renma 0.17.0 → 0.18.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (171) hide show
  1. package/CHANGELOG.md +152 -1
  2. package/README.md +11 -1
  3. package/architecture.md +21 -10
  4. package/design.md +52 -34
  5. package/dist/agent-skills.d.ts +1 -1
  6. package/dist/agent-skills.d.ts.map +1 -1
  7. package/dist/agent-skills.js +28 -8
  8. package/dist/agent-skills.js.map +1 -1
  9. package/dist/catalog.d.ts +1 -1
  10. package/dist/catalog.d.ts.map +1 -1
  11. package/dist/catalog.js +120 -12
  12. package/dist/catalog.js.map +1 -1
  13. package/dist/cli-help.d.ts +12 -8
  14. package/dist/cli-help.d.ts.map +1 -1
  15. package/dist/cli-help.js +23 -1
  16. package/dist/cli-help.js.map +1 -1
  17. package/dist/cli.d.ts.map +1 -1
  18. package/dist/cli.js +23 -0
  19. package/dist/cli.js.map +1 -1
  20. package/dist/commands/bom.d.ts +6 -3
  21. package/dist/commands/bom.d.ts.map +1 -1
  22. package/dist/commands/bom.js +27 -7
  23. package/dist/commands/bom.js.map +1 -1
  24. package/dist/commands/catalog.d.ts +1 -1
  25. package/dist/commands/catalog.d.ts.map +1 -1
  26. package/dist/commands/catalog.js +7 -1
  27. package/dist/commands/catalog.js.map +1 -1
  28. package/dist/commands/ci-report.d.ts.map +1 -1
  29. package/dist/commands/ci-report.js +18 -5
  30. package/dist/commands/ci-report.js.map +1 -1
  31. package/dist/commands/diff.js +8 -2
  32. package/dist/commands/diff.js.map +1 -1
  33. package/dist/commands/graph.d.ts +6 -2
  34. package/dist/commands/graph.d.ts.map +1 -1
  35. package/dist/commands/graph.js +23 -2
  36. package/dist/commands/graph.js.map +1 -1
  37. package/dist/commands/inspect.d.ts.map +1 -1
  38. package/dist/commands/inspect.js +2 -0
  39. package/dist/commands/inspect.js.map +1 -1
  40. package/dist/commands/ownership.d.ts +4 -3
  41. package/dist/commands/ownership.d.ts.map +1 -1
  42. package/dist/commands/ownership.js +27 -23
  43. package/dist/commands/ownership.js.map +1 -1
  44. package/dist/commands/readiness.d.ts +2 -1
  45. package/dist/commands/readiness.d.ts.map +1 -1
  46. package/dist/commands/readiness.js +98 -30
  47. package/dist/commands/readiness.js.map +1 -1
  48. package/dist/commands/scaffold.d.ts +3 -0
  49. package/dist/commands/scaffold.d.ts.map +1 -1
  50. package/dist/commands/scaffold.js +44 -9
  51. package/dist/commands/scaffold.js.map +1 -1
  52. package/dist/commands/suggest-metadata.d.ts.map +1 -1
  53. package/dist/commands/suggest-metadata.js +2 -0
  54. package/dist/commands/suggest-metadata.js.map +1 -1
  55. package/dist/commands/trust-graph.d.ts.map +1 -1
  56. package/dist/commands/trust-graph.js +12 -0
  57. package/dist/commands/trust-graph.js.map +1 -1
  58. package/dist/config.d.ts.map +1 -1
  59. package/dist/config.js +10 -3
  60. package/dist/config.js.map +1 -1
  61. package/dist/context-lens.d.ts +1 -0
  62. package/dist/context-lens.d.ts.map +1 -1
  63. package/dist/context-lens.js +19 -1
  64. package/dist/context-lens.js.map +1 -1
  65. package/dist/diagnostic-ids.d.ts +9 -0
  66. package/dist/diagnostic-ids.d.ts.map +1 -1
  67. package/dist/diagnostic-ids.js +9 -0
  68. package/dist/diagnostic-ids.js.map +1 -1
  69. package/dist/discovery.d.ts +5 -0
  70. package/dist/discovery.d.ts.map +1 -1
  71. package/dist/discovery.js +108 -65
  72. package/dist/discovery.js.map +1 -1
  73. package/dist/markdown.d.ts.map +1 -1
  74. package/dist/markdown.js +15 -0
  75. package/dist/markdown.js.map +1 -1
  76. package/dist/metadata.d.ts +15 -1
  77. package/dist/metadata.d.ts.map +1 -1
  78. package/dist/metadata.js +235 -0
  79. package/dist/metadata.js.map +1 -1
  80. package/dist/model.d.ts +20 -1
  81. package/dist/model.d.ts.map +1 -1
  82. package/dist/model.js +4 -1
  83. package/dist/model.js.map +1 -1
  84. package/dist/quality-profile.d.ts +91 -0
  85. package/dist/quality-profile.d.ts.map +1 -0
  86. package/dist/quality-profile.js +91 -0
  87. package/dist/quality-profile.js.map +1 -0
  88. package/dist/repeated-context.d.ts.map +1 -1
  89. package/dist/repeated-context.js +38 -83
  90. package/dist/repeated-context.js.map +1 -1
  91. package/dist/repository-boundary.d.ts +30 -0
  92. package/dist/repository-boundary.d.ts.map +1 -0
  93. package/dist/repository-boundary.js +116 -0
  94. package/dist/repository-boundary.js.map +1 -0
  95. package/dist/repository-evidence.d.ts +2 -0
  96. package/dist/repository-evidence.d.ts.map +1 -1
  97. package/dist/repository-evidence.js +6 -4
  98. package/dist/repository-evidence.js.map +1 -1
  99. package/dist/repository-paths.d.ts +6 -2
  100. package/dist/repository-paths.d.ts.map +1 -1
  101. package/dist/repository-paths.js +75 -24
  102. package/dist/repository-paths.js.map +1 -1
  103. package/dist/rules.d.ts +2 -0
  104. package/dist/rules.d.ts.map +1 -1
  105. package/dist/rules.js +322 -189
  106. package/dist/rules.js.map +1 -1
  107. package/dist/scanner.d.ts.map +1 -1
  108. package/dist/scanner.js +5 -1
  109. package/dist/scanner.js.map +1 -1
  110. package/dist/security-diagnostics.d.ts.map +1 -1
  111. package/dist/security-diagnostics.js +95 -30
  112. package/dist/security-diagnostics.js.map +1 -1
  113. package/dist/security-diff.d.ts +5 -2
  114. package/dist/security-diff.d.ts.map +1 -1
  115. package/dist/security-diff.js +20 -4
  116. package/dist/security-diff.js.map +1 -1
  117. package/dist/security-policy-inventory.d.ts +15 -3
  118. package/dist/security-policy-inventory.d.ts.map +1 -1
  119. package/dist/security-policy-inventory.js +123 -26
  120. package/dist/security-policy-inventory.js.map +1 -1
  121. package/dist/security-policy.d.ts +7 -0
  122. package/dist/security-policy.d.ts.map +1 -1
  123. package/dist/security-policy.js +70 -7
  124. package/dist/security-policy.js.map +1 -1
  125. package/dist/security-posture.d.ts.map +1 -1
  126. package/dist/security-posture.js +2 -1
  127. package/dist/security-posture.js.map +1 -1
  128. package/dist/skill-migration.js +2 -0
  129. package/dist/skill-migration.js.map +1 -1
  130. package/dist/static-support.d.ts +13 -0
  131. package/dist/static-support.d.ts.map +1 -0
  132. package/dist/static-support.js +284 -0
  133. package/dist/static-support.js.map +1 -0
  134. package/dist/token-estimator.d.ts +21 -0
  135. package/dist/token-estimator.d.ts.map +1 -0
  136. package/dist/token-estimator.js +84 -0
  137. package/dist/token-estimator.js.map +1 -0
  138. package/dist/trust-graph.d.ts +3 -3
  139. package/dist/trust-graph.d.ts.map +1 -1
  140. package/dist/trust-graph.js +69 -10
  141. package/dist/trust-graph.js.map +1 -1
  142. package/dist/types.d.ts +6 -1
  143. package/dist/types.d.ts.map +1 -1
  144. package/docs/README.md +15 -8
  145. package/docs/advanced-skill-authoring.md +16 -9
  146. package/docs/agent-skills-compatibility.md +10 -2
  147. package/docs/authoring-guide.md +89 -6
  148. package/docs/context-lens.md +319 -153
  149. package/docs/diagnostics.md +46 -11
  150. package/docs/metadata-budget.md +32 -0
  151. package/docs/quality-profile.md +135 -0
  152. package/docs/repository-context-bom.md +67 -8
  153. package/docs/schemas/repository-context-bom-v2.schema.json +648 -0
  154. package/docs/schemas/trust-graph-v2.schema.json +301 -0
  155. package/docs/security-policy.md +21 -5
  156. package/docs/trust-graph.md +47 -0
  157. package/docs/user-manual.md +48 -7
  158. package/examples/context-lens/README.md +8 -3
  159. package/examples/context-lens/contexts/testing/boundary-value-analysis.md +6 -2
  160. package/examples/context-lens/lenses/testing/spec-review-boundary-values.md +27 -5
  161. package/examples/context-lens/lenses/testing/test-design-boundary-values.md +27 -5
  162. package/examples/context-lens/skills/testing/spec-review/SKILL.md +33 -4
  163. package/examples/context-repo/README.md +6 -7
  164. package/examples/context-repo/contexts/domain/payment/idempotency.md +7 -0
  165. package/examples/context-repo/contexts/testing/boundary-value-analysis.md +7 -0
  166. package/examples/context-repo/contexts/testing/negative-testing.md +7 -0
  167. package/examples/context-repo/skills/testing/spec-review/SKILL.md +5 -0
  168. package/package.json +3 -1
  169. package/plan-discovery.md +24 -15
  170. package/plan.md +59 -119
  171. package/scripts/verify-package.mjs +8 -1
@@ -11,8 +11,15 @@ tags:
11
11
  purpose: test_design
12
12
  applies_to:
13
13
  - context.testing.boundary-value-analysis
14
- focus: inclusive limits, empty and zero values, overflow behavior, retry limits
15
- expected_outputs: test cases, edge-case checklist, coverage notes
14
+ focus:
15
+ - inclusive limits
16
+ - empty and zero values
17
+ - overflow behavior
18
+ - retry limits
19
+ expected_outputs:
20
+ - test cases
21
+ - edge-case checklist
22
+ - coverage notes
16
23
  allowed_data:
17
24
  - repo-local-files
18
25
  network_allowed: false
@@ -22,8 +29,23 @@ requires_human_approval: false
22
29
  ---
23
30
  # Test Design Lens for Boundary Values
24
31
 
25
- Use this lens when turning boundary value analysis context into concrete test coverage.
32
+ Interpret the applied boundary-value Context for test design that provides
33
+ reviewable evidence of behavior at and around material limits.
26
34
 
27
- Emphasize lower and upper bounds, inclusive and exclusive behavior, empty input, zero values, overflow, maximum retries, and expected failure modes.
35
+ ## Interpretation Criteria
28
36
 
29
- The lens should help produce test cases and coverage notes. It should not select runtime context, assemble a prompt, or duplicate the base boundary value analysis context.
37
+ - Map each declared limit to cases below, at, and above the boundary when those
38
+ states are valid for the system.
39
+ - Distinguish inclusive from exclusive behavior and cover empty input, zero
40
+ values, overflow, maximum retries, and expected failure modes when applicable.
41
+ - Trace each proposed case to a stated requirement and identify any expected
42
+ result that the specification leaves unresolved.
43
+ - Prefer deterministic cases whose setup, assertion, and failure evidence can
44
+ distinguish product behavior from a test defect.
45
+
46
+ ## Evidence And Output
47
+
48
+ Produce test cases, an edge-case checklist, and coverage notes with requirement
49
+ citations. Keep unresolved expected results explicit. Do not select runtime
50
+ Context, assemble a prompt, define the Skill workflow, or duplicate the base
51
+ Context.
@@ -19,7 +19,15 @@ metadata:
19
19
 
20
20
  Use this skill to review a specification before implementation or test design.
21
21
 
22
- The skill stays thin. It declares the reusable base context and the purpose-oriented lens, while the detailed knowledge remains in context assets and lens assets.
22
+ This Skill owns the focused review workflow. The declared Context Asset owns
23
+ reusable boundary-value knowledge, and the declared Lenses own purpose-specific
24
+ interpretation of that knowledge.
25
+
26
+ ## Selection Boundaries
27
+
28
+ Use this workflow when a specification needs evidence-backed analysis of
29
+ implementation or test-design boundaries. Do not use it to implement the
30
+ change, approve product decisions, or perform unrelated editorial review.
23
31
 
24
32
  ## Required Inputs
25
33
 
@@ -28,9 +36,28 @@ The skill stays thin. It declares the reusable base context and the purpose-orie
28
36
 
29
37
  ## Instructions
30
38
 
31
- 1. Read the declared context assets.
32
- 2. Apply the declared context lens to focus the review.
33
- 3. Produce unresolved questions, risk notes, and clarification suggestions.
39
+ 1. Confirm that the supplied specification and its sources are available. If a
40
+ required source is missing, record the gap rather than inventing behavior.
41
+ 2. Read the declared boundary-value Context Asset and the required spec-review
42
+ Lens. Apply the optional test-design Lens only when test coverage is also in
43
+ scope for the requested review.
44
+ 3. Extract stated behavior, limits, assumptions, and sources from the supplied
45
+ specification. Keep facts separate from inferences and unresolved questions.
46
+ 4. Apply the required Lens's interpretation criteria to the reusable Context.
47
+ Cite the reusable guidance where relevant instead of reproducing it in this
48
+ Skill or output.
49
+ 5. Prioritize findings by implementation or release risk. Cite the relevant
50
+ specification section or repository evidence for every finding.
51
+ 6. Produce the expected output below and leave decisions with the accountable
52
+ human owner.
53
+
54
+ ## Expected Output
55
+
56
+ - A short scope and evidence summary.
57
+ - Prioritized unresolved questions and risk notes.
58
+ - Clarification suggestions tied to cited source gaps.
59
+ - The Context and Lens IDs applied, including why the optional Lens was or was
60
+ not used.
34
61
 
35
62
  ## When Not To Use
36
63
 
@@ -41,6 +68,8 @@ approval, or an editorial workflow for copy-only review.
41
68
 
42
69
  - The output distinguishes known facts from open questions.
43
70
  - The output cites the source-of-truth gaps it found.
71
+ - Each finding has an impact or risk and an evidence-backed rationale.
72
+ - Use of the optional Lens matches the requested review scope.
44
73
  - The skill does not copy reusable testing guidance into this file.
45
74
 
46
75
  ## Completion Criteria
@@ -85,7 +85,7 @@ Run these commands from the renma repository root after building the CLI:
85
85
 
86
86
  ```bash
87
87
  npm run build
88
- node dist/index.js scan examples/context-repo
88
+ node dist/index.js scan examples/context-repo --fail-on high
89
89
  node dist/index.js catalog examples/context-repo --format markdown
90
90
  node dist/index.js ownership examples/context-repo --format markdown
91
91
  node dist/index.js graph examples/context-repo --view layered --format mermaid
@@ -99,7 +99,7 @@ node dist/index.js inspect examples/context-repo/skills/testing/spec-review/SKIL
99
99
  With an installed CLI, replace `node dist/index.js` with `renma`:
100
100
 
101
101
  ```bash
102
- renma scan examples/context-repo
102
+ renma scan examples/context-repo --fail-on high
103
103
  renma catalog examples/context-repo --format markdown
104
104
  renma ownership examples/context-repo --format markdown
105
105
  renma graph examples/context-repo --view layered --format mermaid
@@ -118,11 +118,10 @@ evidence into authoritative JSON or a Markdown review projection. `inspect`
118
118
  shows the structure of the workflow entrypoint.
119
119
 
120
120
  The example is structurally ready: its Skill and Lens validate, every declared
121
- relationship resolves, and every cataloged asset has an owner. `scan` also
122
- keeps advisory missing-security-policy findings visible for the fixture's
123
- Skill and Context Assets. The example does not invent security policy merely to
124
- produce an empty finding list; fixture owners would need to review and declare
125
- that policy.
121
+ relationship resolves, and every cataloged asset has an owner. Its Skill and
122
+ Context Assets declare a local-only security policy for repository files,
123
+ explicitly disclosed user inputs, and the Context bundled with the Skill, so
124
+ `scan` completes without diagnostics or security findings.
126
125
 
127
126
  ## Intentionally Not Demonstrated
128
127
 
@@ -11,6 +11,13 @@ when_to_use:
11
11
  - Reviewing payment write retry behavior or duplicate request handling
12
12
  when_not_to_use:
13
13
  - Reviewing non-payment retries or read-only request behavior
14
+ allowed_data:
15
+ - repo-local-files
16
+ - disclosed-user-provided-data
17
+ network_allowed: false
18
+ external_upload_allowed: false
19
+ secrets_allowed: false
20
+ requires_human_approval: true
14
21
  ---
15
22
 
16
23
  # Payment Idempotency
@@ -10,6 +10,13 @@ when_to_use:
10
10
  - Designing test cases around numeric, date, count, length, or pagination limits
11
11
  when_not_to_use:
12
12
  - Testing invalid inputs that are not tied to explicit boundary values
13
+ allowed_data:
14
+ - repo-local-files
15
+ - disclosed-user-provided-data
16
+ network_allowed: false
17
+ external_upload_allowed: false
18
+ secrets_allowed: false
19
+ requires_human_approval: true
13
20
  ---
14
21
 
15
22
  # Boundary Value Analysis
@@ -10,6 +10,13 @@ when_to_use:
10
10
  - Designing validation, unsupported-state, or error-handling test cases
11
11
  when_not_to_use:
12
12
  - Designing accepted boundary-value cases for valid limits
13
+ allowed_data:
14
+ - repo-local-files
15
+ - disclosed-user-provided-data
16
+ network_allowed: false
17
+ external_upload_allowed: false
18
+ secrets_allowed: false
19
+ requires_human_approval: true
13
20
  ---
14
21
 
15
22
  # Negative Testing
@@ -11,6 +11,11 @@ metadata:
11
11
  renma.requires-context: '["contexts/testing/negative-testing.md"]'
12
12
  renma.optional-context: '["context.domain.payment.idempotency"]'
13
13
  renma.requires-lens: '["lens.testing.spec-review.boundary-values"]'
14
+ renma.allowed-data: '["repo-local-files","skill-bundled-context","disclosed-user-provided-data"]'
15
+ renma.network-allowed: "false"
16
+ renma.external-upload-allowed: "false"
17
+ renma.secrets-allowed: "false"
18
+ renma.requires-human-approval: "true"
14
19
  ---
15
20
 
16
21
  # Spec Review
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "renma",
3
- "version": "0.17.0",
3
+ "version": "0.18.1",
4
4
  "description": "Manage human-curated context assets for LLMs and agents in Git.",
5
5
  "license": "MIT",
6
6
  "repository": {
@@ -57,6 +57,8 @@
57
57
  "devDependencies": {
58
58
  "@eslint/js": "^10.0.1",
59
59
  "@types/node": "^22.15.30",
60
+ "ajv": "^8.20.0",
61
+ "ajv-formats": "^3.0.1",
60
62
  "eslint": "^10.5.0",
61
63
  "eslint-config-prettier": "10.1.8",
62
64
  "prettier": "^3.5.3",
package/plan-discovery.md CHANGED
@@ -1,24 +1,26 @@
1
1
  # Renma Skill Discovery Plan
2
2
 
3
- Status: proposed
3
+ Status: deferred exploratory design
4
4
 
5
- Target: 0.18.0
5
+ Target: unassigned (post-0.18.0)
6
6
 
7
7
  Scope: optional, backward-compatible skill discovery for large single repositories
8
8
 
9
- Only **Current Baseline** describes implemented behavior. Route metadata,
10
- `skill-index`, discovery diagnostics, and the integrations proposed elsewhere in
11
- this document are not implemented in 0.17.0. This plan is intentionally outside
12
- the 0.17.0 usability and documentation-consolidation release.
9
+ Only **Current Baseline** describes implemented behavior. `routes_to`,
10
+ `skill-index`, discovery aliases, explicit routing entrypoints, generated
11
+ indexes, and related diagnostics are deferred proposals. They are not Renma
12
+ 0.18.0 behavior and have no assigned release. Runtime Skill selection remains
13
+ outside Renma.
13
14
 
14
15
  ## Summary
15
16
 
16
17
  Renma should add a static skill discovery projection for repositories that have grown beyond the point where an agent can reliably inspect every `SKILL.md` before choosing where to start.
17
18
 
18
- The implementation should preserve Renma's current model and boundaries:
19
+ Any future implementation must be reconsidered against Renma's focused-workflow
20
+ model and boundaries:
19
21
 
20
22
  ```text
21
- Skill = agent-facing entrypoint / routing contract / usage guide
23
+ Skill = focused, bounded workflow entrypoint and usage guide
22
24
  Context Lens = purpose-oriented interpretation layer over context assets
23
25
  Context Asset = independently owned source-of-truth knowledge
24
26
  ```
@@ -43,23 +45,30 @@ LLM proposes. Renma verifies. Human approves.
43
45
 
44
46
  ## Current Baseline
45
47
 
46
- The current 0.16.0 product model provides most of the infrastructure needed for
47
- this work, and 0.17.0 improves the usability of that baseline without
48
- implementing discovery:
48
+ The implemented 0.18.0 product provides infrastructure that a future design
49
+ could reuse without implementing Skill-to-Skill routing:
49
50
 
50
- - Repository discovery for skills, context assets, context lenses, profiles, references, examples, agents, config, and supporting files.
51
+ - Repository file discovery for Skills, Context Assets, Context Lenses,
52
+ profiles, references, examples, scripts, assets, agents, and config.
53
+ - First-class Skill-local support discovery, static reachability and ownership
54
+ relationships, and no-follow symlink handling.
51
55
  - A normalized catalog model with deterministic IDs, paths, hashes, owners, lifecycle metadata, tags, and declared dependencies.
52
56
  - A shared `RepositoryEvidence` collection path used by catalog, graph, and Repository Context BOM work.
53
57
  - Static graph relationships for required and optional context, required and optional lenses, lens application, conflicts, supersession references, and coverage evidence.
54
58
  - Markdown, JSON, and Mermaid reports for human review, CI, and downstream tooling.
55
- - Readiness, semantic diff, ownership, Trust Graph, diagnostics v2, review bundles, scaffold, and metadata suggestions.
59
+ - Readiness, semantic diff, ownership, Trust Graph v2, Repository Context BOM
60
+ v2, diagnostics v2, review bundles, scaffold, and metadata suggestions.
61
+ - Effective security-policy provenance across local metadata, profiles,
62
+ repository configuration, and owning-Skill inheritance.
56
63
  - A compact metadata parser that supports scalar values and selected block-list fields while intentionally discouraging large nested frontmatter.
57
64
 
58
- Skill discovery should extend this baseline. It should not create a parallel scanner, a second catalog, a new runtime service, or a separate source of truth.
65
+ Deferred Skill-to-Skill discovery is distinct from this implemented repository
66
+ and support-resource discovery. Any future work must not create a parallel
67
+ scanner, second catalog, runtime service, or separate source of truth.
59
68
 
60
69
  ## Decision Status
61
70
 
62
- Accepted constraints for 0.18.0 design are:
71
+ Constraints for any future design are:
63
72
 
64
73
  - Renma remains a deterministic repository-governance layer, not a runtime
65
74
  selector.
package/plan.md CHANGED
@@ -2,149 +2,89 @@
2
2
 
3
3
  ## Current Product Definition
4
4
 
5
- Renma is a Git-native context repository and deterministic governance CLI for
6
- agent-consumable Skills, Context Lenses, Context Assets, references, policies,
7
- ownership, lifecycle, dependencies, and evidence.
5
+ Renma 0.18.0 is the current shipped baseline: a Git-native context repository
6
+ and deterministic governance CLI for agent-consumable Skills, Context Lenses,
7
+ Context Assets, local support resources, policies, ownership, lifecycle,
8
+ dependencies, and review evidence.
8
9
 
9
10
  ```text
10
- Skill = agent-facing entrypoint, routing contract, and workflow guide
11
+ Skill = focused, bounded workflow entrypoint
11
12
  Context Lens = purpose-oriented interpretation over Context Assets
12
13
  Context Asset = independently owned source-of-truth knowledge
13
14
  ```
14
15
 
15
- Use platform-native Skill authoring guidance for general Skill design, then use
16
- Renma for repository-specific governance and validation. Renma keeps repository
17
- assets discoverable, compatible, owned, linked, validated, reviewable, and
18
- measurable in Git and CI.
19
-
20
- Renma's deterministic core follows:
16
+ Use platform-native guidance for general Skill authoring, then use Renma for
17
+ repository-specific governance. Renma follows the deterministic boundary:
21
18
 
22
19
  ```text
23
20
  LLM proposes. Renma verifies. Human approves.
24
21
  ```
25
22
 
26
- No-LLM workflows remain first-class.
27
-
28
- ## Stable Product Boundaries
23
+ ## Implemented 0.18.0 Baseline
29
24
 
30
- Renma owns:
25
+ The shipped baseline includes:
31
26
 
32
- - repository discovery and parsing;
33
- - a normalized asset and relationship model;
34
- - Agent Skills compatibility checks;
35
- - catalog, ownership, graph, Trust Graph, Readiness, and BOM projections;
36
- - deterministic workflow, metadata, lifecycle, relationship, maintenance, and
37
- security diagnostics;
38
- - semantic diff and CI review evidence; and
39
- - deterministic scaffold and non-editing suggestion output.
27
+ - focused workflow Skills with explicit usage boundaries rather than thin
28
+ routing-only entrypoints;
29
+ - progressive disclosure through static, reviewable references;
30
+ - first-class Skill-local `references/`, `profiles/`, `examples/`, `scripts/`,
31
+ and `assets/` resources under `skills/**` and `.agents/skills/**`;
32
+ - deterministic ownership, reachability, helper-command, and static support
33
+ relationships, including ambiguity that fails closed;
34
+ - repository-bounded discovery that never follows leaf or directory symlinks,
35
+ with actionable evidence for referenced unusable paths;
36
+ - canonical Agent Skills compatibility, migration guidance, scaffold, inspect,
37
+ and non-editing suggestion workflows;
38
+ - catalog, graph, ownership, Readiness, semantic diff, CI, diagnostics v2, and
39
+ review-bundle projections;
40
+ - security diagnostics, reusable profiles, effective-policy inventory, and
41
+ deterministic compositional policy provenance; and
42
+ - Repository Context BOM v2 and Trust Graph v2 as the first supported
43
+ long-term contracts and the only emitted BOM/Trust Graph schemas.
44
+
45
+ Repository Context BOM v2 is a declared repository manifest, not a record of
46
+ what an LLM consumed. Trust Graph v2 is deterministic review evidence, not a
47
+ subjective score or runtime enforcement system.
48
+
49
+ Historical release detail belongs in [CHANGELOG.md](CHANGELOG.md). Contract
50
+ details live in [architecture.md](architecture.md), [design.md](design.md), and
51
+ the focused documents under [docs/](docs/README.md).
40
52
 
41
- Renma does not own:
53
+ ## Stable Product Boundaries
42
54
 
43
- - general Skill authoring logic supplied by platforms;
44
- - live Skill or Context selection;
45
- - prompt assembly or Context injection;
46
- - Skill, agent, or tool execution;
47
- - runtime telemetry collection;
48
- - hosted dashboards or provider gateways;
49
- - automatic semantic rewriting; or
50
- - automatic policy weakening or suppression creation.
55
+ Renma owns repository discovery and parsing, normalized static evidence,
56
+ validation, deterministic projections, and review-oriented authoring support.
57
+ It does not own live Skill or Context selection, prompt assembly, execution,
58
+ runtime telemetry, hosted gateways, automatic semantic rewriting, or automatic
59
+ policy weakening.
51
60
 
52
- Repository Context BOM v1 remains a declared repository manifest, not a record
53
- of what an LLM consumed. Trust Graph remains deterministic review evidence, not
54
- a subjective trust score or runtime enforcement system.
61
+ ## Deferred Skill-to-Skill Discovery Design
55
62
 
56
- ## Completed Baseline Through 0.16.0
63
+ Graph-based Skill-to-Skill route discovery is not a 0.18.0 feature and has no
64
+ assigned release. The exploratory design in
65
+ [plan-discovery.md](plan-discovery.md) discusses possible `routes_to` metadata,
66
+ discovery aliases, generated routing indexes, and a `skill-index` projection.
67
+ None is an implemented contract.
57
68
 
58
- The shipped baseline includes:
59
-
60
- - deterministic repository scanning, catalog, ownership, graph, focused graph,
61
- Readiness, semantic diff, and CI reports;
62
- - first-class Context Assets and Context Lenses with graph-backed validation;
63
- - repeated-context and workflow diagnostics;
64
- - security diagnostics, reusable policy profiles, posture summaries, and
65
- effective policy inventory;
66
- - Trust Graph evidence and Repository Context BOM v1;
67
- - `inspect`, `scaffold`, `suggest-metadata`, and
68
- `suggest-semantic-split` authoring support;
69
- - LLM-actionable diagnostics v2 and review bundles; and
70
- - the canonical Agent Skills-compatible Skill format introduced in 0.16.0,
71
- with flat string-valued `metadata.renma.*` governance and security fields and
72
- a conservative one-way migration path.
73
-
74
- Historical release detail belongs in [CHANGELOG.md](CHANGELOG.md). Authoritative
75
- technical contracts remain in [architecture.md](architecture.md),
76
- [design.md](design.md), and the focused documents under [docs/](docs/README.md).
77
-
78
- ## 0.17.0: Usability And Documentation Consolidation
79
-
80
- Renma 0.17.0 improves the usability and consistency of the authoring and
81
- governance workflows established in 0.16.0. It clarifies documentation, CLI
82
- guidance, and the handoff between platform-native Skill authoring and Renma's
83
- repository-specific validation.
84
-
85
- The release focuses on:
86
-
87
- - making the new-Skill authoring → scaffold → scan → refine loop discoverable;
88
- - making the existing-Skill review → suggest-metadata → scan → refine loop
89
- discoverable;
90
- - keeping generic CLI guidance platform-neutral;
91
- - preserving conservative blocked migration and non-editing behavior;
92
- - consolidating README, user-manual, authoring, compatibility, architecture,
93
- design, and roadmap responsibilities; and
94
- - retaining detailed BOM, security, migration, diagnostic, and repository-model
95
- contracts in focused documents.
96
-
97
- This release does not add a major command, new schema, discovery model, runtime
98
- capability, packaging system, or telemetry import.
99
-
100
- ## 0.18.0: Graph-Based Skill Discovery
101
-
102
- The next proposed capability is a static Skill discovery projection for large
103
- single repositories. The target is 0.18.0, not 0.17.0.
104
-
105
- The proposal may add exact Skill-to-Skill route evidence, a static
106
- `skill-index` report, conservative entrypoint inference, deterministic
107
- discovery diagnostics, and later Readiness/diff integrations. It must preserve
108
- the source `SKILL.md` files, the non-runtime boundary, deterministic outputs,
109
- and backward compatibility.
110
-
111
- The design is proposed rather than implemented. See
112
- [plan-discovery.md](plan-discovery.md) for prototype knowledge, open decisions,
113
- phases, and non-goals.
69
+ Any future proposal must be reconsidered against the focused-workflow model
70
+ introduced in 0.18.0. It must remain deterministic and static, avoid runtime
71
+ selection, preserve source Skills, and receive an explicit version and contract
72
+ decision before implementation.
114
73
 
115
74
  ## Later Candidates
116
75
 
117
- Later work may consider:
118
-
119
- - importing separately produced consumed-context evidence after a stable,
120
- versioned contract exists;
121
- - additive BOM or Trust Graph projections for stable discovery evidence;
122
- - optional semantic review helpers that consume explicit deterministic bundles;
123
- - multi-repository or distribution workflows after the single-repository model
124
- is stable; and
125
- - review visualizations derived from versioned report contracts.
126
-
127
- These candidates require explicit product decisions. They are not commitments
128
- and must not blur repository governance with runtime execution or telemetry
129
- ownership.
76
+ Future product decisions may consider imported external consumed-context
77
+ evidence, additive projections over stable evidence, optional semantic-review
78
+ helpers, multi-repository workflows, or review visualizations. These are not
79
+ commitments and have no assigned version.
130
80
 
131
81
  ## Explicitly Out Of Scope
132
82
 
133
- The current roadmap excludes:
134
-
135
83
  - accepting task text and automatically selecting or ranking a Skill;
136
84
  - fuzzy, embedding, or LLM-based runtime routing;
137
- - runtime Context selection, loading, injection, or prompt assembly;
138
- - Skill or agent execution and tool orchestration;
139
- - automatic Skill body rewriting;
140
- - platform-native authoring logic inside Renma;
141
- - arbitrary Skill roots without a separately reviewed compatibility decision;
142
- - package publication, Context materialization, or repository distribution;
85
+ - runtime Context loading, injection, prompt assembly, or execution;
143
86
  - runtime telemetry collection or hidden consumed-context import;
144
- - BOM v2 without a demonstrated breaking-contract need;
145
- - automatic policy relaxation or suppression generation; and
146
- - new metadata semantics without an implemented deterministic consumer.
147
-
148
- The roadmap should stay current-facing. Completed behavior belongs in the
149
- baseline and changelog; detailed semantics belong in their canonical technical
150
- documents; proposed discovery remains isolated in the 0.18.0 plan.
87
+ - automatic Skill-body rewriting or policy relaxation;
88
+ - arbitrary Skill roots without a reviewed compatibility decision; and
89
+ - advertising deferred `routes_to`, `skill-index`, aliases, or generated
90
+ routing indexes as current behavior.
@@ -23,7 +23,14 @@ try {
23
23
  }
24
24
  const files = new Set(report.files.map((file) => file.path));
25
25
 
26
- for (const required of ["package.json", "README.md", "dist/index.js"]) {
26
+ for (const required of [
27
+ "package.json",
28
+ "README.md",
29
+ "dist/index.js",
30
+ "docs/trust-graph.md",
31
+ "docs/schemas/repository-context-bom-v2.schema.json",
32
+ "docs/schemas/trust-graph-v2.schema.json",
33
+ ]) {
27
34
  requirePackagedPath(files, required);
28
35
  }
29
36