renma 0.16.0 → 0.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (182) hide show
  1. package/CHANGELOG.md +157 -1
  2. package/README.md +219 -748
  3. package/architecture.md +533 -0
  4. package/design.md +469 -0
  5. package/dist/agent-skills.d.ts +1 -1
  6. package/dist/agent-skills.d.ts.map +1 -1
  7. package/dist/agent-skills.js +28 -8
  8. package/dist/agent-skills.js.map +1 -1
  9. package/dist/catalog.d.ts +1 -1
  10. package/dist/catalog.d.ts.map +1 -1
  11. package/dist/catalog.js +120 -12
  12. package/dist/catalog.js.map +1 -1
  13. package/dist/cli-help.d.ts +15 -9
  14. package/dist/cli-help.d.ts.map +1 -1
  15. package/dist/cli-help.js +32 -9
  16. package/dist/cli-help.js.map +1 -1
  17. package/dist/cli.d.ts.map +1 -1
  18. package/dist/cli.js +162 -40
  19. package/dist/cli.js.map +1 -1
  20. package/dist/commands/bom.d.ts +6 -3
  21. package/dist/commands/bom.d.ts.map +1 -1
  22. package/dist/commands/bom.js +27 -7
  23. package/dist/commands/bom.js.map +1 -1
  24. package/dist/commands/catalog.d.ts +1 -1
  25. package/dist/commands/catalog.d.ts.map +1 -1
  26. package/dist/commands/catalog.js +11 -4
  27. package/dist/commands/catalog.js.map +1 -1
  28. package/dist/commands/ci-report.d.ts.map +1 -1
  29. package/dist/commands/ci-report.js +18 -5
  30. package/dist/commands/ci-report.js.map +1 -1
  31. package/dist/commands/diff.js +8 -2
  32. package/dist/commands/diff.js.map +1 -1
  33. package/dist/commands/graph.d.ts +6 -2
  34. package/dist/commands/graph.d.ts.map +1 -1
  35. package/dist/commands/graph.js +30 -14
  36. package/dist/commands/graph.js.map +1 -1
  37. package/dist/commands/inspect.d.ts.map +1 -1
  38. package/dist/commands/inspect.js +2 -0
  39. package/dist/commands/inspect.js.map +1 -1
  40. package/dist/commands/ownership.d.ts +4 -3
  41. package/dist/commands/ownership.d.ts.map +1 -1
  42. package/dist/commands/ownership.js +27 -23
  43. package/dist/commands/ownership.js.map +1 -1
  44. package/dist/commands/readiness.d.ts +2 -1
  45. package/dist/commands/readiness.d.ts.map +1 -1
  46. package/dist/commands/readiness.js +105 -36
  47. package/dist/commands/readiness.js.map +1 -1
  48. package/dist/commands/scaffold.d.ts +3 -0
  49. package/dist/commands/scaffold.d.ts.map +1 -1
  50. package/dist/commands/scaffold.js +28 -2
  51. package/dist/commands/scaffold.js.map +1 -1
  52. package/dist/commands/suggest-metadata.d.ts.map +1 -1
  53. package/dist/commands/suggest-metadata.js +56 -8
  54. package/dist/commands/suggest-metadata.js.map +1 -1
  55. package/dist/commands/suggest-semantic-split.js +3 -3
  56. package/dist/commands/suggest-semantic-split.js.map +1 -1
  57. package/dist/commands/trust-graph.d.ts.map +1 -1
  58. package/dist/commands/trust-graph.js +12 -0
  59. package/dist/commands/trust-graph.js.map +1 -1
  60. package/dist/config.d.ts.map +1 -1
  61. package/dist/config.js +10 -3
  62. package/dist/config.js.map +1 -1
  63. package/dist/dependency-resolution.d.ts +6 -0
  64. package/dist/dependency-resolution.d.ts.map +1 -0
  65. package/dist/dependency-resolution.js +11 -0
  66. package/dist/dependency-resolution.js.map +1 -0
  67. package/dist/diagnostic-ids.d.ts +8 -0
  68. package/dist/diagnostic-ids.d.ts.map +1 -1
  69. package/dist/diagnostic-ids.js +8 -0
  70. package/dist/diagnostic-ids.js.map +1 -1
  71. package/dist/discovery.d.ts +33 -0
  72. package/dist/discovery.d.ts.map +1 -1
  73. package/dist/discovery.js +178 -80
  74. package/dist/discovery.js.map +1 -1
  75. package/dist/markdown.d.ts.map +1 -1
  76. package/dist/markdown.js +15 -0
  77. package/dist/markdown.js.map +1 -1
  78. package/dist/model.d.ts +17 -1
  79. package/dist/model.d.ts.map +1 -1
  80. package/dist/model.js +4 -1
  81. package/dist/model.js.map +1 -1
  82. package/dist/quality-profile.d.ts +91 -0
  83. package/dist/quality-profile.d.ts.map +1 -0
  84. package/dist/quality-profile.js +91 -0
  85. package/dist/quality-profile.js.map +1 -0
  86. package/dist/repeated-context.d.ts.map +1 -1
  87. package/dist/repeated-context.js +38 -83
  88. package/dist/repeated-context.js.map +1 -1
  89. package/dist/repository-boundary.d.ts +30 -0
  90. package/dist/repository-boundary.d.ts.map +1 -0
  91. package/dist/repository-boundary.js +116 -0
  92. package/dist/repository-boundary.js.map +1 -0
  93. package/dist/repository-evidence.d.ts +2 -0
  94. package/dist/repository-evidence.d.ts.map +1 -1
  95. package/dist/repository-evidence.js +6 -4
  96. package/dist/repository-evidence.js.map +1 -1
  97. package/dist/repository-paths.d.ts +19 -2
  98. package/dist/repository-paths.d.ts.map +1 -1
  99. package/dist/repository-paths.js +123 -14
  100. package/dist/repository-paths.js.map +1 -1
  101. package/dist/rules.d.ts +2 -0
  102. package/dist/rules.d.ts.map +1 -1
  103. package/dist/rules.js +322 -256
  104. package/dist/rules.js.map +1 -1
  105. package/dist/scanner.d.ts.map +1 -1
  106. package/dist/scanner.js +5 -1
  107. package/dist/scanner.js.map +1 -1
  108. package/dist/security-diagnostics.d.ts.map +1 -1
  109. package/dist/security-diagnostics.js +95 -30
  110. package/dist/security-diagnostics.js.map +1 -1
  111. package/dist/security-diff.d.ts +5 -2
  112. package/dist/security-diff.d.ts.map +1 -1
  113. package/dist/security-diff.js +20 -4
  114. package/dist/security-diff.js.map +1 -1
  115. package/dist/security-policy-inventory.d.ts +15 -3
  116. package/dist/security-policy-inventory.d.ts.map +1 -1
  117. package/dist/security-policy-inventory.js +123 -26
  118. package/dist/security-policy-inventory.js.map +1 -1
  119. package/dist/security-policy.d.ts +7 -0
  120. package/dist/security-policy.d.ts.map +1 -1
  121. package/dist/security-policy.js +70 -7
  122. package/dist/security-policy.js.map +1 -1
  123. package/dist/security-posture.d.ts.map +1 -1
  124. package/dist/security-posture.js +2 -1
  125. package/dist/security-posture.js.map +1 -1
  126. package/dist/skill-migration.js +2 -0
  127. package/dist/skill-migration.js.map +1 -1
  128. package/dist/static-support.d.ts +13 -0
  129. package/dist/static-support.d.ts.map +1 -0
  130. package/dist/static-support.js +284 -0
  131. package/dist/static-support.js.map +1 -0
  132. package/dist/token-estimator.d.ts +21 -0
  133. package/dist/token-estimator.d.ts.map +1 -0
  134. package/dist/token-estimator.js +84 -0
  135. package/dist/token-estimator.js.map +1 -0
  136. package/dist/trust-graph.d.ts +3 -3
  137. package/dist/trust-graph.d.ts.map +1 -1
  138. package/dist/trust-graph.js +76 -21
  139. package/dist/trust-graph.js.map +1 -1
  140. package/dist/types.d.ts +7 -2
  141. package/dist/types.d.ts.map +1 -1
  142. package/docs/README.md +61 -0
  143. package/docs/advanced-skill-authoring.md +147 -0
  144. package/docs/agent-skills-compatibility.md +508 -0
  145. package/docs/authoring-guide.md +382 -0
  146. package/docs/context-conflict-diagnostics.md +32 -0
  147. package/docs/context-language-diagnostics.md +99 -0
  148. package/docs/context-lens.md +253 -0
  149. package/docs/context-lifecycle-diagnostics.md +55 -0
  150. package/docs/diagnostics.md +406 -0
  151. package/docs/metadata-budget.md +14 -0
  152. package/docs/quality-profile.md +123 -0
  153. package/docs/repository-context-bom.md +172 -0
  154. package/docs/schemas/repository-context-bom-v2.schema.json +648 -0
  155. package/docs/schemas/trust-graph-v2.schema.json +301 -0
  156. package/docs/security-policy.md +354 -0
  157. package/docs/trust-graph.md +47 -0
  158. package/docs/user-manual.md +842 -0
  159. package/examples/context-lens/README.md +101 -0
  160. package/examples/context-lens/contexts/testing/boundary-value-analysis.md +23 -0
  161. package/examples/context-lens/lenses/testing/spec-review-boundary-values.md +29 -0
  162. package/examples/context-lens/lenses/testing/test-design-boundary-values.md +29 -0
  163. package/examples/context-lens/skills/testing/spec-review/SKILL.md +49 -0
  164. package/examples/context-repo/README.md +148 -0
  165. package/examples/context-repo/contexts/domain/payment/idempotency.md +27 -0
  166. package/examples/context-repo/contexts/testing/boundary-value-analysis.md +26 -0
  167. package/examples/context-repo/contexts/testing/negative-testing.md +26 -0
  168. package/examples/context-repo/lenses/testing/spec-review-boundary-values.md +35 -0
  169. package/examples/context-repo/renma.config.json +12 -0
  170. package/examples/context-repo/skills/testing/spec-review/SKILL.md +71 -0
  171. package/examples/context-repo/tools/appium/README.md +14 -0
  172. package/examples/github-actions/renma-ci-report.yml +36 -0
  173. package/examples/interactive-placeholder/README.md +104 -0
  174. package/examples/interactive-placeholder/assets/template.txt +1 -0
  175. package/examples/interactive-placeholder/renma.config.json +6 -0
  176. package/examples/interactive-placeholder/skills/replace-placeholder/SKILL.md +54 -0
  177. package/examples/interactive-placeholder/tools/README.md +48 -0
  178. package/examples/interactive-placeholder/tools/placeholder-demo.mjs +99 -0
  179. package/package.json +10 -1
  180. package/plan-discovery.md +749 -0
  181. package/plan.md +90 -0
  182. package/scripts/verify-package.mjs +104 -0
@@ -0,0 +1,842 @@
1
+ # renma User Manual
2
+
3
+ renma scans agent-facing repository assets and turns them into deterministic, agent-consumable reports. Use it to keep skills, shared context, prompts, docs, and ownership metadata reviewable in CI instead of relying on an LLM to infer repository intent.
4
+
5
+ ## What Renma Does And Does Not Do
6
+
7
+ Renma is deterministic repository governance for context assets, skills, and agent-facing documentation. It reads local repository files, builds reviewable evidence, and reports what humans or coding agents should inspect.
8
+
9
+ Renma does not call an LLM, choose runtime context, assemble prompts, inject context, execute agents, or collect telemetry.
10
+
11
+ Use your platform's standard Skill authoring guidance for general Skill design,
12
+ then use Renma for repository-specific governance and validation. Platform
13
+ guidance owns the trigger description, instructions, workflow, constraints,
14
+ examples, and completion criteria. Renma owns deterministic repository evidence
15
+ for compatibility, metadata, relationships, ownership, lifecycle, security
16
+ policy, diagnostics, and readiness.
17
+
18
+ ## Install And Build
19
+
20
+ From a checkout:
21
+
22
+ ```bash
23
+ npm install
24
+ npm run build
25
+ ```
26
+
27
+ Run the local CLI from the built entry point:
28
+
29
+ ```bash
30
+ node dist/index.js scan .
31
+ ```
32
+
33
+ When renma is installed as a package, use the `renma` binary:
34
+
35
+ ```bash
36
+ renma scan .
37
+ ```
38
+
39
+ For the breaking 0.16.0 Skill format, scan validation, and one-way migration
40
+ workflow, see [Agent Skills Compatibility and Migration](agent-skills-compatibility.md).
41
+ Agent Skills results appear inside `scan`; there is no separate Skill-validation
42
+ command.
43
+
44
+ Renma 0.16.0 requires specification-valid Agent Skills for operational Skills.
45
+ All Renma Skill governance and security metadata uses flat, string-valued
46
+ `metadata.renma.*` entries. Pre-0.16 top-level Skill metadata is accepted only
47
+ as migration input for `suggest-metadata`; non-Skill metadata behavior is
48
+ unchanged.
49
+
50
+ ## Repository Layout
51
+
52
+ renma is most useful when agent knowledge is stored in predictable places:
53
+
54
+ - `skills/**/SKILL.md` and `.agents/skills/**/SKILL.md` are the canonical Agent
55
+ Skills entrypoints. Renma still discovers historical `skill.md` and
56
+ `*.skill.md` spellings under those roots for migration diagnostics, but those
57
+ spellings are not Agent Skills-compatible.
58
+ - `contexts/**` for shared context assets.
59
+ - configurable prompt or documentation paths for reusable prompts and broader docs.
60
+ - `*.renma.json` for structured metadata assets.
61
+
62
+ Tool helper implementations usually belong under `tools/**`. They can be referenced from skills and commands, but they are not the same thing as user-facing documentation under `docs/**`.
63
+
64
+ Under explicit skill roots, `assets`, `examples`, `profiles`, `references`, and
65
+ `scripts` are reserved for skill-local support directories. These are valid
66
+ support paths:
67
+
68
+ - `skills/demo/assets/template.md`
69
+ - `skills/demo/examples/happy-path.md`
70
+ - `skills/demo/references/spec.md`
71
+ - `skills/demo/scripts/helper.sh`
72
+ - `skills/demo/profiles/local.md`
73
+
74
+ The same reserved names apply under `.agents/skills/**`.
75
+
76
+ These Skill-local support directories are valid. Keep material local when it is
77
+ specific to one Skill. Promote reusable source-of-truth knowledge to an owned
78
+ Context Asset, or a helper shared across workflows to `tools/**`, only when
79
+ repository evidence supports that change; Renma does not move files
80
+ automatically.
81
+
82
+ Skill-local support belongs only to the nearest Skill directory. When a local
83
+ support artifact does not declare an owner, ownership, Readiness, graph, Trust
84
+ Graph, and BOM reporting use the nearest Skill's owner as deterministic
85
+ effective ownership and mark it as inherited. This does not invent ownership
86
+ for shared Context Assets or unrelated repository files.
87
+
88
+ Only files marked Markdown-parser eligible contribute frontmatter metadata,
89
+ headings, links, code fences, and repeated-context evidence. Text scripts and
90
+ data assets remain raw text for dedicated static path or security analysis;
91
+ binary assets remain opaque.
92
+
93
+ Avoid using reserved support directory names as skill names. Paths such as
94
+ `skills/assets/SKILL.md`, `skills/examples/SKILL.md`,
95
+ `skills/references/SKILL.md`, `skills/scripts/SKILL.md`, and
96
+ `skills/profiles/SKILL.md` are not treated as skill entrypoints by default. If
97
+ one of those files is intended to define a Renma skill, rename the directory, for example to
98
+ `skills/example-review/SKILL.md`.
99
+
100
+ Specification-valid Agent Skills declare governance and security values as
101
+ flat string-valued `metadata.renma.*` entries. JSON-array strings represent lists;
102
+ Renma does not treat comma-separated canonical values as lists. These canonical
103
+ values feed the same catalog, ownership, graph, readiness, BOM, Trust Graph,
104
+ lifecycle, and reporting behavior as the pre-0.16 fields they replace.
105
+
106
+ Renma does not fall back to top-level pre-0.16 Skill fields. Invalid, hybrid,
107
+ and pre-0.16 Skills can be scanned and migrated but contribute no operational
108
+ Skill metadata. Contexts, context lenses, profiles, references,
109
+ examples, agents, configuration files, and other non-Skill assets continue to
110
+ use their existing top-level metadata syntax.
111
+
112
+ ## Quick Start
113
+
114
+ For a first pass on an existing repository, run:
115
+
116
+ ```bash
117
+ renma scan .
118
+ renma catalog . --format markdown
119
+ renma graph . --format markdown
120
+ renma readiness . --format markdown
121
+ ```
122
+
123
+ Read these reports together:
124
+
125
+ - `scan` shows concrete problems to fix.
126
+ - `catalog` shows what assets and metadata Renma discovered.
127
+ - `graph` shows how skills and contexts are connected.
128
+ - `readiness` summarizes repository-level health and checks.
129
+
130
+ When creating a Skill, design it with platform-native authoring guidance, run
131
+ `scaffold skill` once, complete the generated file, and validate with
132
+ `renma scan . --fail-on high`. For deeper authoring guidance, see the
133
+ [Authoring Guide](authoring-guide.md). For rule details, see the
134
+ [Diagnostics Reference](diagnostics.md).
135
+
136
+ ## LLM-Assisted Skill Maintenance
137
+
138
+ Renma output can support a human or coding agent, but the authoring and
139
+ governance responsibilities remain separate. Review the Skill with the
140
+ platform's standard authoring guidance, then use Renma as deterministic
141
+ repository evidence. Do not treat a clean scan as permission to invent domain
142
+ knowledge or as proof that the workflow is semantically correct.
143
+
144
+ Recommended loop:
145
+
146
+ 1. Review triggers, instructions, workflow, constraints, and completion criteria
147
+ using platform-native authoring guidance.
148
+ 2. Run `renma --help` and the relevant deterministic inspection commands.
149
+ 3. Review diagnostics and repository evidence.
150
+ 4. Prepare a minimal patch without inventing domain knowledge, ownership,
151
+ references, product rules, or source-of-truth claims.
152
+ 5. Run `renma scan . --fail-on high`, fix relevant diagnostics, and rerun it.
153
+ 6. Summarize changed files, resolved findings, remaining uncertainty, and
154
+ verification commands.
155
+ 7. Require human review before merging meaningful semantic changes.
156
+
157
+ Example instruction for an agent:
158
+
159
+ ```text
160
+ Review the Skill with this platform's standard Skill authoring guidance, then use Renma to inspect its repository governance.
161
+
162
+ Start by running `renma --help` and use command-specific help to choose the appropriate workflow. Make only evidence-backed changes. Do not invent owners, references, product rules, or source-of-truth claims. Preserve existing semantics unless a diagnostic or explicit requirement supports a change. Run `renma scan . --fail-on high` after editing, fix relevant diagnostics, rerun it, and summarize both resolved and remaining findings.
163
+ ```
164
+
165
+ ## User Story: Create A New Skill With Scaffold
166
+
167
+ Use this flow when adding a new agent-facing Skill. Platform-native guidance
168
+ defines the Skill; Renma creates one repository-compatible starting point and
169
+ validates the result.
170
+
171
+ ```mermaid
172
+ flowchart LR
173
+ Design["Platform-native authoring guidance"] --> Scaffold["Run renma scaffold skill once"]
174
+ Scaffold --> Complete["Review and complete the Skill"]
175
+ Complete --> Validate["Run renma scan . --fail-on high"]
176
+ Validate --> Fix["Fix relevant diagnostics and rerun"]
177
+ Fix --> Review["Human review"]
178
+ ```
179
+
180
+ Renma creates and validates repository assets; the consuming agent follows the
181
+ finished Skill later according to its own runtime behavior.
182
+
183
+ 1. Use platform-native authoring guidance to design the Skill's purpose,
184
+ trigger, workflow, constraints, and completion criteria.
185
+
186
+ 2. Run the Renma generator once for the target path.
187
+
188
+ ```bash
189
+ renma scaffold skill skills/testing/spec-review/SKILL.md --owner qa-platform
190
+ ```
191
+
192
+ 3. Open and review the generated Skill.
193
+
194
+ `scaffold` creates a starter file, not a complete production-ready Skill. Use
195
+ platform-native guidance to complete the description, instructions, workflow,
196
+ constraints, completion criteria, and intended metadata.
197
+
198
+ The Skill scaffold writes canonical Agent Skills identity and
199
+ `metadata.renma.*` fields directly. Replace its placeholder prose and fill in
200
+ any required security policy before depending on it. Context and context-lens
201
+ scaffolds keep their existing top-level metadata shape. Preserve intended
202
+ repository behavior and do not invent owners, policies, dependencies, domain
203
+ rules, or source-of-truth claims.
204
+
205
+ Do not run a second independent generator against the same target. If a
206
+ platform-native tool can generate Skills, ask it to refine the existing Renma
207
+ scaffold or to use `renma scaffold skill` as its starting point.
208
+
209
+ 4. Add shared Context Assets when the Skill depends on reusable knowledge.
210
+
211
+ ```bash
212
+ renma scaffold context contexts/testing/boundary-value-analysis.md --owner qa-platform
213
+ ```
214
+
215
+ Reusable domain, testing, product, platform, and tool knowledge should usually live under `contexts/**` instead of being buried inside one skill. A context asset can have its own owner, lifecycle state, review history, tags, and dependencies.
216
+
217
+ 5. Connect the Skill to Context Assets.
218
+
219
+ In a canonical Skill, add `renma.requires-context` or
220
+ `renma.optional-context` under `metadata` as JSON-array strings. These fields
221
+ create static repository graph relationships. They do
222
+ not make Renma choose runtime context for an agent.
223
+
224
+ 6. Run repository validation.
225
+
226
+ ```bash
227
+ renma scan . --fail-on high
228
+ renma catalog . --format markdown
229
+ renma graph . --format markdown
230
+ renma readiness . --format markdown
231
+ ```
232
+
233
+ 7. Fix relevant diagnostics and rerun the scan.
234
+
235
+ Use `scan` for concrete problems, `catalog` for discovered assets and metadata,
236
+ `graph` for Skill-to-Context relationships, and `readiness` for repository-level
237
+ health. Do not weaken security policy or add suppressions merely to pass. After
238
+ fixes, rerun `renma scan . --fail-on high` and complete human review.
239
+
240
+ 8. Optionally generate a BOM for review or CI artifacts.
241
+
242
+ ```bash
243
+ renma bom . --format markdown
244
+ renma bom . --format json
245
+ ```
246
+
247
+ The BOM is a declared repository manifest. It combines catalog, graph, diagnostics, readiness, lifecycle, hash, and security posture evidence. It is not a record of actual LLM runtime usage. See the [Repository Context BOM contract](repository-context-bom.md) for v2 boundaries.
248
+
249
+ ## User Story: Improve Existing Skills With Diagnostics
250
+
251
+ Use this flow when improving an existing Skill. Review the whole Skill with
252
+ platform-native guidance before treating metadata suggestions as complete.
253
+
254
+ ```mermaid
255
+ flowchart TD
256
+ Authoring["Platform-native authoring review"] --> Scan["Run renma scan . --fail-on high"]
257
+ Scan --> Evidence["Inspect relevant diagnostics and repository evidence"]
258
+ Evidence --> NeedMetadata{"Metadata or migration work needed?"}
259
+ NeedMetadata -- Yes --> Suggest["Run renma suggest-metadata and review the candidate"]
260
+ NeedMetadata -- No --> Prepare["Prepare and review intended changes, if any"]
261
+ Suggest --> Prepare
262
+ Prepare --> Validate["Rerun renma scan . --fail-on high"]
263
+ Validate --> Fix["Fix relevant diagnostics and rerun"]
264
+ Fix --> Review["Human review"]
265
+ ```
266
+
267
+ LLM assistance is optional. Renma does not rewrite files or accept a proposed
268
+ change automatically.
269
+
270
+ 1. Review the trigger description, instructions, workflow, constraints, and
271
+ completion criteria using the platform's standard Skill guidance.
272
+
273
+ 2. Run `scan` on the existing repository.
274
+
275
+ ```bash
276
+ renma scan . --fail-on high
277
+ ```
278
+
279
+ `scan` reports concrete findings such as broken references, risky instructions, missing or invalid metadata, unclear workflow structure, and layout issues.
280
+
281
+ 3. Inspect relevant repository evidence. Use only the views that answer the
282
+ current question; they are not mandatory ceremony.
283
+
284
+ Inspect the current asset inventory when needed:
285
+
286
+ ```bash
287
+ renma catalog . --format markdown
288
+ ```
289
+
290
+ `catalog` helps you see existing skills, contexts, references, profiles, examples, IDs, owners, lifecycle states, hashes, tags, and declared dependencies.
291
+
292
+ Check graph relationships when needed:
293
+
294
+ ```bash
295
+ renma graph . --format markdown
296
+ renma graph . --focus skill.testing.spec-review --format markdown
297
+ ```
298
+
299
+ `graph` helps find missing context, broken references, unexpected isolation, and unclear dependencies. Focused graph output keeps one asset and its direct neighborhood so you can inspect one skill or context without reading the whole graph.
300
+
301
+ Check readiness when needed:
302
+
303
+ ```bash
304
+ renma readiness . --format markdown
305
+ ```
306
+
307
+ `readiness` gives a repository-level health score and checks. It is a static repository review signal, not a runtime decision about which context an agent should use.
308
+
309
+ Use `inspect` for one file:
310
+
311
+ ```bash
312
+ renma inspect skills/testing/spec-review/SKILL.md
313
+ renma inspect skills/testing/spec-review/SKILL.md --lines L10-L42
314
+ ```
315
+
316
+ Use this when you want a compact outline or exact line slice before editing a specific asset.
317
+
318
+ 4. Use `suggest-metadata` only when metadata or migration work is needed.
319
+
320
+ ```bash
321
+ renma suggest-metadata skills/testing/spec-review/SKILL.md --owner qa-platform --format prompt
322
+ ```
323
+
324
+ `suggest-metadata` does not rewrite files. It emits a deterministic prompt or
325
+ JSON payload that a human or coding agent can use to prepare a reviewed metadata
326
+ or one-way migration patch while preserving the existing Markdown body. Review
327
+ the candidate and apply only intended changes.
328
+
329
+ For a `SKILL.md` target, the command proposes only the one-way transition from
330
+ pre-0.16 Renma Skill fields to Agent Skills identity plus flat
331
+ `metadata.renma.*` string values. Unsafe or ambiguous input blocks canonical
332
+ frontmatter output. When blocked, review the conflicts or invalid evidence,
333
+ confirm intent using platform-native guidance, do not apply a candidate, correct
334
+ the source evidence, and rerun `suggest-metadata`. See
335
+ [Agent Skills Compatibility and Migration](agent-skills-compatibility.md).
336
+
337
+ An already canonical Skill with no metadata or migration need should not pass
338
+ through `suggest-metadata` merely as ceremony.
339
+
340
+ 5. Use `suggest-semantic-split` when a file has grown too large or mixes multiple purposes.
341
+
342
+ ```bash
343
+ renma suggest-semantic-split docs/large-runbook.md
344
+ ```
345
+
346
+ `suggest-semantic-split` does not rewrite files either. It packages source context and guidance so a human or coding agent can draft a reviewable split.
347
+
348
+ 6. Prepare and review intended changes, then validate, fix relevant
349
+ diagnostics, and rerun.
350
+
351
+ ```bash
352
+ renma scan . --fail-on high
353
+ renma catalog . --format markdown
354
+ renma graph . --format markdown
355
+ renma readiness . --format markdown
356
+ ```
357
+
358
+ The loop ends with human review. A metadata suggestion or clean scan does not
359
+ replace semantic review of the Skill.
360
+
361
+ For a repository-aware specification-review example using a Skill, a Context
362
+ Lens, and direct Context Asset relationships, see
363
+ [`examples/context-repo`](../examples/context-repo). It is statically navigable
364
+ only for a consumer with the repository checkout that follows the Skill and
365
+ Lens relative links; Renma validates the relationships but does not load them.
366
+
367
+ ## Configuration
368
+
369
+ Use `--config <path>` with commands that scan the repository:
370
+
371
+ ```bash
372
+ renma scan . --config renma.config.json
373
+ ```
374
+
375
+ The JSON configuration supports the same names used by the implementation, including:
376
+
377
+ - `globs`: glob patterns to scan.
378
+ - `exclude`: paths or path prefixes to skip.
379
+ - `suppressions`: rule suppressions that remove matching findings from normal reports and failure thresholds.
380
+ - `max_file_size_bytes`: largest file renma will read for content analysis. A
381
+ larger discovered file remains repository existence evidence, so a valid
382
+ reference is not also reported as missing.
383
+ - `max_depth`: maximum discovery depth.
384
+ - `concurrency`: scan concurrency.
385
+ - `fail_on`: scan exit threshold: `low`, `medium`, `high`, or `critical`.
386
+ - `format`: default report format.
387
+ - `layout`: compatibility-only `tool_namespace` and `workflow_aliases` input retained for existing configurations. These fields are validated and normalized but do not currently change findings or force Skill-local support migration.
388
+ - `security`: command, network, upload, and profile policy.
389
+
390
+ CLI flags override config values when both are provided.
391
+
392
+ Within a canonical Skill entrypoint or one of its classified support documents,
393
+ helper commands may use `scripts/helper.mjs` or `./scripts/helper.mjs`; Renma
394
+ resolves these paths against the owning Skill directory. `tools/helper.mjs` and
395
+ `./tools/helper.mjs` resolve from the repository root. Explicit repository-root
396
+ paths such as `skills/testing/demo/scripts/helper.mjs`,
397
+ `.agents/skills/testing/demo/scripts/helper.mjs`, and
398
+ `tools/testing/helper.mjs` remain valid. Renma rejects helper candidates whose
399
+ relative traversal would escape the owning Skill boundary and checks existence
400
+ against the collected repository snapshot. It validates the declared path but
401
+ does not execute the command. Non-Skill documents do not receive an inferred
402
+ Skill-relative base.
403
+
404
+ Static support reachability accepts explicit Skill-relative paths, explicit
405
+ basenames, Markdown link targets, quoted/code-form paths, and one additional
406
+ hop through a directly referenced index/reference. Free-prose matches against
407
+ generic filename stems such as `run`, `check`, or `logo` are not evidence.
408
+ Extensionless executables and quoted or linked asset paths with spaces are
409
+ valid; `..` traversal outside the Skill root remains invalid.
410
+
411
+ Use `exclude` for files Renma should not scan. Use `suppressions` for audited exceptions where Renma should scan the file, detect matching findings internally, then omit those findings from normal reports and failure decisions. A suppression applies only when both `id` and `paths` match. Each suppression includes `id`, `paths`, required `reason`, and optional `expires`; the reason lives in config for auditability.
412
+
413
+ Use a date in `YYYY-MM-DD` for temporary workarounds, or `"never"` when the exception is intentionally permanent. Permanent suppressions should still use narrow path patterns and a clear reason. Suppression path patterns are repository-relative and support exact paths, directory-prefix matches for non-glob patterns, `*` within one path segment, and `**` across directories.
414
+
415
+ If `--config` is not provided, renma looks for repository config files such as `renma.config.json` or `.renma.json` while resolving the scan target.
416
+
417
+ Canonical Agent Skills entrypoints are:
418
+
419
+ - `skills/**/SKILL.md`
420
+ - `.agents/skills/**/SKILL.md`
421
+
422
+ Renma also discovers these historical spellings for migration diagnostics:
423
+
424
+ - `skills/**/skill.md`
425
+ - `skills/**/*.skill.md`
426
+ - `.agents/skills/**/skill.md`
427
+ - `.agents/skills/**/*.skill.md`
428
+
429
+ Other default scan glob families are:
430
+
431
+ - `.agents/**/*.md`
432
+ - `AGENTS.md`
433
+ - `README.md`
434
+ - `context/**/*.md`
435
+ - `contexts/**/*.md`
436
+ - `lenses/**/*.md`
437
+ - `skills/**/profiles/**/*.md`
438
+ - `skills/**/references/**/*.md`
439
+ - `skills/**/examples/**/*.md`
440
+ - `skills/**/scripts/**/*`
441
+ - `skills/**/assets/**/*`
442
+ - `.agents/skills/**/profiles/**/*.md`
443
+ - `.agents/skills/**/references/**/*`
444
+ - `.agents/skills/**/examples/**/*.md`
445
+ - `.agents/skills/**/scripts/**/*`
446
+ - `.agents/skills/**/assets/**/*`
447
+ - `tools/**/*`
448
+
449
+ ## Where To Go Next
450
+
451
+ - New to Renma? Start with [Authoring Guide](authoring-guide.md).
452
+ - Writing security-sensitive skills or context assets? Read [Security Policy Guide](security-policy.md).
453
+ - Fixing scan findings? See [Diagnostics Reference](diagnostics.md).
454
+ - Reviewing thresholds? See [Renma Quality Profile](quality-profile.md).
455
+ - Trying a minimal clarify-before-act Skill interaction? Use
456
+ [`examples/interactive-placeholder`](../examples/interactive-placeholder).
457
+ - Trying richer repository-aware Skill, Context Lens, and Context Asset
458
+ governance? See [`examples/context-repo`](../examples/context-repo).
459
+ - Focusing specifically on Context Lens governance? See
460
+ [`examples/context-lens`](../examples/context-lens).
461
+ - Adding Renma evidence to CI? See the
462
+ [GitHub Actions example](../examples/github-actions/renma-ci-report.yml).
463
+
464
+ ## Commands
465
+
466
+ For a mini-repository with a statically navigable Skill, a Context Lens, shared
467
+ Context Assets, ownership metadata, and graph relationships, see
468
+ [`examples/context-repo`](../examples/context-repo). The consumer must have the
469
+ checkout and follow the Skill and Lens relative links; the fixture is not a
470
+ portable self-contained Agent Skills package.
471
+
472
+ renma commands fall into a few groups:
473
+
474
+ - Inventory and ownership: `catalog` lists discovered assets and references, `ownership` summarizes owned and unowned assets, `graph` shows relationships between catalog nodes, `trust-graph` exposes deterministic trust evidence, and `bom` combines declared repository evidence into a reviewable Repository Context BOM.
475
+ - Local inspection and authoring: `inspect` reads one file as an outline or exact line slice, `scaffold` creates starter assets or authoring prompts, `suggest-metadata` emits safe metadata retrofit guidance for existing assets, and `suggest-semantic-split` packages source context and helper commands so a human or coding agent can draft a split for mixed-purpose Markdown.
476
+ - Review and CI: `scan` emits deterministic findings, `readiness` turns repository state into checks and a score, `diff` compares two refs, and `ci-report` formats the comparison for pull-request review.
477
+
478
+ ## Scan, Catalog, Graph, Trust Graph, Readiness, And BOM
479
+
480
+ These commands are related, but they answer different repository-review questions.
481
+
482
+ | Command | Main question | Best for | Output shape |
483
+ | --- | --- | --- | --- |
484
+ | `scan` | What concrete problems were found? | Fixing diagnostics and CI checks | Finding list |
485
+ | `catalog` | What assets exist? | Reviewing IDs, owners, lifecycle metadata, hashes, tags, and declared dependencies | Asset inventory |
486
+ | `graph` | How are assets connected? | Inspecting dependencies and references | Asset relationship graph |
487
+ | `trust-graph` | What evidence helps reviewers decide whether assets are safe, owned, current, and usable enough? | Tracing owner, lifecycle, policy, dependency, reference, and diagnostic evidence per asset | Evidence graph |
488
+ | `readiness` | Is the repository broadly ready for agent-facing use? | Maintainer summary and CI reporting | Repository-level scorecard |
489
+ | `bom` | What declared repository context manifest should reviewers inspect? | Combining catalog, graph, readiness, diagnostics, lifecycle, hashes, and security posture evidence | Repository Context BOM |
490
+
491
+ `catalog` is about what assets exist. `graph` is about how assets relate. `readiness` is about repository-level health score and checks. `trust-graph` is about traceability of trust-relevant evidence. `bom` is the reviewable declared repository manifest that combines asset inventory, dependencies, hashes, lifecycle, diagnostics, readiness, and security posture evidence.
492
+
493
+ Use `trust-graph` when a reviewer asks: "Why should this asset be considered safe, owned, current, and usable enough for an agent-facing repository?" The command does not decide that an asset is trustworthy. It connects deterministic evidence that humans and downstream tools can review: owner, lifecycle status, dependency and reference relationships, selected security profiles, effective policy fingerprints, and diagnostics.
494
+
495
+ In short:
496
+
497
+ - `scan` lists problems.
498
+ - `catalog` lists what assets exist.
499
+ - `graph` shows structural relationships.
500
+ - `trust-graph` connects trust-relevant evidence.
501
+ - `readiness` summarizes repository health.
502
+ - `bom` combines declared catalog, graph, readiness, diagnostics, lifecycle, hash, and security posture evidence.
503
+
504
+ Examples:
505
+
506
+ ```bash
507
+ renma scan . --format json
508
+ renma catalog . --format json
509
+ renma graph . --format json
510
+ renma trust-graph . --format markdown
511
+ renma trust-graph . --format json
512
+ renma readiness . --format markdown
513
+ renma bom . --format json
514
+ renma bom . --format markdown
515
+ ```
516
+
517
+ ### `scan`
518
+
519
+ Scans a target path and prints findings.
520
+
521
+ ```bash
522
+ renma scan .
523
+ renma scan . --format json
524
+ renma scan . --fail-on high
525
+ ```
526
+
527
+ Use `--fail-on` in CI when findings at or above a severity should fail the job. The JSON output includes findings, evidence, diagnostics, `diagnosticsV2`, `reviewBundles`, `trustGraph`, and summary data that other tools can consume.
528
+
529
+ Output includes scan findings, discovery or catalog diagnostics, the effective exit threshold, and evidence paths or snippets for each finding. `diagnosticsV2` adds typed repair constraints, structured verification steps, and concise LLM hints; `reviewBundles` groups related diagnostics for code review.
530
+
531
+ ### `catalog`
532
+
533
+ Builds a deterministic catalog of discovered assets.
534
+
535
+ ```bash
536
+ renma catalog . --format json
537
+ renma catalog . --format markdown
538
+ ```
539
+
540
+ Use the catalog to review asset IDs, owners, status, dependencies, and metadata-derived references.
541
+
542
+ Output includes catalog assets, dependency edges, owners, lifecycle status, tags, and diagnostics.
543
+
544
+ ### `bom`
545
+
546
+ Prints a declared Repository Context BOM.
547
+
548
+ ```bash
549
+ renma bom .
550
+ renma bom . --format json
551
+ renma bom . --format markdown
552
+ renma bom . --format json --omit-generated-at
553
+ ```
554
+
555
+ Use the BOM when reviewers or CI consumers need one repository evidence manifest that combines existing Renma evidence. Renma 0.18.0 supports only v2, the first supported long-term BOM contract. It does not provide a v1 compatibility mode. V2 includes normalized declared/effective ownership plus static support relationships. See the [Repository Context BOM contract](repository-context-bom.md).
556
+
557
+ The BOM is not a record of actual LLM runtime usage. Renma does not collect telemetry, assemble prompts, choose task-specific context, inject context into agents, import consumed-context evidence, or claim what an LLM actually consumed.
558
+
559
+ JSON is the source of truth for automation. Markdown is a compact pull-request review view.
560
+
561
+ Renma derives each BOM from one in-memory repository snapshot: configuration, discovered artifacts, parsed documents, catalog, graph evidence, diagnostics, readiness, and security summaries all come from the same collected state.
562
+
563
+ By default, `generatedAt` records when the BOM was produced. Add `--omit-generated-at` when CI or review automation needs to avoid clock-based diffs. With the same checkout path, config path, repository contents, Renma version, and UTC evaluation date, repeated `--omit-generated-at` runs should produce byte-identical JSON. The option does not remove metadata freshness dates, suppress freshness diagnostics, normalize absolute `root` or `configPath`, hide file moves, or guarantee portable byte-for-byte output across runners.
564
+
565
+ ### `graph`
566
+
567
+ Prints the relationship graph between assets.
568
+
569
+ ```bash
570
+ renma graph . --view summary
571
+ renma graph . --view workflow --format markdown
572
+ renma graph . --view full --format mermaid
573
+ renma graph . --view layered --format mermaid
574
+ ```
575
+
576
+ Views are:
577
+
578
+ - `summary`: compact graph overview.
579
+ - `workflow`: workflow-oriented relationships.
580
+ - `full`: all known graph edges.
581
+ - `layered`: Mermaid-focused graph grouped by asset kind so skill-to-lens-to-context paths are easier to read. `lens` is accepted as an alias.
582
+
583
+ Layered Mermaid output groups skills, context lenses, contexts, support assets, and unresolved targets into separate subgraphs. JSON and Markdown keep the same node and edge detail while reporting the selected view.
584
+
585
+ #### Focusing The Graph
586
+
587
+ The graph command can be focused on one asset with `--focus <asset-id-or-path>`.
588
+
589
+ Use this when you want to inspect the local neighborhood around one context asset, skill, or other catalog entry instead of reading the entire repository graph. A focused graph is useful for answering questions such as:
590
+
591
+ - What does this asset depend on?
592
+ - What other assets reference this asset?
593
+ - Is this asset connected to the expected parts of the context repository?
594
+ - Is this asset isolated or unexpectedly central?
595
+
596
+ Examples:
597
+
598
+ ```bash
599
+ renma graph . --focus context.testing.boundary-value-analysis
600
+ renma graph . --focus contexts/testing/boundary-value-analysis.md --view full
601
+ ```
602
+
603
+ `--focus` accepts one value. The value must match either a catalog asset ID, a repository-relative source path such as `contexts/testing/boundary-value-analysis.md`, or an absolute source path. It does not match projected `summary` view node IDs such as `contexts/testing/*`.
604
+
605
+ When `--focus` is provided, renma keeps the matched asset, its directly connected incoming and outgoing graph edges, and the assets at the other ends of those edges. In other words, it filters graph contents to the focused asset's one-hop neighborhood; it does not only highlight or rearrange the full graph. If the focus value does not match an asset ID or source path, the command exits with usage code `2` and reports that `graph --focus did not match any asset id or source path`.
606
+
607
+ `--focus` runs before `--view` projection. For example, `--view summary --focus <asset>` first selects the focused neighborhood and then groups that smaller graph into the summary view. There is no separate depth option in the current graph command, and repeated `--focus` flags are not a multi-focus API.
608
+
609
+ Note: this graph `focus` argument is a CLI option. It is not a metadata field on an asset.
610
+
611
+ Output includes graph nodes, relationship edges, unresolved targets, and diagnostics. Mermaid output renders the same graph as a diagram definition.
612
+
613
+ ### `trust-graph`
614
+
615
+ Prints deterministic Trust Graph evidence derived from catalog, graph, scan, and security policy data.
616
+
617
+ ```bash
618
+ renma trust-graph . --format markdown
619
+ renma trust-graph . --format json
620
+ renma scan . --format json
621
+ ```
622
+
623
+ Use this when a reviewer or downstream tool needs one stable evidence layer that links assets to owners, lifecycle status, declared dependencies, selected security profiles, effective policy fingerprints, and diagnostics.
624
+
625
+ Trust Graph is repository evidence. It does not compute a trust score, select or inject runtime context, assemble prompts, call an LLM, collect telemetry, or enforce policy at runtime.
626
+
627
+ Renma 0.18.0 supports only Trust Graph v2, the first supported long-term contract. It includes normalized ownership and static `owns_local_resource`, `statically_references`, `inherits_owner`, and `inherits_policy` evidence. JSON is the source of truth; Markdown is for human review. `scan --format json` includes the same v2 contract under `trustGraph`.
628
+
629
+ Consumers must branch on `schemaVersion`, not on the Renma package version. A future incompatible contract may intentionally introduce v3.
630
+
631
+ Reviewers can use Trust Graph to find assets without owners, find assets without lifecycle status, inspect assets sharing the same effective policy fingerprint, and connect diagnostics back to asset evidence. `trust-graph` exits `0` when the report is generated successfully; use `scan --fail-on` when CI should fail on findings.
632
+
633
+ ### `inspect`
634
+
635
+ Inspects one file as an outline or exact line slice.
636
+
637
+ ```bash
638
+ renma inspect skills/testing/spec-review/SKILL.md
639
+ renma inspect contexts/testing/boundary-value-analysis.md --format json
640
+ renma inspect skills/testing/spec-review/SKILL.md --lines L10-L42
641
+ ```
642
+
643
+ Use this when editing one skill or context file and you want a deterministic outline without reading the whole repository catalog. Without `--lines`, output includes file size, line count, frontmatter range, headings, code fences, links, asset relationships, and a concise Context Lens governance summary when repository context can be inferred. Use `--lines <range>` for an exact source slice; ranges can look like `L10-L42` or `10-42`.
644
+
645
+ ### `readiness`
646
+
647
+ Prints a deterministic readiness report.
648
+
649
+ ```bash
650
+ renma readiness .
651
+ renma readiness . --format markdown
652
+ renma readiness . --format json
653
+ ```
654
+
655
+ Readiness combines catalog diagnostics, Context Lens governance diagnostics, ownership metadata, graph resolution, required and optional context references, asset status, and selected scan findings into an agent-readiness score.
656
+
657
+ Output includes a readiness score and level, workflow checks, Context Lens counts, diagnostics, scan findings that affect readiness, and graph or ownership summary data. JSON output includes `summary.contextLens`; Markdown output includes a `Context Lens` section.
658
+
659
+ Security posture and Context Lens summaries remain static repository evidence in this report. Readiness does not choose runtime context, assemble prompts, inject context, or describe what an LLM actually used.
660
+
661
+ ### `diff`
662
+
663
+ Compares deterministic readiness reports for two git refs.
664
+
665
+ ```bash
666
+ renma diff . --from main --to HEAD
667
+ renma diff . --from main --to HEAD --format markdown
668
+ ```
669
+
670
+ Use this to review what changed between branches or commits. The command builds readiness data for both refs and reports asset, graph, check, and finding deltas.
671
+
672
+ Output includes readiness deltas, changed assets, graph edge changes, check changes, and added or removed findings.
673
+
674
+ ### `ci-report`
675
+
676
+ Formats a diff result for CI or pull-request review.
677
+
678
+ ```bash
679
+ renma ci-report . --from main --to HEAD --format markdown
680
+ renma ci-report . --from main --to HEAD --format json
681
+ ```
682
+
683
+ The report summarizes readiness deltas, graph-resolution changes, added and removed findings, and policy-relevant status. It is CI-oriented: `PASS` and `WARN` exit `0`, `FAIL` exits `1`, and usage, command, or configuration errors exit `2`.
684
+
685
+ Output includes a CI status (`PASS`, `WARN`, or `FAIL`), a summary, readiness changes, graph changes, and review-focused finding changes.
686
+
687
+ Repository Context BOM artifacts describe declared repository state, not prompt assembly, context injection, agent execution, actual LLM runtime usage, or telemetry. Use `renma bom . --format json` when CI needs a machine-readable manifest and `renma bom . --format markdown` for review comments or artifacts. For v2 compatibility and reproducibility details, see the [Repository Context BOM contract](repository-context-bom.md).
688
+
689
+ ### `ownership`
690
+
691
+ Reports asset ownership.
692
+
693
+ ```bash
694
+ renma ownership .
695
+ renma ownership . --include-owned
696
+ renma ownership . --owner qa-platform
697
+ renma ownership . --format json
698
+ ```
699
+
700
+ Use this to find unowned assets, review what each owner is responsible for, and filter the report to assets owned by a specific owner.
701
+
702
+ Output includes total asset count, owned asset count, ownership coverage, owner groups, and assets without declared owner. `--owner <owner>` keeps the repository-level totals for context and adds filtered matched assets for that owner. Filtered JSON reports omit `unownedAssetList` so the repository-level `unownedAssets` count is not confused with owner-filtered asset details. `--include-owned` also includes the backward-compatible flat owned asset list.
703
+
704
+ #### Ownership policy
705
+
706
+ Renma treats `owner` as governance metadata. Declaring an owner is recommended because it makes context assets easier to review, maintain, and share across teams.
707
+
708
+ However, owner metadata is not globally required yet. Assets without an owner are accepted and reported as unowned in the ownership coverage report.
709
+
710
+ Renma does not infer owners automatically. If an asset is unowned, choose an owner through human review or team policy.
711
+
712
+ ### `scaffold`
713
+
714
+ Creates a starter skill or context asset.
715
+
716
+ ```bash
717
+ renma scaffold skill skills/testing/spec-review/SKILL.md --owner qa-platform
718
+ renma scaffold context contexts/testing/boundary-value-analysis.md --owner qa-platform
719
+ renma scaffold context_lens lenses/testing/spec-review-boundary-values.md --owner qa-platform
720
+ renma scaffold skill skills/testing/spec-review/SKILL.md --owner qa-platform --format prompt
721
+ ```
722
+
723
+ `scaffold --format file` writes a starter file, `--format prompt` emits an authoring prompt, and `--format json` emits structured scaffold data. The generated content is intentionally minimal; fill in metadata, dependencies, and verification steps before depending on it in automation.
724
+
725
+ For a Skill, use platform-native authoring guidance before and after scaffolding.
726
+ File mode prints concise Skill-only next steps after the `Created` line. Prompt
727
+ mode includes the same responsibility boundary and validation loop. Context and
728
+ Context Lens output does not receive Skill-specific guidance. JSON retains the
729
+ existing bundle shape.
730
+
731
+ After completing a Skill, run `renma scan . --fail-on high`, fix relevant
732
+ diagnostics, rerun the scan, and complete human review. Do not use a second
733
+ independent generator against the same target file.
734
+
735
+ ### `suggest-metadata`
736
+
737
+ Suggests a safe metadata retrofit workflow for an existing asset.
738
+
739
+ ```bash
740
+ renma scan .
741
+ renma ownership .
742
+ renma suggest-metadata skills/testing/spec-review/SKILL.md --format prompt
743
+ renma suggest-metadata skills/testing/spec-review/SKILL.md --owner qa-platform --format json
744
+ ```
745
+
746
+ Use this after `scan` detects metadata issues or `ownership` shows unowned assets. The command does not rewrite files. It emits a deterministic prompt or JSON payload that a human or coding agent can use to prepare a reviewed patch.
747
+
748
+ For Skill targets, the prompt also makes clear that metadata suggestion is not
749
+ the full authoring process. Review the trigger description, instructions,
750
+ workflow, constraints, and completion criteria with platform-native guidance;
751
+ apply only intended metadata or migration changes; run
752
+ `renma scan . --fail-on high`; fix relevant diagnostics; and rerun the scan.
753
+ Context Asset output does not receive this Skill-specific authoring guidance.
754
+ JSON retains the existing structured suggestion shape.
755
+
756
+ For Skill targets using the pre-0.16 Renma Skill format, the 0.16.0 metadata
757
+ migration path is one-way: recognized governance and security frontmatter
758
+ becomes Agent Skills identity plus `metadata.renma.*`. Separately, `skill.md` and `*.skill.md` targets
759
+ report any required entrypoint rename or move, even when their frontmatter
760
+ already uses Agent Skills fields. For a canonical Agent Skill, `--owner` may
761
+ instead propose an owner metadata retrofit; it never causes reverse migration.
762
+ The normative behavior is documented in
763
+ [Agent Skills Compatibility and Migration](agent-skills-compatibility.md).
764
+
765
+ Pre-0.16 security fields migrate with strict serialization: booleans become the
766
+ exact strings `"true"` or `"false"`, and lists become JSON-array strings of
767
+ strings. Unsafe or ambiguous values block canonical frontmatter generation.
768
+ For an already canonical Skill, `suggest-metadata` proposes neither migration
769
+ nor an unnecessary rewrite unless an explicit supported retrofit is requested.
770
+
771
+ When migration is blocked, do not apply a candidate. Review the conflict or
772
+ invalid evidence, confirm the Skill's intent with platform-native authoring
773
+ guidance, correct the source evidence, rerun `suggest-metadata`, then validate
774
+ intended corrections with `renma scan . --fail-on high`.
775
+
776
+ Owner metadata remains recommended but not required. Without `--owner`, `suggest-metadata` blocks owner as a suggested addition and says not to add one unless the asset already declares an owner or a maintainer provides one. With `--owner <owner>`, the command may include that owner because it was explicitly provided. If an existing asset already declares an owner, `suggest-metadata` preserves it; a different `--owner` value is treated as a human-review ownership change, not an automatic metadata suggestion. Renma does not infer owners from Git history, file paths, prose, or authors.
777
+
778
+ ### `suggest-semantic-split`
779
+
780
+ Suggests a semantic split for large or mixed-purpose assets.
781
+
782
+ ```bash
783
+ renma suggest-semantic-split docs/large-runbook.md
784
+ renma suggest-semantic-split docs/large-runbook.md --format json
785
+ renma suggest-semantic-split docs/large-runbook.md --max-context-bytes 32768
786
+ ```
787
+
788
+ Use this as an editing aid when an asset has grown beyond one clear responsibility.
789
+
790
+ Output is a prompt by default. With `--format json`, output includes source context, sibling-file context, helper commands, and a structured review bundle. The command does not apply a split itself; it gives a human or coding agent enough context to draft a proposal.
791
+
792
+ ## Output Formats
793
+
794
+ Use `--format <format>` to select output and `--json` as a shortcut where the command supports JSON.
795
+
796
+ | Command | Formats |
797
+ | --- | --- |
798
+ | `scan` | `text`, `json` |
799
+ | `bom` | `json`, `markdown` |
800
+ | `catalog` | `json`, `markdown` |
801
+ | `ownership` | `json`, `markdown` |
802
+ | `readiness` | `json`, `markdown` |
803
+ | `diff` | `json`, `markdown` |
804
+ | `ci-report` | `json`, `markdown` |
805
+ | `graph` | `json`, `markdown`, `mermaid` |
806
+ | `trust-graph` | `json`, `markdown` |
807
+ | `inspect` | `text`, `json` |
808
+ | `scaffold` | `file`, `prompt`, `json` |
809
+ | `suggest-metadata` | `prompt`, `json` |
810
+ | `suggest-semantic-split` | `prompt`, `json` |
811
+
812
+ Prefer JSON in automation and markdown for human review in pull requests. Use Mermaid when you want to render a graph diagram.
813
+
814
+ ## CI Workflow
815
+
816
+ A typical CI flow is:
817
+
818
+ 1. Build renma.
819
+ 2. Run `renma scan . --fail-on high`.
820
+ 3. Run `renma readiness . --format json` and store the result as an artifact.
821
+ 4. Compare refs with `renma diff . --from main --to HEAD`.
822
+ 5. Publish `renma ci-report` in the pull-request summary.
823
+
824
+ Example:
825
+
826
+ ```bash
827
+ npm run build
828
+ renma scan . --fail-on high
829
+ renma readiness . --format json > renma-readiness.json
830
+ ```
831
+
832
+ `renma readiness` exits `1` when blocking diagnostics make the repository not ready, including Context Lens governance errors such as duplicate lens IDs, missing required fields, or unresolved `applies_to` targets.
833
+
834
+ ## Interpreting Results
835
+
836
+ renma reports three related but different kinds of output:
837
+
838
+ - Diagnostics: problems reading files, parsing metadata, or resolving catalog data. See [Diagnostics Reference](diagnostics.md).
839
+ - Scan findings: rule results from `scan`, such as layout, security, maintenance, quality, profile, and support issues. Each scan finding has a finding identifier, such as `SEC-LITERAL-SECRET`, that labels the kind of issue independently from the file path, asset ID, or human-readable message.
840
+ - Readiness checks: workflow-level pass, warning, or error states derived from catalog, graph, ownership, and finding data.
841
+
842
+ Treat errors as blockers for deterministic automation. Treat warnings as review items that can become blockers when they affect agent reliability.