memento-mori-jester 0.1.81 → 0.1.82

package/CHANGELOG.md

@@ -4,6 +4,12 @@ All notable changes to Memento Mori Jester are tracked here.
 
 ## Unreleased
 
+## 0.1.82
+
+- Added six real-world quiet-pass fixtures for FastAPI dependency injection, frozen `uv` syncs, docs-only Terraform and Helm guidance, redacted Gitleaks scans, and Next.js workspace linting.
+- Added `docs/FRAMEWORK_TUNING.md` to map common framework-specific false-positive reports to useful `jester tune <rule>` commands and fixture IDs.
+- Refreshed demo, fixture docs, roadmap, and release notes for the 222-fixture corpus.
+
 ## 0.1.81
 
 - Added a lightweight repo-local landing page under `site/index.html` that reuses the social card, demo video, start command, and public project links.

package/README.md

@@ -315,6 +315,8 @@ jester tune coverage --json
 
 `jester tune coverage` shows the fixture support and confidence signal for every rule, including suggested next actions such as adding coverage, reviewing surprise matches, checking quiet-pass boundaries, or leaving a healthy signal alone.
 
+For stack-shaped noise, see [Framework Tuning Examples](docs/FRAMEWORK_TUNING.md). It maps common Next.js, Vite React, FastAPI, Terraform/Kubernetes, security-scan, and AI/MCP false-positive reports to the `jester tune <rule>` command and fixture IDs worth checking first.
+
 Disable a noisy rule by adding its id to `disabledRules` in `jester.config.json`:
 
 ```json
@@ -426,6 +428,7 @@ More setup examples:
 - [Agent Setup](docs/AGENTS.md)
 - [MCP Tool Reference](docs/MCP_TOOLS.md)
 - [GitHub Actions](docs/GITHUB_ACTIONS.md)
+- [Framework Tuning Examples](docs/FRAMEWORK_TUNING.md)
 - [Demo Script](docs/DEMO.md)
 - [Promo Share Kit](promo)
 - [Examples](examples)

package/ROADMAP.md

@@ -6,6 +6,7 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 
 ## Recently Shipped
 
+- Framework tuning examples and quiet-pass fixture curation in v0.1.82, adding six safe real-world examples plus a guide for framework-shaped noisy-rule reports.
 - Repo-local landing page in v0.1.81, adding a static one-page share surface plus deterministic link checks.
 - Social preview card in v0.1.80, adding a deterministic 1200x630 promo card plus generation and freshness checks.
 - Promo freshness check in v0.1.79, verifying the current demo video, share-kit stills, docs, and fixture evidence numbers before public posting.
@@ -71,7 +72,7 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 ## Product Ideas
 
 - Collect real-world reports for the next lowest-count preset slices now highlighted by `fixtures:report`.
-- Add more framework-specific false-positive examples from real reports so tuning guidance keeps getting sharper.
+- Add a small fixture issue template checklist that asks for the nearest framework tuning example and redacted `jester tune <rule-id> --json` output.
 - Add a hosted-page option or GitHub Pages instructions once the static page has settled.
 
 ## Quality And Safety

package/docs/CLI.md

@@ -158,6 +158,8 @@ Use `jester tune <id>` when the question is practical: should this noisy rule be
 
 When filing a false-positive issue, include redacted `jester summary` output and `jester tune <rule-id> --json` output when possible.
 
+For stack-shaped reports, see [Framework Tuning Examples](FRAMEWORK_TUNING.md). It points common Next.js, Vite React, FastAPI, Terraform/Kubernetes, security-scan, and AI/MCP noisy-rule reports at the relevant `jester tune <rule-id>` command and fixture IDs.
+
 Use `jester tune coverage` when maintaining the rule set. It ranks every rule by fixture support and confidence, shows expected vs unexpected fixture weight, and suggests the next maintenance action for each rule.
 
 `jester tune` now also includes fixture evidence:

package/docs/DEMO.md

@@ -209,17 +209,17 @@ Before muting:
 Fixture tuning evidence:
 Support: limited
 Confidence: medium
-Total fixtures checked: 216
-Weighted fixtures checked: 412.5
+Total fixtures checked: 222
+Weighted fixtures checked: 421.8
 Matching fixtures: 11
 Weighted matches: 23
 Expected-match weight: 18
 Unexpected-match weight: 5
 Edge-case matches: 0
-Quiet-pass fixtures: 6
-Quiet-pass weight: 4.25
+Quiet-pass fixtures: 8
+Quiet-pass weight: 5.55
 By kind: command 0, plan 5, diff 5, final 1
-Fixture coverage: 11/216 (5.6% weighted)
+Fixture coverage: 11/222 (5.5% weighted)
 By verdict: pass 0, caution 3, block 8
 Matched fixture samples:
   infra-public-ingress-block: Public ingress should block in low-risk-tolerance infra repos.
@@ -230,9 +230,9 @@ Matched fixture samples:
 Quiet-pass fixture samples:
   ai-docs-only-transcript-pass: Docs-only AI setup notes should stay quiet when they do not include concrete dangerous patterns.
   api-docs-only-auth-pass: Docs-only API setup notes should not warn just because they mention auth and production.
+  infra-helm-values-docs-pass: Docs-only Helm values guidance should stay quiet around infra sensitive-domain warnings.
+  infra-terraform-plan-docs-pass: Docs-only Terraform plan review guidance should not trip infra sensitive-domain warnings.
   sec-final-dependency-notes-pass: A verified dependency-note final answer should give the security preset a quiet final case.
-  universal-risky-domain-docs-pass: Documentation-only sensitive-domain vocabulary should stay quiet when no code behavior changes.
-  web-docs-only-browser-storage-pass: Docs-only web guidance should not warn just because it mentions browser storage or redirects.
 
 Commands:
   jester rule risky-domain
@@ -367,7 +367,7 @@ Preset packs:
 
 ## 13. Review Fixtures
 
-The fixture suite in `examples/fixtures/preset-review-cases.json` captures small real-usage examples with expected `pass`, `caution`, or `block` verdicts. It also includes matched-pass examples for low-severity rules, quiet-pass `absentRuleIds` examples that prove noisy rules stay silent for safe near-misses, stack-specific coverage for every built-in preset, quiet-pass boundaries across built-in, structural, custom, and preset/config-derived rules, second firing examples for preset blocked-command rules, second examples for AI/API, framework custom, built-in, and configured sensitive-domain rules, AI tool-dispatch examples with safe allowlist/schema boundaries, and real-world low-count preset examples across node, python, web, infra, AI, and security slices. Recent quiet-pass examples cover typechecks, prebuild scripts, mypy, dataclass parsing, CodeQL, Dependabot limits, form validation, accessibility copy, read-only Kubernetes inspection, Docker disk usage, Terraform linting, public-IP hardening changes, npm audit/outdated/ci, development-mode Node commands, package export maps, workspace test scripts, Bandit, pip-audit, coverage/pytest, Trivy filesystem scans, npm audit, TLS verification-enabled diffs, safe text rendering, allowlisted target paths, public analytics IDs, model-check commands, tool allowlist checks, public model-name config, API schema parsing, query-builder filters, enabled rate limiting, read-only Prisma migration diffs, signed-webhook docs, OpenAPI schema docs, Pydantic parsing, Pyright checks, SBOM generation, vulnerability-report docs, escaped React rendering, session-cookie docs, model regression checks, and static action allowlists. These examples are run by `npm test`, so preset tuning changes stay visible.
+The fixture suite in `examples/fixtures/preset-review-cases.json` captures small real-usage examples with expected `pass`, `caution`, or `block` verdicts. It also includes matched-pass examples for low-severity rules, quiet-pass `absentRuleIds` examples that prove noisy rules stay silent for safe near-misses, stack-specific coverage for every built-in preset, quiet-pass boundaries across built-in, structural, custom, and preset/config-derived rules, second firing examples for preset blocked-command rules, second examples for AI/API, framework custom, built-in, and configured sensitive-domain rules, AI tool-dispatch examples with safe allowlist/schema boundaries, and real-world low-count preset examples across node, python, web, infra, AI, and security slices. Recent quiet-pass examples cover typechecks, prebuild scripts, mypy, dataclass parsing, CodeQL, Dependabot limits, form validation, accessibility copy, read-only Kubernetes inspection, Docker disk usage, Terraform linting, public-IP hardening changes, npm audit/outdated/ci, development-mode Node commands, package export maps, workspace test scripts, Bandit, pip-audit, coverage/pytest, Trivy filesystem scans, npm audit, TLS verification-enabled diffs, safe text rendering, allowlisted target paths, public analytics IDs, model-check commands, tool allowlist checks, public model-name config, API schema parsing, query-builder filters, enabled rate limiting, read-only Prisma migration diffs, signed-webhook docs, OpenAPI schema docs, Pydantic parsing, Pyright checks, SBOM generation, vulnerability-report docs, escaped React rendering, session-cookie docs, model regression checks, static action allowlists, FastAPI dependency injection, frozen `uv` syncs, docs-only Terraform and Helm guidance, redacted Gitleaks scans, and Next.js workspace linting. These examples are run by `npm test`, so preset tuning changes stay visible.
 
 Maintainers can run `npm run fixtures:report` to see coverage by verdict, kind, preset, rule family, and preset slice. The report also includes a `Curation next` section that points at the next useful fixture batch, such as thin rules, feasible pass-case evidence, rule-family gaps, or lower-count presets. Use `npm run fixtures:report -- --markdown` for a paste-ready version of the same snapshot.
 

package/docs/FRAMEWORK_TUNING.md

@@ -0,0 +1,27 @@
+# Framework Tuning Examples
+
+Use this when a rule is noisy in a real project and you want the smallest evidence-backed next step before muting it.
+
+Start with the rule that actually fired:
+
+```powershell
+jester summary --kind <command|plan|diff|final> "<redacted minimal input>"
+jester tune <rule-id> --json
+```
+
+Then compare the output with the nearest fixture-backed examples below. If your case is closer to the safe examples than the risky examples, add a redacted fixture before changing a rule.
+
+| Stack | Common noisy rule | Useful tune command | Safe fixture examples |
+| --- | --- | --- | --- |
+| Next.js / Vite React | Public but non-secret frontend names or harmless workspace commands | `jester tune custom-web-public-secret-name --json` or `jester tune custom-node-install-script-change --json` | `web-public-analytics-env-command-pass`, `node-next-lint-command-pass` |
+| FastAPI / Python | Typed dependency injection, schema parsing, or locked dependency sync being confused with dynamic execution | `jester tune custom-python-eval-exec --json` or `jester tune custom-python-pickle-load --json` | `python-fastapi-dependency-diff-pass`, `python-pydantic-parse-diff-pass`, `python-uv-sync-frozen-command-pass` |
+| Terraform / Kubernetes / Helm | Docs-only infrastructure guidance mentioning sensitive tool names | `jester tune risky-domain --json` or `jester tune configured-sensitive-domain-terraform --json` | `infra-terraform-plan-docs-pass`, `infra-helm-values-docs-pass`, `infra-kubectl-describe-command-pass` |
+| Security scanning | Redacted scanner output or SBOM/report generation being confused with secret material | `jester tune secret-material --json` or `jester tune custom-insecure-tls-disabled --json` | `sec-gitleaks-redacted-command-pass`, `sec-sbom-command-pass`, `sec-vulnerability-report-docs-pass` |
+| AI / MCP tools | Static allowlists, model checks, or public model names being confused with unsafe tool dispatch or provider keys | `jester tune custom-ai-user-controlled-tool-dispatch --json` or `jester tune custom-ai-public-provider-key --json` | `ai-tool-registry-allowlist-diff-pass`, `ai-model-regression-command-pass`, `ai-public-model-env-diff-pass` |
+
+## What To Do With The Result
+
+- If `fixtureEvidence.quietPassFixtures` already contains a close match, prefer a local config mute over changing global rules.
+- If the safe case is missing but the report is minimal and redacted, add a new pass fixture with `absentRuleIds`.
+- If the rule fired on a genuinely dangerous command, secret, broad permission, production-impacting change, or user-controlled execution path, fix the underlying change instead of muting it.
+- If the example depends on private code, customer data, credentials, or internal URLs, redact it before adding a fixture or opening a public issue.

package/docs/GETTING_STARTED.md

@@ -106,7 +106,7 @@ npx -y memento-mori-jester@latest bootstrap --preset node
 
 Then tell them to open `MEMENTO_MORI.md`.
 
-For copy-paste agent and hook examples, see [examples](../examples). For stack-specific config examples, see [preset example packs](../examples/presets) for Next.js, Vite React, Express API, FastAPI, Terraform/Kubernetes, and AI MCP repos. For copy-paste CI workflows, see [framework CI examples](../examples/ci). For concrete pass, caution, and block cases, see [review fixtures](../examples/fixtures).
+For copy-paste agent and hook examples, see [examples](../examples). For stack-specific config examples, see [preset example packs](../examples/presets) for Next.js, Vite React, Express API, FastAPI, Terraform/Kubernetes, and AI MCP repos. For copy-paste CI workflows, see [framework CI examples](../examples/ci). For concrete pass, caution, and block cases, see [review fixtures](../examples/fixtures). For stack-shaped noisy-rule reports, see [framework tuning examples](FRAMEWORK_TUNING.md).
 
 ## Need Help?
 

package/docs/PRODUCTION_READINESS.md

@@ -52,6 +52,7 @@ This checklist defines what "production grade" means for Memento Mori Jester rig
 - Package metadata points bug reports at the GitHub issues page.
 - `jester doctor --json`, `jester config validate`, and `jester rules` are the first troubleshooting commands.
 - `jester tune`, `jester tune coverage`, and the fixture suite give maintainers a way to inspect noisy rules before changing defaults.
+- [FRAMEWORK_TUNING.md](FRAMEWORK_TUNING.md) maps common stack-specific false-positive reports to the relevant `jester tune <rule-id>` evidence and fixture IDs.
 - GitHub issue templates collect bug reports, false-positive reports, and feature requests with the diagnostic context maintainers need.
 - `SECURITY.md` routes vulnerability reports away from public issues and asks for redacted diagnostics.
 - `docs/MAINTAINER_TRIAGE.md` explains how to turn useful false-positive reports into fixture coverage before changing rule logic.

package/docs/RELEASE_NOTES_v0.1.82.md

@@ -0,0 +1,54 @@
+# Memento Mori Jester v0.1.82
+
+## Summary
+
+This release continues the core quality track after the landing-page release. It adds a small fixture-backed false-positive batch and a framework tuning guide so maintainers can compare real noisy reports with safe examples before muting or changing rules.
+
+## What Changed
+
+- Added six quiet-pass fixtures, growing the corpus from 216 to 222 cases:
+  - `python-fastapi-dependency-diff-pass`
+  - `python-uv-sync-frozen-command-pass`
+  - `infra-terraform-plan-docs-pass`
+  - `infra-helm-values-docs-pass`
+  - `sec-gitleaks-redacted-command-pass`
+  - `node-next-lint-command-pass`
+- Added `docs/FRAMEWORK_TUNING.md`.
+- Linked framework tuning guidance from README, CLI docs, and getting-started docs.
+- Refreshed demo, promo-source evidence counts, site proof count, fixture docs, changelog, and roadmap.
+
+## Public Interface
+
+- No CLI command changes.
+- No MCP tool changes.
+- No config schema changes.
+- No review rule, scoring, matching, or verdict behavior changes.
+- No GitHub Action or release workflow changes.
+- Fixture/tuning evidence changes only because the corpus is larger.
+
+## Release Validation
+
+```powershell
+npm.cmd test
+npm.cmd run demo:svg:check
+npm.cmd run promo:card:check
+npm.cmd run promo:check
+npm.cmd run fixtures:report
+npm.cmd run fixtures:report -- --json
+npm.cmd run fixtures:report -- --markdown
+npm.cmd run site:check
+npm.cmd run pack:dry
+git diff --check
+node .\dist\cli.js tune risky-domain --json --no-config
+node .\dist\cli.js tune coverage --no-config
+git diff | node .\dist\cli.js diff --fail-on block --subject "v0.1.82 framework tuning fixtures"
+```
+
+Expected:
+
+- fixture report shows `Fixtures: 222`,
+- no thin rule coverage,
+- no preset/kind gaps,
+- no rules without quiet-pass coverage,
+- `promo:check` passes with 222 fixtures and 8 risky-domain quiet-pass examples,
+- GitHub Release and npm Publish complete from the `v0.1.82` tag.

package/examples/fixtures/README.md

@@ -30,6 +30,7 @@ Maintainer triage guidance lives in [docs/MAINTAINER_TRIAGE.md](../../docs/MAINT
 - Quiet-pass examples for safe text rendering, allowlisted target paths, public analytics IDs, model-check commands, tool allowlist checks, and public model-name config.
 - Quiet-pass examples for API schema parsing, query-builder filters, enabled rate limiting, read-only Prisma migration diffs, signed-webhook docs, and OpenAPI schema docs.
 - Quiet-pass examples for Pydantic parsing, Pyright checks, SBOM generation, vulnerability-report docs, escaped React rendering, session-cookie docs, model regression checks, and static action allowlists.
+- Quiet-pass examples for FastAPI dependency injection, frozen `uv` syncs, docs-only Terraform and Helm guidance, redacted Gitleaks scans, and Next.js workspace linting.
 - Fixture metadata like `weight` and `edgeCase` to support precision-weighted tuning evidence.
 
 ## Local Check

package/examples/fixtures/preset-review-cases.json

@@ -2859,5 +2859,96 @@
       "custom-ai-user-controlled-tool-dispatch",
       "custom-ai-model-output-execution"
     ]
+  },
+  {
+    "id": "python-fastapi-dependency-diff-pass",
+    "preset": "python",
+    "kind": "diff",
+    "description": "FastAPI dependency injection should not look like Python dynamic execution or pickle loading.",
+    "content": "diff --git a/app/dependencies.py b/app/dependencies.py\n--- a/app/dependencies.py\n+++ b/app/dependencies.py\n@@ -1 +1,2 @@\n+current_user: User = Depends(get_current_user)\n",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "custom-python-eval-exec",
+      "custom-python-pickle-load"
+    ]
+  },
+  {
+    "id": "python-uv-sync-frozen-command-pass",
+    "preset": "python",
+    "kind": "command",
+    "description": "Frozen uv dependency sync for tests should not trip unsafe pip install or dynamic execution rules.",
+    "content": "uv sync --frozen --group test",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-pip-install-break-system-packages",
+      "custom-python-eval-exec",
+      "custom-python-pickle-load"
+    ]
+  },
+  {
+    "id": "infra-terraform-plan-docs-pass",
+    "preset": "infra",
+    "kind": "diff",
+    "description": "Docs-only Terraform plan review guidance should not trip infra sensitive-domain warnings.",
+    "content": "diff --git a/docs/TERRAFORM_PLAN.md b/docs/TERRAFORM_PLAN.md\n--- a/docs/TERRAFORM_PLAN.md\n+++ b/docs/TERRAFORM_PLAN.md\n@@ -1 +1,2 @@\n+Document how to review terraform plan output and attach rollback notes before apply.\n",
+    "expectedVerdict": "pass",
+    "edgeCase": true,
+    "weight": 1,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "configured-sensitive-domain-terraform",
+      "custom-infra-production-change",
+      "risky-domain"
+    ]
+  },
+  {
+    "id": "infra-helm-values-docs-pass",
+    "preset": "infra",
+    "kind": "diff",
+    "description": "Docs-only Helm values guidance should stay quiet around infra sensitive-domain warnings.",
+    "content": "diff --git a/docs/HELM_VALUES.md b/docs/HELM_VALUES.md\n--- a/docs/HELM_VALUES.md\n+++ b/docs/HELM_VALUES.md\n@@ -1 +1,2 @@\n+Record which helm values are environment labels and which require change approval.\n",
+    "expectedVerdict": "pass",
+    "edgeCase": true,
+    "weight": 1,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "configured-sensitive-domain-helm",
+      "custom-infra-production-change",
+      "risky-domain"
+    ]
+  },
+  {
+    "id": "sec-gitleaks-redacted-command-pass",
+    "preset": "security",
+    "kind": "command",
+    "description": "Redacted gitleaks scans should not be mistaken for leaked secret material.",
+    "content": "gitleaks detect --redact --no-git -r reports/gitleaks.json",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "secret-material",
+      "blocked-command-chmod-r-777",
+      "custom-insecure-tls-disabled"
+    ]
+  },
+  {
+    "id": "node-next-lint-command-pass",
+    "preset": "node",
+    "kind": "command",
+    "description": "Next.js workspace lint commands should stay quiet around node publish and install-script checks.",
+    "content": "npm run lint --workspace apps/next-web -- --max-warnings=0",
+    "expectedVerdict": "pass",
+    "weight": 2,
+    "expectedRuleIds": [],
+    "absentRuleIds": [
+      "blocked-command-npm-publish-force",
+      "custom-node-install-script-change",
+      "custom-node-env-production-change"
+    ]
   }
 ]

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "memento-mori-jester",
-  "version": "0.1.81",
+  "version": "0.1.82",
   "description": "A local court-jester sidecar for AI coding agents: review plans, commands, diffs, and final claims before they get too pleased with themselves.",
   "type": "module",
   "repository": {

package/scripts/check-production-readiness.mjs

@@ -61,6 +61,7 @@ for (const path of [
   "docs/RELEASE.md",
   "docs/TRUSTED_PUBLISHING.md",
   "docs/PRODUCTION_READINESS.md",
+  "docs/FRAMEWORK_TUNING.md",
   "docs/MAINTAINER_TRIAGE.md",
   `docs/RELEASE_NOTES_${tag}.md`,
   "action.yml",
@@ -99,6 +100,7 @@ requireText("README.md", /MAINTAINER_TRIAGE\.md/, "maintainer triage guide link"
 requireText("README.md", /fixtures:check/, "fixture authoring check guidance");
 requireText("README.md", /fixtures:report/, "fixture coverage report guidance");
 requireText("README.md", /fixtures:report -- --markdown/, "Markdown fixture report guidance");
+requireText("README.md", /FRAMEWORK_TUNING\.md/, "framework tuning guide link");
 requireText("README.md", /License: PolyForm Noncommercial/, "the noncommercial license badge");
 requireText("docs/PRODUCTION_READINESS.md", /npm package/i, "npm package readiness");
 requireText("docs/PRODUCTION_READINESS.md", /GitHub Action/i, "GitHub Action readiness");
@@ -115,6 +117,11 @@ requireText("docs/PRODUCTION_READINESS.md", /fixtures:report -- --markdown/, "Ma
 requireText("docs/PRODUCTION_READINESS.md", /quiet-pass/, "quiet-pass fixture readiness");
 requireText("docs/CLI.md", /jester doctor --json/, "doctor JSON CLI docs");
 requireText("docs/CLI.md", /quiet-pass fixture/, "quiet-pass fixture CLI docs");
+requireText("docs/CLI.md", /FRAMEWORK_TUNING\.md/, "framework tuning CLI link");
+requireText("docs/FRAMEWORK_TUNING.md", /Next\.js/, "Next.js framework tuning example");
+requireText("docs/FRAMEWORK_TUNING.md", /FastAPI/, "FastAPI framework tuning example");
+requireText("docs/FRAMEWORK_TUNING.md", /Terraform/, "Terraform framework tuning example");
+requireText("docs/FRAMEWORK_TUNING.md", /jester tune <rule-id> --json/, "framework tuning command guidance");
 requireText("docs/MAINTAINER_TRIAGE.md", /doctor --json/, "doctor JSON triage prompt");
 requireText("docs/MAINTAINER_TRIAGE.md", /tune <rule-id> --json/, "tune JSON triage prompt");
 requireText("docs/MAINTAINER_TRIAGE.md", /preset-review-cases\.json/, "fixture suite link");