ci: gate fixture runner on analyzer binary presence

[ThomasPluck]

Summary

CI on master is red on the fixture integration step at commit 2a31911. Two fixtures fail with "expected hallucinated-import diagnostic":

• rust_analyzer/ — rust-analyzer binary is not installed in CI (the workflow only installs pyright and semgrep). The runner had no notion of optional analyzer binaries, so the fixture failed unconditionally.
• semgrep/ — the equivalent cargo test (semgrep_fixture_flags_multiple_rules_when_installed) passes in the same CI run, so semgrep itself works. The shell runner was suppressing daemon stderr (2>/dev/null), which made this undebuggable.

The deeper issue: test/run_fixtures.sh checked an overly broad "≥1 diagnostic per fixture" invariant. Detailed per-analyzer assertions already live in daemon/tests/fixtures.rs; this script is just the end-to-end smoke check.

Changes

• Map each fixture name to its required external binary; skip cleanly when missing — same pattern daemon/tests/fixtures.rs already uses.
• Capture daemon stderr to a tempfile and dump it on failure so the next regression doesn't require source-code spelunking.
• Update docstring + replace the misleading "expected hallucinated-import" message.

Test plan

• CI green on this branch (rust_analyzer skips, semgrep should now produce diagnostics OR surface stderr if it doesn't)
• If semgrep still emits 0, the captured stderr will tell us why and a follow-up commit can address it

[ThomasPluck]

Status

The original CI failure on master (the daemon (Rust) → fixture integration step) is fixed by this PR. The daemon (Rust) job is fully green:

• ✅ cargo fmt / cargo test --release --all
• ✅ fixture integration (rust_analyzer skips cleanly, semgrep produces 4 diagnostics, all others pass)

Two follow-up items surfaced

1. extension + webview (TS) job is broken (pre-existing, unrelated)

This job has needs: daemon so it never actually ran on master while daemon was red. With daemon now green it runs for the first time — and all 26 Playwright tests fail with net::ERR_CONNECTION_REFUSED at http://127.0.0.1:4173/. The vite preview webServer block in webview/playwright.config.ts is configured but the server never seems to start (no "Local:"/"Network:" output in the log). Likely needs separate investigation. Worth a dedicated PR.

2. Cargo test flake on pyright_fixture_flags_type_error_when_pyright_is_installed

Failed once on this PR (run attempt 1) with 0 pyright diagnostics, passed on rerun. Multiple integration tests invoke pyright in parallel; pyright-via-pip uses nodeenv which downloads node on first invocation, so the first concurrent caller wins and the others can race. Cheap fix: set IVE_SKIP_PYRIGHT=1 for the integration tests that don't specifically test pyright (they currently inherit the env). Out of scope for this PR.

3. Design question: how should IVE handle user workspaces with their own tests/ dir?

The .semgrepignore at the IVE root unblocks our self-tests, but for any user repo IVE scans, semgrep's built-in default .semgrepignore (which excludes test/, tests/, vendor/, node_modules/, etc.) will silently filter those files. IVE's scanner::walk_workspace already handles workspace traversal — semgrep second-guessing it produces silent false-negatives. Worth a daemon-level fix: either pass each file to semgrep explicitly, or write a temporary .semgrepignore at the project root for the duration of a scan.