Refactor CI: split monolith workflows into reusable components

Before: 2 monolith YAMLs (904 + 1127 lines), duplicated matrices,
inconsistent action versions, duplicate build-windows job.

After: 5 reusable workflows + 3 lean callers (1091 total lines):
- _lint.yml: lint + security-static + codeql-gate
- _test.yml: tests on 5 platforms with CBM_SKIP_PERF support
- _build.yml: standard + UI + portable builds, all platforms
- _smoke.yml: smoke test every binary variant
- _soak.yml: quick + ASan soak, parameterized duration

Fixes: duplicate build-windows, missing Windows CBM_SKIP_PERF,
missing timeout-minutes, inconsistent action versions,
VirusTotal check extracted to scripts/ci/check-virustotal.sh.

Author: DeusData

.github/workflows/_build.yml

@@ -0,0 +1,181 @@
+# Reusable: build binaries (standard + UI) on all platforms
+name: Build
+
+on:
+  workflow_call:
+    inputs:
+      version:
+        description: 'Version string (e.g. v0.8.0)'
+        type: string
+        default: ''
+
+permissions:
+  contents: read
+
+jobs:
+  build-unix:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            goos: linux
+            goarch: amd64
+            cc: gcc
+            cxx: g++
+          - os: ubuntu-24.04-arm
+            goos: linux
+            goarch: arm64
+            cc: gcc
+            cxx: g++
+          - os: macos-14
+            goos: darwin
+            goarch: arm64
+            cc: cc
+            cxx: c++
+          - os: macos-15-intel
+            goos: darwin
+            goarch: amd64
+            cc: cc
+            cxx: c++
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Install deps (Ubuntu)
+        if: startsWith(matrix.os, 'ubuntu')
+        run: sudo apt-get update && sudo apt-get install -y zlib1g-dev
+
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        with:
+          node-version: "22"
+
+      - name: Build standard binary
+        run: scripts/build.sh ${{ inputs.version && format('--version {0}', inputs.version) || '' }} CC=${{ matrix.cc }} CXX=${{ matrix.cxx }}
+
+      - name: Ad-hoc sign macOS binary
+        if: startsWith(matrix.os, 'macos')
+        run: codesign --sign - --force build/c/codebase-memory-mcp
+
+      - name: Archive standard binary
+        run: |
+          cp LICENSE install.sh build/c/
+          tar -czf codebase-memory-mcp-${{ matrix.goos }}-${{ matrix.goarch }}.tar.gz \
+            -C build/c codebase-memory-mcp LICENSE install.sh
+
+      - name: Build UI binary
+        run: scripts/build.sh --with-ui ${{ inputs.version && format('--version {0}', inputs.version) || '' }} CC=${{ matrix.cc }} CXX=${{ matrix.cxx }}
+
+      - name: Ad-hoc sign macOS UI binary
+        if: startsWith(matrix.os, 'macos')
+        run: codesign --sign - --force build/c/codebase-memory-mcp
+
+      - name: Frontend integrity scan
+        if: matrix.goos == 'linux' && matrix.goarch == 'amd64'
+        run: scripts/security-ui.sh
+
+      - name: Archive UI binary
+        run: |
+          cp LICENSE install.sh build/c/
+          tar -czf codebase-memory-mcp-ui-${{ matrix.goos }}-${{ matrix.goarch }}.tar.gz \
+            -C build/c codebase-memory-mcp LICENSE install.sh
+
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: binaries-${{ matrix.goos }}-${{ matrix.goarch }}
+          path: "*.tar.gz"
+
+  build-windows:
+    runs-on: windows-latest
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - uses: msys2/setup-msys2@4f806de0a5a7294ffabaff804b38a9b435a73bda # v2
+        with:
+          msystem: CLANG64
+          path-type: inherit
+          install: >-
+            mingw-w64-clang-x86_64-clang
+            mingw-w64-clang-x86_64-zlib
+            make
+            zip
+
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        with:
+          node-version: "22"
+
+      - name: Build standard binary
+        shell: msys2 {0}
+        run: scripts/build.sh ${{ inputs.version && format('--version {0}', inputs.version) || '' }} CC=clang CXX=clang++
+
+      - name: Archive standard binary
+        shell: msys2 {0}
+        run: |
+          BIN=build/c/codebase-memory-mcp
+          [ -f "${BIN}.exe" ] && BIN="${BIN}.exe"
+          cp "$BIN" codebase-memory-mcp.exe
+          zip codebase-memory-mcp-windows-amd64.zip codebase-memory-mcp.exe LICENSE install.ps1
+
+      - name: Build UI binary
+        shell: msys2 {0}
+        run: scripts/build.sh --with-ui ${{ inputs.version && format('--version {0}', inputs.version) || '' }} CC=clang CXX=clang++
+
+      - name: Archive UI binary
+        shell: msys2 {0}
+        run: |
+          BIN=build/c/codebase-memory-mcp
+          [ -f "${BIN}.exe" ] && BIN="${BIN}.exe"
+          cp "$BIN" codebase-memory-mcp.exe
+          zip codebase-memory-mcp-ui-windows-amd64.zip codebase-memory-mcp.exe LICENSE install.ps1
+
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: binaries-windows-amd64
+          path: "*.zip"
+
+  build-linux-portable:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - arch: amd64
+            runner: ubuntu-latest
+          - arch: arm64
+            runner: ubuntu-24.04-arm
+    runs-on: ${{ matrix.runner }}
+    container:
+      image: alpine:3.21
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Install musl build deps
+        run: apk add --no-cache build-base linux-headers zlib-dev zlib-static nodejs npm
+
+      - name: Build standard binary (static)
+        run: scripts/build.sh ${{ inputs.version && format('--version {0}', inputs.version) || '' }} CC=gcc CXX=g++ STATIC=1
+
+      - name: Verify static linking
+        run: file build/c/codebase-memory-mcp | grep -q "statically linked"
+
+      - name: Archive standard binary
+        run: |
+          cp LICENSE install.sh build/c/
+          tar -czf codebase-memory-mcp-linux-${{ matrix.arch }}-portable.tar.gz \
+            -C build/c codebase-memory-mcp LICENSE install.sh
+
+      - name: Build UI binary (static)
+        run: scripts/build.sh --with-ui ${{ inputs.version && format('--version {0}', inputs.version) || '' }} CC=gcc CXX=g++ STATIC=1
+
+      - name: Archive UI binary
+        run: |
+          cp LICENSE install.sh build/c/
+          tar -czf codebase-memory-mcp-ui-linux-${{ matrix.arch }}-portable.tar.gz \
+            -C build/c codebase-memory-mcp LICENSE install.sh
+
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: binaries-linux-${{ matrix.arch }}-portable
+          path: "*.tar.gz"

.github/workflows/_lint.yml

@@ -0,0 +1,102 @@
+# Reusable: lint + security-static + codeql-gate
+name: Lint & Security
+
+on:
+  workflow_call: {}
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Install build deps
+        run: sudo apt-get update && sudo apt-get install -y zlib1g-dev cmake
+
+      - name: Install LLVM 20
+        run: |
+          wget -qO- https://apt.llvm.org/llvm-snapshot.gpg.key | sudo tee /etc/apt/trusted.gpg.d/apt.llvm.org.asc
+          echo "deb http://apt.llvm.org/noble/ llvm-toolchain-noble-20 main" | sudo tee /etc/apt/sources.list.d/llvm-20.list
+          sudo apt-get update
+          sudo apt-get install -y clang-format-20
+
+      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        id: cppcheck-cache
+        with:
+          path: /opt/cppcheck
+          key: cppcheck-2.20.0-ubuntu-amd64
+
+      - name: Build cppcheck 2.20.0
+        if: steps.cppcheck-cache.outputs.cache-hit != 'true'
+        run: |
+          git clone --depth 1 --branch 2.20.0 https://github.com/danmar/cppcheck.git /tmp/cppcheck
+          cmake -S /tmp/cppcheck -B /tmp/cppcheck/build -DCMAKE_BUILD_TYPE=Release -DHAVE_RULES=OFF -DCMAKE_INSTALL_PREFIX=/opt/cppcheck
+          cmake --build /tmp/cppcheck/build -j$(nproc)
+          cmake --install /tmp/cppcheck/build
+
+      - name: Add cppcheck to PATH
+        run: echo "/opt/cppcheck/bin" >> "$GITHUB_PATH"
+
+      - name: Lint
+        run: scripts/lint.sh CLANG_FORMAT=clang-format-20
+
+  security-static:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: "Layer 1: Static allow-list audit"
+        run: scripts/security-audit.sh
+      - name: "Layer 6: UI security audit"
+        run: scripts/security-ui.sh
+      - name: "Layer 8: Vendored dependency integrity"
+        run: scripts/security-vendored.sh
+
+  codeql-gate:
+    runs-on: ubuntu-latest
+    timeout-minutes: 50
+    steps:
+      - name: Wait for CodeQL on current commit (max 45 min)
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          CURRENT_SHA="${{ github.sha }}"
+          echo "Waiting for CodeQL to complete on $CURRENT_SHA..."
+          for attempt in $(seq 1 90); do
+            LATEST=$(gh api repos/${{ github.repository }}/actions/workflows/codeql.yml/runs?per_page=5 \
+              --jq '.workflow_runs[] | select(.head_sha == "'"$CURRENT_SHA"'") | "\(.conclusion) \(.status)"' 2>/dev/null | head -1 || echo "")
+            if [ -z "$LATEST" ]; then
+              echo "  $attempt/90: no run yet..."; sleep 30; continue
+            fi
+            CONCLUSION=$(echo "$LATEST" | cut -d' ' -f1)
+            STATUS=$(echo "$LATEST" | cut -d' ' -f2)
+            if [ "$STATUS" = "completed" ] && [ "$CONCLUSION" = "success" ]; then
+              echo "=== CodeQL passed ==="; exit 0
+            elif [ "$STATUS" = "completed" ]; then
+              echo "BLOCKED: CodeQL $CONCLUSION"; exit 1
+            fi
+            echo "  $attempt/90: $STATUS..."; sleep 30
+          done
+          echo "BLOCKED: CodeQL timeout"; exit 1
+
+      - name: Check for open code scanning alerts
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          echo "Waiting 60s for alert API to settle..."
+          sleep 60
+          ALERTS=$(gh api 'repos/${{ github.repository }}/code-scanning/alerts?state=open' --jq 'length' 2>/dev/null || echo "0")
+          sleep 15
+          ALERTS2=$(gh api 'repos/${{ github.repository }}/code-scanning/alerts?state=open' --jq 'length' 2>/dev/null || echo "0")
+          [ "$ALERTS" -lt "$ALERTS2" ] && ALERTS=$ALERTS2
+          if [ "$ALERTS" -gt 0 ]; then
+            echo "BLOCKED: $ALERTS open alert(s)"
+            gh api 'repos/${{ github.repository }}/code-scanning/alerts?state=open' \
+              --jq '.[] | "  #\(.number) [\(.rule.security_severity_level // .rule.severity)] \(.rule.id) — \(.most_recent_instance.location.path):\(.most_recent_instance.location.start_line)"' 2>/dev/null || true
+            exit 1
+          fi
+          echo "=== CodeQL gate passed (0 alerts) ==="