memento-mori-jester 0.1.77 → 0.1.79

package/CHANGELOG.md

@@ -4,6 +4,18 @@ All notable changes to Memento Mori Jester are tracked here.
 
 ## Unreleased
 
+## 0.1.79
+
+- Added `npm run promo:check` to verify the current repo-local promo video, stills, docs, and fixture evidence numbers stay aligned.
+- Wired promo freshness validation into `npm test` and the production-readiness guard.
+- Updated release, readiness, roadmap, and promo docs with the new maintainer check.
+
+## 0.1.78
+
+- Added a refreshed HyperFrames X demo render under `promo/x-demo-v0.1.78` with current version and fixture-evidence numbers.
+- Updated the promo share-kit stills from the fresh render so public images show `v0.1.78`, 216 fixtures, and 6 quiet-pass examples.
+- Updated promo docs, demo transcript, roadmap, and release notes while keeping `promo/` outside the npm package.
+
 ## 0.1.77
 
 - Added a repo-local promo/share kit with X post copy, a 30-second demo script, posting checklist, and asset guidance.

package/README.md

@@ -503,6 +503,7 @@ Use the false-positive template for noisy cautions or blocks. Include `jester su
 Maintainers can use [docs/MAINTAINER_TRIAGE.md](docs/MAINTAINER_TRIAGE.md) to turn useful false-positive reports into redacted fixtures.
 Run `npm run fixtures:check` before merging fixture changes; it catches duplicate IDs, missing rule metadata, weak descriptions, unsafe-looking content, and duplicate content.
 Run `npm run fixtures:report` to see fixture coverage by rule, rule family, preset slice, kind, verdict, quiet-pass boundaries, feasible pass-case gaps, and curation-next guidance before choosing the next fixture. Use `npm run fixtures:report -- --markdown` when you want a paste-ready summary for release notes or GitHub issues.
+Run `npm run promo:check` after editing promo assets; it checks the current demo video, stills, docs, and fixture evidence numbers stay in sync.
 
 For vulnerabilities, private code exposure, or credential-handling concerns, follow [SECURITY.md](SECURITY.md) instead of opening a public issue with sensitive details.
 
@@ -512,6 +513,7 @@ Release checklist:
 
 ```powershell
 npm.cmd test
+npm.cmd run promo:check
 npm.cmd run production:check
 npm.cmd run pack:dry
 git tag -a v0.1.x -m "Memento Mori Jester v0.1.x"

package/ROADMAP.md

@@ -6,6 +6,8 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 
 ## Recently Shipped
 
+- Promo freshness check in v0.1.79, verifying the current demo video, share-kit stills, docs, and fixture evidence numbers before public posting.
+- Fresh demo render in v0.1.78, updating the repo-local X video and share-kit stills to current version and fixture totals.
 - Promo/share kit in v0.1.77, adding X post copy, a short demo script, a posting checklist, and still images from the existing demo video.
 - Real-world preset quiet-pass curation in v0.1.76, adding eight safe examples across python, security, web, and AI workflows while keeping fixture coverage gaps clean.
 - Markdown fixture report export in v0.1.75 for paste-ready coverage snapshots in release notes, GitHub issues, and maintainer updates.
@@ -68,7 +70,7 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 
 - Collect real-world reports for the next lowest-count preset slices now highlighted by `fixtures:report`.
 - Add more framework-specific false-positive examples from real reports so tuning guidance keeps getting sharper.
-- Add a fresh demo render that reflects the latest release number and fixture totals.
+- Add a lightweight social preview card or landing-page still for GitHub and X link previews.
 
 ## Quality And Safety
 

package/docs/DEMO.md

@@ -189,20 +189,37 @@ Source: built-in
 Kinds: plan, command, diff, final
 Project config: none loaded
 
+Why it exists:
+Auth, billing, production, migrations, and similar domains have outsized user or business impact.
+
+When it may be noisy:
+It can be noisy in docs, release notes, or rule text that merely mentions a sensitive word.
+
+Safer move:
+Add targeted tests, a manual verification note, or a rollback path for the sensitive area.
+
+Recommendation:
+If repeated hits are harmless for this repo, disable the rule and validate the config.
+
+Before muting:
+- Confirm the latest hit is harmless, documentation-only, example-only, or already covered by another guard.
+- Prefer fixing the risky change or adding verification when the rule found real risk.
+- Prefer muting only after repeated false positives in this repo.
+
 Fixture tuning evidence:
 Support: limited
 Confidence: medium
-Total fixtures checked: 208
-Weighted fixtures checked: 399.2
+Total fixtures checked: 216
+Weighted fixtures checked: 412.5
 Matching fixtures: 11
 Weighted matches: 23
 Expected-match weight: 18
 Unexpected-match weight: 5
 Edge-case matches: 0
-Quiet-pass fixtures: 5
-Quiet-pass weight: 3.6
+Quiet-pass fixtures: 6
+Quiet-pass weight: 4.25
 By kind: command 0, plan 5, diff 5, final 1
-Fixture coverage: 11/208 (5.8% weighted)
+Fixture coverage: 11/216 (5.6% weighted)
 By verdict: pass 0, caution 3, block 8
 Matched fixture samples:
   infra-public-ingress-block: Public ingress should block in low-risk-tolerance infra repos.
@@ -217,9 +234,6 @@ Quiet-pass fixture samples:
   universal-risky-domain-docs-pass: Documentation-only sensitive-domain vocabulary should stay quiet when no code behavior changes.
   web-docs-only-browser-storage-pass: Docs-only web guidance should not warn just because it mentions browser storage or redirects.
 
-When it may be noisy:
-It can be noisy in docs, release notes, or rule text that merely mentions a sensitive word.
-
 Commands:
   jester rule risky-domain
   jester config disable-rule risky-domain

package/docs/PRODUCTION_READINESS.md

@@ -9,6 +9,7 @@ This checklist defines what "production grade" means for Memento Mori Jester rig
 - GitHub Releases and npm publishing are automated from annotated `v*` tags through GitHub Actions trusted publishing.
 - CI runs tests and a package dry run on every push to `main` and pull request.
 - The local playground, GitHub Action, MCP setup snippets, preset examples, fixtures, and release notes ship in the npm package.
+- Repo-local promo assets stay outside the npm package, but `npm run promo:check` keeps the current demo video, stills, docs, and fixture evidence numbers aligned.
 
 ## npm Package
 
@@ -54,6 +55,7 @@ This checklist defines what "production grade" means for Memento Mori Jester rig
 - `docs/MAINTAINER_TRIAGE.md` explains how to turn useful false-positive reports into fixture coverage before changing rule logic.
 - `npm run fixtures:check` validates fixture IDs, metadata, unsafe-looking content, duplicate content, and explicit expected/absent rule intent.
 - `npm run fixtures:report` shows fixture coverage by rule, rule family, preset slice, kind, verdict, quiet-pass rule boundaries, and feasible pass-case gaps so maintainers can pick the next fixture target; `npm run fixtures:report -- --markdown` produces a paste-ready maintainer snapshot.
+- `npm run promo:check` verifies current repo-local promo assets against the current fixture evidence before maintainers post or refresh the demo.
 - npm publish has a manual workflow fallback, but the normal release path is tag-driven trusted publishing.
 
 ## Static Guard
@@ -69,6 +71,7 @@ This checklist defines what "production grade" means for Memento Mori Jester rig
 - maintainer triage docs exist and link noisy-rule reports back to fixture coverage.
 - fixture authoring checks are wired into `npm test`.
 - fixture coverage reports are wired into `npm test`.
+- promo freshness checks are wired into `npm test`.
 
 `npm test` runs this check after the TypeScript build and unit tests.
 

package/docs/RELEASE.md

@@ -12,6 +12,7 @@ npm.cmd run fixtures:check
 npm.cmd run fixtures:report
 npm.cmd run fixtures:report -- --json
 npm.cmd run fixtures:report -- --markdown
+npm.cmd run promo:check
 npm.cmd run pack:dry
 git diff --check
 ```

package/docs/RELEASE_NOTES_v0.1.78.md

@@ -0,0 +1,49 @@
+# Memento Mori Jester v0.1.78
+
+## Summary
+
+This release refreshes the repo-local X demo video and share-kit stills so public promo assets show the current release number and fixture evidence.
+
+## What Changed
+
+- Added `promo/x-demo-v0.1.78` as the current editable HyperFrames demo source.
+- Rendered `promo/x-demo-v0.1.78/renders/memento-mori-jester-x-demo-v0.1.78.mp4`.
+- Updated the share-kit stills from the fresh render.
+- Updated promo docs, demo transcript, roadmap, changelog, and release notes for the refreshed demo asset.
+
+## Public Interface
+
+- No CLI command changes.
+- No MCP tool changes.
+- No config schema changes.
+- No review rule, scoring, or verdict behavior changes.
+- No GitHub Action behavior changes.
+- `promo/` remains outside the npm package `files` list.
+
+## Release Validation
+
+```powershell
+npm.cmd test
+npm.cmd run demo:svg:check
+Push-Location promo\x-demo-v0.1.78
+npm.cmd run check
+Pop-Location
+npm.cmd run pack:dry
+git diff --check
+git diff | node .\dist\cli.js diff --fail-on block --subject "v0.1.78 fresh demo render"
+```
+
+Additional media checks:
+
+```powershell
+$ffprobe = Resolve-Path promo\x-demo-v0.1.78\node_modules\ffprobe-static\bin\win32\x64\ffprobe.exe
+& $ffprobe -v error -select_streams v:0 -show_entries stream=width,height,r_frame_rate,duration -of default=noprint_wrappers=1 promo\x-demo-v0.1.78\renders\memento-mori-jester-x-demo-v0.1.78.mp4
+```
+
+Expected:
+
+- video is 1080x1920, 42 seconds, 30fps,
+- share-kit stills render clearly with `v0.1.78`, 216 fixtures, and 6 quiet-pass examples,
+- promo files are tracked in Git,
+- promo files are not included in the npm tarball,
+- GitHub Release and npm Publish complete from the `v0.1.78` tag.

package/docs/RELEASE_NOTES_v0.1.79.md

@@ -0,0 +1,47 @@
+# Memento Mori Jester v0.1.79
+
+## Summary
+
+This release adds a repo-local promo freshness check so maintainers can verify the current demo video, stills, docs, and fixture evidence numbers before posting or refreshing public assets.
+
+## What Changed
+
+- Added `scripts/check-promo-freshness.mjs`.
+- Added `npm run promo:check`.
+- Wired `promo:check` into `npm test`.
+- Updated production-readiness checks so the promo freshness guard cannot silently disappear.
+- Updated README, release docs, production-readiness docs, promo docs, roadmap, changelog, and release notes.
+
+## Public Interface
+
+- No CLI command changes.
+- No MCP tool changes.
+- No config schema changes.
+- No review rule, scoring, or verdict behavior changes.
+- No GitHub Action behavior changes.
+- `promo/` remains outside the npm package `files` list.
+
+## Release Validation
+
+```powershell
+npm.cmd test
+npm.cmd run demo:svg:check
+npm.cmd run promo:check
+npm.cmd run pack:dry
+git diff --check
+git diff | node .\dist\cli.js diff --fail-on block --subject "v0.1.79 promo freshness check"
+```
+
+For a future same-version promo refresh, maintainers can run:
+
+```powershell
+npm.cmd run promo:check -- --require-package-version
+```
+
+This release does not require that strict mode because the current public demo snapshot remains `x-demo-v0.1.78`.
+
+Expected:
+
+- default `promo:check` passes for the current published demo snapshot,
+- `--require-package-version` is available for intentional same-version promo refreshes,
+- GitHub Release and npm Publish complete from the `v0.1.79` tag.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "memento-mori-jester",
-  "version": "0.1.77",
+  "version": "0.1.79",
   "description": "A local court-jester sidecar for AI coding agents: review plans, commands, diffs, and final claims before they get too pleased with themselves.",
   "type": "module",
   "repository": {
@@ -40,12 +40,13 @@
     "build": "tsc -p tsconfig.json",
     "start": "node dist/server.js",
     "start:mcp": "node dist/server.js",
-    "test": "npm run build && node scripts/run-tests.mjs && npm run fixtures:check && npm run fixtures:report && npm run production:check",
+    "test": "npm run build && node scripts/run-tests.mjs && npm run fixtures:check && npm run fixtures:report && npm run promo:check && npm run production:check",
     "doctor": "node dist/cli.js doctor",
     "demo:svg": "node scripts/render-demo-svg.mjs",
     "demo:svg:check": "node scripts/render-demo-svg.mjs --check",
     "fixtures:check": "node scripts/check-fixtures.mjs",
     "fixtures:report": "node scripts/report-fixtures.mjs",
+    "promo:check": "node scripts/check-promo-freshness.mjs",
     "production:check": "node scripts/check-production-readiness.mjs",
     "pack:dry": "npm pack --dry-run",
     "prepare": "npm run build",

package/scripts/check-production-readiness.mjs

@@ -64,6 +64,7 @@ for (const path of [
   "docs/MAINTAINER_TRIAGE.md",
   `docs/RELEASE_NOTES_${tag}.md`,
   "action.yml",
+  "scripts/check-promo-freshness.mjs",
   "scripts/check-fixtures.mjs",
   "scripts/report-fixtures.mjs",
   ".github/ISSUE_TEMPLATE/bug_report.yml",
@@ -132,8 +133,11 @@ requireText("scripts/report-fixtures.mjs", /--markdown/, "Markdown fixture repor
 forbidText("scripts/report-fixtures.mjs", /src\/config\.ts|src\/types\.ts/, "source-only fixture report dependencies");
 requireText("package.json", /"fixtures:check": "node scripts\/check-fixtures\.mjs"/, "fixture authoring check script");
 requireText("package.json", /"fixtures:report": "node scripts\/report-fixtures\.mjs"/, "fixture coverage report script");
+requireText("package.json", /"promo:check": "node scripts\/check-promo-freshness\.mjs"/, "promo freshness check script");
 requireText("package.json", /npm run fixtures:check/, "fixture authoring check in npm test");
 requireText("package.json", /npm run fixtures:report/, "fixture coverage report in npm test");
+requireText("package.json", /npm run promo:check/, "promo freshness check in npm test");
+requireText("scripts/check-promo-freshness.mjs", /--require-package-version/, "optional strict package-version promo check");
 requireText("SECURITY.md", /doctor --json/, "doctor JSON redaction guidance");
 requireText("SECURITY.md", /security\/advisories\/new/, "private vulnerability report link");
 requireText(".github/ISSUE_TEMPLATE/bug_report.yml", /doctor --json/, "doctor JSON support prompt");

package/scripts/check-promo-freshness.mjs

@@ -0,0 +1,201 @@
+#!/usr/bin/env node
+import { existsSync, readFileSync, statSync } from "node:fs";
+import { join } from "node:path";
+import { spawnSync } from "node:child_process";
+
+const root = process.cwd();
+const failures = [];
+const args = new Set(process.argv.slice(2));
+const requirePackageVersion = args.has("--require-package-version");
+
+for (const arg of args) {
+  if (arg !== "--require-package-version") {
+    failures.push(`Unknown option: ${arg}`);
+  }
+}
+
+function read(path) {
+  return readFileSync(join(root, path), "utf8");
+}
+
+function readJson(path) {
+  return JSON.parse(read(path));
+}
+
+function escapeRegExp(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
+function requireFile(path, description, minBytes = 1) {
+  const fullPath = join(root, path);
+  if (!existsSync(fullPath)) {
+    failures.push(`${description} is missing: ${path}`);
+    return;
+  }
+  const size = statSync(fullPath).size;
+  if (size < minBytes) {
+    failures.push(`${description} looks too small: ${path} (${size} bytes).`);
+  }
+}
+
+function requireText(path, pattern, description) {
+  const content = read(path);
+  if (!pattern.test(content)) {
+    failures.push(`${path} should include ${description}.`);
+  }
+}
+
+function failJson(path, error) {
+  failures.push(`${path} could not be parsed: ${error instanceof Error ? error.message : String(error)}.`);
+}
+
+function loadRiskyDomainEvidence() {
+  const cliPath = join(root, "dist", "cli.js");
+  if (!existsSync(cliPath)) {
+    failures.push("dist/cli.js is missing; run `npm run build` before `npm run promo:check`.");
+    return null;
+  }
+
+  const result = spawnSync(
+    process.execPath,
+    [cliPath, "tune", "risky-domain", "--json", "--no-config"],
+    { cwd: root, encoding: "utf8" }
+  );
+
+  if (result.status !== 0) {
+    failures.push(`Could not load risky-domain fixture evidence: ${result.stderr || result.stdout}`.trim());
+    return null;
+  }
+
+  try {
+    const parsed = JSON.parse(result.stdout);
+    return parsed.fixtureEvidence ?? null;
+  } catch (error) {
+    failures.push(`Could not parse risky-domain fixture evidence JSON: ${error instanceof Error ? error.message : String(error)}.`);
+    return null;
+  }
+}
+
+let packageJson;
+try {
+  packageJson = readJson("package.json");
+} catch (error) {
+  failJson("package.json", error);
+  packageJson = {};
+}
+
+let fixtures;
+try {
+  fixtures = readJson("examples/fixtures/preset-review-cases.json");
+} catch (error) {
+  failJson("examples/fixtures/preset-review-cases.json", error);
+  fixtures = [];
+}
+
+const promoReadmePath = "promo/README.md";
+const promoReadme = read(promoReadmePath);
+const currentVideo = promoReadme.match(/Final vertical demo video:\s*\[([^\]]+)\]\(([^)]+)\)/);
+
+if (!currentVideo) {
+  failures.push(`${promoReadmePath} should link the final vertical demo video.`);
+}
+
+const linkedLabel = currentVideo?.[1] ?? "";
+const linkedTarget = currentVideo?.[2] ?? "";
+if (linkedLabel && linkedTarget && linkedLabel !== linkedTarget) {
+  failures.push(`${promoReadmePath} video link label and target should match.`);
+}
+
+const videoMatch = linkedTarget.match(/^x-demo-v(\d+\.\d+\.\d+)\/renders\/memento-mori-jester-x-demo-v\1\.mp4$/);
+if (!videoMatch) {
+  failures.push(`${promoReadmePath} video should point at x-demo-vX.Y.Z/renders/memento-mori-jester-x-demo-vX.Y.Z.mp4.`);
+}
+
+const promoVersion = videoMatch?.[1] ?? "unknown";
+const demoId = `x-demo-v${promoVersion}`;
+const demoDir = `promo/${demoId}`;
+const demoVideoPath = linkedTarget ? `promo/${linkedTarget}` : "";
+const fixtureTotal = Array.isArray(fixtures) ? fixtures.length : 0;
+const riskyEvidence = loadRiskyDomainEvidence();
+
+if (requirePackageVersion && packageJson.version !== promoVersion) {
+  failures.push(`Current promo version v${promoVersion} should match package.json ${packageJson.version} when --require-package-version is used.`);
+}
+
+if (promoVersion !== "unknown") {
+  requireFile(`${demoDir}/index.html`, "current promo demo HTML");
+  requireFile(`${demoDir}/README.md`, "current promo demo README");
+  requireFile(`${demoDir}/package.json`, "current promo demo package.json");
+  requireFile(`${demoDir}/package-lock.json`, "current promo demo package-lock.json");
+  requireFile(`${demoDir}/meta.json`, "current promo demo metadata");
+  requireFile(demoVideoPath, "current promo demo video", 100_000);
+
+  for (const still of ["01-opener.jpg", "02-command-block.jpg", "03-tuning-evidence.jpg", "04-try-it.jpg"]) {
+    requireFile(`promo/share-kit/stills/${still}`, `share-kit still ${still}`, 50_000);
+  }
+
+  try {
+    const demoPackage = readJson(`${demoDir}/package.json`);
+    if (demoPackage.name !== demoId) {
+      failures.push(`${demoDir}/package.json name should be ${demoId}.`);
+    }
+  } catch (error) {
+    failJson(`${demoDir}/package.json`, error);
+  }
+
+  try {
+    const demoLock = readJson(`${demoDir}/package-lock.json`);
+    if (demoLock.name !== demoId || demoLock.packages?.[""]?.name !== demoId) {
+      failures.push(`${demoDir}/package-lock.json root name should be ${demoId}.`);
+    }
+  } catch (error) {
+    failJson(`${demoDir}/package-lock.json`, error);
+  }
+
+  try {
+    const demoMeta = readJson(`${demoDir}/meta.json`);
+    if (demoMeta.id !== demoId || demoMeta.name !== demoId) {
+      failures.push(`${demoDir}/meta.json id and name should be ${demoId}.`);
+    }
+  } catch (error) {
+    failJson(`${demoDir}/meta.json`, error);
+  }
+
+  const escapedVersion = escapeRegExp(promoVersion);
+  requireText(`${demoDir}/README.md`, new RegExp(`# Memento Mori Jester X Demo v${escapedVersion}`), `demo title v${promoVersion}`);
+  requireText(`${demoDir}/README.md`, new RegExp(`renders/memento-mori-jester-x-demo-v${escapedVersion}\\.mp4`), "current render path");
+  requireText(`${demoDir}/index.html`, new RegExp(`<span>v${escapedVersion}</span>`), `visible version v${promoVersion}`);
+  requireText(`${demoDir}/index.html`, new RegExp(`PASS package-version: ${escapedVersion}`), `doctor package version ${promoVersion}`);
+  requireText(`${demoDir}/index.html`, new RegExp(`<strong>${fixtureTotal}</strong>\\s*<span>fixtures checked</span>`), `${fixtureTotal} fixture count`);
+  requireText("promo/share-kit/README.md", new RegExp(escapeRegExp(`../${linkedTarget}`)), "current promo video path");
+
+  if (riskyEvidence) {
+    requireText(
+      `${demoDir}/index.html`,
+      new RegExp(`<strong>${riskyEvidence.matchCount}</strong>\\s*<span>risky-domain matches</span>`),
+      `${riskyEvidence.matchCount} risky-domain match count`
+    );
+    requireText(
+      `${demoDir}/index.html`,
+      new RegExp(`<strong>${riskyEvidence.quietPassCount}</strong>\\s*<span>quiet-pass examples</span>`),
+      `${riskyEvidence.quietPassCount} quiet-pass count`
+    );
+    requireText("docs/DEMO.md", new RegExp(`Total fixtures checked: ${riskyEvidence.totalFixtures}`), "current tune fixture total");
+    requireText("docs/DEMO.md", new RegExp(`Matching fixtures: ${riskyEvidence.matchCount}`), "current tune match count");
+    requireText("docs/DEMO.md", new RegExp(`Quiet-pass fixtures: ${riskyEvidence.quietPassCount}`), "current tune quiet-pass count");
+  }
+}
+
+if (failures.length > 0) {
+  process.stderr.write("Promo freshness check failed:\n");
+  for (const failure of failures) {
+    process.stderr.write(`- ${failure}\n`);
+  }
+  process.exit(1);
+}
+
+process.stdout.write(
+  `Promo freshness check passed for ${demoId}: ${fixtureTotal} fixtures, ` +
+    `${riskyEvidence?.matchCount ?? "unknown"} risky-domain matches, ` +
+    `${riskyEvidence?.quietPassCount ?? "unknown"} quiet-pass examples.\n`
+);