renma 0.16.0 → 0.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (182) hide show
  1. package/CHANGELOG.md +157 -1
  2. package/README.md +219 -748
  3. package/architecture.md +533 -0
  4. package/design.md +469 -0
  5. package/dist/agent-skills.d.ts +1 -1
  6. package/dist/agent-skills.d.ts.map +1 -1
  7. package/dist/agent-skills.js +28 -8
  8. package/dist/agent-skills.js.map +1 -1
  9. package/dist/catalog.d.ts +1 -1
  10. package/dist/catalog.d.ts.map +1 -1
  11. package/dist/catalog.js +120 -12
  12. package/dist/catalog.js.map +1 -1
  13. package/dist/cli-help.d.ts +15 -9
  14. package/dist/cli-help.d.ts.map +1 -1
  15. package/dist/cli-help.js +32 -9
  16. package/dist/cli-help.js.map +1 -1
  17. package/dist/cli.d.ts.map +1 -1
  18. package/dist/cli.js +162 -40
  19. package/dist/cli.js.map +1 -1
  20. package/dist/commands/bom.d.ts +6 -3
  21. package/dist/commands/bom.d.ts.map +1 -1
  22. package/dist/commands/bom.js +27 -7
  23. package/dist/commands/bom.js.map +1 -1
  24. package/dist/commands/catalog.d.ts +1 -1
  25. package/dist/commands/catalog.d.ts.map +1 -1
  26. package/dist/commands/catalog.js +11 -4
  27. package/dist/commands/catalog.js.map +1 -1
  28. package/dist/commands/ci-report.d.ts.map +1 -1
  29. package/dist/commands/ci-report.js +18 -5
  30. package/dist/commands/ci-report.js.map +1 -1
  31. package/dist/commands/diff.js +8 -2
  32. package/dist/commands/diff.js.map +1 -1
  33. package/dist/commands/graph.d.ts +6 -2
  34. package/dist/commands/graph.d.ts.map +1 -1
  35. package/dist/commands/graph.js +30 -14
  36. package/dist/commands/graph.js.map +1 -1
  37. package/dist/commands/inspect.d.ts.map +1 -1
  38. package/dist/commands/inspect.js +2 -0
  39. package/dist/commands/inspect.js.map +1 -1
  40. package/dist/commands/ownership.d.ts +4 -3
  41. package/dist/commands/ownership.d.ts.map +1 -1
  42. package/dist/commands/ownership.js +27 -23
  43. package/dist/commands/ownership.js.map +1 -1
  44. package/dist/commands/readiness.d.ts +2 -1
  45. package/dist/commands/readiness.d.ts.map +1 -1
  46. package/dist/commands/readiness.js +105 -36
  47. package/dist/commands/readiness.js.map +1 -1
  48. package/dist/commands/scaffold.d.ts +3 -0
  49. package/dist/commands/scaffold.d.ts.map +1 -1
  50. package/dist/commands/scaffold.js +28 -2
  51. package/dist/commands/scaffold.js.map +1 -1
  52. package/dist/commands/suggest-metadata.d.ts.map +1 -1
  53. package/dist/commands/suggest-metadata.js +56 -8
  54. package/dist/commands/suggest-metadata.js.map +1 -1
  55. package/dist/commands/suggest-semantic-split.js +3 -3
  56. package/dist/commands/suggest-semantic-split.js.map +1 -1
  57. package/dist/commands/trust-graph.d.ts.map +1 -1
  58. package/dist/commands/trust-graph.js +12 -0
  59. package/dist/commands/trust-graph.js.map +1 -1
  60. package/dist/config.d.ts.map +1 -1
  61. package/dist/config.js +10 -3
  62. package/dist/config.js.map +1 -1
  63. package/dist/dependency-resolution.d.ts +6 -0
  64. package/dist/dependency-resolution.d.ts.map +1 -0
  65. package/dist/dependency-resolution.js +11 -0
  66. package/dist/dependency-resolution.js.map +1 -0
  67. package/dist/diagnostic-ids.d.ts +8 -0
  68. package/dist/diagnostic-ids.d.ts.map +1 -1
  69. package/dist/diagnostic-ids.js +8 -0
  70. package/dist/diagnostic-ids.js.map +1 -1
  71. package/dist/discovery.d.ts +33 -0
  72. package/dist/discovery.d.ts.map +1 -1
  73. package/dist/discovery.js +178 -80
  74. package/dist/discovery.js.map +1 -1
  75. package/dist/markdown.d.ts.map +1 -1
  76. package/dist/markdown.js +15 -0
  77. package/dist/markdown.js.map +1 -1
  78. package/dist/model.d.ts +17 -1
  79. package/dist/model.d.ts.map +1 -1
  80. package/dist/model.js +4 -1
  81. package/dist/model.js.map +1 -1
  82. package/dist/quality-profile.d.ts +91 -0
  83. package/dist/quality-profile.d.ts.map +1 -0
  84. package/dist/quality-profile.js +91 -0
  85. package/dist/quality-profile.js.map +1 -0
  86. package/dist/repeated-context.d.ts.map +1 -1
  87. package/dist/repeated-context.js +38 -83
  88. package/dist/repeated-context.js.map +1 -1
  89. package/dist/repository-boundary.d.ts +30 -0
  90. package/dist/repository-boundary.d.ts.map +1 -0
  91. package/dist/repository-boundary.js +116 -0
  92. package/dist/repository-boundary.js.map +1 -0
  93. package/dist/repository-evidence.d.ts +2 -0
  94. package/dist/repository-evidence.d.ts.map +1 -1
  95. package/dist/repository-evidence.js +6 -4
  96. package/dist/repository-evidence.js.map +1 -1
  97. package/dist/repository-paths.d.ts +19 -2
  98. package/dist/repository-paths.d.ts.map +1 -1
  99. package/dist/repository-paths.js +123 -14
  100. package/dist/repository-paths.js.map +1 -1
  101. package/dist/rules.d.ts +2 -0
  102. package/dist/rules.d.ts.map +1 -1
  103. package/dist/rules.js +322 -256
  104. package/dist/rules.js.map +1 -1
  105. package/dist/scanner.d.ts.map +1 -1
  106. package/dist/scanner.js +5 -1
  107. package/dist/scanner.js.map +1 -1
  108. package/dist/security-diagnostics.d.ts.map +1 -1
  109. package/dist/security-diagnostics.js +95 -30
  110. package/dist/security-diagnostics.js.map +1 -1
  111. package/dist/security-diff.d.ts +5 -2
  112. package/dist/security-diff.d.ts.map +1 -1
  113. package/dist/security-diff.js +20 -4
  114. package/dist/security-diff.js.map +1 -1
  115. package/dist/security-policy-inventory.d.ts +15 -3
  116. package/dist/security-policy-inventory.d.ts.map +1 -1
  117. package/dist/security-policy-inventory.js +123 -26
  118. package/dist/security-policy-inventory.js.map +1 -1
  119. package/dist/security-policy.d.ts +7 -0
  120. package/dist/security-policy.d.ts.map +1 -1
  121. package/dist/security-policy.js +70 -7
  122. package/dist/security-policy.js.map +1 -1
  123. package/dist/security-posture.d.ts.map +1 -1
  124. package/dist/security-posture.js +2 -1
  125. package/dist/security-posture.js.map +1 -1
  126. package/dist/skill-migration.js +2 -0
  127. package/dist/skill-migration.js.map +1 -1
  128. package/dist/static-support.d.ts +13 -0
  129. package/dist/static-support.d.ts.map +1 -0
  130. package/dist/static-support.js +284 -0
  131. package/dist/static-support.js.map +1 -0
  132. package/dist/token-estimator.d.ts +21 -0
  133. package/dist/token-estimator.d.ts.map +1 -0
  134. package/dist/token-estimator.js +84 -0
  135. package/dist/token-estimator.js.map +1 -0
  136. package/dist/trust-graph.d.ts +3 -3
  137. package/dist/trust-graph.d.ts.map +1 -1
  138. package/dist/trust-graph.js +76 -21
  139. package/dist/trust-graph.js.map +1 -1
  140. package/dist/types.d.ts +7 -2
  141. package/dist/types.d.ts.map +1 -1
  142. package/docs/README.md +61 -0
  143. package/docs/advanced-skill-authoring.md +147 -0
  144. package/docs/agent-skills-compatibility.md +508 -0
  145. package/docs/authoring-guide.md +382 -0
  146. package/docs/context-conflict-diagnostics.md +32 -0
  147. package/docs/context-language-diagnostics.md +99 -0
  148. package/docs/context-lens.md +253 -0
  149. package/docs/context-lifecycle-diagnostics.md +55 -0
  150. package/docs/diagnostics.md +406 -0
  151. package/docs/metadata-budget.md +14 -0
  152. package/docs/quality-profile.md +123 -0
  153. package/docs/repository-context-bom.md +172 -0
  154. package/docs/schemas/repository-context-bom-v2.schema.json +648 -0
  155. package/docs/schemas/trust-graph-v2.schema.json +301 -0
  156. package/docs/security-policy.md +354 -0
  157. package/docs/trust-graph.md +47 -0
  158. package/docs/user-manual.md +842 -0
  159. package/examples/context-lens/README.md +101 -0
  160. package/examples/context-lens/contexts/testing/boundary-value-analysis.md +23 -0
  161. package/examples/context-lens/lenses/testing/spec-review-boundary-values.md +29 -0
  162. package/examples/context-lens/lenses/testing/test-design-boundary-values.md +29 -0
  163. package/examples/context-lens/skills/testing/spec-review/SKILL.md +49 -0
  164. package/examples/context-repo/README.md +148 -0
  165. package/examples/context-repo/contexts/domain/payment/idempotency.md +27 -0
  166. package/examples/context-repo/contexts/testing/boundary-value-analysis.md +26 -0
  167. package/examples/context-repo/contexts/testing/negative-testing.md +26 -0
  168. package/examples/context-repo/lenses/testing/spec-review-boundary-values.md +35 -0
  169. package/examples/context-repo/renma.config.json +12 -0
  170. package/examples/context-repo/skills/testing/spec-review/SKILL.md +71 -0
  171. package/examples/context-repo/tools/appium/README.md +14 -0
  172. package/examples/github-actions/renma-ci-report.yml +36 -0
  173. package/examples/interactive-placeholder/README.md +104 -0
  174. package/examples/interactive-placeholder/assets/template.txt +1 -0
  175. package/examples/interactive-placeholder/renma.config.json +6 -0
  176. package/examples/interactive-placeholder/skills/replace-placeholder/SKILL.md +54 -0
  177. package/examples/interactive-placeholder/tools/README.md +48 -0
  178. package/examples/interactive-placeholder/tools/placeholder-demo.mjs +99 -0
  179. package/package.json +10 -1
  180. package/plan-discovery.md +749 -0
  181. package/plan.md +90 -0
  182. package/scripts/verify-package.mjs +104 -0
@@ -0,0 +1,172 @@
1
+ # Repository Context BOM
2
+
3
+ `renma bom` emits a declared repository manifest for review and CI consumers. Renma 0.18.0 supports only the v2 BOM and Trust Graph schemas. It does not provide a v1 compatibility mode. V2 is the first supported long-term contract; earlier v1 output was an experimental pre-contract surface removed before broader adoption.
4
+
5
+ The BOM is not a runtime usage report. It does not describe what an LLM actually consumed, assemble prompts, choose task-specific context, inject context into agents, execute agents, call an LLM, import consumed-context evidence, or collect telemetry.
6
+
7
+ ```mermaid
8
+ flowchart TD
9
+ Sources["Repository files and configuration"]
10
+ Snapshot["One collected in-memory repository snapshot"]
11
+ Catalog["Catalog and dependency graph"]
12
+ Diagnostics["Diagnostics and Readiness"]
13
+ Governance["Lifecycle and ownership evidence"]
14
+ Security["Security posture and policy inventory"]
15
+ Bom["Repository Context BOM v2"]
16
+ Json["Authoritative JSON"]
17
+ Markdown["Markdown review projection"]
18
+ Revision["Git, CI, or PR context supplies revision identity"]
19
+ Runtime["Future runtime consumed-context evidence — separate artifact"]
20
+ Sources --> Snapshot
21
+ Snapshot --> Catalog
22
+ Snapshot --> Diagnostics
23
+ Snapshot --> Governance
24
+ Snapshot --> Security
25
+ Catalog --> Bom
26
+ Diagnostics --> Bom
27
+ Governance --> Bom
28
+ Security --> Bom
29
+ Bom --> Json
30
+ Bom --> Markdown
31
+ Revision -.-> Bom
32
+ ```
33
+
34
+ The diagram separates collection from projection: every BOM section is derived
35
+ from one collected snapshot, JSON is authoritative, and Markdown is a review
36
+ view. `--omit-generated-at` removes generation-time noise only. Revision
37
+ identity stays in the surrounding Git, CI, or pull-request context, and any
38
+ runtime consumed-context evidence remains a separate future artifact.
39
+
40
+ ## Snapshot Contract
41
+
42
+ One BOM execution is derived from one in-memory repository snapshot:
43
+
44
+ 1. Resolve configuration once.
45
+ 2. Discover and read repository artifacts once.
46
+ 3. Parse documents once.
47
+ 4. Build the catalog once.
48
+ 5. Derive graph, findings, diagnostics, Context Lens evidence, readiness, security posture, and security policy inventory from that same snapshot.
49
+ 6. Format JSON or Markdown only after the complete report has been built.
50
+
51
+ Renma does not freeze the working tree while another process is modifying it. If files change during collection, the BOM reflects the artifacts Renma read for that execution; after collection, all report sections are derived from the collected snapshot.
52
+
53
+ ## Output Authority
54
+
55
+ JSON is the authoritative BOM output. Markdown is a compact review projection for pull requests and humans; it is not the canonical serialization.
56
+
57
+ Array ordering is deterministic and part of Renma's output contract. Asset `sourcePath` values remain repository-relative. `root` and `configPath` remain absolute paths from the current environment.
58
+
59
+ Assets use `ownership.declaredOwner`, `ownership.effectiveOwner`,
60
+ `ownership.source`, and optional `ownership.inheritedFrom`. Readiness uses the
61
+ effective owner.
62
+
63
+ ## Reproducibility
64
+
65
+ `--omit-generated-at` means only:
66
+
67
+ - omit the run-time `generatedAt` field;
68
+ - remove clock-based differences caused by that field.
69
+
70
+ It does not mean:
71
+
72
+ - ignore `lastReviewedAt`, `reviewCycle`, or `expiresAt`;
73
+ - suppress freshness diagnostics;
74
+ - normalize `root` or `configPath`;
75
+ - make output portable across different checkout directories;
76
+ - hide file moves;
77
+ - guarantee identical output across different evaluation dates;
78
+ - freeze a repository while another process is modifying it.
79
+
80
+ Supported guarantee:
81
+
82
+ > With the same checkout path, config path, repository contents, Renma version, and UTC evaluation date, repeated `--omit-generated-at` runs should produce byte-identical JSON.
83
+
84
+ Freshness evaluation uses the UTC calendar date. Metadata dates remain part of the snapshot and must not be removed as timestamp noise. A real file move is a meaningful BOM change because `sourcePath` is repository evidence. Portable byte-for-byte output across different runners is not a v2 guarantee.
85
+
86
+ ## Schema Evolution
87
+
88
+ `schemaVersion` represents the consumer-facing BOM schema. `generator.version` represents the Renma implementation version and is not the schema version.
89
+
90
+ V2 is the first supported long-term contract for normalized ownership,
91
+ first-class support assets, and static support relationships. Consumers must
92
+ inspect `schemaVersion` independently from `generator.version`. A future
93
+ incompatible contract may intentionally introduce v3.
94
+
95
+ Within a schema, changes should be backward-compatible and additive:
96
+
97
+ - existing fields must not be removed, renamed, or given incompatible types or meanings;
98
+ - new optional fields may be added when a real consumer requires them;
99
+ - enum additions are consumer-visible changes and must be documented;
100
+ - a future breaking contract requires a new schema version rather than silently changing existing semantics.
101
+
102
+ Treat `owns_local_resource`, `statically_references`, `inherits_owner`, and
103
+ `inherits_policy` as static repository evidence, not runtime behavior. Branch
104
+ on `schemaVersion`; `generator.version` is provenance only.
105
+
106
+ The published [BOM v2 JSON Schema](schemas/repository-context-bom-v2.schema.json)
107
+ is the machine-readable contract. `generatedAt` is required when `outputMode`
108
+ is `default` and forbidden when `outputMode` is `omit_generated_at`.
109
+ `configPath` remains optional and is absent when no configuration file was
110
+ loaded. Every other top-level field is required. Optional lifecycle, version,
111
+ status, target-resolution, and inherited-ownership fields appear only when
112
+ their evidence exists. Owner values are explicitly nullable; missing optional
113
+ fields are omitted rather than serialized as `null`.
114
+
115
+ Arrays are deterministically ordered by their identity/path keys, and count
116
+ fields are non-negative integers. Count maps contain every declared enum
117
+ member, including zero counts. Policy source ordering is `local`,
118
+ `security_profile`, `repository_config`, `owning_skill`. Static support
119
+ relationships use `owns_local_resource`, `statically_references`,
120
+ `inherits_owner`, and `inherits_policy`.
121
+
122
+ The Readiness summary is a closed contract for asset, ownership, graph,
123
+ diagnostic, workflow, Context Lens, security posture, and security policy
124
+ inventory evidence. Coverage and readiness percentages are constrained to
125
+ `0..100`. Security posture top-finding entries require an ID, non-negative
126
+ count, and maximum severity. Security policy `assetKinds` is a complete count
127
+ map containing every generated artifact kind, including zero values.
128
+
129
+ Representative top-level JSON (nested objects are shortened for readability;
130
+ the schema defines every nested field):
131
+
132
+ ```json
133
+ {
134
+ "schemaVersion": "renma.repository-context-bom.v2",
135
+ "outputMode": "omit_generated_at",
136
+ "generator": { "name": "renma", "version": "0.18.0" },
137
+ "root": "/checkout/repository",
138
+ "scope": { "type": "declared_repository_manifest", "runtimeUsage": false, "telemetryCollected": false },
139
+ "summary": { "scannedFileCount": 0, "assetCount": 0, "dependencyCount": 0, "resolvedDependencyCount": 0, "unresolvedDependencyCount": 0, "ownedAssetCount": 0, "unownedAssetCount": 0, "readinessScore": 100, "readinessLevel": "ready", "diagnosticCounts": { "error": 0, "warning": 0, "info": 0 } },
140
+ "assets": [],
141
+ "dependencies": [],
142
+ "readiness": { "score": 100, "level": "ready", "checks": [], "summary": {} },
143
+ "securityPosture": { "totalSecurityFindings": 0, "riskClasses": { "violation": 0, "suspicious": 0, "advisory": 0, "unclassified": 0 }, "severities": { "critical": 0, "high": 0, "medium": 0, "low": 0 }, "highOrCritical": 0, "topFindingIds": [] },
144
+ "securityPolicyInventory": {},
145
+ "diagnostics": []
146
+ }
147
+ ```
148
+
149
+ Generated representative reports are validated against the published schema in
150
+ the contract test suite.
151
+
152
+ `--omit-generated-at` does not make the report a generic canonical JSON format or a portable artifact.
153
+
154
+ ## Source Provenance
155
+
156
+ BOM v2 provenance is deliberately repository-local:
157
+
158
+ - repository-relative source paths;
159
+ - per-asset content hashes;
160
+ - generator name and version;
161
+ - current absolute `root` and `configPath` information when available;
162
+ - lifecycle, dependency, diagnostic, readiness, security posture, and security policy inventory evidence.
163
+
164
+ Renma does not automatically invoke Git or add Git commit, branch, tag, or dirty-state fields. Git revision identity is expected to come from the surrounding Git, CI, artifact, or pull-request context. Native Git provenance fields and a BOM digest may be considered later if external artifact storage or cross-run consumers require them.
165
+
166
+ ## Consumed-Context Evidence
167
+
168
+ The BOM v2 schema describes declared repository state. Future consumed-context evidence must not redefine or mutate that meaning.
169
+
170
+ Runtime evidence should be a separate artifact or explicitly separate attachment. A future evidence record should relate back to a BOM using stable values such as a BOM digest or snapshot identity, asset ID, asset content hash, producer identity and version, and observation timestamp.
171
+
172
+ External agents, editor integrations, wrappers, or CI tools may produce those signals. Renma may later validate imported signals against the repository model, but Renma must not become the telemetry collector, runtime wrapper, dashboard, or provider gateway.