renma 0.17.0 → 0.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (156) hide show
  1. package/CHANGELOG.md +123 -1
  2. package/README.md +11 -1
  3. package/architecture.md +14 -4
  4. package/design.md +13 -2
  5. package/dist/agent-skills.d.ts +1 -1
  6. package/dist/agent-skills.d.ts.map +1 -1
  7. package/dist/agent-skills.js +28 -8
  8. package/dist/agent-skills.js.map +1 -1
  9. package/dist/catalog.d.ts +1 -1
  10. package/dist/catalog.d.ts.map +1 -1
  11. package/dist/catalog.js +120 -12
  12. package/dist/catalog.js.map +1 -1
  13. package/dist/cli-help.d.ts +9 -5
  14. package/dist/cli-help.d.ts.map +1 -1
  15. package/dist/cli-help.js +9 -0
  16. package/dist/cli-help.js.map +1 -1
  17. package/dist/cli.d.ts.map +1 -1
  18. package/dist/cli.js +23 -0
  19. package/dist/cli.js.map +1 -1
  20. package/dist/commands/bom.d.ts +6 -3
  21. package/dist/commands/bom.d.ts.map +1 -1
  22. package/dist/commands/bom.js +27 -7
  23. package/dist/commands/bom.js.map +1 -1
  24. package/dist/commands/catalog.d.ts +1 -1
  25. package/dist/commands/catalog.d.ts.map +1 -1
  26. package/dist/commands/catalog.js +7 -1
  27. package/dist/commands/catalog.js.map +1 -1
  28. package/dist/commands/ci-report.d.ts.map +1 -1
  29. package/dist/commands/ci-report.js +18 -5
  30. package/dist/commands/ci-report.js.map +1 -1
  31. package/dist/commands/diff.js +8 -2
  32. package/dist/commands/diff.js.map +1 -1
  33. package/dist/commands/graph.d.ts +6 -2
  34. package/dist/commands/graph.d.ts.map +1 -1
  35. package/dist/commands/graph.js +23 -2
  36. package/dist/commands/graph.js.map +1 -1
  37. package/dist/commands/inspect.d.ts.map +1 -1
  38. package/dist/commands/inspect.js +2 -0
  39. package/dist/commands/inspect.js.map +1 -1
  40. package/dist/commands/ownership.d.ts +4 -3
  41. package/dist/commands/ownership.d.ts.map +1 -1
  42. package/dist/commands/ownership.js +27 -23
  43. package/dist/commands/ownership.js.map +1 -1
  44. package/dist/commands/readiness.d.ts +2 -1
  45. package/dist/commands/readiness.d.ts.map +1 -1
  46. package/dist/commands/readiness.js +98 -30
  47. package/dist/commands/readiness.js.map +1 -1
  48. package/dist/commands/scaffold.d.ts +3 -0
  49. package/dist/commands/scaffold.d.ts.map +1 -1
  50. package/dist/commands/scaffold.js +14 -0
  51. package/dist/commands/scaffold.js.map +1 -1
  52. package/dist/commands/suggest-metadata.d.ts.map +1 -1
  53. package/dist/commands/suggest-metadata.js +2 -0
  54. package/dist/commands/suggest-metadata.js.map +1 -1
  55. package/dist/commands/trust-graph.d.ts.map +1 -1
  56. package/dist/commands/trust-graph.js +12 -0
  57. package/dist/commands/trust-graph.js.map +1 -1
  58. package/dist/config.d.ts.map +1 -1
  59. package/dist/config.js +10 -3
  60. package/dist/config.js.map +1 -1
  61. package/dist/diagnostic-ids.d.ts +8 -0
  62. package/dist/diagnostic-ids.d.ts.map +1 -1
  63. package/dist/diagnostic-ids.js +8 -0
  64. package/dist/diagnostic-ids.js.map +1 -1
  65. package/dist/discovery.d.ts +5 -0
  66. package/dist/discovery.d.ts.map +1 -1
  67. package/dist/discovery.js +108 -65
  68. package/dist/discovery.js.map +1 -1
  69. package/dist/markdown.d.ts.map +1 -1
  70. package/dist/markdown.js +15 -0
  71. package/dist/markdown.js.map +1 -1
  72. package/dist/model.d.ts +17 -1
  73. package/dist/model.d.ts.map +1 -1
  74. package/dist/model.js +4 -1
  75. package/dist/model.js.map +1 -1
  76. package/dist/quality-profile.d.ts +91 -0
  77. package/dist/quality-profile.d.ts.map +1 -0
  78. package/dist/quality-profile.js +91 -0
  79. package/dist/quality-profile.js.map +1 -0
  80. package/dist/repeated-context.d.ts.map +1 -1
  81. package/dist/repeated-context.js +38 -83
  82. package/dist/repeated-context.js.map +1 -1
  83. package/dist/repository-boundary.d.ts +30 -0
  84. package/dist/repository-boundary.d.ts.map +1 -0
  85. package/dist/repository-boundary.js +116 -0
  86. package/dist/repository-boundary.js.map +1 -0
  87. package/dist/repository-evidence.d.ts +2 -0
  88. package/dist/repository-evidence.d.ts.map +1 -1
  89. package/dist/repository-evidence.js +6 -4
  90. package/dist/repository-evidence.js.map +1 -1
  91. package/dist/repository-paths.d.ts +6 -2
  92. package/dist/repository-paths.d.ts.map +1 -1
  93. package/dist/repository-paths.js +75 -24
  94. package/dist/repository-paths.js.map +1 -1
  95. package/dist/rules.d.ts +2 -0
  96. package/dist/rules.d.ts.map +1 -1
  97. package/dist/rules.js +263 -176
  98. package/dist/rules.js.map +1 -1
  99. package/dist/scanner.d.ts.map +1 -1
  100. package/dist/scanner.js +5 -1
  101. package/dist/scanner.js.map +1 -1
  102. package/dist/security-diagnostics.d.ts.map +1 -1
  103. package/dist/security-diagnostics.js +95 -30
  104. package/dist/security-diagnostics.js.map +1 -1
  105. package/dist/security-diff.d.ts +5 -2
  106. package/dist/security-diff.d.ts.map +1 -1
  107. package/dist/security-diff.js +20 -4
  108. package/dist/security-diff.js.map +1 -1
  109. package/dist/security-policy-inventory.d.ts +15 -3
  110. package/dist/security-policy-inventory.d.ts.map +1 -1
  111. package/dist/security-policy-inventory.js +123 -26
  112. package/dist/security-policy-inventory.js.map +1 -1
  113. package/dist/security-policy.d.ts +7 -0
  114. package/dist/security-policy.d.ts.map +1 -1
  115. package/dist/security-policy.js +70 -7
  116. package/dist/security-policy.js.map +1 -1
  117. package/dist/security-posture.d.ts.map +1 -1
  118. package/dist/security-posture.js +2 -1
  119. package/dist/security-posture.js.map +1 -1
  120. package/dist/skill-migration.js +2 -0
  121. package/dist/skill-migration.js.map +1 -1
  122. package/dist/static-support.d.ts +13 -0
  123. package/dist/static-support.d.ts.map +1 -0
  124. package/dist/static-support.js +284 -0
  125. package/dist/static-support.js.map +1 -0
  126. package/dist/token-estimator.d.ts +21 -0
  127. package/dist/token-estimator.d.ts.map +1 -0
  128. package/dist/token-estimator.js +84 -0
  129. package/dist/token-estimator.js.map +1 -0
  130. package/dist/trust-graph.d.ts +3 -3
  131. package/dist/trust-graph.d.ts.map +1 -1
  132. package/dist/trust-graph.js +69 -10
  133. package/dist/trust-graph.js.map +1 -1
  134. package/dist/types.d.ts +6 -1
  135. package/dist/types.d.ts.map +1 -1
  136. package/docs/README.md +13 -7
  137. package/docs/advanced-skill-authoring.md +16 -9
  138. package/docs/agent-skills-compatibility.md +10 -2
  139. package/docs/authoring-guide.md +62 -4
  140. package/docs/diagnostics.md +44 -11
  141. package/docs/quality-profile.md +123 -0
  142. package/docs/repository-context-bom.md +67 -8
  143. package/docs/schemas/repository-context-bom-v2.schema.json +648 -0
  144. package/docs/schemas/trust-graph-v2.schema.json +301 -0
  145. package/docs/security-policy.md +21 -5
  146. package/docs/trust-graph.md +47 -0
  147. package/docs/user-manual.md +34 -5
  148. package/examples/context-repo/README.md +6 -7
  149. package/examples/context-repo/contexts/domain/payment/idempotency.md +7 -0
  150. package/examples/context-repo/contexts/testing/boundary-value-analysis.md +7 -0
  151. package/examples/context-repo/contexts/testing/negative-testing.md +7 -0
  152. package/examples/context-repo/skills/testing/spec-review/SKILL.md +5 -0
  153. package/package.json +3 -1
  154. package/plan-discovery.md +24 -15
  155. package/plan.md +59 -119
  156. package/scripts/verify-package.mjs +8 -1
@@ -0,0 +1,123 @@
1
+ # Renma Quality Profile
2
+
3
+ `renma-quality` is Renma's internal quality-profile family. Reports identify
4
+ the active profile as `renma-quality@<Renma package version>`, derived from
5
+ `package.json` at build time. The source is `src/quality-profile.ts`. The current
6
+ implementation does not expose quality overrides in `renma.config.json`; fixed
7
+ defaults preserve comparable repository reports. The internal shape is
8
+ versioned so later releases can add reviewed overrides without scattering
9
+ constants across rules.
10
+
11
+ `estimated_tokens` means Renma's deterministic, model-neutral estimate. Latin
12
+ words, identifiers, URLs, and paths are lexical units; consecutive CJK text is
13
+ grouped in two-code-point units; other punctuation is grouped in units of up to
14
+ three code points. It is not an exact token count for any model. Skill budgets
15
+ measure Markdown after frontmatter. Content-asset budgets measure the full file.
16
+
17
+ ## Agent Skills requirements and recommendations
18
+
19
+ | Field | Value | Unit and trigger | Severity | Source | Rationale and false-positive risk | Diagnostic | Reviewed | Configurable later |
20
+ | --- | ---: | --- | --- | --- | --- | --- | --- | --- |
21
+ | `agentSkills.nameMaxChars` | 64 | characters; above is invalid | error | Agent Skills specification | Portable identity limit | `AS-SKILL-INVALID-NAME` | 0.18.0 | no |
22
+ | `agentSkills.descriptionMinChars` | 1 | characters; below is invalid | error | Agent Skills specification | Required discovery metadata | `AS-SKILL-MISSING-DESCRIPTION` / `AS-SKILL-INVALID-DESCRIPTION` | 0.18.0 | no |
23
+ | `agentSkills.descriptionMaxChars` | 1,024 | characters; above is invalid | error | Agent Skills specification | Portable hard limit | `AS-SKILL-DESCRIPTION-TOO-LONG` | 0.18.0 | no |
24
+ | `agentSkills.compatibilityMaxChars` | 500 | characters; above is invalid | error | Agent Skills specification | Keeps optional environment requirements concise | `AS-SKILL-COMPATIBILITY-TOO-LONG` | 0.18.0 | no |
25
+ | `agentSkills.skillBodyRecommendedMaxTokens` | 5,000 | recommended body tokens | medium Renma advisory above | Agent Skills recommendation | Large focused workflows can still be valid | `QUAL-SKILL-TOKEN-BUDGET` | 0.18.0 | no |
26
+ | `agentSkills.skillRecommendedMaxLines` | 500 | recommended `SKILL.md` lines | documented review evidence | Agent Skills recommendation | Line count alone does not prove mixed responsibility | none | 0.18.0 | no |
27
+ | `agentSkills.recommendedReferenceDepth` | 1 | resource hop from `SKILL.md`; Renma accepts one additional index hop | low beyond two static hops | Agent Skills recommendation plus Renma reachability policy | An index may be useful; deep chains are easy to miss | `SUPPORT-DEEP-REFERENCE-CHAIN` | 0.18.0 | possibly |
28
+
29
+ The Agent Skills body has no prescribed format. Step-by-step instructions,
30
+ examples, edge cases, short commands, and the optional `scripts/`, `references/`,
31
+ and `assets/` directories are valid. See the official
32
+ [specification](https://agentskills.io/specification) and
33
+ [description guidance](https://agentskills.io/skill-creation/optimizing-descriptions).
34
+
35
+ ## Renma workflow and content advisories
36
+
37
+ | Field | Value | Unit and trigger | Severity | Source | Rationale and false-positive risk | Diagnostic | Reviewed | Configurable later |
38
+ | --- | ---: | --- | --- | --- | --- | --- | --- | --- |
39
+ | `descriptionMinChars` | 0 | characters; disabled | none | Renma | Length does not establish selection clarity | `QUAL-SHORT-DESCRIPTION` removed from default behavior | 0.18.0 | possibly |
40
+ | `skillTokenWarn` | 2,000 | `estimated_tokens`; body above | low | Renma | Early progressive-disclosure review; focused workflows may exceed it | `QUAL-SKILL-TOKEN-BUDGET` | 0.18.0 | possibly |
41
+ | `skillTokenStrongWarn` | 5,000 | `estimated_tokens`; body above | medium | Agent Skills recommendation with Renma severity | Stronger review, not a required split | `QUAL-SKILL-TOKEN-BUDGET` | 0.18.0 | possibly |
42
+ | `contentTokenWarn.context` | 4,000 | `estimated_tokens`; full file above | low | Renma | Review coherent scope; size alone is insufficient | `QUAL-SUPPORT-ASSET-TOKEN-BUDGET` | 0.18.0 | possibly |
43
+ | `contentTokenWarn.reference` | 5,000 | same | low | Renma | Detailed local references may legitimately be long | same | 0.18.0 | possibly |
44
+ | `contentTokenWarn.profile` | 2,000 | same | low | Renma | Profiles should remain reviewable overlays | same | 0.18.0 | possibly |
45
+ | `contentTokenWarn.example` | 2,500 | same | low | Renma | Complete examples may legitimately be long | same | 0.18.0 | possibly |
46
+ | `lowHeadingDensityMinTokens` | 400 | body `estimated_tokens`, with fewer than 2 headings | low | Renma | Long prose can still be intentionally linear | `QUAL-LOW-HEADING-DENSITY` | 0.18.0 | possibly |
47
+ | `lowHeadingDensityMinHeadings` | 2 | headings | low | Renma | Navigation heuristic only | same | 0.18.0 | possibly |
48
+
49
+ ## Metadata advisories
50
+
51
+ | Field | Value | Unit and trigger | Severity | Source | Rationale and false-positive risk | Diagnostic | Reviewed | Configurable later |
52
+ | --- | ---: | --- | --- | --- | --- | --- | --- | --- |
53
+ | `frontmatterMaxLines` | 48 | lines; above | low | Renma | Metadata should be a compact index | `META-FRONTMATTER-TOO-LARGE` | 0.18.0 | possibly |
54
+ | `frontmatterMaxChars` | 4,096 | characters; above | low | Renma | Separate from Agent Skills validity | same | 0.18.0 | possibly |
55
+ | `metadataListItemMaxChars` | 256 | characters per JSON-array or YAML-list element; above | low | Renma | Tags and prose routing should be compact; IDs, URLs, and paths are exempt where practical | `META-LIST-ITEM-TOO-LONG` | 0.18.0 | possibly |
56
+
57
+ ## Reuse candidate advisories
58
+
59
+ | Detector | Eligibility and evidence | Severity | Source | Rationale and false-positive risk | Diagnostic | Reviewed | Configurable later |
60
+ | --- | --- | --- | --- | --- | --- | --- | --- |
61
+ | `reusableContextCandidate` | 60 lines **or** 800 body `estimated_tokens`; 4 distinct reusable signals; at least one reusable-knowledge signal | low | Renma | Verification, Examples, Edge Cases, Risks, Do not, Always, Never, and procedure headings do not qualify by themselves | `QUAL-SKILL-MIXED-RESPONSIBILITY` | 0.18.0 | possibly |
62
+ | `sharedSupportCandidate` | 80 lines **or** 1,200 full-file `estimated_tokens`; 3 reusable headings; 4 reusable phrases | low | Renma | Promotion still requires cross-Skill use, duplication, independent lifecycle, or source-of-truth evidence | `MAINT-SUPPORT-ASSET-SHARED-CONTEXT-CANDIDATE` | 0.18.0 | possibly |
63
+
64
+ ## Repeated-context evidence
65
+
66
+ | Field | Default | Trigger | Severity | Source | False-positive control | Diagnostic | Reviewed | Configurable later |
67
+ | --- | ---: | --- | --- | --- | --- | --- | --- | --- |
68
+ | `repeatedContext.exactSectionMinTokens` | 40 | normalized section estimated tokens at or above | medium | Renma | combined with character and file floors | `MAINT-REPEATED-SECTION` | 0.18.0 | possibly |
69
+ | `repeatedContext.exactSectionMinChars` | 240 | normalized section characters at or above | medium | Renma | combined with token and file floors | same | 0.18.0 | possibly |
70
+ | `repeatedContext.exactSectionMinFiles` | 2 | files containing the exact section | medium | Renma | requires maintained duplication | same | 0.18.0 | possibly |
71
+ | `repeatedContext.exactCodeMinChars` | 80 | normalized fenced-code characters at or above | medium | Renma | combined with token and file floors | `MAINT-REPEATED-CODE-BLOCK` | 0.18.0 | possibly |
72
+ | `repeatedContext.exactCodeMinTokens` | 10 | normalized fenced-code estimated tokens at or above | medium | Renma | combined with character and file floors | same | 0.18.0 | possibly |
73
+ | `repeatedContext.exactCodeMinFiles` | 2 | files containing the exact block | medium | Renma | requires maintained duplication | same | 0.18.0 | possibly |
74
+ | `repeatedContext.headingMinChars` | 24 | normalized heading characters at or above | low | Renma | excludes short generic headings | `MAINT-REPEATED-HEADING` | 0.18.0 | possibly |
75
+ | `repeatedContext.headingMinTokens` | 3 | normalized heading estimated tokens at or above | low | Renma | excludes terse boilerplate | same | 0.18.0 | possibly |
76
+ | `repeatedContext.headingMinFiles` | 3 | files containing the same heading | low | Renma | heading equality is review evidence only | same | 0.18.0 | possibly |
77
+ | `repeatedContext.tokenShingleTokens` | 40 | estimated tokens in one normalized sequence | medium | Renma | common boilerplate excluded; near duplicates collapsed | `MAINT-REPEATED-CONTEXT-PATTERN` | 0.18.0 | possibly |
78
+ | `repeatedContext.tokenShingleMinFiles` | 3 | files containing the sequence | medium | Renma | requires broader repeated evidence | same | 0.18.0 | possibly |
79
+ | `repeatedContext.tokenShingleNearbyLineWindow` | 8 | source lines | n/a | Renma | collapses overlapping nearby matches from the same repeated passage | same | 0.18.0 | possibly |
80
+ | `repeatedContext.tokenShingleMinUniqueTokens` | 12 | unique estimated-token units | medium | Renma | excludes repetitive boilerplate sequences | same | 0.18.0 | possibly |
81
+ | `repeatedContext.tokenShingleMinUsefulTokens` | 14 | non-boilerplate estimated-token units | medium | Renma | requires meaningful lexical evidence | same | 0.18.0 | possibly |
82
+ | `repeatedContext.tokenShingleMinChars` | 140 | normalized characters | medium | Renma | excludes compact coincidental matches | same | 0.18.0 | possibly |
83
+ | `repeatedContext.findingCap` | 10 | findings per repeated-context category | n/a | Renma | presentation only; prevents category domination | all repeated-context IDs | 0.18.0 | possibly |
84
+ | repeated links | disabled | same target repeated | none | Renma | links to the same official source are normal | `MAINT-REPEATED-LINK` removed from default findings | 0.18.0 | possibly |
85
+
86
+ ## Readiness policy
87
+
88
+ Readiness starts at 100. Specification failures, high or critical security
89
+ findings, diagnostic errors, and unresolved required graph closure remain
90
+ blocking even when the numeric score would otherwise pass. Deprecated or
91
+ archived assets have no existence penalty.
92
+
93
+ | Field | Default | Unit and trigger | Effect | Source | Rationale and false-positive risk | Related check or diagnostic | Reviewed | Configurable later |
94
+ | --- | ---: | --- | --- | --- | --- | --- | --- | --- |
95
+ | `readiness.blockingDiagnosticPenalty` | 40 | points; one or more diagnostic errors | subtract once and fail check | Renma | Structural errors require correction; diagnostic aggregation avoids multiplying one root cause | `diagnostics.errors` | 0.18.0 | possibly |
96
+ | `readiness.unresolvedRequiredGraphPenalty` | 30 | points; one or more unresolved required edges | subtract once and fail check | Renma | Required context closure is operationally necessary; optional edges are excluded | `graph.unresolved_edges` | 0.18.0 | possibly |
97
+ | `readiness.ownershipMaximumPenalty` | 20 | points; proportional to unowned assets | subtract 0-20 | Renma | Ownership supports review, but small or imported repositories may intentionally omit it | `ownership.coverage` | 0.18.0 | possibly |
98
+ | `readiness.emptyInventoryPenalty` | 10 | points; no cataloged assets | subtract once | Renma | Usually signals a wrong root or incomplete repository; an intentionally empty repository can be valid | `assets.minimum_inventory` | 0.18.0 | possibly |
99
+ | `readiness.workflowClarityPenalty` | 10 | points; workflow clarity warning | subtract once | Renma | Missing routing clarity impairs use; prose phrasing may evade static recognition | `workflow.clarity` and related `RN-SKILL-*` diagnostics | 0.18.0 | possibly |
100
+ | `readiness.workflowOptionalContextPenalty` | 5 | points; unusable optional context | subtract once | Renma | Optional context should resolve but does not block the core workflow | `workflow.optional_context` | 0.18.0 | possibly |
101
+ | `readiness.workflowRequiredInputsPenalty` | 5 | points; required inputs are unclear | subtract once | Renma | Review signal only because some Skills require no external inputs | `workflow.required_inputs` | 0.18.0 | possibly |
102
+ | `readiness.workflowCompletionCriteriaPenalty` | 10 | points; completion criteria are unclear | subtract once | Renma | Review signal only because completion language varies by workflow | `workflow.completion_criteria` | 0.18.0 | possibly |
103
+ | `readiness.layoutWarningPenalty` | 5 | points per warning layout/path check | subtract per check | Renma | Keeps resolvable path and layout debt visible without making one advisory blocking | `layout.*` / `paths.helper_commands` | 0.18.0 | possibly |
104
+ | `readiness.layoutFailurePenalty` | 15 | points per failing layout/path check | subtract per check and fail | Renma | Strict layout failures can make repository evidence unusable | `layout.*` / `paths.helper_commands` | 0.18.0 | possibly |
105
+ | `readiness.readyMinimumScore` | 90 | score; at or above with no failing check | `ready` | Renma | Maintains a high bar without making subjective advisories blocking | Readiness `level` | 0.18.0 | possibly |
106
+ | `readiness.needsAttentionMinimumScore` | 70 | score; below | `not_ready`; 70-89 is `needs_attention` | Renma | Separates accumulated review debt from isolated advisories | Readiness `level` | 0.18.0 | possibly |
107
+
108
+ ## Security proximity, scan operations, and presentation
109
+
110
+ | Field | Default | Unit and trigger | Effect | Source | Rationale and false-positive risk | Related check or diagnostic | Reviewed | Configurable later |
111
+ | --- | ---: | --- | --- | --- | --- | --- | --- | --- |
112
+ | `security.precedingLineFastPath` | 2 | preceding source lines | supplements structural guard association | Renma | Preserves nearby-guard detection while headings, paragraphs, and list structure reduce formatting false positives | applicable `SEC-*` command diagnostics | 0.18.0 | no |
113
+ | `scan.defaultMaxFileSizeBytes` | 524,288 | bytes per discovered file | bound reading and hashing work | Renma operational default | Protects scans from unexpectedly large files; larger legitimate files may require existing scan configuration | discovery diagnostic | 0.18.0 | already configurable |
114
+ | `scan.defaultMaxDepth` | 16 | directory levels | bound discovery depth | Renma operational default | Prevents runaway traversal; unusually deep repositories may need existing scan configuration | discovery diagnostic | 0.18.0 | already configurable |
115
+ | `scan.defaultConcurrency` | 16 | concurrent file operations | bound scan concurrency | Renma operational default | Balances throughput and file-descriptor pressure | none | 0.18.0 | already configurable |
116
+ | `presentation.markdownReadinessFindingCap` | 50 | findings in Readiness Markdown | truncate presentation only | Renma | Keeps human reports readable without changing JSON evidence or score | Readiness Markdown | 0.18.0 | possibly |
117
+ | `presentation.topSummaryItemCap` | 10 | items in compact summaries | truncate presentation only | Renma | Avoids unbounded summaries; reviewers can use full reports | report summaries | 0.18.0 | possibly |
118
+
119
+ Structural guard proximity includes the same constraint or safety section, the
120
+ same list item, a directly associated paragraph, or a parent Human Approval,
121
+ Safety, or Constraints heading. Binary snippets are never exposed. Scan
122
+ operational limits retain their existing public config fields; none of the
123
+ quality or Readiness thresholds above are currently configurable.
@@ -1,6 +1,6 @@
1
1
  # Repository Context BOM
2
2
 
3
- `renma bom` emits the Repository Context BOM: a declared repository manifest for review and CI consumers. It is generated from Renma's local repository evidence and keeps `schemaVersion` at `renma.repository-context-bom.v1`.
3
+ `renma bom` emits a declared repository manifest for review and CI consumers. Renma 0.18.0 supports only the v2 BOM and Trust Graph schemas. It does not provide a v1 compatibility mode. V2 is the first supported long-term contract; earlier v1 output was an experimental pre-contract surface removed before broader adoption.
4
4
 
5
5
  The BOM is not a runtime usage report. It does not describe what an LLM actually consumed, assemble prompts, choose task-specific context, inject context into agents, execute agents, call an LLM, import consumed-context evidence, or collect telemetry.
6
6
 
@@ -12,7 +12,7 @@ flowchart TD
12
12
  Diagnostics["Diagnostics and Readiness"]
13
13
  Governance["Lifecycle and ownership evidence"]
14
14
  Security["Security posture and policy inventory"]
15
- Bom["Repository Context BOM v1"]
15
+ Bom["Repository Context BOM v2"]
16
16
  Json["Authoritative JSON"]
17
17
  Markdown["Markdown review projection"]
18
18
  Revision["Git, CI, or PR context supplies revision identity"]
@@ -56,6 +56,10 @@ JSON is the authoritative BOM output. Markdown is a compact review projection fo
56
56
 
57
57
  Array ordering is deterministic and part of Renma's output contract. Asset `sourcePath` values remain repository-relative. `root` and `configPath` remain absolute paths from the current environment.
58
58
 
59
+ Assets use `ownership.declaredOwner`, `ownership.effectiveOwner`,
60
+ `ownership.source`, and optional `ownership.inheritedFrom`. Readiness uses the
61
+ effective owner.
62
+
59
63
  ## Reproducibility
60
64
 
61
65
  `--omit-generated-at` means only:
@@ -77,24 +81,79 @@ Supported guarantee:
77
81
 
78
82
  > With the same checkout path, config path, repository contents, Renma version, and UTC evaluation date, repeated `--omit-generated-at` runs should produce byte-identical JSON.
79
83
 
80
- Freshness evaluation uses the UTC calendar date. Metadata dates remain part of the snapshot and must not be removed as timestamp noise. A real file move is a meaningful BOM change because `sourcePath` is repository evidence. Portable byte-for-byte output across different runners is not a v1 guarantee.
84
+ Freshness evaluation uses the UTC calendar date. Metadata dates remain part of the snapshot and must not be removed as timestamp noise. A real file move is a meaningful BOM change because `sourcePath` is repository evidence. Portable byte-for-byte output across different runners is not a v2 guarantee.
81
85
 
82
86
  ## Schema Evolution
83
87
 
84
88
  `schemaVersion` represents the consumer-facing BOM schema. `generator.version` represents the Renma implementation version and is not the schema version.
85
89
 
86
- Within BOM v1, changes should be backward-compatible and additive:
90
+ V2 is the first supported long-term contract for normalized ownership,
91
+ first-class support assets, and static support relationships. Consumers must
92
+ inspect `schemaVersion` independently from `generator.version`. A future
93
+ incompatible contract may intentionally introduce v3.
94
+
95
+ Within a schema, changes should be backward-compatible and additive:
87
96
 
88
97
  - existing fields must not be removed, renamed, or given incompatible types or meanings;
89
98
  - new optional fields may be added when a real consumer requires them;
90
99
  - enum additions are consumer-visible changes and must be documented;
91
- - a future breaking contract requires a new schema version rather than silently changing v1 semantics.
100
+ - a future breaking contract requires a new schema version rather than silently changing existing semantics.
101
+
102
+ Treat `owns_local_resource`, `statically_references`, `inherits_owner`, and
103
+ `inherits_policy` as static repository evidence, not runtime behavior. Branch
104
+ on `schemaVersion`; `generator.version` is provenance only.
105
+
106
+ The published [BOM v2 JSON Schema](schemas/repository-context-bom-v2.schema.json)
107
+ is the machine-readable contract. `generatedAt` is required when `outputMode`
108
+ is `default` and forbidden when `outputMode` is `omit_generated_at`.
109
+ `configPath` remains optional and is absent when no configuration file was
110
+ loaded. Every other top-level field is required. Optional lifecycle, version,
111
+ status, target-resolution, and inherited-ownership fields appear only when
112
+ their evidence exists. Owner values are explicitly nullable; missing optional
113
+ fields are omitted rather than serialized as `null`.
114
+
115
+ Arrays are deterministically ordered by their identity/path keys, and count
116
+ fields are non-negative integers. Count maps contain every declared enum
117
+ member, including zero counts. Policy source ordering is `local`,
118
+ `security_profile`, `repository_config`, `owning_skill`. Static support
119
+ relationships use `owns_local_resource`, `statically_references`,
120
+ `inherits_owner`, and `inherits_policy`.
121
+
122
+ The Readiness summary is a closed contract for asset, ownership, graph,
123
+ diagnostic, workflow, Context Lens, security posture, and security policy
124
+ inventory evidence. Coverage and readiness percentages are constrained to
125
+ `0..100`. Security posture top-finding entries require an ID, non-negative
126
+ count, and maximum severity. Security policy `assetKinds` is a complete count
127
+ map containing every generated artifact kind, including zero values.
128
+
129
+ Representative top-level JSON (nested objects are shortened for readability;
130
+ the schema defines every nested field):
131
+
132
+ ```json
133
+ {
134
+ "schemaVersion": "renma.repository-context-bom.v2",
135
+ "outputMode": "omit_generated_at",
136
+ "generator": { "name": "renma", "version": "0.18.0" },
137
+ "root": "/checkout/repository",
138
+ "scope": { "type": "declared_repository_manifest", "runtimeUsage": false, "telemetryCollected": false },
139
+ "summary": { "scannedFileCount": 0, "assetCount": 0, "dependencyCount": 0, "resolvedDependencyCount": 0, "unresolvedDependencyCount": 0, "ownedAssetCount": 0, "unownedAssetCount": 0, "readinessScore": 100, "readinessLevel": "ready", "diagnosticCounts": { "error": 0, "warning": 0, "info": 0 } },
140
+ "assets": [],
141
+ "dependencies": [],
142
+ "readiness": { "score": 100, "level": "ready", "checks": [], "summary": {} },
143
+ "securityPosture": { "totalSecurityFindings": 0, "riskClasses": { "violation": 0, "suspicious": 0, "advisory": 0, "unclassified": 0 }, "severities": { "critical": 0, "high": 0, "medium": 0, "low": 0 }, "highOrCritical": 0, "topFindingIds": [] },
144
+ "securityPolicyInventory": {},
145
+ "diagnostics": []
146
+ }
147
+ ```
148
+
149
+ Generated representative reports are validated against the published schema in
150
+ the contract test suite.
92
151
 
93
152
  `--omit-generated-at` does not make the report a generic canonical JSON format or a portable artifact.
94
153
 
95
154
  ## Source Provenance
96
155
 
97
- BOM v1 provenance is deliberately repository-local:
156
+ BOM v2 provenance is deliberately repository-local:
98
157
 
99
158
  - repository-relative source paths;
100
159
  - per-asset content hashes;
@@ -102,11 +161,11 @@ BOM v1 provenance is deliberately repository-local:
102
161
  - current absolute `root` and `configPath` information when available;
103
162
  - lifecycle, dependency, diagnostic, readiness, security posture, and security policy inventory evidence.
104
163
 
105
- Renma does not automatically invoke Git or add Git commit, branch, tag, or dirty-state fields in BOM v1. Git revision identity is expected to come from the surrounding Git, CI, artifact, or pull-request context. Native Git provenance fields and a BOM digest may be considered later if external artifact storage or cross-run consumers require them.
164
+ Renma does not automatically invoke Git or add Git commit, branch, tag, or dirty-state fields. Git revision identity is expected to come from the surrounding Git, CI, artifact, or pull-request context. Native Git provenance fields and a BOM digest may be considered later if external artifact storage or cross-run consumers require them.
106
165
 
107
166
  ## Consumed-Context Evidence
108
167
 
109
- BOM v1 describes declared repository state. Future consumed-context evidence must not redefine or mutate that meaning.
168
+ The BOM v2 schema describes declared repository state. Future consumed-context evidence must not redefine or mutate that meaning.
110
169
 
111
170
  Runtime evidence should be a separate artifact or explicitly separate attachment. A future evidence record should relate back to a BOM using stable values such as a BOM digest or snapshot identity, asset ID, asset content hash, producer identity and version, and observation timestamp.
112
171