Wire ConfighubScanProvider.ScanCluster() to cub-scan via resource export

[monadic]

Context

ConfighubScanProvider.ScanCluster() currently delegates entirely to the legacy provider. cub-scan is a static file scanner with no cluster-scanning mode.

What's needed

To use cub-scan for cluster scanning:

1. Export live cluster resources to temp files via K8s API
2. Invoke cub-scan --format json on each exported manifest
3. Merge cub-scan findings with runtime scan results (state, timing bombs, dangling, lifecycle hazards) which inherently require live K8s APIs and stay on the legacy provider

Current state

• ScanFile() is fully wired to cub-scan (shipped in v1.2, v1.2: Wire ConfighubScanProvider.ScanFile() to cub-scan binary #190)
• ScanCluster() falls back to legacy — safe, correct, documented
• Comment in internal/scan/confighub_provider.go explains the limitation

Acceptance criteria

• Cluster resources exported to temp directory (namespace-scoped and cluster-scoped)
• cub-scan invoked on exported manifests when binary is available
• Runtime scan types (state, timing bombs, dangling, lifecycle hazards) remain on legacy provider
• Graceful fallback to legacy if cub-scan fails or isn't available
• Integration test with fake cub-scan binary (follows existing pattern in test/integration/scan_provider_test.go)

Spun out from v1.2 (#190) per roadmap known-limitation note.

[monadic]

Heads-up: scanner-side contract anchor is now landed in confighub-scan main (commit 2b28c60) for this issue's export-path wiring.

Reference assets:

• docs/CUB-SCOUT-INTEGRATION.md
• test/fixtures/cub-scout-integration/reference-findings-v1.json
• make test-cub-scout-contract (drift gate in make validate)

This gives ScanCluster() integration a deterministic expected risk-scan-findings-v1 output for the ConfigHub export-bundle path.

[monadic]

Scanner-side update landed in confighub-scan main (5e83368): SDK contract tests now pin both integration entry points to the cub-scout fixture.

Added tests:

• TestScanConfigUnitsMatchesCubScoutContractFixture
• TestScanConfigHubMatchesCubScoutContractFixture

Reference fixture:

• test/fixtures/cub-scout-integration/reference-findings-v1.json

This means ScanCluster() can use SDK wiring with exact contract confidence (same expected risk-scan-findings-v1 output as CLI path).

[monadic]

Scanner-side update for cub-scout#200 landed in confighub-scan main (70c812b):

cub-scout contract validation now emits a structured report artifact:

• dist/quality/cub-scout-contract-report.json
• schema: cub-scout-contract-report-v1
• includes pass/fail/error status + drift metadata + diff excerpt on mismatch

CI uploads this artifact as cub-scout-contract-report.

This gives ScanCluster() rollout a machine-readable contract signal, not just log output.

[monadic]

Completed via main commit 919187b (scan: run cub-scan for cluster exports with legacy fallback).\n\nWhat landed:\n- ConfighubScanProvider.ScanCluster now runs legacy runtime scans first, then exports live resources and invokes cub-scan --format json when available.\n- Export path enumerates namespace-scoped and cluster-scoped resources and writes a temp manifest bundle.\n- Raw risk-scan-findings-v1 payload is persisted before enrichment/mapping.\n- Failure paths (binary unavailable, export error, cub-scan error) gracefully return legacy-only result.\n- Tests added for cluster path + fallback in internal/scan/confighub_provider_test.go and validated with:\n - go test ./internal/scan -count=1\n - go test -tags=integration ./test/integration/... -run TestScanProvider -count=1\n