memento-mori-jester 0.1.65 → 0.1.67

package/CHANGELOG.md

@@ -4,6 +4,18 @@ All notable changes to Memento Mori Jester are tracked here.
 
 ## Unreleased
 
+## 0.1.67
+
+- Added six real-world quiet-pass fixtures for security, web, node, and python preset slices, growing the corpus to 166 fixtures.
+- Strengthened safe near-miss evidence for static analysis commands, checksum commands, accessible frontend markup, static internal links, Node linting, and Python linting.
+- Refreshed demo, roadmap, fixture docs, and release notes for the expanded preset curation batch.
+
+## 0.1.66
+
+- Added real-world preset fixtures for node, python, infra, and AI slices, growing the corpus to 160 fixtures.
+- Added Kubernetes delete coverage for the infra preset, including a second firing and a read-only near-miss so thin and quiet-pass coverage stay clean.
+- Refreshed demo, roadmap, fixture docs, and release notes for the expanded low-count preset coverage.
+
 ## 0.1.65
 
 - Added matched-pass fixtures for low-severity `vibes-based-plan` and `handwave-final` rule boundaries.

package/ROADMAP.md

@@ -6,6 +6,8 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 
 ## Recently Shipped
 
+- Security/web/node/python preset fixture curation in v0.1.67, adding real-world quiet-pass examples while keeping thin, quiet-pass, feasible pass-case, and preset-kind gaps at zero.
+- Real-world low-count preset fixture batch in v0.1.66, adding node, python, infra, and AI examples while keeping thin, quiet-pass, and feasible pass-case gaps at zero.
 - Feasible pass-case fixture curation in v0.1.65, adding matched-pass examples for low-severity tone/planning rules and stopping curation from asking for impossible pass cases on hard rules.
 - Final thin-rule fixture precision pass in v0.1.64, clearing all remaining thin coverage gaps across built-in, structural, custom, configured sensitive-domain, and blocked-command rule families.
 - Framework custom-rule fixture precision pass in v0.1.63, clearing custom-rule thin coverage and reducing total thin fixture coverage from 16 rules to 7.
@@ -54,7 +56,7 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 
 ## Product Ideas
 
-- Collect real-world reports for the lowest-count preset slices: node, python, infra, and AI.
+- Collect real-world reports for the next lowest-count preset slices: AI first, then node, python, and security.
 - Add more framework-specific false-positive examples from real reports so tuning guidance keeps getting sharper.
 - Add a Markdown export for fixture reports so maintainers can paste coverage snapshots into issues or release notes.
 

package/docs/DEMO.md

@@ -192,8 +192,8 @@ Project config: none loaded
 Fixture tuning evidence:
 Support: limited
 Confidence: medium
-Total fixtures checked: 154
-Weighted fixtures checked: 296.9
+Total fixtures checked: 166
+Weighted fixtures checked: 317.9
 Matching fixtures: 11
 Weighted matches: 23
 Expected-match weight: 18
@@ -202,7 +202,7 @@ Edge-case matches: 0
 Quiet-pass fixtures: 5
 Quiet-pass weight: 3.6
 By kind: command 0, plan 5, diff 5, final 1
-Fixture coverage: 11/154 (7.7% weighted)
+Fixture coverage: 11/166 (7.2% weighted)
 By verdict: pass 0, caution 3, block 8
 Matched fixture samples:
   infra-public-ingress-block: Public ingress should block in low-risk-tolerance infra repos.
@@ -353,7 +353,7 @@ Preset packs:
 
 ## 13. Review Fixtures
 
-The fixture suite in `examples/fixtures/preset-review-cases.json` captures small real-usage examples with expected `pass`, `caution`, or `block` verdicts. It also includes matched-pass examples for low-severity rules, quiet-pass `absentRuleIds` examples that prove noisy rules stay silent for safe near-misses, stack-specific coverage for every built-in preset, quiet-pass boundaries across built-in, structural, custom, and preset/config-derived rules, second firing examples for preset blocked-command rules, and second examples for AI/API, framework custom, built-in, and configured sensitive-domain rules. These examples are run by `npm test`, so preset tuning changes stay visible.
+The fixture suite in `examples/fixtures/preset-review-cases.json` captures small real-usage examples with expected `pass`, `caution`, or `block` verdicts. It also includes matched-pass examples for low-severity rules, quiet-pass `absentRuleIds` examples that prove noisy rules stay silent for safe near-misses, stack-specific coverage for every built-in preset, quiet-pass boundaries across built-in, structural, custom, and preset/config-derived rules, second firing examples for preset blocked-command rules, second examples for AI/API, framework custom, built-in, and configured sensitive-domain rules, and real-world low-count preset examples across node, python, web, infra, AI, and security slices. These examples are run by `npm test`, so preset tuning changes stay visible.
 
 Maintainers can run `npm run fixtures:report` to see coverage by verdict, kind, preset, rule family, and preset slice. The report also includes a `Curation next` section that points at the next useful fixture batch, such as thin rules, feasible pass-case evidence, rule-family gaps, or lower-count presets.
 

package/docs/RELEASE_NOTES_v0.1.66.md

@@ -0,0 +1,37 @@
+# Memento Mori Jester v0.1.66
+
+This release follows the fixture report's real-world preset curation guidance. It adds practical examples for low-count node, python, infra, and AI slices while preserving the cleaned-up coverage baseline from v0.1.64 and v0.1.65.
+
+## What Changed
+
+- Added 6 fixture cases, growing the corpus from 154 to 160 fixtures.
+- Added quiet real-world examples for:
+  - Node focused test commands.
+  - Python focused pytest commands.
+  - AI retrieved-context schema validation plans.
+- Added infra Kubernetes delete coverage for:
+  - `blocked-command-kubectl-delete`
+  - `custom-infra-production-change`
+- Added a read-only `kubectl get` near-miss so the new infra rules immediately have quiet-pass boundary evidence.
+- Kept thin rule coverage, quiet-pass gaps, and feasible pass-case gaps at zero.
+
+## Public Interface
+
+- No CLI command changes.
+- No config schema changes.
+- No rule matching, scoring, or verdict behavior changes.
+- No MCP, playground, GitHub Action, or npm publishing changes.
+
+## Release Validation
+
+```powershell
+npm.cmd test
+npm.cmd run demo:svg:check
+npm.cmd run fixtures:report
+npm.cmd run fixtures:report -- --json
+npm.cmd run pack:dry
+git diff --check
+node .\dist\cli.js tune coverage --no-config
+node .\dist\cli.js tune risky-domain --json --no-config
+git diff | node .\dist\cli.js diff --fail-on block --subject "v0.1.66 low-count preset fixtures"
+```

package/docs/RELEASE_NOTES_v0.1.67.md

@@ -0,0 +1,38 @@
+# Memento Mori Jester v0.1.67
+
+This release continues the fixture-report curation track. It adds practical quiet-pass examples for the lowest preset slices after v0.1.66 while keeping review behavior unchanged.
+
+## What Changed
+
+- Added 6 fixture cases, growing the corpus from 160 to 166 fixtures.
+- Added security preset quiet-pass examples for:
+  - Static analysis scan commands.
+  - Checksum verification commands.
+- Added web preset quiet-pass examples for:
+  - Accessible button markup.
+  - Static internal route links.
+- Added node and python quiet-pass examples for:
+  - Node lint commands.
+  - Python ruff checks.
+- Kept thin rule coverage, quiet-pass gaps, feasible pass-case gaps, and preset/kind gaps at zero.
+
+## Public Interface
+
+- No CLI command changes.
+- No config schema changes.
+- No rule matching, scoring, or verdict behavior changes.
+- No MCP, playground, GitHub Action, or npm publishing changes.
+
+## Release Validation
+
+```powershell
+npm.cmd test
+npm.cmd run demo:svg:check
+npm.cmd run fixtures:report
+npm.cmd run fixtures:report -- --json
+npm.cmd run pack:dry
+git diff --check
+node .\dist\cli.js tune coverage --no-config
+node .\dist\cli.js tune risky-domain --json --no-config
+git diff | node .\dist\cli.js diff --fail-on block --subject "v0.1.67 preset quiet-pass fixtures"
+```

package/examples/fixtures/README.md

@@ -21,6 +21,7 @@ Maintainer triage guidance lives in [docs/MAINTAINER_TRIAGE.md](../../docs/MAINT
 - Second firing examples for AI and API custom rules around provider keys, model-output execution, raw SQL, and webhook signature checks.
 - Second firing examples for remaining framework custom rules across security, infra, node, python, and web presets.
 - Second firing examples for remaining built-in and configured sensitive-domain thin rules, leaving no thin coverage gaps.
+- Real-world low-count preset examples for node, python, web, infra, AI, and security workflows.
 - Fixture metadata like `weight` and `edgeCase` to support precision-weighted tuning evidence.
 
 ## Local Check

package/examples/fixtures/preset-review-cases.json

@@ -1377,6 +1377,46 @@
       "blocked-command-terraform-destroy"
     ]
   },
+  {
+    "id": "infra-kubectl-delete-command-block",
+    "preset": "infra",
+    "kind": "command",
+    "description": "Kubernetes delete commands should block through the infra preset blocked-command path.",
+    "content": "kubectl delete deployment checkout-api -n staging",
+    "expectedVerdict": "block",
+    "weight": 2,
+    "expectedRuleIds": [
+      "blocked-command-kubectl-delete",
+      "custom-infra-production-change"
+    ]
+  },
+  {
+    "id": "infra-kubectl-delete-job-command-block",
+    "preset": "infra",
+    "kind": "command",
+    "description": "A second Kubernetes delete command should keep kubectl delete coverage from being thin.",
+    "content": "kubectl delete job stale-worker -n staging",
+    "expectedVerdict": "block",
+    "weight": 2,
+    "expectedRuleIds": [
+      "blocked-command-kubectl-delete",
+      "custom-infra-production-change"
+    ]
+  },
+  {
+    "id": "infra-kubectl-get-command-pass",
+    "preset": "infra",
+    "kind": "command",
+    "description": "Read-only Kubernetes inspection should not trip infra delete/apply checks.",
+    "content": "kubectl get deployment checkout-api -n staging",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-kubectl-delete",
+      "custom-infra-production-change"
+    ]
+  },
   {
     "id": "sec-chmod-recursive-secrets-command-block",
     "preset": "security",
@@ -1626,6 +1666,20 @@
       "configured-sensitive-domain-production"
     ]
   },
+  {
+    "id": "node-test-run-command-pass",
+    "preset": "node",
+    "kind": "command",
+    "description": "Focused Node test commands should give the node preset another realistic quiet command.",
+    "content": "node --test test/cli.test.js",
+    "expectedVerdict": "pass",
+    "weight": 1,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-npm-publish-force",
+      "custom-node-install-script-change"
+    ]
+  },
   {
     "id": "python-json-loader-plan-pass",
     "preset": "python",
@@ -1652,6 +1706,20 @@
       "custom-python-eval-exec"
     ]
   },
+  {
+    "id": "python-pytest-command-pass",
+    "preset": "python",
+    "kind": "command",
+    "description": "Focused pytest commands should give the python preset another realistic quiet command.",
+    "content": "python -m pytest tests/test_loader.py",
+    "expectedVerdict": "pass",
+    "weight": 1,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-pip-install-break-system-packages",
+      "custom-python-eval-exec"
+    ]
+  },
   {
     "id": "web-safe-render-plan-pass",
     "preset": "web",
@@ -1792,6 +1860,20 @@
       "configured-sensitive-domain-eval"
     ]
   },
+  {
+    "id": "ai-retrieved-context-schema-plan-pass",
+    "preset": "ai",
+    "kind": "plan",
+    "description": "Schema-checking retrieved context should give the AI preset another realistic quiet plan.",
+    "content": "Validate retrieved context against a schema before allowlisted dispatch.",
+    "expectedVerdict": "pass",
+    "weight": 1,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-ai-user-controlled-tool-dispatch",
+      "custom-ai-model-output-execution"
+    ]
+  },
   {
     "id": "sec-tls-verification-plan-pass",
     "preset": "security",
@@ -1973,5 +2055,95 @@
     "absentRuleIds": [
       "untested-final"
     ]
+  },
+  {
+    "id": "sec-semgrep-scan-command-pass",
+    "preset": "security",
+    "kind": "command",
+    "description": "Static analysis scan commands should not trip security preset danger checks.",
+    "content": "semgrep scan --config p/ci --sarif --output semgrep.sarif",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-chmod-r-777",
+      "custom-broad-cors",
+      "custom-insecure-tls-disabled"
+    ]
+  },
+  {
+    "id": "sec-checksum-command-pass",
+    "preset": "security",
+    "kind": "command",
+    "description": "Checksum verification commands should stay quiet in security preset repos.",
+    "content": "shasum -a 256 dist/memento-mori-jester.tgz",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-chmod-r-777",
+      "custom-insecure-tls-disabled",
+      "pipe-to-shell"
+    ]
+  },
+  {
+    "id": "web-accessible-button-diff-pass",
+    "preset": "web",
+    "kind": "diff",
+    "description": "Accessible button markup should not trip web HTML or storage risk checks.",
+    "content": "diff --git a/src/Button.tsx b/src/Button.tsx\n--- a/src/Button.tsx\n+++ b/src/Button.tsx\n@@ -1 +1,2 @@\n+export function SaveButton() { return <button type=\"button\" aria-label=\"Save changes\">Save</button>; }\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-web-public-secret-name",
+      "custom-web-storage-sensitive-value",
+      "custom-web-unsafe-html-injection"
+    ]
+  },
+  {
+    "id": "web-static-route-link-diff-pass",
+    "preset": "web",
+    "kind": "diff",
+    "description": "Static internal route links should not look like open redirect changes.",
+    "content": "diff --git a/src/Nav.tsx b/src/Nav.tsx\n--- a/src/Nav.tsx\n+++ b/src/Nav.tsx\n@@ -1 +1,2 @@\n+export const settingsHref = \"/settings/profile\";\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-web-open-redirect-shape",
+      "custom-web-public-secret-name",
+      "custom-web-storage-sensitive-value"
+    ]
+  },
+  {
+    "id": "node-lint-command-pass",
+    "preset": "node",
+    "kind": "command",
+    "description": "Node lint commands should stay quiet around install-script and publish checks.",
+    "content": "npm run lint -- --max-warnings=0",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-npm-publish-force",
+      "custom-node-install-script-change",
+      "custom-node-env-production-change"
+    ]
+  },
+  {
+    "id": "python-ruff-check-command-pass",
+    "preset": "python",
+    "kind": "command",
+    "description": "Python lint commands should not trip eval, pickle, or break-system package checks.",
+    "content": "python -m ruff check src tests",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-pip-install-break-system-packages",
+      "custom-python-eval-exec",
+      "custom-python-pickle-load"
+    ]
   }
 ]

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "memento-mori-jester",
-  "version": "0.1.65",
+  "version": "0.1.67",
   "description": "A local court-jester sidecar for AI coding agents: review plans, commands, diffs, and final claims before they get too pleased with themselves.",
   "type": "module",
   "repository": {