fix(ci): restore green Lint + mypy on main

src/wardline/core/judged.py

@@ -116,9 +116,7 @@ def load_judged(path: Path) -> JudgedSet:
         # always emits verdict: FALSE_POSITIVE, so machine round-trips stay valid.
         verdict = _require_str(e, "verdict", idx, path.name)
         if verdict != "FALSE_POSITIVE":
-            raise ConfigError(
-                f"{path.name} findings[{idx}].verdict must be FALSE_POSITIVE, got {verdict!r}"
-            )
+            raise ConfigError(f"{path.name} findings[{idx}].verdict must be FALSE_POSITIVE, got {verdict!r}")
         rationale = _require_str(e, "rationale", idx, path.name)
         # Provenance is the audit primitive — never default it. A judged record with
         # no attributable model / policy / confidence is an unauditable suppression.

src/wardline/core/legis.py

@@ -231,8 +231,7 @@ def build_legis_artifact(
     if key is not None:
         if commit is None:
             raise LegisArtifactError(
-                "cannot sign legis artifact: not a git repository, so commit/tree "
-                "provenance is unavailable"
+                "cannot sign legis artifact: not a git repository, so commit/tree provenance is unavailable"
             )
         if dirty and not allow_dirty:
             raise LegisArtifactError(

tests/conformance/test_legis_intake_contract.py

@@ -52,9 +52,7 @@
         "MIXED_RAW",
     }
 )
-_SUPPRESSION_PROOF_KEYS: frozenset[str] = frozenset(
-    {"suppression_proof", "suppression_ticket", "suppression_reason"}
-)
+_SUPPRESSION_PROOF_KEYS: frozenset[str] = frozenset({"suppression_proof", "suppression_ticket", "suppression_reason"})
 _SEVERITY_NAMES: frozenset[str] = frozenset({"CRITICAL", "ERROR", "WARN", "INFO", "NONE"})
 _MAX_FINDINGS = 500
 _ARTIFACT_SIGNATURE_FIELD = "artifact_signature"
@@ -93,8 +91,7 @@ def _validate_trust_properties(properties: Mapping[str, Any]) -> None:
 
 def _has_suppression_proof(properties: Mapping[str, Any]) -> bool:
     return any(
-        isinstance(properties.get(key), str) and bool(properties[key].strip())
-        for key in _SUPPRESSION_PROOF_KEYS
+        isinstance(properties.get(key), str) and bool(properties[key].strip()) for key in _SUPPRESSION_PROOF_KEYS
     )
 
 

tests/unit/cli/test_cli.py

@@ -384,9 +384,7 @@ def test_scan_baseline_clears_gate_with_trust_suppressions(tmp_path) -> None:
         "version: 1\nentries:\n  - fingerprint: " + fp + "\n    rule_id: PY-WL-101\n    path: svc.py\n    message: m\n",
         encoding="utf-8",
     )
-    res = CliRunner().invoke(
-        scan, [str(proj), "--output", str(out), "--fail-on", "ERROR", "--trust-suppressions"]
-    )
+    res = CliRunner().invoke(scan, [str(proj), "--output", str(out), "--fail-on", "ERROR", "--trust-suppressions"])
     assert res.exit_code == 0, res.output
 
 

tests/unit/core/test_legis_artifact.py

@@ -172,7 +172,7 @@ def test_active_finding_carries_no_suppression_proof() -> None:
 
 
 def _git(repo: object, *args: str) -> None:
-    subprocess.run(["git", *args], cwd=repo, check=True, capture_output=True)  # type: ignore[arg-type]
+    subprocess.run(["git", *args], cwd=repo, check=True, capture_output=True)  # type: ignore[call-overload]
 
 
 def _committed_repo(tmp_path: object, source: str = _LEAKY):