Align mxcli check and lint reporting with shared Violation format (issue #10)

Convert all mxcli check validators (ValidateMicroflow, ValidateEnumeration,
ValidateEntity, ValidateOQLSyntax, ValidateOQLTypes) from returning []string
to []linter.Violation with structured rule IDs (MDL prefix for source-level
checks). Rename built-in lint rules from MDL001-MDL007 to MPR001-MPR007
since they operate on the project model. Add --format flag to mxcli check
for JSON/SARIF output. Simplify LSP diagnostics to run validators directly
instead of subprocess + regex parsing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: ako

.claude/commands/mendix/lint.md

@@ -28,13 +28,13 @@ mxcli lint -p app.mpr --exclude System --exclude Administration
 
 | Rule | Category | Description |
 |------|----------|-------------|
-| MDL001 | naming | NamingConvention - PascalCase with 21 microflow prefixes (ACT_, SUB_, DS_, VAL_, SCH_, IVK_, BCO_, ACO_, etc.) |
-| MDL002 | quality | EmptyMicroflow - Microflows should have at least one activity |
-| MDL003 | design | DomainModelSize - Max persistent entities per domain model |
-| MDL004 | quality | ValidationFeedback - Validation feedback with empty message |
-| MDL005 | quality | ImageSource - IMAGE widgets with no source configured |
-| MDL006 | quality | EmptyContainer - Empty layout containers |
-| MDL007 | security | PageNavigationSecurity - Navigation pages need allowed roles (CE0557) |
+| MPR001 | naming | NamingConvention - PascalCase with 21 microflow prefixes (ACT_, SUB_, DS_, VAL_, SCH_, IVK_, BCO_, ACO_, etc.) |
+| MPR002 | quality | EmptyMicroflow - Microflows should have at least one activity |
+| MPR003 | design | DomainModelSize - Max persistent entities per domain model |
+| MPR004 | quality | ValidationFeedback - Validation feedback with empty message |
+| MPR005 | quality | ImageSource - IMAGE widgets with no source configured |
+| MPR006 | quality | EmptyContainer - Empty layout containers |
+| MPR007 | security | PageNavigationSecurity - Navigation pages need allowed roles (CE0557) |
 | SEC001 | security | NoEntityAccessRules - Persistent entities need access rules |
 | SEC002 | security | WeakPasswordPolicy - Password minimum length should be 8+ |
 | SEC003 | security | DemoUsersActive - Demo users should be off at Production security |
@@ -109,11 +109,11 @@ Place `.star` files in `.claude/lint-rules/` to add project-specific rules. They
 ```
 Sales
 -----
-  ⚠ Entity name 'customer_info' should use PascalCase [MDL001]
+  ⚠ Entity name 'customer_info' should use PascalCase [MPR001]
       at Sales.customer_info
       → CustomerInfo
 
-  ⚠ Microflow 'test' has no activities [MDL002]
+  ⚠ Microflow 'test' has no activities [MPR002]
       at Sales.test
       → Add activities or remove unused microflow
 

.claude/skills/mendix/assess-quality.md

@@ -65,7 +65,7 @@ After reviewing automated results, assess the following areas manually. The guid
 
 ### A. Naming Conventions
 
-**Enforced by rules:** MDL001, CONV001, CONV003, CONV004, CONV005
+**Enforced by rules:** MPR001, CONV001, CONV003, CONV004, CONV005
 
 | Element | Convention | Example |
 |---------|-----------|---------|
@@ -119,7 +119,7 @@ After reviewing automated results, assess the following areas manually. The guid
 
 ### C. Security
 
-**Enforced by rules:** SEC001-SEC009, CONV006, CONV007, CONV008, MDL007
+**Enforced by rules:** SEC001-SEC009, CONV006, CONV007, CONV008, MPR007
 
 #### C.1 Entity Access
 
@@ -137,7 +137,7 @@ After reviewing automated results, assess the following areas manually. The guid
 | Guideline | Rule | Priority |
 |-----------|------|----------|
 | 1:1 mapping between module roles and user roles | CONV008 | High |
-| Pages in navigation must have allowed roles | MDL007 | High |
+| Pages in navigation must have allowed roles | MPR007 | High |
 | No guest/anonymous access to sensitive data | SEC004 | Critical |
 | Strict security mode enabled | SEC005 | High |
 | No demo users in production | SEC003 | Critical |
@@ -165,15 +165,15 @@ The Dutch Institute for Vulnerability Disclosure (DIVD) found widespread authori
 
 ### D. Maintainability
 
-**Enforced by rules:** QUAL001-QUAL004, CONV009, CONV012, CONV014, MDL002, MDL004, MDL006
+**Enforced by rules:** QUAL001-QUAL004, CONV009, CONV012, CONV014, MPR002, MPR004, MPR006
 
 | Guideline | Rule/Check | Threshold |
 |-----------|-----------|-----------|
 | Microflow complexity (McCabe) | QUAL001 | Cyclomatic complexity <= 10 |
 | Microflow size | CONV009 | Max 15 activities |
 | Documentation on public microflows | QUAL002 | All ACT_, DS_, IVK_ should be documented |
 | No orphaned/unused elements | QUAL004 | Remove unused microflows, pages, entities |
-| No empty microflows | MDL002 | Every microflow should have at least one activity |
+| No empty microflows | MPR002 | Every microflow should have at least one activity |
 | Caption on exclusive splits | CONV012 | All decision points must have captions |
 | No "Continue" error handling | CONV014 | Never swallow errors silently |
 | ACT_ microflows: thin controllers | CONV010 | Only page activities + submicroflow calls |
@@ -211,14 +211,14 @@ The Dutch Institute for Vulnerability Disclosure (DIVD) found widespread authori
 
 ### F. Architecture
 
-**Enforced by rules:** ARCH001-ARCH003, CONV010, MDL003
+**Enforced by rules:** ARCH001-ARCH003, CONV010, MPR003
 
 | Guideline | Rule/Check | Details |
 |-----------|-----------|---------|
 | No cross-module direct data access | ARCH001 | Access data through microflows, not direct entity references |
 | Data changes through microflows only | ARCH002 | Don't change entities from pages directly |
 | Business key on entities | ARCH003 | Persistent entities should have a business key attribute |
-| Domain model size | MDL003 | Max 15 persistent entities per module |
+| Domain model size | MPR003 | Max 15 persistent entities per module |
 | Entity attribute count | DESIGN001 | Max 10 attributes per entity (consider splitting) |
 
 **Manual checks:**
@@ -404,7 +404,7 @@ Overall Score: [X]/100 (from `mxcli report`)
 This skill incorporates guidelines from:
 - **Conventions.pdf** — Squad Apps internal best practices (14 categories, 80+ guidelines)
 - **CONV001-CONV017 lint rules** — Automated checks derived from Conventions.pdf
-- **MDL001-MDL007, SEC001-SEC009** — Built-in linter rules
+- **MPR001-MPR007, SEC001-SEC009** — Built-in linter rules
 - **ARCH, DESIGN, QUAL series** — Starlark architecture/quality rules
 - **Mendix Performance Best Practices** — Official Mendix documentation on performance optimization
 - **Mendix Security Best Practices** — Official Mendix documentation on security configuration

CLAUDE.md

@@ -89,7 +89,7 @@ ModelSDKGo/
 │   ├── executor/            # Executes AST against modelsdk-go
 │   ├── catalog/             # SQLite-based catalog for querying project metadata
 │   ├── linter/              # Extensible linting framework
-│   │   └── rules/           # Built-in lint rules (MDL001, MDL002, etc.)
+│   │   └── rules/           # Built-in lint rules (MPR001, MPR002, etc.)
 │   └── repl/                # Interactive REPL interface
 │
 ├── sql/                     # External database connectivity (PostgreSQL, Oracle, SQL Server)

README.md

@@ -268,7 +268,7 @@ mxcli lint -p app.mpr --list-rules
 mxcli lint -p app.mpr --exclude System --exclude Administration
 ```
 
-14 built-in Go rules (MDL001-MDL007, SEC001-SEC003, CONV011-CONV014) plus 27 bundled Starlark rules covering security (SEC004-SEC009), architecture (ARCH001-003), quality (QUAL001-004), design (DESIGN001), and Mendix best practice conventions (CONV001-CONV010, CONV015-CONV017). Custom `.star` rules in `.claude/lint-rules/` are loaded automatically.
+14 built-in Go rules (MPR001-MPR007, SEC001-SEC003, CONV011-CONV014) plus 27 bundled Starlark rules covering security (SEC004-SEC009), architecture (ARCH001-003), quality (QUAL001-004), design (DESIGN001), and Mendix best practice conventions (CONV001-CONV010, CONV015-CONV017). Custom `.star` rules in `.claude/lint-rules/` are loaded automatically.
 
 ### Best Practices Report
 

cmd/mxcli/cmd_check.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/mendixlabs/mxcli/mdl/ast"
 	"github.com/mendixlabs/mxcli/mdl/executor"
+	"github.com/mendixlabs/mxcli/mdl/linter"
 	"github.com/mendixlabs/mxcli/mdl/visitor"
 	"github.com/spf13/cobra"
 )
@@ -26,18 +27,25 @@ that are created within the script itself. For example, if your script creates
 a module "MyModule" and then creates entities in it, no error will be reported
 for the module reference.
 
+Output includes structured rule IDs (MDL prefix) for each validation issue.
+
 Examples:
   # Check syntax only (no project needed)
   mxcli check script.mdl
 
   # Check syntax and validate references against a project
   mxcli check script.mdl -p app.mpr --references
+
+  # Output as JSON or SARIF
+  mxcli check script.mdl --format json
+  mxcli check script.mdl --format sarif
 `,
 	Args: cobra.ExactArgs(1),
 	Run: func(cmd *cobra.Command, args []string) {
 		filePath := args[0]
 		projectPath, _ := cmd.Flags().GetString("project")
 		checkRefs, _ := cmd.Flags().GetBool("references")
+		format, _ := cmd.Flags().GetString("format")
 
 		// Read the file
 		content, err := os.ReadFile(filePath)
@@ -67,54 +75,41 @@ Examples:
 		fmt.Printf("✓ Syntax OK (%d statements)\n", len(prog.Statements))
 
 		// Validate statements (doesn't require project connection)
-		var oqlErrors []string
-		for i, stmt := range prog.Statements {
+		var violations []linter.Violation
+		for _, stmt := range prog.Statements {
 			// Check enumeration values for reserved words
 			if enumStmt, ok := stmt.(*ast.CreateEnumerationStmt); ok {
-				if errs := executor.ValidateEnumeration(enumStmt); len(errs) > 0 {
-					for _, e := range errs {
-						oqlErrors = append(oqlErrors, fmt.Sprintf("statement %d (%s): %s", i+1, enumStmt.Name.String(), e))
-					}
-				}
+				violations = append(violations, executor.ValidateEnumeration(enumStmt)...)
 			}
 			// Check entity attributes for reserved system names
 			if entityStmt, ok := stmt.(*ast.CreateEntityStmt); ok {
-				if errs := executor.ValidateEntity(entityStmt); len(errs) > 0 {
-					for _, e := range errs {
-						oqlErrors = append(oqlErrors, fmt.Sprintf("statement %d (%s): %s", i+1, entityStmt.Name.String(), e))
-					}
-				}
+				violations = append(violations, executor.ValidateEntity(entityStmt)...)
 			}
 			// Check microflow body for common issues
 			if mfStmt, ok := stmt.(*ast.CreateMicroflowStmt); ok {
-				if warns := executor.ValidateMicroflow(mfStmt); len(warns) > 0 {
-					for _, w := range warns {
-						oqlErrors = append(oqlErrors, fmt.Sprintf("statement %d (%s): %s", i+1, mfStmt.Name.String(), w))
-					}
-				}
+				violations = append(violations, executor.ValidateMicroflow(mfStmt)...)
 			}
 			// Check view entity OQL
 			if viewStmt, ok := stmt.(*ast.CreateViewEntityStmt); ok {
 				if viewStmt.Query.RawQuery != "" {
-					if errs := executor.ValidateOQLSyntax(viewStmt.Query.RawQuery); len(errs) > 0 {
-						for _, e := range errs {
-							oqlErrors = append(oqlErrors, fmt.Sprintf("statement %d (%s): %s", i+1, viewStmt.Name.String(), e))
-						}
-					}
-					if errs := executor.ValidateOQLTypes(viewStmt.Query.RawQuery, viewStmt.Attributes); len(errs) > 0 {
-						for _, e := range errs {
-							oqlErrors = append(oqlErrors, fmt.Sprintf("statement %d (%s): %s", i+1, viewStmt.Name.String(), e))
-						}
-					}
+					violations = append(violations, executor.ValidateOQLSyntax(viewStmt.Query.RawQuery)...)
+					violations = append(violations, executor.ValidateOQLTypes(viewStmt.Query.RawQuery, viewStmt.Attributes)...)
 				}
 			}
 		}
-		if len(oqlErrors) > 0 {
-			fmt.Fprintf(os.Stderr, "\nValidation errors found:\n")
-			for _, e := range oqlErrors {
-				fmt.Fprintf(os.Stderr, "  - %s\n", e)
+
+		if len(violations) > 0 {
+			// Use structured output
+			outputFormat := linter.OutputFormat(format)
+			formatter := linter.GetFormatter(outputFormat, format == "" || format == "text")
+			fmt.Fprintln(os.Stderr)
+			formatter.Format(violations, os.Stderr)
+
+			// Exit with error if there are any error-severity violations
+			summary := linter.Summarize(violations)
+			if summary.Errors > 0 {
+				os.Exit(1)
 			}
-			os.Exit(1)
 		}
 
 		// If reference checking requested

cmd/mxcli/cmd_lint.go

@@ -20,13 +20,13 @@ var lintCmd = &cobra.Command{
 	Long: `Run linting rules against a Mendix project to find potential issues.
 
 Built-in rules check for:
-  - Naming conventions (MDL001) - entities, microflows, pages, enumerations
-  - Empty microflows (MDL002) - microflows with no activities
-  - Domain model size (MDL003) - max persistent entities per domain model
-  - Empty validation feedback (MDL004) - validation feedback with empty message
-  - Unconfigured images (MDL005) - IMAGE widgets with no source configured
-  - Empty containers (MDL006) - layout containers with no children
-  - Navigation page security (MDL007) - pages in navigation need allowed roles
+  - Naming conventions (MPR001) - entities, microflows, pages, enumerations
+  - Empty microflows (MPR002) - microflows with no activities
+  - Domain model size (MPR003) - max persistent entities per domain model
+  - Empty validation feedback (MPR004) - validation feedback with empty message
+  - Unconfigured images (MPR005) - IMAGE widgets with no source configured
+  - Empty containers (MPR006) - layout containers with no children
+  - Navigation page security (MPR007) - pages in navigation need allowed roles
   - Entity access rules (SEC001) - persistent entities need access rules
   - Password policy (SEC002) - password minimum length should be 8+
   - Demo users (SEC003) - demo users should be off at Production security
@@ -123,7 +123,7 @@ Examples:
 		ctx := linter.NewLintContext(cat)
 		ctx.SetExcludedModules(excludeModules)
 
-		// Set reader so rules that inspect raw BSON (MDL004, MDL005) work
+		// Set reader so rules that inspect raw BSON (MPR004, MPR005) work
 		if reader := exec.Reader(); reader != nil {
 			ctx.SetReader(reader)
 		}

cmd/mxcli/init.go

@@ -647,13 +647,13 @@ func generateClaudeMD(projectName, mprFile string) string {
 	w("### Built-in Rules\n\n")
 	w("| Rule | Category | Description |\n")
 	w("|------|----------|-------------|\n")
-	w("| MDL001 | quality | PascalCase naming conventions (entities, microflows, pages, enumerations) |\n")
-	w("| MDL002 | quality | Empty microflows (no activities) |\n")
-	w("| MDL003 | design | Domain model size (>15 persistent entities per module) |\n")
-	w("| MDL004 | correctness | Empty validation feedback message (CE0091) |\n")
-	w("| MDL005 | correctness | Unconfigured image widget source |\n")
-	w("| MDL006 | correctness | Empty containers (runtime crash) |\n")
-	w("| MDL007 | security | Navigation page without allowed role (CE0557) |\n")
+	w("| MPR001 | quality | PascalCase naming conventions (entities, microflows, pages, enumerations) |\n")
+	w("| MPR002 | quality | Empty microflows (no activities) |\n")
+	w("| MPR003 | design | Domain model size (>15 persistent entities per module) |\n")
+	w("| MPR004 | correctness | Empty validation feedback message (CE0091) |\n")
+	w("| MPR005 | correctness | Unconfigured image widget source |\n")
+	w("| MPR006 | correctness | Empty containers (runtime crash) |\n")
+	w("| MPR007 | security | Navigation page without allowed role (CE0557) |\n")
 	w("| SEC001 | security | Persistent entity without access rules |\n")
 	w("| SEC002 | security | Weak password policy (minimum length < 8) |\n")
 	w("| SEC003 | security | Demo users active at non-development security level |\n")

cmd/mxcli/lsp_diagnostics.go

@@ -8,6 +8,9 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/mendixlabs/mxcli/mdl/ast"
+	"github.com/mendixlabs/mxcli/mdl/executor"
+	"github.com/mendixlabs/mxcli/mdl/linter"
 	"github.com/mendixlabs/mxcli/mdl/visitor"
 	"go.lsp.dev/protocol"
 	"go.lsp.dev/uri"
@@ -71,6 +74,10 @@ func (s *mdlServer) publishDiagnostics(ctx context.Context, docURI uri.URI, text
 	}
 
 	diags := parseMDLDiagnostics(text)
+	// If no parse errors, run semantic validation inline
+	if len(diags) == 0 {
+		diags = append(diags, runSemanticValidation(text)...)
+	}
 	if diags == nil {
 		diags = []protocol.Diagnostic{} // send empty array to clear diagnostics
 	}
@@ -258,3 +265,73 @@ func mapStatementLines(text string) []uint32 {
 	}
 	return stmtLines
 }
+
+// runSemanticValidation runs the same validators as cmd_check.go directly on parsed text,
+// returning LSP diagnostics with structured rule IDs.
+func runSemanticValidation(text string) []protocol.Diagnostic {
+	prog, errs := visitor.Build(text)
+	if len(errs) > 0 || prog == nil {
+		return nil
+	}
+
+	stmtLines := mapStatementLines(text)
+
+	var diags []protocol.Diagnostic
+	for i, stmt := range prog.Statements {
+		var violations []linter.Violation
+		if enumStmt, ok := stmt.(*ast.CreateEnumerationStmt); ok {
+			violations = append(violations, executor.ValidateEnumeration(enumStmt)...)
+		}
+		if entityStmt, ok := stmt.(*ast.CreateEntityStmt); ok {
+			violations = append(violations, executor.ValidateEntity(entityStmt)...)
+		}
+		if mfStmt, ok := stmt.(*ast.CreateMicroflowStmt); ok {
+			violations = append(violations, executor.ValidateMicroflow(mfStmt)...)
+		}
+		if viewStmt, ok := stmt.(*ast.CreateViewEntityStmt); ok {
+			if viewStmt.Query.RawQuery != "" {
+				violations = append(violations, executor.ValidateOQLSyntax(viewStmt.Query.RawQuery)...)
+				violations = append(violations, executor.ValidateOQLTypes(viewStmt.Query.RawQuery, viewStmt.Attributes)...)
+			}
+		}
+
+		lineNum := uint32(0)
+		if i < len(stmtLines) {
+			lineNum = stmtLines[i]
+		}
+
+		for _, v := range violations {
+			msg := v.Message
+			if v.Suggestion != "" {
+				msg += " → " + v.Suggestion
+			}
+			diags = append(diags, protocol.Diagnostic{
+				Range: protocol.Range{
+					Start: protocol.Position{Line: lineNum, Character: 0},
+					End:   protocol.Position{Line: lineNum, Character: 0},
+				},
+				Severity: violationToLSPSeverity(v.Severity),
+				Source:   "mdl-check",
+				Code:    v.RuleID,
+				Message:  msg,
+			})
+		}
+	}
+	return diags
+}
+
+// violationToLSPSeverity maps linter.Severity to protocol.DiagnosticSeverity.
+func violationToLSPSeverity(s linter.Severity) protocol.DiagnosticSeverity {
+	switch s {
+	case linter.SeverityError:
+		return protocol.DiagnosticSeverityError
+	case linter.SeverityWarning:
+		return protocol.DiagnosticSeverityWarning
+	case linter.SeverityInfo:
+		return protocol.DiagnosticSeverityInformation
+	case linter.SeverityHint:
+		return protocol.DiagnosticSeverityHint
+	default:
+		return protocol.DiagnosticSeverityWarning
+	}
+}

cmd/mxcli/main.go

@@ -191,6 +191,7 @@ func init() {
 
 	// Check command flags
 	checkCmd.Flags().BoolP("references", "r", false, "Validate references against the project")
+	checkCmd.Flags().String("format", "text", "Output format: text, json, sarif")
 
 	// Diff command flags
 	diffCmd.Flags().StringP("format", "f", "unified", "Output format: unified, side, struct")