memento-mori-jester 0.1.75 → 0.1.77

package/CHANGELOG.md

@@ -4,6 +4,18 @@ All notable changes to Memento Mori Jester are tracked here.
 
 ## Unreleased
 
+## 0.1.77
+
+- Added a repo-local promo/share kit with X post copy, a 30-second demo script, posting checklist, and asset guidance.
+- Added four vertical still images extracted from the existing X demo video for single-post and thread use.
+- Linked the promo kit from the README while keeping `promo/` outside the npm package.
+
+## 0.1.76
+
+- Added eight real-world quiet-pass fixtures across python, security, web, and AI preset slices, growing the corpus to 216 fixtures.
+- Strengthened safe near-miss evidence for Pydantic parsing, Pyright checks, SBOM generation, vulnerability-report docs, escaped React rendering, session-cookie docs, model regression checks, and static action allowlists.
+- Refreshed demo, roadmap, fixture docs, and release notes for the expanded preset curation batch.
+
 ## 0.1.75
 
 - Added `npm run fixtures:report -- --markdown` for paste-ready fixture coverage snapshots.

package/README.md

@@ -12,7 +12,7 @@ It roasts the reasoning, not the human.
 
 [![Memento Mori Jester terminal demo](docs/demo-terminal.svg)](docs/DEMO.md)
 
-See the full [demo transcript](docs/DEMO.md).
+See the full [demo transcript](docs/DEMO.md), or use the [promo/share kit](promo) for X post copy, stills, and a 30-second demo script.
 
 ## Start Here
 
@@ -426,6 +426,7 @@ More setup examples:
 - [MCP Tool Reference](docs/MCP_TOOLS.md)
 - [GitHub Actions](docs/GITHUB_ACTIONS.md)
 - [Demo Script](docs/DEMO.md)
+- [Promo Share Kit](promo)
 - [Examples](examples)
 - [Preset Example Packs](examples/presets)
 - [Review Fixtures](examples/fixtures)

package/ROADMAP.md

@@ -6,6 +6,8 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 
 ## Recently Shipped
 
+- Promo/share kit in v0.1.77, adding X post copy, a short demo script, a posting checklist, and still images from the existing demo video.
+- Real-world preset quiet-pass curation in v0.1.76, adding eight safe examples across python, security, web, and AI workflows while keeping fixture coverage gaps clean.
 - Markdown fixture report export in v0.1.75 for paste-ready coverage snapshots in release notes, GitHub issues, and maintainer updates.
 - API fixture curation in v0.1.74, adding six quiet-pass examples for schema parsing, query-builder filters, enabled rate limiting, read-only Prisma migration diffs, signed-webhook docs, and OpenAPI schema docs.
 - Web/AI fixture curation in v0.1.73, adding six quiet-pass examples for safe text rendering, allowlisted target paths, public analytics IDs, model-check commands, tool allowlist checks, and public model-name config.
@@ -64,9 +66,9 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 
 ## Product Ideas
 
-- Collect real-world reports for the next lowest-count preset slices: python, security, web, then AI.
+- Collect real-world reports for the next lowest-count preset slices now highlighted by `fixtures:report`.
 - Add more framework-specific false-positive examples from real reports so tuning guidance keeps getting sharper.
-- Add a promo/share kit with X post copy, still images, and a simple sharing checklist.
+- Add a fresh demo render that reflects the latest release number and fixture totals.
 
 ## Quality And Safety
 

package/docs/DEMO.md

@@ -353,7 +353,7 @@ Preset packs:
 
 ## 13. Review Fixtures
 
-The fixture suite in `examples/fixtures/preset-review-cases.json` captures small real-usage examples with expected `pass`, `caution`, or `block` verdicts. It also includes matched-pass examples for low-severity rules, quiet-pass `absentRuleIds` examples that prove noisy rules stay silent for safe near-misses, stack-specific coverage for every built-in preset, quiet-pass boundaries across built-in, structural, custom, and preset/config-derived rules, second firing examples for preset blocked-command rules, second examples for AI/API, framework custom, built-in, and configured sensitive-domain rules, AI tool-dispatch examples with safe allowlist/schema boundaries, and real-world low-count preset examples across node, python, web, infra, AI, and security slices. Recent quiet-pass examples cover typechecks, prebuild scripts, mypy, dataclass parsing, CodeQL, Dependabot limits, form validation, accessibility copy, read-only Kubernetes inspection, Docker disk usage, Terraform linting, public-IP hardening changes, npm audit/outdated/ci, development-mode Node commands, package export maps, workspace test scripts, Bandit, pip-audit, coverage/pytest, Trivy filesystem scans, npm audit, TLS verification-enabled diffs, safe text rendering, allowlisted target paths, public analytics IDs, model-check commands, tool allowlist checks, public model-name config, API schema parsing, query-builder filters, enabled rate limiting, read-only Prisma migration diffs, signed-webhook docs, and OpenAPI schema docs. These examples are run by `npm test`, so preset tuning changes stay visible.
+The fixture suite in `examples/fixtures/preset-review-cases.json` captures small real-usage examples with expected `pass`, `caution`, or `block` verdicts. It also includes matched-pass examples for low-severity rules, quiet-pass `absentRuleIds` examples that prove noisy rules stay silent for safe near-misses, stack-specific coverage for every built-in preset, quiet-pass boundaries across built-in, structural, custom, and preset/config-derived rules, second firing examples for preset blocked-command rules, second examples for AI/API, framework custom, built-in, and configured sensitive-domain rules, AI tool-dispatch examples with safe allowlist/schema boundaries, and real-world low-count preset examples across node, python, web, infra, AI, and security slices. Recent quiet-pass examples cover typechecks, prebuild scripts, mypy, dataclass parsing, CodeQL, Dependabot limits, form validation, accessibility copy, read-only Kubernetes inspection, Docker disk usage, Terraform linting, public-IP hardening changes, npm audit/outdated/ci, development-mode Node commands, package export maps, workspace test scripts, Bandit, pip-audit, coverage/pytest, Trivy filesystem scans, npm audit, TLS verification-enabled diffs, safe text rendering, allowlisted target paths, public analytics IDs, model-check commands, tool allowlist checks, public model-name config, API schema parsing, query-builder filters, enabled rate limiting, read-only Prisma migration diffs, signed-webhook docs, OpenAPI schema docs, Pydantic parsing, Pyright checks, SBOM generation, vulnerability-report docs, escaped React rendering, session-cookie docs, model regression checks, and static action allowlists. These examples are run by `npm test`, so preset tuning changes stay visible.
 
 Maintainers can run `npm run fixtures:report` to see coverage by verdict, kind, preset, rule family, and preset slice. The report also includes a `Curation next` section that points at the next useful fixture batch, such as thin rules, feasible pass-case evidence, rule-family gaps, or lower-count presets. Use `npm run fixtures:report -- --markdown` for a paste-ready version of the same snapshot.
 

package/docs/RELEASE_NOTES_v0.1.76.md

@@ -0,0 +1,43 @@
+# Memento Mori Jester v0.1.76
+
+## Summary
+
+This release expands the real-world quiet-pass fixture corpus for the lowest-count preset slices: `python`, `security`, `web`, and `ai`.
+
+## What Changed
+
+- Added eight pass fixtures, growing the fixture suite from 208 to 216 cases.
+- Added python safe-boundary examples for Pydantic model validation and Pyright type checks.
+- Added security safe-boundary examples for SBOM generation and vulnerability-report documentation.
+- Added web safe-boundary examples for escaped React rendering and docs-only session-cookie guidance.
+- Added AI safe-boundary examples for model regression checks and static action allowlists.
+- Refreshed the fixture docs, demo transcript, changelog, and roadmap.
+
+## Public Interface
+
+- No CLI command changes.
+- No MCP tool changes.
+- No config schema changes.
+- No review rule, scoring, or verdict behavior changes.
+- Fixture reports now reflect 216 total fixtures and the updated preset counts.
+
+## Release Validation
+
+```powershell
+npm.cmd test
+npm.cmd run demo:svg:check
+npm.cmd run fixtures:report
+npm.cmd run fixtures:report -- --json
+npm.cmd run fixtures:report -- --markdown
+npm.cmd run pack:dry
+git diff --check
+git diff | node .\dist\cli.js diff --fail-on block --subject "v0.1.76 real-world preset quiet-pass curation"
+```
+
+Expected fixture report checks:
+
+- `Fixtures: 216`
+- no thin rule coverage
+- no preset/kind gaps
+- no rules without quiet-pass coverage
+- deterministic `Curation next` guidance

package/docs/RELEASE_NOTES_v0.1.77.md

@@ -0,0 +1,46 @@
+# Memento Mori Jester v0.1.77
+
+## Summary
+
+This release adds a repo-local promo/share kit so Memento Mori Jester is easier to explain and post publicly without changing runtime behavior.
+
+## What Changed
+
+- Added [promo/README.md](../promo/README.md) as the entry point for sharing assets.
+- Added [promo/share-kit/README.md](../promo/share-kit/README.md) with still-image guidance, alt text, thread order, and a posting checklist.
+- Added [promo/share-kit/x-posts.md](../promo/share-kit/x-posts.md) with short, medium, builder-focused, and thread-style X copy.
+- Added [promo/share-kit/demo-script.md](../promo/share-kit/demo-script.md) with a 30-second walkthrough and a 10-second reply version.
+- Added four vertical stills extracted from the existing X demo video.
+- Linked the promo kit from the README.
+
+## Public Interface
+
+- No CLI command changes.
+- No MCP tool changes.
+- No config schema changes.
+- No review rule, scoring, or verdict behavior changes.
+- No GitHub Action behavior changes.
+- `promo/` remains outside the npm package `files` list.
+
+## Release Validation
+
+```powershell
+npm.cmd test
+npm.cmd run demo:svg:check
+npm.cmd run pack:dry
+git diff --check
+git diff | node .\dist\cli.js diff --fail-on block --subject "v0.1.77 promo share kit"
+```
+
+Additional checks:
+
+```powershell
+git ls-files promo
+npm.cmd pack --dry-run | Select-String "promo/"
+```
+
+Expected:
+
+- promo files are tracked in Git,
+- promo files are not included in the npm tarball,
+- GitHub Release and npm Publish complete from the `v0.1.77` tag.

package/examples/fixtures/README.md

@@ -29,6 +29,7 @@ Maintainer triage guidance lives in [docs/MAINTAINER_TRIAGE.md](../../docs/MAINT
 - Quiet-pass examples for Bandit, pip-audit, coverage/pytest, Trivy filesystem scans, npm audit, and TLS verification-enabled diffs.
 - Quiet-pass examples for safe text rendering, allowlisted target paths, public analytics IDs, model-check commands, tool allowlist checks, and public model-name config.
 - Quiet-pass examples for API schema parsing, query-builder filters, enabled rate limiting, read-only Prisma migration diffs, signed-webhook docs, and OpenAPI schema docs.
+- Quiet-pass examples for Pydantic parsing, Pyright checks, SBOM generation, vulnerability-report docs, escaped React rendering, session-cookie docs, model regression checks, and static action allowlists.
 - Fixture metadata like `weight` and `edgeCase` to support precision-weighted tuning evidence.
 
 ## Local Check

package/examples/fixtures/preset-review-cases.json

@@ -2737,5 +2737,127 @@
     "absentRuleIds": [
       "configured-sensitive-domain-openapi"
     ]
+  },
+  {
+    "id": "python-pydantic-parse-diff-pass",
+    "preset": "python",
+    "kind": "diff",
+    "description": "Pydantic model validation should stay quiet around Python dynamic execution checks.",
+    "content": "diff --git a/app/settings.py b/app/settings.py\n--- a/app/settings.py\n+++ b/app/settings.py\n@@ -1 +1,2 @@\n+settings = SettingsModel.model_validate(raw_settings)\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-python-eval-exec",
+      "custom-python-pickle-load"
+    ]
+  },
+  {
+    "id": "python-pyright-command-pass",
+    "preset": "python",
+    "kind": "command",
+    "description": "Python type-check commands should not trip eval, pickle, or unsafe package checks.",
+    "content": "python -m pyright app tests",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-pip-install-break-system-packages",
+      "custom-python-eval-exec",
+      "custom-python-pickle-load"
+    ]
+  },
+  {
+    "id": "sec-sbom-command-pass",
+    "preset": "security",
+    "kind": "command",
+    "description": "SBOM generation commands should stay quiet around security preset danger checks.",
+    "content": "syft dir:. -o cyclonedx-json > sbom.json",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-chmod-r-777",
+      "custom-broad-cors",
+      "custom-insecure-tls-disabled",
+      "secret-material"
+    ]
+  },
+  {
+    "id": "sec-vulnerability-report-docs-pass",
+    "preset": "security",
+    "kind": "diff",
+    "description": "Docs for vulnerability reports should stay quiet when they only say not to paste sensitive material.",
+    "content": "diff --git a/docs/VULNERABILITY_REPORTS.md b/docs/VULNERABILITY_REPORTS.md\n--- a/docs/VULNERABILITY_REPORTS.md\n+++ b/docs/VULNERABILITY_REPORTS.md\n@@ -1 +1,2 @@\n+Ask reporters to redact tokens, private keys, and exploit logs before filing public issues.\n",
+    "expectedVerdict": "pass",
+    "edgeCase": true,
+    "weight": 1,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "configured-sensitive-domain-token",
+      "configured-sensitive-domain-private-key",
+      "secret-material"
+    ]
+  },
+  {
+    "id": "web-react-escaped-output-diff-pass",
+    "preset": "web",
+    "kind": "diff",
+    "description": "Escaped React text rendering should not trip unsafe HTML injection checks.",
+    "content": "diff --git a/src/components/UserName.tsx b/src/components/UserName.tsx\n--- a/src/components/UserName.tsx\n+++ b/src/components/UserName.tsx\n@@ -1 +1,2 @@\n+return <span>{displayName}</span>;\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-web-unsafe-html-injection",
+      "configured-sensitive-domain-dangerouslysetinnerhtml",
+      "configured-sensitive-domain-innerhtml"
+    ]
+  },
+  {
+    "id": "web-session-cookie-docs-pass",
+    "preset": "web",
+    "kind": "diff",
+    "description": "Docs-only browser session guidance should not trip storage, redirect, or cookie noise.",
+    "content": "diff --git a/docs/WEB_SESSIONS.md b/docs/WEB_SESSIONS.md\n--- a/docs/WEB_SESSIONS.md\n+++ b/docs/WEB_SESSIONS.md\n@@ -1 +1,2 @@\n+Prefer httpOnly cookies for sessions and keep redirects limited to same-origin paths.\n",
+    "expectedVerdict": "pass",
+    "edgeCase": true,
+    "weight": 1,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "configured-sensitive-domain-cookies",
+      "configured-sensitive-domain-redirect",
+      "configured-sensitive-domain-session",
+      "custom-web-open-redirect-shape",
+      "custom-web-storage-sensitive-value",
+      "risky-domain"
+    ]
+  },
+  {
+    "id": "ai-model-regression-command-pass",
+    "preset": "ai",
+    "kind": "command",
+    "description": "Running model regression checks should not look like skipped AI safety checks.",
+    "content": "npm run model:checks -- --suite prompt-regression",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-ai-evals-skipped"
+    ]
+  },
+  {
+    "id": "ai-tool-registry-allowlist-diff-pass",
+    "preset": "ai",
+    "kind": "diff",
+    "description": "Static action allowlists should not trip user-controlled dispatch checks.",
+    "content": "diff --git a/src/actions/registry.ts b/src/actions/registry.ts\n--- a/src/actions/registry.ts\n+++ b/src/actions/registry.ts\n@@ -1 +1,2 @@\n+export const allowedActions = new Set([\"search_docs\", \"summarize_ticket\"]);\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-ai-user-controlled-tool-dispatch",
+      "custom-ai-model-output-execution"
+    ]
   }
 ]

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "memento-mori-jester",
-  "version": "0.1.75",
+  "version": "0.1.77",
   "description": "A local court-jester sidecar for AI coding agents: review plans, commands, diffs, and final claims before they get too pleased with themselves.",
   "type": "module",
   "repository": {