renma 0.15.2 → 0.17.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (126) hide show
  1. package/CHANGELOG.md +54 -1
  2. package/README.md +216 -655
  3. package/architecture.md +523 -0
  4. package/design.md +458 -0
  5. package/dist/agent-skills.d.ts +77 -0
  6. package/dist/agent-skills.d.ts.map +1 -0
  7. package/dist/agent-skills.js +468 -0
  8. package/dist/agent-skills.js.map +1 -0
  9. package/dist/catalog.d.ts.map +1 -1
  10. package/dist/catalog.js +38 -5
  11. package/dist/catalog.js.map +1 -1
  12. package/dist/cli-help.d.ts +13 -11
  13. package/dist/cli-help.d.ts.map +1 -1
  14. package/dist/cli-help.js +36 -11
  15. package/dist/cli-help.js.map +1 -1
  16. package/dist/cli.d.ts.map +1 -1
  17. package/dist/cli.js +139 -40
  18. package/dist/cli.js.map +1 -1
  19. package/dist/commands/catalog.d.ts.map +1 -1
  20. package/dist/commands/catalog.js +4 -3
  21. package/dist/commands/catalog.js.map +1 -1
  22. package/dist/commands/graph.d.ts.map +1 -1
  23. package/dist/commands/graph.js +7 -12
  24. package/dist/commands/graph.js.map +1 -1
  25. package/dist/commands/readiness.d.ts.map +1 -1
  26. package/dist/commands/readiness.js +7 -6
  27. package/dist/commands/readiness.js.map +1 -1
  28. package/dist/commands/scaffold.d.ts.map +1 -1
  29. package/dist/commands/scaffold.js +59 -16
  30. package/dist/commands/scaffold.js.map +1 -1
  31. package/dist/commands/suggest-metadata.d.ts +3 -1
  32. package/dist/commands/suggest-metadata.d.ts.map +1 -1
  33. package/dist/commands/suggest-metadata.js +226 -7
  34. package/dist/commands/suggest-metadata.js.map +1 -1
  35. package/dist/commands/suggest-semantic-split.js +3 -3
  36. package/dist/commands/suggest-semantic-split.js.map +1 -1
  37. package/dist/dependency-resolution.d.ts +6 -0
  38. package/dist/dependency-resolution.d.ts.map +1 -0
  39. package/dist/dependency-resolution.js +11 -0
  40. package/dist/dependency-resolution.js.map +1 -0
  41. package/dist/diagnostic-ids.d.ts +29 -0
  42. package/dist/diagnostic-ids.d.ts.map +1 -1
  43. package/dist/diagnostic-ids.js +28 -0
  44. package/dist/diagnostic-ids.js.map +1 -1
  45. package/dist/discovery.d.ts +50 -0
  46. package/dist/discovery.d.ts.map +1 -1
  47. package/dist/discovery.js +183 -25
  48. package/dist/discovery.js.map +1 -1
  49. package/dist/metadata.d.ts +3 -1
  50. package/dist/metadata.d.ts.map +1 -1
  51. package/dist/metadata.js +166 -29
  52. package/dist/metadata.js.map +1 -1
  53. package/dist/model.d.ts +1 -0
  54. package/dist/model.d.ts.map +1 -1
  55. package/dist/report.d.ts.map +1 -1
  56. package/dist/report.js +16 -1
  57. package/dist/report.js.map +1 -1
  58. package/dist/repository-paths.d.ts +13 -0
  59. package/dist/repository-paths.d.ts.map +1 -1
  60. package/dist/repository-paths.js +60 -2
  61. package/dist/repository-paths.js.map +1 -1
  62. package/dist/rules.d.ts.map +1 -1
  63. package/dist/rules.js +97 -107
  64. package/dist/rules.js.map +1 -1
  65. package/dist/scanner.d.ts.map +1 -1
  66. package/dist/scanner.js +3 -1
  67. package/dist/scanner.js.map +1 -1
  68. package/dist/security-diagnostics.d.ts.map +1 -1
  69. package/dist/security-diagnostics.js +98 -35
  70. package/dist/security-diagnostics.js.map +1 -1
  71. package/dist/security-policy-inventory.js +11 -4
  72. package/dist/security-policy-inventory.js.map +1 -1
  73. package/dist/security-policy.d.ts +27 -1
  74. package/dist/security-policy.d.ts.map +1 -1
  75. package/dist/security-policy.js +247 -34
  76. package/dist/security-policy.js.map +1 -1
  77. package/dist/skill-migration.d.ts +30 -0
  78. package/dist/skill-migration.d.ts.map +1 -0
  79. package/dist/skill-migration.js +566 -0
  80. package/dist/skill-migration.js.map +1 -0
  81. package/dist/trust-graph.d.ts.map +1 -1
  82. package/dist/trust-graph.js +7 -11
  83. package/dist/trust-graph.js.map +1 -1
  84. package/dist/types.d.ts +3 -1
  85. package/dist/types.d.ts.map +1 -1
  86. package/dist/yaml-frontmatter.d.ts +26 -0
  87. package/dist/yaml-frontmatter.d.ts.map +1 -0
  88. package/dist/yaml-frontmatter.js +114 -0
  89. package/dist/yaml-frontmatter.js.map +1 -0
  90. package/docs/README.md +55 -0
  91. package/docs/advanced-skill-authoring.md +140 -0
  92. package/docs/agent-skills-compatibility.md +500 -0
  93. package/docs/authoring-guide.md +324 -0
  94. package/docs/context-conflict-diagnostics.md +32 -0
  95. package/docs/context-language-diagnostics.md +99 -0
  96. package/docs/context-lens.md +253 -0
  97. package/docs/context-lifecycle-diagnostics.md +55 -0
  98. package/docs/diagnostics.md +373 -0
  99. package/docs/metadata-budget.md +14 -0
  100. package/docs/repository-context-bom.md +113 -0
  101. package/docs/security-policy.md +338 -0
  102. package/docs/user-manual.md +813 -0
  103. package/examples/context-lens/README.md +101 -0
  104. package/examples/context-lens/contexts/testing/boundary-value-analysis.md +23 -0
  105. package/examples/context-lens/lenses/testing/spec-review-boundary-values.md +29 -0
  106. package/examples/context-lens/lenses/testing/test-design-boundary-values.md +29 -0
  107. package/examples/context-lens/skills/testing/spec-review/SKILL.md +49 -0
  108. package/examples/context-repo/README.md +149 -0
  109. package/examples/context-repo/contexts/domain/payment/idempotency.md +20 -0
  110. package/examples/context-repo/contexts/testing/boundary-value-analysis.md +19 -0
  111. package/examples/context-repo/contexts/testing/negative-testing.md +19 -0
  112. package/examples/context-repo/lenses/testing/spec-review-boundary-values.md +35 -0
  113. package/examples/context-repo/renma.config.json +12 -0
  114. package/examples/context-repo/skills/testing/spec-review/SKILL.md +66 -0
  115. package/examples/context-repo/tools/appium/README.md +14 -0
  116. package/examples/github-actions/renma-ci-report.yml +36 -0
  117. package/examples/interactive-placeholder/README.md +104 -0
  118. package/examples/interactive-placeholder/assets/template.txt +1 -0
  119. package/examples/interactive-placeholder/renma.config.json +6 -0
  120. package/examples/interactive-placeholder/skills/replace-placeholder/SKILL.md +54 -0
  121. package/examples/interactive-placeholder/tools/README.md +48 -0
  122. package/examples/interactive-placeholder/tools/placeholder-demo.mjs +99 -0
  123. package/package.json +11 -1
  124. package/plan-discovery.md +740 -0
  125. package/plan.md +150 -0
  126. package/scripts/verify-package.mjs +97 -0
@@ -0,0 +1,813 @@
1
+ # renma User Manual
2
+
3
+ renma scans agent-facing repository assets and turns them into deterministic, agent-consumable reports. Use it to keep skills, shared context, prompts, docs, and ownership metadata reviewable in CI instead of relying on an LLM to infer repository intent.
4
+
5
+ ## What Renma Does And Does Not Do
6
+
7
+ Renma is deterministic repository governance for context assets, skills, and agent-facing documentation. It reads local repository files, builds reviewable evidence, and reports what humans or coding agents should inspect.
8
+
9
+ Renma does not call an LLM, choose runtime context, assemble prompts, inject context, execute agents, or collect telemetry.
10
+
11
+ Use your platform's standard Skill authoring guidance for general Skill design,
12
+ then use Renma for repository-specific governance and validation. Platform
13
+ guidance owns the trigger description, instructions, workflow, constraints,
14
+ examples, and completion criteria. Renma owns deterministic repository evidence
15
+ for compatibility, metadata, relationships, ownership, lifecycle, security
16
+ policy, diagnostics, and readiness.
17
+
18
+ ## Install And Build
19
+
20
+ From a checkout:
21
+
22
+ ```bash
23
+ npm install
24
+ npm run build
25
+ ```
26
+
27
+ Run the local CLI from the built entry point:
28
+
29
+ ```bash
30
+ node dist/index.js scan .
31
+ ```
32
+
33
+ When renma is installed as a package, use the `renma` binary:
34
+
35
+ ```bash
36
+ renma scan .
37
+ ```
38
+
39
+ For the breaking 0.16.0 Skill format, scan validation, and one-way migration
40
+ workflow, see [Agent Skills Compatibility and Migration](agent-skills-compatibility.md).
41
+ Agent Skills results appear inside `scan`; there is no separate Skill-validation
42
+ command.
43
+
44
+ Renma 0.16.0 requires specification-valid Agent Skills for operational Skills.
45
+ All Renma Skill governance and security metadata uses flat, string-valued
46
+ `metadata.renma.*` entries. Pre-0.16 top-level Skill metadata is accepted only
47
+ as migration input for `suggest-metadata`; non-Skill metadata behavior is
48
+ unchanged.
49
+
50
+ ## Repository Layout
51
+
52
+ renma is most useful when agent knowledge is stored in predictable places:
53
+
54
+ - `skills/**/SKILL.md` and `.agents/skills/**/SKILL.md` are the canonical Agent
55
+ Skills entrypoints. Renma still discovers historical `skill.md` and
56
+ `*.skill.md` spellings under those roots for migration diagnostics, but those
57
+ spellings are not Agent Skills-compatible.
58
+ - `contexts/**` for shared context assets.
59
+ - configurable prompt or documentation paths for reusable prompts and broader docs.
60
+ - `*.renma.json` for structured metadata assets.
61
+
62
+ Tool helper implementations usually belong under `tools/**`. They can be referenced from skills and commands, but they are not the same thing as user-facing documentation under `docs/**`.
63
+
64
+ Under explicit skill roots, `assets`, `examples`, `profiles`, `references`, and
65
+ `scripts` are reserved for skill-local support directories. These are valid
66
+ support paths:
67
+
68
+ - `skills/demo/assets/template.md`
69
+ - `skills/demo/examples/happy-path.md`
70
+ - `skills/demo/references/spec.md`
71
+ - `skills/demo/scripts/helper.sh`
72
+ - `skills/demo/profiles/local.md`
73
+
74
+ The same reserved names apply under `.agents/skills/**`.
75
+
76
+ These Skill-local support directories are valid. Keep material local when it is
77
+ specific to one Skill. Promote reusable source-of-truth knowledge to an owned
78
+ Context Asset, or a helper shared across workflows to `tools/**`, only when
79
+ repository evidence supports that change; Renma does not move files
80
+ automatically.
81
+
82
+ Avoid using reserved support directory names as skill names. Paths such as
83
+ `skills/assets/SKILL.md`, `skills/examples/SKILL.md`,
84
+ `skills/references/SKILL.md`, `skills/scripts/SKILL.md`, and
85
+ `skills/profiles/SKILL.md` are not treated as skill entrypoints by default. If
86
+ one of those files is intended to define a Renma skill, rename the directory, for example to
87
+ `skills/example-review/SKILL.md`.
88
+
89
+ Specification-valid Agent Skills declare governance and security values as
90
+ flat string-valued `metadata.renma.*` entries. JSON-array strings represent lists;
91
+ Renma does not treat comma-separated canonical values as lists. These canonical
92
+ values feed the same catalog, ownership, graph, readiness, BOM, Trust Graph,
93
+ lifecycle, and reporting behavior as the pre-0.16 fields they replace.
94
+
95
+ Renma does not fall back to top-level pre-0.16 Skill fields. Invalid, hybrid,
96
+ and pre-0.16 Skills can be scanned and migrated but contribute no operational
97
+ Skill metadata. Contexts, context lenses, profiles, references,
98
+ examples, agents, configuration files, and other non-Skill assets continue to
99
+ use their existing top-level metadata syntax.
100
+
101
+ ## Quick Start
102
+
103
+ For a first pass on an existing repository, run:
104
+
105
+ ```bash
106
+ renma scan .
107
+ renma catalog . --format markdown
108
+ renma graph . --format markdown
109
+ renma readiness . --format markdown
110
+ ```
111
+
112
+ Read these reports together:
113
+
114
+ - `scan` shows concrete problems to fix.
115
+ - `catalog` shows what assets and metadata Renma discovered.
116
+ - `graph` shows how skills and contexts are connected.
117
+ - `readiness` summarizes repository-level health and checks.
118
+
119
+ When creating a Skill, design it with platform-native authoring guidance, run
120
+ `scaffold skill` once, complete the generated file, and validate with
121
+ `renma scan . --fail-on high`. For deeper authoring guidance, see the
122
+ [Authoring Guide](authoring-guide.md). For rule details, see the
123
+ [Diagnostics Reference](diagnostics.md).
124
+
125
+ ## LLM-Assisted Skill Maintenance
126
+
127
+ Renma output can support a human or coding agent, but the authoring and
128
+ governance responsibilities remain separate. Review the Skill with the
129
+ platform's standard authoring guidance, then use Renma as deterministic
130
+ repository evidence. Do not treat a clean scan as permission to invent domain
131
+ knowledge or as proof that the workflow is semantically correct.
132
+
133
+ Recommended loop:
134
+
135
+ 1. Review triggers, instructions, workflow, constraints, and completion criteria
136
+ using platform-native authoring guidance.
137
+ 2. Run `renma --help` and the relevant deterministic inspection commands.
138
+ 3. Review diagnostics and repository evidence.
139
+ 4. Prepare a minimal patch without inventing domain knowledge, ownership,
140
+ references, product rules, or source-of-truth claims.
141
+ 5. Run `renma scan . --fail-on high`, fix relevant diagnostics, and rerun it.
142
+ 6. Summarize changed files, resolved findings, remaining uncertainty, and
143
+ verification commands.
144
+ 7. Require human review before merging meaningful semantic changes.
145
+
146
+ Example instruction for an agent:
147
+
148
+ ```text
149
+ Review the Skill with this platform's standard Skill authoring guidance, then use Renma to inspect its repository governance.
150
+
151
+ Start by running `renma --help` and use command-specific help to choose the appropriate workflow. Make only evidence-backed changes. Do not invent owners, references, product rules, or source-of-truth claims. Preserve existing semantics unless a diagnostic or explicit requirement supports a change. Run `renma scan . --fail-on high` after editing, fix relevant diagnostics, rerun it, and summarize both resolved and remaining findings.
152
+ ```
153
+
154
+ ## User Story: Create A New Skill With Scaffold
155
+
156
+ Use this flow when adding a new agent-facing Skill. Platform-native guidance
157
+ defines the Skill; Renma creates one repository-compatible starting point and
158
+ validates the result.
159
+
160
+ ```mermaid
161
+ flowchart LR
162
+ Design["Platform-native authoring guidance"] --> Scaffold["Run renma scaffold skill once"]
163
+ Scaffold --> Complete["Review and complete the Skill"]
164
+ Complete --> Validate["Run renma scan . --fail-on high"]
165
+ Validate --> Fix["Fix relevant diagnostics and rerun"]
166
+ Fix --> Review["Human review"]
167
+ ```
168
+
169
+ Renma creates and validates repository assets; the consuming agent follows the
170
+ finished Skill later according to its own runtime behavior.
171
+
172
+ 1. Use platform-native authoring guidance to design the Skill's purpose,
173
+ trigger, workflow, constraints, and completion criteria.
174
+
175
+ 2. Run the Renma generator once for the target path.
176
+
177
+ ```bash
178
+ renma scaffold skill skills/testing/spec-review/SKILL.md --owner qa-platform
179
+ ```
180
+
181
+ 3. Open and review the generated Skill.
182
+
183
+ `scaffold` creates a starter file, not a complete production-ready Skill. Use
184
+ platform-native guidance to complete the description, instructions, workflow,
185
+ constraints, completion criteria, and intended metadata.
186
+
187
+ The Skill scaffold writes canonical Agent Skills identity and
188
+ `metadata.renma.*` fields directly. Replace its placeholder prose and fill in
189
+ any required security policy before depending on it. Context and context-lens
190
+ scaffolds keep their existing top-level metadata shape. Preserve intended
191
+ repository behavior and do not invent owners, policies, dependencies, domain
192
+ rules, or source-of-truth claims.
193
+
194
+ Do not run a second independent generator against the same target. If a
195
+ platform-native tool can generate Skills, ask it to refine the existing Renma
196
+ scaffold or to use `renma scaffold skill` as its starting point.
197
+
198
+ 4. Add shared Context Assets when the Skill depends on reusable knowledge.
199
+
200
+ ```bash
201
+ renma scaffold context contexts/testing/boundary-value-analysis.md --owner qa-platform
202
+ ```
203
+
204
+ Reusable domain, testing, product, platform, and tool knowledge should usually live under `contexts/**` instead of being buried inside one skill. A context asset can have its own owner, lifecycle state, review history, tags, and dependencies.
205
+
206
+ 5. Connect the Skill to Context Assets.
207
+
208
+ In a canonical Skill, add `renma.requires-context` or
209
+ `renma.optional-context` under `metadata` as JSON-array strings. These fields
210
+ create static repository graph relationships. They do
211
+ not make Renma choose runtime context for an agent.
212
+
213
+ 6. Run repository validation.
214
+
215
+ ```bash
216
+ renma scan . --fail-on high
217
+ renma catalog . --format markdown
218
+ renma graph . --format markdown
219
+ renma readiness . --format markdown
220
+ ```
221
+
222
+ 7. Fix relevant diagnostics and rerun the scan.
223
+
224
+ Use `scan` for concrete problems, `catalog` for discovered assets and metadata,
225
+ `graph` for Skill-to-Context relationships, and `readiness` for repository-level
226
+ health. Do not weaken security policy or add suppressions merely to pass. After
227
+ fixes, rerun `renma scan . --fail-on high` and complete human review.
228
+
229
+ 8. Optionally generate a BOM for review or CI artifacts.
230
+
231
+ ```bash
232
+ renma bom . --format markdown
233
+ renma bom . --format json
234
+ ```
235
+
236
+ The BOM is a declared repository manifest. It combines catalog, graph, diagnostics, readiness, lifecycle, hash, and security posture evidence. It is not a record of actual LLM runtime usage. See the [Repository Context BOM contract](repository-context-bom.md) for the v1 boundaries.
237
+
238
+ ## User Story: Improve Existing Skills With Diagnostics
239
+
240
+ Use this flow when improving an existing Skill. Review the whole Skill with
241
+ platform-native guidance before treating metadata suggestions as complete.
242
+
243
+ ```mermaid
244
+ flowchart TD
245
+ Authoring["Platform-native authoring review"] --> Scan["Run renma scan . --fail-on high"]
246
+ Scan --> Evidence["Inspect relevant diagnostics and repository evidence"]
247
+ Evidence --> NeedMetadata{"Metadata or migration work needed?"}
248
+ NeedMetadata -- Yes --> Suggest["Run renma suggest-metadata and review the candidate"]
249
+ NeedMetadata -- No --> Prepare["Prepare and review intended changes, if any"]
250
+ Suggest --> Prepare
251
+ Prepare --> Validate["Rerun renma scan . --fail-on high"]
252
+ Validate --> Fix["Fix relevant diagnostics and rerun"]
253
+ Fix --> Review["Human review"]
254
+ ```
255
+
256
+ LLM assistance is optional. Renma does not rewrite files or accept a proposed
257
+ change automatically.
258
+
259
+ 1. Review the trigger description, instructions, workflow, constraints, and
260
+ completion criteria using the platform's standard Skill guidance.
261
+
262
+ 2. Run `scan` on the existing repository.
263
+
264
+ ```bash
265
+ renma scan . --fail-on high
266
+ ```
267
+
268
+ `scan` reports concrete findings such as broken references, risky instructions, missing or invalid metadata, unclear workflow structure, and layout issues.
269
+
270
+ 3. Inspect relevant repository evidence. Use only the views that answer the
271
+ current question; they are not mandatory ceremony.
272
+
273
+ Inspect the current asset inventory when needed:
274
+
275
+ ```bash
276
+ renma catalog . --format markdown
277
+ ```
278
+
279
+ `catalog` helps you see existing skills, contexts, references, profiles, examples, IDs, owners, lifecycle states, hashes, tags, and declared dependencies.
280
+
281
+ Check graph relationships when needed:
282
+
283
+ ```bash
284
+ renma graph . --format markdown
285
+ renma graph . --focus skill.testing.spec-review --format markdown
286
+ ```
287
+
288
+ `graph` helps find missing context, broken references, unexpected isolation, and unclear dependencies. Focused graph output keeps one asset and its direct neighborhood so you can inspect one skill or context without reading the whole graph.
289
+
290
+ Check readiness when needed:
291
+
292
+ ```bash
293
+ renma readiness . --format markdown
294
+ ```
295
+
296
+ `readiness` gives a repository-level health score and checks. It is a static repository review signal, not a runtime decision about which context an agent should use.
297
+
298
+ Use `inspect` for one file:
299
+
300
+ ```bash
301
+ renma inspect skills/testing/spec-review/SKILL.md
302
+ renma inspect skills/testing/spec-review/SKILL.md --lines L10-L42
303
+ ```
304
+
305
+ Use this when you want a compact outline or exact line slice before editing a specific asset.
306
+
307
+ 4. Use `suggest-metadata` only when metadata or migration work is needed.
308
+
309
+ ```bash
310
+ renma suggest-metadata skills/testing/spec-review/SKILL.md --owner qa-platform --format prompt
311
+ ```
312
+
313
+ `suggest-metadata` does not rewrite files. It emits a deterministic prompt or
314
+ JSON payload that a human or coding agent can use to prepare a reviewed metadata
315
+ or one-way migration patch while preserving the existing Markdown body. Review
316
+ the candidate and apply only intended changes.
317
+
318
+ For a `SKILL.md` target, the command proposes only the one-way transition from
319
+ pre-0.16 Renma Skill fields to Agent Skills identity plus flat
320
+ `metadata.renma.*` string values. Unsafe or ambiguous input blocks canonical
321
+ frontmatter output. When blocked, review the conflicts or invalid evidence,
322
+ confirm intent using platform-native guidance, do not apply a candidate, correct
323
+ the source evidence, and rerun `suggest-metadata`. See
324
+ [Agent Skills Compatibility and Migration](agent-skills-compatibility.md).
325
+
326
+ An already canonical Skill with no metadata or migration need should not pass
327
+ through `suggest-metadata` merely as ceremony.
328
+
329
+ 5. Use `suggest-semantic-split` when a file has grown too large or mixes multiple purposes.
330
+
331
+ ```bash
332
+ renma suggest-semantic-split docs/large-runbook.md
333
+ ```
334
+
335
+ `suggest-semantic-split` does not rewrite files either. It packages source context and guidance so a human or coding agent can draft a reviewable split.
336
+
337
+ 6. Prepare and review intended changes, then validate, fix relevant
338
+ diagnostics, and rerun.
339
+
340
+ ```bash
341
+ renma scan . --fail-on high
342
+ renma catalog . --format markdown
343
+ renma graph . --format markdown
344
+ renma readiness . --format markdown
345
+ ```
346
+
347
+ The loop ends with human review. A metadata suggestion or clean scan does not
348
+ replace semantic review of the Skill.
349
+
350
+ For a repository-aware specification-review example using a Skill, a Context
351
+ Lens, and direct Context Asset relationships, see
352
+ [`examples/context-repo`](../examples/context-repo). It is statically navigable
353
+ only for a consumer with the repository checkout that follows the Skill and
354
+ Lens relative links; Renma validates the relationships but does not load them.
355
+
356
+ ## Configuration
357
+
358
+ Use `--config <path>` with commands that scan the repository:
359
+
360
+ ```bash
361
+ renma scan . --config renma.config.json
362
+ ```
363
+
364
+ The JSON configuration supports the same names used by the implementation, including:
365
+
366
+ - `globs`: glob patterns to scan.
367
+ - `exclude`: paths or path prefixes to skip.
368
+ - `suppressions`: rule suppressions that remove matching findings from normal reports and failure thresholds.
369
+ - `max_file_size_bytes`: largest file renma will read.
370
+ - `max_depth`: maximum discovery depth.
371
+ - `concurrency`: scan concurrency.
372
+ - `fail_on`: scan exit threshold: `low`, `medium`, `high`, or `critical`.
373
+ - `format`: default report format.
374
+ - `layout`: compatibility-only `tool_namespace` and `workflow_aliases` input retained for existing configurations. These fields are validated and normalized but do not currently change findings or force Skill-local support migration.
375
+ - `security`: command, network, upload, and profile policy.
376
+
377
+ CLI flags override config values when both are provided.
378
+
379
+ Within a canonical Skill entrypoint or one of its classified support documents,
380
+ helper commands may use `scripts/helper.mjs` or `./scripts/helper.mjs`; Renma
381
+ resolves these paths against the owning Skill directory. `tools/helper.mjs` and
382
+ `./tools/helper.mjs` resolve from the repository root. Explicit repository-root
383
+ paths such as `skills/testing/demo/scripts/helper.mjs`,
384
+ `.agents/skills/testing/demo/scripts/helper.mjs`, and
385
+ `tools/testing/helper.mjs` remain valid. Renma rejects helper candidates whose
386
+ relative traversal would escape the owning Skill boundary and checks existence
387
+ against the collected repository snapshot. It validates the declared path but
388
+ does not execute the command. Non-Skill documents do not receive an inferred
389
+ Skill-relative base.
390
+
391
+ Use `exclude` for files Renma should not scan. Use `suppressions` for audited exceptions where Renma should scan the file, detect matching findings internally, then omit those findings from normal reports and failure decisions. A suppression applies only when both `id` and `paths` match. Each suppression includes `id`, `paths`, required `reason`, and optional `expires`; the reason lives in config for auditability.
392
+
393
+ Use a date in `YYYY-MM-DD` for temporary workarounds, or `"never"` when the exception is intentionally permanent. Permanent suppressions should still use narrow path patterns and a clear reason. Suppression path patterns are repository-relative and support exact paths, directory-prefix matches for non-glob patterns, `*` within one path segment, and `**` across directories.
394
+
395
+ If `--config` is not provided, renma looks for repository config files such as `renma.config.json` or `.renma.json` while resolving the scan target.
396
+
397
+ Canonical Agent Skills entrypoints are:
398
+
399
+ - `skills/**/SKILL.md`
400
+ - `.agents/skills/**/SKILL.md`
401
+
402
+ Renma also discovers these historical spellings for migration diagnostics:
403
+
404
+ - `skills/**/skill.md`
405
+ - `skills/**/*.skill.md`
406
+ - `.agents/skills/**/skill.md`
407
+ - `.agents/skills/**/*.skill.md`
408
+
409
+ Other default scan glob families are:
410
+
411
+ - `.agents/**/*.md`
412
+ - `AGENTS.md`
413
+ - `README.md`
414
+ - `context/**/*.md`
415
+ - `contexts/**/*.md`
416
+ - `lenses/**/*.md`
417
+ - `skills/**/profiles/**/*.md`
418
+ - `skills/**/references/**/*.md`
419
+ - `skills/**/examples/**/*.md`
420
+ - `skills/**/scripts/**/*`
421
+ - `tools/**/*`
422
+
423
+ ## Where To Go Next
424
+
425
+ - New to Renma? Start with [Authoring Guide](authoring-guide.md).
426
+ - Writing security-sensitive skills or context assets? Read [Security Policy Guide](security-policy.md).
427
+ - Fixing scan findings? See [Diagnostics Reference](diagnostics.md).
428
+ - Trying a minimal clarify-before-act Skill interaction? Use
429
+ [`examples/interactive-placeholder`](../examples/interactive-placeholder).
430
+ - Trying richer repository-aware Skill, Context Lens, and Context Asset
431
+ governance? See [`examples/context-repo`](../examples/context-repo).
432
+ - Focusing specifically on Context Lens governance? See
433
+ [`examples/context-lens`](../examples/context-lens).
434
+ - Adding Renma evidence to CI? See the
435
+ [GitHub Actions example](../examples/github-actions/renma-ci-report.yml).
436
+
437
+ ## Commands
438
+
439
+ For a mini-repository with a statically navigable Skill, a Context Lens, shared
440
+ Context Assets, ownership metadata, and graph relationships, see
441
+ [`examples/context-repo`](../examples/context-repo). The consumer must have the
442
+ checkout and follow the Skill and Lens relative links; the fixture is not a
443
+ portable self-contained Agent Skills package.
444
+
445
+ renma commands fall into a few groups:
446
+
447
+ - Inventory and ownership: `catalog` lists discovered assets and references, `ownership` summarizes owned and unowned assets, `graph` shows relationships between catalog nodes, `trust-graph` exposes deterministic trust evidence, and `bom` combines declared repository evidence into a reviewable Repository Context BOM.
448
+ - Local inspection and authoring: `inspect` reads one file as an outline or exact line slice, `scaffold` creates starter assets or authoring prompts, `suggest-metadata` emits safe metadata retrofit guidance for existing assets, and `suggest-semantic-split` packages source context and helper commands so a human or coding agent can draft a split for mixed-purpose Markdown.
449
+ - Review and CI: `scan` emits deterministic findings, `readiness` turns repository state into checks and a score, `diff` compares two refs, and `ci-report` formats the comparison for pull-request review.
450
+
451
+ ## Scan, Catalog, Graph, Trust Graph, Readiness, And BOM
452
+
453
+ These commands are related, but they answer different repository-review questions.
454
+
455
+ | Command | Main question | Best for | Output shape |
456
+ | --- | --- | --- | --- |
457
+ | `scan` | What concrete problems were found? | Fixing diagnostics and CI checks | Finding list |
458
+ | `catalog` | What assets exist? | Reviewing IDs, owners, lifecycle metadata, hashes, tags, and declared dependencies | Asset inventory |
459
+ | `graph` | How are assets connected? | Inspecting dependencies and references | Asset relationship graph |
460
+ | `trust-graph` | What evidence helps reviewers decide whether assets are safe, owned, current, and usable enough? | Tracing owner, lifecycle, policy, dependency, reference, and diagnostic evidence per asset | Evidence graph |
461
+ | `readiness` | Is the repository broadly ready for agent-facing use? | Maintainer summary and CI reporting | Repository-level scorecard |
462
+ | `bom` | What declared repository context manifest should reviewers inspect? | Combining catalog, graph, readiness, diagnostics, lifecycle, hashes, and security posture evidence | Repository Context BOM |
463
+
464
+ `catalog` is about what assets exist. `graph` is about how assets relate. `readiness` is about repository-level health score and checks. `trust-graph` is about traceability of trust-relevant evidence. `bom` is the reviewable declared repository manifest that combines asset inventory, dependencies, hashes, lifecycle, diagnostics, readiness, and security posture evidence.
465
+
466
+ Use `trust-graph` when a reviewer asks: "Why should this asset be considered safe, owned, current, and usable enough for an agent-facing repository?" The command does not decide that an asset is trustworthy. It connects deterministic evidence that humans and downstream tools can review: owner, lifecycle status, dependency and reference relationships, selected security profiles, effective policy fingerprints, and diagnostics.
467
+
468
+ In short:
469
+
470
+ - `scan` lists problems.
471
+ - `catalog` lists what assets exist.
472
+ - `graph` shows structural relationships.
473
+ - `trust-graph` connects trust-relevant evidence.
474
+ - `readiness` summarizes repository health.
475
+ - `bom` combines declared catalog, graph, readiness, diagnostics, lifecycle, hash, and security posture evidence.
476
+
477
+ Examples:
478
+
479
+ ```bash
480
+ renma scan . --format json
481
+ renma catalog . --format json
482
+ renma graph . --format json
483
+ renma trust-graph . --format markdown
484
+ renma trust-graph . --format json
485
+ renma readiness . --format markdown
486
+ renma bom . --format json
487
+ renma bom . --format markdown
488
+ ```
489
+
490
+ ### `scan`
491
+
492
+ Scans a target path and prints findings.
493
+
494
+ ```bash
495
+ renma scan .
496
+ renma scan . --format json
497
+ renma scan . --fail-on high
498
+ ```
499
+
500
+ Use `--fail-on` in CI when findings at or above a severity should fail the job. The JSON output includes findings, evidence, diagnostics, `diagnosticsV2`, `reviewBundles`, `trustGraph`, and summary data that other tools can consume.
501
+
502
+ Output includes scan findings, discovery or catalog diagnostics, the effective exit threshold, and evidence paths or snippets for each finding. `diagnosticsV2` adds typed repair constraints, structured verification steps, and concise LLM hints; `reviewBundles` groups related diagnostics for code review.
503
+
504
+ ### `catalog`
505
+
506
+ Builds a deterministic catalog of discovered assets.
507
+
508
+ ```bash
509
+ renma catalog . --format json
510
+ renma catalog . --format markdown
511
+ ```
512
+
513
+ Use the catalog to review asset IDs, owners, status, dependencies, and metadata-derived references.
514
+
515
+ Output includes catalog assets, dependency edges, owners, lifecycle status, tags, and diagnostics.
516
+
517
+ ### `bom`
518
+
519
+ Prints a declared Repository Context BOM.
520
+
521
+ ```bash
522
+ renma bom .
523
+ renma bom . --format json
524
+ renma bom . --format markdown
525
+ renma bom . --format json --omit-generated-at
526
+ ```
527
+
528
+ Use the BOM when reviewers or CI consumers need one repository evidence manifest that combines existing Renma evidence: catalog asset inventory, repository-relative source paths, content hashes, owners, lifecycle metadata, tags, declared dependencies, graph resolution, diagnostics, readiness score and checks, workflow readiness, context lens summary, security posture, and security policy inventory. See the [Repository Context BOM contract](repository-context-bom.md) for the authoritative v1 schema, snapshot, reproducibility, provenance, and future consumed-context evidence boundaries.
529
+
530
+ The BOM is not a record of actual LLM runtime usage. Renma does not collect telemetry, assemble prompts, choose task-specific context, inject context into agents, import consumed-context evidence, or claim what an LLM actually consumed.
531
+
532
+ JSON is the source of truth for automation. Markdown is a compact pull-request review view.
533
+
534
+ Renma derives each BOM from one in-memory repository snapshot: configuration, discovered artifacts, parsed documents, catalog, graph evidence, diagnostics, readiness, and security summaries all come from the same collected state.
535
+
536
+ By default, `generatedAt` records when the BOM was produced. Add `--omit-generated-at` when CI or review automation needs to avoid clock-based diffs. With the same checkout path, config path, repository contents, Renma version, and UTC evaluation date, repeated `--omit-generated-at` runs should produce byte-identical JSON. The option does not remove metadata freshness dates, suppress freshness diagnostics, normalize absolute `root` or `configPath`, hide file moves, or guarantee portable byte-for-byte output across runners.
537
+
538
+ ### `graph`
539
+
540
+ Prints the relationship graph between assets.
541
+
542
+ ```bash
543
+ renma graph . --view summary
544
+ renma graph . --view workflow --format markdown
545
+ renma graph . --view full --format mermaid
546
+ renma graph . --view layered --format mermaid
547
+ ```
548
+
549
+ Views are:
550
+
551
+ - `summary`: compact graph overview.
552
+ - `workflow`: workflow-oriented relationships.
553
+ - `full`: all known graph edges.
554
+ - `layered`: Mermaid-focused graph grouped by asset kind so skill-to-lens-to-context paths are easier to read. `lens` is accepted as an alias.
555
+
556
+ Layered Mermaid output groups skills, context lenses, contexts, support assets, and unresolved targets into separate subgraphs. JSON and Markdown keep the same node and edge detail while reporting the selected view.
557
+
558
+ #### Focusing The Graph
559
+
560
+ The graph command can be focused on one asset with `--focus <asset-id-or-path>`.
561
+
562
+ Use this when you want to inspect the local neighborhood around one context asset, skill, or other catalog entry instead of reading the entire repository graph. A focused graph is useful for answering questions such as:
563
+
564
+ - What does this asset depend on?
565
+ - What other assets reference this asset?
566
+ - Is this asset connected to the expected parts of the context repository?
567
+ - Is this asset isolated or unexpectedly central?
568
+
569
+ Examples:
570
+
571
+ ```bash
572
+ renma graph . --focus context.testing.boundary-value-analysis
573
+ renma graph . --focus contexts/testing/boundary-value-analysis.md --view full
574
+ ```
575
+
576
+ `--focus` accepts one value. The value must match either a catalog asset ID, a repository-relative source path such as `contexts/testing/boundary-value-analysis.md`, or an absolute source path. It does not match projected `summary` view node IDs such as `contexts/testing/*`.
577
+
578
+ When `--focus` is provided, renma keeps the matched asset, its directly connected incoming and outgoing graph edges, and the assets at the other ends of those edges. In other words, it filters graph contents to the focused asset's one-hop neighborhood; it does not only highlight or rearrange the full graph. If the focus value does not match an asset ID or source path, the command exits with usage code `2` and reports that `graph --focus did not match any asset id or source path`.
579
+
580
+ `--focus` runs before `--view` projection. For example, `--view summary --focus <asset>` first selects the focused neighborhood and then groups that smaller graph into the summary view. There is no separate depth option in the current graph command, and repeated `--focus` flags are not a multi-focus API.
581
+
582
+ Note: this graph `focus` argument is a CLI option. It is not a metadata field on an asset.
583
+
584
+ Output includes graph nodes, relationship edges, unresolved targets, and diagnostics. Mermaid output renders the same graph as a diagram definition.
585
+
586
+ ### `trust-graph`
587
+
588
+ Prints deterministic Trust Graph evidence derived from catalog, graph, scan, and security policy data.
589
+
590
+ ```bash
591
+ renma trust-graph . --format markdown
592
+ renma trust-graph . --format json
593
+ renma scan . --format json
594
+ ```
595
+
596
+ Use this when a reviewer or downstream tool needs one stable evidence layer that links assets to owners, lifecycle status, declared dependencies, selected security profiles, effective policy fingerprints, and diagnostics.
597
+
598
+ Trust Graph is repository evidence. It does not compute a trust score, select or inject runtime context, assemble prompts, call an LLM, collect telemetry, or enforce policy at runtime.
599
+
600
+ Output includes stable node IDs, stable edge IDs, source evidence where parser support exists, normalized effective policy fingerprints, diagnostic links, and compact summary counts. JSON is the source of truth for downstream tools; Markdown is for human review. `scan --format json` includes the same Trust Graph under `trustGraph` so CI consumers can read one scan report when they do not need a separate command.
601
+
602
+ Reviewers can use Trust Graph to find assets without owners, find assets without lifecycle status, inspect assets sharing the same effective policy fingerprint, and connect diagnostics back to asset evidence. `trust-graph` exits `0` when the report is generated successfully; use `scan --fail-on` when CI should fail on findings.
603
+
604
+ ### `inspect`
605
+
606
+ Inspects one file as an outline or exact line slice.
607
+
608
+ ```bash
609
+ renma inspect skills/testing/spec-review/SKILL.md
610
+ renma inspect contexts/testing/boundary-value-analysis.md --format json
611
+ renma inspect skills/testing/spec-review/SKILL.md --lines L10-L42
612
+ ```
613
+
614
+ Use this when editing one skill or context file and you want a deterministic outline without reading the whole repository catalog. Without `--lines`, output includes file size, line count, frontmatter range, headings, code fences, links, asset relationships, and a concise Context Lens governance summary when repository context can be inferred. Use `--lines <range>` for an exact source slice; ranges can look like `L10-L42` or `10-42`.
615
+
616
+ ### `readiness`
617
+
618
+ Prints a deterministic readiness report.
619
+
620
+ ```bash
621
+ renma readiness .
622
+ renma readiness . --format markdown
623
+ renma readiness . --format json
624
+ ```
625
+
626
+ Readiness combines catalog diagnostics, Context Lens governance diagnostics, ownership metadata, graph resolution, required and optional context references, asset status, and selected scan findings into an agent-readiness score.
627
+
628
+ Output includes a readiness score and level, workflow checks, Context Lens counts, diagnostics, scan findings that affect readiness, and graph or ownership summary data. JSON output includes `summary.contextLens`; Markdown output includes a `Context Lens` section.
629
+
630
+ Security posture and Context Lens summaries remain static repository evidence in this report. Readiness does not choose runtime context, assemble prompts, inject context, or describe what an LLM actually used.
631
+
632
+ ### `diff`
633
+
634
+ Compares deterministic readiness reports for two git refs.
635
+
636
+ ```bash
637
+ renma diff . --from main --to HEAD
638
+ renma diff . --from main --to HEAD --format markdown
639
+ ```
640
+
641
+ Use this to review what changed between branches or commits. The command builds readiness data for both refs and reports asset, graph, check, and finding deltas.
642
+
643
+ Output includes readiness deltas, changed assets, graph edge changes, check changes, and added or removed findings.
644
+
645
+ ### `ci-report`
646
+
647
+ Formats a diff result for CI or pull-request review.
648
+
649
+ ```bash
650
+ renma ci-report . --from main --to HEAD --format markdown
651
+ renma ci-report . --from main --to HEAD --format json
652
+ ```
653
+
654
+ The report summarizes readiness deltas, graph-resolution changes, added and removed findings, and policy-relevant status. It is CI-oriented: `PASS` and `WARN` exit `0`, `FAIL` exits `1`, and usage, command, or configuration errors exit `2`.
655
+
656
+ Output includes a CI status (`PASS`, `WARN`, or `FAIL`), a summary, readiness changes, graph changes, and review-focused finding changes.
657
+
658
+ Repository Context BOM artifacts describe declared repository state, not prompt assembly, context injection, agent execution, actual LLM runtime usage, or telemetry. Use `renma bom . --format json` when CI needs a machine-readable manifest and `renma bom . --format markdown` for review comments or artifacts. For v1 compatibility and reproducibility details, see the [Repository Context BOM contract](repository-context-bom.md).
659
+
660
+ ### `ownership`
661
+
662
+ Reports asset ownership.
663
+
664
+ ```bash
665
+ renma ownership .
666
+ renma ownership . --include-owned
667
+ renma ownership . --owner qa-platform
668
+ renma ownership . --format json
669
+ ```
670
+
671
+ Use this to find unowned assets, review what each owner is responsible for, and filter the report to assets owned by a specific owner.
672
+
673
+ Output includes total asset count, owned asset count, ownership coverage, owner groups, and assets without declared owner. `--owner <owner>` keeps the repository-level totals for context and adds filtered matched assets for that owner. Filtered JSON reports omit `unownedAssetList` so the repository-level `unownedAssets` count is not confused with owner-filtered asset details. `--include-owned` also includes the backward-compatible flat owned asset list.
674
+
675
+ #### Ownership policy
676
+
677
+ Renma treats `owner` as governance metadata. Declaring an owner is recommended because it makes context assets easier to review, maintain, and share across teams.
678
+
679
+ However, owner metadata is not globally required yet. Assets without an owner are accepted and reported as unowned in the ownership coverage report.
680
+
681
+ Renma does not infer owners automatically. If an asset is unowned, choose an owner through human review or team policy.
682
+
683
+ ### `scaffold`
684
+
685
+ Creates a starter skill or context asset.
686
+
687
+ ```bash
688
+ renma scaffold skill skills/testing/spec-review/SKILL.md --owner qa-platform
689
+ renma scaffold context contexts/testing/boundary-value-analysis.md --owner qa-platform
690
+ renma scaffold context_lens lenses/testing/spec-review-boundary-values.md --owner qa-platform
691
+ renma scaffold skill skills/testing/spec-review/SKILL.md --owner qa-platform --format prompt
692
+ ```
693
+
694
+ `scaffold --format file` writes a starter file, `--format prompt` emits an authoring prompt, and `--format json` emits structured scaffold data. The generated content is intentionally minimal; fill in metadata, dependencies, and verification steps before depending on it in automation.
695
+
696
+ For a Skill, use platform-native authoring guidance before and after scaffolding.
697
+ File mode prints concise Skill-only next steps after the `Created` line. Prompt
698
+ mode includes the same responsibility boundary and validation loop. Context and
699
+ Context Lens output does not receive Skill-specific guidance. JSON retains the
700
+ existing bundle shape.
701
+
702
+ After completing a Skill, run `renma scan . --fail-on high`, fix relevant
703
+ diagnostics, rerun the scan, and complete human review. Do not use a second
704
+ independent generator against the same target file.
705
+
706
+ ### `suggest-metadata`
707
+
708
+ Suggests a safe metadata retrofit workflow for an existing asset.
709
+
710
+ ```bash
711
+ renma scan .
712
+ renma ownership .
713
+ renma suggest-metadata skills/testing/spec-review/SKILL.md --format prompt
714
+ renma suggest-metadata skills/testing/spec-review/SKILL.md --owner qa-platform --format json
715
+ ```
716
+
717
+ Use this after `scan` detects metadata issues or `ownership` shows unowned assets. The command does not rewrite files. It emits a deterministic prompt or JSON payload that a human or coding agent can use to prepare a reviewed patch.
718
+
719
+ For Skill targets, the prompt also makes clear that metadata suggestion is not
720
+ the full authoring process. Review the trigger description, instructions,
721
+ workflow, constraints, and completion criteria with platform-native guidance;
722
+ apply only intended metadata or migration changes; run
723
+ `renma scan . --fail-on high`; fix relevant diagnostics; and rerun the scan.
724
+ Context Asset output does not receive this Skill-specific authoring guidance.
725
+ JSON retains the existing structured suggestion shape.
726
+
727
+ For Skill targets using the pre-0.16 Renma Skill format, the 0.16.0 metadata
728
+ migration path is one-way: recognized governance and security frontmatter
729
+ becomes Agent Skills identity plus `metadata.renma.*`. Separately, `skill.md` and `*.skill.md` targets
730
+ report any required entrypoint rename or move, even when their frontmatter
731
+ already uses Agent Skills fields. For a canonical Agent Skill, `--owner` may
732
+ instead propose an owner metadata retrofit; it never causes reverse migration.
733
+ The normative behavior is documented in
734
+ [Agent Skills Compatibility and Migration](agent-skills-compatibility.md).
735
+
736
+ Pre-0.16 security fields migrate with strict serialization: booleans become the
737
+ exact strings `"true"` or `"false"`, and lists become JSON-array strings of
738
+ strings. Unsafe or ambiguous values block canonical frontmatter generation.
739
+ For an already canonical Skill, `suggest-metadata` proposes neither migration
740
+ nor an unnecessary rewrite unless an explicit supported retrofit is requested.
741
+
742
+ When migration is blocked, do not apply a candidate. Review the conflict or
743
+ invalid evidence, confirm the Skill's intent with platform-native authoring
744
+ guidance, correct the source evidence, rerun `suggest-metadata`, then validate
745
+ intended corrections with `renma scan . --fail-on high`.
746
+
747
+ Owner metadata remains recommended but not required. Without `--owner`, `suggest-metadata` blocks owner as a suggested addition and says not to add one unless the asset already declares an owner or a maintainer provides one. With `--owner <owner>`, the command may include that owner because it was explicitly provided. If an existing asset already declares an owner, `suggest-metadata` preserves it; a different `--owner` value is treated as a human-review ownership change, not an automatic metadata suggestion. Renma does not infer owners from Git history, file paths, prose, or authors.
748
+
749
+ ### `suggest-semantic-split`
750
+
751
+ Suggests a semantic split for large or mixed-purpose assets.
752
+
753
+ ```bash
754
+ renma suggest-semantic-split docs/large-runbook.md
755
+ renma suggest-semantic-split docs/large-runbook.md --format json
756
+ renma suggest-semantic-split docs/large-runbook.md --max-context-bytes 32768
757
+ ```
758
+
759
+ Use this as an editing aid when an asset has grown beyond one clear responsibility.
760
+
761
+ Output is a prompt by default. With `--format json`, output includes source context, sibling-file context, helper commands, and a structured review bundle. The command does not apply a split itself; it gives a human or coding agent enough context to draft a proposal.
762
+
763
+ ## Output Formats
764
+
765
+ Use `--format <format>` to select output and `--json` as a shortcut where the command supports JSON.
766
+
767
+ | Command | Formats |
768
+ | --- | --- |
769
+ | `scan` | `text`, `json` |
770
+ | `bom` | `json`, `markdown` |
771
+ | `catalog` | `json`, `markdown` |
772
+ | `ownership` | `json`, `markdown` |
773
+ | `readiness` | `json`, `markdown` |
774
+ | `diff` | `json`, `markdown` |
775
+ | `ci-report` | `json`, `markdown` |
776
+ | `graph` | `json`, `markdown`, `mermaid` |
777
+ | `trust-graph` | `json`, `markdown` |
778
+ | `inspect` | `text`, `json` |
779
+ | `scaffold` | `file`, `prompt`, `json` |
780
+ | `suggest-metadata` | `prompt`, `json` |
781
+ | `suggest-semantic-split` | `prompt`, `json` |
782
+
783
+ Prefer JSON in automation and markdown for human review in pull requests. Use Mermaid when you want to render a graph diagram.
784
+
785
+ ## CI Workflow
786
+
787
+ A typical CI flow is:
788
+
789
+ 1. Build renma.
790
+ 2. Run `renma scan . --fail-on high`.
791
+ 3. Run `renma readiness . --format json` and store the result as an artifact.
792
+ 4. Compare refs with `renma diff . --from main --to HEAD`.
793
+ 5. Publish `renma ci-report` in the pull-request summary.
794
+
795
+ Example:
796
+
797
+ ```bash
798
+ npm run build
799
+ renma scan . --fail-on high
800
+ renma readiness . --format json > renma-readiness.json
801
+ ```
802
+
803
+ `renma readiness` exits `1` when blocking diagnostics make the repository not ready, including Context Lens governance errors such as duplicate lens IDs, missing required fields, or unresolved `applies_to` targets.
804
+
805
+ ## Interpreting Results
806
+
807
+ renma reports three related but different kinds of output:
808
+
809
+ - Diagnostics: problems reading files, parsing metadata, or resolving catalog data. See [Diagnostics Reference](diagnostics.md).
810
+ - Scan findings: rule results from `scan`, such as layout, security, maintenance, quality, profile, and support issues. Each scan finding has a finding identifier, such as `SEC-LITERAL-SECRET`, that labels the kind of issue independently from the file path, asset ID, or human-readable message.
811
+ - Readiness checks: workflow-level pass, warning, or error states derived from catalog, graph, ownership, and finding data.
812
+
813
+ Treat errors as blockers for deterministic automation. Treat warnings as review items that can become blockers when they affect agent reliability.