feat(dylint): land ban_raw_subprocess governance lint (#264)

Closes #264.

Lands the `ban_raw_subprocess` custom dylint that was prototyped in
PR #262 and deferred. The lint fires on
`Command::{spawn, output, status}` (both `std::process::Command` and
`tokio::process::Command`) outside an explicit allowlist, so every
subprocess fbuild launches has to flow through one of the blessed
wrappers in `fbuild-core::{subprocess, containment}` and the
running-process-core / Job-Object invariants can't drift.

This commit addresses all three CR blockers from PR #262:

1. **CI integration script.** Ports `ci/build_dylint_driver.py` from
   zccache (same script, same dylint git rev `4bd91ce…`). Published
   `dylint_driver 5.0.0` doesn't compile against nightly-2026-03-26
   (rustc internals drift — `env_depinfo` / `file_depinfo` no longer
   exist), so cargo-dylint needs a driver built from the same git rev
   as our `dylint_linting` pin. The script clones the dylint repo,
   builds a matching driver, and exports DYLINT_DRIVER_PATH. Two
   Windows-specific tweaks vs the zccache version:
   - Writes `rust-toolchain.toml` (not extensionless `rust-toolchain`)
     so rustup unambiguously parses TOML.
   - Anchors RUSTC/CARGO env vars to the nightly binaries so a
     chocolatey-installed stable `rustc` earlier in PATH can't shadow
     them and trip the build-script's `#![feature(...)]` with E0554.

2. **Scope filter.** Previous prototype's `SOURCE_PREFIX = "crates/"`
   matched `crates/*/tests/`, `examples/`, and `benches/` — flagging
   test drivers that legitimately spawn binaries under test. Tightened
   to `crates/*/src/` via `in_production_scope` (requires BOTH `crates/`
   AND a subsequent `/src/` segment in the file path). Out of scope by
   design: integration tests, example code, bench harnesses, `ci/`,
   `dylints/`, build scripts.

3. **Qualified-path call shape.** Prior prototype only handled
   `ExprKind::MethodCall` (`cmd.spawn()`) and missed
   `Command::spawn(&mut cmd)` written as a qualified-path call. Added
   an `ExprKind::Path` branch that uses `qpath_res` to resolve the
   path's DefId — mirrors zccache's `ban_unrooted_tempdir` pattern.

Other pieces:

- `dylints/ban_raw_subprocess/` — the dylint crate. Pinned to the same
  `nightly-2026-03-26` channel + `trailofbits/dylint` git rev as
  zccache's sibling dylints. `[workspace.exclude]`'d so the stable
  workspace build isn't affected by the nightly pin.
- `src/allowlist.txt` — 7 files: the wrappers themselves
  (`subprocess.rs`, `containment.rs`), `containment_harness.rs` test
  harness, daemon-bootstrap from CLI (`daemon_client.rs`) and Python
  (`fbuild-python/src/daemon.rs`), cross-tool zccache daemon launch
  (`fbuild-build/src/zccache.rs`), and CLI async fan-out
  (`clang_tools.rs`).
- 3 unit tests for scope / allowlist matching logic.
- `[workspace.metadata.dylint]` in root Cargo.toml so
  `cargo dylint --all` discovers the lint.
- `.github/workflows/dylint.yml` — Ubuntu-only CI job. Installs the
  pinned nightly + components, installs cargo-dylint 5.0.0, builds a
  matching driver via the python script, then runs the dylint crate's
  own unit tests plus `cargo dylint --all -- --workspace --all-targets`.

The pre-existing `ci/find_direct_subprocess.py` string-matching guard
stays — it catches `Command::new(` constructors (the import side); this
dylint catches `.spawn()` / `.output()` / `.status()` methods (the
call side). They're complementary.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: zackees

.github/workflows/dylint.yml

@@ -0,0 +1,52 @@
+name: Dylint
+
+# Runs the custom `ban_raw_subprocess` dylint over the workspace.
+# Lives in its own job (and uses its own nightly toolchain pin) so the
+# stable workspace check on `check-ubuntu.yml` isn't blocked by dylint
+# infrastructure issues. See #264.
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+env:
+  CARGO_TERM_COLOR: always
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
+
+jobs:
+  dylint:
+    name: Dylint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: astral-sh/setup-uv@v3
+      - uses: zackees/setup-soldr@v0
+        with:
+          cache: true
+          toolchain: 1.94.1
+          cache-key-suffix: dylint
+          prebuild-deps: none
+      - name: Install Dylint nightly toolchain
+        # Pin matches `dylints/ban_raw_subprocess/rust-toolchain.toml`
+        # and zccache's `ci/build_dylint_driver.py::TOOLCHAIN_CHANNEL`.
+        run: rustup toolchain install nightly-2026-03-26 --component llvm-tools-preview --component rust-src --component rustc-dev --profile minimal
+      - name: Install Dylint
+        run: soldr cargo install cargo-dylint dylint-link --version 5.0.0 --locked
+      - name: Build compatible Dylint driver
+        # Published dylint_driver 5.0.0 does not build against the
+        # nightly toolchain pinned by dylint_linting 5.0.0; this script
+        # builds a matching driver from the same git rev. Exports
+        # DYLINT_DRIVER_PATH into $GITHUB_ENV for subsequent steps.
+        run: uv run python ci/build_dylint_driver.py
+      - name: Check dylint crate formatting
+        run: soldr cargo fmt --manifest-path dylints/ban_raw_subprocess/Cargo.toml --all -- --check
+      - name: Test dylint crate
+        run: |
+          export PATH="${CARGO_HOME}/bin:${PATH}"
+          cargo +nightly-2026-03-26 test --manifest-path dylints/ban_raw_subprocess/Cargo.toml
+      - name: Run dylint over workspace
+        run: |
+          export PATH="${CARGO_HOME}/bin:${PATH}"
+          cargo dylint --all -- --workspace --all-targets

Cargo.toml

@@ -16,6 +16,14 @@ members = [
     "crates/fbuild-library-select",
     "bench/fastled-examples",
 ]
+# Custom dylints have their own nightly toolchain pin (see
+# `dylints/*/rust-toolchain.toml`) and must not be part of the
+# stable workspace build — `cargo dylint --all` builds them with
+# the pinned nightly via the discovery below. See #264.
+exclude = ["dylints/ban_raw_subprocess"]
+
+[workspace.metadata.dylint]
+libraries = [{ path = "dylints/*" }]
 
 [workspace.package]
 version = "2.2.6"

ci/build_dylint_driver.py

@@ -0,0 +1,176 @@
+"""Build a Dylint driver from the git revision used by the lint crate.
+
+The published `dylint_driver` 5.0.0 crate does not build against the
+nightly toolchain pinned by CI. The lint crate already pins Dylint's git
+revision for `dylint_linting` and `dylint_testing`; this script builds the
+matching driver from that checkout and exports DYLINT_DRIVER_PATH.
+"""
+
+from __future__ import annotations
+
+import os
+import shutil
+import subprocess
+import sys
+import tempfile
+from pathlib import Path
+
+
+DYLINT_REPO = "https://github.com/trailofbits/dylint"
+DYLINT_REV = "4bd91ce7729b74c7ee5664bbb588f7baf30b4a09"
+TOOLCHAIN_CHANNEL = "nightly-2026-03-26"
+
+
+def run(args: list[str], **kwargs) -> subprocess.CompletedProcess[str]:  # noqa: ANN003
+    print("+", " ".join(args), flush=True)
+    return subprocess.run(args, check=True, text=True, **kwargs)
+
+
+def rustc_host() -> str:
+    # Invoke rustc through `rustup run` so the call works even when PATH
+    # is fronted by shims (e.g. soldr) that do not understand the
+    # `+<toolchain>` directive that only the rustup `cargo`/`rustc`
+    # wrappers parse.
+    output = subprocess.check_output(
+        ["rustup", "run", TOOLCHAIN_CHANNEL, "rustc", "-vV"],
+        text=True,
+    )
+    for line in output.splitlines():
+        if line.startswith("host: "):
+            return line.split("host: ", 1)[1]
+    raise RuntimeError("could not determine rustc host triple")
+
+
+def rustc_toolchain_root(full_toolchain: str) -> Path:
+    rustc = subprocess.check_output(
+        ["rustup", "which", "--toolchain", full_toolchain, "rustc"],
+        text=True,
+    ).strip()
+    return Path(rustc).resolve().parent.parent
+
+
+def write_driver_package(package: Path, dylint_checkout: Path, full_toolchain: str) -> None:
+    src = package / "src"
+    src.mkdir(parents=True)
+
+    driver_path = str((dylint_checkout / "driver").resolve()).replace("\\", "\\\\")
+    (package / "Cargo.toml").write_text(
+        f"""
+[package]
+name = "dylint_driver-{full_toolchain}"
+version = "0.1.0"
+edition = "2018"
+
+[dependencies]
+anyhow = "1.0"
+env_logger = "0.11"
+dylint_driver = {{ path = "{driver_path}" }}
+""".lstrip(),
+        encoding="utf-8",
+    )
+    # Use `.toml` extension so rustup unambiguously parses as TOML.
+    # The extensionless `rust-toolchain` form is ambiguous (single-line
+    # vs TOML) and on Windows hosts has been observed to silently fall
+    # through to the default toolchain, leaving the build script's
+    # `#![feature(...)]` rejected as "stable channel".
+    (package / "rust-toolchain.toml").write_text(
+        f"""
+[toolchain]
+channel = "{full_toolchain}"
+components = ["llvm-tools-preview", "rustc-dev"]
+""".lstrip(),
+        encoding="utf-8",
+    )
+    (src / "main.rs").write_text(
+        """
+#![feature(rustc_private)]
+
+use anyhow::Result;
+use std::env;
+
+pub fn main() -> Result<()> {
+    env_logger::init();
+
+    let args: Vec<_> = env::args_os().collect();
+
+    dylint_driver::dylint_driver(&args)
+}
+""".lstrip(),
+        encoding="utf-8",
+    )
+
+
+def append_github_env(name: str, value: Path) -> None:
+    github_env = os.environ.get("GITHUB_ENV")
+    if github_env:
+        with open(github_env, "a", encoding="utf-8") as file:
+            file.write(f"{name}={value}\n")
+
+
+def main() -> int:
+    full_toolchain = f"{TOOLCHAIN_CHANNEL}-{rustc_host()}"
+    runner_temp = Path(os.environ.get("RUNNER_TEMP", tempfile.gettempdir())).resolve()
+    driver_root = runner_temp / "dylint-drivers"
+    driver_dir = driver_root / full_toolchain
+    driver_dir.mkdir(parents=True, exist_ok=True)
+
+    with tempfile.TemporaryDirectory(prefix="fbuild-dylint-") as temp:
+        temp_path = Path(temp)
+        checkout = temp_path / "dylint"
+        package = temp_path / "driver-package"
+
+        run(["git", "clone", "--filter=blob:none", DYLINT_REPO, str(checkout)])
+        run(["git", "-C", str(checkout), "checkout", DYLINT_REV])
+
+        package.mkdir()
+        write_driver_package(package, checkout, full_toolchain)
+
+        env = os.environ.copy()
+        # Force the rustup toolchain in the env so it propagates into
+        # nested cargo/rustc invocations (e.g. build-script compilation
+        # of dylint_driver which uses `#![feature(...)]` and requires
+        # nightly). Setting via env is more reliable than relying solely
+        # on the `rust-toolchain.toml` lookup, especially on Windows.
+        env["RUSTUP_TOOLCHAIN"] = full_toolchain
+        # Anchor RUSTC and CARGO to the specific nightly binaries to
+        # defeat shadowing by any stable `rustc`/`cargo` that may appear
+        # earlier in PATH (e.g. a Chocolatey-installed stable on
+        # Windows). Without this, cargo's build-script rustc invocation
+        # may resolve to a stable rustc and fail on `#![feature(...)]`
+        # with E0554.
+        nightly_bin = rustc_toolchain_root(full_toolchain) / "bin"
+        rustc_exe = nightly_bin / ("rustc.exe" if os.name == "nt" else "rustc")
+        cargo_exe = nightly_bin / ("cargo.exe" if os.name == "nt" else "cargo")
+        if rustc_exe.exists():
+            env["RUSTC"] = str(rustc_exe)
+        if cargo_exe.exists():
+            env["CARGO"] = str(cargo_exe)
+        if os.name != "nt":
+            toolchain_root = rustc_toolchain_root(full_toolchain)
+            rpath = f"-C link-args=-Wl,-rpath,{toolchain_root / 'lib'}"
+            env["RUSTFLAGS"] = f"{env.get('RUSTFLAGS', '')} {rpath}".strip()
+
+        # Use `rustup run` instead of `cargo +<toolchain>` because the
+        # cargo on PATH may be a shim (e.g. soldr's) that does not parse
+        # the `+<toolchain>` directive — that directive is only honored
+        # by the rustup-managed cargo wrapper. `rustup run` selects the
+        # toolchain explicitly and works regardless of which `cargo`
+        # comes first on PATH.
+        run(
+            ["rustup", "run", TOOLCHAIN_CHANNEL, "cargo", "build"],
+            cwd=package,
+            env=env,
+        )
+
+        exe_suffix = ".exe" if os.name == "nt" else ""
+        built_driver = package / "target" / "debug" / f"dylint_driver-{full_toolchain}{exe_suffix}"
+        installed_driver = driver_dir / f"dylint-driver{exe_suffix}"
+        shutil.copy2(built_driver, installed_driver)
+
+    append_github_env("DYLINT_DRIVER_PATH", driver_root)
+    print(f"DYLINT_DRIVER_PATH={driver_root}")
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())

dylints/README.md

@@ -0,0 +1,59 @@
+# `dylints/`
+
+Custom [dylint](https://github.com/trailofbits/dylint) lints for fbuild
+production code. Each lint lives in its own crate so it can pin its own
+nightly toolchain (the rustc internal API moves fast; the workspace
+itself stays on stable 1.94.1).
+
+## Crates
+
+- **`ban_raw_subprocess/`** — forbids `Command::{spawn, output, status}`
+  on `std::process::Command` and `tokio::process::Command` in production
+  code (`crates/*/src/`). All subprocess spawns must flow through
+  `fbuild_core::subprocess::run_command` /
+  `fbuild_core::containment::*`. See #264.
+
+## Running locally
+
+```bash
+# One-time setup
+rustup toolchain install nightly-2026-03-26 \
+    --component llvm-tools-preview --component rust-src --component rustc-dev \
+    --profile minimal
+soldr cargo install cargo-dylint dylint-link --version 5.0.0 --locked
+uv run python ci/build_dylint_driver.py   # builds a matching driver
+
+# Run all dylints over the workspace
+export PATH="${CARGO_HOME:-$HOME/.cargo}/bin:${PATH}"
+cargo dylint --all -- --workspace --all-targets
+```
+
+CI runs this on every push/PR via `.github/workflows/dylint.yml`.
+
+## Why a separate toolchain pin
+
+`dylint_linting` builds against a specific nightly rustc; the rustc
+internal API (`rustc_lint`, `rustc_hir`, `rustc_span`) changes between
+nightlies. Keeping the dylint crate in `[workspace.exclude]` lets it
+pin `nightly-2026-03-26` in its own `rust-toolchain.toml` without
+forcing the entire workspace to nightly.
+
+The workspace registers the lint directory via:
+
+```toml
+[workspace.metadata.dylint]
+libraries = [{ path = "dylints/*" }]
+```
+
+so `cargo dylint --all` picks it up automatically.
+
+## Why `build_dylint_driver.py`
+
+Published `dylint_driver` 5.0.0 doesn't compile against the
+nightly-2026-03-26 toolchain (rustc internals drift). `cargo-dylint` would
+try to build it from crates.io and fail with `E0609: no field
+env_depinfo`. The script clones the dylint repo at the same git rev
+`dylint_linting` is pinned to (`4bd91ce…`) and builds a matching driver
+from that source, installing it where `cargo-dylint` expects.
+
+This mirrors zccache's approach 1:1; the script is a direct port.

dylints/ban_raw_subprocess/.gitignore

@@ -0,0 +1,2 @@
+/target
+/Cargo.lock

dylints/ban_raw_subprocess/Cargo.toml

@@ -0,0 +1,20 @@
+[package]
+name = "ban_raw_subprocess"
+version = "0.1.0"
+description = "Ban raw std/tokio Command spawn/output/status in fbuild production code"
+edition = "2021"
+publish = false
+
+[lib]
+crate-type = ["cdylib"]
+
+[dependencies]
+# Pinned to the same dylint_linting rev zccache's dylints use — same
+# rustup channel in rust-toolchain.toml, same upstream commit.
+dylint_linting = { git = "https://github.com/trailofbits/dylint", rev = "4bd91ce7729b74c7ee5664bbb588f7baf30b4a09" }
+
+[dev-dependencies]
+dylint_testing = { git = "https://github.com/trailofbits/dylint", rev = "4bd91ce7729b74c7ee5664bbb588f7baf30b4a09" }
+
+[package.metadata.rust-analyzer]
+rustc_private = true