fix(security): Verify magic bytes instead of file(1) for trace_processor

The previous check ran `file /tmp/trace_processor | grep -q executable` after
downloading the Perfetto trace_processor wrapper. That is unreliable in both
directions:

- get.perfetto.dev currently serves a Python wrapper script (#!/usr/bin/env
  python3). Depending on the file(1) version and magic database, shebang
  scripts may be reported as "Python script, ASCII text" without the word
  "executable", failing the check.
- If Perfetto ever switches to native PIE ELF binaries, older file(1) versions
  (< 5.36) report them as "shared object" without "executable", also failing.

In both cases the valid download was deleted and the workflow aborted.

Check magic bytes directly instead — shebang (#!), ELF, or Mach-O — which is
stable across platforms and file(1) versions. Also add `curl --fail` so HTTP
errors do not leave a partial/HTML response on disk that would then be
validated.

Refs LINEAR-EME-1060
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: romtsn

.claude/skills/btrace-perfetto/SKILL.md

@@ -22,15 +22,23 @@ Before starting, verify:
    ```
 3. **Perfetto trace_processor**: Check if `/tmp/trace_processor` exists. If not, download it:
    ```bash
-   # Download trace_processor
-   curl -sL "https://get.perfetto.dev/trace_processor" -o /tmp/trace_processor
-
-   # Verify the file is a valid executable (check file type and size)
-   if [[ ! -s /tmp/trace_processor ]] || ! file /tmp/trace_processor | grep -q "executable"; then
-     echo "Error: Downloaded file is not a valid executable"
-     rm -f /tmp/trace_processor
-     exit 1
-   fi
+   # Download trace_processor (--fail ensures HTTP errors don't leave a file behind)
+   curl -sSL --fail "https://get.perfetto.dev/trace_processor" -o /tmp/trace_processor
+
+   # Verify magic bytes directly — file(1) output is too inconsistent across
+   # versions/platforms to rely on for scripts or PIE binaries.
+   magic=$(head -c 4 /tmp/trace_processor 2>/dev/null | od -An -vtx1 -N4 | tr -d ' \n')
+   case "$magic" in
+     2321*)                               ;; # #! shebang (script)
+     7f454c46)                            ;; # ELF (Linux)
+     cffaedfe|cefaedfe|feedfacf|feedface) ;; # Mach-O (macOS)
+     cafebabe)                            ;; # Mach-O universal
+     *)
+       echo "Error: Downloaded file is not a valid script or executable (magic: ${magic:-empty})"
+       rm -f /tmp/trace_processor
+       exit 1
+       ;;
+   esac
 
    # Make executable only after verification
    chmod +x /tmp/trace_processor