opinionated-context-repository-for-llms/)
690
- - [Where Does a Context Repository Fit in the AI Stack?](https://kazucocoa.blog/2026/07/01/where-does-a-context-repository-fit-in-the-ai-stack/)
691
- - Context Engineering Is Software Engineering (planned)
692
-
693
- ([Context Repository Series](https://kazucocoa.blog/context-repository/))
694
-
695
- ## Development
696
-
697
- ```bash
698
- npm install
699
- npm run build
700
- npm test
701
- ```
702
-
703
- Run the local CLI after building:
247
+ Agent Skills owns the standard identity and body. Renma governance and security
248
+ values use flat, string-valued `metadata.renma.*` entries; list values are JSON
249
+ array strings. Context Assets and other non-Skill assets retain their documented
250
+ top-level metadata syntax.
704
251
 
705
- ```bash
706
- node dist/index.js scan .
707
- ```
252
+ See the [Authoring Guide](docs/authoring-guide.md) for authoring responsibility
253
+ and the [compatibility guide](docs/agent-skills-compatibility.md) for the exact
254
+ canonical and migration rules.
708
255
 
709
- ## Documentation
256
+ ## Examples And Documentation
710
257
 
258
+ - [Documentation index](docs/README.md)
711
259
  - [User Manual](docs/user-manual.md)
712
260
  - [Authoring Guide](docs/authoring-guide.md)
713
- - [Security Policy Guide](docs/security-policy.md)
261
+ - [Agent Skills Compatibility and Migration](docs/agent-skills-compatibility.md)
714
262
  - [Diagnostics Reference](docs/diagnostics.md)
263
+ - [Security Policy Guide](docs/security-policy.md)
264
+ - [Repository Context BOM contract](docs/repository-context-bom.md)
265
+ - [Architecture](architecture.md)
266
+ - [Product Design](design.md)
267
+ - [Current Roadmap](plan.md)
268
+ - [Proposed 0.18.0 Skill Discovery](plan-discovery.md)
269
+ - [Interactive Placeholder Example](examples/interactive-placeholder): minimal
270
+ hands-on clarify-before-act Skill interaction with a local tool.
271
+ - [Example Context Repository](examples/context-repo): richer repository-aware
272
+ Skill, Context Lens, and Context Asset governance.
273
+ - [Context Lens Example](examples/context-lens): focused Context Lens governance.
274
+ - [GitHub Actions Example](examples/github-actions/renma-ci-report.yml): CI report
275
+ integration.
276
+
277
+ The governing review loop remains:
715
278
 
716
- ## Related Docs
717
-
718
- - [architecture.md](architecture.md) for the deeper system model
719
- - [design.md](design.md) for product and rule-design notes
720
- - [plan.md](plan.md) for current implementation direction
279
+ ```text
280
+ LLM proposes. Renma verifies. Human approves.
281
+ ```