release/consolidation-2026-06-26: weft-seam conformance + project-root artifacts

.github/workflows/ci.yml

@@ -21,31 +21,32 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event_name != 'schedule'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
         with:
           persist-credentials: false
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
+      - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
         with:
           enable-cache: true
           python-version: "3.13"
       - run: uv sync --all-extras --group dev
       - run: uv run ruff check src tests
       - run: uv run ruff format --check src tests
-      - name: Layering contracts (import-linter, report-only)
-        # Report-only: `|| true` keeps this non-blocking. Encodes intended core/ layering
-        # (taint engine must not import the attestation layer). BROKEN today; the layering
-        # agent moves the code (wardline-9ec283d168). Surfaces drift without gating CI.
-        run: uv run lint-imports || true
+      - name: Layering contracts (import-linter, enforcing)
+        # Gating: the engine and policy tiers must not import up into orchestration,
+        # output, or federation (engine-purity + policy-purity, both KEPT). See
+        # [tool.importlinter] in pyproject.toml for the tier model; intra-tier cycles
+        # are guarded by tests/conformance/test_import_layering.py.
+        run: uv run lint-imports
 
   typecheck:
     name: Types (mypy strict)
     runs-on: ubuntu-latest
     if: github.event_name != 'schedule'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
         with:
           persist-credentials: false
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
+      - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
         with:
           enable-cache: true
           python-version: "3.13"
@@ -60,10 +61,10 @@ jobs:
       matrix:
         python-version: ["3.12", "3.13"]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
         with:
           persist-credentials: false
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
+      - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
         with:
           enable-cache: true
           python-version: ${{ matrix.python-version }}
@@ -76,10 +77,10 @@ jobs:
     needs: test
     if: github.event_name != 'schedule'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
         with:
           persist-credentials: false
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
+      - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
         with:
           enable-cache: true
           python-version: "3.13"
@@ -120,10 +121,10 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event_name == 'schedule'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
         with:
           persist-credentials: false
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
+      - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
         with:
           enable-cache: true
           python-version: "3.13"
@@ -163,10 +164,10 @@ jobs:
           - name: Warpline
             marker: warpline_e2e
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
         with:
           persist-credentials: false
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
+      - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
         with:
           enable-cache: true
           python-version: "3.13"
@@ -188,3 +189,58 @@ jobs:
             echo "- Trigger: \`${{ github.event_name }}\`"
             echo "- Missing local services, secrets, or capabilities fail this required oracle run."
           } >> "$GITHUB_STEP_SUMMARY"
+
+  # Producer-source drift: byte-compares wardline's vendored fixtures against the
+  # authoritative sibling SOURCE on origin/main (loomweave SEI oracle, warpline
+  # reverify-worklist wire). The default PR suite already fail-closes on a vendored-copy
+  # EDIT via the Layer-1 blob-pins; this job closes the other half — a silent divergence
+  # between the vendored copy and the upstream HEAD — which no PR-time test can see without
+  # the sibling source. Weekly/dispatch only (a sibling change must never block a wardline
+  # PR); needs WARDLINE_SIBLING_SOURCE_TOKEN (read-only) to check out the private siblings.
+  # crit-3b: wardline-79ba05f464 (SEI) / wardline-c0563eee74 (warpline worklist).
+  source-drift:
+    name: Sibling-source drift (weekly/manual, fail-closed)
+    runs-on: ubuntu-latest
+    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+    steps:
+      - uses: actions/checkout@v7
+        with:
+          persist-credentials: false
+      - name: Check out loomweave source (read-only)
+        uses: actions/checkout@v7
+        with:
+          repository: foundryside-dev/loomweave
+          token: ${{ secrets.WARDLINE_SIBLING_SOURCE_TOKEN }}
+          path: _siblings/loomweave
+          persist-credentials: false
+      - name: Check out warpline source (read-only)
+        uses: actions/checkout@v7
+        with:
+          repository: foundryside-dev/warpline
+          token: ${{ secrets.WARDLINE_SIBLING_SOURCE_TOKEN }}
+          path: _siblings/warpline
+          persist-credentials: false
+      - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+        with:
+          enable-cache: true
+          python-version: "3.13"
+      - run: uv sync --all-extras --group dev
+      - name: Source-byte drift vs sibling origin/main (fail-closed)
+        # WARDLINE_LIVE_ORACLE_REQUIRED=1 turns a missing-source SKIP into a FAILURE
+        # (sei_drift/worklist_drift are in LIVE_ORACLE_MARKERS), so a broken checkout fails
+        # the required run instead of passing green. A genuine drift (a sibling shipped a new
+        # contract) reds this until wardline re-vendors per each module's RE-VENDOR PROCEDURE.
+        run: uv run pytest tests/conformance -m "sei_drift or worklist_drift" -v
+        env:
+          WARDLINE_LIVE_ORACLE_REQUIRED: "1"
+          WARDLINE_LOOMWEAVE_REPO: ${{ github.workspace }}/_siblings/loomweave
+          WARDLINE_WARPLINE_REPO: ${{ github.workspace }}/_siblings/warpline
+      - name: Summarize source-drift
+        if: always()
+        run: |
+          {
+            echo "### Sibling-source drift"
+            echo "- Markers: \`sei_drift\`, \`worklist_drift\` (byte-compare vs loomweave + warpline origin/main)"
+            echo "- Trigger: \`${{ github.event_name }}\`"
+            echo "- A vendored-fixture drift, or a failed sibling checkout, fails this required run."
+          } >> "$GITHUB_STEP_SUMMARY"

.github/workflows/deploy-site.yml

@@ -4,7 +4,7 @@
 # copied verbatim into the build output). It consumes the shared @weft/site-kit,
 # which lives in a SUBDIRECTORY of a DIFFERENT repo (foundryside-dev/weft).
 # npm cannot install a git subdirectory as a file: dep directly, so the build
-# sparse-fetches packages/site-kit into site/vendor/site-kit first
+# sparse-fetches a pinned packages/site-kit commit into site/vendor/site-kit first
 # (scripts/fetch-site-kit.mjs), then `npm install` resolves the file: dep and
 # `astro build` compiles it. The fetch also runs as a preinstall hook, but the
 # explicit step keeps the order legible.
@@ -29,6 +29,11 @@ concurrency:
   group: pages
   cancel-in-progress: false
 
+env:
+  # Privileged Pages builds must consume an immutable site-kit revision. Update
+  # this SHA deliberately when promoting a new foundryside-dev/weft site kit.
+  WEFT_SITE_KIT_REF: a8f9a6a77458d2ec697cfbc1f71dd88a51962cb7
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -37,13 +42,13 @@ jobs:
         working-directory: site
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v7
 
       - name: Configure Pages
         # Pin the Pages source to GitHub Actions (build_type=workflow); enables
         # Pages if needed. Without this, deploy-pages fails when the repo is
         # still set to "Deploy from a branch".
-        uses: actions/configure-pages@v5
+        uses: actions/configure-pages@v6
         with:
           enablement: true
 
@@ -78,4 +83,4 @@ jobs:
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@v5

.github/workflows/release.yml

@@ -12,10 +12,10 @@ jobs:
     name: Build distributions
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           persist-credentials: false
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
+      - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
         with:
           enable-cache: true
           python-version: "3.13"
@@ -59,4 +59,4 @@ jobs:
         # twine reject it ("Unknown distribution format") and blocks the release.
         # Verification above already consumed it.
         run: rm -f dist/SHA256SUMS
-      - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+      - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0

.gitignore

@@ -39,6 +39,12 @@ output/
 # port (a live, never-committed runtime artifact, not tracked state).
 .weft/*/ephemeral.port
 
+# Local sibling tool stores are runtime/tooling state for this checkout. Keep
+# wardline's own .weft/wardline/ suppression state visible and auditable.
+.weft/filigree/
+.weft/loomweave/
+.weft/warpline/
+
 # Filigree issue tracker
 .filigree/
 .env
@@ -56,7 +62,6 @@ coverage.json
 loomweave.yaml
 
 # Filigree issue tracker
-.weft/
 .filigree.conf
 .agents/skills/loomweave-workflow/.fingerprint
 .agents/skills/loomweave-workflow/SKILL.md

.jules/sentinel.md

@@ -0,0 +1,9 @@
+## 2025-02-14 - Prevent Git Config Code Execution
+**Vulnerability:** Invoking `git` via `subprocess` against untrusted directories without overriding config can allow malicious repositories to execute code via `.git/config` hooks like `core.fsmonitor`.
+**Learning:** `git` uses configurations from the `.git/config` file in the current working directory or `cwd` argument, which could be controlled by an attacker when analyzing untrusted codebases.
+**Prevention:** Explicitly pass `("-c", "core.fsmonitor=false")` as `_SAFE_GIT_CONFIG` to all `git` subprocess commands in the codebase.
+
+## 2026-06-21 - [Add Unsafe PyYAML Loaders to Taint Tracking]
+**Vulnerability:** The static analyzer was missing `yaml.unsafe_load` and `yaml.full_load` in its `_SERIALISATION_SINKS` mapping, potentially leading to false negatives when tracking untrusted data flowing into these dangerous deserialization functions.
+**Learning:** Even if functions are listed in rule specifications (like `_SINK_SPECS`), they also need to be properly categorized in the core taint propagation logic (`_SERIALISATION_SINKS`) to ensure the analyzer correctly sheds validation provenance (converting output to `UNKNOWN_RAW`).
+**Prevention:** When adding new sinks to rule definitions, always verify if they need to be added to core propagation mappings like `_SERIALISATION_SINKS` or `_PROPAGATING_BUILTINS`.

CHANGELOG.md

@@ -7,6 +7,96 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.1.0] - 2026-06-29
+
+### Changed
+- **BREAKING (unreleased contract):** attest bundle schema bumped `wardline-attest-1` → `wardline-attest-2`; each boundary now carries `content_hash` (entity-body span blake3 binding key, null when unresolved). `wardline-attest-1` bundles no longer verify.
+- Default scan artifacts now anchor to the weft-project root (the `weft.toml` directory)
+  rather than the scan cwd, so a subdirectory scan writes to `<project-root>/.wardline/`.
+  Retention is therefore project-root-wide across heterogeneous subdir/root scans sharing
+  one `.wardline/`. **Migration:** the artifact moves to the project root; `wardline doctor
+  --repair` sweeps now-stale per-subdir `.wardline/` dirs — update any CI/automation reading
+  a hardcoded `<subdir>/.wardline/*-findings.jsonl` path.
+
+### Added
+- **FastAPI / Starlette request-type taint source coverage.** `wardline` now seeds
+  untrusted taint from the raw request accessors on `fastapi.Request` /
+  `starlette.requests.Request` receivers — the `query_params` / `path_params` /
+  `headers` / `cookies` properties and the `json` / `body` / `form` / `stream`
+  methods — so request data flowing into a declared `@trusted` sink is flagged
+  without hand-annotating every access. Type-aware: a non-request attribute on the
+  same receiver (e.g. `req.app.state.db`) does not fire. Still annotation-driven —
+  it lights up on top of your declared trusted core, not on an unannotated app.
+- **Inert-gate visibility (enforcement-posture honesty).** Scan output now always
+  carries a `resolution.inert` posture field (agent-summary + MCP). An armed gate
+  (`--fail-on`) that passes while the scan recognized **zero** trust boundaries
+  prints a reliance-gated stderr banner — closing the "green while checking nothing"
+  false-assurance gap on annotation-driven scans. Calibrated to stay silent on bare/
+  advisory scans and on legitimately boundary-free pure-logic code.
+- **Third-party trust-vocabulary pack-bridge.** A wardline pack can now map another
+  project's own trust-boundary decorator vocabulary onto a wardline `BoundaryType`,
+  so a team with existing trust annotations in a different grammar gets enforcement
+  by referencing one pack under `[wardline] packs` in `weft.toml` (or `--trust-pack`)
+  — no re-annotation.
+- **`wardline doctor` engine self-test + loomweave-dep flag.** New `engine.selftest`
+  check runs the analyzer on a built-in trusted source→sink and asserts the taint
+  rule fires ("taint analysis fires correctly"); new `loomweave.dep` check flags a
+  configured-but-missing `[loomweave]` extra.
+- **`wardline doctor` repo-binding store-read check.** A present-but-unreadable
+  baseline store now reports a machine-readable reason and `binding_ok=false` — the
+  seam can say "I can't read my store" instead of returning a confident empty.
+- Delta-scan scope block now declares its `scope_source` and echoes warpline's unverified `producer_completeness` (warpline's `data.impact_completeness` — combined completeness+staleness object) across CLI/SARIF/MCP; MCP scope schema is key-parity-tested against `DeltaScopeReport`. Replaces the removed `producer_generated_at` (which read a phantom `data.generated_at` key warpline never emitted).
+- `wardline doctor --repair` gitignores the artifacts dir and sweeps stray managed
+  artifacts; deletion is available on both the CLI and the MCP `doctor` tool (`repair:true`,
+  advertised `destructiveHint: true`), bounded to managed (timestamped) files inside
+  non-standard `.wardline/` dirs under the project root; emptied dirs are removed
+  best-effort (non-empty dirs are left in place).
+- **`wardline doctor` detects and clears stale sibling `ephemeral.port` files** (new
+  `stale_sibling_ports` check, CLI + MCP `doctor` tool). A sibling's
+  `.weft/<sibling>/ephemeral.port` advertises a live `serve` instance; when that process
+  has exited or wedged, the file lingers and every scan dials a dead/hung origin —
+  stalling the agent gate up to the federation 30s `urlopen` timeout per round-trip on a
+  purely advisory emission (the reported `wardline scan` hang). The check probes each
+  advertised port (filigree, loomweave) at the host the scan dials, with a short 2s
+  deadline (not 30s): an unreachable port — connection refused **or** no HTTP reply within
+  the deadline (a wedged server) — is stale, and `--repair`/`fix:true` deletes the file so
+  the scan stops dialing it. A live server (any HTTP status) is never touched; the delete
+  is regular-file / no-follow confined (a symlinked `ephemeral.port` is never followed).
+  Advisory like the stray-artifact sweep — a stale port never flips the aggregate doctor
+  verdict.
+
+### Security
+- **Cross-interpreter fingerprint determinism (3.12 == 3.13).** `entity_source_fingerprint`
+  previously hashed `ast.dump`, whose output changed in CPython 3.13
+  (`show_empty=False` omits empty-list fields), making the cross-tool JOIN KEY
+  (baseline / waiver / judged stores + the Filigree wire) interpreter-dependent — a
+  silent-drop-on-join hazard where a finding suppressed under one interpreter could
+  reappear under another. The fingerprint now uses a structural, version-stable
+  canonical dump; the join key is byte-identical across 3.12 / 3.13, proven by the CI
+  matrix. **No scheme bump** — 3.13 reference values are unchanged.
+- **Agent-surface hardening batch.** Closed a set of MCP / federation policy-bypass
+  and resource-exhaustion holes: MCP network-policy gates on `waiver_add` entity
+  resolution and `rekey` cache-dir writes; rejection of untrusted MCP sibling and
+  doctor-caller URLs; rekey snapshot-provenance hardening; stdlib-submodule
+  spoof-taint prevention; Filigree diagnostic-URL redaction, response-body-amplification
+  bound, and unsafe-mint-token soft-fail; a quadratic foreign-fence scan bound (and,
+  under Fixed, the cubic candidate-set scan-DoS). Enforced by the soundness oracle +
+  the security regression suite; a new fail-open hole is treated as a P0.
+
+### Fixed
+- **Candidate-set merge no longer scales cubically (scan DoS).** The Level-2
+  branch-join merges for lambda bindings (`_merge_branch_bindings`) and
+  receiver-type candidates (`_merge_branch_types`) deduplicated with a nested
+  linear scan of the growing candidate list — O(bucket²) per merge, O(N³)
+  across a chain of `N` one-armed branches rebinding the same name. An
+  attacker-authored file (~1100 such branches) could drive a default-gate scan
+  to ~15s and exhaust CPU on every local and CI run. Both merges now dedup via
+  an identity/equality set (O(bucket) per merge, O(N²) cumulative), preserving
+  the exact candidate set and insertion order; the demonstrated 1100-branch case
+  drops from seconds to milliseconds. No analysis behavior changes — the
+  candidate sets are identical, so no false negative is introduced.
+  Reviewed regression source: `eff4eed2` (wardline-c797baf28b).
+
 ## [1.0.7] - 2026-06-24
 
 ### Fixed
@@ -1353,6 +1443,7 @@ for Python — enterprise-class trust-boundary analysis at small-team weight.
 - **Packaging** — MIT-licensed; optional extras `scanner` (config + CLI) and
   `weft` (HTTP integrations).
 
+[Unreleased]: https://github.com/foundryside-dev/wardline/compare/v1.0.6...HEAD
 [1.0.6]: https://github.com/foundryside-dev/wardline/compare/v1.0.5...v1.0.6
 [1.0.5]: https://github.com/foundryside-dev/wardline/compare/v1.0.4...v1.0.5
 [1.0.4]: https://github.com/foundryside-dev/wardline/compare/v1.0.3...v1.0.4

CONTRIBUTING.md

@@ -63,7 +63,7 @@ see `CLAUDE.md`).
 
 - **TDD.** Write the failing test first.
 - Keep PRs focused — one logical change per PR.
-- New behavior needs tests. New `wardline.yaml` keys need a `config_schema.py` update.
+- New behavior needs tests. New `[wardline]` keys in `weft.toml` need a `config_schema.py` update.
 - No back-compat shims for unreleased specs — make clean changes.
 - Wardline scans its own source as a CI gate; keep the tree finding-clean (or baselined).
 

Makefile

@@ -7,9 +7,10 @@ help:  ## Show this help message
 install:  ## Install all extras + dev tooling
 	uv sync --all-extras --group dev
 
-lint:  ## Run linter + format check
+lint:  ## Run linter + format check + layering contracts
 	uv run ruff check src tests
 	uv run ruff format --check src tests
+	uv run lint-imports
 
 format:  ## Auto-format and fix lint
 	uv run ruff format src tests