fix(pr-x1): two P2 codex findings on PR #167

1. array_chunks_checked: guard N == 0 before modulo
   `data.len() % 0` would panic via `slice::as_chunks::<0>()` (and the
   modulo itself). The strict-fallible contract folds N==0 into Err
   so callers on the checked surface never see an unexpected panic.
   New test `array_chunks_checked_rejects_zero_n` covers the edge.

2. Fingerprint<8>::as_u8x64: gate to target_endian = "little"
   The pointer-reinterpret returns a native-endian view; on a BE
   target the byte order would contradict the project-wide LE
   convention used by Fingerprint::to_bytes / from_bytes (both
   `u64::to_le_bytes` / `from_le_bytes`). `.cargo/config.toml` pins
   `target-cpu=x86-64-v4` so all supported targets are LE in
   practice — the cfg gate just makes the LE assumption explicit
   instead of implicit. SAFETY comment item 6 now cites the gate.
   The accompanying `pr_x1_as_u8x64_tests` module is gated to LE
   to match.

Both fixes per codex review threads on PR #167.

Author: claude

src/hpc/fingerprint.rs

@@ -650,6 +650,19 @@ impl Fingerprint<8> {
     /// For other `N` widths, use [`Fingerprint::chunks_u8x64`] which yields
     /// 64-byte chunks without the compile-time length guarantee.
     ///
+    /// # Endianness contract — little-endian only
+    ///
+    /// Gated to `#[cfg(target_endian = "little")]` so the returned byte view
+    /// matches the project-wide little-endian word convention used by
+    /// [`Fingerprint::to_bytes`] / [`Fingerprint::from_bytes`]
+    /// (both use `u64::to_le_bytes` / `u64::from_le_bytes`).
+    /// On a big-endian target the raw memory layout of `[u64; 8]` would put
+    /// the high byte first, contradicting the LE contract and breaking
+    /// cross-platform SIMD consumers. The `.cargo/config.toml` pins
+    /// `target-cpu=x86-64-v4`, so all supported targets (x86_64 + aarch64)
+    /// are little-endian; the cfg gate makes the LE assumption explicit
+    /// rather than implicit. See P2 review on PR #167.
+    ///
     /// # Design reference
     ///
     /// `.claude/knowledge/pr-x1-design.md` § "2. `Fingerprint::as_u8x64`".
@@ -679,6 +692,7 @@ impl Fingerprint<8> {
     /// assert_eq!(view[7], 0x01);
     /// assert_eq!(view[8], 0x00); // word[1] is zero
     /// ```
+    #[cfg(target_endian = "little")]
     #[inline]
     pub fn as_u8x64(&self) -> &[u8; 64] {
         // SAFETY:
@@ -696,11 +710,14 @@ impl Fingerprint<8> {
         // 5. The returned reference borrows from `&self`, so its lifetime cannot
         //    outlive `self`, satisfying the borrow-checker lifetime rule and
         //    preventing dangling references.
+        // 6. The `#[cfg(target_endian = "little")]` gate guarantees the byte
+        //    order matches the project-wide LE convention (P2 review fix #167).
         unsafe { &*(self.words.as_ptr() as *const [u8; 64]) }
     }
 }
 
 #[cfg(test)]
+#[cfg(target_endian = "little")]
 mod pr_x1_as_u8x64_tests {
     use super::*;
 

src/simd_ops.rs

@@ -337,6 +337,13 @@ pub fn array_chunks<T, const N: usize>(data: &[T]) -> impl Iterator<Item = &[T;
 /// the buffer is lane-aligned and wants the error surfaced rather than
 /// silently truncating.
 ///
+/// # Edge case — `N == 0`
+///
+/// Returns `Err(())` when `N == 0`. The underlying `slice::as_chunks::<0>`
+/// would panic on a zero divisor; the strict-fallible contract here folds
+/// that into the existing error path so callers never see an unexpected
+/// panic on the checked surface.
+///
 /// # Examples
 ///
 /// ```
@@ -347,11 +354,19 @@ pub fn array_chunks<T, const N: usize>(data: &[T]) -> impl Iterator<Item = &[T;
 ///
 /// let bad: Vec<u8> = (0..7).collect();
 /// assert!(array_chunks_checked::<u8, 4>(&bad).is_err());
+///
+/// // N == 0 surfaces as Err rather than panicking.
+/// assert!(array_chunks_checked::<u8, 0>(&[0u8; 8]).is_err());
 /// ```
 #[inline]
 pub fn array_chunks_checked<T, const N: usize>(
     data: &[T],
 ) -> Result<impl Iterator<Item = &[T; N]> + '_, ()> {
+    if N == 0 {
+        // `data.len() % 0` would panic; the strict-fallible contract
+        // folds N==0 into Err. See P2 review on PR #167.
+        return Err(());
+    }
     if data.len() % N != 0 {
         return Err(());
     }
@@ -401,4 +416,13 @@ mod array_chunks_tests {
         let it = array_chunks_checked::<u8, 4>(&[]).expect("0 % 4 == 0, should be Ok");
         assert_eq!(it.count(), 0);
     }
+
+    #[test]
+    fn array_chunks_checked_rejects_zero_n() {
+        // P2 review fix on PR #167: N == 0 must surface as Err, not panic
+        // via `data.len() % 0`.
+        assert!(array_chunks_checked::<u8, 0>(&[]).is_err());
+        assert!(array_chunks_checked::<u8, 0>(&[0u8; 8]).is_err());
+        assert!(array_chunks_checked::<u32, 0>(&[1u32, 2, 3]).is_err());
+    }
 }