feat(linters): add native Rust kubelint and helmlint tools

Add comprehensive Kubernetes and Helm chart linting capabilities with
~20,000 lines of new Rust code, translated from StackRox's Go implementations.

## New Analyzers

### KubeLint (src/analyzer/kubelint/)
Native Rust translation of stackrox/kube-linter with:
- 63 built-in security and best practice checks
- Kubernetes manifest validation (Deployments, Services, RBAC, etc.)
- Helm chart rendering support (shells to `helm template`)
- Kustomize directory support
- Annotation-based rule ignoring (@ignore-check.kube-linter.io)
- Multiple output formats (JSON, SARIF, plain text)
- Graceful fallback to raw YAML parsing when Helm render fails

Security checks include:
- Privileged containers, privilege escalation
- Run as non-root, read-only root filesystem
- Linux capabilities (NET_RAW, etc.)
- Host namespace access (network, PID, IPC)
- RBAC wildcards, secrets access, cluster-admin bindings
- Resource limits and requests
- Health probes (liveness, readiness)
- Service account configuration

### Helmlint (src/analyzer/helmlint/)
Native Rust implementation inspired by stackrox/helmtest with:
- Chart.yaml validation (apiVersion, metadata, dependencies)
- values.yaml validation (types, unused values detection)
- Go template syntax analysis (unclosed blocks, undefined variables)
- Security checks for rendered templates
- Best practice validation (resource limits, probes, deprecated APIs)
- Inline pragma support for ignoring rules

Rule categories (HL1xxx-HL5xxx):
- HL1xxx: Chart structure validation
- HL2xxx: Values file validation
- HL3xxx: Template syntax checking
- HL4xxx: Security checks
- HL5xxx: Kubernetes best practices

## Agent Tool Integration

- KubelintTool: Agent tool with AI-optimized JSON output
  - Priority-based issue categorization (critical/high/medium/low)
  - Category tagging (security/rbac/best-practice/validation)
  - Quick fixes and remediation guidance
  - Decision context for AI reasoning

- HelmlintTool: Agent tool for Helm chart validation
  - Structured output with action plans
  - File-level issue grouping
  - Template error highlighting

## Terminal UI (Claude Code style)

- Rich inline preview in tool call display
- Priority indicators with emoji (🔴🟠🟡🟢)
- Category badges ([SEC], [RBAC], [BP], [VAL], [TPL])
- Kubernetes (☸) and Helm (⎈) icons
- Collapsible output with "+N more" indicators
- Quick fix hints for high-priority issues

## Bug Fixes

- Fixed double-encoding bug in hooks.rs where Rig framework's
  JSON serialization caused kubelint/helmlint to always show
  "OK - no issues found" even when issues existed
- Added graceful fallback for broken Helm charts that can't be
  rendered - now parses raw template YAML files instead of failing

## Attribution

Both tools are derivative works under Apache-2.0 license:
- kubelint: https://github.com/stackrox/kube-linter
- helmlint: https://github.com/stackrox/helmtest

Original copyright: StackRox, Inc. (now part of Red Hat)
See THIRD_PARTY_NOTICES.md for full attribution details.

## Test Files

Added test fixtures in tests/test-lint/:
- helm-chart/: Intentionally broken Helm chart for testing
- k8s/: Insecure Kubernetes manifests with 46 total issues

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: 2 people

THIRD_PARTY_NOTICES.md

@@ -83,6 +83,88 @@ original project.
 
 ---
 
+## KubeLint (kube-linter)
+
+The Kubernetes manifest linting functionality in `src/analyzer/kubelint/` is a Rust
+translation of the original kube-linter project by StackRox (Red Hat).
+
+**Original Project:** [kube-linter](https://github.com/stackrox/kube-linter)
+
+**Original Authors:**
+- StackRox, Inc. (now part of Red Hat)
+- And all contributors to the kube-linter project
+
+**Original License:** Apache License 2.0
+
+**Original Copyright:**
+```
+Copyright (c) 2020-2024 StackRox, Inc.
+```
+
+**What was translated:**
+- Kubernetes manifest parsing and validation logic (originally in Go)
+- 63 built-in security and best practice checks
+- Pragma/ignore directive handling via annotations
+- Helm chart rendering integration
+- Kustomize directory support
+- Check severity and priority system
+- SARIF and JSON output formats
+
+**Modifications made:**
+- Complete rewrite from Go to Rust
+- Integration with Syncable-CLI's agent and tool system
+- Native async support for streaming output
+- Adaptation to Rust error handling patterns
+- Graceful fallback for broken Helm charts
+- Additional rules and improvements specific to Syncable's use cases
+
+**License Notice:**
+This derivative work maintains compatibility with the Apache-2.0 license.
+The full text of the Apache-2.0 license can be found at:
+https://www.apache.org/licenses/LICENSE-2.0
+
+---
+
+## Helmlint (helmtest)
+
+The Helm chart linting functionality in `src/analyzer/helmlint/` is a Rust
+implementation inspired by and partially derived from the helmtest project
+by StackRox (Red Hat).
+
+**Original Project:** [helmtest](https://github.com/stackrox/helmtest)
+
+**Original Authors:**
+- StackRox, Inc. (now part of Red Hat)
+- And all contributors to the helmtest project
+
+**Original License:** Apache License 2.0
+
+**Original Copyright:**
+```
+Copyright (c) 2020-2024 StackRox, Inc.
+```
+
+**What was implemented:**
+- Helm chart structure validation (Chart.yaml, values.yaml)
+- Go template syntax analysis
+- Values validation and unused value detection
+- Security checks for rendered templates
+- Best practice validation patterns
+
+**Modifications made:**
+- Complete implementation in Rust (original was Go)
+- Integration with Syncable-CLI's agent and tool system
+- Native async support for streaming output
+- Adaptation to Rust error handling patterns
+- Additional rules (HL1xxx-HL5xxx series) specific to Syncable's use cases
+
+**License Notice:**
+This derivative work maintains compatibility with the Apache-2.0 license.
+The full text of the Apache-2.0 license can be found at:
+https://www.apache.org/licenses/LICENSE-2.0
+
+---
+
 ## ShellCheck (Rule Concepts)
 
 Some shell-related lint rules are inspired by ShellCheck.
@@ -101,11 +183,17 @@ concepts and documentation.
 
 ## Acknowledgments
 
-We are grateful to the open source community and the authors of Hadolint and
-docker-compose-linter for creating and maintaining excellent container configuration
-linting tools. These Rust implementations allow native integration with Syncable-CLI
-while preserving the valuable rule definitions and linting logic developed by the
-original authors.
+We are grateful to the open source community and the authors of:
+
+- **Hadolint** - For the comprehensive Dockerfile linting rules
+- **docker-compose-linter** - For Docker Compose best practices
+- **kube-linter (StackRox/Red Hat)** - For the extensive Kubernetes security checks
+- **helmtest (StackRox/Red Hat)** - For Helm chart validation patterns
+
+These Rust implementations allow native integration with Syncable-CLI while
+preserving the valuable rule definitions and linting logic developed by the
+original authors. Special thanks to StackRox (now part of Red Hat) for their
+excellent Kubernetes and Helm security tooling.
 
 If you are the author of any software mentioned here and believe the attribution
 is incorrect or incomplete, please open an issue at:

src/agent/mod.rs

@@ -362,6 +362,8 @@ pub async fn run_interactive(
                         .tool(VulnerabilitiesTool::new(project_path_buf.clone()))
                         .tool(HadolintTool::new(project_path_buf.clone()))
                         .tool(DclintTool::new(project_path_buf.clone()))
+                        .tool(KubelintTool::new(project_path_buf.clone()))
+                        .tool(HelmlintTool::new(project_path_buf.clone()))
                         .tool(TerraformFmtTool::new(project_path_buf.clone()))
                         .tool(TerraformValidateTool::new(project_path_buf.clone()))
                         .tool(TerraformInstallTool::new())
@@ -438,6 +440,8 @@ pub async fn run_interactive(
                         .tool(VulnerabilitiesTool::new(project_path_buf.clone()))
                         .tool(HadolintTool::new(project_path_buf.clone()))
                         .tool(DclintTool::new(project_path_buf.clone()))
+                        .tool(KubelintTool::new(project_path_buf.clone()))
+                        .tool(HelmlintTool::new(project_path_buf.clone()))
                         .tool(TerraformFmtTool::new(project_path_buf.clone()))
                         .tool(TerraformValidateTool::new(project_path_buf.clone()))
                         .tool(TerraformInstallTool::new())
@@ -518,6 +522,8 @@ pub async fn run_interactive(
                         .tool(VulnerabilitiesTool::new(project_path_buf.clone()))
                         .tool(HadolintTool::new(project_path_buf.clone()))
                         .tool(DclintTool::new(project_path_buf.clone()))
+                        .tool(KubelintTool::new(project_path_buf.clone()))
+                        .tool(HelmlintTool::new(project_path_buf.clone()))
                         .tool(TerraformFmtTool::new(project_path_buf.clone()))
                         .tool(TerraformValidateTool::new(project_path_buf.clone()))
                         .tool(TerraformInstallTool::new())
@@ -1410,6 +1416,8 @@ pub async fn run_query(
                 .tool(VulnerabilitiesTool::new(project_path_buf.clone()))
                 .tool(HadolintTool::new(project_path_buf.clone()))
                 .tool(DclintTool::new(project_path_buf.clone()))
+                .tool(KubelintTool::new(project_path_buf.clone()))
+                .tool(HelmlintTool::new(project_path_buf.clone()))
                 .tool(TerraformFmtTool::new(project_path_buf.clone()))
                 .tool(TerraformValidateTool::new(project_path_buf.clone()))
                 .tool(TerraformInstallTool::new())
@@ -1453,6 +1461,8 @@ pub async fn run_query(
                 .tool(VulnerabilitiesTool::new(project_path_buf.clone()))
                 .tool(HadolintTool::new(project_path_buf.clone()))
                 .tool(DclintTool::new(project_path_buf.clone()))
+                .tool(KubelintTool::new(project_path_buf.clone()))
+                .tool(HelmlintTool::new(project_path_buf.clone()))
                 .tool(TerraformFmtTool::new(project_path_buf.clone()))
                 .tool(TerraformValidateTool::new(project_path_buf.clone()))
                 .tool(TerraformInstallTool::new())
@@ -1499,6 +1509,8 @@ pub async fn run_query(
                 .tool(VulnerabilitiesTool::new(project_path_buf.clone()))
                 .tool(HadolintTool::new(project_path_buf.clone()))
                 .tool(DclintTool::new(project_path_buf.clone()))
+                .tool(KubelintTool::new(project_path_buf.clone()))
+                .tool(HelmlintTool::new(project_path_buf.clone()))
                 .tool(TerraformFmtTool::new(project_path_buf.clone()))
                 .tool(TerraformValidateTool::new(project_path_buf.clone()))
                 .tool(TerraformInstallTool::new())

src/agent/prompts/mod.rs

@@ -146,12 +146,23 @@ You have access to tools to help analyze and understand the project:
 - analyze_project - Detect languages, frameworks, dependencies, and architecture
 - security_scan - Find potential vulnerabilities and secrets
 - check_vulnerabilities - Check dependencies for known CVEs
-- hadolint - Lint Dockerfiles for best practices
-- terraform_fmt - Format Terraform configuration files
-- terraform_validate - Validate Terraform configurations
 - read_file - Read file contents
 - list_directory - List files and directories
 
+**Linting Tools (use NATIVE tools, not shell commands):**
+- hadolint - Lint Dockerfiles for best practices and security
+- dclint - Lint docker-compose files for best practices
+- kubelint - Lint Kubernetes manifests for SECURITY and BEST PRACTICES
+  • Use for: raw YAML files, Helm charts (renders them), Kustomize directories
+  • Checks: privileged containers, missing probes, RBAC issues, resource limits
+- helmlint - Lint Helm chart STRUCTURE and TEMPLATES (before rendering)
+  • Use for: Chart.yaml validation, values.yaml, Go template syntax
+  • Checks: chart metadata, template errors, undefined values, unclosed blocks
+
+**Terraform Tools:**
+- terraform_fmt - Format Terraform configuration files
+- terraform_validate - Validate Terraform configurations
+
 **Generation Tools:**
 - write_file - Write content to a file (creates parent directories automatically)
 - write_files - Write multiple files at once
@@ -220,6 +231,12 @@ pub fn get_code_development_prompt(project_path: &std::path::Path) -> String {
 - read_file - Read file contents
 - list_directory - List files and directories
 
+**Linting Tools (for DevOps artifacts):**
+- hadolint - Lint Dockerfiles
+- dclint - Lint docker-compose files
+- kubelint - Lint K8s manifests (security, best practices)
+- helmlint - Lint Helm charts (structure, templates)
+
 **Development Tools:**
 - write_file - Write or update a single file
 - write_files - Write multiple files at once
@@ -296,16 +313,29 @@ pub fn get_devops_prompt(project_path: &std::path::Path) -> String {
 - analyze_project - Detect languages, frameworks, dependencies, build commands
 - security_scan - Find potential vulnerabilities
 - check_vulnerabilities - Check dependencies for known CVEs
-- hadolint - Native Dockerfile linter (use this, NOT shell hadolint)
 - read_file - Read file contents
 - list_directory - List files and directories
 
+**Linting Tools (use NATIVE tools, not shell commands):**
+- hadolint - Native Dockerfile linter for best practices and security
+- dclint - Native docker-compose linter for best practices
+- kubelint - Native Kubernetes manifest linter for SECURITY and BEST PRACTICES
+  • Use for: K8s YAML files, Helm charts (renders them first), Kustomize directories
+  • Checks: privileged containers, missing probes, RBAC wildcards, resource limits
+- helmlint - Native Helm chart linter for STRUCTURE and TEMPLATES
+  • Use for: Chart.yaml, values.yaml, Go template syntax validation
+  • Checks: missing apiVersion, unused values, undefined template variables
+
+**Terraform Tools:**
+- terraform_fmt - Format Terraform configuration files
+- terraform_validate - Validate Terraform configurations
+
 **Generation Tools:**
 - write_file - Write Dockerfile, terraform config, helm values, etc.
 - write_files - Write multiple files (Terraform modules, Helm charts)
 
-**Validation Tools:**
-- shell - Execute validation commands (docker build, terraform validate, helm lint)
+**Shell Tool:**
+- shell - Execute build/test commands (docker build, terraform init)
 
 **Plan Execution Tools:**
 - plan_list - List available plans in plans/ directory
@@ -358,16 +388,24 @@ When the user says "execute the plan" or similar:
 1. **Analyze**: Use analyze_project to understand the project
 2. **Plan**: Determine what files need to be created
 3. **Generate**: Use write_file or write_files to create artifacts
-4. **Validate**:
-   - Docker: hadolint tool FIRST, then shell docker build
-   - Terraform: shell terraform init && terraform validate
-   - Helm: shell helm lint ./chart
+4. **Validate** (use NATIVE linting tools, not shell commands):
+   - **Docker**: hadolint tool FIRST, then shell docker build
+   - **docker-compose**: dclint tool
+   - **Terraform**: terraform_validate tool (or shell terraform init && terraform validate)
+   - **Helm charts**: helmlint tool for chart structure/templates
+   - **K8s manifests**: kubelint tool for security/best practices
+   - **Helm + K8s**: Use BOTH helmlint (structure) AND kubelint (security on rendered output)
 5. **Self-Correct**: If validation fails, analyze error, fix files, re-validate
 
-**CRITICAL for hadolint**: If hadolint finds ANY errors or warnings:
+**CRITICAL for linting tools**: If ANY linter finds errors or warnings:
 1. STOP and report ALL issues to the user FIRST
-2. Show each violation with line number, rule code, message
-3. DO NOT proceed to docker build until user acknowledges
+2. Show each violation with line number, rule code, message, and fix recommendation
+3. DO NOT proceed to build/deploy until user acknowledges or issues are fixed
+
+**When to use helmlint vs kubelint:**
+- helmlint: Chart.yaml issues, values.yaml unused values, template syntax errors
+- kubelint: Security (privileged, RBAC), best practices (probes, limits), after Helm renders
+- For Helm charts: Run BOTH - helmlint catches template issues, kubelint catches security issues
 </work_protocol>
 
 <error_handling>
@@ -554,7 +592,14 @@ Task status markers:
 - list_directory - List files and directories
 - shell - Run read-only commands only (ls, cat, grep, find, git status/log/diff)
 - analyze_project - Analyze project architecture, dependencies
-- hadolint - Lint Dockerfiles (read-only analysis)
+
+**Linting Tools (read-only analysis):**
+- hadolint - Lint Dockerfiles for best practices
+- dclint - Lint docker-compose files
+- kubelint - Lint K8s manifests for security/best practices (works on YAML, Helm charts, Kustomize)
+- helmlint - Lint Helm chart structure and templates
+
+**Planning Tools:**
 - **plan_create** - Create structured plan files with task checkboxes
 - **plan_list** - List existing plans in plans/ directory