fix(scan): gate on the unsuppressed population by default (secure --fail-on) — supersedes #24, #25

[tachyon-beep]

What

Closes a HIGH-severity CI-gate bypass. wardline scan --fail-on applied repository-controlled suppressions (.wardline/baseline.yaml, wardline.yaml waivers, .wardline/judged.yaml) to findings before evaluating the gate. Since all three are committed repo content, a malicious PR could add a suppression keyed to its own new defect's fingerprint and clear the gate. Reproduced live (baselining the sole ERROR defect zeroed the gate).

Model (maintainer-chosen): secure-by-default + opt-in

• gate_decision now evaluates a separate unsuppressed population (ScanResult.gate_findings). baseline/waiver/judged still annotate the emitted findings (suppressed=… stays visible) but no longer clear the gate.
• Gate population built via apply_suppressions over empty baseline + waivers + judged (not list(raw)), preserving the lineless-DEFECT→non-gating-FACT downgrade (no spurious trips).
• --new-since <ref> (operator-supplied, unforgeable) scopes both populations — the secure CI ratchet.
• --trust-suppressions (CLI) / trust_suppressions (run_scan, MCP scan), default False, restores the local ratchet / judge DX (None sentinel → gate falls back to suppressed findings). run_judge passes True.
• load_judged now requires verdict: FALSE_POSITIVE (rejects a hand-edited TRUE_POSITIVE / missing verdict).

Why this and not #24 / #25

• fix(scan): require explicit trust for .wardline/judged.yaml suppressions #24 (judged-only) closed just one of three identical repo-controlled vectors — baseline + waiver stayed exploitable.
• Fix scan fail-on bypass via repository-controlled suppressions #25 had the right mechanism but broke the documented baseline ratchet with no escape hatch, and used gate_findings = list(raw) (a lineless-DEFECT gate bug).

This combines them: #25's mechanism (fixed) + #24's verdict-hardening + the --trust-suppressions escape hatch + docs.

⚠️ BREAKING (acceptable at 0.x — called out in CHANGELOG)

A CI job relying on a committed baseline to keep scan --fail-on green goes red on upgrade until --new-since <merge-base> (recommended) or --trust-suppressions (trusted checkouts) is added. legis's artifact + the 'one judge' property derive from the annotated findings, so they're unchanged; only the local --fail-on exit code changed.

Verification

• Full suite 2406 passed, ruff + mypy clean.
• Repro: a baselined ERROR defect trips the gate by default and is cleared by --trust-suppressions, while staying annotated suppressed=baselined.
• Flipped existing gate-clears tests to the secure default + added --trust-suppressions variants; CLI + MCP parity covered.

🤖 Generated with Claude Code

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d9aea1afde

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Correct MCP summary active semantics

For scans where a repository baseline/waiver/judged record suppresses the only defect, the MCP response still reports summary.active from the emitted, suppressed result.findings population, so it will be 0 while the new unsuppressed gate can still trip. This description tells agents that active is the unsuppressed gate population, which makes the structured tool contract misleading precisely in the new secure-default scenario and can cause callers to conclude there are no defects to address even though gate.tripped is true.

Useful? React with 👍 / 👎.