renma 0.16.0 → 0.18.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +157 -1
- package/README.md +219 -748
- package/architecture.md +533 -0
- package/design.md +469 -0
- package/dist/agent-skills.d.ts +1 -1
- package/dist/agent-skills.d.ts.map +1 -1
- package/dist/agent-skills.js +28 -8
- package/dist/agent-skills.js.map +1 -1
- package/dist/catalog.d.ts +1 -1
- package/dist/catalog.d.ts.map +1 -1
- package/dist/catalog.js +120 -12
- package/dist/catalog.js.map +1 -1
- package/dist/cli-help.d.ts +15 -9
- package/dist/cli-help.d.ts.map +1 -1
- package/dist/cli-help.js +32 -9
- package/dist/cli-help.js.map +1 -1
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +162 -40
- package/dist/cli.js.map +1 -1
- package/dist/commands/bom.d.ts +6 -3
- package/dist/commands/bom.d.ts.map +1 -1
- package/dist/commands/bom.js +27 -7
- package/dist/commands/bom.js.map +1 -1
- package/dist/commands/catalog.d.ts +1 -1
- package/dist/commands/catalog.d.ts.map +1 -1
- package/dist/commands/catalog.js +11 -4
- package/dist/commands/catalog.js.map +1 -1
- package/dist/commands/ci-report.d.ts.map +1 -1
- package/dist/commands/ci-report.js +18 -5
- package/dist/commands/ci-report.js.map +1 -1
- package/dist/commands/diff.js +8 -2
- package/dist/commands/diff.js.map +1 -1
- package/dist/commands/graph.d.ts +6 -2
- package/dist/commands/graph.d.ts.map +1 -1
- package/dist/commands/graph.js +30 -14
- package/dist/commands/graph.js.map +1 -1
- package/dist/commands/inspect.d.ts.map +1 -1
- package/dist/commands/inspect.js +2 -0
- package/dist/commands/inspect.js.map +1 -1
- package/dist/commands/ownership.d.ts +4 -3
- package/dist/commands/ownership.d.ts.map +1 -1
- package/dist/commands/ownership.js +27 -23
- package/dist/commands/ownership.js.map +1 -1
- package/dist/commands/readiness.d.ts +2 -1
- package/dist/commands/readiness.d.ts.map +1 -1
- package/dist/commands/readiness.js +105 -36
- package/dist/commands/readiness.js.map +1 -1
- package/dist/commands/scaffold.d.ts +3 -0
- package/dist/commands/scaffold.d.ts.map +1 -1
- package/dist/commands/scaffold.js +28 -2
- package/dist/commands/scaffold.js.map +1 -1
- package/dist/commands/suggest-metadata.d.ts.map +1 -1
- package/dist/commands/suggest-metadata.js +56 -8
- package/dist/commands/suggest-metadata.js.map +1 -1
- package/dist/commands/suggest-semantic-split.js +3 -3
- package/dist/commands/suggest-semantic-split.js.map +1 -1
- package/dist/commands/trust-graph.d.ts.map +1 -1
- package/dist/commands/trust-graph.js +12 -0
- package/dist/commands/trust-graph.js.map +1 -1
- package/dist/config.d.ts.map +1 -1
- package/dist/config.js +10 -3
- package/dist/config.js.map +1 -1
- package/dist/dependency-resolution.d.ts +6 -0
- package/dist/dependency-resolution.d.ts.map +1 -0
- package/dist/dependency-resolution.js +11 -0
- package/dist/dependency-resolution.js.map +1 -0
- package/dist/diagnostic-ids.d.ts +8 -0
- package/dist/diagnostic-ids.d.ts.map +1 -1
- package/dist/diagnostic-ids.js +8 -0
- package/dist/diagnostic-ids.js.map +1 -1
- package/dist/discovery.d.ts +33 -0
- package/dist/discovery.d.ts.map +1 -1
- package/dist/discovery.js +178 -80
- package/dist/discovery.js.map +1 -1
- package/dist/markdown.d.ts.map +1 -1
- package/dist/markdown.js +15 -0
- package/dist/markdown.js.map +1 -1
- package/dist/model.d.ts +17 -1
- package/dist/model.d.ts.map +1 -1
- package/dist/model.js +4 -1
- package/dist/model.js.map +1 -1
- package/dist/quality-profile.d.ts +91 -0
- package/dist/quality-profile.d.ts.map +1 -0
- package/dist/quality-profile.js +91 -0
- package/dist/quality-profile.js.map +1 -0
- package/dist/repeated-context.d.ts.map +1 -1
- package/dist/repeated-context.js +38 -83
- package/dist/repeated-context.js.map +1 -1
- package/dist/repository-boundary.d.ts +30 -0
- package/dist/repository-boundary.d.ts.map +1 -0
- package/dist/repository-boundary.js +116 -0
- package/dist/repository-boundary.js.map +1 -0
- package/dist/repository-evidence.d.ts +2 -0
- package/dist/repository-evidence.d.ts.map +1 -1
- package/dist/repository-evidence.js +6 -4
- package/dist/repository-evidence.js.map +1 -1
- package/dist/repository-paths.d.ts +19 -2
- package/dist/repository-paths.d.ts.map +1 -1
- package/dist/repository-paths.js +123 -14
- package/dist/repository-paths.js.map +1 -1
- package/dist/rules.d.ts +2 -0
- package/dist/rules.d.ts.map +1 -1
- package/dist/rules.js +322 -256
- package/dist/rules.js.map +1 -1
- package/dist/scanner.d.ts.map +1 -1
- package/dist/scanner.js +5 -1
- package/dist/scanner.js.map +1 -1
- package/dist/security-diagnostics.d.ts.map +1 -1
- package/dist/security-diagnostics.js +95 -30
- package/dist/security-diagnostics.js.map +1 -1
- package/dist/security-diff.d.ts +5 -2
- package/dist/security-diff.d.ts.map +1 -1
- package/dist/security-diff.js +20 -4
- package/dist/security-diff.js.map +1 -1
- package/dist/security-policy-inventory.d.ts +15 -3
- package/dist/security-policy-inventory.d.ts.map +1 -1
- package/dist/security-policy-inventory.js +123 -26
- package/dist/security-policy-inventory.js.map +1 -1
- package/dist/security-policy.d.ts +7 -0
- package/dist/security-policy.d.ts.map +1 -1
- package/dist/security-policy.js +70 -7
- package/dist/security-policy.js.map +1 -1
- package/dist/security-posture.d.ts.map +1 -1
- package/dist/security-posture.js +2 -1
- package/dist/security-posture.js.map +1 -1
- package/dist/skill-migration.js +2 -0
- package/dist/skill-migration.js.map +1 -1
- package/dist/static-support.d.ts +13 -0
- package/dist/static-support.d.ts.map +1 -0
- package/dist/static-support.js +284 -0
- package/dist/static-support.js.map +1 -0
- package/dist/token-estimator.d.ts +21 -0
- package/dist/token-estimator.d.ts.map +1 -0
- package/dist/token-estimator.js +84 -0
- package/dist/token-estimator.js.map +1 -0
- package/dist/trust-graph.d.ts +3 -3
- package/dist/trust-graph.d.ts.map +1 -1
- package/dist/trust-graph.js +76 -21
- package/dist/trust-graph.js.map +1 -1
- package/dist/types.d.ts +7 -2
- package/dist/types.d.ts.map +1 -1
- package/docs/README.md +61 -0
- package/docs/advanced-skill-authoring.md +147 -0
- package/docs/agent-skills-compatibility.md +508 -0
- package/docs/authoring-guide.md +382 -0
- package/docs/context-conflict-diagnostics.md +32 -0
- package/docs/context-language-diagnostics.md +99 -0
- package/docs/context-lens.md +253 -0
- package/docs/context-lifecycle-diagnostics.md +55 -0
- package/docs/diagnostics.md +406 -0
- package/docs/metadata-budget.md +14 -0
- package/docs/quality-profile.md +123 -0
- package/docs/repository-context-bom.md +172 -0
- package/docs/schemas/repository-context-bom-v2.schema.json +648 -0
- package/docs/schemas/trust-graph-v2.schema.json +301 -0
- package/docs/security-policy.md +354 -0
- package/docs/trust-graph.md +47 -0
- package/docs/user-manual.md +842 -0
- package/examples/context-lens/README.md +101 -0
- package/examples/context-lens/contexts/testing/boundary-value-analysis.md +23 -0
- package/examples/context-lens/lenses/testing/spec-review-boundary-values.md +29 -0
- package/examples/context-lens/lenses/testing/test-design-boundary-values.md +29 -0
- package/examples/context-lens/skills/testing/spec-review/SKILL.md +49 -0
- package/examples/context-repo/README.md +148 -0
- package/examples/context-repo/contexts/domain/payment/idempotency.md +27 -0
- package/examples/context-repo/contexts/testing/boundary-value-analysis.md +26 -0
- package/examples/context-repo/contexts/testing/negative-testing.md +26 -0
- package/examples/context-repo/lenses/testing/spec-review-boundary-values.md +35 -0
- package/examples/context-repo/renma.config.json +12 -0
- package/examples/context-repo/skills/testing/spec-review/SKILL.md +71 -0
- package/examples/context-repo/tools/appium/README.md +14 -0
- package/examples/github-actions/renma-ci-report.yml +36 -0
- package/examples/interactive-placeholder/README.md +104 -0
- package/examples/interactive-placeholder/assets/template.txt +1 -0
- package/examples/interactive-placeholder/renma.config.json +6 -0
- package/examples/interactive-placeholder/skills/replace-placeholder/SKILL.md +54 -0
- package/examples/interactive-placeholder/tools/README.md +48 -0
- package/examples/interactive-placeholder/tools/placeholder-demo.mjs +99 -0
- package/package.json +10 -1
- package/plan-discovery.md +749 -0
- package/plan.md +90 -0
- package/scripts/verify-package.mjs +104 -0
|
@@ -0,0 +1,842 @@
|
|
|
1
|
+
# renma User Manual
|
|
2
|
+
|
|
3
|
+
renma scans agent-facing repository assets and turns them into deterministic, agent-consumable reports. Use it to keep skills, shared context, prompts, docs, and ownership metadata reviewable in CI instead of relying on an LLM to infer repository intent.
|
|
4
|
+
|
|
5
|
+
## What Renma Does And Does Not Do
|
|
6
|
+
|
|
7
|
+
Renma is deterministic repository governance for context assets, skills, and agent-facing documentation. It reads local repository files, builds reviewable evidence, and reports what humans or coding agents should inspect.
|
|
8
|
+
|
|
9
|
+
Renma does not call an LLM, choose runtime context, assemble prompts, inject context, execute agents, or collect telemetry.
|
|
10
|
+
|
|
11
|
+
Use your platform's standard Skill authoring guidance for general Skill design,
|
|
12
|
+
then use Renma for repository-specific governance and validation. Platform
|
|
13
|
+
guidance owns the trigger description, instructions, workflow, constraints,
|
|
14
|
+
examples, and completion criteria. Renma owns deterministic repository evidence
|
|
15
|
+
for compatibility, metadata, relationships, ownership, lifecycle, security
|
|
16
|
+
policy, diagnostics, and readiness.
|
|
17
|
+
|
|
18
|
+
## Install And Build
|
|
19
|
+
|
|
20
|
+
From a checkout:
|
|
21
|
+
|
|
22
|
+
```bash
|
|
23
|
+
npm install
|
|
24
|
+
npm run build
|
|
25
|
+
```
|
|
26
|
+
|
|
27
|
+
Run the local CLI from the built entry point:
|
|
28
|
+
|
|
29
|
+
```bash
|
|
30
|
+
node dist/index.js scan .
|
|
31
|
+
```
|
|
32
|
+
|
|
33
|
+
When renma is installed as a package, use the `renma` binary:
|
|
34
|
+
|
|
35
|
+
```bash
|
|
36
|
+
renma scan .
|
|
37
|
+
```
|
|
38
|
+
|
|
39
|
+
For the breaking 0.16.0 Skill format, scan validation, and one-way migration
|
|
40
|
+
workflow, see [Agent Skills Compatibility and Migration](agent-skills-compatibility.md).
|
|
41
|
+
Agent Skills results appear inside `scan`; there is no separate Skill-validation
|
|
42
|
+
command.
|
|
43
|
+
|
|
44
|
+
Renma 0.16.0 requires specification-valid Agent Skills for operational Skills.
|
|
45
|
+
All Renma Skill governance and security metadata uses flat, string-valued
|
|
46
|
+
`metadata.renma.*` entries. Pre-0.16 top-level Skill metadata is accepted only
|
|
47
|
+
as migration input for `suggest-metadata`; non-Skill metadata behavior is
|
|
48
|
+
unchanged.
|
|
49
|
+
|
|
50
|
+
## Repository Layout
|
|
51
|
+
|
|
52
|
+
renma is most useful when agent knowledge is stored in predictable places:
|
|
53
|
+
|
|
54
|
+
- `skills/**/SKILL.md` and `.agents/skills/**/SKILL.md` are the canonical Agent
|
|
55
|
+
Skills entrypoints. Renma still discovers historical `skill.md` and
|
|
56
|
+
`*.skill.md` spellings under those roots for migration diagnostics, but those
|
|
57
|
+
spellings are not Agent Skills-compatible.
|
|
58
|
+
- `contexts/**` for shared context assets.
|
|
59
|
+
- configurable prompt or documentation paths for reusable prompts and broader docs.
|
|
60
|
+
- `*.renma.json` for structured metadata assets.
|
|
61
|
+
|
|
62
|
+
Tool helper implementations usually belong under `tools/**`. They can be referenced from skills and commands, but they are not the same thing as user-facing documentation under `docs/**`.
|
|
63
|
+
|
|
64
|
+
Under explicit skill roots, `assets`, `examples`, `profiles`, `references`, and
|
|
65
|
+
`scripts` are reserved for skill-local support directories. These are valid
|
|
66
|
+
support paths:
|
|
67
|
+
|
|
68
|
+
- `skills/demo/assets/template.md`
|
|
69
|
+
- `skills/demo/examples/happy-path.md`
|
|
70
|
+
- `skills/demo/references/spec.md`
|
|
71
|
+
- `skills/demo/scripts/helper.sh`
|
|
72
|
+
- `skills/demo/profiles/local.md`
|
|
73
|
+
|
|
74
|
+
The same reserved names apply under `.agents/skills/**`.
|
|
75
|
+
|
|
76
|
+
These Skill-local support directories are valid. Keep material local when it is
|
|
77
|
+
specific to one Skill. Promote reusable source-of-truth knowledge to an owned
|
|
78
|
+
Context Asset, or a helper shared across workflows to `tools/**`, only when
|
|
79
|
+
repository evidence supports that change; Renma does not move files
|
|
80
|
+
automatically.
|
|
81
|
+
|
|
82
|
+
Skill-local support belongs only to the nearest Skill directory. When a local
|
|
83
|
+
support artifact does not declare an owner, ownership, Readiness, graph, Trust
|
|
84
|
+
Graph, and BOM reporting use the nearest Skill's owner as deterministic
|
|
85
|
+
effective ownership and mark it as inherited. This does not invent ownership
|
|
86
|
+
for shared Context Assets or unrelated repository files.
|
|
87
|
+
|
|
88
|
+
Only files marked Markdown-parser eligible contribute frontmatter metadata,
|
|
89
|
+
headings, links, code fences, and repeated-context evidence. Text scripts and
|
|
90
|
+
data assets remain raw text for dedicated static path or security analysis;
|
|
91
|
+
binary assets remain opaque.
|
|
92
|
+
|
|
93
|
+
Avoid using reserved support directory names as skill names. Paths such as
|
|
94
|
+
`skills/assets/SKILL.md`, `skills/examples/SKILL.md`,
|
|
95
|
+
`skills/references/SKILL.md`, `skills/scripts/SKILL.md`, and
|
|
96
|
+
`skills/profiles/SKILL.md` are not treated as skill entrypoints by default. If
|
|
97
|
+
one of those files is intended to define a Renma skill, rename the directory, for example to
|
|
98
|
+
`skills/example-review/SKILL.md`.
|
|
99
|
+
|
|
100
|
+
Specification-valid Agent Skills declare governance and security values as
|
|
101
|
+
flat string-valued `metadata.renma.*` entries. JSON-array strings represent lists;
|
|
102
|
+
Renma does not treat comma-separated canonical values as lists. These canonical
|
|
103
|
+
values feed the same catalog, ownership, graph, readiness, BOM, Trust Graph,
|
|
104
|
+
lifecycle, and reporting behavior as the pre-0.16 fields they replace.
|
|
105
|
+
|
|
106
|
+
Renma does not fall back to top-level pre-0.16 Skill fields. Invalid, hybrid,
|
|
107
|
+
and pre-0.16 Skills can be scanned and migrated but contribute no operational
|
|
108
|
+
Skill metadata. Contexts, context lenses, profiles, references,
|
|
109
|
+
examples, agents, configuration files, and other non-Skill assets continue to
|
|
110
|
+
use their existing top-level metadata syntax.
|
|
111
|
+
|
|
112
|
+
## Quick Start
|
|
113
|
+
|
|
114
|
+
For a first pass on an existing repository, run:
|
|
115
|
+
|
|
116
|
+
```bash
|
|
117
|
+
renma scan .
|
|
118
|
+
renma catalog . --format markdown
|
|
119
|
+
renma graph . --format markdown
|
|
120
|
+
renma readiness . --format markdown
|
|
121
|
+
```
|
|
122
|
+
|
|
123
|
+
Read these reports together:
|
|
124
|
+
|
|
125
|
+
- `scan` shows concrete problems to fix.
|
|
126
|
+
- `catalog` shows what assets and metadata Renma discovered.
|
|
127
|
+
- `graph` shows how skills and contexts are connected.
|
|
128
|
+
- `readiness` summarizes repository-level health and checks.
|
|
129
|
+
|
|
130
|
+
When creating a Skill, design it with platform-native authoring guidance, run
|
|
131
|
+
`scaffold skill` once, complete the generated file, and validate with
|
|
132
|
+
`renma scan . --fail-on high`. For deeper authoring guidance, see the
|
|
133
|
+
[Authoring Guide](authoring-guide.md). For rule details, see the
|
|
134
|
+
[Diagnostics Reference](diagnostics.md).
|
|
135
|
+
|
|
136
|
+
## LLM-Assisted Skill Maintenance
|
|
137
|
+
|
|
138
|
+
Renma output can support a human or coding agent, but the authoring and
|
|
139
|
+
governance responsibilities remain separate. Review the Skill with the
|
|
140
|
+
platform's standard authoring guidance, then use Renma as deterministic
|
|
141
|
+
repository evidence. Do not treat a clean scan as permission to invent domain
|
|
142
|
+
knowledge or as proof that the workflow is semantically correct.
|
|
143
|
+
|
|
144
|
+
Recommended loop:
|
|
145
|
+
|
|
146
|
+
1. Review triggers, instructions, workflow, constraints, and completion criteria
|
|
147
|
+
using platform-native authoring guidance.
|
|
148
|
+
2. Run `renma --help` and the relevant deterministic inspection commands.
|
|
149
|
+
3. Review diagnostics and repository evidence.
|
|
150
|
+
4. Prepare a minimal patch without inventing domain knowledge, ownership,
|
|
151
|
+
references, product rules, or source-of-truth claims.
|
|
152
|
+
5. Run `renma scan . --fail-on high`, fix relevant diagnostics, and rerun it.
|
|
153
|
+
6. Summarize changed files, resolved findings, remaining uncertainty, and
|
|
154
|
+
verification commands.
|
|
155
|
+
7. Require human review before merging meaningful semantic changes.
|
|
156
|
+
|
|
157
|
+
Example instruction for an agent:
|
|
158
|
+
|
|
159
|
+
```text
|
|
160
|
+
Review the Skill with this platform's standard Skill authoring guidance, then use Renma to inspect its repository governance.
|
|
161
|
+
|
|
162
|
+
Start by running `renma --help` and use command-specific help to choose the appropriate workflow. Make only evidence-backed changes. Do not invent owners, references, product rules, or source-of-truth claims. Preserve existing semantics unless a diagnostic or explicit requirement supports a change. Run `renma scan . --fail-on high` after editing, fix relevant diagnostics, rerun it, and summarize both resolved and remaining findings.
|
|
163
|
+
```
|
|
164
|
+
|
|
165
|
+
## User Story: Create A New Skill With Scaffold
|
|
166
|
+
|
|
167
|
+
Use this flow when adding a new agent-facing Skill. Platform-native guidance
|
|
168
|
+
defines the Skill; Renma creates one repository-compatible starting point and
|
|
169
|
+
validates the result.
|
|
170
|
+
|
|
171
|
+
```mermaid
|
|
172
|
+
flowchart LR
|
|
173
|
+
Design["Platform-native authoring guidance"] --> Scaffold["Run renma scaffold skill once"]
|
|
174
|
+
Scaffold --> Complete["Review and complete the Skill"]
|
|
175
|
+
Complete --> Validate["Run renma scan . --fail-on high"]
|
|
176
|
+
Validate --> Fix["Fix relevant diagnostics and rerun"]
|
|
177
|
+
Fix --> Review["Human review"]
|
|
178
|
+
```
|
|
179
|
+
|
|
180
|
+
Renma creates and validates repository assets; the consuming agent follows the
|
|
181
|
+
finished Skill later according to its own runtime behavior.
|
|
182
|
+
|
|
183
|
+
1. Use platform-native authoring guidance to design the Skill's purpose,
|
|
184
|
+
trigger, workflow, constraints, and completion criteria.
|
|
185
|
+
|
|
186
|
+
2. Run the Renma generator once for the target path.
|
|
187
|
+
|
|
188
|
+
```bash
|
|
189
|
+
renma scaffold skill skills/testing/spec-review/SKILL.md --owner qa-platform
|
|
190
|
+
```
|
|
191
|
+
|
|
192
|
+
3. Open and review the generated Skill.
|
|
193
|
+
|
|
194
|
+
`scaffold` creates a starter file, not a complete production-ready Skill. Use
|
|
195
|
+
platform-native guidance to complete the description, instructions, workflow,
|
|
196
|
+
constraints, completion criteria, and intended metadata.
|
|
197
|
+
|
|
198
|
+
The Skill scaffold writes canonical Agent Skills identity and
|
|
199
|
+
`metadata.renma.*` fields directly. Replace its placeholder prose and fill in
|
|
200
|
+
any required security policy before depending on it. Context and context-lens
|
|
201
|
+
scaffolds keep their existing top-level metadata shape. Preserve intended
|
|
202
|
+
repository behavior and do not invent owners, policies, dependencies, domain
|
|
203
|
+
rules, or source-of-truth claims.
|
|
204
|
+
|
|
205
|
+
Do not run a second independent generator against the same target. If a
|
|
206
|
+
platform-native tool can generate Skills, ask it to refine the existing Renma
|
|
207
|
+
scaffold or to use `renma scaffold skill` as its starting point.
|
|
208
|
+
|
|
209
|
+
4. Add shared Context Assets when the Skill depends on reusable knowledge.
|
|
210
|
+
|
|
211
|
+
```bash
|
|
212
|
+
renma scaffold context contexts/testing/boundary-value-analysis.md --owner qa-platform
|
|
213
|
+
```
|
|
214
|
+
|
|
215
|
+
Reusable domain, testing, product, platform, and tool knowledge should usually live under `contexts/**` instead of being buried inside one skill. A context asset can have its own owner, lifecycle state, review history, tags, and dependencies.
|
|
216
|
+
|
|
217
|
+
5. Connect the Skill to Context Assets.
|
|
218
|
+
|
|
219
|
+
In a canonical Skill, add `renma.requires-context` or
|
|
220
|
+
`renma.optional-context` under `metadata` as JSON-array strings. These fields
|
|
221
|
+
create static repository graph relationships. They do
|
|
222
|
+
not make Renma choose runtime context for an agent.
|
|
223
|
+
|
|
224
|
+
6. Run repository validation.
|
|
225
|
+
|
|
226
|
+
```bash
|
|
227
|
+
renma scan . --fail-on high
|
|
228
|
+
renma catalog . --format markdown
|
|
229
|
+
renma graph . --format markdown
|
|
230
|
+
renma readiness . --format markdown
|
|
231
|
+
```
|
|
232
|
+
|
|
233
|
+
7. Fix relevant diagnostics and rerun the scan.
|
|
234
|
+
|
|
235
|
+
Use `scan` for concrete problems, `catalog` for discovered assets and metadata,
|
|
236
|
+
`graph` for Skill-to-Context relationships, and `readiness` for repository-level
|
|
237
|
+
health. Do not weaken security policy or add suppressions merely to pass. After
|
|
238
|
+
fixes, rerun `renma scan . --fail-on high` and complete human review.
|
|
239
|
+
|
|
240
|
+
8. Optionally generate a BOM for review or CI artifacts.
|
|
241
|
+
|
|
242
|
+
```bash
|
|
243
|
+
renma bom . --format markdown
|
|
244
|
+
renma bom . --format json
|
|
245
|
+
```
|
|
246
|
+
|
|
247
|
+
The BOM is a declared repository manifest. It combines catalog, graph, diagnostics, readiness, lifecycle, hash, and security posture evidence. It is not a record of actual LLM runtime usage. See the [Repository Context BOM contract](repository-context-bom.md) for v2 boundaries.
|
|
248
|
+
|
|
249
|
+
## User Story: Improve Existing Skills With Diagnostics
|
|
250
|
+
|
|
251
|
+
Use this flow when improving an existing Skill. Review the whole Skill with
|
|
252
|
+
platform-native guidance before treating metadata suggestions as complete.
|
|
253
|
+
|
|
254
|
+
```mermaid
|
|
255
|
+
flowchart TD
|
|
256
|
+
Authoring["Platform-native authoring review"] --> Scan["Run renma scan . --fail-on high"]
|
|
257
|
+
Scan --> Evidence["Inspect relevant diagnostics and repository evidence"]
|
|
258
|
+
Evidence --> NeedMetadata{"Metadata or migration work needed?"}
|
|
259
|
+
NeedMetadata -- Yes --> Suggest["Run renma suggest-metadata and review the candidate"]
|
|
260
|
+
NeedMetadata -- No --> Prepare["Prepare and review intended changes, if any"]
|
|
261
|
+
Suggest --> Prepare
|
|
262
|
+
Prepare --> Validate["Rerun renma scan . --fail-on high"]
|
|
263
|
+
Validate --> Fix["Fix relevant diagnostics and rerun"]
|
|
264
|
+
Fix --> Review["Human review"]
|
|
265
|
+
```
|
|
266
|
+
|
|
267
|
+
LLM assistance is optional. Renma does not rewrite files or accept a proposed
|
|
268
|
+
change automatically.
|
|
269
|
+
|
|
270
|
+
1. Review the trigger description, instructions, workflow, constraints, and
|
|
271
|
+
completion criteria using the platform's standard Skill guidance.
|
|
272
|
+
|
|
273
|
+
2. Run `scan` on the existing repository.
|
|
274
|
+
|
|
275
|
+
```bash
|
|
276
|
+
renma scan . --fail-on high
|
|
277
|
+
```
|
|
278
|
+
|
|
279
|
+
`scan` reports concrete findings such as broken references, risky instructions, missing or invalid metadata, unclear workflow structure, and layout issues.
|
|
280
|
+
|
|
281
|
+
3. Inspect relevant repository evidence. Use only the views that answer the
|
|
282
|
+
current question; they are not mandatory ceremony.
|
|
283
|
+
|
|
284
|
+
Inspect the current asset inventory when needed:
|
|
285
|
+
|
|
286
|
+
```bash
|
|
287
|
+
renma catalog . --format markdown
|
|
288
|
+
```
|
|
289
|
+
|
|
290
|
+
`catalog` helps you see existing skills, contexts, references, profiles, examples, IDs, owners, lifecycle states, hashes, tags, and declared dependencies.
|
|
291
|
+
|
|
292
|
+
Check graph relationships when needed:
|
|
293
|
+
|
|
294
|
+
```bash
|
|
295
|
+
renma graph . --format markdown
|
|
296
|
+
renma graph . --focus skill.testing.spec-review --format markdown
|
|
297
|
+
```
|
|
298
|
+
|
|
299
|
+
`graph` helps find missing context, broken references, unexpected isolation, and unclear dependencies. Focused graph output keeps one asset and its direct neighborhood so you can inspect one skill or context without reading the whole graph.
|
|
300
|
+
|
|
301
|
+
Check readiness when needed:
|
|
302
|
+
|
|
303
|
+
```bash
|
|
304
|
+
renma readiness . --format markdown
|
|
305
|
+
```
|
|
306
|
+
|
|
307
|
+
`readiness` gives a repository-level health score and checks. It is a static repository review signal, not a runtime decision about which context an agent should use.
|
|
308
|
+
|
|
309
|
+
Use `inspect` for one file:
|
|
310
|
+
|
|
311
|
+
```bash
|
|
312
|
+
renma inspect skills/testing/spec-review/SKILL.md
|
|
313
|
+
renma inspect skills/testing/spec-review/SKILL.md --lines L10-L42
|
|
314
|
+
```
|
|
315
|
+
|
|
316
|
+
Use this when you want a compact outline or exact line slice before editing a specific asset.
|
|
317
|
+
|
|
318
|
+
4. Use `suggest-metadata` only when metadata or migration work is needed.
|
|
319
|
+
|
|
320
|
+
```bash
|
|
321
|
+
renma suggest-metadata skills/testing/spec-review/SKILL.md --owner qa-platform --format prompt
|
|
322
|
+
```
|
|
323
|
+
|
|
324
|
+
`suggest-metadata` does not rewrite files. It emits a deterministic prompt or
|
|
325
|
+
JSON payload that a human or coding agent can use to prepare a reviewed metadata
|
|
326
|
+
or one-way migration patch while preserving the existing Markdown body. Review
|
|
327
|
+
the candidate and apply only intended changes.
|
|
328
|
+
|
|
329
|
+
For a `SKILL.md` target, the command proposes only the one-way transition from
|
|
330
|
+
pre-0.16 Renma Skill fields to Agent Skills identity plus flat
|
|
331
|
+
`metadata.renma.*` string values. Unsafe or ambiguous input blocks canonical
|
|
332
|
+
frontmatter output. When blocked, review the conflicts or invalid evidence,
|
|
333
|
+
confirm intent using platform-native guidance, do not apply a candidate, correct
|
|
334
|
+
the source evidence, and rerun `suggest-metadata`. See
|
|
335
|
+
[Agent Skills Compatibility and Migration](agent-skills-compatibility.md).
|
|
336
|
+
|
|
337
|
+
An already canonical Skill with no metadata or migration need should not pass
|
|
338
|
+
through `suggest-metadata` merely as ceremony.
|
|
339
|
+
|
|
340
|
+
5. Use `suggest-semantic-split` when a file has grown too large or mixes multiple purposes.
|
|
341
|
+
|
|
342
|
+
```bash
|
|
343
|
+
renma suggest-semantic-split docs/large-runbook.md
|
|
344
|
+
```
|
|
345
|
+
|
|
346
|
+
`suggest-semantic-split` does not rewrite files either. It packages source context and guidance so a human or coding agent can draft a reviewable split.
|
|
347
|
+
|
|
348
|
+
6. Prepare and review intended changes, then validate, fix relevant
|
|
349
|
+
diagnostics, and rerun.
|
|
350
|
+
|
|
351
|
+
```bash
|
|
352
|
+
renma scan . --fail-on high
|
|
353
|
+
renma catalog . --format markdown
|
|
354
|
+
renma graph . --format markdown
|
|
355
|
+
renma readiness . --format markdown
|
|
356
|
+
```
|
|
357
|
+
|
|
358
|
+
The loop ends with human review. A metadata suggestion or clean scan does not
|
|
359
|
+
replace semantic review of the Skill.
|
|
360
|
+
|
|
361
|
+
For a repository-aware specification-review example using a Skill, a Context
|
|
362
|
+
Lens, and direct Context Asset relationships, see
|
|
363
|
+
[`examples/context-repo`](../examples/context-repo). It is statically navigable
|
|
364
|
+
only for a consumer with the repository checkout that follows the Skill and
|
|
365
|
+
Lens relative links; Renma validates the relationships but does not load them.
|
|
366
|
+
|
|
367
|
+
## Configuration
|
|
368
|
+
|
|
369
|
+
Use `--config <path>` with commands that scan the repository:
|
|
370
|
+
|
|
371
|
+
```bash
|
|
372
|
+
renma scan . --config renma.config.json
|
|
373
|
+
```
|
|
374
|
+
|
|
375
|
+
The JSON configuration supports the same names used by the implementation, including:
|
|
376
|
+
|
|
377
|
+
- `globs`: glob patterns to scan.
|
|
378
|
+
- `exclude`: paths or path prefixes to skip.
|
|
379
|
+
- `suppressions`: rule suppressions that remove matching findings from normal reports and failure thresholds.
|
|
380
|
+
- `max_file_size_bytes`: largest file renma will read for content analysis. A
|
|
381
|
+
larger discovered file remains repository existence evidence, so a valid
|
|
382
|
+
reference is not also reported as missing.
|
|
383
|
+
- `max_depth`: maximum discovery depth.
|
|
384
|
+
- `concurrency`: scan concurrency.
|
|
385
|
+
- `fail_on`: scan exit threshold: `low`, `medium`, `high`, or `critical`.
|
|
386
|
+
- `format`: default report format.
|
|
387
|
+
- `layout`: compatibility-only `tool_namespace` and `workflow_aliases` input retained for existing configurations. These fields are validated and normalized but do not currently change findings or force Skill-local support migration.
|
|
388
|
+
- `security`: command, network, upload, and profile policy.
|
|
389
|
+
|
|
390
|
+
CLI flags override config values when both are provided.
|
|
391
|
+
|
|
392
|
+
Within a canonical Skill entrypoint or one of its classified support documents,
|
|
393
|
+
helper commands may use `scripts/helper.mjs` or `./scripts/helper.mjs`; Renma
|
|
394
|
+
resolves these paths against the owning Skill directory. `tools/helper.mjs` and
|
|
395
|
+
`./tools/helper.mjs` resolve from the repository root. Explicit repository-root
|
|
396
|
+
paths such as `skills/testing/demo/scripts/helper.mjs`,
|
|
397
|
+
`.agents/skills/testing/demo/scripts/helper.mjs`, and
|
|
398
|
+
`tools/testing/helper.mjs` remain valid. Renma rejects helper candidates whose
|
|
399
|
+
relative traversal would escape the owning Skill boundary and checks existence
|
|
400
|
+
against the collected repository snapshot. It validates the declared path but
|
|
401
|
+
does not execute the command. Non-Skill documents do not receive an inferred
|
|
402
|
+
Skill-relative base.
|
|
403
|
+
|
|
404
|
+
Static support reachability accepts explicit Skill-relative paths, explicit
|
|
405
|
+
basenames, Markdown link targets, quoted/code-form paths, and one additional
|
|
406
|
+
hop through a directly referenced index/reference. Free-prose matches against
|
|
407
|
+
generic filename stems such as `run`, `check`, or `logo` are not evidence.
|
|
408
|
+
Extensionless executables and quoted or linked asset paths with spaces are
|
|
409
|
+
valid; `..` traversal outside the Skill root remains invalid.
|
|
410
|
+
|
|
411
|
+
Use `exclude` for files Renma should not scan. Use `suppressions` for audited exceptions where Renma should scan the file, detect matching findings internally, then omit those findings from normal reports and failure decisions. A suppression applies only when both `id` and `paths` match. Each suppression includes `id`, `paths`, required `reason`, and optional `expires`; the reason lives in config for auditability.
|
|
412
|
+
|
|
413
|
+
Use a date in `YYYY-MM-DD` for temporary workarounds, or `"never"` when the exception is intentionally permanent. Permanent suppressions should still use narrow path patterns and a clear reason. Suppression path patterns are repository-relative and support exact paths, directory-prefix matches for non-glob patterns, `*` within one path segment, and `**` across directories.
|
|
414
|
+
|
|
415
|
+
If `--config` is not provided, renma looks for repository config files such as `renma.config.json` or `.renma.json` while resolving the scan target.
|
|
416
|
+
|
|
417
|
+
Canonical Agent Skills entrypoints are:
|
|
418
|
+
|
|
419
|
+
- `skills/**/SKILL.md`
|
|
420
|
+
- `.agents/skills/**/SKILL.md`
|
|
421
|
+
|
|
422
|
+
Renma also discovers these historical spellings for migration diagnostics:
|
|
423
|
+
|
|
424
|
+
- `skills/**/skill.md`
|
|
425
|
+
- `skills/**/*.skill.md`
|
|
426
|
+
- `.agents/skills/**/skill.md`
|
|
427
|
+
- `.agents/skills/**/*.skill.md`
|
|
428
|
+
|
|
429
|
+
Other default scan glob families are:
|
|
430
|
+
|
|
431
|
+
- `.agents/**/*.md`
|
|
432
|
+
- `AGENTS.md`
|
|
433
|
+
- `README.md`
|
|
434
|
+
- `context/**/*.md`
|
|
435
|
+
- `contexts/**/*.md`
|
|
436
|
+
- `lenses/**/*.md`
|
|
437
|
+
- `skills/**/profiles/**/*.md`
|
|
438
|
+
- `skills/**/references/**/*.md`
|
|
439
|
+
- `skills/**/examples/**/*.md`
|
|
440
|
+
- `skills/**/scripts/**/*`
|
|
441
|
+
- `skills/**/assets/**/*`
|
|
442
|
+
- `.agents/skills/**/profiles/**/*.md`
|
|
443
|
+
- `.agents/skills/**/references/**/*`
|
|
444
|
+
- `.agents/skills/**/examples/**/*.md`
|
|
445
|
+
- `.agents/skills/**/scripts/**/*`
|
|
446
|
+
- `.agents/skills/**/assets/**/*`
|
|
447
|
+
- `tools/**/*`
|
|
448
|
+
|
|
449
|
+
## Where To Go Next
|
|
450
|
+
|
|
451
|
+
- New to Renma? Start with [Authoring Guide](authoring-guide.md).
|
|
452
|
+
- Writing security-sensitive skills or context assets? Read [Security Policy Guide](security-policy.md).
|
|
453
|
+
- Fixing scan findings? See [Diagnostics Reference](diagnostics.md).
|
|
454
|
+
- Reviewing thresholds? See [Renma Quality Profile](quality-profile.md).
|
|
455
|
+
- Trying a minimal clarify-before-act Skill interaction? Use
|
|
456
|
+
[`examples/interactive-placeholder`](../examples/interactive-placeholder).
|
|
457
|
+
- Trying richer repository-aware Skill, Context Lens, and Context Asset
|
|
458
|
+
governance? See [`examples/context-repo`](../examples/context-repo).
|
|
459
|
+
- Focusing specifically on Context Lens governance? See
|
|
460
|
+
[`examples/context-lens`](../examples/context-lens).
|
|
461
|
+
- Adding Renma evidence to CI? See the
|
|
462
|
+
[GitHub Actions example](../examples/github-actions/renma-ci-report.yml).
|
|
463
|
+
|
|
464
|
+
## Commands
|
|
465
|
+
|
|
466
|
+
For a mini-repository with a statically navigable Skill, a Context Lens, shared
|
|
467
|
+
Context Assets, ownership metadata, and graph relationships, see
|
|
468
|
+
[`examples/context-repo`](../examples/context-repo). The consumer must have the
|
|
469
|
+
checkout and follow the Skill and Lens relative links; the fixture is not a
|
|
470
|
+
portable self-contained Agent Skills package.
|
|
471
|
+
|
|
472
|
+
renma commands fall into a few groups:
|
|
473
|
+
|
|
474
|
+
- Inventory and ownership: `catalog` lists discovered assets and references, `ownership` summarizes owned and unowned assets, `graph` shows relationships between catalog nodes, `trust-graph` exposes deterministic trust evidence, and `bom` combines declared repository evidence into a reviewable Repository Context BOM.
|
|
475
|
+
- Local inspection and authoring: `inspect` reads one file as an outline or exact line slice, `scaffold` creates starter assets or authoring prompts, `suggest-metadata` emits safe metadata retrofit guidance for existing assets, and `suggest-semantic-split` packages source context and helper commands so a human or coding agent can draft a split for mixed-purpose Markdown.
|
|
476
|
+
- Review and CI: `scan` emits deterministic findings, `readiness` turns repository state into checks and a score, `diff` compares two refs, and `ci-report` formats the comparison for pull-request review.
|
|
477
|
+
|
|
478
|
+
## Scan, Catalog, Graph, Trust Graph, Readiness, And BOM
|
|
479
|
+
|
|
480
|
+
These commands are related, but they answer different repository-review questions.
|
|
481
|
+
|
|
482
|
+
| Command | Main question | Best for | Output shape |
|
|
483
|
+
| --- | --- | --- | --- |
|
|
484
|
+
| `scan` | What concrete problems were found? | Fixing diagnostics and CI checks | Finding list |
|
|
485
|
+
| `catalog` | What assets exist? | Reviewing IDs, owners, lifecycle metadata, hashes, tags, and declared dependencies | Asset inventory |
|
|
486
|
+
| `graph` | How are assets connected? | Inspecting dependencies and references | Asset relationship graph |
|
|
487
|
+
| `trust-graph` | What evidence helps reviewers decide whether assets are safe, owned, current, and usable enough? | Tracing owner, lifecycle, policy, dependency, reference, and diagnostic evidence per asset | Evidence graph |
|
|
488
|
+
| `readiness` | Is the repository broadly ready for agent-facing use? | Maintainer summary and CI reporting | Repository-level scorecard |
|
|
489
|
+
| `bom` | What declared repository context manifest should reviewers inspect? | Combining catalog, graph, readiness, diagnostics, lifecycle, hashes, and security posture evidence | Repository Context BOM |
|
|
490
|
+
|
|
491
|
+
`catalog` is about what assets exist. `graph` is about how assets relate. `readiness` is about repository-level health score and checks. `trust-graph` is about traceability of trust-relevant evidence. `bom` is the reviewable declared repository manifest that combines asset inventory, dependencies, hashes, lifecycle, diagnostics, readiness, and security posture evidence.
|
|
492
|
+
|
|
493
|
+
Use `trust-graph` when a reviewer asks: "Why should this asset be considered safe, owned, current, and usable enough for an agent-facing repository?" The command does not decide that an asset is trustworthy. It connects deterministic evidence that humans and downstream tools can review: owner, lifecycle status, dependency and reference relationships, selected security profiles, effective policy fingerprints, and diagnostics.
|
|
494
|
+
|
|
495
|
+
In short:
|
|
496
|
+
|
|
497
|
+
- `scan` lists problems.
|
|
498
|
+
- `catalog` lists what assets exist.
|
|
499
|
+
- `graph` shows structural relationships.
|
|
500
|
+
- `trust-graph` connects trust-relevant evidence.
|
|
501
|
+
- `readiness` summarizes repository health.
|
|
502
|
+
- `bom` combines declared catalog, graph, readiness, diagnostics, lifecycle, hash, and security posture evidence.
|
|
503
|
+
|
|
504
|
+
Examples:
|
|
505
|
+
|
|
506
|
+
```bash
|
|
507
|
+
renma scan . --format json
|
|
508
|
+
renma catalog . --format json
|
|
509
|
+
renma graph . --format json
|
|
510
|
+
renma trust-graph . --format markdown
|
|
511
|
+
renma trust-graph . --format json
|
|
512
|
+
renma readiness . --format markdown
|
|
513
|
+
renma bom . --format json
|
|
514
|
+
renma bom . --format markdown
|
|
515
|
+
```
|
|
516
|
+
|
|
517
|
+
### `scan`
|
|
518
|
+
|
|
519
|
+
Scans a target path and prints findings.
|
|
520
|
+
|
|
521
|
+
```bash
|
|
522
|
+
renma scan .
|
|
523
|
+
renma scan . --format json
|
|
524
|
+
renma scan . --fail-on high
|
|
525
|
+
```
|
|
526
|
+
|
|
527
|
+
Use `--fail-on` in CI when findings at or above a severity should fail the job. The JSON output includes findings, evidence, diagnostics, `diagnosticsV2`, `reviewBundles`, `trustGraph`, and summary data that other tools can consume.
|
|
528
|
+
|
|
529
|
+
Output includes scan findings, discovery or catalog diagnostics, the effective exit threshold, and evidence paths or snippets for each finding. `diagnosticsV2` adds typed repair constraints, structured verification steps, and concise LLM hints; `reviewBundles` groups related diagnostics for code review.
|
|
530
|
+
|
|
531
|
+
### `catalog`
|
|
532
|
+
|
|
533
|
+
Builds a deterministic catalog of discovered assets.
|
|
534
|
+
|
|
535
|
+
```bash
|
|
536
|
+
renma catalog . --format json
|
|
537
|
+
renma catalog . --format markdown
|
|
538
|
+
```
|
|
539
|
+
|
|
540
|
+
Use the catalog to review asset IDs, owners, status, dependencies, and metadata-derived references.
|
|
541
|
+
|
|
542
|
+
Output includes catalog assets, dependency edges, owners, lifecycle status, tags, and diagnostics.
|
|
543
|
+
|
|
544
|
+
### `bom`
|
|
545
|
+
|
|
546
|
+
Prints a declared Repository Context BOM.
|
|
547
|
+
|
|
548
|
+
```bash
|
|
549
|
+
renma bom .
|
|
550
|
+
renma bom . --format json
|
|
551
|
+
renma bom . --format markdown
|
|
552
|
+
renma bom . --format json --omit-generated-at
|
|
553
|
+
```
|
|
554
|
+
|
|
555
|
+
Use the BOM when reviewers or CI consumers need one repository evidence manifest that combines existing Renma evidence. Renma 0.18.0 supports only v2, the first supported long-term BOM contract. It does not provide a v1 compatibility mode. V2 includes normalized declared/effective ownership plus static support relationships. See the [Repository Context BOM contract](repository-context-bom.md).
|
|
556
|
+
|
|
557
|
+
The BOM is not a record of actual LLM runtime usage. Renma does not collect telemetry, assemble prompts, choose task-specific context, inject context into agents, import consumed-context evidence, or claim what an LLM actually consumed.
|
|
558
|
+
|
|
559
|
+
JSON is the source of truth for automation. Markdown is a compact pull-request review view.
|
|
560
|
+
|
|
561
|
+
Renma derives each BOM from one in-memory repository snapshot: configuration, discovered artifacts, parsed documents, catalog, graph evidence, diagnostics, readiness, and security summaries all come from the same collected state.
|
|
562
|
+
|
|
563
|
+
By default, `generatedAt` records when the BOM was produced. Add `--omit-generated-at` when CI or review automation needs to avoid clock-based diffs. With the same checkout path, config path, repository contents, Renma version, and UTC evaluation date, repeated `--omit-generated-at` runs should produce byte-identical JSON. The option does not remove metadata freshness dates, suppress freshness diagnostics, normalize absolute `root` or `configPath`, hide file moves, or guarantee portable byte-for-byte output across runners.
|
|
564
|
+
|
|
565
|
+
### `graph`
|
|
566
|
+
|
|
567
|
+
Prints the relationship graph between assets.
|
|
568
|
+
|
|
569
|
+
```bash
|
|
570
|
+
renma graph . --view summary
|
|
571
|
+
renma graph . --view workflow --format markdown
|
|
572
|
+
renma graph . --view full --format mermaid
|
|
573
|
+
renma graph . --view layered --format mermaid
|
|
574
|
+
```
|
|
575
|
+
|
|
576
|
+
Views are:
|
|
577
|
+
|
|
578
|
+
- `summary`: compact graph overview.
|
|
579
|
+
- `workflow`: workflow-oriented relationships.
|
|
580
|
+
- `full`: all known graph edges.
|
|
581
|
+
- `layered`: Mermaid-focused graph grouped by asset kind so skill-to-lens-to-context paths are easier to read. `lens` is accepted as an alias.
|
|
582
|
+
|
|
583
|
+
Layered Mermaid output groups skills, context lenses, contexts, support assets, and unresolved targets into separate subgraphs. JSON and Markdown keep the same node and edge detail while reporting the selected view.
|
|
584
|
+
|
|
585
|
+
#### Focusing The Graph
|
|
586
|
+
|
|
587
|
+
The graph command can be focused on one asset with `--focus <asset-id-or-path>`.
|
|
588
|
+
|
|
589
|
+
Use this when you want to inspect the local neighborhood around one context asset, skill, or other catalog entry instead of reading the entire repository graph. A focused graph is useful for answering questions such as:
|
|
590
|
+
|
|
591
|
+
- What does this asset depend on?
|
|
592
|
+
- What other assets reference this asset?
|
|
593
|
+
- Is this asset connected to the expected parts of the context repository?
|
|
594
|
+
- Is this asset isolated or unexpectedly central?
|
|
595
|
+
|
|
596
|
+
Examples:
|
|
597
|
+
|
|
598
|
+
```bash
|
|
599
|
+
renma graph . --focus context.testing.boundary-value-analysis
|
|
600
|
+
renma graph . --focus contexts/testing/boundary-value-analysis.md --view full
|
|
601
|
+
```
|
|
602
|
+
|
|
603
|
+
`--focus` accepts one value. The value must match either a catalog asset ID, a repository-relative source path such as `contexts/testing/boundary-value-analysis.md`, or an absolute source path. It does not match projected `summary` view node IDs such as `contexts/testing/*`.
|
|
604
|
+
|
|
605
|
+
When `--focus` is provided, renma keeps the matched asset, its directly connected incoming and outgoing graph edges, and the assets at the other ends of those edges. In other words, it filters graph contents to the focused asset's one-hop neighborhood; it does not only highlight or rearrange the full graph. If the focus value does not match an asset ID or source path, the command exits with usage code `2` and reports that `graph --focus did not match any asset id or source path`.
|
|
606
|
+
|
|
607
|
+
`--focus` runs before `--view` projection. For example, `--view summary --focus <asset>` first selects the focused neighborhood and then groups that smaller graph into the summary view. There is no separate depth option in the current graph command, and repeated `--focus` flags are not a multi-focus API.
|
|
608
|
+
|
|
609
|
+
Note: this graph `focus` argument is a CLI option. It is not a metadata field on an asset.
|
|
610
|
+
|
|
611
|
+
Output includes graph nodes, relationship edges, unresolved targets, and diagnostics. Mermaid output renders the same graph as a diagram definition.
|
|
612
|
+
|
|
613
|
+
### `trust-graph`
|
|
614
|
+
|
|
615
|
+
Prints deterministic Trust Graph evidence derived from catalog, graph, scan, and security policy data.
|
|
616
|
+
|
|
617
|
+
```bash
|
|
618
|
+
renma trust-graph . --format markdown
|
|
619
|
+
renma trust-graph . --format json
|
|
620
|
+
renma scan . --format json
|
|
621
|
+
```
|
|
622
|
+
|
|
623
|
+
Use this when a reviewer or downstream tool needs one stable evidence layer that links assets to owners, lifecycle status, declared dependencies, selected security profiles, effective policy fingerprints, and diagnostics.
|
|
624
|
+
|
|
625
|
+
Trust Graph is repository evidence. It does not compute a trust score, select or inject runtime context, assemble prompts, call an LLM, collect telemetry, or enforce policy at runtime.
|
|
626
|
+
|
|
627
|
+
Renma 0.18.0 supports only Trust Graph v2, the first supported long-term contract. It includes normalized ownership and static `owns_local_resource`, `statically_references`, `inherits_owner`, and `inherits_policy` evidence. JSON is the source of truth; Markdown is for human review. `scan --format json` includes the same v2 contract under `trustGraph`.
|
|
628
|
+
|
|
629
|
+
Consumers must branch on `schemaVersion`, not on the Renma package version. A future incompatible contract may intentionally introduce v3.
|
|
630
|
+
|
|
631
|
+
Reviewers can use Trust Graph to find assets without owners, find assets without lifecycle status, inspect assets sharing the same effective policy fingerprint, and connect diagnostics back to asset evidence. `trust-graph` exits `0` when the report is generated successfully; use `scan --fail-on` when CI should fail on findings.
|
|
632
|
+
|
|
633
|
+
### `inspect`
|
|
634
|
+
|
|
635
|
+
Inspects one file as an outline or exact line slice.
|
|
636
|
+
|
|
637
|
+
```bash
|
|
638
|
+
renma inspect skills/testing/spec-review/SKILL.md
|
|
639
|
+
renma inspect contexts/testing/boundary-value-analysis.md --format json
|
|
640
|
+
renma inspect skills/testing/spec-review/SKILL.md --lines L10-L42
|
|
641
|
+
```
|
|
642
|
+
|
|
643
|
+
Use this when editing one skill or context file and you want a deterministic outline without reading the whole repository catalog. Without `--lines`, output includes file size, line count, frontmatter range, headings, code fences, links, asset relationships, and a concise Context Lens governance summary when repository context can be inferred. Use `--lines <range>` for an exact source slice; ranges can look like `L10-L42` or `10-42`.
|
|
644
|
+
|
|
645
|
+
### `readiness`
|
|
646
|
+
|
|
647
|
+
Prints a deterministic readiness report.
|
|
648
|
+
|
|
649
|
+
```bash
|
|
650
|
+
renma readiness .
|
|
651
|
+
renma readiness . --format markdown
|
|
652
|
+
renma readiness . --format json
|
|
653
|
+
```
|
|
654
|
+
|
|
655
|
+
Readiness combines catalog diagnostics, Context Lens governance diagnostics, ownership metadata, graph resolution, required and optional context references, asset status, and selected scan findings into an agent-readiness score.
|
|
656
|
+
|
|
657
|
+
Output includes a readiness score and level, workflow checks, Context Lens counts, diagnostics, scan findings that affect readiness, and graph or ownership summary data. JSON output includes `summary.contextLens`; Markdown output includes a `Context Lens` section.
|
|
658
|
+
|
|
659
|
+
Security posture and Context Lens summaries remain static repository evidence in this report. Readiness does not choose runtime context, assemble prompts, inject context, or describe what an LLM actually used.
|
|
660
|
+
|
|
661
|
+
### `diff`
|
|
662
|
+
|
|
663
|
+
Compares deterministic readiness reports for two git refs.
|
|
664
|
+
|
|
665
|
+
```bash
|
|
666
|
+
renma diff . --from main --to HEAD
|
|
667
|
+
renma diff . --from main --to HEAD --format markdown
|
|
668
|
+
```
|
|
669
|
+
|
|
670
|
+
Use this to review what changed between branches or commits. The command builds readiness data for both refs and reports asset, graph, check, and finding deltas.
|
|
671
|
+
|
|
672
|
+
Output includes readiness deltas, changed assets, graph edge changes, check changes, and added or removed findings.
|
|
673
|
+
|
|
674
|
+
### `ci-report`
|
|
675
|
+
|
|
676
|
+
Formats a diff result for CI or pull-request review.
|
|
677
|
+
|
|
678
|
+
```bash
|
|
679
|
+
renma ci-report . --from main --to HEAD --format markdown
|
|
680
|
+
renma ci-report . --from main --to HEAD --format json
|
|
681
|
+
```
|
|
682
|
+
|
|
683
|
+
The report summarizes readiness deltas, graph-resolution changes, added and removed findings, and policy-relevant status. It is CI-oriented: `PASS` and `WARN` exit `0`, `FAIL` exits `1`, and usage, command, or configuration errors exit `2`.
|
|
684
|
+
|
|
685
|
+
Output includes a CI status (`PASS`, `WARN`, or `FAIL`), a summary, readiness changes, graph changes, and review-focused finding changes.
|
|
686
|
+
|
|
687
|
+
Repository Context BOM artifacts describe declared repository state, not prompt assembly, context injection, agent execution, actual LLM runtime usage, or telemetry. Use `renma bom . --format json` when CI needs a machine-readable manifest and `renma bom . --format markdown` for review comments or artifacts. For v2 compatibility and reproducibility details, see the [Repository Context BOM contract](repository-context-bom.md).
|
|
688
|
+
|
|
689
|
+
### `ownership`
|
|
690
|
+
|
|
691
|
+
Reports asset ownership.
|
|
692
|
+
|
|
693
|
+
```bash
|
|
694
|
+
renma ownership .
|
|
695
|
+
renma ownership . --include-owned
|
|
696
|
+
renma ownership . --owner qa-platform
|
|
697
|
+
renma ownership . --format json
|
|
698
|
+
```
|
|
699
|
+
|
|
700
|
+
Use this to find unowned assets, review what each owner is responsible for, and filter the report to assets owned by a specific owner.
|
|
701
|
+
|
|
702
|
+
Output includes total asset count, owned asset count, ownership coverage, owner groups, and assets without declared owner. `--owner <owner>` keeps the repository-level totals for context and adds filtered matched assets for that owner. Filtered JSON reports omit `unownedAssetList` so the repository-level `unownedAssets` count is not confused with owner-filtered asset details. `--include-owned` also includes the backward-compatible flat owned asset list.
|
|
703
|
+
|
|
704
|
+
#### Ownership policy
|
|
705
|
+
|
|
706
|
+
Renma treats `owner` as governance metadata. Declaring an owner is recommended because it makes context assets easier to review, maintain, and share across teams.
|
|
707
|
+
|
|
708
|
+
However, owner metadata is not globally required yet. Assets without an owner are accepted and reported as unowned in the ownership coverage report.
|
|
709
|
+
|
|
710
|
+
Renma does not infer owners automatically. If an asset is unowned, choose an owner through human review or team policy.
|
|
711
|
+
|
|
712
|
+
### `scaffold`
|
|
713
|
+
|
|
714
|
+
Creates a starter skill or context asset.
|
|
715
|
+
|
|
716
|
+
```bash
|
|
717
|
+
renma scaffold skill skills/testing/spec-review/SKILL.md --owner qa-platform
|
|
718
|
+
renma scaffold context contexts/testing/boundary-value-analysis.md --owner qa-platform
|
|
719
|
+
renma scaffold context_lens lenses/testing/spec-review-boundary-values.md --owner qa-platform
|
|
720
|
+
renma scaffold skill skills/testing/spec-review/SKILL.md --owner qa-platform --format prompt
|
|
721
|
+
```
|
|
722
|
+
|
|
723
|
+
`scaffold --format file` writes a starter file, `--format prompt` emits an authoring prompt, and `--format json` emits structured scaffold data. The generated content is intentionally minimal; fill in metadata, dependencies, and verification steps before depending on it in automation.
|
|
724
|
+
|
|
725
|
+
For a Skill, use platform-native authoring guidance before and after scaffolding.
|
|
726
|
+
File mode prints concise Skill-only next steps after the `Created` line. Prompt
|
|
727
|
+
mode includes the same responsibility boundary and validation loop. Context and
|
|
728
|
+
Context Lens output does not receive Skill-specific guidance. JSON retains the
|
|
729
|
+
existing bundle shape.
|
|
730
|
+
|
|
731
|
+
After completing a Skill, run `renma scan . --fail-on high`, fix relevant
|
|
732
|
+
diagnostics, rerun the scan, and complete human review. Do not use a second
|
|
733
|
+
independent generator against the same target file.
|
|
734
|
+
|
|
735
|
+
### `suggest-metadata`
|
|
736
|
+
|
|
737
|
+
Suggests a safe metadata retrofit workflow for an existing asset.
|
|
738
|
+
|
|
739
|
+
```bash
|
|
740
|
+
renma scan .
|
|
741
|
+
renma ownership .
|
|
742
|
+
renma suggest-metadata skills/testing/spec-review/SKILL.md --format prompt
|
|
743
|
+
renma suggest-metadata skills/testing/spec-review/SKILL.md --owner qa-platform --format json
|
|
744
|
+
```
|
|
745
|
+
|
|
746
|
+
Use this after `scan` detects metadata issues or `ownership` shows unowned assets. The command does not rewrite files. It emits a deterministic prompt or JSON payload that a human or coding agent can use to prepare a reviewed patch.
|
|
747
|
+
|
|
748
|
+
For Skill targets, the prompt also makes clear that metadata suggestion is not
|
|
749
|
+
the full authoring process. Review the trigger description, instructions,
|
|
750
|
+
workflow, constraints, and completion criteria with platform-native guidance;
|
|
751
|
+
apply only intended metadata or migration changes; run
|
|
752
|
+
`renma scan . --fail-on high`; fix relevant diagnostics; and rerun the scan.
|
|
753
|
+
Context Asset output does not receive this Skill-specific authoring guidance.
|
|
754
|
+
JSON retains the existing structured suggestion shape.
|
|
755
|
+
|
|
756
|
+
For Skill targets using the pre-0.16 Renma Skill format, the 0.16.0 metadata
|
|
757
|
+
migration path is one-way: recognized governance and security frontmatter
|
|
758
|
+
becomes Agent Skills identity plus `metadata.renma.*`. Separately, `skill.md` and `*.skill.md` targets
|
|
759
|
+
report any required entrypoint rename or move, even when their frontmatter
|
|
760
|
+
already uses Agent Skills fields. For a canonical Agent Skill, `--owner` may
|
|
761
|
+
instead propose an owner metadata retrofit; it never causes reverse migration.
|
|
762
|
+
The normative behavior is documented in
|
|
763
|
+
[Agent Skills Compatibility and Migration](agent-skills-compatibility.md).
|
|
764
|
+
|
|
765
|
+
Pre-0.16 security fields migrate with strict serialization: booleans become the
|
|
766
|
+
exact strings `"true"` or `"false"`, and lists become JSON-array strings of
|
|
767
|
+
strings. Unsafe or ambiguous values block canonical frontmatter generation.
|
|
768
|
+
For an already canonical Skill, `suggest-metadata` proposes neither migration
|
|
769
|
+
nor an unnecessary rewrite unless an explicit supported retrofit is requested.
|
|
770
|
+
|
|
771
|
+
When migration is blocked, do not apply a candidate. Review the conflict or
|
|
772
|
+
invalid evidence, confirm the Skill's intent with platform-native authoring
|
|
773
|
+
guidance, correct the source evidence, rerun `suggest-metadata`, then validate
|
|
774
|
+
intended corrections with `renma scan . --fail-on high`.
|
|
775
|
+
|
|
776
|
+
Owner metadata remains recommended but not required. Without `--owner`, `suggest-metadata` blocks owner as a suggested addition and says not to add one unless the asset already declares an owner or a maintainer provides one. With `--owner <owner>`, the command may include that owner because it was explicitly provided. If an existing asset already declares an owner, `suggest-metadata` preserves it; a different `--owner` value is treated as a human-review ownership change, not an automatic metadata suggestion. Renma does not infer owners from Git history, file paths, prose, or authors.
|
|
777
|
+
|
|
778
|
+
### `suggest-semantic-split`
|
|
779
|
+
|
|
780
|
+
Suggests a semantic split for large or mixed-purpose assets.
|
|
781
|
+
|
|
782
|
+
```bash
|
|
783
|
+
renma suggest-semantic-split docs/large-runbook.md
|
|
784
|
+
renma suggest-semantic-split docs/large-runbook.md --format json
|
|
785
|
+
renma suggest-semantic-split docs/large-runbook.md --max-context-bytes 32768
|
|
786
|
+
```
|
|
787
|
+
|
|
788
|
+
Use this as an editing aid when an asset has grown beyond one clear responsibility.
|
|
789
|
+
|
|
790
|
+
Output is a prompt by default. With `--format json`, output includes source context, sibling-file context, helper commands, and a structured review bundle. The command does not apply a split itself; it gives a human or coding agent enough context to draft a proposal.
|
|
791
|
+
|
|
792
|
+
## Output Formats
|
|
793
|
+
|
|
794
|
+
Use `--format <format>` to select output and `--json` as a shortcut where the command supports JSON.
|
|
795
|
+
|
|
796
|
+
| Command | Formats |
|
|
797
|
+
| --- | --- |
|
|
798
|
+
| `scan` | `text`, `json` |
|
|
799
|
+
| `bom` | `json`, `markdown` |
|
|
800
|
+
| `catalog` | `json`, `markdown` |
|
|
801
|
+
| `ownership` | `json`, `markdown` |
|
|
802
|
+
| `readiness` | `json`, `markdown` |
|
|
803
|
+
| `diff` | `json`, `markdown` |
|
|
804
|
+
| `ci-report` | `json`, `markdown` |
|
|
805
|
+
| `graph` | `json`, `markdown`, `mermaid` |
|
|
806
|
+
| `trust-graph` | `json`, `markdown` |
|
|
807
|
+
| `inspect` | `text`, `json` |
|
|
808
|
+
| `scaffold` | `file`, `prompt`, `json` |
|
|
809
|
+
| `suggest-metadata` | `prompt`, `json` |
|
|
810
|
+
| `suggest-semantic-split` | `prompt`, `json` |
|
|
811
|
+
|
|
812
|
+
Prefer JSON in automation and markdown for human review in pull requests. Use Mermaid when you want to render a graph diagram.
|
|
813
|
+
|
|
814
|
+
## CI Workflow
|
|
815
|
+
|
|
816
|
+
A typical CI flow is:
|
|
817
|
+
|
|
818
|
+
1. Build renma.
|
|
819
|
+
2. Run `renma scan . --fail-on high`.
|
|
820
|
+
3. Run `renma readiness . --format json` and store the result as an artifact.
|
|
821
|
+
4. Compare refs with `renma diff . --from main --to HEAD`.
|
|
822
|
+
5. Publish `renma ci-report` in the pull-request summary.
|
|
823
|
+
|
|
824
|
+
Example:
|
|
825
|
+
|
|
826
|
+
```bash
|
|
827
|
+
npm run build
|
|
828
|
+
renma scan . --fail-on high
|
|
829
|
+
renma readiness . --format json > renma-readiness.json
|
|
830
|
+
```
|
|
831
|
+
|
|
832
|
+
`renma readiness` exits `1` when blocking diagnostics make the repository not ready, including Context Lens governance errors such as duplicate lens IDs, missing required fields, or unresolved `applies_to` targets.
|
|
833
|
+
|
|
834
|
+
## Interpreting Results
|
|
835
|
+
|
|
836
|
+
renma reports three related but different kinds of output:
|
|
837
|
+
|
|
838
|
+
- Diagnostics: problems reading files, parsing metadata, or resolving catalog data. See [Diagnostics Reference](diagnostics.md).
|
|
839
|
+
- Scan findings: rule results from `scan`, such as layout, security, maintenance, quality, profile, and support issues. Each scan finding has a finding identifier, such as `SEC-LITERAL-SECRET`, that labels the kind of issue independently from the file path, asset ID, or human-readable message.
|
|
840
|
+
- Readiness checks: workflow-level pass, warning, or error states derived from catalog, graph, ownership, and finding data.
|
|
841
|
+
|
|
842
|
+
Treat errors as blockers for deterministic automation. Treat warnings as review items that can become blockers when they affect agent reliability.
|