Enhance ELF symbol extraction with comprehensive type support and visibility filtering

.cursor/commands/ci_check.md

@@ -0,0 +1,30 @@
+# CI Check
+
+## Description
+
+Ensure code changes pass all CI checks before merging.
+
+## Steps
+
+1. First, run `just ci-check` to identify any failures
+2. Analyze the output to understand what specific checks are failing. If everything passes, you’re done.
+3. Make minimal, targeted fixes to address ONLY the failing checks:
+   - For formatting issues: run `just format`
+   - For linting issues (clippy): fix the specific violations reported (rerun with `just lint-rust` / `just lint-rust-min`)
+   - For compilation/type errors: fix the underlying Rust code until `just check` (or `cargo check`) succeeds
+   - For test failures: fix the failing tests or underlying code (verify with `just test` or `just test-ci`)
+   - For dependency security/advisory issues: run `just audit` (cargo-audit) and/or update `Cargo.toml` then `cargo update`
+   - For license/compliance issues: run `just deny` and address cargo-deny findings
+4. After making fixes, run `just ci-check` again to verify all checks pass
+5. If any checks still fail, repeat steps 2-4 until all checks pass
+6. Provide a summary of what was fixed and confirm that `just ci-check` now passes completely
+
+Keep changes minimal and focused - only fix what's actually causing the CI failures. Do not make unnecessary refactoring or style changes beyond what's required to pass the checks.
+
+## Completion Checklist
+
+- [ ] Code conforms to Stringy project rules and standards
+- [ ] Tests pass (`just test`)
+- [ ] Linting is clean (`just lint`)
+- [ ] Full CI validation passes (`just ci-check`)
+- [ ] A short summary of what was done is reported

.cursor/commands/code_rabbit.md

@@ -0,0 +1,28 @@
+# CodeRabbit Review
+
+## Description
+
+Use CodeRabbit to identify issues and follow its recommendations in the current code branch.
+
+## Steps
+
+1. Run `coderabbit --prompt-only`, let it take as long as it needs to identify issues with this code branch. It will output a large list of recommended fixes and considerations.
+2. Evaluate the fixes and considerations. Fix major issues only, or fix any critical issues and ignore the nits.
+3. Once those changes are implemented, run CodeRabbit CLI one more time to make sure we addressed all the critical issues and didn't introduce any additional bugs.
+4. Do not change branches or mess with `git` at all. Just run the coderabbit tool, examine its output, fix its findings, and run it again to make sure you fixed everything.
+5. Then run `just ci-check` to make sure you didn't break anything and, if it does not complete without failures, fix those problems.
+6. Only run the loop (running coderabbit->fixing its recommendations->running `just ci-check`->fixing any failures) twice.
+7. If on the second run you don't find any critical issues, ignore the nits and you're complete.
+8. Give me a summary of everything that was completed and why.
+
+## Completion Checklist
+
+- [ ] Code conforms to Stringy project rules and standards
+- [ ] Tests pass (`just test`)
+- [ ] Linting is clean (`just lint`)
+- [ ] Full CI validation passes (`just ci-check`)
+- [ ] A short summary of what was done is reported
+- [ ] CodeRabbit issues have been addressed
+- [ ] CodeRabbit was run no more than twice
+- [ ] No unnecessary changes were made beyond addressing critical issues
+- [ ] No changes to git branches or history were made

.cursor/commands/code_review.md

@@ -0,0 +1,62 @@
+# Code Review
+
+## Description
+
+Analyze diff for code quality issues and apply safe improvements while preserving public APIs.
+
+## Focus Categories
+
+Analyze only the changed files (diff scope) and improve them while preserving public APIs. Focus categories: (1) Code Smells (large/duplicate/complex) (2) Design Patterns (traits, builder, newtype, factory) (3) Best Practices (Rust 2024, project conventions) (4) Readability (naming, structure, cohesion) (5) Maintainability (modularization, clarity) (6) Performance (binary parsing, memory usage, allocation, zero-copy operations) (7) Type Safety (strong types, avoid needless Option/Result layering) (8) Error Handling (thiserror context, no silent failures). Context: Stringy = zero-warnings, CLI-first, memory conscious, synchronous binary analysis. Prefer clear + correct over clever.
+
+## Steps
+
+1. Collect diff file list. 2. Analyze per focus category. 3. Classify each finding: `safe-edit` (apply now), `deferred`, `requires-approval`. 4. Auto-apply only `safe-edit` (mechanical, internal, non-breaking, warning removal, correctness, error handling improvements). 5. Run `just lint` then `just test`. On failure: isolate failing hunk, revert it, re-run, document skip. 6. Generate report (summary table, applied edits + rationale, deferred backlog, approval-needed with risks, next-step roadmap). 7. Output unified diff (never commit). If zero safe edits: state "No safe automatic edits applied" and still output full report.
+
+## Auto-Edit Constraints (Strict)
+
+- Scope: Only diff-related files
+- Gates: Must pass `just lint` + tests
+- User Control: Never commit/stage
+- Public API: No signature/visibility/export changes
+- Validation: Always run quality gates before reporting
+
+## Critical Requirements
+
+- Actionable suggestions (code examples when clearer)
+- Auto-apply only clearly safe internal fixes
+- Prioritize runtime correctness, safety, type rigor, security posture
+- Preserve all public APIs (no signature/visibility changes)
+- Avoid cleverness; optimize for clarity & maintainability
+
+## Repo Rules (Reinforced)
+
+Zero warnings (clippy -D warnings) | No unsafe | Precise typing | Trait-based parsers | `thiserror` for errors | CLI-first | Memory efficient | Zero-copy parsing where possible | rustdoc for all public APIs
+
+---
+
+## Execution Checklist
+
+1 Diff scan 2 Analyze 3 Classify 4 Safe edits applied 5 Gates pass 6 Report (summary/applied/deferred/approval-needed/roadmap) 7 Output diff. On blocker: report + remediation guidance.
+
+## Quick Reference Matrix
+
+Category -> Examples of Safe Edits:
+
+- Smells: remove dead code, split oversized internal fn (no visibility change)
+- Patterns: introduce small private helper or trait impl internally
+- Best Practices: use zero-copy parsing, efficient string extraction
+- Readability: rename local vars (non-public), add rustdoc/examples
+- Maintainability: extract internal module (keep re-export stable)
+- Performance: eliminate needless clone, memoize constant, bound Vec growth, use slice-based operations
+- Type Safety: replace `String` boolean flags with small internal enum (private)
+- Error Handling: add context via error messages, convert generic String errors to structured variants if already internal
+
+If ambiguity arises, default to: classify (deferred) instead of applying.
+
+## Completion Checklist
+
+- [ ] Code conforms to Stringy project rules and standards
+- [ ] Tests pass (`just test`)
+- [ ] Linting is clean (`just lint`)
+- [ ] Full CI validation passes (`just ci-check`)
+- [ ] A short summary of what was done is reported

.cursor/commands/performance_tuning.md

@@ -0,0 +1,83 @@
+# Performance Tuning
+
+## Description
+
+Analyze diff for performance, apply safe micro-optimizations, produce report.
+
+## FOCUS CATEGORIES
+
+Analyze ONLY changed files (diff scope) for runtime performance characteristics while preserving correctness, public APIs, and security constraints. Apply only clearly safe micro-optimizations.
+
+01. Algorithmic Complexity (unnecessary O(n^2), repeated scans, avoidable clones)
+02. Allocation Behavior (temporary allocations, Vec growth patterns, reserve vs push, string churn)
+03. Binary Parsing Efficiency (zero-copy operations, memory-mapped files for large binaries, efficient section iteration)
+04. I/O Efficiency (redundant reads, memory-mapped I/O for large files, efficient file handling)
+05. Data Structures (better fit: map vs vec scan, small vec, newtype for clarity/perf)
+06. Caching & Reuse (recomputing constants, repeated serialization, repeated formatting)
+07. Hot Path Error Handling (avoidable string formatting, cheap early exits)
+08. String Extraction (efficient UTF-8/UTF-16 parsing, slice-based operations, avoid unnecessary allocations)
+09. Memory Footprint (unbounded growth, retain vs shrink_to_fit decisions, large temporary clones, memory-mapped files)
+10. Instrumentation (where benchmarks would help future perf investigations)
+
+## Steps
+
+1 Diff list → 2 Perf analysis per category → 3 Classify (`safe-edit` / `deferred` / `requires-approval`) → 4 Apply only mechanical, behavior-preserving micro-optimizations (e.g., remove redundant clone, pre-allocate capacity, use zero-copy parsing, optimize string extraction) → 5 Run `just lint` & `just test` → 6 Revert failing hunk if gates fail → 7 Report (summary, applied, deferred, approval-needed, perf notes, next steps) → 8 Output unified diff (no commit).
+
+If zero safe edits: state "No safe performance edits applied" and still produce full report.
+
+## SAFE PERFORMANCE EDIT EXAMPLES
+
+- Replace `clone()` with reference when ownership not required
+- Preallocate Vec with `with_capacity` when length is known
+- Convert repeated `format!` in loop to pre-built prefix + push_str
+- Hoist constant regex / hashers / serializers
+- Short-circuit early on empty input slices
+- Use iterators instead of temporary Vec collects where semantic match
+- Use slice-based string extraction to avoid allocations
+- Use memory-mapped files for large binary processing
+- Prefer zero-copy parsing with goblin
+- Avoid converting to String just to log when `Display` exists
+
+## AUTO-EDIT CONSTRAINTS (STRICT)
+
+Scope: diff-only | Gates: `just lint` + tests must pass | No commits | No public signature/visibility changes | Validate after edits | No semantic changes
+
+## CRITICAL REQUIREMENTS
+
+- Do not trade readability or security for micro perf
+- Never introduce unsafe
+- Provide benchmarks only as recommendations (do not add heavy harness automatically)
+- Defer structural refactors (module splits) unless trivial & internal
+- Avoid premature caching introducing invalidation complexity
+
+## REPO RULES (REINFORCED)
+
+Zero warnings | No unsafe | Precise typing | Trait-based parsers | thiserror for errors | CLI-first | Memory efficiency | Zero-copy parsing | rustdoc for public APIs
+
+## EXECUTION CHECKLIST
+
+1 Diff scan 2 Analyze perf 3 Classify 4 Apply safe micro-optimizations 5 Gates pass 6 Report 7 Output diff | On blocker: report & remediate guidance.
+
+## QUICK PERFORMANCE MATRIX
+
+Category → Sample Safe Edit:
+
+- Complexity → Replace nested loop with `HashSet` membership check
+- Allocation → Pre-size Vec for known iteration length
+- Binary Parsing → Use memory-mapped files for large binaries, zero-copy section access
+- I/O → Use memory-mapped I/O for large file processing
+- Data Structure → Use `SmallVec` for typical \<=8 elements (internal)
+- Caching → Hoist constant serialization of static JSON template
+- String Extraction → Use slice-based operations, avoid unnecessary String allocations
+- Memory Footprint → Replace accumulating Vec with sliding window bound, use memory-mapped files
+- Instrumentation → Add benchmark tests for hot path performance
+
+Ambiguous? Defer and document.
+
+## Completion Checklist
+
+- [ ] Code conforms to Stringy project rules and standards
+- [ ] Tests pass (`just test`)
+- [ ] Linting is clean (`just lint`)
+- [ ] Full CI validation passes (`just ci-check`)
+- [ ] A short summary of what was done is reported

.cursor/commands/security_hardening.md

@@ -0,0 +1,82 @@
+# Security Hardening
+
+## Description
+
+Analyze diff for security posture, apply safe internal hardening edits, produce report.
+
+Analyze ONLY changed files (diff scope) for security posture and apply clearly safe hardening improvements while preserving all public APIs.
+
+## FOCUS CATEGORIES
+
+01. Memory Safety (no unsafe code, no added unsafe, boundary adherence)
+02. Input Validation & Parsing (CLI args, binary format detection, paths) – reject invalid early, no silent defaults
+03. Data Handling (no secrets logged, path validation, safe binary parsing, bounds checking)
+04. Binary Parsing Safety (validate offsets, check bounds, handle malformed binaries gracefully)
+05. Error Handling & Logging Hygiene (no sensitive leakage, structured context, no println! for operational info)
+06. Dependency & Surface Minimization (avoid unnecessary crates/features, dead code removal)
+07. Defense-in-Depth Opportunities (bounds checking, resource limits, memory usage bounds)
+08. Security Regression Risks (stubs flagged, TODOs categorized, unimplemented sections clearly documented)
+09. Supply Chain & Build Hygiene (forbid unsafe, clippy -D warnings, deny unknown features)
+10. File I/O Safety (validate file paths, handle large files safely, prevent path traversal)
+
+## Steps
+
+1 Diff list → 2 Security analysis per category → 3 Classify findings (`safe-edit` / `deferred` / `requires-approval`) → 4 Apply only mechanical non-breaking hardening edits (logging normalization, path validation + bound checks, converting println!/eprintln! to proper error handling, adding `#[deny(unsafe_code)]` locally if missing, adding missing error context, bounds checking for binary parsing) → 5 Run `just lint` & `just test` → 6 Revert any failing hunk → 7 Report (summary, applied, deferred, approval-needed, risk notes, roadmap) → 8 Output unified diff (no commit).
+
+If zero safe edits: state "No safe security edits applied" and still emit full report.
+
+## SAFE HARDENING EDIT EXAMPLES
+
+- Replace `println!/eprintln!` with proper error handling and structured output
+- Add bounds checking for binary parsing operations
+- Inline guard clauses for obvious panics or unchecked unwraps (if internal)
+- Validate file paths and prevent path traversal
+- Remove dead code exposing potential attack surface
+- Strengthen error messages (no raw system paths if sensitive)
+- Add length / size / iteration bounds for unbounded growth structures
+- Replace stringly-typed mode flags with private enums
+- Ensure all public API doc comments mention security considerations where relevant
+- Validate binary format headers before parsing
+- Check section offsets and sizes before accessing binary data
+
+## AUTO-EDIT CONSTRAINTS (STRICT)
+
+Scope: diff-only | Gates: `just lint` + tests must pass | No commits | No public signature/visibility changes | Validate after edits
+
+## CRITICAL REQUIREMENTS
+
+- Preserve functional behavior while reducing risk
+- No new dependencies unless strictly necessary for safety
+- Avoid speculative rewrites—minimal surface change
+- Avoid perf regressions; if added checks are non-trivial mark as deferred
+- Do not mask existing errors—surface with context instead
+
+## REPO RULES (REINFORCED)
+
+Zero warnings | No unsafe | Precise typing | Trait-based parsers | thiserror for errors | CLI-first | Memory efficiency | Safe binary parsing | Path validation | rustdoc for public APIs
+
+## EXECUTION CHECKLIST
+
+1 Diff scan 2 Analyze security 3 Classify 4 Apply safe hardening edits 5 Gates pass 6 Report 7 Output diff | On blocker: report with remediation.
+
+## QUICK SECURITY MATRIX
+
+Category → Sample Safe Edit:
+
+- Memory Safety → Remove unsafe code, add bounds checking
+- Input Validation → Add numeric range check before use, validate binary format headers
+- Data Handling → Validate file paths, check bounds before binary access
+- Binary Parsing → Add offset/size validation, handle malformed binaries gracefully
+- Error Handling → Replace raw error chain with safe error messages
+- Resource Bounds → Add comment + bound to vector growth pattern, limit memory usage
+- Stub Sections → Mark with `SECURITY_TODO:` prefix for tracking
+
+Ambiguous? Defer and document.
+
+## Completion Checklist
+
+- [ ] Code conforms to Stringy project rules and standards
+- [ ] Tests pass (`just test`)
+- [ ] Linting is clean (`just lint`)
+- [ ] Full CI validation passes (`just ci-check`)
+- [ ] A short summary of what was done is reported