memento-mori-jester 0.1.74 → 0.1.76

package/CHANGELOG.md

@@ -4,6 +4,18 @@ All notable changes to Memento Mori Jester are tracked here.
 
 ## Unreleased
 
+## 0.1.76
+
+- Added eight real-world quiet-pass fixtures across python, security, web, and AI preset slices, growing the corpus to 216 fixtures.
+- Strengthened safe near-miss evidence for Pydantic parsing, Pyright checks, SBOM generation, vulnerability-report docs, escaped React rendering, session-cookie docs, model regression checks, and static action allowlists.
+- Refreshed demo, roadmap, fixture docs, and release notes for the expanded preset curation batch.
+
+## 0.1.75
+
+- Added `npm run fixtures:report -- --markdown` for paste-ready fixture coverage snapshots.
+- Added Markdown tables for totals, counts, rule-family slices, preset slices, gaps, quiet-pass coverage, curation-next guidance, and next commands.
+- Updated maintainer docs, release docs, and production-readiness checks for the Markdown fixture report export.
+
 ## 0.1.74
 
 - Added six API quiet-pass fixtures, growing the corpus to 208 fixtures.

package/README.md

@@ -501,7 +501,7 @@ Use the false-positive template for noisy cautions or blocks. Include `jester su
 
 Maintainers can use [docs/MAINTAINER_TRIAGE.md](docs/MAINTAINER_TRIAGE.md) to turn useful false-positive reports into redacted fixtures.
 Run `npm run fixtures:check` before merging fixture changes; it catches duplicate IDs, missing rule metadata, weak descriptions, unsafe-looking content, and duplicate content.
-Run `npm run fixtures:report` to see fixture coverage by rule, rule family, preset slice, kind, verdict, quiet-pass boundaries, feasible pass-case gaps, and curation-next guidance before choosing the next fixture.
+Run `npm run fixtures:report` to see fixture coverage by rule, rule family, preset slice, kind, verdict, quiet-pass boundaries, feasible pass-case gaps, and curation-next guidance before choosing the next fixture. Use `npm run fixtures:report -- --markdown` when you want a paste-ready summary for release notes or GitHub issues.
 
 For vulnerabilities, private code exposure, or credential-handling concerns, follow [SECURITY.md](SECURITY.md) instead of opening a public issue with sensitive details.
 

package/ROADMAP.md

@@ -6,6 +6,8 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 
 ## Recently Shipped
 
+- Real-world preset quiet-pass curation in v0.1.76, adding eight safe examples across python, security, web, and AI workflows while keeping fixture coverage gaps clean.
+- Markdown fixture report export in v0.1.75 for paste-ready coverage snapshots in release notes, GitHub issues, and maintainer updates.
 - API fixture curation in v0.1.74, adding six quiet-pass examples for schema parsing, query-builder filters, enabled rate limiting, read-only Prisma migration diffs, signed-webhook docs, and OpenAPI schema docs.
 - Web/AI fixture curation in v0.1.73, adding six quiet-pass examples for safe text rendering, allowlisted target paths, public analytics IDs, model-check commands, tool allowlist checks, and public model-name config.
 - Python/security fixture curation in v0.1.72, adding six quiet-pass examples for Bandit, pip-audit, coverage/pytest, Trivy, npm audit, and TLS verification-enabled diffs.
@@ -63,9 +65,9 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 
 ## Product Ideas
 
-- Collect real-world reports for the next lowest-count preset slices: python, security, web, then AI.
+- Collect real-world reports for the next lowest-count preset slices now highlighted by `fixtures:report`.
 - Add more framework-specific false-positive examples from real reports so tuning guidance keeps getting sharper.
-- Add a Markdown export for fixture reports so maintainers can paste coverage snapshots into issues or release notes.
+- Add a promo/share kit with X post copy, still images, and a simple sharing checklist.
 
 ## Quality And Safety
 

package/docs/DEMO.md

@@ -353,9 +353,9 @@ Preset packs:
 
 ## 13. Review Fixtures
 
-The fixture suite in `examples/fixtures/preset-review-cases.json` captures small real-usage examples with expected `pass`, `caution`, or `block` verdicts. It also includes matched-pass examples for low-severity rules, quiet-pass `absentRuleIds` examples that prove noisy rules stay silent for safe near-misses, stack-specific coverage for every built-in preset, quiet-pass boundaries across built-in, structural, custom, and preset/config-derived rules, second firing examples for preset blocked-command rules, second examples for AI/API, framework custom, built-in, and configured sensitive-domain rules, AI tool-dispatch examples with safe allowlist/schema boundaries, and real-world low-count preset examples across node, python, web, infra, AI, and security slices. Recent quiet-pass examples cover typechecks, prebuild scripts, mypy, dataclass parsing, CodeQL, Dependabot limits, form validation, accessibility copy, read-only Kubernetes inspection, Docker disk usage, Terraform linting, public-IP hardening changes, npm audit/outdated/ci, development-mode Node commands, package export maps, workspace test scripts, Bandit, pip-audit, coverage/pytest, Trivy filesystem scans, npm audit, TLS verification-enabled diffs, safe text rendering, allowlisted target paths, public analytics IDs, model-check commands, tool allowlist checks, public model-name config, API schema parsing, query-builder filters, enabled rate limiting, read-only Prisma migration diffs, signed-webhook docs, and OpenAPI schema docs. These examples are run by `npm test`, so preset tuning changes stay visible.
+The fixture suite in `examples/fixtures/preset-review-cases.json` captures small real-usage examples with expected `pass`, `caution`, or `block` verdicts. It also includes matched-pass examples for low-severity rules, quiet-pass `absentRuleIds` examples that prove noisy rules stay silent for safe near-misses, stack-specific coverage for every built-in preset, quiet-pass boundaries across built-in, structural, custom, and preset/config-derived rules, second firing examples for preset blocked-command rules, second examples for AI/API, framework custom, built-in, and configured sensitive-domain rules, AI tool-dispatch examples with safe allowlist/schema boundaries, and real-world low-count preset examples across node, python, web, infra, AI, and security slices. Recent quiet-pass examples cover typechecks, prebuild scripts, mypy, dataclass parsing, CodeQL, Dependabot limits, form validation, accessibility copy, read-only Kubernetes inspection, Docker disk usage, Terraform linting, public-IP hardening changes, npm audit/outdated/ci, development-mode Node commands, package export maps, workspace test scripts, Bandit, pip-audit, coverage/pytest, Trivy filesystem scans, npm audit, TLS verification-enabled diffs, safe text rendering, allowlisted target paths, public analytics IDs, model-check commands, tool allowlist checks, public model-name config, API schema parsing, query-builder filters, enabled rate limiting, read-only Prisma migration diffs, signed-webhook docs, OpenAPI schema docs, Pydantic parsing, Pyright checks, SBOM generation, vulnerability-report docs, escaped React rendering, session-cookie docs, model regression checks, and static action allowlists. These examples are run by `npm test`, so preset tuning changes stay visible.
 
-Maintainers can run `npm run fixtures:report` to see coverage by verdict, kind, preset, rule family, and preset slice. The report also includes a `Curation next` section that points at the next useful fixture batch, such as thin rules, feasible pass-case evidence, rule-family gaps, or lower-count presets.
+Maintainers can run `npm run fixtures:report` to see coverage by verdict, kind, preset, rule family, and preset slice. The report also includes a `Curation next` section that points at the next useful fixture batch, such as thin rules, feasible pass-case evidence, rule-family gaps, or lower-count presets. Use `npm run fixtures:report -- --markdown` for a paste-ready version of the same snapshot.
 
 Maintainers can use `docs/MAINTAINER_TRIAGE.md` to turn useful false-positive reports into redacted fixture cases.
 

package/docs/MAINTAINER_TRIAGE.md

@@ -77,13 +77,14 @@ npm.cmd test
 npm.cmd run fixtures:check
 npm.cmd run fixtures:report
 npm.cmd run fixtures:report -- --json
+npm.cmd run fixtures:report -- --markdown
 node .\dist\cli.js tune <rule-id>
 node .\dist\cli.js tune <rule-id> --json
 node .\dist\cli.js tune coverage
 ```
 
 5. Fix any duplicate IDs, missing expected rule metadata, weak descriptions, unsafe content, or duplicate content reported by `fixtures:check`.
-6. Use `fixtures:report` to check whether the change improves feasible pass-case, quiet-pass, preset, kind, rule-family, or verdict coverage. Start with the report's `Curation next` section when deciding which fixture batch to add first.
+6. Use `fixtures:report` to check whether the change improves feasible pass-case, quiet-pass, preset, kind, rule-family, or verdict coverage. Start with the report's `Curation next` section when deciding which fixture batch to add first, and use `fixtures:report -- --markdown` when you need a paste-ready snapshot for an issue or release note.
 7. Check whether support/confidence changed in the expected direction.
 8. If the fixture changes verdict behavior, mention the exact rule impact in `CHANGELOG.md`.
 

package/docs/PRODUCTION_READINESS.md

@@ -53,7 +53,7 @@ This checklist defines what "production grade" means for Memento Mori Jester rig
 - `SECURITY.md` routes vulnerability reports away from public issues and asks for redacted diagnostics.
 - `docs/MAINTAINER_TRIAGE.md` explains how to turn useful false-positive reports into fixture coverage before changing rule logic.
 - `npm run fixtures:check` validates fixture IDs, metadata, unsafe-looking content, duplicate content, and explicit expected/absent rule intent.
-- `npm run fixtures:report` shows fixture coverage by rule, rule family, preset slice, kind, verdict, quiet-pass rule boundaries, and feasible pass-case gaps so maintainers can pick the next fixture target.
+- `npm run fixtures:report` shows fixture coverage by rule, rule family, preset slice, kind, verdict, quiet-pass rule boundaries, and feasible pass-case gaps so maintainers can pick the next fixture target; `npm run fixtures:report -- --markdown` produces a paste-ready maintainer snapshot.
 - npm publish has a manual workflow fallback, but the normal release path is tag-driven trusted publishing.
 
 ## Static Guard

package/docs/RELEASE.md

@@ -11,6 +11,7 @@ npm.cmd run production:check
 npm.cmd run fixtures:check
 npm.cmd run fixtures:report
 npm.cmd run fixtures:report -- --json
+npm.cmd run fixtures:report -- --markdown
 npm.cmd run pack:dry
 git diff --check
 ```

package/docs/RELEASE_NOTES_v0.1.75.md

@@ -0,0 +1,42 @@
+# Memento Mori Jester v0.1.75
+
+This release adds a Markdown export for the fixture coverage report so maintainers can paste stable quality snapshots into release notes, GitHub issues, and project updates. Review behavior is unchanged.
+
+## What Changed
+
+- Added `npm run fixtures:report -- --markdown`.
+- Added Markdown sections for:
+  - summary totals.
+  - verdict, kind, and preset counts.
+  - rule-family slices.
+  - preset slices.
+  - gap sections.
+  - quiet-pass rule coverage.
+  - quiet-pass fixture samples.
+  - curation-next guidance.
+  - next commands.
+- Added a guard that rejects combining `--json` and `--markdown`.
+- Updated maintainer docs, release docs, demo docs, README support notes, and production-readiness checks.
+
+## Public Interface
+
+- New maintainer script mode: `npm run fixtures:report -- --markdown`.
+- No CLI command changes.
+- No config schema changes.
+- No rule matching, scoring, or verdict behavior changes.
+- No MCP, playground, GitHub Action, or npm publishing changes.
+
+## Release Validation
+
+```powershell
+npm.cmd test
+npm.cmd run demo:svg:check
+npm.cmd run fixtures:report
+npm.cmd run fixtures:report -- --json
+npm.cmd run fixtures:report -- --markdown
+npm.cmd run pack:dry
+git diff --check
+node .\dist\cli.js tune coverage --no-config
+node .\dist\cli.js tune risky-domain --json --no-config
+git diff | node .\dist\cli.js diff --fail-on block --subject "v0.1.75 markdown fixture report export"
+```

package/docs/RELEASE_NOTES_v0.1.76.md

@@ -0,0 +1,43 @@
+# Memento Mori Jester v0.1.76
+
+## Summary
+
+This release expands the real-world quiet-pass fixture corpus for the lowest-count preset slices: `python`, `security`, `web`, and `ai`.
+
+## What Changed
+
+- Added eight pass fixtures, growing the fixture suite from 208 to 216 cases.
+- Added python safe-boundary examples for Pydantic model validation and Pyright type checks.
+- Added security safe-boundary examples for SBOM generation and vulnerability-report documentation.
+- Added web safe-boundary examples for escaped React rendering and docs-only session-cookie guidance.
+- Added AI safe-boundary examples for model regression checks and static action allowlists.
+- Refreshed the fixture docs, demo transcript, changelog, and roadmap.
+
+## Public Interface
+
+- No CLI command changes.
+- No MCP tool changes.
+- No config schema changes.
+- No review rule, scoring, or verdict behavior changes.
+- Fixture reports now reflect 216 total fixtures and the updated preset counts.
+
+## Release Validation
+
+```powershell
+npm.cmd test
+npm.cmd run demo:svg:check
+npm.cmd run fixtures:report
+npm.cmd run fixtures:report -- --json
+npm.cmd run fixtures:report -- --markdown
+npm.cmd run pack:dry
+git diff --check
+git diff | node .\dist\cli.js diff --fail-on block --subject "v0.1.76 real-world preset quiet-pass curation"
+```
+
+Expected fixture report checks:
+
+- `Fixtures: 216`
+- no thin rule coverage
+- no preset/kind gaps
+- no rules without quiet-pass coverage
+- deterministic `Curation next` guidance

package/examples/fixtures/README.md

@@ -29,6 +29,7 @@ Maintainer triage guidance lives in [docs/MAINTAINER_TRIAGE.md](../../docs/MAINT
 - Quiet-pass examples for Bandit, pip-audit, coverage/pytest, Trivy filesystem scans, npm audit, and TLS verification-enabled diffs.
 - Quiet-pass examples for safe text rendering, allowlisted target paths, public analytics IDs, model-check commands, tool allowlist checks, and public model-name config.
 - Quiet-pass examples for API schema parsing, query-builder filters, enabled rate limiting, read-only Prisma migration diffs, signed-webhook docs, and OpenAPI schema docs.
+- Quiet-pass examples for Pydantic parsing, Pyright checks, SBOM generation, vulnerability-report docs, escaped React rendering, session-cookie docs, model regression checks, and static action allowlists.
 - Fixture metadata like `weight` and `edgeCase` to support precision-weighted tuning evidence.
 
 ## Local Check
@@ -38,6 +39,7 @@ npm.cmd test
 npm.cmd run fixtures:check
 npm.cmd run fixtures:report
 npm.cmd run fixtures:report -- --json
+npm.cmd run fixtures:report -- --markdown
 ```
 
 For one-off manual review, paste a fixture `content` value into:
@@ -63,4 +65,4 @@ Do not add secrets, private code, customer data, complete logs, or machine-speci
 
 `npm run fixtures:report` summarizes coverage by rule, rule family, preset slice, review kind, verdict, and quiet-pass rule boundaries. Use it to find rules without pass-case coverage, pass-eligible rules without pass-case coverage, rules without quiet-pass coverage, thin rule coverage, preset/kind gaps, quiet pass fixtures, and the next curation target.
 
-The `Curation next` section is a maintainer shortcut: start there when deciding whether the next fixture batch should focus on thin rules, feasible pass-case evidence, a specific rule family, or lower-count presets. The `--json` output includes the same `ruleFamilySlices`, `presetSlices`, `passEligibleRulesWithoutPassCases`, and `curationNext` fields for scripts.
+The `Curation next` section is a maintainer shortcut: start there when deciding whether the next fixture batch should focus on thin rules, feasible pass-case evidence, a specific rule family, or lower-count presets. The `--json` output includes the same `ruleFamilySlices`, `presetSlices`, `passEligibleRulesWithoutPassCases`, and `curationNext` fields for scripts. The `--markdown` output renders the same snapshot as paste-ready Markdown tables for release notes, GitHub issues, or maintainer updates.

package/examples/fixtures/preset-review-cases.json

@@ -2737,5 +2737,127 @@
     "absentRuleIds": [
       "configured-sensitive-domain-openapi"
     ]
+  },
+  {
+    "id": "python-pydantic-parse-diff-pass",
+    "preset": "python",
+    "kind": "diff",
+    "description": "Pydantic model validation should stay quiet around Python dynamic execution checks.",
+    "content": "diff --git a/app/settings.py b/app/settings.py\n--- a/app/settings.py\n+++ b/app/settings.py\n@@ -1 +1,2 @@\n+settings = SettingsModel.model_validate(raw_settings)\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-python-eval-exec",
+      "custom-python-pickle-load"
+    ]
+  },
+  {
+    "id": "python-pyright-command-pass",
+    "preset": "python",
+    "kind": "command",
+    "description": "Python type-check commands should not trip eval, pickle, or unsafe package checks.",
+    "content": "python -m pyright app tests",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-pip-install-break-system-packages",
+      "custom-python-eval-exec",
+      "custom-python-pickle-load"
+    ]
+  },
+  {
+    "id": "sec-sbom-command-pass",
+    "preset": "security",
+    "kind": "command",
+    "description": "SBOM generation commands should stay quiet around security preset danger checks.",
+    "content": "syft dir:. -o cyclonedx-json > sbom.json",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-chmod-r-777",
+      "custom-broad-cors",
+      "custom-insecure-tls-disabled",
+      "secret-material"
+    ]
+  },
+  {
+    "id": "sec-vulnerability-report-docs-pass",
+    "preset": "security",
+    "kind": "diff",
+    "description": "Docs for vulnerability reports should stay quiet when they only say not to paste sensitive material.",
+    "content": "diff --git a/docs/VULNERABILITY_REPORTS.md b/docs/VULNERABILITY_REPORTS.md\n--- a/docs/VULNERABILITY_REPORTS.md\n+++ b/docs/VULNERABILITY_REPORTS.md\n@@ -1 +1,2 @@\n+Ask reporters to redact tokens, private keys, and exploit logs before filing public issues.\n",
+    "expectedVerdict": "pass",
+    "edgeCase": true,
+    "weight": 1,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "configured-sensitive-domain-token",
+      "configured-sensitive-domain-private-key",
+      "secret-material"
+    ]
+  },
+  {
+    "id": "web-react-escaped-output-diff-pass",
+    "preset": "web",
+    "kind": "diff",
+    "description": "Escaped React text rendering should not trip unsafe HTML injection checks.",
+    "content": "diff --git a/src/components/UserName.tsx b/src/components/UserName.tsx\n--- a/src/components/UserName.tsx\n+++ b/src/components/UserName.tsx\n@@ -1 +1,2 @@\n+return <span>{displayName}</span>;\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-web-unsafe-html-injection",
+      "configured-sensitive-domain-dangerouslysetinnerhtml",
+      "configured-sensitive-domain-innerhtml"
+    ]
+  },
+  {
+    "id": "web-session-cookie-docs-pass",
+    "preset": "web",
+    "kind": "diff",
+    "description": "Docs-only browser session guidance should not trip storage, redirect, or cookie noise.",
+    "content": "diff --git a/docs/WEB_SESSIONS.md b/docs/WEB_SESSIONS.md\n--- a/docs/WEB_SESSIONS.md\n+++ b/docs/WEB_SESSIONS.md\n@@ -1 +1,2 @@\n+Prefer httpOnly cookies for sessions and keep redirects limited to same-origin paths.\n",
+    "expectedVerdict": "pass",
+    "edgeCase": true,
+    "weight": 1,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "configured-sensitive-domain-cookies",
+      "configured-sensitive-domain-redirect",
+      "configured-sensitive-domain-session",
+      "custom-web-open-redirect-shape",
+      "custom-web-storage-sensitive-value",
+      "risky-domain"
+    ]
+  },
+  {
+    "id": "ai-model-regression-command-pass",
+    "preset": "ai",
+    "kind": "command",
+    "description": "Running model regression checks should not look like skipped AI safety checks.",
+    "content": "npm run model:checks -- --suite prompt-regression",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-ai-evals-skipped"
+    ]
+  },
+  {
+    "id": "ai-tool-registry-allowlist-diff-pass",
+    "preset": "ai",
+    "kind": "diff",
+    "description": "Static action allowlists should not trip user-controlled dispatch checks.",
+    "content": "diff --git a/src/actions/registry.ts b/src/actions/registry.ts\n--- a/src/actions/registry.ts\n+++ b/src/actions/registry.ts\n@@ -1 +1,2 @@\n+export const allowedActions = new Set([\"search_docs\", \"summarize_ticket\"]);\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-ai-user-controlled-tool-dispatch",
+      "custom-ai-model-output-execution"
+    ]
   }
 ]

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "memento-mori-jester",
-  "version": "0.1.74",
+  "version": "0.1.76",
   "description": "A local court-jester sidecar for AI coding agents: review plans, commands, diffs, and final claims before they get too pleased with themselves.",
   "type": "module",
   "repository": {

package/scripts/check-production-readiness.mjs

@@ -94,6 +94,7 @@ requireText("README.md", /false-positive/i, "false-positive support guidance");
 requireText("README.md", /MAINTAINER_TRIAGE\.md/, "maintainer triage guide link");
 requireText("README.md", /fixtures:check/, "fixture authoring check guidance");
 requireText("README.md", /fixtures:report/, "fixture coverage report guidance");
+requireText("README.md", /fixtures:report -- --markdown/, "Markdown fixture report guidance");
 requireText("README.md", /License: PolyForm Noncommercial/, "the noncommercial license badge");
 requireText("docs/PRODUCTION_READINESS.md", /npm package/i, "npm package readiness");
 requireText("docs/PRODUCTION_READINESS.md", /GitHub Action/i, "GitHub Action readiness");
@@ -106,6 +107,7 @@ requireText("docs/PRODUCTION_READINESS.md", /issue templates/i, "issue template
 requireText("docs/PRODUCTION_READINESS.md", /MAINTAINER_TRIAGE\.md/, "maintainer triage readiness");
 requireText("docs/PRODUCTION_READINESS.md", /fixtures:check/, "fixture authoring check readiness");
 requireText("docs/PRODUCTION_READINESS.md", /fixtures:report/, "fixture coverage report readiness");
+requireText("docs/PRODUCTION_READINESS.md", /fixtures:report -- --markdown/, "Markdown fixture report readiness");
 requireText("docs/PRODUCTION_READINESS.md", /quiet-pass/, "quiet-pass fixture readiness");
 requireText("docs/CLI.md", /jester doctor --json/, "doctor JSON CLI docs");
 requireText("docs/CLI.md", /quiet-pass fixture/, "quiet-pass fixture CLI docs");
@@ -118,6 +120,7 @@ requireText("examples/fixtures/README.md", /MAINTAINER_TRIAGE\.md/, "maintainer
 requireText("examples/fixtures/README.md", /Adding A Fixture From A Report/, "fixture report conversion guidance");
 requireText("examples/fixtures/README.md", /fixtures:check/, "fixture authoring check guidance");
 requireText("examples/fixtures/README.md", /fixtures:report/, "fixture coverage report guidance");
+requireText("examples/fixtures/README.md", /fixtures:report -- --markdown/, "Markdown fixture report guidance");
 requireText("scripts/check-fixtures.mjs", /duplicated/, "duplicate fixture id check");
 requireText("scripts/check-fixtures.mjs", /unsafeContentPatterns/, "unsafe fixture content checks");
 forbidText("scripts/check-fixtures.mjs", /src\/config\.ts|src\/types\.ts/, "source-only fixture validator dependencies");
@@ -125,6 +128,7 @@ requireText("scripts/report-fixtures.mjs", /rulesWithoutPassCases/, "rules witho
 requireText("scripts/report-fixtures.mjs", /rulesWithoutQuietPassCoverage/, "rules without quiet-pass coverage report");
 requireText("scripts/report-fixtures.mjs", /quietPassRuleCoverage/, "quiet-pass rule coverage report");
 requireText("scripts/report-fixtures.mjs", /presetKindGaps/, "preset and kind gap report");
+requireText("scripts/report-fixtures.mjs", /--markdown/, "Markdown fixture report output");
 forbidText("scripts/report-fixtures.mjs", /src\/config\.ts|src\/types\.ts/, "source-only fixture report dependencies");
 requireText("package.json", /"fixtures:check": "node scripts\/check-fixtures\.mjs"/, "fixture authoring check script");
 requireText("package.json", /"fixtures:report": "node scripts\/report-fixtures\.mjs"/, "fixture coverage report script");

package/scripts/report-fixtures.mjs

@@ -33,6 +33,12 @@ const ruleFamilyOrder = [
 
 const args = new Set(process.argv.slice(2));
 const json = args.has("--json");
+const markdown = args.has("--markdown");
+
+if (json && markdown) {
+  process.stderr.write("Use only one output format: --json or --markdown.\n");
+  process.exit(1);
+}
 
 function read(path) {
   return readFileSync(join(root, path), "utf8");
@@ -55,6 +61,8 @@ const report = buildFixtureReport(fixtures);
 
 if (json) {
   process.stdout.write(`${JSON.stringify(report, null, 2)}\n`);
+} else if (markdown) {
+  process.stdout.write(renderFixtureReportMarkdown(report));
 } else {
   process.stdout.write(renderFixtureReport(report));
 }
@@ -271,6 +279,91 @@ function renderFixtureReport(report) {
   return `${lines.join("\n")}\n`;
 }
 
+function renderFixtureReportMarkdown(report) {
+  const lines = [
+    "# Fixture Coverage Report",
+    "",
+    "Generated from `examples/fixtures/preset-review-cases.json`.",
+    "",
+    "## Summary",
+    "",
+    "| Metric | Value |",
+    "| --- | ---: |",
+    `| Fixtures | ${report.totalFixtures} |`,
+    `| Weighted fixtures | ${report.totalWeight} |`,
+    `| Edge-case fixtures | ${report.edgeCaseFixtures} |`,
+    `| Rules covered by expectedRuleIds | ${report.rules.length} |`,
+    "",
+    "## Counts",
+    "",
+    "### By Verdict",
+    "",
+    ...formatMarkdownCountTable("Verdict", report.byVerdict),
+    "",
+    "### By Kind",
+    "",
+    ...formatMarkdownCountTable("Kind", report.byKind),
+    "",
+    "### By Preset",
+    "",
+    ...formatMarkdownCountTable("Preset", report.byPreset),
+    "",
+    "## Rule Family Slices",
+    "",
+    ...formatMarkdownRuleFamilyTable(report.ruleFamilySlices),
+    "",
+    "## Preset Slices",
+    "",
+    ...formatMarkdownPresetTable(report.presetSlices),
+    "",
+    "## Gaps",
+    "",
+    "### Rules Without Pass-Case Coverage",
+    "",
+    ...formatMarkdownRuleGapList(report.gaps.rulesWithoutPassCases),
+    "",
+    "### Pass-Eligible Rules Without Pass-Case Coverage",
+    "",
+    ...formatMarkdownRuleGapList(report.gaps.passEligibleRulesWithoutPassCases),
+    "",
+    "### Rules Without Quiet-Pass Coverage",
+    "",
+    ...formatMarkdownRuleGapList(report.gaps.rulesWithoutQuietPassCoverage),
+    "",
+    "### Thin Rule Coverage",
+    "",
+    ...formatMarkdownRuleGapList(report.gaps.thinRuleCoverage),
+    "",
+    "### Preset/Kind Gaps",
+    "",
+    ...formatMarkdownPresetKindGaps(report.gaps.presetKindGaps),
+    "",
+    "## Quiet-Pass Rule Coverage",
+    "",
+    ...formatMarkdownQuietPassTable(report.gaps.quietPassRuleCoverage),
+    "",
+    "## Quiet-Pass Fixture Samples",
+    "",
+    ...formatMarkdownFixtureSamples(report.gaps.quietPassFixtures),
+    "",
+    "## Curation Next",
+    "",
+    ...formatMarkdownCurationNext(report.curationNext),
+    "",
+    "## Next Commands",
+    "",
+    "```powershell",
+    "npm run fixtures:check",
+    "npm run fixtures:report",
+    "npm run fixtures:report -- --json",
+    "npm run fixtures:report -- --markdown",
+    "node .\\dist\\cli.js tune coverage",
+    "```"
+  ];
+
+  return `${lines.join("\n")}\n`;
+}
+
 function createRuleEntry(ruleId) {
   return {
     ruleId,
@@ -575,6 +668,141 @@ function formatCounts(counts) {
     .join(", ");
 }
 
+function formatMarkdownCountTable(label, counts) {
+  return [
+    `| ${label} | Count |`,
+    "| --- | ---: |",
+    ...Object.entries(counts).map(([key, value]) => `| ${markdownCell(key)} | ${value} |`)
+  ];
+}
+
+function formatMarkdownRuleFamilyTable(entries) {
+  if (entries.length === 0) {
+    return ["None."];
+  }
+
+  return [
+    "| Family | Rules | Fixture Refs | Pass | Caution | Block | Quiet Pass | Thin |",
+    "| --- | ---: | ---: | ---: | ---: | ---: | ---: | ---: |",
+    ...entries.map((entry) =>
+      [
+        markdownCell(entry.family),
+        entry.ruleCount,
+        entry.fixtureReferences,
+        entry.passCases,
+        entry.cautionCases,
+        entry.blockCases,
+        entry.quietPassCases,
+        entry.thinRules.length
+      ].join(" | ")
+    ).map((row) => `| ${row} |`)
+  ];
+}
+
+function formatMarkdownPresetTable(entries) {
+  if (entries.length === 0) {
+    return ["None."];
+  }
+
+  return [
+    "| Preset | Fixtures | Weight | Pass | Caution | Block | Quiet Pass | Rule Refs | Absent Refs |",
+    "| --- | ---: | ---: | ---: | ---: | ---: | ---: | ---: | ---: |",
+    ...entries.map((entry) =>
+      [
+        markdownCell(entry.preset),
+        entry.total,
+        entry.weight,
+        entry.byVerdict.pass ?? 0,
+        entry.byVerdict.caution ?? 0,
+        entry.byVerdict.block ?? 0,
+        entry.quietPassFixtures,
+        entry.expectedRuleReferences,
+        entry.quietPassRuleReferences
+      ].join(" | ")
+    ).map((row) => `| ${row} |`)
+  ];
+}
+
+function formatMarkdownRuleGapList(entries) {
+  if (entries.length === 0) {
+    return ["None."];
+  }
+
+  return entries
+    .slice(0, 12)
+    .map((entry) => `- \`${entry.ruleId}\`: ${entry.total} fixture(s), pass ${entry.passCases}, caution ${entry.cautionCases}, block ${entry.blockCases}, quiet-pass ${entry.quietPassCases}`);
+}
+
+function formatMarkdownPresetKindGaps(entries) {
+  if (entries.length === 0) {
+    return ["None."];
+  }
+
+  return entries.map((entry) => `- \`${entry.preset}\`: ${entry.missingKinds.map((kind) => `\`${kind}\``).join(", ")}`);
+}
+
+function formatMarkdownQuietPassTable(entries) {
+  if (entries.length === 0) {
+    return ["None."];
+  }
+
+  return [
+    "| Rule | Quiet-Pass Fixtures | Weight |",
+    "| --- | ---: | ---: |",
+    ...entries
+      .slice(0, 12)
+      .map((entry) => `| \`${markdownCell(entry.ruleId)}\` | ${entry.total} | ${entry.weight} |`)
+  ];
+}
+
+function formatMarkdownFixtureSamples(entries) {
+  if (entries.length === 0) {
+    return ["None."];
+  }
+
+  return entries
+    .slice(0, 8)
+    .map((entry) => `- \`${entry.id}\`: ${markdownCell(entry.description)}`);
+}
+
+function formatMarkdownCurationNext(entries) {
+  if (entries.length === 0) {
+    return ["None."];
+  }
+
+  return [
+    "| Priority | Area | Count | Details |",
+    "| --- | --- | ---: | --- |",
+    ...entries.map((entry) =>
+      `| ${markdownCell(entry.priority)} | ${markdownCell(entry.area)} | ${entry.count} | ${markdownCell(markdownCurationDetails(entry))} |`
+    )
+  ];
+}
+
+function markdownCurationDetails(entry) {
+  if (Array.isArray(entry.ruleIds) && entry.ruleIds.length > 0) {
+    return entry.ruleIds.join(", ");
+  }
+
+  if (Array.isArray(entry.details) && entry.details.length > 0) {
+    return entry.details.join("; ");
+  }
+
+  if (Array.isArray(entry.families) && entry.families.length > 0) {
+    return entry.families.map((family) => `${family.family} ${family.thinRules}`).join(", ");
+  }
+
+  if (Array.isArray(entry.presets) && entry.presets.length > 0) {
+    return entry.presets.map((preset) => `${preset.preset} ${preset.total}`).join(", ");
+  }
+
+  return "";
+}
+
+function markdownCell(value) {
+  return String(value).replace(/\|/g, "\\|").replace(/\r?\n/g, " ");
+}
+
 function formatRuleGaps(entries) {
   if (entries.length === 0) {
     return ["- none"];