feat(1b): add lint/format toolchain — lint devshell + scripts/lint.sh + ruff/yamllint config

flake.nix

@@ -16,6 +16,19 @@
     let
       system = "x86_64-linux";
       pkgs = nixpkgs.legacyPackages.${system};
+      # Lint/format toolchain (Phase 1b, RL1). Same tools the `.drone.yml` lint stage and
+      # `scripts/lint.sh` use, built from the pinned nixpkgs so CI and local agree byte-for-byte.
+      # Nix: nixpkgs-fmt (format) · statix (lints) · deadnix (dead code).
+      # Python: ruff (lint + format). Shell: shellcheck + shfmt. YAML: yamllint.
+      lintTools = with pkgs; [
+        nixpkgs-fmt
+        statix
+        deadnix
+        ruff
+        shellcheck
+        shfmt
+        yamllint
+      ];
     in
     {
       nixosConfigurations.cc-ci = nixpkgs.lib.nixosSystem {
@@ -25,10 +38,23 @@
           ./hosts/cc-ci/configuration.nix
         ];
       };
+      nixosConfigurations.cc-ci = nixpkgs.lib.nixosSystem {
+        inherit system;
+        modules = [
+          sops-nix.nixosModules.sops
+          ./hosts/cc-ci/configuration.nix
+        ];
+      };
 
       # Devshell for working on the harness/bridge locally.
       devShells.${system}.default = pkgs.mkShell {
-        packages = with pkgs; [ git jq curl nixpkgs-fmt ];
+        packages = (with pkgs; [ git jq curl ]) ++ lintTools;
+      };
+
+      # `nix develop .#lint` — exactly the lint toolchain, nothing else. Used by `scripts/lint.sh`
+      # and the `.drone.yml` lint stage.
+      devShells.${system}.lint = pkgs.mkShell {
+        packages = lintTools;
       };
 
       formatter.${system} = pkgs.nixpkgs-fmt;