memento-mori-jester 0.1.57 → 0.1.59

package/CHANGELOG.md

@@ -4,6 +4,18 @@ All notable changes to Memento Mori Jester are tracked here.
 
 ## Unreleased
 
+## 0.1.59
+
+- Added quiet-pass fixtures for remaining sparse built-in and structural rules including missing verification, confidence theater, TypeScript suppressions, large removals, wildcard file operations, destructive commands, and untested finals.
+- Updated fixture-report regression coverage so every rule family now has quiet-pass coverage.
+- Refreshed demo and fixture docs with the expanded 125-fixture corpus.
+
+## 0.1.58
+
+- Added quiet-pass fixtures for thin custom, configured sensitive-domain, and preset blocked-command rules.
+- Updated fixture-report regression coverage so thin preset/config-derived rules cannot silently lose quiet-pass coverage.
+- Refreshed demo and fixture docs with the expanded 112-fixture corpus.
+
 ## 0.1.57
 
 - Added web, API, infra, and AI preset fixture coverage across the remaining plan, command, and final review-kind gaps.

package/ROADMAP.md

@@ -6,6 +6,8 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 
 ## Recently Shipped
 
+- Quiet-pass boundaries for remaining sparse built-in and structural rules in v0.1.59 so the fixture report now has no rules without quiet-pass coverage.
+- Quiet-pass boundaries for thin custom/preset rules in v0.1.58 so preset blocked commands, sensitive-domain checks, and custom stack rules now have safe near-miss examples.
 - Completed preset-kind fixture coverage in v0.1.57 so `default`, `node`, `python`, `web`, `api`, `infra`, `ai`, and `security` now all have plan, command, diff, and final examples.
 - Node, python, and security preset-kind fixture coverage in v0.1.56 so those preset slices now have plan, command, diff, and final examples.
 - Targeted quiet-pass fixture batch in v0.1.55 for noisy high-signal rules, plus quiet-pass evidence in `jester tune` and `npm run fixtures:report`.
@@ -46,8 +48,8 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 
 ## Product Ideas
 
-- Add quiet-pass boundaries for thin custom/preset rules that still only have one-sided fixture evidence.
 - Add more framework-specific false-positive examples from real reports so tuning guidance keeps getting sharper.
+- Add fixture report slices by rule family and preset so maintainers can spot which areas need real-world curation next.
 
 ## Quality And Safety
 

package/docs/DEMO.md

@@ -192,8 +192,8 @@ Project config: none loaded
 Fixture tuning evidence:
 Support: limited
 Confidence: medium
-Total fixtures checked: 90
-Weighted fixtures checked: 169.6
+Total fixtures checked: 125
+Weighted fixtures checked: 236.9
 Matching fixtures: 9
 Weighted matches: 19
 Expected-match weight: 16
@@ -202,7 +202,7 @@ Edge-case matches: 0
 Quiet-pass fixtures: 5
 Quiet-pass weight: 3.6
 By kind: command 0, plan 4, diff 4, final 1
-Fixture coverage: 9/90 (11.2% weighted)
+Fixture coverage: 9/125 (8.0% weighted)
 By verdict: pass 0, caution 3, block 6
 Matched fixture samples:
   infra-public-ingress-block: Public ingress should block in low-risk-tolerance infra repos.
@@ -353,7 +353,7 @@ Preset packs:
 
 ## 13. Review Fixtures
 
-The fixture suite in `examples/fixtures/preset-review-cases.json` captures small real-usage examples with expected `pass`, `caution`, or `block` verdicts. It also includes quiet-pass `absentRuleIds` examples that prove noisy rules stay silent for safe near-misses, plus stack-specific coverage for node, python, and security preset surfaces. These examples are run by `npm test`, so preset tuning changes stay visible.
+The fixture suite in `examples/fixtures/preset-review-cases.json` captures small real-usage examples with expected `pass`, `caution`, or `block` verdicts. It also includes quiet-pass `absentRuleIds` examples that prove noisy rules stay silent for safe near-misses, stack-specific coverage for every built-in preset, and quiet-pass boundaries across built-in, structural, custom, and preset/config-derived rules. These examples are run by `npm test`, so preset tuning changes stay visible.
 
 Maintainers can use `docs/MAINTAINER_TRIAGE.md` to turn useful false-positive reports into redacted fixture cases.
 

package/docs/RELEASE_NOTES_v0.1.58.md

@@ -0,0 +1,39 @@
+# Memento Mori Jester v0.1.58
+
+This release adds quiet-pass evidence for thin preset/config-derived rules. The goal is better tuning guidance: maintainers can now see safe near-misses for many custom preset rules, configured sensitive-domain checks, and preset blocked commands instead of only seeing examples where those rules fire.
+
+## Changes
+
+- Added 22 quiet-pass fixtures covering safe near-misses for:
+  - preset blocked commands such as forced npm publish, Terraform destroy, Prisma reset, broad chmod, and break-system pip installs,
+  - configured sensitive-domain checks such as CORS, IAM, postinstall, session, webhook, eval, and public secret wording,
+  - custom stack rules across node, python, web, API, infra, AI, and security presets.
+- Updated fixture-report regression coverage so thin custom/config-derived rules cannot silently return to zero quiet-pass coverage.
+- Refreshed demo and fixture docs for the 112-fixture corpus.
+
+## Public Interface Changes
+
+- No CLI command, MCP tool, config schema, GitHub Action, release workflow, rule matching, or verdict behavior changed.
+- Fixture evidence changes are data-only: `jester tune` and `fixtures:report` now have more safe near-miss evidence to report.
+
+## Release Validation
+
+```powershell
+npm.cmd test
+npm.cmd run demo:svg:check
+npm.cmd run fixtures:report
+npm.cmd run fixtures:report -- --json
+npm.cmd run pack:dry
+git diff --check
+node .\dist\cli.js tune risky-domain --no-config
+node .\dist\cli.js tune coverage --no-config
+git diff | node .\dist\cli.js diff --fail-on block --subject "v0.1.58 quiet-pass precision fixtures"
+```
+
+## Post-Release Smoke
+
+```powershell
+npm.cmd view memento-mori-jester version --silent
+npx.cmd -y memento-mori-jester@latest doctor --no-config
+npx.cmd -y memento-mori-jester@latest tune coverage --no-config
+```

package/docs/RELEASE_NOTES_v0.1.59.md

@@ -0,0 +1,49 @@
+# Memento Mori Jester v0.1.59
+
+This release completes the quiet-pass coverage pass for the fixture suite. After v0.1.58 covered thin custom and preset/config-derived rules, v0.1.59 adds safe near-misses for the remaining sparse built-in and structural rules.
+
+## Changes
+
+- Added 13 quiet-pass fixtures covering safe near-misses for:
+  - `missing-verification-step`
+  - `confidence-theater`
+  - `temporary-marker`
+  - `ts-ignore`
+  - `console-log`
+  - `large-removal`
+  - `wildcard-file-operation`
+  - `database-destruction`
+  - `destructive-git-history`
+  - `handwave-final`
+  - `pipe-to-shell`
+  - `recursive-force-delete`
+  - `untested-final`
+- Updated fixture-report regression coverage so `rulesWithoutQuietPassCoverage` must stay empty.
+- Refreshed demo and fixture docs for the 125-fixture corpus.
+
+## Public Interface Changes
+
+- No CLI command, MCP tool, config schema, GitHub Action, release workflow, rule matching, or verdict behavior changed.
+- Fixture evidence changes are data-only: `jester tune` and `fixtures:report` now have safe near-miss evidence for every rule family.
+
+## Release Validation
+
+```powershell
+npm.cmd test
+npm.cmd run demo:svg:check
+npm.cmd run fixtures:report
+npm.cmd run fixtures:report -- --json
+npm.cmd run pack:dry
+git diff --check
+node .\dist\cli.js tune risky-domain --no-config
+node .\dist\cli.js tune coverage --no-config
+git diff | node .\dist\cli.js diff --fail-on block --subject "v0.1.59 built-in quiet-pass fixtures"
+```
+
+## Post-Release Smoke
+
+```powershell
+npm.cmd view memento-mori-jester version --silent
+npx.cmd -y memento-mori-jester@latest doctor --no-config
+npx.cmd -y memento-mori-jester@latest tune coverage --no-config
+```

package/examples/fixtures/README.md

@@ -14,6 +14,8 @@ Maintainer triage guidance lives in [docs/MAINTAINER_TRIAGE.md](../../docs/MAINT
 - API preset CORS, raw SQL, webhook, and migration-command risks.
 - Infra preset public exposure, IAM wildcard, and destructive command risks.
 - AI preset eval-skipping and model-output execution risks.
+- Quiet-pass boundaries for thin custom, configured sensitive-domain, and preset blocked-command rules.
+- Quiet-pass boundaries for built-in and structural rules such as missing verification, TypeScript suppressions, large removals, wildcard operations, destructive commands, and untested finals.
 - Fixture metadata like `weight` and `edgeCase` to support precision-weighted tuning evidence.
 
 ## Local Check

package/examples/fixtures/preset-review-cases.json

@@ -1139,5 +1139,476 @@
       "risky-domain",
       "done-without-evidence"
     ]
+  },
+  {
+    "id": "sec-chmod-narrow-command-pass",
+    "preset": "security",
+    "kind": "command",
+    "description": "Narrow chmod commands should not trip security preset blocked-command rules.",
+    "content": "chmod -R 755 ./public-assets",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-chmod-r-777",
+      "chmod-777",
+      "configured-sensitive-domain-secrets"
+    ]
+  },
+  {
+    "id": "node-pack-dry-run-command-pass",
+    "preset": "node",
+    "kind": "command",
+    "description": "Package dry runs should not be mistaken for forced npm publishing.",
+    "content": "npm pack --dry-run",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-npm-publish-force",
+      "configured-sensitive-domain-npm-publish"
+    ]
+  },
+  {
+    "id": "python-normal-pip-install-command-pass",
+    "preset": "python",
+    "kind": "command",
+    "description": "Normal pip installs should not trip the break-system-packages command rule.",
+    "content": "pip install django",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-pip-install-break-system-packages"
+    ]
+  },
+  {
+    "id": "api-prisma-status-command-pass",
+    "preset": "api",
+    "kind": "command",
+    "description": "Prisma status checks should not be mistaken for destructive migration resets.",
+    "content": "prisma migrate status",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-prisma-migrate-reset-force"
+    ]
+  },
+  {
+    "id": "infra-harmless-command-pass",
+    "preset": "infra",
+    "kind": "command",
+    "description": "Harmless shell commands in infra repos should not trip destroy-command checks.",
+    "content": "pwd",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-terraform-destroy"
+    ]
+  },
+  {
+    "id": "web-public-nonsecret-command-pass",
+    "preset": "web",
+    "kind": "command",
+    "description": "Public non-secret frontend variable names should not trip secret-name checks.",
+    "content": "echo NEXT_PUBLIC_FEATURE_FLAG",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-web-public-secret-name"
+    ]
+  },
+  {
+    "id": "ai-public-model-command-pass",
+    "preset": "ai",
+    "kind": "command",
+    "description": "Public non-secret AI model names should not trip provider-key checks.",
+    "content": "echo NEXT_PUBLIC_MODEL_NAME",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-ai-public-provider-key"
+    ]
+  },
+  {
+    "id": "node-posttest-script-diff-pass",
+    "preset": "node",
+    "kind": "diff",
+    "description": "Non-install package lifecycle scripts should not trip node install-script checks.",
+    "content": "diff --git a/package.json b/package.json\n--- a/package.json\n+++ b/package.json\n@@ -3,6 +3,7 @@\n   \"scripts\": {\n+    \"posttest\": \"node scripts/check.js\",\n     \"test\": \"node --test\"\n   }\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "package-install-script",
+      "custom-node-install-script-change",
+      "configured-sensitive-domain-postinstall"
+    ]
+  },
+  {
+    "id": "node-development-env-plan-pass",
+    "preset": "node",
+    "kind": "plan",
+    "description": "Development-mode Node plans should not trip production-mode checks.",
+    "content": "Run NODE_ENV=development for the local smoke test.",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-node-env-production-change",
+      "configured-sensitive-domain-production"
+    ]
+  },
+  {
+    "id": "python-json-loader-plan-pass",
+    "preset": "python",
+    "kind": "plan",
+    "description": "JSON loader plans should not be mistaken for Python pickle deserialization.",
+    "content": "Use json.loads for fixture data after running pytest.",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-python-pickle-load"
+    ]
+  },
+  {
+    "id": "python-literal-eval-diff-pass",
+    "preset": "python",
+    "kind": "diff",
+    "description": "Python literal_eval usage should not be mistaken for raw eval execution.",
+    "content": "diff --git a/src/loader.py b/src/loader.py\n--- a/src/loader.py\n+++ b/src/loader.py\n@@ -1 +1,2 @@\n+value = ast.literal_eval(raw_value)\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-python-eval-exec"
+    ]
+  },
+  {
+    "id": "web-safe-render-plan-pass",
+    "preset": "web",
+    "kind": "plan",
+    "description": "Plain-text rendering plans should not trip web HTML injection checks.",
+    "content": "Render CMS snippets as plain text after an XSS smoke test.",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-web-unsafe-html-injection",
+      "configured-sensitive-domain-dangerouslysetinnerhtml",
+      "configured-sensitive-domain-innerhtml"
+    ]
+  },
+  {
+    "id": "web-theme-storage-diff-pass",
+    "preset": "web",
+    "kind": "diff",
+    "description": "Non-sensitive browser preference storage should not trip token-storage checks.",
+    "content": "diff --git a/src/preferences.ts b/src/preferences.ts\n--- a/src/preferences.ts\n+++ b/src/preferences.ts\n@@ -1 +1,2 @@\n+localStorage.setItem(\"theme\", theme);\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-web-storage-sensitive-value",
+      "configured-sensitive-domain-session"
+    ]
+  },
+  {
+    "id": "api-origin-header-pass",
+    "preset": "api",
+    "kind": "diff",
+    "description": "Specific API origin headers should not trip wildcard-origin checks.",
+    "content": "diff --git a/src/headers.ts b/src/headers.ts\n--- a/src/headers.ts\n+++ b/src/headers.ts\n@@ -1 +1,2 @@\n+response.setHeader(\"Access-Control-Allow-Origin\", trustedOrigin);\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-api-broad-cors",
+      "configured-sensitive-domain-cors"
+    ]
+  },
+  {
+    "id": "sec-origin-header-pass",
+    "preset": "security",
+    "kind": "diff",
+    "description": "Specific security origin headers should not trip wildcard-origin checks.",
+    "content": "diff --git a/src/headers.ts b/src/headers.ts\n--- a/src/headers.ts\n+++ b/src/headers.ts\n@@ -1 +1,2 @@\n+response.setHeader(\"Access-Control-Allow-Origin\", trustedOrigin);\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-broad-cors",
+      "configured-sensitive-domain-cors"
+    ]
+  },
+  {
+    "id": "api-parameterized-query-diff-pass",
+    "preset": "api",
+    "kind": "diff",
+    "description": "Parameterized API queries should not trip raw user-input SQL checks.",
+    "content": "diff --git a/src/users.ts b/src/users.ts\n--- a/src/users.ts\n+++ b/src/users.ts\n@@ -1 +1,2 @@\n+db.query(\"select * from users where id = $1\", [validatedId]);\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-api-raw-sql-user-input"
+    ]
+  },
+  {
+    "id": "api-webhook-docs-pass",
+    "preset": "api",
+    "kind": "diff",
+    "description": "Docs about verifying webhook signatures should not trip disabled-webhook checks.",
+    "content": "diff --git a/docs/API.md b/docs/API.md\n--- a/docs/API.md\n+++ b/docs/API.md\n@@ -1 +1,2 @@\n+Document verifying webhook signatures before parsing provider events.\n",
+    "expectedVerdict": "pass",
+    "edgeCase": true,
+    "weight": 1,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-api-webhook-signature-disabled",
+      "configured-sensitive-domain-webhook"
+    ]
+  },
+  {
+    "id": "infra-iam-docs-pass",
+    "preset": "infra",
+    "kind": "diff",
+    "description": "Docs about narrowing IAM policies should not trip wildcard-permission checks.",
+    "content": "diff --git a/docs/INFRA.md b/docs/INFRA.md\n--- a/docs/INFRA.md\n+++ b/docs/INFRA.md\n@@ -1 +1,2 @@\n+Document narrowing IAM policies to named actions and resources.\n",
+    "expectedVerdict": "pass",
+    "edgeCase": true,
+    "weight": 1,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-infra-iam-wildcard-permission",
+      "configured-sensitive-domain-iam"
+    ]
+  },
+  {
+    "id": "infra-private-network-diff-pass",
+    "preset": "infra",
+    "kind": "diff",
+    "description": "Private network ranges should not trip public exposure checks.",
+    "content": "diff --git a/infra/network.tf b/infra/network.tf\n--- a/infra/network.tf\n+++ b/infra/network.tf\n@@ -1 +1,2 @@\n+cidr_blocks = [\"10.0.0.0/8\"]\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-infra-public-exposure"
+    ]
+  },
+  {
+    "id": "ai-schema-output-plan-pass",
+    "preset": "ai",
+    "kind": "plan",
+    "description": "Schema parsing plans should not trip model-output execution checks.",
+    "content": "Parse modelOutputJson into a schema before using it.",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-ai-model-output-execution"
+    ]
+  },
+  {
+    "id": "ai-model-checks-final-pass",
+    "preset": "ai",
+    "kind": "final",
+    "description": "Running model checks should not trip AI eval-skipping checks.",
+    "content": "Ran model checks for the prompt update.",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-ai-evals-skipped",
+      "configured-sensitive-domain-eval"
+    ]
+  },
+  {
+    "id": "sec-tls-verification-plan-pass",
+    "preset": "security",
+    "kind": "plan",
+    "description": "Keeping TLS verification enabled should not trip insecure-TLS checks.",
+    "content": "Keep TLS verification on while testing the certificate fixture.",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-insecure-tls-disabled"
+    ]
+  },
+  {
+    "id": "plan-verified-implementation-pass",
+    "preset": "default",
+    "kind": "plan",
+    "description": "Plans with an explicit test step should not trip missing-verification checks.",
+    "content": "Refactor the toolbar state and run npm test.",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "missing-verification-step"
+    ]
+  },
+  {
+    "id": "plan-measured-change-pass",
+    "preset": "default",
+    "kind": "plan",
+    "description": "Measured planning language should not trip confidence-theater checks.",
+    "content": "Rename the config field after checking the fixture output.",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "confidence-theater"
+    ]
+  },
+  {
+    "id": "diff-followup-note-pass",
+    "preset": "default",
+    "kind": "diff",
+    "description": "Tracked follow-up comments should not trip temporary marker checks.",
+    "content": "diff --git a/src/helpers.ts b/src/helpers.ts\n--- a/src/helpers.ts\n+++ b/src/helpers.ts\n@@ -1 +1,2 @@\n+// Follow-up tracked in issue 123 before release.\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "temporary-marker"
+    ]
+  },
+  {
+    "id": "diff-typed-boundary-pass",
+    "preset": "default",
+    "kind": "diff",
+    "description": "Typed boundary changes should not trip TypeScript suppression checks.",
+    "content": "diff --git a/src/bridge.ts b/src/bridge.ts\n--- a/src/bridge.ts\n+++ b/src/bridge.ts\n@@ -1 +1,2 @@\n+const value = payload satisfies BridgePayload;\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "ts-ignore"
+    ]
+  },
+  {
+    "id": "diff-logger-debug-pass",
+    "preset": "default",
+    "kind": "diff",
+    "description": "Project logger debug calls should not trip raw console logging checks.",
+    "content": "diff --git a/src/trace.ts b/src/trace.ts\n--- a/src/trace.ts\n+++ b/src/trace.ts\n@@ -1 +1,2 @@\n+logger.debug(\"Trace path entered\");\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "console-log"
+    ]
+  },
+  {
+    "id": "diff-small-removal-pass",
+    "preset": "default",
+    "kind": "diff",
+    "description": "Small removals should not trip large-removal structural checks.",
+    "content": "diff --git a/src/cleanup.ts b/src/cleanup.ts\n--- a/src/cleanup.ts\n+++ b/src/cleanup.ts\n@@ -1,5 +1,3 @@\n-old-a\n-old-b\n keep-c\n keep-d\n keep-e\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "large-removal"
+    ]
+  },
+  {
+    "id": "command-explicit-copy-pass",
+    "preset": "default",
+    "kind": "command",
+    "description": "Explicit file copy commands should not trip wildcard operation checks.",
+    "content": "cp README.md ./docs/README.md",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "wildcard-file-operation"
+    ]
+  },
+  {
+    "id": "command-select-query-pass",
+    "preset": "default",
+    "kind": "command",
+    "description": "Read-only SQL queries should not trip database destruction checks.",
+    "content": "SELECT * FROM users;",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "database-destruction"
+    ]
+  },
+  {
+    "id": "command-git-status-pass",
+    "preset": "default",
+    "kind": "command",
+    "description": "Read-only git inspection should not trip destructive git history checks.",
+    "content": "git status --short",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "destructive-git-history"
+    ]
+  },
+  {
+    "id": "final-specific-verification-pass",
+    "preset": "default",
+    "kind": "final",
+    "description": "Specific verification evidence should not trip hand-wavy final checks.",
+    "content": "Ran npm test and verified the parser output.",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "handwave-final"
+    ]
+  },
+  {
+    "id": "command-download-script-pass",
+    "preset": "default",
+    "kind": "command",
+    "description": "Downloading a script without executing it should not trip pipe-to-shell checks.",
+    "content": "curl -L https://example.org/install.sh -o install.sh",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "pipe-to-shell"
+    ]
+  },
+  {
+    "id": "command-narrow-recursive-delete-pass",
+    "preset": "default",
+    "kind": "command",
+    "description": "Recursive deletion without force should not trip forced-delete checks.",
+    "content": "rm -r ./build/cache",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "recursive-force-delete"
+    ]
+  },
+  {
+    "id": "final-tested-parser-pass",
+    "preset": "default",
+    "kind": "final",
+    "description": "Final answers with test evidence should not trip untested-final checks.",
+    "content": "Ran npm test after the parser update.",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "untested-final"
+    ]
   }
 ]

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "memento-mori-jester",
-  "version": "0.1.57",
+  "version": "0.1.59",
   "description": "A local court-jester sidecar for AI coding agents: review plans, commands, diffs, and final claims before they get too pleased with themselves.",
   "type": "module",
   "repository": {