memento-mori-jester 0.1.44 → 0.1.45

package/CHANGELOG.md

@@ -4,6 +4,12 @@ All notable changes to Memento Mori Jester are tracked here.
 
 ## Unreleased
 
+## 0.1.45
+
+- Added eight focused preset review fixtures for `risky-domain`, `missing-verification-step`, `confidence-theater`, and `done-without-evidence`.
+- Curated intentional overlap expectations for existing fixtures so `jester tune coverage` no longer treats auth, security-group, eval, skip-tests, and migration intersections as surprise matches.
+- Improved the fixture coverage baseline from low/thin families to medium-or-better support across the built-in and structural rule set.
+
 ## 0.1.44
 
 - Added `jester tune coverage` and `jester tune coverage --json` as read-only maintenance reports for fixture support across every rule.

package/ROADMAP.md

@@ -6,6 +6,7 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 
 ## Recently Shipped
 
+- Fixture curation pass in v0.1.45 that moved all built-in and structural rule evidence to medium-or-better confidence.
 - Additional precision pass for fixture-driven tuning signals (scoped to high-signal rule families first).
 - Fixture-informed `jester tune` evidence from preset review cases, including matched fixture IDs and verdict buckets.
 - Framework-specific GitHub Actions examples for Next.js, Vite React, Express API, FastAPI, Terraform/Kubernetes, and AI MCP repos.
@@ -33,7 +34,7 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 
 ## Product Ideas
 
-- Use the coverage report to add example-backed fixtures for the weakest important rule families, then improve playground onboarding samples.
+- Improve playground onboarding samples so users can try realistic command, plan, diff, and final-answer reviews without inventing input.
 
 ## Quality And Safety
 

package/docs/DEMO.md

@@ -176,24 +176,31 @@ Typical output:
 Memento Mori Jester tuning advice
 
 Rule: risky-domain [enabled]
+Title: High-risk domain touched
 Severity: S3
+Source: built-in
+Kinds: plan, command, diff, final
+Project config: none loaded
+
 Fixture tuning evidence:
-Support: thin
-Confidence: low
-Total fixtures checked: 50
-Weighted fixtures checked: 96.95
-Matching fixtures: 6
-Weighted matches: 13
-Expected-match weight: 2
-Unexpected-match weight: 11
+Support: limited
+Confidence: medium
+Total fixtures checked: 58
+Weighted fixtures checked: 112.95
+Matching fixtures: 8
+Weighted matches: 17
+Expected-match weight: 14
+Unexpected-match weight: 3
 Edge-case matches: 0
-Fixture coverage: 6/40 (16.9% weighted)
-By kind: command 0, plan 2, diff 4, final 0
-By verdict: pass 0, caution 5, block 1
+By kind: command 0, plan 3, diff 4, final 1
+Fixture coverage: 8/58 (15.1% weighted)
+By verdict: pass 0, caution 3, block 5
 Matched fixture samples:
-  web-token-localstorage-block: Token storage in localStorage should block.
   infra-public-ingress-block: Public ingress should block in low-risk-tolerance infra repos.
+  plan-missing-verification-step: Implementation plan without verification steps should trigger the structural rule.
   sec-secret-material-openai: Hard-coded OpenAI-like token should map to the secret-material rule.
+  universal-risky-domain-auth-caution-2: Auth callback changes should keep the broad risky-domain signal covered when verification is present.
+  universal-risky-domain-billing-final: Billing changes in final responses should remain covered when evidence is supplied.
 
 When it may be noisy:
 It can be noisy in docs, release notes, or rule text that merely mentions a sensitive word.

package/docs/RELEASE_NOTES_v0.1.45.md

@@ -0,0 +1,22 @@
+# v0.1.45 Release Notes
+
+This release improves the fixture evidence behind `jester tune` and `jester tune coverage`. It does not change review matching, scoring, verdicts, config, MCP tools, or GitHub Action behavior.
+
+## Changed
+
+- Added focused fixtures for `risky-domain`, `missing-verification-step`, `confidence-theater`, and `done-without-evidence`.
+- Marked intentional overlaps in existing fixtures so the coverage report can distinguish real surprise matches from expected multi-rule risk.
+- Raised built-in and structural rule coverage to medium-or-better confidence in the default coverage report.
+
+## Release Validation
+
+```powershell
+npm.cmd test
+npm.cmd run demo:svg:check
+npm.cmd run pack:dry
+git diff --check
+node .\dist\cli.js tune coverage --json --no-config
+node .\dist\cli.js tune risky-domain --no-config
+node .\dist\cli.js tune missing-verification-step --no-config
+git diff | node .\dist\cli.js diff --fail-on block --subject "v0.1.45 fixture curation"
+```

package/examples/fixtures/preset-review-cases.json

@@ -36,7 +36,10 @@
     "weight": 2,
     "expectedVerdict": "block",
     "expectedRuleIds": [
-      "custom-web-storage-sensitive-value"
+      "custom-web-storage-sensitive-value",
+      "risky-domain",
+      "configured-sensitive-domain-auth",
+      "configured-sensitive-domain-session"
     ]
   },
   {
@@ -88,7 +91,8 @@
     "expectedVerdict": "block",
     "weight": 2,
     "expectedRuleIds": [
-      "custom-infra-public-exposure"
+      "custom-infra-public-exposure",
+      "risky-domain"
     ]
   },
   {
@@ -128,7 +132,9 @@
     "expectedVerdict": "block",
     "weight": 2,
     "expectedRuleIds": [
-      "custom-ai-evals-skipped"
+      "custom-ai-evals-skipped",
+      "configured-sensitive-domain-eval",
+      "missing-verification-step"
     ]
   },
   {
@@ -152,7 +158,9 @@
     "weight": 2,
     "expectedVerdict": "block",
     "expectedRuleIds": [
-      "secret-material"
+      "secret-material",
+      "risky-domain",
+      "configured-sensitive-domain-auth"
     ]
   },
   {
@@ -272,7 +280,8 @@
     "weight": 2,
     "expectedVerdict": "caution",
     "expectedRuleIds": [
-      "risky-domain"
+      "risky-domain",
+      "missing-verification-step"
     ]
   },
   {
@@ -344,7 +353,8 @@
     "weight": 2,
     "expectedVerdict": "block",
     "expectedRuleIds": [
-      "skip-tests"
+      "skip-tests",
+      "missing-verification-step"
     ]
   },
   {
@@ -356,7 +366,8 @@
     "expectedVerdict": "caution",
     "weight": 2,
     "expectedRuleIds": [
-      "missing-verification-step"
+      "missing-verification-step",
+      "risky-domain"
     ]
   },
   {
@@ -610,5 +621,103 @@
     "expectedRuleIds": [
       "large-removal"
     ]
+  },
+  {
+    "id": "universal-risky-domain-auth-caution-2",
+    "preset": "default",
+    "kind": "plan",
+    "description": "Auth callback changes should keep the broad risky-domain signal covered when verification is present.",
+    "content": "Change the auth callback after running the focused login smoke test.",
+    "weight": 2,
+    "expectedVerdict": "block",
+    "expectedRuleIds": [
+      "risky-domain",
+      "configured-sensitive-domain-auth"
+    ]
+  },
+  {
+    "id": "universal-risky-domain-billing-final",
+    "preset": "default",
+    "kind": "final",
+    "description": "Billing changes in final responses should remain covered when evidence is supplied.",
+    "content": "Completed the billing label update after running the smoke check.",
+    "weight": 2,
+    "expectedVerdict": "block",
+    "expectedRuleIds": [
+      "risky-domain",
+      "configured-sensitive-domain-billing"
+    ]
+  },
+  {
+    "id": "plan-missing-verification-step-2",
+    "preset": "default",
+    "kind": "plan",
+    "description": "Implementation plans without a verification step should have a clean missing-verification example.",
+    "content": "Implement the toolbar state cleanup.",
+    "weight": 2,
+    "expectedVerdict": "pass",
+    "expectedRuleIds": [
+      "missing-verification-step"
+    ]
+  },
+  {
+    "id": "plan-missing-verification-step-3",
+    "preset": "default",
+    "kind": "plan",
+    "description": "Refactor plans that omit validation should keep missing-verification coverage separate from domain wording.",
+    "content": "Refactor the account menu routing.",
+    "weight": 2,
+    "expectedVerdict": "pass",
+    "expectedRuleIds": [
+      "missing-verification-step"
+    ]
+  },
+  {
+    "id": "plan-confidence-theater-2",
+    "preset": "default",
+    "kind": "plan",
+    "description": "Overconfident certainty language should have a direct confidence-theater fixture.",
+    "content": "This is definitely straightforward.",
+    "weight": 2,
+    "expectedVerdict": "pass",
+    "expectedRuleIds": [
+      "confidence-theater"
+    ]
+  },
+  {
+    "id": "plan-confidence-theater-3",
+    "preset": "default",
+    "kind": "plan",
+    "description": "Dismissive easy-language plans should keep confidence-theater coverage healthy.",
+    "content": "Obviously easy config rename.",
+    "weight": 2,
+    "expectedVerdict": "pass",
+    "expectedRuleIds": [
+      "confidence-theater"
+    ]
+  },
+  {
+    "id": "final-done-without-evidence-2",
+    "preset": "default",
+    "kind": "final",
+    "description": "Completion claims without test evidence should keep done-without-evidence coverage explicit.",
+    "content": "Implemented the parser cleanup.",
+    "weight": 2,
+    "expectedVerdict": "caution",
+    "expectedRuleIds": [
+      "done-without-evidence"
+    ]
+  },
+  {
+    "id": "final-done-without-evidence-3",
+    "preset": "default",
+    "kind": "final",
+    "description": "All-set final responses without evidence should remain covered as done-without-evidence.",
+    "content": "All set on the theme switcher.",
+    "weight": 2,
+    "expectedVerdict": "caution",
+    "expectedRuleIds": [
+      "done-without-evidence"
+    ]
   }
 ]

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "memento-mori-jester",
-  "version": "0.1.44",
+  "version": "0.1.45",
   "description": "A local court-jester sidecar for AI coding agents: review plans, commands, diffs, and final claims before they get too pleased with themselves.",
   "type": "module",
   "repository": {