fix(security): widen release audit to all files in binaries/

Previously the verify job only ran scripts/security-strings.sh on
files matching binaries/codebase-memory-mcp* — install.sh, install.ps1,
LICENSE, and any future companion files in the release archives were
NOT covered by the binary-string audit (only by VirusTotal).

Changes:
- release.yml: loop over binaries/* (every file in the audit set).
- security-strings.sh: detect file type via 'file -b'. For shell
  scripts and other text files, skip the URL audit and dangerous-cmd
  audit (those rules are tuned for compiled binaries — install.sh
  legitimately uses wget as a curl fallback, and 'case https://*)'
  globs look like unauthorized URLs to a strings dump). Always run
  credential and base64 pattern audits — those are universally
  meaningful regardless of file type.
- Verified locally: install.sh and install.ps1 now both pass.

Net effect: every release artifact is now audited, with rule sets
appropriate to its file type.

Author: DeusData

.github/workflows/release.yml

@@ -197,12 +197,18 @@ jobs:
           cp install.ps1 binaries/ 2>/dev/null || true
           ls -la binaries/
 
-      - name: Security audits on all release binaries
+      - name: Security audits on all release files
         run: |
-          for bin in binaries/codebase-memory-mcp*; do
-            [ -f "$bin" ] || continue
-            echo "--- Auditing: $(basename "$bin") ---"
-            scripts/security-strings.sh "$bin"
+          # Audit every file that ships in the release archives — binaries,
+          # install scripts, LICENSE, and any future companion files.
+          # security-strings.sh detects file type and applies binary-only
+          # rules (URL allowlist, dangerous-command detection) only to real
+          # binaries; for shell scripts it still runs credential and base64
+          # pattern audits.
+          for f in binaries/*; do
+            [ -f "$f" ] || continue
+            echo "--- Auditing: $(basename "$f") ---"
+            scripts/security-strings.sh "$f"
           done
 
       - name: VirusTotal scan

scripts/security-strings.sh

@@ -20,8 +20,32 @@ fi
 
 FAIL=0
 
-echo "=== Layer 2: Binary String Audit ==="
-echo "Binary: $BINARY"
+# Detect file type. Shell scripts and other text files extract poorly via
+# `strings` (the entire content becomes the "strings"), and rules tuned for
+# compiled binaries (URL allowlist, wget/telnet detection) produce false
+# positives — install.sh legitimately uses `wget` as a curl fallback, and
+# `case` glob patterns like `https://*` look like unauthorized URLs.
+#
+# Strategy: for non-binary files we still run credential and base64 audits
+# (those are universally meaningful), but skip the URL and dangerous-command
+# audits which are designed for compiled artifacts. Script content is
+# reviewed in PRs and scanned end-to-end by VirusTotal in the same pipeline.
+IS_SCRIPT=false
+if command -v file &>/dev/null; then
+    FILE_TYPE=$(file -b "$BINARY" 2>/dev/null || echo "")
+    case "$FILE_TYPE" in
+        *"shell script"*|*"ASCII text"*|*"UTF-8 Unicode text"*|*"Unicode text"*|*"a /usr/bin/env"*)
+            IS_SCRIPT=true
+            ;;
+    esac
+fi
+
+if $IS_SCRIPT; then
+    echo "=== Layer 2: Script Content Audit ==="
+else
+    echo "=== Layer 2: Binary String Audit ==="
+fi
+echo "File: $BINARY"
 echo ""
 
 # Check for strings command (needs binutils on some MSYS2 setups)
@@ -37,8 +61,11 @@ SEC_CREDS=$(mktemp)
 trap 'rm -f "$STRINGS_FILE" "$SEC_CMDS" "$SEC_CREDS"' EXIT
 strings -n 4 "$BINARY" | sort -u > "$STRINGS_FILE"
 
-# ── 1. URL audit ─────────────────────────────────────────────────
+# ── 1. URL audit (binary only — scripts handled via VT + PR review) ────
 
+if $IS_SCRIPT; then
+    echo "--- URL audit (skipped — script file) ---"
+else
 echo "--- URL audit ---"
 
 # Allowed URL prefixes
@@ -93,6 +120,7 @@ done < <(grep -oE 'https?://[a-zA-Z0-9._/~:@!$&()*+,;=?#%[-]+' "$STRINGS_FILE" |
 if [[ $FAIL -eq 0 ]]; then
     echo "OK: All URLs are authorized."
 fi
+fi  # end !IS_SCRIPT URL audit
 
 # ── 2. Base64 payload detection ──────────────────────────────────
 
@@ -111,9 +139,13 @@ else
     echo "OK: No suspicious base64 payloads found."
 fi
 
-# ── 3. Dangerous command detection ───────────────────────────────
+# ── 3. Dangerous command detection (binary only) ─────────────────
 
 echo ""
+if $IS_SCRIPT; then
+    echo "--- Dangerous command detection (skipped — script file) ---"
+    DANGEROUS_CMDS=''
+else
 echo "--- Dangerous command detection ---"
 
 DANGEROUS_CMDS='wget|netcat|ncat|/dev/tcp|telnet'
@@ -136,6 +168,7 @@ if [ -s "$SEC_CMDS" ]; then
 else
     echo "OK: No dangerous commands found."
 fi
+fi  # end !IS_SCRIPT dangerous-cmd audit
 
 # ── 4. Credential pattern detection ──────────────────────────────