
fix: correct u64 error sentinel width and XMALLOC/XFREE pairing#19

Open
MarkAtwood wants to merge 1 commit intowolfSSL:masterfrom
MarkAtwood:fix/kernel-u64-sentinel-xfree

Conversation

@MarkAtwood

Summary

Two independent correctness fixes in the kernel-side wolfcrypt glue code.

Fix 1: Correct u64 error sentinel width in wc_u64_keyed_hash (wolfcrypt_glue.h)

wc_u64_keyed_hash returns ~0UL as the error sentinel for a u64 return type. On 32-bit kernels, unsigned long is 32 bits, so ~0UL evaluates to 0xFFFFFFFF, which zero-extends to 0x00000000FFFFFFFF in the u64 return — not the intended all-ones pattern 0xFFFFFFFFFFFFFFFF.

The fix changes the sentinel to ~(u64)0, which is always 64 bits wide regardless of the native unsigned long size.

This bug is latent on all current 64-bit targets (where UL happens to be 64 bits), but the correct form is required for portability to 32-bit kernels and for clarity of intent.

Fix 2: Replace free() with XFREE() for XMALLOC-allocated buffers (wolfcrypt_glue.c)

In wc_AesGcm_crypt_sg_inplace (both the WOLFSSL_AESGCM_STREAM and non-stream variants), memory allocated with XMALLOC(..., NULL, DYNAMIC_TYPE_TMP_BUFFER) was being released with plain free():

  • aes pointer in the WOLFSSL_AESGCM_STREAM path (out_aes_uninited label)
  • buf pointer in the non-stream copy_after_all block
  • aes pointer in the non-stream path (out_aes_uninited label)

All three are replaced with XFREE(ptr, NULL, DYNAMIC_TYPE_TMP_BUFFER) to match the allocator.

Under WOLFSSL_TRACK_MEMORY builds, XMALLOC routes through a tracking wrapper. Releasing such memory with free() bypasses the tracker, causing spurious leak reports and potentially corrupting the tracking state. This bug is latent until WOLFSSL_TRACK_MEMORY is enabled.

Note: other free() calls in the same file (for wc_hmac, aes in wc_AesGcm_oneshot_crypt, key, privKey, pubKey, ctx->rngs) were all allocated with plain malloc() and are correctly paired — those were not changed.
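Added example (not code from this PR or from wolfSSL) that simulates the two failure modes described above: a `uint32_t` stands in for a 32-bit kernel's `unsigned long`, and a small counting allocator stands in for the WOLFSSL_TRACK_MEMORY tracker; every function name here is an assumption for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* --- Fix 1: sentinel width --------------------------------------------- */

/* What ~0UL becomes on a 32-bit kernel once it is returned as u64:
 * the 32-bit all-ones value zero-extends to 0x00000000FFFFFFFF. */
static uint64_t sentinel_from_narrow(void)
{
    uint32_t ul_all_ones = ~(uint32_t)0;   /* ~0UL with a 32-bit unsigned long */
    return ul_all_ones;                     /* implicit zero-extension to u64 */
}

/* The corrected form: the width is fixed by the cast, not by the ABI. */
static uint64_t sentinel_wide(void)
{
    return ~(uint64_t)0;                    /* always 0xFFFFFFFFFFFFFFFF */
}

/* A caller that checks for the documented all-ones error value. The
 * narrow sentinel passes this check as if it were a valid hash. */
static int is_hash_error(uint64_t h)
{
    return h == ~(uint64_t)0;
}

/* --- Fix 2: allocator pairing ------------------------------------------ */

/* Minimal tracking allocator: counts live blocks the way a leak tracker does. */
static long live_blocks;

static void *tracked_malloc(size_t n)       /* plays the role of XMALLOC */
{
    void *p = malloc(n);
    if (p) live_blocks++;
    return p;
}

static void tracked_free(void *p)            /* plays the role of XFREE */
{
    if (p) live_blocks--;
    free(p);
}

/* Allocate through the tracker, release with the given routine, and return
 * how many blocks the tracker still believes are outstanding. */
static long leaked_after(void (*release)(void *))
{
    void *buf;
    live_blocks = 0;
    buf = tracked_malloc(64);
    release(buf);           /* plain free() skips the tracker; tracked_free does not */
    return live_blocks;
}
```

Passing `free` to `leaked_after` reproduces the spurious leak report the description mentions; passing `tracked_free` brings the count back to zero.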

Copilot AI review requested due to automatic review settings April 17, 2026 20:41

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Fixes two kernel-side wolfCrypt glue correctness issues (u64 error sentinel width on 32-bit, and allocator/free pairing under WOLFSSL_TRACK_MEMORY) and adds Beads/Dolt + agent tooling configuration files.

Changes:

  • Use a 64-bit-wide error sentinel in wc_u64_keyed_hash for 32-bit kernel correctness.
  • Replace free() with XFREE() for buffers allocated via XMALLOC() in AES-GCM SG paths.
  • Add Beads/Dolt repo integration files and hook/config documentation.

Reviewed changes

Copilot reviewed 14 out of 15 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| kernel-src/wolfcrypt_glue.h | Fix u64 error sentinel to be 64-bit wide on 32-bit kernels |
| kernel-src/wolfcrypt_glue.c | Pair XMALLOC allocations with XFREE in AES-GCM paths |
| CLAUDE.md | Add AI-agent workflow + Beads integration instructions |
| AGENTS.md | Add agent instructions + Beads integration guidance |
| .gitignore | Ignore Dolt/Beads artifacts in repo root |
| .claude/settings.json | Configure Claude hooks to run bd prime |
| .beads/metadata.json | Add Beads project metadata for Dolt backend |
| .beads/hooks/prepare-commit-msg | Add Beads-managed git hook wrapper |
| .beads/hooks/pre-push | Add Beads-managed git hook wrapper |
| .beads/hooks/pre-commit | Add Beads-managed git hook wrapper |
| .beads/hooks/post-merge | Add Beads-managed git hook wrapper |
| .beads/hooks/post-checkout | Add Beads-managed git hook wrapper |
| .beads/config.yaml | Add Beads configuration scaffold |
| .beads/README.md | Add Beads usage documentation |
| .beads/.gitignore | Ignore Beads runtime/Dolt/credential artifacts under .beads/ |


Comment thread .claude/settings.json Outdated
Comment on lines +7 to +8
"command": "bd prime",
"type": "command"

Copilot AI Apr 17, 2026


These hooks run bd prime unconditionally. In environments where bd isn’t installed (or isn’t on PATH), this can cause startup/compaction hook failures and degrade developer experience. Consider wrapping the command so it becomes a no-op when bd is unavailable (e.g., shell-check command -v bd before running) or using whatever conditional/optional mechanism the hooks system supports.

Comment thread .claude/settings.json Outdated
Comment on lines +18 to +19
"command": "bd prime",
"type": "command"

Copilot AI Apr 17, 2026


These hooks run bd prime unconditionally. In environments where bd isn’t installed (or isn’t on PATH), this can cause startup/compaction hook failures and degrade developer experience. Consider wrapping the command so it becomes a no-op when bd is unavailable (e.g., shell-check command -v bd before running) or using whatever conditional/optional mechanism the hooks system supports.

Comment thread AGENTS.md Outdated
Comment on lines +42 to +51
This project uses **bd (beads)** for issue tracking. Run `bd prime` to see full workflow context and commands.

### Quick Reference

```bash
bd ready # Find available work
bd show <id> # View issue details
bd update <id> --claim # Claim work
bd close <id> # Complete work
```

Copilot AI Apr 17, 2026


The Beads integration block appears duplicated across AGENTS.md and CLAUDE.md (same markers/hash). Keeping two copies of the same operational instructions increases the risk they diverge over time. Consider having a single canonical location (one file) and linking to it from the other, or generating one from the other in a documented way, so updates don’t need to be made in multiple places.

Suggested change
This project uses **bd (beads)** for issue tracking. Run `bd prime` to see full workflow context and commands.
### Quick Reference
```bash
bd ready # Find available work
bd show <id> # View issue details
bd update <id> --claim # Claim work
bd close <id> # Complete work
```
`AGENTS.md` is the canonical Beads instructions file for this repository.
For Beads commands and project-specific shell guidance, use the sections above:
- [Quick Reference](#quick-reference)
- [Non-Interactive Shell Commands](#non-interactive-shell-commands)
Run `bd prime` to see full workflow context and commands.

@MarkAtwood MarkAtwood requested a review from douzzer April 17, 2026 21:10