carson 2.11.3 → 2.13.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2f2b2563b55862fdda893bf17d8686d2bab9d280c060b24b82ef956949be57cd
-  data.tar.gz: eff8ccc66edcbed4b1cde495ad71f7430b727cb068a79d172d0ccd2a316b0a61
+  metadata.gz: fbc67303ff1efe52235731586e0fb13830d943764edfb67119ff3b8cd5605102
+  data.tar.gz: 6facbe0d10eebe0ef1f89d491799fa65d2993221574b1d3e7e898d82e3c0fc32
 SHA512:
-  metadata.gz: 366ae543bf2639e601ffc1556cd8e3681e898ffc73550abc63f3101ccb646a6f9ef1d3faa728d0efa5df98fc2f7bb2cf1362a1a26f5f7c3ee7865826ae103697
-  data.tar.gz: 656f7d30b869eeeae1273473698f6f6f450dc898cf0599a13c235dbd97bff266ada1251a768f38f1b0f90f3a1a2e20bdfeff3d85f9b57a7f673583a050b4f53f
+  metadata.gz: c606ed005e274ab872ccf9b50da945edcc8bffcf2a7e146679e0f6f9673c572d826a679e9575d9866a4c91ffe71ca648a89b415237cb63e97f7d023ffa05a453
+  data.tar.gz: fc3e7c8ba85a437aafc643f498c381bb8f617ee71c5527b08462af993f1b94cbcf51dbfc9298dd45b3dee92dbfad45c611513e449114051878e4c8239e4b7c23

data/.github/workflows/carson_policy.yml

@@ -71,7 +71,7 @@ jobs:
         env:
           CARSON_READ_TOKEN: ${{ secrets.CARSON_READ_TOKEN }}
         run: |
-          carson lint setup --source https://github.com/wanghailei/ai.git --ref main --force
+          carson lint policy --source https://github.com/wanghailei/ai.git --ref main --force
           carson prepare
           carson audit
 

data/API.md

@@ -16,7 +16,7 @@ carson <command> [subcommand] [arguments]
 | Command | Purpose |
 |---|---|
 | `carson setup` | Interactive quiz to configure remote, main branch, workflow, and merge method. Writes `~/.carson/config.json`. |
-| `carson lint setup --source <path-or-git-url> [--ref <git-ref>] [--force]` | Seed or refresh `~/.carson/lint` policy files from an explicit source. |
+| `carson lint policy --source <path-or-git-url> [--ref <git-ref>] [--force]` | Distribute lint configs from a central source into the governed repo's `.github/linters/`. |
 | `carson onboard [repo_path]` | Apply one-command baseline setup for a target git repository. Auto-triggers `setup` on first run. |
 | `carson prepare` | Install or refresh Carson-managed global hooks. |
 | `carson refresh [repo_path]` | Re-apply hooks, templates, and audit after upgrading Carson. |
@@ -78,6 +78,7 @@ Allowed Carson-managed persistence in host repositories:
 - `.github/CLAUDE.md` — agent discovery pointer for Claude Code
 - `.github/AGENTS.md` — agent discovery pointer for Codex
 - `.github/pull_request_template.md` — PR template
+- `.github/workflows/carson-lint.yml` — MegaLinter CI workflow
 
 ## Configuration interface
 
@@ -97,33 +98,31 @@ Environment overrides:
 - `CARSON_REVIEW_SWEEP_STATES`
 - `CARSON_WORKFLOW_STYLE`
 - `CARSON_RUBY_INDENTATION`
+- `CARSON_LINT_COMMAND`
+- `CARSON_LINT_ENFORCEMENT`
+- `CARSON_LINT_POLICY_SOURCE`
 
-`lint.languages` schema:
+`lint` schema:
 
 ```json
 {
   "lint": {
-    "languages": {
-      "ruby": {
-        "enabled": true,
-        "globs": ["**/*.rb"],
-        "command": ["ruby", "/absolute/path/to/carson/lib/carson/policy/ruby/lint.rb", "{files}"],
-        "config_files": ["~/.carson/lint/rubocop.yml"]
-      }
-    }
+    "command": "make lint",
+    "enforcement": "strict",
+    "policy_source": "wanghailei/lint.git"
   }
 }
 ```
 
-`lint.languages` semantics:
-- `enabled`: boolean toggle per language.
-- `globs`: file-match patterns applied to the selected audit target set.
-- `command`: argv array executed without shell interpolation.
-- `config_files`: required files that must exist before lint runs.
-- `{files}` token: replaced with matched files; if omitted, matched files are appended at the end of argv.
-- Default Ruby policy source is `~/.carson/lint/rubocop.yml`; Ruby execution logic is Carson-owned.
-- Client repositories containing repo-local `.rubocop.yml` are hard-blocked by `carson audit` in outsider mode.
-- Non-Ruby language entries (`javascript`, `css`, `html`, `erb`) are present but disabled by default.
+`lint` semantics:
+- `command`: string or array — local lint command executed during `carson audit`. If `null` (default), local lint is skipped.
+- `enforcement`: `"strict"` (default) blocks on lint failure; `"advisory"` warns but does not block.
+- `policy_source`: default source for `carson lint policy` when `--source` is not specified.
+
+Environment overrides:
+- `CARSON_LINT_COMMAND` — overrides `lint.command`.
+- `CARSON_LINT_ENFORCEMENT` — overrides `lint.enforcement`.
+- `CARSON_LINT_POLICY_SOURCE` — overrides `lint.policy_source`.
 
 Lint target file source precedence in `carson audit`:
 - staged files for local commit-time execution.
@@ -131,14 +130,12 @@ Lint target file source precedence in `carson audit`:
 - full repository tracked files in GitHub non-PR events.
 - local working-tree changes as fallback.
 
-Private-source clone token for `carson lint setup`:
+Private-source clone token for `carson lint policy`:
 - `CARSON_READ_TOKEN` (used when `--source` points to a private GitHub repository).
 
-Ruby source requirement for `carson lint setup` (when Ruby lint is enabled):
-- `CODING/rubocop.yml` must exist in the source tree.
-
 Policy layout requirement:
-- Language policy files are stored directly under `CODING/` and copied to `~/.carson/lint/` without language subdirectories.
+- Lint config files sit at the root of the source repo and are copied to `<governed-repo>/.github/linters/`.
+- MegaLinter auto-discovers configs in `.github/linters/` during CI.
 
 ## Output interface
 

data/MANUAL.md

@@ -27,22 +27,20 @@ carson version
 
 ### Step 1: Prepare your lint policy
 
-Carson enforces lint rules from a central policy source — a directory or git repository you control that contains a `CODING/` folder. For Ruby governance, the required file is `CODING/rubocop.yml`.
-
-Run `lint setup` to copy policy files into `~/.carson/lint/`:
+Carson distributes lint configuration files from a central policy source — a directory or git repository you control — into each governed repo's `.github/linters/` directory, where MegaLinter auto-discovers them.
 
 ```bash
-carson lint setup --source /path/to/your-policy-repo
+carson lint policy --source /path/to/your-policy-repo
 ```
 
-After this command, `~/.carson/lint/rubocop.yml` exists and is ready for Carson to use. Every governed repository will reference these same policy files — this is how Carson keeps lint consistent.
+After this command, `.github/linters/` contains your lint configs (`.rubocop.yml`, `biome.json`, `ruff.toml`, etc.). MegaLinter uses these in CI. Every governed repository gets the same rules — this is how Carson keeps lint consistent across languages.
 
 Options:
 - `--source <path-or-git-url>` — where to read policy files from (required).
 - `--ref <git-ref>` — branch or tag when `--source` is a git URL.
-- `--force` — overwrite existing `~/.carson/lint` files.
+- `--force` — overwrite existing `.github/linters/` files.
 
-Policy layout: language config files sit directly under `CODING/` (flat layout, no language subfolders). Non-Ruby entries are present but disabled by default.
+Policy layout: lint config files sit at the root of the source repo (flat layout, no subdirectories required).
 
 ### Step 2: Onboard a repository
 
@@ -96,7 +94,7 @@ jobs:
 
 Notes:
 - When upgrading Carson, update both `carson_ref` and `carson_version` together.
-- `CARSON_READ_TOKEN` must have read access to your policy source repository so CI can run `carson lint setup`.
+- `CARSON_READ_TOKEN` must have read access to your policy source repository so CI can run `carson lint policy`.
 - The reusable workflow installs a pinned RuboCop gem before `carson audit`; mirror the same pin in host governance workflows for deterministic checks.
 
 ## Daily Operations
@@ -105,7 +103,7 @@ Notes:
 
 ```bash
 carson sync                                          # fast-forward local main
-carson lint setup --source /path/to/your-policy-repo # refresh policy if needed
+carson lint policy --source /path/to/your-policy-repo # refresh policy if needed
 carson audit                                         # full governance check
 ```
 
@@ -183,7 +181,7 @@ Carson's `govern.merge.method` controls how `carson govern` merges ready PRs. Th
 These define what Carson *is*. They are not configurable.
 
 - **Outsider boundary** — Carson never places its own artefacts inside a governed repository.
-- **Centralised lint** — one policy source at `~/.carson/lint/`, shared across all repos, zero per-repo drift.
+- **Centralised lint** — one policy source distributed into each repo's `.github/linters/`, zero per-repo drift.
 - **Active review** — undisposed reviewer findings block merge; feedback must be acknowledged.
 - **Self-diagnosing output** — every message names the cause and the fix.
 - **Transparent governance** — Carson prepares everything for merge but never makes decisions without telling you.
@@ -238,11 +236,12 @@ Change: `CARSON_HOOKS_BASE_PATH`.
 
 #### Lint policy source
 
-Where lint configuration files live.
+Where lint configuration files come from and where they land.
 
-- Default: **`~/.carson/lint/`**. Centralised: one policy source governs all repos consistently. Repo-local `.rubocop.yml` is forbidden in outsider mode to prevent per-repo drift.
+- Default source: **`wanghailei/lint.git`**. A central repository containing lint configs for all languages.
+- Target: **`<repo>/.github/linters/`**. MegaLinter auto-discovers configs here in CI.
 
-Change the source: `carson lint setup --source <path-or-git-url>`.
+Change: `carson lint policy --source <path-or-git-url>` or `lint.policy_source` in config. After changing policy, run `carson refresh --all` to propagate to all governed repositories.
 
 #### Scope integrity
 
@@ -314,7 +313,7 @@ Common environment overrides:
 | `CARSON_WORKFLOW_STYLE` | Workflow style override (`branch` or `trunk`). |
 | `CARSON_RUBY_INDENTATION` | Ruby indentation policy (`tabs`, `spaces`, or `either`). |
 
-For the full configuration schema and `lint.languages` definition, see `API.md`.
+For the full configuration schema, see `API.md`.
 
 ## Troubleshooting
 
@@ -333,11 +332,12 @@ carson template apply
 carson template check
 ```
 
-**Audit blocks on repo-local `.rubocop.yml`**
-- Carson hard-blocks governed repositories that contain their own `.rubocop.yml`. Remove the repo-local file and rely on the central policy in `~/.carson/lint/rubocop.yml`.
+**Audit blocks on lint failure**
+- If `lint.command` is configured and fails, audit blocks (in `strict` mode) or warns (in `advisory` mode). Fix the lint issues and re-run `carson audit`.
 
 **Hook version mismatch after upgrade**
 - Run `carson refresh` to re-apply hooks and templates for the new Carson version.
+- Run `carson refresh --all` to refresh all governed repositories at once.
 
 ## Offboard a Repository
 

data/README.md

@@ -22,7 +22,6 @@ Carson is an autonomous governance runtime that lives on your workstation and in
 │                                               │
 │  ~/.carson/            Carson config          │
 │  ~/.carson/hooks/      Git hooks              │
-│  ~/.carson/lint/       Lint policy            │
 │  ~/.carson/cache/      Reports                │
 │  ~/.carson/govern/     Dispatch state         │
 │                                               │
@@ -45,7 +44,7 @@ This separation is Carson's defining trait — the **outsider boundary**: no Car
 Carson is opinionated about governance. These are non-negotiable principles, not configurable defaults:
 
 - **Outsider boundary** — Carson lives outside your repo, never inside. No Carson-owned artefacts in your repository. Offboarding leaves no trace.
-- **Centralised lint** — lint policy at `~/.carson/lint/`, shared across all repos. Repo-local config files are forbidden — one source of truth, zero drift.
+- **Centralised lint** — lint policy distributed from a central source into each repo's `.github/linters/`. One source of truth, zero drift.
 - **Active review** — undisposed reviewer findings block merge. Feedback must be acknowledged, not buried.
 - **Self-diagnosing output** — every message names the cause and the fix. If you need to debug Carson's output, the output failed.
 - **Transparent governance** — Carson prepares everything for merge but never oversteps. It does not make decisions for you without telling you.
@@ -54,8 +53,8 @@ Everything else — workflow style, merge method, remote name, main branch — i
 
 The data flow:
 
-1. You maintain a **policy source** — a directory or git repository containing your lint rules (e.g. `CODING/rubocop.yml`). Carson copies these to `~/.carson/lint/` via `carson lint setup`.
-2. `carson onboard` installs git hooks, synchronises `.github/*` templates, and runs a first governance audit on a host repository.
+1. You maintain a **policy source** — a directory or git repository containing your lint config files (e.g. `.rubocop.yml`, `biome.json`, `ruff.toml`). `carson lint policy --source <repo>` copies these into each governed repo's `.github/linters/`, where MegaLinter auto-discovers them.
+2. `carson onboard` installs git hooks, synchronises `.github/*` templates (including a MegaLinter CI workflow), and runs a first governance audit on a host repository.
 3. From that point, every commit triggers `carson audit` through the managed `pre-commit` hook. The same `carson audit` runs in GitHub Actions. If it passes locally, it passes in CI.
 4. `carson review gate` enforces review accountability: it blocks merge until every actionable reviewer comment has been formally acknowledged by the PR author through a **disposition comment**.
 5. `carson govern` triages all open PRs across your portfolio. Ready PRs are merged and housekept. Failing PRs get a coding agent dispatched to fix them. Stuck PRs are escalated for your attention.
@@ -75,10 +74,11 @@ The data flow:
 
 | Command | What it does |
 |---|---|
-| `carson lint setup` | Seed `~/.carson/lint/` from your policy source. |
+| `carson lint policy --source <repo>` | Distribute lint configs from policy source into `.github/linters/`. |
 | `carson onboard` | One-command baseline: hooks + templates + first audit. |
 | `carson prepare` | Install or refresh Carson-managed global hooks. |
 | `carson refresh` | Re-apply hooks, templates, and audit after upgrading Carson. |
+| `carson refresh --all` | Refresh all governed repositories at once. |
 | `carson offboard` | Remove Carson from a repository. |
 
 **Daily** — regular development workflow:
@@ -116,10 +116,10 @@ gem install --user-install carson
 carson version
 ```
 
-**Prepare your lint policy.** A policy source is any directory (or git URL) that contains a `CODING/` folder with your lint configuration files. For Ruby, the required file is `CODING/rubocop.yml`. Carson copies these into `~/.carson/lint/` so that every governed repository uses the same rules:
+**Prepare your lint policy.** A policy source is any directory (or git URL) containing your lint configuration files (`.rubocop.yml`, `biome.json`, `ruff.toml`, etc.). Carson copies these into the governed repo's `.github/linters/` where MegaLinter auto-discovers them:
 
 ```bash
-carson lint setup --source /path/to/your-policy-repo
+carson lint policy --source /path/to/your-policy-repo
 ```
 
 **Onboard a repository:**

data/RELEASE.md

@@ -5,6 +5,40 @@ Release-note scope rule:
 - `RELEASE.md` records only version deltas, breaking changes, and migration actions.
 - Operational usage guides live in `MANUAL.md` and `API.md`.
 
+## 2.13.0 — Refresh All Governed Repositories
+
+### What changed
+
+- **`carson refresh --all`** refreshes every governed repository in a single command. Iterates `govern.repos`, runs hooks + templates + audit on each, prints a per-repo summary line, and returns non-zero if any repo fails. Verbose mode streams full diagnostics per repo.
+
+## 2.12.0 — Language-Agnostic Lint Policy Distribution + MegaLinter
+
+### What changed
+
+- **Lint policy distribution is now language-agnostic.** `carson lint policy --source <path-or-git-url>` copies all files from the source repo root into the governed repo's `.github/linters/` directory, where MegaLinter auto-discovers them. Works for any linter config: rubocop.yml, biome.json, ruff.toml, .erb-lint.yml, etc.
+- **New `lint.command` config key.** Local audit lint is now a single user-configured command (e.g. `"make lint"`, `"trunk check"`, `["ruff", "check"]`). Replaces the old per-language `lint.languages` system entirely.
+- **New `lint.enforcement` config key.** `"strict"` (default) blocks on lint failure; `"advisory"` warns but does not block.
+- **New `lint.policy_source` config key.** Default: `wanghailei/lint.git`. Sets the default source for lint policy distribution.
+- **MegaLinter CI workflow template.** `carson onboard` now installs `.github/workflows/carson-lint.yml`, which runs MegaLinter on PRs and pushes to main.
+- **Interactive setup prompts.** `carson setup` now asks for lint command and enforcement mode.
+- **Removed `lint.languages`** — all per-language lint configuration, Ruby-specific lint runners, and hardcoded language definitions are gone.
+- **Removed `lint setup` subcommand alias** — use `carson lint policy` instead.
+- **Removed `--legacy` flag** from `carson lint policy`.
+- **Source repo layout simplified** — lint config files live at the source repo root; no `CODING/` subdirectory required.
+
+### Breaking changes
+
+- `lint.languages` config key no longer exists. If your config references it, remove it.
+- `carson lint setup` no longer works. Use `carson lint policy --source <path-or-git-url>`.
+- Lint policy files are now written to `<repo>/.github/linters/` (not `~/.carson/lint/`).
+
+### What users must do now
+
+1. Upgrade Carson to `2.12.0` and run `carson refresh`.
+2. Remove any `lint.languages` entries from your Carson config.
+3. Set `lint.command` in your config if you want local lint during audit (e.g. `"make lint"`).
+4. Run `carson lint policy --source <your-policy-repo>` to distribute linter configs to `.github/linters/`.
+
 ## 2.11.3 — Refine RubyGems Description Tone
 
 ### What changed

data/SKILL.md

@@ -33,7 +33,7 @@ When you see exit 2, do NOT bypass it. Read the output, fix the root cause, and
 Carson audit output is structured as labelled key-value lines prefixed with ⧓. Key sections:
 
 - **Working Tree** — staged/unstaged status.
-- **Local Lint Quality** — per-language lint results. `lint_ruby_status: ok` means clean.
+- **Local Lint Quality** — lint command result. `lint_command_status: ok` means clean.
 - **Main Sync Status** — whether local main matches remote. If ahead, reset drift before committing.
 - **Scope Integrity Guard** — checks that commits stay within a single business intent and scope group.
 - **Audit Result** — final verdict: `status: ok` (clean), `status: attention` (advisory, not blocking), `status: block` (must fix).
@@ -99,4 +99,4 @@ Check that `govern.merge.method` in config matches what GitHub allows. If the re
 - Carson never lives inside governed repositories. No `.carson.yml`, no `bin/carson`, no `.tools/carson/`.
 - Carson-managed files in repos are limited to `.github/*` templates.
 - Carson's hooks live at `~/.carson/hooks/<version>/`, never in `.git/hooks/`.
-- Lint policy lives at `~/.carson/lint/`, seeded by `carson lint setup --source <policy-repo>`.
+- Lint policy is distributed via `carson lint policy --source <policy-repo>` into each repo's `.github/linters/`.

data/VERSION

@@ -1 +1 @@
-2.11.3
+2.13.0

data/hooks/pre-commit

@@ -14,6 +14,6 @@ fi
 if ! "${carson_command[@]}" audit; then
 	echo "Carson policy: commit blocked by governance audit." >&2
 	echo "Resolve reported policy blocks before committing." >&2
-	echo "If lint policy files are missing, run: carson lint setup --source <path-or-git-url>" >&2
+	echo "If lint policy files are missing, run: carson lint policy --source <path-or-git-url>" >&2
 	exit 1
 fi

data/lib/carson/cli.rb

@@ -12,6 +12,12 @@ module Carson
 				return Runtime::EXIT_OK
 			end
 
+			if command == "refresh:all"
+				verbose = parsed.fetch( :verbose, false )
+				runtime = Runtime.new( repo_root: repo_root, tool_root: tool_root, out: out, err: err, verbose: verbose )
+				return dispatch( parsed: parsed, runtime: runtime )
+			end
+
 			target_repo_root = parsed.fetch( :repo_root, nil )
 			target_repo_root = repo_root if target_repo_root.to_s.strip.empty?
 			unless Dir.exist?( target_repo_root )
@@ -47,7 +53,7 @@ module Carson
 
 		def self.build_parser
 			OptionParser.new do |opts|
-				opts.banner = "Usage: carson [setup|audit|sync|prune|prepare|inspect|onboard [repo_path]|refresh [repo_path]|offboard [repo_path]|template check|template apply|lint setup --source <path-or-git-url>|review gate|review sweep|govern [--dry-run] [--json] [--loop SECONDS]|housekeep|version]"
+				opts.banner = "Usage: carson [setup|audit|sync|prune|prepare|inspect|onboard [repo_path]|refresh [--all|repo_path]|offboard [repo_path]|template check|template apply|lint policy --source <path-or-git-url>|review gate|review sweep|govern [--dry-run] [--json] [--loop SECONDS]|housekeep|version]"
 			end
 		end
 
@@ -68,8 +74,10 @@ module Carson
 			when "version"
 				parser.parse!( argv )
 				{ command: "version" }
-			when "onboard", "refresh", "offboard"
+			when "onboard", "offboard"
 				parse_repo_path_command( command: command, argv: argv, parser: parser, err: err )
+			when "refresh"
+				parse_refresh_command( argv: argv, parser: parser, err: err )
 			when "template"
 				parse_named_subcommand( command: command, usage: "check|apply", argv: argv, parser: parser, err: err )
 			when "lint"
@@ -99,6 +107,31 @@ module Carson
 			}
 		end
 
+		def self.parse_refresh_command( argv:, parser:, err: )
+			all_flag = argv.delete( "--all" ) ? true : false
+			parser.parse!( argv )
+
+			if all_flag && !argv.empty?
+				err.puts "#{BADGE} --all and repo_path are mutually exclusive. Use: carson refresh --all OR carson refresh [repo_path]"
+				err.puts parser
+				return { command: :invalid }
+			end
+
+			return { command: "refresh:all" } if all_flag
+
+			if argv.length > 1
+				err.puts "#{BADGE} Too many arguments for refresh. Use: carson refresh [repo_path]"
+				err.puts parser
+				return { command: :invalid }
+			end
+
+			repo_path = argv.first
+			{
+				command: "refresh",
+				repo_root: repo_path.to_s.strip.empty? ? nil : File.expand_path( repo_path )
+			}
+		end
+
 		def self.parse_named_subcommand( command:, usage:, argv:, parser:, err: )
 			action = argv.shift
 			parser.parse!( argv )
@@ -112,8 +145,8 @@ module Carson
 
 		def self.parse_lint_subcommand( argv:, parser:, err: )
 			action = argv.shift
-			unless action == "setup"
-				err.puts "#{BADGE} Missing or invalid subcommand for lint. Use: carson lint setup --source <path-or-git-url> [--ref <git-ref>] [--force]"
+			unless action == "policy"
+				err.puts "#{BADGE} Missing or invalid subcommand for lint. Use: carson lint policy --source <path-or-git-url> [--ref <git-ref>] [--force]"
 				err.puts parser
 				return { command: :invalid }
 			end
@@ -124,19 +157,19 @@ module Carson
 				force: false
 			}
 			lint_parser = OptionParser.new do |opts|
-				opts.banner = "Usage: carson lint setup --source <path-or-git-url> [--ref <git-ref>] [--force]"
+				opts.banner = "Usage: carson lint policy --source <path-or-git-url> [--ref <git-ref>] [--force]"
 				opts.on( "--source SOURCE", "Source repository path or git URL that contains CODING/" ) { |value| options[ :source ] = value.to_s.strip }
 				opts.on( "--ref REF", "Git ref used when --source is a git URL (default: main)" ) { |value| options[ :ref ] = value.to_s.strip }
-				opts.on( "--force", "Overwrite existing files in ~/.carson/lint" ) { options[ :force ] = true }
+				opts.on( "--force", "Overwrite existing files" ) { options[ :force ] = true }
 			end
 			lint_parser.parse!( argv )
 			if options.fetch( :source ).to_s.empty?
-				err.puts "#{BADGE} Missing required --source for lint setup."
+				err.puts "#{BADGE} Missing required --source for lint policy."
 				err.puts lint_parser
 				return { command: :invalid }
 			end
 			unless argv.empty?
-				err.puts "#{BADGE} Unexpected arguments for lint setup: #{argv.join( ' ' )}"
+				err.puts "#{BADGE} Unexpected arguments for lint policy: #{argv.join( ' ' )}"
 				err.puts lint_parser
 				return { command: :invalid }
 			end
@@ -206,6 +239,8 @@ module Carson
 				runtime.onboard!
 			when "refresh"
 				runtime.refresh!
+			when "refresh:all"
+				runtime.refresh_all!
 			when "offboard"
 				runtime.offboard!
 			when "template:check"

data/lib/carson/config.rb

@@ -8,7 +8,8 @@ module Carson
 	class Config
 		attr_accessor :git_remote
 		attr_reader :main_branch, :protected_branches, :hooks_base_path, :required_hooks,
-			:path_groups, :template_managed_files, :lint_languages,
+			:path_groups, :template_managed_files,
+			:lint_command, :lint_enforcement, :lint_policy_source,
 			:review_wait_seconds, :review_poll_seconds, :review_max_polls, :review_sweep_window_days,
 			:review_sweep_states, :review_disposition_prefix, :review_risk_keywords,
 			:review_tracking_issue_title, :review_tracking_issue_label, :review_bot_usernames,
@@ -47,10 +48,12 @@ module Carson
 					}
 				},
 				"template" => {
-					"managed_files" => [ ".github/carson-instructions.md", ".github/copilot-instructions.md", ".github/CLAUDE.md", ".github/AGENTS.md", ".github/pull_request_template.md" ]
+					"managed_files" => [ ".github/carson-instructions.md", ".github/copilot-instructions.md", ".github/CLAUDE.md", ".github/AGENTS.md", ".github/pull_request_template.md", ".github/workflows/carson-lint.yml" ]
 				},
 				"lint" => {
-					"languages" => default_lint_languages_data
+					"command" => nil,
+					"enforcement" => "strict",
+					"policy_source" => "wanghailei/lint.git"
 				},
 				"workflow" => {
 					"style" => "branch"
@@ -94,42 +97,6 @@ module Carson
 				}
 			end
 
-			def self.default_lint_languages_data
-				ruby_runner = File.expand_path( "policy/ruby/lint.rb", __dir__ )
-				{
-					"ruby" => {
-						"enabled" => true,
-						"globs" => [ "**/*.rb", "Gemfile", "*.gemspec", "Rakefile" ],
-						"command" => [ "ruby", ruby_runner, "{files}" ],
-						"config_files" => [ "~/.carson/lint/rubocop.yml" ]
-					},
-					"javascript" => {
-						"enabled" => false,
-						"globs" => [ "**/*.js", "**/*.mjs", "**/*.cjs", "**/*.jsx" ],
-						"command" => [ "node", "~/.carson/lint/javascript.lint.js", "{files}" ],
-						"config_files" => [ "~/.carson/lint/javascript.lint.js" ]
-					},
-					"css" => {
-						"enabled" => false,
-						"globs" => [ "**/*.css" ],
-						"command" => [ "node", "~/.carson/lint/css.lint.js", "{files}" ],
-						"config_files" => [ "~/.carson/lint/css.lint.js" ]
-					},
-					"html" => {
-						"enabled" => false,
-						"globs" => [ "**/*.html" ],
-						"command" => [ "node", "~/.carson/lint/html.lint.js", "{files}" ],
-						"config_files" => [ "~/.carson/lint/html.lint.js" ]
-					},
-					"erb" => {
-						"enabled" => false,
-						"globs" => [ "**/*.erb" ],
-						"command" => [ "ruby", "~/.carson/lint/erb.lint.rb", "{files}" ],
-						"config_files" => [ "~/.carson/lint/erb.lint.rb" ]
-					}
-				}
-			end
-
 		def self.load_global_config_data( repo_root: )
 			path = global_config_path( repo_root: repo_root )
 			return {} if path.empty? || !File.file?( path )
@@ -200,6 +167,13 @@ module Carson
 			audit = fetch_hash_section( data: copy, key: "audit" )
 			advisory_names = env_string_array( key: "CARSON_AUDIT_ADVISORY_CHECK_NAMES" )
 			audit[ "advisory_check_names" ] = advisory_names unless advisory_names.empty?
+			lint = fetch_hash_section( data: copy, key: "lint" )
+			lint_command_env = ENV.fetch( "CARSON_LINT_COMMAND", "" ).to_s.strip
+			lint[ "command" ] = lint_command_env unless lint_command_env.empty?
+			lint_enforcement_env = ENV.fetch( "CARSON_LINT_ENFORCEMENT", "" ).to_s.strip
+			lint[ "enforcement" ] = lint_enforcement_env unless lint_enforcement_env.empty?
+			lint_policy_source_env = ENV.fetch( "CARSON_LINT_POLICY_SOURCE", "" ).to_s.strip
+			lint[ "policy_source" ] = lint_policy_source_env unless lint_policy_source_env.empty?
 			style = fetch_hash_section( data: copy, key: "style" )
 			ruby_indentation = ENV.fetch( "CARSON_RUBY_INDENTATION", "" ).to_s.strip
 			style[ "ruby_indentation" ] = ruby_indentation unless ruby_indentation.empty?
@@ -248,9 +222,10 @@ module Carson
 			@path_groups = fetch_hash( hash: fetch_hash( hash: data, key: "scope" ), key: "path_groups" ).transform_values { |value| normalize_patterns( value: value ) }
 
 			@template_managed_files = fetch_string_array( hash: fetch_hash( hash: data, key: "template" ), key: "managed_files" )
-			@lint_languages = normalize_lint_languages(
-				languages_hash: fetch_hash( hash: fetch_hash( hash: data, key: "lint" ), key: "languages" )
-			)
+			lint_hash = fetch_hash( hash: data, key: "lint" )
+			@lint_command = normalize_lint_command_setting( value: lint_hash[ "command" ] )
+			@lint_enforcement = normalize_lint_enforcement( value: lint_hash.fetch( "enforcement", "strict" ) )
+			@lint_policy_source = lint_hash.fetch( "policy_source", "" ).to_s.strip
 
 			workflow_hash = fetch_hash( hash: data, key: "workflow" )
 			@workflow_style = fetch_string( hash: workflow_hash, key: "style" ).downcase
@@ -296,7 +271,6 @@ module Carson
 				raise ConfigError, "hooks.base_path cannot be empty" if hooks_base_path.empty?
 				raise ConfigError, "hooks.required_hooks cannot be empty" if required_hooks.empty?
 				raise ConfigError, "scope.path_groups cannot be empty" if path_groups.empty?
-				raise ConfigError, "lint.languages cannot be empty" if lint_languages.empty?
 				raise ConfigError, "review.required_disposition_prefix cannot be empty" if review_disposition_prefix.empty?
 				raise ConfigError, "review.risk_keywords cannot be empty" if review_risk_keywords.empty?
 				raise ConfigError, "review.sweep.states must contain one or both of open, closed" if ( review_sweep_states - [ "open", "closed" ] ).any? || review_sweep_states.empty?
@@ -364,56 +338,21 @@ module Carson
 				patterns
 			end
 
-			def normalize_lint_languages( languages_hash: )
-				raise ConfigError, "lint.languages must be an object" unless languages_hash.is_a?( Hash )
-				normalised = {}
-				languages_hash.each do |language_key, raw_entry|
-					language = language_key.to_s.strip.downcase
-					raise ConfigError, "lint.languages contains blank language key" if language.empty?
-					raise ConfigError, "lint.languages.#{language} must be an object" unless raw_entry.is_a?( Hash )
-
-					normalised[ language ] = normalize_lint_language_entry( language: language, raw_entry: raw_entry )
+			def normalize_lint_command_setting( value: )
+				return nil if value.nil?
+				return value.to_s.strip if value.is_a?( String )
+				if value.is_a?( Array )
+					parts = value.map { |entry| entry.to_s.strip }.reject( &:empty? )
+					raise ConfigError, "lint.command array must contain at least one argument" if parts.empty?
+					return parts
 				end
-				normalised
-			end
-
-			def normalize_lint_language_entry( language:, raw_entry: )
-				{
-					enabled: fetch_optional_boolean(
-						hash: raw_entry,
-						key: "enabled",
-						default: true,
-						key_path: "lint.languages.#{language}.enabled"
-					),
-					globs: normalize_lint_globs( language: language, value: raw_entry[ "globs" ] ),
-					command: normalize_lint_command( language: language, value: raw_entry[ "command" ] ),
-					config_files: normalize_lint_config_files( language: language, value: raw_entry[ "config_files" ] )
-				}
-			end
-
-			def normalize_lint_globs( language:, value: )
-				raise ConfigError, "lint.languages.#{language}.globs must be an array" unless value.is_a?( Array )
-				patterns = Array( value ).map { |entry| entry.to_s.strip }.reject( &:empty? )
-				raise ConfigError, "lint.languages.#{language}.globs must contain at least one pattern" if patterns.empty?
-				patterns
-			end
-
-			def normalize_lint_command( language:, value: )
-				raise ConfigError, "lint.languages.#{language}.command must be an array" unless value.is_a?( Array )
-				command = Array( value ).map { |entry| entry.to_s.strip }.reject( &:empty? )
-				raise ConfigError, "lint.languages.#{language}.command must contain at least one argument" if command.empty?
-				command
+				raise ConfigError, "lint.command must be a string, array, or null"
 			end
 
-			def normalize_lint_config_files( language:, value: )
-				raise ConfigError, "lint.languages.#{language}.config_files must be an array" unless value.is_a?( Array )
-				files = Array( value ).map { |entry| entry.to_s.strip }.reject( &:empty? )
-				raise ConfigError, "lint.languages.#{language}.config_files must contain at least one path" if files.empty?
-				files.map do |path|
-					expanded = path.start_with?( "~" ) ? File.expand_path( path ) : path
-					raise ConfigError, "lint.languages.#{language}.config_files entries must be absolute paths or ~/ paths" unless expanded.start_with?( "/" )
-					expanded
-				end
+			def normalize_lint_enforcement( value: )
+				text = value.to_s.strip.downcase
+				raise ConfigError, "lint.enforcement must be one of strict, advisory" unless [ "strict", "advisory" ].include?( text )
+				text
 			end
 
 			def fetch_optional_boolean( hash:, key:, default:, key_path: nil )

data/lib/carson/runtime/audit.rb

@@ -162,9 +162,43 @@ module Carson
 					report
 				end
 
-			# Enforces configured multi-language lint policy before governance passes.
+			# Enforces configured lint policy before governance passes.
+			# Runs lint.command and gates on exit code. Skips when lint.command is not set.
 			def local_lint_quality_report
+				unless config.lint_command
+					report = {
+						status: "ok",
+						skip_reason: "lint.command not configured",
+						target_source: "none",
+						target_files_count: 0,
+						blocking_languages: 0,
+						languages: []
+					}
+					puts_verbose "lint: SKIP (lint.command not configured)"
+					return report
+				end
+
+				lint_command_report
+			rescue StandardError => e
+				report = {
+					status: "block",
+					skip_reason: e.message,
+					target_source: "unknown",
+					target_files_count: 0,
+					blocking_languages: 0,
+					languages: []
+				}
+				puts_line "BLOCK: local lint quality check failed (#{e.message})."
+				report
+			end
+
+			# Runs the lint.command and returns a structured report.
+			def lint_command_report
 				target_files, target_source = lint_target_files
+				advisory = config.lint_enforcement == "advisory"
+				command_value = config.lint_command
+				command_string = command_value.is_a?( Array ) ? command_value.join( " " ) : command_value.to_s
+
 				report = {
 					status: "ok",
 					skip_reason: nil,
@@ -175,32 +209,63 @@ module Carson
 				}
 				puts_verbose "lint_target_source: #{target_source}"
 				puts_verbose "lint_target_files_total: #{target_files.count}"
-				config.lint_languages.each do |language, entry|
-					language_report = lint_language_report(
-						language: language,
-						entry: entry,
-						target_files: target_files
-					)
-					report.fetch( :languages ) << language_report
-					next unless language_report.fetch( :status ) == "block"
+				puts_verbose "lint_command: #{command_string}"
+				puts_verbose "lint_enforcement: #{config.lint_enforcement}"
 
-					report[ :status ] = "block"
-					report[ :blocking_languages ] += 1
+				args = command_string.split( /\s+/ )
+				command_name = args.first.to_s.strip
+				unless command_available_for_lint?( command_name: command_name )
+					language_report = {
+						language: "lint.command",
+						enabled: true,
+						status: "block",
+						reason: "command not available: #{command_name}",
+						file_count: target_files.count,
+						files: target_files,
+						command: args,
+						config_files: [],
+						exit_code: EXIT_BLOCK
+					}
+					report[ :languages ] << language_report
+					report[ :status ] = advisory ? "ok" : "block"
+					report[ :blocking_languages ] = advisory ? 0 : 1
+					puts_verbose "lint_command_status: #{language_report.fetch( :status )}"
+					puts_line "WARN: lint command not available: #{command_name}" if advisory
+					return report
 				end
-				puts_verbose "lint_blocking_languages: #{report.fetch( :blocking_languages )}"
-				report
-			rescue StandardError => e
-				report ||= {
-					status: "block",
-					skip_reason: nil,
-					target_source: "unknown",
-					target_files_count: 0,
-					blocking_languages: 0,
-					languages: []
+
+				stdout_text, stderr_text, success, exit_code = local_command( *args )
+				language_report = {
+					language: "lint.command",
+					enabled: true,
+					status: success ? "ok" : "block",
+					reason: success ? nil : summarise_command_output(
+						stdout_text: stdout_text,
+						stderr_text: stderr_text,
+						fallback: "lint command failed"
+					),
+					file_count: target_files.count,
+					files: target_files,
+					command: args,
+					config_files: [],
+					exit_code: exit_code
 				}
-				report[ :status ] = "block"
-				report[ :skip_reason ] = e.message
-				puts_line "BLOCK: local lint quality check failed (#{e.message})."
+				report[ :languages ] << language_report
+
+				unless success
+					if advisory
+						report[ :status ] = "ok"
+						puts_verbose "lint_command_status: advisory_warn (exit #{exit_code})"
+						puts_line "WARN: lint command failed (exit #{exit_code}) — advisory mode, not blocking."
+					else
+						report[ :status ] = "block"
+						report[ :blocking_languages ] = 1
+						puts_verbose "lint_command_status: block (exit #{exit_code})"
+					end
+				else
+					puts_verbose "lint_command_status: ok"
+				end
+
 				report
 			end
 
@@ -274,85 +339,6 @@ module Carson
 				end.compact.uniq
 			end
 
-			def lint_language_report( language:, entry:, target_files: )
-				globs = entry.fetch( :globs )
-				candidate_files = Array( target_files ).select do |path|
-					globs.any? { |pattern| pattern_matches_path?( pattern: pattern, path: path ) }
-				end
-				report = {
-					language: language,
-					enabled: entry.fetch( :enabled ),
-					status: "ok",
-					reason: nil,
-					file_count: candidate_files.count,
-					files: candidate_files,
-					command: entry.fetch( :command ),
-					config_files: entry.fetch( :config_files ),
-					exit_code: 0
-				}
-				puts_verbose "lint_language: #{language} enabled=#{report.fetch( :enabled )} files=#{report.fetch( :file_count )}"
-				if language == "ruby" && outsider_mode?
-					local_rubocop_path = File.join( repo_root, ".rubocop.yml" )
-					if File.file?( local_rubocop_path )
-						report[ :status ] = "block"
-						report[ :reason ] = "repo-local RuboCop config is forbidden: #{relative_path( local_rubocop_path )}; remove it and use ~/.carson/lint/rubocop.yml."
-						report[ :exit_code ] = EXIT_BLOCK
-						puts_verbose "lint_#{language}_status: block"
-						puts_verbose "lint_#{language}_reason: #{report.fetch( :reason )}"
-						puts_verbose "ACTION: remove .rubocop.yml from this repository and run carson lint setup --source <path-or-git-url>."
-						return report
-					end
-				end
-				return report unless report.fetch( :enabled )
-				return report if candidate_files.empty?
-
-				missing_config_files = entry.fetch( :config_files ).reject { |path| File.file?( path ) }
-				unless missing_config_files.empty?
-					report[ :status ] = "block"
-					report[ :reason ] = "missing config files: #{missing_config_files.join( ', ' )}"
-					report[ :exit_code ] = EXIT_BLOCK
-					puts_verbose "lint_#{language}_status: block"
-					puts_verbose "lint_#{language}_reason: #{report.fetch( :reason )}"
-					puts_verbose "ACTION: run carson lint setup --source <path-or-git-url> to prepare ~/.carson/lint policy files."
-					return report
-				end
-
-				command = Array( entry.fetch( :command ) )
-				command_name = command.first.to_s.strip
-				if command_name.empty?
-					report[ :status ] = "block"
-					report[ :reason ] = "missing lint command"
-					report[ :exit_code ] = EXIT_BLOCK
-					puts_verbose "lint_#{language}_status: block"
-					puts_verbose "lint_#{language}_reason: #{report.fetch( :reason )}"
-					return report
-				end
-				unless command_available_for_lint?( command_name: command_name )
-					report[ :status ] = "block"
-					report[ :reason ] = "command not available: #{command_name}"
-					report[ :exit_code ] = EXIT_BLOCK
-					puts_verbose "lint_#{language}_status: block"
-					puts_verbose "lint_#{language}_reason: #{report.fetch( :reason )}"
-					return report
-				end
-
-				args = expanded_lint_command_args( command: command, files: candidate_files )
-				stdout_text, stderr_text, success, exit_code = local_command( *args )
-				report[ :exit_code ] = exit_code
-				unless success
-					report[ :status ] = "block"
-					report[ :reason ] = summarise_command_output(
-						stdout_text: stdout_text,
-						stderr_text: stderr_text,
-						fallback: "lint command failed for #{language}"
-					)
-				end
-				puts_verbose "lint_#{language}_status: #{report.fetch( :status )}"
-				puts_verbose "lint_#{language}_exit: #{report.fetch( :exit_code )}"
-				puts_verbose "lint_#{language}_reason: #{report.fetch( :reason )}" unless report.fetch( :reason ).nil?
-				report
-			end
-
 			def command_available_for_lint?( command_name: )
 				return false if command_name.to_s.strip.empty?
 
@@ -373,26 +359,6 @@ module Carson
 				end
 			end
 
-			def expanded_lint_command_args( command:, files: )
-				expanded_command = Array( command ).map do |arg|
-					text = arg.to_s
-					if text == "{files}"
-						text
-					elsif text.start_with?( "~" )
-						File.expand_path( text )
-					elsif text.include?( "/" ) && !text.start_with?( "/" )
-						File.expand_path( text, repo_root )
-					else
-						text
-					end
-				end
-				if expanded_command.include?( "{files}" )
-					return expanded_command.flat_map { |arg| arg == "{files}" ? Array( files ) : arg }
-				end
-
-				expanded_command + Array( files )
-			end
-
 			# Local command runner for repository-context tools used by audit lint checks.
 			def local_command( *args )
 				stdout_text, stderr_text, status = Open3.capture3( *args, chdir: repo_root )

data/lib/carson/runtime/lint.rb

@@ -5,13 +5,14 @@ require "tmpdir"
 module Carson
 	class Runtime
 		module Lint
-			# Prepares canonical lint policy files under ~/.carson/lint from an explicit source.
-			def lint_setup!( source:, ref: "main", force: false )
+			# Distributes lint policy files from a central source into the governed repository.
+			# Target: <repo>/.github/linters/ (MegaLinter auto-discovers here).
+			def lint_setup!( source:, ref: "main", force: false, **_ )
 				puts_verbose ""
-				puts_verbose "[Lint Setup]"
+				puts_verbose "[Lint Policy]"
 				source_text = source.to_s.strip
 				if source_text.empty?
-					puts_line "ERROR: lint setup requires --source <path-or-git-url>."
+					puts_line "ERROR: lint policy requires --source <path-or-git-url>."
 					return EXIT_ERROR
 				end
 
@@ -19,40 +20,26 @@ module Carson
 				ref_text = "main" if ref_text.empty?
 				source_dir, cleanup = lint_setup_source_directory( source: source_text, ref: ref_text )
 				begin
-					source_coding_dir = File.join( source_dir, "CODING" )
-					unless Dir.exist?( source_coding_dir )
-						puts_line "ERROR: source CODING directory not found at #{source_coding_dir}."
-						return EXIT_ERROR
-					end
-					target_coding_dir = ai_coding_dir
-					copy_result = copy_lint_coding_tree(
-						source_coding_dir: source_coding_dir,
-						target_coding_dir: target_coding_dir,
+					target_dir = repo_linters_dir
+					copy_result = copy_lint_policy_files(
+						source_dir: source_dir,
+						target_dir: target_dir,
 						force: force
 					)
-					puts_verbose "lint_setup_source: #{source_text}"
-					puts_verbose "lint_setup_ref: #{ref_text}" if lint_source_git_url?( source: source_text )
-					puts_verbose "lint_setup_target: #{target_coding_dir}"
-					puts_verbose "lint_setup_created: #{copy_result.fetch( :created )}"
-					puts_verbose "lint_setup_updated: #{copy_result.fetch( :updated )}"
-					puts_verbose "lint_setup_skipped: #{copy_result.fetch( :skipped )}"
-
-					missing_policy = missing_lint_policy_files
-					if missing_policy.empty?
-						puts_line "OK: lint policy setup is complete."
-						return EXIT_OK
-					end
-
-					missing_policy.each do |entry|
-						puts_verbose "missing_lint_policy_file: language=#{entry.fetch( :language )} path=#{entry.fetch( :path )}"
-					end
-					puts_line "ACTION: update source CODING policy files, rerun carson lint setup, then rerun carson audit."
-					EXIT_ERROR
+					puts_verbose "lint_policy_source: #{source_text}"
+					puts_verbose "lint_policy_ref: #{ref_text}" if lint_source_git_url?( source: source_text )
+					puts_verbose "lint_policy_target: #{target_dir}"
+					puts_verbose "lint_policy_created: #{copy_result.fetch( :created )}"
+					puts_verbose "lint_policy_updated: #{copy_result.fetch( :updated )}"
+					puts_verbose "lint_policy_skipped: #{copy_result.fetch( :skipped )}"
+
+					puts_line "OK: lint policy synced to .github/linters/ (#{copy_result.fetch( :created )} created, #{copy_result.fetch( :updated )} updated)."
+					EXIT_OK
 				ensure
 					cleanup&.call
 				end
 			rescue StandardError => e
-				puts_line "ERROR: lint setup failed (#{e.message})"
+				puts_line "ERROR: lint policy failed (#{e.message})"
 				EXIT_ERROR
 			end
 
@@ -119,22 +106,21 @@ module Carson
 				"/tmp/carson"
 			end
 
-			def ai_coding_dir
-				home = ENV.fetch( "HOME", "" ).to_s.strip
-				raise "HOME must be an absolute path for lint setup" unless home.start_with?( "/" )
-
-				File.join( home, ".carson", "lint" )
+			# Lint configs live inside the governed repository for MegaLinter.
+			def repo_linters_dir
+				File.join( repo_root, ".github", "linters" )
 			end
 
-			def copy_lint_coding_tree( source_coding_dir:, target_coding_dir:, force: )
-				FileUtils.mkdir_p( target_coding_dir )
+			def copy_lint_policy_files( source_dir:, target_dir:, force: )
+				FileUtils.mkdir_p( target_dir )
 				created = 0
 				updated = 0
 				skipped = 0
-				Dir.glob( "**/*", File::FNM_DOTMATCH, base: source_coding_dir ).sort.each do |relative|
+				Dir.glob( "**/*", File::FNM_DOTMATCH, base: source_dir ).sort.each do |relative|
 					next if [ ".", ".." ].include?( relative )
-					source_path = File.join( source_coding_dir, relative )
-					target_path = File.join( target_coding_dir, relative )
+					next if relative.start_with?( ".git/" ) || relative == ".git"
+					source_path = File.join( source_dir, relative )
+					target_path = File.join( target_dir, relative )
 					if File.directory?( source_path )
 						FileUtils.mkdir_p( target_path )
 						next
@@ -161,16 +147,6 @@ module Carson
 					skipped: skipped
 				}
 			end
-
-			def missing_lint_policy_files
-				config.lint_languages.each_with_object( [] ) do |( language, entry ), missing|
-					next unless entry.fetch( :enabled )
-
-					entry.fetch( :config_files ).each do |path|
-						missing << { language: language, path: path } unless File.file?( path )
-					end
-				end
-			end
 		end
 
 		include Lint

data/lib/carson/runtime/local.rb

@@ -247,6 +247,40 @@ module Carson
 				audit_status
 			end
 
+			# Re-applies hooks, templates, and audit across all governed repositories.
+			def refresh_all!
+				repos = config.govern_repos
+				if repos.empty?
+					puts_line "ERROR: no governed repositories configured. Add repos via carson setup or govern.repos in ~/.carson/config.json."
+					return EXIT_ERROR
+				end
+
+				puts_line ""
+				puts_line "Refresh all (#{repos.length} repo#{plural_suffix( count: repos.length )})"
+				refreshed = 0
+				failed = 0
+
+				repos.each do |repo_path|
+					repo_name = File.basename( repo_path )
+					unless Dir.exist?( repo_path )
+						puts_line "#{repo_name}: FAIL (path not found)"
+						failed += 1
+						next
+					end
+
+					status = refresh_single_repo( repo_path: repo_path, repo_name: repo_name )
+					if status == EXIT_ERROR
+						failed += 1
+					else
+						refreshed += 1
+					end
+				end
+
+				puts_line ""
+				puts_line "Refresh all complete: #{refreshed} refreshed, #{failed} failed."
+				failed.zero? ? EXIT_OK : EXIT_ERROR
+			end
+
 			# Removes Carson-managed repository integration so a host repository can retire Carson cleanly.
 			def offboard!
 				puts_verbose ""
@@ -365,13 +399,41 @@ module Carson
 
 		private
 
+			# Refreshes a single governed repository using a scoped Runtime.
+			def refresh_single_repo( repo_path:, repo_name: )
+				if verbose?
+					rt = Runtime.new( repo_root: repo_path, tool_root: tool_root, out: out, err: err, verbose: true )
+				else
+					rt = Runtime.new( repo_root: repo_path, tool_root: tool_root, out: StringIO.new, err: StringIO.new )
+				end
+				status = rt.refresh!
+				label = refresh_status_label( status: status )
+				puts_line "#{repo_name}: #{label}"
+				status
+			rescue StandardError => e
+				puts_line "#{repo_name}: FAIL (#{e.message})"
+				EXIT_ERROR
+			end
+
+			def refresh_status_label( status: )
+				case status
+				when EXIT_OK then "OK"
+				when EXIT_BLOCK then "BLOCK"
+				else "FAIL"
+				end
+			end
+
 			def template_results
 				config.template_managed_files.map { |managed_file| template_result_for_file( managed_file: managed_file ) }
 			end
 
 			# Calculates whole-file expected content and returns sync status plus apply payload.
 			def template_result_for_file( managed_file: )
-				template_path = File.join( github_templates_dir, File.basename( managed_file ) )
+				# Try subdirectory-aware path first (e.g. .github/workflows/carson-lint.yml),
+				# then fall back to flat basename lookup for backward compatibility.
+				relative_within_github = managed_file.delete_prefix( ".github/" )
+				template_path = File.join( github_templates_dir, relative_within_github )
+				template_path = File.join( github_templates_dir, File.basename( managed_file ) ) unless File.file?( template_path )
 				return { file: managed_file, status: "error", reason: "missing template #{File.basename( managed_file )}", applied_content: nil } unless File.file?( template_path )
 
 				expected_content = normalize_text( text: File.read( template_path ) )

data/lib/carson/runtime/setup.rb

@@ -39,6 +39,12 @@ module Carson
 				merge_choice = prompt_merge_method
 				choices[ "govern.merge.method" ] = merge_choice unless merge_choice.nil?
 
+				lint_command_choice = prompt_lint_command
+				choices[ "lint.command" ] = lint_command_choice unless lint_command_choice.nil?
+
+				lint_enforcement_choice = prompt_lint_enforcement
+				choices[ "lint.enforcement" ] = lint_enforcement_choice unless lint_enforcement_choice.nil?
+
 				write_setup_config( choices: choices )
 			end
 
@@ -142,6 +148,34 @@ module Carson
 				prompt_choice( options: options, default: 0 )
 			end
 
+			def prompt_lint_command
+				puts_line ""
+				puts_line "Lint command"
+				options = [
+					{ label: "make lint", value: "make lint" },
+					{ label: "trunk check (Recommended)", value: "trunk check" },
+					{ label: "Other (enter command)", value: :other },
+					{ label: "Skip (no local lint)", value: nil }
+				]
+				choice = prompt_choice( options: options, default: 1 )
+
+				if choice == :other
+					prompt_custom_value( label: "Lint command" )
+				else
+					choice
+				end
+			end
+
+			def prompt_lint_enforcement
+				puts_line ""
+				puts_line "Lint enforcement"
+				options = [
+					{ label: "strict — block on lint failure (default)", value: "strict" },
+					{ label: "advisory — warn but don't block", value: "advisory" }
+				]
+				prompt_choice( options: options, default: 0 )
+			end
+
 			def prompt_choice( options:, default: )
 				options.each_with_index do |option, index|
 					puts_line "  #{index + 1}) #{option.fetch( :label )}"

data/templates/.github/workflows/carson-lint.yml

@@ -0,0 +1,23 @@
+name: Carson Lint
+on:
+  pull_request:
+    branches: [main, master]
+  push:
+    branches: [main, master]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: oxsecurity/megalinter@v8
+        env:
+          VALIDATE_ALL_CODEBASE: false
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          LINTER_RULES_PATH: .github/linters

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: carson
 version: !ruby/object:Gem::Version
-  version: 2.11.3
+  version: 2.13.0
 platform: ruby
 authors:
 - Hailei Wang
@@ -46,7 +46,6 @@ files:
 - lib/carson/adapters/prompt.rb
 - lib/carson/cli.rb
 - lib/carson/config.rb
-- lib/carson/policy/ruby/lint.rb
 - lib/carson/runtime.rb
 - lib/carson/runtime/audit.rb
 - lib/carson/runtime/govern.rb
@@ -65,6 +64,7 @@ files:
 - templates/.github/carson-instructions.md
 - templates/.github/copilot-instructions.md
 - templates/.github/pull_request_template.md
+- templates/.github/workflows/carson-lint.yml
 homepage: https://github.com/wanghailei/carson
 licenses:
 - MIT

data/lib/carson/policy/ruby/lint.rb

@@ -1,60 +0,0 @@
-#!/usr/bin/env ruby
-
-require "open3"
-
-EXIT_OK = 0
-EXIT_ERROR = 1
-EXIT_BLOCK = 2
-
-def rubocop_config_path
-	File.expand_path( "~/.carson/lint/rubocop.yml" )
-end
-
-def print_stream( io, text )
-	content = text.to_s
-	return if content.empty?
-	io.print( content )
-end
-
-def run_rubocop( files: )
-	stdout_text, stderr_text, status = Open3.capture3(
-		"rubocop", "--config", rubocop_config_path, *files
-	)
-	print_stream( $stdout, stdout_text )
-	print_stream( $stderr, stderr_text )
-	{ status: :completed, exit_code: status.exitstatus.to_i }
-rescue Errno::ENOENT
-	$stderr.puts "ERROR: RuboCop executable `rubocop` is unavailable in PATH. Install the pinned RuboCop gem before running carson audit."
-	{ status: :unavailable, exit_code: nil }
-rescue StandardError => e
-	$stderr.puts "ERROR: RuboCop execution failed (#{e.message})"
-	{ status: :runtime_error, exit_code: nil }
-end
-
-def lint_exit_code( result: )
-	case result.fetch( :status )
-	when :unavailable
-		EXIT_BLOCK
-	when :runtime_error
-		EXIT_ERROR
-	else
-		case result.fetch( :exit_code )
-		when 0
-			EXIT_OK
-		when 1
-			EXIT_BLOCK
-		else
-			EXIT_ERROR
-		end
-	end
-end
-
-files = ARGV.map( &:to_s ).map( &:strip ).reject( &:empty? )
-config_path = rubocop_config_path
-unless File.file?( config_path )
-	$stderr.puts "ERROR: RuboCop config not found at #{config_path}. Run `carson lint setup --source <path-or-git-url>`."
-	exit EXIT_ERROR
-end
-
-result = run_rubocop( files: files )
-exit lint_exit_code( result: result )