feat(gnovm): add extensible linting framework with AVL001 and GLOBAL001 rules

[MikaelVallenet]

fix #4421 & fix #1042

Summary (PR description is mostly AI generated and then adapted by me)

This PR adds an extensible linting framework to gno lint. You can now write pluggable rules, choose different
output formats, and suppress warnings with //nolint comments.

What's New

New Lint Package (gnovm/pkg/lint/)

Core stuff:

• Issue - represents a single lint finding (severity, location, message)
• Severity - three levels: info, warning, error
• Rule interface - implement this to create your own lint rules
• RuleContext - gives rules access to the file, source code, and parent nodes
• Registry - handles rule registration (rules self-register via init())
• Config - controls mode and which rules to disable
• NolintParser - reads //nolint comments to suppress specific issues

Reporters (how output gets formatted):

• TextReporter - human-friendly output, sorted by file/line, with a summary at the end
• JSONReporter - machine-readable JSON array for tooling integration
• DirectReporter - prints issues immediately as they're found (used by gno test)

Built-in rules:

• AVL001 - warns when you iterate an entire AVL tree without bounds (tree.Iterate("", "", ...))
• GLOBAL001 - warns about exported package-level variables (like var Counter int)

CLI Changes (gnovm/cmd/gno/lint.go)

New flags:

• --mode - choose between default, strict, or warn-only
• --format - output as text or json
• --list-rules - shows all available rules and exits
• --disable-rules - skip specific rules (e.g., --disable-rules=AVL001,GLOBAL001)

Output format changed:
Before

  file.gno:10:5: some message (code=someCode)

After

  file.gno:10:5: warning: some message (AVL001)

Docs

• Added docs/resources/gno-lint.md with usage examples, rule descriptions, and a guide for writing new rules

Tests

• Unit tests for everything in gnovm/pkg/lint/
• Integration tests (txtar format) covering AVL001, GLOBAL001, nolint directives, and mode flags

Breaking Changes

Output format - The lint output now includes severity and uses a different format (see above)

Exit codes - Now depend on the mode:

Mode	Exits with 1 when...
default	there are errors
strict	there are any issues (warnings become errors)
warn-only	never (errors become warnings)

[Gno2D2]

🛠 PR Checks Summary

All Automated Checks passed. ✅

Manual Checks (for Reviewers):

• IGNORE the bot requirements for this PR (force green CI check)

Read More

🤖 This bot helps streamline PR reviews by verifying automated checks and providing guidance for contributors and reviewers.

✅ Automated Checks (for Contributors):

🟢 Maintainers must be able to edit this pull request (more info)
🟢 Pending initial approval by a review team member, or review from tech-staff

☑️ Contributor Actions:

1. Fix any issues flagged by automated checks.
2. Follow the Contributor Checklist to ensure your PR is ready for review.
   • Add new tests, or document why they are unnecessary.
   • Provide clear examples/screenshots, if necessary.
   • Update documentation, if required.
   • Ensure no breaking changes, or include BREAKING CHANGE notes.
   • Link related issues/PRs, where applicable.

☑️ Reviewer Actions:

1. Complete manual checks for the PR, including the guidelines and additional checks if applicable.

📚 Resources:

• Report a bug with the bot.
• View the bot’s configuration file.

Debug

Automated Checks

Maintainers must be able to edit this pull request (more info)

If

🟢 Condition met
└── 🟢 And
    ├── 🟢 The base branch matches this pattern: ^master$
    └── 🟢 The pull request was created from a fork (head branch repo: MikaelVallenet/gno)

Then

🟢 Requirement satisfied
└── 🟢 Maintainer can modify this pull request

Pending initial approval by a review team member, or review from tech-staff

If

🟢 Condition met
└── 🟢 And
    ├── 🟢 The base branch matches this pattern: ^master$
    └── 🟢 Not (🔴 Pull request author is a member of the team: tech-staff)

Then

🟢 Requirement satisfied
└── 🟢 If
    ├── 🟢 Condition
    │   └── 🟢 Or
    │       ├── 🟢 User davd-gzl already reviewed PR 5068 with state APPROVED
    │       ├── 🔴 At least 1 user(s) of the team tech-staff reviewed pull request
    │       └── 🔴 This pull request is a draft
    └── 🟢 Then
        └── 🟢 Not (🔴 This label is applied to pull request: review/triage-pending)

Manual Checks

**IGNORE** the bot requirements for this PR (force green CI check)

If

🟢 Condition met
└── 🟢 On every pull request

Can be checked by

• Any user with comment edit permission

[codecov]

Codecov Report

❌ Patch coverage is 85.74257% with 72 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
gnovm/cmd/gno/lint.go	61.76%	21 Missing and 5 partials ⚠️
gnovm/cmd/gno/common.go	60.97%	16 Missing ⚠️
gnovm/pkg/lint/rules/avl001.go	77.04%	9 Missing and 5 partials ⚠️
gnovm/pkg/lint/rules/render001.go	82.97%	8 Missing ⚠️
gnovm/pkg/lint/registry.go	92.59%	2 Missing ⚠️
gnovm/pkg/lint/reporters/direct.go	86.66%	2 Missing ⚠️
gnovm/pkg/lint/rules/global001.go	95.00%	1 Missing and 1 partial ⚠️
gnovm/pkg/lint/severity.go	92.30%	1 Missing and 1 partial ⚠️

📢 Thoughts on this report? Let us know!

[davd-gzl]

Overall implementations seems working great from my testing, there's some nitpick and code can be simplified at some place but it seems like an efficient V1.
I need to do a second review to be sure!

[MikaelVallenet]

c6d99f0

[MikaelVallenet]

173adb0

[davd-gzl]

This rule is triggered on the variables of the next code snippets, which I don't think should.
If it's possible with the AST you are working with, we would have better to trigger this warning only on dangerous exported variable (e.g.: structure containing public method returning object, not readonly tainted value, whatever else).

package grc1155

import "errors"

var (
	ErrInvalidAddress                         = errors.New("invalid address")
	ErrMismatchLength                         = errors.New("accounts and ids length mismatch")
	ErrCannotTransferToSelf                   = errors.New("cannot send transfer to self")
	ErrTransferToRejectedOrNonGRC1155Receiver = errors.New("transfer to rejected or non GRC1155Receiver implementer")
	ErrCallerIsNotOwnerOrApproved             = errors.New("caller is not token owner or approved")
	ErrInsufficientBalance                    = errors.New("insufficient balance for transfer")
	ErrBurnAmountExceedsBalance               = errors.New("burn amount exceeds balance")
	ErrInvalidAmount                          = errors.New("invalid amount")
)

davd@davd ~/P/g/e/g/p/d/t/grc1155 (mikael/experiment/linter-archi)> gno lint .
errors.gno:6:2: warning: exported package-level variable: ErrInvalidAddress (GLOBAL001)
errors.gno:7:2: warning: exported package-level variable: ErrMismatchLength (GLOBAL001)
errors.gno:8:2: warning: exported package-level variable: ErrCannotTransferToSelf (GLOBAL001)
errors.gno:9:2: warning: exported package-level variable: ErrTransferToRejectedOrNonGRC1155Receiver (GLOBAL001)
errors.gno:10:2: warning: exported package-level variable: ErrCallerIsNotOwnerOrApproved (GLOBAL001)
errors.gno:11:2: warning: exported package-level variable: ErrInsufficientBalance (GLOBAL001)
errors.gno:12:2: warning: exported package-level variable: ErrBurnAmountExceedsBalance (GLOBAL001)
errors.gno:13:2: warning: exported package-level variable: ErrInvalidAmount (GLOBAL001)

Found 8 issue(s): 0 error(s), 8 warning(s), 0 info

[MikaelVallenet]

what about using the // nolint directive for these one
it's a way to acknowledge you know what you do IMO
will fix the others reviews asap

[davd-gzl]

I don't think it's a good idea, it's gonna pollute the code base especially if we have to refactor everything.
I feel we would have better to set it deactivated by default with a warning on that flag, fix the flag with only problematic global variable, or remove it entirely as the false positive will be too high.

[davd-gzl]

It would be great to be able to inline this comment (or add an example if it's already implemented)

var Config = DefaultConfig() //nolint:GLOBAL001

[MikaelVallenet]

Out of scope IMO can be done in another PR

[davd-gzl]

This is duplicated

[MikaelVallenet]

text and json implementations shared some common business logic, we could use a common base but i don't think it make sense here, just for 2 implem. can you developp your thinking

[davd-gzl]

This specific switch case is duplicated 4 times and is related to a constant behavior, I think this should be moved in a generic helper.
The sort function from the flush too, but I agree we don't have to use a common base in that case.

[MikaelVallenet]

f0e468e

[MikaelVallenet]

12ee757

[moonia]

Overall, LGTM.
The implementation appears to be working as expected based on my testing. As Davphla mentioned, it might be worth adding this to docs/README.md

[thehowl]

I'll review this when I can; can you make sure to include the additions you made in #4943 as well? :)

[davd-gzl]

I tested every features, it all works great except the edge case of avl001

[davd-gzl]

This specific switch case is duplicated 4 times and is related to a constant behavior, I think this should be moved in a generic helper.
The sort function from the flush too, but I agree we don't have to use a common base in that case.

[davd-gzl]

For some reason this rule is not triggered on examples/gno.land/p/demo/microblog/microblog.gno:L39

[MikaelVallenet]

fixed: f0e468e

[jefft0]

@MikaelVallenet , the failed Lint CI check for "images/manifesto/boards2.jpeg" has been fixed in master. If you merge master again, then it should fix this CI check.