renma 0.16.0 → 0.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (182) hide show
  1. package/CHANGELOG.md +157 -1
  2. package/README.md +219 -748
  3. package/architecture.md +533 -0
  4. package/design.md +469 -0
  5. package/dist/agent-skills.d.ts +1 -1
  6. package/dist/agent-skills.d.ts.map +1 -1
  7. package/dist/agent-skills.js +28 -8
  8. package/dist/agent-skills.js.map +1 -1
  9. package/dist/catalog.d.ts +1 -1
  10. package/dist/catalog.d.ts.map +1 -1
  11. package/dist/catalog.js +120 -12
  12. package/dist/catalog.js.map +1 -1
  13. package/dist/cli-help.d.ts +15 -9
  14. package/dist/cli-help.d.ts.map +1 -1
  15. package/dist/cli-help.js +32 -9
  16. package/dist/cli-help.js.map +1 -1
  17. package/dist/cli.d.ts.map +1 -1
  18. package/dist/cli.js +162 -40
  19. package/dist/cli.js.map +1 -1
  20. package/dist/commands/bom.d.ts +6 -3
  21. package/dist/commands/bom.d.ts.map +1 -1
  22. package/dist/commands/bom.js +27 -7
  23. package/dist/commands/bom.js.map +1 -1
  24. package/dist/commands/catalog.d.ts +1 -1
  25. package/dist/commands/catalog.d.ts.map +1 -1
  26. package/dist/commands/catalog.js +11 -4
  27. package/dist/commands/catalog.js.map +1 -1
  28. package/dist/commands/ci-report.d.ts.map +1 -1
  29. package/dist/commands/ci-report.js +18 -5
  30. package/dist/commands/ci-report.js.map +1 -1
  31. package/dist/commands/diff.js +8 -2
  32. package/dist/commands/diff.js.map +1 -1
  33. package/dist/commands/graph.d.ts +6 -2
  34. package/dist/commands/graph.d.ts.map +1 -1
  35. package/dist/commands/graph.js +30 -14
  36. package/dist/commands/graph.js.map +1 -1
  37. package/dist/commands/inspect.d.ts.map +1 -1
  38. package/dist/commands/inspect.js +2 -0
  39. package/dist/commands/inspect.js.map +1 -1
  40. package/dist/commands/ownership.d.ts +4 -3
  41. package/dist/commands/ownership.d.ts.map +1 -1
  42. package/dist/commands/ownership.js +27 -23
  43. package/dist/commands/ownership.js.map +1 -1
  44. package/dist/commands/readiness.d.ts +2 -1
  45. package/dist/commands/readiness.d.ts.map +1 -1
  46. package/dist/commands/readiness.js +105 -36
  47. package/dist/commands/readiness.js.map +1 -1
  48. package/dist/commands/scaffold.d.ts +3 -0
  49. package/dist/commands/scaffold.d.ts.map +1 -1
  50. package/dist/commands/scaffold.js +28 -2
  51. package/dist/commands/scaffold.js.map +1 -1
  52. package/dist/commands/suggest-metadata.d.ts.map +1 -1
  53. package/dist/commands/suggest-metadata.js +56 -8
  54. package/dist/commands/suggest-metadata.js.map +1 -1
  55. package/dist/commands/suggest-semantic-split.js +3 -3
  56. package/dist/commands/suggest-semantic-split.js.map +1 -1
  57. package/dist/commands/trust-graph.d.ts.map +1 -1
  58. package/dist/commands/trust-graph.js +12 -0
  59. package/dist/commands/trust-graph.js.map +1 -1
  60. package/dist/config.d.ts.map +1 -1
  61. package/dist/config.js +10 -3
  62. package/dist/config.js.map +1 -1
  63. package/dist/dependency-resolution.d.ts +6 -0
  64. package/dist/dependency-resolution.d.ts.map +1 -0
  65. package/dist/dependency-resolution.js +11 -0
  66. package/dist/dependency-resolution.js.map +1 -0
  67. package/dist/diagnostic-ids.d.ts +8 -0
  68. package/dist/diagnostic-ids.d.ts.map +1 -1
  69. package/dist/diagnostic-ids.js +8 -0
  70. package/dist/diagnostic-ids.js.map +1 -1
  71. package/dist/discovery.d.ts +33 -0
  72. package/dist/discovery.d.ts.map +1 -1
  73. package/dist/discovery.js +178 -80
  74. package/dist/discovery.js.map +1 -1
  75. package/dist/markdown.d.ts.map +1 -1
  76. package/dist/markdown.js +15 -0
  77. package/dist/markdown.js.map +1 -1
  78. package/dist/model.d.ts +17 -1
  79. package/dist/model.d.ts.map +1 -1
  80. package/dist/model.js +4 -1
  81. package/dist/model.js.map +1 -1
  82. package/dist/quality-profile.d.ts +91 -0
  83. package/dist/quality-profile.d.ts.map +1 -0
  84. package/dist/quality-profile.js +91 -0
  85. package/dist/quality-profile.js.map +1 -0
  86. package/dist/repeated-context.d.ts.map +1 -1
  87. package/dist/repeated-context.js +38 -83
  88. package/dist/repeated-context.js.map +1 -1
  89. package/dist/repository-boundary.d.ts +30 -0
  90. package/dist/repository-boundary.d.ts.map +1 -0
  91. package/dist/repository-boundary.js +116 -0
  92. package/dist/repository-boundary.js.map +1 -0
  93. package/dist/repository-evidence.d.ts +2 -0
  94. package/dist/repository-evidence.d.ts.map +1 -1
  95. package/dist/repository-evidence.js +6 -4
  96. package/dist/repository-evidence.js.map +1 -1
  97. package/dist/repository-paths.d.ts +19 -2
  98. package/dist/repository-paths.d.ts.map +1 -1
  99. package/dist/repository-paths.js +123 -14
  100. package/dist/repository-paths.js.map +1 -1
  101. package/dist/rules.d.ts +2 -0
  102. package/dist/rules.d.ts.map +1 -1
  103. package/dist/rules.js +322 -256
  104. package/dist/rules.js.map +1 -1
  105. package/dist/scanner.d.ts.map +1 -1
  106. package/dist/scanner.js +5 -1
  107. package/dist/scanner.js.map +1 -1
  108. package/dist/security-diagnostics.d.ts.map +1 -1
  109. package/dist/security-diagnostics.js +95 -30
  110. package/dist/security-diagnostics.js.map +1 -1
  111. package/dist/security-diff.d.ts +5 -2
  112. package/dist/security-diff.d.ts.map +1 -1
  113. package/dist/security-diff.js +20 -4
  114. package/dist/security-diff.js.map +1 -1
  115. package/dist/security-policy-inventory.d.ts +15 -3
  116. package/dist/security-policy-inventory.d.ts.map +1 -1
  117. package/dist/security-policy-inventory.js +123 -26
  118. package/dist/security-policy-inventory.js.map +1 -1
  119. package/dist/security-policy.d.ts +7 -0
  120. package/dist/security-policy.d.ts.map +1 -1
  121. package/dist/security-policy.js +70 -7
  122. package/dist/security-policy.js.map +1 -1
  123. package/dist/security-posture.d.ts.map +1 -1
  124. package/dist/security-posture.js +2 -1
  125. package/dist/security-posture.js.map +1 -1
  126. package/dist/skill-migration.js +2 -0
  127. package/dist/skill-migration.js.map +1 -1
  128. package/dist/static-support.d.ts +13 -0
  129. package/dist/static-support.d.ts.map +1 -0
  130. package/dist/static-support.js +284 -0
  131. package/dist/static-support.js.map +1 -0
  132. package/dist/token-estimator.d.ts +21 -0
  133. package/dist/token-estimator.d.ts.map +1 -0
  134. package/dist/token-estimator.js +84 -0
  135. package/dist/token-estimator.js.map +1 -0
  136. package/dist/trust-graph.d.ts +3 -3
  137. package/dist/trust-graph.d.ts.map +1 -1
  138. package/dist/trust-graph.js +76 -21
  139. package/dist/trust-graph.js.map +1 -1
  140. package/dist/types.d.ts +7 -2
  141. package/dist/types.d.ts.map +1 -1
  142. package/docs/README.md +61 -0
  143. package/docs/advanced-skill-authoring.md +147 -0
  144. package/docs/agent-skills-compatibility.md +508 -0
  145. package/docs/authoring-guide.md +382 -0
  146. package/docs/context-conflict-diagnostics.md +32 -0
  147. package/docs/context-language-diagnostics.md +99 -0
  148. package/docs/context-lens.md +253 -0
  149. package/docs/context-lifecycle-diagnostics.md +55 -0
  150. package/docs/diagnostics.md +406 -0
  151. package/docs/metadata-budget.md +14 -0
  152. package/docs/quality-profile.md +123 -0
  153. package/docs/repository-context-bom.md +172 -0
  154. package/docs/schemas/repository-context-bom-v2.schema.json +648 -0
  155. package/docs/schemas/trust-graph-v2.schema.json +301 -0
  156. package/docs/security-policy.md +354 -0
  157. package/docs/trust-graph.md +47 -0
  158. package/docs/user-manual.md +842 -0
  159. package/examples/context-lens/README.md +101 -0
  160. package/examples/context-lens/contexts/testing/boundary-value-analysis.md +23 -0
  161. package/examples/context-lens/lenses/testing/spec-review-boundary-values.md +29 -0
  162. package/examples/context-lens/lenses/testing/test-design-boundary-values.md +29 -0
  163. package/examples/context-lens/skills/testing/spec-review/SKILL.md +49 -0
  164. package/examples/context-repo/README.md +148 -0
  165. package/examples/context-repo/contexts/domain/payment/idempotency.md +27 -0
  166. package/examples/context-repo/contexts/testing/boundary-value-analysis.md +26 -0
  167. package/examples/context-repo/contexts/testing/negative-testing.md +26 -0
  168. package/examples/context-repo/lenses/testing/spec-review-boundary-values.md +35 -0
  169. package/examples/context-repo/renma.config.json +12 -0
  170. package/examples/context-repo/skills/testing/spec-review/SKILL.md +71 -0
  171. package/examples/context-repo/tools/appium/README.md +14 -0
  172. package/examples/github-actions/renma-ci-report.yml +36 -0
  173. package/examples/interactive-placeholder/README.md +104 -0
  174. package/examples/interactive-placeholder/assets/template.txt +1 -0
  175. package/examples/interactive-placeholder/renma.config.json +6 -0
  176. package/examples/interactive-placeholder/skills/replace-placeholder/SKILL.md +54 -0
  177. package/examples/interactive-placeholder/tools/README.md +48 -0
  178. package/examples/interactive-placeholder/tools/placeholder-demo.mjs +99 -0
  179. package/package.json +10 -1
  180. package/plan-discovery.md +749 -0
  181. package/plan.md +90 -0
  182. package/scripts/verify-package.mjs +104 -0
@@ -0,0 +1,533 @@
1
+ # Renma Architecture Direction
2
+
3
+ Renma is a Git-native context repository and deterministic governance layer for
4
+ LLM-facing knowledge. It keeps Skills, Context Lenses, Context Assets,
5
+ references, ownership, lifecycle, dependencies, and evidence reviewable as
6
+ maintainable software assets.
7
+
8
+ The current CLI surface covers `scan`, `catalog`, `ownership`, `graph`, focused
9
+ graph views, `trust-graph`, `readiness`, Repository Context BOM reports,
10
+ repeated-context diagnostics, semantic diff, `ci-report`, `inspect`, `scaffold`,
11
+ `suggest-metadata`, and `suggest-semantic-split`. Agent Skills validation and
12
+ security diagnostics are deterministic repository checks; they do not execute
13
+ commands or call external services.
14
+
15
+ Renma sits at the repository governance layer, not the runtime layer.
16
+
17
+ ```mermaid
18
+ flowchart TD
19
+ Repository["Git-reviewed repository assets"]
20
+ Renma["Renma: deterministic governance and repository health"]
21
+ Reports["Catalog, graph, diagnostics, Readiness, and BOM"]
22
+ Review["Human or coding-agent review"]
23
+ Runtimes["Agents and runtimes — outside Renma"]
24
+ Producers["External signal producers — outside Renma"]
25
+ Evidence["Separately produced evidence — future input"]
26
+ Repository --> Renma
27
+ Renma --> Reports
28
+ Reports --> Review
29
+ Repository -->|consumed according to runtime behavior| Runtimes
30
+ Producers -.-> Evidence
31
+ Evidence -.-> Renma
32
+ ```
33
+
34
+ Renma does not select Skills for live tasks, select or inject task Context,
35
+ assemble prompts, or execute workflows. Agents and runtimes decide how to use
36
+ repository assets for a task. Future evidence validation does not make Renma a
37
+ runtime telemetry collector; signal production and collection remain external.
38
+
39
+ Provenance remains repository-level. Repository Context BOM v2 is a manifest of declared assets, hashes, owners, lifecycle states, dependencies, security posture, diagnostics, and readiness evidence; it is not a report of actual LLM runtime usage. BOM v2 keeps Git revision identity in the surrounding Git/CI/PR artifact context and keeps any future consumed-context evidence separate from the declared repository manifest contract.
40
+
41
+ ## Goals
42
+
43
+ - Keep skills and context assets discoverable, owned, and reviewable.
44
+ - Treat shared context as a first-class repository asset outside individual skill directories.
45
+ - Validate references, metadata, lifecycle, and dependency graph health.
46
+ - Detect orphaned, deprecated, conflicting, missing, and repeated context.
47
+ - Provide deterministic catalog and graph snapshots for Git review and CI.
48
+ - Produce repository-level deterministic readiness reports.
49
+ - Allow optional LLM assistance for suggestions and semantic review without making LLMs required for core analysis.
50
+
51
+ ## Non-Goals
52
+
53
+ - Task-specific context choice
54
+ - Prompt assembly
55
+ - Agent execution
56
+ - Provider gateways
57
+ - Hosted dashboards
58
+ - Package synchronization
59
+ - Organization-wide distribution transport
60
+ - Runtime telemetry ownership
61
+
62
+ Renma is telemetry-aware, but not telemetry-responsible. It may import external signals later as evidence for repository review.
63
+
64
+ ## Source Layout
65
+
66
+ One illustrative repository layout is:
67
+
68
+ ```text
69
+ skills/
70
+ testing/
71
+ test-case-generation/
72
+ SKILL.md
73
+ spec-review/
74
+ SKILL.md
75
+ regression-planning/
76
+ SKILL.md
77
+ contexts/
78
+ testing/
79
+ boundary-value-analysis.md
80
+ negative-testing.md
81
+ regression-risk.md
82
+ domain/
83
+ payment/
84
+ idempotency.md
85
+ duplicate-charge.md
86
+ refund-risk.md
87
+ mobile/
88
+ offline-behavior.md
89
+ background-resume.md
90
+ tools/
91
+ appium/
92
+ usage-guideline.md
93
+ limitations.md
94
+ teams/
95
+ checkout/
96
+ payment-api-contracts.md
97
+ known-risk-patterns.md
98
+ metadata/
99
+ graph/
100
+ catalog/
101
+ ```
102
+
103
+ This tree is not a required layout for every repository asset. Context Assets,
104
+ Context Lenses, policies, references, and other knowledge may be organized by
105
+ domain, product, team, or workflow. Canonical Skill entrypoints in 0.16.0 are
106
+ nevertheless discovered only under `skills/**/SKILL.md` and
107
+ `.agents/skills/**/SKILL.md`. A custom scan glob does not turn an arbitrary path
108
+ such as `docs/skills/demo/SKILL.md` into a Skill. Renma's normalized repository
109
+ model is broader than the Agent Skills format, but arbitrary Skill roots are not
110
+ implemented.
111
+
112
+ `contexts/` is preferred. `context/` is also scanned for compatibility.
113
+
114
+ Skill-local `assets/`, `profiles/`, `references/`, `examples/`, and `scripts/`
115
+ remain supported. Shared Context Assets should become the durable source of
116
+ truth when knowledge is reused across Skills, teams, tools, or agents; shared
117
+ helper implementations belong under `tools/**`. Location alone does not prove
118
+ that local support should be promoted.
119
+
120
+ ## Core Concepts
121
+
122
+ ### Skill
123
+
124
+ A Skill is an agent-facing entrypoint, routing contract, and usage guide. It
125
+ tells a consuming agent when and how to use a capability, what preflight
126
+ questions matter, which safety and verification steps apply, and which Context
127
+ Assets or Context Lenses are relevant. Renma recognizes Agent Skills-compatible
128
+ syntax as the portable authoring boundary without reducing its internal model
129
+ to the Agent Skills data model.
130
+
131
+ A skill should not be the only source of truth for reusable expert knowledge.
132
+
133
+ ### Context Lens
134
+
135
+ A Context Lens is a purpose-oriented interpretation layer over one or more
136
+ Context Assets. It records a static repository relationship for governance and
137
+ review; Renma does not select a Lens at runtime, automatically load Context, or
138
+ assemble a prompt.
139
+
140
+ ### Context Asset
141
+
142
+ A context asset is an independently owned knowledge unit. It may be maintained by QA, domain teams, tooling teams, product teams, or platform teams.
143
+
144
+ Good context assets have:
145
+
146
+ - Stable ID
147
+ - Clear owner
148
+ - Lifecycle status
149
+ - Usage guidance
150
+ - Scope boundaries
151
+ - References or dependencies where needed
152
+
153
+ ### Asset
154
+
155
+ An asset is any repository object Renma can catalog, validate, reference, or include in graph checks.
156
+
157
+ Normalized asset kinds:
158
+
159
+ - `skill`
160
+ - `context`
161
+ - `context_lens`
162
+ - `profile`
163
+ - `reference`
164
+ - `example`
165
+ - `script`
166
+ - `asset`
167
+ - `agent`
168
+ - `config`
169
+ - `unknown`
170
+
171
+ Shared Markdown under `contexts/` or `context/` uses the dedicated `context`
172
+ kind. Skill-local scripts and assets are first-class inventory. Repository files
173
+ carry original-byte size and hash, text or binary classification, and Markdown
174
+ parser eligibility. Only artifacts explicitly eligible for Markdown parsing
175
+ contribute frontmatter, headings, links, fences, or repeated-context evidence.
176
+ Opaque files are never decoded into diagnostic snippets. Skill-local support
177
+ inherits effective ownership from its nearest owning Skill when it has no local
178
+ owner; catalog, graph, ownership, Readiness, Trust Graph, and BOM retain
179
+ `inherited` provenance instead of presenting that owner as locally declared.
180
+
181
+ ### Dependency
182
+
183
+ A dependency is a typed edge between assets.
184
+
185
+ Initial edge kinds:
186
+
187
+ - `requires`
188
+ - `optional`
189
+ - `conflicts`
190
+ - `extends`
191
+ - `references`
192
+
193
+ `references` is a declared static repository relationship used for graph analysis and repository validation; it does not mean Renma chooses task context.
194
+
195
+ Edges should carry source evidence: source path, line range, declaration form, and reason where available.
196
+
197
+ Declared reference validation is deterministic. Renma resolves references by exact asset ID or repository-relative path, with only a leading `./` normalized away for path compatibility. Unknown declared references, duplicate asset IDs, references to deprecated or archived assets, and orphaned first-class shared context assets are reported as repository-governance findings. Renma does not use fuzzy matching, semantic search, LLM inference, or runtime context selection for these checks.
198
+
199
+ ## Architecture
200
+
201
+ ```mermaid
202
+ flowchart TD
203
+ Inputs["Markdown, frontmatter, configuration, and documentation snapshots"]
204
+ Parsers["Importers and parsers"]
205
+ Model["Normalized repository model"]
206
+ Projections["Catalog and graph projections"]
207
+ Analysis["Validation, repeated-context analysis, and semantic diff"]
208
+ Outputs["Reports, Readiness, and repository manifests"]
209
+ Review["Human or coding-agent review"]
210
+ Inputs --> Parsers --> Model --> Projections --> Analysis --> Outputs --> Review
211
+ ```
212
+
213
+ The normalized model is the contract between files and higher-level features. Users work with Markdown and small metadata blocks. Renma uses the model internally to keep output deterministic and testable.
214
+
215
+ ## LLM-Actionable Diagnostics
216
+
217
+ Renma diagnostics are repository evidence and repair guidance. They should be
218
+ structured enough for humans to review and for LLM coding agents to turn into a
219
+ safe patch. A diagnostic should carry the rule code, severity, source evidence,
220
+ why the issue matters, the recommended repair direction, constraints to
221
+ preserve, and verification steps when available.
222
+
223
+ Renma core remains deterministic: scan, catalog, validate, and emit structured
224
+ findings. Optional helpers may produce LLM-friendly suggestions, but core
225
+ validation does not call an LLM or apply semantic rewrites.
226
+
227
+ ## Optional LLM Evaluation Boundary
228
+
229
+ Renma core is deterministic. LLM evaluation is optional and advisory.
230
+ Repository repair remains outside Renma.
231
+
232
+ Core commands such as `scan`, catalog construction, and rule evaluation should
233
+ not require or call an LLM. Given the same repository, configuration, and Renma
234
+ version, core validation should produce the same diagnostics. This keeps Renma
235
+ suitable for CI, code review, reproducible governance checks, and trustable
236
+ repository health reports.
237
+
238
+ Some repository improvement tasks are semantic by nature: finding similar or
239
+ overlapping knowledge across skills and contexts, deciding whether a
240
+ skill-local reference should be promoted to `contexts/`, evaluating whether two
241
+ context assets are duplicates, suggesting context asset names and boundaries, or
242
+ reviewing a semantic split proposal. Renma may support optional LLM-assisted
243
+ evaluation for these tasks, but those workflows should operate on explicit
244
+ inputs such as scan findings, catalog snapshots, selected files, or generated
245
+ review bundles. `suggest-semantic-split` is an example: it prepares a bounded
246
+ review bundle or prompt, does not call a provider, and does not rewrite files.
247
+
248
+ LLM-assisted workflows should produce suggestions, review bundles, or patch
249
+ guidance. They must not silently rewrite the repository, select task context,
250
+ assemble prompt packages, execute tools, orchestrate agents, or become required
251
+ for validation. Diagnostics such as
252
+ `MAINT-SKILL-REUSABLE-CONTEXT-CANDIDATE` and
253
+ `MAINT-SUPPORT-ASSET-SHARED-CONTEXT-CANDIDATE` can guide a calling LLM or human
254
+ toward semantic review, but Renma itself remains the deterministic evaluator.
255
+
256
+ The repair loop stays reviewable: Renma emits evidence, a human or calling
257
+ agent may propose a patch, a human reviews it, and Renma validates the updated
258
+ repository. An LLM is optional throughout this loop.
259
+
260
+ ```text
261
+ renma scan/catalog -> deterministic diagnostics or review bundle
262
+ human or calling agent -> proposes a repository patch
263
+ human review -> accepts or edits the patch
264
+ renma scan/catalog -> validates the result deterministically
265
+ ```
266
+
267
+ ## Metadata
268
+
269
+ Renma validates a small stable metadata subset. Canonical Skills serialize
270
+ Renma fields as flat, string-valued `metadata.renma.*` entries; this top-level
271
+ example is the retained syntax for Context Assets and other non-Skill assets:
272
+
273
+ ```yaml
274
+ id: domain.payment.idempotency
275
+ version: 1.0.0
276
+ owner: payments
277
+ status: stable
278
+ tags:
279
+ - payment
280
+ - qa
281
+ when_to_use:
282
+ - Testing payment retry or duplicate-submit behavior
283
+ when_not_to_use:
284
+ - Non-payment checkout UI copy review
285
+ requires_context:
286
+ - testing.negative-testing
287
+ optional_context:
288
+ - testing.regression-risk
289
+ conflicts:
290
+ - archived.payment.retry-v0
291
+ ```
292
+
293
+ The parser supports scalar values and YAML-style block lists for selected
294
+ non-Skill metadata fields. Canonical Skill list metadata uses JSON-array
295
+ strings. See `docs/agent-skills-compatibility.md` for the exact 0.16.0 boundary.
296
+
297
+ Status values:
298
+
299
+ - `experimental`
300
+ - `stable`
301
+ - `deprecated`
302
+ - `archived`
303
+
304
+ Fields should be added only when a command or rule uses them.
305
+
306
+ ## Catalog Snapshot
307
+
308
+ `renma catalog` should provide deterministic inventory.
309
+
310
+ Catalog entries should include:
311
+
312
+ - ID
313
+ - Kind
314
+ - Source path
315
+ - Content hash
316
+ - Owner
317
+ - Status
318
+ - Tags
319
+ - Declared dependencies
320
+ - Dependents
321
+ - Diagnostics
322
+
323
+ Catalog output should be stable across filesystems and Node versions.
324
+
325
+ ## Context Graph Snapshot
326
+
327
+ The graph should represent assets and typed dependencies. It should power:
328
+
329
+ - Missing reference checks
330
+ - Deprecated or archived dependency checks
331
+ - Orphaned context detection
332
+ - Conflict visibility
333
+ - Affected asset reporting
334
+ - Catalog enrichment
335
+ - Semantic diff
336
+ - Future visualization
337
+
338
+ Current commands:
339
+
340
+ ```bash
341
+ renma graph . --format json
342
+ renma graph . --format markdown
343
+ renma graph . --format mermaid
344
+ ```
345
+
346
+ The graph is not a runtime selection engine. It is repository evidence.
347
+
348
+ ## Validation
349
+
350
+ Validation should combine local file checks and graph-backed checks.
351
+
352
+ Rule areas:
353
+
354
+ - Repeated context maintenance:
355
+ - `MAINT-REPEATED-SECTION` detects exact repeated sections after whitespace normalization.
356
+ - `MAINT-REPEATED-HEADING` detects repeated non-generic headings across files.
357
+ - `MAINT-REPEATED-CODE-BLOCK` detects substantial repeated fenced code blocks.
358
+ - `MAINT-REPEATED-LINK` detects repeated repository context link targets.
359
+ - `MAINT-REPEATED-CONTEXT-PATTERN` detects repeated token shingles as deterministic consolidation evidence.
360
+ - These findings do not decide semantic source of truth. They provide stable evidence so an LLM or maintainer can propose a consolidation and a human can approve it.
361
+
362
+ - Missing or weak skill description
363
+ - Missing negative routing
364
+ - Missing usage guidance
365
+ - Missing preflight guidance
366
+ - Missing verification guidance
367
+ - Oversized skills or context assets
368
+ - Reusable context candidates inside SKILL.md files
369
+ - Missing shared context owner or ID
370
+ - Invalid status values
371
+ - Unknown dependencies
372
+ - Deprecated or archived referenced context
373
+ - Orphaned context assets
374
+ - Conflicting context declarations
375
+ - Repeated or duplicate knowledge
376
+ - Secret-like literal values
377
+ - Private key material
378
+ - Destructive commands without confirmation or recovery context
379
+ - Risky remote defaults
380
+ - Broad environment copying into subprocesses
381
+ - Hardcoded user-local paths
382
+
383
+ Static checks are evidence. Passing a scan does not prove an agent workflow is safe.
384
+
385
+ ## Repeated Context Discovery
386
+
387
+ Repeated context discovery is a bridge from "what exists" to "what should become shared context."
388
+
389
+ Deterministic signals:
390
+
391
+ - Normalized section hashes
392
+ - Token shingles
393
+ - Repeated headings
394
+ - Repeated command blocks
395
+ - Repeated links
396
+ - Repeated tool, domain, path, or product terms
397
+ - Similar workflow skeletons
398
+
399
+ Output should be a human-reviewable set of candidates with source paths, line ranges, signal kinds, confidence, and suggested context boundaries.
400
+
401
+ Optional LLM support may label clusters or draft refactors, but deterministic evidence remains authoritative.
402
+
403
+ ## Semantic Diff
404
+
405
+ Semantic diff should explain repository-health changes that normal Git diffs make hard to see.
406
+
407
+ Categories:
408
+
409
+ - Ownership changes
410
+ - Lifecycle status changes
411
+ - Dependency changes
412
+ - Conflict changes
413
+ - Missing reference changes
414
+ - Orphaned context changes
415
+ - Repeated-context candidate changes
416
+ - Safety and risk changes
417
+
418
+ Current command:
419
+
420
+ ```bash
421
+ renma diff . --from main --to HEAD
422
+ ```
423
+
424
+ ## Repository Health Reports
425
+
426
+ Readiness v1 is a deterministic static report that describes whether a repository is healthy enough for agents to consume.
427
+
428
+ Current v1 command:
429
+
430
+ ```bash
431
+ renma readiness [path] [--format json|markdown]
432
+ ```
433
+
434
+ The report summarizes level, score, workflow readiness, graph resolution, ownership coverage, diagnostics, and layout status. Markdown output is intentionally compact for PR descriptions, while JSON output keeps the same deterministic data available for CI.
435
+
436
+ The v1 report includes:
437
+
438
+ - Broken references
439
+ - Missing owners
440
+ - Missing usage boundaries
441
+ - Deprecated or archived reachable context
442
+ - Orphaned context
443
+ - Oversized assets
444
+ - Repeated knowledge
445
+ - Risk findings
446
+ - Affected skills and context assets
447
+
448
+ It should not choose task context for an agent run.
449
+
450
+ It does not call an LLM, select runtime context, assemble prompts, auto-repair files, perform cross-document semantic consistency analysis, score repairability, or plan per-skill patches.
451
+
452
+ ## External Signals
453
+
454
+ External tools may later emit signals into Renma:
455
+
456
+ - Context assets loaded by agents
457
+ - Context assets ignored by agents
458
+ - Repeated confusion around an asset
459
+ - Runtime failures mapped back to source paths
460
+ - CI findings attached to owners
461
+
462
+ Renma may later import these as repository evidence. Ownership of telemetry collection, storage, runtime tracing, and dashboards remains outside Renma.
463
+
464
+ Consumed-context evidence from external agents, editor integrations, prompt wrappers, or CI tools may be useful later, but it should be a separate artifact or explicitly separate attachment. It should relate back to declared repository evidence using stable values such as BOM digest or snapshot identity, asset ID, asset content hash, producer identity/version, and observation timestamp. Renma should validate that evidence against the catalog, graph, readiness, and security model instead of becoming the telemetry producer.
465
+
466
+ ## Architecture Stability
467
+
468
+ The scanner, normalized asset model, graph-backed governance, ownership,
469
+ Readiness, repeated-context evidence, semantic diff, security diagnostics,
470
+ Trust Graph v2 and Repository Context BOM v2 are implemented architecture. New
471
+ projections should reuse the shared repository-evidence snapshot and remain
472
+ additive unless a separately versioned contract requires a breaking change.
473
+
474
+ Release sequencing belongs in [plan.md](plan.md). Proposed Skill discovery is
475
+ isolated in [plan-discovery.md](plan-discovery.md) and is not implemented by the
476
+ current processing pipeline.
477
+
478
+ ## Implementation Notes
479
+
480
+ Representative current CLI commands:
481
+
482
+ ```bash
483
+ renma scan [path]
484
+ renma bom [path]
485
+ renma catalog [path]
486
+ renma graph [path]
487
+ renma trust-graph [path]
488
+ renma ownership [path]
489
+ renma readiness [path]
490
+ renma diff [path] --from <ref> --to <ref>
491
+ renma ci-report [path] --from <ref> --to <ref>
492
+ renma inspect <file>
493
+ renma scaffold <skill|context|context_lens> <path>
494
+ renma suggest-metadata <file>
495
+ renma suggest-semantic-split <file>
496
+ ```
497
+
498
+ `renma readiness` summarizes static repository health for human and external-agent review. It composes the graph/catalog model into deterministic score, level, metric, check, and diagnostic output; it does not call LLMs, select runtime context, assemble prompts, or repair files.
499
+
500
+ `renma inspect` inspects repository files and context assets by outline or line range. It does not choose task context or assemble prompts.
501
+
502
+ Baseline now in place:
503
+
504
+ - Dedicated `context` artifact kind.
505
+ - Default discovery for top-level `contexts/**/*.md` and `context/**/*.md`.
506
+ - Skill-local `references/` remain distinct from shared context assets.
507
+ - `SupportAsset` names non-skill catalog assets.
508
+ - `skill-local-support-reachability` validates static skill-local support files.
509
+ - `renma inspect` provides repository file inspection by outline or line range.
510
+ - Basic shared context metadata diagnostics.
511
+ - Duplicate asset ID detection.
512
+ - Unknown dependency and reference detection.
513
+ - Deprecated or archived dependency validation.
514
+ - Orphaned context asset detection.
515
+ - Readiness v1 repository-health report.
516
+ - Repeated context discovery across shared contexts, Skills, agents,
517
+ references, profiles, and examples.
518
+ - Security diagnostics, security posture summaries, and effective policy
519
+ inventory for agent-facing repository content.
520
+ - Trust Graph v2 evidence and Repository Context BOM v2.
521
+ - CI integration examples and optional LLM-assisted review bundles.
522
+
523
+ Future work may add imported external evidence after its contract is defined;
524
+ that does not move runtime selection, execution, or telemetry collection into
525
+ Renma.
526
+
527
+ ## Principle
528
+
529
+ ```text
530
+ LLM proposes. Renma verifies. Human approves.
531
+ ```
532
+
533
+ No-LLM workflows stay first-class. Renma's core value is deterministic repository evidence.