release: v1.2.0 — preview rules now gate (consolidation 2026-06-26)#83
Merged
… installs don't drop it

`uv tool install wardline[loomweave]` REPLACES extras (it does not merge), so a bare `loomweave = ["blake3>=1.0"]` dropped the scanner deps and broke `wardline init`/`scan` — users whack-a-moled scanner<->loomweave. Mirror the `rust` extra and self-include `wardline[scanner]` (loomweave's taint-store writes fire only during `wardline scan`, so it genuinely needs the pipeline). Broaden the doctor `loomweave.dep` remediation to name `uv tool install` vs `pip install`, and add a regression guard pinning that scan-pipeline extras self-include scanner.

Fixes wardline-c8d7e020e8.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

… shared helper

Extends the install-context wording from the loomweave.dep doctor check (87f13b0) to every extra-install hint — the scanner-extra CLI guard, the rust tree-sitter loader, the loomweave blake3 loader, and the optional_deps scanner message — through a single `extra_install_hint(extra)` helper in core.optional_deps. A uv-tool user must reinstall via `uv tool install` (pip targets the wrong env, and uv tool replaces rather than merges extras); the helper names both forms so the hint is right whichever installer is in use.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

…clude scanner; PDR-0010

- PDR-0010: loomweave extra self-includes wardline[scanner] (uv-tool whack-a-mole fix); shared install-hint helper; regression guard. Within grant; PyPI publish owner-gated.
- metrics.md: dated G4 reading (per-release extras re-check; base stays 0-dep; no trigger).
- current-state.md: PR #69 scope + provenance updated; Now bet (seam probe) unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ot configured"

`_resolve_probe_target` only ever finds a filigree *daemon* URL, so a project configured in ethereal mode (no daemon) — or with the daemon down — collapsed to the misleading "filigree not configured; nothing to verify", reading as "filigree absent" when it is fully set up. Read `.weft/filigree/config.json` mode:

- ethereal -> tell the user to put filigree in daemon mode (`filigree install --mode server`, then `filigree server start`);
- configured but no daemon reachable -> `filigree server start`;
- genuinely absent -> unchanged message.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

…ine-4ada23bb09)

The --fail-on gate predicate silently skipped Maturity.PREVIEW findings, so six ERROR-severity rules — 118 (SQL injection), 119 (degenerate trust boundary), 120 (stored taint), 121 (XXE), 122 (SSTI), 124 (native-lib load) — fired as active ERROR defects but `wardline scan --fail-on ERROR` passed green (would_trip_at=None). A G2 false-green soundness hole, present in 1.1.0.

maturity is now purely informational; preview rules gate AND are baselineable exactly like stable rules, matching the long-standing documented contract (docs/concepts/rules.md:60). Removed the preview-exclusion at all 5 sites: suppression.gate_trips, suppression.gate_breakdown, run.baseline_migration_hint, run._gate_reason, baseline._is_baselineable_finding.

New universal regression pin (tests/unit/core/test_preview_gating.py) asserts every preview rule in the registry gates at its base severity, plus end-to-end scan->gate pins for 118/119. Inverted the two tests that encoded the old behavior (test_baseline, test_default_registry).

CHANGELOG [Unreleased] + UPGRADING note the build-behavior change (a repo clean today with one of these flows now correctly fails --fail-on; recommend a minor bump).

Also carried here (one shared working tree; run.py co-modified, so the hunks could not be split into separate commits): a concurrent session's `analyzed_paths` delta-coverage work (src/wardline/cli/scan.py, ScanResult.analyzed_paths in run.py, tests/unit/cli/test_scan_artifacts.py, uv.lock) and the glossary line-anchor reconciliation it required (tests/docs/test_glossary_vocabulary.py, docs/reference/finding-lifecycle-vocabulary.md run.py + scan.py citations).

Full suite green (4557 passed); ruff + mypy clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Minor bump: preview-maturity rules now participate in the --fail-on gate (see [1.2.0] Fixed). This newly fails CI on repositories that scan green today but contain a previously-non-gating preview finding (118 SQLi / 119 / 120 / 121 XXE / 122 SSTI / 124 native-load at ERROR; 116/117/123/126 WARN; 125 INFO) — a deliberate, documented behavior change.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

… change

Three reviewers (gate/FP-soundness, correctness+feature, citation-accuracy) audited the unpushed delta. The gate fix and the bundled analyzed_paths feature were both confirmed sound; these are the follow-ups they raised.

CHANGELOG (CRITICAL — reviewer-found): the v1.2.0 edit had swallowed the published `## [1.1.0] - 2026-06-29` header, orphaning 1.1.0's Changed/Added body (attest-v2, FastAPI taint, pack-bridge, doctor checks) under [1.2.0] — and v1.1.0 is a released tag on origin. Restored the [1.1.0] section; [1.2.0] now carries ONLY the preview-gate Fixed entry. Dropped the now-inaccurate "(unreleased contract)" qualifier from the released attest entry.

Secure-default remediation guidance (F1, CHANGELOG + UPGRADING): the "baseline/waive the finding" advice was wrong for CI — under the secure default the gate evaluates the unsuppressed population, so a committed baseline/waiver clears it only under --trust-suppressions (trusted local checkout). CI must scope with --new-since; a baselined/waived finding alone will not green the build. Corrected both docs to match the CLI's own reason/hint wording.

baseline_ops docstring (F2): collect_and_write_baseline's docstring still said "EXCLUDING preview findings that never gate" — contradicts the fix (preview defects are now baselineable). Corrected, and added the missing e2e pin that the orchestration actually baselines a preview defect.

Test hardening (F3/F4): added a gate_breakdown coherence pin (preview ERROR defect counts as (1 active, 0 suppressed) — guards against a future regression that trips the gate while the reason says "0 defects"); added precondition asserts to the universal invariant so a future NONE-severity / non-DEFECT preview rule fails cleanly instead of raising KeyError in gate_trips.

Full suite green (4559 passed); ruff + mypy clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Lands the `release/consolidation-2026-06-26` consolidation branch on `main` and ships v1.2.0.

Headline (v1.2.0) — preview-maturity rules now gate

Soundness fix (`wardline-4ada23bb09`): the `--fail-on` gate predicate silently excluded `maturity: preview` findings, so six ERROR-severity rules — 118 (SQL injection), 119 (degenerate trust boundary), 120 (stored taint), 121 (XXE), 122 (SSTI), 124 (native-library load) — fired as active ERROR defects but `wardline scan --fail-on ERROR` passed green (`would_trip_at: null`). `maturity` is now purely informational; preview rules gate and are baselineable exactly like stable rules, matching the long-documented contract.

Behavior change (minor bump): a repo that scans clean today but contains one of these flows now correctly fails `--fail-on`. Under the secure default, baseline/waive clears the gate only with `--trust-suppressions`; CI should scope with `--new-since <merge-base>`. WARN preview rules (116/117/123/126) and INFO (125) also now gate at their thresholds. See CHANGELOG `[1.2.0]` + UPGRADING.md.

Review

Three independent reviewers audited the new delta before this PR:

`analyzed_paths` delta-coverage feature are sound and genuinely tested; caught a CHANGELOG regression (a swallowed `[1.1.0]` header) since fixed.

All findings addressed in `25097041`.

Verification

`tests/unit/core/test_preview_gating.py`) guards every preview rule in the registry against recurrence.

🤖 Generated with Claude Code
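A model of the gate-predicate hole described above and of the 1.2.0 fix, added here as an illustration rather than wardline's own code: the `Finding` fields, the `Severity`/`Maturity` enums and the bodies of `gate_trips`/`gate_breakdown` are assumptions that only mirror the names the PR text uses. It also models the secure-default rule that a baseline or waiver clears the gate only under `--trust-suppressions`.

```python
from dataclasses import dataclass
from enum import Enum

class Severity(Enum):
    INFO = 0
    WARN = 1
    ERROR = 2

class Maturity(Enum):
    STABLE = "stable"
    PREVIEW = "preview"

@dataclass(frozen=True)
class Finding:
    rule_id: int
    severity: Severity
    maturity: Maturity
    suppressed: bool = False  # baselined or waived (assumed field)

def _population(findings, trust_suppressions):
    # Secure default: the gate evaluates the unsuppressed population, i.e.
    # every finding; only --trust-suppressions lets a baseline/waiver clear it.
    if trust_suppressions:
        return [f for f in findings if not f.suppressed]
    return list(findings)

def gate_trips_old(findings, fail_on, trust_suppressions=False):
    """1.1.0 predicate (assumed shape): preview findings were skipped, so a
    preview ERROR defect left `--fail-on ERROR` green (the false-green hole)."""
    return any(f.severity.value >= fail_on.value and f.maturity is not Maturity.PREVIEW
               for f in _population(findings, trust_suppressions))

def gate_trips(findings, fail_on, trust_suppressions=False):
    """1.2.0 predicate: maturity is informational; severity alone decides."""
    return any(f.severity.value >= fail_on.value
               for f in _population(findings, trust_suppressions))

def gate_breakdown(findings, fail_on):
    """(active, suppressed) counts at or above the threshold, for the gate
    reason; a preview ERROR defect must count as (1, 0), never (0, 0)."""
    hits = [f for f in findings if f.severity.value >= fail_on.value]
    suppressed = sum(1 for f in hits if f.suppressed)
    return (len(hits) - suppressed, suppressed)

# Constructed sample: a single preview SQL-injection finding (rule 118) at ERROR.
SAMPLE = [Finding(118, Severity.ERROR, Maturity.PREVIEW)]
```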