renma 0.15.2 → 0.17.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (126) hide show
  1. package/CHANGELOG.md +54 -1
  2. package/README.md +216 -655
  3. package/architecture.md +523 -0
  4. package/design.md +458 -0
  5. package/dist/agent-skills.d.ts +77 -0
  6. package/dist/agent-skills.d.ts.map +1 -0
  7. package/dist/agent-skills.js +468 -0
  8. package/dist/agent-skills.js.map +1 -0
  9. package/dist/catalog.d.ts.map +1 -1
  10. package/dist/catalog.js +38 -5
  11. package/dist/catalog.js.map +1 -1
  12. package/dist/cli-help.d.ts +13 -11
  13. package/dist/cli-help.d.ts.map +1 -1
  14. package/dist/cli-help.js +36 -11
  15. package/dist/cli-help.js.map +1 -1
  16. package/dist/cli.d.ts.map +1 -1
  17. package/dist/cli.js +139 -40
  18. package/dist/cli.js.map +1 -1
  19. package/dist/commands/catalog.d.ts.map +1 -1
  20. package/dist/commands/catalog.js +4 -3
  21. package/dist/commands/catalog.js.map +1 -1
  22. package/dist/commands/graph.d.ts.map +1 -1
  23. package/dist/commands/graph.js +7 -12
  24. package/dist/commands/graph.js.map +1 -1
  25. package/dist/commands/readiness.d.ts.map +1 -1
  26. package/dist/commands/readiness.js +7 -6
  27. package/dist/commands/readiness.js.map +1 -1
  28. package/dist/commands/scaffold.d.ts.map +1 -1
  29. package/dist/commands/scaffold.js +59 -16
  30. package/dist/commands/scaffold.js.map +1 -1
  31. package/dist/commands/suggest-metadata.d.ts +3 -1
  32. package/dist/commands/suggest-metadata.d.ts.map +1 -1
  33. package/dist/commands/suggest-metadata.js +226 -7
  34. package/dist/commands/suggest-metadata.js.map +1 -1
  35. package/dist/commands/suggest-semantic-split.js +3 -3
  36. package/dist/commands/suggest-semantic-split.js.map +1 -1
  37. package/dist/dependency-resolution.d.ts +6 -0
  38. package/dist/dependency-resolution.d.ts.map +1 -0
  39. package/dist/dependency-resolution.js +11 -0
  40. package/dist/dependency-resolution.js.map +1 -0
  41. package/dist/diagnostic-ids.d.ts +29 -0
  42. package/dist/diagnostic-ids.d.ts.map +1 -1
  43. package/dist/diagnostic-ids.js +28 -0
  44. package/dist/diagnostic-ids.js.map +1 -1
  45. package/dist/discovery.d.ts +50 -0
  46. package/dist/discovery.d.ts.map +1 -1
  47. package/dist/discovery.js +183 -25
  48. package/dist/discovery.js.map +1 -1
  49. package/dist/metadata.d.ts +3 -1
  50. package/dist/metadata.d.ts.map +1 -1
  51. package/dist/metadata.js +166 -29
  52. package/dist/metadata.js.map +1 -1
  53. package/dist/model.d.ts +1 -0
  54. package/dist/model.d.ts.map +1 -1
  55. package/dist/report.d.ts.map +1 -1
  56. package/dist/report.js +16 -1
  57. package/dist/report.js.map +1 -1
  58. package/dist/repository-paths.d.ts +13 -0
  59. package/dist/repository-paths.d.ts.map +1 -1
  60. package/dist/repository-paths.js +60 -2
  61. package/dist/repository-paths.js.map +1 -1
  62. package/dist/rules.d.ts.map +1 -1
  63. package/dist/rules.js +97 -107
  64. package/dist/rules.js.map +1 -1
  65. package/dist/scanner.d.ts.map +1 -1
  66. package/dist/scanner.js +3 -1
  67. package/dist/scanner.js.map +1 -1
  68. package/dist/security-diagnostics.d.ts.map +1 -1
  69. package/dist/security-diagnostics.js +98 -35
  70. package/dist/security-diagnostics.js.map +1 -1
  71. package/dist/security-policy-inventory.js +11 -4
  72. package/dist/security-policy-inventory.js.map +1 -1
  73. package/dist/security-policy.d.ts +27 -1
  74. package/dist/security-policy.d.ts.map +1 -1
  75. package/dist/security-policy.js +247 -34
  76. package/dist/security-policy.js.map +1 -1
  77. package/dist/skill-migration.d.ts +30 -0
  78. package/dist/skill-migration.d.ts.map +1 -0
  79. package/dist/skill-migration.js +566 -0
  80. package/dist/skill-migration.js.map +1 -0
  81. package/dist/trust-graph.d.ts.map +1 -1
  82. package/dist/trust-graph.js +7 -11
  83. package/dist/trust-graph.js.map +1 -1
  84. package/dist/types.d.ts +3 -1
  85. package/dist/types.d.ts.map +1 -1
  86. package/dist/yaml-frontmatter.d.ts +26 -0
  87. package/dist/yaml-frontmatter.d.ts.map +1 -0
  88. package/dist/yaml-frontmatter.js +114 -0
  89. package/dist/yaml-frontmatter.js.map +1 -0
  90. package/docs/README.md +55 -0
  91. package/docs/advanced-skill-authoring.md +140 -0
  92. package/docs/agent-skills-compatibility.md +500 -0
  93. package/docs/authoring-guide.md +324 -0
  94. package/docs/context-conflict-diagnostics.md +32 -0
  95. package/docs/context-language-diagnostics.md +99 -0
  96. package/docs/context-lens.md +253 -0
  97. package/docs/context-lifecycle-diagnostics.md +55 -0
  98. package/docs/diagnostics.md +373 -0
  99. package/docs/metadata-budget.md +14 -0
  100. package/docs/repository-context-bom.md +113 -0
  101. package/docs/security-policy.md +338 -0
  102. package/docs/user-manual.md +813 -0
  103. package/examples/context-lens/README.md +101 -0
  104. package/examples/context-lens/contexts/testing/boundary-value-analysis.md +23 -0
  105. package/examples/context-lens/lenses/testing/spec-review-boundary-values.md +29 -0
  106. package/examples/context-lens/lenses/testing/test-design-boundary-values.md +29 -0
  107. package/examples/context-lens/skills/testing/spec-review/SKILL.md +49 -0
  108. package/examples/context-repo/README.md +149 -0
  109. package/examples/context-repo/contexts/domain/payment/idempotency.md +20 -0
  110. package/examples/context-repo/contexts/testing/boundary-value-analysis.md +19 -0
  111. package/examples/context-repo/contexts/testing/negative-testing.md +19 -0
  112. package/examples/context-repo/lenses/testing/spec-review-boundary-values.md +35 -0
  113. package/examples/context-repo/renma.config.json +12 -0
  114. package/examples/context-repo/skills/testing/spec-review/SKILL.md +66 -0
  115. package/examples/context-repo/tools/appium/README.md +14 -0
  116. package/examples/github-actions/renma-ci-report.yml +36 -0
  117. package/examples/interactive-placeholder/README.md +104 -0
  118. package/examples/interactive-placeholder/assets/template.txt +1 -0
  119. package/examples/interactive-placeholder/renma.config.json +6 -0
  120. package/examples/interactive-placeholder/skills/replace-placeholder/SKILL.md +54 -0
  121. package/examples/interactive-placeholder/tools/README.md +48 -0
  122. package/examples/interactive-placeholder/tools/placeholder-demo.mjs +99 -0
  123. package/package.json +11 -1
  124. package/plan-discovery.md +740 -0
  125. package/plan.md +150 -0
  126. package/scripts/verify-package.mjs +97 -0
package/plan.md ADDED
@@ -0,0 +1,150 @@
1
+ # Renma Roadmap
2
+
3
+ ## Current Product Definition
4
+
5
+ Renma is a Git-native context repository and deterministic governance CLI for
6
+ agent-consumable Skills, Context Lenses, Context Assets, references, policies,
7
+ ownership, lifecycle, dependencies, and evidence.
8
+
9
+ ```text
10
+ Skill = agent-facing entrypoint, routing contract, and workflow guide
11
+ Context Lens = purpose-oriented interpretation over Context Assets
12
+ Context Asset = independently owned source-of-truth knowledge
13
+ ```
14
+
15
+ Use platform-native Skill authoring guidance for general Skill design, then use
16
+ Renma for repository-specific governance and validation. Renma keeps repository
17
+ assets discoverable, compatible, owned, linked, validated, reviewable, and
18
+ measurable in Git and CI.
19
+
20
+ Renma's deterministic core follows:
21
+
22
+ ```text
23
+ LLM proposes. Renma verifies. Human approves.
24
+ ```
25
+
26
+ No-LLM workflows remain first-class.
27
+
28
+ ## Stable Product Boundaries
29
+
30
+ Renma owns:
31
+
32
+ - repository discovery and parsing;
33
+ - a normalized asset and relationship model;
34
+ - Agent Skills compatibility checks;
35
+ - catalog, ownership, graph, Trust Graph, Readiness, and BOM projections;
36
+ - deterministic workflow, metadata, lifecycle, relationship, maintenance, and
37
+ security diagnostics;
38
+ - semantic diff and CI review evidence; and
39
+ - deterministic scaffold and non-editing suggestion output.
40
+
41
+ Renma does not own:
42
+
43
+ - general Skill authoring logic supplied by platforms;
44
+ - live Skill or Context selection;
45
+ - prompt assembly or Context injection;
46
+ - Skill, agent, or tool execution;
47
+ - runtime telemetry collection;
48
+ - hosted dashboards or provider gateways;
49
+ - automatic semantic rewriting; or
50
+ - automatic policy weakening or suppression creation.
51
+
52
+ Repository Context BOM v1 remains a declared repository manifest, not a record
53
+ of what an LLM consumed. Trust Graph remains deterministic review evidence, not
54
+ a subjective trust score or runtime enforcement system.
55
+
56
+ ## Completed Baseline Through 0.16.0
57
+
58
+ The shipped baseline includes:
59
+
60
+ - deterministic repository scanning, catalog, ownership, graph, focused graph,
61
+ Readiness, semantic diff, and CI reports;
62
+ - first-class Context Assets and Context Lenses with graph-backed validation;
63
+ - repeated-context and workflow diagnostics;
64
+ - security diagnostics, reusable policy profiles, posture summaries, and
65
+ effective policy inventory;
66
+ - Trust Graph evidence and Repository Context BOM v1;
67
+ - `inspect`, `scaffold`, `suggest-metadata`, and
68
+ `suggest-semantic-split` authoring support;
69
+ - LLM-actionable diagnostics v2 and review bundles; and
70
+ - the canonical Agent Skills-compatible Skill format introduced in 0.16.0,
71
+ with flat string-valued `metadata.renma.*` governance and security fields and
72
+ a conservative one-way migration path.
73
+
74
+ Historical release detail belongs in [CHANGELOG.md](CHANGELOG.md). Authoritative
75
+ technical contracts remain in [architecture.md](architecture.md),
76
+ [design.md](design.md), and the focused documents under [docs/](docs/README.md).
77
+
78
+ ## 0.17.0: Usability And Documentation Consolidation
79
+
80
+ Renma 0.17.0 improves the usability and consistency of the authoring and
81
+ governance workflows established in 0.16.0. It clarifies documentation, CLI
82
+ guidance, and the handoff between platform-native Skill authoring and Renma's
83
+ repository-specific validation.
84
+
85
+ The release focuses on:
86
+
87
+ - making the new-Skill authoring → scaffold → scan → refine loop discoverable;
88
+ - making the existing-Skill review → suggest-metadata → scan → refine loop
89
+ discoverable;
90
+ - keeping generic CLI guidance platform-neutral;
91
+ - preserving conservative blocked migration and non-editing behavior;
92
+ - consolidating README, user-manual, authoring, compatibility, architecture,
93
+ design, and roadmap responsibilities; and
94
+ - retaining detailed BOM, security, migration, diagnostic, and repository-model
95
+ contracts in focused documents.
96
+
97
+ This release does not add a major command, new schema, discovery model, runtime
98
+ capability, packaging system, or telemetry import.
99
+
100
+ ## 0.18.0: Graph-Based Skill Discovery
101
+
102
+ The next proposed capability is a static Skill discovery projection for large
103
+ single repositories. The target is 0.18.0, not 0.17.0.
104
+
105
+ The proposal may add exact Skill-to-Skill route evidence, a static
106
+ `skill-index` report, conservative entrypoint inference, deterministic
107
+ discovery diagnostics, and later Readiness/diff integrations. It must preserve
108
+ the source `SKILL.md` files, the non-runtime boundary, deterministic outputs,
109
+ and backward compatibility.
110
+
111
+ The design is proposed rather than implemented. See
112
+ [plan-discovery.md](plan-discovery.md) for prototype knowledge, open decisions,
113
+ phases, and non-goals.
114
+
115
+ ## Later Candidates
116
+
117
+ Later work may consider:
118
+
119
+ - importing separately produced consumed-context evidence after a stable,
120
+ versioned contract exists;
121
+ - additive BOM or Trust Graph projections for stable discovery evidence;
122
+ - optional semantic review helpers that consume explicit deterministic bundles;
123
+ - multi-repository or distribution workflows after the single-repository model
124
+ is stable; and
125
+ - review visualizations derived from versioned report contracts.
126
+
127
+ These candidates require explicit product decisions. They are not commitments
128
+ and must not blur repository governance with runtime execution or telemetry
129
+ ownership.
130
+
131
+ ## Explicitly Out Of Scope
132
+
133
+ The current roadmap excludes:
134
+
135
+ - accepting task text and automatically selecting or ranking a Skill;
136
+ - fuzzy, embedding, or LLM-based runtime routing;
137
+ - runtime Context selection, loading, injection, or prompt assembly;
138
+ - Skill or agent execution and tool orchestration;
139
+ - automatic Skill body rewriting;
140
+ - platform-native authoring logic inside Renma;
141
+ - arbitrary Skill roots without a separately reviewed compatibility decision;
142
+ - package publication, Context materialization, or repository distribution;
143
+ - runtime telemetry collection or hidden consumed-context import;
144
+ - BOM v2 without a demonstrated breaking-contract need;
145
+ - automatic policy relaxation or suppression generation; and
146
+ - new metadata semantics without an implemented deterministic consumer.
147
+
148
+ The roadmap should stay current-facing. Completed behavior belongs in the
149
+ baseline and changelog; detailed semantics belong in their canonical technical
150
+ documents; proposed discovery remains isolated in the 0.18.0 plan.
@@ -0,0 +1,97 @@
1
+ import { mkdtemp, readFile, rm } from "node:fs/promises";
2
+ import os from "node:os";
3
+ import path from "node:path";
4
+ import { spawnSync } from "node:child_process";
5
+
6
+ const cache = await mkdtemp(path.join(os.tmpdir(), "renma-npm-pack-"));
7
+
8
+ try {
9
+ const packed = spawnSync(
10
+ "npm",
11
+ ["pack", "--dry-run", "--json", "--cache", cache],
12
+ { cwd: process.cwd(), encoding: "utf8" },
13
+ );
14
+ if (packed.error) throw packed.error;
15
+ if (packed.status !== 0) {
16
+ throw new Error(packed.stderr.trim() || "npm pack --dry-run failed.");
17
+ }
18
+
19
+ const reports = JSON.parse(packed.stdout);
20
+ const report = reports[0];
21
+ if (!report || !Array.isArray(report.files)) {
22
+ throw new Error("npm pack --dry-run returned no package file list.");
23
+ }
24
+ const files = new Set(report.files.map((file) => file.path));
25
+
26
+ for (const required of ["package.json", "README.md", "dist/index.js"]) {
27
+ requirePackagedPath(files, required);
28
+ }
29
+
30
+ const readme = await readFile("README.md", "utf8");
31
+ for (const rawTarget of markdownLinkTargets(readme)) {
32
+ const target = repositoryRelativeTarget(rawTarget);
33
+ if (!target) continue;
34
+ requirePackagedPath(files, target);
35
+ }
36
+
37
+ for (const forbiddenPrefix of [
38
+ "node_modules/",
39
+ "dist-test/",
40
+ "test/",
41
+ "src/",
42
+ "coverage/",
43
+ ".git/",
44
+ ]) {
45
+ if ([...files].some((file) => file.startsWith(forbiddenPrefix))) {
46
+ throw new Error(`Package unexpectedly includes ${forbiddenPrefix}`);
47
+ }
48
+ }
49
+ for (const forbidden of [
50
+ "examples/interactive-placeholder/workspace/output.txt",
51
+ "npm-debug.log",
52
+ ]) {
53
+ if (files.has(forbidden)) {
54
+ throw new Error(`Package unexpectedly includes ${forbidden}`);
55
+ }
56
+ }
57
+
58
+ process.stdout.write(
59
+ `Verified ${files.size} packaged files and every README-relative target.\n`,
60
+ );
61
+ } finally {
62
+ await rm(cache, { recursive: true, force: true });
63
+ }
64
+
65
+ function requirePackagedPath(files, target) {
66
+ const normalized = path.posix.normalize(target).replace(/^\.\//, "");
67
+ const present =
68
+ files.has(normalized) ||
69
+ [...files].some((file) => file.startsWith(`${normalized}/`));
70
+ if (!present) {
71
+ throw new Error(`Packaged README target is missing: ${target}`);
72
+ }
73
+ }
74
+
75
+ function markdownLinkTargets(markdown) {
76
+ return [...markdown.matchAll(/!?\[[^\]]*\]\(([^)]+)\)/g)].map(
77
+ (match) => match[1]?.trim() ?? "",
78
+ );
79
+ }
80
+
81
+ function repositoryRelativeTarget(rawTarget) {
82
+ if (
83
+ !rawTarget ||
84
+ rawTarget.startsWith("#") ||
85
+ /^[a-z][a-z0-9+.-]*:/i.test(rawTarget)
86
+ ) {
87
+ return undefined;
88
+ }
89
+ const withoutTitle = rawTarget.startsWith("<")
90
+ ? rawTarget.slice(1, rawTarget.indexOf(">"))
91
+ : (rawTarget.split(/\s+["']/)[0] ?? rawTarget);
92
+ const target = decodeURIComponent(withoutTitle.split("#", 1)[0] ?? "");
93
+ if (!target || target === ".." || target.startsWith("../")) {
94
+ throw new Error(`README link escapes the package root: ${rawTarget}`);
95
+ }
96
+ return target;
97
+ }