Release 1.0.0rc4: doctor, C-9 store consolidation, dogfood friction-tail closeout

.agents/skills/filigree-workflow/SKILL.md

@@ -196,7 +196,7 @@ When parsing `--json` output or MCP responses, expect these unified envelopes:
   one of: `VALIDATION`, `NOT_FOUND`, `CONFLICT`, `INVALID_TRANSITION`,
   `PERMISSION`, `NOT_INITIALIZED`, `IO`, `INVALID_API_URL`,
   `FILE_REGISTRY_DISPLACED`, `REGISTRY_UNAVAILABLE`,
-  `CLARION_REGISTRY_VERSION_MISMATCH`, `CLARION_OUT_OF_SYNC`,
+  `LOOMWEAVE_REGISTRY_VERSION_MISMATCH`, `LOOMWEAVE_OUT_OF_SYNC`,
   `BRIEFING_BLOCKED`, `STOP_FAILED`, `SCHEMA_MISMATCH`, `INTERNAL`.
   Branch on `code` for retry policy
   (`CONFLICT` → exit 4, retryable; everything at exit 1 needs operator

.agents/skills/loomweave-workflow/.fingerprint

@@ -1 +1 @@
-fe04e6fd9d528b07738f527b41d817dff89344f051465af012fc42ed44377ea3
+4c1af074f42ec147611923aafeb704eba54cd7dca4dcec2489907921b7f94233

.agents/skills/loomweave-workflow/SKILL.md

@@ -26,7 +26,7 @@ calls this?" without reading a single file.
 - You need a function's neighborhood, execution paths, or which subsystem it belongs to.
 
 **Not for:** editing code, reading exact implementation bodies (use `summary` or
-read the file once you have its path), or codebases with no `.loomweave/` index.
+read the file once you have its path), or codebases with no `.weft/loomweave/` index.
 
 ## Entity IDs — the model
 
@@ -65,18 +65,27 @@ tell which case you're in.
 | `execution_paths_from` | bounded call paths out of an entity | `{"id": "<id>", "max_depth": 5}` |
 | `subsystem_members` | modules in a subsystem | `{"id": "core:subsystem:<hash>"}` |
 | `subsystem_of` | the subsystem an entity belongs to (reverse of `subsystem_members`) | `{"id": "<id>"}` |
-| `summary` | on-demand prose summary of one entity | `{"id": "<id>"}` |
+| `summary` † | on-demand prose summary of one entity | `{"id": "<id>"}` |
 | `summary_preview_cost` | preview a `summary` call's cache status / cost before spending | `{"id": "<id>"}` |
 | `issues_for` | Filigree issues attached to an entity | `{"id": "<id>"}` |
 | `source_for_entity` | an entity's exact indexed source span + bounded context | `{"id": "<id>", "context_lines": 10}` |
 | `call_sites` | the source line(s) behind a calls/references edge | `{"id": "<id>", "role": "caller"}` |
 | `orientation_pack` | one deterministic orientation packet for an entity or file:line (entity + context + neighbors + paths + issues + freshness) | `{"file": "rel/path.py", "line": 42}` |
 | `index_diff` | index freshness / drift vs. the current working tree | `{}` |
-| `analyze_start` | launch a background re-index, return its `run_id` | `{}` |
+| `analyze_start` † | launch a background re-index, return its `run_id` | `{}` |
 | `analyze_status` | poll a started analyze (queued/running/terminal + progress) | `{"run_id": "<id>"}` |
-| `analyze_cancel` | stop a running analyze (group-kills plugin + Pyright) | `{"run_id": "<id>"}` |
+| `analyze_cancel` † | stop a running analyze (group-kills plugin + Pyright) | `{"run_id": "<id>"}` |
 | `project_status` | index freshness, counts, LLM + Filigree status | `{}` |
 
+† **Write-gated.** `summary` (`entity_summary_get`), `analyze_start`,
+`analyze_cancel`, `propose_guidance`, and `promote_guidance` are registered only
+when `serve.mcp.enable_write_tools: true` is set in `loomweave.yaml` (default
+`false`). When the gate is off they do not appear in `tools/list` and a call
+returns a tool-disabled error — run `loomweave config check` to see the active
+policy. `summary` additionally requires the live LLM provider to be enabled
+(`llm_policy.enabled: true` + `allow_live_provider: true`), or it serves cache
+only.
+
 `callers_of` / `neighborhood` / `execution_paths_from` take a `confidence`
 tier — one of `"resolved"` (default; only high-confidence edges),
 `"ambiguous"`, or `"inferred"`. There is no `"all"` value. When you suspect an
@@ -152,7 +161,7 @@ honest-empty unless a plugin emits those tags. Likewise `high_churn` and
 
 `search_semantic` is also in the catalogue. It is opt-in under
 `semantic_search:`; when enabled, `loomweave analyze` populates the git-ignored
-`.loomweave/embeddings.db` sidecar and the query path filters stale vectors by
+`.weft/loomweave/embeddings.db` sidecar and the query path filters stale vectors by
 content hash.
 
 > Not in this catalogue: `emit_observation` as a general-purpose write surface.
@@ -163,6 +172,7 @@ for team sharing). Agents may call `propose_guidance` to create a Filigree
 observation, but that proposal is inert until an operator promotes it through
 `promote_guidance` or the CLI. Promoted sheets reach you through `guidance_for`
 and are composed into `summary` prompts with a real guidance fingerprint.
+(`propose_guidance` and `promote_guidance` are write-gated — see the † note above.)
 
 ## Workflow: orient, then navigate
 
@@ -192,7 +202,7 @@ and are composed into `summary` prompts with a real guidance fingerprint.
 
 ## Launch
 
-`loomweave serve --path <dir>` where `<dir>` contains `.loomweave/loomweave.db`
+`loomweave serve --path <dir>` where `<dir>` contains `.weft/loomweave/loomweave.db`
 (built by `loomweave analyze <dir>`). In an MCP client the tools appear as
 `mcp__loomweave__find_entity`, etc.
 

.claude/skills/filigree-workflow/SKILL.md

@@ -196,7 +196,7 @@ When parsing `--json` output or MCP responses, expect these unified envelopes:
   one of: `VALIDATION`, `NOT_FOUND`, `CONFLICT`, `INVALID_TRANSITION`,
   `PERMISSION`, `NOT_INITIALIZED`, `IO`, `INVALID_API_URL`,
   `FILE_REGISTRY_DISPLACED`, `REGISTRY_UNAVAILABLE`,
-  `CLARION_REGISTRY_VERSION_MISMATCH`, `CLARION_OUT_OF_SYNC`,
+  `LOOMWEAVE_REGISTRY_VERSION_MISMATCH`, `LOOMWEAVE_OUT_OF_SYNC`,
   `BRIEFING_BLOCKED`, `STOP_FAILED`, `SCHEMA_MISMATCH`, `INTERNAL`.
   Branch on `code` for retry policy
   (`CONFLICT` → exit 4, retryable; everything at exit 1 needs operator

.claude/skills/loomweave-workflow/.fingerprint

@@ -1 +1 @@
-fe04e6fd9d528b07738f527b41d817dff89344f051465af012fc42ed44377ea3
+4c1af074f42ec147611923aafeb704eba54cd7dca4dcec2489907921b7f94233

.claude/skills/loomweave-workflow/SKILL.md

@@ -26,7 +26,7 @@ calls this?" without reading a single file.
 - You need a function's neighborhood, execution paths, or which subsystem it belongs to.
 
 **Not for:** editing code, reading exact implementation bodies (use `summary` or
-read the file once you have its path), or codebases with no `.loomweave/` index.
+read the file once you have its path), or codebases with no `.weft/loomweave/` index.
 
 ## Entity IDs — the model
 
@@ -65,18 +65,27 @@ tell which case you're in.
 | `execution_paths_from` | bounded call paths out of an entity | `{"id": "<id>", "max_depth": 5}` |
 | `subsystem_members` | modules in a subsystem | `{"id": "core:subsystem:<hash>"}` |
 | `subsystem_of` | the subsystem an entity belongs to (reverse of `subsystem_members`) | `{"id": "<id>"}` |
-| `summary` | on-demand prose summary of one entity | `{"id": "<id>"}` |
+| `summary` † | on-demand prose summary of one entity | `{"id": "<id>"}` |
 | `summary_preview_cost` | preview a `summary` call's cache status / cost before spending | `{"id": "<id>"}` |
 | `issues_for` | Filigree issues attached to an entity | `{"id": "<id>"}` |
 | `source_for_entity` | an entity's exact indexed source span + bounded context | `{"id": "<id>", "context_lines": 10}` |
 | `call_sites` | the source line(s) behind a calls/references edge | `{"id": "<id>", "role": "caller"}` |
 | `orientation_pack` | one deterministic orientation packet for an entity or file:line (entity + context + neighbors + paths + issues + freshness) | `{"file": "rel/path.py", "line": 42}` |
 | `index_diff` | index freshness / drift vs. the current working tree | `{}` |
-| `analyze_start` | launch a background re-index, return its `run_id` | `{}` |
+| `analyze_start` † | launch a background re-index, return its `run_id` | `{}` |
 | `analyze_status` | poll a started analyze (queued/running/terminal + progress) | `{"run_id": "<id>"}` |
-| `analyze_cancel` | stop a running analyze (group-kills plugin + Pyright) | `{"run_id": "<id>"}` |
+| `analyze_cancel` † | stop a running analyze (group-kills plugin + Pyright) | `{"run_id": "<id>"}` |
 | `project_status` | index freshness, counts, LLM + Filigree status | `{}` |
 
+† **Write-gated.** `summary` (`entity_summary_get`), `analyze_start`,
+`analyze_cancel`, `propose_guidance`, and `promote_guidance` are registered only
+when `serve.mcp.enable_write_tools: true` is set in `loomweave.yaml` (default
+`false`). When the gate is off they do not appear in `tools/list` and a call
+returns a tool-disabled error — run `loomweave config check` to see the active
+policy. `summary` additionally requires the live LLM provider to be enabled
+(`llm_policy.enabled: true` + `allow_live_provider: true`), or it serves cache
+only.
+
 `callers_of` / `neighborhood` / `execution_paths_from` take a `confidence`
 tier — one of `"resolved"` (default; only high-confidence edges),
 `"ambiguous"`, or `"inferred"`. There is no `"all"` value. When you suspect an
@@ -152,7 +161,7 @@ honest-empty unless a plugin emits those tags. Likewise `high_churn` and
 
 `search_semantic` is also in the catalogue. It is opt-in under
 `semantic_search:`; when enabled, `loomweave analyze` populates the git-ignored
-`.loomweave/embeddings.db` sidecar and the query path filters stale vectors by
+`.weft/loomweave/embeddings.db` sidecar and the query path filters stale vectors by
 content hash.
 
 > Not in this catalogue: `emit_observation` as a general-purpose write surface.
@@ -163,6 +172,7 @@ for team sharing). Agents may call `propose_guidance` to create a Filigree
 observation, but that proposal is inert until an operator promotes it through
 `promote_guidance` or the CLI. Promoted sheets reach you through `guidance_for`
 and are composed into `summary` prompts with a real guidance fingerprint.
+(`propose_guidance` and `promote_guidance` are write-gated — see the † note above.)
 
 ## Workflow: orient, then navigate
 
@@ -192,7 +202,7 @@ and are composed into `summary` prompts with a real guidance fingerprint.
 
 ## Launch
 
-`loomweave serve --path <dir>` where `<dir>` contains `.loomweave/loomweave.db`
+`loomweave serve --path <dir>` where `<dir>` contains `.weft/loomweave/loomweave.db`
 (built by `loomweave analyze <dir>`). In an MCP client the tools appear as
 `mcp__loomweave__find_entity`, etc.
 

.github/workflows/ci.yml

@@ -15,8 +15,12 @@ jobs:
           enable-cache: true
       - name: Install dependencies
         run: uv sync --dev
+      - name: Run lint
+        run: uv run ruff check src
       - name: Run test suite
-        run: uv run pytest --cov=legis --cov-report=term-missing --cov-fail-under=70
+        run: uv run pytest --cov=legis --cov-report=term-missing --cov-report=json --cov-fail-under=88
+      - name: Enforce per-package coverage floors
+        run: uv run python scripts/check_coverage_floors.py
       - name: Run SEI conformance oracle
         run: uv run pytest tests/conformance/test_sei_oracle.py
       - name: Run live Loomweave oracle
@@ -46,4 +50,6 @@ jobs:
         # Remove this once a real governance DB is wired into CI.
         env:
           LEGIS_ALLOW_MISSING_GOVERNANCE_DB: "1"
-        run: uv run legis governance-gate --db sqlite:///legis-governance.db
+        # No --db: use the resolved default store (.weft/legis/legis-governance.db),
+        # the same location the server/MCP write to.
+        run: uv run legis governance-gate

.github/workflows/loomweave-conformance.yml

@@ -0,0 +1,64 @@
+name: loomweave-conformance
+
+# Live cross-repo Loomweave SEI conformance.
+#
+# Unlike the per-PR oracle step in ci.yml (opt-in, silently skipped when
+# LOOMWEAVE_URL is unset), this gate is FAIL-CLOSED: a missing endpoint, locator
+# fixture, or HMAC credential is an ERROR, not a pass. That closes the roadmap-12
+# hole where an absent var let Loomweave endpoint/header drift sail through CI.
+#
+# It runs on a schedule (catch drift between releases) and is callable as a
+# reusable workflow (`workflow_call`) so the release pipeline gates publish on it
+# — making conformance non-optional for releases.
+
+on:
+  schedule:
+    - cron: "0 7 * * *"   # daily 07:00 UTC drift sweep
+  workflow_dispatch:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  live-loomweave-oracle:
+    name: Live Loomweave oracle (fail-closed)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: astral-sh/setup-uv@v5
+        with:
+          enable-cache: true
+      - name: Install dependencies
+        run: uv sync --dev
+      - name: Require live Loomweave configuration
+        env:
+          LOOMWEAVE_URL: ${{ vars.LOOMWEAVE_URL }}
+          LOOMWEAVE_LIVE_ORACLE_LOCATOR: ${{ vars.LOOMWEAVE_LIVE_ORACLE_LOCATOR }}
+          LEGIS_LOOMWEAVE_HMAC_KEY: ${{ secrets.LEGIS_LOOMWEAVE_HMAC_KEY }}
+        run: |
+          missing=0
+          if [ -z "${LOOMWEAVE_URL}" ]; then
+            echo "::error::LOOMWEAVE_URL variable is not set — live Loomweave conformance cannot run. Configure it under Settings → Secrets and variables → Actions → Variables."
+            missing=1
+          fi
+          if [ -z "${LOOMWEAVE_LIVE_ORACLE_LOCATOR}" ]; then
+            echo "::error::LOOMWEAVE_LIVE_ORACLE_LOCATOR variable is not set — the round-trip locator fixture is required for conformance."
+            missing=1
+          fi
+          if [ -z "${LEGIS_LOOMWEAVE_HMAC_KEY}" ]; then
+            echo "::error::LEGIS_LOOMWEAVE_HMAC_KEY secret is not set — the signed Loomweave channel credential is required."
+            missing=1
+          fi
+          if [ "${missing}" -ne 0 ]; then
+            exit 1
+          fi
+      - name: Run live Loomweave conformance oracle
+        env:
+          LOOMWEAVE_URL: ${{ vars.LOOMWEAVE_URL }}
+          LOOMWEAVE_LIVE_ORACLE_LOCATOR: ${{ vars.LOOMWEAVE_LIVE_ORACLE_LOCATOR }}
+          LEGIS_LOOMWEAVE_HMAC_KEY: ${{ secrets.LEGIS_LOOMWEAVE_HMAC_KEY }}
+        # -rs reports any skip in the log; the guard above makes the test file's
+        # own skipif conditions (unset URL / locator) unreachable, so a skip here
+        # would signal an unexpected gap rather than a benign opt-out.
+        run: uv run pytest tests/conformance/test_live_loomweave_oracle.py -q -rs

.github/workflows/release.yml

@@ -54,9 +54,17 @@ jobs:
           name: dist
           path: dist/
 
+  conformance:
+    # Live cross-repo Loomweave SEI conformance, required before publish. The
+    # reusable workflow is fail-closed: a missing LOOMWEAVE_URL / locator / HMAC
+    # credential fails the release rather than silently skipping (roadmap 12).
+    name: Live Loomweave conformance
+    uses: ./.github/workflows/loomweave-conformance.yml
+    secrets: inherit
+
   publish:
     name: Publish to PyPI
-    needs: build
+    needs: [build, conformance]
     runs-on: ubuntu-latest
     environment:
       name: pypi

.gitignore

@@ -1,4 +1,4 @@
-.worktrees/
+# OS / editor cruft
 .DS_Store
 Thumbs.db
 .idea/
@@ -8,14 +8,40 @@ Thumbs.db
 .venv/
 __pycache__/
 *.py[cod]
-.pytest_cache/
 *.egg-info/
-# Local audit/scratch databases (never commit audit data)
-*.db
-.filigree
-.filigree.conf
+.pytest_cache/
+.mypy_cache/
+.ruff_cache/
 .coverage
+coverage.json
+
+# Worktrees
+.worktrees/
+
+# Local tooling config (machine-specific, never commit)
 .mcp.json
+
+# Agent instruction files — filigree-generated, regenerated each session
+AGENTS.md
+CLAUDE.md
+
+# --- Weft suite working folders & local config (regenerated/local; never commit) ---
+# Filigree — issue-tracker database + project config
+.filigree/
+.filigree.conf
+# Loomweave — code-archaeology index/cache + config
+.loomweave/
 loomweave.yaml
+# Wardline — scanner cache + config
+.wardline/
 wardline.yaml
-.loomweave/loomweave.lock
+# Legis — local audit/scratch databases + their SQLite WAL sidecars
+# (audit data is never committed) and local working dir / config
+*.db
+*.db-shm
+*.db-wal
+# Federated runtime-state subtree (legis is the sole writer; never .weft/ wholesale)
+.weft/legis/
+
+# Filigree issue tracker
+.weft/