Add security audits to portable Linux smoke tests

Portable binaries now get the same security-strings, security-install,
and security-network audits as regular Linux/macOS builds. Closes gap
where the portable (musl static) binary was smoke-tested but not
security-audited.

Author: DeusData

.github/workflows/_smoke.yml

@@ -191,3 +191,10 @@ jobs:
           tar -xzf codebase-memory-mcp${SUFFIX}-linux-${{ matrix.arch }}-portable.tar.gz
           chmod +x codebase-memory-mcp
           scripts/smoke-test.sh ./codebase-memory-mcp
+
+      - name: Security audits (standard only)
+        if: matrix.variant == 'standard'
+        run: |
+          scripts/security-strings.sh ./codebase-memory-mcp
+          scripts/security-install.sh ./codebase-memory-mcp
+          scripts/security-network.sh ./codebase-memory-mcp

.github/workflows/release.yml

@@ -197,6 +197,14 @@ jobs:
           cp install.ps1 binaries/ 2>/dev/null || true
           ls -la binaries/
 
+      - name: Security audits on all release binaries
+        run: |
+          for bin in binaries/codebase-memory-mcp*; do
+            [ -f "$bin" ] || continue
+            echo "--- Auditing: $(basename "$bin") ---"
+            scripts/security-strings.sh "$bin"
+          done
+
       - name: VirusTotal scan
         uses: crazy-max/ghaction-virustotal@936d8c5c00afe97d3d9a1af26d017cfdf26800a2 # v5.0.0
         id: virustotal