memento-mori-jester 0.1.82 → 0.1.83

package/CHANGELOG.md

@@ -4,6 +4,12 @@ All notable changes to Memento Mori Jester are tracked here.
 
 ## Unreleased
 
+## 0.1.83
+
+- Added `examples/tuning/framework-tuning-cookbook.json`, a small checked cookbook that maps framework-shaped noisy-rule reports to exact `jester tune <rule> --json` commands and fixture IDs.
+- Added `examples/tuning/README.md` and linked it from README, CLI docs, getting-started docs, demo docs, and the framework tuning guide.
+- Added `npm run framework:tuning:check` and wired it into `npm test` and production-readiness checks so cookbook recipes stay aligned with docs and fixtures.
+
 ## 0.1.82
 
 - Added six real-world quiet-pass fixtures for FastAPI dependency injection, frozen `uv` syncs, docs-only Terraform and Helm guidance, redacted Gitleaks scans, and Next.js workspace linting.

package/README.md

@@ -315,7 +315,7 @@ jester tune coverage --json
 
 `jester tune coverage` shows the fixture support and confidence signal for every rule, including suggested next actions such as adding coverage, reviewing surprise matches, checking quiet-pass boundaries, or leaving a healthy signal alone.
 
-For stack-shaped noise, see [Framework Tuning Examples](docs/FRAMEWORK_TUNING.md). It maps common Next.js, Vite React, FastAPI, Terraform/Kubernetes, security-scan, and AI/MCP false-positive reports to the `jester tune <rule>` command and fixture IDs worth checking first.
+For stack-shaped noise, see [Framework Tuning Examples](docs/FRAMEWORK_TUNING.md). It maps common Next.js, Vite React, FastAPI, Terraform/Kubernetes, security-scan, and AI/MCP false-positive reports to the `jester tune <rule>` command and fixture IDs worth checking first. The checked [framework tuning cookbook](examples/tuning) turns those rows into copy-paste recipes and a machine-readable JSON file.
 
 Disable a noisy rule by adding its id to `disabledRules` in `jester.config.json`:
 
@@ -429,6 +429,7 @@ More setup examples:
 - [MCP Tool Reference](docs/MCP_TOOLS.md)
 - [GitHub Actions](docs/GITHUB_ACTIONS.md)
 - [Framework Tuning Examples](docs/FRAMEWORK_TUNING.md)
+- [Framework Tuning Cookbook](examples/tuning)
 - [Demo Script](docs/DEMO.md)
 - [Promo Share Kit](promo)
 - [Examples](examples)

package/ROADMAP.md

@@ -6,6 +6,7 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 
 ## Recently Shipped
 
+- Framework tuning cookbook in v0.1.83, adding checked copy-paste recipes and a machine-readable JSON map for stack-shaped noisy-rule reports.
 - Framework tuning examples and quiet-pass fixture curation in v0.1.82, adding six safe real-world examples plus a guide for framework-shaped noisy-rule reports.
 - Repo-local landing page in v0.1.81, adding a static one-page share surface plus deterministic link checks.
 - Social preview card in v0.1.80, adding a deterministic 1200x630 promo card plus generation and freshness checks.
@@ -71,8 +72,8 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 
 ## Product Ideas
 
-- Collect real-world reports for the next lowest-count preset slices now highlighted by `fixtures:report`.
-- Add a small fixture issue template checklist that asks for the nearest framework tuning example and redacted `jester tune <rule-id> --json` output.
+- Collect real-world reports and fold the strongest redacted cases into more framework tuning cookbook recipes.
+- Add a small fixture issue template checklist that asks for the nearest framework tuning cookbook recipe and redacted `jester tune <rule-id> --json` output.
 - Add a hosted-page option or GitHub Pages instructions once the static page has settled.
 
 ## Quality And Safety

package/docs/CLI.md

@@ -158,7 +158,7 @@ Use `jester tune <id>` when the question is practical: should this noisy rule be
 
 When filing a false-positive issue, include redacted `jester summary` output and `jester tune <rule-id> --json` output when possible.
 
-For stack-shaped reports, see [Framework Tuning Examples](FRAMEWORK_TUNING.md). It points common Next.js, Vite React, FastAPI, Terraform/Kubernetes, security-scan, and AI/MCP noisy-rule reports at the relevant `jester tune <rule-id>` command and fixture IDs.
+For stack-shaped reports, see [Framework Tuning Examples](FRAMEWORK_TUNING.md). It points common Next.js, Vite React, FastAPI, Terraform/Kubernetes, security-scan, and AI/MCP noisy-rule reports at the relevant `jester tune <rule-id>` command and fixture IDs. The checked [framework tuning cookbook](../examples/tuning) keeps copy-paste recipes and fixture IDs in one machine-readable place.
 
 Use `jester tune coverage` when maintaining the rule set. It ranks every rule by fixture support and confidence, shows expected vs unexpected fixture weight, and suggests the next maintenance action for each rule.
 

package/docs/DEMO.md

@@ -373,6 +373,20 @@ Maintainers can run `npm run fixtures:report` to see coverage by verdict, kind,
 
 Maintainers can use `docs/MAINTAINER_TRIAGE.md` to turn useful false-positive reports into redacted fixture cases.
 
-## 14. Framework CI Examples
+## 14. Framework Tuning Cookbook
+
+For real repos with stack-shaped noisy rules, use [docs/FRAMEWORK_TUNING.md](FRAMEWORK_TUNING.md) and the checked cookbook in [examples/tuning](../examples/tuning).
+
+The cookbook maps recipe IDs such as `next-vite-public-config`, `terraform-kubernetes-docs-only`, and `ai-mcp-tooling` to the exact `jester tune <rule-id> --json` commands and fixture IDs worth comparing first.
+
+Maintainers can run:
+
+```powershell
+npm.cmd run framework:tuning:check
+```
+
+That validates [framework-tuning-cookbook.json](../examples/tuning/framework-tuning-cookbook.json) against this guide, the cookbook README, and `examples/fixtures/preset-review-cases.json`.
+
+## 15. Framework CI Examples
 
 The workflow examples in `examples/ci` show copy-paste GitHub Actions setups for Next.js, Vite React, Express API, FastAPI, Terraform/Kubernetes, and AI MCP repos. Each workflow uploads SARIF and writes the readable Jester job summary.

package/docs/FRAMEWORK_TUNING.md

@@ -2,6 +2,8 @@
 
 Use this when a rule is noisy in a real project and you want the smallest evidence-backed next step before muting it.
 
+For copy-pasteable recipes, see [examples/tuning](../examples/tuning). The machine-readable cookbook is [framework-tuning-cookbook.json](../examples/tuning/framework-tuning-cookbook.json), and `npm run framework:tuning:check` keeps it aligned with this guide and the fixture suite.
+
 Start with the rule that actually fired:
 
 ```powershell
@@ -11,13 +13,13 @@ jester tune <rule-id> --json
 
 Then compare the output with the nearest fixture-backed examples below. If your case is closer to the safe examples than the risky examples, add a redacted fixture before changing a rule.
 
-| Stack | Common noisy rule | Useful tune command | Safe fixture examples |
-| --- | --- | --- | --- |
-| Next.js / Vite React | Public but non-secret frontend names or harmless workspace commands | `jester tune custom-web-public-secret-name --json` or `jester tune custom-node-install-script-change --json` | `web-public-analytics-env-command-pass`, `node-next-lint-command-pass` |
-| FastAPI / Python | Typed dependency injection, schema parsing, or locked dependency sync being confused with dynamic execution | `jester tune custom-python-eval-exec --json` or `jester tune custom-python-pickle-load --json` | `python-fastapi-dependency-diff-pass`, `python-pydantic-parse-diff-pass`, `python-uv-sync-frozen-command-pass` |
-| Terraform / Kubernetes / Helm | Docs-only infrastructure guidance mentioning sensitive tool names | `jester tune risky-domain --json` or `jester tune configured-sensitive-domain-terraform --json` | `infra-terraform-plan-docs-pass`, `infra-helm-values-docs-pass`, `infra-kubectl-describe-command-pass` |
-| Security scanning | Redacted scanner output or SBOM/report generation being confused with secret material | `jester tune secret-material --json` or `jester tune custom-insecure-tls-disabled --json` | `sec-gitleaks-redacted-command-pass`, `sec-sbom-command-pass`, `sec-vulnerability-report-docs-pass` |
-| AI / MCP tools | Static allowlists, model checks, or public model names being confused with unsafe tool dispatch or provider keys | `jester tune custom-ai-user-controlled-tool-dispatch --json` or `jester tune custom-ai-public-provider-key --json` | `ai-tool-registry-allowlist-diff-pass`, `ai-model-regression-command-pass`, `ai-public-model-env-diff-pass` |
+| Cookbook recipe | Stack | Common noisy rule | Useful tune command | Safe fixture examples |
+| --- | --- | --- | --- | --- |
+| `next-vite-public-config` | Next.js / Vite React | Public but non-secret frontend names or harmless workspace commands | `jester tune custom-web-public-secret-name --json` or `jester tune custom-node-install-script-change --json` | `web-public-analytics-env-command-pass`, `node-next-lint-command-pass` |
+| `fastapi-python-execution-boundary` | FastAPI / Python | Typed dependency injection, schema parsing, or locked dependency sync being confused with dynamic execution | `jester tune custom-python-eval-exec --json` or `jester tune custom-python-pickle-load --json` | `python-fastapi-dependency-diff-pass`, `python-pydantic-parse-diff-pass`, `python-uv-sync-frozen-command-pass` |
+| `terraform-kubernetes-docs-only` | Terraform / Kubernetes / Helm | Docs-only infrastructure guidance mentioning sensitive tool names | `jester tune risky-domain --json` or `jester tune configured-sensitive-domain-terraform --json` | `infra-terraform-plan-docs-pass`, `infra-helm-values-docs-pass`, `infra-kubectl-describe-command-pass` |
+| `security-scan-reporting` | Security scanning | Redacted scanner output or SBOM/report generation being confused with secret material | `jester tune secret-material --json` or `jester tune custom-insecure-tls-disabled --json` | `sec-gitleaks-redacted-command-pass`, `sec-sbom-command-pass`, `sec-vulnerability-report-docs-pass` |
+| `ai-mcp-tooling` | AI / MCP tools | Static allowlists, model checks, or public model names being confused with unsafe tool dispatch or provider keys | `jester tune custom-ai-user-controlled-tool-dispatch --json` or `jester tune custom-ai-public-provider-key --json` | `ai-tool-registry-allowlist-diff-pass`, `ai-model-regression-command-pass`, `ai-public-model-env-diff-pass` |
 
 ## What To Do With The Result
 

package/docs/GETTING_STARTED.md

@@ -106,7 +106,7 @@ npx -y memento-mori-jester@latest bootstrap --preset node
 
 Then tell them to open `MEMENTO_MORI.md`.
 
-For copy-paste agent and hook examples, see [examples](../examples). For stack-specific config examples, see [preset example packs](../examples/presets) for Next.js, Vite React, Express API, FastAPI, Terraform/Kubernetes, and AI MCP repos. For copy-paste CI workflows, see [framework CI examples](../examples/ci). For concrete pass, caution, and block cases, see [review fixtures](../examples/fixtures). For stack-shaped noisy-rule reports, see [framework tuning examples](FRAMEWORK_TUNING.md).
+For copy-paste agent and hook examples, see [examples](../examples). For stack-specific config examples, see [preset example packs](../examples/presets) for Next.js, Vite React, Express API, FastAPI, Terraform/Kubernetes, and AI MCP repos. For copy-paste CI workflows, see [framework CI examples](../examples/ci). For concrete pass, caution, and block cases, see [review fixtures](../examples/fixtures). For stack-shaped noisy-rule reports, see [framework tuning examples](FRAMEWORK_TUNING.md) and the checked [framework tuning cookbook](../examples/tuning).
 
 ## Need Help?
 

package/docs/PRODUCTION_READINESS.md

@@ -52,12 +52,13 @@ This checklist defines what "production grade" means for Memento Mori Jester rig
 - Package metadata points bug reports at the GitHub issues page.
 - `jester doctor --json`, `jester config validate`, and `jester rules` are the first troubleshooting commands.
 - `jester tune`, `jester tune coverage`, and the fixture suite give maintainers a way to inspect noisy rules before changing defaults.
-- [FRAMEWORK_TUNING.md](FRAMEWORK_TUNING.md) maps common stack-specific false-positive reports to the relevant `jester tune <rule-id>` evidence and fixture IDs.
+- [FRAMEWORK_TUNING.md](FRAMEWORK_TUNING.md) maps common stack-specific false-positive reports to the relevant `jester tune <rule-id>` evidence and fixture IDs, while [examples/tuning](../examples/tuning) provides checked copy-paste recipes.
 - GitHub issue templates collect bug reports, false-positive reports, and feature requests with the diagnostic context maintainers need.
 - `SECURITY.md` routes vulnerability reports away from public issues and asks for redacted diagnostics.
 - `docs/MAINTAINER_TRIAGE.md` explains how to turn useful false-positive reports into fixture coverage before changing rule logic.
 - `npm run fixtures:check` validates fixture IDs, metadata, unsafe-looking content, duplicate content, and explicit expected/absent rule intent.
 - `npm run fixtures:report` shows fixture coverage by rule, rule family, preset slice, kind, verdict, quiet-pass rule boundaries, and feasible pass-case gaps so maintainers can pick the next fixture target; `npm run fixtures:report -- --markdown` produces a paste-ready maintainer snapshot.
+- `npm run framework:tuning:check` keeps the framework tuning guide, cookbook JSON, cookbook README, and fixture IDs aligned.
 - `npm run promo:card` regenerates the deterministic social preview card, and `npm run promo:check` verifies current repo-local promo assets against the current fixture evidence before maintainers post or refresh the demo.
 - `npm run site:check` verifies the static landing page before maintainers post or host it.
 - npm publish has a manual workflow fallback, but the normal release path is tag-driven trusted publishing.
@@ -75,6 +76,7 @@ This checklist defines what "production grade" means for Memento Mori Jester rig
 - maintainer triage docs exist and link noisy-rule reports back to fixture coverage.
 - fixture authoring checks are wired into `npm test`.
 - fixture coverage reports are wired into `npm test`.
+- framework tuning cookbook checks are wired into `npm test`.
 - promo freshness checks are wired into `npm test`.
 - site checks are wired into `npm test`.
 

package/docs/RELEASE.md

@@ -12,6 +12,7 @@ npm.cmd run fixtures:check
 npm.cmd run fixtures:report
 npm.cmd run fixtures:report -- --json
 npm.cmd run fixtures:report -- --markdown
+npm.cmd run framework:tuning:check
 npm.cmd run promo:card:check
 npm.cmd run promo:check
 npm.cmd run site:check
@@ -24,7 +25,7 @@ Move the current changelog bullets into a matching version section and add `docs
 ## 2. Tag And Push
 
 ```powershell
-git add package.json package-lock.json CHANGELOG.md docs/RELEASE_NOTES_v0.1.x.md docs/PRODUCTION_READINESS.md docs/MAINTAINER_TRIAGE.md SECURITY.md .github/ISSUE_TEMPLATE
+git add package.json package-lock.json CHANGELOG.md docs/RELEASE_NOTES_v0.1.x.md docs/PRODUCTION_READINESS.md docs/MAINTAINER_TRIAGE.md docs/FRAMEWORK_TUNING.md examples/tuning scripts/check-framework-tuning.mjs SECURITY.md .github/ISSUE_TEMPLATE
 git commit -m "Release v0.1.x"
 git tag -a v0.1.x -m "Memento Mori Jester v0.1.x"
 git push origin main

package/docs/RELEASE_NOTES_v0.1.83.md

@@ -0,0 +1,54 @@
+# Memento Mori Jester v0.1.83
+
+## Summary
+
+This release makes the framework tuning guide easier to execute from real repos. It adds a tiny checked cookbook that maps common stack-shaped noisy-rule reports to exact `jester tune <rule-id> --json` commands and fixture IDs.
+
+## What Changed
+
+- Added `examples/tuning/framework-tuning-cookbook.json`.
+- Added `examples/tuning/README.md` with copy-paste recipes for:
+  - Next.js / Vite React,
+  - FastAPI / Python,
+  - Terraform / Kubernetes / Helm,
+  - security scanning,
+  - AI / MCP tools.
+- Added `npm run framework:tuning:check`.
+- Wired the cookbook checker into `npm test` and production-readiness checks.
+- Linked the cookbook from README, CLI docs, getting-started docs, demo docs, release docs, production-readiness docs, and `docs/FRAMEWORK_TUNING.md`.
+
+## Public Interface
+
+- No CLI command changes.
+- No MCP tool changes.
+- No config schema changes.
+- No review rule, scoring, matching, or verdict behavior changes.
+- No GitHub Action or release workflow changes.
+- Fixture count remains `222`; this release adds checked cookbook assets, not new review cases.
+
+## Release Validation
+
+```powershell
+npm.cmd test
+npm.cmd run demo:svg:check
+npm.cmd run promo:card:check
+npm.cmd run promo:check
+npm.cmd run framework:tuning:check
+npm.cmd run fixtures:report
+npm.cmd run fixtures:report -- --json
+npm.cmd run fixtures:report -- --markdown
+npm.cmd run site:check
+npm.cmd run pack:dry
+git diff --check
+node .\dist\cli.js tune coverage --no-config
+git diff | node .\dist\cli.js diff --fail-on block --subject "v0.1.83 framework tuning cookbook"
+```
+
+Expected:
+
+- `framework:tuning:check` passes for five recipes,
+- fixture report still shows `Fixtures: 222`,
+- no thin rule coverage,
+- no preset/kind gaps,
+- no rules without quiet-pass coverage,
+- GitHub Release and npm Publish complete from the `v0.1.83` tag.

package/examples/tuning/README.md

@@ -0,0 +1,23 @@
+# Framework Tuning Cookbook
+
+These small recipes pair the [Framework Tuning Examples](../../docs/FRAMEWORK_TUNING.md) guide with checked, fixture-backed commands. Use them when a real repo reports a noisy rule and you want the smallest evidence-backed next step before changing config.
+
+The machine-readable source is [framework-tuning-cookbook.json](framework-tuning-cookbook.json). It is checked by `npm run framework:tuning:check`, so recipe commands and fixture IDs stay aligned with the public guide and fixture suite.
+
+## Recipes
+
+| Recipe | Stack | Preset | Tune commands | Fixture examples |
+| --- | --- | --- | --- | --- |
+| `next-vite-public-config` | Next.js / Vite React | `web` | `jester tune custom-web-public-secret-name --json`; `jester tune custom-node-install-script-change --json` | `web-public-analytics-env-command-pass`, `node-next-lint-command-pass` |
+| `fastapi-python-execution-boundary` | FastAPI / Python | `python` | `jester tune custom-python-eval-exec --json`; `jester tune custom-python-pickle-load --json` | `python-fastapi-dependency-diff-pass`, `python-pydantic-parse-diff-pass`, `python-uv-sync-frozen-command-pass` |
+| `terraform-kubernetes-docs-only` | Terraform / Kubernetes / Helm | `infra` | `jester tune risky-domain --json`; `jester tune configured-sensitive-domain-terraform --json` | `infra-terraform-plan-docs-pass`, `infra-helm-values-docs-pass`, `infra-kubectl-describe-command-pass` |
+| `security-scan-reporting` | Security scanning | `security` | `jester tune secret-material --json`; `jester tune custom-insecure-tls-disabled --json` | `sec-gitleaks-redacted-command-pass`, `sec-sbom-command-pass`, `sec-vulnerability-report-docs-pass` |
+| `ai-mcp-tooling` | AI / MCP tools | `ai` | `jester tune custom-ai-user-controlled-tool-dispatch --json`; `jester tune custom-ai-public-provider-key --json` | `ai-tool-registry-allowlist-diff-pass`, `ai-model-regression-command-pass`, `ai-public-model-env-diff-pass` |
+
+## How To Use A Recipe
+
+1. Run `jester summary --kind <command|plan|diff|final> "<redacted minimal input>"` and copy the rule id that fired.
+2. Run the nearest recipe command, such as `jester tune custom-ai-user-controlled-tool-dispatch --json`.
+3. Compare `fixtureEvidence.quietPassFixtures` and sample fixture descriptions with the local hit.
+4. If the local case is safe but missing from the fixture suite, add a redacted pass fixture before loosening a rule.
+5. If the local case includes a real secret, destructive command, broad permission, skipped eval, or user-controlled execution path, fix the change instead of muting the rule.

package/examples/tuning/framework-tuning-cookbook.json

@@ -0,0 +1,96 @@
+[
+  {
+    "id": "next-vite-public-config",
+    "stack": "Next.js / Vite React",
+    "preset": "web",
+    "when": "Public-but-non-secret frontend names or harmless workspace commands look similar to browser secret or install-script risks.",
+    "commands": [
+      "jester tune custom-web-public-secret-name --json",
+      "jester tune custom-node-install-script-change --json"
+    ],
+    "fixtures": [
+      "web-public-analytics-env-command-pass",
+      "node-next-lint-command-pass"
+    ],
+    "next": [
+      "Compare fixtureEvidence.quietPassFixtures with the redacted local hit.",
+      "Prefer a local disabledRules entry only after repeated harmless hits in the same repo."
+    ]
+  },
+  {
+    "id": "fastapi-python-execution-boundary",
+    "stack": "FastAPI / Python",
+    "preset": "python",
+    "when": "Typed dependency injection, schema parsing, or locked dependency sync is mistaken for dynamic execution or unsafe deserialization.",
+    "commands": [
+      "jester tune custom-python-eval-exec --json",
+      "jester tune custom-python-pickle-load --json"
+    ],
+    "fixtures": [
+      "python-fastapi-dependency-diff-pass",
+      "python-pydantic-parse-diff-pass",
+      "python-uv-sync-frozen-command-pass"
+    ],
+    "next": [
+      "Compare the local change with the safe FastAPI and Pydantic fixture descriptions first.",
+      "Add a redacted pass fixture before loosening Python execution or pickle-shaped rules."
+    ]
+  },
+  {
+    "id": "terraform-kubernetes-docs-only",
+    "stack": "Terraform / Kubernetes / Helm",
+    "preset": "infra",
+    "when": "Docs-only infrastructure guidance mentions Terraform, Helm, or other sensitive infra words without changing deploy behavior.",
+    "commands": [
+      "jester tune risky-domain --json",
+      "jester tune configured-sensitive-domain-terraform --json"
+    ],
+    "fixtures": [
+      "infra-terraform-plan-docs-pass",
+      "infra-helm-values-docs-pass",
+      "infra-kubectl-describe-command-pass"
+    ],
+    "next": [
+      "Check that the local hit is documentation-only before muting broad sensitive-domain noise.",
+      "Keep destructive command, IAM widening, public exposure, and deploy-changing rules active."
+    ]
+  },
+  {
+    "id": "security-scan-reporting",
+    "stack": "Security scanning",
+    "preset": "security",
+    "when": "Redacted scanner output, SBOM generation, or reporting docs look like exposed secret material or skipped verification.",
+    "commands": [
+      "jester tune secret-material --json",
+      "jester tune custom-insecure-tls-disabled --json"
+    ],
+    "fixtures": [
+      "sec-gitleaks-redacted-command-pass",
+      "sec-sbom-command-pass",
+      "sec-vulnerability-report-docs-pass"
+    ],
+    "next": [
+      "Verify the report uses placeholders or scanner-generated summaries rather than live tokens.",
+      "If a real credential appears, rotate it and treat the Jester hit as correct."
+    ]
+  },
+  {
+    "id": "ai-mcp-tooling",
+    "stack": "AI / MCP tools",
+    "preset": "ai",
+    "when": "Static allowlists, model checks, or public model names are mistaken for unsafe tool dispatch, skipped evals, or provider keys.",
+    "commands": [
+      "jester tune custom-ai-user-controlled-tool-dispatch --json",
+      "jester tune custom-ai-public-provider-key --json"
+    ],
+    "fixtures": [
+      "ai-tool-registry-allowlist-diff-pass",
+      "ai-model-regression-command-pass",
+      "ai-public-model-env-diff-pass"
+    ],
+    "next": [
+      "Compare the local tool path with the allowlist fixture before changing an AI preset rule.",
+      "Keep concrete model-output execution and client-exposed provider-key hits treated as dangerous."
+    ]
+  }
+]

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "memento-mori-jester",
-  "version": "0.1.82",
+  "version": "0.1.83",
   "description": "A local court-jester sidecar for AI coding agents: review plans, commands, diffs, and final claims before they get too pleased with themselves.",
   "type": "module",
   "repository": {
@@ -40,12 +40,13 @@
     "build": "tsc -p tsconfig.json",
     "start": "node dist/server.js",
     "start:mcp": "node dist/server.js",
-    "test": "npm run build && node scripts/run-tests.mjs && npm run fixtures:check && npm run fixtures:report && npm run promo:check && npm run site:check && npm run production:check",
+    "test": "npm run build && node scripts/run-tests.mjs && npm run fixtures:check && npm run fixtures:report && npm run framework:tuning:check && npm run promo:check && npm run site:check && npm run production:check",
     "doctor": "node dist/cli.js doctor",
     "demo:svg": "node scripts/render-demo-svg.mjs",
     "demo:svg:check": "node scripts/render-demo-svg.mjs --check",
     "fixtures:check": "node scripts/check-fixtures.mjs",
     "fixtures:report": "node scripts/report-fixtures.mjs",
+    "framework:tuning:check": "node scripts/check-framework-tuning.mjs",
     "promo:card": "node scripts/render-social-card.mjs",
     "promo:card:check": "node scripts/render-social-card.mjs --check",
     "promo:check": "node scripts/check-promo-freshness.mjs",

package/scripts/check-framework-tuning.mjs

@@ -0,0 +1,214 @@
+#!/usr/bin/env node
+import { readFileSync } from "node:fs";
+import { join } from "node:path";
+
+const root = process.cwd();
+const cookbookPath = "examples/tuning/framework-tuning-cookbook.json";
+const cookbookReadmePath = "examples/tuning/README.md";
+const guidePath = "docs/FRAMEWORK_TUNING.md";
+const fixturesPath = "examples/fixtures/preset-review-cases.json";
+const failures = [];
+
+const allowedPresets = new Set(["default", "node", "python", "web", "api", "infra", "ai", "security"]);
+const unsafeContentPatterns = [
+  { name: "private key block", pattern: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
+  { name: "OpenAI-looking secret key", pattern: /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b/ },
+  { name: "Anthropic-looking secret key", pattern: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/ },
+  { name: "GitHub-looking token", pattern: /\bgh[pousr]_[A-Za-z0-9_]{20,}\b/ },
+  { name: "AWS access key id", pattern: /\bAKIA[0-9A-Z]{16}\b/ },
+  { name: "Slack-looking token", pattern: /\bxox[baprs]-[A-Za-z0-9-]{20,}\b/ },
+  { name: "absolute Unix home path", pattern: /(?:^|[\s"'`])\/(?:Users|home)\/[A-Za-z0-9._-]+/ },
+  { name: "absolute Windows user path", pattern: /[A-Za-z]:\\Users\\[A-Za-z0-9._-]+\\/ }
+];
+
+function read(path) {
+  return readFileSync(join(root, path), "utf8");
+}
+
+function readJson(path) {
+  return JSON.parse(read(path));
+}
+
+function checkString(value, label, options = {}) {
+  if (typeof value !== "string" || value.trim().length === 0) {
+    failures.push(`${label} should be a non-empty string.`);
+    return;
+  }
+
+  if (options.kebab && !/^[a-z0-9]+(?:-[a-z0-9]+)*$/.test(value)) {
+    failures.push(`${label} should use stable kebab-case.`);
+  }
+
+  if (options.minLength && value.trim().length < options.minLength) {
+    failures.push(`${label} should be at least ${options.minLength} characters.`);
+  }
+}
+
+function checkStringArray(value, label, options = {}) {
+  if (!Array.isArray(value) || value.length === 0) {
+    failures.push(`${label} should be a non-empty array.`);
+    return [];
+  }
+
+  const seen = new Set();
+  for (const [index, item] of value.entries()) {
+    if (typeof item !== "string" || item.trim().length === 0) {
+      failures.push(`${label}[${index}] should be a non-empty string.`);
+      continue;
+    }
+
+    if (seen.has(item)) {
+      failures.push(`${label} repeats ${item}.`);
+    }
+    seen.add(item);
+
+    if (options.pattern && !options.pattern.test(item)) {
+      failures.push(`${label}[${index}] should match ${options.description}. Saw ${item}.`);
+    }
+  }
+
+  return value.filter((item) => typeof item === "string" && item.trim().length > 0);
+}
+
+function requireIncludes(content, file, value, description) {
+  if (!content.includes(value)) {
+    failures.push(`${file} should include ${description}: ${value}`);
+  }
+}
+
+let cookbook;
+let fixtures;
+try {
+  cookbook = readJson(cookbookPath);
+  fixtures = readJson(fixturesPath);
+} catch (error) {
+  console.error(`Could not parse framework tuning inputs: ${error instanceof Error ? error.message : String(error)}`);
+  process.exit(1);
+}
+
+const cookbookRaw = read(cookbookPath);
+const cookbookReadme = read(cookbookReadmePath);
+const frameworkGuide = read(guidePath);
+
+for (const [file, content] of [
+  [cookbookPath, cookbookRaw],
+  [cookbookReadmePath, cookbookReadme],
+  [guidePath, frameworkGuide]
+]) {
+  for (const unsafe of unsafeContentPatterns) {
+    if (unsafe.pattern.test(content)) {
+      failures.push(`${file} appears to contain ${unsafe.name}; tuning examples should stay public and redacted.`);
+    }
+  }
+}
+
+if (!Array.isArray(cookbook)) {
+  failures.push(`${cookbookPath} should contain a JSON array.`);
+} else if (cookbook.length < 5) {
+  failures.push(`${cookbookPath} should contain at least five framework recipes.`);
+}
+
+if (!Array.isArray(fixtures)) {
+  failures.push(`${fixturesPath} should contain a JSON array.`);
+  fixtures = [];
+}
+
+const fixtureIds = new Set();
+const fixtureRuleIds = new Set();
+for (const fixture of fixtures) {
+  if (typeof fixture?.id === "string") {
+    fixtureIds.add(fixture.id);
+  }
+  for (const field of ["expectedRuleIds", "absentRuleIds"]) {
+    if (Array.isArray(fixture?.[field])) {
+      for (const ruleId of fixture[field]) {
+        if (typeof ruleId === "string") {
+          fixtureRuleIds.add(ruleId);
+        }
+      }
+    }
+  }
+}
+
+requireIncludes(frameworkGuide, guidePath, "framework-tuning-cookbook.json", "the cookbook JSON link");
+requireIncludes(frameworkGuide, guidePath, "examples/tuning", "the tuning examples link");
+requireIncludes(cookbookReadme, cookbookReadmePath, "framework-tuning-cookbook.json", "the cookbook JSON link");
+requireIncludes(cookbookReadme, cookbookReadmePath, "npm run framework:tuning:check", "the checker command");
+
+const ids = new Set();
+const commandPattern = /^jester tune ([a-z0-9]+(?:-[a-z0-9]+)*) --json$/;
+
+for (const [index, recipe] of (Array.isArray(cookbook) ? cookbook : []).entries()) {
+  const label = typeof recipe?.id === "string" ? recipe.id : `recipe[${index}]`;
+
+  if (!recipe || typeof recipe !== "object" || Array.isArray(recipe)) {
+    failures.push(`${label} should be an object.`);
+    continue;
+  }
+
+  checkString(recipe.id, `${label}.id`, { kebab: true });
+  checkString(recipe.stack, `${label}.stack`);
+  checkString(recipe.preset, `${label}.preset`);
+  checkString(recipe.when, `${label}.when`, { minLength: 40 });
+
+  if (typeof recipe.id === "string") {
+    if (ids.has(recipe.id)) {
+      failures.push(`${label}.id is duplicated.`);
+    }
+    ids.add(recipe.id);
+  }
+
+  if (!allowedPresets.has(recipe.preset)) {
+    failures.push(`${label}.preset should be one of: ${[...allowedPresets].join(", ")}.`);
+  }
+
+  const commands = checkStringArray(recipe.commands, `${label}.commands`, {
+    pattern: commandPattern,
+    description: "`jester tune <rule-id> --json`"
+  });
+  const fixturesForRecipe = checkStringArray(recipe.fixtures, `${label}.fixtures`, {
+    pattern: /^[a-z0-9]+(?:-[a-z0-9]+)*$/,
+    description: "a kebab-case fixture id"
+  });
+  checkStringArray(recipe.next, `${label}.next`);
+
+  for (const command of commands) {
+    const match = command.match(commandPattern);
+    const ruleId = match?.[1];
+    if (ruleId && !fixtureRuleIds.has(ruleId)) {
+      failures.push(`${label}.commands references ${ruleId}, but no fixture currently names that rule in expectedRuleIds or absentRuleIds.`);
+    }
+
+    requireIncludes(frameworkGuide, guidePath, command, `${label} command`);
+    requireIncludes(cookbookReadme, cookbookReadmePath, command, `${label} command`);
+  }
+
+  for (const fixtureId of fixturesForRecipe) {
+    if (!fixtureIds.has(fixtureId)) {
+      failures.push(`${label}.fixtures references missing fixture ${fixtureId}.`);
+    }
+
+    requireIncludes(frameworkGuide, guidePath, fixtureId, `${label} fixture id`);
+    requireIncludes(cookbookReadme, cookbookReadmePath, fixtureId, `${label} fixture id`);
+  }
+
+  if (typeof recipe.id === "string") {
+    requireIncludes(frameworkGuide, guidePath, recipe.id, `${label} recipe id`);
+    requireIncludes(cookbookReadme, cookbookReadmePath, recipe.id, `${label} recipe id`);
+  }
+
+  if (typeof recipe.stack === "string") {
+    requireIncludes(frameworkGuide, guidePath, recipe.stack, `${label} stack`);
+    requireIncludes(cookbookReadme, cookbookReadmePath, recipe.stack, `${label} stack`);
+  }
+}
+
+if (failures.length > 0) {
+  console.error("Framework tuning check failed:");
+  for (const failure of failures) {
+    console.error(`- ${failure}`);
+  }
+  process.exit(1);
+}
+
+console.log(`Framework tuning check passed for ${Array.isArray(cookbook) ? cookbook.length : 0} recipes.`);

package/scripts/check-production-readiness.mjs

@@ -68,6 +68,7 @@ for (const path of [
   "scripts/check-promo-freshness.mjs",
   "scripts/render-social-card.mjs",
   "scripts/check-site.mjs",
+  "scripts/check-framework-tuning.mjs",
   "scripts/check-fixtures.mjs",
   "scripts/report-fixtures.mjs",
   ".github/ISSUE_TEMPLATE/bug_report.yml",
@@ -81,6 +82,8 @@ for (const path of [
   "examples/github-code-scanning.yml",
   "examples/ci/README.md",
   "examples/presets/README.md",
+  "examples/tuning/README.md",
+  "examples/tuning/framework-tuning-cookbook.json",
   "examples/fixtures/preset-review-cases.json",
   "site/index.html"
 ]) {
@@ -101,6 +104,7 @@ requireText("README.md", /fixtures:check/, "fixture authoring check guidance");
 requireText("README.md", /fixtures:report/, "fixture coverage report guidance");
 requireText("README.md", /fixtures:report -- --markdown/, "Markdown fixture report guidance");
 requireText("README.md", /FRAMEWORK_TUNING\.md/, "framework tuning guide link");
+requireText("README.md", /examples\/tuning/, "framework tuning cookbook link");
 requireText("README.md", /License: PolyForm Noncommercial/, "the noncommercial license badge");
 requireText("docs/PRODUCTION_READINESS.md", /npm package/i, "npm package readiness");
 requireText("docs/PRODUCTION_READINESS.md", /GitHub Action/i, "GitHub Action readiness");
@@ -114,14 +118,17 @@ requireText("docs/PRODUCTION_READINESS.md", /MAINTAINER_TRIAGE\.md/, "maintainer
 requireText("docs/PRODUCTION_READINESS.md", /fixtures:check/, "fixture authoring check readiness");
 requireText("docs/PRODUCTION_READINESS.md", /fixtures:report/, "fixture coverage report readiness");
 requireText("docs/PRODUCTION_READINESS.md", /fixtures:report -- --markdown/, "Markdown fixture report readiness");
+requireText("docs/PRODUCTION_READINESS.md", /framework:tuning:check/, "framework tuning cookbook readiness");
 requireText("docs/PRODUCTION_READINESS.md", /quiet-pass/, "quiet-pass fixture readiness");
 requireText("docs/CLI.md", /jester doctor --json/, "doctor JSON CLI docs");
 requireText("docs/CLI.md", /quiet-pass fixture/, "quiet-pass fixture CLI docs");
 requireText("docs/CLI.md", /FRAMEWORK_TUNING\.md/, "framework tuning CLI link");
+requireText("docs/CLI.md", /examples\/tuning/, "framework tuning cookbook CLI link");
 requireText("docs/FRAMEWORK_TUNING.md", /Next\.js/, "Next.js framework tuning example");
 requireText("docs/FRAMEWORK_TUNING.md", /FastAPI/, "FastAPI framework tuning example");
 requireText("docs/FRAMEWORK_TUNING.md", /Terraform/, "Terraform framework tuning example");
 requireText("docs/FRAMEWORK_TUNING.md", /jester tune <rule-id> --json/, "framework tuning command guidance");
+requireText("docs/FRAMEWORK_TUNING.md", /framework-tuning-cookbook\.json/, "framework tuning cookbook JSON link");
 requireText("docs/MAINTAINER_TRIAGE.md", /doctor --json/, "doctor JSON triage prompt");
 requireText("docs/MAINTAINER_TRIAGE.md", /tune <rule-id> --json/, "tune JSON triage prompt");
 requireText("docs/MAINTAINER_TRIAGE.md", /preset-review-cases\.json/, "fixture suite link");
@@ -132,6 +139,10 @@ requireText("examples/fixtures/README.md", /Adding A Fixture From A Report/, "fi
 requireText("examples/fixtures/README.md", /fixtures:check/, "fixture authoring check guidance");
 requireText("examples/fixtures/README.md", /fixtures:report/, "fixture coverage report guidance");
 requireText("examples/fixtures/README.md", /fixtures:report -- --markdown/, "Markdown fixture report guidance");
+requireText("examples/tuning/README.md", /framework-tuning-cookbook\.json/, "framework tuning cookbook JSON link");
+requireText("examples/tuning/README.md", /jester tune <rule-id> --json|jester tune [a-z0-9-]+ --json/, "framework tuning command guidance");
+requireText("examples/tuning/framework-tuning-cookbook.json", /next-vite-public-config/, "Next/Vite tuning recipe");
+requireText("examples/tuning/framework-tuning-cookbook.json", /ai-mcp-tooling/, "AI/MCP tuning recipe");
 requireText("scripts/check-fixtures.mjs", /duplicated/, "duplicate fixture id check");
 requireText("scripts/check-fixtures.mjs", /unsafeContentPatterns/, "unsafe fixture content checks");
 forbidText("scripts/check-fixtures.mjs", /src\/config\.ts|src\/types\.ts/, "source-only fixture validator dependencies");
@@ -141,14 +152,19 @@ requireText("scripts/report-fixtures.mjs", /quietPassRuleCoverage/, "quiet-pass
 requireText("scripts/report-fixtures.mjs", /presetKindGaps/, "preset and kind gap report");
 requireText("scripts/report-fixtures.mjs", /--markdown/, "Markdown fixture report output");
 forbidText("scripts/report-fixtures.mjs", /src\/config\.ts|src\/types\.ts/, "source-only fixture report dependencies");
+requireText("scripts/check-framework-tuning.mjs", /framework-tuning-cookbook\.json/, "framework tuning cookbook check");
+requireText("scripts/check-framework-tuning.mjs", /preset-review-cases\.json/, "framework tuning fixture alignment");
+requireText("scripts/check-framework-tuning.mjs", /unsafeContentPatterns/, "unsafe tuning content checks");
 requireText("package.json", /"fixtures:check": "node scripts\/check-fixtures\.mjs"/, "fixture authoring check script");
 requireText("package.json", /"fixtures:report": "node scripts\/report-fixtures\.mjs"/, "fixture coverage report script");
+requireText("package.json", /"framework:tuning:check": "node scripts\/check-framework-tuning\.mjs"/, "framework tuning cookbook check script");
 requireText("package.json", /"promo:card": "node scripts\/render-social-card\.mjs"/, "social card render script");
 requireText("package.json", /"promo:card:check": "node scripts\/render-social-card\.mjs --check"/, "social card stale check script");
 requireText("package.json", /"promo:check": "node scripts\/check-promo-freshness\.mjs"/, "promo freshness check script");
 requireText("package.json", /"site:check": "node scripts\/check-site\.mjs"/, "site check script");
 requireText("package.json", /npm run fixtures:check/, "fixture authoring check in npm test");
 requireText("package.json", /npm run fixtures:report/, "fixture coverage report in npm test");
+requireText("package.json", /npm run framework:tuning:check/, "framework tuning cookbook check in npm test");
 requireText("package.json", /npm run promo:check/, "promo freshness check in npm test");
 requireText("package.json", /npm run site:check/, "site check in npm test");
 requireText("scripts/check-promo-freshness.mjs", /--require-package-version/, "optional strict package-version promo check");