fix: modernize error assert and audit pie detection

Author: flyingrobots

AGENTS.md

@@ -104,3 +104,4 @@ See [docs/guides/DEBRIEF_FORMAT.md](docs/guides/DEBRIEF_FORMAT.md) for the JSONL
 {"date":"2025-10-20","time":"13:05","summary":"Silenced clang-tidy bool conversion in static assert to unblock CI clang builds.","topics":[{"topic":"clang-tidy parity","what":"Explicitly cast static assert condition to _Bool","why":"GNU-GON-CRY run flagged implicit int→bool conversion","context":"CI clang-tidy job runs clang-18 with readability-implicit-bool-conversion as error","issue":"_Static_assert expression returned int and triggered lint error","resolution":"Wrapped the predicate in (_Bool) to make the conversion explicit","future_work":"Verify the next pipeline cycle stays green","time_percent":100}],"key_decisions":[],"action_items":[]}
 {"date":"2025-10-20","time":"13:42","summary":"Hardened release builds with full stack canaries to satisfy CI security audit stack check.","topics":[{"topic":"Security audit parity","what":"Replaced -fstack-protector-strong with -fstack-protector-all","why":"Quality Matrix security audit marked stack canaries as disabled on the Linux runner","context":"Audit script checks mg-cli binary for __stack_chk_fail symbol","issue":"strong mode doesn’t emit canaries when functions lack risky frames","resolution":"Always request -fstack-protector-all so the guard symbol is emitted","future_work":"Monitor audit output on the next CI cycle","time_percent":100}],"key_decisions":[],"action_items":[]}
 {"date":"2025-10-20","time":"15:12","summary":"Taught the security audit to recognize safe-stack builds and dump details when failing in CI.","topics":[{"topic":"Audit false positive","what":"Detect __safestack_unsafe_stack_ptr alongside __stack_chk_fail","why":"Linux Release builds use Clang safe-stack so the previous detector flagged stack canaries as missing","context":"Quality Matrix security audit kept aborting despite hardening flags","issue":"Audit only looked for __stack_chk_fail which isn’t emitted with safe-stack","resolution":"Count either symbol and continue to report stack protection as enabled","future_work":"Keep an eye on future toolchain upgrades in case symbol names change","time_percent":70},{"topic":"CI diagnostics","what":"Emit the full .ignored/security-audit.txt before exiting","why":"Artifact upload isn’t always reliable, making it hard to inspect failures","context":"GitHub Actions quality matrix","issue":"Engineers could not see what triggered the critical flag","resolution":"Surface the report inline when the script exits non-zero","future_work":"None","time_percent":30}],"key_decisions":[],"action_items":[]}
+```

scripts/security-audit.sh

@@ -71,12 +71,23 @@ analyze_binary_security() {
             echo "❌ Stack protection: DISABLED" >> .ignored/security-audit.txt
         fi
 
-        # Check for PIE
-        if file "$binary" | grep -q "shared object"; then
-            echo "✅ PIE (Position Independent Executable): ENABLED" >> .ignored/security-audit.txt
-        elif file "$binary" | grep -q "Mach-O.*executable.*PIE"; then
-            echo "✅ PIE (Position Independent Executable): ENABLED" >> .ignored/security-audit.txt
+        pie_output="$(file "$binary" 2>/dev/null || true)"
+        pie_enabled=false
+
+        if echo "$pie_output" | grep -qi "shared object"; then
+            pie_enabled=true
+        elif echo "$pie_output" | grep -qi "pie executable"; then
+            pie_enabled=true
+        elif echo "$pie_output" | grep -q "Mach-O.*executable.*PIE"; then
+            pie_enabled=true
         elif otool -hv "$binary" 2>/dev/null | grep -q "PIE"; then
+            pie_enabled=true
+        elif command -v readelf >/dev/null 2>&1 && \
+            readelf -h "$binary" 2>/dev/null | grep -q "Type:[[:space:]]*DYN"; then
+            pie_enabled=true
+        fi
+
+        if [ "$pie_enabled" = true ]; then
             echo "✅ PIE (Position Independent Executable): ENABLED" >> .ignored/security-audit.txt
         else
             echo "❌ PIE: DISABLED" >> .ignored/security-audit.txt

src/error.c

@@ -209,7 +209,7 @@ metagraph_builder_append_unsigned(metagraph_message_builder_t *builder,
         base = 16U;
     }
     char digits[64];
-    _Static_assert((_Bool)(sizeof(digits) >= 64U),
+    _Static_assert(sizeof(digits) >= 64U,
                    "digits buffer must be at least 64 bytes");
     const char *alphabet = "0123456789abcdef";
     if (uppercase) {