feat(engine): UBSan gate blocking + clang-tidy baseline (E2 slice 1)

[dnplkndll]

What changed

The mechanical close-out of Engine track E1's static-analysis gate: make the UBSan gate blocking and add a clang-tidy baseline. Both sanitizers are now blocking + clean; static analysis is wired and reporting.

UBSan → blocking

The advisory baseline (#14) left exactly 2 distinct UBSan sites across the entire golden suite (post-merge advisory run: 156 occurrences, timeline.h:293 ×78 and model.h:8667 ×78) — both the iterator operator* null-binding idiom: a reference formed to a null end() sentinel that's never dereferenced (same UB the standard library has for *v.end()).

• Both operator* are marked FREPPLE_NO_SANITIZE_NULL — a new __attribute__((no_sanitize("null"))) macro in utils.h (GCC/Clang, no-op in normal builds; g++ has no runtime-suppressions file so the attribute is the portable route). The full golden suite is then UBSan-clean.
• engine-ubsan.yml flips to halt_on_error=1 + abort — a new UB site now fails CI, same contract as engine-asan.yml.

Verified locally (ubuntu g++ container): the attribute compiles with no warning, 0 UBSan findings remain across the timeline/problem-list/forecast-heavy tests + the operationdependency path.

clang-tidy baseline (E1 gate item 3)

• .clang-tidy — bug-finders only: clang-analyzer-* + high-signal bugprone-*; style/readability/modernize off, plus the two noisy checks (unhandled-self-assignment, exception-escape) excluded.
• engine-clang-tidy.yml — advisory gate (parse-only, never fails), runs on PRs into modernization + push, reports findings and uploads the report.
• Baseline (full src/, 57 TUs): 54 distinct findings (the raw line count over-states it ~3× because HeaderFilterRegex re-reports a header finding per including TU). The ~10 high-signal items — NullDereference, CallAndMessage, integer-division, NewDelete, uninitialised reads — are the E2 triage work-list before the gate tightens to "no new findings".

Docs

• ubsan-baseline.md: Finding 2 resolved, gate posture → blocking.
• clang-tidy-baseline.md: new — config rationale, the real distinct-finding breakdown, advisory→blocking path.
• MODERNIZATION_PLAN.md: E1 gate — sanitizer + clang-tidy items checked (the engine review report is the one open E1 item).

Self-review fixes (2nd commit)

A bugbot-style pass on my own clang-tidy gate caught two bugs, fixed in fix(ci): clang-tidy gate - per-file logs + distinct-finding dedup:

• Interleaving: parallel clang-tidy processes shared one redirect → garbled lines. Now each TU writes its own log, then concatenated.
• Misleading count: header findings counted once per including TU → "1076" was meaningless. Now deduped to distinct findings (54) in the summary, raw shown alongside.

Validation

• -DFREPPLE_SANITIZER=undefined Debug build with the annotations: compiles clean (no attribute warning), representative suite 0 UBSan findings.
• clang-tidy: config parses, 57 TUs analyze, dedup verified end-to-end (57 TUs → 54 distinct).
• build (ubuntu24 ×2) green on the PR — macro + annotations compile in Release, golden output unchanged. The blocking engine-ubsan/engine-asan gates run post-merge on modernization (the prior advisory run already proved those were the only 2 sites).
• No UI surface in this change → no PR screenshots.

Note

Per convention, not auto-merging — needs your go-ahead. After this, E1 has just the engine review report left; E2 proper (pegging tests 2→12, structural-invariant assertions, stress baseline, clang-tidy diff-gate) is the larger follow-on.