memento-mori-jester 0.1.83 → 0.1.85

package/CHANGELOG.md

@@ -4,6 +4,18 @@ All notable changes to Memento Mori Jester are tracked here.
 
 ## Unreleased
 
+## 0.1.85
+
+- Added `examples/ci/adoption-smoke.yml`, a read-only GitHub Actions recipe for checking `doctor`, `summary`, and packaged framework tuning cookbook commands in real repos.
+- Added `npm run ci:adoption:check` to keep the adoption smoke workflow and docs aligned with current commands and safety expectations.
+- Updated README, GitHub Actions docs, CI examples, release docs, production-readiness docs, roadmap, and release notes for the new adoption path.
+
+## 0.1.84
+
+- Added `npm run framework:tuning:doctor`, a consumer-style smoke check that generates temporary preset configs and runs every cookbook `jester tune <rule-id> --json` command through the built CLI.
+- Wired the tuning doctor into `npm test` and the production-readiness guard.
+- Updated framework tuning docs, cookbook docs, release docs, demo docs, and README guidance for the new doctor check.
+
 ## 0.1.83
 
 - Added `examples/tuning/framework-tuning-cookbook.json`, a small checked cookbook that maps framework-shaped noisy-rule reports to exact `jester tune <rule> --json` commands and fixture IDs.

package/README.md

@@ -68,6 +68,8 @@ npx -y memento-mori-jester@latest github-action --write
 
 The generated workflow uploads SARIF for code scanning and adds a readable Jester summary to the GitHub Actions run.
 
+For a first read-only CI smoke, copy [examples/ci/adoption-smoke.yml](examples/ci/adoption-smoke.yml). It runs `doctor`, `summary --kind command "git reset --hard"`, and the published package's `framework:tuning:doctor` without requiring code-scanning permissions.
+
 Expected vibe:
 
 ```text
@@ -315,7 +317,7 @@ jester tune coverage --json
 
 `jester tune coverage` shows the fixture support and confidence signal for every rule, including suggested next actions such as adding coverage, reviewing surprise matches, checking quiet-pass boundaries, or leaving a healthy signal alone.
 
-For stack-shaped noise, see [Framework Tuning Examples](docs/FRAMEWORK_TUNING.md). It maps common Next.js, Vite React, FastAPI, Terraform/Kubernetes, security-scan, and AI/MCP false-positive reports to the `jester tune <rule>` command and fixture IDs worth checking first. The checked [framework tuning cookbook](examples/tuning) turns those rows into copy-paste recipes and a machine-readable JSON file.
+For stack-shaped noise, see [Framework Tuning Examples](docs/FRAMEWORK_TUNING.md). It maps common Next.js, Vite React, FastAPI, Terraform/Kubernetes, security-scan, and AI/MCP false-positive reports to the `jester tune <rule>` command and fixture IDs worth checking first. The checked [framework tuning cookbook](examples/tuning) turns those rows into copy-paste recipes and a machine-readable JSON file, and `npm run framework:tuning:doctor` proves those recipes execute through the built CLI.
 
 Disable a noisy rule by adding its id to `disabledRules` in `jester.config.json`:
 
@@ -436,6 +438,7 @@ More setup examples:
 - [Preset Example Packs](examples/presets)
 - [Review Fixtures](examples/fixtures)
 - [Framework CI Examples](examples/ci)
+- [Adoption Smoke CI](examples/ci/adoption-smoke.yml)
 - [Security Policy](SECURITY.md)
 - [Maintainer Triage](docs/MAINTAINER_TRIAGE.md)
 - [Changelog](CHANGELOG.md)
@@ -453,6 +456,7 @@ Preset example packs:
 
 Framework CI examples:
 
+- [Adoption Smoke CI](examples/ci/adoption-smoke.yml)
 - [Next.js CI](examples/ci/nextjs.yml)
 - [Vite React CI](examples/ci/vite-react.yml)
 - [Express API CI](examples/ci/express-api.yml)

package/ROADMAP.md

@@ -6,6 +6,8 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 
 ## Recently Shipped
 
+- Adoption smoke CI example in v0.1.85, giving real repos a read-only workflow for `doctor`, `summary`, and packaged framework tuning checks.
+- Framework tuning doctor in v0.1.84, proving cookbook recipes execute through the built CLI with generated preset configs before release.
 - Framework tuning cookbook in v0.1.83, adding checked copy-paste recipes and a machine-readable JSON map for stack-shaped noisy-rule reports.
 - Framework tuning examples and quiet-pass fixture curation in v0.1.82, adding six safe real-world examples plus a guide for framework-shaped noisy-rule reports.
 - Repo-local landing page in v0.1.81, adding a static one-page share surface plus deterministic link checks.

package/docs/CLI.md

@@ -158,7 +158,7 @@ Use `jester tune <id>` when the question is practical: should this noisy rule be
 
 When filing a false-positive issue, include redacted `jester summary` output and `jester tune <rule-id> --json` output when possible.
 
-For stack-shaped reports, see [Framework Tuning Examples](FRAMEWORK_TUNING.md). It points common Next.js, Vite React, FastAPI, Terraform/Kubernetes, security-scan, and AI/MCP noisy-rule reports at the relevant `jester tune <rule-id>` command and fixture IDs. The checked [framework tuning cookbook](../examples/tuning) keeps copy-paste recipes and fixture IDs in one machine-readable place.
+For stack-shaped reports, see [Framework Tuning Examples](FRAMEWORK_TUNING.md). It points common Next.js, Vite React, FastAPI, Terraform/Kubernetes, security-scan, and AI/MCP noisy-rule reports at the relevant `jester tune <rule-id>` command and fixture IDs. The checked [framework tuning cookbook](../examples/tuning) keeps copy-paste recipes and fixture IDs in one machine-readable place. Maintainers can run `npm run framework:tuning:doctor` to prove every cookbook tune command executes through the built CLI with temporary preset configs.
 
 Use `jester tune coverage` when maintaining the rule set. It ranks every rule by fixture support and confidence, shows expected vs unexpected fixture weight, and suggests the next maintenance action for each rule.
 

package/docs/DEMO.md

@@ -382,10 +382,11 @@ The cookbook maps recipe IDs such as `next-vite-public-config`, `terraform-kuber
 Maintainers can run:
 
 ```powershell
+npm.cmd run framework:tuning:doctor
 npm.cmd run framework:tuning:check
 ```
 
-That validates [framework-tuning-cookbook.json](../examples/tuning/framework-tuning-cookbook.json) against this guide, the cookbook README, and `examples/fixtures/preset-review-cases.json`.
+The doctor runs every cookbook tune command through the built CLI with temporary preset configs. The check validates [framework-tuning-cookbook.json](../examples/tuning/framework-tuning-cookbook.json) against this guide, the cookbook README, and `examples/fixtures/preset-review-cases.json`.
 
 ## 15. Framework CI Examples
 

package/docs/FRAMEWORK_TUNING.md

@@ -2,7 +2,7 @@
 
 Use this when a rule is noisy in a real project and you want the smallest evidence-backed next step before muting it.
 
-For copy-pasteable recipes, see [examples/tuning](../examples/tuning). The machine-readable cookbook is [framework-tuning-cookbook.json](../examples/tuning/framework-tuning-cookbook.json), and `npm run framework:tuning:check` keeps it aligned with this guide and the fixture suite.
+For copy-pasteable recipes, see [examples/tuning](../examples/tuning). The machine-readable cookbook is [framework-tuning-cookbook.json](../examples/tuning/framework-tuning-cookbook.json). `npm run framework:tuning:check` keeps it aligned with this guide and the fixture suite, while `npm run framework:tuning:doctor` runs the cookbook's tune commands through the built CLI with temporary preset configs.
 
 Start with the rule that actually fired:
 

package/docs/GITHUB_ACTIONS.md

@@ -20,6 +20,21 @@ The generated workflow reviews pull request diffs, writes `jester.sarif`, upload
 
 This repository dogfoods that generated workflow in [.github/workflows/memento-mori.yml](../.github/workflows/memento-mori.yml).
 
+## Adoption Smoke Workflow
+
+Use [examples/ci/adoption-smoke.yml](../examples/ci/adoption-smoke.yml) when you want a first read-only CI check before enabling SARIF/code scanning.
+
+It runs:
+
+```powershell
+npx -y memento-mori-jester@latest doctor
+npx -y memento-mori-jester@latest summary --kind command "git reset --hard"
+npm run framework:tuning:check
+npm run framework:tuning:doctor
+```
+
+The workflow downloads the published npm tarball into a temporary directory before running the framework tuning checks, so it verifies package contents rather than relying on this repository checkout.
+
 ## Composite Action
 
 This repo can be used directly as a GitHub Action:

package/docs/PRODUCTION_READINESS.md

@@ -26,6 +26,7 @@ This checklist defines what "production grade" means for Memento Mori Jester rig
 - Action inputs cover `fail-on`, `subject`, `config`, `no-config`, `format`, `output-file`, and `summary`.
 - SARIF output and GitHub step summaries remain separate so users can enable readable summaries without new GitHub write permissions.
 - Example workflows in `examples/` and `examples/ci/` stay aligned with the action shape.
+- `examples/ci/adoption-smoke.yml` gives new repos a read-only smoke workflow for `doctor`, `summary`, and packaged framework tuning checks before code scanning is enabled.
 
 ## MCP And Agent Setup
 
@@ -59,6 +60,7 @@ This checklist defines what "production grade" means for Memento Mori Jester rig
 - `npm run fixtures:check` validates fixture IDs, metadata, unsafe-looking content, duplicate content, and explicit expected/absent rule intent.
 - `npm run fixtures:report` shows fixture coverage by rule, rule family, preset slice, kind, verdict, quiet-pass rule boundaries, and feasible pass-case gaps so maintainers can pick the next fixture target; `npm run fixtures:report -- --markdown` produces a paste-ready maintainer snapshot.
 - `npm run framework:tuning:check` keeps the framework tuning guide, cookbook JSON, cookbook README, and fixture IDs aligned.
+- `npm run framework:tuning:doctor` runs the cookbook tune commands through the built CLI with temporary preset configs, so package consumers do not inherit stale recipes.
 - `npm run promo:card` regenerates the deterministic social preview card, and `npm run promo:check` verifies current repo-local promo assets against the current fixture evidence before maintainers post or refresh the demo.
 - `npm run site:check` verifies the static landing page before maintainers post or host it.
 - npm publish has a manual workflow fallback, but the normal release path is tag-driven trusted publishing.
@@ -77,6 +79,8 @@ This checklist defines what "production grade" means for Memento Mori Jester rig
 - fixture authoring checks are wired into `npm test`.
 - fixture coverage reports are wired into `npm test`.
 - framework tuning cookbook checks are wired into `npm test`.
+- framework tuning cookbook doctor checks are wired into `npm test`.
+- CI adoption example checks are wired into `npm test`.
 - promo freshness checks are wired into `npm test`.
 - site checks are wired into `npm test`.
 

package/docs/RELEASE.md

@@ -13,6 +13,8 @@ npm.cmd run fixtures:report
 npm.cmd run fixtures:report -- --json
 npm.cmd run fixtures:report -- --markdown
 npm.cmd run framework:tuning:check
+npm.cmd run framework:tuning:doctor
+npm.cmd run ci:adoption:check
 npm.cmd run promo:card:check
 npm.cmd run promo:check
 npm.cmd run site:check
@@ -25,7 +27,7 @@ Move the current changelog bullets into a matching version section and add `docs
 ## 2. Tag And Push
 
 ```powershell
-git add package.json package-lock.json CHANGELOG.md docs/RELEASE_NOTES_v0.1.x.md docs/PRODUCTION_READINESS.md docs/MAINTAINER_TRIAGE.md docs/FRAMEWORK_TUNING.md examples/tuning scripts/check-framework-tuning.mjs SECURITY.md .github/ISSUE_TEMPLATE
+git add package.json package-lock.json CHANGELOG.md docs/RELEASE_NOTES_v0.1.x.md docs/PRODUCTION_READINESS.md docs/MAINTAINER_TRIAGE.md docs/FRAMEWORK_TUNING.md docs/GITHUB_ACTIONS.md examples/ci examples/tuning scripts/check-ci-adoption.mjs scripts/check-framework-tuning.mjs scripts/doctor-framework-tuning.mjs SECURITY.md .github/ISSUE_TEMPLATE
 git commit -m "Release v0.1.x"
 git tag -a v0.1.x -m "Memento Mori Jester v0.1.x"
 git push origin main

package/docs/RELEASE_NOTES_v0.1.84.md

@@ -0,0 +1,50 @@
+# Memento Mori Jester v0.1.84
+
+## Summary
+
+This release adds a consumer-style doctor for the framework tuning cookbook. The cookbook was already checked for doc and fixture alignment; now maintainers can prove the cookbook's tune commands execute through the built CLI with generated preset configs.
+
+## What Changed
+
+- Added `scripts/doctor-framework-tuning.mjs`.
+- Added `npm run framework:tuning:doctor`.
+- Wired the doctor into `npm test` and production-readiness checks.
+- Updated README, CLI docs, demo docs, release docs, production-readiness docs, roadmap, changelog, and the tuning cookbook docs.
+
+## Public Interface
+
+- No CLI command changes.
+- No MCP tool changes.
+- No config schema changes.
+- No review rule, scoring, matching, or verdict behavior changes.
+- No GitHub Action or release workflow changes.
+- New maintainer/package script: `npm run framework:tuning:doctor`.
+
+## Release Validation
+
+```powershell
+npm.cmd test
+npm.cmd run demo:svg:check
+npm.cmd run promo:card:check
+npm.cmd run promo:check
+npm.cmd run framework:tuning:check
+npm.cmd run framework:tuning:doctor
+npm.cmd run fixtures:report
+npm.cmd run fixtures:report -- --json
+npm.cmd run fixtures:report -- --markdown
+npm.cmd run site:check
+npm.cmd run pack:dry
+git diff --check
+node .\dist\cli.js tune coverage --no-config
+git diff | node .\dist\cli.js diff --fail-on block --subject "v0.1.84 framework tuning doctor"
+```
+
+Expected:
+
+- `framework:tuning:check` passes for five recipes,
+- `framework:tuning:doctor` runs 10 executable tune commands,
+- fixture report still shows `Fixtures: 222`,
+- no thin rule coverage,
+- no preset/kind gaps,
+- no rules without quiet-pass coverage,
+- GitHub Release and npm Publish complete from the `v0.1.84` tag.

package/docs/RELEASE_NOTES_v0.1.85.md

@@ -0,0 +1,54 @@
+# Memento Mori Jester v0.1.85
+
+## Summary
+
+This release adds a narrow adoption smoke workflow for real repos. It gives teams a read-only GitHub Actions recipe that checks the package health, proves a summary review path, and verifies the published framework tuning cookbook scripts before they enable heavier code-scanning workflows.
+
+## What Changed
+
+- Added `examples/ci/adoption-smoke.yml`.
+- Added `scripts/check-ci-adoption.mjs`.
+- Added `npm run ci:adoption:check`.
+- Wired the adoption checker into `npm test` and production-readiness checks.
+- Updated README, GitHub Actions docs, CI example docs, release docs, production-readiness docs, roadmap, and changelog.
+
+## Public Interface
+
+- No CLI command changes.
+- No MCP tool changes.
+- No config schema changes.
+- No review rule, scoring, matching, or verdict behavior changes.
+- No GitHub Action input changes.
+- New maintainer/package script: `npm run ci:adoption:check`.
+- New checked example workflow: `examples/ci/adoption-smoke.yml`.
+
+## Release Validation
+
+```powershell
+npm.cmd test
+npm.cmd run demo:svg:check
+npm.cmd run promo:card:check
+npm.cmd run promo:check
+npm.cmd run framework:tuning:check
+npm.cmd run framework:tuning:doctor
+npm.cmd run ci:adoption:check
+npm.cmd run fixtures:report
+npm.cmd run fixtures:report -- --json
+npm.cmd run fixtures:report -- --markdown
+npm.cmd run site:check
+npm.cmd run pack:dry
+git diff --check
+node .\dist\cli.js summary --kind command "git reset --hard"
+node .\dist\cli.js tune coverage --no-config
+git diff | node .\dist\cli.js diff --fail-on block --subject "v0.1.85 adoption smoke CI"
+```
+
+Expected:
+
+- `ci:adoption:check` passes for `examples/ci/adoption-smoke.yml`,
+- `framework:tuning:doctor` still runs 10 executable tune commands,
+- fixture report still shows `Fixtures: 222`,
+- no thin rule coverage,
+- no preset/kind gaps,
+- no rules without quiet-pass coverage,
+- GitHub Release and npm Publish complete from the `v0.1.85` tag.

package/examples/ci/README.md

@@ -13,8 +13,15 @@ npx -y memento-mori-jester@latest bootstrap --preset web
 
 Then copy the workflow that best matches your stack into `.github/workflows/memento-mori.yml`.
 
+If you want a first CI smoke before enabling code scanning, copy [Adoption Smoke](adoption-smoke.yml). It runs:
+
+- `npx -y memento-mori-jester@latest doctor`
+- `npx -y memento-mori-jester@latest summary --kind command "git reset --hard"`
+- `npm run framework:tuning:check` and `npm run framework:tuning:doctor` from the published package tarball
+
 ## Workflows
 
+- [Adoption Smoke](adoption-smoke.yml): read-only setup check for doctor, summary, and framework tuning cookbook commands.
 - [Next.js](nextjs.yml): app-router, middleware, redirects, public env, and browser-rendered UI.
 - [Vite React](vite-react.yml): browser storage, public config, redirects, and unsafe HTML surfaces.
 - [Express API](express-api.yml): CORS, auth bypasses, raw SQL, webhooks, and migrations.
@@ -25,5 +32,6 @@ Then copy the workflow that best matches your stack into `.github/workflows/meme
 ## Notes
 
 - Workflows upload SARIF and add a readable Actions job summary.
+- The adoption smoke workflow is read-only and does not upload SARIF.
 - Most stacks fail CI only on `BLOCK`.
 - The Terraform/Kubernetes example uses `fail-on: caution` because infra repos often want lower tolerance for risky changes.

package/examples/ci/adoption-smoke.yml

@@ -0,0 +1,42 @@
+name: Memento Mori Jester Adoption Smoke
+
+on:
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  adoption-smoke:
+    name: Adoption smoke
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup Node
+        uses: actions/setup-node@v6
+        with:
+          node-version: 24
+
+      - name: Jester doctor
+        run: npx -y memento-mori-jester@latest doctor
+
+      - name: Command summary smoke
+        run: npx -y memento-mori-jester@latest summary --kind command "git reset --hard"
+
+      - name: Framework tuning cookbook smoke
+        shell: bash
+        run: |
+          set -euo pipefail
+          workdir="$(mktemp -d)"
+          trap 'rm -rf "$workdir"' EXIT
+          npm pack memento-mori-jester@latest --pack-destination "$workdir" --silent
+          tar -xzf "$workdir"/memento-mori-jester-*.tgz -C "$workdir"
+          npm install --omit=dev --ignore-scripts --prefix "$workdir/package"
+          npm run framework:tuning:check --prefix "$workdir/package"
+          npm run framework:tuning:doctor --prefix "$workdir/package"

package/examples/tuning/README.md

@@ -4,6 +4,8 @@ These small recipes pair the [Framework Tuning Examples](../../docs/FRAMEWORK_TU
 
 The machine-readable source is [framework-tuning-cookbook.json](framework-tuning-cookbook.json). It is checked by `npm run framework:tuning:check`, so recipe commands and fixture IDs stay aligned with the public guide and fixture suite.
 
+Run `npm run framework:tuning:doctor` after `npm run build` when you want a consumer-style smoke check. It generates temporary preset configs with the built CLI, runs every cookbook `jester tune <rule-id> --json` command, validates the JSON advice shape, and confirms each recipe's fixture IDs are present in the packaged fixture suite.
+
 ## Recipes
 
 | Recipe | Stack | Preset | Tune commands | Fixture examples |
@@ -21,3 +23,9 @@ The machine-readable source is [framework-tuning-cookbook.json](framework-tuning
 3. Compare `fixtureEvidence.quietPassFixtures` and sample fixture descriptions with the local hit.
 4. If the local case is safe but missing from the fixture suite, add a redacted pass fixture before loosening a rule.
 5. If the local case includes a real secret, destructive command, broad permission, skipped eval, or user-controlled execution path, fix the change instead of muting the rule.
+
+Maintainer smoke check:
+
+```powershell
+npm.cmd run framework:tuning:doctor
+```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "memento-mori-jester",
-  "version": "0.1.83",
+  "version": "0.1.85",
   "description": "A local court-jester sidecar for AI coding agents: review plans, commands, diffs, and final claims before they get too pleased with themselves.",
   "type": "module",
   "repository": {
@@ -40,13 +40,15 @@
     "build": "tsc -p tsconfig.json",
     "start": "node dist/server.js",
     "start:mcp": "node dist/server.js",
-    "test": "npm run build && node scripts/run-tests.mjs && npm run fixtures:check && npm run fixtures:report && npm run framework:tuning:check && npm run promo:check && npm run site:check && npm run production:check",
+    "test": "npm run build && node scripts/run-tests.mjs && npm run fixtures:check && npm run fixtures:report && npm run framework:tuning:check && npm run framework:tuning:doctor && npm run ci:adoption:check && npm run promo:check && npm run site:check && npm run production:check",
     "doctor": "node dist/cli.js doctor",
     "demo:svg": "node scripts/render-demo-svg.mjs",
     "demo:svg:check": "node scripts/render-demo-svg.mjs --check",
     "fixtures:check": "node scripts/check-fixtures.mjs",
     "fixtures:report": "node scripts/report-fixtures.mjs",
     "framework:tuning:check": "node scripts/check-framework-tuning.mjs",
+    "framework:tuning:doctor": "node scripts/doctor-framework-tuning.mjs",
+    "ci:adoption:check": "node scripts/check-ci-adoption.mjs",
     "promo:card": "node scripts/render-social-card.mjs",
     "promo:card:check": "node scripts/render-social-card.mjs --check",
     "promo:check": "node scripts/check-promo-freshness.mjs",

package/scripts/check-ci-adoption.mjs

@@ -0,0 +1,89 @@
+#!/usr/bin/env node
+import { readFileSync } from "node:fs";
+import { join } from "node:path";
+
+const root = process.cwd();
+const failures = [];
+const workflowPath = "examples/ci/adoption-smoke.yml";
+const workflow = read(workflowPath);
+const examplesReadme = read("examples/ci/README.md");
+const githubActionsDocs = read("docs/GITHUB_ACTIONS.md");
+const readme = read("README.md");
+
+const unsafeContentPatterns = [
+  { name: "private key block", pattern: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
+  { name: "OpenAI-looking secret key", pattern: /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b/ },
+  { name: "Anthropic-looking secret key", pattern: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/ },
+  { name: "GitHub-looking token", pattern: /\bgh[pousr]_[A-Za-z0-9_]{20,}\b/ },
+  { name: "AWS access key id", pattern: /\bAKIA[0-9A-Z]{16}\b/ },
+  { name: "Slack-looking token", pattern: /\bxox[baprs]-[A-Za-z0-9-]{20,}\b/ },
+  { name: "absolute Unix home path", pattern: /(?:^|[\s"'`])\/(?:Users|home)\/[A-Za-z0-9._-]+/ },
+  { name: "absolute Windows user path", pattern: /[A-Za-z]:\\Users\\[A-Za-z0-9._-]+\\/ }
+];
+
+function read(path) {
+  return readFileSync(join(root, path), "utf8");
+}
+
+function requireText(path, content, pattern, description) {
+  if (!pattern.test(content)) {
+    failures.push(`${path} should include ${description}.`);
+  }
+}
+
+function forbidText(path, content, pattern, description) {
+  if (pattern.test(content)) {
+    failures.push(`${path} should not include ${description}.`);
+  }
+}
+
+for (const [path, content] of [
+  [workflowPath, workflow],
+  ["examples/ci/README.md", examplesReadme],
+  ["docs/GITHUB_ACTIONS.md", githubActionsDocs],
+  ["README.md", readme]
+]) {
+  for (const unsafe of unsafeContentPatterns) {
+    if (unsafe.pattern.test(content)) {
+      failures.push(`${path} appears to contain ${unsafe.name}; adoption examples should stay public and redacted.`);
+    }
+  }
+}
+
+requireText(workflowPath, workflow, /^name: Memento Mori Jester Adoption Smoke/m, "the adoption smoke workflow name");
+requireText(workflowPath, workflow, /^\s*pull_request:/m, "a pull_request trigger");
+requireText(workflowPath, workflow, /^\s*workflow_dispatch:/m, "a manual trigger");
+requireText(workflowPath, workflow, /^permissions:\s*\n\s*contents: read/m, "read-only contents permission");
+requireText(workflowPath, workflow, /actions\/checkout@v6/, "checkout@v6");
+requireText(workflowPath, workflow, /actions\/setup-node@v6/, "setup-node@v6");
+requireText(workflowPath, workflow, /node-version:\s*24/, "Node 24");
+requireText(workflowPath, workflow, /npx -y memento-mori-jester@latest doctor/, "the doctor command");
+requireText(workflowPath, workflow, /npx -y memento-mori-jester@latest summary --kind command "git reset --hard"/, "the command summary smoke");
+requireText(workflowPath, workflow, /npm pack memento-mori-jester@latest --pack-destination "\$workdir" --silent/, "the registry package smoke");
+requireText(workflowPath, workflow, /npm run framework:tuning:check --prefix "\$workdir\/package"/, "the framework tuning check command");
+requireText(workflowPath, workflow, /npm run framework:tuning:doctor --prefix "\$workdir\/package"/, "the framework tuning doctor command");
+requireText(workflowPath, workflow, /trap 'rm -rf "\$workdir"' EXIT/, "temporary package cleanup");
+forbidText(workflowPath, workflow, /pull_request_target/, "pull_request_target");
+forbidText(workflowPath, workflow, /security-events:\s*write|contents:\s*write|pull-requests:\s*write|id-token:\s*write/, "write permissions");
+forbidText(workflowPath, workflow, /npm publish|gh release|git push/, "release or publish commands");
+
+for (const [path, content] of [
+  ["examples/ci/README.md", examplesReadme],
+  ["docs/GITHUB_ACTIONS.md", githubActionsDocs],
+  ["README.md", readme]
+]) {
+  requireText(path, content, /adoption-smoke\.yml/, "the adoption smoke workflow link");
+  requireText(path, content, /doctor/, "doctor adoption guidance");
+  requireText(path, content, /summary --kind command "git reset --hard"/, "summary smoke guidance");
+  requireText(path, content, /framework:tuning:doctor/, "framework tuning doctor guidance");
+}
+
+if (failures.length > 0) {
+  console.error("CI adoption example check failed:");
+  for (const failure of failures) {
+    console.error(`- ${failure}`);
+  }
+  process.exit(1);
+}
+
+console.log("CI adoption example check passed for examples/ci/adoption-smoke.yml.");

package/scripts/check-production-readiness.mjs

@@ -69,6 +69,8 @@ for (const path of [
   "scripts/render-social-card.mjs",
   "scripts/check-site.mjs",
   "scripts/check-framework-tuning.mjs",
+  "scripts/doctor-framework-tuning.mjs",
+  "scripts/check-ci-adoption.mjs",
   "scripts/check-fixtures.mjs",
   "scripts/report-fixtures.mjs",
   ".github/ISSUE_TEMPLATE/bug_report.yml",
@@ -81,6 +83,7 @@ for (const path of [
   "examples/github-action.yml",
   "examples/github-code-scanning.yml",
   "examples/ci/README.md",
+  "examples/ci/adoption-smoke.yml",
   "examples/presets/README.md",
   "examples/tuning/README.md",
   "examples/tuning/framework-tuning-cookbook.json",
@@ -105,6 +108,7 @@ requireText("README.md", /fixtures:report/, "fixture coverage report guidance");
 requireText("README.md", /fixtures:report -- --markdown/, "Markdown fixture report guidance");
 requireText("README.md", /FRAMEWORK_TUNING\.md/, "framework tuning guide link");
 requireText("README.md", /examples\/tuning/, "framework tuning cookbook link");
+requireText("README.md", /adoption-smoke\.yml/, "adoption smoke CI link");
 requireText("README.md", /License: PolyForm Noncommercial/, "the noncommercial license badge");
 requireText("docs/PRODUCTION_READINESS.md", /npm package/i, "npm package readiness");
 requireText("docs/PRODUCTION_READINESS.md", /GitHub Action/i, "GitHub Action readiness");
@@ -119,16 +123,23 @@ requireText("docs/PRODUCTION_READINESS.md", /fixtures:check/, "fixture authoring
 requireText("docs/PRODUCTION_READINESS.md", /fixtures:report/, "fixture coverage report readiness");
 requireText("docs/PRODUCTION_READINESS.md", /fixtures:report -- --markdown/, "Markdown fixture report readiness");
 requireText("docs/PRODUCTION_READINESS.md", /framework:tuning:check/, "framework tuning cookbook readiness");
+requireText("docs/PRODUCTION_READINESS.md", /framework:tuning:doctor/, "framework tuning cookbook doctor readiness");
+requireText("docs/PRODUCTION_READINESS.md", /adoption-smoke\.yml/, "adoption smoke CI readiness");
 requireText("docs/PRODUCTION_READINESS.md", /quiet-pass/, "quiet-pass fixture readiness");
 requireText("docs/CLI.md", /jester doctor --json/, "doctor JSON CLI docs");
 requireText("docs/CLI.md", /quiet-pass fixture/, "quiet-pass fixture CLI docs");
 requireText("docs/CLI.md", /FRAMEWORK_TUNING\.md/, "framework tuning CLI link");
 requireText("docs/CLI.md", /examples\/tuning/, "framework tuning cookbook CLI link");
+requireText("docs/CLI.md", /framework:tuning:doctor/, "framework tuning doctor CLI docs");
 requireText("docs/FRAMEWORK_TUNING.md", /Next\.js/, "Next.js framework tuning example");
 requireText("docs/FRAMEWORK_TUNING.md", /FastAPI/, "FastAPI framework tuning example");
 requireText("docs/FRAMEWORK_TUNING.md", /Terraform/, "Terraform framework tuning example");
 requireText("docs/FRAMEWORK_TUNING.md", /jester tune <rule-id> --json/, "framework tuning command guidance");
 requireText("docs/FRAMEWORK_TUNING.md", /framework-tuning-cookbook\.json/, "framework tuning cookbook JSON link");
+requireText("docs/FRAMEWORK_TUNING.md", /framework:tuning:doctor/, "framework tuning doctor guidance");
+requireText("docs/GITHUB_ACTIONS.md", /adoption-smoke\.yml/, "adoption smoke GitHub Actions docs");
+requireText("docs/GITHUB_ACTIONS.md", /summary --kind command "git reset --hard"/, "adoption summary smoke docs");
+requireText("docs/GITHUB_ACTIONS.md", /framework:tuning:doctor/, "adoption framework tuning doctor docs");
 requireText("docs/MAINTAINER_TRIAGE.md", /doctor --json/, "doctor JSON triage prompt");
 requireText("docs/MAINTAINER_TRIAGE.md", /tune <rule-id> --json/, "tune JSON triage prompt");
 requireText("docs/MAINTAINER_TRIAGE.md", /preset-review-cases\.json/, "fixture suite link");
@@ -139,7 +150,12 @@ requireText("examples/fixtures/README.md", /Adding A Fixture From A Report/, "fi
 requireText("examples/fixtures/README.md", /fixtures:check/, "fixture authoring check guidance");
 requireText("examples/fixtures/README.md", /fixtures:report/, "fixture coverage report guidance");
 requireText("examples/fixtures/README.md", /fixtures:report -- --markdown/, "Markdown fixture report guidance");
+requireText("examples/ci/README.md", /adoption-smoke\.yml/, "adoption smoke CI index link");
+requireText("examples/ci/adoption-smoke.yml", /npx -y memento-mori-jester@latest doctor/, "adoption smoke doctor command");
+requireText("examples/ci/adoption-smoke.yml", /summary --kind command "git reset --hard"/, "adoption smoke summary command");
+requireText("examples/ci/adoption-smoke.yml", /framework:tuning:doctor/, "adoption smoke tuning doctor command");
 requireText("examples/tuning/README.md", /framework-tuning-cookbook\.json/, "framework tuning cookbook JSON link");
+requireText("examples/tuning/README.md", /framework:tuning:doctor/, "framework tuning doctor guidance");
 requireText("examples/tuning/README.md", /jester tune <rule-id> --json|jester tune [a-z0-9-]+ --json/, "framework tuning command guidance");
 requireText("examples/tuning/framework-tuning-cookbook.json", /next-vite-public-config/, "Next/Vite tuning recipe");
 requireText("examples/tuning/framework-tuning-cookbook.json", /ai-mcp-tooling/, "AI/MCP tuning recipe");
@@ -155,9 +171,18 @@ forbidText("scripts/report-fixtures.mjs", /src\/config\.ts|src\/types\.ts/, "sou
 requireText("scripts/check-framework-tuning.mjs", /framework-tuning-cookbook\.json/, "framework tuning cookbook check");
 requireText("scripts/check-framework-tuning.mjs", /preset-review-cases\.json/, "framework tuning fixture alignment");
 requireText("scripts/check-framework-tuning.mjs", /unsafeContentPatterns/, "unsafe tuning content checks");
+requireText("scripts/doctor-framework-tuning.mjs", /dist.*cli\.js|cliPath/, "built CLI doctor path");
+requireText("scripts/doctor-framework-tuning.mjs", /config.*init|config", "init"/, "generated preset config doctor");
+requireText("scripts/doctor-framework-tuning.mjs", /tune.*--json|tune", ruleId, "--json"/, "tune JSON doctor command");
+forbidText("scripts/doctor-framework-tuning.mjs", /src\/config\.ts|src\/types\.ts/, "source-only framework tuning doctor dependencies");
+requireText("scripts/check-ci-adoption.mjs", /adoption-smoke\.yml/, "adoption smoke checker target");
+requireText("scripts/check-ci-adoption.mjs", /pull_request_target/, "adoption smoke unsafe trigger guard");
+requireText("scripts/check-ci-adoption.mjs", /framework:tuning:doctor/, "adoption smoke tuning doctor guard");
 requireText("package.json", /"fixtures:check": "node scripts\/check-fixtures\.mjs"/, "fixture authoring check script");
 requireText("package.json", /"fixtures:report": "node scripts\/report-fixtures\.mjs"/, "fixture coverage report script");
 requireText("package.json", /"framework:tuning:check": "node scripts\/check-framework-tuning\.mjs"/, "framework tuning cookbook check script");
+requireText("package.json", /"framework:tuning:doctor": "node scripts\/doctor-framework-tuning\.mjs"/, "framework tuning cookbook doctor script");
+requireText("package.json", /"ci:adoption:check": "node scripts\/check-ci-adoption\.mjs"/, "CI adoption check script");
 requireText("package.json", /"promo:card": "node scripts\/render-social-card\.mjs"/, "social card render script");
 requireText("package.json", /"promo:card:check": "node scripts\/render-social-card\.mjs --check"/, "social card stale check script");
 requireText("package.json", /"promo:check": "node scripts\/check-promo-freshness\.mjs"/, "promo freshness check script");
@@ -165,6 +190,8 @@ requireText("package.json", /"site:check": "node scripts\/check-site\.mjs"/, "si
 requireText("package.json", /npm run fixtures:check/, "fixture authoring check in npm test");
 requireText("package.json", /npm run fixtures:report/, "fixture coverage report in npm test");
 requireText("package.json", /npm run framework:tuning:check/, "framework tuning cookbook check in npm test");
+requireText("package.json", /npm run framework:tuning:doctor/, "framework tuning cookbook doctor in npm test");
+requireText("package.json", /npm run ci:adoption:check/, "CI adoption check in npm test");
 requireText("package.json", /npm run promo:check/, "promo freshness check in npm test");
 requireText("package.json", /npm run site:check/, "site check in npm test");
 requireText("scripts/check-promo-freshness.mjs", /--require-package-version/, "optional strict package-version promo check");

package/scripts/doctor-framework-tuning.mjs

@@ -0,0 +1,263 @@
+#!/usr/bin/env node
+import { existsSync, mkdtempSync, readFileSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+import { spawnSync } from "node:child_process";
+
+const scriptDir = dirname(fileURLToPath(import.meta.url));
+const root = join(scriptDir, "..");
+const cliPath = join(root, "dist", "cli.js");
+const cookbookPath = join(root, "examples", "tuning", "framework-tuning-cookbook.json");
+const fixturesPath = join(root, "examples", "fixtures", "preset-review-cases.json");
+const failures = [];
+const commandPattern = /^jester tune ([a-z0-9]+(?:-[a-z0-9]+)*) --json$/;
+const presets = ["node", "python", "web", "api", "infra", "ai", "security"];
+
+function readJson(path) {
+  return JSON.parse(readFileSync(path, "utf8"));
+}
+
+function runCli(args, options = {}) {
+  const result = spawnSync(process.execPath, [cliPath, ...args], {
+    cwd: root,
+    encoding: "utf8",
+    maxBuffer: 10 * 1024 * 1024
+  });
+
+  if (result.error) {
+    throw result.error;
+  }
+
+  if (result.status !== 0) {
+    const detail = [result.stdout, result.stderr].filter(Boolean).join("\n").trim();
+    throw new Error(`jester ${args.join(" ")} failed${detail ? `:\n${detail}` : "."}`);
+  }
+
+  if (!options.json) {
+    return result.stdout;
+  }
+
+  try {
+    return JSON.parse(result.stdout);
+  } catch (error) {
+    throw new Error(`jester ${args.join(" ")} did not return JSON: ${error instanceof Error ? error.message : String(error)}`);
+  }
+}
+
+if (!existsSync(cliPath)) {
+  console.error("Framework tuning doctor failed:");
+  console.error(`- ${cliPath} is missing. Run npm run build first, or run this from an installed package.`);
+  process.exit(1);
+}
+
+let cookbook;
+let fixtures;
+try {
+  cookbook = readJson(cookbookPath);
+  fixtures = readJson(fixturesPath);
+} catch (error) {
+  console.error(`Could not parse framework tuning doctor inputs: ${error instanceof Error ? error.message : String(error)}`);
+  process.exit(1);
+}
+
+if (!Array.isArray(cookbook)) {
+  console.error(`Framework tuning doctor failed: ${cookbookPath} should contain a JSON array.`);
+  process.exit(1);
+}
+
+if (!Array.isArray(fixtures)) {
+  console.error(`Framework tuning doctor failed: ${fixturesPath} should contain a JSON array.`);
+  process.exit(1);
+}
+
+const fixtureById = new Map(fixtures.map((fixture) => [fixture.id, fixture]));
+const tmpRoot = mkdtempSync(join(tmpdir(), "jester-framework-tuning-"));
+const configByPreset = new Map();
+
+try {
+  for (const preset of presets) {
+    const configPath = join(tmpRoot, `${preset}.config.json`);
+    runCli(["config", "init", "--preset", preset, "--path", configPath, "--force"]);
+    runCli(["config", "validate", "--config", configPath]);
+    configByPreset.set(preset, configPath);
+  }
+
+  const noConfigCatalog = readRuleCatalog(["rules", "--json", "--no-config"]);
+  const presetCatalogs = new Map();
+  for (const [preset, configPath] of configByPreset.entries()) {
+    presetCatalogs.set(preset, readRuleCatalog(["rules", "--json", "--config", configPath]));
+  }
+
+  const recipeSummaries = [];
+  let commandCount = 0;
+  let fixtureReferenceCount = 0;
+
+  for (const recipe of cookbook) {
+    const label = typeof recipe?.id === "string" ? recipe.id : "unknown-recipe";
+    const commands = Array.isArray(recipe?.commands) ? recipe.commands : [];
+    const fixtureIds = Array.isArray(recipe?.fixtures) ? recipe.fixtures : [];
+    const recipeRuleIds = [];
+
+    for (const command of commands) {
+      const match = typeof command === "string" ? command.match(commandPattern) : null;
+      if (!match) {
+        failures.push(`${label} command should match "jester tune <rule-id> --json". Saw ${String(command)}.`);
+        continue;
+      }
+
+      recipeRuleIds.push(match[1]);
+    }
+
+    for (const fixtureId of fixtureIds) {
+      const fixture = fixtureById.get(fixtureId);
+      if (!fixture) {
+        failures.push(`${label} references missing fixture ${fixtureId}.`);
+        continue;
+      }
+
+      const refs = new Set([
+        ...(Array.isArray(fixture.expectedRuleIds) ? fixture.expectedRuleIds : []),
+        ...(Array.isArray(fixture.absentRuleIds) ? fixture.absentRuleIds : [])
+      ]);
+      fixtureReferenceCount += refs.size;
+    }
+
+    for (const ruleId of recipeRuleIds) {
+      const relatedFixtures = fixtureIds.filter((fixtureId) => {
+        const fixture = fixtureById.get(fixtureId);
+        const refs = new Set([
+          ...(Array.isArray(fixture?.expectedRuleIds) ? fixture.expectedRuleIds : []),
+          ...(Array.isArray(fixture?.absentRuleIds) ? fixture.absentRuleIds : [])
+        ]);
+        return refs.has(ruleId);
+      });
+
+      if (relatedFixtures.length === 0) {
+        failures.push(`${label} command for ${ruleId} should have at least one referenced fixture in expectedRuleIds or absentRuleIds.`);
+      }
+
+      const runContext = chooseRunContext(ruleId, recipe.preset, noConfigCatalog, presetCatalogs, configByPreset);
+      if (!runContext) {
+        failures.push(`${label} command for ${ruleId} did not resolve in built-in rules or generated preset configs.`);
+        continue;
+      }
+
+      const args = ["tune", ruleId, "--json"];
+      if (runContext.configPath) {
+        args.push("--config", runContext.configPath);
+      } else {
+        args.push("--no-config");
+      }
+
+      let advice;
+      try {
+        advice = runCli(args, { json: true });
+      } catch (error) {
+        failures.push(`${label} command for ${ruleId} failed: ${error instanceof Error ? error.message : String(error)}`);
+        continue;
+      }
+
+      commandCount += 1;
+      validateTuneAdvice(label, ruleId, runContext.name, advice);
+    }
+
+    recipeSummaries.push({
+      id: label,
+      commandCount: recipeRuleIds.length,
+      fixtureCount: fixtureIds.length
+    });
+  }
+
+  if (failures.length > 0) {
+    console.error("Framework tuning doctor failed:");
+    for (const failure of failures) {
+      console.error(`- ${failure}`);
+    }
+    process.exit(1);
+  }
+
+  console.log("Framework tuning doctor");
+  console.log("");
+  for (const recipe of recipeSummaries) {
+    console.log(`PASS ${recipe.id}: ${recipe.commandCount} tune command(s), ${recipe.fixtureCount} fixture reference(s)`);
+  }
+  console.log("");
+  console.log(`Checked ${recipeSummaries.length} recipe(s), ${commandCount} executable tune command(s), and ${fixtureReferenceCount} fixture rule reference(s).`);
+  console.log("Generated temporary preset configs and removed them after validation.");
+} finally {
+  rmSync(tmpRoot, { recursive: true, force: true });
+}
+
+function readRuleCatalog(args) {
+  const output = runCli(args, { json: true });
+  if (!Array.isArray(output.rules)) {
+    throw new Error(`jester ${args.join(" ")} did not return a rules array.`);
+  }
+  return new Set(output.rules.map((rule) => rule.id).filter((id) => typeof id === "string"));
+}
+
+function chooseRunContext(ruleId, preferredPreset, noConfigCatalog, presetCatalogs, configByPreset) {
+  if (typeof preferredPreset === "string" && presetCatalogs.get(preferredPreset)?.has(ruleId)) {
+    return {
+      name: preferredPreset,
+      configPath: configByPreset.get(preferredPreset)
+    };
+  }
+
+  for (const [preset, catalog] of presetCatalogs.entries()) {
+    if (catalog.has(ruleId)) {
+      return {
+        name: preset,
+        configPath: configByPreset.get(preset)
+      };
+    }
+  }
+
+  if (noConfigCatalog.has(ruleId)) {
+    return {
+      name: "built-in",
+      configPath: null
+    };
+  }
+
+  return null;
+}
+
+function validateTuneAdvice(recipeId, ruleId, contextName, advice) {
+  if (advice?.ruleId !== ruleId) {
+    failures.push(`${recipeId} expected tune JSON ruleId ${ruleId}; saw ${String(advice?.ruleId)}.`);
+  }
+
+  if (typeof advice?.title !== "string" || advice.title.length === 0) {
+    failures.push(`${recipeId} tune ${ruleId} should include a title.`);
+  }
+
+  if (!Number.isInteger(advice?.severity)) {
+    failures.push(`${recipeId} tune ${ruleId} should include numeric severity.`);
+  }
+
+  if (!Array.isArray(advice?.kinds) || advice.kinds.length === 0) {
+    failures.push(`${recipeId} tune ${ruleId} should include review kinds.`);
+  }
+
+  if (typeof advice?.recommendation !== "string" || advice.recommendation.length === 0) {
+    failures.push(`${recipeId} tune ${ruleId} should include a recommendation.`);
+  }
+
+  if (!Array.isArray(advice?.checksBeforeMuting) || advice.checksBeforeMuting.length === 0) {
+    failures.push(`${recipeId} tune ${ruleId} should include checksBeforeMuting.`);
+  }
+
+  if (advice?.fixtureEvidence?.ruleId !== ruleId) {
+    failures.push(`${recipeId} tune ${ruleId} should include fixtureEvidence for the same rule.`);
+  }
+
+  if (!advice?.commands?.inspect || !advice?.commands?.validate || !advice?.commands?.list) {
+    failures.push(`${recipeId} tune ${ruleId} should include inspect, validate, and list commands.`);
+  }
+
+  if (contextName !== "built-in" && advice?.configPath === null) {
+    failures.push(`${recipeId} tune ${ruleId} should report a generated config path when using the ${contextName} preset.`);
+  }
+}