Overhaul pre-commit hook and CI checks

This rewrites pre-commit hook from 7 basic checks to 11, adding
compiler-based syntax verification, security pattern detection, and
expanded banned function enforcement. All checks now operate on staged
index content via a materialized temp tree.

New checks:
 - Compiler -fsyntax-only pass (Linux only) with -Werror for format
   strings, implicit declarations, pointer type mismatches, and VLA
 - Security pattern scan on newly-added lines: non-literal format
   strings, missing O_CLOEXEC, positive errno returns, unchecked
   malloc multiplication, unbounded scanf, thread-unsafe functions
 - Expanded banned function list (13 functions)
 - Whitespace error detection via git diff --check
 - TODO/FIXME enforcement on new lines

Change-Id: Ic25657aaee3df44b155e92ae69e695c1c139f546

Author: jserv

.ci/check-cppcheck.sh

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# Run cppcheck static analysis on kbox source files (src/ only).
+# Tests are excluded -- they use stubs and have different rules.
+
+set -e -u -o pipefail
+
+mapfile -t SOURCES < <(git ls-files -z -- 'src/*.c' | tr '\0' '\n')
+
+if [ ${#SOURCES[@]} -eq 0 ]; then
+    echo "No tracked C source files found."
+    exit 0
+fi
+
+NPROC=$(nproc 2>/dev/null || echo 1)
+
+cppcheck -j"$NPROC" -I. -Iinclude -Isrc --enable=all --error-exitcode=1 \
+    --max-configs=4 --inline-suppr \
+    --suppress=checkersReport --suppress=unmatchedSuppression \
+    --suppress=missingIncludeSystem --suppress=noValidConfiguration \
+    --suppress=unusedFunction --suppress=syntaxError \
+    --suppress=preprocessorErrorDirective \
+    --suppress=normalCheckLevelMaxBranches \
+    --suppress=constParameterPointer --suppress=constParameterCallback \
+    --suppress=constVariablePointer --suppress=constParameter \
+    --suppress=unusedStructMember --suppress=redundantAssignment \
+    --suppress=staticFunction --suppress=checkLevelNormal \
+    --suppress=variableScope --suppress=compareValueOutOfTypeRangeError \
+    --suppress=constVariable --suppress=knownConditionTrueFalse \
+    --suppress=unreadVariable --suppress=redundantInitialization \
+    --suppress=shadowVariable \
+    -D_GNU_SOURCE -DKBOX_UNIT_TEST \
+    "${SOURCES[@]}"

.ci/check-format.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+# Verify clang-format-20 conformance for all tracked C/H files.
+
+# Require clang-format-20 -- older versions produce different output.
+if [ -z "${CLANG_FORMAT:-}" ]; then
+    if command -v clang-format-20 >/dev/null 2>&1; then
+        CLANG_FORMAT="clang-format-20"
+    else
+        echo "Error: clang-format-20 is required (older versions differ in style)" >&2
+        exit 1
+    fi
+fi
+
+ret=0
+while IFS= read -r -d '' file; do
+    expected=$(mktemp)
+    "$CLANG_FORMAT" "$file" >"$expected" 2>/dev/null
+    if ! diff -u -p --label="$file" --label="expected coding style" "$file" "$expected"; then
+        ret=1
+    fi
+    rm -f "$expected"
+done < <(git ls-files -z -- '*.c' '*.h')
+
+exit $ret

.ci/check-newline.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+# Ensure all tracked C/H files end with a newline.
+
+set -e -u -o pipefail
+
+ret=0
+while IFS= read -rd '' f; do
+    if file --mime-encoding "$f" | grep -qv binary; then
+        if [ -n "$(tail -c1 < "$f")" ]; then
+            echo "Warning: No newline at end of file $f"
+            ret=1
+        fi
+    fi
+done < <(git ls-files -z -- '*.c' '*.h')
+
+exit $ret

.ci/check-security.sh

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+# Security checks for kbox source files (src/ and include/ only).
+# Tests and guest/stress binaries are excluded -- they have different rules.
+#
+# 1. Banned functions -- unsafe libc calls with safer alternatives.
+# 2. Credential / secret patterns -- catch accidental key leaks.
+# 3. Dangerous preprocessor -- detect disabled security features.
+
+set -u -o pipefail
+
+failed=0
+
+# --- Patterns ---
+banned='(^|[^[:alnum:]_])(gets|sprintf|vsprintf|strcpy|stpcpy|strcat|atoi|atol|atoll|atof|mktemp|tmpnam|tempnam)[[:space:]]*\('
+secrets='(password|secret|api_key|private_key|token)[[:space:]]*=[[:space:]]*"[^"]+'
+dangerous_pp='#[[:space:]]*(undef|define)[[:space:]]+((_FORTIFY_SOURCE[[:space:]]+0)|(__SSP__))'
+comment_only='^[[:space:]]*(//|/\*|\*|\*/)'
+
+# Only scan kbox source, not tests/guest/stress.
+while IFS= read -r -d '' f; do
+    # Skip comment-only matches before checking.
+    code=$(grep -vE "$comment_only" "$f")
+
+    if echo "$code" | grep -qE "$banned"; then
+        echo "Banned function in $f:"
+        grep -nE "$banned" "$f" | grep -vE "$comment_only"
+        failed=1
+    fi
+    if echo "$code" | grep -iqE "$secrets"; then
+        echo "Possible hardcoded secret in $f:"
+        grep -inE "$secrets" "$f" | grep -vE "$comment_only"
+        failed=1
+    fi
+    if echo "$code" | grep -qE "$dangerous_pp"; then
+        echo "Dangerous preprocessor directive in $f:"
+        grep -nE "$dangerous_pp" "$f" | grep -vE "$comment_only"
+        failed=1
+    fi
+done < <(git ls-files -z -- 'src/*.c' 'src/*.h' 'include/*.h' 'include/**/*.h')
+
+if [ $failed -eq 0 ]; then
+    echo "Security checks passed."
+fi
+
+exit $failed

.editorconfig

@@ -1,14 +1,40 @@
-# Top-level EditorConfig file
 root = true
 
-# Shell script-specific settings
+[*]
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[Makefile]
+indent_style = tab
+indent_size = 4
+
+[mk/*]
+indent_style = tab
+indent_size = 4
+
+[*.[ch]]
+indent_style = space
+indent_size = 4
+max_line_length = 80
+
+[*.py]
+indent_style = space
+indent_size = 4
+
 [*.sh]
 indent_style = space
 indent_size = 4
-end_of_line = lf
-trim_trailing_whitespace = true
-insert_final_newline = true
-function_next_line = true
-switch_case_indent = true
-space_redirects = true
-binary_next_line = true
+
+[*.hook]
+indent_style = space
+indent_size = 4
+
+[*.yml]
+indent_style = space
+indent_size = 2
+# test
+# test
+# test
+# test
+# x

.github/workflows/build-kbox.yml

@@ -1,12 +1,15 @@
 # Build kbox and run full test suite.
 # Zero root required -- everything runs as an unprivileged user.
 #
-# Parallelism:
-#   unit-tests   -- no LKL, no rootfs, runs immediately
-#   build-kbox   -- fetches LKL, compiles kbox + guest/stress bins, builds rootfs
-#   integration  -- needs build-kbox artifacts, runs integration + stress tests
+# Parallelism (5 independent jobs, 1 sequential):
+#   coding-style     -- clang-format + newline checks (fast)
+#   static-analysis  -- security patterns + cppcheck
+#   unit-tests       -- no LKL dependency, ASAN/UBSAN
+#   build-kbox       -- fetches LKL, compiles kbox + guest/stress bins, builds rootfs
+#   integration      -- needs build-kbox artifacts, runs integration + stress tests
 #
-# unit-tests and build-kbox run in parallel. integration waits for build-kbox.
+# coding-style, static-analysis, unit-tests, and build-kbox run in parallel.
+# integration-tests waits for build-kbox only.
 name: Build and Test
 
 on:
@@ -16,6 +19,42 @@ on:
     branches: [main]
 
 jobs:
+  # ---- Coding style: formatting checks (fast, ~10s) ----
+  coding-style:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Install clang-format
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y clang-format-20
+
+      - name: Check trailing newline
+        run: .ci/check-newline.sh
+
+      - name: Check clang-format
+        run: .ci/check-format.sh
+
+  # ---- Static analysis: security patterns + cppcheck ----
+  static-analysis:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Install cppcheck
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y cppcheck
+
+      - name: Security checks
+        run: .ci/check-security.sh
+
+      - name: Static analysis (cppcheck)
+        run: .ci/check-cppcheck.sh
+
   # ---- Unit tests: no LKL dependency, fast ----
   unit-tests:
     runs-on: ubuntu-24.04

Makefile

@@ -15,8 +15,8 @@ KCONFIG_CONF := configs/Kconfig
 
 # Targets that don't require .config
 CONFIG_TARGETS    := config defconfig oldconfig savedefconfig clean distclean indent \
-                     check-unit fetch-lkl build-lkl fetch-minislirp install-hooks \
-                     guest-bins stress-bins rootfs
+                     check-unit check-syntax fetch-lkl build-lkl fetch-minislirp \
+                     install-hooks guest-bins stress-bins rootfs
 CONFIG_GENERATORS := config defconfig oldconfig
 
 # Require .config for build targets.

mk/tests.mk

@@ -111,4 +111,45 @@ $(ROOTFS): scripts/mkrootfs.sh scripts/alpine-sha256.txt $(GUEST_BINS) $(STRESS_
 	@echo "  GEN     $@"
 	$(Q)ALPINE_ARCH=$(ARCH) ./scripts/mkrootfs.sh
 
-.PHONY: check check-unit check-integration check-stress guest-bins stress-bins rootfs
+# ---- Syntax-only compilation check (used by pre-commit hook) ----
+# Usage: make check-syntax CHK_SOURCES="src/foo.c src/bar.c"
+# Uses the project's real CFLAGS with -fsyntax-only (no linking, no .o output).
+# Skips gracefully on non-Linux compilers.
+
+CHK_CC_TARGET := $(shell $(CC) -dumpmachine 2>/dev/null)
+check-syntax:
+ifeq ($(findstring linux,$(CHK_CC_TARGET)),)
+	@echo "  SKIP    check-syntax (non-Linux compiler: $(CHK_CC_TARGET))"
+else
+ifdef CHK_SOURCES
+	@echo "  SYNTAX  $(words $(CHK_SOURCES)) file(s)"
+	$(Q)$(CC) $(CFLAGS) -DKBOX_UNIT_TEST -fsyntax-only \
+	    -Werror=implicit-function-declaration \
+	    -Werror=incompatible-pointer-types \
+	    -Werror=int-conversion \
+	    -Werror=return-type \
+	    -Werror=format=2 \
+	    -Werror=format-security \
+	    -Werror=strict-prototypes \
+	    -Werror=old-style-definition \
+	    -Werror=sizeof-pointer-memaccess \
+	    -Werror=vla \
+	    $(CHK_SOURCES)
+else
+	@echo "  SYNTAX  all source files"
+	$(Q)$(CC) $(CFLAGS) -DKBOX_UNIT_TEST -fsyntax-only \
+	    -Werror=implicit-function-declaration \
+	    -Werror=incompatible-pointer-types \
+	    -Werror=int-conversion \
+	    -Werror=return-type \
+	    -Werror=format=2 \
+	    -Werror=format-security \
+	    -Werror=strict-prototypes \
+	    -Werror=old-style-definition \
+	    -Werror=sizeof-pointer-memaccess \
+	    -Werror=vla \
+	    $(SRCS)
+endif
+endif
+
+.PHONY: check check-unit check-integration check-stress guest-bins stress-bins rootfs check-syntax

scripts/build-lkl.sh

@@ -12,7 +12,7 @@
 set -eu
 
 case "${1:-$(uname -m)}" in
-    x86_64 | amd64)  ARCH="x86_64"  ;;
+    x86_64 | amd64) ARCH="x86_64" ;;
     aarch64 | arm64) ARCH="aarch64" ;;
     *)
         echo "error: unsupported architecture: ${1:-$(uname -m)}" >&2
@@ -24,7 +24,11 @@ LKL_DIR="${LKL_DIR:-lkl-${ARCH}}"
 LKL_SRC="${LKL_SRC:-build/lkl-src}"
 LKL_UPSTREAM="https://github.com/lkl/linux"
 
-die() { echo "error: $*" >&2; exit 1; }
+die()
+{
+    echo "error: $*" >&2
+    exit 1
+}
 
 # ---- Clone or update source tree ----------------------------------------
 
@@ -66,8 +70,7 @@ for opt in \
     CONFIG_PRINTK \
     CONFIG_TRACEPOINTS \
     CONFIG_FTRACE \
-    CONFIG_DEBUG_FS \
-; do
+    CONFIG_DEBUG_FS; do
     "${LKL_SRC}/scripts/config" --file "${LKL_SRC}/.config" --enable "${opt}"
 done
 
@@ -80,16 +83,15 @@ for opt in \
     CONFIG_USB_SUPPORT \
     CONFIG_INPUT \
     CONFIG_NFS_FS \
-    CONFIG_CIFS \
-; do
+    CONFIG_CIFS; do
     "${LKL_SRC}/scripts/config" --file "${LKL_SRC}/.config" --disable "${opt}"
 done
 
 make -C "${LKL_SRC}" ARCH=lkl olddefconfig
 
 # ---- Build ---------------------------------------------------------------
 
-NPROC=$(nproc 2>/dev/null || echo 1)
+NPROC=$(nproc 2> /dev/null || echo 1)
 
 echo "  BUILD   ARCH=lkl kernel (-j${NPROC})"
 make -C "${LKL_SRC}" ARCH=lkl -j"${NPROC}"
@@ -104,10 +106,10 @@ test -f "${LKL_SRC}/tools/lkl/liblkl.a" \
 
 echo "  VERIFY  symbols"
 for sym in lkl_init lkl_start_kernel lkl_cleanup lkl_syscall \
-           lkl_strerror lkl_disk_add lkl_mount_dev \
-           lkl_host_ops lkl_dev_blk_ops; do
-    if ! nm "${LKL_SRC}/tools/lkl/liblkl.a" 2>/dev/null \
-         | awk -v s="$sym" '$3==s && $2~/^[TtDdBbRr]$/{found=1} END{exit !found}'; then
+    lkl_strerror lkl_disk_add lkl_mount_dev \
+    lkl_host_ops lkl_dev_blk_ops; do
+    if ! nm "${LKL_SRC}/tools/lkl/liblkl.a" 2> /dev/null \
+        | awk -v s="$sym" '$3==s && $2~/^[TtDdBbRr]$/{found=1} END{exit !found}'; then
         die "MISSING symbol: ${sym}"
     fi
 done
@@ -117,17 +119,17 @@ done
 echo "  INSTALL ${LKL_DIR}/"
 mkdir -p "${LKL_DIR}"
 
-cp "${LKL_SRC}/tools/lkl/liblkl.a"               "${LKL_DIR}/"
-cp "${LKL_SRC}/tools/lkl/include/lkl.h"          "${LKL_DIR}/" 2>/dev/null || true
-cp "${LKL_SRC}/tools/lkl/include/lkl/autoconf.h" "${LKL_DIR}/" 2>/dev/null || true
-cp "${LKL_SRC}/scripts/gdb/vmlinux-gdb.py"        "${LKL_DIR}/" 2>/dev/null || true
+cp "${LKL_SRC}/tools/lkl/liblkl.a" "${LKL_DIR}/"
+cp "${LKL_SRC}/tools/lkl/include/lkl.h" "${LKL_DIR}/" 2> /dev/null || true
+cp "${LKL_SRC}/tools/lkl/include/lkl/autoconf.h" "${LKL_DIR}/" 2> /dev/null || true
+cp "${LKL_SRC}/scripts/gdb/vmlinux-gdb.py" "${LKL_DIR}/" 2> /dev/null || true
 
 printf 'commit=%s\ndate=%s\narch=%s\n' \
     "$(git -C "${LKL_SRC}" rev-parse HEAD)" \
     "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
     "${ARCH}" \
     > "${LKL_DIR}/BUILD_INFO"
 
-( cd "${LKL_DIR}" && sha256sum ./* > sha256sums.txt )
+(cd "${LKL_DIR}" && sha256sum ./* > sha256sums.txt)
 
 echo "OK: ${LKL_DIR}/liblkl.a"