feat(warpline): advisory preflight consumer + forge-proof per-SEI attestation read

CHANGELOG.md

@@ -9,6 +9,36 @@ versions per [PEP 440](https://peps.python.org/pep-0440/) /
 
 _Post-1.0.0 work lands here; legis versions independently from the Weft 1.0 launch on._
 
+## [1.2.0] — 2026-06-25
+
+Warpline federation interfaces: an advisory preflight consumer and a
+forge-proof per-SEI attestation read. The agent MCP surface grows from 22 to
+24 tools.
+
+### Added
+
+- **Advisory Warpline preflight consumer (`warpline_preflight_get`).** A
+  stdlib-only HTTP client (`HttpWarplineClient`) and a `read_warpline_preflight`
+  service read surface Warpline's impact-radius and reverify-worklist hints. The
+  consumer is purely advisory and structurally isolated from every governance
+  verdict path — an acceptance test asserts governance output is byte-identical
+  with and without advisory data present, and transport or configuration
+  failures degrade to a discriminated `unavailable` rather than affecting a
+  verdict or raising. The client reuses Legis's SSRF/redirect/size-cap gating
+  (loopback or HTTPS only unless `LEGIS_ALLOW_INSECURE_REMOTE_HTTP=1`), with a
+  clone-parity guard that fails if those primitives drift from the Filigree
+  client.
+- **Forge-proof per-SEI attestation read (`attestation_get`).** A
+  `read_sei_attestations` classifier surfaces the operator-override and
+  cleared-signoff attestations bound to a given SEI. Admission is gated on
+  cryptographic signature markers drawn from the verified-trail selection: a
+  sign-off's joined PENDING record is integrity-bound by recomputing and
+  comparing its content hash against the signed request-payload hash, every
+  surfaced field comes from the signed set, and any ambiguity resolves to
+  omission (a false "attested" is a security hole; a missed attestation only
+  costs wasted reverify work). The adversarial forge phase admitted zero forged
+  records.
+
 ## [1.1.1] — 2026-06-23
 
 Security and release-readiness hardening after the 1.1.0 dogfood release.

docs/product/current-state.md

@@ -0,0 +1,22 @@
+# Current State — Legis        Checkpoint: 2026-06-25 (2nd) · committed (PDR-0004)
+
+## The bet right now
+**Keep the governance-honesty surface true post-gold** (north-star: open governance-honesty defects → 0, currently **3**) — close the three confirmed P2 findings. The **Warpline federation seam is COMPLETE** (Tasks 1–8 + spec fix), held on merge by the owner until warpline's own body of work lands.
+
+## In flight
+- **Warpline interfaces** (legis-1734128d34) — **COMPLETE** on branch `warpline-interfaces` (`5a30cd8..1e21418`): advisory preflight consumer + `attestation_get` with the **forge-proof per-SEI attestation classifier** (Task 8, both kinds shipped) + byte-identical advisory-boundary spine. All CI gates green (pytest 1237, mypy clean, coverage 92.13%, ruff). **Held on merge** (owner: warpline mid-work, will push when done). Adversarial forge phase: zero forges admitted.
+- **Governance-honesty P2 findings** — confirmed, ready, unclaimed: unverified posture tail (legis-476ab6f125); protected batch without HeadAnchor advance (legis-0c310712a7); policy_boundary_check accepts roots outside source root (legis-0186c23a2c). The north-star Now bet; untouched.
+
+## Open questions / blocked-on-owner
+- **Merge / publish** `warpline-interfaces` — held by owner (warpline's body of work mid-flight; they push when done). This is the only remaining gate; nothing else blocks.
+- **Warpline wire format** (§6) — inferred/TO-CONFIRM; ships shape-validating, degrades to `unavailable`. Gates real integration (confirmed when warpline lands), not unit work.
+- **Inferred vision/metrics** — PDR-0001's reversal trigger fires on the owner's first review (the `(set)` time-to-close TARGET still needs an owner number).
+- *(Resolved this session: Task 8 ratification → done (PDR-0004); spec §4.1 correction → done.)*
+
+## Last checkpoint did
+- **Ratified + implemented Task 8** — the forge-proof attestation classifier (both `operator_override` + `signoff_cleared`), via a ground→implement→adversarial-forge workflow; zero forges admitted, both positives admit (PDR-0004).
+- Corrected design spec §4.1/§4.2/§7 (false unconditional fail-closed claim → conditional; confirmed discriminator).
+- Independently re-ran the full CI gate (pytest 1237, mypy clean, coverage 92.13%, ruff) — green.
+
+## Next session, start here
+Either the owner's merge sign-off when warpline's work lands (the branch is complete and green), **or** pick up the north-star Now bet — the three P2 governance-honesty findings (legis-476ab6f125, -0c310712a7, -0186c23a2c), still unclaimed.

docs/product/decisions/0001-bootstrap-from-observed-state.md

@@ -0,0 +1,21 @@
+# PDR-0001 — Bootstrap the Legis product workspace from observed state
+
+Date: 2026-06-24   Status: accepted   Author: claude (opus, product-owner)   Owner sign-off: partial (grant confirmed live; inferred vision/metrics not yet confirmed)
+Supersedes: —   Related: vision.md, roadmap.md, metrics.md, current-state.md
+
+## Context
+Legis had no product-ownership workspace (`/product-checkpoint` halted on the missing precondition). Legis is a shipped gold product (v1.1.1) with a rich repo, README, CHANGELOG, a Weft member briefing, and a 145-issue filigree tracker. A workspace had to be constructed from that observed reality rather than fabricated from memory, so the next session can resume cold.
+
+## Options considered
+1. **Bootstrap from observed reality (README + git log + tracker + member briefing), confirm only the authority grant live.** — pro: grounded in fact, fast, the one load-bearing item (the grant) is human-confirmed; con: purpose/audience/metric _numbers_ are inferred and may need correction.
+2. **Interrogate the owner for vision/metrics before writing anything.** — pro: maximally accurate; con: slow, and the README + member briefing already state purpose and direction plainly — interrogation would mostly re-elicit what's already written.
+3. **Do nothing / stay stateless.** — pro: no risk of a wrong inference; con: forfeits continuity entirely, which is the whole point of ownership.
+
+## The call
+Option 1. Seeded `vision.md`, `roadmap.md`, `metrics.md`, `current-state.md` from the README, the Weft member briefing (`~/weft/members/legis.md`), git history, and the filigree tracker. The **authority grant was proposed and confirmed live** by the owner (Standard variant) during this `/own-product` run, so it is written as authoritative (not draft). Everything else is inferred-from-repo and marked as such.
+
+## Rationale
+The repo states purpose, audience, anti-goals, and recent direction explicitly and consistently with the federation doctrine; inference here is reading, not guessing. The only item that genuinely required a human (the delegation boundary) was confirmed interactively. Metric _numbers_ that the repo doesn't expose are left as `(set)` placeholders rather than invented, keeping every target falsifiable-or-flagged.
+
+## Reversal trigger
+Revisit on the **first owner review of this workspace**: if the owner corrects the purpose/audience framing in `vision.md` or sets real numbers against any `(set)` metric placeholder, supersede the inferred portions with a new PDR. Also revisit if the north-star ("open confirmed governance-honesty defects = 0") proves to be the wrong success measure once the P2 findings close.

docs/product/decisions/0002-accept-warpline-bet-defer-classifier.md

@@ -0,0 +1,23 @@
+# PDR-0002 — Accept the warpline interfaces bet (Tasks 1–7); defer the attestation classifier (Task 8) as BLOCKED
+
+Date: 2026-06-25   Status: accepted (build/accept within grant; MERGE is owner-gated — see flags)   Author: claude (opus, product-owner)
+Supersedes: —   Related: [[0003-federation-read-doctrine]]; tracker legis-1734128d34; spec `docs/superpowers/specs/2026-06-24-legis-warpline-interfaces-design.md`; plan `docs/superpowers/plans/2026-06-24-legis-warpline-interfaces-plan.md`
+
+## Context
+Warpline (Weft sibling; impact-radius / reverify-worklist analysis) requested two Legis interfaces: an advisory preflight consumer and a per-SEI attestation read (governance-as-verification, Rung 2). This was the Now federation-seam bet (legis-1734128d34). Load-bearing constraint: governance verdicts must be **byte-identical** whether warpline is present or absent; Legis stays the **only** governance/attestation authority.
+
+## Options considered
+1. Build the whole feature including the attestation classifier in one pass.
+2. Build the advisory boundary + the attestation **fail-closed scaffolding**, and DEFER the positive-admission classifier pending owner ratification of a forge-proof discriminator.
+3. Don't build / defer the whole bet.
+
+## The call
+Option 2. Built Tasks 1–7 via subagent-driven TDD from a grounded, adversarially-reviewed plan: the stdlib `HttpWarplineClient`, `warpline_preflight_get` (advisory), `attestation_get` fail-closed scaffolding, the byte-identical advisory-boundary acceptance spine, and a derived structural guard over all tool handlers. The positive-admission classifier (Task 8) is **BLOCKED** and ships an honest `unavailable` (no false-green) because grounding proved the obvious operator-override discriminator is **forgeable** (the chill engine writes caller `extensions` verbatim) — shipping it unratified risks a false-"attested" → warpline skips reverify on un-cleared code (a security hole). Accepted on all CI-equivalent gates green (pytest 1225 passed, mypy clean, coverage 92.14% ≥88% floor, ruff) + a whole-branch review.
+
+## Rationale
+The advisory boundary is the whole point of the bet and is now proven (structural + behavioral byte-identity), not asserted. The classifier is the single piece that can introduce a false-green on the honesty surface, and its safe discriminator is a **spec-level security decision** that requires the owner. Deferring it (fail-closed, surfaces nothing) is honest and reversible; guessing it is a one-way security risk. Two review-caught defects — a stale structural guard and a false-green BLOCKED stub (`checked: []` in wired deployments) — were found and fixed before merge.
+
+## Reversal trigger
+- If the byte-identical advisory-boundary invariant ever fails (a governance verdict diverges with warpline present vs absent) → **reopen immediately**; that invariant is the guardrail (metrics.md).
+- If the owner ratifies the four Task-8 classifier questions → Task 8 unblocks as a **new** decision (new PDR), flipping `attestation_get` from `unavailable` to real attestations.
+- If warpline's real wire format contradicts the inferred §6 parser → the client's URL/parse layer reopens (isolated; degrades to `unavailable` until then).

docs/product/decisions/0003-federation-read-doctrine.md

@@ -0,0 +1,22 @@
+# PDR-0003 — Federation-read doctrine: Legis exposes verified FACTS, never a verdict; advisory context is structurally isolated
+
+Date: 2026-06-25   Status: accepted (reinforces existing vision anti-goals — no new sign-off)   Author: claude (opus, product-owner)
+Supersedes: —   Related: [[0002-accept-warpline-bet-defer-classifier]]; vision.md anti-goals ("a second judge of trust", "an identity owner")
+
+## Context
+The warpline seam is Legis's first time being an HTTP **client** of a sibling on a path next to governance reads, and the first time it **exposes** a read a sibling treats as proof. This pattern recurs (Clarion SEI consume; future sibling fact-providers), so it needs a durable principle to stop future seams from eroding the authority boundary.
+
+## Options considered
+1. Legis returns a `proven_good` / skip-reverify **verdict** the sibling acts on directly (Legis decides).
+2. Legis returns verified **FACTS** (attested content_hash, kind, seq); the sibling does its own Rung-2 commit-match and skip decision (Legis attests, the sibling decides).
+3. Embed advisory sibling reads **inside** the governance honesty reads.
+
+## The call
+Option 2 for attestation; option 3 **rejected** — advisory context lives in a DEDICATED sibling tool structurally isolated from every verdict path. `attestation_get` returns facts; warpline makes the skip-reverify call. `warpline_preflight_get` is a sibling tool whose data is never an input to `policy_evaluate` / the gates / sign-off / the honesty reads, enforced by a derived structural test over all tool handlers (covers future tools by construction).
+
+## Rationale
+"Wardline analyses, Legis governs." Legis must never become a second judge of trust, and advisory context must be **structurally incapable** of reaching a verdict — not merely "we didn't wire it." Facts-not-verdict keeps Legis the sole authority while still letting siblings build verification on top. This is the doctrine for every future federation read.
+
+## Reversal trigger
+- If a sibling shows a need Legis cannot meet with facts-only (a genuine case where Legis must *decide*) → revisit as an explicit **vision / authority-grant escalation** (it would change the "not a second judge" anti-goal).
+- If any future seam is found feeding sibling data into a verdict path → treat as a **Critical** regression against this doctrine.

docs/product/decisions/0004-ratify-implement-forge-proof-attestation-classifier.md

@@ -0,0 +1,25 @@
+# PDR-0004 — Ratify + implement the forge-proof attestation classifier (Task 8); correct spec §4
+
+Date: 2026-06-25   Status: accepted (owner ratified the discriminator 2026-06-25; merge still owner-gated)   Author: claude (opus, product-owner)
+Unblocks the Task-8 deferral in [[0002-accept-warpline-bet-defer-classifier]]   Related: [[0003-federation-read-doctrine]]; tracker legis-1734128d34; commits da85e16, 1e21418
+
+## Context
+PDR-0002 shipped `attestation_get` fail-closed and **deferred** its positive-admission classifier, because the obvious operator-override discriminator is forgeable. The owner **ratified** the four classifier resolutions (2026-06-25, "Done"): (a) operator-override = a *verifying* signature, never the bare field; (b) only *signed* sign-offs attest; (c) no-key deployments → `unavailable`; (d) absent `content_hash` → omit.
+
+## Options considered
+1. Key off the (signed) verdict value, trusting that the record is in the verified set.
+2. Key off the **signature MARKER presence** (`judge_metadata_signature` / `signoff_signature`) — a strict subset of `_requires_verification`, so "admitted ⟹ verified" holds — integrity-bind the sign-off `content_hash` join via the signed `request_payload_hash`, and read only the signed `entity_key` dict.
+3. Keep it blocked (ship no classifier).
+
+## The call
+Option 2. Grounding confirmed the load-bearing facts against the real code: `judge_verdict`, `protected_cell`, and the inline `content_hash` are inside `signing_fields` (**FORGE-A closed**); the signed `SIGNED_OFF` carries a signed `request_payload_hash` (**FORGE-B closed**). Both kinds (`operator_override`, `signoff_cleared`) shipped forge-proof. The *necessary-but-not-sufficient* trap (membership in the verified set ≠ the field is signed) is closed by gating admission on the signature marker (a subset of the verification predicate) and keying only on signed fields; the sign-off join recomputes the PENDING hash and compares it to the signed `request_payload_hash` rather than trusting the `request_seq` pointer.
+
+Verified by an **adversarial forge phase** (4 lenses, live-run probes): **zero forges admitted**, both genuine positives admit; full CI gate green (pytest 1237, mypy clean, coverage 92.13%, ruff). Spec §4.1/§4.2/§7 corrected (the false *unconditional* fail-closed claim → conditional on a signature-verifiable trail; lowercase `signed_off` → `SIGNED_OFF`; hand-wave → the confirmed discriminator).
+
+## Rationale
+The forge-proof property is **structural**: admission requires the signature marker → the record was cryptographically verified → the keyed fields are authentic. A mutated unsigned field either breaks the signature (→ `AUDIT_INTEGRITY_FAILURE`) or isn't a field the classifier keys off. The sign-off join is integrity-checked, not pointer-trusted. This is the strongest "governed-good" signal warpline can safely skip reverification on, and it keeps the asymmetric rule (any ambiguity → omit).
+
+## Reversal trigger
+- If any adversarial review or production incident finds a forged / non-human-cleared record **admitted** → reopen immediately (Critical; the asymmetric rule is breached).
+- If the protected / sign-off **signing surface** changes (a keyed field moves out of `signing_fields` / `signoff_signing_fields`) → re-audit the discriminator against the new signed-field set.
+- Broadening the admitted set beyond the two human-cleared kinds is additive and requires the same signing-coverage proof per new kind.

docs/product/metrics.md

@@ -0,0 +1,27 @@
+# Metrics — Legis             Last read: 2026-06-25
+
+> Legis is a governance-_honesty_ tool, not an engagement product. Its north-star
+> is integrity of the honesty surface (no provable false-greens, no unverified
+> trust on a hot path), not usage. Targets below carry a number and a date so a
+> bet can be accepted or a PDR reversal trigger can fire. BASELINE/TARGET
+> placeholders marked `(set)` need a real number from the owner.
+
+## North-star
+| Metric | Target (falsifiable) | Current | Read on | Trend |
+|--------|----------------------|---------|---------|-------|
+| Open **confirmed governance-honesty defects** (security/governance findings that let the honesty surface be bypassed or trust be trusted unverified) | = 0 by 2026-07-15 | 3 (legis-476ab6f125, -0c310712a7, -0186c23a2c) | 2026-06-24 | → |
+
+## Input metrics (the levers that move the north-star)
+| Metric | Target | Current | Read on |
+|--------|--------|---------|---------|
+| Confirmed P2 security findings remaining open | 0 by 2026-07-15 | 3 | 2026-06-24 |
+| Median time-to-close on a confirmed security finding | ≤ 14 days `(set)` | unmeasured | 2026-06-24 |
+
+## Guardrails (must NOT degrade)
+| Metric | Floor / ceiling | Current | Read on |
+|--------|-----------------|---------|---------|
+| **Advisory-boundary invariant** — governance verdicts byte-identical with a sibling (Warpline) absent vs present | must hold (binary) | **holds — proven** by `tests/mcp/test_warpline_advisory_boundary.py` (byte-identical on real verdicts) + a derived structural guard over all tool handlers; warpline consumed only in its sibling tool | 2026-06-25 |
+| CI green (tests + mypy) | 100% | `warpline-interfaces` branch (Tasks 1–8 complete): pytest 1237 passed, mypy clean (78 files), coverage 92.13% — CI-equivalent gate run locally; `main` green at 1.1.1 | 2026-06-25 |
+| **Attestation classifier forge-resistance** — `attestation_get` admits no forged / non-human-cleared record | must hold (binary) | **holds** — adversarial forge phase (4 lenses, live-run probes) admitted **0** forges; admission gates on the signature marker + keys only on signed fields + integrity-bound sign-off join (PDR-0004) | 2026-06-25 |
+| Release publish gated on **live Loomweave SEI conformance** | must pass before any PyPI publish | gate in place (PR #8 line) | 2026-06-24 |
+| Test coverage vs configured floors (`scripts/check_coverage_floors.py`) | ≥ floors | **92.14% total** (floor 88); all per-package floors hold (mcp.py 92.4%, service/ 95.0%) — read on `warpline-interfaces` | 2026-06-25 |