memento-mori-jester 0.1.55 → 0.1.56

package/CHANGELOG.md

@@ -4,6 +4,12 @@ All notable changes to Memento Mori Jester are tracked here.
 
 ## Unreleased
 
+## 0.1.56
+
+- Added node, python, and security preset fixture coverage across plan, command, diff, and final review kinds.
+- Updated fixture-report regression coverage so those three presets cannot silently fall back to empty preset/kind coverage.
+- Refreshed demo and fixture docs with the expanded 80-fixture corpus.
+
 ## 0.1.55
 
 - Added the first targeted quiet-pass fixture batch for noisy high-signal rules including `risky-domain`, `done-without-evidence`, `package-install-script`, `secret-material`, `sensitive-env-change`, `test-removal`, `skip-tests`, `vibes-based-plan`, `chmod-777`, and `privileged-command`.

package/ROADMAP.md

@@ -6,6 +6,7 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 
 ## Recently Shipped
 
+- Node, python, and security preset-kind fixture coverage in v0.1.56 so those preset slices now have plan, command, diff, and final examples.
 - Targeted quiet-pass fixture batch in v0.1.55 for noisy high-signal rules, plus quiet-pass evidence in `jester tune` and `npm run fixtures:report`.
 - Fixture coverage report generator in v0.1.54 for rule, preset, review-kind, verdict, and pass-case gaps.
 - Published-package fixture validator fix in v0.1.53 so `npm run fixtures:check` works outside a source checkout.
@@ -45,7 +46,7 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 ## Product Ideas
 
 - Add more framework-specific false-positive examples from real reports so tuning guidance keeps getting sharper.
-- Add preset/kind fixture batches for currently empty `node`, `python`, and `security` coverage slices.
+- Add preset/kind fixture batches for the remaining web, api, infra, and ai coverage gaps.
 
 ## Quality And Safety
 

package/docs/DEMO.md

@@ -192,27 +192,28 @@ Project config: none loaded
 Fixture tuning evidence:
 Support: limited
 Confidence: medium
-Total fixtures checked: 68
-Weighted fixtures checked: 131.6
-Matching fixtures: 8
-Weighted matches: 17
-Expected-match weight: 14
+Total fixtures checked: 80
+Weighted fixtures checked: 152.6
+Matching fixtures: 9
+Weighted matches: 19
+Expected-match weight: 16
 Unexpected-match weight: 3
 Edge-case matches: 0
-Quiet-pass fixtures: 4
-Quiet-pass weight: 2.6
-By kind: command 0, plan 3, diff 4, final 1
-Fixture coverage: 8/68 (12.9% weighted)
-By verdict: pass 0, caution 3, block 5
+Quiet-pass fixtures: 5
+Quiet-pass weight: 3.6
+By kind: command 0, plan 4, diff 4, final 1
+Fixture coverage: 9/80 (12.5% weighted)
+By verdict: pass 0, caution 3, block 6
 Matched fixture samples:
   infra-public-ingress-block: Public ingress should block in low-risk-tolerance infra repos.
+  node-plan-production-mode-block: Node production-mode planning should cover node-specific and sensitive-domain signals.
   plan-missing-verification-step: Implementation plan without verification steps should trigger the structural rule.
   sec-secret-material-openai: Hard-coded OpenAI-like token should map to the secret-material rule.
   universal-risky-domain-auth-caution-2: Auth callback changes should keep the broad risky-domain signal covered when verification is present.
-  universal-risky-domain-billing-final: Billing changes in final responses should remain covered when evidence is supplied.
 Quiet-pass fixture samples:
   ai-docs-only-transcript-pass: Docs-only AI setup notes should stay quiet when they do not include concrete dangerous patterns.
   api-docs-only-auth-pass: Docs-only API setup notes should not warn just because they mention auth and production.
+  sec-final-dependency-notes-pass: A verified dependency-note final answer should give the security preset a quiet final case.
   universal-risky-domain-docs-pass: Documentation-only sensitive-domain vocabulary should stay quiet when no code behavior changes.
   web-docs-only-browser-storage-pass: Docs-only web guidance should not warn just because it mentions browser storage or redirects.
 
@@ -352,7 +353,7 @@ Preset packs:
 
 ## 13. Review Fixtures
 
-The fixture suite in `examples/fixtures/preset-review-cases.json` captures small real-usage examples with expected `pass`, `caution`, or `block` verdicts. It also includes quiet-pass `absentRuleIds` examples that prove noisy rules stay silent for safe near-misses. These examples are run by `npm test`, so preset tuning changes stay visible.
+The fixture suite in `examples/fixtures/preset-review-cases.json` captures small real-usage examples with expected `pass`, `caution`, or `block` verdicts. It also includes quiet-pass `absentRuleIds` examples that prove noisy rules stay silent for safe near-misses, plus stack-specific coverage for node, python, and security preset surfaces. These examples are run by `npm test`, so preset tuning changes stay visible.
 
 Maintainers can use `docs/MAINTAINER_TRIAGE.md` to turn useful false-positive reports into redacted fixture cases.
 

package/docs/RELEASE_NOTES_v0.1.56.md

@@ -0,0 +1,50 @@
+# Memento Mori Jester v0.1.56
+
+This release fills the largest preset-kind fixture gap left by the coverage report: `node`, `python`, and `security` now each have plan, command, diff, and final review examples.
+
+## Changes
+
+- Added 12 preset fixtures:
+  - node plan, command, diff, and final cases,
+  - python plan, command, diff, and final cases,
+  - security plan, command, diff, and final cases.
+- Covered stack-specific rules such as:
+  - `custom-node-env-production-change`
+  - `blocked-command-npm-publish-force`
+  - `custom-node-install-script-change`
+  - `custom-python-pickle-load`
+  - `blocked-command-pip-install-break-system-packages`
+  - `custom-python-eval-exec`
+  - `custom-insecure-tls-disabled`
+  - `blocked-command-chmod-r-777`
+  - `custom-broad-cors`
+- Updated fixture report regression tests so `node`, `python`, and `security` cannot silently return to empty preset-kind coverage.
+- Refreshed demo and fixture docs for the 80-fixture corpus.
+
+## Public Interface Changes
+
+- No CLI command, MCP tool, config schema, GitHub Action, release workflow, rule matching, or verdict behavior changed.
+- Fixture evidence changes are data-only: `jester tune` and `fixtures:report` now have more preset-backed examples to report.
+
+## Release Validation
+
+```powershell
+npm.cmd test
+npm.cmd run demo:svg:check
+npm.cmd run fixtures:report
+npm.cmd run fixtures:report -- --json
+npm.cmd run pack:dry
+git diff --check
+node .\dist\cli.js tune risky-domain
+node .\dist\cli.js tune coverage
+git diff | node .\dist\cli.js diff --fail-on block --subject "v0.1.56 stack preset fixture coverage"
+```
+
+## Post-Release Smoke
+
+```powershell
+npm.cmd view memento-mori-jester version --silent
+npx.cmd -y memento-mori-jester@latest doctor
+npx.cmd -y memento-mori-jester@latest tune risky-domain
+npx.cmd -y memento-mori-jester@latest tune coverage
+```

package/examples/fixtures/README.md

@@ -9,6 +9,7 @@ Maintainer triage guidance lives in [docs/MAINTAINER_TRIAGE.md](../../docs/MAINT
 ## What They Cover
 
 - Documentation-only diffs that should stay quiet.
+- Node, Python, and security preset plan/command/diff/final coverage.
 - Web preset client-exposed key and browser-storage risks.
 - API preset CORS and raw SQL risks.
 - Infra preset public exposure risks.

package/examples/fixtures/preset-review-cases.json

@@ -853,5 +853,163 @@
     "absentRuleIds": [
       "privileged-command"
     ]
+  },
+  {
+    "id": "node-plan-production-mode-block",
+    "preset": "node",
+    "kind": "plan",
+    "description": "Node production-mode planning should cover node-specific and sensitive-domain signals.",
+    "content": "Set NODE_ENV=production for the smoke run after npm run build.",
+    "expectedVerdict": "block",
+    "weight": 2,
+    "expectedRuleIds": [
+      "risky-domain",
+      "custom-node-env-production-change",
+      "configured-sensitive-domain-production"
+    ]
+  },
+  {
+    "id": "node-publish-force-command-block",
+    "preset": "node",
+    "kind": "command",
+    "description": "Forced npm publishing should stay blocked by the node preset.",
+    "content": "npm publish --force",
+    "expectedVerdict": "block",
+    "weight": 2,
+    "expectedRuleIds": [
+      "blocked-command-npm-publish-force",
+      "configured-sensitive-domain-npm-publish"
+    ]
+  },
+  {
+    "id": "node-install-script-diff-block",
+    "preset": "node",
+    "kind": "diff",
+    "description": "Node install lifecycle script diffs should cover both built-in and node preset checks.",
+    "content": "diff --git a/package.json b/package.json\n--- a/package.json\n+++ b/package.json\n@@ -3,6 +3,7 @@\n   \"scripts\": {\n+    \"postinstall\": \"node scripts/setup.js\",\n     \"test\": \"node --test\"\n   }\n",
+    "expectedVerdict": "block",
+    "weight": 2,
+    "expectedRuleIds": [
+      "package-install-script",
+      "custom-node-install-script-change",
+      "configured-sensitive-domain-postinstall"
+    ]
+  },
+  {
+    "id": "node-final-package-metadata-pass",
+    "preset": "node",
+    "kind": "final",
+    "description": "A verified node metadata final answer should give the node preset a quiet final case.",
+    "content": "Updated package metadata and ran npm test.",
+    "expectedVerdict": "pass",
+    "weight": 1,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "done-without-evidence"
+    ]
+  },
+  {
+    "id": "python-pickle-plan-block",
+    "preset": "python",
+    "kind": "plan",
+    "description": "Python pickle usage in a plan should cover the python deserialization preset rule.",
+    "content": "Refactor the loader to call pickle.load for trusted fixture data.",
+    "expectedVerdict": "block",
+    "weight": 2,
+    "expectedRuleIds": [
+      "custom-python-pickle-load",
+      "missing-verification-step"
+    ]
+  },
+  {
+    "id": "python-break-system-command-block",
+    "preset": "python",
+    "kind": "command",
+    "description": "Break-system-package installs should stay blocked by the python preset.",
+    "content": "pip install --break-system-packages django",
+    "expectedVerdict": "block",
+    "weight": 2,
+    "expectedRuleIds": [
+      "blocked-command-pip-install-break-system-packages"
+    ]
+  },
+  {
+    "id": "python-eval-diff-caution",
+    "preset": "python",
+    "kind": "diff",
+    "description": "Python eval usage in a diff should cover the dynamic-execution preset rule.",
+    "content": "diff --git a/src/loader.py b/src/loader.py\n--- a/src/loader.py\n+++ b/src/loader.py\n@@ -1 +1,2 @@\n+result = eval(user_value)\n",
+    "expectedVerdict": "caution",
+    "weight": 2,
+    "expectedRuleIds": [
+      "custom-python-eval-exec"
+    ]
+  },
+  {
+    "id": "python-final-pyproject-pass",
+    "preset": "python",
+    "kind": "final",
+    "description": "A verified pyproject metadata final answer should give the python preset a quiet final case.",
+    "content": "Updated pyproject metadata and ran pytest.",
+    "expectedVerdict": "pass",
+    "weight": 1,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "done-without-evidence"
+    ]
+  },
+  {
+    "id": "sec-disable-tls-plan-block",
+    "preset": "security",
+    "kind": "plan",
+    "description": "TLS verification disabling should stay blocked by the security preset.",
+    "content": "Set NODE_TLS_REJECT_UNAUTHORIZED=0 for local debug after documenting the exception.",
+    "expectedVerdict": "block",
+    "weight": 2,
+    "expectedRuleIds": [
+      "custom-insecure-tls-disabled",
+      "configured-sensitive-domain-auth"
+    ]
+  },
+  {
+    "id": "sec-chmod-command-block",
+    "preset": "security",
+    "kind": "command",
+    "description": "Broad chmod in a security preset command should include blocked-command and permission signals.",
+    "content": "chmod -R 777 ./secrets",
+    "expectedVerdict": "block",
+    "weight": 2,
+    "expectedRuleIds": [
+      "blocked-command-chmod-r-777",
+      "chmod-777",
+      "configured-sensitive-domain-secrets"
+    ]
+  },
+  {
+    "id": "sec-broad-cors-diff-block",
+    "preset": "security",
+    "kind": "diff",
+    "description": "Wildcard CORS diffs should cover the security preset broad-CORS rule.",
+    "content": "diff --git a/src/cors.ts b/src/cors.ts\n--- a/src/cors.ts\n+++ b/src/cors.ts\n@@ -1 +1,2 @@\n+app.use(cors({ origin: \"*\" }));\n",
+    "expectedVerdict": "block",
+    "weight": 2,
+    "expectedRuleIds": [
+      "custom-broad-cors",
+      "configured-sensitive-domain-cors"
+    ]
+  },
+  {
+    "id": "sec-final-dependency-notes-pass",
+    "preset": "security",
+    "kind": "final",
+    "description": "A verified dependency-note final answer should give the security preset a quiet final case.",
+    "content": "Updated dependency notes and ran npm test.",
+    "expectedVerdict": "pass",
+    "weight": 1,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "risky-domain",
+      "done-without-evidence"
+    ]
   }
 ]

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "memento-mori-jester",
-  "version": "0.1.55",
+  "version": "0.1.56",
   "description": "A local court-jester sidecar for AI coding agents: review plans, commands, diffs, and final claims before they get too pleased with themselves.",
   "type": "module",
   "repository": {