renma 0.16.0 → 0.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (182) hide show
  1. package/CHANGELOG.md +157 -1
  2. package/README.md +219 -748
  3. package/architecture.md +533 -0
  4. package/design.md +469 -0
  5. package/dist/agent-skills.d.ts +1 -1
  6. package/dist/agent-skills.d.ts.map +1 -1
  7. package/dist/agent-skills.js +28 -8
  8. package/dist/agent-skills.js.map +1 -1
  9. package/dist/catalog.d.ts +1 -1
  10. package/dist/catalog.d.ts.map +1 -1
  11. package/dist/catalog.js +120 -12
  12. package/dist/catalog.js.map +1 -1
  13. package/dist/cli-help.d.ts +15 -9
  14. package/dist/cli-help.d.ts.map +1 -1
  15. package/dist/cli-help.js +32 -9
  16. package/dist/cli-help.js.map +1 -1
  17. package/dist/cli.d.ts.map +1 -1
  18. package/dist/cli.js +162 -40
  19. package/dist/cli.js.map +1 -1
  20. package/dist/commands/bom.d.ts +6 -3
  21. package/dist/commands/bom.d.ts.map +1 -1
  22. package/dist/commands/bom.js +27 -7
  23. package/dist/commands/bom.js.map +1 -1
  24. package/dist/commands/catalog.d.ts +1 -1
  25. package/dist/commands/catalog.d.ts.map +1 -1
  26. package/dist/commands/catalog.js +11 -4
  27. package/dist/commands/catalog.js.map +1 -1
  28. package/dist/commands/ci-report.d.ts.map +1 -1
  29. package/dist/commands/ci-report.js +18 -5
  30. package/dist/commands/ci-report.js.map +1 -1
  31. package/dist/commands/diff.js +8 -2
  32. package/dist/commands/diff.js.map +1 -1
  33. package/dist/commands/graph.d.ts +6 -2
  34. package/dist/commands/graph.d.ts.map +1 -1
  35. package/dist/commands/graph.js +30 -14
  36. package/dist/commands/graph.js.map +1 -1
  37. package/dist/commands/inspect.d.ts.map +1 -1
  38. package/dist/commands/inspect.js +2 -0
  39. package/dist/commands/inspect.js.map +1 -1
  40. package/dist/commands/ownership.d.ts +4 -3
  41. package/dist/commands/ownership.d.ts.map +1 -1
  42. package/dist/commands/ownership.js +27 -23
  43. package/dist/commands/ownership.js.map +1 -1
  44. package/dist/commands/readiness.d.ts +2 -1
  45. package/dist/commands/readiness.d.ts.map +1 -1
  46. package/dist/commands/readiness.js +105 -36
  47. package/dist/commands/readiness.js.map +1 -1
  48. package/dist/commands/scaffold.d.ts +3 -0
  49. package/dist/commands/scaffold.d.ts.map +1 -1
  50. package/dist/commands/scaffold.js +28 -2
  51. package/dist/commands/scaffold.js.map +1 -1
  52. package/dist/commands/suggest-metadata.d.ts.map +1 -1
  53. package/dist/commands/suggest-metadata.js +56 -8
  54. package/dist/commands/suggest-metadata.js.map +1 -1
  55. package/dist/commands/suggest-semantic-split.js +3 -3
  56. package/dist/commands/suggest-semantic-split.js.map +1 -1
  57. package/dist/commands/trust-graph.d.ts.map +1 -1
  58. package/dist/commands/trust-graph.js +12 -0
  59. package/dist/commands/trust-graph.js.map +1 -1
  60. package/dist/config.d.ts.map +1 -1
  61. package/dist/config.js +10 -3
  62. package/dist/config.js.map +1 -1
  63. package/dist/dependency-resolution.d.ts +6 -0
  64. package/dist/dependency-resolution.d.ts.map +1 -0
  65. package/dist/dependency-resolution.js +11 -0
  66. package/dist/dependency-resolution.js.map +1 -0
  67. package/dist/diagnostic-ids.d.ts +8 -0
  68. package/dist/diagnostic-ids.d.ts.map +1 -1
  69. package/dist/diagnostic-ids.js +8 -0
  70. package/dist/diagnostic-ids.js.map +1 -1
  71. package/dist/discovery.d.ts +33 -0
  72. package/dist/discovery.d.ts.map +1 -1
  73. package/dist/discovery.js +178 -80
  74. package/dist/discovery.js.map +1 -1
  75. package/dist/markdown.d.ts.map +1 -1
  76. package/dist/markdown.js +15 -0
  77. package/dist/markdown.js.map +1 -1
  78. package/dist/model.d.ts +17 -1
  79. package/dist/model.d.ts.map +1 -1
  80. package/dist/model.js +4 -1
  81. package/dist/model.js.map +1 -1
  82. package/dist/quality-profile.d.ts +91 -0
  83. package/dist/quality-profile.d.ts.map +1 -0
  84. package/dist/quality-profile.js +91 -0
  85. package/dist/quality-profile.js.map +1 -0
  86. package/dist/repeated-context.d.ts.map +1 -1
  87. package/dist/repeated-context.js +38 -83
  88. package/dist/repeated-context.js.map +1 -1
  89. package/dist/repository-boundary.d.ts +30 -0
  90. package/dist/repository-boundary.d.ts.map +1 -0
  91. package/dist/repository-boundary.js +116 -0
  92. package/dist/repository-boundary.js.map +1 -0
  93. package/dist/repository-evidence.d.ts +2 -0
  94. package/dist/repository-evidence.d.ts.map +1 -1
  95. package/dist/repository-evidence.js +6 -4
  96. package/dist/repository-evidence.js.map +1 -1
  97. package/dist/repository-paths.d.ts +19 -2
  98. package/dist/repository-paths.d.ts.map +1 -1
  99. package/dist/repository-paths.js +123 -14
  100. package/dist/repository-paths.js.map +1 -1
  101. package/dist/rules.d.ts +2 -0
  102. package/dist/rules.d.ts.map +1 -1
  103. package/dist/rules.js +322 -256
  104. package/dist/rules.js.map +1 -1
  105. package/dist/scanner.d.ts.map +1 -1
  106. package/dist/scanner.js +5 -1
  107. package/dist/scanner.js.map +1 -1
  108. package/dist/security-diagnostics.d.ts.map +1 -1
  109. package/dist/security-diagnostics.js +95 -30
  110. package/dist/security-diagnostics.js.map +1 -1
  111. package/dist/security-diff.d.ts +5 -2
  112. package/dist/security-diff.d.ts.map +1 -1
  113. package/dist/security-diff.js +20 -4
  114. package/dist/security-diff.js.map +1 -1
  115. package/dist/security-policy-inventory.d.ts +15 -3
  116. package/dist/security-policy-inventory.d.ts.map +1 -1
  117. package/dist/security-policy-inventory.js +123 -26
  118. package/dist/security-policy-inventory.js.map +1 -1
  119. package/dist/security-policy.d.ts +7 -0
  120. package/dist/security-policy.d.ts.map +1 -1
  121. package/dist/security-policy.js +70 -7
  122. package/dist/security-policy.js.map +1 -1
  123. package/dist/security-posture.d.ts.map +1 -1
  124. package/dist/security-posture.js +2 -1
  125. package/dist/security-posture.js.map +1 -1
  126. package/dist/skill-migration.js +2 -0
  127. package/dist/skill-migration.js.map +1 -1
  128. package/dist/static-support.d.ts +13 -0
  129. package/dist/static-support.d.ts.map +1 -0
  130. package/dist/static-support.js +284 -0
  131. package/dist/static-support.js.map +1 -0
  132. package/dist/token-estimator.d.ts +21 -0
  133. package/dist/token-estimator.d.ts.map +1 -0
  134. package/dist/token-estimator.js +84 -0
  135. package/dist/token-estimator.js.map +1 -0
  136. package/dist/trust-graph.d.ts +3 -3
  137. package/dist/trust-graph.d.ts.map +1 -1
  138. package/dist/trust-graph.js +76 -21
  139. package/dist/trust-graph.js.map +1 -1
  140. package/dist/types.d.ts +7 -2
  141. package/dist/types.d.ts.map +1 -1
  142. package/docs/README.md +61 -0
  143. package/docs/advanced-skill-authoring.md +147 -0
  144. package/docs/agent-skills-compatibility.md +508 -0
  145. package/docs/authoring-guide.md +382 -0
  146. package/docs/context-conflict-diagnostics.md +32 -0
  147. package/docs/context-language-diagnostics.md +99 -0
  148. package/docs/context-lens.md +253 -0
  149. package/docs/context-lifecycle-diagnostics.md +55 -0
  150. package/docs/diagnostics.md +406 -0
  151. package/docs/metadata-budget.md +14 -0
  152. package/docs/quality-profile.md +123 -0
  153. package/docs/repository-context-bom.md +172 -0
  154. package/docs/schemas/repository-context-bom-v2.schema.json +648 -0
  155. package/docs/schemas/trust-graph-v2.schema.json +301 -0
  156. package/docs/security-policy.md +354 -0
  157. package/docs/trust-graph.md +47 -0
  158. package/docs/user-manual.md +842 -0
  159. package/examples/context-lens/README.md +101 -0
  160. package/examples/context-lens/contexts/testing/boundary-value-analysis.md +23 -0
  161. package/examples/context-lens/lenses/testing/spec-review-boundary-values.md +29 -0
  162. package/examples/context-lens/lenses/testing/test-design-boundary-values.md +29 -0
  163. package/examples/context-lens/skills/testing/spec-review/SKILL.md +49 -0
  164. package/examples/context-repo/README.md +148 -0
  165. package/examples/context-repo/contexts/domain/payment/idempotency.md +27 -0
  166. package/examples/context-repo/contexts/testing/boundary-value-analysis.md +26 -0
  167. package/examples/context-repo/contexts/testing/negative-testing.md +26 -0
  168. package/examples/context-repo/lenses/testing/spec-review-boundary-values.md +35 -0
  169. package/examples/context-repo/renma.config.json +12 -0
  170. package/examples/context-repo/skills/testing/spec-review/SKILL.md +71 -0
  171. package/examples/context-repo/tools/appium/README.md +14 -0
  172. package/examples/github-actions/renma-ci-report.yml +36 -0
  173. package/examples/interactive-placeholder/README.md +104 -0
  174. package/examples/interactive-placeholder/assets/template.txt +1 -0
  175. package/examples/interactive-placeholder/renma.config.json +6 -0
  176. package/examples/interactive-placeholder/skills/replace-placeholder/SKILL.md +54 -0
  177. package/examples/interactive-placeholder/tools/README.md +48 -0
  178. package/examples/interactive-placeholder/tools/placeholder-demo.mjs +99 -0
  179. package/package.json +10 -1
  180. package/plan-discovery.md +749 -0
  181. package/plan.md +90 -0
  182. package/scripts/verify-package.mjs +104 -0
@@ -0,0 +1,382 @@
1
+ # Renma Authoring Guide
2
+
3
+ This is the canonical guide for authoring and improving Skills and Context
4
+ Assets in a Renma repository.
5
+
6
+ ## Responsibility Boundary
7
+
8
+ Use your platform's standard Skill authoring guidance for general Skill design,
9
+ then use Renma for repository-specific governance and validation.
10
+
11
+ Platform-native authoring guidance owns:
12
+
13
+ - name and trigger description;
14
+ - usage and exclusion boundaries;
15
+ - instructions and workflow;
16
+ - constraints and safety behavior;
17
+ - examples; and
18
+ - completion criteria.
19
+
20
+ Renma complements that guidance with:
21
+
22
+ - canonical metadata and Agent Skills compatibility;
23
+ - dependency and graph validation;
24
+ - ownership and lifecycle governance;
25
+ - security policy validation;
26
+ - workflow clarity diagnostics; and
27
+ - repository-wide scan and readiness evidence.
28
+
29
+ Renma does not replace platform-native authoring guidance, generate domain
30
+ intent, or automatically improve a Skill body. Human judgment remains required
31
+ for semantics, ownership, policy, dependencies, and source-of-truth claims.
32
+
33
+ ## Focused Workflow Model
34
+
35
+ A Skill is a focused workflow entrypoint, not a thin router. `SKILL.md` may own
36
+ positive and negative selection boundaries, required inputs, preflight checks,
37
+ ordered instructions, decisions, short Skill-specific commands, examples,
38
+ edge cases, safety constraints, completion criteria, and verification. Renma
39
+ does not warn merely because a Skill is procedural or includes an executable
40
+ command.
41
+
42
+ Use Agent Skills progressive disclosure deliberately:
43
+
44
+ 1. Metadata: `name` and `description` let a client decide whether to activate
45
+ the Skill.
46
+ 2. Instructions: the activated `SKILL.md` carries the focused workflow and
47
+ explicit read or execution conditions.
48
+ 3. Resources: local files are read or executed only when the workflow calls
49
+ for them.
50
+
51
+ Choose placement by responsibility, not size alone:
52
+
53
+ | Content | Place it in | Ownership test |
54
+ | --- | --- | --- |
55
+ | Selection boundaries, ordered workflow, constraints, completion | `SKILL.md` | Required to perform this focused workflow |
56
+ | Skill-specific detail, variants, edge cases | `references/` | Owned and loaded by one Skill |
57
+ | Deterministic repeatedly executed implementation | `scripts/` | Code is safer and more repeatable than prose |
58
+ | Templates, images, data, output resources | `assets/` | Consumed or copied as material, not instructions |
59
+ | Shared knowledge | `contexts/` | Used by multiple Skills or needs independent ownership, lifecycle, or source-of-truth status |
60
+ | Purpose-specific interpretation of Context | `lenses/` | A static governance view over Context Assets |
61
+ | Provider-specific UI metadata | provider-owned files such as `agents/openai.yaml` | Optional interface metadata, not Renma core schema |
62
+
63
+ The canonical defaults and their Agent Skills/Renma provenance are in the
64
+ [Quality Profile](quality-profile.md).
65
+
66
+ ## New Skill Workflow
67
+
68
+ Use this sequence for a new Skill:
69
+
70
+ ```text
71
+ platform-native Skill authoring guidance
72
+ -> renma scaffold skill
73
+ -> review and complete the generated Skill
74
+ -> renma scan . --fail-on high
75
+ -> fix relevant diagnostics
76
+ -> rerun validation
77
+ -> human review
78
+ ```
79
+
80
+ ### 1. Design the Skill
81
+
82
+ Before generating a file, use the standard guidance for your platform to define:
83
+
84
+ - the recurring task or decision;
85
+ - the trigger and nearby cases that should not use the Skill;
86
+ - required inputs and evidence;
87
+ - the ordered workflow and decision points;
88
+ - safety and repository constraints; and
89
+ - the output and completion criteria.
90
+
91
+ Write concrete positive and near-miss negative trigger examples before
92
+ scaffolding. Define the expected output and completion criteria early. Match
93
+ implementation freedom to fragility: use prose when judgment is central, a
94
+ parameterized script when a stable operation needs flexible inputs, and a fixed
95
+ script when ordering or exact behavior is safety-critical.
96
+
97
+ Do not guess missing owners, policies, dependencies, product behavior, domain
98
+ rules, or source-of-truth documents. Record gaps for a human to resolve.
99
+
100
+ ### 2. Generate one repository-compatible starting point
101
+
102
+ Run the Renma generator once:
103
+
104
+ ```bash
105
+ renma scaffold skill skills/testing/spec-review/SKILL.md \
106
+ --id skill.testing.spec-review \
107
+ --title "Spec Review" \
108
+ --owner qa-platform \
109
+ --tags testing,spec-review \
110
+ --resources references,scripts,assets
111
+ ```
112
+
113
+ The target must be a canonical `SKILL.md` under `skills/**` or
114
+ `.agents/skills/**`. File mode refuses to overwrite an existing file and
115
+ requires an explicit owner. The output is a deterministic starting point, not
116
+ a finished Skill.
117
+
118
+ `--resources` creates only the requested empty directories and no placeholder
119
+ files. In the completed Skill, state when each reference should be read, each
120
+ script should be run, and each asset should be used.
121
+
122
+ Do not run two independent generators against the same target file. Some
123
+ platform-native authoring tools create files themselves, so choose one of these
124
+ safe approaches:
125
+
126
+ 1. Run `renma scaffold skill`, then ask the platform tool to review and refine
127
+ that existing file.
128
+ 2. Ask the platform tool to use `renma scaffold skill` as the starting point
129
+ instead of independently generating the same target.
130
+
131
+ In a Codex workflow, use Renma as the one generator, then ask Codex's
132
+ `skill-creator` to semantically review the existing scaffold. Do not ask both
133
+ generators to independently create the same target.
134
+
135
+ `--format prompt` prints the deterministic scaffold and constraints without
136
+ writing the file. `--format json` prints the existing structured bundle. These
137
+ modes do not reserve or create the target path.
138
+
139
+ ### 3. Review and complete the scaffold
140
+
141
+ Use platform-native guidance to complete:
142
+
143
+ - `description`, including positive and negative trigger boundaries;
144
+ - required inputs and preflight evidence;
145
+ - instructions, decisions, and workflow;
146
+ - constraints and security behavior;
147
+ - completion criteria and validation; and
148
+ - intended Renma metadata and Context relationships.
149
+
150
+ Preserve the repository's intended behavior. Keep reusable domain, testing,
151
+ product, platform, or tool knowledge in independently owned Context Assets when
152
+ it should outlive one Skill.
153
+
154
+ Preserve Agent Skills optional fields, unknown `metadata.renma.*` values, and
155
+ other vendors' string metadata. Provider-specific `agents/openai.yaml` is
156
+ permitted but is not required by Renma core.
157
+
158
+ Execute and test every script. Forward-test complex Skills with raw user
159
+ prompts, outputs, and execution logs in the external runtime that consumes the
160
+ Skill. Do not leak expected answers, diagnoses, or intended fixes to evaluation
161
+ agents. Renma remains deterministic; runtime evaluation stays external.
162
+
163
+ ### 4. Validate, fix, and rerun
164
+
165
+ Start with the release gate:
166
+
167
+ ```bash
168
+ renma scan . --fail-on high
169
+ ```
170
+
171
+ Review every relevant diagnostic, correct the underlying wording, metadata, or
172
+ relationship, and rerun the same scan. Do not weaken security policy or add a
173
+ suppression merely to make validation pass.
174
+
175
+ Use other deterministic views when they answer a specific review question:
176
+
177
+ ```bash
178
+ renma inspect skills/testing/spec-review/SKILL.md
179
+ renma catalog . --format markdown
180
+ renma graph . --focus skill.testing.spec-review --format mermaid
181
+ renma ownership . --format markdown
182
+ renma readiness . --format markdown
183
+ ```
184
+
185
+ The final step is human review of the Skill's intent, workflow, policy,
186
+ relationships, and remaining uncertainty.
187
+
188
+ ## Existing Skill Workflow
189
+
190
+ Use this sequence for an existing Skill:
191
+
192
+ ```text
193
+ review with platform-native Skill authoring guidance
194
+ -> renma scan . --fail-on high
195
+ -> inspect relevant diagnostics and repository evidence
196
+ -> use suggest-metadata only for metadata or migration work
197
+ -> prepare and review intended changes
198
+ -> renma scan . --fail-on high
199
+ -> fix relevant diagnostics
200
+ -> rerun validation
201
+ -> human review
202
+ ```
203
+
204
+ ### 1. Review the whole Skill
205
+
206
+ Use platform-native authoring guidance to review the trigger description,
207
+ instructions, workflow, constraints, examples, and completion criteria. This is
208
+ semantic authoring review; `suggest-metadata` does not perform it.
209
+
210
+ ### 2. Scan and inspect repository evidence
211
+
212
+ ```bash
213
+ renma scan . --fail-on high
214
+ renma inspect skills/testing/spec-review/SKILL.md
215
+ ```
216
+
217
+ `scan` is the general deterministic starting point for an existing Skill. Use
218
+ `inspect`, `catalog`, `graph`, `ownership`, or `readiness` when one of those
219
+ commands answers a specific evidence question. Renma reports structural and
220
+ governance evidence; it does not perform the whole-Skill semantic review.
221
+
222
+ ### 3. Generate a metadata or migration suggestion when needed
223
+
224
+ ```bash
225
+ renma suggest-metadata skills/testing/spec-review/SKILL.md
226
+ ```
227
+
228
+ Optionally provide an owner only when a human has explicitly confirmed it:
229
+
230
+ ```bash
231
+ renma suggest-metadata skills/testing/spec-review/SKILL.md \
232
+ --owner qa-platform \
233
+ --format json
234
+ ```
235
+
236
+ `suggest-metadata` reads one target and prints a deterministic prompt or JSON
237
+ payload to stdout. It does not edit, rename, or move the file. Its supported
238
+ responsibilities are:
239
+
240
+ - compact canonical metadata suggestions;
241
+ - explicit owner retrofit and one-way migration of recognized pre-0.16
242
+ governance and security metadata;
243
+ - pre-0.16 to canonical Agent Skills migration candidates;
244
+ - conflict and unsafe-evidence detection; and
245
+ - validation of the rendered candidate.
246
+
247
+ It does not rewrite the body, infer ownership, choose between conflicting
248
+ semantic values, infer missing security policy, or propose reverse migration
249
+ for a canonical Skill. An owner candidate requires explicit human-provided
250
+ evidence. Security policy remains intentionally authored and deterministically
251
+ validated.
252
+
253
+ Do not route an already canonical Skill through `suggest-metadata` as ceremony.
254
+ Use it only for a metadata retrofit, explicit owner retrofit, recognized
255
+ pre-0.16 one-way migration, or blocked migration review.
256
+
257
+ ### 4. Review before applying
258
+
259
+ Treat the output as a candidate. Compare it with the source and apply only the
260
+ intended metadata, path migration, or migration changes. Preserve the Markdown
261
+ body and unknown vendor metadata unless a separately reviewed semantic change
262
+ requires otherwise.
263
+
264
+ If migration is blocked:
265
+
266
+ 1. Review the reported conflicts or invalid evidence.
267
+ 2. Confirm the Skill's intent using platform-native authoring guidance.
268
+ 3. Do not apply a candidate while Renma cannot generate it safely.
269
+ 4. Correct the source evidence.
270
+ 5. Rerun `renma suggest-metadata <SKILL.md>`.
271
+ 6. After intended corrections, run `renma scan . --fail-on high` and repeat the
272
+ fix-and-rerun loop.
273
+
274
+ Renma never chooses a semantic winner automatically. The detailed one-way
275
+ migration and blocking contract is in
276
+ [Agent Skills Compatibility and Migration](agent-skills-compatibility.md).
277
+
278
+ ## Canonical Skill Metadata
279
+
280
+ Agent Skills owns the standard Skill identity and body. Renma fields are flat,
281
+ string-valued `metadata.renma.*` entries. JSON-array strings encode lists:
282
+
283
+ ```yaml
284
+ ---
285
+ name: spec-review
286
+ description: Review specifications for ambiguity and missing boundaries. Use when requirements need evidence-backed review before implementation.
287
+ metadata:
288
+ renma.id: skill.testing.spec-review
289
+ renma.title: Spec Review
290
+ renma.owner: qa-platform
291
+ renma.status: stable
292
+ renma.tags: '["testing","spec-review"]'
293
+ renma.requires-context: '["context.testing.boundary-value-analysis"]'
294
+ renma.optional-context: '[]'
295
+ ---
296
+ ```
297
+
298
+ Do not use a nested `metadata.renma` mapping, native YAML booleans for canonical
299
+ security fields, or comma-separated canonical lists. See the compatibility and
300
+ security guides for the complete contracts.
301
+
302
+ ## Context Asset And Context Lens Authoring
303
+
304
+ Create a Context Asset when knowledge should be reusable and independently
305
+ owned:
306
+
307
+ ```bash
308
+ renma scaffold context contexts/testing/boundary-value-analysis.md \
309
+ --owner qa-platform
310
+ ```
311
+
312
+ A Context Asset should contain durable, source-backed domain knowledge,
313
+ testing heuristics, tool constraints, platform facts, or reviewed policy. Keep
314
+ task-specific prompt instructions and runtime selection rules out of shared
315
+ Context.
316
+
317
+ Create a Context Lens when one purpose needs a focused interpretation of one or
318
+ more Context Assets:
319
+
320
+ ```bash
321
+ renma scaffold context_lens \
322
+ lenses/testing/spec-review-boundary-values.md \
323
+ --owner qa-platform
324
+ ```
325
+
326
+ The repository can represent both:
327
+
328
+ ```text
329
+ Skill -> Context Lens -> Context Asset
330
+ Skill -> Context Asset
331
+ ```
332
+
333
+ These metadata relationships are static governance evidence. Renma does not
334
+ select, load, or inject Context at runtime.
335
+
336
+ Context and Context Lens scaffolds keep their top-level Renma metadata syntax;
337
+ the Agent Skills `metadata.renma.*` serialization boundary applies to Skills.
338
+
339
+ For current guidance on deriving several focused, bounded workflows from a broad
340
+ existing Skill—including focused `inspect`, graph, Context reuse, and Appium
341
+ examples—see [Advanced Skill Authoring](advanced-skill-authoring.md). That guide
342
+ keeps current focused-workflow authoring separate from deferred Skill-to-Skill
343
+ route and generated-index design. Repository and local support discovery are
344
+ already implemented; `routes_to` and `skill-index` are not.
345
+
346
+ ## Optional Codex Example
347
+
348
+ Codex `skill-creator` is one example of platform-native authoring guidance; it
349
+ is not a Renma dependency and is not named in generic CLI output.
350
+
351
+ After creating the Renma scaffold, a safe request is:
352
+
353
+ ```text
354
+ Use skill-creator to review and refine the existing
355
+ skills/testing/spec-review/SKILL.md scaffold. Preserve its intended Renma
356
+ metadata and repository behavior. Do not independently generate a second target
357
+ file. Do not invent owners, policy, dependencies, domain rules, or
358
+ source-of-truth claims. After the reviewed edits, run
359
+ `renma scan . --fail-on high`, fix relevant diagnostics, and rerun the scan.
360
+ ```
361
+
362
+ Alternatively, ask `skill-creator` to use `renma scaffold skill` as its
363
+ starting point. In both cases, only one generator creates the target file.
364
+
365
+ ## Review Checklist
366
+
367
+ Before human approval, confirm that:
368
+
369
+ - the description says when the Skill should and should not be selected;
370
+ - instructions, constraints, and completion criteria are explicit;
371
+ - owners, policies, dependencies, and domain claims are evidence-backed;
372
+ - reusable knowledge has an appropriate Context boundary;
373
+ - generated or suggested changes were reviewed rather than applied blindly;
374
+ - blocked migration evidence was resolved instead of bypassed;
375
+ - `renma scan . --fail-on high` was rerun after fixes; and
376
+ - no policy weakening or new suppression was used merely to pass validation.
377
+
378
+ The operating principle remains:
379
+
380
+ ```text
381
+ LLM proposes. Renma verifies. Human approves.
382
+ ```
@@ -0,0 +1,32 @@
1
+ # Context Conflict Graph Diagnostics
2
+
3
+ Renma checks declared `conflicts` metadata so incompatible context assets do not become required together without review.
4
+
5
+ These diagnostics are deterministic catalog diagnostics. They do not choose runtime context, infer conflict intent, create scan finding IDs, or rewrite metadata.
6
+
7
+ ## Invalid conflicts metadata
8
+
9
+ Renma warns when an asset's `conflicts` metadata points at itself or points at an asset that does not exist in the catalog.
10
+
11
+ Example messages:
12
+
13
+ ```text
14
+ Asset conflicts metadata references itself: "context.testing.boundary-analysis".
15
+ Asset conflicts target "context.testing.missing" does not match a catalog entry.
16
+ ```
17
+
18
+ Fix self references by removing the conflict entry. Fix missing targets by correcting the asset ID, adding the missing asset, or removing stale metadata.
19
+
20
+ ## Conflicting required context
21
+
22
+ Renma warns when a skill requires two context assets that are declared as conflicting:
23
+
24
+ ```text
25
+ Skill requires conflicting context assets "context.testing.boundary-analysis" and "context.testing.fuzz-testing".
26
+ ```
27
+
28
+ A skill should not require conflicting context assets as always-loaded base knowledge. Split the skill, move one context to `optional_context`, remove stale `conflicts` metadata, or document a safer static relationship.
29
+
30
+ ## Relationship to context lens
31
+
32
+ These checks are useful before adding purpose-oriented lens assets. A lens should not have to compensate for skills that require mutually conflicting base context.
@@ -0,0 +1,99 @@
1
+ # Context Language Diagnostics
2
+
3
+ Renma checks canonical active shared context assets for small English-only wording patterns that can make reusable context harder for humans and agents to apply safely.
4
+
5
+ These diagnostics are deterministic catalog diagnostics. They do not call an LLM, infer a replacement threshold, infer a date or version, create scan finding IDs, or rewrite context content.
6
+
7
+ ## Scope
8
+
9
+ The checks apply only to shared context assets that are active and canonical:
10
+
11
+ - the artifact kind is `context`
12
+ - the asset has an `id` that starts with `context.`
13
+ - the asset has an `owner`
14
+ - the asset status is not `deprecated` or `archived`
15
+
16
+ ## Vague wording
17
+
18
+ Renma warns when a shared context body contains broad English wording such as:
19
+
20
+ - `usually`
21
+ - `often`
22
+ - `quickly`
23
+ - `soon`
24
+ - `as needed`
25
+ - `where appropriate`
26
+ - `major`
27
+
28
+ These terms are not always wrong, but they often require a concrete condition, threshold, required evidence, or uncertainty-handling rule before the context is safe to reuse broadly.
29
+
30
+ Example warning message:
31
+
32
+ ```text
33
+ Shared context asset contains vague wording "often".
34
+ ```
35
+
36
+ Prefer replacing vague wording with concrete boundaries, or keep the uncertainty explicit:
37
+
38
+ ```md
39
+ WDA may be involved only when session startup logs show WDA build, launch, or connection errors.
40
+ ```
41
+
42
+ Do not invent thresholds or domain facts just to satisfy the diagnostic. Ask the context owner when the boundary is unknown.
43
+
44
+ ## Currentness wording
45
+
46
+ Renma warns when a shared context body contains relative English currentness wording without an explicit date or version on the same line, such as:
47
+
48
+ - `recently`
49
+ - `latest`
50
+ - `currently`
51
+ - `as of now`
52
+
53
+ Example warning message:
54
+
55
+ ```text
56
+ Shared context asset contains currentness wording "recently" without an explicit date or version.
57
+ ```
58
+
59
+ Prefer a stable date, version, or review boundary:
60
+
61
+ ```md
62
+ As of 2026-07-01, Appium driver installation guidance uses this path.
63
+ ```
64
+
65
+ Versioned wording is also acceptable when it makes the claim stable:
66
+
67
+ ```md
68
+ The latest Appium 2.8 behavior is covered here.
69
+ ```
70
+
71
+ ## Prompt or runtime-selection wording
72
+
73
+ Renma warns when a shared context body looks like a prompt artifact or runtime context-selection rule instead of reusable base knowledge. Examples include:
74
+
75
+ - role-prompt wording such as `You are an ... assistant`
76
+ - runtime selection wording such as `always load this context`
77
+ - priority wording such as `use this context first`
78
+ - direct runtime wording such as `select this context at runtime`
79
+ - prompt-artifact wording such as `system prompt`
80
+
81
+ Example warning message:
82
+
83
+ ```text
84
+ Shared context asset contains prompt or runtime-selection wording "role prompt".
85
+ ```
86
+
87
+ Prefer keeping the context as reusable knowledge:
88
+
89
+ ```md
90
+ This context describes Appium setup terminology and constraints for maintainers.
91
+ ```
92
+
93
+ Put prompt assembly, runtime context selection, and assistant role instructions outside shared context assets. Renma does not choose runtime context, assemble prompts, inject context into agents, or execute agent workflows.
94
+
95
+ ## Relationship to metadata diagnostics
96
+
97
+ These body-language diagnostics complement usage-boundary metadata diagnostics such as missing `when_to_use`, missing `when_not_to_use`, and placeholder usage-boundary metadata.
98
+
99
+ Keep `when_to_use` and `when_not_to_use` compact. Put detailed explanations, examples, and caveats in the Markdown body or referenced context assets.