improve: globalize deny(unsafe_code)

Author: evansims

crates/inferadb-control-api/src/handlers/auth.rs

@@ -397,13 +397,13 @@ pub async fn logout(
     jar: CookieJar,
 ) -> Result<(CookieJar, Json<LogoutResponse>)> {
     // Get session ID from cookie
-    if let Some(cookie) = jar.get(SESSION_COOKIE_NAME) {
-        if let Ok(session_id) = cookie.value().parse::<i64>() {
-            let repos = RepositoryContext::new((*state.storage).clone());
-            // Revoke session
-            // Ignore errors if session doesn't exist
-            let _ = repos.user_session.revoke(session_id).await;
-        }
+    if let Some(cookie) = jar.get(SESSION_COOKIE_NAME)
+        && let Ok(session_id) = cookie.value().parse::<i64>()
+    {
+        let repos = RepositoryContext::new((*state.storage).clone());
+        // Revoke session
+        // Ignore errors if session doesn't exist
+        let _ = repos.user_session.revoke(session_id).await;
     }
 
     // Remove session cookie

crates/inferadb-control-api/src/handlers/organizations.rs

@@ -703,18 +703,17 @@ pub async fn create_invitation(
     }
 
     // Check if user with this email already exists and is a member
-    if let Some(existing_email) = repos.user_email.get_by_email(&payload.email).await? {
-        if repos
+    if let Some(existing_email) = repos.user_email.get_by_email(&payload.email).await?
+        && repos
             .org_member
             .get_by_org_and_user(org_ctx.organization_id, existing_email.user_id)
             .await?
             .is_some()
-        {
-            return Err(CoreError::AlreadyExists(
-                "User is already a member of this organization".to_string(),
-            )
-            .into());
-        }
+    {
+        return Err(CoreError::AlreadyExists(
+            "User is already a member of this organization".to_string(),
+        )
+        .into());
     }
 
     // Check for existing invitation

crates/inferadb-control-api/src/handlers/users.rs

@@ -99,14 +99,14 @@ pub async fn delete_user(
         if membership.role == inferadb_control_core::entities::OrganizationRole::Owner {
             // Check if this user is the only owner
             let owner_count = repos.org_member.count_owners(membership.organization_id).await?;
-            if owner_count <= 1 {
-                if let Some(org) = repos.org.get(membership.organization_id).await? {
-                    return Err(CoreError::Validation(format!(
-                        "Cannot delete account while being the only owner of organization '{}'. Please transfer ownership or delete the organization first.",
-                        org.name
-                    ))
-                    .into());
-                }
+            if owner_count <= 1
+                && let Some(org) = repos.org.get(membership.organization_id).await?
+            {
+                return Err(CoreError::Validation(format!(
+                    "Cannot delete account while being the only owner of organization '{}'. Please transfer ownership or delete the organization first.",
+                    org.name
+                ))
+                .into());
             }
         }
     }

crates/inferadb-control-api/src/lib.rs

@@ -1,5 +1,7 @@
 // REST API handlers and routes
 
+#![deny(unsafe_code)]
+
 use std::sync::Arc;
 
 use inferadb_control_core::{ControlConfig, startup};

crates/inferadb-control-api/src/middleware/engine_auth.rs

@@ -76,10 +76,10 @@ impl JwksCache {
         // Check cache first
         {
             let cache = self.jwks.read().await;
-            if let Some((jwks, cached_at)) = cache.as_ref() {
-                if cached_at.elapsed() < self.ttl {
-                    return Ok(jwks.clone());
-                }
+            if let Some((jwks, cached_at)) = cache.as_ref()
+                && cached_at.elapsed() < self.ttl
+            {
+                return Ok(jwks.clone());
             }
         }
 

crates/inferadb-control-config/src/lib.rs

@@ -26,6 +26,8 @@
 //! The control service reads its configuration from the `control:` section. Any `engine:` section
 //! is ignored by control (and vice versa when engine reads the same file).
 
+#![deny(unsafe_code)]
+
 pub mod refresh;
 
 use std::path::Path;

crates/inferadb-control-const/src/lib.rs

@@ -8,6 +8,8 @@
 //! - Business limit constants (max sessions, passkeys, organizations)
 //! - Rate limit category identifiers
 
+#![deny(unsafe_code)]
+
 pub mod auth;
 pub mod duration;
 pub mod limits;

crates/inferadb-control-core/src/lib.rs

@@ -1,3 +1,5 @@
+#![deny(unsafe_code)]
+
 // Re-export configuration from dedicated config crate
 pub use inferadb_control_config as config;
 pub use inferadb_control_config::{ConfigRefresher, ControlConfig};

crates/inferadb-control-discovery/src/lib.rs

@@ -9,6 +9,8 @@
 //! - **Static**: Use service URL directly (no discovery)
 //! - **Kubernetes**: Discover pod IPs from Kubernetes Endpoints API
 
+#![deny(unsafe_code)]
+
 use std::fmt;
 
 use async_trait::async_trait;

crates/inferadb-control-engine-client/src/client.rs

@@ -230,11 +230,11 @@ impl EngineClient {
         // Check cache first
         {
             let cache = self.endpoint_cache.read();
-            if let Some(cached) = cache.as_ref() {
-                if cached.is_valid() {
-                    debug!(count = cached.endpoints.len(), "Using cached engine endpoints");
-                    return cached.endpoints.clone();
-                }
+            if let Some(cached) = cache.as_ref()
+                && cached.is_valid()
+            {
+                debug!(count = cached.endpoints.len(), "Using cached engine endpoints");
+                return cached.endpoints.clone();
             }
         }