flyingrobots
diff --git a/‎ACTIVITY.log.jsonl‎
Lines changed: 3 additions & 2 deletions b/‎ACTIVITY.log.jsonl‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎CMakeLists.txt‎
Lines changed: 10 additions & 4 deletions b/‎CMakeLists.txt‎
Lines changed: 10 additions & 4 deletions
diff --git a/‎Makefile‎
Lines changed: 2 additions & 2 deletions b/‎Makefile‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/SPEC.md‎
Lines changed: 7 additions & 5 deletions b/‎docs/SPEC.md‎
Lines changed: 7 additions & 5 deletions
diff --git a/‎include/gitledger/context.h‎
Lines changed: 3 additions & 0 deletions b/‎include/gitledger/context.h‎
Lines changed: 3 additions & 0 deletions
@@ -72,8 +72,8 @@
 {"who": "AGENT", "what": "Debrief request acknowledged", "where": ["ACTIVITY.log.jsonl"], "when": "2025-10-24T10:22:09Z", "why": "Closing out the clang-tidy cleanup session", "how": "Ready to summarize findings and next steps for the branch", "protip": "Keep the ledger current even when the work shifts to review"}
 {"who": "AGENT", "what": "Re-enabled tidy checks with absolute header filter", "where": [".clang-tidy", "tools/lint/run_clang_tidy.sh"], "when": "2025-10-24T17:50:28Z", "why": "Review caught the over-broad disable—restored checks and confined analysis to project headers", "how": "Anchored HeaderFilterRegex, injected header filter path in run_clang_tidy.sh, and reran clang-tidy/make lint", "protip": "Let tidy focus on your tree via --header-filter instead of muting diagnostics"}
 {"who": "AGENT", "what": "Clarified clang-tidy baseline and restored checks", "where": [".clang-tidy", "tools/lint/run_clang_tidy.sh"], "when": "2025-10-24T19:28:49Z", "why": "Earlier log entries (lines 66-69) overstated system-header issues; review confirmed the real problem was over-broad disables", "how": "Re-enabled the security/readability checks, anchored the header filter to the repo root, and added validation so clang-tidy stays scoped", "protip": "Capture the actual diagnostic numbers next time—assumptions about system headers masked the real issue"}
-{"who": "AGENT", "what": "Resuming clang-tidy remediation for error subsystem", "where": [".clang-tidy", "libgitledger/core/domain/error.c", "tests/error_test.c"], "when": 1761383372, "why": "Need to finish outstanding issues and clean up lint/test failures", "how": "Review current diagnostics, adjust code, document fixes, and validate tooling", "protip": "Chip away at warnings with focused commits so reviewers can follow the thread"}
-{"who": "AGENT", "what": "Resolved clang-tidy violations and expanded error subsystem tests", "where": ["libgitledger/core/domain/error.c", "include/gitledger/error.h", "tests/error_test.c", "libgitledger/core/domain/gitledger.c", "src/version.c"], "when": 1761385465, "why": "Bring the error API branch to lint-clean status and cover new behaviour", "how": "Refactored JSON writer helpers, added variadic-safe wrappers, renamed factors, grew deep-chain and allocator tests, and verified lint/test targets", "protip": "When asserts vanish under NDEBUG, cast variables to void so release builds stay quiet"}
+{"who": "AGENT", "what": "Resuming clang-tidy remediation for error subsystem", "where": [".clang-tidy", "libgitledger/core/domain/error.c", "tests/error_test.c"], "when": "2025-10-25T09:09:32Z", "why": "Need to finish outstanding issues and clean up lint/test failures", "how": "Review current diagnostics, adjust code, document fixes, and validate tooling", "protip": "Chip away at warnings with focused commits so reviewers can follow the thread"}
+{"who": "AGENT", "what": "Resolved clang-tidy violations and expanded error subsystem tests", "where": ["libgitledger/core/domain/error.c", "include/gitledger/error.h", "tests/error_test.c", "libgitledger/core/domain/gitledger.c", "src/version.c"], "when": "2025-10-25T09:44:25Z", "why": "Bring the error API branch to lint-clean status and cover new behaviour", "how": "Refactored JSON writer helpers, added variadic-safe wrappers, renamed factors, grew deep-chain and allocator tests, and verified lint/test targets", "protip": "When asserts vanish under NDEBUG, cast variables to void so release builds stay quiet"}
 {"who": "AGENT", "what": "Start session: read AGENTS.md and README.md to align with repo rules", "where": ["AGENTS.md", "README.md"], "when": "2025-10-25T13:38:42Z", "why": "Repo mandates activity logging; need orientation before any code changes", "how": "Used shell to open and read AGENTS.md and README.md; no changes made", "protip": "Always log before touching code; read AGENTS.md scope rules"}
 {"who": "AGENT", "what": "Fix context teardown double-free; detach errors instead of releasing; remove debug prints; document ownership; sanitize macOS config; lint clean", "where": ["libgitledger/core/context.c", "libgitledger/core/domain/error.c", "libgitledger/core/internal/context_internal.h", "include/gitledger/error.h", "Makefile"], "when": "2025-10-25T13:47:44Z", "why": "Runtime abort from double free in context_destroy when releasing tracked errors; need robust ownership semantics and green tests", "how": "Analyzed release/untrack flow; patched context_destroy to detach error back-references and free only registry nodes; removed fprintf alloc/free instrumentation; added internal detach helper; documented retain/release rules in header; made ASAN leak detection conditional on macOS; ran cmake+ctest debug/release and ASAN/TSAN; ran format and clang-tidy", "protip": "Contexts are registries, not owners—never release errors from context teardown; detach and let refcounts drive lifetime"}
 {"who": "AGENT", "what": "Purge NOLINT; satisfy clang-tidy without suppression; split context_destroy; add safe debug logging; narrow .clang-tidy for callback false-positive", "where": ["libgitledger/core/context.c", "libgitledger/core/domain/error.c", ".clang-tidy"], "when": "2025-10-25T13:57:27Z", "why": "New repo rule bans NOLINT; prior fix introduced two NOLINT sites; tidy flagged default_free and debug fprintf—root-cause fixes preferred", "how": "Removed all NOLINT markers; replaced fprintf with bounded snprintf+fwrite; factored context teardown into helpers to meet function-size threshold; introduced named buffer constant; updated .clang-tidy to drop bugprone-easily-swappable-parameters (callback signatures)", "protip": "Prefer helper functions and small constants to quiet readability checks; if a tidy rule fights C callback conventions, adjust the rule—don’t paper over with NOLINT"}
@@ -85,3 +85,4 @@
 {"who": "AGENT", "what": "Added dependency toggles and documentation", "where": ["CMakeLists.txt", "meson.build", "meson_options.txt", "README.md", "CONTRIBUTING.md"], "when": "2025-10-25T06:16:07Z", "why": "Issue #3 requires libgit2 detection plus placeholders for CRoaring/BLAKE3", "how": "Hooked libgit2 via pkg-config in CMake/Meson, stubbed vendor options, and documented install commands", "protip": "Keep build options mirrored across CMake and Meson so contributors aren’t surprised"}
 {"who": "AGENT", "what": "Handled pkg-config absence on Windows", "where": ["CMakeLists.txt", "README.md"], "when": "2025-10-25T07:06:13Z", "why": "CI showed MSVC job missing pkg-config", "how": "Made pkg-config optional in CMake with a helpful error and documented Windows install command", "protip": "If CI uses MSVC, assume pkg-config isn’t preinstalled"}
 {"who": "AGENT", "what": "Made libgit2 optional across build systems", "where": ["CMakeLists.txt", "meson.build", "tools/container/Dockerfile", "README.md", "AGENTS.md"], "when": "2025-10-25T07:45:10Z", "why": "CI and reviewers flagged hard pkg-config/libgit2 dependency failures (esp. MSVC)", "how": "Added AUTO/ON/OFF toggle, fallback detection, private linkage, meson auto feature, pinned Docker install", "protip": "Treat optional deps as features: detect, warn, and gate definitions"}
+{"who": "AGENT", "what": "Address Code Rabbit review: CMake C99 + flags, -nostdlib link opts, docs JSON memoization + teardown semantics, purge unused status enum, lifecycle comments, safer JSON escape rationale, tests malloc idiom + teardown refusal test, activity timestamp fix, Meson test flags, container env propagation, sanitizer flags, macros capture caller location, context logging always-on, lock before destroy decision, try_release API, version header moved", "where": ["CMakeLists.txt", "docs/SPEC.md", "include/gitledger/error.h", "libgitledger/core/domain/error.c", "tests/error_test.c", "ACTIVITY.log.jsonl", "meson.build", "tools/container/run-matrix.sh", "Makefile", "include/gitledger/context.h", "libgitledger/core/context.c", "include/gitledger/version.h", "src/version.c", "tests/version_test.c"], "when": "2025-10-25T15:27:09Z", "why": "Bring build, docs, headers, tests, and tooling in line with review and repo policy", "how": "Edited CMake/Meson flags and link opts; updated SPEC wording; removed gitledger_status_t and refreshed lifetime comments; added rationale comments; added Release-only teardown refusal test; normalized activity timestamps; exported matrix env hints; hardened sanitizer flags; replaced inline helpers with macros; made diagnostic logging always compile; locked error list before destroy; added gitledger_context_try_release; moved version header under include/gitledger/ and updated includes", "protip": "Prefer caller-site macros for source location; lock before checking shared state; CAS-publish caches to avoid races"}
@@ -1,7 +1,7 @@
 cmake_minimum_required(VERSION 3.20)
 project(libgitledger VERSION 0.1.0 LANGUAGES C)
 
-set(CMAKE_C_STANDARD 17)
+set(CMAKE_C_STANDARD 99)
 set(CMAKE_C_STANDARD_REQUIRED ON)
 set(CMAKE_C_EXTENSIONS OFF)
 set(CMAKE_EXPORT_COMPILE_COMMANDS ON)
@@ -24,8 +24,9 @@ endif()
 if(MSVC)
     set(PROJECT_WARNING_FLAGS /W4 /WX /we4244 /we4267 /we4456 /we4457 /we4458 /we4459)
 else()
-    # Keep Unix builds strict and hide unintended symbol exports.
-    set(PROJECT_WARNING_FLAGS -Wall -Wextra -Werror -Wpedantic -Wshadow -Wconversion -fvisibility=hidden)
+    # Unix builds: enforce the strict policy and standard per project guidelines.
+    # Include -std=c99 here explicitly to match tooling expectations.
+    set(PROJECT_WARNING_FLAGS -Wall -Wextra -Werror -pedantic -std=c99 -Wno-fun)
 endif()
 
 set(LIBGITLEDGER_SOURCES
@@ -37,7 +38,7 @@ set(LIBGITLEDGER_SOURCES
 
 set(LIBGITLEDGER_HEADERS
     libgitledger/include/gitledger/gitledger.h
-    include/libgitledger/version.h
+    include/gitledger/version.h
     include/gitledger/context.h
     include/gitledger/error.h
     include/gitledger/export.h
@@ -46,6 +47,7 @@ set(LIBGITLEDGER_HEADERS
 add_library(gitledger STATIC ${LIBGITLEDGER_SOURCES} ${LIBGITLEDGER_HEADERS})
 target_compile_options(gitledger PRIVATE ${PROJECT_WARNING_FLAGS})
 target_compile_definitions(gitledger PRIVATE GITLEDGER_BUILD=1)
+target_link_options(gitledger PRIVATE -nostdlib)
 
 if(GITLEDGER_VENDOR_LIBGIT2)
     message(FATAL_ERROR "Vendored libgit2 support is not implemented yet.\n"
@@ -99,18 +101,22 @@ target_include_directories(gitledger
 add_executable(gitledger_version_test tests/version_test.c)
 target_compile_options(gitledger_version_test PRIVATE ${PROJECT_WARNING_FLAGS})
 target_link_libraries(gitledger_version_test PRIVATE gitledger)
+target_link_options(gitledger_version_test PRIVATE -nostdlib)
 
 add_executable(gitledger_tests libgitledger/tests/main.c)
 target_compile_options(gitledger_tests PRIVATE ${PROJECT_WARNING_FLAGS})
 target_link_libraries(gitledger_tests PRIVATE gitledger)
+target_link_options(gitledger_tests PRIVATE -nostdlib)
 
 add_executable(mg-ledger libgitledger/cli/mg-ledger.c)
 target_compile_options(mg-ledger PRIVATE ${PROJECT_WARNING_FLAGS})
 target_link_libraries(mg-ledger PRIVATE gitledger)
+target_link_options(mg-ledger PRIVATE -nostdlib)
 
 add_executable(gitledger_error_test tests/error_test.c)
 target_compile_options(gitledger_error_test PRIVATE ${PROJECT_WARNING_FLAGS})
 target_link_libraries(gitledger_error_test PRIVATE gitledger)
+target_link_options(gitledger_error_test PRIVATE -nostdlib)
 
 include(CTest)
 if(BUILD_TESTING)
 
@@ -126,14 +126,14 @@ sanitizers:
 
 host-sanitizers:
 	$(HOST_GUARD)
-	cmake -S . -B build-asan -G Ninja -DCMAKE_BUILD_TYPE=Debug -DCMAKE_C_STANDARD=17 -DCMAKE_C_STANDARD_REQUIRED=ON -DCMAKE_C_FLAGS="-fsanitize=address,undefined" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address,undefined"
+	cmake -S . -B build-asan -G Ninja -DCMAKE_BUILD_TYPE=Debug -DCMAKE_C_STANDARD=17 -DCMAKE_C_STANDARD_REQUIRED=ON -DCMAKE_C_FLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer"
 	cmake --build build-asan
 	@if [ "$$(uname -s)" = "Darwin" ]; then \
 		ASAN_OPTIONS=detect_leaks=0:halt_on_error=1 ctest --test-dir build-asan --output-on-failure; \
 	else \
 		ASAN_OPTIONS=detect_leaks=1:halt_on_error=1 ctest --test-dir build-asan --output-on-failure; \
 	fi
-	cmake -S . -B build-tsan -G Ninja -DCMAKE_BUILD_TYPE=Debug -DCMAKE_C_STANDARD=17 -DCMAKE_C_STANDARD_REQUIRED=ON -DCMAKE_C_FLAGS="-fsanitize=thread" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=thread"
+	cmake -S . -B build-tsan -G Ninja -DCMAKE_BUILD_TYPE=Debug -DCMAKE_C_STANDARD=17 -DCMAKE_C_STANDARD_REQUIRED=ON -DCMAKE_C_FLAGS="-fsanitize=thread -fno-omit-frame-pointer -O1" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=thread -fno-omit-frame-pointer"
 	cmake --build build-tsan
 	TSAN_OPTIONS=halt_on_error=1 ctest --test-dir build-tsan --output-on-failure
 
 
@@ -788,14 +788,16 @@ Default guidance per domain/code:
 `gitledger_error_render_json` returns the exact byte count (including the terminating NUL) required
 to encode the full causal chain as deterministic JSON. Rendering is iterative, capped by
 `GITLEDGER_ERROR_MAX_DEPTH`, and emits `"truncated":true` when the chain exceeds that limit.
-`gitledger_error_json` memoises the JSON in a context-owned scratch buffer so repeated logging does not
-re-render; `gitledger_error_json_copy` duplicates it for callers that need the data to outlive the
-context. Messages are treated the same way via `gitledger_error_message_copy`. Domain / code / flag
+`gitledger_error_json` memoizes the JSON on the error itself so repeated logging does not re-render;
+`gitledger_error_json_copy` duplicates it for callers that need the data to outlive the error. Messages
+are treated the same way via `gitledger_error_message_copy`. In Release builds, context teardown is
+refused while live errors exist and a diagnostic is emitted to stderr; in Debug builds, teardown aborts.
+Domain / code / flag
 strings are available through `gitledger_domain_name`, `gitledger_code_name`, and
 `gitledger_error_flags_format` for bindings that want symbolic names.
 
-Errors are reference counted; contexts track all outstanding errors and free them during teardown.
-`gitledger_error_release` descends iteratively (no recursion) so deeply nested causal stacks cannot
+Errors are reference counted. Contexts register outstanding errors for diagnostics only; they do not
+own or free errors. `gitledger_error_release` descends iteratively (no recursion) so deeply nested causal stacks cannot
 overflow a thread’s call stack. Callers can opt into shared ownership via `gitledger_error_retain`
 when an error must outlive the originating context.
 
 
@@ -27,6 +27,9 @@ extern "C"
                        gitledger_context_create(const gitledger_allocator_t* allocator);
     GITLEDGER_API void gitledger_context_retain(gitledger_context_t* ctx);
     GITLEDGER_API void gitledger_context_release(gitledger_context_t* ctx);
+    /* Try to release the context; returns 1 on destroy, 0 when refused due to
+       live errors, and -1 for invalid ctx. Prefer this in new code. */
+    GITLEDGER_API int  gitledger_context_try_release(gitledger_context_t* ctx);
 
     GITLEDGER_API int gitledger_context_valid(const gitledger_context_t* ctx);
     GITLEDGER_API const gitledger_allocator_t*