renma 0.16.0 → 0.18.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +157 -1
- package/README.md +219 -748
- package/architecture.md +533 -0
- package/design.md +469 -0
- package/dist/agent-skills.d.ts +1 -1
- package/dist/agent-skills.d.ts.map +1 -1
- package/dist/agent-skills.js +28 -8
- package/dist/agent-skills.js.map +1 -1
- package/dist/catalog.d.ts +1 -1
- package/dist/catalog.d.ts.map +1 -1
- package/dist/catalog.js +120 -12
- package/dist/catalog.js.map +1 -1
- package/dist/cli-help.d.ts +15 -9
- package/dist/cli-help.d.ts.map +1 -1
- package/dist/cli-help.js +32 -9
- package/dist/cli-help.js.map +1 -1
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +162 -40
- package/dist/cli.js.map +1 -1
- package/dist/commands/bom.d.ts +6 -3
- package/dist/commands/bom.d.ts.map +1 -1
- package/dist/commands/bom.js +27 -7
- package/dist/commands/bom.js.map +1 -1
- package/dist/commands/catalog.d.ts +1 -1
- package/dist/commands/catalog.d.ts.map +1 -1
- package/dist/commands/catalog.js +11 -4
- package/dist/commands/catalog.js.map +1 -1
- package/dist/commands/ci-report.d.ts.map +1 -1
- package/dist/commands/ci-report.js +18 -5
- package/dist/commands/ci-report.js.map +1 -1
- package/dist/commands/diff.js +8 -2
- package/dist/commands/diff.js.map +1 -1
- package/dist/commands/graph.d.ts +6 -2
- package/dist/commands/graph.d.ts.map +1 -1
- package/dist/commands/graph.js +30 -14
- package/dist/commands/graph.js.map +1 -1
- package/dist/commands/inspect.d.ts.map +1 -1
- package/dist/commands/inspect.js +2 -0
- package/dist/commands/inspect.js.map +1 -1
- package/dist/commands/ownership.d.ts +4 -3
- package/dist/commands/ownership.d.ts.map +1 -1
- package/dist/commands/ownership.js +27 -23
- package/dist/commands/ownership.js.map +1 -1
- package/dist/commands/readiness.d.ts +2 -1
- package/dist/commands/readiness.d.ts.map +1 -1
- package/dist/commands/readiness.js +105 -36
- package/dist/commands/readiness.js.map +1 -1
- package/dist/commands/scaffold.d.ts +3 -0
- package/dist/commands/scaffold.d.ts.map +1 -1
- package/dist/commands/scaffold.js +28 -2
- package/dist/commands/scaffold.js.map +1 -1
- package/dist/commands/suggest-metadata.d.ts.map +1 -1
- package/dist/commands/suggest-metadata.js +56 -8
- package/dist/commands/suggest-metadata.js.map +1 -1
- package/dist/commands/suggest-semantic-split.js +3 -3
- package/dist/commands/suggest-semantic-split.js.map +1 -1
- package/dist/commands/trust-graph.d.ts.map +1 -1
- package/dist/commands/trust-graph.js +12 -0
- package/dist/commands/trust-graph.js.map +1 -1
- package/dist/config.d.ts.map +1 -1
- package/dist/config.js +10 -3
- package/dist/config.js.map +1 -1
- package/dist/dependency-resolution.d.ts +6 -0
- package/dist/dependency-resolution.d.ts.map +1 -0
- package/dist/dependency-resolution.js +11 -0
- package/dist/dependency-resolution.js.map +1 -0
- package/dist/diagnostic-ids.d.ts +8 -0
- package/dist/diagnostic-ids.d.ts.map +1 -1
- package/dist/diagnostic-ids.js +8 -0
- package/dist/diagnostic-ids.js.map +1 -1
- package/dist/discovery.d.ts +33 -0
- package/dist/discovery.d.ts.map +1 -1
- package/dist/discovery.js +178 -80
- package/dist/discovery.js.map +1 -1
- package/dist/markdown.d.ts.map +1 -1
- package/dist/markdown.js +15 -0
- package/dist/markdown.js.map +1 -1
- package/dist/model.d.ts +17 -1
- package/dist/model.d.ts.map +1 -1
- package/dist/model.js +4 -1
- package/dist/model.js.map +1 -1
- package/dist/quality-profile.d.ts +91 -0
- package/dist/quality-profile.d.ts.map +1 -0
- package/dist/quality-profile.js +91 -0
- package/dist/quality-profile.js.map +1 -0
- package/dist/repeated-context.d.ts.map +1 -1
- package/dist/repeated-context.js +38 -83
- package/dist/repeated-context.js.map +1 -1
- package/dist/repository-boundary.d.ts +30 -0
- package/dist/repository-boundary.d.ts.map +1 -0
- package/dist/repository-boundary.js +116 -0
- package/dist/repository-boundary.js.map +1 -0
- package/dist/repository-evidence.d.ts +2 -0
- package/dist/repository-evidence.d.ts.map +1 -1
- package/dist/repository-evidence.js +6 -4
- package/dist/repository-evidence.js.map +1 -1
- package/dist/repository-paths.d.ts +19 -2
- package/dist/repository-paths.d.ts.map +1 -1
- package/dist/repository-paths.js +123 -14
- package/dist/repository-paths.js.map +1 -1
- package/dist/rules.d.ts +2 -0
- package/dist/rules.d.ts.map +1 -1
- package/dist/rules.js +322 -256
- package/dist/rules.js.map +1 -1
- package/dist/scanner.d.ts.map +1 -1
- package/dist/scanner.js +5 -1
- package/dist/scanner.js.map +1 -1
- package/dist/security-diagnostics.d.ts.map +1 -1
- package/dist/security-diagnostics.js +95 -30
- package/dist/security-diagnostics.js.map +1 -1
- package/dist/security-diff.d.ts +5 -2
- package/dist/security-diff.d.ts.map +1 -1
- package/dist/security-diff.js +20 -4
- package/dist/security-diff.js.map +1 -1
- package/dist/security-policy-inventory.d.ts +15 -3
- package/dist/security-policy-inventory.d.ts.map +1 -1
- package/dist/security-policy-inventory.js +123 -26
- package/dist/security-policy-inventory.js.map +1 -1
- package/dist/security-policy.d.ts +7 -0
- package/dist/security-policy.d.ts.map +1 -1
- package/dist/security-policy.js +70 -7
- package/dist/security-policy.js.map +1 -1
- package/dist/security-posture.d.ts.map +1 -1
- package/dist/security-posture.js +2 -1
- package/dist/security-posture.js.map +1 -1
- package/dist/skill-migration.js +2 -0
- package/dist/skill-migration.js.map +1 -1
- package/dist/static-support.d.ts +13 -0
- package/dist/static-support.d.ts.map +1 -0
- package/dist/static-support.js +284 -0
- package/dist/static-support.js.map +1 -0
- package/dist/token-estimator.d.ts +21 -0
- package/dist/token-estimator.d.ts.map +1 -0
- package/dist/token-estimator.js +84 -0
- package/dist/token-estimator.js.map +1 -0
- package/dist/trust-graph.d.ts +3 -3
- package/dist/trust-graph.d.ts.map +1 -1
- package/dist/trust-graph.js +76 -21
- package/dist/trust-graph.js.map +1 -1
- package/dist/types.d.ts +7 -2
- package/dist/types.d.ts.map +1 -1
- package/docs/README.md +61 -0
- package/docs/advanced-skill-authoring.md +147 -0
- package/docs/agent-skills-compatibility.md +508 -0
- package/docs/authoring-guide.md +382 -0
- package/docs/context-conflict-diagnostics.md +32 -0
- package/docs/context-language-diagnostics.md +99 -0
- package/docs/context-lens.md +253 -0
- package/docs/context-lifecycle-diagnostics.md +55 -0
- package/docs/diagnostics.md +406 -0
- package/docs/metadata-budget.md +14 -0
- package/docs/quality-profile.md +123 -0
- package/docs/repository-context-bom.md +172 -0
- package/docs/schemas/repository-context-bom-v2.schema.json +648 -0
- package/docs/schemas/trust-graph-v2.schema.json +301 -0
- package/docs/security-policy.md +354 -0
- package/docs/trust-graph.md +47 -0
- package/docs/user-manual.md +842 -0
- package/examples/context-lens/README.md +101 -0
- package/examples/context-lens/contexts/testing/boundary-value-analysis.md +23 -0
- package/examples/context-lens/lenses/testing/spec-review-boundary-values.md +29 -0
- package/examples/context-lens/lenses/testing/test-design-boundary-values.md +29 -0
- package/examples/context-lens/skills/testing/spec-review/SKILL.md +49 -0
- package/examples/context-repo/README.md +148 -0
- package/examples/context-repo/contexts/domain/payment/idempotency.md +27 -0
- package/examples/context-repo/contexts/testing/boundary-value-analysis.md +26 -0
- package/examples/context-repo/contexts/testing/negative-testing.md +26 -0
- package/examples/context-repo/lenses/testing/spec-review-boundary-values.md +35 -0
- package/examples/context-repo/renma.config.json +12 -0
- package/examples/context-repo/skills/testing/spec-review/SKILL.md +71 -0
- package/examples/context-repo/tools/appium/README.md +14 -0
- package/examples/github-actions/renma-ci-report.yml +36 -0
- package/examples/interactive-placeholder/README.md +104 -0
- package/examples/interactive-placeholder/assets/template.txt +1 -0
- package/examples/interactive-placeholder/renma.config.json +6 -0
- package/examples/interactive-placeholder/skills/replace-placeholder/SKILL.md +54 -0
- package/examples/interactive-placeholder/tools/README.md +48 -0
- package/examples/interactive-placeholder/tools/placeholder-demo.mjs +99 -0
- package/package.json +10 -1
- package/plan-discovery.md +749 -0
- package/plan.md +90 -0
- package/scripts/verify-package.mjs +104 -0
|
@@ -0,0 +1,172 @@
|
|
|
1
|
+
# Repository Context BOM
|
|
2
|
+
|
|
3
|
+
`renma bom` emits a declared repository manifest for review and CI consumers. Renma 0.18.0 supports only the v2 BOM and Trust Graph schemas. It does not provide a v1 compatibility mode. V2 is the first supported long-term contract; earlier v1 output was an experimental pre-contract surface removed before broader adoption.
|
|
4
|
+
|
|
5
|
+
The BOM is not a runtime usage report. It does not describe what an LLM actually consumed, assemble prompts, choose task-specific context, inject context into agents, execute agents, call an LLM, import consumed-context evidence, or collect telemetry.
|
|
6
|
+
|
|
7
|
+
```mermaid
|
|
8
|
+
flowchart TD
|
|
9
|
+
Sources["Repository files and configuration"]
|
|
10
|
+
Snapshot["One collected in-memory repository snapshot"]
|
|
11
|
+
Catalog["Catalog and dependency graph"]
|
|
12
|
+
Diagnostics["Diagnostics and Readiness"]
|
|
13
|
+
Governance["Lifecycle and ownership evidence"]
|
|
14
|
+
Security["Security posture and policy inventory"]
|
|
15
|
+
Bom["Repository Context BOM v2"]
|
|
16
|
+
Json["Authoritative JSON"]
|
|
17
|
+
Markdown["Markdown review projection"]
|
|
18
|
+
Revision["Git, CI, or PR context supplies revision identity"]
|
|
19
|
+
Runtime["Future runtime consumed-context evidence — separate artifact"]
|
|
20
|
+
Sources --> Snapshot
|
|
21
|
+
Snapshot --> Catalog
|
|
22
|
+
Snapshot --> Diagnostics
|
|
23
|
+
Snapshot --> Governance
|
|
24
|
+
Snapshot --> Security
|
|
25
|
+
Catalog --> Bom
|
|
26
|
+
Diagnostics --> Bom
|
|
27
|
+
Governance --> Bom
|
|
28
|
+
Security --> Bom
|
|
29
|
+
Bom --> Json
|
|
30
|
+
Bom --> Markdown
|
|
31
|
+
Revision -.-> Bom
|
|
32
|
+
```
|
|
33
|
+
|
|
34
|
+
The diagram separates collection from projection: every BOM section is derived
|
|
35
|
+
from one collected snapshot, JSON is authoritative, and Markdown is a review
|
|
36
|
+
view. `--omit-generated-at` removes generation-time noise only. Revision
|
|
37
|
+
identity stays in the surrounding Git, CI, or pull-request context, and any
|
|
38
|
+
runtime consumed-context evidence remains a separate future artifact.
|
|
39
|
+
|
|
40
|
+
## Snapshot Contract
|
|
41
|
+
|
|
42
|
+
One BOM execution is derived from one in-memory repository snapshot:
|
|
43
|
+
|
|
44
|
+
1. Resolve configuration once.
|
|
45
|
+
2. Discover and read repository artifacts once.
|
|
46
|
+
3. Parse documents once.
|
|
47
|
+
4. Build the catalog once.
|
|
48
|
+
5. Derive graph, findings, diagnostics, Context Lens evidence, readiness, security posture, and security policy inventory from that same snapshot.
|
|
49
|
+
6. Format JSON or Markdown only after the complete report has been built.
|
|
50
|
+
|
|
51
|
+
Renma does not freeze the working tree while another process is modifying it. If files change during collection, the BOM reflects the artifacts Renma read for that execution; after collection, all report sections are derived from the collected snapshot.
|
|
52
|
+
|
|
53
|
+
## Output Authority
|
|
54
|
+
|
|
55
|
+
JSON is the authoritative BOM output. Markdown is a compact review projection for pull requests and humans; it is not the canonical serialization.
|
|
56
|
+
|
|
57
|
+
Array ordering is deterministic and part of Renma's output contract. Asset `sourcePath` values remain repository-relative. `root` and `configPath` remain absolute paths from the current environment.
|
|
58
|
+
|
|
59
|
+
Assets use `ownership.declaredOwner`, `ownership.effectiveOwner`,
|
|
60
|
+
`ownership.source`, and optional `ownership.inheritedFrom`. Readiness uses the
|
|
61
|
+
effective owner.
|
|
62
|
+
|
|
63
|
+
## Reproducibility
|
|
64
|
+
|
|
65
|
+
`--omit-generated-at` means only:
|
|
66
|
+
|
|
67
|
+
- omit the run-time `generatedAt` field;
|
|
68
|
+
- remove clock-based differences caused by that field.
|
|
69
|
+
|
|
70
|
+
It does not mean:
|
|
71
|
+
|
|
72
|
+
- ignore `lastReviewedAt`, `reviewCycle`, or `expiresAt`;
|
|
73
|
+
- suppress freshness diagnostics;
|
|
74
|
+
- normalize `root` or `configPath`;
|
|
75
|
+
- make output portable across different checkout directories;
|
|
76
|
+
- hide file moves;
|
|
77
|
+
- guarantee identical output across different evaluation dates;
|
|
78
|
+
- freeze a repository while another process is modifying it.
|
|
79
|
+
|
|
80
|
+
Supported guarantee:
|
|
81
|
+
|
|
82
|
+
> With the same checkout path, config path, repository contents, Renma version, and UTC evaluation date, repeated `--omit-generated-at` runs should produce byte-identical JSON.
|
|
83
|
+
|
|
84
|
+
Freshness evaluation uses the UTC calendar date. Metadata dates remain part of the snapshot and must not be removed as timestamp noise. A real file move is a meaningful BOM change because `sourcePath` is repository evidence. Portable byte-for-byte output across different runners is not a v2 guarantee.
|
|
85
|
+
|
|
86
|
+
## Schema Evolution
|
|
87
|
+
|
|
88
|
+
`schemaVersion` represents the consumer-facing BOM schema. `generator.version` represents the Renma implementation version and is not the schema version.
|
|
89
|
+
|
|
90
|
+
V2 is the first supported long-term contract for normalized ownership,
|
|
91
|
+
first-class support assets, and static support relationships. Consumers must
|
|
92
|
+
inspect `schemaVersion` independently from `generator.version`. A future
|
|
93
|
+
incompatible contract may intentionally introduce v3.
|
|
94
|
+
|
|
95
|
+
Within a schema, changes should be backward-compatible and additive:
|
|
96
|
+
|
|
97
|
+
- existing fields must not be removed, renamed, or given incompatible types or meanings;
|
|
98
|
+
- new optional fields may be added when a real consumer requires them;
|
|
99
|
+
- enum additions are consumer-visible changes and must be documented;
|
|
100
|
+
- a future breaking contract requires a new schema version rather than silently changing existing semantics.
|
|
101
|
+
|
|
102
|
+
Treat `owns_local_resource`, `statically_references`, `inherits_owner`, and
|
|
103
|
+
`inherits_policy` as static repository evidence, not runtime behavior. Branch
|
|
104
|
+
on `schemaVersion`; `generator.version` is provenance only.
|
|
105
|
+
|
|
106
|
+
The published [BOM v2 JSON Schema](schemas/repository-context-bom-v2.schema.json)
|
|
107
|
+
is the machine-readable contract. `generatedAt` is required when `outputMode`
|
|
108
|
+
is `default` and forbidden when `outputMode` is `omit_generated_at`.
|
|
109
|
+
`configPath` remains optional and is absent when no configuration file was
|
|
110
|
+
loaded. Every other top-level field is required. Optional lifecycle, version,
|
|
111
|
+
status, target-resolution, and inherited-ownership fields appear only when
|
|
112
|
+
their evidence exists. Owner values are explicitly nullable; missing optional
|
|
113
|
+
fields are omitted rather than serialized as `null`.
|
|
114
|
+
|
|
115
|
+
Arrays are deterministically ordered by their identity/path keys, and count
|
|
116
|
+
fields are non-negative integers. Count maps contain every declared enum
|
|
117
|
+
member, including zero counts. Policy source ordering is `local`,
|
|
118
|
+
`security_profile`, `repository_config`, `owning_skill`. Static support
|
|
119
|
+
relationships use `owns_local_resource`, `statically_references`,
|
|
120
|
+
`inherits_owner`, and `inherits_policy`.
|
|
121
|
+
|
|
122
|
+
The Readiness summary is a closed contract for asset, ownership, graph,
|
|
123
|
+
diagnostic, workflow, Context Lens, security posture, and security policy
|
|
124
|
+
inventory evidence. Coverage and readiness percentages are constrained to
|
|
125
|
+
`0..100`. Security posture top-finding entries require an ID, non-negative
|
|
126
|
+
count, and maximum severity. Security policy `assetKinds` is a complete count
|
|
127
|
+
map containing every generated artifact kind, including zero values.
|
|
128
|
+
|
|
129
|
+
Representative top-level JSON (nested objects are shortened for readability;
|
|
130
|
+
the schema defines every nested field):
|
|
131
|
+
|
|
132
|
+
```json
|
|
133
|
+
{
|
|
134
|
+
"schemaVersion": "renma.repository-context-bom.v2",
|
|
135
|
+
"outputMode": "omit_generated_at",
|
|
136
|
+
"generator": { "name": "renma", "version": "0.18.0" },
|
|
137
|
+
"root": "/checkout/repository",
|
|
138
|
+
"scope": { "type": "declared_repository_manifest", "runtimeUsage": false, "telemetryCollected": false },
|
|
139
|
+
"summary": { "scannedFileCount": 0, "assetCount": 0, "dependencyCount": 0, "resolvedDependencyCount": 0, "unresolvedDependencyCount": 0, "ownedAssetCount": 0, "unownedAssetCount": 0, "readinessScore": 100, "readinessLevel": "ready", "diagnosticCounts": { "error": 0, "warning": 0, "info": 0 } },
|
|
140
|
+
"assets": [],
|
|
141
|
+
"dependencies": [],
|
|
142
|
+
"readiness": { "score": 100, "level": "ready", "checks": [], "summary": {} },
|
|
143
|
+
"securityPosture": { "totalSecurityFindings": 0, "riskClasses": { "violation": 0, "suspicious": 0, "advisory": 0, "unclassified": 0 }, "severities": { "critical": 0, "high": 0, "medium": 0, "low": 0 }, "highOrCritical": 0, "topFindingIds": [] },
|
|
144
|
+
"securityPolicyInventory": {},
|
|
145
|
+
"diagnostics": []
|
|
146
|
+
}
|
|
147
|
+
```
|
|
148
|
+
|
|
149
|
+
Generated representative reports are validated against the published schema in
|
|
150
|
+
the contract test suite.
|
|
151
|
+
|
|
152
|
+
`--omit-generated-at` does not make the report a generic canonical JSON format or a portable artifact.
|
|
153
|
+
|
|
154
|
+
## Source Provenance
|
|
155
|
+
|
|
156
|
+
BOM v2 provenance is deliberately repository-local:
|
|
157
|
+
|
|
158
|
+
- repository-relative source paths;
|
|
159
|
+
- per-asset content hashes;
|
|
160
|
+
- generator name and version;
|
|
161
|
+
- current absolute `root` and `configPath` information when available;
|
|
162
|
+
- lifecycle, dependency, diagnostic, readiness, security posture, and security policy inventory evidence.
|
|
163
|
+
|
|
164
|
+
Renma does not automatically invoke Git or add Git commit, branch, tag, or dirty-state fields. Git revision identity is expected to come from the surrounding Git, CI, artifact, or pull-request context. Native Git provenance fields and a BOM digest may be considered later if external artifact storage or cross-run consumers require them.
|
|
165
|
+
|
|
166
|
+
## Consumed-Context Evidence
|
|
167
|
+
|
|
168
|
+
The BOM v2 schema describes declared repository state. Future consumed-context evidence must not redefine or mutate that meaning.
|
|
169
|
+
|
|
170
|
+
Runtime evidence should be a separate artifact or explicitly separate attachment. A future evidence record should relate back to a BOM using stable values such as a BOM digest or snapshot identity, asset ID, asset content hash, producer identity and version, and observation timestamp.
|
|
171
|
+
|
|
172
|
+
External agents, editor integrations, wrappers, or CI tools may produce those signals. Renma may later validate imported signals against the repository model, but Renma must not become the telemetry collector, runtime wrapper, dashboard, or provider gateway.
|