Release 1.3.0 — nested .weft/legis/.gitignore (suite standard) + 6 cross-repo Weft seam conformance oracles#20
tachyon-beep wants to merge 4 commits into
Conversation
Closes legis's part of the cross-suite "every tool ships a complete nested .gitignore for its own dot-dir, with a durable-vs-ephemeral header" standard (filigree-4ed8152630). legis previously protected its dot-dir only with a project-root `.weft/legis/` rule — which evaporates the moment a consuming repo drops it, re-arming the "git add -A commits a live DB" footgun the standard exists to defuse.

- install.py: WEFT_LEGIS_GITIGNORE template + marker-guarded, append-not-clobber _ensure_nested_gitignore helper + ensure_legis_dir_gitignore(project_root). Unlike filigree's durable filigree.db, legis commits NOTHING durable here, so the ignore enumerates legis-*.db + WAL/SHM/journal sidecars and names the operator-elevation secrets (operator.age, operator_session.json). Enumerate-with-glob (not bare `*`) to match the sibling tools and leave the nested .gitignore itself tracked.
- cli.py: `legis install` / `--gitignore` ships it alongside the root rule.
- doctor.py: install.dir_gitignore check — flags an existing dot-dir missing the nested ignore, ships it on --repair; absent dot-dir is OK (created lazily). Repair proactively creates the dir so protection exists before any lazy DB open in the same pass.

Tests: real `git check-ignore` proof (in a repo with NO root .weft/ rule, so the nested file is provably load-bearing), idempotency, append-without-clobber, doctor detect+repair, install wiring. Full suite green (1250 passed, 92% cov), per-package floors hold, ruff check + mypy + policy-boundary gate clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Legis-resident halves of four cross-repo Weft seams, each driving legis's REAL code over a byte-identical golden with a Layer-1 byte-pin (fail-closed in the default suite) + a skip-clean Layer-2 source recheck:

- SEI(loomweave->legis): byte-pin the vendored sei-conformance-oracle.json (0ea5770...) so a vendored-fixture drift fails closed without a loomweave checkout (the existing source recheck was skip-clean only).
- git-renames(legis->loomweave): freeze GET /git/renames to git_renames.v1.json (74f69ee...) from the REAL endpoint; loomweave's real parser accepts the same bytes. Producer + consumer AGREE.
- signoff-binding(legis->filigree): freeze the governed POST body carrying the signoff_seq+signature extension (8796aeb...) by driving the REAL HttpFiligreeClient; filigree's real route persists + governs it. Distinct wire, not subsumed by entity-associations. AGREE.
- loomweave-HMAC-wire(legis->loomweave): cross-impl agreement of legis's real signer with loomweave's real Rust verifier (live-gated) + a skip-clean Layer-2 recheck of loomweave's canonical-message template. The SEI-semantics and legis-own-HMAC axes were already pinned; only the cross-impl agreement was uncovered (no frozen loomweave golden exists to vendor).

All negative-probed. 8 passed / 2 skipped (live-gated) focused; full legis suite green. No pyproject/markers changed; no existing tests altered.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
… side)
Warpline is mid-flight on plan/verification-freshness; per the freeze-shipped-side-
note-the-obligation discipline, build the durable LEGIS half of each warpline seam
and document the outstanding warpline obligation rather than chase the branch.
- legis->warpline preflight read (legis CONSUMER): froze legis's client-expected
flat REST contract ({affected:[{sei}],count} / {entries:[{sei}],count}) and drove
it through legis's REAL read_warpline_preflight/_decode_json_response (byte-pin
44bb515...). FINDING surfaced (not papered over): warpline ships NO HTTP producer
for this shape — its real surface is the rich MCP envelope (data.affected/data.items,
no count). Obligation: warpline must ship the flat producer + fixture; the Layer-2
recheck auto-arms when it lands.
- legis per-SEI attestation read for warpline (legis PRODUCER): froze legis's REAL
attestation_get MCP wire (status/sei/attestations[kind,content_hash,recorded_at,seq],
fail-closed unavailable discriminant), reproduced by the live serializer + MCP wire
(byte-pin ad894cc...). Keyed on SEI (rename-stable). Obligation: warpline's
LegisClient.governance_for_sei is unwired ('disabled') — it must read attestation_get
and map status->posture (unavailable != empty, the asymmetric-error security rule).
Both legis sides negative-probed (byte-pin + field-rename non-circularity). 10 passed
/ 2 skipped focused. No pyproject/markers; PROVENANCE.md additive only.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
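The Layer-1/Layer-2 discipline the seam commits describe (a byte-pin that fails closed in the default suite, and a source recheck that skips clean until the peer lands its half, then arms), as an added Python example that is not legis's own oracle code; the golden body, the PEER_CHECKOUT variable and the fixture path under the peer checkout are constructed assumptions:

```python
"""Two-layer seam oracle: Layer-1 byte-pin (fail-closed), Layer-2 source recheck (skip-clean).
Added example, not legis's oracle code. The golden body, the PEER_CHECKOUT variable
and the fixture path under the peer checkout are constructed assumptions.
"""
from __future__ import annotations

import hashlib
import json
import os
from pathlib import Path

# Constructed golden: the frozen wire body a producer test would vendor as a fixture.
GOLDEN = b'{"entries":[{"sei":"sei-0001"},{"sei":"sei-0002"}],"count":2}'
# Recorded when the golden was frozen; any later edit of the vendored fixture changes it.
PINNED_SHA256 = hashlib.sha256(GOLDEN).hexdigest()


def produce(entries: list[str], key: str = "sei") -> bytes:
    """Stand-in for the real serializer under test; `key` lets a negative probe rename a field."""
    body = {"entries": [{key: s} for s in entries], "count": len(entries)}
    return json.dumps(body, separators=(",", ":")).encode()


def layer1_byte_pin(vendored: bytes, pinned: str, produced: bytes) -> str:
    """Fail closed: fixture drift or producer drift raises; nothing here ever skips."""
    actual = hashlib.sha256(vendored).hexdigest()
    if actual != pinned:
        raise AssertionError(f"vendored golden drift: pinned {pinned[:12]}, got {actual[:12]}")
    if produced != vendored:
        raise AssertionError("producer no longer emits the golden bytes")
    return "agree"


def layer2_source_recheck(peer_root: Path | None) -> str:
    """Skip clean while the peer checkout or its half is absent; arms once it lands."""
    if peer_root is None or not peer_root.is_dir():
        return "skipped"
    peer_copy = peer_root / "fixtures" / "golden.json"  # assumed location in the peer repo
    if not peer_copy.is_file():
        return "skipped"  # peer obligation outstanding: recorded, not failed
    return layer1_byte_pin(peer_copy.read_bytes(), PINNED_SHA256, GOLDEN)


def run_oracle(peer_root: Path | None = None) -> dict[str, str]:
    """Default suite: Layer-1 always runs; Layer-2 uses PEER_CHECKOUT unless a path is given."""
    if peer_root is None and os.environ.get("PEER_CHECKOUT"):
        peer_root = Path(os.environ["PEER_CHECKOUT"])
    produced = produce(["sei-0001", "sei-0002"])  # drive the real producer, compare bytes
    return {"layer1": layer1_byte_pin(GOLDEN, PINNED_SHA256, produced),
            "layer2": layer2_source_recheck(peer_root)}
```

The field-rename negative probe is the non-circularity check the commits mention: renaming `sei` in the producer changes the bytes and Layer-1 must fail rather than re-derive the pin.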
Cut 1.3.0 combining two workstreams already linear on top of 1.2.0:

- feat(install) nested .weft/legis/.gitignore (suite standard, filigree-4ed8152630)
- the legis-resident halves of six cross-repo Weft seam conformance oracles

Version bump + CHANGELOG finalize only; no code change.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 47ec1b41ce
| (install_all or args.gitignore, ".gitignore", lambda: ensure_gitignore(project_root)), | ||
| ( | ||
| install_all or args.gitignore, | ||
| ".weft/legis/.gitignore", | ||
| lambda: ensure_legis_dir_gitignore(project_root), |
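Review bot: the guard `install_all or args.gitignore` on this new entry is copied verbatim from the root `.gitignore` entry above it, so the two conditions can drift independently, and neither fires for an install path that writes into `.weft/legis/` on its own (the `--posture` case raised in the comment below). Hoist the condition into a single local used by both entries, widened to the posture path (e.g. `want_gitignore = install_all or args.gitignore or args.posture`, assuming the flag maps to `args.posture`), so the nested ignore is always shipped before anything is written into the directory.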
Unignore the shipped nested gitignore
When legis install or legis install --gitignore runs in a Git repo, the preceding step adds .weft/legis/ to the root .gitignore, so Git ignores the nested .weft/legis/.gitignore created here as well (git check-ignore .weft/legis/.gitignore points at the root rule, and git add . will only add the root .gitignore). That means the new nested ignore is not tracked by normal installs, so the promised safety net disappears as soon as a consuming repo drops the root rule; the root ignore needs an exception for this file or a non-directory ignore pattern.
| install_all or args.gitignore, | ||
| ".weft/legis/.gitignore", | ||
| lambda: ensure_legis_dir_gitignore(project_root), |
Ship the ignore before posture-only writes secrets
With legis install --posture on a fresh repo, install_all and args.gitignore are both false, so this nested-ignore step is skipped while the later posture step creates .weft/legis/legis-posture.db and, for the age-file backend, operator.age. That leaves the newly created runtime state and encrypted operator key unignored unless the operator had already run the broader install; include the posture path here or have install_posture ship the nested ignore before writing into the directory.
| [project] | ||
| name = "legis" | ||
| version = "1.2.0" | ||
| version = "1.3.0" |
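Review bot: `version = "1.3.0"` is the only bump in this hunk, while the runtime `__version__` that the CLI, health/version endpoint and MCP serverInfo report lives in `src/legis/__init__.py` (see the comment below). Rather than bumping two places every release, derive the runtime value from package metadata (`importlib.metadata.version("legis")`) or add a test asserting `legis.__version__` equals the `[project]` version so any drift fails CI.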
Update the runtime version with the release
This release bumps the package metadata to 1.3.0, but src/legis/__init__.py still defines __version__ = "1.2.0", and the CLI, FastAPI health/version, and MCP serverInfo all report that runtime value. In source/editable installs or any path that imports legis.__version__, users and clients will see the previous version for a 1.3.0 release, so the runtime version should be bumped in the same release change.
Summary
Cuts legis 1.3.0, combining two independent workstreams that were already linear on top of 1.2.0 (no merge commit needed):

- feat(install): ship a nested `.weft/legis/.gitignore` (46544fe) — closes legis's part of the cross-suite "every tool ships a complete nested `.gitignore` for its own dot-dir, with a durable-vs-ephemeral header" standard (filigree-4ed8152630). legis previously protected its dot-dir only with a project-root `.weft/legis/` rule, which evaporates the moment a consuming repo drops it.
- (6a750cc, 6f50a33) — the legis-resident halves of six wire seams, byte-pinned + fail-closed.

1 — Nested dot-dir ignore (behavior change)

- install.py: `WEFT_LEGIS_GITIGNORE` template + marker-guarded, append-not-clobber writer + `ensure_legis_dir_gitignore()`. legis is the sole writer of `.weft/legis/` and commits nothing durable, so the ignore enumerates `legis-*.db` + WAL/SHM/journal sidecars, names the operator-elevation secrets (`operator.age`, `operator_session.json`), and covers the `mkstemp` staging temps (`*.tmp`, `.operator.age.*`). Enumerate-with-glob (not bare `*`) to match the sibling tools and keep the nested `.gitignore` tracked.
- cli.py: `legis install` / `--gitignore` ships it alongside the root rule.
- doctor.py: new `install.dir_gitignore` check — flags an existing dot-dir missing the nested ignore, ships it on `--repair`; an absent dot-dir is OK (created lazily).
- `git check-ignore` test in a repo with no root `.weft/` rule, so the nested file is provably load-bearing.

2 — Conformance oracles (test-only, +1388 lines)

Legis-resident halves of six cross-repo seams, each driving legis's real code over a byte-identical golden (Layer-1 byte-pin, fail-closed in the default suite; Layer-2 source recheck skip-clean): SEI (loomweave→legis), git-renames (legis→loomweave), signoff-binding (legis→filigree), loomweave-HMAC-wire (legis→loomweave, live-gated), the warpline preflight read (legis consumer), and the per-SEI `attestation_get` read (legis producer).

Two outstanding peer obligations are recorded rather than papered over: warpline ships no flat HTTP producer for the preflight shape, and warpline's `LegisClient.governance_for_sei` is unwired — with Layer-2 rechecks armed to fire when each peer lands its half.

CI gate (full legis pipeline, run locally on the release HEAD)

- `ruff check src` ✅ · `mypy src/legis` ✅
- `pytest --cov=legis --cov-fail-under=88`: 1264 passed, 9 skipped (live-gated), 92.02% coverage ✅
- `legis policy-boundary-check`: PASS ✅

🤖 Generated with Claude Code
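The nested-ignore mechanism described in the summary (marker-guarded, append-not-clobber, enumerate-with-glob so the ignore file itself stays trackable), as an added Python example; this is not legis's install.py, and the marker text, function names and template header lines are assumptions, while the pattern set follows the PR description:

```python
"""Marker-guarded, append-not-clobber nested .gitignore writer (added example).

Not legis's install.py: the marker text, names and header lines are assumptions;
the pattern set follows the PR description.
"""
from __future__ import annotations

import fnmatch
from pathlib import Path

MARKER = "# legis: nested dot-dir ignore (managed block)"  # assumed marker line

# Enumerated globs, not a bare "*", so the nested .gitignore itself stays trackable.
NESTED_GITIGNORE = f"""{MARKER}
# Durable: nothing. legis commits no durable state in this directory.
# Ephemeral: runtime DBs, their SQLite sidecars, and operator-elevation secrets.
legis-*.db
legis-*.db-wal
legis-*.db-shm
legis-*.db-journal
operator.age
operator_session.json
*.tmp
.operator.age.*
"""


def ensure_nested_gitignore(dot_dir: Path, template: str = NESTED_GITIGNORE,
                            marker: str = MARKER) -> str:
    """Create or extend dot_dir/.gitignore; returns 'created', 'appended' or 'unchanged'."""
    dot_dir.mkdir(parents=True, exist_ok=True)  # protection exists before any lazy DB open
    target = dot_dir / ".gitignore"
    if not target.exists():
        target.write_text(template, encoding="utf-8")
        return "created"
    existing = target.read_text(encoding="utf-8")
    if marker in existing.splitlines():
        return "unchanged"  # idempotent: managed block already present
    # Append below whatever the operator wrote; never rewrite their lines.
    sep = "\n" if existing and not existing.endswith("\n") else ""
    target.write_text(existing + sep + "\n" + template, encoding="utf-8")
    return "appended"


def is_ignored(relpath: str, gitignore_text: str = NESTED_GITIGNORE) -> bool:
    """Approximate single-level gitignore match (fnmatch; no negation or directory rules)."""
    patterns = [ln for ln in gitignore_text.splitlines() if ln and not ln.startswith("#")]
    return any(fnmatch.fnmatchcase(relpath, p) for p in patterns)
```

The fnmatch check only self-tests the template; the load-bearing proof remains `git check-ignore` in a repo without the root rule, as the PR's tests do.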