memento-mori-jester 0.1.82 → 0.1.84

package/CHANGELOG.md

@@ -4,6 +4,18 @@ All notable changes to Memento Mori Jester are tracked here.
 
 ## Unreleased
 
+## 0.1.84
+
+- Added `npm run framework:tuning:doctor`, a consumer-style smoke check that generates temporary preset configs and runs every cookbook `jester tune <rule-id> --json` command through the built CLI.
+- Wired the tuning doctor into `npm test` and the production-readiness guard.
+- Updated framework tuning docs, cookbook docs, release docs, demo docs, and README guidance for the new doctor check.
+
+## 0.1.83
+
+- Added `examples/tuning/framework-tuning-cookbook.json`, a small checked cookbook that maps framework-shaped noisy-rule reports to exact `jester tune <rule> --json` commands and fixture IDs.
+- Added `examples/tuning/README.md` and linked it from README, CLI docs, getting-started docs, demo docs, and the framework tuning guide.
+- Added `npm run framework:tuning:check` and wired it into `npm test` and production-readiness checks so cookbook recipes stay aligned with docs and fixtures.
+
 ## 0.1.82
 
 - Added six real-world quiet-pass fixtures for FastAPI dependency injection, frozen `uv` syncs, docs-only Terraform and Helm guidance, redacted Gitleaks scans, and Next.js workspace linting.

package/README.md

@@ -315,7 +315,7 @@ jester tune coverage --json
 
 `jester tune coverage` shows the fixture support and confidence signal for every rule, including suggested next actions such as adding coverage, reviewing surprise matches, checking quiet-pass boundaries, or leaving a healthy signal alone.
 
-For stack-shaped noise, see [Framework Tuning Examples](docs/FRAMEWORK_TUNING.md). It maps common Next.js, Vite React, FastAPI, Terraform/Kubernetes, security-scan, and AI/MCP false-positive reports to the `jester tune <rule>` command and fixture IDs worth checking first.
+For stack-shaped noise, see [Framework Tuning Examples](docs/FRAMEWORK_TUNING.md). It maps common Next.js, Vite React, FastAPI, Terraform/Kubernetes, security-scan, and AI/MCP false-positive reports to the `jester tune <rule>` command and fixture IDs worth checking first. The checked [framework tuning cookbook](examples/tuning) turns those rows into copy-paste recipes and a machine-readable JSON file, and `npm run framework:tuning:doctor` proves those recipes execute through the built CLI.
 
 Disable a noisy rule by adding its id to `disabledRules` in `jester.config.json`:
 
@@ -429,6 +429,7 @@ More setup examples:
 - [MCP Tool Reference](docs/MCP_TOOLS.md)
 - [GitHub Actions](docs/GITHUB_ACTIONS.md)
 - [Framework Tuning Examples](docs/FRAMEWORK_TUNING.md)
+- [Framework Tuning Cookbook](examples/tuning)
 - [Demo Script](docs/DEMO.md)
 - [Promo Share Kit](promo)
 - [Examples](examples)

package/ROADMAP.md

@@ -6,6 +6,8 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 
 ## Recently Shipped
 
+- Framework tuning doctor in v0.1.84, proving cookbook recipes execute through the built CLI with generated preset configs before release.
+- Framework tuning cookbook in v0.1.83, adding checked copy-paste recipes and a machine-readable JSON map for stack-shaped noisy-rule reports.
 - Framework tuning examples and quiet-pass fixture curation in v0.1.82, adding six safe real-world examples plus a guide for framework-shaped noisy-rule reports.
 - Repo-local landing page in v0.1.81, adding a static one-page share surface plus deterministic link checks.
 - Social preview card in v0.1.80, adding a deterministic 1200x630 promo card plus generation and freshness checks.
@@ -71,8 +73,8 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 
 ## Product Ideas
 
-- Collect real-world reports for the next lowest-count preset slices now highlighted by `fixtures:report`.
-- Add a small fixture issue template checklist that asks for the nearest framework tuning example and redacted `jester tune <rule-id> --json` output.
+- Collect real-world reports and fold the strongest redacted cases into more framework tuning cookbook recipes.
+- Add a small fixture issue template checklist that asks for the nearest framework tuning cookbook recipe and redacted `jester tune <rule-id> --json` output.
 - Add a hosted-page option or GitHub Pages instructions once the static page has settled.
 
 ## Quality And Safety

package/docs/CLI.md

@@ -158,7 +158,7 @@ Use `jester tune <id>` when the question is practical: should this noisy rule be
 
 When filing a false-positive issue, include redacted `jester summary` output and `jester tune <rule-id> --json` output when possible.
 
-For stack-shaped reports, see [Framework Tuning Examples](FRAMEWORK_TUNING.md). It points common Next.js, Vite React, FastAPI, Terraform/Kubernetes, security-scan, and AI/MCP noisy-rule reports at the relevant `jester tune <rule-id>` command and fixture IDs.
+For stack-shaped reports, see [Framework Tuning Examples](FRAMEWORK_TUNING.md). It points common Next.js, Vite React, FastAPI, Terraform/Kubernetes, security-scan, and AI/MCP noisy-rule reports at the relevant `jester tune <rule-id>` command and fixture IDs. The checked [framework tuning cookbook](../examples/tuning) keeps copy-paste recipes and fixture IDs in one machine-readable place. Maintainers can run `npm run framework:tuning:doctor` to prove every cookbook tune command executes through the built CLI with temporary preset configs.
 
 Use `jester tune coverage` when maintaining the rule set. It ranks every rule by fixture support and confidence, shows expected vs unexpected fixture weight, and suggests the next maintenance action for each rule.
 

package/docs/DEMO.md

@@ -373,6 +373,21 @@ Maintainers can run `npm run fixtures:report` to see coverage by verdict, kind,
 
 Maintainers can use `docs/MAINTAINER_TRIAGE.md` to turn useful false-positive reports into redacted fixture cases.
 
-## 14. Framework CI Examples
+## 14. Framework Tuning Cookbook
+
+For real repos with stack-shaped noisy rules, use [docs/FRAMEWORK_TUNING.md](FRAMEWORK_TUNING.md) and the checked cookbook in [examples/tuning](../examples/tuning).
+
+The cookbook maps recipe IDs such as `next-vite-public-config`, `terraform-kubernetes-docs-only`, and `ai-mcp-tooling` to the exact `jester tune <rule-id> --json` commands and fixture IDs worth comparing first.
+
+Maintainers can run:
+
+```powershell
+npm.cmd run framework:tuning:doctor
+npm.cmd run framework:tuning:check
+```
+
+The doctor runs every cookbook tune command through the built CLI with temporary preset configs. The check validates [framework-tuning-cookbook.json](../examples/tuning/framework-tuning-cookbook.json) against this guide, the cookbook README, and `examples/fixtures/preset-review-cases.json`.
+
+## 15. Framework CI Examples
 
 The workflow examples in `examples/ci` show copy-paste GitHub Actions setups for Next.js, Vite React, Express API, FastAPI, Terraform/Kubernetes, and AI MCP repos. Each workflow uploads SARIF and writes the readable Jester job summary.

package/docs/FRAMEWORK_TUNING.md

@@ -2,6 +2,8 @@
 
 Use this when a rule is noisy in a real project and you want the smallest evidence-backed next step before muting it.
 
+For copy-pasteable recipes, see [examples/tuning](../examples/tuning). The machine-readable cookbook is [framework-tuning-cookbook.json](../examples/tuning/framework-tuning-cookbook.json). `npm run framework:tuning:check` keeps it aligned with this guide and the fixture suite, while `npm run framework:tuning:doctor` runs the cookbook's tune commands through the built CLI with temporary preset configs.
+
 Start with the rule that actually fired:
 
 ```powershell
@@ -11,13 +13,13 @@ jester tune <rule-id> --json
 
 Then compare the output with the nearest fixture-backed examples below. If your case is closer to the safe examples than the risky examples, add a redacted fixture before changing a rule.
 
-| Stack | Common noisy rule | Useful tune command | Safe fixture examples |
-| --- | --- | --- | --- |
-| Next.js / Vite React | Public but non-secret frontend names or harmless workspace commands | `jester tune custom-web-public-secret-name --json` or `jester tune custom-node-install-script-change --json` | `web-public-analytics-env-command-pass`, `node-next-lint-command-pass` |
-| FastAPI / Python | Typed dependency injection, schema parsing, or locked dependency sync being confused with dynamic execution | `jester tune custom-python-eval-exec --json` or `jester tune custom-python-pickle-load --json` | `python-fastapi-dependency-diff-pass`, `python-pydantic-parse-diff-pass`, `python-uv-sync-frozen-command-pass` |
-| Terraform / Kubernetes / Helm | Docs-only infrastructure guidance mentioning sensitive tool names | `jester tune risky-domain --json` or `jester tune configured-sensitive-domain-terraform --json` | `infra-terraform-plan-docs-pass`, `infra-helm-values-docs-pass`, `infra-kubectl-describe-command-pass` |
-| Security scanning | Redacted scanner output or SBOM/report generation being confused with secret material | `jester tune secret-material --json` or `jester tune custom-insecure-tls-disabled --json` | `sec-gitleaks-redacted-command-pass`, `sec-sbom-command-pass`, `sec-vulnerability-report-docs-pass` |
-| AI / MCP tools | Static allowlists, model checks, or public model names being confused with unsafe tool dispatch or provider keys | `jester tune custom-ai-user-controlled-tool-dispatch --json` or `jester tune custom-ai-public-provider-key --json` | `ai-tool-registry-allowlist-diff-pass`, `ai-model-regression-command-pass`, `ai-public-model-env-diff-pass` |
+| Cookbook recipe | Stack | Common noisy rule | Useful tune command | Safe fixture examples |
+| --- | --- | --- | --- | --- |
+| `next-vite-public-config` | Next.js / Vite React | Public but non-secret frontend names or harmless workspace commands | `jester tune custom-web-public-secret-name --json` or `jester tune custom-node-install-script-change --json` | `web-public-analytics-env-command-pass`, `node-next-lint-command-pass` |
+| `fastapi-python-execution-boundary` | FastAPI / Python | Typed dependency injection, schema parsing, or locked dependency sync being confused with dynamic execution | `jester tune custom-python-eval-exec --json` or `jester tune custom-python-pickle-load --json` | `python-fastapi-dependency-diff-pass`, `python-pydantic-parse-diff-pass`, `python-uv-sync-frozen-command-pass` |
+| `terraform-kubernetes-docs-only` | Terraform / Kubernetes / Helm | Docs-only infrastructure guidance mentioning sensitive tool names | `jester tune risky-domain --json` or `jester tune configured-sensitive-domain-terraform --json` | `infra-terraform-plan-docs-pass`, `infra-helm-values-docs-pass`, `infra-kubectl-describe-command-pass` |
+| `security-scan-reporting` | Security scanning | Redacted scanner output or SBOM/report generation being confused with secret material | `jester tune secret-material --json` or `jester tune custom-insecure-tls-disabled --json` | `sec-gitleaks-redacted-command-pass`, `sec-sbom-command-pass`, `sec-vulnerability-report-docs-pass` |
+| `ai-mcp-tooling` | AI / MCP tools | Static allowlists, model checks, or public model names being confused with unsafe tool dispatch or provider keys | `jester tune custom-ai-user-controlled-tool-dispatch --json` or `jester tune custom-ai-public-provider-key --json` | `ai-tool-registry-allowlist-diff-pass`, `ai-model-regression-command-pass`, `ai-public-model-env-diff-pass` |
 
 ## What To Do With The Result
 

package/docs/GETTING_STARTED.md

@@ -106,7 +106,7 @@ npx -y memento-mori-jester@latest bootstrap --preset node
 
 Then tell them to open `MEMENTO_MORI.md`.
 
-For copy-paste agent and hook examples, see [examples](../examples). For stack-specific config examples, see [preset example packs](../examples/presets) for Next.js, Vite React, Express API, FastAPI, Terraform/Kubernetes, and AI MCP repos. For copy-paste CI workflows, see [framework CI examples](../examples/ci). For concrete pass, caution, and block cases, see [review fixtures](../examples/fixtures). For stack-shaped noisy-rule reports, see [framework tuning examples](FRAMEWORK_TUNING.md).
+For copy-paste agent and hook examples, see [examples](../examples). For stack-specific config examples, see [preset example packs](../examples/presets) for Next.js, Vite React, Express API, FastAPI, Terraform/Kubernetes, and AI MCP repos. For copy-paste CI workflows, see [framework CI examples](../examples/ci). For concrete pass, caution, and block cases, see [review fixtures](../examples/fixtures). For stack-shaped noisy-rule reports, see [framework tuning examples](FRAMEWORK_TUNING.md) and the checked [framework tuning cookbook](../examples/tuning).
 
 ## Need Help?
 

package/docs/PRODUCTION_READINESS.md

@@ -52,12 +52,14 @@ This checklist defines what "production grade" means for Memento Mori Jester rig
 - Package metadata points bug reports at the GitHub issues page.
 - `jester doctor --json`, `jester config validate`, and `jester rules` are the first troubleshooting commands.
 - `jester tune`, `jester tune coverage`, and the fixture suite give maintainers a way to inspect noisy rules before changing defaults.
-- [FRAMEWORK_TUNING.md](FRAMEWORK_TUNING.md) maps common stack-specific false-positive reports to the relevant `jester tune <rule-id>` evidence and fixture IDs.
+- [FRAMEWORK_TUNING.md](FRAMEWORK_TUNING.md) maps common stack-specific false-positive reports to the relevant `jester tune <rule-id>` evidence and fixture IDs, while [examples/tuning](../examples/tuning) provides checked copy-paste recipes.
 - GitHub issue templates collect bug reports, false-positive reports, and feature requests with the diagnostic context maintainers need.
 - `SECURITY.md` routes vulnerability reports away from public issues and asks for redacted diagnostics.
 - `docs/MAINTAINER_TRIAGE.md` explains how to turn useful false-positive reports into fixture coverage before changing rule logic.
 - `npm run fixtures:check` validates fixture IDs, metadata, unsafe-looking content, duplicate content, and explicit expected/absent rule intent.
 - `npm run fixtures:report` shows fixture coverage by rule, rule family, preset slice, kind, verdict, quiet-pass rule boundaries, and feasible pass-case gaps so maintainers can pick the next fixture target; `npm run fixtures:report -- --markdown` produces a paste-ready maintainer snapshot.
+- `npm run framework:tuning:check` keeps the framework tuning guide, cookbook JSON, cookbook README, and fixture IDs aligned.
+- `npm run framework:tuning:doctor` runs the cookbook tune commands through the built CLI with temporary preset configs, so package consumers do not inherit stale recipes.
 - `npm run promo:card` regenerates the deterministic social preview card, and `npm run promo:check` verifies current repo-local promo assets against the current fixture evidence before maintainers post or refresh the demo.
 - `npm run site:check` verifies the static landing page before maintainers post or host it.
 - npm publish has a manual workflow fallback, but the normal release path is tag-driven trusted publishing.
@@ -75,6 +77,8 @@ This checklist defines what "production grade" means for Memento Mori Jester rig
 - maintainer triage docs exist and link noisy-rule reports back to fixture coverage.
 - fixture authoring checks are wired into `npm test`.
 - fixture coverage reports are wired into `npm test`.
+- framework tuning cookbook checks are wired into `npm test`.
+- framework tuning cookbook doctor checks are wired into `npm test`.
 - promo freshness checks are wired into `npm test`.
 - site checks are wired into `npm test`.
 

package/docs/RELEASE.md

@@ -12,6 +12,8 @@ npm.cmd run fixtures:check
 npm.cmd run fixtures:report
 npm.cmd run fixtures:report -- --json
 npm.cmd run fixtures:report -- --markdown
+npm.cmd run framework:tuning:check
+npm.cmd run framework:tuning:doctor
 npm.cmd run promo:card:check
 npm.cmd run promo:check
 npm.cmd run site:check
@@ -24,7 +26,7 @@ Move the current changelog bullets into a matching version section and add `docs
 ## 2. Tag And Push
 
 ```powershell
-git add package.json package-lock.json CHANGELOG.md docs/RELEASE_NOTES_v0.1.x.md docs/PRODUCTION_READINESS.md docs/MAINTAINER_TRIAGE.md SECURITY.md .github/ISSUE_TEMPLATE
+git add package.json package-lock.json CHANGELOG.md docs/RELEASE_NOTES_v0.1.x.md docs/PRODUCTION_READINESS.md docs/MAINTAINER_TRIAGE.md docs/FRAMEWORK_TUNING.md examples/tuning scripts/check-framework-tuning.mjs scripts/doctor-framework-tuning.mjs SECURITY.md .github/ISSUE_TEMPLATE
 git commit -m "Release v0.1.x"
 git tag -a v0.1.x -m "Memento Mori Jester v0.1.x"
 git push origin main

package/docs/RELEASE_NOTES_v0.1.83.md

@@ -0,0 +1,54 @@
+# Memento Mori Jester v0.1.83
+
+## Summary
+
+This release makes the framework tuning guide easier to execute from real repos. It adds a tiny checked cookbook that maps common stack-shaped noisy-rule reports to exact `jester tune <rule-id> --json` commands and fixture IDs.
+
+## What Changed
+
+- Added `examples/tuning/framework-tuning-cookbook.json`.
+- Added `examples/tuning/README.md` with copy-paste recipes for:
+  - Next.js / Vite React,
+  - FastAPI / Python,
+  - Terraform / Kubernetes / Helm,
+  - security scanning,
+  - AI / MCP tools.
+- Added `npm run framework:tuning:check`.
+- Wired the cookbook checker into `npm test` and production-readiness checks.
+- Linked the cookbook from README, CLI docs, getting-started docs, demo docs, release docs, production-readiness docs, and `docs/FRAMEWORK_TUNING.md`.
+
+## Public Interface
+
+- No CLI command changes.
+- No MCP tool changes.
+- No config schema changes.
+- No review rule, scoring, matching, or verdict behavior changes.
+- No GitHub Action or release workflow changes.
+- Fixture count remains `222`; this release adds checked cookbook assets, not new review cases.
+
+## Release Validation
+
+```powershell
+npm.cmd test
+npm.cmd run demo:svg:check
+npm.cmd run promo:card:check
+npm.cmd run promo:check
+npm.cmd run framework:tuning:check
+npm.cmd run fixtures:report
+npm.cmd run fixtures:report -- --json
+npm.cmd run fixtures:report -- --markdown
+npm.cmd run site:check
+npm.cmd run pack:dry
+git diff --check
+node .\dist\cli.js tune coverage --no-config
+git diff | node .\dist\cli.js diff --fail-on block --subject "v0.1.83 framework tuning cookbook"
+```
+
+Expected:
+
+- `framework:tuning:check` passes for five recipes,
+- fixture report still shows `Fixtures: 222`,
+- no thin rule coverage,
+- no preset/kind gaps,
+- no rules without quiet-pass coverage,
+- GitHub Release and npm Publish complete from the `v0.1.83` tag.

package/docs/RELEASE_NOTES_v0.1.84.md

@@ -0,0 +1,50 @@
+# Memento Mori Jester v0.1.84
+
+## Summary
+
+This release adds a consumer-style doctor for the framework tuning cookbook. The cookbook was already checked for doc and fixture alignment; now maintainers can prove the cookbook's tune commands execute through the built CLI with generated preset configs.
+
+## What Changed
+
+- Added `scripts/doctor-framework-tuning.mjs`.
+- Added `npm run framework:tuning:doctor`.
+- Wired the doctor into `npm test` and production-readiness checks.
+- Updated README, CLI docs, demo docs, release docs, production-readiness docs, roadmap, changelog, and the tuning cookbook docs.
+
+## Public Interface
+
+- No CLI command changes.
+- No MCP tool changes.
+- No config schema changes.
+- No review rule, scoring, matching, or verdict behavior changes.
+- No GitHub Action or release workflow changes.
+- New maintainer/package script: `npm run framework:tuning:doctor`.
+
+## Release Validation
+
+```powershell
+npm.cmd test
+npm.cmd run demo:svg:check
+npm.cmd run promo:card:check
+npm.cmd run promo:check
+npm.cmd run framework:tuning:check
+npm.cmd run framework:tuning:doctor
+npm.cmd run fixtures:report
+npm.cmd run fixtures:report -- --json
+npm.cmd run fixtures:report -- --markdown
+npm.cmd run site:check
+npm.cmd run pack:dry
+git diff --check
+node .\dist\cli.js tune coverage --no-config
+git diff | node .\dist\cli.js diff --fail-on block --subject "v0.1.84 framework tuning doctor"
+```
+
+Expected:
+
+- `framework:tuning:check` passes for five recipes,
+- `framework:tuning:doctor` runs 10 executable tune commands,
+- fixture report still shows `Fixtures: 222`,
+- no thin rule coverage,
+- no preset/kind gaps,
+- no rules without quiet-pass coverage,
+- GitHub Release and npm Publish complete from the `v0.1.84` tag.

package/examples/tuning/README.md

@@ -0,0 +1,31 @@
+# Framework Tuning Cookbook
+
+These small recipes pair the [Framework Tuning Examples](../../docs/FRAMEWORK_TUNING.md) guide with checked, fixture-backed commands. Use them when a real repo reports a noisy rule and you want the smallest evidence-backed next step before changing config.
+
+The machine-readable source is [framework-tuning-cookbook.json](framework-tuning-cookbook.json). It is checked by `npm run framework:tuning:check`, so recipe commands and fixture IDs stay aligned with the public guide and fixture suite.
+
+Run `npm run framework:tuning:doctor` after `npm run build` when you want a consumer-style smoke check. It generates temporary preset configs with the built CLI, runs every cookbook `jester tune <rule-id> --json` command, validates the JSON advice shape, and confirms each recipe's fixture IDs are present in the packaged fixture suite.
+
+## Recipes
+
+| Recipe | Stack | Preset | Tune commands | Fixture examples |
+| --- | --- | --- | --- | --- |
+| `next-vite-public-config` | Next.js / Vite React | `web` | `jester tune custom-web-public-secret-name --json`; `jester tune custom-node-install-script-change --json` | `web-public-analytics-env-command-pass`, `node-next-lint-command-pass` |
+| `fastapi-python-execution-boundary` | FastAPI / Python | `python` | `jester tune custom-python-eval-exec --json`; `jester tune custom-python-pickle-load --json` | `python-fastapi-dependency-diff-pass`, `python-pydantic-parse-diff-pass`, `python-uv-sync-frozen-command-pass` |
+| `terraform-kubernetes-docs-only` | Terraform / Kubernetes / Helm | `infra` | `jester tune risky-domain --json`; `jester tune configured-sensitive-domain-terraform --json` | `infra-terraform-plan-docs-pass`, `infra-helm-values-docs-pass`, `infra-kubectl-describe-command-pass` |
+| `security-scan-reporting` | Security scanning | `security` | `jester tune secret-material --json`; `jester tune custom-insecure-tls-disabled --json` | `sec-gitleaks-redacted-command-pass`, `sec-sbom-command-pass`, `sec-vulnerability-report-docs-pass` |
+| `ai-mcp-tooling` | AI / MCP tools | `ai` | `jester tune custom-ai-user-controlled-tool-dispatch --json`; `jester tune custom-ai-public-provider-key --json` | `ai-tool-registry-allowlist-diff-pass`, `ai-model-regression-command-pass`, `ai-public-model-env-diff-pass` |
+
+## How To Use A Recipe
+
+1. Run `jester summary --kind <command|plan|diff|final> "<redacted minimal input>"` and copy the rule id that fired.
+2. Run the nearest recipe command, such as `jester tune custom-ai-user-controlled-tool-dispatch --json`.
+3. Compare `fixtureEvidence.quietPassFixtures` and sample fixture descriptions with the local hit.
+4. If the local case is safe but missing from the fixture suite, add a redacted pass fixture before loosening a rule.
+5. If the local case includes a real secret, destructive command, broad permission, skipped eval, or user-controlled execution path, fix the change instead of muting the rule.
+
+Maintainer smoke check:
+
+```powershell
+npm.cmd run framework:tuning:doctor
+```

package/examples/tuning/framework-tuning-cookbook.json

@@ -0,0 +1,96 @@
+[
+  {
+    "id": "next-vite-public-config",
+    "stack": "Next.js / Vite React",
+    "preset": "web",
+    "when": "Public-but-non-secret frontend names or harmless workspace commands look similar to browser secret or install-script risks.",
+    "commands": [
+      "jester tune custom-web-public-secret-name --json",
+      "jester tune custom-node-install-script-change --json"
+    ],
+    "fixtures": [
+      "web-public-analytics-env-command-pass",
+      "node-next-lint-command-pass"
+    ],
+    "next": [
+      "Compare fixtureEvidence.quietPassFixtures with the redacted local hit.",
+      "Prefer a local disabledRules entry only after repeated harmless hits in the same repo."
+    ]
+  },
+  {
+    "id": "fastapi-python-execution-boundary",
+    "stack": "FastAPI / Python",
+    "preset": "python",
+    "when": "Typed dependency injection, schema parsing, or locked dependency sync is mistaken for dynamic execution or unsafe deserialization.",
+    "commands": [
+      "jester tune custom-python-eval-exec --json",
+      "jester tune custom-python-pickle-load --json"
+    ],
+    "fixtures": [
+      "python-fastapi-dependency-diff-pass",
+      "python-pydantic-parse-diff-pass",
+      "python-uv-sync-frozen-command-pass"
+    ],
+    "next": [
+      "Compare the local change with the safe FastAPI and Pydantic fixture descriptions first.",
+      "Add a redacted pass fixture before loosening Python execution or pickle-shaped rules."
+    ]
+  },
+  {
+    "id": "terraform-kubernetes-docs-only",
+    "stack": "Terraform / Kubernetes / Helm",
+    "preset": "infra",
+    "when": "Docs-only infrastructure guidance mentions Terraform, Helm, or other sensitive infra words without changing deploy behavior.",
+    "commands": [
+      "jester tune risky-domain --json",
+      "jester tune configured-sensitive-domain-terraform --json"
+    ],
+    "fixtures": [
+      "infra-terraform-plan-docs-pass",
+      "infra-helm-values-docs-pass",
+      "infra-kubectl-describe-command-pass"
+    ],
+    "next": [
+      "Check that the local hit is documentation-only before muting broad sensitive-domain noise.",
+      "Keep destructive command, IAM widening, public exposure, and deploy-changing rules active."
+    ]
+  },
+  {
+    "id": "security-scan-reporting",
+    "stack": "Security scanning",
+    "preset": "security",
+    "when": "Redacted scanner output, SBOM generation, or reporting docs look like exposed secret material or skipped verification.",
+    "commands": [
+      "jester tune secret-material --json",
+      "jester tune custom-insecure-tls-disabled --json"
+    ],
+    "fixtures": [
+      "sec-gitleaks-redacted-command-pass",
+      "sec-sbom-command-pass",
+      "sec-vulnerability-report-docs-pass"
+    ],
+    "next": [
+      "Verify the report uses placeholders or scanner-generated summaries rather than live tokens.",
+      "If a real credential appears, rotate it and treat the Jester hit as correct."
+    ]
+  },
+  {
+    "id": "ai-mcp-tooling",
+    "stack": "AI / MCP tools",
+    "preset": "ai",
+    "when": "Static allowlists, model checks, or public model names are mistaken for unsafe tool dispatch, skipped evals, or provider keys.",
+    "commands": [
+      "jester tune custom-ai-user-controlled-tool-dispatch --json",
+      "jester tune custom-ai-public-provider-key --json"
+    ],
+    "fixtures": [
+      "ai-tool-registry-allowlist-diff-pass",
+      "ai-model-regression-command-pass",
+      "ai-public-model-env-diff-pass"
+    ],
+    "next": [
+      "Compare the local tool path with the allowlist fixture before changing an AI preset rule.",
+      "Keep concrete model-output execution and client-exposed provider-key hits treated as dangerous."
+    ]
+  }
+]

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "memento-mori-jester",
-  "version": "0.1.82",
+  "version": "0.1.84",
   "description": "A local court-jester sidecar for AI coding agents: review plans, commands, diffs, and final claims before they get too pleased with themselves.",
   "type": "module",
   "repository": {
@@ -40,12 +40,14 @@
     "build": "tsc -p tsconfig.json",
     "start": "node dist/server.js",
     "start:mcp": "node dist/server.js",
-    "test": "npm run build && node scripts/run-tests.mjs && npm run fixtures:check && npm run fixtures:report && npm run promo:check && npm run site:check && npm run production:check",
+    "test": "npm run build && node scripts/run-tests.mjs && npm run fixtures:check && npm run fixtures:report && npm run framework:tuning:check && npm run framework:tuning:doctor && npm run promo:check && npm run site:check && npm run production:check",
     "doctor": "node dist/cli.js doctor",
     "demo:svg": "node scripts/render-demo-svg.mjs",
     "demo:svg:check": "node scripts/render-demo-svg.mjs --check",
     "fixtures:check": "node scripts/check-fixtures.mjs",
     "fixtures:report": "node scripts/report-fixtures.mjs",
+    "framework:tuning:check": "node scripts/check-framework-tuning.mjs",
+    "framework:tuning:doctor": "node scripts/doctor-framework-tuning.mjs",
     "promo:card": "node scripts/render-social-card.mjs",
     "promo:card:check": "node scripts/render-social-card.mjs --check",
     "promo:check": "node scripts/check-promo-freshness.mjs",

package/scripts/check-framework-tuning.mjs

@@ -0,0 +1,214 @@
+#!/usr/bin/env node
+import { readFileSync } from "node:fs";
+import { join } from "node:path";
+
+const root = process.cwd();
+const cookbookPath = "examples/tuning/framework-tuning-cookbook.json";
+const cookbookReadmePath = "examples/tuning/README.md";
+const guidePath = "docs/FRAMEWORK_TUNING.md";
+const fixturesPath = "examples/fixtures/preset-review-cases.json";
+const failures = [];
+
+const allowedPresets = new Set(["default", "node", "python", "web", "api", "infra", "ai", "security"]);
+const unsafeContentPatterns = [
+  { name: "private key block", pattern: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
+  { name: "OpenAI-looking secret key", pattern: /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b/ },
+  { name: "Anthropic-looking secret key", pattern: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/ },
+  { name: "GitHub-looking token", pattern: /\bgh[pousr]_[A-Za-z0-9_]{20,}\b/ },
+  { name: "AWS access key id", pattern: /\bAKIA[0-9A-Z]{16}\b/ },
+  { name: "Slack-looking token", pattern: /\bxox[baprs]-[A-Za-z0-9-]{20,}\b/ },
+  { name: "absolute Unix home path", pattern: /(?:^|[\s"'`])\/(?:Users|home)\/[A-Za-z0-9._-]+/ },
+  { name: "absolute Windows user path", pattern: /[A-Za-z]:\\Users\\[A-Za-z0-9._-]+\\/ }
+];
+
+function read(path) {
+  return readFileSync(join(root, path), "utf8");
+}
+
+function readJson(path) {
+  return JSON.parse(read(path));
+}
+
+function checkString(value, label, options = {}) {
+  if (typeof value !== "string" || value.trim().length === 0) {
+    failures.push(`${label} should be a non-empty string.`);
+    return;
+  }
+
+  if (options.kebab && !/^[a-z0-9]+(?:-[a-z0-9]+)*$/.test(value)) {
+    failures.push(`${label} should use stable kebab-case.`);
+  }
+
+  if (options.minLength && value.trim().length < options.minLength) {
+    failures.push(`${label} should be at least ${options.minLength} characters.`);
+  }
+}
+
+function checkStringArray(value, label, options = {}) {
+  if (!Array.isArray(value) || value.length === 0) {
+    failures.push(`${label} should be a non-empty array.`);
+    return [];
+  }
+
+  const seen = new Set();
+  for (const [index, item] of value.entries()) {
+    if (typeof item !== "string" || item.trim().length === 0) {
+      failures.push(`${label}[${index}] should be a non-empty string.`);
+      continue;
+    }
+
+    if (seen.has(item)) {
+      failures.push(`${label} repeats ${item}.`);
+    }
+    seen.add(item);
+
+    if (options.pattern && !options.pattern.test(item)) {
+      failures.push(`${label}[${index}] should match ${options.description}. Saw ${item}.`);
+    }
+  }
+
+  return value.filter((item) => typeof item === "string" && item.trim().length > 0);
+}
+
+function requireIncludes(content, file, value, description) {
+  if (!content.includes(value)) {
+    failures.push(`${file} should include ${description}: ${value}`);
+  }
+}
+
+let cookbook;
+let fixtures;
+try {
+  cookbook = readJson(cookbookPath);
+  fixtures = readJson(fixturesPath);
+} catch (error) {
+  console.error(`Could not parse framework tuning inputs: ${error instanceof Error ? error.message : String(error)}`);
+  process.exit(1);
+}
+
+const cookbookRaw = read(cookbookPath);
+const cookbookReadme = read(cookbookReadmePath);
+const frameworkGuide = read(guidePath);
+
+for (const [file, content] of [
+  [cookbookPath, cookbookRaw],
+  [cookbookReadmePath, cookbookReadme],
+  [guidePath, frameworkGuide]
+]) {
+  for (const unsafe of unsafeContentPatterns) {
+    if (unsafe.pattern.test(content)) {
+      failures.push(`${file} appears to contain ${unsafe.name}; tuning examples should stay public and redacted.`);
+    }
+  }
+}
+
+if (!Array.isArray(cookbook)) {
+  failures.push(`${cookbookPath} should contain a JSON array.`);
+} else if (cookbook.length < 5) {
+  failures.push(`${cookbookPath} should contain at least five framework recipes.`);
+}
+
+if (!Array.isArray(fixtures)) {
+  failures.push(`${fixturesPath} should contain a JSON array.`);
+  fixtures = [];
+}
+
+const fixtureIds = new Set();
+const fixtureRuleIds = new Set();
+for (const fixture of fixtures) {
+  if (typeof fixture?.id === "string") {
+    fixtureIds.add(fixture.id);
+  }
+  for (const field of ["expectedRuleIds", "absentRuleIds"]) {
+    if (Array.isArray(fixture?.[field])) {
+      for (const ruleId of fixture[field]) {
+        if (typeof ruleId === "string") {
+          fixtureRuleIds.add(ruleId);
+        }
+      }
+    }
+  }
+}
+
+requireIncludes(frameworkGuide, guidePath, "framework-tuning-cookbook.json", "the cookbook JSON link");
+requireIncludes(frameworkGuide, guidePath, "examples/tuning", "the tuning examples link");
+requireIncludes(cookbookReadme, cookbookReadmePath, "framework-tuning-cookbook.json", "the cookbook JSON link");
+requireIncludes(cookbookReadme, cookbookReadmePath, "npm run framework:tuning:check", "the checker command");
+
+const ids = new Set();
+const commandPattern = /^jester tune ([a-z0-9]+(?:-[a-z0-9]+)*) --json$/;
+
+for (const [index, recipe] of (Array.isArray(cookbook) ? cookbook : []).entries()) {
+  const label = typeof recipe?.id === "string" ? recipe.id : `recipe[${index}]`;
+
+  if (!recipe || typeof recipe !== "object" || Array.isArray(recipe)) {
+    failures.push(`${label} should be an object.`);
+    continue;
+  }
+
+  checkString(recipe.id, `${label}.id`, { kebab: true });
+  checkString(recipe.stack, `${label}.stack`);
+  checkString(recipe.preset, `${label}.preset`);
+  checkString(recipe.when, `${label}.when`, { minLength: 40 });
+
+  if (typeof recipe.id === "string") {
+    if (ids.has(recipe.id)) {
+      failures.push(`${label}.id is duplicated.`);
+    }
+    ids.add(recipe.id);
+  }
+
+  if (!allowedPresets.has(recipe.preset)) {
+    failures.push(`${label}.preset should be one of: ${[...allowedPresets].join(", ")}.`);
+  }
+
+  const commands = checkStringArray(recipe.commands, `${label}.commands`, {
+    pattern: commandPattern,
+    description: "`jester tune <rule-id> --json`"
+  });
+  const fixturesForRecipe = checkStringArray(recipe.fixtures, `${label}.fixtures`, {
+    pattern: /^[a-z0-9]+(?:-[a-z0-9]+)*$/,
+    description: "a kebab-case fixture id"
+  });
+  checkStringArray(recipe.next, `${label}.next`);
+
+  for (const command of commands) {
+    const match = command.match(commandPattern);
+    const ruleId = match?.[1];
+    if (ruleId && !fixtureRuleIds.has(ruleId)) {
+      failures.push(`${label}.commands references ${ruleId}, but no fixture currently names that rule in expectedRuleIds or absentRuleIds.`);
+    }
+
+    requireIncludes(frameworkGuide, guidePath, command, `${label} command`);
+    requireIncludes(cookbookReadme, cookbookReadmePath, command, `${label} command`);
+  }
+
+  for (const fixtureId of fixturesForRecipe) {
+    if (!fixtureIds.has(fixtureId)) {
+      failures.push(`${label}.fixtures references missing fixture ${fixtureId}.`);
+    }
+
+    requireIncludes(frameworkGuide, guidePath, fixtureId, `${label} fixture id`);
+    requireIncludes(cookbookReadme, cookbookReadmePath, fixtureId, `${label} fixture id`);
+  }
+
+  if (typeof recipe.id === "string") {
+    requireIncludes(frameworkGuide, guidePath, recipe.id, `${label} recipe id`);
+    requireIncludes(cookbookReadme, cookbookReadmePath, recipe.id, `${label} recipe id`);
+  }
+
+  if (typeof recipe.stack === "string") {
+    requireIncludes(frameworkGuide, guidePath, recipe.stack, `${label} stack`);
+    requireIncludes(cookbookReadme, cookbookReadmePath, recipe.stack, `${label} stack`);
+  }
+}
+
+if (failures.length > 0) {
+  console.error("Framework tuning check failed:");
+  for (const failure of failures) {
+    console.error(`- ${failure}`);
+  }
+  process.exit(1);
+}
+
+console.log(`Framework tuning check passed for ${Array.isArray(cookbook) ? cookbook.length : 0} recipes.`);

package/scripts/check-production-readiness.mjs

@@ -68,6 +68,8 @@ for (const path of [
   "scripts/check-promo-freshness.mjs",
   "scripts/render-social-card.mjs",
   "scripts/check-site.mjs",
+  "scripts/check-framework-tuning.mjs",
+  "scripts/doctor-framework-tuning.mjs",
   "scripts/check-fixtures.mjs",
   "scripts/report-fixtures.mjs",
   ".github/ISSUE_TEMPLATE/bug_report.yml",
@@ -81,6 +83,8 @@ for (const path of [
   "examples/github-code-scanning.yml",
   "examples/ci/README.md",
   "examples/presets/README.md",
+  "examples/tuning/README.md",
+  "examples/tuning/framework-tuning-cookbook.json",
   "examples/fixtures/preset-review-cases.json",
   "site/index.html"
 ]) {
@@ -101,6 +105,7 @@ requireText("README.md", /fixtures:check/, "fixture authoring check guidance");
 requireText("README.md", /fixtures:report/, "fixture coverage report guidance");
 requireText("README.md", /fixtures:report -- --markdown/, "Markdown fixture report guidance");
 requireText("README.md", /FRAMEWORK_TUNING\.md/, "framework tuning guide link");
+requireText("README.md", /examples\/tuning/, "framework tuning cookbook link");
 requireText("README.md", /License: PolyForm Noncommercial/, "the noncommercial license badge");
 requireText("docs/PRODUCTION_READINESS.md", /npm package/i, "npm package readiness");
 requireText("docs/PRODUCTION_READINESS.md", /GitHub Action/i, "GitHub Action readiness");
@@ -114,14 +119,20 @@ requireText("docs/PRODUCTION_READINESS.md", /MAINTAINER_TRIAGE\.md/, "maintainer
 requireText("docs/PRODUCTION_READINESS.md", /fixtures:check/, "fixture authoring check readiness");
 requireText("docs/PRODUCTION_READINESS.md", /fixtures:report/, "fixture coverage report readiness");
 requireText("docs/PRODUCTION_READINESS.md", /fixtures:report -- --markdown/, "Markdown fixture report readiness");
+requireText("docs/PRODUCTION_READINESS.md", /framework:tuning:check/, "framework tuning cookbook readiness");
+requireText("docs/PRODUCTION_READINESS.md", /framework:tuning:doctor/, "framework tuning cookbook doctor readiness");
 requireText("docs/PRODUCTION_READINESS.md", /quiet-pass/, "quiet-pass fixture readiness");
 requireText("docs/CLI.md", /jester doctor --json/, "doctor JSON CLI docs");
 requireText("docs/CLI.md", /quiet-pass fixture/, "quiet-pass fixture CLI docs");
 requireText("docs/CLI.md", /FRAMEWORK_TUNING\.md/, "framework tuning CLI link");
+requireText("docs/CLI.md", /examples\/tuning/, "framework tuning cookbook CLI link");
+requireText("docs/CLI.md", /framework:tuning:doctor/, "framework tuning doctor CLI docs");
 requireText("docs/FRAMEWORK_TUNING.md", /Next\.js/, "Next.js framework tuning example");
 requireText("docs/FRAMEWORK_TUNING.md", /FastAPI/, "FastAPI framework tuning example");
 requireText("docs/FRAMEWORK_TUNING.md", /Terraform/, "Terraform framework tuning example");
 requireText("docs/FRAMEWORK_TUNING.md", /jester tune <rule-id> --json/, "framework tuning command guidance");
+requireText("docs/FRAMEWORK_TUNING.md", /framework-tuning-cookbook\.json/, "framework tuning cookbook JSON link");
+requireText("docs/FRAMEWORK_TUNING.md", /framework:tuning:doctor/, "framework tuning doctor guidance");
 requireText("docs/MAINTAINER_TRIAGE.md", /doctor --json/, "doctor JSON triage prompt");
 requireText("docs/MAINTAINER_TRIAGE.md", /tune <rule-id> --json/, "tune JSON triage prompt");
 requireText("docs/MAINTAINER_TRIAGE.md", /preset-review-cases\.json/, "fixture suite link");
@@ -132,6 +143,11 @@ requireText("examples/fixtures/README.md", /Adding A Fixture From A Report/, "fi
 requireText("examples/fixtures/README.md", /fixtures:check/, "fixture authoring check guidance");
 requireText("examples/fixtures/README.md", /fixtures:report/, "fixture coverage report guidance");
 requireText("examples/fixtures/README.md", /fixtures:report -- --markdown/, "Markdown fixture report guidance");
+requireText("examples/tuning/README.md", /framework-tuning-cookbook\.json/, "framework tuning cookbook JSON link");
+requireText("examples/tuning/README.md", /framework:tuning:doctor/, "framework tuning doctor guidance");
+requireText("examples/tuning/README.md", /jester tune <rule-id> --json|jester tune [a-z0-9-]+ --json/, "framework tuning command guidance");
+requireText("examples/tuning/framework-tuning-cookbook.json", /next-vite-public-config/, "Next/Vite tuning recipe");
+requireText("examples/tuning/framework-tuning-cookbook.json", /ai-mcp-tooling/, "AI/MCP tuning recipe");
 requireText("scripts/check-fixtures.mjs", /duplicated/, "duplicate fixture id check");
 requireText("scripts/check-fixtures.mjs", /unsafeContentPatterns/, "unsafe fixture content checks");
 forbidText("scripts/check-fixtures.mjs", /src\/config\.ts|src\/types\.ts/, "source-only fixture validator dependencies");
@@ -141,14 +157,25 @@ requireText("scripts/report-fixtures.mjs", /quietPassRuleCoverage/, "quiet-pass
 requireText("scripts/report-fixtures.mjs", /presetKindGaps/, "preset and kind gap report");
 requireText("scripts/report-fixtures.mjs", /--markdown/, "Markdown fixture report output");
 forbidText("scripts/report-fixtures.mjs", /src\/config\.ts|src\/types\.ts/, "source-only fixture report dependencies");
+requireText("scripts/check-framework-tuning.mjs", /framework-tuning-cookbook\.json/, "framework tuning cookbook check");
+requireText("scripts/check-framework-tuning.mjs", /preset-review-cases\.json/, "framework tuning fixture alignment");
+requireText("scripts/check-framework-tuning.mjs", /unsafeContentPatterns/, "unsafe tuning content checks");
+requireText("scripts/doctor-framework-tuning.mjs", /dist.*cli\.js|cliPath/, "built CLI doctor path");
+requireText("scripts/doctor-framework-tuning.mjs", /config.*init|config", "init"/, "generated preset config doctor");
+requireText("scripts/doctor-framework-tuning.mjs", /tune.*--json|tune", ruleId, "--json"/, "tune JSON doctor command");
+forbidText("scripts/doctor-framework-tuning.mjs", /src\/config\.ts|src\/types\.ts/, "source-only framework tuning doctor dependencies");
 requireText("package.json", /"fixtures:check": "node scripts\/check-fixtures\.mjs"/, "fixture authoring check script");
 requireText("package.json", /"fixtures:report": "node scripts\/report-fixtures\.mjs"/, "fixture coverage report script");
+requireText("package.json", /"framework:tuning:check": "node scripts\/check-framework-tuning\.mjs"/, "framework tuning cookbook check script");
+requireText("package.json", /"framework:tuning:doctor": "node scripts\/doctor-framework-tuning\.mjs"/, "framework tuning cookbook doctor script");
 requireText("package.json", /"promo:card": "node scripts\/render-social-card\.mjs"/, "social card render script");
 requireText("package.json", /"promo:card:check": "node scripts\/render-social-card\.mjs --check"/, "social card stale check script");
 requireText("package.json", /"promo:check": "node scripts\/check-promo-freshness\.mjs"/, "promo freshness check script");
 requireText("package.json", /"site:check": "node scripts\/check-site\.mjs"/, "site check script");
 requireText("package.json", /npm run fixtures:check/, "fixture authoring check in npm test");
 requireText("package.json", /npm run fixtures:report/, "fixture coverage report in npm test");
+requireText("package.json", /npm run framework:tuning:check/, "framework tuning cookbook check in npm test");
+requireText("package.json", /npm run framework:tuning:doctor/, "framework tuning cookbook doctor in npm test");
 requireText("package.json", /npm run promo:check/, "promo freshness check in npm test");
 requireText("package.json", /npm run site:check/, "site check in npm test");
 requireText("scripts/check-promo-freshness.mjs", /--require-package-version/, "optional strict package-version promo check");

package/scripts/doctor-framework-tuning.mjs

@@ -0,0 +1,263 @@
+#!/usr/bin/env node
+import { existsSync, mkdtempSync, readFileSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+import { spawnSync } from "node:child_process";
+
+const scriptDir = dirname(fileURLToPath(import.meta.url));
+const root = join(scriptDir, "..");
+const cliPath = join(root, "dist", "cli.js");
+const cookbookPath = join(root, "examples", "tuning", "framework-tuning-cookbook.json");
+const fixturesPath = join(root, "examples", "fixtures", "preset-review-cases.json");
+const failures = [];
+const commandPattern = /^jester tune ([a-z0-9]+(?:-[a-z0-9]+)*) --json$/;
+const presets = ["node", "python", "web", "api", "infra", "ai", "security"];
+
+function readJson(path) {
+  return JSON.parse(readFileSync(path, "utf8"));
+}
+
+function runCli(args, options = {}) {
+  const result = spawnSync(process.execPath, [cliPath, ...args], {
+    cwd: root,
+    encoding: "utf8",
+    maxBuffer: 10 * 1024 * 1024
+  });
+
+  if (result.error) {
+    throw result.error;
+  }
+
+  if (result.status !== 0) {
+    const detail = [result.stdout, result.stderr].filter(Boolean).join("\n").trim();
+    throw new Error(`jester ${args.join(" ")} failed${detail ? `:\n${detail}` : "."}`);
+  }
+
+  if (!options.json) {
+    return result.stdout;
+  }
+
+  try {
+    return JSON.parse(result.stdout);
+  } catch (error) {
+    throw new Error(`jester ${args.join(" ")} did not return JSON: ${error instanceof Error ? error.message : String(error)}`);
+  }
+}
+
+if (!existsSync(cliPath)) {
+  console.error("Framework tuning doctor failed:");
+  console.error(`- ${cliPath} is missing. Run npm run build first, or run this from an installed package.`);
+  process.exit(1);
+}
+
+let cookbook;
+let fixtures;
+try {
+  cookbook = readJson(cookbookPath);
+  fixtures = readJson(fixturesPath);
+} catch (error) {
+  console.error(`Could not parse framework tuning doctor inputs: ${error instanceof Error ? error.message : String(error)}`);
+  process.exit(1);
+}
+
+if (!Array.isArray(cookbook)) {
+  console.error(`Framework tuning doctor failed: ${cookbookPath} should contain a JSON array.`);
+  process.exit(1);
+}
+
+if (!Array.isArray(fixtures)) {
+  console.error(`Framework tuning doctor failed: ${fixturesPath} should contain a JSON array.`);
+  process.exit(1);
+}
+
+const fixtureById = new Map(fixtures.map((fixture) => [fixture.id, fixture]));
+const tmpRoot = mkdtempSync(join(tmpdir(), "jester-framework-tuning-"));
+const configByPreset = new Map();
+
+try {
+  for (const preset of presets) {
+    const configPath = join(tmpRoot, `${preset}.config.json`);
+    runCli(["config", "init", "--preset", preset, "--path", configPath, "--force"]);
+    runCli(["config", "validate", "--config", configPath]);
+    configByPreset.set(preset, configPath);
+  }
+
+  const noConfigCatalog = readRuleCatalog(["rules", "--json", "--no-config"]);
+  const presetCatalogs = new Map();
+  for (const [preset, configPath] of configByPreset.entries()) {
+    presetCatalogs.set(preset, readRuleCatalog(["rules", "--json", "--config", configPath]));
+  }
+
+  const recipeSummaries = [];
+  let commandCount = 0;
+  let fixtureReferenceCount = 0;
+
+  for (const recipe of cookbook) {
+    const label = typeof recipe?.id === "string" ? recipe.id : "unknown-recipe";
+    const commands = Array.isArray(recipe?.commands) ? recipe.commands : [];
+    const fixtureIds = Array.isArray(recipe?.fixtures) ? recipe.fixtures : [];
+    const recipeRuleIds = [];
+
+    for (const command of commands) {
+      const match = typeof command === "string" ? command.match(commandPattern) : null;
+      if (!match) {
+        failures.push(`${label} command should match "jester tune <rule-id> --json". Saw ${String(command)}.`);
+        continue;
+      }
+
+      recipeRuleIds.push(match[1]);
+    }
+
+    for (const fixtureId of fixtureIds) {
+      const fixture = fixtureById.get(fixtureId);
+      if (!fixture) {
+        failures.push(`${label} references missing fixture ${fixtureId}.`);
+        continue;
+      }
+
+      const refs = new Set([
+        ...(Array.isArray(fixture.expectedRuleIds) ? fixture.expectedRuleIds : []),
+        ...(Array.isArray(fixture.absentRuleIds) ? fixture.absentRuleIds : [])
+      ]);
+      fixtureReferenceCount += refs.size;
+    }
+
+    for (const ruleId of recipeRuleIds) {
+      const relatedFixtures = fixtureIds.filter((fixtureId) => {
+        const fixture = fixtureById.get(fixtureId);
+        const refs = new Set([
+          ...(Array.isArray(fixture?.expectedRuleIds) ? fixture.expectedRuleIds : []),
+          ...(Array.isArray(fixture?.absentRuleIds) ? fixture.absentRuleIds : [])
+        ]);
+        return refs.has(ruleId);
+      });
+
+      if (relatedFixtures.length === 0) {
+        failures.push(`${label} command for ${ruleId} should have at least one referenced fixture in expectedRuleIds or absentRuleIds.`);
+      }
+
+      const runContext = chooseRunContext(ruleId, recipe.preset, noConfigCatalog, presetCatalogs, configByPreset);
+      if (!runContext) {
+        failures.push(`${label} command for ${ruleId} did not resolve in built-in rules or generated preset configs.`);
+        continue;
+      }
+
+      const args = ["tune", ruleId, "--json"];
+      if (runContext.configPath) {
+        args.push("--config", runContext.configPath);
+      } else {
+        args.push("--no-config");
+      }
+
+      let advice;
+      try {
+        advice = runCli(args, { json: true });
+      } catch (error) {
+        failures.push(`${label} command for ${ruleId} failed: ${error instanceof Error ? error.message : String(error)}`);
+        continue;
+      }
+
+      commandCount += 1;
+      validateTuneAdvice(label, ruleId, runContext.name, advice);
+    }
+
+    recipeSummaries.push({
+      id: label,
+      commandCount: recipeRuleIds.length,
+      fixtureCount: fixtureIds.length
+    });
+  }
+
+  if (failures.length > 0) {
+    console.error("Framework tuning doctor failed:");
+    for (const failure of failures) {
+      console.error(`- ${failure}`);
+    }
+    process.exit(1);
+  }
+
+  console.log("Framework tuning doctor");
+  console.log("");
+  for (const recipe of recipeSummaries) {
+    console.log(`PASS ${recipe.id}: ${recipe.commandCount} tune command(s), ${recipe.fixtureCount} fixture reference(s)`);
+  }
+  console.log("");
+  console.log(`Checked ${recipeSummaries.length} recipe(s), ${commandCount} executable tune command(s), and ${fixtureReferenceCount} fixture rule reference(s).`);
+  console.log("Generated temporary preset configs and removed them after validation.");
+} finally {
+  rmSync(tmpRoot, { recursive: true, force: true });
+}
+
+function readRuleCatalog(args) {
+  const output = runCli(args, { json: true });
+  if (!Array.isArray(output.rules)) {
+    throw new Error(`jester ${args.join(" ")} did not return a rules array.`);
+  }
+  return new Set(output.rules.map((rule) => rule.id).filter((id) => typeof id === "string"));
+}
+
+function chooseRunContext(ruleId, preferredPreset, noConfigCatalog, presetCatalogs, configByPreset) {
+  if (typeof preferredPreset === "string" && presetCatalogs.get(preferredPreset)?.has(ruleId)) {
+    return {
+      name: preferredPreset,
+      configPath: configByPreset.get(preferredPreset)
+    };
+  }
+
+  for (const [preset, catalog] of presetCatalogs.entries()) {
+    if (catalog.has(ruleId)) {
+      return {
+        name: preset,
+        configPath: configByPreset.get(preset)
+      };
+    }
+  }
+
+  if (noConfigCatalog.has(ruleId)) {
+    return {
+      name: "built-in",
+      configPath: null
+    };
+  }
+
+  return null;
+}
+
+function validateTuneAdvice(recipeId, ruleId, contextName, advice) {
+  if (advice?.ruleId !== ruleId) {
+    failures.push(`${recipeId} expected tune JSON ruleId ${ruleId}; saw ${String(advice?.ruleId)}.`);
+  }
+
+  if (typeof advice?.title !== "string" || advice.title.length === 0) {
+    failures.push(`${recipeId} tune ${ruleId} should include a title.`);
+  }
+
+  if (!Number.isInteger(advice?.severity)) {
+    failures.push(`${recipeId} tune ${ruleId} should include numeric severity.`);
+  }
+
+  if (!Array.isArray(advice?.kinds) || advice.kinds.length === 0) {
+    failures.push(`${recipeId} tune ${ruleId} should include review kinds.`);
+  }
+
+  if (typeof advice?.recommendation !== "string" || advice.recommendation.length === 0) {
+    failures.push(`${recipeId} tune ${ruleId} should include a recommendation.`);
+  }
+
+  if (!Array.isArray(advice?.checksBeforeMuting) || advice.checksBeforeMuting.length === 0) {
+    failures.push(`${recipeId} tune ${ruleId} should include checksBeforeMuting.`);
+  }
+
+  if (advice?.fixtureEvidence?.ruleId !== ruleId) {
+    failures.push(`${recipeId} tune ${ruleId} should include fixtureEvidence for the same rule.`);
+  }
+
+  if (!advice?.commands?.inspect || !advice?.commands?.validate || !advice?.commands?.list) {
+    failures.push(`${recipeId} tune ${ruleId} should include inspect, validate, and list commands.`);
+  }
+
+  if (contextName !== "built-in" && advice?.configPath === null) {
+    failures.push(`${recipeId} tune ${ruleId} should report a generated config path when using the ${contextName} preset.`);
+  }
+}