memento-mori-jester 0.1.61 → 0.1.63

package/CHANGELOG.md

@@ -4,6 +4,18 @@ All notable changes to Memento Mori Jester are tracked here.
 
 ## Unreleased
 
+## 0.1.63
+
+- Added second firing fixtures for the remaining framework custom-rule thin examples across security, infra, node, python, and web presets.
+- Cleared custom-rule thin coverage in `npm run fixtures:report`, reducing total thin fixture coverage from 16 rules to 7.
+- Refreshed demo, roadmap, fixture docs, and release notes for the 145-fixture corpus.
+
+## 0.1.62
+
+- Added second firing fixtures for the remaining AI/API custom-rule thin examples: model-output execution, public AI provider keys, raw SQL from request input, and disabled webhook signature checks.
+- Reduced total thin fixture coverage from 21 rules to 16 while keeping review behavior unchanged.
+- Refreshed demo, roadmap, fixture docs, and release notes for the 138-fixture corpus.
+
 ## 0.1.61
 
 - Added a focused fixture curation batch based on `fixtures:report` curation-next guidance.

package/ROADMAP.md

@@ -6,6 +6,8 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 
 ## Recently Shipped
 
+- Framework custom-rule fixture precision pass in v0.1.63, clearing custom-rule thin coverage and reducing total thin fixture coverage from 16 rules to 7.
+- AI/API custom-rule fixture precision pass in v0.1.62, reducing total thin fixture coverage from 21 rules to 16 while keeping review behavior unchanged.
 - Curation-next fixture batch in v0.1.61 that removed blocked-command thin coverage, strengthened stack-specific sensitive-domain examples, and reduced total thin fixture coverage from 37 rules to 21.
 - Fixture report rule-family slices, preset slices, and curation-next guidance in v0.1.60 so maintainers can see which fixture areas need real-world examples next.
 - Quiet-pass boundaries for remaining sparse built-in and structural rules in v0.1.59 so the fixture report now has no rules without quiet-pass coverage.
@@ -51,7 +53,7 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 ## Product Ideas
 
 - Add more framework-specific false-positive examples from real reports so tuning guidance keeps getting sharper.
-- Add another fixture precision batch for the remaining AI/API custom-rule thin examples surfaced by `fixtures:report`.
+- Add the final fixture precision pass for the remaining built-in and configured-domain thin examples surfaced by `fixtures:report`.
 - Add a Markdown export for fixture reports so maintainers can paste coverage snapshots into issues or release notes.
 
 ## Quality And Safety

package/docs/DEMO.md

@@ -192,18 +192,18 @@ Project config: none loaded
 Fixture tuning evidence:
 Support: limited
 Confidence: medium
-Total fixtures checked: 134
-Weighted fixtures checked: 254.9
-Matching fixtures: 9
-Weighted matches: 19
+Total fixtures checked: 145
+Weighted fixtures checked: 276.9
+Matching fixtures: 10
+Weighted matches: 21
 Expected-match weight: 16
-Unexpected-match weight: 3
+Unexpected-match weight: 5
 Edge-case matches: 0
 Quiet-pass fixtures: 5
 Quiet-pass weight: 3.6
-By kind: command 0, plan 4, diff 4, final 1
-Fixture coverage: 9/134 (7.5% weighted)
-By verdict: pass 0, caution 3, block 6
+By kind: command 0, plan 4, diff 5, final 1
+Fixture coverage: 10/145 (7.6% weighted)
+By verdict: pass 0, caution 3, block 7
 Matched fixture samples:
   infra-public-ingress-block: Public ingress should block in low-risk-tolerance infra repos.
   node-plan-production-mode-block: Node production-mode planning should cover node-specific and sensitive-domain signals.
@@ -353,7 +353,7 @@ Preset packs:
 
 ## 13. Review Fixtures
 
-The fixture suite in `examples/fixtures/preset-review-cases.json` captures small real-usage examples with expected `pass`, `caution`, or `block` verdicts. It also includes quiet-pass `absentRuleIds` examples that prove noisy rules stay silent for safe near-misses, stack-specific coverage for every built-in preset, quiet-pass boundaries across built-in, structural, custom, and preset/config-derived rules, and second firing examples for preset blocked-command rules. These examples are run by `npm test`, so preset tuning changes stay visible.
+The fixture suite in `examples/fixtures/preset-review-cases.json` captures small real-usage examples with expected `pass`, `caution`, or `block` verdicts. It also includes quiet-pass `absentRuleIds` examples that prove noisy rules stay silent for safe near-misses, stack-specific coverage for every built-in preset, quiet-pass boundaries across built-in, structural, custom, and preset/config-derived rules, second firing examples for preset blocked-command rules, and second examples for AI/API and framework custom rules. These examples are run by `npm test`, so preset tuning changes stay visible.
 
 Maintainers can run `npm run fixtures:report` to see coverage by verdict, kind, preset, rule family, and preset slice. The report also includes a `Curation next` section that points at the next useful fixture batch, such as thin rules, no-pass evidence, rule-family gaps, or lower-count presets.
 

package/docs/RELEASE_NOTES_v0.1.62.md

@@ -0,0 +1,34 @@
+# Memento Mori Jester v0.1.62
+
+This release continues the fixture precision work from v0.1.61, focusing on the remaining AI/API custom-rule thin examples surfaced by `npm run fixtures:report`. It does not change review logic, scoring, matching, CLI output shape, MCP tools, GitHub Action behavior, or release automation.
+
+## What Changed
+
+- Added 4 fixture cases, growing the corpus from 134 to 138 fixtures.
+- Added second firing examples for:
+  - `custom-ai-model-output-execution`
+  - `custom-ai-public-provider-key`
+  - `custom-api-raw-sql-user-input`
+  - `custom-api-webhook-signature-disabled`
+- Reduced total thin fixture coverage from 21 rules to 16.
+- Removed the AI/API custom-rule items from the custom-rule thin coverage list.
+
+## Public Interface
+
+- No CLI command changes.
+- No config schema changes.
+- No rule matching, scoring, or verdict behavior changes.
+- No MCP, playground, GitHub Action, or npm publishing changes.
+
+## Release Validation
+
+```powershell
+npm.cmd test
+npm.cmd run demo:svg:check
+npm.cmd run fixtures:report
+npm.cmd run fixtures:report -- --json
+npm.cmd run pack:dry
+git diff --check
+node .\dist\cli.js tune coverage --no-config
+git diff | node .\dist\cli.js diff --fail-on block --subject "v0.1.62 AI/API fixture precision"
+```

package/docs/RELEASE_NOTES_v0.1.63.md

@@ -0,0 +1,37 @@
+# Memento Mori Jester v0.1.63
+
+This release completes the current custom-rule fixture precision pass. It adds second firing examples for the remaining framework custom-rule thin cases surfaced by `npm run fixtures:report`. It does not change review logic, scoring, matching, CLI output shape, MCP tools, GitHub Action behavior, or release automation.
+
+## What Changed
+
+- Added 7 fixture cases, growing the corpus from 138 to 145 fixtures.
+- Added second firing examples for:
+  - `custom-broad-cors`
+  - `custom-infra-public-exposure`
+  - `custom-insecure-tls-disabled`
+  - `custom-node-env-production-change`
+  - `custom-python-eval-exec`
+  - `custom-python-pickle-load`
+  - `custom-web-storage-sensitive-value`
+- Cleared custom-rule thin coverage entirely in `npm run fixtures:report`.
+- Reduced total thin fixture coverage from 16 rules to 7.
+
+## Public Interface
+
+- No CLI command changes.
+- No config schema changes.
+- No rule matching, scoring, or verdict behavior changes.
+- No MCP, playground, GitHub Action, or npm publishing changes.
+
+## Release Validation
+
+```powershell
+npm.cmd test
+npm.cmd run demo:svg:check
+npm.cmd run fixtures:report
+npm.cmd run fixtures:report -- --json
+npm.cmd run pack:dry
+git diff --check
+node .\dist\cli.js tune coverage --no-config
+git diff | node .\dist\cli.js diff --fail-on block --subject "v0.1.63 framework fixture precision"
+```

package/examples/fixtures/README.md

@@ -17,6 +17,8 @@ Maintainer triage guidance lives in [docs/MAINTAINER_TRIAGE.md](../../docs/MAINT
 - Quiet-pass boundaries for thin custom, configured sensitive-domain, and preset blocked-command rules.
 - Quiet-pass boundaries for built-in and structural rules such as missing verification, TypeScript suppressions, large removals, wildcard operations, destructive commands, and untested finals.
 - Second firing examples for preset blocked-command rules and high-value stack-specific sensitive-domain rules.
+- Second firing examples for AI and API custom rules around provider keys, model-output execution, raw SQL, and webhook signature checks.
+- Second firing examples for remaining framework custom rules across security, infra, node, python, and web presets.
 - Fixture metadata like `weight` and `edgeCase` to support precision-weighted tuning evidence.
 
 ## Local Check

package/examples/fixtures/preset-review-cases.json

@@ -134,6 +134,31 @@
       "configured-sensitive-domain-webhook"
     ]
   },
+  {
+    "id": "api-raw-sql-body-diff-block",
+    "preset": "api",
+    "kind": "diff",
+    "description": "Raw SQL built from request body input should give API SQL-injection coverage a second example.",
+    "content": "diff --git a/src/search.ts b/src/search.ts\n--- a/src/search.ts\n+++ b/src/search.ts\n@@ -1 +1,2 @@\n+const rows = await db.raw(req.body.filter);\n",
+    "expectedVerdict": "block",
+    "weight": 2,
+    "expectedRuleIds": [
+      "custom-api-raw-sql-user-input"
+    ]
+  },
+  {
+    "id": "api-webhook-signature-diff-block",
+    "preset": "api",
+    "kind": "diff",
+    "description": "Disabling webhook signature verification in a diff should give webhook coverage a second example.",
+    "content": "diff --git a/src/webhooks.ts b/src/webhooks.ts\n--- a/src/webhooks.ts\n+++ b/src/webhooks.ts\n@@ -1 +1,2 @@\n+// webhook replay path should skip signature verification during tests\n",
+    "expectedVerdict": "block",
+    "weight": 2,
+    "expectedRuleIds": [
+      "custom-api-webhook-signature-disabled",
+      "configured-sensitive-domain-webhook"
+    ]
+  },
   {
     "id": "api-migrate-reset-command-block",
     "preset": "api",
@@ -264,6 +289,30 @@
       "custom-ai-public-provider-key"
     ]
   },
+  {
+    "id": "ai-public-openai-key-diff-block",
+    "preset": "ai",
+    "kind": "diff",
+    "description": "Client-exposed OpenAI key names should give AI provider-key coverage a second example.",
+    "content": "diff --git a/src/env.ts b/src/env.ts\n--- a/src/env.ts\n+++ b/src/env.ts\n@@ -1 +1,2 @@\n+export const publicKeyName = \"VITE_OPENAI_API_KEY\";\n",
+    "expectedVerdict": "block",
+    "weight": 2,
+    "expectedRuleIds": [
+      "custom-ai-public-provider-key"
+    ]
+  },
+  {
+    "id": "ai-model-output-shell-plan-block",
+    "preset": "ai",
+    "kind": "plan",
+    "description": "Executing generated model text through child_process should give model-output execution a second example.",
+    "content": "Run child_process.exec on generatedText after the model chooses a maintenance command and log the smoke test.",
+    "expectedVerdict": "block",
+    "weight": 2,
+    "expectedRuleIds": [
+      "custom-ai-model-output-execution"
+    ]
+  },
   {
     "id": "ai-evals-skipped-final-block",
     "preset": "ai",
@@ -1272,6 +1321,93 @@
       "configured-sensitive-domain-iam"
     ]
   },
+  {
+    "id": "sec-broad-cors-plan-block",
+    "preset": "security",
+    "kind": "plan",
+    "description": "Wildcard CORS planning should give the security preset broad-CORS rule a second firing example.",
+    "content": "Set cors({ origin: \"*\" }) for the admin preview after running the browser smoke test.",
+    "expectedVerdict": "block",
+    "weight": 2,
+    "expectedRuleIds": [
+      "custom-broad-cors",
+      "configured-sensitive-domain-cors"
+    ]
+  },
+  {
+    "id": "infra-public-bucket-plan-block",
+    "preset": "infra",
+    "kind": "plan",
+    "description": "Public bucket planning should give infra public-exposure coverage a second example.",
+    "content": "Set public_access_block = false for the artifact bucket after checking the reviewed plan output.",
+    "expectedVerdict": "block",
+    "weight": 2,
+    "expectedRuleIds": [
+      "custom-infra-public-exposure"
+    ]
+  },
+  {
+    "id": "sec-reject-unauthorized-diff-block",
+    "preset": "security",
+    "kind": "diff",
+    "description": "Disabling TLS verification with rejectUnauthorized should give security TLS coverage a second example.",
+    "content": "diff --git a/src/client.ts b/src/client.ts\n--- a/src/client.ts\n+++ b/src/client.ts\n@@ -1 +1,2 @@\n+const agent = new https.Agent({ rejectUnauthorized: false });\n",
+    "expectedVerdict": "block",
+    "weight": 2,
+    "expectedRuleIds": [
+      "custom-insecure-tls-disabled"
+    ]
+  },
+  {
+    "id": "node-env-production-diff-block",
+    "preset": "node",
+    "kind": "diff",
+    "description": "Production Node environment changes in diffs should give node env coverage a second example.",
+    "content": "diff --git a/scripts/smoke.sh b/scripts/smoke.sh\n--- a/scripts/smoke.sh\n+++ b/scripts/smoke.sh\n@@ -1 +1,2 @@\n+NODE_ENV=production npm run smoke\n",
+    "expectedVerdict": "block",
+    "weight": 2,
+    "expectedRuleIds": [
+      "custom-node-env-production-change",
+      "configured-sensitive-domain-production"
+    ]
+  },
+  {
+    "id": "python-exec-plan-caution",
+    "preset": "python",
+    "kind": "plan",
+    "description": "Python exec planning should give dynamic-execution coverage a second example.",
+    "content": "Use exec(user_supplied_code) for the loader helper after adding pytest coverage.",
+    "expectedVerdict": "caution",
+    "weight": 2,
+    "expectedRuleIds": [
+      "custom-python-eval-exec"
+    ]
+  },
+  {
+    "id": "python-pickle-loads-diff-caution",
+    "preset": "python",
+    "kind": "diff",
+    "description": "Python pickle.loads in a diff should give pickle deserialization coverage a second example.",
+    "content": "diff --git a/src/cache.py b/src/cache.py\n--- a/src/cache.py\n+++ b/src/cache.py\n@@ -1 +1,2 @@\n+payload = pickle.loads(request_body)\n",
+    "expectedVerdict": "caution",
+    "weight": 2,
+    "expectedRuleIds": [
+      "custom-python-pickle-load"
+    ]
+  },
+  {
+    "id": "web-session-password-storage-diff-block",
+    "preset": "web",
+    "kind": "diff",
+    "description": "Password storage in sessionStorage should give web storage coverage a second example.",
+    "content": "diff --git a/src/session.ts b/src/session.ts\n--- a/src/session.ts\n+++ b/src/session.ts\n@@ -1 +1,2 @@\n+sessionStorage.setItem(\"password\", password);\n",
+    "expectedVerdict": "block",
+    "weight": 2,
+    "expectedRuleIds": [
+      "custom-web-storage-sensitive-value",
+      "configured-sensitive-domain-session"
+    ]
+  },
   {
     "id": "node-pack-dry-run-command-pass",
     "preset": "node",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "memento-mori-jester",
-  "version": "0.1.61",
+  "version": "0.1.63",
   "description": "A local court-jester sidecar for AI coding agents: review plans, commands, diffs, and final claims before they get too pleased with themselves.",
   "type": "module",
   "repository": {