
Releases: foundryside-dev/legis

v1.2.0 — Warpline federation interfaces

25 Jun 07:02
15624c6


Warpline federation interfaces: an advisory preflight consumer and a forge-proof per-SEI attestation read. The agent MCP surface grows from 22 to 24 tools.

Added

  • Advisory Warpline preflight consumer (warpline_preflight_get). A stdlib-only HTTP client (HttpWarplineClient) and a read_warpline_preflight service-layer read surface Warpline's impact-radius and reverify-worklist hints. The consumer is purely advisory and structurally isolated from every governance verdict path: an acceptance test asserts that governance output is byte-identical with and without advisory data present, and transport or configuration failures degrade to a discriminated unavailable result rather than affecting a verdict or raising. The client reuses Legis's SSRF/redirect/size-cap gating (loopback or HTTPS only unless LEGIS_ALLOW_INSECURE_REMOTE_HTTP=1), with a clone-parity guard that fails if those primitives drift from the Filigree client.

  • Forge-proof per-SEI attestation read (attestation_get). A read_sei_attestations classifier surfaces the operator-override and cleared-signoff attestations bound to a given SEI. Admission is gated on cryptographic signature markers drawn from the verified-trail selection: a sign-off's joined PENDING record is integrity-bound by recomputing and comparing its content hash against the signed request-payload hash, every surfaced field comes from the signed set, and any ambiguity resolves to omission (a false "attested" is a security hole; a missed attestation only costs wasted reverify work). The adversarial forge phase admitted zero forged records.
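The admission rule for attestation_get, as an added example (not Legis's own read_sei_attestations). The record shapes are assumptions for illustration: a signed request is {"payload": {...}, "sig": hex HMAC-SHA256 over the canonical payload}, and a joined PENDING record is {"signoff_id": ..., "content": {...}}. The point it shows is the omission bias: a forged signature, a PENDING row whose content no longer hashes to the signed payload_hash, an ambiguous join, or a wrong SEI all drop the record rather than surfacing anything.

```python
"""Forge-resistant per-SEI attestation read (added example; shapes are assumed)."""
import hashlib
import hmac
import json
from dataclasses import dataclass

KINDS = ("operator_override", "cleared_signoff")


def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, payload: dict) -> str:
    # Stand-in for the signed-request marker (constructed HMAC, not the Weft scheme).
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()


def content_hash(content) -> str:
    return hashlib.sha256(canonical(content)).hexdigest()


@dataclass(frozen=True)
class Attestation:
    sei: str
    kind: str
    actor: str


def read_sei_attestations(sei: str, signed_requests: list, pending_records: list,
                          key: bytes) -> list:
    """Admit an attestation only when every check passes; otherwise omit it.
    A false "attested" is a security hole; a missed one only costs reverify work."""
    pending_by_id: dict = {}
    for rec in pending_records:
        pending_by_id.setdefault(rec.get("signoff_id"), []).append(rec)

    admitted = []
    for req in signed_requests:
        payload = req.get("payload")
        if not isinstance(payload, dict):
            continue
        # 1. The signature marker must verify (constant-time compare).
        if not hmac.compare_digest(sign(key, payload), str(req.get("sig", ""))):
            continue
        # 2. Scope and shape checks use signed fields only.
        kind, actor = payload.get("kind"), payload.get("actor")
        if payload.get("sei") != sei or kind not in KINDS or not isinstance(actor, str):
            continue
        # 3. A cleared sign-off must bind to exactly one PENDING row whose content
        #    recomputes to the signed payload_hash.
        if kind == "cleared_signoff":
            joined = pending_by_id.get(payload.get("signoff_id"), [])
            if len(joined) != 1:
                continue                        # missing or ambiguous join: omit
            if not hmac.compare_digest(content_hash(joined[0].get("content")),
                                       str(payload.get("payload_hash", ""))):
                continue                        # PENDING content != what was signed
        # 4. Every surfaced field comes from the signed payload, never from the join.
        admitted.append(Attestation(sei=sei, kind=kind, actor=actor))
    return admitted
```

The join table is never a source of surfaced data; it is only consulted to confirm that what was signed still matches what is on disk.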

Note: the Warpline wire format (/api/impact-radius, /api/reverify-worklist) is inferred from the Filigree pattern and marked TO-CONFIRM; the client degrades to unavailable on any shape mismatch, so this release is fail-safe pending Warpline's own endpoints landing.
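The advisory consumer's fail-safe shape, as an added example (not Legis's HttpWarplineClient or read_warpline_preflight). The response document layout ({"impact_radius": [...], "reverify_worklist": [...]}) is an assumption, matching the TO-CONFIRM status above; the SSRF gate (loopback or HTTPS only unless LEGIS_ALLOW_INSECURE_REMOTE_HTTP=1), the refused redirect, the body size cap and the shape check all collapse to a discriminated Unavailable value, and the governance verdict function takes no advisory input at all, so its bytes cannot vary with the hint.

```python
"""Advisory preflight consumer that degrades to Unavailable (added example)."""
import json
import os
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Union
from urllib.parse import urlsplit

MAX_BODY_BYTES = 64 * 1024          # size cap: never slurp an unbounded body
TIMEOUT_S = 3.0
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


@dataclass(frozen=True)
class Preflight:
    impact_radius: tuple
    reverify_worklist: tuple


@dataclass(frozen=True)
class Unavailable:
    reason: str                     # discriminator: why no hint is available


Result = Union[Preflight, Unavailable]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None                 # refuse 3xx: a redirect could pivot to an internal host


def url_allowed(url: str, allow_insecure_remote: bool = False) -> bool:
    parts = urlsplit(url)
    if parts.scheme == "https":
        return True
    if parts.scheme == "http":
        return (parts.hostname or "") in LOOPBACK or allow_insecure_remote
    return False                    # file://, ftp://, etc. are never allowed


def parse_preflight(body: bytes) -> Result:
    try:
        doc = json.loads(body)
    except ValueError:
        return Unavailable("not_json")
    if not isinstance(doc, dict):
        return Unavailable("shape_mismatch")
    fields = {}
    for key in ("impact_radius", "reverify_worklist"):   # assumed wire fields
        val = doc.get(key)
        if not isinstance(val, list) or not all(isinstance(x, str) for x in val):
            return Unavailable("shape_mismatch")
        fields[key] = tuple(val)
    return Preflight(**fields)


def read_preflight(url: str) -> Result:
    allow = os.environ.get("LEGIS_ALLOW_INSECURE_REMOTE_HTTP") == "1"
    if not url_allowed(url, allow):
        return Unavailable("url_not_allowed")
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(url, timeout=TIMEOUT_S) as resp:
            body = resp.read(MAX_BODY_BYTES + 1)
    except (urllib.error.URLError, OSError, ValueError):
        return Unavailable("transport")        # includes the refused redirect
    if len(body) > MAX_BODY_BYTES:
        return Unavailable("too_large")
    return parse_preflight(body)


def governance_verdict(record: dict) -> bytes:
    # Takes no advisory argument on purpose: the verdict cannot depend on hints.
    return json.dumps({"sei": record["sei"], "cell": record["cell"]},
                      sort_keys=True, separators=(",", ":")).encode()


def report(record: dict, hint: Result) -> dict:
    return {"verdict": governance_verdict(record),
            "advisory": hint if isinstance(hint, Preflight) else None}
```

The byte-identical property the acceptance test asserts falls out of the signature of governance_verdict rather than of any runtime check: the only way advisory data could reach the verdict is if someone adds a parameter.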

Full changes: see CHANGELOG.md.

v1.1.1 — posture and release hardening

22 Jun 21:51
8ee58e9


Security and release-readiness hardening after the 1.1.0 dogfood release.

Highlights:

  • Posture floor reads fail closed and ignore metadata tails.
  • Operator elevation sessions require authenticated, recorded custody.
  • Rekey recovery preserves the standing floor and now requires explicit key custody.
  • Explicit posture installation fails closed when custody is unavailable.
  • Env-configured coached API/MCP paths are wired without breaking chill behavior, including MCP retry/rate read honesty.
  • Release publication gates now repeat lint, tests, coverage floors, mypy, SEI oracle, policy-boundary, build, twine, and live Loomweave conformance checks.

v1.1.0 — lacuna-dogfood defect fixes

19 Jun 10:59
38b1c58


Three defects surfaced by a lacuna dogfooding pass, confirmed against the shipped 1.0.0 surface (investigation + adversarial verification) and fixed test-first.

⚠️ Breaking (for pinned fingerprints)

  • @policy_boundary test_fingerprint is now interpreter-stable (legis-13b4e97bf4). The fingerprint hashed raw ast.dump output, which is Python-version-dependent (3.13 omits default-empty AST fields 3.12 renders), causing spurious POLICY_BOUNDARY_TEST_FINGERPRINT_MISMATCH across interpreters. Now serialized via a version-stable _stable_ast_repr (every field of every node, fixed order), pinned by a cross-interpreter 3.12↔3.13 test. This changes the fingerprint value for all sources — consumers with pinned test_fingerprints must regenerate once against 1.1.0.

Fixed

  • Posture reads degrade instead of crashing on an unprovisioned ledger (legis-5fd3b257c3). A pre-posture / empty (no audit_log table) DB made posture_get and policy_list raise OperationalError, surfaced as a non-recoverable INTERNAL_ERROR leaking the SQL string. AuditStore reads now treat an absent table as an empty store, so posture reads fail closed to structured.
  • install --posture --insecure-key-in-env adopts the operator key instead of dropping it (legis-1844bf8ac9). Install minted a throwaway and ignored LEGIS_OPERATOR_KEY, leaving the floor read-only (fingerprint_mismatch). The env backend now adopts + validates LEGIS_OPERATOR_KEY as the epoch key and fails loud if absent/malformed.
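The absent-table behaviour from the first fix above, as an added example (not Legis's AuditStore). The schema audit_log(sei TEXT, floor TEXT), the "last recorded floor wins" rule and the StoreError code are constructed for illustration; what the example shows is the two halves of failing closed: a missing table reads as an empty store and yields the structured cell, while any other driver error is wrapped in a stable code so the SQL text never reaches the caller.

```python
"""Posture read over an unprovisioned ledger (added example; schema is assumed)."""
import sqlite3

CELLS = ("chill", "coached", "structured", "protected")
FAIL_CLOSED = {"floor": "structured", "source": "default"}


class StoreError(Exception):
    """Structured error carrying a code, never the SQL or driver message."""
    def __init__(self, code: str):
        super().__init__(code)
        self.code = code


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def read_floor_rows(conn: sqlite3.Connection) -> list:
    if not table_exists(conn, "audit_log"):
        return []                     # pre-posture DB: empty store, not OperationalError
    try:
        return conn.execute("SELECT sei, floor FROM audit_log ORDER BY rowid").fetchall()
    except sqlite3.OperationalError:
        # "from None" drops the driver exception (and its SQL string) from the chain.
        raise StoreError("AUDIT_STORE_UNREADABLE") from None


def posture_get(conn: sqlite3.Connection) -> dict:
    rows = read_floor_rows(conn)
    if not rows:
        return dict(FAIL_CLOSED, events=0)
    floor = rows[-1][1]               # assumed rule: latest ledger row is the floor
    if floor not in CELLS:
        return dict(FAIL_CLOSED, events=len(rows))   # unknown cell name: fail closed
    return {"floor": floor, "source": "ledger", "events": len(rows)}
```

Checking sqlite_master first is a deliberate choice over catching "no such table" by message text: the message is driver-specific, and matching on it is exactly how the SQL string ended up in the error path before the fix.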

Full suite: 1160 passed, 5 skipped · ruff check src + mypy src/legis clean · coverage floors hold. See CHANGELOG.md for details.

v1.0.0

17 Jun 01:21
8dba661


Legis 1.0.0 — git/CI + governance member of the Weft federation.

Part of the five-member clean-break cutover (Filigree, Loomweave, Wardline, Legis, Warpline). Graded enforcement (chill/coached/structured/protected cells), SEI-keyed append-only audit trail surviving rename/move, and the Loomweave-bound rename feed.

Publishes to PyPI via Trusted Publishing (OIDC) on this release.

v1.0.0rc4

07 Jun 14:10
369302a


Pre-release

First publish of the 1.0.0rc4 line (rc4 was staged but never tagged).

Headline since rc3

  • legis doctor — operator health view + safe repair for the install/config layer.
  • C-9 store consolidation — all legis stores under .weft/legis/; weft.toml [legis] enrich-only; malformed/absent weft.toml boots on defaults.
  • legis install self-install + --mcp registration; SessionStart hook; legis session-context.
  • Dogfood #2 friction-tail: legis --version (LG-1), CELL_NOT_ENABLED recovery hint names the enablement path (Le1), charter documents the verified_author: null gap (C3).

Gates: ruff + mypy clean; 754 passed; coverage 92.29% (floor 88%). See CHANGELOG.md [1.0.0rc4].

v1.0.0rc3

05 Jun 18:52
c1a6d9e


Pre-release

Release candidate 3 — architecture-analysis P1/P2 remediation.

Supersedes rc2 (immutable on PyPI). Ships the full Q-H/Q-M/Q-L remediation from the 2026-06-06 architecture analysis, headlined by the Q-M4 transport correctness fix: Filigree requests now send the exact canonical bytes the Weft HMAC commits to (wire-bytes == signed-bytes), so a Filigree verifier checking the body hash against the request bytes will accept signed POSTs.

Highlights:

  • Q-M4 transport: canonical signed bytes on the wire (mirrors the loomweave channel)
  • Q-H1/H2/H3: writer-scoped single-secret auth, service-layer as the single governance decision path, advisory-only LLM judge on protected policies
  • Q-M3/M5/M7/M8: non-finite-float tamper detection, atomic same-cell wardline batches, fail-closed policy cells, honesty-gate assertion-subject check
  • Packaging: declared pydantic>=2 as a direct dependency
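The Q-M4 property (wire-bytes == signed-bytes) and the defect it replaces, as an added example that is not the Legis or Filigree transport. The header names, the hash-then-MAC layout and the verifier are assumptions; the Weft HMAC scheme itself is not described on this page. The verifier hashes the bytes it actually received, so a sender that signs canonical bytes and then lets its HTTP layer re-encode the dict produces a body hash that no longer matches.

```python
"""Canonical signed bytes on the wire vs. re-serialized bytes (added example)."""
import hashlib
import hmac
import json


def canonical_bytes(payload: dict) -> bytes:
    # One fixed encoding: sorted keys, no whitespace, UTF-8.
    return json.dumps(payload, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def sign_request(key: bytes, payload: dict) -> tuple:
    """Return (body, headers); body is the exact byte string the signature commits to."""
    body = canonical_bytes(payload)
    body_hash = hashlib.sha256(body).hexdigest()
    sig = hmac.new(key, body_hash.encode(), hashlib.sha256).hexdigest()
    return body, {"X-Body-SHA256": body_hash, "X-Signature": sig}   # assumed header names


def verify_request(key: bytes, body: bytes, headers: dict) -> bool:
    """Verifier side: hash the received bytes, never a re-parsed copy of them."""
    got_hash = hashlib.sha256(body).hexdigest()
    if not hmac.compare_digest(got_hash, headers.get("X-Body-SHA256", "")):
        return False
    expect = hmac.new(key, got_hash.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expect, headers.get("X-Signature", ""))


def send_reserialized(payload: dict, headers: dict) -> tuple:
    """Pre-fix pattern: the HTTP layer re-encodes the dict with default separators
    and insertion key order, so the bytes on the wire differ from the signed bytes."""
    return json.dumps(payload).encode("utf-8"), headers


def send_canonical(body: bytes, headers: dict) -> tuple:
    """Post-fix pattern: the already-signed bytes go on the wire unchanged."""
    return body, headers
```

The two senders carry identical headers; only the body differs, which is why the defect was invisible to any check that re-serialized the dict on both sides and only surfaced against a verifier that hashes the raw request bytes.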

Known limit: the legis↔Filigree signed handshake is verified against legis's own transport and is byte-consistent with the proven loomweave channel, but has no live end-to-end integration test until Filigree ships its Weft verifier.

🤖 Generated with Claude Code

v1.0.0rc2

05 Jun 15:46


Pre-release

First tagged release of Legis as a member of the Weft suite (formerly Loom).

Highlights

  • Full Clarion→Loomweave / Loom→Weft rebrand across the consumer wire seam, config, symbols, and docs.
  • Security: MCP idempotency keys are now bound to a request hash (no cross-request replay).
  • Security: check-override-rate fails closed — requires LEGIS_HMAC_KEY when protected records are present.
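The idempotency-key binding from the first security item above, as an added example (not Legis's MCP server). The in-memory store, the state names and the tool names used in the usage are constructed for illustration. The key alone is not enough to replay a cached result: the stored entry also records a hash of the tool name and parameters, and a later request presenting the same key with a different hash is rejected rather than served the earlier response.

```python
"""Idempotency keys bound to a request hash (added example)."""
import hashlib
import json
from typing import Optional


def request_hash(tool: str, params: dict) -> str:
    body = json.dumps({"tool": tool, "params": params},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


class IdempotencyStore:
    """key -> (request_hash, result). A key may only replay the request it was
    first used with; the same key with a different request is a conflict."""

    def __init__(self) -> None:
        self._entries: dict = {}

    def begin(self, key: str, tool: str, params: dict) -> tuple:
        h = request_hash(tool, params)
        entry = self._entries.get(key)
        if entry is None:
            self._entries[key] = (h, None)
            return "new", None
        stored_hash, result = entry
        if stored_hash != h:
            return "conflict", None       # key reused for a different request
        if result is None:
            return "in_progress", None    # first call has not finished yet
        return "replay", result

    def finish(self, key: str, result: dict) -> None:
        stored_hash, _ = self._entries[key]
        self._entries[key] = (stored_hash, result)


def handle(store: IdempotencyStore, key: str, tool: str, params: dict) -> dict:
    state, cached = store.begin(key, tool, params)
    if state == "replay":
        return cached
    if state == "conflict":
        return {"error": "IDEMPOTENCY_KEY_CONFLICT"}
    if state == "in_progress":
        return {"error": "IDEMPOTENCY_IN_PROGRESS"}
    result = {"ok": True, "tool": tool, "echo": params}   # stand-in for the real tool
    store.finish(key, result)
    return result
```

Without the hash, an attacker who learns a key (from logs, a retry buffer, or a shared client) can attach it to an arbitrary request and either receive the cached response for something they never sent or suppress execution of their own request; binding the key to the request hash closes both.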

Pre-release (pip install legis needs --pre). Published to PyPI via Trusted Publishing.