renma 0.15.2 → 0.17.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +54 -1
- package/README.md +216 -655
- package/architecture.md +523 -0
- package/design.md +458 -0
- package/dist/agent-skills.d.ts +77 -0
- package/dist/agent-skills.d.ts.map +1 -0
- package/dist/agent-skills.js +468 -0
- package/dist/agent-skills.js.map +1 -0
- package/dist/catalog.d.ts.map +1 -1
- package/dist/catalog.js +38 -5
- package/dist/catalog.js.map +1 -1
- package/dist/cli-help.d.ts +13 -11
- package/dist/cli-help.d.ts.map +1 -1
- package/dist/cli-help.js +36 -11
- package/dist/cli-help.js.map +1 -1
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +139 -40
- package/dist/cli.js.map +1 -1
- package/dist/commands/catalog.d.ts.map +1 -1
- package/dist/commands/catalog.js +4 -3
- package/dist/commands/catalog.js.map +1 -1
- package/dist/commands/graph.d.ts.map +1 -1
- package/dist/commands/graph.js +7 -12
- package/dist/commands/graph.js.map +1 -1
- package/dist/commands/readiness.d.ts.map +1 -1
- package/dist/commands/readiness.js +7 -6
- package/dist/commands/readiness.js.map +1 -1
- package/dist/commands/scaffold.d.ts.map +1 -1
- package/dist/commands/scaffold.js +59 -16
- package/dist/commands/scaffold.js.map +1 -1
- package/dist/commands/suggest-metadata.d.ts +3 -1
- package/dist/commands/suggest-metadata.d.ts.map +1 -1
- package/dist/commands/suggest-metadata.js +226 -7
- package/dist/commands/suggest-metadata.js.map +1 -1
- package/dist/commands/suggest-semantic-split.js +3 -3
- package/dist/commands/suggest-semantic-split.js.map +1 -1
- package/dist/dependency-resolution.d.ts +6 -0
- package/dist/dependency-resolution.d.ts.map +1 -0
- package/dist/dependency-resolution.js +11 -0
- package/dist/dependency-resolution.js.map +1 -0
- package/dist/diagnostic-ids.d.ts +29 -0
- package/dist/diagnostic-ids.d.ts.map +1 -1
- package/dist/diagnostic-ids.js +28 -0
- package/dist/diagnostic-ids.js.map +1 -1
- package/dist/discovery.d.ts +50 -0
- package/dist/discovery.d.ts.map +1 -1
- package/dist/discovery.js +183 -25
- package/dist/discovery.js.map +1 -1
- package/dist/metadata.d.ts +3 -1
- package/dist/metadata.d.ts.map +1 -1
- package/dist/metadata.js +166 -29
- package/dist/metadata.js.map +1 -1
- package/dist/model.d.ts +1 -0
- package/dist/model.d.ts.map +1 -1
- package/dist/report.d.ts.map +1 -1
- package/dist/report.js +16 -1
- package/dist/report.js.map +1 -1
- package/dist/repository-paths.d.ts +13 -0
- package/dist/repository-paths.d.ts.map +1 -1
- package/dist/repository-paths.js +60 -2
- package/dist/repository-paths.js.map +1 -1
- package/dist/rules.d.ts.map +1 -1
- package/dist/rules.js +97 -107
- package/dist/rules.js.map +1 -1
- package/dist/scanner.d.ts.map +1 -1
- package/dist/scanner.js +3 -1
- package/dist/scanner.js.map +1 -1
- package/dist/security-diagnostics.d.ts.map +1 -1
- package/dist/security-diagnostics.js +98 -35
- package/dist/security-diagnostics.js.map +1 -1
- package/dist/security-policy-inventory.js +11 -4
- package/dist/security-policy-inventory.js.map +1 -1
- package/dist/security-policy.d.ts +27 -1
- package/dist/security-policy.d.ts.map +1 -1
- package/dist/security-policy.js +247 -34
- package/dist/security-policy.js.map +1 -1
- package/dist/skill-migration.d.ts +30 -0
- package/dist/skill-migration.d.ts.map +1 -0
- package/dist/skill-migration.js +566 -0
- package/dist/skill-migration.js.map +1 -0
- package/dist/trust-graph.d.ts.map +1 -1
- package/dist/trust-graph.js +7 -11
- package/dist/trust-graph.js.map +1 -1
- package/dist/types.d.ts +3 -1
- package/dist/types.d.ts.map +1 -1
- package/dist/yaml-frontmatter.d.ts +26 -0
- package/dist/yaml-frontmatter.d.ts.map +1 -0
- package/dist/yaml-frontmatter.js +114 -0
- package/dist/yaml-frontmatter.js.map +1 -0
- package/docs/README.md +55 -0
- package/docs/advanced-skill-authoring.md +140 -0
- package/docs/agent-skills-compatibility.md +500 -0
- package/docs/authoring-guide.md +324 -0
- package/docs/context-conflict-diagnostics.md +32 -0
- package/docs/context-language-diagnostics.md +99 -0
- package/docs/context-lens.md +253 -0
- package/docs/context-lifecycle-diagnostics.md +55 -0
- package/docs/diagnostics.md +373 -0
- package/docs/metadata-budget.md +14 -0
- package/docs/repository-context-bom.md +113 -0
- package/docs/security-policy.md +338 -0
- package/docs/user-manual.md +813 -0
- package/examples/context-lens/README.md +101 -0
- package/examples/context-lens/contexts/testing/boundary-value-analysis.md +23 -0
- package/examples/context-lens/lenses/testing/spec-review-boundary-values.md +29 -0
- package/examples/context-lens/lenses/testing/test-design-boundary-values.md +29 -0
- package/examples/context-lens/skills/testing/spec-review/SKILL.md +49 -0
- package/examples/context-repo/README.md +149 -0
- package/examples/context-repo/contexts/domain/payment/idempotency.md +20 -0
- package/examples/context-repo/contexts/testing/boundary-value-analysis.md +19 -0
- package/examples/context-repo/contexts/testing/negative-testing.md +19 -0
- package/examples/context-repo/lenses/testing/spec-review-boundary-values.md +35 -0
- package/examples/context-repo/renma.config.json +12 -0
- package/examples/context-repo/skills/testing/spec-review/SKILL.md +66 -0
- package/examples/context-repo/tools/appium/README.md +14 -0
- package/examples/github-actions/renma-ci-report.yml +36 -0
- package/examples/interactive-placeholder/README.md +104 -0
- package/examples/interactive-placeholder/assets/template.txt +1 -0
- package/examples/interactive-placeholder/renma.config.json +6 -0
- package/examples/interactive-placeholder/skills/replace-placeholder/SKILL.md +54 -0
- package/examples/interactive-placeholder/tools/README.md +48 -0
- package/examples/interactive-placeholder/tools/placeholder-demo.mjs +99 -0
- package/package.json +11 -1
- package/plan-discovery.md +740 -0
- package/plan.md +150 -0
- package/scripts/verify-package.mjs +97 -0
|
@@ -0,0 +1,338 @@
|
|
|
1
|
+
# Renma Security Policy Guide
|
|
2
|
+
|
|
3
|
+
Use this guide when writing security-sensitive skills or context assets. It is a practical policy-authoring companion to the [User Manual](user-manual.md). For full finding definitions, see the [Diagnostics Reference](diagnostics.md).
|
|
4
|
+
|
|
5
|
+
Renma security diagnostics are deterministic repository checks for agent-facing operational instructions. They do not execute commands, call an LLM, enforce runtime behavior, inject context, or turn Renma into a broad supply-chain scanner.
|
|
6
|
+
|
|
7
|
+
## Security Policy Quickstart
|
|
8
|
+
|
|
9
|
+
Add small security policy metadata to agent-facing Skills or context assets when they include network, upload, secret-handling, command execution, or other sensitive operational instructions. Renma 0.16.0 uses different serialization boundaries for Skills and non-Skill assets.
|
|
10
|
+
|
|
11
|
+
### Canonical Skill security policy
|
|
12
|
+
|
|
13
|
+
Operational Skills must be specification-valid Agent Skills. Put every Renma
|
|
14
|
+
security field under `metadata` as a flat `renma.*` string entry. Boolean values
|
|
15
|
+
are the exact strings `"true"` or `"false"`; lists are JSON-array strings
|
|
16
|
+
containing strings only:
|
|
17
|
+
|
|
18
|
+
```yaml
|
|
19
|
+
---
|
|
20
|
+
name: local-triage
|
|
21
|
+
description: Review local diagnostics safely. Use when repository-local failure evidence needs deterministic security review.
|
|
22
|
+
metadata:
|
|
23
|
+
renma.id: skill.diagnostics.local-triage
|
|
24
|
+
renma.owner: qa-platform
|
|
25
|
+
renma.status: stable
|
|
26
|
+
renma.allowed-data: '["repo-local-files","sanitized-ci-diagnostics"]'
|
|
27
|
+
renma.network-allowed: "true"
|
|
28
|
+
renma.external-upload-allowed: "false"
|
|
29
|
+
renma.secrets-allowed: "false"
|
|
30
|
+
renma.requires-human-approval: "true"
|
|
31
|
+
renma.forbidden-inputs: '["secrets","credentials","tokens"]'
|
|
32
|
+
---
|
|
33
|
+
```
|
|
34
|
+
|
|
35
|
+
Canonical list fields also include
|
|
36
|
+
`renma.approved-network-destinations` and
|
|
37
|
+
`renma.approved-upload-destinations`. Invalid recognized canonical values fail
|
|
38
|
+
closed: Renma reports their exact evidence, preserves already-reviewed
|
|
39
|
+
restrictive inherited policy when that is safer, and prevents permissive
|
|
40
|
+
inheritance. Invalid allowed-data permissions remain unresolved, invalid
|
|
41
|
+
forbidden-input declarations do not remove inherited restrictions, and invalid
|
|
42
|
+
destination allowlists do not disable destination validation.
|
|
43
|
+
|
|
44
|
+
Asset-local explicit denials remain stricter than inherited profile or
|
|
45
|
+
repository allowances. For example, `renma.external-upload-allowed: "false"`
|
|
46
|
+
still blocks upload instructions even if a selected profile or repository
|
|
47
|
+
config allows uploads elsewhere.
|
|
48
|
+
|
|
49
|
+
### Non-Skill security policy
|
|
50
|
+
|
|
51
|
+
Contexts and other non-Skill assets retain the existing top-level syntax:
|
|
52
|
+
|
|
53
|
+
```yaml
|
|
54
|
+
---
|
|
55
|
+
id: context.diagnostics.local-triage
|
|
56
|
+
allowed_data:
|
|
57
|
+
- repo-local-files
|
|
58
|
+
- sanitized-ci-diagnostics
|
|
59
|
+
network_allowed: true
|
|
60
|
+
external_upload_allowed: false
|
|
61
|
+
secrets_allowed: false
|
|
62
|
+
requires_human_approval: true
|
|
63
|
+
forbidden_inputs:
|
|
64
|
+
- secrets
|
|
65
|
+
- credentials
|
|
66
|
+
- tokens
|
|
67
|
+
approved_network_destinations:
|
|
68
|
+
- github.com
|
|
69
|
+
approved_upload_destinations: []
|
|
70
|
+
security_profile: local-ci-diagnostics
|
|
71
|
+
---
|
|
72
|
+
```
|
|
73
|
+
|
|
74
|
+
These top-level fields are operational only for non-Skill assets. Pre-0.16
|
|
75
|
+
top-level Skill security fields are accepted only by `suggest-metadata` as
|
|
76
|
+
one-way migration input; normal scan consumers do not use them as Skill policy.
|
|
77
|
+
|
|
78
|
+
### Allowed data vocabulary
|
|
79
|
+
|
|
80
|
+
For Skills, `renma.allowed-data` describes the allowed input categories. For
|
|
81
|
+
non-Skill assets, the equivalent field is `allowed_data`. This vocabulary is
|
|
82
|
+
not a strict closed enum: projects may define their own
|
|
83
|
+
data-source categories when they need domain-specific names. Prefer descriptive,
|
|
84
|
+
stable values so humans, diagnostics, trust graph output, readiness checks, and
|
|
85
|
+
future automation can reason about declared data boundaries consistently.
|
|
86
|
+
|
|
87
|
+
Recommended vocabulary:
|
|
88
|
+
|
|
89
|
+
| Value | Meaning |
|
|
90
|
+
| --- | --- |
|
|
91
|
+
| `repo-local-files` | Files inside the target repository or scan root. |
|
|
92
|
+
| `skill-bundled-context` | Context files bundled with or explicitly declared by the skill. |
|
|
93
|
+
| `referenced-authenticated-internal-docs` | Authenticated internal documents explicitly referenced by the skill or its context assets. |
|
|
94
|
+
| `sanitized-ci-diagnostics` | CI logs, test results, and failure diagnostics that have been sanitized or redacted before being provided to the LLM. |
|
|
95
|
+
| `public-docs` | Publicly available documentation, specifications, or references. |
|
|
96
|
+
| `disclosed-user-provided-data` | Data explicitly provided or disclosed by the user for the current task. |
|
|
97
|
+
|
|
98
|
+
Important: allowed-data metadata does not grant broad access to all matching data. For
|
|
99
|
+
example, `referenced-authenticated-internal-docs` means authenticated internal
|
|
100
|
+
documents that are explicitly referenced by the skill or its context assets. It
|
|
101
|
+
does not mean that the skill may freely search all internal documents.
|
|
102
|
+
|
|
103
|
+
Legacy or coarse values such as `public` and `disclosed` are still accepted, but
|
|
104
|
+
prefer values such as `public-docs` and `disclosed-user-provided-data` in new or
|
|
105
|
+
updated assets.
|
|
106
|
+
|
|
107
|
+
Common patterns:
|
|
108
|
+
|
|
109
|
+
Basic repo-local Skill:
|
|
110
|
+
|
|
111
|
+
```yaml
|
|
112
|
+
metadata:
|
|
113
|
+
renma.allowed-data: '["repo-local-files","skill-bundled-context"]'
|
|
114
|
+
```
|
|
115
|
+
|
|
116
|
+
Internal-doc-backed review skill:
|
|
117
|
+
|
|
118
|
+
```yaml
|
|
119
|
+
metadata:
|
|
120
|
+
renma.allowed-data: '["repo-local-files","skill-bundled-context","referenced-authenticated-internal-docs"]'
|
|
121
|
+
```
|
|
122
|
+
|
|
123
|
+
CI failure diagnosis skill:
|
|
124
|
+
|
|
125
|
+
```yaml
|
|
126
|
+
metadata:
|
|
127
|
+
renma.allowed-data: '["repo-local-files","sanitized-ci-diagnostics"]'
|
|
128
|
+
```
|
|
129
|
+
|
|
130
|
+
OSS or public documentation skill:
|
|
131
|
+
|
|
132
|
+
```yaml
|
|
133
|
+
metadata:
|
|
134
|
+
renma.allowed-data: '["repo-local-files","public-docs"]'
|
|
135
|
+
```
|
|
136
|
+
|
|
137
|
+
User-provided input skill:
|
|
138
|
+
|
|
139
|
+
```yaml
|
|
140
|
+
metadata:
|
|
141
|
+
renma.allowed-data: '["disclosed-user-provided-data","skill-bundled-context"]'
|
|
142
|
+
```
|
|
143
|
+
|
|
144
|
+
### Reusable security profiles
|
|
145
|
+
|
|
146
|
+
Use a security profile when many assets share the same policy, a team wants a reusable security contract, or policy should be centrally updated in `renma.config.json`.
|
|
147
|
+
|
|
148
|
+
Configure profiles under `security.profiles`:
|
|
149
|
+
|
|
150
|
+
```json
|
|
151
|
+
{
|
|
152
|
+
"security": {
|
|
153
|
+
"profiles": {
|
|
154
|
+
"local-ci-diagnostics": {
|
|
155
|
+
"allowedData": ["repo-local-files", "sanitized-ci-diagnostics"],
|
|
156
|
+
"networkAllowed": true,
|
|
157
|
+
"externalUploadAllowed": false,
|
|
158
|
+
"secretsAllowed": false,
|
|
159
|
+
"humanApprovalRequired": true,
|
|
160
|
+
"forbiddenInputs": ["secrets", "credentials", "tokens"],
|
|
161
|
+
"approvedDomains": ["github.com"],
|
|
162
|
+
"approvedUploadDomains": []
|
|
163
|
+
}
|
|
164
|
+
}
|
|
165
|
+
}
|
|
166
|
+
}
|
|
167
|
+
```
|
|
168
|
+
|
|
169
|
+
Select the profile from a Skill with canonical metadata:
|
|
170
|
+
|
|
171
|
+
```yaml
|
|
172
|
+
---
|
|
173
|
+
name: local-triage
|
|
174
|
+
description: Review local diagnostics safely. Use when repository-local failure evidence needs deterministic security review.
|
|
175
|
+
metadata:
|
|
176
|
+
renma.security-profile: local-ci-diagnostics
|
|
177
|
+
---
|
|
178
|
+
```
|
|
179
|
+
|
|
180
|
+
For a non-Skill asset, use the existing top-level
|
|
181
|
+
`security_profile: local-ci-diagnostics` field.
|
|
182
|
+
|
|
183
|
+
### Repository-level security config
|
|
184
|
+
|
|
185
|
+
Use repo-level `security.approvedDomains`, `security.approvedUploadDomains`, or `security.disallowedCommands` when the policy applies across the repository and common destinations or disallowed commands should be shared.
|
|
186
|
+
|
|
187
|
+
```json
|
|
188
|
+
{
|
|
189
|
+
"security": {
|
|
190
|
+
"approvedDomains": ["github.com"],
|
|
191
|
+
"approvedUploadDomains": [],
|
|
192
|
+
"disallowedCommands": ["gh gist create"],
|
|
193
|
+
"profiles": {}
|
|
194
|
+
}
|
|
195
|
+
}
|
|
196
|
+
```
|
|
197
|
+
|
|
198
|
+
### Choosing where to put policy
|
|
199
|
+
|
|
200
|
+
Prefer the narrowest policy location that matches the decision:
|
|
201
|
+
|
|
202
|
+
- Use asset-local fields for one-off restrictions, explicit denials, or sensitive instructions that need nearby review.
|
|
203
|
+
- Use `renma.security-profile` for a Skill or top-level `security_profile` for a non-Skill asset when selecting reusable team contracts.
|
|
204
|
+
- Use repository-level security config for common approved network destinations, upload destinations, or disallowed commands that apply broadly.
|
|
205
|
+
|
|
206
|
+
If settings disagree, keep the stricter effective policy. Do not relax asset-local denials through a profile or repository allowance.
|
|
207
|
+
|
|
208
|
+
### Human approval semantics
|
|
209
|
+
|
|
210
|
+
For a Skill, `renma.requires-human-approval: "true"` requires explicit nearby
|
|
211
|
+
approval wording for sensitive actions. The non-Skill equivalent is top-level
|
|
212
|
+
`requires_human_approval: true`. Dry-run, backup, rollback, or restore guidance
|
|
213
|
+
is useful, but it does not replace explicit approval when approval is required.
|
|
214
|
+
|
|
215
|
+
Keep approval wording close to the action it guards, especially for uploads, external sharing, privileged commands, destructive commands, or secret-handling workflows.
|
|
216
|
+
|
|
217
|
+
### Network approval vs upload approval
|
|
218
|
+
|
|
219
|
+
`approvedDomains` does not imply upload approval. Network access and upload permission are separate decisions.
|
|
220
|
+
|
|
221
|
+
For Skills, use `renma.approved-network-destinations` and
|
|
222
|
+
`renma.approved-upload-destinations` JSON-array strings. For non-Skill assets,
|
|
223
|
+
use top-level `approved_network_destinations` and
|
|
224
|
+
`approved_upload_destinations`. Profile `approvedDomains` and
|
|
225
|
+
`approvedUploadDomains`, and repository `security.approvedDomains` and
|
|
226
|
+
`security.approvedUploadDomains`, keep their existing config syntax.
|
|
227
|
+
|
|
228
|
+
### Forbidden inputs
|
|
229
|
+
|
|
230
|
+
Use `renma.forbidden-inputs` for a Skill and top-level `forbidden_inputs` for a
|
|
231
|
+
non-Skill asset to name data classes it must not request, copy, upload,
|
|
232
|
+
summarize, or include in prompts. Common examples are `secrets`, `credentials`,
|
|
233
|
+
`tokens`, `private keys`, `.env files`, customer data, and production logs.
|
|
234
|
+
|
|
235
|
+
Safe negative wording is useful:
|
|
236
|
+
|
|
237
|
+
```markdown
|
|
238
|
+
Never copy private keys, tokens, credentials, or `.env` files into prompts, logs, uploads, or diagnostics.
|
|
239
|
+
```
|
|
240
|
+
|
|
241
|
+
### Defensive guidance and false positives
|
|
242
|
+
|
|
243
|
+
Renma security diagnostics are conservative heuristics for discovered agent-facing assets. Defensive wording can avoid false positives when it is specific and close to the risky instruction.
|
|
244
|
+
|
|
245
|
+
Unsafe upload:
|
|
246
|
+
|
|
247
|
+
```markdown
|
|
248
|
+
Upload the full repository to S3.
|
|
249
|
+
```
|
|
250
|
+
|
|
251
|
+
Safer:
|
|
252
|
+
|
|
253
|
+
```markdown
|
|
254
|
+
Do not upload repository files externally. If sharing diagnostics is required, provide only redacted snippets after explicit human approval.
|
|
255
|
+
```
|
|
256
|
+
|
|
257
|
+
Unsafe secret handling:
|
|
258
|
+
|
|
259
|
+
```markdown
|
|
260
|
+
Copy ~/.ssh/id_ed25519 into the prompt.
|
|
261
|
+
```
|
|
262
|
+
|
|
263
|
+
Safer:
|
|
264
|
+
|
|
265
|
+
```markdown
|
|
266
|
+
Never copy private keys, tokens, credentials, or `.env` files into prompts, logs, uploads, or diagnostics.
|
|
267
|
+
```
|
|
268
|
+
|
|
269
|
+
Unsafe destructive command:
|
|
270
|
+
|
|
271
|
+
```bash
|
|
272
|
+
rm -rf /tmp/renma-output
|
|
273
|
+
```
|
|
274
|
+
|
|
275
|
+
Safer:
|
|
276
|
+
|
|
277
|
+
```markdown
|
|
278
|
+
Only after explicit human approval, run a scoped cleanup command. Use dry-run where available, keep a backup or rollback path, and verify the affected path before execution.
|
|
279
|
+
```
|
|
280
|
+
|
|
281
|
+
## Security Review Taxonomy
|
|
282
|
+
|
|
283
|
+
Renma remains a static, compile-time-style scanner. It reads repository text and metadata, emits deterministic findings, and does not become a runtime network blocker, sandbox, or policy enforcement layer.
|
|
284
|
+
|
|
285
|
+
Security findings may include `riskClass` so reviewers can distinguish clear violations from suspicious patterns and advisory hardening:
|
|
286
|
+
|
|
287
|
+
- `violation`: a rule or safety contract is broken.
|
|
288
|
+
- `suspicious`: risky or ambiguous guidance needs review but is not necessarily a direct violation.
|
|
289
|
+
- `advisory`: governance or hardening guidance, such as missing policy metadata.
|
|
290
|
+
|
|
291
|
+
`riskClass` helps humans triage security review. Runtime network enforcement remains the responsibility of the sandbox, execution environment, MCP server, network policy, or other controls around the agent.
|
|
292
|
+
|
|
293
|
+
## Security Posture Summaries
|
|
294
|
+
|
|
295
|
+
Renma can summarize security posture from existing static security findings. The summary groups findings by `riskClass` (`violation`, `suspicious`, `advisory`, and `unclassified`) and by severity, and reports high/critical security finding counts.
|
|
296
|
+
|
|
297
|
+
This is reporting-only in v1:
|
|
298
|
+
|
|
299
|
+
- it does not add new detectors
|
|
300
|
+
- it does not change scan `fail_on`
|
|
301
|
+
- it does not change readiness score or readiness level
|
|
302
|
+
- it does not change CI pass/warn/fail status
|
|
303
|
+
- it does not enforce runtime network, upload, sandbox, or tool behavior
|
|
304
|
+
|
|
305
|
+
Runtime enforcement remains outside Renma.
|
|
306
|
+
|
|
307
|
+
### Effective policy inventory
|
|
308
|
+
|
|
309
|
+
Renma can also summarize the effective static policy surface across discovered assets. The inventory is derived from asset-local policy metadata, selected security-profile chains, and repository-level `security` config.
|
|
310
|
+
|
|
311
|
+
The inventory reports policy coverage, network/upload/secrets booleans, human approval requirements, approved destinations, forbidden inputs, disallowed commands, and profile resolution counts. It is reporting-only in v1 and does not enforce runtime behavior.
|
|
312
|
+
|
|
313
|
+
`renma trust-graph` also includes effective policy evidence. Each effective policy node uses a deterministic fingerprint over normalized allowed data, forbidden inputs, network/upload/secrets booleans, human approval requirement, approved destinations, and disallowed commands. The graph links assets to selected security-profile values and to their effective policy fingerprint; it does not enforce the policy at runtime.
|
|
314
|
+
|
|
315
|
+
### Security-aware semantic diff
|
|
316
|
+
|
|
317
|
+
`renma diff` and `renma ci-report` can summarize how security posture and effective security policy inventory changed between two revisions.
|
|
318
|
+
|
|
319
|
+
The diff uses existing static findings and existing policy metadata/config summaries. It does not add new detectors, change runtime behavior, change scan `fail_on`, change readiness scoring, or change CI pass/warn/fail status in v1.
|
|
320
|
+
|
|
321
|
+
## Common Security Diagnostics
|
|
322
|
+
|
|
323
|
+
Use this table to choose the right kind of fix. For full finding definitions, see [Diagnostics Reference](diagnostics.md).
|
|
324
|
+
|
|
325
|
+
| Finding | Usually means | What to change | Fix area |
|
|
326
|
+
| --- | --- | --- | --- |
|
|
327
|
+
| `SEC-INVALID-CANONICAL-POLICY-METADATA` | A recognized Skill `metadata.renma.*` security value has an invalid encoding. | Confirm the intended policy, then replace it with the exact documented string encoding; do not guess a permissive value. | Skill metadata |
|
|
328
|
+
| `SEC-MISSING-POLICY-METADATA` | Sensitive instructions lack a declared policy. | Add local policy fields or select a configured security profile using the syntax for that asset kind. | Metadata |
|
|
329
|
+
| `SEC-INSTRUCTION-VIOLATES-POLICY` | Body text asks for behavior denied by policy. | Rewrite the instruction or adjust policy only after review. | Body text and metadata |
|
|
330
|
+
| `SEC-MISSING-HUMAN-APPROVAL-GUARD` | A sensitive action lacks nearby approval wording. | Add explicit human approval close to the action. | Body text |
|
|
331
|
+
| `SEC-UNAPPROVED-NETWORK-DESTINATION` | An instruction contacts a host outside approved network destinations. | Enumerate the actual required domains in asset/profile/repo network approvals after review. | Body text, metadata, or config |
|
|
332
|
+
| `SEC-UNAPPROVED-UPLOAD-DESTINATION` | An upload target is not in upload approvals. | Use an approved upload target or update upload approvals intentionally. | Body text, metadata, or config |
|
|
333
|
+
| `SEC-FORBIDDEN-INPUT-INSTRUCTION` | The asset asks for data listed in its forbidden-input policy. | Remove the request or replace it with redaction and placeholder guidance. | Body text and metadata |
|
|
334
|
+
| `SEC-SECRET-MATERIAL-INSTRUCTION` | Instructions may expose private keys, tokens, credentials, or secret files. | Remove secret collection or disclosure instructions. | Body text |
|
|
335
|
+
| `SEC-DESTRUCTIVE-COMMAND` | A destructive command appears without enough local safety context. | Remove it, scope it tightly, or add explicit approval and recovery guidance. | Body text |
|
|
336
|
+
| `SEC-PRIVILEGED-COMMAND-WITHOUT-GUARD` | `sudo` or similar privileged action lacks guardrails. | Add prerequisites, confirmation, rollback, and verification guidance. | Body text |
|
|
337
|
+
| `SEC-UNPINNED-REMOTE-SCRIPT` | A remote script is executed without an immutable source or verification. | Pin and verify the source, or avoid remote execution. | Body text |
|
|
338
|
+
| `SEC-UNPINNED-DEPENDENCY-INSTALL` | An install example lacks exact version or digest pinning. | Pin package versions or use a reproducible install source. | Body text |
|