memento-mori-jester 0.1.68 → 0.1.70

package/CHANGELOG.md

@@ -4,6 +4,18 @@ All notable changes to Memento Mori Jester are tracked here.
 
 ## Unreleased
 
+## 0.1.70
+
+- Added six infra quiet-pass fixtures, growing the corpus to 184 fixtures.
+- Strengthened safe near-miss evidence for read-only Kubernetes inspection, Docker disk usage, Terraform linting, and disabling public IP assignment.
+- Refreshed demo, roadmap, fixture docs, and release notes for the infra-focused curation batch.
+
+## 0.1.69
+
+- Added eight real-world quiet-pass fixtures across node, python, security, and web preset slices, growing the corpus to 178 fixtures.
+- Strengthened safe near-miss evidence for typecheck/prebuild scripts, mypy/dataclass parsing, CodeQL/Dependabot checks, form validation, and image alt text.
+- Refreshed demo, roadmap, fixture docs, and release notes for the expanded preset curation batch.
+
 ## 0.1.68
 
 - Added AI preset fixtures for user-controlled tool dispatch from request body and URL search parameter inputs.

package/ROADMAP.md

@@ -6,6 +6,8 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 
 ## Recently Shipped
 
+- Infra preset fixture curation in v0.1.70, adding six quiet-pass operational examples for read-only Kubernetes, Docker, Terraform linting, and public-IP hardening changes.
+- Node/python/security/web preset fixture curation in v0.1.69, adding eight quiet-pass real-world examples while keeping all fixture coverage gates clean.
 - AI tool-dispatch fixture curation in v0.1.68, adding request-body and URL-parameter caution examples plus allowlist/schema quiet-pass boundaries.
 - Security/web/node/python preset fixture curation in v0.1.67, adding real-world quiet-pass examples while keeping thin, quiet-pass, feasible pass-case, and preset-kind gaps at zero.
 - Real-world low-count preset fixture batch in v0.1.66, adding node, python, infra, and AI examples while keeping thin, quiet-pass, and feasible pass-case gaps at zero.

package/docs/DEMO.md

@@ -192,8 +192,8 @@ Project config: none loaded
 Fixture tuning evidence:
 Support: limited
 Confidence: medium
-Total fixtures checked: 170
-Weighted fixtures checked: 325.9
+Total fixtures checked: 184
+Weighted fixtures checked: 353.9
 Matching fixtures: 11
 Weighted matches: 23
 Expected-match weight: 18
@@ -202,7 +202,7 @@ Edge-case matches: 0
 Quiet-pass fixtures: 5
 Quiet-pass weight: 3.6
 By kind: command 0, plan 5, diff 5, final 1
-Fixture coverage: 11/170 (7.1% weighted)
+Fixture coverage: 11/184 (6.5% weighted)
 By verdict: pass 0, caution 3, block 8
 Matched fixture samples:
   infra-public-ingress-block: Public ingress should block in low-risk-tolerance infra repos.
@@ -353,7 +353,7 @@ Preset packs:
 
 ## 13. Review Fixtures
 
-The fixture suite in `examples/fixtures/preset-review-cases.json` captures small real-usage examples with expected `pass`, `caution`, or `block` verdicts. It also includes matched-pass examples for low-severity rules, quiet-pass `absentRuleIds` examples that prove noisy rules stay silent for safe near-misses, stack-specific coverage for every built-in preset, quiet-pass boundaries across built-in, structural, custom, and preset/config-derived rules, second firing examples for preset blocked-command rules, second examples for AI/API, framework custom, built-in, and configured sensitive-domain rules, AI tool-dispatch examples with safe allowlist/schema boundaries, and real-world low-count preset examples across node, python, web, infra, AI, and security slices. These examples are run by `npm test`, so preset tuning changes stay visible.
+The fixture suite in `examples/fixtures/preset-review-cases.json` captures small real-usage examples with expected `pass`, `caution`, or `block` verdicts. It also includes matched-pass examples for low-severity rules, quiet-pass `absentRuleIds` examples that prove noisy rules stay silent for safe near-misses, stack-specific coverage for every built-in preset, quiet-pass boundaries across built-in, structural, custom, and preset/config-derived rules, second firing examples for preset blocked-command rules, second examples for AI/API, framework custom, built-in, and configured sensitive-domain rules, AI tool-dispatch examples with safe allowlist/schema boundaries, and real-world low-count preset examples across node, python, web, infra, AI, and security slices. Recent quiet-pass examples cover typechecks, prebuild scripts, mypy, dataclass parsing, CodeQL, Dependabot limits, form validation, accessibility copy, read-only Kubernetes inspection, Docker disk usage, Terraform linting, and public-IP hardening changes. These examples are run by `npm test`, so preset tuning changes stay visible.
 
 Maintainers can run `npm run fixtures:report` to see coverage by verdict, kind, preset, rule family, and preset slice. The report also includes a `Curation next` section that points at the next useful fixture batch, such as thin rules, feasible pass-case evidence, rule-family gaps, or lower-count presets.
 

package/docs/RELEASE_NOTES_v0.1.69.md

@@ -0,0 +1,41 @@
+# Memento Mori Jester v0.1.69
+
+This release continues the fixture-report curation track for the next lowest preset slices: node, python, security, and web. It adds practical quiet-pass examples only; review behavior is unchanged.
+
+## What Changed
+
+- Added 8 fixture cases, growing the corpus from 170 to 178 fixtures.
+- Added node quiet-pass examples for:
+  - Typecheck commands.
+  - Non-install prebuild scripts.
+- Added python quiet-pass examples for:
+  - Mypy commands.
+  - Dataclass parsing changes.
+- Added security quiet-pass examples for:
+  - CodeQL workflow commands.
+  - Dependabot limit changes.
+- Added web quiet-pass examples for:
+  - Client-side form validation copy.
+  - Accessible image alt text.
+- Kept thin rule coverage, quiet-pass gaps, feasible pass-case gaps, and preset/kind gaps at zero.
+
+## Public Interface
+
+- No CLI command changes.
+- No config schema changes.
+- No rule matching, scoring, or verdict behavior changes.
+- No MCP, playground, GitHub Action, or npm publishing changes.
+
+## Release Validation
+
+```powershell
+npm.cmd test
+npm.cmd run demo:svg:check
+npm.cmd run fixtures:report
+npm.cmd run fixtures:report -- --json
+npm.cmd run pack:dry
+git diff --check
+node .\dist\cli.js tune coverage --no-config
+node .\dist\cli.js tune risky-domain --json --no-config
+git diff | node .\dist\cli.js diff --fail-on block --subject "v0.1.69 preset quiet-pass curation"
+```

package/docs/RELEASE_NOTES_v0.1.70.md

@@ -0,0 +1,36 @@
+# Memento Mori Jester v0.1.70
+
+This release follows the fixture report's infra-first curation guidance. It adds practical quiet-pass infra examples only; review behavior is unchanged.
+
+## What Changed
+
+- Added 6 fixture cases, growing the corpus from 178 to 184 fixtures.
+- Added infra quiet-pass examples for:
+  - `kubectl diff`.
+  - `kubectl logs`.
+  - `kubectl describe`.
+  - Docker disk-usage inspection.
+  - Terraform linting.
+  - Disabling automatic public IP assignment.
+- Kept thin rule coverage, quiet-pass gaps, feasible pass-case gaps, and preset/kind gaps at zero.
+
+## Public Interface
+
+- No CLI command changes.
+- No config schema changes.
+- No rule matching, scoring, or verdict behavior changes.
+- No MCP, playground, GitHub Action, or npm publishing changes.
+
+## Release Validation
+
+```powershell
+npm.cmd test
+npm.cmd run demo:svg:check
+npm.cmd run fixtures:report
+npm.cmd run fixtures:report -- --json
+npm.cmd run pack:dry
+git diff --check
+node .\dist\cli.js tune coverage --no-config
+node .\dist\cli.js tune risky-domain --json --no-config
+git diff | node .\dist\cli.js diff --fail-on block --subject "v0.1.70 infra quiet-pass curation"
+```

package/examples/fixtures/README.md

@@ -23,6 +23,8 @@ Maintainer triage guidance lives in [docs/MAINTAINER_TRIAGE.md](../../docs/MAINT
 - Second firing examples for remaining framework custom rules across security, infra, node, python, and web presets.
 - Second firing examples for remaining built-in and configured sensitive-domain thin rules, leaving no thin coverage gaps.
 - Real-world low-count preset examples for node, python, web, infra, AI, and security workflows.
+- Quiet-pass examples for typechecking, prebuild scripts, mypy, dataclass parsing, CodeQL, Dependabot limits, form validation, and accessibility copy.
+- Quiet-pass examples for read-only Kubernetes inspection, Docker disk usage, Terraform linting, and public-IP hardening changes.
 - Fixture metadata like `weight` and `edgeCase` to support precision-weighted tuning evidence.
 
 ## Local Check

package/examples/fixtures/preset-review-cases.json

@@ -2195,5 +2195,205 @@
     "absentRuleIds": [
       "custom-ai-model-output-execution"
     ]
+  },
+  {
+    "id": "node-typecheck-command-pass",
+    "preset": "node",
+    "kind": "command",
+    "description": "Node typecheck commands should stay quiet around production and install-script checks.",
+    "content": "npm run typecheck",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-npm-publish-force",
+      "custom-node-env-production-change",
+      "custom-node-install-script-change"
+    ]
+  },
+  {
+    "id": "node-prebuild-script-diff-pass",
+    "preset": "node",
+    "kind": "diff",
+    "description": "Non-install prebuild scripts should not trip node install lifecycle checks.",
+    "content": "diff --git a/package.json b/package.json\n--- a/package.json\n+++ b/package.json\n@@ -3,6 +3,7 @@\n   \"scripts\": {\n+    \"prebuild\": \"node scripts/check-env.js\",\n     \"build\": \"tsc -p tsconfig.json\"\n   }\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-node-install-script-change",
+      "package-install-script"
+    ]
+  },
+  {
+    "id": "python-mypy-command-pass",
+    "preset": "python",
+    "kind": "command",
+    "description": "Python type-checking commands should not trip eval, pickle, or package-install checks.",
+    "content": "python -m mypy src tests",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-pip-install-break-system-packages",
+      "custom-python-eval-exec",
+      "custom-python-pickle-load"
+    ]
+  },
+  {
+    "id": "python-dataclass-diff-pass",
+    "preset": "python",
+    "kind": "diff",
+    "description": "Typed Python dataclass parsing should stay quiet around dynamic execution checks.",
+    "content": "diff --git a/src/models.py b/src/models.py\n--- a/src/models.py\n+++ b/src/models.py\n@@ -1 +1,2 @@\n+@dataclass(frozen=True)\n+class ParsedEvent: pass\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-python-eval-exec",
+      "custom-python-pickle-load"
+    ]
+  },
+  {
+    "id": "sec-codeql-command-pass",
+    "preset": "security",
+    "kind": "command",
+    "description": "Running CodeQL workflow checks should stay quiet in security preset repos.",
+    "content": "gh workflow run codeql.yml",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-chmod-r-777",
+      "custom-broad-cors",
+      "custom-insecure-tls-disabled"
+    ]
+  },
+  {
+    "id": "sec-dependabot-config-diff-pass",
+    "preset": "security",
+    "kind": "diff",
+    "description": "Dependabot limit changes should not trip TLS, CORS, or permission checks.",
+    "content": "diff --git a/.github/dependabot.yml b/.github/dependabot.yml\n--- a/.github/dependabot.yml\n+++ b/.github/dependabot.yml\n@@ -1 +1,2 @@\n+open-pull-requests-limit: 5\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-broad-cors",
+      "custom-insecure-tls-disabled",
+      "chmod-777"
+    ]
+  },
+  {
+    "id": "web-form-validation-diff-pass",
+    "preset": "web",
+    "kind": "diff",
+    "description": "Client-side validation copy should not trip storage, HTML, or redirect checks.",
+    "content": "diff --git a/src/Form.tsx b/src/Form.tsx\n--- a/src/Form.tsx\n+++ b/src/Form.tsx\n@@ -1 +1,2 @@\n+const emailError = email.includes(\"@\") ? null : \"Enter a valid email\";\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-web-open-redirect-shape",
+      "custom-web-storage-sensitive-value",
+      "custom-web-unsafe-html-injection"
+    ]
+  },
+  {
+    "id": "web-image-alt-diff-pass",
+    "preset": "web",
+    "kind": "diff",
+    "description": "Accessible image alt text should stay quiet around web risk checks.",
+    "content": "diff --git a/src/Hero.tsx b/src/Hero.tsx\n--- a/src/Hero.tsx\n+++ b/src/Hero.tsx\n@@ -1 +1,2 @@\n+export const heroAlt = \"Product dashboard overview\";\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-web-open-redirect-shape",
+      "custom-web-public-secret-name",
+      "custom-web-unsafe-html-injection"
+    ]
+  },
+  {
+    "id": "infra-kubectl-diff-command-pass",
+    "preset": "infra",
+    "kind": "command",
+    "description": "Read-only Kubernetes diff commands should not trip delete or apply-style infra checks.",
+    "content": "kubectl diff -f k8s/deployment.yaml",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-kubectl-delete",
+      "custom-infra-production-change"
+    ]
+  },
+  {
+    "id": "infra-kubectl-logs-command-pass",
+    "preset": "infra",
+    "kind": "command",
+    "description": "Kubernetes log inspection should stay quiet around destructive infra commands.",
+    "content": "kubectl logs deployment/api --tail=100",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-kubectl-delete",
+      "custom-infra-production-change"
+    ]
+  },
+  {
+    "id": "infra-docker-system-df-command-pass",
+    "preset": "infra",
+    "kind": "command",
+    "description": "Docker disk-usage inspection should not trip destructive prune checks.",
+    "content": "docker system df",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-infra-production-change"
+    ]
+  },
+  {
+    "id": "infra-kubectl-describe-command-pass",
+    "preset": "infra",
+    "kind": "command",
+    "description": "Kubernetes describe commands should stay quiet around delete checks.",
+    "content": "kubectl describe deployment api",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-kubectl-delete",
+      "custom-infra-production-change"
+    ]
+  },
+  {
+    "id": "infra-tflint-command-pass",
+    "preset": "infra",
+    "kind": "command",
+    "description": "Terraform linting commands should not trip terraform destroy checks.",
+    "content": "tflint --chdir=infra",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-terraform-destroy",
+      "custom-infra-production-change"
+    ]
+  },
+  {
+    "id": "infra-public-ip-disabled-diff-pass",
+    "preset": "infra",
+    "kind": "diff",
+    "description": "Disabling automatic public IP assignment should stay quiet around public exposure checks.",
+    "content": "diff --git a/infra/network.tf b/infra/network.tf\n--- a/infra/network.tf\n+++ b/infra/network.tf\n@@ -1 +1,2 @@\n+map_public_ip_on_launch = false\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-infra-public-exposure"
+    ]
   }
 ]

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "memento-mori-jester",
-  "version": "0.1.68",
+  "version": "0.1.70",
   "description": "A local court-jester sidecar for AI coding agents: review plans, commands, diffs, and final claims before they get too pleased with themselves.",
   "type": "module",
   "repository": {