Module command

command — shell out to an external CLI per matched file.

Per-file rule: for every file matching paths, spawn the given command: argv with path-template substitution, capture exit code and stdout/stderr. Exit 0 is a pass; non-zero is one violation whose message is the (truncated) stdout+stderr. Spawn / wait failures and timeouts produce a violation with a clear cause line.

- id: workflows-clean
  kind: command
  paths: ".github/workflows/*.{yml,yaml}"
  command: ["actionlint", "{path}"]
  level: error

Path templates supported in argv tokens (and in the alint-injected ALINT_PATH env var): {path}, {dir}, {stem}, {ext}, {basename}, {parent_name}. Working directory is the alint root. Stdin is closed (/dev/null).
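
As an added illustration (not alint's own code), the Rust sketch below expands the templates per argv token and builds the child without a shell, so a filename containing shell metacharacters stays one inert argument. The function names, the `std::path`-based meaning of each template (`{ext}` without the dot) and the single-pass expansion are assumptions of this example.

```rust
use std::ffi::OsStr;
use std::path::Path;
use std::process::{Command, Stdio};

/// Expand the page's path templates inside ONE argv token.
/// Assumption: values follow std::path semantics ({ext} has no leading dot).
fn expand_token(token: &str, rel: &Path) -> String {
    let s = |o: Option<&OsStr>| o.map(|v| v.to_string_lossy().into_owned()).unwrap_or_default();
    let parent = rel.parent();
    let fields = [
        ("{path}", rel.to_string_lossy().into_owned()),
        ("{dir}", parent.map(|p| p.to_string_lossy().into_owned()).unwrap_or_default()),
        ("{stem}", s(rel.file_stem())),
        ("{ext}", s(rel.extension())),
        ("{basename}", s(rel.file_name())),
        ("{parent_name}", s(parent.and_then(Path::file_name))),
    ];
    // One left-to-right pass: substituted text is never re-scanned for templates.
    let mut out = String::new();
    let mut rest = token;
    'scan: while !rest.is_empty() {
        for (key, val) in &fields {
            if let Some(tail) = rest.strip_prefix(*key) {
                out.push_str(val);
                rest = tail;
                continue 'scan;
            }
        }
        let ch = rest.chars().next().unwrap();
        out.push(ch);
        rest = &rest[ch.len_utf8()..];
    }
    out
}

/// Build (do not spawn) the child: one argv entry per configured token, no shell.
/// Assumes `argv` is non-empty.
fn build_child(argv: &[&str], rel: &Path, root: &Path) -> Command {
    let mut cmd = Command::new(expand_token(argv[0], rel));
    cmd.args(argv[1..].iter().map(|t| expand_token(t, rel)))
        .current_dir(root) // working directory is the alint root
        .stdin(Stdio::null()) // stdin closed
        .env("ALINT_PATH", rel); // relative path of the matched file
    cmd
}

fn main() {
    let rel = Path::new(".github/workflows/ci; echo pwned.yml"); // constructed filename
    let cmd = build_child(&["actionlint", "{path}"], rel, Path::new("."));
    println!("{:?}", cmd.get_args().collect::<Vec<_>>());
}
```

If a rule has to go through `sh -c`, read the path from a quoted `"$ALINT_PATH"` inside the script rather than templating `{path}` into the script text, where the shell would parse the filename.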

Environment threaded into the child:

  • ALINT_PATH — relative path of the matched file.
  • ALINT_ROOT — absolute repo root.
  • ALINT_RULE_ID — the rule’s id:.
  • ALINT_LEVEL — error / warning / info.
  • ALINT_VAR_<NAME> — one per top-level vars: entry, uppercased.
  • ALINT_FACT_<NAME> — one per resolved fact, stringified.

Trust model: command rules are only allowed in the user’s own top-level config. Any extended source (local file, HTTPS URL, alint://bundled/) declaring kind: command is rejected at load time by alint_dsl::reject_command_rules_in — otherwise a malicious or compromised ruleset would gain arbitrary process execution simply by being fetched. Mirrors the existing custom: fact gate.

Structs

CommandRule

Functions

build