renma 0.15.2 → 0.17.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (126) hide show
  1. package/CHANGELOG.md +54 -1
  2. package/README.md +216 -655
  3. package/architecture.md +523 -0
  4. package/design.md +458 -0
  5. package/dist/agent-skills.d.ts +77 -0
  6. package/dist/agent-skills.d.ts.map +1 -0
  7. package/dist/agent-skills.js +468 -0
  8. package/dist/agent-skills.js.map +1 -0
  9. package/dist/catalog.d.ts.map +1 -1
  10. package/dist/catalog.js +38 -5
  11. package/dist/catalog.js.map +1 -1
  12. package/dist/cli-help.d.ts +13 -11
  13. package/dist/cli-help.d.ts.map +1 -1
  14. package/dist/cli-help.js +36 -11
  15. package/dist/cli-help.js.map +1 -1
  16. package/dist/cli.d.ts.map +1 -1
  17. package/dist/cli.js +139 -40
  18. package/dist/cli.js.map +1 -1
  19. package/dist/commands/catalog.d.ts.map +1 -1
  20. package/dist/commands/catalog.js +4 -3
  21. package/dist/commands/catalog.js.map +1 -1
  22. package/dist/commands/graph.d.ts.map +1 -1
  23. package/dist/commands/graph.js +7 -12
  24. package/dist/commands/graph.js.map +1 -1
  25. package/dist/commands/readiness.d.ts.map +1 -1
  26. package/dist/commands/readiness.js +7 -6
  27. package/dist/commands/readiness.js.map +1 -1
  28. package/dist/commands/scaffold.d.ts.map +1 -1
  29. package/dist/commands/scaffold.js +59 -16
  30. package/dist/commands/scaffold.js.map +1 -1
  31. package/dist/commands/suggest-metadata.d.ts +3 -1
  32. package/dist/commands/suggest-metadata.d.ts.map +1 -1
  33. package/dist/commands/suggest-metadata.js +226 -7
  34. package/dist/commands/suggest-metadata.js.map +1 -1
  35. package/dist/commands/suggest-semantic-split.js +3 -3
  36. package/dist/commands/suggest-semantic-split.js.map +1 -1
  37. package/dist/dependency-resolution.d.ts +6 -0
  38. package/dist/dependency-resolution.d.ts.map +1 -0
  39. package/dist/dependency-resolution.js +11 -0
  40. package/dist/dependency-resolution.js.map +1 -0
  41. package/dist/diagnostic-ids.d.ts +29 -0
  42. package/dist/diagnostic-ids.d.ts.map +1 -1
  43. package/dist/diagnostic-ids.js +28 -0
  44. package/dist/diagnostic-ids.js.map +1 -1
  45. package/dist/discovery.d.ts +50 -0
  46. package/dist/discovery.d.ts.map +1 -1
  47. package/dist/discovery.js +183 -25
  48. package/dist/discovery.js.map +1 -1
  49. package/dist/metadata.d.ts +3 -1
  50. package/dist/metadata.d.ts.map +1 -1
  51. package/dist/metadata.js +166 -29
  52. package/dist/metadata.js.map +1 -1
  53. package/dist/model.d.ts +1 -0
  54. package/dist/model.d.ts.map +1 -1
  55. package/dist/report.d.ts.map +1 -1
  56. package/dist/report.js +16 -1
  57. package/dist/report.js.map +1 -1
  58. package/dist/repository-paths.d.ts +13 -0
  59. package/dist/repository-paths.d.ts.map +1 -1
  60. package/dist/repository-paths.js +60 -2
  61. package/dist/repository-paths.js.map +1 -1
  62. package/dist/rules.d.ts.map +1 -1
  63. package/dist/rules.js +97 -107
  64. package/dist/rules.js.map +1 -1
  65. package/dist/scanner.d.ts.map +1 -1
  66. package/dist/scanner.js +3 -1
  67. package/dist/scanner.js.map +1 -1
  68. package/dist/security-diagnostics.d.ts.map +1 -1
  69. package/dist/security-diagnostics.js +98 -35
  70. package/dist/security-diagnostics.js.map +1 -1
  71. package/dist/security-policy-inventory.js +11 -4
  72. package/dist/security-policy-inventory.js.map +1 -1
  73. package/dist/security-policy.d.ts +27 -1
  74. package/dist/security-policy.d.ts.map +1 -1
  75. package/dist/security-policy.js +247 -34
  76. package/dist/security-policy.js.map +1 -1
  77. package/dist/skill-migration.d.ts +30 -0
  78. package/dist/skill-migration.d.ts.map +1 -0
  79. package/dist/skill-migration.js +566 -0
  80. package/dist/skill-migration.js.map +1 -0
  81. package/dist/trust-graph.d.ts.map +1 -1
  82. package/dist/trust-graph.js +7 -11
  83. package/dist/trust-graph.js.map +1 -1
  84. package/dist/types.d.ts +3 -1
  85. package/dist/types.d.ts.map +1 -1
  86. package/dist/yaml-frontmatter.d.ts +26 -0
  87. package/dist/yaml-frontmatter.d.ts.map +1 -0
  88. package/dist/yaml-frontmatter.js +114 -0
  89. package/dist/yaml-frontmatter.js.map +1 -0
  90. package/docs/README.md +55 -0
  91. package/docs/advanced-skill-authoring.md +140 -0
  92. package/docs/agent-skills-compatibility.md +500 -0
  93. package/docs/authoring-guide.md +324 -0
  94. package/docs/context-conflict-diagnostics.md +32 -0
  95. package/docs/context-language-diagnostics.md +99 -0
  96. package/docs/context-lens.md +253 -0
  97. package/docs/context-lifecycle-diagnostics.md +55 -0
  98. package/docs/diagnostics.md +373 -0
  99. package/docs/metadata-budget.md +14 -0
  100. package/docs/repository-context-bom.md +113 -0
  101. package/docs/security-policy.md +338 -0
  102. package/docs/user-manual.md +813 -0
  103. package/examples/context-lens/README.md +101 -0
  104. package/examples/context-lens/contexts/testing/boundary-value-analysis.md +23 -0
  105. package/examples/context-lens/lenses/testing/spec-review-boundary-values.md +29 -0
  106. package/examples/context-lens/lenses/testing/test-design-boundary-values.md +29 -0
  107. package/examples/context-lens/skills/testing/spec-review/SKILL.md +49 -0
  108. package/examples/context-repo/README.md +149 -0
  109. package/examples/context-repo/contexts/domain/payment/idempotency.md +20 -0
  110. package/examples/context-repo/contexts/testing/boundary-value-analysis.md +19 -0
  111. package/examples/context-repo/contexts/testing/negative-testing.md +19 -0
  112. package/examples/context-repo/lenses/testing/spec-review-boundary-values.md +35 -0
  113. package/examples/context-repo/renma.config.json +12 -0
  114. package/examples/context-repo/skills/testing/spec-review/SKILL.md +66 -0
  115. package/examples/context-repo/tools/appium/README.md +14 -0
  116. package/examples/github-actions/renma-ci-report.yml +36 -0
  117. package/examples/interactive-placeholder/README.md +104 -0
  118. package/examples/interactive-placeholder/assets/template.txt +1 -0
  119. package/examples/interactive-placeholder/renma.config.json +6 -0
  120. package/examples/interactive-placeholder/skills/replace-placeholder/SKILL.md +54 -0
  121. package/examples/interactive-placeholder/tools/README.md +48 -0
  122. package/examples/interactive-placeholder/tools/placeholder-demo.mjs +99 -0
  123. package/package.json +11 -1
  124. package/plan-discovery.md +740 -0
  125. package/plan.md +150 -0
  126. package/scripts/verify-package.mjs +97 -0
@@ -0,0 +1,338 @@
1
+ # Renma Security Policy Guide
2
+
3
+ Use this guide when writing security-sensitive skills or context assets. It is a practical policy-authoring companion to the [User Manual](user-manual.md). For full finding definitions, see the [Diagnostics Reference](diagnostics.md).
4
+
5
+ Renma security diagnostics are deterministic repository checks for agent-facing operational instructions. They do not execute commands, call an LLM, enforce runtime behavior, inject context, or turn Renma into a broad supply-chain scanner.
6
+
7
+ ## Security Policy Quickstart
8
+
9
+ Add small security policy metadata to agent-facing Skills or context assets when they include network, upload, secret-handling, command execution, or other sensitive operational instructions. Renma 0.16.0 uses different serialization boundaries for Skills and non-Skill assets.
10
+
11
+ ### Canonical Skill security policy
12
+
13
+ Operational Skills must be specification-valid Agent Skills. Put every Renma
14
+ security field under `metadata` as a flat `renma.*` string entry. Boolean values
15
+ are the exact strings `"true"` or `"false"`; lists are JSON-array strings
16
+ containing strings only:
17
+
18
+ ```yaml
19
+ ---
20
+ name: local-triage
21
+ description: Review local diagnostics safely. Use when repository-local failure evidence needs deterministic security review.
22
+ metadata:
23
+ renma.id: skill.diagnostics.local-triage
24
+ renma.owner: qa-platform
25
+ renma.status: stable
26
+ renma.allowed-data: '["repo-local-files","sanitized-ci-diagnostics"]'
27
+ renma.network-allowed: "true"
28
+ renma.external-upload-allowed: "false"
29
+ renma.secrets-allowed: "false"
30
+ renma.requires-human-approval: "true"
31
+ renma.forbidden-inputs: '["secrets","credentials","tokens"]'
32
+ ---
33
+ ```
34
+
35
+ Canonical list fields also include
36
+ `renma.approved-network-destinations` and
37
+ `renma.approved-upload-destinations`. Invalid recognized canonical values fail
38
+ closed: Renma reports their exact evidence, preserves already-reviewed
39
+ restrictive inherited policy when that is safer, and prevents permissive
40
+ inheritance. Invalid allowed-data permissions remain unresolved, invalid
41
+ forbidden-input declarations do not remove inherited restrictions, and invalid
42
+ destination allowlists do not disable destination validation.
43
+
44
+ Asset-local explicit denials remain stricter than inherited profile or
45
+ repository allowances. For example, `renma.external-upload-allowed: "false"`
46
+ still blocks upload instructions even if a selected profile or repository
47
+ config allows uploads elsewhere.
48
+
49
+ ### Non-Skill security policy
50
+
51
+ Contexts and other non-Skill assets retain the existing top-level syntax:
52
+
53
+ ```yaml
54
+ ---
55
+ id: context.diagnostics.local-triage
56
+ allowed_data:
57
+ - repo-local-files
58
+ - sanitized-ci-diagnostics
59
+ network_allowed: true
60
+ external_upload_allowed: false
61
+ secrets_allowed: false
62
+ requires_human_approval: true
63
+ forbidden_inputs:
64
+ - secrets
65
+ - credentials
66
+ - tokens
67
+ approved_network_destinations:
68
+ - github.com
69
+ approved_upload_destinations: []
70
+ security_profile: local-ci-diagnostics
71
+ ---
72
+ ```
73
+
74
+ These top-level fields are operational only for non-Skill assets. Pre-0.16
75
+ top-level Skill security fields are accepted only by `suggest-metadata` as
76
+ one-way migration input; normal scan consumers do not use them as Skill policy.
77
+
78
+ ### Allowed data vocabulary
79
+
80
+ For Skills, `renma.allowed-data` describes the allowed input categories. For
81
+ non-Skill assets, the equivalent field is `allowed_data`. This vocabulary is
82
+ not a strict closed enum: projects may define their own
83
+ data-source categories when they need domain-specific names. Prefer descriptive,
84
+ stable values so humans, diagnostics, trust graph output, readiness checks, and
85
+ future automation can reason about declared data boundaries consistently.
86
+
87
+ Recommended vocabulary:
88
+
89
+ | Value | Meaning |
90
+ | --- | --- |
91
+ | `repo-local-files` | Files inside the target repository or scan root. |
92
+ | `skill-bundled-context` | Context files bundled with or explicitly declared by the skill. |
93
+ | `referenced-authenticated-internal-docs` | Authenticated internal documents explicitly referenced by the skill or its context assets. |
94
+ | `sanitized-ci-diagnostics` | CI logs, test results, and failure diagnostics that have been sanitized or redacted before being provided to the LLM. |
95
+ | `public-docs` | Publicly available documentation, specifications, or references. |
96
+ | `disclosed-user-provided-data` | Data explicitly provided or disclosed by the user for the current task. |
97
+
98
+ Important: allowed-data metadata does not grant broad access to all matching data. For
99
+ example, `referenced-authenticated-internal-docs` means authenticated internal
100
+ documents that are explicitly referenced by the skill or its context assets. It
101
+ does not mean that the skill may freely search all internal documents.
102
+
103
+ Legacy or coarse values such as `public` and `disclosed` are still accepted, but
104
+ prefer values such as `public-docs` and `disclosed-user-provided-data` in new or
105
+ updated assets.
106
+
107
+ Common patterns:
108
+
109
+ Basic repo-local Skill:
110
+
111
+ ```yaml
112
+ metadata:
113
+ renma.allowed-data: '["repo-local-files","skill-bundled-context"]'
114
+ ```
115
+
116
+ Internal-doc-backed review skill:
117
+
118
+ ```yaml
119
+ metadata:
120
+ renma.allowed-data: '["repo-local-files","skill-bundled-context","referenced-authenticated-internal-docs"]'
121
+ ```
122
+
123
+ CI failure diagnosis skill:
124
+
125
+ ```yaml
126
+ metadata:
127
+ renma.allowed-data: '["repo-local-files","sanitized-ci-diagnostics"]'
128
+ ```
129
+
130
+ OSS or public documentation skill:
131
+
132
+ ```yaml
133
+ metadata:
134
+ renma.allowed-data: '["repo-local-files","public-docs"]'
135
+ ```
136
+
137
+ User-provided input skill:
138
+
139
+ ```yaml
140
+ metadata:
141
+ renma.allowed-data: '["disclosed-user-provided-data","skill-bundled-context"]'
142
+ ```
143
+
144
+ ### Reusable security profiles
145
+
146
+ Use a security profile when many assets share the same policy, a team wants a reusable security contract, or policy should be centrally updated in `renma.config.json`.
147
+
148
+ Configure profiles under `security.profiles`:
149
+
150
+ ```json
151
+ {
152
+ "security": {
153
+ "profiles": {
154
+ "local-ci-diagnostics": {
155
+ "allowedData": ["repo-local-files", "sanitized-ci-diagnostics"],
156
+ "networkAllowed": true,
157
+ "externalUploadAllowed": false,
158
+ "secretsAllowed": false,
159
+ "humanApprovalRequired": true,
160
+ "forbiddenInputs": ["secrets", "credentials", "tokens"],
161
+ "approvedDomains": ["github.com"],
162
+ "approvedUploadDomains": []
163
+ }
164
+ }
165
+ }
166
+ }
167
+ ```
168
+
169
+ Select the profile from a Skill with canonical metadata:
170
+
171
+ ```yaml
172
+ ---
173
+ name: local-triage
174
+ description: Review local diagnostics safely. Use when repository-local failure evidence needs deterministic security review.
175
+ metadata:
176
+ renma.security-profile: local-ci-diagnostics
177
+ ---
178
+ ```
179
+
180
+ For a non-Skill asset, use the existing top-level
181
+ `security_profile: local-ci-diagnostics` field.
182
+
183
+ ### Repository-level security config
184
+
185
+ Use repo-level `security.approvedDomains`, `security.approvedUploadDomains`, or `security.disallowedCommands` when the policy applies across the repository and common destinations or disallowed commands should be shared.
186
+
187
+ ```json
188
+ {
189
+ "security": {
190
+ "approvedDomains": ["github.com"],
191
+ "approvedUploadDomains": [],
192
+ "disallowedCommands": ["gh gist create"],
193
+ "profiles": {}
194
+ }
195
+ }
196
+ ```
197
+
198
+ ### Choosing where to put policy
199
+
200
+ Prefer the narrowest policy location that matches the decision:
201
+
202
+ - Use asset-local fields for one-off restrictions, explicit denials, or sensitive instructions that need nearby review.
203
+ - Use `renma.security-profile` for a Skill or top-level `security_profile` for a non-Skill asset when selecting reusable team contracts.
204
+ - Use repository-level security config for common approved network destinations, upload destinations, or disallowed commands that apply broadly.
205
+
206
+ If settings disagree, keep the stricter effective policy. Do not relax asset-local denials through a profile or repository allowance.
207
+
208
+ ### Human approval semantics
209
+
210
+ For a Skill, `renma.requires-human-approval: "true"` requires explicit nearby
211
+ approval wording for sensitive actions. The non-Skill equivalent is top-level
212
+ `requires_human_approval: true`. Dry-run, backup, rollback, or restore guidance
213
+ is useful, but it does not replace explicit approval when approval is required.
214
+
215
+ Keep approval wording close to the action it guards, especially for uploads, external sharing, privileged commands, destructive commands, or secret-handling workflows.
216
+
217
+ ### Network approval vs upload approval
218
+
219
+ `approvedDomains` does not imply upload approval. Network access and upload permission are separate decisions.
220
+
221
+ For Skills, use `renma.approved-network-destinations` and
222
+ `renma.approved-upload-destinations` JSON-array strings. For non-Skill assets,
223
+ use top-level `approved_network_destinations` and
224
+ `approved_upload_destinations`. Profile `approvedDomains` and
225
+ `approvedUploadDomains`, and repository `security.approvedDomains` and
226
+ `security.approvedUploadDomains`, keep their existing config syntax.
227
+
228
+ ### Forbidden inputs
229
+
230
+ Use `renma.forbidden-inputs` for a Skill and top-level `forbidden_inputs` for a
231
+ non-Skill asset to name data classes it must not request, copy, upload,
232
+ summarize, or include in prompts. Common examples are `secrets`, `credentials`,
233
+ `tokens`, `private keys`, `.env files`, customer data, and production logs.
234
+
235
+ Safe negative wording is useful:
236
+
237
+ ```markdown
238
+ Never copy private keys, tokens, credentials, or `.env` files into prompts, logs, uploads, or diagnostics.
239
+ ```
240
+
241
+ ### Defensive guidance and false positives
242
+
243
+ Renma security diagnostics are conservative heuristics for discovered agent-facing assets. Defensive wording can avoid false positives when it is specific and close to the risky instruction.
244
+
245
+ Unsafe upload:
246
+
247
+ ```markdown
248
+ Upload the full repository to S3.
249
+ ```
250
+
251
+ Safer:
252
+
253
+ ```markdown
254
+ Do not upload repository files externally. If sharing diagnostics is required, provide only redacted snippets after explicit human approval.
255
+ ```
256
+
257
+ Unsafe secret handling:
258
+
259
+ ```markdown
260
+ Copy ~/.ssh/id_ed25519 into the prompt.
261
+ ```
262
+
263
+ Safer:
264
+
265
+ ```markdown
266
+ Never copy private keys, tokens, credentials, or `.env` files into prompts, logs, uploads, or diagnostics.
267
+ ```
268
+
269
+ Unsafe destructive command:
270
+
271
+ ```bash
272
+ rm -rf /tmp/renma-output
273
+ ```
274
+
275
+ Safer:
276
+
277
+ ```markdown
278
+ Only after explicit human approval, run a scoped cleanup command. Use dry-run where available, keep a backup or rollback path, and verify the affected path before execution.
279
+ ```
280
+
281
+ ## Security Review Taxonomy
282
+
283
+ Renma remains a static, compile-time-style scanner. It reads repository text and metadata, emits deterministic findings, and does not become a runtime network blocker, sandbox, or policy enforcement layer.
284
+
285
+ Security findings may include `riskClass` so reviewers can distinguish clear violations from suspicious patterns and advisory hardening:
286
+
287
+ - `violation`: a rule or safety contract is broken.
288
+ - `suspicious`: risky or ambiguous guidance needs review but is not necessarily a direct violation.
289
+ - `advisory`: governance or hardening guidance, such as missing policy metadata.
290
+
291
+ `riskClass` helps humans triage security review. Runtime network enforcement remains the responsibility of the sandbox, execution environment, MCP server, network policy, or other controls around the agent.
292
+
293
+ ## Security Posture Summaries
294
+
295
+ Renma can summarize security posture from existing static security findings. The summary groups findings by `riskClass` (`violation`, `suspicious`, `advisory`, and `unclassified`) and by severity, and reports high/critical security finding counts.
296
+
297
+ This is reporting-only in v1:
298
+
299
+ - it does not add new detectors
300
+ - it does not change scan `fail_on`
301
+ - it does not change readiness score or readiness level
302
+ - it does not change CI pass/warn/fail status
303
+ - it does not enforce runtime network, upload, sandbox, or tool behavior
304
+
305
+ Runtime enforcement remains outside Renma.
306
+
307
+ ### Effective policy inventory
308
+
309
+ Renma can also summarize the effective static policy surface across discovered assets. The inventory is derived from asset-local policy metadata, selected security-profile chains, and repository-level `security` config.
310
+
311
+ The inventory reports policy coverage, network/upload/secrets booleans, human approval requirements, approved destinations, forbidden inputs, disallowed commands, and profile resolution counts. It is reporting-only in v1 and does not enforce runtime behavior.
312
+
313
+ `renma trust-graph` also includes effective policy evidence. Each effective policy node uses a deterministic fingerprint over normalized allowed data, forbidden inputs, network/upload/secrets booleans, human approval requirement, approved destinations, and disallowed commands. The graph links assets to selected security-profile values and to their effective policy fingerprint; it does not enforce the policy at runtime.
314
+
315
+ ### Security-aware semantic diff
316
+
317
+ `renma diff` and `renma ci-report` can summarize how security posture and effective security policy inventory changed between two revisions.
318
+
319
+ The diff uses existing static findings and existing policy metadata/config summaries. It does not add new detectors, change runtime behavior, change scan `fail_on`, change readiness scoring, or change CI pass/warn/fail status in v1.
320
+
321
+ ## Common Security Diagnostics
322
+
323
+ Use this table to choose the right kind of fix. For full finding definitions, see [Diagnostics Reference](diagnostics.md).
324
+
325
+ | Finding | Usually means | What to change | Fix area |
326
+ | --- | --- | --- | --- |
327
+ | `SEC-INVALID-CANONICAL-POLICY-METADATA` | A recognized Skill `metadata.renma.*` security value has an invalid encoding. | Confirm the intended policy, then replace it with the exact documented string encoding; do not guess a permissive value. | Skill metadata |
328
+ | `SEC-MISSING-POLICY-METADATA` | Sensitive instructions lack a declared policy. | Add local policy fields or select a configured security profile using the syntax for that asset kind. | Metadata |
329
+ | `SEC-INSTRUCTION-VIOLATES-POLICY` | Body text asks for behavior denied by policy. | Rewrite the instruction or adjust policy only after review. | Body text and metadata |
330
+ | `SEC-MISSING-HUMAN-APPROVAL-GUARD` | A sensitive action lacks nearby approval wording. | Add explicit human approval close to the action. | Body text |
331
+ | `SEC-UNAPPROVED-NETWORK-DESTINATION` | An instruction contacts a host outside approved network destinations. | Enumerate the actual required domains in asset/profile/repo network approvals after review. | Body text, metadata, or config |
332
+ | `SEC-UNAPPROVED-UPLOAD-DESTINATION` | An upload target is not in upload approvals. | Use an approved upload target or update upload approvals intentionally. | Body text, metadata, or config |
333
+ | `SEC-FORBIDDEN-INPUT-INSTRUCTION` | The asset asks for data listed in its forbidden-input policy. | Remove the request or replace it with redaction and placeholder guidance. | Body text and metadata |
334
+ | `SEC-SECRET-MATERIAL-INSTRUCTION` | Instructions may expose private keys, tokens, credentials, or secret files. | Remove secret collection or disclosure instructions. | Body text |
335
+ | `SEC-DESTRUCTIVE-COMMAND` | A destructive command appears without enough local safety context. | Remove it, scope it tightly, or add explicit approval and recovery guidance. | Body text |
336
+ | `SEC-PRIVILEGED-COMMAND-WITHOUT-GUARD` | `sudo` or similar privileged action lacks guardrails. | Add prerequisites, confirmation, rollback, and verification guidance. | Body text |
337
+ | `SEC-UNPINNED-REMOTE-SCRIPT` | A remote script is executed without an immutable source or verification. | Pin and verify the source, or avoid remote execution. | Body text |
338
+ | `SEC-UNPINNED-DEPENDENCY-INSTALL` | An install example lacks exact version or digest pinning. | Pin package versions or use a reproducible install source. | Body text |