renma 0.16.0 → 0.18.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +157 -1
- package/README.md +219 -748
- package/architecture.md +533 -0
- package/design.md +469 -0
- package/dist/agent-skills.d.ts +1 -1
- package/dist/agent-skills.d.ts.map +1 -1
- package/dist/agent-skills.js +28 -8
- package/dist/agent-skills.js.map +1 -1
- package/dist/catalog.d.ts +1 -1
- package/dist/catalog.d.ts.map +1 -1
- package/dist/catalog.js +120 -12
- package/dist/catalog.js.map +1 -1
- package/dist/cli-help.d.ts +15 -9
- package/dist/cli-help.d.ts.map +1 -1
- package/dist/cli-help.js +32 -9
- package/dist/cli-help.js.map +1 -1
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +162 -40
- package/dist/cli.js.map +1 -1
- package/dist/commands/bom.d.ts +6 -3
- package/dist/commands/bom.d.ts.map +1 -1
- package/dist/commands/bom.js +27 -7
- package/dist/commands/bom.js.map +1 -1
- package/dist/commands/catalog.d.ts +1 -1
- package/dist/commands/catalog.d.ts.map +1 -1
- package/dist/commands/catalog.js +11 -4
- package/dist/commands/catalog.js.map +1 -1
- package/dist/commands/ci-report.d.ts.map +1 -1
- package/dist/commands/ci-report.js +18 -5
- package/dist/commands/ci-report.js.map +1 -1
- package/dist/commands/diff.js +8 -2
- package/dist/commands/diff.js.map +1 -1
- package/dist/commands/graph.d.ts +6 -2
- package/dist/commands/graph.d.ts.map +1 -1
- package/dist/commands/graph.js +30 -14
- package/dist/commands/graph.js.map +1 -1
- package/dist/commands/inspect.d.ts.map +1 -1
- package/dist/commands/inspect.js +2 -0
- package/dist/commands/inspect.js.map +1 -1
- package/dist/commands/ownership.d.ts +4 -3
- package/dist/commands/ownership.d.ts.map +1 -1
- package/dist/commands/ownership.js +27 -23
- package/dist/commands/ownership.js.map +1 -1
- package/dist/commands/readiness.d.ts +2 -1
- package/dist/commands/readiness.d.ts.map +1 -1
- package/dist/commands/readiness.js +105 -36
- package/dist/commands/readiness.js.map +1 -1
- package/dist/commands/scaffold.d.ts +3 -0
- package/dist/commands/scaffold.d.ts.map +1 -1
- package/dist/commands/scaffold.js +28 -2
- package/dist/commands/scaffold.js.map +1 -1
- package/dist/commands/suggest-metadata.d.ts.map +1 -1
- package/dist/commands/suggest-metadata.js +56 -8
- package/dist/commands/suggest-metadata.js.map +1 -1
- package/dist/commands/suggest-semantic-split.js +3 -3
- package/dist/commands/suggest-semantic-split.js.map +1 -1
- package/dist/commands/trust-graph.d.ts.map +1 -1
- package/dist/commands/trust-graph.js +12 -0
- package/dist/commands/trust-graph.js.map +1 -1
- package/dist/config.d.ts.map +1 -1
- package/dist/config.js +10 -3
- package/dist/config.js.map +1 -1
- package/dist/dependency-resolution.d.ts +6 -0
- package/dist/dependency-resolution.d.ts.map +1 -0
- package/dist/dependency-resolution.js +11 -0
- package/dist/dependency-resolution.js.map +1 -0
- package/dist/diagnostic-ids.d.ts +8 -0
- package/dist/diagnostic-ids.d.ts.map +1 -1
- package/dist/diagnostic-ids.js +8 -0
- package/dist/diagnostic-ids.js.map +1 -1
- package/dist/discovery.d.ts +33 -0
- package/dist/discovery.d.ts.map +1 -1
- package/dist/discovery.js +178 -80
- package/dist/discovery.js.map +1 -1
- package/dist/markdown.d.ts.map +1 -1
- package/dist/markdown.js +15 -0
- package/dist/markdown.js.map +1 -1
- package/dist/model.d.ts +17 -1
- package/dist/model.d.ts.map +1 -1
- package/dist/model.js +4 -1
- package/dist/model.js.map +1 -1
- package/dist/quality-profile.d.ts +91 -0
- package/dist/quality-profile.d.ts.map +1 -0
- package/dist/quality-profile.js +91 -0
- package/dist/quality-profile.js.map +1 -0
- package/dist/repeated-context.d.ts.map +1 -1
- package/dist/repeated-context.js +38 -83
- package/dist/repeated-context.js.map +1 -1
- package/dist/repository-boundary.d.ts +30 -0
- package/dist/repository-boundary.d.ts.map +1 -0
- package/dist/repository-boundary.js +116 -0
- package/dist/repository-boundary.js.map +1 -0
- package/dist/repository-evidence.d.ts +2 -0
- package/dist/repository-evidence.d.ts.map +1 -1
- package/dist/repository-evidence.js +6 -4
- package/dist/repository-evidence.js.map +1 -1
- package/dist/repository-paths.d.ts +19 -2
- package/dist/repository-paths.d.ts.map +1 -1
- package/dist/repository-paths.js +123 -14
- package/dist/repository-paths.js.map +1 -1
- package/dist/rules.d.ts +2 -0
- package/dist/rules.d.ts.map +1 -1
- package/dist/rules.js +322 -256
- package/dist/rules.js.map +1 -1
- package/dist/scanner.d.ts.map +1 -1
- package/dist/scanner.js +5 -1
- package/dist/scanner.js.map +1 -1
- package/dist/security-diagnostics.d.ts.map +1 -1
- package/dist/security-diagnostics.js +95 -30
- package/dist/security-diagnostics.js.map +1 -1
- package/dist/security-diff.d.ts +5 -2
- package/dist/security-diff.d.ts.map +1 -1
- package/dist/security-diff.js +20 -4
- package/dist/security-diff.js.map +1 -1
- package/dist/security-policy-inventory.d.ts +15 -3
- package/dist/security-policy-inventory.d.ts.map +1 -1
- package/dist/security-policy-inventory.js +123 -26
- package/dist/security-policy-inventory.js.map +1 -1
- package/dist/security-policy.d.ts +7 -0
- package/dist/security-policy.d.ts.map +1 -1
- package/dist/security-policy.js +70 -7
- package/dist/security-policy.js.map +1 -1
- package/dist/security-posture.d.ts.map +1 -1
- package/dist/security-posture.js +2 -1
- package/dist/security-posture.js.map +1 -1
- package/dist/skill-migration.js +2 -0
- package/dist/skill-migration.js.map +1 -1
- package/dist/static-support.d.ts +13 -0
- package/dist/static-support.d.ts.map +1 -0
- package/dist/static-support.js +284 -0
- package/dist/static-support.js.map +1 -0
- package/dist/token-estimator.d.ts +21 -0
- package/dist/token-estimator.d.ts.map +1 -0
- package/dist/token-estimator.js +84 -0
- package/dist/token-estimator.js.map +1 -0
- package/dist/trust-graph.d.ts +3 -3
- package/dist/trust-graph.d.ts.map +1 -1
- package/dist/trust-graph.js +76 -21
- package/dist/trust-graph.js.map +1 -1
- package/dist/types.d.ts +7 -2
- package/dist/types.d.ts.map +1 -1
- package/docs/README.md +61 -0
- package/docs/advanced-skill-authoring.md +147 -0
- package/docs/agent-skills-compatibility.md +508 -0
- package/docs/authoring-guide.md +382 -0
- package/docs/context-conflict-diagnostics.md +32 -0
- package/docs/context-language-diagnostics.md +99 -0
- package/docs/context-lens.md +253 -0
- package/docs/context-lifecycle-diagnostics.md +55 -0
- package/docs/diagnostics.md +406 -0
- package/docs/metadata-budget.md +14 -0
- package/docs/quality-profile.md +123 -0
- package/docs/repository-context-bom.md +172 -0
- package/docs/schemas/repository-context-bom-v2.schema.json +648 -0
- package/docs/schemas/trust-graph-v2.schema.json +301 -0
- package/docs/security-policy.md +354 -0
- package/docs/trust-graph.md +47 -0
- package/docs/user-manual.md +842 -0
- package/examples/context-lens/README.md +101 -0
- package/examples/context-lens/contexts/testing/boundary-value-analysis.md +23 -0
- package/examples/context-lens/lenses/testing/spec-review-boundary-values.md +29 -0
- package/examples/context-lens/lenses/testing/test-design-boundary-values.md +29 -0
- package/examples/context-lens/skills/testing/spec-review/SKILL.md +49 -0
- package/examples/context-repo/README.md +148 -0
- package/examples/context-repo/contexts/domain/payment/idempotency.md +27 -0
- package/examples/context-repo/contexts/testing/boundary-value-analysis.md +26 -0
- package/examples/context-repo/contexts/testing/negative-testing.md +26 -0
- package/examples/context-repo/lenses/testing/spec-review-boundary-values.md +35 -0
- package/examples/context-repo/renma.config.json +12 -0
- package/examples/context-repo/skills/testing/spec-review/SKILL.md +71 -0
- package/examples/context-repo/tools/appium/README.md +14 -0
- package/examples/github-actions/renma-ci-report.yml +36 -0
- package/examples/interactive-placeholder/README.md +104 -0
- package/examples/interactive-placeholder/assets/template.txt +1 -0
- package/examples/interactive-placeholder/renma.config.json +6 -0
- package/examples/interactive-placeholder/skills/replace-placeholder/SKILL.md +54 -0
- package/examples/interactive-placeholder/tools/README.md +48 -0
- package/examples/interactive-placeholder/tools/placeholder-demo.mjs +99 -0
- package/package.json +10 -1
- package/plan-discovery.md +749 -0
- package/plan.md +90 -0
- package/scripts/verify-package.mjs +104 -0
package/README.md
CHANGED
|
@@ -3,818 +3,289 @@
|
|
|
3
3
|
[](https://npmjs.org/package/renma)
|
|
4
4
|
[](https://npmjs.org/package/renma)
|
|
5
5
|
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
6
|
+
Renma is a Git-native context repository and deterministic governance CLI for
|
|
7
|
+
LLM-facing knowledge. It keeps Skills, Context Lenses, Context Assets,
|
|
8
|
+
references, ownership, lifecycle, dependencies, security policy, and evidence
|
|
9
|
+
reviewable as maintainable software assets.
|
|
10
|
+
|
|
11
|
+
Agent-facing knowledge tends to spread across copied prompts, one-off Markdown,
|
|
12
|
+
and team-local instructions. Renma gives that material stable repository
|
|
13
|
+
identity, explicit relationships, deterministic validation, and CI-friendly
|
|
14
|
+
reports without becoming an agent runtime.
|
|
15
|
+
|
|
16
|
+
## Why A Context Repository?
|
|
17
|
+
|
|
18
|
+
A Context Repository is a Git-reviewed source of truth for reusable knowledge
|
|
19
|
+
that LLMs and agents can consume. Without that repository boundary, important
|
|
20
|
+
guidance is copied across prompts and Skills, buried in one-off instructions,
|
|
21
|
+
detached from an owner, difficult to review, and increasingly inconsistent as
|
|
22
|
+
teams and workflows evolve. It also becomes hard to tell maintained guidance
|
|
23
|
+
from obsolete or unofficial material.
|
|
24
|
+
|
|
25
|
+
Reusable context should be treated as a maintainable software asset: identified,
|
|
26
|
+
owned, versioned in Git, connected through explicit relationships, reviewed by
|
|
27
|
+
humans, validated deterministically, and usable across more than one Skill or
|
|
28
|
+
runtime. A Skill is an agent-facing entrypoint and workflow guide; the broader
|
|
29
|
+
Context Repository preserves knowledge that can outlive or serve multiple
|
|
30
|
+
Skills.
|
|
31
|
+
|
|
32
|
+
Renma operationalizes this model through deterministic repository governance.
|
|
33
|
+
It is not a prompt library, agent runtime, live Context selector, vector
|
|
34
|
+
database, agent memory, replacement for RAG, or generic Markdown linter. See the
|
|
35
|
+
[Context Repository notes](https://kazucocoa.blog/context-repository/) for the
|
|
36
|
+
broader product framing.
|
|
37
|
+
|
|
38
|
+
## Agent Skills And Renma
|
|
39
|
+
|
|
40
|
+
Use your platform's standard Skill authoring guidance for general Skill design,
|
|
41
|
+
then use Renma for repository-specific governance and validation.
|
|
42
|
+
|
|
43
|
+
Platform-native guidance owns the Skill's name, trigger description,
|
|
44
|
+
instructions, workflow, constraints, examples, and completion criteria. Renma
|
|
45
|
+
complements it with canonical metadata, Agent Skills compatibility, dependency
|
|
46
|
+
and graph validation, ownership and lifecycle governance, security policy
|
|
47
|
+
validation, workflow diagnostics, repository-wide scan, and readiness views.
|
|
48
|
+
Renma does not replace general Skill authoring guidance.
|
|
49
|
+
|
|
50
|
+
Renma is **Agent Skills-compatible, but not Agent Skills-defined**. Canonical Agent Skills entrypoints
|
|
51
|
+
are discovered under `skills/**/SKILL.md` and
|
|
52
|
+
`.agents/skills/**/SKILL.md`. Renma also discovers historical `skill.md` and
|
|
53
|
+
`*.skill.md` entrypoints for migration diagnostics, but discovery does not make those spellings Agent Skills-compatible.
|
|
54
|
+
The broader repository model also
|
|
55
|
+
includes independently governed Context Assets, Context Lenses, policies,
|
|
56
|
+
references, and evidence.
|
|
57
|
+
|
|
58
|
+
See [Agent Skills Compatibility and Migration](docs/agent-skills-compatibility.md)
|
|
59
|
+
for the exact format and one-way migration contract.
|
|
60
|
+
|
|
61
|
+
## Product Boundary
|
|
62
|
+
|
|
63
|
+
Renma discovers, parses, normalizes, and validates repository assets. It does
|
|
64
|
+
not:
|
|
65
|
+
|
|
66
|
+
- select a Skill or Context for a live task;
|
|
67
|
+
- assemble or inject prompts;
|
|
68
|
+
- execute Skills, agents, or tools;
|
|
69
|
+
- call an LLM for core analysis;
|
|
70
|
+
- collect runtime telemetry; or
|
|
71
|
+
- automatically rewrite Skill bodies or weaken policy.
|
|
67
72
|
|
|
68
73
|
```mermaid
|
|
69
74
|
flowchart TD
|
|
70
|
-
subgraph Repository["Git-reviewed
|
|
71
|
-
Skills["Skills:
|
|
72
|
-
Lenses["Context Lenses:
|
|
73
|
-
|
|
75
|
+
subgraph Repository["Git-reviewed repository"]
|
|
76
|
+
Skills["Skills: entrypoints and workflows"]
|
|
77
|
+
Lenses["Context Lenses: interpretation"]
|
|
78
|
+
Context["Context Assets: durable knowledge"]
|
|
74
79
|
Skills -->|may reference| Lenses
|
|
75
|
-
Skills -->|may reference directly|
|
|
76
|
-
Lenses -->|interprets|
|
|
80
|
+
Skills -->|may reference directly| Context
|
|
81
|
+
Lenses -->|interprets| Context
|
|
77
82
|
end
|
|
78
|
-
Renma["Renma:
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
Assets --> Renma
|
|
85
|
-
Renma --> Catalog
|
|
86
|
-
Renma --> Views
|
|
87
|
-
Consumers -->|consume according to their runtime behavior| Skills
|
|
88
|
-
Consumers -->|may also consume| Lenses
|
|
89
|
-
Consumers -->|may also consume| Assets
|
|
90
|
-
```
|
|
91
|
-
|
|
92
|
-
Skills may point through a Context Lens or directly to a Context Asset; a Lens
|
|
93
|
-
is not required for every asset. Renma generates the Catalog and other
|
|
94
|
-
governance projections from repository source assets and declarations; the
|
|
95
|
-
Catalog describes those assets rather than creating them. Renma validates
|
|
96
|
-
static declarations but does not select a Skill, choose or inject task Context,
|
|
97
|
-
assemble a prompt, or execute the consumer's workflow.
|
|
98
|
-
|
|
99
|
-
## Primary Workflows
|
|
100
|
-
|
|
101
|
-
Renma supports two common user journeys:
|
|
102
|
-
|
|
103
|
-
1. [Create a new Skill with `scaffold`](docs/user-manual.md#user-story-create-a-new-skill-with-scaffold), add reusable Context, validate the repository, and review the result.
|
|
104
|
-
2. [Improve an existing Skill or context repository](docs/user-manual.md#user-story-improve-existing-skills-with-diagnostics) from deterministic diagnostics, optionally using a coding agent to propose a patch that a human reviews.
|
|
105
|
-
|
|
106
|
-
The [`examples/context-repo`](examples/context-repo) fixture demonstrates the
|
|
107
|
-
second journey as a repository-aware, statically navigable specification review
|
|
108
|
-
with an explicit Renma, agent, and human responsibility boundary.
|
|
109
|
-
|
|
110
|
-
## How Renma Relates to RAG and Agent Memory
|
|
111
|
-
|
|
112
|
-
Renma does not replace RAG, vector databases, or agent memory.
|
|
113
|
-
|
|
114
|
-
RAG helps systems retrieve relevant information. Renma helps teams organize reusable knowledge before it is retrieved. Agent memory grows from an agent's experience. A Context Repository grows from human-curated knowledge.
|
|
115
|
-
|
|
116
|
-
These layers can work together:
|
|
117
|
-
|
|
118
|
-
```text
|
|
119
|
-
People create knowledge -> Renma organizes it -> RAG retrieves it -> agents consume it -> agent memory records experience
|
|
83
|
+
Renma["Renma: deterministic governance"]
|
|
84
|
+
Reports["Scan, Catalog, Graph, Trust Graph, Readiness, and BOM"]
|
|
85
|
+
Review["Human review"]
|
|
86
|
+
Runtime["External agents and runtimes"]
|
|
87
|
+
Repository --> Renma --> Reports --> Review
|
|
88
|
+
Runtime -->|consumes according to its own behavior| Repository
|
|
120
89
|
```
|
|
121
90
|
|
|
122
|
-
##
|
|
123
|
-
|
|
124
|
-
As AI-agent repositories grow, expertise often gets duplicated across skills and prompts. Testing heuristics, domain risks, tool usage notes, product decisions, and team-specific contracts drift apart. Ownership becomes unclear. References break. Deprecated guidance remains reachable. New engineers and agents cannot tell which knowledge is authoritative.
|
|
125
|
-
|
|
126
|
-
Renma gives that material the same operational posture teams expect from source code:
|
|
91
|
+
## Primary Skill Workflows
|
|
127
92
|
|
|
128
|
-
-
|
|
129
|
-
|
|
130
|
-
- Reviewable in pull requests
|
|
131
|
-
- Versioned in Git
|
|
132
|
-
- Composable through explicit references and dependencies
|
|
133
|
-
- Validated with deterministic checks
|
|
134
|
-
- Easy to inspect locally and in CI
|
|
135
|
-
|
|
136
|
-
For example, a testing organization can keep boundary value analysis, negative testing, regression risk, payment idempotency, duplicate charge prevention, refund edge cases, mobile offline behavior, mobile automation notes, and known team-specific risks as shared context assets instead of burying them inside individual skills.
|
|
137
|
-
|
|
138
|
-
## Repository Shape
|
|
139
|
-
|
|
140
|
-
Renma supports existing skill-local references, profiles, and examples. The preferred model is to give reusable knowledge first-class space under `contexts/`:
|
|
93
|
+
For a new Skill, use platform-native guidance to design the workflow, then run
|
|
94
|
+
one generator for the target file:
|
|
141
95
|
|
|
142
96
|
```text
|
|
143
|
-
|
|
144
|
-
|
|
145
|
-
|
|
146
|
-
|
|
147
|
-
|
|
148
|
-
|
|
149
|
-
|
|
150
|
-
SKILL.md
|
|
151
|
-
|
|
152
|
-
contexts/
|
|
153
|
-
testing/
|
|
154
|
-
boundary-value-analysis.md
|
|
155
|
-
negative-testing.md
|
|
156
|
-
regression-risk.md
|
|
157
|
-
domain/
|
|
158
|
-
payment/
|
|
159
|
-
idempotency.md
|
|
160
|
-
duplicate-charge.md
|
|
161
|
-
refund-risk.md
|
|
162
|
-
mobile/
|
|
163
|
-
offline-behavior.md
|
|
164
|
-
background-resume.md
|
|
165
|
-
tools/
|
|
166
|
-
appium/
|
|
167
|
-
usage-guideline.md
|
|
168
|
-
limitations.md
|
|
169
|
-
teams/
|
|
170
|
-
checkout/
|
|
171
|
-
payment-api-contracts.md
|
|
172
|
-
known-risk-patterns.md
|
|
173
|
-
|
|
174
|
-
lenses/
|
|
175
|
-
testing/
|
|
176
|
-
spec-review-boundary-values.md
|
|
177
|
-
```
|
|
178
|
-
|
|
179
|
-
This is an illustrative domain-oriented layout, not a required repository
|
|
180
|
-
schema. `contexts/` is preferred and `context/` is also scanned for
|
|
181
|
-
compatibility. Files under either root are cataloged as first-class `context`
|
|
182
|
-
assets, while `context_lens` assets live under `lenses/` or opt in from context
|
|
183
|
-
files with `type: context_lens`. Skill-local `references/` remain supported as
|
|
184
|
-
`reference` assets.
|
|
185
|
-
|
|
186
|
-
## What Renma Does Today
|
|
187
|
-
|
|
188
|
-
Renma is a minimal-dependency TypeScript CLI that scans local repositories and builds a deterministic catalog of agent-consumable assets.
|
|
189
|
-
|
|
190
|
-
It currently scans:
|
|
191
|
-
|
|
192
|
-
- AI-agent skills
|
|
193
|
-
- Repository instructions such as `AGENTS.md`
|
|
194
|
-
- Shared context Markdown under `context/` and `contexts/`
|
|
195
|
-
- Skill profiles, references, and examples
|
|
196
|
-
- Tool guidance and support files
|
|
197
|
-
- README-level repository documentation
|
|
198
|
-
|
|
199
|
-
It produces:
|
|
200
|
-
|
|
201
|
-
- File and line-level diagnostics
|
|
202
|
-
- Catalog reports with deterministic asset IDs
|
|
203
|
-
- Ownership coverage reports
|
|
204
|
-
- Dependency graph reports
|
|
205
|
-
- Trust Graph evidence reports
|
|
206
|
-
- Agent readiness reports
|
|
207
|
-
- Repository Context BOM manifests
|
|
208
|
-
- JSON output for CI and downstream tooling
|
|
209
|
-
- Text output designed to become actionable repair prompts for humans or agents
|
|
210
|
-
|
|
211
|
-
Findings are meant to explain what is wrong, why it matters, where the evidence is, what to preserve while fixing it, and how to verify the repair. Renma does not apply large semantic rewrites itself; it emits structured diagnostics so a human or coding agent can propose a reviewable patch and run Renma again.
|
|
212
|
-
|
|
213
|
-
JSON scan output also includes additive `diagnosticsV2` and `reviewBundles` fields for LLM-assisted repair and review tooling. These normalize findings and diagnostics into stable codes, locations, typed repair constraints, structured verification steps, concise `llmHint` guidance, and deterministic groups of related issues. See the [Diagnostics Reference](docs/diagnostics.md) for the schema and examples.
|
|
214
|
-
|
|
215
|
-
## Scan, Catalog, Graph, Readiness, And BOM
|
|
216
|
-
|
|
217
|
-
Renma exposes several deterministic views over the same repository evidence. They answer different questions.
|
|
218
|
-
|
|
219
|
-
| Command | Main question | Best for | Output shape |
|
|
220
|
-
| --- | --- | --- | --- |
|
|
221
|
-
| `scan` | What concrete problems were found? | Fixing diagnostics and CI checks | Finding list |
|
|
222
|
-
| `catalog` | What assets exist? | Reviewing IDs, owners, lifecycle metadata, hashes, tags, and declared dependencies | Asset inventory |
|
|
223
|
-
| `graph` | How are assets connected? | Inspecting dependencies and references | Asset relationship graph |
|
|
224
|
-
| `trust-graph` | What evidence helps reviewers decide whether assets are safe, owned, current, and usable enough? | Tracing owner, lifecycle, policy, dependency, reference, and diagnostic evidence per asset | Evidence graph |
|
|
225
|
-
| `readiness` | Is the repository broadly ready for agent-facing use? | Maintainer summary and CI reporting | Repository-level scorecard |
|
|
226
|
-
| `bom` | What declared repository context manifest should reviewers inspect? | Combining catalog, graph, readiness, diagnostics, lifecycle, hashes, and security posture evidence | Repository Context BOM |
|
|
227
|
-
|
|
228
|
-
`trust-graph` does not decide that an asset is trustworthy. It connects deterministic evidence that humans and downstream tools can review: owner, lifecycle status, dependency and reference relationships, selected security profiles, effective policy fingerprints, and diagnostics.
|
|
229
|
-
|
|
230
|
-
In short:
|
|
231
|
-
|
|
232
|
-
- `scan` lists problems.
|
|
233
|
-
- `catalog` lists what assets exist.
|
|
234
|
-
- `graph` shows structural relationships.
|
|
235
|
-
- `trust-graph` connects trust-relevant evidence.
|
|
236
|
-
- `readiness` summarizes repository health.
|
|
237
|
-
- `bom` combines declared asset inventory, dependencies, hashes, lifecycle, diagnostics, readiness, and security posture evidence into a reviewable repository manifest.
|
|
238
|
-
|
|
239
|
-
Useful command examples:
|
|
240
|
-
|
|
241
|
-
```bash
|
|
242
|
-
renma scan . --format json
|
|
243
|
-
renma catalog . --format json
|
|
244
|
-
renma graph . --format json
|
|
245
|
-
renma trust-graph . --format markdown
|
|
246
|
-
renma trust-graph . --format json
|
|
247
|
-
renma readiness . --format markdown
|
|
248
|
-
renma bom . --format json
|
|
249
|
-
renma bom . --format markdown
|
|
250
|
-
renma bom . --format json --omit-generated-at
|
|
97
|
+
platform-native Skill authoring guidance
|
|
98
|
+
-> renma scaffold skill
|
|
99
|
+
-> review and complete the generated Skill
|
|
100
|
+
-> renma scan . --fail-on high
|
|
101
|
+
-> fix relevant diagnostics
|
|
102
|
+
-> rerun validation
|
|
103
|
+
-> human review
|
|
251
104
|
```
|
|
252
105
|
|
|
253
|
-
|
|
254
|
-
|
|
255
|
-
`renma bom` prints a declared Repository Context BOM generated from existing Renma evidence. See the [Repository Context BOM contract](docs/repository-context-bom.md) for the authoritative v1 schema, snapshot, reproducibility, provenance, and future consumed-context evidence boundaries.
|
|
256
|
-
|
|
257
|
-
```bash
|
|
258
|
-
renma bom . --format json
|
|
259
|
-
renma bom . --format markdown
|
|
260
|
-
renma bom . --format json --omit-generated-at
|
|
261
|
-
```
|
|
262
|
-
|
|
263
|
-
The BOM is a repository manifest, not a runtime usage report. It combines the catalog asset inventory, content hashes, owners, lifecycle metadata, declared dependency graph evidence, diagnostics, readiness checks, security posture, and security policy inventory into one reviewable artifact.
|
|
264
|
-
|
|
265
|
-
Renma derives each BOM from one in-memory repository snapshot: configuration, discovered artifacts, parsed documents, catalog, graph evidence, diagnostics, readiness, and security summaries all come from the same collected state.
|
|
266
|
-
|
|
267
|
-
It does not describe what an LLM actually used, assemble prompts, select task-specific context, inject context into agents, import consumed-context evidence, or collect telemetry. JSON is the source of truth; Markdown is the compact pull-request review view.
|
|
268
|
-
|
|
269
|
-
By default, `generatedAt` records the actual generation time. Use `--omit-generated-at` when CI or review automation needs to avoid clock-based diffs. With the same checkout path, config path, repository contents, Renma version, and UTC evaluation date, repeated `--omit-generated-at` runs should produce byte-identical JSON. The option does not remove metadata freshness dates, suppress freshness diagnostics, normalize absolute `root` or `configPath`, hide file moves, or guarantee portable byte-for-byte output across runners.
|
|
270
|
-
|
|
271
|
-
### Repeated context diagnostics
|
|
272
|
-
|
|
273
|
-
`renma scan` reports deterministic repeated-context candidates across discovered skills, agents, profiles, references, examples, and shared context assets. These findings are evidence for consolidation, not automatic source-of-truth decisions:
|
|
106
|
+
For an existing Skill:
|
|
274
107
|
|
|
275
108
|
```text
|
|
276
|
-
|
|
277
|
-
|
|
278
|
-
|
|
279
|
-
|
|
280
|
-
|
|
281
|
-
|
|
282
|
-
|
|
283
|
-
|
|
284
|
-
|
|
285
|
-
- `MAINT-REPEATED-CONTEXT-PATTERN` for repeated token shingles.
|
|
286
|
-
|
|
287
|
-
Renma normalizes whitespace and only reports cross-file candidates with stable parser evidence. Remediation text asks maintainers to preserve ownership boundaries, procedural detail, and human approval while consolidating owned knowledge.
|
|
288
|
-
|
|
289
|
-
LLM-authored skills and context assets often converge on similar wording, structure, and safety boilerplate. That uniformity can make deterministic checks more useful, not less: Renma can catch repeated sections, duplicated guidance, stale ownership, risky commands, and policy drift without needing to call an LLM. The findings are evidence for review, not automatic rewrite decisions.
|
|
290
|
-
|
|
291
|
-
## How Renma differs from adjacent tools
|
|
292
|
-
|
|
293
|
-
Prompt-management and eval tools focus on prompts, traces, and model outputs.
|
|
294
|
-
|
|
295
|
-
Renma focuses one layer lower: the reusable context assets and skills that prompts, agents, and tools depend on.
|
|
296
|
-
|
|
297
|
-
Knowledge-management tools help humans organize notes and documents.
|
|
298
|
-
|
|
299
|
-
Renma focuses on machine-consumable repository knowledge that can be owned, referenced, validated, and reused in AI workflows.
|
|
300
|
-
|
|
301
|
-
Software catalogs track services, libraries, ownership, and lifecycle.
|
|
302
|
-
|
|
303
|
-
Renma applies a similar catalog model to context assets.
|
|
304
|
-
|
|
305
|
-
## First-Time Use
|
|
306
|
-
|
|
307
|
-
Try Renma against the current repository:
|
|
308
|
-
|
|
309
|
-
```bash
|
|
310
|
-
npx renma scan .
|
|
311
|
-
npx renma catalog . --format json
|
|
312
|
-
npx renma graph . --format mermaid
|
|
313
|
-
npx renma trust-graph . --format json
|
|
314
|
-
npx renma readiness .
|
|
315
|
-
npx renma diff . --from main --to HEAD --format markdown
|
|
109
|
+
review with platform-native Skill authoring guidance
|
|
110
|
+
-> renma scan . --fail-on high
|
|
111
|
+
-> inspect relevant diagnostics and repository evidence
|
|
112
|
+
-> use suggest-metadata only for metadata or migration work
|
|
113
|
+
-> prepare and review intended changes
|
|
114
|
+
-> renma scan . --fail-on high
|
|
115
|
+
-> fix relevant diagnostics
|
|
116
|
+
-> rerun validation
|
|
117
|
+
-> human review
|
|
316
118
|
```
|
|
317
119
|
|
|
318
|
-
|
|
120
|
+
Do not run two independent generators against the same target file. If a
|
|
121
|
+
platform-native tool can generate Skills, ask it to review or refine the Renma
|
|
122
|
+
scaffold, or ask it to use `renma scaffold skill` as its starting point.
|
|
123
|
+
`suggest-metadata` never edits the target and does not improve the Skill body.
|
|
319
124
|
|
|
320
|
-
|
|
125
|
+
The [Authoring Guide](docs/authoring-guide.md) is the canonical walkthrough for
|
|
126
|
+
both workflows.
|
|
321
127
|
|
|
322
|
-
|
|
128
|
+
Renma 0.18.0 uses focused workflows rather than a thin-router model. See the
|
|
129
|
+
[canonical quality profile](docs/quality-profile.md) for every fixed threshold,
|
|
130
|
+
unit, rationale, provenance, and diagnostic mapping. Quality thresholds are not
|
|
131
|
+
configurable through `renma.config.json` in this release.
|
|
323
132
|
|
|
324
|
-
|
|
325
|
-
npm install
|
|
326
|
-
npm run build
|
|
327
|
-
node dist/index.js scan .
|
|
328
|
-
```
|
|
133
|
+
## Install And Quick Start
|
|
329
134
|
|
|
330
|
-
|
|
135
|
+
Run Renma without installing it globally:
|
|
331
136
|
|
|
332
137
|
```bash
|
|
333
|
-
|
|
334
|
-
|
|
335
|
-
|
|
336
|
-
|
|
337
|
-
node dist/index.js diff . --from main --to HEAD --format markdown
|
|
138
|
+
npx renma scan . --fail-on high
|
|
139
|
+
npx renma catalog . --format markdown
|
|
140
|
+
npx renma graph . --format markdown
|
|
141
|
+
npx renma readiness . --format markdown
|
|
338
142
|
```
|
|
339
143
|
|
|
340
|
-
|
|
144
|
+
Create and complete a new Skill:
|
|
341
145
|
|
|
342
146
|
```bash
|
|
343
|
-
npx renma scaffold skill skills/testing/spec-review/SKILL.md --
|
|
344
|
-
|
|
345
|
-
npx renma
|
|
147
|
+
npx renma scaffold skill skills/testing/spec-review/SKILL.md --owner qa-platform
|
|
148
|
+
# Review the file with your platform's standard Skill authoring guidance.
|
|
149
|
+
npx renma scan . --fail-on high
|
|
346
150
|
```
|
|
347
151
|
|
|
348
|
-
|
|
349
|
-
|
|
350
|
-
|
|
351
|
-
|
|
352
|
-
Inspect a focused graph for the new skill:
|
|
152
|
+
Review an existing Skill without editing it automatically. Start with `scan`;
|
|
153
|
+
use `suggest-metadata` only when the evidence identifies metadata retrofit or
|
|
154
|
+
migration work:
|
|
353
155
|
|
|
354
156
|
```bash
|
|
355
|
-
npx renma
|
|
157
|
+
npx renma scan . --fail-on high
|
|
356
158
|
npx renma inspect skills/testing/spec-review/SKILL.md
|
|
159
|
+
# Conditional: metadata retrofit, explicit owner retrofit, or migration only.
|
|
160
|
+
npx renma suggest-metadata skills/testing/spec-review/SKILL.md
|
|
357
161
|
```
|
|
358
162
|
|
|
359
|
-
|
|
360
|
-
|
|
361
|
-
`scaffold --format prompt` emits a Codex/Claude-ready authoring prompt for `<asset-id-or-path>` without writing files. `scaffold --format json` emits structured scaffold data.
|
|
362
|
-
|
|
363
|
-
Semantic diff compares deterministic catalog, graph, readiness, and finding
|
|
364
|
-
snapshots across Git refs. It does not interpret arbitrary prose semantics,
|
|
365
|
-
assemble prompts, choose context, call an LLM, repair files, or check out or
|
|
366
|
-
mutate the working tree.
|
|
367
|
-
|
|
368
|
-
A practical first pass is:
|
|
369
|
-
|
|
370
|
-
1. Run `catalog` to see which skills, context assets, references, examples, and support files Renma discovered.
|
|
371
|
-
2. Run `scan` to find broken links, weak structure, risky instructions, missing lifecycle metadata, and other repairable issues.
|
|
372
|
-
3. Run `graph` to inspect dependencies and discover orphaned or overly coupled knowledge.
|
|
373
|
-
4. Run `trust-graph` to inspect deterministic owner, lifecycle, policy, dependency, and diagnostic evidence without introducing a trust score.
|
|
374
|
-
5. Run `readiness` to summarize whether the repository is healthy enough for agent use.
|
|
375
|
-
6. Run `ownership` to find assets without clear ownership.
|
|
376
|
-
7. Run `suggest-metadata` on existing assets that need a safe metadata retrofit prompt for a reviewed patch.
|
|
163
|
+
Inspect one file or an exact slice:
|
|
377
164
|
|
|
378
|
-
|
|
379
|
-
|
|
380
|
-
## Example repository
|
|
381
|
-
|
|
382
|
-
See [`examples/context-repo`](examples/context-repo) for a repository-aware
|
|
383
|
-
Skill and shared-context fixture you can inspect with Renma.
|
|
384
|
-
|
|
385
|
-
See [`examples/context-lens`](examples/context-lens) for a Context Lens governance example with valid lenses, readiness output, inspect output, and expected diagnostics for an invalid lens.
|
|
386
|
-
|
|
387
|
-
## CLI Commands
|
|
388
|
-
|
|
389
|
-
```bash
|
|
390
|
-
renma scan <path>
|
|
391
|
-
renma bom <path>
|
|
392
|
-
renma catalog <path>
|
|
393
|
-
renma ownership <path>
|
|
394
|
-
renma graph <path>
|
|
395
|
-
renma trust-graph <path>
|
|
396
|
-
renma readiness <path>
|
|
397
|
-
renma diff <path> --from <ref> --to <ref>
|
|
398
|
-
renma ci-report <path> --from <ref> --to <ref>
|
|
165
|
+
```text
|
|
399
166
|
renma inspect <file>
|
|
400
167
|
renma inspect <file> --lines L10-L42
|
|
401
|
-
renma scaffold <skill|context|context_lens> <path>
|
|
402
|
-
renma suggest-metadata <file>
|
|
403
|
-
renma suggest-semantic-split <file>
|
|
404
168
|
```
|
|
405
169
|
|
|
406
|
-
|
|
170
|
+
When developing from this checkout:
|
|
407
171
|
|
|
408
172
|
```bash
|
|
409
|
-
|
|
410
|
-
|
|
411
|
-
|
|
412
|
-
renma catalog . --format json
|
|
413
|
-
renma ownership . --include-owned
|
|
414
|
-
renma ownership . --owner qa-platform
|
|
415
|
-
renma graph . --format json
|
|
416
|
-
renma graph . --format mermaid
|
|
417
|
-
renma graph . --focus skill.testing.spec-review --view full
|
|
418
|
-
renma trust-graph . --format json
|
|
419
|
-
renma trust-graph . --format markdown
|
|
420
|
-
renma readiness . --format markdown
|
|
421
|
-
renma diff . --from main --to HEAD --format markdown
|
|
422
|
-
renma ci-report . --from main --to HEAD --format markdown
|
|
423
|
-
renma inspect contexts/testing/boundary-value-analysis.md
|
|
424
|
-
renma suggest-metadata skills/testing/spec-review/SKILL.md --format prompt
|
|
425
|
-
renma suggest-metadata skills/testing/spec-review/SKILL.md --owner qa-platform --format json
|
|
173
|
+
npm install
|
|
174
|
+
npm run build
|
|
175
|
+
node dist/index.js scan . --fail-on high
|
|
426
176
|
```
|
|
427
177
|
|
|
428
|
-
|
|
429
|
-
|
|
430
|
-
|
|
431
|
-
|
|
432
|
-
|
|
433
|
-
|
|
434
|
-
`
|
|
435
|
-
|
|
436
|
-
-
|
|
437
|
-
|
|
438
|
-
|
|
178
|
+
## Command Guide
|
|
179
|
+
|
|
180
|
+
| Command | Main question |
|
|
181
|
+
| --- | --- |
|
|
182
|
+
| `scan` | What concrete problems should be fixed? |
|
|
183
|
+
| `catalog` | What assets and metadata exist? |
|
|
184
|
+
| `graph` | How are assets structurally connected? |
|
|
185
|
+
| `trust-graph` | What trust-relevant evidence is connected to each asset? |
|
|
186
|
+
| `readiness` | Is the repository broadly prepared for agent-facing use? |
|
|
187
|
+
| `bom` | What declared repository context manifest should be reviewed? |
|
|
188
|
+
| `ownership` | Where is ownership missing or concentrated? |
|
|
189
|
+
| `diff` | What deterministic evidence changed between Git refs? |
|
|
190
|
+
| `ci-report` | What should a CI or pull-request reviewer inspect? |
|
|
191
|
+
| `inspect` | What is the outline or exact line slice of one file? |
|
|
192
|
+
| `scaffold` | How can a new asset start from a deterministic structure? |
|
|
193
|
+
| `suggest-metadata` | What metadata retrofit or one-way Skill migration is safe to review? |
|
|
194
|
+
| `suggest-semantic-split` | How can a mixed-purpose asset be split reviewably? |
|
|
195
|
+
|
|
196
|
+
Run `renma --help` and `renma <command> --help` for current options, output
|
|
197
|
+
contracts, and next steps. The [User Manual](docs/user-manual.md) is the
|
|
198
|
+
operational command reference.
|
|
439
199
|
|
|
440
|
-
##
|
|
441
|
-
|
|
442
|
-
Canonical Agent Skills entrypoints use the exact `SKILL.md` filename:
|
|
443
|
-
|
|
444
|
-
```text
|
|
445
|
-
skills/**/SKILL.md
|
|
446
|
-
.agents/skills/**/SKILL.md
|
|
447
|
-
```
|
|
448
|
-
|
|
449
|
-
Renma 0.16.0 requires Agent Skills format for operational Skills. Renma
|
|
450
|
-
governance and security values use flat, string-valued `metadata.renma.*`
|
|
451
|
-
entries; list values are JSON-array strings and booleans are the exact strings
|
|
452
|
-
`"true"` or `"false"`. Pre-0.16 top-level Skill metadata is discovered only as
|
|
453
|
-
migration input for `suggest-metadata`; catalog, ownership, graph, readiness,
|
|
454
|
-
BOM, Trust Graph, lifecycle, and security consumers do not use it. Contexts and
|
|
455
|
-
other non-Skill assets keep their existing top-level metadata syntax. See
|
|
456
|
-
[Agent Skills Compatibility and Migration](docs/agent-skills-compatibility.md)
|
|
457
|
-
for the normative boundary.
|
|
200
|
+
## Repository Shape
|
|
458
201
|
|
|
459
|
-
Renma
|
|
460
|
-
|
|
202
|
+
Renma supports independently owned knowledge rather than requiring every piece
|
|
203
|
+
of Context to live inside a Skill directory:
|
|
461
204
|
|
|
462
205
|
```text
|
|
463
|
-
skills
|
|
464
|
-
|
|
465
|
-
|
|
466
|
-
.
|
|
206
|
+
skills/
|
|
207
|
+
testing/
|
|
208
|
+
spec-review/
|
|
209
|
+
SKILL.md
|
|
210
|
+
contexts/
|
|
211
|
+
testing/
|
|
212
|
+
boundary-value-analysis.md
|
|
213
|
+
negative-testing.md
|
|
214
|
+
lenses/
|
|
215
|
+
testing/
|
|
216
|
+
spec-review-boundary-values.md
|
|
467
217
|
```
|
|
468
218
|
|
|
469
|
-
|
|
470
|
-
`
|
|
471
|
-
`
|
|
472
|
-
|
|
219
|
+
This is an illustrative layout, not a required domain hierarchy. `contexts/`
|
|
220
|
+
is preferred and `context/` remains supported. Skill-local `references/`,
|
|
221
|
+
`assets/`, `scripts/`, `examples/`, and `profiles/` are valid support material.
|
|
222
|
+
Local support without a declared owner inherits effective ownership from its
|
|
223
|
+
nearest owning Skill; reports distinguish inherited ownership from declarations.
|
|
224
|
+
When deterministic evidence shows that knowledge is reusable beyond one Skill,
|
|
225
|
+
promote it to an owned Context Asset rather than moving it based on location
|
|
226
|
+
alone.
|
|
473
227
|
|
|
474
|
-
|
|
228
|
+
The relationship model supports both:
|
|
475
229
|
|
|
476
230
|
```text
|
|
477
|
-
|
|
478
|
-
|
|
479
|
-
README.md
|
|
480
|
-
context/**/*.md
|
|
481
|
-
contexts/**/*.md
|
|
482
|
-
lenses/**/*.md
|
|
483
|
-
skills/**/profiles/**/*.md
|
|
484
|
-
skills/**/references/**/*.md
|
|
485
|
-
skills/**/examples/**/*.md
|
|
486
|
-
skills/**/scripts/**/*
|
|
487
|
-
tools/**/*
|
|
488
|
-
```
|
|
489
|
-
|
|
490
|
-
Skill-like files outside `skills/**` or `.agents/skills/**` are not treated as
|
|
491
|
-
Renma skill assets by default. Renma may emit an informational layout diagnostic
|
|
492
|
-
to suggest moving the file if it is intended to be a Renma skill.
|
|
493
|
-
|
|
494
|
-
Under explicit skill roots, the path segments `examples`, `profiles`,
|
|
495
|
-
`references`, and `scripts` are reserved for skill-local support files. These
|
|
496
|
-
are valid support paths:
|
|
497
|
-
|
|
498
|
-
- `skills/demo/examples/happy-path.md`
|
|
499
|
-
- `skills/demo/references/spec.md`
|
|
500
|
-
- `skills/demo/scripts/helper.sh`
|
|
501
|
-
- `skills/demo/profiles/local.md`
|
|
502
|
-
|
|
503
|
-
The same reserved names apply under `.agents/skills/**`.
|
|
504
|
-
|
|
505
|
-
Avoid using reserved support directory names as skill names. For example,
|
|
506
|
-
`skills/examples/SKILL.md`, `skills/references/SKILL.md`,
|
|
507
|
-
`skills/scripts/SKILL.md`, and `skills/profiles/SKILL.md` are not treated as
|
|
508
|
-
skill entrypoints by default. Rename the skill directory, such as
|
|
509
|
-
`skills/example-review/SKILL.md`, if the file is intended to define a Renma
|
|
510
|
-
skill.
|
|
511
|
-
|
|
512
|
-
Renma can still discover legacy skill-local support files for compatibility, but canonical reusable knowledge belongs in `contexts/`, experimental interpretation layers belong in `lenses/`, and helper implementations belong in `tools/`. Shared knowledge that is reused across skills should usually move into `contexts/` so it can have its own owner, lifecycle, dependencies, and review history.
|
|
513
|
-
|
|
514
|
-
## Configuration
|
|
515
|
-
|
|
516
|
-
Add `renma.config.json` at the repository root to tune discovery and CI behavior:
|
|
517
|
-
|
|
518
|
-
```json
|
|
519
|
-
{
|
|
520
|
-
"fail_on": "high",
|
|
521
|
-
"format": "json",
|
|
522
|
-
"globs": [
|
|
523
|
-
"skills/**/SKILL.md",
|
|
524
|
-
".agents/skills/**/SKILL.md",
|
|
525
|
-
"AGENTS.md",
|
|
526
|
-
"contexts/**/*.md"
|
|
527
|
-
],
|
|
528
|
-
"exclude": [
|
|
529
|
-
"node_modules",
|
|
530
|
-
"dist",
|
|
531
|
-
".git"
|
|
532
|
-
],
|
|
533
|
-
"suppressions": [
|
|
534
|
-
{
|
|
535
|
-
"id": "SEC-ENV-COPY",
|
|
536
|
-
"paths": ["skills/testing/**"],
|
|
537
|
-
"reason": "This skill intentionally documents env passthrough test cases.",
|
|
538
|
-
"expires": "2026-09-30"
|
|
539
|
-
},
|
|
540
|
-
{
|
|
541
|
-
"id": "LAYOUT-SKILL-NOT-THIN",
|
|
542
|
-
"paths": ["skills/legacy/**"],
|
|
543
|
-
"reason": "Legacy skill kept for compatibility with existing workflows.",
|
|
544
|
-
"expires": "never"
|
|
545
|
-
}
|
|
546
|
-
],
|
|
547
|
-
"max_file_size_bytes": 524288,
|
|
548
|
-
"max_depth": 16,
|
|
549
|
-
"concurrency": 16,
|
|
550
|
-
"layout": {
|
|
551
|
-
"workflow_aliases": {}
|
|
552
|
-
}
|
|
553
|
-
}
|
|
554
|
-
```
|
|
555
|
-
|
|
556
|
-
Use `exclude` only for paths Renma should not scan. Use `suppressions` when Renma should still scan a file, detect matching findings internally, then omit those findings from normal reports and failure thresholds. Suppressions apply only when both the finding `id` and at least one `paths` entry match, so keep path patterns narrow.
|
|
557
|
-
|
|
558
|
-
Each suppression requires a rule `id`, one or more path patterns, and an audit `reason` that stays in config for review. `expires` is optional, but audited suppressions should usually include either a date in `YYYY-MM-DD` for temporary workarounds or `"never"` for an intentionally permanent exception. Date-based expirations reactivate matching findings after the date passes. Suppression paths use repository-relative POSIX-style paths, exact matches, directory-prefix matches for non-glob patterns, and a small glob subset: `*` within a path segment and `**` across directories.
|
|
559
|
-
|
|
560
|
-
## Asset Metadata
|
|
561
|
-
|
|
562
|
-
Contexts and other non-Skill assets declare lightweight metadata in frontmatter
|
|
563
|
-
using the existing top-level syntax. Skills use canonical Agent Skills
|
|
564
|
-
frontmatter and `metadata.renma.*` as described above.
|
|
565
|
-
|
|
566
|
-
```markdown
|
|
567
|
-
---
|
|
568
|
-
id: context.testing.boundary-value-analysis
|
|
569
|
-
owner: qa-platform
|
|
570
|
-
status: stable
|
|
571
|
-
last_reviewed_at: 2026-06-28
|
|
572
|
-
review_cycle: P90D
|
|
573
|
-
expires_at: 2026-12-31
|
|
574
|
-
requires_context:
|
|
575
|
-
- context.testing.negative-testing
|
|
576
|
-
---
|
|
577
|
-
|
|
578
|
-
# Boundary Value Analysis
|
|
579
|
-
```
|
|
580
|
-
|
|
581
|
-
Useful metadata semantics include the following. The spellings shown here are
|
|
582
|
-
the top-level non-Skill form; canonical Skills use the corresponding
|
|
583
|
-
`metadata.renma.*` keys.
|
|
584
|
-
|
|
585
|
-
- `id`: Stable catalog ID
|
|
586
|
-
- `title`: Human-readable asset title
|
|
587
|
-
- `owner`: Recommended team, person, or group responsible for the asset
|
|
588
|
-
- `status`: Lifecycle state such as `experimental`, `stable`, `deprecated`, or `archived`
|
|
589
|
-
- `version`: Asset version when the repository uses explicit versioning
|
|
590
|
-
- `last_reviewed_at`: ISO date for the last human review, such as `2026-06-28`
|
|
591
|
-
- `review_cycle`: ISO 8601 day duration for expected review cadence, such as `P90D`
|
|
592
|
-
- `expires_at`: ISO date when the asset should be treated as expired
|
|
593
|
-
- `tags`: Search and grouping labels
|
|
594
|
-
- `requires_context`: Context assets this asset normally depends on
|
|
595
|
-
- `optional_context`: Context assets useful only in some cases
|
|
596
|
-
- `conflicts`: Context assets that should not be applied together
|
|
597
|
-
- `superseded_by`: Replacement asset when this asset is deprecated
|
|
598
|
-
|
|
599
|
-
Renma can infer some information from paths and headings, but explicit metadata makes ownership and dependency reports much more valuable.
|
|
600
|
-
|
|
601
|
-
### Ownership policy
|
|
602
|
-
|
|
603
|
-
Renma treats `owner` as governance metadata. Declaring an owner is recommended because it makes context assets easier to review, maintain, and share across teams.
|
|
604
|
-
|
|
605
|
-
However, owner metadata is not globally required yet. Assets without an owner are accepted and reported as unowned in the ownership coverage report.
|
|
606
|
-
|
|
607
|
-
Renma does not infer owners automatically. If an asset is unowned, choose an owner through human review or team policy.
|
|
608
|
-
|
|
609
|
-
To retrofit metadata onto an existing skill or context asset without overwriting its body, ask Renma for a deterministic prompt or JSON payload:
|
|
610
|
-
|
|
611
|
-
```bash
|
|
612
|
-
renma scan .
|
|
613
|
-
renma ownership .
|
|
614
|
-
renma suggest-metadata skills/testing/spec-review/SKILL.md --format prompt
|
|
231
|
+
Skill -> Context Lens -> Context Asset
|
|
232
|
+
Skill -> Context Asset
|
|
615
233
|
```
|
|
616
234
|
|
|
617
|
-
|
|
235
|
+
These are static governance relationships, not runtime Context selection.
|
|
618
236
|
|
|
619
|
-
|
|
620
|
-
metadata fields, which keeps authored metadata explicit and reviewable.
|
|
621
|
-
Pre-0.16 Skill fields may use this shape as migration input, but are not
|
|
622
|
-
operational in Renma 0.16.0:
|
|
237
|
+
## Canonical Skill Example
|
|
623
238
|
|
|
624
239
|
```yaml
|
|
625
240
|
---
|
|
626
|
-
|
|
627
|
-
|
|
628
|
-
|
|
629
|
-
|
|
630
|
-
|
|
631
|
-
|
|
632
|
-
|
|
633
|
-
|
|
634
|
-
|
|
635
|
-
-
|
|
636
|
-
- spec-review
|
|
637
|
-
when_to_use:
|
|
638
|
-
- Designing tests around numeric, date, quantity, or limit boundaries
|
|
639
|
-
when_not_to_use:
|
|
640
|
-
- For exploratory testing notes that do not depend on boundaries
|
|
641
|
-
requires_context:
|
|
642
|
-
- context.testing.negative-testing
|
|
643
|
-
optional_context:
|
|
644
|
-
- context.domain.payment.duplicate-charge
|
|
645
|
-
conflicts:
|
|
646
|
-
- context.testing.boundary-value-analysis-v1
|
|
647
|
-
superseded_by:
|
|
648
|
-
- context.testing.boundary-value-analysis-v3
|
|
241
|
+
name: spec-review
|
|
242
|
+
description: Review specifications for ambiguity and missing boundaries. Use when requirements need evidence-backed review before implementation.
|
|
243
|
+
metadata:
|
|
244
|
+
renma.id: skill.testing.spec-review
|
|
245
|
+
renma.title: Spec Review
|
|
246
|
+
renma.owner: qa-platform
|
|
247
|
+
renma.status: stable
|
|
248
|
+
renma.tags: '["testing","spec-review"]'
|
|
249
|
+
renma.requires-context: '["context.testing.boundary-value-analysis"]'
|
|
250
|
+
renma.optional-context: '[]'
|
|
649
251
|
---
|
|
650
252
|
```
|
|
651
253
|
|
|
652
|
-
|
|
653
|
-
|
|
654
|
-
|
|
655
|
-
|
|
656
|
-
missing dependencies with an LLM during `scan`.
|
|
254
|
+
Agent Skills owns the standard identity and body. Renma governance and security
|
|
255
|
+
values use flat, string-valued `metadata.renma.*` entries; list values are JSON
|
|
256
|
+
array strings. Context Assets and other non-Skill assets retain their documented
|
|
257
|
+
top-level metadata syntax.
|
|
657
258
|
|
|
658
|
-
|
|
659
|
-
|
|
660
|
-
|
|
661
|
-
diagnostic.
|
|
259
|
+
See the [Authoring Guide](docs/authoring-guide.md) for authoring responsibility
|
|
260
|
+
and the [compatibility guide](docs/agent-skills-compatibility.md) for the exact
|
|
261
|
+
canonical and migration rules.
|
|
662
262
|
|
|
663
|
-
##
|
|
263
|
+
## Examples And Documentation
|
|
664
264
|
|
|
665
|
-
|
|
666
|
-
|
|
667
|
-
```yaml
|
|
668
|
-
name: renma
|
|
669
|
-
|
|
670
|
-
on:
|
|
671
|
-
pull_request:
|
|
672
|
-
push:
|
|
673
|
-
branches:
|
|
674
|
-
- main
|
|
675
|
-
|
|
676
|
-
jobs:
|
|
677
|
-
renma:
|
|
678
|
-
runs-on: ubuntu-latest
|
|
679
|
-
steps:
|
|
680
|
-
- uses: actions/checkout@v4
|
|
681
|
-
- uses: actions/setup-node@v4
|
|
682
|
-
with:
|
|
683
|
-
node-version: 22
|
|
684
|
-
- run: npx renma scan . --fail-on high --format json
|
|
685
|
-
```
|
|
686
|
-
|
|
687
|
-
## Design Philosophy
|
|
688
|
-
|
|
689
|
-
Renma has an opinionated design.
|
|
690
|
-
|
|
691
|
-
It is built around the idea that reusable LLM context should be treated like a software asset: owned, versioned, referenced, reviewed, and checked for readiness.
|
|
692
|
-
|
|
693
|
-
This means Renma favors structured, Git-friendly context repositories over ad hoc prompt snippets or untracked notes.
|
|
694
|
-
|
|
695
|
-
## Design Boundaries
|
|
696
|
-
|
|
697
|
-
Renma intentionally stays below the agent runtime layer.
|
|
698
|
-
|
|
699
|
-
Renma does:
|
|
700
|
-
|
|
701
|
-
- Catalog LLM-consumable repository assets
|
|
702
|
-
- Validate links, structure, lifecycle state, safety signals, and ownership
|
|
703
|
-
- Emit deterministic reports with file and line evidence
|
|
704
|
-
- Help humans and agents repair knowledge repositories through reviewable patches
|
|
705
|
-
|
|
706
|
-
Renma does not:
|
|
707
|
-
|
|
708
|
-
- Choose task-specific context for a live agent session
|
|
709
|
-
- Assemble prompts
|
|
710
|
-
- Inject context into model calls
|
|
711
|
-
- Execute agent workflows
|
|
712
|
-
- Act as a provider gateway
|
|
713
|
-
- Own runtime telemetry collection
|
|
714
|
-
- Replace product, QA, platform, or documentation ownership
|
|
715
|
-
|
|
716
|
-
This boundary keeps Renma useful as repository infrastructure. Agent tools can consume its reports, but the catalog remains grounded in Git, code review, and deterministic checks.
|
|
717
|
-
|
|
718
|
-
## Security Diagnostics
|
|
719
|
-
|
|
720
|
-
Security diagnostics v2 extends the deterministic v1 command checks with
|
|
721
|
-
LLM-facing policy and data-handling diagnostics. Renma recognizes small policy
|
|
722
|
-
metadata such as `allowed_data`, `network_allowed`, `external_upload_allowed`,
|
|
723
|
-
`secrets_allowed`, and `requires_human_approval`; reports contradictory or
|
|
724
|
-
violated policy; flags sensitive file and secret-material instructions; and
|
|
725
|
-
detects external uploads, bulk sharing, cloud upload, overbroad context
|
|
726
|
-
collection, and instructions that disable or discourage redaction.
|
|
727
|
-
|
|
728
|
-
Security diagnostics v3 also enforces approved destination allowlists such as
|
|
729
|
-
`approved_network_destinations` for URL and domain-like network instructions.
|
|
730
|
-
|
|
731
|
-
Security diagnostics v4 can also read repository-wide security policy from
|
|
732
|
-
`renma.config.json`:
|
|
733
|
-
|
|
734
|
-
```json
|
|
735
|
-
{
|
|
736
|
-
"security": {
|
|
737
|
-
"approvedDomains": ["github.com", "registry.npmjs.org"],
|
|
738
|
-
"approvedUploadDomains": ["internal-artifacts.example.com"],
|
|
739
|
-
"disallowedCommands": ["gh gist create", "pastebin", "webhook.site", "nc"]
|
|
740
|
-
}
|
|
741
|
-
}
|
|
742
|
-
```
|
|
743
|
-
|
|
744
|
-
Global `approvedDomains` combine with artifact-local
|
|
745
|
-
`approved_network_destinations`. Upload destinations must be approved separately
|
|
746
|
-
with `approvedUploadDomains`.
|
|
747
|
-
|
|
748
|
-
Security profiles can be defined under `security.profiles` and selected by artifacts with `security_profile` or `securityProfile`. Artifact-local explicit denials such as `network_allowed: false` and `external_upload_allowed: false` remain stricter than inherited profile or repository allowances.
|
|
749
|
-
|
|
750
|
-
```json
|
|
751
|
-
{
|
|
752
|
-
"security": {
|
|
753
|
-
"profiles": {
|
|
754
|
-
"appium-local-diagnostics": {
|
|
755
|
-
"networkAllowed": true,
|
|
756
|
-
"externalUploadAllowed": false,
|
|
757
|
-
"secretsAllowed": false,
|
|
758
|
-
"humanApprovalRequired": true,
|
|
759
|
-
"allowedData": ["repo-local-files", "sanitized-ci-diagnostics"],
|
|
760
|
-
"forbiddenInputs": ["secrets", "credentials"],
|
|
761
|
-
"approvedDomains": ["github.com"],
|
|
762
|
-
"approvedUploadDomains": [],
|
|
763
|
-
"disallowedCommands": ["gh gist create"]
|
|
764
|
-
}
|
|
765
|
-
}
|
|
766
|
-
}
|
|
767
|
-
}
|
|
768
|
-
```
|
|
769
|
-
|
|
770
|
-
Renma reports deterministic safety findings for agent-facing operational instructions, such as unpinned remote scripts, unsafe privileged commands, predictable temporary paths, and credential-like command arguments.
|
|
771
|
-
|
|
772
|
-
These findings are guardrails for review. They do not replace secret scanning, SAST, dependency scanning, or human security review.
|
|
773
|
-
|
|
774
|
-
Renma summarizes security posture in Readiness and CI reports, and exposes
|
|
775
|
-
Trust Graph evidence for effective policy, security profile resolution,
|
|
776
|
-
approved destinations, forbidden inputs, human approval requirements, and
|
|
777
|
-
high-risk findings.
|
|
778
|
-
|
|
779
|
-
Trust Graph interprets existing catalog, graph, scan, and security evidence as deterministic repository evidence. It is not a runtime system, not enforcement, not context selection or prompt assembly, not telemetry collection, not an LLM call, and not a subjective trust score.
|
|
780
|
-
|
|
781
|
-
Repository Context BOM is a declared repository manifest of assets, hashes, owners, lifecycle states, dependencies, security posture, diagnostics, and readiness evidence. It does not claim what an LLM actually used at runtime. The v1 contract deliberately keeps Git revision identity in the surrounding CI/PR artifact context and keeps any future consumed-context evidence separate from the declared BOM meaning. See the [Repository Context BOM contract](docs/repository-context-bom.md).
|
|
782
|
-
|
|
783
|
-
## Design Notes
|
|
784
|
-
|
|
785
|
-
Renma is part of a broader idea: treating reusable LLM context as software-managed knowledge.
|
|
786
|
-
|
|
787
|
-
- [Beyond Prompt Engineering: Why We Need Context Repositories](https://kazucocoa.blog/2026/06/26/beyond-prompt-engineering-why-we-need-context-repositories/)
|
|
788
|
-
- [Introducing Renma: An Opinionated Context Repository for LLMs](https://kazucocoa.blog/2026/06/29/introducing-renma-an-opinionated-context-repository-for-llms/)
|
|
789
|
-
- [Where Does a Context Repository Fit in the AI Stack?](https://kazucocoa.blog/2026/07/01/where-does-a-context-repository-fit-in-the-ai-stack/)
|
|
790
|
-
- Context Engineering Is Software Engineering (planned)
|
|
791
|
-
|
|
792
|
-
([Context Repository Series](https://kazucocoa.blog/context-repository/))
|
|
793
|
-
|
|
794
|
-
## Development
|
|
795
|
-
|
|
796
|
-
```bash
|
|
797
|
-
npm install
|
|
798
|
-
npm run build
|
|
799
|
-
npm test
|
|
800
|
-
```
|
|
801
|
-
|
|
802
|
-
Run the local CLI after building:
|
|
803
|
-
|
|
804
|
-
```bash
|
|
805
|
-
node dist/index.js scan .
|
|
806
|
-
```
|
|
807
|
-
|
|
808
|
-
## Documentation
|
|
809
|
-
|
|
810
|
-
- [Agent Skills Compatibility and Migration](docs/agent-skills-compatibility.md)
|
|
265
|
+
- [Documentation index](docs/README.md)
|
|
811
266
|
- [User Manual](docs/user-manual.md)
|
|
812
267
|
- [Authoring Guide](docs/authoring-guide.md)
|
|
813
|
-
- [
|
|
268
|
+
- [Agent Skills Compatibility and Migration](docs/agent-skills-compatibility.md)
|
|
814
269
|
- [Diagnostics Reference](docs/diagnostics.md)
|
|
270
|
+
- [Renma Quality Profile](docs/quality-profile.md)
|
|
271
|
+
- [Security Policy Guide](docs/security-policy.md)
|
|
272
|
+
- [Repository Context BOM contract](docs/repository-context-bom.md)
|
|
273
|
+
- [Architecture](architecture.md)
|
|
274
|
+
- [Product Design](design.md)
|
|
275
|
+
- [Current Roadmap](plan.md)
|
|
276
|
+
- [Deferred Skill-to-Skill Discovery Design](plan-discovery.md): unassigned
|
|
277
|
+
exploratory route/index design, separate from implemented repository and
|
|
278
|
+
support-resource discovery.
|
|
279
|
+
- [Interactive Placeholder Example](examples/interactive-placeholder): minimal
|
|
280
|
+
hands-on clarify-before-act Skill interaction with a local tool.
|
|
281
|
+
- [Example Context Repository](examples/context-repo): richer repository-aware
|
|
282
|
+
Skill, Context Lens, and Context Asset governance.
|
|
283
|
+
- [Context Lens Example](examples/context-lens): focused Context Lens governance.
|
|
284
|
+
- [GitHub Actions Example](examples/github-actions/renma-ci-report.yml): CI report
|
|
285
|
+
integration.
|
|
286
|
+
|
|
287
|
+
The governing review loop remains:
|
|
815
288
|
|
|
816
|
-
|
|
817
|
-
|
|
818
|
-
|
|
819
|
-
- [design.md](design.md) for product and rule-design notes
|
|
820
|
-
- [plan.md](plan.md) for current implementation direction
|
|
289
|
+
```text
|
|
290
|
+
LLM proposes. Renma verifies. Human approves.
|
|
291
|
+
```
|