The plan as outlined seems fine to me. When turning them into a hard error, it seems prudent to me to convert them to forbid by default or to otherwise leave the compiler understanding that the lint did exist. That way stragglers mentioning the lint will get something better than an error saying the lint doesn’t exist.
How could crater better support testing here? Does cap-lints affect forbidden lints? ISTM that just converting the lint to forbid and running through crater should be sufficient.
I guess I’d prefer these lints can be simply switched to some final ‘enabled’ state, that preserves the existence of the lint name, that can’t be disabled, isn’t impacted by cap-lints, and can be switched on with a one-liner for ease of cratering.