tare gateway config lint

Apply the registered lint rules to a gateway config file.

The lint engine never reaches out to GCP, Azure, or Kubernetes — it is
safe to run in pre-merge CI on a config repo. Live-state checks (does
this static IP exist? Is AGIC enabled?) belong to the install Plan view,
not lint.

Pass --type to select the provider's rule set. GCP-only rules
(TAREL010 etc.) self-gate so an Azure config does not produce phantom
warnings about empty GCP fields.

Exit codes:
  0  No findings, or only info/warn findings (use --fail-on-warn to
     promote warnings to non-zero exits in CI).
  1  At least one error finding.
  2  Misuse (bad flags, missing config file, etc.).

Examples:
  tare gateway config lint --config gcp-gateway.json
  tare gateway config lint --config azure-gateway.json --type azure
  tare gateway config lint --config gcp-gateway.json --format json
  tare gateway config lint --list-rules

Usage:
  tare gateway config lint [flags]

Flags:
      --config string     Path to the gateway config file (gcp-gateway.json or azure-gateway.json) (default "gcp-gateway.json")
      --fail-on-warn      Exit non-zero when any warning is emitted
      --format string     Output format: text or json (default "text")
      --identity string   Path to identity (service-account) file; enables identity-aware rules (e.g. TAREL021)
      --list-rules        Print the registered rules and exit
      --severity string   Minimum severity to display: info, warn, or error (default "info")
      --type string       Gateway provider type (gcp|azure) (default "gcp")

Global Flags:
  -q, --quiet     Suppress progress output; only errors and the final summary go to stderr
  -v, --verbose   Verbose output: plain-mode progress lines plus full per-blob chunk logs to stderr