[feature] Full lualint integration

[paudley]

Summary

Add full coding-ethos integration for lualint from the pyqa_lint catalog.

Parent tracker: #77

pyqa_lint source: ~/Active/pyqa_lint/tooling/catalog/languages/lua/lualint.json

Scope

This issue covers one tool only. Integration is complete only when coding-ethos owns acquisition, execution, diagnostics, Lua language facts, CEL/SARIF output, policy alignment, MCP/agent visibility, docs, and tests.

Required Integration Surface

1. Tool Acquisition

• Add deterministic managed acquisition for lualint.
• Pin the version and checksum where a release artifact is downloaded.
• Record provenance in the managed toolchain manifest.
• Validate the acquired executable during bootstrap and fail fast with a structured diagnostic if validation fails.
• Do not rely on an arbitrary host-installed lualint from PATH.

2. Command Orchestration

• Build command construction in Go through the hook runner or managed capture path.
• Select staged/changed targets when safe; if lualint requires project-level execution, document the reason and isolate the scope.
• Pass config paths explicitly and log the selected source of truth.
• Respect sandboxing, timeout, filesystem, and network policy.
• Avoid shell glue and Go-to-shell-to-Go execution paths.

3. Diagnostics Parsing

• Parse native lualint output into normalized diagnostics with tool, file, line, column, severity, rule/code, and message.
• Convert unparseable output into structured tool-failure diagnostics.
• Preserve raw output in traces without flooding TOON or MCP summaries.
• Add parser fixtures for success, warning/error severity mapping, empty output, and malformed output.

4. Language AST Facts

• Confirm Tree-sitter/AST fact support for Lua files is sufficient for policy context and SARIF locations.
• Extend shared AST fact collection first if policy context is missing.
• Do not add ad hoc text scanners or policy-specific AST walkers before checking the AST/CEL/SARIF architecture path.
• Add fixtures proving representative Lua files can be indexed, or explicitly document why AST facts are not applicable for this tool.

5. CEL and Policy Alignment

• Expose lualint findings through the existing CEL diagnostic inputs by tool, rule/code, file, severity, and path metadata.
• Add policy mappings only where coding-ethos has a clear repo-trust, maintainability, security, or safety opinion.
• Align actionable findings with relevant ethos principles and remediation skills.
• Keep advisory versus blocking behavior explicit and configurable.

6. SARIF Integration

• Emit SARIF with stable ruleId, source tool metadata, severity, and location data.
• Include related locations, fixes, or help text when lualint exposes them.
• Add SARIF shape tests for at least one real diagnostic.
• Preserve stable identities so CI, PR review, and IDE surfaces can correlate findings over time.

7. MCP and Agent Surface

• Ensure lint_check, lint_advice, SARIF remediation, risk summary, trend analysis, and hook traces identify lualint correctly.
• Add capability metadata for file reads, file writes, tool execution, network use, autofix support, and advisory/blocking role.
• Make failure modes actionable for agents and human contributors.

8. Docs and Config

• Document managed acquisition, config source of truth, generated config behavior, and common remediation guidance.
• Update README/tooling docs and examples for the Lua path.
• If coding-ethos generates config for lualint, add drift checks and hash manifest entries.

Acceptance Criteria

• lualint is acquired through the managed toolchain with version/checksum/provenance recorded where applicable.
• The hook runner or managed capture path invokes lualint without shell glue or implicit host config discovery.
• Native diagnostics are parsed into normalized diagnostics and SARIF.
• AST/language fact support for Lua is present or explicitly documented as not applicable.
• CEL policy inputs can reason over lualint findings by tool/code/file/severity.
• MCP lint and SARIF advice surfaces include lualint output cleanly.
• Documentation explains config ownership and expected operator workflow.
• Unit tests cover acquisition, command construction, parser success, parser failure, and SARIF shape.
• A functional workflow test exercises lualint on a representative fixture.
• make build, make pre-commit, and relevant Go package tests pass.

[paudley]

Stage 1 plan for lualint:

• Pin upstream philips/lualint to commit 26de0a93bf6665b9c50ee1fd8ad0e894b69dd312 with script SHA-256 e79281c8255d5a52db00f29fc2abe3fab499e5e495c359748fd171a48575cbc5.
• Add deterministic managed acquisition for the pinned raw script, with manifest provenance and checksum verification rather than relying on a host lualint from PATH.
• Register lualint as a managed Lua capture tool and run it through a selected Lua interpreter plus the managed script path, keeping command construction in Go.
• Add native text diagnostics parsing for historical lualint output, malformed-output handling, and SARIF/CEL-compatible normalized diagnostics.
• Add Lua Tree-sitter AST fact support where this branch does not already have it.
• Document the important upstream constraint: current host lua is 5.5 and the script crashes there, while Lua 5.4 bytecode no longer emits the old GETGLOBAL / SETGLOBAL opcodes that lualint scans. The functional smoke test will prove managed execution; parser fixtures will cover native historical diagnostic text.
• Validate with focused Go tests, make build, make check, and make pre-commit where feasible; if protected admin-file policy blocks commit, I will leave the staged work intact and post an admin handoff.

[paudley]

Stage 1 implementation is complete locally, but the commit is blocked by the repository admin-file policy. The staged index has been left intact in .worktrees/paudley-85-full-lualint-integration.

Implemented:

• Managed URL installer support for pinned raw binary/script assets.
• Managed lualint toolchain manifest entry pinned to philips/lualint@26de0a93bf6665b9c50ee1fd8ad0e894b69dd312 with SHA-256 e79281c8255d5a52db00f29fc2abe3fab499e5e495c359748fd171a48575cbc5.
• Native lualint diagnostics parser, SARIF coverage, tool catalog entry, policy-lualint hook, Lua hook group, and Lua AST fact support.
• Runtime handling that invokes the managed script via lua5.4 and runs from .coding-ethos/cache so upstream scratch-file behavior lands in a managed writable directory.
• README and pre-commit docs for acquisition, runtime requirements, cache behavior, and the historical-bytecode diagnostic limitation.

Validation run:

• go test -buildvcs=false ./diagnostics ./toolcatalog ./internal/hookrunnercli ./internal/managedcapture ./internal/toolchaincli ./internal/astfacts ./internal/codeintel ./internal/hookoutput
• make build
• Managed smoke via bin/coding-ethos-run policy-tool lualint <tmp.lua>
• make check passed; it still reports the existing non-blocking Go coverage warning below the 90% project goal.
• bin/coding-ethos-run policy-git diff --check

Commit attempt:

status: blocked
policy_id: git.staged_admin_files
message: Administrative staged files require explicit handling.
suggestion: Administrative staged files require a human/admin commit. Administrative staged files: pre-commit/PRE-COMMIT.md, pre-commit/hooks/managed-toolchain.tsv. Agent action: stop trying to commit these files. Human/admin handoff: from /home/paudley/Active/gmeow/coding-ethos/.worktrees/paudley-85-full-lualint-integration, run: git commit -m 'feat(toolchain): add managed lualint integration'.
files[2]{path}:
  pre-commit/PRE-COMMIT.md
  pre-commit/hooks/managed-toolchain.tsv
error: git exited with status 2

No PR was opened because Stage 1 cannot proceed past the protected admin-file commit gate without a human/admin commit.