carson 2.11.2 → 2.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2ee87fb6195405a8984a69edfe853c54e4148e097ddeb68b664f3b174f76aa58
-  data.tar.gz: 1aff6cd40925b1e29a5317062963874428759a76932b5bc87ff49b1f181a433c
+  metadata.gz: 87aef62f0df0f4a298b22d5fd2dcc033b3fb8ff382e7c43fcc37399fb9e28b17
+  data.tar.gz: 50120a7c2252236e86736fbab59eeade47b80488c89b2901849b16dc77ed2c7f
 SHA512:
-  metadata.gz: 5431016b0e297bd23d69a781b633e6e786df4ebe5bb9625a9ed4052e8cdfb399e59e253b007d5403944f52ffdc6882c35eb0cf3babcb487740eadb178306d933
-  data.tar.gz: 713018f54df585927a2a86dc9d922bf750214603fb3daf89991c5eec9152a85ceeaad1ea130597f2fd357f8d95be282953c12c9a408bb169fd445ce26e4c6e10
+  metadata.gz: 790d1b70d2df69440acc5c7d13ed7566b243e3b69a7f6d5735bc6713c275702e72273cd13ff6c958e3635669ea2411af6289eefc69e6782d3182a7dd390e1f61
+  data.tar.gz: e9367dd0605946d9a2f7202c0f41cb2ebebfe6e19b463e606bb88e4e1d719b3c5fbdfc76911bf8b7be1a225f5dbbdd4518b88d5f9f0a5a92ad9a841d11f1f92d

data/API.md

@@ -16,7 +16,7 @@ carson <command> [subcommand] [arguments]
 | Command | Purpose |
 |---|---|
 | `carson setup` | Interactive quiz to configure remote, main branch, workflow, and merge method. Writes `~/.carson/config.json`. |
-| `carson lint setup --source <path-or-git-url> [--ref <git-ref>] [--force]` | Seed or refresh `~/.carson/lint` policy files from an explicit source. |
+| `carson lint policy --source <path-or-git-url> [--ref <git-ref>] [--force]` | Distribute lint configs from a central source into the governed repo's `.github/linters/`. |
 | `carson onboard [repo_path]` | Apply one-command baseline setup for a target git repository. Auto-triggers `setup` on first run. |
 | `carson prepare` | Install or refresh Carson-managed global hooks. |
 | `carson refresh [repo_path]` | Re-apply hooks, templates, and audit after upgrading Carson. |
@@ -78,6 +78,7 @@ Allowed Carson-managed persistence in host repositories:
 - `.github/CLAUDE.md` — agent discovery pointer for Claude Code
 - `.github/AGENTS.md` — agent discovery pointer for Codex
 - `.github/pull_request_template.md` — PR template
+- `.github/workflows/carson-lint.yml` — MegaLinter CI workflow
 
 ## Configuration interface
 
@@ -97,33 +98,31 @@ Environment overrides:
 - `CARSON_REVIEW_SWEEP_STATES`
 - `CARSON_WORKFLOW_STYLE`
 - `CARSON_RUBY_INDENTATION`
+- `CARSON_LINT_COMMAND`
+- `CARSON_LINT_ENFORCEMENT`
+- `CARSON_LINT_POLICY_SOURCE`
 
-`lint.languages` schema:
+`lint` schema:
 
 ```json
 {
   "lint": {
-    "languages": {
-      "ruby": {
-        "enabled": true,
-        "globs": ["**/*.rb"],
-        "command": ["ruby", "/absolute/path/to/carson/lib/carson/policy/ruby/lint.rb", "{files}"],
-        "config_files": ["~/.carson/lint/rubocop.yml"]
-      }
-    }
+    "command": "make lint",
+    "enforcement": "strict",
+    "policy_source": "wanghailei/lint.git"
   }
 }
 ```
 
-`lint.languages` semantics:
-- `enabled`: boolean toggle per language.
-- `globs`: file-match patterns applied to the selected audit target set.
-- `command`: argv array executed without shell interpolation.
-- `config_files`: required files that must exist before lint runs.
-- `{files}` token: replaced with matched files; if omitted, matched files are appended at the end of argv.
-- Default Ruby policy source is `~/.carson/lint/rubocop.yml`; Ruby execution logic is Carson-owned.
-- Client repositories containing repo-local `.rubocop.yml` are hard-blocked by `carson audit` in outsider mode.
-- Non-Ruby language entries (`javascript`, `css`, `html`, `erb`) are present but disabled by default.
+`lint` semantics:
+- `command`: string or array — local lint command executed during `carson audit`. If `null` (default), local lint is skipped.
+- `enforcement`: `"strict"` (default) blocks on lint failure; `"advisory"` warns but does not block.
+- `policy_source`: default source for `carson lint policy` when `--source` is not specified.
+
+Environment overrides:
+- `CARSON_LINT_COMMAND` — overrides `lint.command`.
+- `CARSON_LINT_ENFORCEMENT` — overrides `lint.enforcement`.
+- `CARSON_LINT_POLICY_SOURCE` — overrides `lint.policy_source`.
 
 Lint target file source precedence in `carson audit`:
 - staged files for local commit-time execution.
@@ -131,14 +130,12 @@ Lint target file source precedence in `carson audit`:
 - full repository tracked files in GitHub non-PR events.
 - local working-tree changes as fallback.
 
-Private-source clone token for `carson lint setup`:
+Private-source clone token for `carson lint policy`:
 - `CARSON_READ_TOKEN` (used when `--source` points to a private GitHub repository).
 
-Ruby source requirement for `carson lint setup` (when Ruby lint is enabled):
-- `CODING/rubocop.yml` must exist in the source tree.
-
 Policy layout requirement:
-- Language policy files are stored directly under `CODING/` and copied to `~/.carson/lint/` without language subdirectories.
+- Lint config files sit at the root of the source repo and are copied to `<governed-repo>/.github/linters/`.
+- MegaLinter auto-discovers configs in `.github/linters/` during CI.
 
 ## Output interface
 

data/MANUAL.md

@@ -27,22 +27,20 @@ carson version
 
 ### Step 1: Prepare your lint policy
 
-Carson enforces lint rules from a central policy source — a directory or git repository you control that contains a `CODING/` folder. For Ruby governance, the required file is `CODING/rubocop.yml`.
-
-Run `lint setup` to copy policy files into `~/.carson/lint/`:
+Carson distributes lint configuration files from a central policy source — a directory or git repository you control — into each governed repo's `.github/linters/` directory, where MegaLinter auto-discovers them.
 
 ```bash
-carson lint setup --source /path/to/your-policy-repo
+carson lint policy --source /path/to/your-policy-repo
 ```
 
-After this command, `~/.carson/lint/rubocop.yml` exists and is ready for Carson to use. Every governed repository will reference these same policy files — this is how Carson keeps lint consistent.
+After this command, `.github/linters/` contains your lint configs (`.rubocop.yml`, `biome.json`, `ruff.toml`, etc.). MegaLinter uses these in CI. Every governed repository gets the same rules — this is how Carson keeps lint consistent across languages.
 
 Options:
 - `--source <path-or-git-url>` — where to read policy files from (required).
 - `--ref <git-ref>` — branch or tag when `--source` is a git URL.
-- `--force` — overwrite existing `~/.carson/lint` files.
+- `--force` — overwrite existing `.github/linters/` files.
 
-Policy layout: language config files sit directly under `CODING/` (flat layout, no language subfolders). Non-Ruby entries are present but disabled by default.
+Policy layout: lint config files sit at the root of the source repo (flat layout, no subdirectories required).
 
 ### Step 2: Onboard a repository
 
@@ -105,7 +103,7 @@ Notes:
 
 ```bash
 carson sync                                          # fast-forward local main
-carson lint setup --source /path/to/your-policy-repo # refresh policy if needed
+carson lint policy --source /path/to/your-policy-repo # refresh policy if needed
 carson audit                                         # full governance check
 ```
 
@@ -183,7 +181,7 @@ Carson's `govern.merge.method` controls how `carson govern` merges ready PRs. Th
 These define what Carson *is*. They are not configurable.
 
 - **Outsider boundary** — Carson never places its own artefacts inside a governed repository.
-- **Centralised lint** — one policy source at `~/.carson/lint/`, shared across all repos, zero per-repo drift.
+- **Centralised lint** — one policy source distributed into each repo's `.github/linters/`, zero per-repo drift.
 - **Active review** — undisposed reviewer findings block merge; feedback must be acknowledged.
 - **Self-diagnosing output** — every message names the cause and the fix.
 - **Transparent governance** — Carson prepares everything for merge but never makes decisions without telling you.
@@ -238,11 +236,12 @@ Change: `CARSON_HOOKS_BASE_PATH`.
 
 #### Lint policy source
 
-Where lint configuration files live.
+Where lint configuration files come from and where they land.
 
-- Default: **`~/.carson/lint/`**. Centralised: one policy source governs all repos consistently. Repo-local `.rubocop.yml` is forbidden in outsider mode to prevent per-repo drift.
+- Default source: **`wanghailei/lint.git`**. A central repository containing lint configs for all languages.
+- Target: **`<repo>/.github/linters/`**. MegaLinter auto-discovers configs here in CI.
 
-Change the source: `carson lint setup --source <path-or-git-url>`.
+Change: `carson lint policy --source <path-or-git-url>` or `lint.policy_source` in config.
 
 #### Scope integrity
 
@@ -314,7 +313,7 @@ Common environment overrides:
 | `CARSON_WORKFLOW_STYLE` | Workflow style override (`branch` or `trunk`). |
 | `CARSON_RUBY_INDENTATION` | Ruby indentation policy (`tabs`, `spaces`, or `either`). |
 
-For the full configuration schema and `lint.languages` definition, see `API.md`.
+For the full configuration schema, see `API.md`.
 
 ## Troubleshooting
 
@@ -333,8 +332,8 @@ carson template apply
 carson template check
 ```
 
-**Audit blocks on repo-local `.rubocop.yml`**
-- Carson hard-blocks governed repositories that contain their own `.rubocop.yml`. Remove the repo-local file and rely on the central policy in `~/.carson/lint/rubocop.yml`.
+**Audit blocks on lint failure**
+- If `lint.command` is configured and fails, audit blocks (in `strict` mode) or warns (in `advisory` mode). Fix the lint issues and re-run `carson audit`.
 
 **Hook version mismatch after upgrade**
 - Run `carson refresh` to re-apply hooks and templates for the new Carson version.

data/README.md

@@ -22,7 +22,6 @@ Carson is an autonomous governance runtime that lives on your workstation and in
 │                                               │
 │  ~/.carson/            Carson config          │
 │  ~/.carson/hooks/      Git hooks              │
-│  ~/.carson/lint/       Lint policy            │
 │  ~/.carson/cache/      Reports                │
 │  ~/.carson/govern/     Dispatch state         │
 │                                               │
@@ -45,7 +44,7 @@ This separation is Carson's defining trait — the **outsider boundary**: no Car
 Carson is opinionated about governance. These are non-negotiable principles, not configurable defaults:
 
 - **Outsider boundary** — Carson lives outside your repo, never inside. No Carson-owned artefacts in your repository. Offboarding leaves no trace.
-- **Centralised lint** — lint policy at `~/.carson/lint/`, shared across all repos. Repo-local config files are forbidden — one source of truth, zero drift.
+- **Centralised lint** — lint policy distributed from a central source into each repo's `.github/linters/`. One source of truth, zero drift.
 - **Active review** — undisposed reviewer findings block merge. Feedback must be acknowledged, not buried.
 - **Self-diagnosing output** — every message names the cause and the fix. If you need to debug Carson's output, the output failed.
 - **Transparent governance** — Carson prepares everything for merge but never oversteps. It does not make decisions for you without telling you.
@@ -54,8 +53,8 @@ Everything else — workflow style, merge method, remote name, main branch — i
 
 The data flow:
 
-1. You maintain a **policy source** — a directory or git repository containing your lint rules (e.g. `CODING/rubocop.yml`). Carson copies these to `~/.carson/lint/` via `carson lint setup`.
-2. `carson onboard` installs git hooks, synchronises `.github/*` templates, and runs a first governance audit on a host repository.
+1. You maintain a **policy source** — a directory or git repository containing your lint config files (e.g. `.rubocop.yml`, `biome.json`, `ruff.toml`). `carson lint policy --source <repo>` copies these into each governed repo's `.github/linters/`, where MegaLinter auto-discovers them.
+2. `carson onboard` installs git hooks, synchronises `.github/*` templates (including a MegaLinter CI workflow), and runs a first governance audit on a host repository.
 3. From that point, every commit triggers `carson audit` through the managed `pre-commit` hook. The same `carson audit` runs in GitHub Actions. If it passes locally, it passes in CI.
 4. `carson review gate` enforces review accountability: it blocks merge until every actionable reviewer comment has been formally acknowledged by the PR author through a **disposition comment**.
 5. `carson govern` triages all open PRs across your portfolio. Ready PRs are merged and housekept. Failing PRs get a coding agent dispatched to fix them. Stuck PRs are escalated for your attention.
@@ -75,7 +74,7 @@ The data flow:
 
 | Command | What it does |
 |---|---|
-| `carson lint setup` | Seed `~/.carson/lint/` from your policy source. |
+| `carson lint policy --source <repo>` | Distribute lint configs from policy source into `.github/linters/`. |
 | `carson onboard` | One-command baseline: hooks + templates + first audit. |
 | `carson prepare` | Install or refresh Carson-managed global hooks. |
 | `carson refresh` | Re-apply hooks, templates, and audit after upgrading Carson. |
@@ -116,10 +115,10 @@ gem install --user-install carson
 carson version
 ```
 
-**Prepare your lint policy.** A policy source is any directory (or git URL) that contains a `CODING/` folder with your lint configuration files. For Ruby, the required file is `CODING/rubocop.yml`. Carson copies these into `~/.carson/lint/` so that every governed repository uses the same rules:
+**Prepare your lint policy.** A policy source is any directory (or git URL) containing your lint configuration files (`.rubocop.yml`, `biome.json`, `ruff.toml`, etc.). Carson copies these into the governed repo's `.github/linters/` where MegaLinter auto-discovers them:
 
 ```bash
-carson lint setup --source /path/to/your-policy-repo
+carson lint policy --source /path/to/your-policy-repo
 ```
 
 **Onboard a repository:**

data/RELEASE.md

@@ -5,6 +5,44 @@ Release-note scope rule:
 - `RELEASE.md` records only version deltas, breaking changes, and migration actions.
 - Operational usage guides live in `MANUAL.md` and `API.md`.
 
+## 2.12.0 — Language-Agnostic Lint Policy Distribution + MegaLinter
+
+### What changed
+
+- **Lint policy distribution is now language-agnostic.** `carson lint policy --source <path-or-git-url>` copies all files from the source repo root into the governed repo's `.github/linters/` directory, where MegaLinter auto-discovers them. Works for any linter config: rubocop.yml, biome.json, ruff.toml, .erb-lint.yml, etc.
+- **New `lint.command` config key.** Local audit lint is now a single user-configured command (e.g. `"make lint"`, `"trunk check"`, `["ruff", "check"]`). Replaces the old per-language `lint.languages` system entirely.
+- **New `lint.enforcement` config key.** `"strict"` (default) blocks on lint failure; `"advisory"` warns but does not block.
+- **New `lint.policy_source` config key.** Default: `wanghailei/lint.git`. Sets the default source for lint policy distribution.
+- **MegaLinter CI workflow template.** `carson onboard` now installs `.github/workflows/carson-lint.yml`, which runs MegaLinter on PRs and pushes to main.
+- **Interactive setup prompts.** `carson setup` now asks for lint command and enforcement mode.
+- **Removed `lint.languages`** — all per-language lint configuration, Ruby-specific lint runners, and hardcoded language definitions are gone.
+- **Removed `lint setup` subcommand alias** — use `carson lint policy` instead.
+- **Removed `--legacy` flag** from `carson lint policy`.
+- **Source repo layout simplified** — lint config files live at the source repo root; no `CODING/` subdirectory required.
+
+### Breaking changes
+
+- `lint.languages` config key no longer exists. If your config references it, remove it.
+- `carson lint setup` no longer works. Use `carson lint policy --source <path-or-git-url>`.
+- Lint policy files are now written to `<repo>/.github/linters/` (not `~/.carson/lint/`).
+
+### What users must do now
+
+1. Upgrade Carson to `2.12.0` and run `carson refresh`.
+2. Remove any `lint.languages` entries from your Carson config.
+3. Set `lint.command` in your config if you want local lint during audit (e.g. `"make lint"`).
+4. Run `carson lint policy --source <your-policy-repo>` to distribute linter configs to `.github/linters/`.
+
+## 2.11.3 — Refine RubyGems Description Tone
+
+### What changed
+
+- **Gemspec** — rewrote summary and description with engineer-professional tone. Factual, concrete, no slogans.
+
+### What users must do now
+
+Nothing. Metadata only.
+
 ## 2.11.2 — Improve RubyGems Summary and Description
 
 ### What changed

data/SKILL.md

@@ -33,7 +33,7 @@ When you see exit 2, do NOT bypass it. Read the output, fix the root cause, and
 Carson audit output is structured as labelled key-value lines prefixed with ⧓. Key sections:
 
 - **Working Tree** — staged/unstaged status.
-- **Local Lint Quality** — per-language lint results. `lint_ruby_status: ok` means clean.
+- **Local Lint Quality** — lint command result. `lint_command_status: ok` means clean.
 - **Main Sync Status** — whether local main matches remote. If ahead, reset drift before committing.
 - **Scope Integrity Guard** — checks that commits stay within a single business intent and scope group.
 - **Audit Result** — final verdict: `status: ok` (clean), `status: attention` (advisory, not blocking), `status: block` (must fix).
@@ -99,4 +99,4 @@ Check that `govern.merge.method` in config matches what GitHub allows. If the re
 - Carson never lives inside governed repositories. No `.carson.yml`, no `bin/carson`, no `.tools/carson/`.
 - Carson-managed files in repos are limited to `.github/*` templates.
 - Carson's hooks live at `~/.carson/hooks/<version>/`, never in `.git/hooks/`.
-- Lint policy lives at `~/.carson/lint/`, seeded by `carson lint setup --source <policy-repo>`.
+- Lint policy is distributed via `carson lint policy --source <policy-repo>` into each repo's `.github/linters/`.

data/VERSION

@@ -1 +1 @@
-2.11.2
+2.12.0

data/carson.gemspec

@@ -7,8 +7,8 @@ Gem::Specification.new do |spec|
 	spec.version = Carson::VERSION
 	spec.authors = [ "Hailei Wang" ]
 	spec.email = [ "wanghailei@users.noreply.github.com" ]
-	spec.summary = "You write the code, Carson manages everything from commit to merge."
-	spec.description = "Carson is an autonomous governance runtime that lives outside your repositories. It enforces lint policy on every commit, gates merges on unresolved reviewer feedback, triages open PRs across your entire portfolio, dispatches coding agents to fix failures, merges what's ready, and cleans up after itself. One gem, all your projects, unmanned."
+	spec.summary = "Autonomous governance runtime — lint, review gates, PR triage, and merge across repositories."
+	spec.description = "Carson lives outside the repositories it governs. On every commit it enforces centralised lint policy and scope checks. On PRs it gates merge on unresolved reviewer feedback, dispatches coding agents to fix CI failures, merges passing PRs, and housekeeps branches. Runs locally and in GitHub Actions."
 	spec.homepage = "https://github.com/wanghailei/carson"
 	spec.license = "MIT"
 	spec.required_ruby_version = ">= 3.4"

data/lib/carson/cli.rb

@@ -47,7 +47,7 @@ module Carson
 
 		def self.build_parser
 			OptionParser.new do |opts|
-				opts.banner = "Usage: carson [setup|audit|sync|prune|prepare|inspect|onboard [repo_path]|refresh [repo_path]|offboard [repo_path]|template check|template apply|lint setup --source <path-or-git-url>|review gate|review sweep|govern [--dry-run] [--json] [--loop SECONDS]|housekeep|version]"
+				opts.banner = "Usage: carson [setup|audit|sync|prune|prepare|inspect|onboard [repo_path]|refresh [repo_path]|offboard [repo_path]|template check|template apply|lint policy --source <path-or-git-url>|review gate|review sweep|govern [--dry-run] [--json] [--loop SECONDS]|housekeep|version]"
 			end
 		end
 
@@ -112,8 +112,8 @@ module Carson
 
 		def self.parse_lint_subcommand( argv:, parser:, err: )
 			action = argv.shift
-			unless action == "setup"
-				err.puts "#{BADGE} Missing or invalid subcommand for lint. Use: carson lint setup --source <path-or-git-url> [--ref <git-ref>] [--force]"
+			unless action == "policy"
+				err.puts "#{BADGE} Missing or invalid subcommand for lint. Use: carson lint policy --source <path-or-git-url> [--ref <git-ref>] [--force]"
 				err.puts parser
 				return { command: :invalid }
 			end
@@ -124,19 +124,19 @@ module Carson
 				force: false
 			}
 			lint_parser = OptionParser.new do |opts|
-				opts.banner = "Usage: carson lint setup --source <path-or-git-url> [--ref <git-ref>] [--force]"
+				opts.banner = "Usage: carson lint policy --source <path-or-git-url> [--ref <git-ref>] [--force]"
 				opts.on( "--source SOURCE", "Source repository path or git URL that contains CODING/" ) { |value| options[ :source ] = value.to_s.strip }
 				opts.on( "--ref REF", "Git ref used when --source is a git URL (default: main)" ) { |value| options[ :ref ] = value.to_s.strip }
-				opts.on( "--force", "Overwrite existing files in ~/.carson/lint" ) { options[ :force ] = true }
+				opts.on( "--force", "Overwrite existing files" ) { options[ :force ] = true }
 			end
 			lint_parser.parse!( argv )
 			if options.fetch( :source ).to_s.empty?
-				err.puts "#{BADGE} Missing required --source for lint setup."
+				err.puts "#{BADGE} Missing required --source for lint policy."
 				err.puts lint_parser
 				return { command: :invalid }
 			end
 			unless argv.empty?
-				err.puts "#{BADGE} Unexpected arguments for lint setup: #{argv.join( ' ' )}"
+				err.puts "#{BADGE} Unexpected arguments for lint policy: #{argv.join( ' ' )}"
 				err.puts lint_parser
 				return { command: :invalid }
 			end

data/lib/carson/config.rb

@@ -8,7 +8,8 @@ module Carson
 	class Config
 		attr_accessor :git_remote
 		attr_reader :main_branch, :protected_branches, :hooks_base_path, :required_hooks,
-			:path_groups, :template_managed_files, :lint_languages,
+			:path_groups, :template_managed_files,
+			:lint_command, :lint_enforcement, :lint_policy_source,
 			:review_wait_seconds, :review_poll_seconds, :review_max_polls, :review_sweep_window_days,
 			:review_sweep_states, :review_disposition_prefix, :review_risk_keywords,
 			:review_tracking_issue_title, :review_tracking_issue_label, :review_bot_usernames,
@@ -47,10 +48,12 @@ module Carson
 					}
 				},
 				"template" => {
-					"managed_files" => [ ".github/carson-instructions.md", ".github/copilot-instructions.md", ".github/CLAUDE.md", ".github/AGENTS.md", ".github/pull_request_template.md" ]
+					"managed_files" => [ ".github/carson-instructions.md", ".github/copilot-instructions.md", ".github/CLAUDE.md", ".github/AGENTS.md", ".github/pull_request_template.md", ".github/workflows/carson-lint.yml" ]
 				},
 				"lint" => {
-					"languages" => default_lint_languages_data
+					"command" => nil,
+					"enforcement" => "strict",
+					"policy_source" => "wanghailei/lint.git"
 				},
 				"workflow" => {
 					"style" => "branch"
@@ -94,42 +97,6 @@ module Carson
 				}
 			end
 
-			def self.default_lint_languages_data
-				ruby_runner = File.expand_path( "policy/ruby/lint.rb", __dir__ )
-				{
-					"ruby" => {
-						"enabled" => true,
-						"globs" => [ "**/*.rb", "Gemfile", "*.gemspec", "Rakefile" ],
-						"command" => [ "ruby", ruby_runner, "{files}" ],
-						"config_files" => [ "~/.carson/lint/rubocop.yml" ]
-					},
-					"javascript" => {
-						"enabled" => false,
-						"globs" => [ "**/*.js", "**/*.mjs", "**/*.cjs", "**/*.jsx" ],
-						"command" => [ "node", "~/.carson/lint/javascript.lint.js", "{files}" ],
-						"config_files" => [ "~/.carson/lint/javascript.lint.js" ]
-					},
-					"css" => {
-						"enabled" => false,
-						"globs" => [ "**/*.css" ],
-						"command" => [ "node", "~/.carson/lint/css.lint.js", "{files}" ],
-						"config_files" => [ "~/.carson/lint/css.lint.js" ]
-					},
-					"html" => {
-						"enabled" => false,
-						"globs" => [ "**/*.html" ],
-						"command" => [ "node", "~/.carson/lint/html.lint.js", "{files}" ],
-						"config_files" => [ "~/.carson/lint/html.lint.js" ]
-					},
-					"erb" => {
-						"enabled" => false,
-						"globs" => [ "**/*.erb" ],
-						"command" => [ "ruby", "~/.carson/lint/erb.lint.rb", "{files}" ],
-						"config_files" => [ "~/.carson/lint/erb.lint.rb" ]
-					}
-				}
-			end
-
 		def self.load_global_config_data( repo_root: )
 			path = global_config_path( repo_root: repo_root )
 			return {} if path.empty? || !File.file?( path )
@@ -200,6 +167,13 @@ module Carson
 			audit = fetch_hash_section( data: copy, key: "audit" )
 			advisory_names = env_string_array( key: "CARSON_AUDIT_ADVISORY_CHECK_NAMES" )
 			audit[ "advisory_check_names" ] = advisory_names unless advisory_names.empty?
+			lint = fetch_hash_section( data: copy, key: "lint" )
+			lint_command_env = ENV.fetch( "CARSON_LINT_COMMAND", "" ).to_s.strip
+			lint[ "command" ] = lint_command_env unless lint_command_env.empty?
+			lint_enforcement_env = ENV.fetch( "CARSON_LINT_ENFORCEMENT", "" ).to_s.strip
+			lint[ "enforcement" ] = lint_enforcement_env unless lint_enforcement_env.empty?
+			lint_policy_source_env = ENV.fetch( "CARSON_LINT_POLICY_SOURCE", "" ).to_s.strip
+			lint[ "policy_source" ] = lint_policy_source_env unless lint_policy_source_env.empty?
 			style = fetch_hash_section( data: copy, key: "style" )
 			ruby_indentation = ENV.fetch( "CARSON_RUBY_INDENTATION", "" ).to_s.strip
 			style[ "ruby_indentation" ] = ruby_indentation unless ruby_indentation.empty?
@@ -248,9 +222,10 @@ module Carson
 			@path_groups = fetch_hash( hash: fetch_hash( hash: data, key: "scope" ), key: "path_groups" ).transform_values { |value| normalize_patterns( value: value ) }
 
 			@template_managed_files = fetch_string_array( hash: fetch_hash( hash: data, key: "template" ), key: "managed_files" )
-			@lint_languages = normalize_lint_languages(
-				languages_hash: fetch_hash( hash: fetch_hash( hash: data, key: "lint" ), key: "languages" )
-			)
+			lint_hash = fetch_hash( hash: data, key: "lint" )
+			@lint_command = normalize_lint_command_setting( value: lint_hash[ "command" ] )
+			@lint_enforcement = normalize_lint_enforcement( value: lint_hash.fetch( "enforcement", "strict" ) )
+			@lint_policy_source = lint_hash.fetch( "policy_source", "" ).to_s.strip
 
 			workflow_hash = fetch_hash( hash: data, key: "workflow" )
 			@workflow_style = fetch_string( hash: workflow_hash, key: "style" ).downcase
@@ -296,7 +271,6 @@ module Carson
 				raise ConfigError, "hooks.base_path cannot be empty" if hooks_base_path.empty?
 				raise ConfigError, "hooks.required_hooks cannot be empty" if required_hooks.empty?
 				raise ConfigError, "scope.path_groups cannot be empty" if path_groups.empty?
-				raise ConfigError, "lint.languages cannot be empty" if lint_languages.empty?
 				raise ConfigError, "review.required_disposition_prefix cannot be empty" if review_disposition_prefix.empty?
 				raise ConfigError, "review.risk_keywords cannot be empty" if review_risk_keywords.empty?
 				raise ConfigError, "review.sweep.states must contain one or both of open, closed" if ( review_sweep_states - [ "open", "closed" ] ).any? || review_sweep_states.empty?
@@ -364,56 +338,21 @@ module Carson
 				patterns
 			end
 
-			def normalize_lint_languages( languages_hash: )
-				raise ConfigError, "lint.languages must be an object" unless languages_hash.is_a?( Hash )
-				normalised = {}
-				languages_hash.each do |language_key, raw_entry|
-					language = language_key.to_s.strip.downcase
-					raise ConfigError, "lint.languages contains blank language key" if language.empty?
-					raise ConfigError, "lint.languages.#{language} must be an object" unless raw_entry.is_a?( Hash )
-
-					normalised[ language ] = normalize_lint_language_entry( language: language, raw_entry: raw_entry )
+			def normalize_lint_command_setting( value: )
+				return nil if value.nil?
+				return value.to_s.strip if value.is_a?( String )
+				if value.is_a?( Array )
+					parts = value.map { |entry| entry.to_s.strip }.reject( &:empty? )
+					raise ConfigError, "lint.command array must contain at least one argument" if parts.empty?
+					return parts
 				end
-				normalised
-			end
-
-			def normalize_lint_language_entry( language:, raw_entry: )
-				{
-					enabled: fetch_optional_boolean(
-						hash: raw_entry,
-						key: "enabled",
-						default: true,
-						key_path: "lint.languages.#{language}.enabled"
-					),
-					globs: normalize_lint_globs( language: language, value: raw_entry[ "globs" ] ),
-					command: normalize_lint_command( language: language, value: raw_entry[ "command" ] ),
-					config_files: normalize_lint_config_files( language: language, value: raw_entry[ "config_files" ] )
-				}
-			end
-
-			def normalize_lint_globs( language:, value: )
-				raise ConfigError, "lint.languages.#{language}.globs must be an array" unless value.is_a?( Array )
-				patterns = Array( value ).map { |entry| entry.to_s.strip }.reject( &:empty? )
-				raise ConfigError, "lint.languages.#{language}.globs must contain at least one pattern" if patterns.empty?
-				patterns
-			end
-
-			def normalize_lint_command( language:, value: )
-				raise ConfigError, "lint.languages.#{language}.command must be an array" unless value.is_a?( Array )
-				command = Array( value ).map { |entry| entry.to_s.strip }.reject( &:empty? )
-				raise ConfigError, "lint.languages.#{language}.command must contain at least one argument" if command.empty?
-				command
+				raise ConfigError, "lint.command must be a string, array, or null"
 			end
 
-			def normalize_lint_config_files( language:, value: )
-				raise ConfigError, "lint.languages.#{language}.config_files must be an array" unless value.is_a?( Array )
-				files = Array( value ).map { |entry| entry.to_s.strip }.reject( &:empty? )
-				raise ConfigError, "lint.languages.#{language}.config_files must contain at least one path" if files.empty?
-				files.map do |path|
-					expanded = path.start_with?( "~" ) ? File.expand_path( path ) : path
-					raise ConfigError, "lint.languages.#{language}.config_files entries must be absolute paths or ~/ paths" unless expanded.start_with?( "/" )
-					expanded
-				end
+			def normalize_lint_enforcement( value: )
+				text = value.to_s.strip.downcase
+				raise ConfigError, "lint.enforcement must be one of strict, advisory" unless [ "strict", "advisory" ].include?( text )
+				text
 			end
 
 			def fetch_optional_boolean( hash:, key:, default:, key_path: nil )

data/lib/carson/runtime/audit.rb

@@ -162,9 +162,43 @@ module Carson
 					report
 				end
 
-			# Enforces configured multi-language lint policy before governance passes.
+			# Enforces configured lint policy before governance passes.
+			# Runs lint.command and gates on exit code. Skips when lint.command is not set.
 			def local_lint_quality_report
+				unless config.lint_command
+					report = {
+						status: "ok",
+						skip_reason: "lint.command not configured",
+						target_source: "none",
+						target_files_count: 0,
+						blocking_languages: 0,
+						languages: []
+					}
+					puts_verbose "lint: SKIP (lint.command not configured)"
+					return report
+				end
+
+				lint_command_report
+			rescue StandardError => e
+				report = {
+					status: "block",
+					skip_reason: e.message,
+					target_source: "unknown",
+					target_files_count: 0,
+					blocking_languages: 0,
+					languages: []
+				}
+				puts_line "BLOCK: local lint quality check failed (#{e.message})."
+				report
+			end
+
+			# Runs the lint.command and returns a structured report.
+			def lint_command_report
 				target_files, target_source = lint_target_files
+				advisory = config.lint_enforcement == "advisory"
+				command_value = config.lint_command
+				command_string = command_value.is_a?( Array ) ? command_value.join( " " ) : command_value.to_s
+
 				report = {
 					status: "ok",
 					skip_reason: nil,
@@ -175,32 +209,63 @@ module Carson
 				}
 				puts_verbose "lint_target_source: #{target_source}"
 				puts_verbose "lint_target_files_total: #{target_files.count}"
-				config.lint_languages.each do |language, entry|
-					language_report = lint_language_report(
-						language: language,
-						entry: entry,
-						target_files: target_files
-					)
-					report.fetch( :languages ) << language_report
-					next unless language_report.fetch( :status ) == "block"
+				puts_verbose "lint_command: #{command_string}"
+				puts_verbose "lint_enforcement: #{config.lint_enforcement}"
 
-					report[ :status ] = "block"
-					report[ :blocking_languages ] += 1
+				args = command_string.split( /\s+/ )
+				command_name = args.first.to_s.strip
+				unless command_available_for_lint?( command_name: command_name )
+					language_report = {
+						language: "lint.command",
+						enabled: true,
+						status: "block",
+						reason: "command not available: #{command_name}",
+						file_count: target_files.count,
+						files: target_files,
+						command: args,
+						config_files: [],
+						exit_code: EXIT_BLOCK
+					}
+					report[ :languages ] << language_report
+					report[ :status ] = advisory ? "ok" : "block"
+					report[ :blocking_languages ] = advisory ? 0 : 1
+					puts_verbose "lint_command_status: #{language_report.fetch( :status )}"
+					puts_line "WARN: lint command not available: #{command_name}" if advisory
+					return report
 				end
-				puts_verbose "lint_blocking_languages: #{report.fetch( :blocking_languages )}"
-				report
-			rescue StandardError => e
-				report ||= {
-					status: "block",
-					skip_reason: nil,
-					target_source: "unknown",
-					target_files_count: 0,
-					blocking_languages: 0,
-					languages: []
+
+				stdout_text, stderr_text, success, exit_code = local_command( *args )
+				language_report = {
+					language: "lint.command",
+					enabled: true,
+					status: success ? "ok" : "block",
+					reason: success ? nil : summarise_command_output(
+						stdout_text: stdout_text,
+						stderr_text: stderr_text,
+						fallback: "lint command failed"
+					),
+					file_count: target_files.count,
+					files: target_files,
+					command: args,
+					config_files: [],
+					exit_code: exit_code
 				}
-				report[ :status ] = "block"
-				report[ :skip_reason ] = e.message
-				puts_line "BLOCK: local lint quality check failed (#{e.message})."
+				report[ :languages ] << language_report
+
+				unless success
+					if advisory
+						report[ :status ] = "ok"
+						puts_verbose "lint_command_status: advisory_warn (exit #{exit_code})"
+						puts_line "WARN: lint command failed (exit #{exit_code}) — advisory mode, not blocking."
+					else
+						report[ :status ] = "block"
+						report[ :blocking_languages ] = 1
+						puts_verbose "lint_command_status: block (exit #{exit_code})"
+					end
+				else
+					puts_verbose "lint_command_status: ok"
+				end
+
 				report
 			end
 
@@ -274,85 +339,6 @@ module Carson
 				end.compact.uniq
 			end
 
-			def lint_language_report( language:, entry:, target_files: )
-				globs = entry.fetch( :globs )
-				candidate_files = Array( target_files ).select do |path|
-					globs.any? { |pattern| pattern_matches_path?( pattern: pattern, path: path ) }
-				end
-				report = {
-					language: language,
-					enabled: entry.fetch( :enabled ),
-					status: "ok",
-					reason: nil,
-					file_count: candidate_files.count,
-					files: candidate_files,
-					command: entry.fetch( :command ),
-					config_files: entry.fetch( :config_files ),
-					exit_code: 0
-				}
-				puts_verbose "lint_language: #{language} enabled=#{report.fetch( :enabled )} files=#{report.fetch( :file_count )}"
-				if language == "ruby" && outsider_mode?
-					local_rubocop_path = File.join( repo_root, ".rubocop.yml" )
-					if File.file?( local_rubocop_path )
-						report[ :status ] = "block"
-						report[ :reason ] = "repo-local RuboCop config is forbidden: #{relative_path( local_rubocop_path )}; remove it and use ~/.carson/lint/rubocop.yml."
-						report[ :exit_code ] = EXIT_BLOCK
-						puts_verbose "lint_#{language}_status: block"
-						puts_verbose "lint_#{language}_reason: #{report.fetch( :reason )}"
-						puts_verbose "ACTION: remove .rubocop.yml from this repository and run carson lint setup --source <path-or-git-url>."
-						return report
-					end
-				end
-				return report unless report.fetch( :enabled )
-				return report if candidate_files.empty?
-
-				missing_config_files = entry.fetch( :config_files ).reject { |path| File.file?( path ) }
-				unless missing_config_files.empty?
-					report[ :status ] = "block"
-					report[ :reason ] = "missing config files: #{missing_config_files.join( ', ' )}"
-					report[ :exit_code ] = EXIT_BLOCK
-					puts_verbose "lint_#{language}_status: block"
-					puts_verbose "lint_#{language}_reason: #{report.fetch( :reason )}"
-					puts_verbose "ACTION: run carson lint setup --source <path-or-git-url> to prepare ~/.carson/lint policy files."
-					return report
-				end
-
-				command = Array( entry.fetch( :command ) )
-				command_name = command.first.to_s.strip
-				if command_name.empty?
-					report[ :status ] = "block"
-					report[ :reason ] = "missing lint command"
-					report[ :exit_code ] = EXIT_BLOCK
-					puts_verbose "lint_#{language}_status: block"
-					puts_verbose "lint_#{language}_reason: #{report.fetch( :reason )}"
-					return report
-				end
-				unless command_available_for_lint?( command_name: command_name )
-					report[ :status ] = "block"
-					report[ :reason ] = "command not available: #{command_name}"
-					report[ :exit_code ] = EXIT_BLOCK
-					puts_verbose "lint_#{language}_status: block"
-					puts_verbose "lint_#{language}_reason: #{report.fetch( :reason )}"
-					return report
-				end
-
-				args = expanded_lint_command_args( command: command, files: candidate_files )
-				stdout_text, stderr_text, success, exit_code = local_command( *args )
-				report[ :exit_code ] = exit_code
-				unless success
-					report[ :status ] = "block"
-					report[ :reason ] = summarise_command_output(
-						stdout_text: stdout_text,
-						stderr_text: stderr_text,
-						fallback: "lint command failed for #{language}"
-					)
-				end
-				puts_verbose "lint_#{language}_status: #{report.fetch( :status )}"
-				puts_verbose "lint_#{language}_exit: #{report.fetch( :exit_code )}"
-				puts_verbose "lint_#{language}_reason: #{report.fetch( :reason )}" unless report.fetch( :reason ).nil?
-				report
-			end
-
 			def command_available_for_lint?( command_name: )
 				return false if command_name.to_s.strip.empty?
 
@@ -373,26 +359,6 @@ module Carson
 				end
 			end
 
-			def expanded_lint_command_args( command:, files: )
-				expanded_command = Array( command ).map do |arg|
-					text = arg.to_s
-					if text == "{files}"
-						text
-					elsif text.start_with?( "~" )
-						File.expand_path( text )
-					elsif text.include?( "/" ) && !text.start_with?( "/" )
-						File.expand_path( text, repo_root )
-					else
-						text
-					end
-				end
-				if expanded_command.include?( "{files}" )
-					return expanded_command.flat_map { |arg| arg == "{files}" ? Array( files ) : arg }
-				end
-
-				expanded_command + Array( files )
-			end
-
 			# Local command runner for repository-context tools used by audit lint checks.
 			def local_command( *args )
 				stdout_text, stderr_text, status = Open3.capture3( *args, chdir: repo_root )

data/lib/carson/runtime/lint.rb

@@ -5,13 +5,14 @@ require "tmpdir"
 module Carson
 	class Runtime
 		module Lint
-			# Prepares canonical lint policy files under ~/.carson/lint from an explicit source.
-			def lint_setup!( source:, ref: "main", force: false )
+			# Distributes lint policy files from a central source into the governed repository.
+			# Target: <repo>/.github/linters/ (MegaLinter auto-discovers here).
+			def lint_setup!( source:, ref: "main", force: false, **_ )
 				puts_verbose ""
-				puts_verbose "[Lint Setup]"
+				puts_verbose "[Lint Policy]"
 				source_text = source.to_s.strip
 				if source_text.empty?
-					puts_line "ERROR: lint setup requires --source <path-or-git-url>."
+					puts_line "ERROR: lint policy requires --source <path-or-git-url>."
 					return EXIT_ERROR
 				end
 
@@ -19,40 +20,26 @@ module Carson
 				ref_text = "main" if ref_text.empty?
 				source_dir, cleanup = lint_setup_source_directory( source: source_text, ref: ref_text )
 				begin
-					source_coding_dir = File.join( source_dir, "CODING" )
-					unless Dir.exist?( source_coding_dir )
-						puts_line "ERROR: source CODING directory not found at #{source_coding_dir}."
-						return EXIT_ERROR
-					end
-					target_coding_dir = ai_coding_dir
-					copy_result = copy_lint_coding_tree(
-						source_coding_dir: source_coding_dir,
-						target_coding_dir: target_coding_dir,
+					target_dir = repo_linters_dir
+					copy_result = copy_lint_policy_files(
+						source_dir: source_dir,
+						target_dir: target_dir,
 						force: force
 					)
-					puts_verbose "lint_setup_source: #{source_text}"
-					puts_verbose "lint_setup_ref: #{ref_text}" if lint_source_git_url?( source: source_text )
-					puts_verbose "lint_setup_target: #{target_coding_dir}"
-					puts_verbose "lint_setup_created: #{copy_result.fetch( :created )}"
-					puts_verbose "lint_setup_updated: #{copy_result.fetch( :updated )}"
-					puts_verbose "lint_setup_skipped: #{copy_result.fetch( :skipped )}"
-
-					missing_policy = missing_lint_policy_files
-					if missing_policy.empty?
-						puts_line "OK: lint policy setup is complete."
-						return EXIT_OK
-					end
-
-					missing_policy.each do |entry|
-						puts_verbose "missing_lint_policy_file: language=#{entry.fetch( :language )} path=#{entry.fetch( :path )}"
-					end
-					puts_line "ACTION: update source CODING policy files, rerun carson lint setup, then rerun carson audit."
-					EXIT_ERROR
+					puts_verbose "lint_policy_source: #{source_text}"
+					puts_verbose "lint_policy_ref: #{ref_text}" if lint_source_git_url?( source: source_text )
+					puts_verbose "lint_policy_target: #{target_dir}"
+					puts_verbose "lint_policy_created: #{copy_result.fetch( :created )}"
+					puts_verbose "lint_policy_updated: #{copy_result.fetch( :updated )}"
+					puts_verbose "lint_policy_skipped: #{copy_result.fetch( :skipped )}"
+
+					puts_line "OK: lint policy synced to .github/linters/ (#{copy_result.fetch( :created )} created, #{copy_result.fetch( :updated )} updated)."
+					EXIT_OK
 				ensure
 					cleanup&.call
 				end
 			rescue StandardError => e
-				puts_line "ERROR: lint setup failed (#{e.message})"
+				puts_line "ERROR: lint policy failed (#{e.message})"
 				EXIT_ERROR
 			end
 
@@ -119,22 +106,21 @@ module Carson
 				"/tmp/carson"
 			end
 
-			def ai_coding_dir
-				home = ENV.fetch( "HOME", "" ).to_s.strip
-				raise "HOME must be an absolute path for lint setup" unless home.start_with?( "/" )
-
-				File.join( home, ".carson", "lint" )
+			# Lint configs live inside the governed repository for MegaLinter.
+			def repo_linters_dir
+				File.join( repo_root, ".github", "linters" )
 			end
 
-			def copy_lint_coding_tree( source_coding_dir:, target_coding_dir:, force: )
-				FileUtils.mkdir_p( target_coding_dir )
+			def copy_lint_policy_files( source_dir:, target_dir:, force: )
+				FileUtils.mkdir_p( target_dir )
 				created = 0
 				updated = 0
 				skipped = 0
-				Dir.glob( "**/*", File::FNM_DOTMATCH, base: source_coding_dir ).sort.each do |relative|
+				Dir.glob( "**/*", File::FNM_DOTMATCH, base: source_dir ).sort.each do |relative|
 					next if [ ".", ".." ].include?( relative )
-					source_path = File.join( source_coding_dir, relative )
-					target_path = File.join( target_coding_dir, relative )
+					next if relative.start_with?( ".git/" ) || relative == ".git"
+					source_path = File.join( source_dir, relative )
+					target_path = File.join( target_dir, relative )
 					if File.directory?( source_path )
 						FileUtils.mkdir_p( target_path )
 						next
@@ -161,16 +147,6 @@ module Carson
 					skipped: skipped
 				}
 			end
-
-			def missing_lint_policy_files
-				config.lint_languages.each_with_object( [] ) do |( language, entry ), missing|
-					next unless entry.fetch( :enabled )
-
-					entry.fetch( :config_files ).each do |path|
-						missing << { language: language, path: path } unless File.file?( path )
-					end
-				end
-			end
 		end
 
 		include Lint

data/lib/carson/runtime/local.rb

@@ -371,7 +371,11 @@ module Carson
 
 			# Calculates whole-file expected content and returns sync status plus apply payload.
 			def template_result_for_file( managed_file: )
-				template_path = File.join( github_templates_dir, File.basename( managed_file ) )
+				# Try subdirectory-aware path first (e.g. .github/workflows/carson-lint.yml),
+				# then fall back to flat basename lookup for backward compatibility.
+				relative_within_github = managed_file.delete_prefix( ".github/" )
+				template_path = File.join( github_templates_dir, relative_within_github )
+				template_path = File.join( github_templates_dir, File.basename( managed_file ) ) unless File.file?( template_path )
 				return { file: managed_file, status: "error", reason: "missing template #{File.basename( managed_file )}", applied_content: nil } unless File.file?( template_path )
 
 				expected_content = normalize_text( text: File.read( template_path ) )

data/lib/carson/runtime/setup.rb

@@ -39,6 +39,12 @@ module Carson
 				merge_choice = prompt_merge_method
 				choices[ "govern.merge.method" ] = merge_choice unless merge_choice.nil?
 
+				lint_command_choice = prompt_lint_command
+				choices[ "lint.command" ] = lint_command_choice unless lint_command_choice.nil?
+
+				lint_enforcement_choice = prompt_lint_enforcement
+				choices[ "lint.enforcement" ] = lint_enforcement_choice unless lint_enforcement_choice.nil?
+
 				write_setup_config( choices: choices )
 			end
 
@@ -142,6 +148,34 @@ module Carson
 				prompt_choice( options: options, default: 0 )
 			end
 
+			def prompt_lint_command
+				puts_line ""
+				puts_line "Lint command"
+				options = [
+					{ label: "make lint", value: "make lint" },
+					{ label: "trunk check (Recommended)", value: "trunk check" },
+					{ label: "Other (enter command)", value: :other },
+					{ label: "Skip (no local lint)", value: nil }
+				]
+				choice = prompt_choice( options: options, default: 1 )
+
+				if choice == :other
+					prompt_custom_value( label: "Lint command" )
+				else
+					choice
+				end
+			end
+
+			def prompt_lint_enforcement
+				puts_line ""
+				puts_line "Lint enforcement"
+				options = [
+					{ label: "strict — block on lint failure (default)", value: "strict" },
+					{ label: "advisory — warn but don't block", value: "advisory" }
+				]
+				prompt_choice( options: options, default: 0 )
+			end
+
 			def prompt_choice( options:, default: )
 				options.each_with_index do |option, index|
 					puts_line "  #{index + 1}) #{option.fetch( :label )}"

data/templates/.github/workflows/carson-lint.yml

@@ -0,0 +1,23 @@
+name: Carson Lint
+on:
+  pull_request:
+    branches: [main, master]
+  push:
+    branches: [main, master]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: oxsecurity/megalinter@v8
+        env:
+          VALIDATE_ALL_CODEBASE: false
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          LINTER_RULES_PATH: .github/linters

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: carson
 version: !ruby/object:Gem::Version
-  version: 2.11.2
+  version: 2.12.0
 platform: ruby
 authors:
 - Hailei Wang
@@ -9,10 +9,10 @@ bindir: exe
 cert_chain: []
 date: 1980-01-02 00:00:00.000000000 Z
 dependencies: []
-description: Carson is an autonomous governance runtime that lives outside your repositories.
-  It enforces lint policy on every commit, gates merges on unresolved reviewer feedback,
-  triages open PRs across your entire portfolio, dispatches coding agents to fix failures,
-  merges what's ready, and cleans up after itself. One gem, all your projects, unmanned.
+description: Carson lives outside the repositories it governs. On every commit it
+  enforces centralised lint policy and scope checks. On PRs it gates merge on unresolved
+  reviewer feedback, dispatches coding agents to fix CI failures, merges passing PRs,
+  and housekeeps branches. Runs locally and in GitHub Actions.
 email:
 - wanghailei@users.noreply.github.com
 executables:
@@ -46,7 +46,6 @@ files:
 - lib/carson/adapters/prompt.rb
 - lib/carson/cli.rb
 - lib/carson/config.rb
-- lib/carson/policy/ruby/lint.rb
 - lib/carson/runtime.rb
 - lib/carson/runtime/audit.rb
 - lib/carson/runtime/govern.rb
@@ -65,6 +64,7 @@ files:
 - templates/.github/carson-instructions.md
 - templates/.github/copilot-instructions.md
 - templates/.github/pull_request_template.md
+- templates/.github/workflows/carson-lint.yml
 homepage: https://github.com/wanghailei/carson
 licenses:
 - MIT
@@ -93,5 +93,6 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 rubygems_version: 4.0.3
 specification_version: 4
-summary: You write the code, Carson manages everything from commit to merge.
+summary: Autonomous governance runtime — lint, review gates, PR triage, and merge
+  across repositories.
 test_files: []

data/lib/carson/policy/ruby/lint.rb

@@ -1,60 +0,0 @@
-#!/usr/bin/env ruby
-
-require "open3"
-
-EXIT_OK = 0
-EXIT_ERROR = 1
-EXIT_BLOCK = 2
-
-def rubocop_config_path
-	File.expand_path( "~/.carson/lint/rubocop.yml" )
-end
-
-def print_stream( io, text )
-	content = text.to_s
-	return if content.empty?
-	io.print( content )
-end
-
-def run_rubocop( files: )
-	stdout_text, stderr_text, status = Open3.capture3(
-		"rubocop", "--config", rubocop_config_path, *files
-	)
-	print_stream( $stdout, stdout_text )
-	print_stream( $stderr, stderr_text )
-	{ status: :completed, exit_code: status.exitstatus.to_i }
-rescue Errno::ENOENT
-	$stderr.puts "ERROR: RuboCop executable `rubocop` is unavailable in PATH. Install the pinned RuboCop gem before running carson audit."
-	{ status: :unavailable, exit_code: nil }
-rescue StandardError => e
-	$stderr.puts "ERROR: RuboCop execution failed (#{e.message})"
-	{ status: :runtime_error, exit_code: nil }
-end
-
-def lint_exit_code( result: )
-	case result.fetch( :status )
-	when :unavailable
-		EXIT_BLOCK
-	when :runtime_error
-		EXIT_ERROR
-	else
-		case result.fetch( :exit_code )
-		when 0
-			EXIT_OK
-		when 1
-			EXIT_BLOCK
-		else
-			EXIT_ERROR
-		end
-	end
-end
-
-files = ARGV.map( &:to_s ).map( &:strip ).reject( &:empty? )
-config_path = rubocop_config_path
-unless File.file?( config_path )
-	$stderr.puts "ERROR: RuboCop config not found at #{config_path}. Run `carson lint setup --source <path-or-git-url>`."
-	exit EXIT_ERROR
-end
-
-result = run_rubocop( files: files )
-exit lint_exit_code( result: result )