feat(#84): clippy::unwrap_used/expect_used guard for the Rust SDK #5

Merged
buildagent merged 1 commit from fix/84-unwrap-used-guard into main 2026-05-29 08:58:33 +02:00
Member

Summary

Final crate of the runtime-side #84 panic-guard rollout (ixt-core → host/cli/bundle/codegen → SDK). The MIT SDK is what module authors build against, so a bare .unwrap() that fires inside it crashes their module — exactly the panic-on-bug surface #84 closes.

Changes

  • #![warn(clippy::unwrap_used, clippy::expect_used)] at the crate root (src/lib.rs). The SDK CI gate is cargo clippy -- -D warnings, so these are effectively deny.
  • New clippy.toml with allow-unwrap-in-tests / allow-expect-in-tests (mirrors the superproject) — test code may panic freely.
  • The 4 generated *_capnp.rs modules (module/services/ipc_services/ipc_streaming) get explicit #[allow(clippy::unwrap_used, clippy::expect_used)] — clippy::all does not cover restriction-group lints, so the existing #[allow(clippy::all)] was insufficient.

Production-path fixes

| Site | Fix |
|---|---|
| `conversions.rs::response_from_capnp` (8 sites) | `.expect()` on Cap'n Proto `Result` decode → `?`-propagated as `IxtError::internal`. The fn already returns `Result` and carried inline `// TODO: Replace expects with proper error handling`. A malformed `Response` on the wire now returns an error instead of crashing the module. |
| `types.rs::SessionToken` (2 sites) | `SystemTime::now().duration_since(UNIX_EPOCH).unwrap()` → `unwrap_or_default()`; a pre-epoch clock is impossible and `ZERO` is a safe non-panicking fallback. |

One ALLOW-with-reason

ffi_services.rs::capnp_serialize — writing a capnp message into an in-memory Vec<u8> is infallible except on OOM (which aborts anyway).

Test plan

  • cargo clippy -- -D warnings (SDK CI gate) GREEN
  • cargo clippy --all-targets -- -D warnings GREEN
  • cargo test --lib — 24/24 pass
  • cargo check --all-targets clean (examples build)
  • cargo fmt --all --check clean

Lockstep: superproject submodule pin bumps to this branch's merge commit after merge. Closes the SDK leg of #84.

🤖 Generated with Claude Code

Mirrors the runtime-side #84 guard (ixt-core/host/cli/bundle/codegen) on
the MIT SDK that module authors build against — a bare `.unwrap()` that
fires inside the SDK crashes their module.

- `#![warn(clippy::unwrap_used, clippy::expect_used)]` at the crate root
  (src/lib.rs); the SDK's own CI runs `cargo clippy -- -D warnings`, so
  these are effectively deny.
- New `clippy.toml` with `allow-unwrap-in-tests` / `allow-expect-in-tests`
  (mirrors the superproject) so test code may panic freely.
- Generated `*_capnp.rs` modules (module/services/ipc_services/
  ipc_streaming) get explicit `#[allow(clippy::unwrap_used,
  clippy::expect_used)]` — `clippy::all` does not cover restriction lints.

Production-path fixes:
- `conversions.rs::response_from_capnp` — 8 `.expect()` on Cap'n Proto
  Result decode → `?`-propagated as `IxtError::internal` (the fn already
  returns `Result`; the inline TODOs asked for exactly this). A malformed
  Response on the wire now returns an error instead of crashing the module.
- `types.rs::SessionToken` (2 sites) — `SystemTime::duration_since(UNIX_EPOCH)
  .unwrap()` → `unwrap_or_default()`; a pre-epoch clock is impossible and
  ZERO is a safe non-panicking fallback.

One ALLOW-with-reason: `ffi_services.rs::capnp_serialize` — writing into an
in-memory `Vec` is infallible except on OOM.

cargo clippy -- -D warnings (SDK CI gate) GREEN; cargo clippy --all-targets
-- -D warnings GREEN; 24 lib tests pass; fmt clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
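
The two production-path fixes described above, shown as an added example that is not code from this PR or from the SDK. The `IxtError` struct, the `Response` fields, the byte layout and the function names `response_from_wire` / `secs_since_epoch` are assumptions made for illustration; the real SDK decodes Cap'n Proto messages.

```rust
use std::time::{Duration, SystemTime, UNIX_EPOCH};

/// Hypothetical stand-in for the SDK error type; only the name
/// `IxtError::internal` comes from the PR description.
#[derive(Debug, PartialEq)]
pub struct IxtError(pub String);

impl IxtError {
    pub fn internal(msg: impl Into<String>) -> Self {
        IxtError(msg.into())
    }
}

#[derive(Debug, PartialEq)]
pub struct Response {
    pub status: u16,
    pub body: String,
}

/// Decode a constructed frame: [status u16 BE][len u16 BE][body, UTF-8].
/// Every fallible step is `?`-propagated, so malformed input is an `Err`.
/// The PR enables these lints crate-wide in src/lib.rs; here they are per-item.
#[warn(clippy::unwrap_used, clippy::expect_used)]
pub fn response_from_wire(buf: &[u8]) -> Result<Response, IxtError> {
    let hdr = buf
        .get(..4)
        .ok_or_else(|| IxtError::internal("truncated header"))?;
    let status = u16::from_be_bytes([hdr[0], hdr[1]]);
    let len = usize::from(u16::from_be_bytes([hdr[2], hdr[3]]));
    let raw = buf
        .get(4..4 + len)
        .ok_or_else(|| IxtError::internal("body shorter than declared length"))?;
    let body = std::str::from_utf8(raw)
        .map_err(|e| IxtError::internal(format!("body is not UTF-8: {}", e)))?;
    Ok(Response { status, body: body.to_owned() })
}

/// Seconds since the Unix epoch; a clock before the epoch yields 0, no panic.
#[warn(clippy::unwrap_used, clippy::expect_used)]
pub fn secs_since_epoch(now: SystemTime) -> u64 {
    now.duration_since(UNIX_EPOCH).unwrap_or_default().as_secs()
}

fn main() {
    // Constructed inputs: one valid frame, one that declares 5 bytes but has 2.
    println!("{:?}", response_from_wire(b"\x00\xc8\x00\x02ok"));
    println!("{:?}", response_from_wire(b"\x00\xc8\x00\x05ok"));
    println!("{}", secs_since_epoch(UNIX_EPOCH - Duration::from_secs(1)));
}
```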
Reference
h-dv/ixt-sdk-rust!5