Decouple security gate from pipeline, fix clang-format-20 and Linux agent detection

Workflow:
- Split _lint.yml (cppcheck + clang-format) from _security.yml
  (security-static + codeql-gate)
- Dry Run: security runs as independent island, not blocking
  lint → test → build → smoke/soak
- Release: security only blocks final verify step

Fixes:
- pass_semantic_edges.c: typedef hyperplane_row_t avoids function-returning-
  array-pointer syntax that clang-format-20 rejects
- cli.c: Linux agent detection uses home_dir-relative .config/ paths
  instead of cbm_app_config_dir() which ignores the test home_dir

Author: DeusData

.github/workflows/_lint.yml

@@ -1,4 +1,5 @@
-# Reusable: lint + security-static + codeql-gate
+# Reusable: lint only (cppcheck + clang-format).
+# Security-static and CodeQL gate are separate — see _security.yml.
 name: Lint & Security
 
 on:
@@ -43,60 +44,3 @@ jobs:
 
       - name: Lint (cppcheck + clang-format, no clang-tidy — enforced locally)
         run: scripts/lint.sh --ci CLANG_FORMAT=clang-format-20
-
-  security-static:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: "Layer 1: Static allow-list audit"
-        run: scripts/security-audit.sh
-      - name: "Layer 6: UI security audit"
-        run: scripts/security-ui.sh
-      - name: "Layer 8: Vendored dependency integrity"
-        run: scripts/security-vendored.sh
-
-  codeql-gate:
-    runs-on: ubuntu-latest
-    timeout-minutes: 50
-    steps:
-      - name: Wait for CodeQL on current commit (max 45 min)
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          CURRENT_SHA="${{ github.sha }}"
-          echo "Waiting for CodeQL to complete on $CURRENT_SHA..."
-          for attempt in $(seq 1 90); do
-            LATEST=$(gh api repos/${{ github.repository }}/actions/workflows/codeql.yml/runs?per_page=5 \
-              --jq '.workflow_runs[] | select(.head_sha == "'"$CURRENT_SHA"'") | "\(.conclusion) \(.status)"' 2>/dev/null | head -1 || echo "")
-            if [ -z "$LATEST" ]; then
-              echo "  $attempt/90: no run yet..."; sleep 30; continue
-            fi
-            CONCLUSION=$(echo "$LATEST" | cut -d' ' -f1)
-            STATUS=$(echo "$LATEST" | cut -d' ' -f2)
-            if [ "$STATUS" = "completed" ] && [ "$CONCLUSION" = "success" ]; then
-              echo "=== CodeQL passed ==="; exit 0
-            elif [ "$STATUS" = "completed" ]; then
-              echo "BLOCKED: CodeQL $CONCLUSION"; exit 1
-            fi
-            echo "  $attempt/90: $STATUS..."; sleep 30
-          done
-          echo "BLOCKED: CodeQL timeout"; exit 1
-
-      - name: Check for open code scanning alerts
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          echo "Waiting 60s for alert API to settle..."
-          sleep 60
-          ALERTS=$(gh api 'repos/${{ github.repository }}/code-scanning/alerts?state=open' --jq 'length' 2>/dev/null || echo "0")
-          sleep 15
-          ALERTS2=$(gh api 'repos/${{ github.repository }}/code-scanning/alerts?state=open' --jq 'length' 2>/dev/null || echo "0")
-          [ "$ALERTS" -lt "$ALERTS2" ] && ALERTS=$ALERTS2
-          if [ "$ALERTS" -gt 0 ]; then
-            echo "BLOCKED: $ALERTS open alert(s)"
-            gh api 'repos/${{ github.repository }}/code-scanning/alerts?state=open' \
-              --jq '.[] | "  #\(.number) [\(.rule.security_severity_level // .rule.severity)] \(.rule.id) — \(.most_recent_instance.location.path):\(.most_recent_instance.location.start_line)"' 2>/dev/null || true
-            exit 1
-          fi
-          echo "=== CodeQL gate passed (0 alerts) ==="

.github/workflows/_security.yml

@@ -0,0 +1,68 @@
+# Reusable: security-static + CodeQL gate.
+# Runs independently from lint/test/build — does not block the main pipeline.
+# Affects overall workflow success status.
+name: Security Gate
+
+on:
+  workflow_call: {}
+
+permissions:
+  contents: read
+
+jobs:
+  security-static:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: "Layer 1: Static allow-list audit"
+        run: scripts/security-audit.sh
+      - name: "Layer 6: UI security audit"
+        run: scripts/security-ui.sh
+      - name: "Layer 8: Vendored dependency integrity"
+        run: scripts/security-vendored.sh
+
+  codeql-gate:
+    runs-on: ubuntu-latest
+    timeout-minutes: 50
+    steps:
+      - name: Wait for CodeQL on current commit (max 45 min)
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          CURRENT_SHA="${{ github.sha }}"
+          echo "Waiting for CodeQL to complete on $CURRENT_SHA..."
+          for attempt in $(seq 1 90); do
+            LATEST=$(gh api repos/${{ github.repository }}/actions/workflows/codeql.yml/runs?per_page=5 \
+              --jq '.workflow_runs[] | select(.head_sha == "'"$CURRENT_SHA"'") | "\(.conclusion) \(.status)"' 2>/dev/null | head -1 || echo "")
+            if [ -z "$LATEST" ]; then
+              echo "  $attempt/90: no run yet..."; sleep 30; continue
+            fi
+            CONCLUSION=$(echo "$LATEST" | cut -d' ' -f1)
+            STATUS=$(echo "$LATEST" | cut -d' ' -f2)
+            if [ "$STATUS" = "completed" ] && [ "$CONCLUSION" = "success" ]; then
+              echo "=== CodeQL passed ==="; exit 0
+            elif [ "$STATUS" = "completed" ]; then
+              echo "BLOCKED: CodeQL $CONCLUSION"; exit 1
+            fi
+            echo "  $attempt/90: $STATUS..."; sleep 30
+          done
+          echo "BLOCKED: CodeQL timeout"; exit 1
+
+      - name: Check for open code scanning alerts
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          echo "Waiting 60s for alert API to settle..."
+          sleep 60
+          ALERTS=$(gh api 'repos/${{ github.repository }}/code-scanning/alerts?state=open' --jq 'length' 2>/dev/null || echo "0")
+          sleep 15
+          ALERTS2=$(gh api 'repos/${{ github.repository }}/code-scanning/alerts?state=open' --jq 'length' 2>/dev/null || echo "0")
+          [ "$ALERTS" -lt "$ALERTS2" ] && ALERTS=$ALERTS2
+          if [ "$ALERTS" -gt 0 ]; then
+            echo "BLOCKED: $ALERTS open alert(s)"
+            gh api 'repos/${{ github.repository }}/code-scanning/alerts?state=open' \
+              --jq '.[] | "  #\(.number) [\(.rule.security_severity_level // .rule.severity)] \(.rule.id) — \(.most_recent_instance.location.path):\(.most_recent_instance.location.start_line)"' 2>/dev/null || true
+            exit 1
+          fi
+          echo "=== CodeQL gate passed (0 alerts) ==="

.github/workflows/dry-run.yml

@@ -1,12 +1,18 @@
 # Manual trigger: test everything before pushing a release.
 # Each step can be skipped for faster iteration.
+#
+# Pipeline:  lint → test → build → smoke/soak   (sequential chain)
+# Security:  security-static + codeql-gate       (independent island)
+#
+# Security does NOT block lint/test/build/smoke/soak. All jobs must pass
+# for the overall workflow to be green.
 name: Dry Run
 
 on:
   workflow_dispatch:
     inputs:
       skip_lint:
-        description: 'Skip lint + security + CodeQL'
+        description: 'Skip lint (cppcheck + clang-format)'
         type: boolean
         default: false
       skip_tests:
@@ -27,33 +33,37 @@ permissions:
   contents: read
 
 jobs:
-  # ── Lint + Security ──────────────────────────────────────────
+  # ── Security (independent island — does not block main pipeline) ──
+  security:
+    uses: ./.github/workflows/_security.yml
+    secrets: inherit
+
+  # ── Lint (cppcheck + clang-format) ────────────────────────────
   lint:
     if: ${{ inputs.skip_lint != true }}
     uses: ./.github/workflows/_lint.yml
-    secrets: inherit
 
-  # ── Tests (all platforms, perf tests skipped on CI) ──────────
+  # ── Tests (all platforms, perf tests skipped on CI) ────────────
   test:
     needs: [lint]
     if: ${{ inputs.skip_tests != true && !cancelled() && (needs.lint.result == 'success' || needs.lint.result == 'skipped') }}
     uses: ./.github/workflows/_test.yml
     with:
       skip_perf: true
 
-  # ── Build all platforms ──────────────────────────────────────
+  # ── Build all platforms ────────────────────────────────────────
   build:
     if: ${{ inputs.skip_builds != true && !cancelled() && (needs.test.result == 'success' || needs.test.result == 'skipped') }}
     needs: [test]
     uses: ./.github/workflows/_build.yml
 
-  # ── Smoke test every binary ─────────────────────────────────
+  # ── Smoke test every binary ────────────────────────────────────
   smoke:
     if: ${{ inputs.skip_builds != true && !cancelled() && needs.build.result == 'success' }}
     needs: [build]
     uses: ./.github/workflows/_smoke.yml
 
-  # ── Soak tests (optional, parallel with smoke) ──────────────
+  # ── Soak tests (optional, parallel with smoke) ────────────────
   soak:
     if: ${{ inputs.soak_level != 'none' && !cancelled() && needs.build.result == 'success' }}
     needs: [build]

.github/workflows/release.yml

@@ -1,4 +1,8 @@
-# Release pipeline: lint → test → build → smoke → soak → draft → verify → publish
+# Release pipeline: lint → test → build → smoke/soak → draft → verify → publish
+#
+# Security (security-static + codeql-gate) starts immediately and runs in
+# parallel with lint/test/build/smoke/soak. It only blocks the final verify
+# step — everything else proceeds independently.
 name: Release
 
 on:
@@ -27,31 +31,35 @@ permissions:
   contents: read
 
 jobs:
-  # ── 1. Lint + Security + CodeQL ────────────────────────────────
+  # ── Security (starts immediately, blocks only verify) ───────────
+  security:
+    uses: ./.github/workflows/_security.yml
+    secrets: inherit
+
+  # ── 1. Lint (cppcheck + clang-format) ───────────────────────────
   lint:
     uses: ./.github/workflows/_lint.yml
-    secrets: inherit
 
-  # ── 2. Tests (all platforms, full suite for release) ───────────
+  # ── 2. Tests (all platforms, full suite for release) ────────────
   test:
     needs: [lint]
     uses: ./.github/workflows/_test.yml
     with:
       skip_perf: false
 
-  # ── 3. Build all platforms ─────────────────────────────────────
+  # ── 3. Build all platforms ──────────────────────────────────────
   build:
     needs: [test]
     uses: ./.github/workflows/_build.yml
     with:
       version: ${{ inputs.version }}
 
-  # ── 4. Smoke test every binary ─────────────────────────────────
+  # ── 4. Smoke test every binary ──────────────────────────────────
   smoke:
     needs: [build]
     uses: ./.github/workflows/_smoke.yml
 
-  # ── 5. Soak tests ─────────────────────────────────────────────
+  # ── 5. Soak tests ──────────────────────────────────────────────
   soak:
     if: ${{ inputs.soak_level != 'none' }}
     needs: [build]
@@ -61,9 +69,9 @@ jobs:
       run_asan: ${{ inputs.soak_level == 'full' }}
       version: ${{ inputs.version }}
 
-  # ── 6. Create DRAFT release ───────────────────────────────────
+  # ── 6. Create DRAFT release ────────────────────────────────────
   release-draft:
-    needs: [smoke, soak, lint]
+    needs: [smoke, soak]
     if: ${{ !cancelled() && !failure() }}
     runs-on: ubuntu-latest
     permissions:
@@ -157,9 +165,9 @@ jobs:
           body: ${{ inputs.release_notes || '' }}
           generate_release_notes: ${{ inputs.release_notes == '' }}
 
-  # ── 7. Verify + Publish ────────────────────────────────────────
+  # ── 7. Verify + Publish (requires security gate) ───────────────
   verify:
-    needs: [release-draft]
+    needs: [release-draft, security]
     runs-on: ubuntu-latest
     permissions:
       contents: write

src/cli/cli.c

@@ -997,12 +997,7 @@ cbm_detected_agents_t cbm_detect_agents(const char *home_dir) {
         }
     }
 #else
-    {
-        const char *zed_cfg = cbm_app_config_dir();
-        if (zed_cfg) {
-            snprintf(path, sizeof(path), "%s/zed", zed_cfg);
-        }
-    }
+    snprintf(path, sizeof(path), "%s/.config/zed", home_dir);
 #endif
     agents.zed = dir_exists(path);
 
@@ -1020,24 +1015,14 @@ cbm_detected_agents_t cbm_detect_agents(const char *home_dir) {
     snprintf(path, sizeof(path),
              "%s/Library/Application Support/Code/User/globalStorage/kilocode.kilo-code", home_dir);
 #else
-    {
-        const char *kc_cfg = cbm_app_config_dir();
-        if (kc_cfg) {
-            snprintf(path, sizeof(path), "%s/Code/User/globalStorage/kilocode.kilo-code", kc_cfg);
-        }
-    }
+    snprintf(path, sizeof(path), "%s/.config/Code/User/globalStorage/kilocode.kilo-code", home_dir);
 #endif
     agents.kilocode = dir_exists(path);
 
 #ifdef __APPLE__
     snprintf(path, sizeof(path), "%s/Library/Application Support/Code/User", home_dir);
 #else
-    {
-        const char *vs_cfg = cbm_app_config_dir();
-        if (vs_cfg) {
-            snprintf(path, sizeof(path), "%s/Code/User", vs_cfg);
-        }
-    }
+    snprintf(path, sizeof(path), "%s/.config/Code/User", home_dir);
 #endif
     agents.vscode = dir_exists(path);
 

src/pipeline/pass_semantic_edges.c

@@ -657,10 +657,13 @@ enum {
     SEM_MAX_CANDIDATES = 200,
 };
 
+/* Row of a hyperplane matrix: float[CBM_SEM_DIM]. */
+typedef float hyperplane_row_t[CBM_SEM_DIM];
+
 typedef struct {
     cbm_sem_func_t *funcs;
     uint64_t *signatures;
-    float (*hyperplanes)[CBM_SEM_DIM];
+    hyperplane_row_t *hyperplanes;
     int func_count;
     _Atomic int next_idx;
 } sig_build_ctx_t;
@@ -975,8 +978,8 @@ static void phase3c_export_token_vectors(cbm_gbuf_t *gbuf, cbm_sem_corpus_t *cor
 
 /* Phase 5a: generate NUM_HYPERPLANES × CBM_SEM_DIM deterministic random
  * float hyperplanes seeded from XXH3 so signatures are reproducible. */
-static float (*phase5a_build_hyperplanes(void)) [CBM_SEM_DIM] {
-    float (*hyperplanes)[CBM_SEM_DIM] = malloc(sizeof(float[NUM_HYPERPLANES][CBM_SEM_DIM]));
+static hyperplane_row_t *phase5a_build_hyperplanes(void) {
+    hyperplane_row_t *hyperplanes = malloc(sizeof(hyperplane_row_t) * NUM_HYPERPLANES);
     if (!hyperplanes) {
         return NULL;
     }
@@ -1058,7 +1061,7 @@ static void phase4_build_and_store_vectors(cbm_gbuf_t *gbuf, cbm_sem_func_t *fun
  * caller frees both. */
 static void phase5_lsh_build(cbm_sem_func_t *funcs, int func_count, int worker_count,
                              uint64_t **out_signatures, sem_bucket_t ***out_buckets) {
-    float (*hyperplanes)[CBM_SEM_DIM] = phase5a_build_hyperplanes();
+    hyperplane_row_t *hyperplanes = phase5a_build_hyperplanes();
     uint64_t *signatures = calloc((size_t)func_count, sizeof(uint64_t));
     if (hyperplanes && signatures) {
         sig_build_ctx_t sc = {