fix: restore lint env and clamp digits base

Author: flyingrobots

.github/workflows/pr-guard.yml

@@ -40,7 +40,7 @@ jobs:
 
       - name: Conventional-commit lint
         env:
-          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-          PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
         run: |
-          scripts/ci/lint-commits.sh "$PR_BASE_REF...$PR_HEAD_SHA"
+          scripts/ci/lint-commits.sh "$BASE_REF...$HEAD_SHA"

AGENTS.md

@@ -96,3 +96,5 @@ See [docs/guides/DEBRIEF_FORMAT.md](docs/guides/DEBRIEF_FORMAT.md) for the JSONL
 {"date": "2025-10-19", "time": "22:37", "summary": "Reworked clock timing, hardened coverage collection, and silenced Semgrep by tightening workflows and container security.", "topics": [{"topic": "QCA timer", "what": "Swapped the non-standard TIME_MONOTONIC path for clock_gettime(CLOCK_MONOTONIC) with a timespec_get fallback.", "why": "GNU-GON-CRY job demanded a standards-compliant monotonic timer under Linux.", "context": "Earlier removal of _POSIX_C_SOURCE broke the old clock_gettime use, so we need guarded usage instead.", "issue": "timespec_get(TIME_MONOTONIC) is not portable and failed the clang-tidy include-cleaner check.", "resolution": "Guarded clock_gettime behind #ifdef CLOCK_MONOTONIC and kept TIME_UTC as the fallback path.", "future_work": "Verify downstream call sites accept the new failure mode (false when neither clock API succeeds).", "time_percent": 35}, {"topic": "Coverage artifacts", "what": "Pointed LLVM_PROFILE_FILE at an absolute workspace path and added a guard that fails fast when no profraw files appear.", "why": "Codecov job still exited with missing coverage-*.profraw after ctest changed directories inside build/.", "context": "Runner executes the coverage step from repo root while tests run inside build; relative paths double-counted the build prefix.", "issue": "The merge step globbed an empty set and llvm-profdata aborted.", "resolution": "Introduced PROFILE_DIR, verified file presence, and merged using the absolute glob.", "future_work": "Monitor the next CI run to ensure coverage artifacts upload successfully.", "time_percent": 25}, {"topic": "Security audit", "what": "Eliminated semgrep's blocking findings by using env indirection in workflows, running containers as a non-root user, and tightening docker-compose security opts.", "why": "Semgrep marked our workflows and Docker setup as high risk, causing the audit to exit with CRITICAL status.", "context": "GNU-GON-CRY pass plus security audit are required gates for PR #70.", "issue": "Run steps interpolated GitHub context directly and the Docker resources defaulted to root/writable FS; our script also detected false positives for 'gets'.", "resolution": "Bound GitHub context through env vars, created a metagraph user in the matrix image, applied no-new-privileges with read-only rootfs, and restricted the grep heuristics to real C sources.", "future_work": "Consider adding tmpfs mappings if read_only surfaces runtime issues in compose usage.", "time_percent": 25}, {"topic": "CI hardening", "what": "Installed semgrep via pip in the quality matrix workflow so Release jobs match security-audit expectations.", "why": "Semgrep availability previously flapped between local and CI environments.", "context": "scripts/security-audit.sh now depends on semgrep rather than treating its absence as CRITICAL.", "issue": "Without reproducible installation the job failed before scanning.", "resolution": "Added python3-pip dependency and exported ~/.local/bin on runners.", "future_work": "Evaluate caching Semgrep to speed up matrix builds.", "time_percent": 15}], "key_decisions": ["Favor guarded clock_gettime over reintroducing reserved feature-test macros for monotonic timing.", "Treat Semgrep's blocking rules as actionable and fix pipelines/containers rather than suppressing results."], "action_items": [{"task": "Verify coverage, clang-tidy, and security audit jobs succeed on the next CI cycle.", "owner": "James"}]}
 
 {"date": "2025-10-20", "time": "04:36", "summary": "Polished CI lint and coverage workflows per review feedback and addressed Codecov throttling.", "topics": [{"topic": "Nightly fuzz workflow", "what": "Removed the redundant DURATION self-assignment and quoted nproc expansions for jobs/workers.", "why": "Reviewer flagged the no-op assignment and shell word-splitting risk.", "context": "GNU fuzz job is part of PR #70 quality matrix.", "issue": "Potential shell lint issues and confusing scripting.", "resolution": "Tweaked env usage and quoting so the step is clean and deterministic.", "future_work": "None.", "time_percent": 15}, {"topic": "PR guard consistency", "what": "Standardized env variable prefixes (PR_*) across branch, version, and commit lint steps.", "why": "Feedback requested uniform naming.", "context": "Workflow readability/maintainability.", "issue": "Mixed naming conventions.", "resolution": "Renamed envs and adjusted script invocation to match.", "future_work": "Monitor for any scripts relying on old names (none expected).", "time_percent": 10}, {"topic": "Strict lint + static asserts", "what": "Simplified the _Static_assert in src/error.c to use the conventional sizeof expression.", "why": "Reviewer disliked the bool cast workaround.", "context": "STRICTNESS_GOD_TIER clang-tidy.", "issue": "Unconventional static assertion syntax.", "resolution": "Restored canonical `_Static_assert(sizeof(digits) >= 64U, ...)`.", "future_work": "None.", "time_percent": 15}, {"topic": "GNU-GON-CRY integration", "what": "Adjusted clang-tidy job to rely on MG_TIDY_BUILD_DIR instead of passing -p and upgraded Codecov action to v5 with a graceful retry policy.", "why": "CI failed because run-clang-tidy.sh doesn't accept -p and Codecov v3 hit rate limiting.", "context": "Maintaining green CI for PR #70.", "issue": "Unknown option errors and Codecov upload failures.", "resolution": "Removed the incompatible flag, set env, bumped Codecov action, and disabled fail-on-error so rate limits don't break the pipeline.", "future_work": "Investigate adding CODECOV_TOKEN if org allows to avoid 429s entirely.", "time_percent": 35}, {"topic": "Security audit hygiene", "what": "Updated the dangerous function grep to respect word boundaries and kept the docker compose/run scripts compliant with Semgrep.", "why": "Ensures the audit tool won\u2019t produce new false positives after the script tweak.", "context": "Semgrep gating Release matrix.", "issue": "Need to guarantee the refined regex is correct.", "resolution": "Escaped word-boundary regex properly and verified the audit runs clean locally.", "future_work": "Review future audit rule updates.", "time_percent": 25}], "key_decisions": ["Prefer environment configuration over CLI flags for run-clang-tidy.sh compatibility.", "Allow Codecov uploads to be non-blocking under rate limiting until a token is configured."], "action_items": []}
+
+{"date": "2025-10-20", "time": "04:42", "summary": "Tweaked PR guard env vars and hardened unsigned builder checks per latest review notes.", "topics": [{"topic": "PR guard env naming", "what": "Restored HEAD_SHA/BASE_REF env keys for lint-commits.sh compatibility.", "why": "Reviewer noted the script still references the original variables.", "context": "CI PR gate job was failing due to undefined variables.", "issue": "Renamed vars caused lint-commits.sh to read empty values.", "resolution": "Reintroduced HEAD_SHA and BASE_REF in the workflow step.", "future_work": "None.", "time_percent": 40}, {"topic": "Unsigned builder guard", "what": "Clamped numeric base to [2,16] and replaced the static_assert with a typedef-based compile-time check.", "why": "Feedback requested safe indexing into the digits alphabet and lint still flagged the assert expression.", "context": "metagraph_builder_append_unsigned handles arbitrary bases.", "issue": "Values >16 overflowed the lookup and clang-tidy kept complaining about implicit conversions.", "resolution": "Normalized base values and leveraged a typedef-sized array to enforce compile-time capacity.", "future_work": "Consider exposing constants for max supported base if more callers appear.", "time_percent": 60}], "key_decisions": ["Keep run-clang-tidy.sh interface unchanged by feeding its expected env vars instead of patching the script."], "action_items": []}

src/error.c

@@ -205,10 +205,13 @@ metagraph_builder_append_unsigned(metagraph_message_builder_t *builder,
                                   bool uppercase) {
     if (base < 2U) {
         base = 10U;
+    } else if (base > 16U) {
+        base = 16U;
     }
     char digits[64];
-    _Static_assert(sizeof(digits) >= 64U,
-                   "digits buffer must accommodate 64-bit conversion");
+    typedef char
+        metagraph_digits_static_assert_t[(sizeof digits >= 64U) ? 1 : -1];
+    (void)sizeof(metagraph_digits_static_assert_t);
     const char *alphabet = "0123456789abcdef";
     if (uppercase) {
         alphabet = "0123456789ABCDEF";