renma 0.15.2 → 0.17.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +54 -1
- package/README.md +216 -655
- package/architecture.md +523 -0
- package/design.md +458 -0
- package/dist/agent-skills.d.ts +77 -0
- package/dist/agent-skills.d.ts.map +1 -0
- package/dist/agent-skills.js +468 -0
- package/dist/agent-skills.js.map +1 -0
- package/dist/catalog.d.ts.map +1 -1
- package/dist/catalog.js +38 -5
- package/dist/catalog.js.map +1 -1
- package/dist/cli-help.d.ts +13 -11
- package/dist/cli-help.d.ts.map +1 -1
- package/dist/cli-help.js +36 -11
- package/dist/cli-help.js.map +1 -1
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +139 -40
- package/dist/cli.js.map +1 -1
- package/dist/commands/catalog.d.ts.map +1 -1
- package/dist/commands/catalog.js +4 -3
- package/dist/commands/catalog.js.map +1 -1
- package/dist/commands/graph.d.ts.map +1 -1
- package/dist/commands/graph.js +7 -12
- package/dist/commands/graph.js.map +1 -1
- package/dist/commands/readiness.d.ts.map +1 -1
- package/dist/commands/readiness.js +7 -6
- package/dist/commands/readiness.js.map +1 -1
- package/dist/commands/scaffold.d.ts.map +1 -1
- package/dist/commands/scaffold.js +59 -16
- package/dist/commands/scaffold.js.map +1 -1
- package/dist/commands/suggest-metadata.d.ts +3 -1
- package/dist/commands/suggest-metadata.d.ts.map +1 -1
- package/dist/commands/suggest-metadata.js +226 -7
- package/dist/commands/suggest-metadata.js.map +1 -1
- package/dist/commands/suggest-semantic-split.js +3 -3
- package/dist/commands/suggest-semantic-split.js.map +1 -1
- package/dist/dependency-resolution.d.ts +6 -0
- package/dist/dependency-resolution.d.ts.map +1 -0
- package/dist/dependency-resolution.js +11 -0
- package/dist/dependency-resolution.js.map +1 -0
- package/dist/diagnostic-ids.d.ts +29 -0
- package/dist/diagnostic-ids.d.ts.map +1 -1
- package/dist/diagnostic-ids.js +28 -0
- package/dist/diagnostic-ids.js.map +1 -1
- package/dist/discovery.d.ts +50 -0
- package/dist/discovery.d.ts.map +1 -1
- package/dist/discovery.js +183 -25
- package/dist/discovery.js.map +1 -1
- package/dist/metadata.d.ts +3 -1
- package/dist/metadata.d.ts.map +1 -1
- package/dist/metadata.js +166 -29
- package/dist/metadata.js.map +1 -1
- package/dist/model.d.ts +1 -0
- package/dist/model.d.ts.map +1 -1
- package/dist/report.d.ts.map +1 -1
- package/dist/report.js +16 -1
- package/dist/report.js.map +1 -1
- package/dist/repository-paths.d.ts +13 -0
- package/dist/repository-paths.d.ts.map +1 -1
- package/dist/repository-paths.js +60 -2
- package/dist/repository-paths.js.map +1 -1
- package/dist/rules.d.ts.map +1 -1
- package/dist/rules.js +97 -107
- package/dist/rules.js.map +1 -1
- package/dist/scanner.d.ts.map +1 -1
- package/dist/scanner.js +3 -1
- package/dist/scanner.js.map +1 -1
- package/dist/security-diagnostics.d.ts.map +1 -1
- package/dist/security-diagnostics.js +98 -35
- package/dist/security-diagnostics.js.map +1 -1
- package/dist/security-policy-inventory.js +11 -4
- package/dist/security-policy-inventory.js.map +1 -1
- package/dist/security-policy.d.ts +27 -1
- package/dist/security-policy.d.ts.map +1 -1
- package/dist/security-policy.js +247 -34
- package/dist/security-policy.js.map +1 -1
- package/dist/skill-migration.d.ts +30 -0
- package/dist/skill-migration.d.ts.map +1 -0
- package/dist/skill-migration.js +566 -0
- package/dist/skill-migration.js.map +1 -0
- package/dist/trust-graph.d.ts.map +1 -1
- package/dist/trust-graph.js +7 -11
- package/dist/trust-graph.js.map +1 -1
- package/dist/types.d.ts +3 -1
- package/dist/types.d.ts.map +1 -1
- package/dist/yaml-frontmatter.d.ts +26 -0
- package/dist/yaml-frontmatter.d.ts.map +1 -0
- package/dist/yaml-frontmatter.js +114 -0
- package/dist/yaml-frontmatter.js.map +1 -0
- package/docs/README.md +55 -0
- package/docs/advanced-skill-authoring.md +140 -0
- package/docs/agent-skills-compatibility.md +500 -0
- package/docs/authoring-guide.md +324 -0
- package/docs/context-conflict-diagnostics.md +32 -0
- package/docs/context-language-diagnostics.md +99 -0
- package/docs/context-lens.md +253 -0
- package/docs/context-lifecycle-diagnostics.md +55 -0
- package/docs/diagnostics.md +373 -0
- package/docs/metadata-budget.md +14 -0
- package/docs/repository-context-bom.md +113 -0
- package/docs/security-policy.md +338 -0
- package/docs/user-manual.md +813 -0
- package/examples/context-lens/README.md +101 -0
- package/examples/context-lens/contexts/testing/boundary-value-analysis.md +23 -0
- package/examples/context-lens/lenses/testing/spec-review-boundary-values.md +29 -0
- package/examples/context-lens/lenses/testing/test-design-boundary-values.md +29 -0
- package/examples/context-lens/skills/testing/spec-review/SKILL.md +49 -0
- package/examples/context-repo/README.md +149 -0
- package/examples/context-repo/contexts/domain/payment/idempotency.md +20 -0
- package/examples/context-repo/contexts/testing/boundary-value-analysis.md +19 -0
- package/examples/context-repo/contexts/testing/negative-testing.md +19 -0
- package/examples/context-repo/lenses/testing/spec-review-boundary-values.md +35 -0
- package/examples/context-repo/renma.config.json +12 -0
- package/examples/context-repo/skills/testing/spec-review/SKILL.md +66 -0
- package/examples/context-repo/tools/appium/README.md +14 -0
- package/examples/github-actions/renma-ci-report.yml +36 -0
- package/examples/interactive-placeholder/README.md +104 -0
- package/examples/interactive-placeholder/assets/template.txt +1 -0
- package/examples/interactive-placeholder/renma.config.json +6 -0
- package/examples/interactive-placeholder/skills/replace-placeholder/SKILL.md +54 -0
- package/examples/interactive-placeholder/tools/README.md +48 -0
- package/examples/interactive-placeholder/tools/placeholder-demo.mjs +99 -0
- package/package.json +11 -1
- package/plan-discovery.md +740 -0
- package/plan.md +150 -0
- package/scripts/verify-package.mjs +97 -0
package/plan.md
ADDED
|
@@ -0,0 +1,150 @@
|
|
|
1
|
+
# Renma Roadmap
|
|
2
|
+
|
|
3
|
+
## Current Product Definition
|
|
4
|
+
|
|
5
|
+
Renma is a Git-native context repository and deterministic governance CLI for
|
|
6
|
+
agent-consumable Skills, Context Lenses, Context Assets, references, policies,
|
|
7
|
+
ownership, lifecycle, dependencies, and evidence.
|
|
8
|
+
|
|
9
|
+
```text
|
|
10
|
+
Skill = agent-facing entrypoint, routing contract, and workflow guide
|
|
11
|
+
Context Lens = purpose-oriented interpretation over Context Assets
|
|
12
|
+
Context Asset = independently owned source-of-truth knowledge
|
|
13
|
+
```
|
|
14
|
+
|
|
15
|
+
Use platform-native Skill authoring guidance for general Skill design, then use
|
|
16
|
+
Renma for repository-specific governance and validation. Renma keeps repository
|
|
17
|
+
assets discoverable, compatible, owned, linked, validated, reviewable, and
|
|
18
|
+
measurable in Git and CI.
|
|
19
|
+
|
|
20
|
+
Renma's deterministic core follows:
|
|
21
|
+
|
|
22
|
+
```text
|
|
23
|
+
LLM proposes. Renma verifies. Human approves.
|
|
24
|
+
```
|
|
25
|
+
|
|
26
|
+
No-LLM workflows remain first-class.
|
|
27
|
+
|
|
28
|
+
## Stable Product Boundaries
|
|
29
|
+
|
|
30
|
+
Renma owns:
|
|
31
|
+
|
|
32
|
+
- repository discovery and parsing;
|
|
33
|
+
- a normalized asset and relationship model;
|
|
34
|
+
- Agent Skills compatibility checks;
|
|
35
|
+
- catalog, ownership, graph, Trust Graph, Readiness, and BOM projections;
|
|
36
|
+
- deterministic workflow, metadata, lifecycle, relationship, maintenance, and
|
|
37
|
+
security diagnostics;
|
|
38
|
+
- semantic diff and CI review evidence; and
|
|
39
|
+
- deterministic scaffold and non-editing suggestion output.
|
|
40
|
+
|
|
41
|
+
Renma does not own:
|
|
42
|
+
|
|
43
|
+
- general Skill authoring logic supplied by platforms;
|
|
44
|
+
- live Skill or Context selection;
|
|
45
|
+
- prompt assembly or Context injection;
|
|
46
|
+
- Skill, agent, or tool execution;
|
|
47
|
+
- runtime telemetry collection;
|
|
48
|
+
- hosted dashboards or provider gateways;
|
|
49
|
+
- automatic semantic rewriting; or
|
|
50
|
+
- automatic policy weakening or suppression creation.
|
|
51
|
+
|
|
52
|
+
Repository Context BOM v1 remains a declared repository manifest, not a record
|
|
53
|
+
of what an LLM consumed. Trust Graph remains deterministic review evidence, not
|
|
54
|
+
a subjective trust score or runtime enforcement system.
|
|
55
|
+
|
|
56
|
+
## Completed Baseline Through 0.16.0
|
|
57
|
+
|
|
58
|
+
The shipped baseline includes:
|
|
59
|
+
|
|
60
|
+
- deterministic repository scanning, catalog, ownership, graph, focused graph,
|
|
61
|
+
Readiness, semantic diff, and CI reports;
|
|
62
|
+
- first-class Context Assets and Context Lenses with graph-backed validation;
|
|
63
|
+
- repeated-context and workflow diagnostics;
|
|
64
|
+
- security diagnostics, reusable policy profiles, posture summaries, and
|
|
65
|
+
effective policy inventory;
|
|
66
|
+
- Trust Graph evidence and Repository Context BOM v1;
|
|
67
|
+
- `inspect`, `scaffold`, `suggest-metadata`, and
|
|
68
|
+
`suggest-semantic-split` authoring support;
|
|
69
|
+
- LLM-actionable diagnostics v2 and review bundles; and
|
|
70
|
+
- the canonical Agent Skills-compatible Skill format introduced in 0.16.0,
|
|
71
|
+
with flat string-valued `metadata.renma.*` governance and security fields and
|
|
72
|
+
a conservative one-way migration path.
|
|
73
|
+
|
|
74
|
+
Historical release detail belongs in [CHANGELOG.md](CHANGELOG.md). Authoritative
|
|
75
|
+
technical contracts remain in [architecture.md](architecture.md),
|
|
76
|
+
[design.md](design.md), and the focused documents under [docs/](docs/README.md).
|
|
77
|
+
|
|
78
|
+
## 0.17.0: Usability And Documentation Consolidation
|
|
79
|
+
|
|
80
|
+
Renma 0.17.0 improves the usability and consistency of the authoring and
|
|
81
|
+
governance workflows established in 0.16.0. It clarifies documentation, CLI
|
|
82
|
+
guidance, and the handoff between platform-native Skill authoring and Renma's
|
|
83
|
+
repository-specific validation.
|
|
84
|
+
|
|
85
|
+
The release focuses on:
|
|
86
|
+
|
|
87
|
+
- making the new-Skill authoring → scaffold → scan → refine loop discoverable;
|
|
88
|
+
- making the existing-Skill review → suggest-metadata → scan → refine loop
|
|
89
|
+
discoverable;
|
|
90
|
+
- keeping generic CLI guidance platform-neutral;
|
|
91
|
+
- preserving conservative blocked migration and non-editing behavior;
|
|
92
|
+
- consolidating README, user-manual, authoring, compatibility, architecture,
|
|
93
|
+
design, and roadmap responsibilities; and
|
|
94
|
+
- retaining detailed BOM, security, migration, diagnostic, and repository-model
|
|
95
|
+
contracts in focused documents.
|
|
96
|
+
|
|
97
|
+
This release does not add a major command, new schema, discovery model, runtime
|
|
98
|
+
capability, packaging system, or telemetry import.
|
|
99
|
+
|
|
100
|
+
## 0.18.0: Graph-Based Skill Discovery
|
|
101
|
+
|
|
102
|
+
The next proposed capability is a static Skill discovery projection for large
|
|
103
|
+
single repositories. The target is 0.18.0, not 0.17.0.
|
|
104
|
+
|
|
105
|
+
The proposal may add exact Skill-to-Skill route evidence, a static
|
|
106
|
+
`skill-index` report, conservative entrypoint inference, deterministic
|
|
107
|
+
discovery diagnostics, and later Readiness/diff integrations. It must preserve
|
|
108
|
+
the source `SKILL.md` files, the non-runtime boundary, deterministic outputs,
|
|
109
|
+
and backward compatibility.
|
|
110
|
+
|
|
111
|
+
The design is proposed rather than implemented. See
|
|
112
|
+
[plan-discovery.md](plan-discovery.md) for prototype knowledge, open decisions,
|
|
113
|
+
phases, and non-goals.
|
|
114
|
+
|
|
115
|
+
## Later Candidates
|
|
116
|
+
|
|
117
|
+
Later work may consider:
|
|
118
|
+
|
|
119
|
+
- importing separately produced consumed-context evidence after a stable,
|
|
120
|
+
versioned contract exists;
|
|
121
|
+
- additive BOM or Trust Graph projections for stable discovery evidence;
|
|
122
|
+
- optional semantic review helpers that consume explicit deterministic bundles;
|
|
123
|
+
- multi-repository or distribution workflows after the single-repository model
|
|
124
|
+
is stable; and
|
|
125
|
+
- review visualizations derived from versioned report contracts.
|
|
126
|
+
|
|
127
|
+
These candidates require explicit product decisions. They are not commitments
|
|
128
|
+
and must not blur repository governance with runtime execution or telemetry
|
|
129
|
+
ownership.
|
|
130
|
+
|
|
131
|
+
## Explicitly Out Of Scope
|
|
132
|
+
|
|
133
|
+
The current roadmap excludes:
|
|
134
|
+
|
|
135
|
+
- accepting task text and automatically selecting or ranking a Skill;
|
|
136
|
+
- fuzzy, embedding, or LLM-based runtime routing;
|
|
137
|
+
- runtime Context selection, loading, injection, or prompt assembly;
|
|
138
|
+
- Skill or agent execution and tool orchestration;
|
|
139
|
+
- automatic Skill body rewriting;
|
|
140
|
+
- platform-native authoring logic inside Renma;
|
|
141
|
+
- arbitrary Skill roots without a separately reviewed compatibility decision;
|
|
142
|
+
- package publication, Context materialization, or repository distribution;
|
|
143
|
+
- runtime telemetry collection or hidden consumed-context import;
|
|
144
|
+
- BOM v2 without a demonstrated breaking-contract need;
|
|
145
|
+
- automatic policy relaxation or suppression generation; and
|
|
146
|
+
- new metadata semantics without an implemented deterministic consumer.
|
|
147
|
+
|
|
148
|
+
The roadmap should stay current-facing. Completed behavior belongs in the
|
|
149
|
+
baseline and changelog; detailed semantics belong in their canonical technical
|
|
150
|
+
documents; proposed discovery remains isolated in the 0.18.0 plan.
|
|
@@ -0,0 +1,97 @@
|
|
|
1
|
+
import { mkdtemp, readFile, rm } from "node:fs/promises";
|
|
2
|
+
import os from "node:os";
|
|
3
|
+
import path from "node:path";
|
|
4
|
+
import { spawnSync } from "node:child_process";
|
|
5
|
+
|
|
6
|
+
const cache = await mkdtemp(path.join(os.tmpdir(), "renma-npm-pack-"));
|
|
7
|
+
|
|
8
|
+
try {
|
|
9
|
+
const packed = spawnSync(
|
|
10
|
+
"npm",
|
|
11
|
+
["pack", "--dry-run", "--json", "--cache", cache],
|
|
12
|
+
{ cwd: process.cwd(), encoding: "utf8" },
|
|
13
|
+
);
|
|
14
|
+
if (packed.error) throw packed.error;
|
|
15
|
+
if (packed.status !== 0) {
|
|
16
|
+
throw new Error(packed.stderr.trim() || "npm pack --dry-run failed.");
|
|
17
|
+
}
|
|
18
|
+
|
|
19
|
+
const reports = JSON.parse(packed.stdout);
|
|
20
|
+
const report = reports[0];
|
|
21
|
+
if (!report || !Array.isArray(report.files)) {
|
|
22
|
+
throw new Error("npm pack --dry-run returned no package file list.");
|
|
23
|
+
}
|
|
24
|
+
const files = new Set(report.files.map((file) => file.path));
|
|
25
|
+
|
|
26
|
+
for (const required of ["package.json", "README.md", "dist/index.js"]) {
|
|
27
|
+
requirePackagedPath(files, required);
|
|
28
|
+
}
|
|
29
|
+
|
|
30
|
+
const readme = await readFile("README.md", "utf8");
|
|
31
|
+
for (const rawTarget of markdownLinkTargets(readme)) {
|
|
32
|
+
const target = repositoryRelativeTarget(rawTarget);
|
|
33
|
+
if (!target) continue;
|
|
34
|
+
requirePackagedPath(files, target);
|
|
35
|
+
}
|
|
36
|
+
|
|
37
|
+
for (const forbiddenPrefix of [
|
|
38
|
+
"node_modules/",
|
|
39
|
+
"dist-test/",
|
|
40
|
+
"test/",
|
|
41
|
+
"src/",
|
|
42
|
+
"coverage/",
|
|
43
|
+
".git/",
|
|
44
|
+
]) {
|
|
45
|
+
if ([...files].some((file) => file.startsWith(forbiddenPrefix))) {
|
|
46
|
+
throw new Error(`Package unexpectedly includes ${forbiddenPrefix}`);
|
|
47
|
+
}
|
|
48
|
+
}
|
|
49
|
+
for (const forbidden of [
|
|
50
|
+
"examples/interactive-placeholder/workspace/output.txt",
|
|
51
|
+
"npm-debug.log",
|
|
52
|
+
]) {
|
|
53
|
+
if (files.has(forbidden)) {
|
|
54
|
+
throw new Error(`Package unexpectedly includes ${forbidden}`);
|
|
55
|
+
}
|
|
56
|
+
}
|
|
57
|
+
|
|
58
|
+
process.stdout.write(
|
|
59
|
+
`Verified ${files.size} packaged files and every README-relative target.\n`,
|
|
60
|
+
);
|
|
61
|
+
} finally {
|
|
62
|
+
await rm(cache, { recursive: true, force: true });
|
|
63
|
+
}
|
|
64
|
+
|
|
65
|
+
function requirePackagedPath(files, target) {
|
|
66
|
+
const normalized = path.posix.normalize(target).replace(/^\.\//, "");
|
|
67
|
+
const present =
|
|
68
|
+
files.has(normalized) ||
|
|
69
|
+
[...files].some((file) => file.startsWith(`${normalized}/`));
|
|
70
|
+
if (!present) {
|
|
71
|
+
throw new Error(`Packaged README target is missing: ${target}`);
|
|
72
|
+
}
|
|
73
|
+
}
|
|
74
|
+
|
|
75
|
+
function markdownLinkTargets(markdown) {
|
|
76
|
+
return [...markdown.matchAll(/!?\[[^\]]*\]\(([^)]+)\)/g)].map(
|
|
77
|
+
(match) => match[1]?.trim() ?? "",
|
|
78
|
+
);
|
|
79
|
+
}
|
|
80
|
+
|
|
81
|
+
function repositoryRelativeTarget(rawTarget) {
|
|
82
|
+
if (
|
|
83
|
+
!rawTarget ||
|
|
84
|
+
rawTarget.startsWith("#") ||
|
|
85
|
+
/^[a-z][a-z0-9+.-]*:/i.test(rawTarget)
|
|
86
|
+
) {
|
|
87
|
+
return undefined;
|
|
88
|
+
}
|
|
89
|
+
const withoutTitle = rawTarget.startsWith("<")
|
|
90
|
+
? rawTarget.slice(1, rawTarget.indexOf(">"))
|
|
91
|
+
: (rawTarget.split(/\s+["']/)[0] ?? rawTarget);
|
|
92
|
+
const target = decodeURIComponent(withoutTitle.split("#", 1)[0] ?? "");
|
|
93
|
+
if (!target || target === ".." || target.startsWith("../")) {
|
|
94
|
+
throw new Error(`README link escapes the package root: ${rawTarget}`);
|
|
95
|
+
}
|
|
96
|
+
return target;
|
|
97
|
+
}
|