From 91c3126eac821d409dc8efddc0288063e19518b4 Mon Sep 17 00:00:00 2001
From: John Morrissey <john@wardline.dev>
Date: Fri, 5 Jun 2026 22:01:21 +1000
Subject: [PATCH] fix(ci): restore green Lint + mypy on main

Two CI jobs (`ruff format --check src tests`, bare `mypy`) were red on main.
Causes were pre-existing/mechanical, not behavioural:

- `ruff format`: `src/wardline/core/legis.py` + `tests/conformance/test_legis_intake_contract.py`
  (from the legis merge 948daa4) and `src/wardline/core/judged.py` +
  `tests/unit/cli/test_cli.py` (from #28) were never `ruff format`-reflowed.
- `mypy`: `tests/unit/core/test_legis_artifact.py:175` carried a stale
  `# type: ignore[arg-type]` for a `subprocess.run(cwd=<object>)` call mypy now
  reports as `call-overload`; corrected the ignore code.

Formatting-only + an ignore-code correction; no logic changes. Full suite 2406
passed, ruff check/format + mypy strict all green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 src/wardline/core/judged.py                     | 4 +---
 src/wardline/core/legis.py                      | 3 +--
 tests/conformance/test_legis_intake_contract.py | 7 ++-----
 tests/unit/cli/test_cli.py                      | 4 +---
 tests/unit/core/test_legis_artifact.py          | 2 +-
 5 files changed, 6 insertions(+), 14 deletions(-)

diff --git a/src/wardline/core/judged.py b/src/wardline/core/judged.py
index 06873371..cdcd41dc 100644
--- a/src/wardline/core/judged.py
+++ b/src/wardline/core/judged.py
@@ -116,9 +116,7 @@ def load_judged(path: Path) -> JudgedSet:
         # always emits verdict: FALSE_POSITIVE, so machine round-trips stay valid.
         verdict = _require_str(e, "verdict", idx, path.name)
         if verdict != "FALSE_POSITIVE":
-            raise ConfigError(
-                f"{path.name} findings[{idx}].verdict must be FALSE_POSITIVE, got {verdict!r}"
-            )
+            raise ConfigError(f"{path.name} findings[{idx}].verdict must be FALSE_POSITIVE, got {verdict!r}")
         rationale = _require_str(e, "rationale", idx, path.name)
         # Provenance is the audit primitive — never default it. A judged record with
         # no attributable model / policy / confidence is an unauditable suppression.
diff --git a/src/wardline/core/legis.py b/src/wardline/core/legis.py
index de3140f3..8bdefe98 100644
--- a/src/wardline/core/legis.py
+++ b/src/wardline/core/legis.py
@@ -231,8 +231,7 @@ def build_legis_artifact(
     if key is not None:
         if commit is None:
             raise LegisArtifactError(
-                "cannot sign legis artifact: not a git repository, so commit/tree "
-                "provenance is unavailable"
+                "cannot sign legis artifact: not a git repository, so commit/tree provenance is unavailable"
             )
         if dirty and not allow_dirty:
             raise LegisArtifactError(
diff --git a/tests/conformance/test_legis_intake_contract.py b/tests/conformance/test_legis_intake_contract.py
index 0fd9af2e..cf5103e2 100644
--- a/tests/conformance/test_legis_intake_contract.py
+++ b/tests/conformance/test_legis_intake_contract.py
@@ -52,9 +52,7 @@
         "MIXED_RAW",
     }
 )
-_SUPPRESSION_PROOF_KEYS: frozenset[str] = frozenset(
-    {"suppression_proof", "suppression_ticket", "suppression_reason"}
-)
+_SUPPRESSION_PROOF_KEYS: frozenset[str] = frozenset({"suppression_proof", "suppression_ticket", "suppression_reason"})
 _SEVERITY_NAMES: frozenset[str] = frozenset({"CRITICAL", "ERROR", "WARN", "INFO", "NONE"})
 _MAX_FINDINGS = 500
 _ARTIFACT_SIGNATURE_FIELD = "artifact_signature"
@@ -93,8 +91,7 @@ def _validate_trust_properties(properties: Mapping[str, Any]) -> None:
 
 def _has_suppression_proof(properties: Mapping[str, Any]) -> bool:
     return any(
-        isinstance(properties.get(key), str) and bool(properties[key].strip())
-        for key in _SUPPRESSION_PROOF_KEYS
+        isinstance(properties.get(key), str) and bool(properties[key].strip()) for key in _SUPPRESSION_PROOF_KEYS
     )
 
 
diff --git a/tests/unit/cli/test_cli.py b/tests/unit/cli/test_cli.py
index dd7f592c..33b1a458 100644
--- a/tests/unit/cli/test_cli.py
+++ b/tests/unit/cli/test_cli.py
@@ -384,9 +384,7 @@ def test_scan_baseline_clears_gate_with_trust_suppressions(tmp_path) -> None:
         "version: 1\nentries:\n  - fingerprint: " + fp + "\n    rule_id: PY-WL-101\n    path: svc.py\n    message: m\n",
         encoding="utf-8",
     )
-    res = CliRunner().invoke(
-        scan, [str(proj), "--output", str(out), "--fail-on", "ERROR", "--trust-suppressions"]
-    )
+    res = CliRunner().invoke(scan, [str(proj), "--output", str(out), "--fail-on", "ERROR", "--trust-suppressions"])
     assert res.exit_code == 0, res.output
 
 
diff --git a/tests/unit/core/test_legis_artifact.py b/tests/unit/core/test_legis_artifact.py
index 87704cfd..8d7bdea2 100644
--- a/tests/unit/core/test_legis_artifact.py
+++ b/tests/unit/core/test_legis_artifact.py
@@ -172,7 +172,7 @@ def test_active_finding_carries_no_suppression_proof() -> None:
 
 
 def _git(repo: object, *args: str) -> None:
-    subprocess.run(["git", *args], cwd=repo, check=True, capture_output=True)  # type: ignore[arg-type]
+    subprocess.run(["git", *args], cwd=repo, check=True, capture_output=True)  # type: ignore[call-overload]
 
 
 def _committed_repo(tmp_path: object, source: str = _LEAKY):