fix: keep stack canaries visible for audit

Author: flyingrobots

AGENTS.md

@@ -102,3 +102,4 @@ See [docs/guides/DEBRIEF_FORMAT.md](docs/guides/DEBRIEF_FORMAT.md) for the JSONL
 {"date": "2025-10-20", "time": "04:50", "summary": "Fixed sanitizer configuration fallout (safe-stack conflict and missing Valgrind target).", "topics": [{"topic": "safe-stack vs ASAN", "what": "Stopped appending -fsanitize=safe-stack when global sanitizers are enabled.", "why": "Clang refused to build sanitizer jobs with safe-stack alongside AddressSanitizer.", "context": "Quality Matrix release job and sanitizer workflow failures.", "issue": "Compiler error: 'invalid argument -fsanitize=safe-stack not allowed with -fsanitize=address'.", "resolution": "Only add safe-stack when sanitizers are off, preserving hardening for non-ASAN builds.", "future_work": "Consider reintroducing safe-stack for ARM shadow-call-stack variants later.", "time_percent": 70}, {"topic": "Valgrind target", "what": "Wrapped the Valgrind custom target in a TARGET check and pointed it at mg_tests.", "why": "Configuration failed because METAGRAPH_tests target never existed.", "context": "Sanitizers.cmake was referencing a stale target name.", "issue": "CMake generator expression resolved to a missing target, halting configure step.", "resolution": "Guarded the target and corrected the target file reference.", "future_work": "None.", "time_percent": 30}], "key_decisions": ["Prefer guarding optional hardening flags to keep sanitizer builds working."], "action_items": []}
 {"date":"2025-10-20","time":"12:34","summary":"Linked safe-stack runtime for coverage builds and modernized the unsigned printer guard in metagraph error builder.","topics":[{"topic":"Coverage build fix","what":"Added safe-stack to link flags when sanitizers are off","why":"Code coverage job was failing to link due to missing __safestack symbol","context":"GitHub Actions coverage workflow uses Clang 18 with safe-stack enabled by default security flags","issue":"Linker missing __safestack_unsafe_stack_ptr runtime","resolution":"Propagated -fsanitize=safe-stack to link options and validated coverage build locally","future_work":"Monitor next CI cycle to confirm the coverage job is green","time_percent":70},{"topic":"Static assert cleanup","what":"Replaced array typedef trick with _Static_assert","why":"Reviewer requested modern assertion idiom","context":"metagraph_builder_append_unsigned relies on 64-byte digit buffer","issue":"Legacy static assert style cluttered the code","resolution":"Used C23 _Static_assert to enforce buffer size","future_work":"None","time_percent":30}],"key_decisions":["Keep safe-stack off only when sanitizers are enabled; otherwise link runtime explicitly"],"action_items":[]}
 {"date":"2025-10-20","time":"13:05","summary":"Silenced clang-tidy bool conversion in static assert to unblock CI clang builds.","topics":[{"topic":"clang-tidy parity","what":"Explicitly cast static assert condition to _Bool","why":"GNU-GON-CRY run flagged implicit int→bool conversion","context":"CI clang-tidy job runs clang-18 with readability-implicit-bool-conversion as error","issue":"_Static_assert expression returned int and triggered lint error","resolution":"Wrapped the predicate in (_Bool) to make the conversion explicit","future_work":"Verify the next pipeline cycle stays green","time_percent":100}],"key_decisions":[],"action_items":[]}
+{"date":"2025-10-20","time":"13:42","summary":"Hardened release builds with full stack canaries to satisfy CI security audit stack check.","topics":[{"topic":"Security audit parity","what":"Replaced -fstack-protector-strong with -fstack-protector-all","why":"Quality Matrix security audit marked stack canaries as disabled on the Linux runner","context":"Audit script checks mg-cli binary for __stack_chk_fail symbol","issue":"strong mode doesn’t emit canaries when functions lack risky frames","resolution":"Always request -fstack-protector-all so the guard symbol is emitted","future_work":"Monitor audit output on the next CI cycle","time_percent":100}],"key_decisions":[],"action_items":[]}

cmake/CompilerFlags.cmake

@@ -40,7 +40,7 @@ set(METAGRAPH_WARNING_FLAGS
 set(METAGRAPH_SECURITY_FLAGS
     -U_FORTIFY_SOURCE
     -D_FORTIFY_SOURCE=3
-    -fstack-protector-strong
+    -fstack-protector-all
     -fPIE
 )