renma 0.16.0 → 0.17.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (85) hide show
  1. package/CHANGELOG.md +35 -1
  2. package/README.md +210 -749
  3. package/architecture.md +523 -0
  4. package/design.md +458 -0
  5. package/dist/cli-help.d.ts +7 -5
  6. package/dist/cli-help.d.ts.map +1 -1
  7. package/dist/cli-help.js +23 -9
  8. package/dist/cli-help.js.map +1 -1
  9. package/dist/cli.d.ts.map +1 -1
  10. package/dist/cli.js +139 -40
  11. package/dist/cli.js.map +1 -1
  12. package/dist/commands/catalog.d.ts.map +1 -1
  13. package/dist/commands/catalog.js +4 -3
  14. package/dist/commands/catalog.js.map +1 -1
  15. package/dist/commands/graph.d.ts.map +1 -1
  16. package/dist/commands/graph.js +7 -12
  17. package/dist/commands/graph.js.map +1 -1
  18. package/dist/commands/readiness.d.ts.map +1 -1
  19. package/dist/commands/readiness.js +7 -6
  20. package/dist/commands/readiness.js.map +1 -1
  21. package/dist/commands/scaffold.d.ts.map +1 -1
  22. package/dist/commands/scaffold.js +14 -2
  23. package/dist/commands/scaffold.js.map +1 -1
  24. package/dist/commands/suggest-metadata.d.ts.map +1 -1
  25. package/dist/commands/suggest-metadata.js +54 -8
  26. package/dist/commands/suggest-metadata.js.map +1 -1
  27. package/dist/commands/suggest-semantic-split.js +3 -3
  28. package/dist/commands/suggest-semantic-split.js.map +1 -1
  29. package/dist/dependency-resolution.d.ts +6 -0
  30. package/dist/dependency-resolution.d.ts.map +1 -0
  31. package/dist/dependency-resolution.js +11 -0
  32. package/dist/dependency-resolution.js.map +1 -0
  33. package/dist/discovery.d.ts +28 -0
  34. package/dist/discovery.d.ts.map +1 -1
  35. package/dist/discovery.js +70 -15
  36. package/dist/discovery.js.map +1 -1
  37. package/dist/repository-paths.d.ts +13 -0
  38. package/dist/repository-paths.d.ts.map +1 -1
  39. package/dist/repository-paths.js +60 -2
  40. package/dist/repository-paths.js.map +1 -1
  41. package/dist/rules.d.ts.map +1 -1
  42. package/dist/rules.js +64 -85
  43. package/dist/rules.js.map +1 -1
  44. package/dist/trust-graph.d.ts.map +1 -1
  45. package/dist/trust-graph.js +7 -11
  46. package/dist/trust-graph.js.map +1 -1
  47. package/dist/types.d.ts +1 -1
  48. package/dist/types.d.ts.map +1 -1
  49. package/docs/README.md +55 -0
  50. package/docs/advanced-skill-authoring.md +140 -0
  51. package/docs/agent-skills-compatibility.md +500 -0
  52. package/docs/authoring-guide.md +324 -0
  53. package/docs/context-conflict-diagnostics.md +32 -0
  54. package/docs/context-language-diagnostics.md +99 -0
  55. package/docs/context-lens.md +253 -0
  56. package/docs/context-lifecycle-diagnostics.md +55 -0
  57. package/docs/diagnostics.md +373 -0
  58. package/docs/metadata-budget.md +14 -0
  59. package/docs/repository-context-bom.md +113 -0
  60. package/docs/security-policy.md +338 -0
  61. package/docs/user-manual.md +813 -0
  62. package/examples/context-lens/README.md +101 -0
  63. package/examples/context-lens/contexts/testing/boundary-value-analysis.md +23 -0
  64. package/examples/context-lens/lenses/testing/spec-review-boundary-values.md +29 -0
  65. package/examples/context-lens/lenses/testing/test-design-boundary-values.md +29 -0
  66. package/examples/context-lens/skills/testing/spec-review/SKILL.md +49 -0
  67. package/examples/context-repo/README.md +149 -0
  68. package/examples/context-repo/contexts/domain/payment/idempotency.md +20 -0
  69. package/examples/context-repo/contexts/testing/boundary-value-analysis.md +19 -0
  70. package/examples/context-repo/contexts/testing/negative-testing.md +19 -0
  71. package/examples/context-repo/lenses/testing/spec-review-boundary-values.md +35 -0
  72. package/examples/context-repo/renma.config.json +12 -0
  73. package/examples/context-repo/skills/testing/spec-review/SKILL.md +66 -0
  74. package/examples/context-repo/tools/appium/README.md +14 -0
  75. package/examples/github-actions/renma-ci-report.yml +36 -0
  76. package/examples/interactive-placeholder/README.md +104 -0
  77. package/examples/interactive-placeholder/assets/template.txt +1 -0
  78. package/examples/interactive-placeholder/renma.config.json +6 -0
  79. package/examples/interactive-placeholder/skills/replace-placeholder/SKILL.md +54 -0
  80. package/examples/interactive-placeholder/tools/README.md +48 -0
  81. package/examples/interactive-placeholder/tools/placeholder-demo.mjs +99 -0
  82. package/package.json +8 -1
  83. package/plan-discovery.md +740 -0
  84. package/plan.md +150 -0
  85. package/scripts/verify-package.mjs +97 -0
package/README.md CHANGED
@@ -3,818 +3,279 @@
3
3
  [![NPM version](http://img.shields.io/npm/v/renma.svg)](https://npmjs.org/package/renma)
4
4
  [![Downloads](http://img.shields.io/npm/dm/renma.svg)](https://npmjs.org/package/renma)
5
5
 
6
-
7
- Renma is a Git-native context repository and deterministic governance tool for
8
- LLM-facing knowledge. It manages reusable Skills, Context Lenses, Context
9
- Assets, references, ownership, lifecycle, dependencies, and evidence as
10
- maintainable software assets.
11
-
12
- Instead of letting critical knowledge get copied into prompts or buried in
13
- one-off Markdown files, Renma keeps it named, owned, versioned, linked, checked
14
- in CI, and reviewed through deterministic diagnostics. Agents, coding tools,
15
- and other runtimes consume those repository assets according to their own
16
- runtime behavior.
17
-
18
- Renma now supports `scan`, `catalog`, `ownership`, `graph`, focused graph views, `trust-graph`, `readiness`, Repository Context BOM reports, repeated-context diagnostics, semantic diff, `ci-report`, `inspect`, `scaffold`, `suggest-metadata`, `suggest-semantic-split`, and security diagnostics.
19
-
20
- Renma is especially useful when a repository contains agent-facing material such as:
21
-
22
- - Codex, Claude, Cursor, or other agent skills
23
- - `AGENTS.md` and repository instructions
24
- - Shared product, domain, QA, platform, or tool guidance
25
- - Team-owned context assets that should outlive a single prompt
26
- - References and examples that agents should be able to cite or inspect
27
-
28
- Renma is not an agent runtime, prompt builder, live context selector, workflow
29
- engine, telemetry collector, vector database, or general Markdown linter.
30
- Markdown is the storage format today; the product is the repository model and
31
- the deterministic governance views around agent-consumable knowledge.
32
-
33
- Use Renma when you need to answer repository-level questions such as:
34
-
35
- - What agent-consumable knowledge exists in this repo?
36
- - Which skills, context assets, examples, and tool notes are reusable?
37
- - Which assets are unowned, stale, orphaned, incomplete, deprecated, or broken?
38
- - Which product decisions, bug history, testing strategy, or platform guidance should be promoted from one-off prompt text into shared context?
39
- - What changed in the agent-facing knowledge catalog during this pull request?
40
-
41
- ## What Is a Context Repository?
42
-
43
- A Context Repository is a Git-reviewed source of truth for reusable knowledge that LLMs and agents can consume.
44
-
45
- It is not a prompt library. It is not a vector database. It is not an agent memory.
46
-
47
- It is a place where teams maintain context assets with ownership, lifecycle state, dependencies, references, and review history.
48
-
49
- ## Agent Skills Compatibility
50
-
51
- Renma recognizes and validates [Agent Skills-compatible syntax](https://agentskills.io/specification)
52
- as a familiar, portable authoring entrypoint. This lowers adoption cost without
53
- making the Agent Skills format Renma's complete repository model: shared
54
- Context Assets, Context Lenses, policies, references, ownership, lifecycle,
55
- dependencies, and evidence remain independently governed repository assets.
56
-
57
- In short, Renma is **Agent Skills-compatible, but not Agent Skills-defined**. A
58
- repository may organize its broader knowledge assets around domains, products,
59
- teams, or workflows without embedding them inside Skill directories. Canonical
60
- Skill entrypoints in 0.16.0 are still discovered only under
61
- `skills/**/SKILL.md` and `.agents/skills/**/SKILL.md`; arbitrary Skill roots are
62
- not implemented. Renma is not an Agent Skills runtime, registry, or live
63
- router. For the exact 0.16.0 syntax and migration boundary, see
64
- [Agent Skills Compatibility and Migration](docs/agent-skills-compatibility.md).
65
-
66
- ## The Layer Model
6
+ Renma is a Git-native context repository and deterministic governance CLI for
7
+ LLM-facing knowledge. It keeps Skills, Context Lenses, Context Assets,
8
+ references, ownership, lifecycle, dependencies, security policy, and evidence
9
+ reviewable as maintainable software assets.
10
+
11
+ Agent-facing knowledge tends to spread across copied prompts, one-off Markdown,
12
+ and team-local instructions. Renma gives that material stable repository
13
+ identity, explicit relationships, deterministic validation, and CI-friendly
14
+ reports without becoming an agent runtime.
15
+
16
+ ## Why A Context Repository?
17
+
18
+ A Context Repository is a Git-reviewed source of truth for reusable knowledge
19
+ that LLMs and agents can consume. Without that repository boundary, important
20
+ guidance is copied across prompts and Skills, buried in one-off instructions,
21
+ detached from an owner, difficult to review, and increasingly inconsistent as
22
+ teams and workflows evolve. It also becomes hard to tell maintained guidance
23
+ from obsolete or unofficial material.
24
+
25
+ Reusable context should be treated as a maintainable software asset: identified,
26
+ owned, versioned in Git, connected through explicit relationships, reviewed by
27
+ humans, validated deterministically, and usable across more than one Skill or
28
+ runtime. A Skill is an agent-facing entrypoint and workflow guide; the broader
29
+ Context Repository preserves knowledge that can outlive or serve multiple
30
+ Skills.
31
+
32
+ Renma operationalizes this model through deterministic repository governance.
33
+ It is not a prompt library, agent runtime, live Context selector, vector
34
+ database, agent memory, replacement for RAG, or generic Markdown linter. See the
35
+ [Context Repository notes](https://kazucocoa.blog/context-repository/) for the
36
+ broader product framing.
37
+
38
+ ## Agent Skills And Renma
39
+
40
+ Use your platform's standard Skill authoring guidance for general Skill design,
41
+ then use Renma for repository-specific governance and validation.
42
+
43
+ Platform-native guidance owns the Skill's name, trigger description,
44
+ instructions, workflow, constraints, examples, and completion criteria. Renma
45
+ complements it with canonical metadata, Agent Skills compatibility, dependency
46
+ and graph validation, ownership and lifecycle governance, security policy
47
+ validation, workflow diagnostics, repository-wide scan, and readiness views.
48
+ Renma does not replace general Skill authoring guidance.
49
+
50
+ Renma is **Agent Skills-compatible, but not Agent Skills-defined**. Canonical Agent Skills entrypoints
51
+ are discovered under `skills/**/SKILL.md` and
52
+ `.agents/skills/**/SKILL.md`. Renma also discovers historical `skill.md` and
53
+ `*.skill.md` entrypoints for migration diagnostics, but discovery does not make those spellings Agent Skills-compatible.
54
+ The broader repository model also
55
+ includes independently governed Context Assets, Context Lenses, policies,
56
+ references, and evidence.
57
+
58
+ See [Agent Skills Compatibility and Migration](docs/agent-skills-compatibility.md)
59
+ for the exact format and one-way migration contract.
60
+
61
+ ## Product Boundary
62
+
63
+ Renma discovers, parses, normalizes, and validates repository assets. It does
64
+ not:
65
+
66
+ - select a Skill or Context for a live task;
67
+ - assemble or inject prompts;
68
+ - execute Skills, agents, or tools;
69
+ - call an LLM for core analysis;
70
+ - collect runtime telemetry; or
71
+ - automatically rewrite Skill bodies or weaken policy.
67
72
 
68
73
  ```mermaid
69
74
  flowchart TD
70
- subgraph Repository["Git-reviewed Repository — source of truth"]
71
- Skills["Skills: agent-facing entrypoints and usage guides"]
72
- Lenses["Context Lenses: purpose-oriented interpretation"]
73
- Assets["Context Assets: reusable source-of-truth knowledge"]
75
+ subgraph Repository["Git-reviewed repository"]
76
+ Skills["Skills: entrypoints and workflows"]
77
+ Lenses["Context Lenses: interpretation"]
78
+ Context["Context Assets: durable knowledge"]
74
79
  Skills -->|may reference| Lenses
75
- Skills -->|may reference directly| Assets
76
- Lenses -->|interprets| Assets
80
+ Skills -->|may reference directly| Context
81
+ Lenses -->|interprets| Context
77
82
  end
78
- Renma["Renma: discover, parse, normalize, and validate"]
79
- Catalog["Catalog: generated projection of IDs, ownership, lifecycle, dependencies, evidence"]
80
- Views["Graph, Trust Graph, Readiness, and BOM projections"]
81
- Consumers["External tools and agents — runtime behavior outside Renma"]
82
- Skills --> Renma
83
- Lenses --> Renma
84
- Assets --> Renma
85
- Renma --> Catalog
86
- Renma --> Views
87
- Consumers -->|consume according to their runtime behavior| Skills
88
- Consumers -->|may also consume| Lenses
89
- Consumers -->|may also consume| Assets
90
- ```
91
-
92
- Skills may point through a Context Lens or directly to a Context Asset; a Lens
93
- is not required for every asset. Renma generates the Catalog and other
94
- governance projections from repository source assets and declarations; the
95
- Catalog describes those assets rather than creating them. Renma validates
96
- static declarations but does not select a Skill, choose or inject task Context,
97
- assemble a prompt, or execute the consumer's workflow.
98
-
99
- ## Primary Workflows
100
-
101
- Renma supports two common user journeys:
102
-
103
- 1. [Create a new Skill with `scaffold`](docs/user-manual.md#user-story-create-a-new-skill-with-scaffold), add reusable Context, validate the repository, and review the result.
104
- 2. [Improve an existing Skill or context repository](docs/user-manual.md#user-story-improve-existing-skills-with-diagnostics) from deterministic diagnostics, optionally using a coding agent to propose a patch that a human reviews.
105
-
106
- The [`examples/context-repo`](examples/context-repo) fixture demonstrates the
107
- second journey as a repository-aware, statically navigable specification review
108
- with an explicit Renma, agent, and human responsibility boundary.
109
-
110
- ## How Renma Relates to RAG and Agent Memory
111
-
112
- Renma does not replace RAG, vector databases, or agent memory.
113
-
114
- RAG helps systems retrieve relevant information. Renma helps teams organize reusable knowledge before it is retrieved. Agent memory grows from an agent's experience. A Context Repository grows from human-curated knowledge.
115
-
116
- These layers can work together:
117
-
118
- ```text
119
- People create knowledge -> Renma organizes it -> RAG retrieves it -> agents consume it -> agent memory records experience
83
+ Renma["Renma: deterministic governance"]
84
+ Reports["Scan, Catalog, Graph, Trust Graph, Readiness, and BOM"]
85
+ Review["Human review"]
86
+ Runtime["External agents and runtimes"]
87
+ Repository --> Renma --> Reports --> Review
88
+ Runtime -->|consumes according to its own behavior| Repository
120
89
  ```
121
90
 
122
- ## Why Renma?
123
-
124
- As AI-agent repositories grow, expertise often gets duplicated across skills and prompts. Testing heuristics, domain risks, tool usage notes, product decisions, and team-specific contracts drift apart. Ownership becomes unclear. References break. Deprecated guidance remains reachable. New engineers and agents cannot tell which knowledge is authoritative.
125
-
126
- Renma gives that material the same operational posture teams expect from source code:
91
+ ## Primary Skill Workflows
127
92
 
128
- - Reusable across skills and agents
129
- - Owned by a team or maintainer
130
- - Reviewable in pull requests
131
- - Versioned in Git
132
- - Composable through explicit references and dependencies
133
- - Validated with deterministic checks
134
- - Easy to inspect locally and in CI
135
-
136
- For example, a testing organization can keep boundary value analysis, negative testing, regression risk, payment idempotency, duplicate charge prevention, refund edge cases, mobile offline behavior, mobile automation notes, and known team-specific risks as shared context assets instead of burying them inside individual skills.
137
-
138
- ## Repository Shape
139
-
140
- Renma supports existing skill-local references, profiles, and examples. The preferred model is to give reusable knowledge first-class space under `contexts/`:
93
+ For a new Skill, use platform-native guidance to design the workflow, then run
94
+ one generator for the target file:
141
95
 
142
96
  ```text
143
- skills/
144
- testing/
145
- test-case-generation/
146
- SKILL.md
147
- spec-review/
148
- SKILL.md
149
- regression-planning/
150
- SKILL.md
151
-
152
- contexts/
153
- testing/
154
- boundary-value-analysis.md
155
- negative-testing.md
156
- regression-risk.md
157
- domain/
158
- payment/
159
- idempotency.md
160
- duplicate-charge.md
161
- refund-risk.md
162
- mobile/
163
- offline-behavior.md
164
- background-resume.md
165
- tools/
166
- appium/
167
- usage-guideline.md
168
- limitations.md
169
- teams/
170
- checkout/
171
- payment-api-contracts.md
172
- known-risk-patterns.md
173
-
174
- lenses/
175
- testing/
176
- spec-review-boundary-values.md
177
- ```
178
-
179
- This is an illustrative domain-oriented layout, not a required repository
180
- schema. `contexts/` is preferred and `context/` is also scanned for
181
- compatibility. Files under either root are cataloged as first-class `context`
182
- assets, while `context_lens` assets live under `lenses/` or opt in from context
183
- files with `type: context_lens`. Skill-local `references/` remain supported as
184
- `reference` assets.
185
-
186
- ## What Renma Does Today
187
-
188
- Renma is a minimal-dependency TypeScript CLI that scans local repositories and builds a deterministic catalog of agent-consumable assets.
189
-
190
- It currently scans:
191
-
192
- - AI-agent skills
193
- - Repository instructions such as `AGENTS.md`
194
- - Shared context Markdown under `context/` and `contexts/`
195
- - Skill profiles, references, and examples
196
- - Tool guidance and support files
197
- - README-level repository documentation
198
-
199
- It produces:
200
-
201
- - File and line-level diagnostics
202
- - Catalog reports with deterministic asset IDs
203
- - Ownership coverage reports
204
- - Dependency graph reports
205
- - Trust Graph evidence reports
206
- - Agent readiness reports
207
- - Repository Context BOM manifests
208
- - JSON output for CI and downstream tooling
209
- - Text output designed to become actionable repair prompts for humans or agents
210
-
211
- Findings are meant to explain what is wrong, why it matters, where the evidence is, what to preserve while fixing it, and how to verify the repair. Renma does not apply large semantic rewrites itself; it emits structured diagnostics so a human or coding agent can propose a reviewable patch and run Renma again.
212
-
213
- JSON scan output also includes additive `diagnosticsV2` and `reviewBundles` fields for LLM-assisted repair and review tooling. These normalize findings and diagnostics into stable codes, locations, typed repair constraints, structured verification steps, concise `llmHint` guidance, and deterministic groups of related issues. See the [Diagnostics Reference](docs/diagnostics.md) for the schema and examples.
214
-
215
- ## Scan, Catalog, Graph, Readiness, And BOM
216
-
217
- Renma exposes several deterministic views over the same repository evidence. They answer different questions.
218
-
219
- | Command | Main question | Best for | Output shape |
220
- | --- | --- | --- | --- |
221
- | `scan` | What concrete problems were found? | Fixing diagnostics and CI checks | Finding list |
222
- | `catalog` | What assets exist? | Reviewing IDs, owners, lifecycle metadata, hashes, tags, and declared dependencies | Asset inventory |
223
- | `graph` | How are assets connected? | Inspecting dependencies and references | Asset relationship graph |
224
- | `trust-graph` | What evidence helps reviewers decide whether assets are safe, owned, current, and usable enough? | Tracing owner, lifecycle, policy, dependency, reference, and diagnostic evidence per asset | Evidence graph |
225
- | `readiness` | Is the repository broadly ready for agent-facing use? | Maintainer summary and CI reporting | Repository-level scorecard |
226
- | `bom` | What declared repository context manifest should reviewers inspect? | Combining catalog, graph, readiness, diagnostics, lifecycle, hashes, and security posture evidence | Repository Context BOM |
227
-
228
- `trust-graph` does not decide that an asset is trustworthy. It connects deterministic evidence that humans and downstream tools can review: owner, lifecycle status, dependency and reference relationships, selected security profiles, effective policy fingerprints, and diagnostics.
229
-
230
- In short:
231
-
232
- - `scan` lists problems.
233
- - `catalog` lists what assets exist.
234
- - `graph` shows structural relationships.
235
- - `trust-graph` connects trust-relevant evidence.
236
- - `readiness` summarizes repository health.
237
- - `bom` combines declared asset inventory, dependencies, hashes, lifecycle, diagnostics, readiness, and security posture evidence into a reviewable repository manifest.
238
-
239
- Useful command examples:
240
-
241
- ```bash
242
- renma scan . --format json
243
- renma catalog . --format json
244
- renma graph . --format json
245
- renma trust-graph . --format markdown
246
- renma trust-graph . --format json
247
- renma readiness . --format markdown
248
- renma bom . --format json
249
- renma bom . --format markdown
250
- renma bom . --format json --omit-generated-at
97
+ platform-native Skill authoring guidance
98
+ -> renma scaffold skill
99
+ -> review and complete the generated Skill
100
+ -> renma scan . --fail-on high
101
+ -> fix relevant diagnostics
102
+ -> rerun validation
103
+ -> human review
251
104
  ```
252
105
 
253
- ### Repository Context BOM
254
-
255
- `renma bom` prints a declared Repository Context BOM generated from existing Renma evidence. See the [Repository Context BOM contract](docs/repository-context-bom.md) for the authoritative v1 schema, snapshot, reproducibility, provenance, and future consumed-context evidence boundaries.
256
-
257
- ```bash
258
- renma bom . --format json
259
- renma bom . --format markdown
260
- renma bom . --format json --omit-generated-at
261
- ```
262
-
263
- The BOM is a repository manifest, not a runtime usage report. It combines the catalog asset inventory, content hashes, owners, lifecycle metadata, declared dependency graph evidence, diagnostics, readiness checks, security posture, and security policy inventory into one reviewable artifact.
264
-
265
- Renma derives each BOM from one in-memory repository snapshot: configuration, discovered artifacts, parsed documents, catalog, graph evidence, diagnostics, readiness, and security summaries all come from the same collected state.
266
-
267
- It does not describe what an LLM actually used, assemble prompts, select task-specific context, inject context into agents, import consumed-context evidence, or collect telemetry. JSON is the source of truth; Markdown is the compact pull-request review view.
268
-
269
- By default, `generatedAt` records the actual generation time. Use `--omit-generated-at` when CI or review automation needs to avoid clock-based diffs. With the same checkout path, config path, repository contents, Renma version, and UTC evaluation date, repeated `--omit-generated-at` runs should produce byte-identical JSON. The option does not remove metadata freshness dates, suppress freshness diagnostics, normalize absolute `root` or `configPath`, hide file moves, or guarantee portable byte-for-byte output across runners.
270
-
271
- ### Repeated context diagnostics
272
-
273
- `renma scan` reports deterministic repeated-context candidates across discovered skills, agents, profiles, references, examples, and shared context assets. These findings are evidence for consolidation, not automatic source-of-truth decisions:
106
+ For an existing Skill:
274
107
 
275
108
  ```text
276
- LLM proposes. Renma verifies. Human approves.
277
- ```
278
-
279
- The MVP rule IDs are:
280
-
281
- - `MAINT-REPEATED-SECTION` for repeated normalized section hashes.
282
- - `MAINT-REPEATED-HEADING` for repeated non-generic headings.
283
- - `MAINT-REPEATED-CODE-BLOCK` for repeated substantial code fences.
284
- - `MAINT-REPEATED-LINK` for repeated repository context link targets.
285
- - `MAINT-REPEATED-CONTEXT-PATTERN` for repeated token shingles.
286
-
287
- Renma normalizes whitespace and only reports cross-file candidates with stable parser evidence. Remediation text asks maintainers to preserve ownership boundaries, procedural detail, and human approval while consolidating owned knowledge.
288
-
289
- LLM-authored skills and context assets often converge on similar wording, structure, and safety boilerplate. That uniformity can make deterministic checks more useful, not less: Renma can catch repeated sections, duplicated guidance, stale ownership, risky commands, and policy drift without needing to call an LLM. The findings are evidence for review, not automatic rewrite decisions.
290
-
291
- ## How Renma differs from adjacent tools
292
-
293
- Prompt-management and eval tools focus on prompts, traces, and model outputs.
294
-
295
- Renma focuses one layer lower: the reusable context assets and skills that prompts, agents, and tools depend on.
296
-
297
- Knowledge-management tools help humans organize notes and documents.
298
-
299
- Renma focuses on machine-consumable repository knowledge that can be owned, referenced, validated, and reused in AI workflows.
300
-
301
- Software catalogs track services, libraries, ownership, and lifecycle.
302
-
303
- Renma applies a similar catalog model to context assets.
304
-
305
- ## First-Time Use
306
-
307
- Try Renma against the current repository:
308
-
309
- ```bash
310
- npx renma scan .
311
- npx renma catalog . --format json
312
- npx renma graph . --format mermaid
313
- npx renma trust-graph . --format json
314
- npx renma readiness .
315
- npx renma diff . --from main --to HEAD --format markdown
109
+ review with platform-native Skill authoring guidance
110
+ -> renma scan . --fail-on high
111
+ -> inspect relevant diagnostics and repository evidence
112
+ -> use suggest-metadata only for metadata or migration work
113
+ -> prepare and review intended changes
114
+ -> renma scan . --fail-on high
115
+ -> fix relevant diagnostics
116
+ -> rerun validation
117
+ -> human review
316
118
  ```
317
119
 
318
- The first command does not require you to design a knowledge architecture up front. It scans the repository, builds a local catalog, and reports obvious health issues such as broken links, unclear ownership, risky instructions, weak structure, and context that may be hard for agents to trust.
120
+ Do not run two independent generators against the same target file. If a
121
+ platform-native tool can generate Skills, ask it to review or refine the Renma
122
+ scaffold, or ask it to use `renma scaffold skill` as its starting point.
123
+ `suggest-metadata` never edits the target and does not improve the Skill body.
319
124
 
320
- Command-specific help is designed for both humans and coding agents: start with `renma --help`, then run `renma <command> --help` before choosing a workflow. For guided workflows, see the User Manual sections on [LLM-assisted skill maintenance](docs/user-manual.md#llm-assisted-skill-maintenance), [creating a new skill with scaffold](docs/user-manual.md#user-story-create-a-new-skill-with-scaffold), and [improving existing skills with diagnostics](docs/user-manual.md#user-story-improve-existing-skills-with-diagnostics).
125
+ The [Authoring Guide](docs/authoring-guide.md) is the canonical walkthrough for
126
+ both workflows.
321
127
 
322
- If you are developing Renma from source:
128
+ ## Install And Quick Start
323
129
 
324
- ```bash
325
- npm install
326
- npm run build
327
- node dist/index.js scan .
328
- ```
329
-
330
- Then inspect the catalog and graph:
130
+ Run Renma without installing it globally:
331
131
 
332
132
  ```bash
333
- node dist/index.js catalog . --format json
334
- node dist/index.js graph . --format mermaid
335
- node dist/index.js trust-graph . --format json
336
- node dist/index.js readiness .
337
- node dist/index.js diff . --from main --to HEAD --format markdown
133
+ npx renma scan . --fail-on high
134
+ npx renma catalog . --format markdown
135
+ npx renma graph . --format markdown
136
+ npx renma readiness . --format markdown
338
137
  ```
339
138
 
340
- Author a skill, context asset, or context lens with `scaffold`:
139
+ Create and complete a new Skill:
341
140
 
342
141
  ```bash
343
- npx renma scaffold skill skills/testing/spec-review/SKILL.md --id skill.testing.spec-review --title "Spec Review" --owner qa-platform --tags testing,spec-review
344
- npx renma scaffold context contexts/testing/boundary-value-analysis.md --id context.testing.boundary-value-analysis --title "Boundary Value Analysis" --owner qa-platform --tags testing
345
- npx renma scaffold context_lens lenses/testing/spec-review-boundary-values.md --id lens.testing.spec-review.boundary-values --title "Spec Review Boundary Values Lens" --owner qa-platform --tags testing,spec-review
142
+ npx renma scaffold skill skills/testing/spec-review/SKILL.md --owner qa-platform
143
+ # Review the file with your platform's standard Skill authoring guidance.
144
+ npx renma scan . --fail-on high
346
145
  ```
347
146
 
348
- The Skill scaffold writes a canonical Agent Skills `SKILL.md` directly, with
349
- Renma governance values under flat, string-valued `metadata.renma.*` keys.
350
- Context and context-lens scaffolds retain their existing top-level metadata.
351
-
352
- Inspect a focused graph for the new skill:
147
+ Review an existing Skill without editing it automatically. Start with `scan`;
148
+ use `suggest-metadata` only when the evidence identifies metadata retrofit or
149
+ migration work:
353
150
 
354
151
  ```bash
355
- npx renma graph . --focus skill.testing.spec-review --format mermaid
152
+ npx renma scan . --fail-on high
356
153
  npx renma inspect skills/testing/spec-review/SKILL.md
154
+ # Conditional: metadata retrofit, explicit owner retrofit, or migration only.
155
+ npx renma suggest-metadata skills/testing/spec-review/SKILL.md
357
156
  ```
358
157
 
359
- Focused graph views are inspection tools; they do not choose, inject, or load runtime context for an agent.
360
-
361
- `scaffold --format prompt` emits a Codex/Claude-ready authoring prompt for `<asset-id-or-path>` without writing files. `scaffold --format json` emits structured scaffold data.
362
-
363
- Semantic diff compares deterministic catalog, graph, readiness, and finding
364
- snapshots across Git refs. It does not interpret arbitrary prose semantics,
365
- assemble prompts, choose context, call an LLM, repair files, or check out or
366
- mutate the working tree.
367
-
368
- A practical first pass is:
158
+ Inspect one file or an exact slice:
369
159
 
370
- 1. Run `catalog` to see which skills, context assets, references, examples, and support files Renma discovered.
371
- 2. Run `scan` to find broken links, weak structure, risky instructions, missing lifecycle metadata, and other repairable issues.
372
- 3. Run `graph` to inspect dependencies and discover orphaned or overly coupled knowledge.
373
- 4. Run `trust-graph` to inspect deterministic owner, lifecycle, policy, dependency, and diagnostic evidence without introducing a trust score.
374
- 5. Run `readiness` to summarize whether the repository is healthy enough for agent use.
375
- 6. Run `ownership` to find assets without clear ownership.
376
- 7. Run `suggest-metadata` on existing assets that need a safe metadata retrofit prompt for a reviewed patch.
377
-
378
- Renma does not require an LLM for this loop. Its core analysis is deterministic so the same repository state produces stable evidence in local development, CI, and code review.
379
-
380
- ## Example repository
381
-
382
- See [`examples/context-repo`](examples/context-repo) for a repository-aware
383
- Skill and shared-context fixture you can inspect with Renma.
384
-
385
- See [`examples/context-lens`](examples/context-lens) for a Context Lens governance example with valid lenses, readiness output, inspect output, and expected diagnostics for an invalid lens.
386
-
387
- ## CLI Commands
388
-
389
- ```bash
390
- renma scan <path>
391
- renma bom <path>
392
- renma catalog <path>
393
- renma ownership <path>
394
- renma graph <path>
395
- renma trust-graph <path>
396
- renma readiness <path>
397
- renma diff <path> --from <ref> --to <ref>
398
- renma ci-report <path> --from <ref> --to <ref>
160
+ ```text
399
161
  renma inspect <file>
400
162
  renma inspect <file> --lines L10-L42
401
- renma scaffold <skill|context|context_lens> <path>
402
- renma suggest-metadata <file>
403
- renma suggest-semantic-split <file>
404
163
  ```
405
164
 
406
- Common examples:
165
+ When developing from this checkout:
407
166
 
408
167
  ```bash
409
- renma scan .
410
- renma scan . --format json
411
- renma scan . --fail-on high
412
- renma catalog . --format json
413
- renma ownership . --include-owned
414
- renma ownership . --owner qa-platform
415
- renma graph . --format json
416
- renma graph . --format mermaid
417
- renma graph . --focus skill.testing.spec-review --view full
418
- renma trust-graph . --format json
419
- renma trust-graph . --format markdown
420
- renma readiness . --format markdown
421
- renma diff . --from main --to HEAD --format markdown
422
- renma ci-report . --from main --to HEAD --format markdown
423
- renma inspect contexts/testing/boundary-value-analysis.md
424
- renma suggest-metadata skills/testing/spec-review/SKILL.md --format prompt
425
- renma suggest-metadata skills/testing/spec-review/SKILL.md --owner qa-platform --format json
168
+ npm install
169
+ npm run build
170
+ node dist/index.js scan . --fail-on high
426
171
  ```
427
172
 
428
- Use JSON output when Renma is part of CI or another tool. Use markdown output for PR-review artifacts. Use text output when a person or coding agent needs a concise repair list.
429
-
430
- `renma trust-graph . --format markdown` is useful for human review. `renma trust-graph . --format json` is the source of truth for downstream Trust Graph consumers, and `renma scan . --format json` includes the same data under `trustGraph`.
431
-
432
- Trust Graph helps reviewers inspect owner evidence, lifecycle status evidence, dependency and reference evidence, selected security profiles, effective policy fingerprints, and diagnostics in one deterministic layer. Common review questions include finding assets without owners or lifecycle status, identifying assets that share the same effective policy fingerprint, and connecting diagnostics back to asset evidence.
433
-
434
- `ci-report` exit behavior:
173
+ ## Command Guide
174
+
175
+ | Command | Main question |
176
+ | --- | --- |
177
+ | `scan` | What concrete problems should be fixed? |
178
+ | `catalog` | What assets and metadata exist? |
179
+ | `graph` | How are assets structurally connected? |
180
+ | `trust-graph` | What trust-relevant evidence is connected to each asset? |
181
+ | `readiness` | Is the repository broadly prepared for agent-facing use? |
182
+ | `bom` | What declared repository context manifest should be reviewed? |
183
+ | `ownership` | Where is ownership missing or concentrated? |
184
+ | `diff` | What deterministic evidence changed between Git refs? |
185
+ | `ci-report` | What should a CI or pull-request reviewer inspect? |
186
+ | `inspect` | What is the outline or exact line slice of one file? |
187
+ | `scaffold` | How can a new asset start from a deterministic structure? |
188
+ | `suggest-metadata` | What metadata retrofit or one-way Skill migration is safe to review? |
189
+ | `suggest-semantic-split` | How can a mixed-purpose asset be split reviewably? |
190
+
191
+ Run `renma --help` and `renma <command> --help` for current options, output
192
+ contracts, and next steps. The [User Manual](docs/user-manual.md) is the
193
+ operational command reference.
435
194
 
436
- - PASS/WARN: exit 0
437
- - FAIL: exit 1
438
- - command, runtime, or config error: exit 2
439
-
440
- ## What Gets Scanned
441
-
442
- Canonical Agent Skills entrypoints use the exact `SKILL.md` filename:
443
-
444
- ```text
445
- skills/**/SKILL.md
446
- .agents/skills/**/SKILL.md
447
- ```
448
-
449
- Renma 0.16.0 requires Agent Skills format for operational Skills. Renma
450
- governance and security values use flat, string-valued `metadata.renma.*`
451
- entries; list values are JSON-array strings and booleans are the exact strings
452
- `"true"` or `"false"`. Pre-0.16 top-level Skill metadata is discovered only as
453
- migration input for `suggest-metadata`; catalog, ownership, graph, readiness,
454
- BOM, Trust Graph, lifecycle, and security consumers do not use it. Contexts and
455
- other non-Skill assets keep their existing top-level metadata syntax. See
456
- [Agent Skills Compatibility and Migration](docs/agent-skills-compatibility.md)
457
- for the normative boundary.
195
+ ## Repository Shape
458
196
 
459
- Renma also discovers these historical spellings so `scan` can report migration
460
- diagnostics; they are not Agent Skills-compatible entrypoints:
197
+ Renma supports independently owned knowledge rather than requiring every piece
198
+ of Context to live inside a Skill directory:
461
199
 
462
200
  ```text
463
- skills/**/skill.md
464
- skills/**/*.skill.md
465
- .agents/skills/**/skill.md
466
- .agents/skills/**/*.skill.md
201
+ skills/
202
+ testing/
203
+ spec-review/
204
+ SKILL.md
205
+ contexts/
206
+ testing/
207
+ boundary-value-analysis.md
208
+ negative-testing.md
209
+ lenses/
210
+ testing/
211
+ spec-review-boundary-values.md
467
212
  ```
468
213
 
469
- For migration, `skills/demo/skill.md` targets `skills/demo/SKILL.md`, while
470
- `skills/testing/spec-review.skill.md` targets
471
- `skills/testing/spec-review/SKILL.md`. `suggest-metadata` reports these path
472
- changes explicitly and does not edit files.
214
+ This is an illustrative layout, not a required domain hierarchy. `contexts/`
215
+ is preferred and `context/` remains supported. Skill-local `references/`,
216
+ `assets/`, `scripts/`, `examples/`, and `profiles/` are valid support material.
217
+ When deterministic evidence shows that knowledge is reusable beyond one Skill,
218
+ promote it to an owned Context Asset rather than moving it based on location
219
+ alone.
473
220
 
474
- Other default scan inputs include:
221
+ The relationship model supports both:
475
222
 
476
223
  ```text
477
- .agents/**/*.md
478
- AGENTS.md
479
- README.md
480
- context/**/*.md
481
- contexts/**/*.md
482
- lenses/**/*.md
483
- skills/**/profiles/**/*.md
484
- skills/**/references/**/*.md
485
- skills/**/examples/**/*.md
486
- skills/**/scripts/**/*
487
- tools/**/*
488
- ```
489
-
490
- Skill-like files outside `skills/**` or `.agents/skills/**` are not treated as
491
- Renma skill assets by default. Renma may emit an informational layout diagnostic
492
- to suggest moving the file if it is intended to be a Renma skill.
493
-
494
- Under explicit skill roots, the path segments `examples`, `profiles`,
495
- `references`, and `scripts` are reserved for skill-local support files. These
496
- are valid support paths:
497
-
498
- - `skills/demo/examples/happy-path.md`
499
- - `skills/demo/references/spec.md`
500
- - `skills/demo/scripts/helper.sh`
501
- - `skills/demo/profiles/local.md`
502
-
503
- The same reserved names apply under `.agents/skills/**`.
504
-
505
- Avoid using reserved support directory names as skill names. For example,
506
- `skills/examples/SKILL.md`, `skills/references/SKILL.md`,
507
- `skills/scripts/SKILL.md`, and `skills/profiles/SKILL.md` are not treated as
508
- skill entrypoints by default. Rename the skill directory, such as
509
- `skills/example-review/SKILL.md`, if the file is intended to define a Renma
510
- skill.
511
-
512
- Renma can still discover legacy skill-local support files for compatibility, but canonical reusable knowledge belongs in `contexts/`, experimental interpretation layers belong in `lenses/`, and helper implementations belong in `tools/`. Shared knowledge that is reused across skills should usually move into `contexts/` so it can have its own owner, lifecycle, dependencies, and review history.
513
-
514
- ## Configuration
515
-
516
- Add `renma.config.json` at the repository root to tune discovery and CI behavior:
517
-
518
- ```json
519
- {
520
- "fail_on": "high",
521
- "format": "json",
522
- "globs": [
523
- "skills/**/SKILL.md",
524
- ".agents/skills/**/SKILL.md",
525
- "AGENTS.md",
526
- "contexts/**/*.md"
527
- ],
528
- "exclude": [
529
- "node_modules",
530
- "dist",
531
- ".git"
532
- ],
533
- "suppressions": [
534
- {
535
- "id": "SEC-ENV-COPY",
536
- "paths": ["skills/testing/**"],
537
- "reason": "This skill intentionally documents env passthrough test cases.",
538
- "expires": "2026-09-30"
539
- },
540
- {
541
- "id": "LAYOUT-SKILL-NOT-THIN",
542
- "paths": ["skills/legacy/**"],
543
- "reason": "Legacy skill kept for compatibility with existing workflows.",
544
- "expires": "never"
545
- }
546
- ],
547
- "max_file_size_bytes": 524288,
548
- "max_depth": 16,
549
- "concurrency": 16,
550
- "layout": {
551
- "workflow_aliases": {}
552
- }
553
- }
554
- ```
555
-
556
- Use `exclude` only for paths Renma should not scan. Use `suppressions` when Renma should still scan a file, detect matching findings internally, then omit those findings from normal reports and failure thresholds. Suppressions apply only when both the finding `id` and at least one `paths` entry match, so keep path patterns narrow.
557
-
558
- Each suppression requires a rule `id`, one or more path patterns, and an audit `reason` that stays in config for review. `expires` is optional, but audited suppressions should usually include either a date in `YYYY-MM-DD` for temporary workarounds or `"never"` for an intentionally permanent exception. Date-based expirations reactivate matching findings after the date passes. Suppression paths use repository-relative POSIX-style paths, exact matches, directory-prefix matches for non-glob patterns, and a small glob subset: `*` within a path segment and `**` across directories.
559
-
560
- ## Asset Metadata
561
-
562
- Contexts and other non-Skill assets declare lightweight metadata in frontmatter
563
- using the existing top-level syntax. Skills use canonical Agent Skills
564
- frontmatter and `metadata.renma.*` as described above.
565
-
566
- ```markdown
567
- ---
568
- id: context.testing.boundary-value-analysis
569
- owner: qa-platform
570
- status: stable
571
- last_reviewed_at: 2026-06-28
572
- review_cycle: P90D
573
- expires_at: 2026-12-31
574
- requires_context:
575
- - context.testing.negative-testing
576
- ---
577
-
578
- # Boundary Value Analysis
579
- ```
580
-
581
- Useful metadata semantics include the following. The spellings shown here are
582
- the top-level non-Skill form; canonical Skills use the corresponding
583
- `metadata.renma.*` keys.
584
-
585
- - `id`: Stable catalog ID
586
- - `title`: Human-readable asset title
587
- - `owner`: Recommended team, person, or group responsible for the asset
588
- - `status`: Lifecycle state such as `experimental`, `stable`, `deprecated`, or `archived`
589
- - `version`: Asset version when the repository uses explicit versioning
590
- - `last_reviewed_at`: ISO date for the last human review, such as `2026-06-28`
591
- - `review_cycle`: ISO 8601 day duration for expected review cadence, such as `P90D`
592
- - `expires_at`: ISO date when the asset should be treated as expired
593
- - `tags`: Search and grouping labels
594
- - `requires_context`: Context assets this asset normally depends on
595
- - `optional_context`: Context assets useful only in some cases
596
- - `conflicts`: Context assets that should not be applied together
597
- - `superseded_by`: Replacement asset when this asset is deprecated
598
-
599
- Renma can infer some information from paths and headings, but explicit metadata makes ownership and dependency reports much more valuable.
600
-
601
- ### Ownership policy
602
-
603
- Renma treats `owner` as governance metadata. Declaring an owner is recommended because it makes context assets easier to review, maintain, and share across teams.
604
-
605
- However, owner metadata is not globally required yet. Assets without an owner are accepted and reported as unowned in the ownership coverage report.
606
-
607
- Renma does not infer owners automatically. If an asset is unowned, choose an owner through human review or team policy.
608
-
609
- To retrofit metadata onto an existing skill or context asset without overwriting its body, ask Renma for a deterministic prompt or JSON payload:
610
-
611
- ```bash
612
- renma scan .
613
- renma ownership .
614
- renma suggest-metadata skills/testing/spec-review/SKILL.md --format prompt
224
+ Skill -> Context Lens -> Context Asset
225
+ Skill -> Context Asset
615
226
  ```
616
227
 
617
- `suggest-metadata` is not an auto-fixer. It tells a human or coding agent to inspect the existing asset, preserve existing frontmatter and Markdown body content, add only compact missing metadata that is clearly supported, and rerun `renma scan .` and `renma ownership .`. It does not infer owners. If you pass `--owner qa-platform`, the output may include that owner because it was explicitly provided; otherwise missing owner remains allowed and is reported as unowned by `ownership`. If an existing asset already declares an owner, `suggest-metadata` preserves it; a different `--owner` value is treated as a human-review ownership change, not an automatic metadata suggestion.
228
+ These are static governance relationships, not runtime Context selection.
618
229
 
619
- For non-Skill assets, YAML-style block lists are supported for selected
620
- metadata fields, which keeps authored metadata explicit and reviewable.
621
- Pre-0.16 Skill fields may use this shape as migration input, but are not
622
- operational in Renma 0.16.0:
230
+ ## Canonical Skill Example
623
231
 
624
232
  ```yaml
625
233
  ---
626
- id: context.testing.boundary-value-analysis-v2
627
- title: Boundary Value Analysis
628
- owner: qa-platform
629
- status: stable
630
- version: 1.0.0
631
- last_reviewed_at: 2026-06-28
632
- review_cycle: P180D
633
- expires_at: 2026-12-31
634
- tags:
635
- - testing
636
- - spec-review
637
- when_to_use:
638
- - Designing tests around numeric, date, quantity, or limit boundaries
639
- when_not_to_use:
640
- - For exploratory testing notes that do not depend on boundaries
641
- requires_context:
642
- - context.testing.negative-testing
643
- optional_context:
644
- - context.domain.payment.duplicate-charge
645
- conflicts:
646
- - context.testing.boundary-value-analysis-v1
647
- superseded_by:
648
- - context.testing.boundary-value-analysis-v3
234
+ name: spec-review
235
+ description: Review specifications for ambiguity and missing boundaries. Use when requirements need evidence-backed review before implementation.
236
+ metadata:
237
+ renma.id: skill.testing.spec-review
238
+ renma.title: Spec Review
239
+ renma.owner: qa-platform
240
+ renma.status: stable
241
+ renma.tags: '["testing","spec-review"]'
242
+ renma.requires-context: '["context.testing.boundary-value-analysis"]'
243
+ renma.optional-context: '[]'
649
244
  ---
650
245
  ```
651
246
 
652
- Supported YAML-style block-list fields in that syntax are `tags`,
653
- `when_to_use`, `when_not_to_use`, `requires_context`, `optional_context`,
654
- `conflicts`, and `superseded_by`. Canonical Skills instead encode the
655
- corresponding `renma.*` values as JSON-array strings. Renma does not infer
656
- missing dependencies with an LLM during `scan`.
657
-
658
- Catalog and scan diagnostics preserve field-level evidence for metadata. For
659
- block-list dependency fields such as `requires_context` and `optional_context`,
660
- findings point to the specific list item line that produced the edge or
661
- diagnostic.
662
-
663
- ## CI Example
664
-
665
- For PR review artifacts, see [`examples/github-actions/renma-ci-report.yml`](examples/github-actions/renma-ci-report.yml).
666
-
667
- ```yaml
668
- name: renma
669
-
670
- on:
671
- pull_request:
672
- push:
673
- branches:
674
- - main
675
-
676
- jobs:
677
- renma:
678
- runs-on: ubuntu-latest
679
- steps:
680
- - uses: actions/checkout@v4
681
- - uses: actions/setup-node@v4
682
- with:
683
- node-version: 22
684
- - run: npx renma scan . --fail-on high --format json
685
- ```
686
-
687
- ## Design Philosophy
688
-
689
- Renma has an opinionated design.
690
-
691
- It is built around the idea that reusable LLM context should be treated like a software asset: owned, versioned, referenced, reviewed, and checked for readiness.
692
-
693
- This means Renma favors structured, Git-friendly context repositories over ad hoc prompt snippets or untracked notes.
694
-
695
- ## Design Boundaries
696
-
697
- Renma intentionally stays below the agent runtime layer.
698
-
699
- Renma does:
700
-
701
- - Catalog LLM-consumable repository assets
702
- - Validate links, structure, lifecycle state, safety signals, and ownership
703
- - Emit deterministic reports with file and line evidence
704
- - Help humans and agents repair knowledge repositories through reviewable patches
705
-
706
- Renma does not:
707
-
708
- - Choose task-specific context for a live agent session
709
- - Assemble prompts
710
- - Inject context into model calls
711
- - Execute agent workflows
712
- - Act as a provider gateway
713
- - Own runtime telemetry collection
714
- - Replace product, QA, platform, or documentation ownership
715
-
716
- This boundary keeps Renma useful as repository infrastructure. Agent tools can consume its reports, but the catalog remains grounded in Git, code review, and deterministic checks.
717
-
718
- ## Security Diagnostics
719
-
720
- Security diagnostics v2 extends the deterministic v1 command checks with
721
- LLM-facing policy and data-handling diagnostics. Renma recognizes small policy
722
- metadata such as `allowed_data`, `network_allowed`, `external_upload_allowed`,
723
- `secrets_allowed`, and `requires_human_approval`; reports contradictory or
724
- violated policy; flags sensitive file and secret-material instructions; and
725
- detects external uploads, bulk sharing, cloud upload, overbroad context
726
- collection, and instructions that disable or discourage redaction.
727
-
728
- Security diagnostics v3 also enforces approved destination allowlists such as
729
- `approved_network_destinations` for URL and domain-like network instructions.
730
-
731
- Security diagnostics v4 can also read repository-wide security policy from
732
- `renma.config.json`:
733
-
734
- ```json
735
- {
736
- "security": {
737
- "approvedDomains": ["github.com", "registry.npmjs.org"],
738
- "approvedUploadDomains": ["internal-artifacts.example.com"],
739
- "disallowedCommands": ["gh gist create", "pastebin", "webhook.site", "nc"]
740
- }
741
- }
742
- ```
743
-
744
- Global `approvedDomains` combine with artifact-local
745
- `approved_network_destinations`. Upload destinations must be approved separately
746
- with `approvedUploadDomains`.
747
-
748
- Security profiles can be defined under `security.profiles` and selected by artifacts with `security_profile` or `securityProfile`. Artifact-local explicit denials such as `network_allowed: false` and `external_upload_allowed: false` remain stricter than inherited profile or repository allowances.
749
-
750
- ```json
751
- {
752
- "security": {
753
- "profiles": {
754
- "appium-local-diagnostics": {
755
- "networkAllowed": true,
756
- "externalUploadAllowed": false,
757
- "secretsAllowed": false,
758
- "humanApprovalRequired": true,
759
- "allowedData": ["repo-local-files", "sanitized-ci-diagnostics"],
760
- "forbiddenInputs": ["secrets", "credentials"],
761
- "approvedDomains": ["github.com"],
762
- "approvedUploadDomains": [],
763
- "disallowedCommands": ["gh gist create"]
764
- }
765
- }
766
- }
767
- }
768
- ```
769
-
770
- Renma reports deterministic safety findings for agent-facing operational instructions, such as unpinned remote scripts, unsafe privileged commands, predictable temporary paths, and credential-like command arguments.
771
-
772
- These findings are guardrails for review. They do not replace secret scanning, SAST, dependency scanning, or human security review.
773
-
774
- Renma summarizes security posture in Readiness and CI reports, and exposes
775
- Trust Graph evidence for effective policy, security profile resolution,
776
- approved destinations, forbidden inputs, human approval requirements, and
777
- high-risk findings.
778
-
779
- Trust Graph interprets existing catalog, graph, scan, and security evidence as deterministic repository evidence. It is not a runtime system, not enforcement, not context selection or prompt assembly, not telemetry collection, not an LLM call, and not a subjective trust score.
780
-
781
- Repository Context BOM is a declared repository manifest of assets, hashes, owners, lifecycle states, dependencies, security posture, diagnostics, and readiness evidence. It does not claim what an LLM actually used at runtime. The v1 contract deliberately keeps Git revision identity in the surrounding CI/PR artifact context and keeps any future consumed-context evidence separate from the declared BOM meaning. See the [Repository Context BOM contract](docs/repository-context-bom.md).
782
-
783
- ## Design Notes
784
-
785
- Renma is part of a broader idea: treating reusable LLM context as software-managed knowledge.
786
-
787
- - [Beyond Prompt Engineering: Why We Need Context Repositories](https://kazucocoa.blog/2026/06/26/beyond-prompt-engineering-why-we-need-context-repositories/)
788
- - [Introducing Renma: An Opinionated Context Repository for LLMs](https://kazucocoa.blog/2026/06/29/introducing-renma-an-opinionated-context-repository-for-llms/)
789
- - [Where Does a Context Repository Fit in the AI Stack?](https://kazucocoa.blog/2026/07/01/where-does-a-context-repository-fit-in-the-ai-stack/)
790
- - Context Engineering Is Software Engineering (planned)
791
-
792
- ([Context Repository Series](https://kazucocoa.blog/context-repository/))
793
-
794
- ## Development
795
-
796
- ```bash
797
- npm install
798
- npm run build
799
- npm test
800
- ```
801
-
802
- Run the local CLI after building:
247
+ Agent Skills owns the standard identity and body. Renma governance and security
248
+ values use flat, string-valued `metadata.renma.*` entries; list values are JSON
249
+ array strings. Context Assets and other non-Skill assets retain their documented
250
+ top-level metadata syntax.
803
251
 
804
- ```bash
805
- node dist/index.js scan .
806
- ```
252
+ See the [Authoring Guide](docs/authoring-guide.md) for authoring responsibility
253
+ and the [compatibility guide](docs/agent-skills-compatibility.md) for the exact
254
+ canonical and migration rules.
807
255
 
808
- ## Documentation
256
+ ## Examples And Documentation
809
257
 
810
- - [Agent Skills Compatibility and Migration](docs/agent-skills-compatibility.md)
258
+ - [Documentation index](docs/README.md)
811
259
  - [User Manual](docs/user-manual.md)
812
260
  - [Authoring Guide](docs/authoring-guide.md)
813
- - [Security Policy Guide](docs/security-policy.md)
261
+ - [Agent Skills Compatibility and Migration](docs/agent-skills-compatibility.md)
814
262
  - [Diagnostics Reference](docs/diagnostics.md)
263
+ - [Security Policy Guide](docs/security-policy.md)
264
+ - [Repository Context BOM contract](docs/repository-context-bom.md)
265
+ - [Architecture](architecture.md)
266
+ - [Product Design](design.md)
267
+ - [Current Roadmap](plan.md)
268
+ - [Proposed 0.18.0 Skill Discovery](plan-discovery.md)
269
+ - [Interactive Placeholder Example](examples/interactive-placeholder): minimal
270
+ hands-on clarify-before-act Skill interaction with a local tool.
271
+ - [Example Context Repository](examples/context-repo): richer repository-aware
272
+ Skill, Context Lens, and Context Asset governance.
273
+ - [Context Lens Example](examples/context-lens): focused Context Lens governance.
274
+ - [GitHub Actions Example](examples/github-actions/renma-ci-report.yml): CI report
275
+ integration.
276
+
277
+ The governing review loop remains:
815
278
 
816
- ## Related Docs
817
-
818
- - [architecture.md](architecture.md) for the deeper system model
819
- - [design.md](design.md) for product and rule-design notes
820
- - [plan.md](plan.md) for current implementation direction
279
+ ```text
280
+ LLM proposes. Renma verifies. Human approves.
281
+ ```