
release/consolidation-2026-06-26: weft-seam conformance + project-root artifacts #69

Merged: tachyon-beep merged 122 commits into main from release/consolidation-2026-06-26 on Jun 28, 2026

Conversation

@tachyon-beep (Collaborator)

Consolidation release of two bodies of work onto main.

1. Weft-seam conformance program (this cycle)

Brings every weft peer-to-peer interface to the SEI bar — a frozen contract + golden-vector oracle + fail-closed CI gate + two-layer drift alarm — enforced by a single lie-detector gate.

  • Enforceable seam registry + gate (tests/conformance/test_seam_registry.py, seam_registry.json): a fail-closed, unmarked-default-suite gate that parses the 3 real marker sources; at_bar requires a real oracle + byte-pin + applied marker. Verdicts: at_bar 12, peer_conformant 4, gap 20, deferred 1, one_sided_na 3.
  • Shared WeftHttp transport + federation-status envelope single-sourcing (dedup across MCP/CLI/scan-jobs), behaviour-preserving.
  • 12 at_bar seams incl. G1 (the wardline→legis signed scan-artifact wire) reaching the bar via a single byte-identical shared vector — wardline's real signer reproduces legis's byte-exact expected_signature, byte-pinned to legis's copy.
  • Legis fence lifted: the legis-involving seams were brought to the bar in their own repos (legis/loomweave/filigree) — SEI(loomweave→legis), git-rename, governed sign-off(→filigree), loomweave HMAC. Where wardline isn't a party, rows carry the new peer_conformant verdict (gated to require peer repo + commit + test evidence, never bare gap). Genuinely-incomplete seams (plainweave consumer unbuilt; two warpline obligations) stay gap with structured notes — no manufactured contracts.

2. Project-root-anchored artifacts + doctor hygiene (from …06-25)

Default scan artifacts anchor to the weft-project root; wardline doctor --repair gitignores the artifacts dir and sweeps stray managed artifacts (CLI + MCP doctor with destructiveHint); the wlfp2 move-stable fingerprint rekey (with fan-out). Already reviewed on the feat/project-root-anchored-artifacts line.

Merge integrity

The weft feature was merged clean (the 3 superseded artifacts-spec drafts dropped). All 5 conflicts were resolved by combining both sides (WeftHttp + URL redaction; federation_status imports ∪ redact; CHANGELOG [Unreleased] + [1.0.7]; 37 glossary line-anchors recomputed against merged source — verified no doc content lost). 3 frozen goldens re-frozen, each root-caused as a legitimate …06-25 feature and guard-verified to change only the expected fields.

Verification

Full suite 4419 passed, ruff clean, wardline scan --fail-on ERROR exit 0. Version: 1.0.7.

🤖 Generated with Claude Code

John Morrissey and others added 30 commits June 21, 2026 16:58
This ensures that the output of these potentially unsafe deserialization
functions correctly sheds validation provenance (becomes `UNKNOWN_RAW`)
in the taint propagation logic.

Co-authored-by: tachyon-beep <544926+tachyon-beep@users.noreply.github.com>
Bumps the actions-minor-patch group with 1 update: [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish).


Updates `pypa/gh-action-pypi-publish` from 1.13.0 to 1.14.0
- [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases)
- [Commits](pypa/gh-action-pypi-publish@ed0c539...cef2210)

---
updated-dependencies:
- dependency-name: pypa/gh-action-pypi-publish
  dependency-version: 1.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/configure-pages](https://github.com/actions/configure-pages) from 5 to 6.
- [Release notes](https://github.com/actions/configure-pages/releases)
- [Commits](actions/configure-pages@v5...v6)

---
updated-dependencies:
- dependency-name: actions/configure-pages
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/deploy-pages](https://github.com/actions/deploy-pages) from 4 to 5.
- [Release notes](https://github.com/actions/deploy-pages/releases)
- [Commits](actions/deploy-pages@v4...v5)

---
updated-dependencies:
- dependency-name: actions/deploy-pages
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v4...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) from 7.6.0 to 8.2.0.
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](astral-sh/setup-uv@37802ad...fac544c)

---
updated-dependencies:
- dependency-name: astral-sh/setup-uv
  dependency-version: 8.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
The waiver_add entity_symbol path resolves a qualname through Loomweave
(SeiResolver.detect + resolve_locator) before writing the waiver — an
outbound/loopback network side effect. But the tool declared only
READ|WRITE and _effective_tool_capabilities had no waiver_add branch, so
ToolPolicy never denied it under allow_network=false: any client allowed
the write tools could trigger signed Loomweave requests despite the
network being fenced off.

Add a waiver_add branch that declares NETWORK under the exact predicate
that fires the resolve — entity_symbol present, entity_id absent (entity_id
wins and is carried opaque), and a Loomweave URL configured — mirroring the
scan/explain_taint/dossier gates. Also align the handler so it only builds
the Loomweave client when entity_symbol and not entity_id, matching the
declared side effect. resolve_entity_binding_input is the sole network path
in _waiver_add (add_waiver is a local FS write); the gate is a precise,
fail-closed match.

Regression tests: entity_symbol under no-network policy is denied before the
handler runs; entity_id-only and entity_id-wins-over-symbol stay ungated.

Closes wardline-14359d070b.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The Level-2 branch-join merges deduplicated candidates with a nested
linear scan of the growing candidate list: `any(lam is seen for seen in
bucket)` in _merge_branch_bindings and `if fqn not in bucket` in
_merge_branch_types. That is O(bucket) per insert, O(bucket**2) per
merge. Across a chain of N one-armed branches rebinding the same name
(`if flagK: cb = lambda c: sinkK(c)`), the candidate set grows to N over
N merges -> O(N**3). An attacker-authored file with ~1100 such branches
drove a DEFAULT-gate scan to ~15s, exhausting CPU on every local and CI
run (wardline-c797baf28b).

Both merges now dedup via a per-name identity/equality set: O(1) per
insert, O(bucket) per merge, O(N**2) cumulative. The change is
behavior-identical -- same candidate set, same first-seen insertion
order, same dedup semantics -- so no false negative is introduced. A cap
was deliberately avoided: dropping candidates would be an FN, against
this module's no-FN discipline; this mirrors the d7ecb90 precedent of
eliminating the complexity soundly rather than capping.

The 1100-branch PoC drops 4.388s -> 0.080s (55x); the var_types sibling
1.015s -> 0.037s (27x). Full scanner suite (1363 tests) stays green.

Tests:
- test_lambda_candidate_merge_is_not_cubic_on_chained_rebinds (DoS guard)
- test_var_type_candidate_merge_is_not_cubic_on_chained_rebinds (sibling)
- test_chained_one_armed_rebinds_keep_every_lambda_candidate (no-FN lock)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
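As an added illustration of the candidate-merge fix this commit describes (example code written for this page, not wardline's own _merge_branch_bindings), the naive nested scan and the identity-set dedup side by side, driven by an instrumented model of the chained one-armed rebinds; `LambdaCandidate`, the op counters and the closed-form counts are constructed for the example.

```python
"""Per-name candidate merge: nested linear scan (cubic) vs. identity-set dedup (quadratic)."""
from __future__ import annotations

from typing import Callable


class LambdaCandidate:
    """Stand-in for a lambda AST node (constructed for this example). Two candidates
    are the same only if they are the same object, mirroring `lam is seen`."""

    __slots__ = ("label",)

    def __init__(self, label: str) -> None:
        self.label = label


def merge_naive(prior: list, incoming: list, ops: list[int]) -> list:
    """Before: dedup by scanning the growing bucket on every insert.
    ops[0] counts identity comparisons (instrumentation only)."""
    bucket: list = []
    for lam in [*prior, *incoming]:
        seen_before = False
        for seen in bucket:                 # O(len(bucket)) per insert
            ops[0] += 1
            if lam is seen:
                seen_before = True
                break
        if not seen_before:
            bucket.append(lam)
    return bucket


def merge_identity_set(prior: list, incoming: list, ops: list[int],
                       key: Callable = id) -> list:
    """After: a membership set alongside the ordered list. Same candidate set, same
    first-seen order, O(1) per insert. key=id gives identity semantics for lambda
    nodes (safe only because `bucket` keeps every candidate alive); key=str gives
    the equality semantics of the `fqn not in bucket` sibling merge."""
    bucket: list = []
    seen_keys: set = set()
    for lam in [*prior, *incoming]:
        ops[0] += 1                         # one hash lookup per insert
        k = key(lam)
        if k not in seen_keys:
            seen_keys.add(k)
            bucket.append(lam)
    return bucket


def simulate_chained_rebinds(n: int, merge: Callable) -> tuple[list[str], int]:
    """Model N one-armed branches `if flagK: cb = lambda c: sinkK(c)`: at each join
    the fall-through arm carries every candidate seen so far and the taken arm carries
    one new lambda. Returns the surviving labels and the instrumented op count."""
    candidates: list = []
    ops = [0]
    for k in range(n):
        taken_arm = [LambdaCandidate(f"lambda_{k}")]
        candidates = merge(candidates, taken_arm, ops)
    return [c.label for c in candidates], ops[0]


def expected_ops(n: int) -> tuple[int, int]:
    """Closed forms for the counts above: (n-1)n(n+1)/6 before, n(n+1)/2 after."""
    return (n - 1) * n * (n + 1) // 6, n * (n + 1) // 2
```

Both merges return the identical ordered candidate list; only the work differs, which is the no-false-negative property the commit relies on.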
Passed `_SAFE_GIT_CONFIG = ("-c", "core.fsmonitor=false")` to all untrusted Git subprocess executions in delta and legis.

Co-authored-by: tachyon-beep <544926+tachyon-beep@users.noreply.github.com>
Passed `_SAFE_GIT_CONFIG = ("-c", "core.fsmonitor=false")` to all untrusted Git subprocess executions in delta and legis.

Co-authored-by: tachyon-beep <544926+tachyon-beep@users.noreply.github.com>
John Morrissey and others added 4 commits June 26, 2026 23:56
… consumer drift check

Phase C of warpline integration. Publishes the versioned, drift-checked
wardline.delta_scope.v1 producer artifact (the DeltaScopeReport.to_dict() shape,
13 fields incl. scope_source + producer_generated_at) with a drift test, and
extends the warpline.reverify_worklist.v1 consumer conformance test to assert
generated_at capture plus a WARPLINE_REPO-gated published-artifact drift marker
(skips clean until warpline publishes its half). Closes the contract-integrity
portion of wardline-c0563eee74.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…t whole-file

Final-review Critical: the attest-2 boundary content_hash is EntityBinding.content_hash
= Loomweave identity-resolve content_hash, which per the Accepted ADR
2026-06-02-wardline-hash-granularity-two-model is the ENTITY-BODY span hash (same
granularity as Filigree content_hash_at_attach), NOT whole-file. The published
artifacts had it inverted (whole-file / 'not entity-span' / 'do not key as
entity-precise') — a fail-open instruction that contradicted a live conformance
test and would make warpline cross-compare granularities (permanent false-STALE)
or transfer a clean verdict across sibling entities. The data was always correct
(entity-body is the right key for a SEI-scoped boundary); only the labels were
wrong. Relabelled across contract doc, attest.py comment, MCP _ATTEST_OUTPUT_SCHEMA
(+ golden re-frozen, VENDORED_BLOB_SHA cd08480), attestation.md, CHANGELOG,
seam_registry. Also (Minor): noted verdict=='defect' as a proven-bad signal
distinct from the non-exhaustive enrichment_reasons triple; marked the
WARPLINE_REPO-gated test as an existence-only placeholder.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ness (D1)

Replaces the phantom producer_generated_at (which read data.generated_at — a key
warpline never emits) with producer_completeness: a VERBATIM, unverified echo of
warpline's now-shipped data.impact_completeness object (self-assessed completeness
+ staleness of the change-impact analysis, in one object). Captured defensively
(dict-or-None), namespaced, and never fed into mode/gate_authority/any verdict —
wardline stays the trust authority. Threaded AffectedScope -> run_scan ->
DeltaScopeReport.to_dict() (auto-propagates CLI/SARIF); MCP scope schema mirrors it
as a loose object (wardline echoes verbatim, does not pin warpline's inner shape);
key-parity test + wardline.delta_scope.v1 fields updated; golden re-frozen.

Realigned the vendored warpline_delta fixtures to warpline's REAL published envelope
(full reverify_worklist.v1 shape: completeness/impact_completeness/staleness/items/
resolved/unresolved) and made the WARPLINE_REPO-gated drift test REAL — it now
validates every fixture against warpline's published
contracts/reverify_worklist.v1.schema.json via jsonschema (was existence-only).
Verified live: WARPLINE_REPO=/home/john/warpline -> 10/10 pass. Closes D1; the
warpline<->wardline reverify seam is now two-sided drift-checked (wardline-c0563eee74).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ung-2)

Agent-facing operational counterpart to the wardline-attest-2 contract: the prompt
warpline's risk-as-verification step uses to turn a bundle into proven_good /
proven_bad / risk=unavailable, with wardline as the sole trust authority. Aligned
to the shipped contract: content_hash is ENTITY-BODY span (entity-precise; compare
same-granularity only, never whole-file), defect is a distinct proven_bad signal,
and the enrichment_reasons triple is non-exhaustive (+ content_drift). Cross-linked
from wardline-attest-2.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@tachyon-beep (Collaborator, Author)

Added: warpline integration (item 4, P1) — 9f5924bf..b1a97d5e

Six commits implementing the wardline↔warpline P1 integration (evaluated + planned earlier this cycle):

  • (a) delta-scope provenance: `scope_source` + warpline's UNVERIFIED producer_generated_at in the --affected scope block (9f5924bf); published+drift-checked wardline.delta_scope.v1 (ab0754fe).
  • (b) attest-2 — bumped attest bundle to wardline-attest-2 with per-boundary content_hash binding (dffa092d); final-review Critical fix: content_hash is entity-body span (= Loomweave EntityBinding/Filigree content_hash_at_attach granularity per ADR 2026-06-02-hash-granularity-two-model), not whole-file — relabelled across all published artifacts (7b4afcda).
  • (D1) warpline-published completeness mirrored as producer_completeness (33d5d5f2).
  • Consumer prompt — agent-facing docs/contracts/wardline-attest-2-consumer-prompt.md for warpline's Rung-2 risk-as-verification, aligned to the corrected contract (b1a97d5e).

Boundary preserved: wardline never calls warpline (consumes pushed/untrusted scope); warpline never declares clean (relays wardline's fail-closed 3-valued verdict; unknown/drift → risk=unavailable).

Gate (local, full tree): pytest 4436 passed / 1 skipped · ruff check clean · mypy clean (530 files).

⚠️ Pre-existing (NOT warpline-p1): ruff format --check flags ~12 files (tests/unit/rust/*, etc.) already present at df0a79f8 — outside this work's scope; flagging for the release owner to address before merge if CI gates on format.

John Morrissey and others added 24 commits June 27, 2026 11:55
Pure formatting (no logic change) across 12 files flagged by `ruff format --check`
on the release branch — whitespace/line-wrapping in tests + install/doctor.py. Brings
the branch's Lint+Format CI check green so PR #69 is merge-ready. No warpline-p1
source files affected.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
A sibling's .weft/<sibling>/ephemeral.port advertises a live `serve`
instance. When that process exits or wedges, the file lingers and every
`wardline scan` dials a dead/hung origin, stalling the agent gate up to the
federation 30s urlopen timeout per round-trip on a purely advisory emission
— the reported ~90s `wardline scan .` hang in dogfood repos (~/elspeth).

New `stale_sibling_ports` doctor check (CLI + MCP `doctor` tool):
- Probes each advertised port (filigree, loomweave) at the host the scan
  dials — filigree→localhost (self-heals over IPv4/IPv6 so a ::1-only
  filigree is not falsely cleared), loomweave→127.0.0.1 — with a short 2s
  deadline, NOT the 30s federation default.
- Unreachable (connection refused OR no HTTP reply within the deadline — a
  wedged server) is stale; --repair / fix:true deletes the file so
  resolve_*_url falls back to "no sibling" and the scan stops dialing it.
- A live server (any HTTP status) is never touched; the delete is
  regular-file / no-follow confined (a symlinked ephemeral.port is never
  followed). Advisory like the stray-artifact sweep — never flips the
  aggregate doctor verdict.

Verified end-to-end against ~/elspeth: a wedged filigree port that made
`wardline scan .` take 1m47s clears in ~4s, and the subsequent scan
completes in 24s (pure CPU) with the wedged trap still up.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
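An added standalone model of the stale-port check this commit describes (example code for this page, not wardline's doctor implementation): a short-deadline HTTP probe that treats a refused connect and a wedged server alike, and a sweep of the port file that is lstat/no-follow confined. The host, file layout and the `demo_scenarios` fixtures (a real loopback server, a listener that never answers, a closed port, a symlink) are constructed here.

```python
import http.client
import http.server
import os
import socket
import stat
import tempfile
import threading
from pathlib import Path


def probe_http(host: str, port: int, deadline: float = 2.0) -> bool:
    """True iff something speaks HTTP on host:port within `deadline` seconds.
    Connection refused and a connect that succeeds but never yields a reply
    (a wedged server) both count as unreachable; any HTTP status counts as live."""
    conn = http.client.HTTPConnection(host, port, timeout=deadline)
    try:
        conn.request("GET", "/")
        conn.getresponse()
        return True
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()


def sweep_sibling_port(port_file, host: str, repair: bool, deadline: float = 2.0) -> str:
    """Doctor-style check of one advertised ephemeral.port file.
    Returns one of: absent, skipped, live, stale, stale_removed."""
    port_file = Path(port_file)
    try:
        st = os.lstat(port_file)                      # lstat never follows a symlink
    except FileNotFoundError:
        return "absent"
    if not stat.S_ISREG(st.st_mode):
        return "skipped"                              # symlink, dir, device: never touched
    fd = os.open(port_file, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    try:
        with os.fdopen(fd) as fh:
            port = int(fh.read().strip())
    except ValueError:
        return "skipped"                              # not a port number: leave it alone
    if probe_http(host, port, deadline):
        return "live"
    if repair:
        port_file.unlink()                            # removes the entry itself, never a target
        return "stale_removed"
    return "stale"


def demo_scenarios(deadline: float = 0.5) -> dict:
    """Constructed loopback scenarios: a live server, a listener that never
    answers (wedged), a closed port, and a symlink pointing at a stale port file."""
    host = "127.0.0.1"
    live = http.server.HTTPServer((host, 0), http.server.BaseHTTPRequestHandler)  # answers 501
    threading.Thread(target=live.handle_request, daemon=True).start()
    wedged = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    wedged.bind((host, 0))
    wedged.listen(1)                                  # TCP connects queue up, HTTP never answers
    closed = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    closed.bind((host, 0))
    closed_port = closed.getsockname()[1]
    closed.close()                                    # nothing listens here any more
    ports = {"live": live.server_address[1], "wedged": wedged.getsockname()[1], "closed": closed_port}
    results = {}
    try:
        with tempfile.TemporaryDirectory() as tmp:
            root = Path(tmp)
            for name, port in ports.items():
                port_file = root / name / "ephemeral.port"
                port_file.parent.mkdir()
                port_file.write_text(str(port))
                results[name] = sweep_sibling_port(port_file, host, repair=True, deadline=deadline)
                results[f"{name}_file_kept"] = port_file.exists()
            target = root / "target" / "ephemeral.port"
            target.parent.mkdir()
            target.write_text(str(closed_port))       # stale, but reached only through the link
            link = root / "link.port"
            link.symlink_to(target)
            results["symlink"] = sweep_sibling_port(link, host, repair=True, deadline=deadline)
            results["symlink_kept"] = link.is_symlink()
            results["symlink_target_kept"] = target.exists()
    finally:
        live.server_close()
        wedged.close()
    return results
```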
Make durable the bet rotation a prior 2026-06-27 session decided but crashed
before checkpointing. PDR-0002 records the within-grant Later→Now promotion
(Codex hardening close-out paid off — both P1s closed, codex-security-2026-06-20
batch 0 open, G2 at target → ACCEPT). Commits the orphaned metrics.md (G2 +
G2-seam readings) and PRD-0002; rotates roadmap.md Now; rewrites current-state.md;
re-stamps the grant review date (re-confirmed unchanged).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…'t read my store"

Extend the MCP doctor tool with a READ-ONLY repo-binding probe so a stale-but-running
wardline (server starts, --root resolves, but it cannot read its repo-scoped baseline
store) reports honestly instead of looking healthy — the wardline analog of the
2026-06-26 loomweave silent-de-attach incident, and the producer half of lacuna's
MCP-attachment regression harness (weft-seam-conformance Now bet, PDR-0002 / G2-seam).

- inspect_baseline_store(root) -> BaselineStoreStatus (core/baseline.py, next to
  BASELINE_VERSION; reuses require_yaml + _build_baseline; never writes/migrates/mkdirs).
  The non-tautological signal is the schema version READ STRICTLY from inside the store —
  null unless an int version was actually read (a degenerate empty store -> null + binding_ok
  false, never the served constant), so "root == cwd" can never fake a pass.
- _check_repo_binding(root) (install/doctor.py) emits a top-level repo_binding block
  {resolved_root, store{present,readable,schema_version,baseline_finding_count}, binding_ok}
  + a uniform doctor.repo_binding check. Fork-1 split (honors the not-noisy anti-goal):
  present-but-unreadable (version mismatch/corrupt — the incident) is status=error and flips
  doctor.ok; ABSENT (baseline is opt-in) stays status=ok and never nags a baseline-less repo.
- repo_binding declared in _DOCTOR_OUTPUT_SCHEMA so the structuredContent emission carries it;
  golden re-frozen (mcp_output_schemas.golden.json + VENDORED_BLOB_SHA) per the re-freeze procedure.
- Trust-boundary: the unreadable diagnostic is content-free (names only the store filename +
  served version) — a crafted store can no longer echo its content back through the seam.

Consumer contract (lacuna probe reads verbatim): repo_binding.binding_ok and
repo_binding.store.schema_version; predicate binding_ok==true AND schema_version not null.

Full suite green (4472 passed); ruff/mypy clean; wardline self-gate exit 0 / 0 active.
Built via ultracode workflow (1 TDD implementer + 5 adversarial verifiers + gate), all lenses pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…-0003

Record this session's delivery on the weft-seam-conformance Now bet: the wardline
doctor.repo_binding store-read seam (commit c661286). PDR-0003 captures the
load-bearing call — the Fork-1 split (absent baseline stays silent, only an
unreadable/corrupt store errors) deviating from the literal lacuna prompt to honor
the not-noisy anti-goal, contract-safe by construction and live-proven. Adds a dated
G2-seam reading (new honesty surface landed + round-trip-proven; 6-set target
unchanged); refreshes current-state.md. Roadmap untouched (no horizon change).
Nothing escalated — the editable global-install reinstall was owner-confirmed in-session.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Formal ACCEPT of the Codex hardening bet, deferred across two sessions. Judged
against all 5 PRD-0001 criteria with evidence re-run at HEAD: c797 DoS bound pinned
O(N^2) (test_lambda_candidate_merge_is_not_cubic_on_chained_rebinds), d96b credential
gate fail-closed (test_check_does_not_send_token_to_project_published_port), G1
precision held via the no-candidate-dropped soundness-lock family + full suite 4472 +
dogfood 0-active. All met -> ACCEPT. PRD-0001 status -> ACCEPTED; dated G2 reading
added; current-state ACCEPT item retired. Criterion-3 honesty note recorded (verified
the no-finding-dropped property via durable soundness-lock tests, not a one-time
pre/post byte-diff that would need risky pre-fix checkout on the shared tree).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…(crit-3b)

Make the SEI-oracle and warpline reverify-worklist producer-SOURCE drift checks
required & fail-closed in CI (PRD-0002 crit-3b; wardline-79ba05f464 / wardline-c0563eee74).

TAXONOMY CHANGE (src semantic, not just a CI job): sei_drift + worklist_drift are added
to wardline._live_oracle.LIVE_ORACLE_MARKERS, so an armed WARDLINE_LIVE_ORACLE_REQUIRED=1
run turns a missing-source SKIP into a FAILURE. Until now _drift markers were the
skip-clean release-gate tier; they now fail closed because the new weekly source-drift
job provisions their sibling source.

- .github/workflows/ci.yml: new `source-drift` job (schedule/dispatch) checks out
  loomweave + warpline origin/main (read-only WARDLINE_SIBLING_SOURCE_TOKEN) and runs
  `pytest -m "sei_drift or worklist_drift"` fail-closed.
- src/wardline/_live_oracle.py: add the two markers to LIVE_ORACLE_MARKERS.
- tests/unit/test_live_oracle.py: lock the contract (the two are in; the four unrun
  _drift markers stay out, fail-closed-only-when-armed).
- tests/conformance/test_warpline_delta_scope.py: normalize the published-schema check
  to the standard WARDLINE_WARPLINE_REPO (was a dead WARPLINE_REPO env var); kept OUT of
  the fail-closed job until warpline pushes its schema to origin/main.
- tests/conformance/test_seam_registry.py: update the marker-taxonomy doc block.
- docs/plans/2026-06-28-weft-seam-crit3-ci-drift.md: reality-validation + plan.

crit-3a (wardline.delta_scope.v1 producer artifact + its in-CI drift check) was already
shipped; this closes the consumer/producer source-drift CI leg. Full suite 4475 passed;
ruff/mypy clean; vendored fixtures verified byte-synced to loomweave + warpline origin/main.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…3.12==3.13)

Python 3.13's ast.dump (new default show_empty=False) OMITS empty-list fields
(posonlyargs=[], decorator_list=[], type_params=[], ...) that <=3.12 emit. The entity-body
discriminator hashed ast.dump output, so wardline under 3.12 vs 3.13 minted DIFFERENT
fingerprints for the same source — and the fingerprint is the cross-tool JOIN KEY
(baseline/waiver/judged stores + the Filigree wire). The identity parity corpus (frozen on
3.13) drifted on 3.12; 5 golden tests failed on the 3.12 CI matrix leg
(test_identity_corpus_is_byte_identical x3, test_golden_matches_live_producer,
test_builtin_findings_match_golden), all from this one root cause.

Fix: _canonical_ast_dump reproduces the 3.13 show_empty=False canonical form on EVERY
interpreter (verified node-for-node equal to 3.13's ast.dump across the fixtures), so the
fingerprint is byte-identical 3.12==3.13. Done STRUCTURALLY, not by regex-stripping the dump
string, because a string literal like "x=[]" renders as Constant(value='x=[]') and a text
strip would corrupt the join key.

3.13 output is byte-unchanged (cdump==ast.dump there), so NO corpus re-freeze and NO
fingerprint-scheme bump — only the broken 3.12 values converge to the 3.13 reference.

- src/wardline/scanner/rules/_fingerprint.py: structural _canonical_ast_dump.
- tests/unit/scanner/rules/test_entity_fingerprint_stability.py: pin the canonical form +
  the string-literal-preservation guard.

Verified: full suite 3.12 4478 passed (was 5 failed), 3.13 unchanged; the 5 goldens green on
both interpreters; ruff/mypy clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
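An added reconstruction of the structural canonicalisation this commit describes (example code for this page, not wardline's `_canonical_ast_dump`): it reproduces the 3.13 `show_empty=False` field-omission rules by walking `_fields`, keeps a `'x=[]'` string literal intact where a regex strip would not, and hashes the result into a fingerprint. The SHA-256 choice and the helper names are assumptions.

```python
import ast
import hashlib
import re
import sys

PY313_CANONICAL = sys.version_info >= (3, 13)   # stdlib ast.dump already omits empty fields
_KEEP_NONE = (ast.Constant, getattr(ast, "MatchSingleton", ast.Constant))  # None is a real value


def canonical_ast_dump(node_or_source) -> str:
    """Emit the 3.13 ast.dump(show_empty=False) form on any interpreter: skip unset
    optional fields, empty lists and None values (except Constant/MatchSingleton
    payloads). Structural, so string literals containing '=[]' are never touched."""
    node = ast.parse(node_or_source) if isinstance(node_or_source, str) else node_or_source

    def fmt(value) -> str:
        if isinstance(value, ast.AST):
            cls = type(value)
            parts = []
            for name in value._fields:
                try:
                    field = getattr(value, name)
                except AttributeError:
                    continue                                 # field never set
                if field is None and getattr(cls, name, ...) is None:
                    continue                                 # optional field at its default
                if (field is None or field == []) and not isinstance(value, _KEEP_NONE):
                    continue                                 # the 3.13 show_empty=False rule
                parts.append(f"{name}={fmt(field)}")
            return f"{cls.__name__}({', '.join(parts)})"
        if isinstance(value, list):
            return f"[{', '.join(fmt(v) for v in value)}]"
        return repr(value)

    return fmt(node)


def naive_regex_strip(dump: str) -> str:
    """The tempting text fix: delete every `name=[]` from a <=3.12 dump.
    Included only to show the corruption the commit warns about."""
    return re.sub(r"\b\w+=\[\](, )?", "", dump)


def entity_fingerprint(source: str) -> str:
    """Fingerprint an entity body from its canonical dump (SHA-256 is an assumption;
    the point is that the digest input is interpreter-independent)."""
    return hashlib.sha256(canonical_ast_dump(source).encode()).hexdigest()


def agrees_with_stdlib_dump(source: str) -> bool:
    """True when this interpreter's ast.dump already equals the canonical form (3.13+);
    False on <=3.12, whose dump still carries posonlyargs=[] and friends."""
    return ast.dump(ast.parse(source)) == canonical_ast_dump(source)
```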
…oss-interpreter determinism fix; PDR-0005, PDR-0006

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Closes wardline-a0eaa7dd12 (and subsumes wardline-7971cbcf9e). The arch-analysis
H1 finding framed ~102 deferred imports as "masking real cycles." Graph analysis
showed the runtime module graph was already acyclic and only TWO latent runtime
cycles remained, each closed by a tiny set of deferred edges; the other ~99
deferred imports are legitimate lazy loads (optional federation, CLI/MCP
fast-start, narrow import surface). So the fix is cycle-elimination + enforced
layering, not chasing the count to zero.

Cycles broken (combined runtime graph now fully acyclic):
- scanner.grammar <-> scanner.rules: extracted the boundary primitives
  (BoundaryType/LevelArg/BUILTIN_BOUNDARY_TYPES) into engine-floor
  scanner/boundary_types.py; grammar re-exports them as a facade; the 3 cycle
  members + doctor import the primitive directly.
- run -> suppression -> finding_identity -> baseline -> run: relocated the
  scan-running orchestration (collect_and_write_baseline, generate_baseline) out
  of policy-tier core/baseline.py into surface-tier core/baseline_ops.py; hoisted
  two redundant deferred gate_breakdown imports in run.py.

Deferred-import count 103 -> 92 (cycle fix + 8 redundant promotions where the
target was already module-level imported); cycle-MASKING count driven to 0.

Enforcement (the durable guard):
- 2 enforcing import-linter contracts (engine-purity, policy-purity); CI
  `lint-imports || true` -> gating; stale "BROKEN" comment removed; added
  lint-imports to `make lint`.
- tests/conformance/test_import_layering.py: combined-graph acyclicity (the
  intra-tier guard contracts can't express) + a Python tier-purity backstop over
  EVERY module + a contract-module-resolve drift guard + absolute-import check.

make ci green (4486 tests, 92.40% cov), lint-imports 2 kept/0 broken.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ibility

wardline fires only when untrusted data crosses a DECLARED trust boundary
(@trusted / @external_boundary / @trust_boundary, builtin or pack). A codebase
that declares none produces zero defects no matter what it does, so a
`wardline scan . --fail-on ERROR` gate over it passes green while checking
nothing. The elspeth FastAPI gate hit exactly this; the only prior hint was
buried INFO-severity WLN-L3-LOW-RESOLUTION — the severity agents filter out.

Adds a scan-level enforcement-posture verdict derived from the engine's existing
WLN-ENGINE-METRICS finding (taint_source_counts.anchored/config = recognized
boundaries; histogram sum = functions analyzed). A scan that recognized ZERO
boundaries over a non-trivial codebase is flagged INERT — no engine change:

- core/resolution_posture.py: compute_resolution_posture() (pure read of findings)
- cli/scan.py: Python inert-gate stderr banner — the counterpart of the existing
  Rust empty-trust-surface anti-false-green warning
- core/agent_summary.py: structured `resolution` block (the agent-facing surface)
- mcp/server.py: `resolution` in the scan outputSchema (+ re-froze the MCP schema golden)

Calibrated live: elspeth -> inert=True; wardline corpus (anchored=43) -> inert=False.
Part A of wardline-bd9d1e65cb. blake3 was a red herring; FastAPI source coverage is
moot without declared boundaries (pack-bridge tracked separately).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The elspeth gate is inert because wardline is annotation-driven and doesn't read
elspeth's OWN trust vocabulary — elspeth annotates ~25 external-data boundaries with
elspeth.contracts.trust_boundary.trust_boundary(tier=3, source_param=...), which
wardline ignores, so it recognizes zero boundaries (blake3 and FastAPI source
coverage are both irrelevant to this — proven in wardline-bd9d1e65cb).

Rather than re-annotate elspeth in wardline's vocabulary, bind elspeth's existing
vocabulary with a pack: a BoundaryType mapping the decorator to wardline's
validating-boundary seed (EXTERNAL_RAW args -> ASSURED return). elspeth's
tier/source/source_param kwargs are not trust LEVELS, so level_args=() and the
matcher ignores them.

Validated end-to-end on an elspeth-shaped target:
- WITH the pack: both @trust_boundary functions recognized (scan non-inert,
  recognized_boundaries=2); a boundary that returns its untrusted source_param
  unvalidated fires PY-WL-119 ERROR.
- WITHOUT the pack: zero boundaries recognized, no defect (the inert state).

The pack (tests/grammar/fixtures/elspeth_trust_boundary_pack.py) is the copy-ready
deliverable for elspeth: place on the import path + reference under [wardline] packs
in weft.toml (or --trust-pack). Full elspeth-repo FP calibration over the 25 real
boundaries is the remaining follow-on (tracked).

Part of wardline-bd9d1e65cb.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ridge; PDR-0007, PDR-0008

Owner-directed investigation of the ~/elspeth/ report. Corrected diagnosis (wardline
is annotation-driven; blake3 a red herring), shipped Part A inert-gate visibility
(b3d0a81) and the elspeth-vocab pack-bridge (72bc9eb). Now bet (weft-seam-conformance)
unchanged. Flags: PR #69 release scope grew; install pack in elspeth; auto-inference
strategic question (vision tension) escalated; pack FP UNMEASURED (calibration follow-on).
…rust vocab

elspeth is an unrelated project; no elspeth-specific code belongs in wardline. The
committed pack-bridge fixtures embedded `elspeth.contracts.trust_boundary` into the
suite. Genericize to a fictional `acme.security.trust_boundary` vocab so the test still
proves the GENERIC pack-bridge mechanism (a third-party @trust_boundary decorator whose
kwargs are not trust levels maps to a validating-boundary seed; PY-WL-119 fires WITH the
pack, inert WITHOUT) without naming an unrelated project.

- tests/grammar/fixtures/{thirdparty_trust_boundary_pack,target_thirdparty_boundary}.py
  + tests/grammar/test_thirdparty_pack_bridge.py replace the three elspeth_* files.
- Scrub the two incidental elspeth mentions in src/ comments (resolution_posture.py,
  judge.py) and the Part A test names/comments (test_resolution_posture, test_cli,
  test_scan_inert_posture) to generic "framework app" phrasing.

`grep -rI elspeth src/ tests/ docs/reference --include='*.py'` is now empty.

Part of wardline-bd9d1e65cb.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
… flag

Part B of wardline-bd9d1e65cb. Two new doctor checks, wired into both the
machine-readable surface (machine_readable_doctor → MCP `doctor` / `--fix`) and the CLI
text path.

- engine.selftest: runs the taint analyzer on a tiny BUILT-IN @trusted source→sink
  fixture (flask request multidict → os.system) in a throwaway tempdir and asserts
  PY-WL-108 fires → "taint analysis fires correctly". Proves the analysis pipeline is
  wired and FIRING in this install. Deliberately worded engine-not-target: a passing
  self-test does NOT mean the user's scans enforce (an annotation-free codebase is still
  inert by design — Part A's per-scan posture carries that). The fixture lives outside
  the source tree so it can never enter wardline's own corpus golden.
- loomweave.dep: flags a configured-but-uninstalled Loomweave integration. VERIFICATION
  FINDING (the issue flagged "verify the config shape first"): there is NO
  [wardline.loomweave].url config key — resolve_loomweave_url reads only the
  --loomweave-url flag / WARDLINE_LOOMWEAVE_URL env / published port. "Configured" =
  explicit operator intent (launch flag, env, or .mcp.json --loomweave-url arg);
  ambient published-port auto-discovery is deliberately NOT flagged (the write is
  fail-soft, and flagging it would nag every base install near a Loomweave sibling).
  require_blake3() raises LoomweaveError when the [loomweave] extra is absent.

_mcp_filigree_url generalized to _mcp_wardline_arg(root, flag) with a _mcp_loomweave_url
sibling. MCP output golden unchanged (it is a schema; checks is a generic array).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Part C of wardline-bd9d1e65cb. wardline shipped Flask request coverage but none for
FastAPI/starlette, so a FastAPI+pydantic app's request entry points were invisible and a
`wardline scan --fail-on ERROR` gate over it was inert.

Annotation-based source seeding via the typed-receiver + curated-member model (NOT
whole-param tainting): a parameter whose annotation resolves (via the alias map, never
the parameter NAME) to fastapi.Request / starlette.requests.Request is a request
boundary, and curated DATA members read off it yield EXTERNAL_RAW —
.query_params/.path_params/.headers/.cookies (property reads) and .json()/.body()/
.form()/.stream() (method calls). Framework objects (.app/.state/.url/.scope/.client/
.base_url) stay clean; a bare uncalled `req.json` (a coroutine-method object) stays
clean. The mechanism is general (a request-type → member table); seeding is scoped to
the two FQNs deliberately (precision over recall).

- variable_level.py: `_REQUEST_SOURCE_TYPES` table + two seed points (Seed A = property
  read in _resolve_expr's Attribute handler; Seed B = method call in _resolve_call's
  typed-receiver block, after the project-summary dispatch so a real summary wins first).
- project_resolver.py: _RESOLVER_VERSION sp1e→sp1f so warm/persisted summaries of
  request-handler modules recompute rather than serve stale-CLEAN results.

Return-pass FN closure (adversarial review): _CURRENT_VAR_TYPES is reset before
compute_return_taint, so a @trusted boundary that DIRECTLY returns a request source
(`return req.query_params.get('x')`) was summarized clean and its PY-WL-101 boundary-leak
went undetected — while the local-var form already fired. Re-establish the receiver-type
map for the return VALUE pass, FILTERED to request FQNs (so the general typed-receiver
dispatch stays inert in return-taint — zero blast radius on `return typed.method()`),
scoped to compute_return_taint (not the explain-only compute_return_callee).

Corpus byte-identical (wardline's own src imports no fastapi/starlette; both seeds are
structurally dead on it). Tests: 14 must-fire + 12 must-not-fire + 3 return-leak +
1 freedom-zone-return. Annotation-driven throughout — an undecorated handler fires
nothing; this makes the SOURCE visible, it does not declare the boundary.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

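The typed-receiver + curated-member seeding described in the Part C message, as an added example that is not wardline's code: a stdlib `ast` sketch that resolves a parameter's annotation through the import alias map (never the parameter name) and reports only the curated data members read off it, leaving framework members and a bare uncalled `req.json` clean. `REQUEST_FQNS`, the two member sets and `SAMPLE` are constructed assumptions; the return-pass handling and the project-summary dispatch are not modelled.

```python
import ast

# Request FQNs and their curated DATA members (table shape assumed; wardline's real one may differ).
REQUEST_FQNS = {"fastapi.Request", "starlette.requests.Request"}
PROPERTY_MEMBERS = {"query_params", "path_params", "headers", "cookies"}
METHOD_MEMBERS = {"json", "body", "form", "stream"}
def _alias_map(tree):  # local name -> FQN, built from import statements only
    aliases = {}
    for node in tree.body:
        if isinstance(node, ast.Import):
            for a in node.names:  # `import starlette.requests` binds `starlette`
                top = a.name.split(".")[0]
                aliases[a.asname or top] = a.name if a.asname else top
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases
def _resolve(node, aliases):  # annotation expression -> FQN; string annotations unsupported
    if isinstance(node, ast.Name):
        return aliases.get(node.id)
    if isinstance(node, ast.Attribute) and (base := _resolve(node.value, aliases)):
        return f"{base}.{node.attr}"
def find_request_sources(source):  # -> sorted (line, receiver, member, kind) per EXTERNAL_RAW seed
    tree = ast.parse(source)
    aliases, seeds = _alias_map(tree), []
    for fn in tree.body:  # top-level defs only
        if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        receivers = {a.arg for a in fn.args.args + fn.args.kwonlyargs  # the ANNOTATION decides,
                     if _resolve(a.annotation, aliases) in REQUEST_FQNS}  # never the parameter name
        for node in ast.walk(fn):
            attr = node.func if isinstance(node, ast.Call) else node
            if not (isinstance(attr, ast.Attribute) and isinstance(attr.value, ast.Name)
                    and attr.value.id in receivers):
                continue
            if isinstance(node, ast.Call) and attr.attr in METHOD_MEMBERS:  # Seed B: req.json()
                seeds.append((node.lineno, attr.value.id, attr.attr, "method"))
            elif isinstance(node, ast.Attribute) and attr.attr in PROPERTY_MEMBERS:  # Seed A; rest clean
                seeds.append((node.lineno, attr.value.id, attr.attr, "property"))
    return sorted(seeds)

# Constructed input (not wardline's fixtures): annotated receiver beside an unannotated look-alike.
SAMPLE = """\
from fastapi import Request as Req
async def handler(req: Req, request):
    q = req.query_params.get("x")  # property read -> EXTERNAL_RAW
    body = await req.json()        # method call  -> EXTERNAL_RAW
    fn, app = req.json, req.app    # uncalled method object / framework object: clean
    return request.headers         # name looks like a request, no annotation: clean
"""
```

`find_request_sources(SAMPLE)` reports only lines 3 and 4; a `Request` imported from any other module resolves to a non-request FQN and seeds nothing.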
…ck shift

The Part A inert-gate commit (b3d0a81) added lines to cli/scan.py and core/
agent_summary.py, shifting the summary-block and agent-summary-key line numbers the
finding-lifecycle glossary cites — leaving tests/docs/test_glossary_vocabulary.py
(the two-way doc↔code anchor lock) red on the branch. Re-point both the `_ANCHORS`
table and the glossary citations to the current lines (scan.py suppressed/active/gate
→ 569/570/622; agent_summary.py keys +1, informational-display 165→172). No behavior
change; restores the branch to green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

…-gate prevalence; PDR-0009

Owner decision A+C: do not make the framework-auto-inference vision change;
instrument inert-gate prevalence (within grant). Baseline 2026-06-29: of 9
armed-gate repos, 5 framework-shaped, 5/5 inert, but realized reliance-gated
harm = 1. Option B (per-parameter engine change + vision change) parked, gated
on a metric-bound non-self-sealing trigger (>=5; baseline 1). Reconciled drift:
Part B/C now DONE+committed, dogfood ticket bd9d1e65cb CLOSED. Grant re-confirmed
2026-06-29 (date-only).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Cut [Unreleased] -> [1.1.0]. Headline: FastAPI/Starlette request-source
coverage, inert-gate visibility, third-party trust-vocab pack-bridge, doctor
engine self-test + repo-binding/stale-port/repair, delta-scope. Security:
cross-interpreter fingerprint determinism (3.12==3.13 join-key) + the
agent-surface hardening batch. Owner-authorized release (v1.1.0 minor).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

…-bump-robust

CI red on the feature head: install/doctor.py (Part B) was never ruff-formatted,
and test_package asserted version startswith('1.0.') which the 1.1.0 bump broke.
Format the file; assert a 1.x semver shape (re.fullmatch r'1\.\d+\.\d+') so future
point/minor releases don't re-break it. Local: ruff format/check clean, test passes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@tachyon-beep tachyon-beep merged commit 19be199 into main Jun 28, 2026
9 checks passed