release/consolidation-2026-06-26: weft-seam conformance + project-root artifacts

.github/workflows/ci.yml

@@ -21,10 +21,10 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event_name != 'schedule'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
         with:
           persist-credentials: false
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
+      - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
         with:
           enable-cache: true
           python-version: "3.13"
@@ -42,10 +42,10 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event_name != 'schedule'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
         with:
           persist-credentials: false
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
+      - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
         with:
           enable-cache: true
           python-version: "3.13"
@@ -60,10 +60,10 @@ jobs:
       matrix:
         python-version: ["3.12", "3.13"]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
         with:
           persist-credentials: false
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
+      - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
         with:
           enable-cache: true
           python-version: ${{ matrix.python-version }}
@@ -76,10 +76,10 @@ jobs:
     needs: test
     if: github.event_name != 'schedule'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
         with:
           persist-credentials: false
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
+      - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
         with:
           enable-cache: true
           python-version: "3.13"
@@ -120,10 +120,10 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event_name == 'schedule'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
         with:
           persist-credentials: false
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
+      - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
         with:
           enable-cache: true
           python-version: "3.13"
@@ -163,10 +163,10 @@ jobs:
           - name: Warpline
             marker: warpline_e2e
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
         with:
           persist-credentials: false
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
+      - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
         with:
           enable-cache: true
           python-version: "3.13"

.github/workflows/deploy-site.yml

@@ -4,7 +4,7 @@
 # copied verbatim into the build output). It consumes the shared @weft/site-kit,
 # which lives in a SUBDIRECTORY of a DIFFERENT repo (foundryside-dev/weft).
 # npm cannot install a git subdirectory as a file: dep directly, so the build
-# sparse-fetches packages/site-kit into site/vendor/site-kit first
+# sparse-fetches a pinned packages/site-kit commit into site/vendor/site-kit first
 # (scripts/fetch-site-kit.mjs), then `npm install` resolves the file: dep and
 # `astro build` compiles it. The fetch also runs as a preinstall hook, but the
 # explicit step keeps the order legible.
@@ -29,6 +29,11 @@ concurrency:
   group: pages
   cancel-in-progress: false
 
+env:
+  # Privileged Pages builds must consume an immutable site-kit revision. Update
+  # this SHA deliberately when promoting a new foundryside-dev/weft site kit.
+  WEFT_SITE_KIT_REF: a8f9a6a77458d2ec697cfbc1f71dd88a51962cb7
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -37,13 +42,13 @@ jobs:
         working-directory: site
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v7
 
       - name: Configure Pages
         # Pin the Pages source to GitHub Actions (build_type=workflow); enables
         # Pages if needed. Without this, deploy-pages fails when the repo is
         # still set to "Deploy from a branch".
-        uses: actions/configure-pages@v5
+        uses: actions/configure-pages@v6
         with:
           enablement: true
 
@@ -78,4 +83,4 @@ jobs:
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@v5

.github/workflows/release.yml

@@ -12,10 +12,10 @@ jobs:
     name: Build distributions
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           persist-credentials: false
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
+      - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
         with:
           enable-cache: true
           python-version: "3.13"
@@ -59,4 +59,4 @@ jobs:
         # twine reject it ("Unknown distribution format") and blocks the release.
         # Verification above already consumed it.
         run: rm -f dist/SHA256SUMS
-      - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+      - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0

.gitignore

@@ -39,6 +39,12 @@ output/
 # port (a live, never-committed runtime artifact, not tracked state).
 .weft/*/ephemeral.port
 
+# Local sibling tool stores are runtime/tooling state for this checkout. Keep
+# wardline's own .weft/wardline/ suppression state visible and auditable.
+.weft/filigree/
+.weft/loomweave/
+.weft/warpline/
+
 # Filigree issue tracker
 .filigree/
 .env
@@ -56,7 +62,6 @@ coverage.json
 loomweave.yaml
 
 # Filigree issue tracker
-.weft/
 .filigree.conf
 .agents/skills/loomweave-workflow/.fingerprint
 .agents/skills/loomweave-workflow/SKILL.md

.jules/sentinel.md

@@ -0,0 +1,9 @@
+## 2025-02-14 - Prevent Git Config Code Execution
+**Vulnerability:** Invoking `git` via `subprocess` against untrusted directories without overriding config can allow malicious repositories to execute code via `.git/config` hooks like `core.fsmonitor`.
+**Learning:** `git` uses configurations from the `.git/config` file in the current working directory or `cwd` argument, which could be controlled by an attacker when analyzing untrusted codebases.
+**Prevention:** Explicitly pass `("-c", "core.fsmonitor=false")` as `_SAFE_GIT_CONFIG` to all `git` subprocess commands in the codebase.
+
+## 2026-06-21 - [Add Unsafe PyYAML Loaders to Taint Tracking]
+**Vulnerability:** The static analyzer was missing `yaml.unsafe_load` and `yaml.full_load` in its `_SERIALISATION_SINKS` mapping, potentially leading to false negatives when tracking untrusted data flowing into these dangerous deserialization functions.
+**Learning:** Even if functions are listed in rule specifications (like `_SINK_SPECS`), they also need to be properly categorized in the core taint propagation logic (`_SERIALISATION_SINKS`) to ensure the analyzer correctly sheds validation provenance (converting output to `UNKNOWN_RAW`).
+**Prevention:** When adding new sinks to rule definitions, always verify if they need to be added to core propagation mappings like `_SERIALISATION_SINKS` or `_PROPAGATING_BUILTINS`.

CHANGELOG.md

@@ -7,6 +7,35 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+- Default scan artifacts now anchor to the weft-project root (the `weft.toml` directory)
+  rather than the scan cwd, so a subdirectory scan writes to `<project-root>/.wardline/`.
+  Retention is therefore project-root-wide across heterogeneous subdir/root scans sharing
+  one `.wardline/`. **Migration:** the artifact moves to the project root; `wardline doctor
+  --repair` sweeps now-stale per-subdir `.wardline/` dirs — update any CI/automation reading
+  a hardcoded `<subdir>/.wardline/*-findings.jsonl` path.
+
+### Added
+- `wardline doctor --repair` gitignores the artifacts dir and sweeps stray managed
+  artifacts; deletion is available on both the CLI and the MCP `doctor` tool (`repair:true`,
+  advertised `destructiveHint: true`), bounded to managed (timestamped) files inside
+  non-standard `.wardline/` dirs under the project root; emptied dirs are removed
+  best-effort (non-empty dirs are left in place).
+
+### Fixed
+- **Candidate-set merge no longer scales cubically (scan DoS).** The Level-2
+  branch-join merges for lambda bindings (`_merge_branch_bindings`) and
+  receiver-type candidates (`_merge_branch_types`) deduplicated with a nested
+  linear scan of the growing candidate list — O(bucket²) per merge, O(N³)
+  across a chain of `N` one-armed branches rebinding the same name. An
+  attacker-authored file (~1100 such branches) could drive a default-gate scan
+  to ~15s and exhaust CPU on every local and CI run. Both merges now dedup via
+  an identity/equality set (O(bucket) per merge, O(N²) cumulative), preserving
+  the exact candidate set and insertion order; the demonstrated 1100-branch case
+  drops from seconds to milliseconds. No analysis behavior changes — the
+  candidate sets are identical, so no false negative is introduced.
+  Reviewed regression source: `eff4eed2` (wardline-c797baf28b).
+
 ## [1.0.7] - 2026-06-24
 
 ### Fixed
@@ -1353,6 +1382,7 @@ for Python — enterprise-class trust-boundary analysis at small-team weight.
 - **Packaging** — MIT-licensed; optional extras `scanner` (config + CLI) and
   `weft` (HTTP integrations).
 
+[Unreleased]: https://github.com/foundryside-dev/wardline/compare/v1.0.6...HEAD
 [1.0.6]: https://github.com/foundryside-dev/wardline/compare/v1.0.5...v1.0.6
 [1.0.5]: https://github.com/foundryside-dev/wardline/compare/v1.0.4...v1.0.5
 [1.0.4]: https://github.com/foundryside-dev/wardline/compare/v1.0.3...v1.0.4

CONTRIBUTING.md

@@ -63,7 +63,7 @@ see `CLAUDE.md`).
 
 - **TDD.** Write the failing test first.
 - Keep PRs focused — one logical change per PR.
-- New behavior needs tests. New `wardline.yaml` keys need a `config_schema.py` update.
+- New behavior needs tests. New `[wardline]` keys in `weft.toml` need a `config_schema.py` update.
 - No back-compat shims for unreleased specs — make clean changes.
 - Wardline scans its own source as a CI gate; keep the tree finding-clean (or baselined).
 

README.md

@@ -24,7 +24,7 @@ def build_record(req):
 
 ```console
 $ wardline scan . --fail-on ERROR
-scanned 1 file(s); 3 finding(s) — 0 suppressed (0 baseline / 0 waiver / 0 judged), 1 active -> .wardline/20260620T153012Z-findings.jsonl
+scanned 1 file(s); 2 finding(s) — 0 suppressed (0 baseline / 0 waiver / 0 judged), 1 active -> .wardline/20260620T153012Z-findings.jsonl
 $ echo $?
 1
 ```
@@ -33,8 +33,8 @@ The gate trips (exit 1) and the findings land in timestamped JSON Lines under
 `.wardline/` by default (`--output PATH` writes to an exact path; `--format
 sarif` emits SARIF for GitHub code scanning). Wardline is agent-first — you
 don't read that file by hand. Your coding agent does: ask it *"why did the scan
-fail?"* and it surfaces the one active defect (the other two findings are
-`NONE`-severity engine facts):
+fail?"* and it surfaces the one active defect (the other finding is a
+`NONE`-severity engine fact):
 
 > **`demo.build_record`** declares return trust `ASSURED` but actually returns
 > `EXTERNAL_RAW` (less trusted) — untrusted data reaches a trusted producer.
@@ -137,7 +137,7 @@ Prefer `weft_markers` in application code. Wardline still recognizes
 | `scanner` | pyyaml, jsonschema, click | the `wardline` CLI and `wardline mcp` server |
 | `loomweave` | blake3 | persisting taint facts to a Loomweave store |
 | `rust` | scanner extra, tree-sitter, tree-sitter-rust | `wardline scan --lang rust` |
-| `docs` | mkdocs, mkdocs-material | building the documentation site |
+| `docs` | mkdocs, mkdocs-material | a local MkDocs render of `docs/` |
 
 The LLM triage judge (`wardline judge`) is dependency-free (stdlib `urllib` →
 OpenRouter) and needs no extra.
@@ -150,8 +150,9 @@ wardline install
 
 This injects a hash-fenced instruction block into `CLAUDE.md`/`AGENTS.md`,
 installs the `wardline-gate` skill, merges a `wardline` entry into `.mcp.json`,
-and writes Codex's `~/.codex/config.toml` MCP entry. Agents then run the scan →
-explain → fix-at-boundary → rescan loop natively. The `wardline mcp` server
+writes Codex's `~/.codex/config.toml` MCP entry, detects Loomweave/Filigree
+siblings, mints an attest signing key, and adds pre-commit hook config. Agents
+then run the scan → explain → fix-at-boundary → rescan loop natively. The `wardline mcp` server
 exposes the primary tool surface over JSON-RPC with no SDK, including scan,
 filtered findings, explain-taint, fix, judge, baseline/waiver, doctor, rekey,
 assure, attest, dossier, and Filigree filing tools.
@@ -196,23 +197,23 @@ It is **not** the right tool when you need:
 
 ## Documentation
 
-Full documentation lives at **<https://foundryside-dev.github.io/wardline/>**.
+Full documentation lives in the [`docs/`](https://github.com/foundryside-dev/wardline/tree/main/docs) tree.
 
 | Document | Description |
 |----------|-------------|
-| [Getting Started](https://foundryside-dev.github.io/wardline/getting-started/) | Install, decorate, first scan |
-| [Taint & Trust Model](https://foundryside-dev.github.io/wardline/concepts/model/) | The lattice, decorators, and propagation |
-| [Rules](https://foundryside-dev.github.io/wardline/concepts/rules/) | The boundary, exception-flow, and sink rules |
-| [Configuration](https://foundryside-dev.github.io/wardline/guides/configuration/) | `weft.toml` `[wardline]`: rules, severity, excludes |
-| [Suppression](https://foundryside-dev.github.io/wardline/guides/suppression/) | Baselines and waivers |
-| [LLM Triage Judge](https://foundryside-dev.github.io/wardline/guides/judge/) | Opt-in TRUE/FALSE-positive labelling |
-| [Rust Support](https://foundryside-dev.github.io/wardline/guides/rust-preview/) | Preview Rust command-injection frontend |
-| [Weft Integration](https://foundryside-dev.github.io/wardline/guides/weft/) | SARIF, Filigree, Loomweave, and sibling URL resolution |
-| [Assurance Posture](https://foundryside-dev.github.io/wardline/guides/assurance-posture/) | Coverage posture, attestations, and trust-surface evidence |
-| [Loomweave Taint Store](https://foundryside-dev.github.io/wardline/guides/loomweave-taint-store/) | Persisting taint facts |
-| [CLI Reference](https://foundryside-dev.github.io/wardline/reference/cli/) | Every command and flag |
-| [Trust Vocabulary](https://foundryside-dev.github.io/wardline/reference/vocabulary/) | The decorators and their arguments |
-| [Agent Integration](https://foundryside-dev.github.io/wardline/guides/agents/) | Using Wardline from a coding agent |
+| [Getting Started](https://github.com/foundryside-dev/wardline/blob/main/docs/getting-started.md) | Install, decorate, first scan |
+| [Taint & Trust Model](https://github.com/foundryside-dev/wardline/blob/main/docs/concepts/model.md) | The lattice, decorators, and propagation |
+| [Rules](https://github.com/foundryside-dev/wardline/blob/main/docs/concepts/rules.md) | The boundary, exception-flow, and sink rules |
+| [Configuration](https://github.com/foundryside-dev/wardline/blob/main/docs/guides/configuration.md) | `weft.toml` `[wardline]`: rules, severity, excludes |
+| [Suppression](https://github.com/foundryside-dev/wardline/blob/main/docs/guides/suppression.md) | Baselines and waivers |
+| [LLM Triage Judge](https://github.com/foundryside-dev/wardline/blob/main/docs/guides/judge.md) | Opt-in TRUE/FALSE-positive labelling |
+| [Rust Support](https://github.com/foundryside-dev/wardline/blob/main/docs/guides/rust-preview.md) | Preview Rust command-injection frontend |
+| [Weft Integration](https://github.com/foundryside-dev/wardline/blob/main/docs/guides/weft.md) | SARIF, Filigree, Loomweave, and sibling URL resolution |
+| [Assurance Posture](https://github.com/foundryside-dev/wardline/blob/main/docs/guides/assurance-posture.md) | Coverage posture, attestations, and trust-surface evidence |
+| [Loomweave Taint Store](https://github.com/foundryside-dev/wardline/blob/main/docs/guides/loomweave-taint-store.md) | Persisting taint facts |
+| [CLI Reference](https://github.com/foundryside-dev/wardline/blob/main/docs/reference/cli.md) | Every command and flag |
+| [Trust Vocabulary](https://github.com/foundryside-dev/wardline/blob/main/docs/reference/vocabulary.md) | The decorators and their arguments |
+| [Agent Integration](https://github.com/foundryside-dev/wardline/blob/main/docs/guides/agents.md) | Using Wardline from a coding agent |
 
 ## Development
 

ROADMAP.md

@@ -5,24 +5,26 @@ a direction sketch, not a commitment — dates are deliberately omitted.
 
 ## Where we are
 
-**0.3.0 — shipped.** The staged build (SP0–SP9) is complete:
+**1.0.6 — shipped.** The staged build (SP0–SP9) is complete:
 
 - Function-, variable-, and project-level taint over an inter-module call graph
   (L1–L2 with an L3 fixed point).
 - The NG-25 trust vocabulary and three opt-in decorators.
-- Four policy rules (PY-WL-101..104), severity/enable config, baselines + waivers.
+- 26 Python policy rules (PY-WL-101..126) plus Rust preview rules
+  (RS-WL-108/112), severity/enable config, baselines + waivers.
 - JSONL + SARIF + native Filigree emit.
 - Dependency-free MCP-over-stdio server (`wardline mcp`).
 - Opt-in LLM triage judge (`wardline judge`).
 - `wardline install` agent enablement.
 - Opt-in Loomweave taint-store integration.
-- Published to PyPI; docs site live; CI dogfoods Wardline on its own source.
+- Published to PyPI; CI dogfoods Wardline on its own source.
 
 ## Scope
 
 Wardline is deliberately **L1–L2 with an L3 project fixed point**, not an
-exhaustive path-sensitive whole-program prover, and Python-only. We favor a
-small, precise, opt-in rule set over broad SAST coverage.
+exhaustive path-sensitive whole-program prover, and Python-first (with a Rust
+preview, `wardline scan --lang rust`). We favor a small, precise, opt-in rule
+set over broad SAST coverage.
 
 ## Near-term threads
 
@@ -39,6 +41,6 @@ Tracked in the project's Filigree issues:
 
 ## Out of scope (for now)
 
-- Languages other than Python.
+- Broad multi-language coverage beyond the Python core and Rust preview.
 - A general-purpose, dozens-of-rules SAST suite.
 - A hosted/cloud service — Wardline stays local-first.

docs/concepts/model.md

@@ -66,6 +66,7 @@ emit the canonical list:
 
 ```console
 $ wardline vocab
+schema: wardline.vocabulary/v1
 version: wardline-generic-2
 entries:
 - canonical_name: external_boundary

docs/concepts/rules.md

@@ -258,7 +258,8 @@ handler to the specific exception you expect (`except ValueError:`).
 
 ### PY-WL-104 — silently swallowed exception in a trusted-tier function
 
-Fires on a handler whose body only `pass`/`...`/`continue`/`break` — it discards
+Fires on a handler whose body is only `pass`/`...`/`continue`/`break` or a bare
+constant expression (a docstring-like string literal or a number) — it discards
 the error with no logging, re-raise, or recovery. The failure vanishes
 silently.