memento-mori-jester 0.1.49 → 0.1.50

package/CHANGELOG.md

@@ -4,6 +4,12 @@ All notable changes to Memento Mori Jester are tracked here.
 
 ## Unreleased
 
+## 0.1.50
+
+- Added `SECURITY.md` with vulnerability reporting guidance, supported-version expectations, scope, and redacted diagnostic guidance.
+- Added GitHub issue templates for bug reports, false-positive/noisy-rule reports, and feature requests.
+- Expanded the production readiness guard so `SECURITY.md`, issue templates, and support-intake docs stay present in future releases.
+
 ## 0.1.49
 
 - Expanded `jester doctor` into a support-focused diagnostic report covering package version, Node, MCP server file, review engine, config loading, git hook status, and generated GitHub Action status.

package/README.md

@@ -430,6 +430,7 @@ More setup examples:
 - [Preset Example Packs](examples/presets)
 - [Review Fixtures](examples/fixtures)
 - [Framework CI Examples](examples/ci)
+- [Security Policy](SECURITY.md)
 - [Changelog](CHANGELOG.md)
 - [Roadmap](ROADMAP.md)
 - [Trusted npm Publishing](docs/TRUSTED_PUBLISHING.md)
@@ -491,6 +492,14 @@ Both scripts check Node 20+, run a smoke `doctor`, and print MCP config.
 - Final answers with "done/fixed/works" claims that do not mention evidence, or that admit tests were not run.
 - Project-specific commands, domains, and regex rules from `jester.config.json`.
 
+## Support
+
+When filing a bug, include redacted `jester doctor --json` output. The GitHub issue templates ask for the command, workflow step, config, and observed output so support does not start with guesswork.
+
+Use the false-positive template for noisy cautions or blocks. Include `jester summary` and `jester tune <rule-id> --json` output when possible so rule changes can be backed by evidence.
+
+For vulnerabilities, private code exposure, or credential-handling concerns, follow [SECURITY.md](SECURITY.md) instead of opening a public issue with sensitive details.
+
 ## Publishing
 
 Release checklist:

package/ROADMAP.md

@@ -6,6 +6,7 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 
 ## Recently Shipped
 
+- Security policy and GitHub issue templates in v0.1.50 for bug reports, false positives, feature requests, and vulnerability intake.
 - Support-focused `doctor --json` diagnostics in v0.1.49 for package, config, hook, MCP, and GitHub Action state.
 - Production readiness checklist and static guard in v0.1.48 for package, workflow, docs, release, and support drift.
 - README onboarding polish in v0.1.47 around the shortest path from `npx` to playground, agent setup, hooks, and CI.
@@ -38,7 +39,8 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 
 ## Product Ideas
 
-- Add `SECURITY.md` and issue templates so diagnostics and bug reports are easier to collect.
+- Add more framework-specific false-positive examples from real reports so tuning guidance keeps getting sharper.
+- Add a lightweight maintainer triage guide for turning noisy-rule reports into fixtures.
 
 ## Quality And Safety
 

package/SECURITY.md

@@ -0,0 +1,48 @@
+# Security Policy
+
+Memento Mori Jester is a local CLI, MCP server, GitHub Action, and git-hook helper. It is designed to review text you provide locally; it should not send project code to a hosted service.
+
+## Supported Versions
+
+Security fixes target the latest npm release and the `main` branch.
+
+If you are using an older version, first confirm the issue still appears on the latest package:
+
+```powershell
+npx -y memento-mori-jester@latest doctor
+```
+
+## Reporting A Vulnerability
+
+Please do not put secrets, exploit details, private repository content, or live credentials in a public issue.
+
+Use GitHub's private vulnerability report flow when available:
+
+<https://github.com/Martin123132/Memento-Mori/security/advisories/new>
+
+If that flow is unavailable, open a minimal public issue asking for a private security contact, but do not include sensitive details.
+
+Helpful report details:
+
+- affected package version and install method,
+- operating system and Node version,
+- the command, GitHub Action, MCP setup, hook, or installer path involved,
+- the expected behavior and the observed behavior,
+- whether credentials, private code, generated SARIF, or CI logs are involved,
+- redacted `jester doctor --json` output.
+
+## Scope
+
+Useful security reports include:
+
+- command execution or shell-injection risks in CLI, hooks, installers, or GitHub Action paths,
+- unexpected network access or code disclosure,
+- unsafe handling of config, SARIF, fixture, or diagnostic output,
+- supply-chain or package-publishing concerns,
+- MCP server behavior that could expose more data than the caller provided.
+
+Reports about noisy rules or false positives are welcome too, but use the false-positive issue template unless there is a concrete vulnerability.
+
+## Handling Notes
+
+This is a small project, so response times are best effort. Security reports get priority over normal bugs, and fixes should preserve the project's local-first, deterministic behavior wherever possible.

package/docs/CLI.md

@@ -51,6 +51,8 @@ jester doctor --json
 
 Use `jester doctor --json` when filing an issue or debugging automation. It includes stable keys for package version, Node version, MCP server path, review-engine health, config mode/path, hook status, and generated workflow status.
 
+The bug-report issue template asks for this redacted JSON so maintainers can separate install, config, hook, MCP, and GitHub Action problems quickly.
+
 ## Playground
 
 Start a local-only paste-in playground:
@@ -154,6 +156,8 @@ Use `jester rule <id>` before muting a rule. It explains why the rule exists, co
 
 Use `jester tune <id>` when the question is practical: should this noisy rule be muted here, and what exact commands do I run? It is read-only and prints a before-muting checklist, a recommendation, and `disable-rule` / `enable-rule` commands.
 
+When filing a false-positive issue, include redacted `jester summary` output and `jester tune <rule-id> --json` output when possible.
+
 Use `jester tune coverage` when maintaining the rule set. It ranks every rule by fixture support and confidence, shows expected vs unexpected fixture weight, and suggests the next maintenance action for each rule.
 
 `jester tune` now also includes fixture evidence:

package/docs/GETTING_STARTED.md

@@ -108,4 +108,14 @@ Then tell them to open `MEMENTO_MORI.md`.
 
 For copy-paste agent and hook examples, see [examples](../examples). For stack-specific config examples, see [preset example packs](../examples/presets) for Next.js, Vite React, Express API, FastAPI, Terraform/Kubernetes, and AI MCP repos. For copy-paste CI workflows, see [framework CI examples](../examples/ci). For concrete pass, caution, and block cases, see [review fixtures](../examples/fixtures).
 
+## Need Help?
+
+Run this before opening a bug report:
+
+```powershell
+npx -y memento-mori-jester@latest doctor --json
+```
+
+Use the GitHub false-positive template for noisy rules and include `jester tune <rule-id> --json` when possible. For vulnerabilities, private code exposure, or credential-handling concerns, follow [SECURITY.md](../SECURITY.md) instead of posting sensitive details publicly.
+
 For where this is going next, see [ROADMAP.md](../ROADMAP.md).

package/docs/PRODUCTION_READINESS.md

@@ -15,6 +15,7 @@ This checklist defines what "production grade" means for Memento Mori Jester rig
 - `package.json` includes repository, homepage, bugs, binaries, exports, public package files, and public publish access.
 - `package-lock.json` version matches `package.json`.
 - `npm run pack:dry` confirms the package includes `dist`, `docs`, `examples`, `scripts`, `README.md`, `CHANGELOG.md`, `ROADMAP.md`, and `LICENSE`.
+- `SECURITY.md` ships with the package so vulnerability reporting guidance is visible from the repository and npm tarball.
 - `prepublishOnly` runs tests and a package dry run for local publish attempts.
 
 ## GitHub Action
@@ -48,6 +49,8 @@ This checklist defines what "production grade" means for Memento Mori Jester rig
 - Package metadata points bug reports at the GitHub issues page.
 - `jester doctor --json`, `jester config validate`, and `jester rules` are the first troubleshooting commands.
 - `jester tune`, `jester tune coverage`, and the fixture suite give maintainers a way to inspect noisy rules before changing defaults.
+- GitHub issue templates collect bug reports, false-positive reports, and feature requests with the diagnostic context maintainers need.
+- `SECURITY.md` routes vulnerability reports away from public issues and asks for redacted diagnostics.
 - npm publish has a manual workflow fallback, but the normal release path is tag-driven trusted publishing.
 
 ## Static Guard
@@ -58,11 +61,12 @@ This checklist defines what "production grade" means for Memento Mori Jester rig
 - package metadata and public package files are present,
 - CI, release, publish, and composite action workflows use the expected runtime and steps,
 - onboarding docs mention the important adoption paths,
-- production readiness documentation covers package, GitHub Action, MCP, git hooks, docs, and support.
+- production readiness documentation covers package, GitHub Action, MCP, git hooks, docs, and support,
+- `SECURITY.md` and GitHub issue templates exist and ask for the right diagnostics.
 
 `npm test` runs this check after the TypeScript build and unit tests.
 
 ## Known Next Gaps
 
-- Add `SECURITY.md` and issue templates for clearer support intake.
 - Continue expanding pass-case fixtures from real-world usage so false-positive tuning remains evidence-based.
+- Add more framework-specific false-positive examples as people report real noisy cases.

package/docs/RELEASE.md

@@ -17,7 +17,7 @@ Move the current changelog bullets into a matching version section and add `docs
 ## 2. Tag And Push
 
 ```powershell
-git add package.json package-lock.json CHANGELOG.md docs/RELEASE_NOTES_v0.1.x.md
+git add package.json package-lock.json CHANGELOG.md docs/RELEASE_NOTES_v0.1.x.md docs/PRODUCTION_READINESS.md SECURITY.md .github/ISSUE_TEMPLATE
 git commit -m "Release v0.1.x"
 git tag -a v0.1.x -m "Memento Mori Jester v0.1.x"
 git push origin main

package/docs/RELEASE_NOTES_v0.1.50.md

@@ -0,0 +1,28 @@
+# v0.1.50 Release Notes
+
+This release adds clearer public support intake so bug reports, false-positive reports, feature requests, and security reports arrive with the context maintainers need.
+
+## What Changed
+
+- Added `SECURITY.md` with vulnerability reporting guidance, scope, and safe redaction expectations.
+- Added GitHub issue templates for bug reports, false positives/noisy rules, and feature requests.
+- Added GitHub issue-template contact links for security reports and getting-started docs.
+- Updated README and production-readiness docs so `jester doctor --json` and issue templates are part of the support contract.
+- Expanded `npm run production:check` so future releases keep the security policy and issue templates in place.
+
+## Behavior Notes
+
+- No CLI, MCP, config, rule, playground, GitHub Action runtime, or release automation behavior changed.
+- `SECURITY.md` is now included in the npm package file list.
+
+## Release Validation
+
+```powershell
+npm.cmd test
+npm.cmd run production:check
+npm.cmd run demo:svg:check
+npm.cmd run pack:dry
+git diff --check
+node .\dist\cli.js doctor --json
+git diff | node .\dist\cli.js diff --fail-on block --subject "v0.1.50 support intake"
+```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "memento-mori-jester",
-  "version": "0.1.49",
+  "version": "0.1.50",
   "description": "A local court-jester sidecar for AI coding agents: review plans, commands, diffs, and final claims before they get too pleased with themselves.",
   "type": "module",
   "repository": {
@@ -32,6 +32,7 @@
     "scripts",
     "CHANGELOG.md",
     "LICENSE",
+    "SECURITY.md",
     "README.md",
     "ROADMAP.md"
   ],

package/scripts/check-production-readiness.mjs

@@ -50,11 +50,16 @@ for (const path of [
   "CHANGELOG.md",
   "ROADMAP.md",
   "LICENSE",
+  "SECURITY.md",
   "docs/RELEASE.md",
   "docs/TRUSTED_PUBLISHING.md",
   "docs/PRODUCTION_READINESS.md",
   `docs/RELEASE_NOTES_${tag}.md`,
   "action.yml",
+  ".github/ISSUE_TEMPLATE/bug_report.yml",
+  ".github/ISSUE_TEMPLATE/false_positive.yml",
+  ".github/ISSUE_TEMPLATE/feature_request.yml",
+  ".github/ISSUE_TEMPLATE/config.yml",
   ".github/workflows/ci.yml",
   ".github/workflows/npm-publish.yml",
   ".github/workflows/release.yml",
@@ -74,6 +79,8 @@ requireText("README.md", /doctor --json/, "doctor JSON support guidance");
 requireText("README.md", /config recommend/, "preset recommendation onboarding");
 requireText("README.md", /setup --agent codex/, "Codex setup onboarding");
 requireText("README.md", /github-action --write/, "GitHub Action onboarding");
+requireText("README.md", /SECURITY\.md/, "security policy link");
+requireText("README.md", /false-positive/i, "false-positive support guidance");
 requireText("README.md", /License: PolyForm Noncommercial/, "the noncommercial license badge");
 requireText("docs/PRODUCTION_READINESS.md", /npm package/i, "npm package readiness");
 requireText("docs/PRODUCTION_READINESS.md", /GitHub Action/i, "GitHub Action readiness");
@@ -81,9 +88,19 @@ requireText("docs/PRODUCTION_READINESS.md", /MCP/i, "MCP readiness");
 requireText("docs/PRODUCTION_READINESS.md", /git hooks/i, "git hook readiness");
 requireText("docs/PRODUCTION_READINESS.md", /support/i, "support readiness");
 requireText("docs/PRODUCTION_READINESS.md", /doctor --json/, "doctor JSON support diagnostics");
+requireText("docs/PRODUCTION_READINESS.md", /SECURITY\.md/, "security policy readiness");
+requireText("docs/PRODUCTION_READINESS.md", /issue templates/i, "issue template readiness");
 requireText("docs/CLI.md", /jester doctor --json/, "doctor JSON CLI docs");
-
-for (const publicFile of ["dist", "docs", "examples", "scripts", "CHANGELOG.md", "LICENSE", "README.md", "ROADMAP.md"]) {
+requireText("SECURITY.md", /doctor --json/, "doctor JSON redaction guidance");
+requireText("SECURITY.md", /security\/advisories\/new/, "private vulnerability report link");
+requireText(".github/ISSUE_TEMPLATE/bug_report.yml", /doctor --json/, "doctor JSON support prompt");
+requireText(".github/ISSUE_TEMPLATE/bug_report.yml", /SECURITY\.md|security policy/i, "security redirect");
+requireText(".github/ISSUE_TEMPLATE/false_positive.yml", /jester tune <rule-id> --json/, "tune JSON prompt");
+requireText(".github/ISSUE_TEMPLATE/false_positive.yml", /false-positive|noisy rule/i, "false-positive scope");
+requireText(".github/ISSUE_TEMPLATE/feature_request.yml", /local-first and deterministic/, "project constraint prompt");
+requireText(".github/ISSUE_TEMPLATE/config.yml", /security\/advisories\/new/, "security contact link");
+
+for (const publicFile of ["dist", "docs", "examples", "scripts", "CHANGELOG.md", "LICENSE", "SECURITY.md", "README.md", "ROADMAP.md"]) {
   requirePackageFile(packageJson, publicFile);
 }