memento-mori-jester 0.1.69 → 0.1.71

package/CHANGELOG.md

@@ -4,6 +4,19 @@ All notable changes to Memento Mori Jester are tracked here.
 
 ## Unreleased
 
+## 0.1.71
+
+- Added six Node quiet-pass fixtures, growing the corpus to 190 fixtures.
+- Strengthened safe near-miss evidence for npm audit/outdated/ci, development-mode Node commands, package export maps, and workspace test scripts.
+- Added a repo-local X demo video asset under `promo/x-demo-v0.1.70` while keeping it outside the npm package.
+- Refreshed demo, roadmap, fixture docs, and release notes for the Node-focused curation batch.
+
+## 0.1.70
+
+- Added six infra quiet-pass fixtures, growing the corpus to 184 fixtures.
+- Strengthened safe near-miss evidence for read-only Kubernetes inspection, Docker disk usage, Terraform linting, and disabling public IP assignment.
+- Refreshed demo, roadmap, fixture docs, and release notes for the infra-focused curation batch.
+
 ## 0.1.69
 
 - Added eight real-world quiet-pass fixtures across node, python, security, and web preset slices, growing the corpus to 178 fixtures.

package/ROADMAP.md

@@ -6,6 +6,8 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 
 ## Recently Shipped
 
+- Node preset fixture curation in v0.1.71, adding six quiet-pass examples for npm audit/outdated/ci, development-mode Node commands, package export maps, and workspace test scripts, plus a repo-local X demo video asset.
+- Infra preset fixture curation in v0.1.70, adding six quiet-pass operational examples for read-only Kubernetes, Docker, Terraform linting, and public-IP hardening changes.
 - Node/python/security/web preset fixture curation in v0.1.69, adding eight quiet-pass real-world examples while keeping all fixture coverage gates clean.
 - AI tool-dispatch fixture curation in v0.1.68, adding request-body and URL-parameter caution examples plus allowlist/schema quiet-pass boundaries.
 - Security/web/node/python preset fixture curation in v0.1.67, adding real-world quiet-pass examples while keeping thin, quiet-pass, feasible pass-case, and preset-kind gaps at zero.
@@ -58,7 +60,7 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 
 ## Product Ideas
 
-- Collect real-world reports for the next lowest-count preset slices: infra first, then node, python, and security.
+- Collect real-world reports for the next lowest-count preset slices: python, security, then web.
 - Add more framework-specific false-positive examples from real reports so tuning guidance keeps getting sharper.
 - Add a Markdown export for fixture reports so maintainers can paste coverage snapshots into issues or release notes.
 

package/docs/DEMO.md

@@ -192,8 +192,8 @@ Project config: none loaded
 Fixture tuning evidence:
 Support: limited
 Confidence: medium
-Total fixtures checked: 178
-Weighted fixtures checked: 341.9
+Total fixtures checked: 190
+Weighted fixtures checked: 365.9
 Matching fixtures: 11
 Weighted matches: 23
 Expected-match weight: 18
@@ -202,7 +202,7 @@ Edge-case matches: 0
 Quiet-pass fixtures: 5
 Quiet-pass weight: 3.6
 By kind: command 0, plan 5, diff 5, final 1
-Fixture coverage: 11/178 (6.7% weighted)
+Fixture coverage: 11/190 (6.3% weighted)
 By verdict: pass 0, caution 3, block 8
 Matched fixture samples:
   infra-public-ingress-block: Public ingress should block in low-risk-tolerance infra repos.
@@ -353,7 +353,7 @@ Preset packs:
 
 ## 13. Review Fixtures
 
-The fixture suite in `examples/fixtures/preset-review-cases.json` captures small real-usage examples with expected `pass`, `caution`, or `block` verdicts. It also includes matched-pass examples for low-severity rules, quiet-pass `absentRuleIds` examples that prove noisy rules stay silent for safe near-misses, stack-specific coverage for every built-in preset, quiet-pass boundaries across built-in, structural, custom, and preset/config-derived rules, second firing examples for preset blocked-command rules, second examples for AI/API, framework custom, built-in, and configured sensitive-domain rules, AI tool-dispatch examples with safe allowlist/schema boundaries, and real-world low-count preset examples across node, python, web, infra, AI, and security slices. Recent quiet-pass examples cover typechecks, prebuild scripts, mypy, dataclass parsing, CodeQL, Dependabot limits, form validation, and accessibility copy. These examples are run by `npm test`, so preset tuning changes stay visible.
+The fixture suite in `examples/fixtures/preset-review-cases.json` captures small real-usage examples with expected `pass`, `caution`, or `block` verdicts. It also includes matched-pass examples for low-severity rules, quiet-pass `absentRuleIds` examples that prove noisy rules stay silent for safe near-misses, stack-specific coverage for every built-in preset, quiet-pass boundaries across built-in, structural, custom, and preset/config-derived rules, second firing examples for preset blocked-command rules, second examples for AI/API, framework custom, built-in, and configured sensitive-domain rules, AI tool-dispatch examples with safe allowlist/schema boundaries, and real-world low-count preset examples across node, python, web, infra, AI, and security slices. Recent quiet-pass examples cover typechecks, prebuild scripts, mypy, dataclass parsing, CodeQL, Dependabot limits, form validation, accessibility copy, read-only Kubernetes inspection, Docker disk usage, Terraform linting, public-IP hardening changes, npm audit/outdated/ci, development-mode Node commands, package export maps, and workspace test scripts. These examples are run by `npm test`, so preset tuning changes stay visible.
 
 Maintainers can run `npm run fixtures:report` to see coverage by verdict, kind, preset, rule family, and preset slice. The report also includes a `Curation next` section that points at the next useful fixture batch, such as thin rules, feasible pass-case evidence, rule-family gaps, or lower-count presets.
 

package/docs/RELEASE_NOTES_v0.1.70.md

@@ -0,0 +1,36 @@
+# Memento Mori Jester v0.1.70
+
+This release follows the fixture report's infra-first curation guidance. It adds practical quiet-pass infra examples only; review behavior is unchanged.
+
+## What Changed
+
+- Added 6 fixture cases, growing the corpus from 178 to 184 fixtures.
+- Added infra quiet-pass examples for:
+  - `kubectl diff`.
+  - `kubectl logs`.
+  - `kubectl describe`.
+  - Docker disk-usage inspection.
+  - Terraform linting.
+  - Disabling automatic public IP assignment.
+- Kept thin rule coverage, quiet-pass gaps, feasible pass-case gaps, and preset/kind gaps at zero.
+
+## Public Interface
+
+- No CLI command changes.
+- No config schema changes.
+- No rule matching, scoring, or verdict behavior changes.
+- No MCP, playground, GitHub Action, or npm publishing changes.
+
+## Release Validation
+
+```powershell
+npm.cmd test
+npm.cmd run demo:svg:check
+npm.cmd run fixtures:report
+npm.cmd run fixtures:report -- --json
+npm.cmd run pack:dry
+git diff --check
+node .\dist\cli.js tune coverage --no-config
+node .\dist\cli.js tune risky-domain --json --no-config
+git diff | node .\dist\cli.js diff --fail-on block --subject "v0.1.70 infra quiet-pass curation"
+```

package/docs/RELEASE_NOTES_v0.1.71.md

@@ -0,0 +1,39 @@
+# Memento Mori Jester v0.1.71
+
+## Summary
+
+This release continues fixture-report curation for the Node preset and adds a repo-local X demo video asset. Review behavior, rule matching, scoring, MCP behavior, and release automation are unchanged.
+
+## Changes
+
+- Added six Node quiet-pass fixtures:
+  - `npm audit --audit-level=high`
+  - `npm outdated --long`
+  - `npm ci --ignore-scripts`
+  - `NODE_ENV=development npm test`
+  - package export map diffs
+  - workspace test script diffs
+- Grew the fixture corpus from 184 to 190 examples.
+- Added editable HyperFrames source and a final vertical MP4 under `promo/x-demo-v0.1.70`.
+- Kept `promo/` outside the npm package `files` list so the published CLI remains small.
+
+## Public Interface
+
+- No CLI command changes.
+- No config schema changes.
+- No rule matching, scoring, or verdict behavior changes.
+- No MCP, playground, GitHub Action, or npm publishing changes.
+- New repo-local promo files live under `promo/`, which is not included in the npm package.
+
+## Release Validation
+
+```powershell
+npm.cmd test
+npm.cmd run demo:svg:check
+npm.cmd run fixtures:report -- --json
+npm.cmd run pack:dry
+git diff --check
+node .\dist\cli.js tune coverage --no-config
+node .\dist\cli.js tune risky-domain --json --no-config
+git diff | node .\dist\cli.js diff --fail-on block --subject "v0.1.71 node quiet-pass curation and promo asset"
+```

package/examples/fixtures/README.md

@@ -24,6 +24,8 @@ Maintainer triage guidance lives in [docs/MAINTAINER_TRIAGE.md](../../docs/MAINT
 - Second firing examples for remaining built-in and configured sensitive-domain thin rules, leaving no thin coverage gaps.
 - Real-world low-count preset examples for node, python, web, infra, AI, and security workflows.
 - Quiet-pass examples for typechecking, prebuild scripts, mypy, dataclass parsing, CodeQL, Dependabot limits, form validation, and accessibility copy.
+- Quiet-pass examples for read-only Kubernetes inspection, Docker disk usage, Terraform linting, and public-IP hardening changes.
+- Quiet-pass examples for npm audit/outdated/ci, development-mode Node commands, package export maps, and workspace test scripts.
 - Fixture metadata like `weight` and `edgeCase` to support precision-weighted tuning evidence.
 
 ## Local Check

package/examples/fixtures/preset-review-cases.json

@@ -2313,5 +2313,176 @@
       "custom-web-public-secret-name",
       "custom-web-unsafe-html-injection"
     ]
+  },
+  {
+    "id": "infra-kubectl-diff-command-pass",
+    "preset": "infra",
+    "kind": "command",
+    "description": "Read-only Kubernetes diff commands should not trip delete or apply-style infra checks.",
+    "content": "kubectl diff -f k8s/deployment.yaml",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-kubectl-delete",
+      "custom-infra-production-change"
+    ]
+  },
+  {
+    "id": "infra-kubectl-logs-command-pass",
+    "preset": "infra",
+    "kind": "command",
+    "description": "Kubernetes log inspection should stay quiet around destructive infra commands.",
+    "content": "kubectl logs deployment/api --tail=100",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-kubectl-delete",
+      "custom-infra-production-change"
+    ]
+  },
+  {
+    "id": "infra-docker-system-df-command-pass",
+    "preset": "infra",
+    "kind": "command",
+    "description": "Docker disk-usage inspection should not trip destructive prune checks.",
+    "content": "docker system df",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-infra-production-change"
+    ]
+  },
+  {
+    "id": "infra-kubectl-describe-command-pass",
+    "preset": "infra",
+    "kind": "command",
+    "description": "Kubernetes describe commands should stay quiet around delete checks.",
+    "content": "kubectl describe deployment api",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-kubectl-delete",
+      "custom-infra-production-change"
+    ]
+  },
+  {
+    "id": "infra-tflint-command-pass",
+    "preset": "infra",
+    "kind": "command",
+    "description": "Terraform linting commands should not trip terraform destroy checks.",
+    "content": "tflint --chdir=infra",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-terraform-destroy",
+      "custom-infra-production-change"
+    ]
+  },
+  {
+    "id": "infra-public-ip-disabled-diff-pass",
+    "preset": "infra",
+    "kind": "diff",
+    "description": "Disabling automatic public IP assignment should stay quiet around public exposure checks.",
+    "content": "diff --git a/infra/network.tf b/infra/network.tf\n--- a/infra/network.tf\n+++ b/infra/network.tf\n@@ -1 +1,2 @@\n+map_public_ip_on_launch = false\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-infra-public-exposure"
+    ]
+  },
+  {
+    "id": "node-npm-audit-command-pass",
+    "preset": "node",
+    "kind": "command",
+    "description": "npm audit commands should stay quiet around publish, production, and install-script checks.",
+    "content": "npm audit --audit-level=high",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-npm-publish-force",
+      "custom-node-env-production-change",
+      "custom-node-install-script-change"
+    ]
+  },
+  {
+    "id": "node-npm-outdated-command-pass",
+    "preset": "node",
+    "kind": "command",
+    "description": "npm outdated inspection should not look like forced publishing or install-script changes.",
+    "content": "npm outdated --long",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-npm-publish-force",
+      "custom-node-env-production-change",
+      "custom-node-install-script-change"
+    ]
+  },
+  {
+    "id": "node-npm-ci-ignore-scripts-command-pass",
+    "preset": "node",
+    "kind": "command",
+    "description": "Installing locked dependencies with scripts disabled should stay quiet for node preset guards.",
+    "content": "npm ci --ignore-scripts",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-npm-publish-force",
+      "custom-node-env-production-change",
+      "custom-node-install-script-change"
+    ]
+  },
+  {
+    "id": "node-env-development-command-pass",
+    "preset": "node",
+    "kind": "command",
+    "description": "Development-mode Node commands should not trip production-mode checks.",
+    "content": "NODE_ENV=development npm test",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-node-env-production-change",
+      "configured-sensitive-domain-production"
+    ]
+  },
+  {
+    "id": "node-package-exports-diff-pass",
+    "preset": "node",
+    "kind": "diff",
+    "description": "Package export map additions should not be mistaken for install lifecycle scripts.",
+    "content": "diff --git a/package.json b/package.json\n--- a/package.json\n+++ b/package.json\n@@ -1,5 +1,6 @@\n {\n+  \"exports\": \"./dist/index.js\",\n   \"type\": \"module\"\n }\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-node-install-script-change",
+      "package-install-script",
+      "configured-sensitive-domain-postinstall"
+    ]
+  },
+  {
+    "id": "node-workspace-test-script-diff-pass",
+    "preset": "node",
+    "kind": "diff",
+    "description": "Workspace test scripts should not trip install lifecycle script checks.",
+    "content": "diff --git a/package.json b/package.json\n--- a/package.json\n+++ b/package.json\n@@ -3,6 +3,7 @@\n   \"scripts\": {\n+    \"test:packages\": \"npm -ws test\",\n     \"test\": \"node --test\"\n   }\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-node-install-script-change",
+      "package-install-script",
+      "configured-sensitive-domain-postinstall"
+    ]
   }
 ]

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "memento-mori-jester",
-  "version": "0.1.69",
+  "version": "0.1.71",
   "description": "A local court-jester sidecar for AI coding agents: review plans, commands, diffs, and final claims before they get too pleased with themselves.",
   "type": "module",
   "repository": {