0.2.0 release — taint soundness + hardening scrub, version bump + changelog

[tachyon-beep]

This is the 0.2.0 release PR. Merging it to main and pushing the
v0.2.0 tag triggers release.yml → build → PyPI Trusted Publishing.

Release prep (0adeda7): _version.py 0.1.0 → 0.2.0; CHANGELOG.md
[0.2.0] finalized (MCP server SP8, Clarion store SP9, docs site SP7, the
soundness + hardening fixes here, and the loom-extra removal); live-docs
version strings bumped. Build verified — 923 tests pass, mkdocs --strict
clean, sdist+wheel build as wardline-0.2.0, wheel metadata valid.

Publish steps (after merge):

git checkout main && git pull
git tag -a v0.2.0 -m "wardline 0.2.0"
git push origin v0.2.0    # → CI builds + publishes to PyPI

---

Summary

A full-codebase scrub of the one-shot SP0–SP9 system, driven by a 7-agent review panel → 9 findings, all fixed with test-first coverage. Each fix was implemented by a fresh subagent, independently reviewed, and empirically re-verified against a known-vulnerable taint battery. A later pass (commit 58cca6d) closes two of the three deferred residuals.

• Suite: 843 → 923 tests · ruff clean · mypy --strict clean · self-hosting green
• Acceptance oracle: a 30-case taint battery (FN-fires + FP-clean, both directions) — kept out-of-tree

P0 — L2 taint soundness hole (silent false negatives)

_resolve_expr fell through to return function_taint for unmodelled AST shapes. In a @trusted producer that resets untrusted data to the trusted tier (fail-open) and emits a clean report the user wrongly trusts — the worst outcome for a static analyzer. Verified-and-fixed shapes: f-strings, str()/.format()/.join(), dict.get()/subscript, BoolOp, attribute reads, await, comprehensions, container-writes, self/cls method calls, aliased serialization sinks.

• String-building combines via least_trusted (weakest-link), so a benign literal + validated data stays clean — no new false positives on validated code (caught and corrected mid-review via base-commit diffing).
• The unknown-call fallback is unchanged (no FP explosion). The expression combiners (BinOp/List/Dict/IfExp/BoolOp/…) were initially left on taint_join; they are now migrated to least_trusted in the follow-up below.

P0 — security: symlink confine_to_root bypass (THREAT-001 residual)

The per-file discovery loop used a lexical path check, so a symlinked .py inside a legit source-root could escape the root and the analyzer would read out-of-tree content (reproduced: → /etc/passwd) via the MCP scan tool. Now each discovered file is resolved under root when confine_to_root is set (MCP path). CLI default behavior unchanged.

Follow-up — expression-combiner over-tainting (false positives) · 58cca6d

Closes residuals #1 and #2 below. The L2 resolver used taint_join (provenance-clash; any cross-family pair → MIXED_RAW) for value-building / either-or / container-summary combiners, where the rank-meet least_trusted (weakest-link) is correct — the operator already used by the f-string/.format/.join paths. taint_join(INTEGRAL, ASSURED) = MIXED_RAW manufactured a spurious clash on benign literal+validated combinations, firing PY-WL-101 on validated data.

• 9 sites in variable_level.py switched to least_trusted: BinOp, List/Tuple/Set, Dict, IfExp, BoolOp, DictComp, .get/.pop/.setdefault default, augmented-assign, and container writes (_taint_container_base).
• Control-flow MERGES (if/else, loops, match arms) deliberately keep taint_join — the documented join lattice; the full-sweep conversion is tracked separately (wardline-4d9f840c24).
• No false negatives: both firing rules gate on a clean declared level, so any raw result (rank 6 or 7) is strictly above it and still fires — the MIXED_RAW→UNKNOWN_RAW relabel never straddles a threshold.
• Verified: +10 clean-direction tests, 15 buggy-MIXED_RAW assertions corrected to the precise least_trusted value, soundness battery 30/30, end-to-end FP repro 3 → 0, self-host 0 PY-WL defects.

Hardening

• Scan observability: parse-error / unreadable / recursion-skipped / missing-source-root files are now counted (ScanSummary.unanalyzed) and surfaced (CLI summary + MCP result), with opt-in --fail-on-unanalyzed. A no-module file (top-level __init__.py) emits an observable WLN-ENGINE-NO-MODULE FACT (deliberately not counted as unanalyzed, to avoid signal dilution).
• An explicit --config path that does not exist now raises ConfigError instead of silently running with default policy.
• Line-less engine-diagnostic DEFECTs (WLN-L3-* / WLN-ENGINE-DIAGNOSTIC) no longer crash the run via the suppression line-invariant assert.
• MCP: an unexpected exception in a tool handler now returns an isError result (which clients reliably surface) instead of a -32603 error; McpError still propagates as a JSON-RPC protocol fault.
• clarion/client docstring corrected (routes on HTTP status band, not envelope code).

Known residuals (left for triage)

• BinOp "" + validated over-taints — fixed in 58cca6d (wardline-4d94577013).
• .get/.pop tainted-default over-taints — fixed in 58cca6d (wardline-4d94577013).
• Star-import of markers is a false negative but observable via WLN-ENGINE-UNKNOWN-IMPORT (wardline-2b427a9579).
• Control-flow merges (if/else, loops, match) still over-taint two clean-but-different-family branches — the "full sweep" deferred from the combiner fix (wardline-4d9f840c24).

Test plan

• ruff check src tests · mypy · pytest -q (923 passed) · pytest tests/test_self_hosting.py
• 30-case soundness battery: all FN cases fire, all validated/clean cases stay clean

🤖 Generated with Claude Code

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.