renma 0.17.0 → 0.18.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +123 -1
- package/README.md +11 -1
- package/architecture.md +14 -4
- package/design.md +13 -2
- package/dist/agent-skills.d.ts +1 -1
- package/dist/agent-skills.d.ts.map +1 -1
- package/dist/agent-skills.js +28 -8
- package/dist/agent-skills.js.map +1 -1
- package/dist/catalog.d.ts +1 -1
- package/dist/catalog.d.ts.map +1 -1
- package/dist/catalog.js +120 -12
- package/dist/catalog.js.map +1 -1
- package/dist/cli-help.d.ts +9 -5
- package/dist/cli-help.d.ts.map +1 -1
- package/dist/cli-help.js +9 -0
- package/dist/cli-help.js.map +1 -1
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +23 -0
- package/dist/cli.js.map +1 -1
- package/dist/commands/bom.d.ts +6 -3
- package/dist/commands/bom.d.ts.map +1 -1
- package/dist/commands/bom.js +27 -7
- package/dist/commands/bom.js.map +1 -1
- package/dist/commands/catalog.d.ts +1 -1
- package/dist/commands/catalog.d.ts.map +1 -1
- package/dist/commands/catalog.js +7 -1
- package/dist/commands/catalog.js.map +1 -1
- package/dist/commands/ci-report.d.ts.map +1 -1
- package/dist/commands/ci-report.js +18 -5
- package/dist/commands/ci-report.js.map +1 -1
- package/dist/commands/diff.js +8 -2
- package/dist/commands/diff.js.map +1 -1
- package/dist/commands/graph.d.ts +6 -2
- package/dist/commands/graph.d.ts.map +1 -1
- package/dist/commands/graph.js +23 -2
- package/dist/commands/graph.js.map +1 -1
- package/dist/commands/inspect.d.ts.map +1 -1
- package/dist/commands/inspect.js +2 -0
- package/dist/commands/inspect.js.map +1 -1
- package/dist/commands/ownership.d.ts +4 -3
- package/dist/commands/ownership.d.ts.map +1 -1
- package/dist/commands/ownership.js +27 -23
- package/dist/commands/ownership.js.map +1 -1
- package/dist/commands/readiness.d.ts +2 -1
- package/dist/commands/readiness.d.ts.map +1 -1
- package/dist/commands/readiness.js +98 -30
- package/dist/commands/readiness.js.map +1 -1
- package/dist/commands/scaffold.d.ts +3 -0
- package/dist/commands/scaffold.d.ts.map +1 -1
- package/dist/commands/scaffold.js +14 -0
- package/dist/commands/scaffold.js.map +1 -1
- package/dist/commands/suggest-metadata.d.ts.map +1 -1
- package/dist/commands/suggest-metadata.js +2 -0
- package/dist/commands/suggest-metadata.js.map +1 -1
- package/dist/commands/trust-graph.d.ts.map +1 -1
- package/dist/commands/trust-graph.js +12 -0
- package/dist/commands/trust-graph.js.map +1 -1
- package/dist/config.d.ts.map +1 -1
- package/dist/config.js +10 -3
- package/dist/config.js.map +1 -1
- package/dist/diagnostic-ids.d.ts +8 -0
- package/dist/diagnostic-ids.d.ts.map +1 -1
- package/dist/diagnostic-ids.js +8 -0
- package/dist/diagnostic-ids.js.map +1 -1
- package/dist/discovery.d.ts +5 -0
- package/dist/discovery.d.ts.map +1 -1
- package/dist/discovery.js +108 -65
- package/dist/discovery.js.map +1 -1
- package/dist/markdown.d.ts.map +1 -1
- package/dist/markdown.js +15 -0
- package/dist/markdown.js.map +1 -1
- package/dist/model.d.ts +17 -1
- package/dist/model.d.ts.map +1 -1
- package/dist/model.js +4 -1
- package/dist/model.js.map +1 -1
- package/dist/quality-profile.d.ts +91 -0
- package/dist/quality-profile.d.ts.map +1 -0
- package/dist/quality-profile.js +91 -0
- package/dist/quality-profile.js.map +1 -0
- package/dist/repeated-context.d.ts.map +1 -1
- package/dist/repeated-context.js +38 -83
- package/dist/repeated-context.js.map +1 -1
- package/dist/repository-boundary.d.ts +30 -0
- package/dist/repository-boundary.d.ts.map +1 -0
- package/dist/repository-boundary.js +116 -0
- package/dist/repository-boundary.js.map +1 -0
- package/dist/repository-evidence.d.ts +2 -0
- package/dist/repository-evidence.d.ts.map +1 -1
- package/dist/repository-evidence.js +6 -4
- package/dist/repository-evidence.js.map +1 -1
- package/dist/repository-paths.d.ts +6 -2
- package/dist/repository-paths.d.ts.map +1 -1
- package/dist/repository-paths.js +75 -24
- package/dist/repository-paths.js.map +1 -1
- package/dist/rules.d.ts +2 -0
- package/dist/rules.d.ts.map +1 -1
- package/dist/rules.js +263 -176
- package/dist/rules.js.map +1 -1
- package/dist/scanner.d.ts.map +1 -1
- package/dist/scanner.js +5 -1
- package/dist/scanner.js.map +1 -1
- package/dist/security-diagnostics.d.ts.map +1 -1
- package/dist/security-diagnostics.js +95 -30
- package/dist/security-diagnostics.js.map +1 -1
- package/dist/security-diff.d.ts +5 -2
- package/dist/security-diff.d.ts.map +1 -1
- package/dist/security-diff.js +20 -4
- package/dist/security-diff.js.map +1 -1
- package/dist/security-policy-inventory.d.ts +15 -3
- package/dist/security-policy-inventory.d.ts.map +1 -1
- package/dist/security-policy-inventory.js +123 -26
- package/dist/security-policy-inventory.js.map +1 -1
- package/dist/security-policy.d.ts +7 -0
- package/dist/security-policy.d.ts.map +1 -1
- package/dist/security-policy.js +70 -7
- package/dist/security-policy.js.map +1 -1
- package/dist/security-posture.d.ts.map +1 -1
- package/dist/security-posture.js +2 -1
- package/dist/security-posture.js.map +1 -1
- package/dist/skill-migration.js +2 -0
- package/dist/skill-migration.js.map +1 -1
- package/dist/static-support.d.ts +13 -0
- package/dist/static-support.d.ts.map +1 -0
- package/dist/static-support.js +284 -0
- package/dist/static-support.js.map +1 -0
- package/dist/token-estimator.d.ts +21 -0
- package/dist/token-estimator.d.ts.map +1 -0
- package/dist/token-estimator.js +84 -0
- package/dist/token-estimator.js.map +1 -0
- package/dist/trust-graph.d.ts +3 -3
- package/dist/trust-graph.d.ts.map +1 -1
- package/dist/trust-graph.js +69 -10
- package/dist/trust-graph.js.map +1 -1
- package/dist/types.d.ts +6 -1
- package/dist/types.d.ts.map +1 -1
- package/docs/README.md +13 -7
- package/docs/advanced-skill-authoring.md +16 -9
- package/docs/agent-skills-compatibility.md +10 -2
- package/docs/authoring-guide.md +62 -4
- package/docs/diagnostics.md +44 -11
- package/docs/quality-profile.md +123 -0
- package/docs/repository-context-bom.md +67 -8
- package/docs/schemas/repository-context-bom-v2.schema.json +648 -0
- package/docs/schemas/trust-graph-v2.schema.json +301 -0
- package/docs/security-policy.md +21 -5
- package/docs/trust-graph.md +47 -0
- package/docs/user-manual.md +34 -5
- package/examples/context-repo/README.md +6 -7
- package/examples/context-repo/contexts/domain/payment/idempotency.md +7 -0
- package/examples/context-repo/contexts/testing/boundary-value-analysis.md +7 -0
- package/examples/context-repo/contexts/testing/negative-testing.md +7 -0
- package/examples/context-repo/skills/testing/spec-review/SKILL.md +5 -0
- package/package.json +3 -1
- package/plan-discovery.md +24 -15
- package/plan.md +59 -119
- package/scripts/verify-package.mjs +8 -1
|
@@ -0,0 +1,123 @@
|
|
|
1
|
+
# Renma Quality Profile
|
|
2
|
+
|
|
3
|
+
`renma-quality` is Renma's internal quality-profile family. Reports identify
|
|
4
|
+
the active profile as `renma-quality@<Renma package version>`, derived from
|
|
5
|
+
`package.json` at build time. The source is `src/quality-profile.ts`. The current
|
|
6
|
+
implementation does not expose quality overrides in `renma.config.json`; fixed
|
|
7
|
+
defaults preserve comparable repository reports. The internal shape is
|
|
8
|
+
versioned so later releases can add reviewed overrides without scattering
|
|
9
|
+
constants across rules.
|
|
10
|
+
|
|
11
|
+
`estimated_tokens` means Renma's deterministic, model-neutral estimate. Latin
|
|
12
|
+
words, identifiers, URLs, and paths are lexical units; consecutive CJK text is
|
|
13
|
+
grouped in two-code-point units; other punctuation is grouped in units of up to
|
|
14
|
+
three code points. It is not an exact token count for any model. Skill budgets
|
|
15
|
+
measure Markdown after frontmatter. Content-asset budgets measure the full file.
|
|
16
|
+
|
|
17
|
+
## Agent Skills requirements and recommendations
|
|
18
|
+
|
|
19
|
+
| Field | Value | Unit and trigger | Severity | Source | Rationale and false-positive risk | Diagnostic | Reviewed | Configurable later |
|
|
20
|
+
| --- | ---: | --- | --- | --- | --- | --- | --- | --- |
|
|
21
|
+
| `agentSkills.nameMaxChars` | 64 | characters; above is invalid | error | Agent Skills specification | Portable identity limit | `AS-SKILL-INVALID-NAME` | 0.18.0 | no |
|
|
22
|
+
| `agentSkills.descriptionMinChars` | 1 | characters; below is invalid | error | Agent Skills specification | Required discovery metadata | `AS-SKILL-MISSING-DESCRIPTION` / `AS-SKILL-INVALID-DESCRIPTION` | 0.18.0 | no |
|
|
23
|
+
| `agentSkills.descriptionMaxChars` | 1,024 | characters; above is invalid | error | Agent Skills specification | Portable hard limit | `AS-SKILL-DESCRIPTION-TOO-LONG` | 0.18.0 | no |
|
|
24
|
+
| `agentSkills.compatibilityMaxChars` | 500 | characters; above is invalid | error | Agent Skills specification | Keeps optional environment requirements concise | `AS-SKILL-COMPATIBILITY-TOO-LONG` | 0.18.0 | no |
|
|
25
|
+
| `agentSkills.skillBodyRecommendedMaxTokens` | 5,000 | recommended body tokens | medium Renma advisory above | Agent Skills recommendation | Large focused workflows can still be valid | `QUAL-SKILL-TOKEN-BUDGET` | 0.18.0 | no |
|
|
26
|
+
| `agentSkills.skillRecommendedMaxLines` | 500 | recommended `SKILL.md` lines | documented review evidence | Agent Skills recommendation | Line count alone does not prove mixed responsibility | none | 0.18.0 | no |
|
|
27
|
+
| `agentSkills.recommendedReferenceDepth` | 1 | resource hop from `SKILL.md`; Renma accepts one additional index hop | low beyond two static hops | Agent Skills recommendation plus Renma reachability policy | An index may be useful; deep chains are easy to miss | `SUPPORT-DEEP-REFERENCE-CHAIN` | 0.18.0 | possibly |
|
|
28
|
+
|
|
29
|
+
The Agent Skills body has no prescribed format. Step-by-step instructions,
|
|
30
|
+
examples, edge cases, short commands, and the optional `scripts/`, `references/`,
|
|
31
|
+
and `assets/` directories are valid. See the official
|
|
32
|
+
[specification](https://agentskills.io/specification) and
|
|
33
|
+
[description guidance](https://agentskills.io/skill-creation/optimizing-descriptions).
|
|
34
|
+
|
|
35
|
+
## Renma workflow and content advisories
|
|
36
|
+
|
|
37
|
+
| Field | Value | Unit and trigger | Severity | Source | Rationale and false-positive risk | Diagnostic | Reviewed | Configurable later |
|
|
38
|
+
| --- | ---: | --- | --- | --- | --- | --- | --- | --- |
|
|
39
|
+
| `descriptionMinChars` | 0 | characters; disabled | none | Renma | Length does not establish selection clarity | `QUAL-SHORT-DESCRIPTION` removed from default behavior | 0.18.0 | possibly |
|
|
40
|
+
| `skillTokenWarn` | 2,000 | `estimated_tokens`; body above | low | Renma | Early progressive-disclosure review; focused workflows may exceed it | `QUAL-SKILL-TOKEN-BUDGET` | 0.18.0 | possibly |
|
|
41
|
+
| `skillTokenStrongWarn` | 5,000 | `estimated_tokens`; body above | medium | Agent Skills recommendation with Renma severity | Stronger review, not a required split | `QUAL-SKILL-TOKEN-BUDGET` | 0.18.0 | possibly |
|
|
42
|
+
| `contentTokenWarn.context` | 4,000 | `estimated_tokens`; full file above | low | Renma | Review coherent scope; size alone is insufficient | `QUAL-SUPPORT-ASSET-TOKEN-BUDGET` | 0.18.0 | possibly |
|
|
43
|
+
| `contentTokenWarn.reference` | 5,000 | same | low | Renma | Detailed local references may legitimately be long | same | 0.18.0 | possibly |
|
|
44
|
+
| `contentTokenWarn.profile` | 2,000 | same | low | Renma | Profiles should remain reviewable overlays | same | 0.18.0 | possibly |
|
|
45
|
+
| `contentTokenWarn.example` | 2,500 | same | low | Renma | Complete examples may legitimately be long | same | 0.18.0 | possibly |
|
|
46
|
+
| `lowHeadingDensityMinTokens` | 400 | body `estimated_tokens`, with fewer than 2 headings | low | Renma | Long prose can still be intentionally linear | `QUAL-LOW-HEADING-DENSITY` | 0.18.0 | possibly |
|
|
47
|
+
| `lowHeadingDensityMinHeadings` | 2 | headings | low | Renma | Navigation heuristic only | same | 0.18.0 | possibly |
|
|
48
|
+
|
|
49
|
+
## Metadata advisories
|
|
50
|
+
|
|
51
|
+
| Field | Value | Unit and trigger | Severity | Source | Rationale and false-positive risk | Diagnostic | Reviewed | Configurable later |
|
|
52
|
+
| --- | ---: | --- | --- | --- | --- | --- | --- | --- |
|
|
53
|
+
| `frontmatterMaxLines` | 48 | lines; above | low | Renma | Metadata should be a compact index | `META-FRONTMATTER-TOO-LARGE` | 0.18.0 | possibly |
|
|
54
|
+
| `frontmatterMaxChars` | 4,096 | characters; above | low | Renma | Separate from Agent Skills validity | same | 0.18.0 | possibly |
|
|
55
|
+
| `metadataListItemMaxChars` | 256 | characters per JSON-array or YAML-list element; above | low | Renma | Tags and prose routing should be compact; IDs, URLs, and paths are exempt where practical | `META-LIST-ITEM-TOO-LONG` | 0.18.0 | possibly |
|
|
56
|
+
|
|
57
|
+
## Reuse candidate advisories
|
|
58
|
+
|
|
59
|
+
| Detector | Eligibility and evidence | Severity | Source | Rationale and false-positive risk | Diagnostic | Reviewed | Configurable later |
|
|
60
|
+
| --- | --- | --- | --- | --- | --- | --- | --- |
|
|
61
|
+
| `reusableContextCandidate` | 60 lines **or** 800 body `estimated_tokens`; 4 distinct reusable signals; at least one reusable-knowledge signal | low | Renma | Verification, Examples, Edge Cases, Risks, Do not, Always, Never, and procedure headings do not qualify by themselves | `QUAL-SKILL-MIXED-RESPONSIBILITY` | 0.18.0 | possibly |
|
|
62
|
+
| `sharedSupportCandidate` | 80 lines **or** 1,200 full-file `estimated_tokens`; 3 reusable headings; 4 reusable phrases | low | Renma | Promotion still requires cross-Skill use, duplication, independent lifecycle, or source-of-truth evidence | `MAINT-SUPPORT-ASSET-SHARED-CONTEXT-CANDIDATE` | 0.18.0 | possibly |
|
|
63
|
+
|
|
64
|
+
## Repeated-context evidence
|
|
65
|
+
|
|
66
|
+
| Field | Default | Trigger | Severity | Source | False-positive control | Diagnostic | Reviewed | Configurable later |
|
|
67
|
+
| --- | ---: | --- | --- | --- | --- | --- | --- | --- |
|
|
68
|
+
| `repeatedContext.exactSectionMinTokens` | 40 | normalized section estimated tokens at or above | medium | Renma | combined with character and file floors | `MAINT-REPEATED-SECTION` | 0.18.0 | possibly |
|
|
69
|
+
| `repeatedContext.exactSectionMinChars` | 240 | normalized section characters at or above | medium | Renma | combined with token and file floors | same | 0.18.0 | possibly |
|
|
70
|
+
| `repeatedContext.exactSectionMinFiles` | 2 | files containing the exact section | medium | Renma | requires maintained duplication | same | 0.18.0 | possibly |
|
|
71
|
+
| `repeatedContext.exactCodeMinChars` | 80 | normalized fenced-code characters at or above | medium | Renma | combined with token and file floors | `MAINT-REPEATED-CODE-BLOCK` | 0.18.0 | possibly |
|
|
72
|
+
| `repeatedContext.exactCodeMinTokens` | 10 | normalized fenced-code estimated tokens at or above | medium | Renma | combined with character and file floors | same | 0.18.0 | possibly |
|
|
73
|
+
| `repeatedContext.exactCodeMinFiles` | 2 | files containing the exact block | medium | Renma | requires maintained duplication | same | 0.18.0 | possibly |
|
|
74
|
+
| `repeatedContext.headingMinChars` | 24 | normalized heading characters at or above | low | Renma | excludes short generic headings | `MAINT-REPEATED-HEADING` | 0.18.0 | possibly |
|
|
75
|
+
| `repeatedContext.headingMinTokens` | 3 | normalized heading estimated tokens at or above | low | Renma | excludes terse boilerplate | same | 0.18.0 | possibly |
|
|
76
|
+
| `repeatedContext.headingMinFiles` | 3 | files containing the same heading | low | Renma | heading equality is review evidence only | same | 0.18.0 | possibly |
|
|
77
|
+
| `repeatedContext.tokenShingleTokens` | 40 | estimated tokens in one normalized sequence | medium | Renma | common boilerplate excluded; near duplicates collapsed | `MAINT-REPEATED-CONTEXT-PATTERN` | 0.18.0 | possibly |
|
|
78
|
+
| `repeatedContext.tokenShingleMinFiles` | 3 | files containing the sequence | medium | Renma | requires broader repeated evidence | same | 0.18.0 | possibly |
|
|
79
|
+
| `repeatedContext.tokenShingleNearbyLineWindow` | 8 | source lines | n/a | Renma | collapses overlapping nearby matches from the same repeated passage | same | 0.18.0 | possibly |
|
|
80
|
+
| `repeatedContext.tokenShingleMinUniqueTokens` | 12 | unique estimated-token units | medium | Renma | excludes repetitive boilerplate sequences | same | 0.18.0 | possibly |
|
|
81
|
+
| `repeatedContext.tokenShingleMinUsefulTokens` | 14 | non-boilerplate estimated-token units | medium | Renma | requires meaningful lexical evidence | same | 0.18.0 | possibly |
|
|
82
|
+
| `repeatedContext.tokenShingleMinChars` | 140 | normalized characters | medium | Renma | excludes compact coincidental matches | same | 0.18.0 | possibly |
|
|
83
|
+
| `repeatedContext.findingCap` | 10 | findings per repeated-context category | n/a | Renma | presentation only; prevents category domination | all repeated-context IDs | 0.18.0 | possibly |
|
|
84
|
+
| repeated links | disabled | same target repeated | none | Renma | links to the same official source are normal | `MAINT-REPEATED-LINK` removed from default findings | 0.18.0 | possibly |
|
|
85
|
+
|
|
86
|
+
## Readiness policy
|
|
87
|
+
|
|
88
|
+
Readiness starts at 100. Specification failures, high or critical security
|
|
89
|
+
findings, diagnostic errors, and unresolved required graph closure remain
|
|
90
|
+
blocking even when the numeric score would otherwise pass. Deprecated or
|
|
91
|
+
archived assets have no existence penalty.
|
|
92
|
+
|
|
93
|
+
| Field | Default | Unit and trigger | Effect | Source | Rationale and false-positive risk | Related check or diagnostic | Reviewed | Configurable later |
|
|
94
|
+
| --- | ---: | --- | --- | --- | --- | --- | --- | --- |
|
|
95
|
+
| `readiness.blockingDiagnosticPenalty` | 40 | points; one or more diagnostic errors | subtract once and fail check | Renma | Structural errors require correction; diagnostic aggregation avoids multiplying one root cause | `diagnostics.errors` | 0.18.0 | possibly |
|
|
96
|
+
| `readiness.unresolvedRequiredGraphPenalty` | 30 | points; one or more unresolved required edges | subtract once and fail check | Renma | Required context closure is operationally necessary; optional edges are excluded | `graph.unresolved_edges` | 0.18.0 | possibly |
|
|
97
|
+
| `readiness.ownershipMaximumPenalty` | 20 | points; proportional to unowned assets | subtract 0-20 | Renma | Ownership supports review, but small or imported repositories may intentionally omit it | `ownership.coverage` | 0.18.0 | possibly |
|
|
98
|
+
| `readiness.emptyInventoryPenalty` | 10 | points; no cataloged assets | subtract once | Renma | Usually signals a wrong root or incomplete repository; an intentionally empty repository can be valid | `assets.minimum_inventory` | 0.18.0 | possibly |
|
|
99
|
+
| `readiness.workflowClarityPenalty` | 10 | points; workflow clarity warning | subtract once | Renma | Missing routing clarity impairs use; prose phrasing may evade static recognition | `workflow.clarity` and related `RN-SKILL-*` diagnostics | 0.18.0 | possibly |
|
|
100
|
+
| `readiness.workflowOptionalContextPenalty` | 5 | points; unusable optional context | subtract once | Renma | Optional context should resolve but does not block the core workflow | `workflow.optional_context` | 0.18.0 | possibly |
|
|
101
|
+
| `readiness.workflowRequiredInputsPenalty` | 5 | points; required inputs are unclear | subtract once | Renma | Review signal only because some Skills require no external inputs | `workflow.required_inputs` | 0.18.0 | possibly |
|
|
102
|
+
| `readiness.workflowCompletionCriteriaPenalty` | 10 | points; completion criteria are unclear | subtract once | Renma | Review signal only because completion language varies by workflow | `workflow.completion_criteria` | 0.18.0 | possibly |
|
|
103
|
+
| `readiness.layoutWarningPenalty` | 5 | points per warning layout/path check | subtract per check | Renma | Keeps resolvable path and layout debt visible without making one advisory blocking | `layout.*` / `paths.helper_commands` | 0.18.0 | possibly |
|
|
104
|
+
| `readiness.layoutFailurePenalty` | 15 | points per failing layout/path check | subtract per check and fail | Renma | Strict layout failures can make repository evidence unusable | `layout.*` / `paths.helper_commands` | 0.18.0 | possibly |
|
|
105
|
+
| `readiness.readyMinimumScore` | 90 | score; at or above with no failing check | `ready` | Renma | Maintains a high bar without making subjective advisories blocking | Readiness `level` | 0.18.0 | possibly |
|
|
106
|
+
| `readiness.needsAttentionMinimumScore` | 70 | score; below | `not_ready`; 70-89 is `needs_attention` | Renma | Separates accumulated review debt from isolated advisories | Readiness `level` | 0.18.0 | possibly |
|
|
107
|
+
|
|
108
|
+
## Security proximity, scan operations, and presentation
|
|
109
|
+
|
|
110
|
+
| Field | Default | Unit and trigger | Effect | Source | Rationale and false-positive risk | Related check or diagnostic | Reviewed | Configurable later |
|
|
111
|
+
| --- | ---: | --- | --- | --- | --- | --- | --- | --- |
|
|
112
|
+
| `security.precedingLineFastPath` | 2 | preceding source lines | supplements structural guard association | Renma | Preserves nearby-guard detection while headings, paragraphs, and list structure reduce formatting false positives | applicable `SEC-*` command diagnostics | 0.18.0 | no |
|
|
113
|
+
| `scan.defaultMaxFileSizeBytes` | 524,288 | bytes per discovered file | bound reading and hashing work | Renma operational default | Protects scans from unexpectedly large files; larger legitimate files may require existing scan configuration | discovery diagnostic | 0.18.0 | already configurable |
|
|
114
|
+
| `scan.defaultMaxDepth` | 16 | directory levels | bound discovery depth | Renma operational default | Prevents runaway traversal; unusually deep repositories may need existing scan configuration | discovery diagnostic | 0.18.0 | already configurable |
|
|
115
|
+
| `scan.defaultConcurrency` | 16 | concurrent file operations | bound scan concurrency | Renma operational default | Balances throughput and file-descriptor pressure | none | 0.18.0 | already configurable |
|
|
116
|
+
| `presentation.markdownReadinessFindingCap` | 50 | findings in Readiness Markdown | truncate presentation only | Renma | Keeps human reports readable without changing JSON evidence or score | Readiness Markdown | 0.18.0 | possibly |
|
|
117
|
+
| `presentation.topSummaryItemCap` | 10 | items in compact summaries | truncate presentation only | Renma | Avoids unbounded summaries; reviewers can use full reports | report summaries | 0.18.0 | possibly |
|
|
118
|
+
|
|
119
|
+
Structural guard proximity includes the same constraint or safety section, the
|
|
120
|
+
same list item, a directly associated paragraph, or a parent Human Approval,
|
|
121
|
+
Safety, or Constraints heading. Binary snippets are never exposed. Scan
|
|
122
|
+
operational limits retain their existing public config fields; none of the
|
|
123
|
+
quality or Readiness thresholds above are currently configurable.
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
# Repository Context BOM
|
|
2
2
|
|
|
3
|
-
`renma bom` emits
|
|
3
|
+
`renma bom` emits a declared repository manifest for review and CI consumers. Renma 0.18.0 supports only the v2 BOM and Trust Graph schemas. It does not provide a v1 compatibility mode. V2 is the first supported long-term contract; earlier v1 output was an experimental pre-contract surface removed before broader adoption.
|
|
4
4
|
|
|
5
5
|
The BOM is not a runtime usage report. It does not describe what an LLM actually consumed, assemble prompts, choose task-specific context, inject context into agents, execute agents, call an LLM, import consumed-context evidence, or collect telemetry.
|
|
6
6
|
|
|
@@ -12,7 +12,7 @@ flowchart TD
|
|
|
12
12
|
Diagnostics["Diagnostics and Readiness"]
|
|
13
13
|
Governance["Lifecycle and ownership evidence"]
|
|
14
14
|
Security["Security posture and policy inventory"]
|
|
15
|
-
Bom["Repository Context BOM
|
|
15
|
+
Bom["Repository Context BOM v2"]
|
|
16
16
|
Json["Authoritative JSON"]
|
|
17
17
|
Markdown["Markdown review projection"]
|
|
18
18
|
Revision["Git, CI, or PR context supplies revision identity"]
|
|
@@ -56,6 +56,10 @@ JSON is the authoritative BOM output. Markdown is a compact review projection fo
|
|
|
56
56
|
|
|
57
57
|
Array ordering is deterministic and part of Renma's output contract. Asset `sourcePath` values remain repository-relative. `root` and `configPath` remain absolute paths from the current environment.
|
|
58
58
|
|
|
59
|
+
Assets use `ownership.declaredOwner`, `ownership.effectiveOwner`,
|
|
60
|
+
`ownership.source`, and optional `ownership.inheritedFrom`. Readiness uses the
|
|
61
|
+
effective owner.
|
|
62
|
+
|
|
59
63
|
## Reproducibility
|
|
60
64
|
|
|
61
65
|
`--omit-generated-at` means only:
|
|
@@ -77,24 +81,79 @@ Supported guarantee:
|
|
|
77
81
|
|
|
78
82
|
> With the same checkout path, config path, repository contents, Renma version, and UTC evaluation date, repeated `--omit-generated-at` runs should produce byte-identical JSON.
|
|
79
83
|
|
|
80
|
-
Freshness evaluation uses the UTC calendar date. Metadata dates remain part of the snapshot and must not be removed as timestamp noise. A real file move is a meaningful BOM change because `sourcePath` is repository evidence. Portable byte-for-byte output across different runners is not a
|
|
84
|
+
Freshness evaluation uses the UTC calendar date. Metadata dates remain part of the snapshot and must not be removed as timestamp noise. A real file move is a meaningful BOM change because `sourcePath` is repository evidence. Portable byte-for-byte output across different runners is not a v2 guarantee.
|
|
81
85
|
|
|
82
86
|
## Schema Evolution
|
|
83
87
|
|
|
84
88
|
`schemaVersion` represents the consumer-facing BOM schema. `generator.version` represents the Renma implementation version and is not the schema version.
|
|
85
89
|
|
|
86
|
-
|
|
90
|
+
V2 is the first supported long-term contract for normalized ownership,
|
|
91
|
+
first-class support assets, and static support relationships. Consumers must
|
|
92
|
+
inspect `schemaVersion` independently from `generator.version`. A future
|
|
93
|
+
incompatible contract may intentionally introduce v3.
|
|
94
|
+
|
|
95
|
+
Within a schema, changes should be backward-compatible and additive:
|
|
87
96
|
|
|
88
97
|
- existing fields must not be removed, renamed, or given incompatible types or meanings;
|
|
89
98
|
- new optional fields may be added when a real consumer requires them;
|
|
90
99
|
- enum additions are consumer-visible changes and must be documented;
|
|
91
|
-
- a future breaking contract requires a new schema version rather than silently changing
|
|
100
|
+
- a future breaking contract requires a new schema version rather than silently changing existing semantics.
|
|
101
|
+
|
|
102
|
+
Treat `owns_local_resource`, `statically_references`, `inherits_owner`, and
|
|
103
|
+
`inherits_policy` as static repository evidence, not runtime behavior. Branch
|
|
104
|
+
on `schemaVersion`; `generator.version` is provenance only.
|
|
105
|
+
|
|
106
|
+
The published [BOM v2 JSON Schema](schemas/repository-context-bom-v2.schema.json)
|
|
107
|
+
is the machine-readable contract. `generatedAt` is required when `outputMode`
|
|
108
|
+
is `default` and forbidden when `outputMode` is `omit_generated_at`.
|
|
109
|
+
`configPath` remains optional and is absent when no configuration file was
|
|
110
|
+
loaded. Every other top-level field is required. Optional lifecycle, version,
|
|
111
|
+
status, target-resolution, and inherited-ownership fields appear only when
|
|
112
|
+
their evidence exists. Owner values are explicitly nullable; missing optional
|
|
113
|
+
fields are omitted rather than serialized as `null`.
|
|
114
|
+
|
|
115
|
+
Arrays are deterministically ordered by their identity/path keys, and count
|
|
116
|
+
fields are non-negative integers. Count maps contain every declared enum
|
|
117
|
+
member, including zero counts. Policy source ordering is `local`,
|
|
118
|
+
`security_profile`, `repository_config`, `owning_skill`. Static support
|
|
119
|
+
relationships use `owns_local_resource`, `statically_references`,
|
|
120
|
+
`inherits_owner`, and `inherits_policy`.
|
|
121
|
+
|
|
122
|
+
The Readiness summary is a closed contract for asset, ownership, graph,
|
|
123
|
+
diagnostic, workflow, Context Lens, security posture, and security policy
|
|
124
|
+
inventory evidence. Coverage and readiness percentages are constrained to
|
|
125
|
+
`0..100`. Security posture top-finding entries require an ID, non-negative
|
|
126
|
+
count, and maximum severity. Security policy `assetKinds` is a complete count
|
|
127
|
+
map containing every generated artifact kind, including zero values.
|
|
128
|
+
|
|
129
|
+
Representative top-level JSON (nested objects are shortened for readability;
|
|
130
|
+
the schema defines every nested field):
|
|
131
|
+
|
|
132
|
+
```json
|
|
133
|
+
{
|
|
134
|
+
"schemaVersion": "renma.repository-context-bom.v2",
|
|
135
|
+
"outputMode": "omit_generated_at",
|
|
136
|
+
"generator": { "name": "renma", "version": "0.18.0" },
|
|
137
|
+
"root": "/checkout/repository",
|
|
138
|
+
"scope": { "type": "declared_repository_manifest", "runtimeUsage": false, "telemetryCollected": false },
|
|
139
|
+
"summary": { "scannedFileCount": 0, "assetCount": 0, "dependencyCount": 0, "resolvedDependencyCount": 0, "unresolvedDependencyCount": 0, "ownedAssetCount": 0, "unownedAssetCount": 0, "readinessScore": 100, "readinessLevel": "ready", "diagnosticCounts": { "error": 0, "warning": 0, "info": 0 } },
|
|
140
|
+
"assets": [],
|
|
141
|
+
"dependencies": [],
|
|
142
|
+
"readiness": { "score": 100, "level": "ready", "checks": [], "summary": {} },
|
|
143
|
+
"securityPosture": { "totalSecurityFindings": 0, "riskClasses": { "violation": 0, "suspicious": 0, "advisory": 0, "unclassified": 0 }, "severities": { "critical": 0, "high": 0, "medium": 0, "low": 0 }, "highOrCritical": 0, "topFindingIds": [] },
|
|
144
|
+
"securityPolicyInventory": {},
|
|
145
|
+
"diagnostics": []
|
|
146
|
+
}
|
|
147
|
+
```
|
|
148
|
+
|
|
149
|
+
Generated representative reports are validated against the published schema in
|
|
150
|
+
the contract test suite.
|
|
92
151
|
|
|
93
152
|
`--omit-generated-at` does not make the report a generic canonical JSON format or a portable artifact.
|
|
94
153
|
|
|
95
154
|
## Source Provenance
|
|
96
155
|
|
|
97
|
-
BOM
|
|
156
|
+
BOM v2 provenance is deliberately repository-local:
|
|
98
157
|
|
|
99
158
|
- repository-relative source paths;
|
|
100
159
|
- per-asset content hashes;
|
|
@@ -102,11 +161,11 @@ BOM v1 provenance is deliberately repository-local:
|
|
|
102
161
|
- current absolute `root` and `configPath` information when available;
|
|
103
162
|
- lifecycle, dependency, diagnostic, readiness, security posture, and security policy inventory evidence.
|
|
104
163
|
|
|
105
|
-
Renma does not automatically invoke Git or add Git commit, branch, tag, or dirty-state fields
|
|
164
|
+
Renma does not automatically invoke Git or add Git commit, branch, tag, or dirty-state fields. Git revision identity is expected to come from the surrounding Git, CI, artifact, or pull-request context. Native Git provenance fields and a BOM digest may be considered later if external artifact storage or cross-run consumers require them.
|
|
106
165
|
|
|
107
166
|
## Consumed-Context Evidence
|
|
108
167
|
|
|
109
|
-
BOM
|
|
168
|
+
The BOM v2 schema describes declared repository state. Future consumed-context evidence must not redefine or mutate that meaning.
|
|
110
169
|
|
|
111
170
|
Runtime evidence should be a separate artifact or explicitly separate attachment. A future evidence record should relate back to a BOM using stable values such as a BOM digest or snapshot identity, asset ID, asset content hash, producer identity and version, and observation timestamp.
|
|
112
171
|
|