dev: Use expect rather than allow

Cargo.toml

@@ -20,15 +20,16 @@ license = "Apache-2.0"
 repository = "https://github.com/Firma-AI/openfirma"
 
 [workspace.lints.clippy]
-pedantic = { level = "deny", priority = -1 }
+pedantic = { level = "warn", priority = -1 }
 nursery = { level = "warn", priority = -1 }
-unwrap_used = "deny"
-expect_used = "deny"
-panic = "deny"
+unwrap_used = "warn"
+expect_used = "warn"
+panic = "warn"
 missing_const_for_fn = "allow"
+allow_attributes = "warn"
 
 [workspace.lints.rust]
-unsafe_code = "deny"
+unsafe_code = "warn"
 
 [workspace.dependencies]
 anyhow = "1"

crates/firma-authority/src/authorized_clients.rs

@@ -94,7 +94,10 @@ struct AuthorizedClientsFile {
 }
 
 #[derive(Deserialize)]
-#[allow(dead_code)]
+#[expect(
+    dead_code,
+    reason = "backward-compatible TOML schema accepts metadata fields that serde deserializes even when the loader ignores them"
+)]
 struct AuthorizedEntry {
     #[serde(default)]
     cn: Option<String>,
@@ -112,7 +115,6 @@ struct ClientEntry {
 }
 
 #[cfg(test)]
-#[allow(clippy::unwrap_used, clippy::panic)]
 mod tests {
     use super::*;
     use std::io::Write as _;

crates/firma-authority/src/cedar_loader.rs

@@ -326,7 +326,6 @@ fn compute_version_hash(policies: &str, schema: &str) -> String {
 }
 
 #[cfg(test)]
-#[allow(clippy::unwrap_used, clippy::expect_used, clippy::panic)]
 mod tests {
     use super::*;
     use std::fs;

crates/firma-authority/src/config.rs

@@ -283,7 +283,6 @@ pub enum ConfigError {
 }
 
 #[cfg(test)]
-#[allow(clippy::unwrap_used, clippy::panic)]
 mod tests {
     use super::*;
 

crates/firma-authority/src/issuance.rs

@@ -109,7 +109,6 @@ pub async fn issue_capability(
 }
 
 #[cfg(test)]
-#[allow(clippy::unwrap_used, clippy::expect_used, clippy::panic)]
 mod tests {
     use super::*;
     use pasetors::keys::{AsymmetricKeyPair, Generate};

crates/firma-authority/src/revocation.rs

@@ -424,7 +424,6 @@ impl RevocationStoreWatcher {
 }
 
 #[cfg(test)]
-#[allow(clippy::unwrap_used, clippy::panic)]
 mod tests {
     use super::*;
 

crates/firma-authority/src/server.rs

@@ -239,7 +239,10 @@ where
 // Per-mode server future builders
 // ---------------------------------------------------------------------------
 
-#[allow(clippy::too_many_arguments)]
+#[expect(
+    clippy::too_many_arguments,
+    reason = "mTLS server construction needs explicit TLS paths, services, listener, and shutdown signal"
+)]
 async fn build_mtls_future<F, H>(
     cert_path: &Path,
     key_path: &Path,

crates/firma-authority/src/service.rs

@@ -528,7 +528,6 @@ pub(crate) fn clamp_ttl(requested: i32, max: i32) -> i32 {
 }
 
 #[cfg(test)]
-#[allow(clippy::unwrap_used, clippy::panic)]
 mod tests {
     use super::*;
 

crates/firma-authority/src/startup/log_contract.rs

@@ -39,7 +39,6 @@ pub fn log_ready_sequence(report: &StartupReport<'_>) {
 }
 
 #[cfg(test)]
-#[allow(clippy::unwrap_used, clippy::expect_used, clippy::panic)]
 mod tests {
     use super::*;
     use std::path::PathBuf;

crates/firma-authority/src/tls_verifier.rs

@@ -158,7 +158,6 @@ fn extract_identity(cert_der: &CertificateDer<'_>) -> Option<String> {
 }
 
 #[cfg(test)]
-#[allow(clippy::unwrap_used, clippy::panic, clippy::expect_used)]
 mod tests {
     use super::*;
     fn make_allow_list(ids: &[&str]) -> Arc<AuthorizedClientSet> {

crates/firma-config/src/provider.rs

@@ -30,7 +30,6 @@ impl DirProvider for SystemDirs {
 }
 
 #[cfg(test)]
-#[allow(clippy::unwrap_used, clippy::panic)]
 mod tests {
     use super::*;
 

crates/firma-config/src/resolver.rs

@@ -102,7 +102,6 @@ pub fn resolve_config(
 }
 
 #[cfg(test)]
-#[allow(clippy::unwrap_used, clippy::panic)]
 mod tests {
     use super::*;
     use tempfile::tempdir;

crates/firma-config/src/schema.rs

@@ -78,7 +78,6 @@ pub fn load_section(path: &Path, section: &str) -> Result<String, String> {
 }
 
 #[cfg(test)]
-#[allow(clippy::unwrap_used, clippy::panic)]
 mod tests {
     use super::*;
     use tempfile::tempdir;

crates/firma-config/tests/resolution.rs

@@ -1,8 +1,6 @@
 //! End-to-end: a sectioned firma.toml resolves and the sidecar section
 //! parses through `load_section`.
 
-#![allow(clippy::unwrap_used, clippy::panic)]
-
 use firma_config::{ConfigSource, SystemDirs, load_section, resolve_config};
 use tempfile::tempdir;
 

crates/firma-core/src/agent.rs

@@ -7,7 +7,10 @@ use serde::{Deserialize, Serialize};
 
 const AGENT_ID_PATTERN: &str = "^[a-zA-Z0-9_-]{1,128}$";
 
-#[allow(clippy::expect_used)]
+#[expect(
+    clippy::expect_used,
+    reason = "compiles a fixed AgentId regex literal that is only invalid if edited"
+)]
 static AGENT_ID_RE: LazyLock<Regex> =
     LazyLock::new(|| Regex::new(AGENT_ID_PATTERN).expect("compile-time literal pattern"));
 

crates/firma-core/src/capability_seed.rs

@@ -56,7 +56,6 @@ impl CapabilitySeed {
 }
 
 #[cfg(test)]
-#[allow(clippy::unwrap_used, clippy::expect_used, clippy::panic)]
 mod tests {
     use super::*;
     use crate::TokenId;

crates/firma-core/src/decision.rs

@@ -119,7 +119,6 @@ pub enum DenyReason {
 }
 
 #[cfg(test)]
-#[allow(clippy::unwrap_used, clippy::expect_used, clippy::panic)]
 mod tests {
     use super::*;
     use std::fmt::Display;

crates/firma-core/src/envelope.rs

@@ -279,7 +279,6 @@ pub struct ExecutionContext {
 }
 
 #[cfg(test)]
-#[allow(clippy::unwrap_used, clippy::expect_used, clippy::panic)]
 mod tests {
     use super::*;
     use chrono::Utc;

crates/firma-core/src/session.rs

@@ -7,7 +7,10 @@ use serde::{Deserialize, Serialize};
 
 const SESSION_ID_PATTERN: &str = "^[a-zA-Z0-9_-]{1,128}$";
 
-#[allow(clippy::expect_used)]
+#[expect(
+    clippy::expect_used,
+    reason = "compiles a fixed SessionId regex literal that is only invalid if edited"
+)]
 static SESSION_ID_RE: LazyLock<Regex> =
     LazyLock::new(|| Regex::new(SESSION_ID_PATTERN).expect("compile-time literal pattern"));
 

crates/firma-core/src/token.rs

@@ -189,7 +189,6 @@ pub fn matches_resource_scope(scope: &str, resource: &str) -> bool {
 }
 
 #[cfg(test)]
-#[allow(clippy::unwrap_used, clippy::expect_used, clippy::panic)]
 mod tests {
     use super::*;
     use chrono::Utc;

crates/firma-core/src/token/paseto.rs

@@ -266,7 +266,6 @@ fn extract_capability_claims(claims: &Claims) -> Result<CapabilityClaims, TokenE
 }
 
 #[cfg(test)]
-#[allow(clippy::unwrap_used)]
 mod tests {
     use super::*;
 

crates/firma-core/src/transport.rs

@@ -92,7 +92,6 @@ impl TransportView {
 }
 
 #[cfg(test)]
-#[allow(clippy::expect_used)]
 mod tests {
     use super::*;
     use crate::{ActionParams, ExecutionIntent, ExecutionMetadata, HttpMethod, HttpParams};

crates/firma-grpc-interceptor-proto/src/lib.rs

@@ -24,6 +24,10 @@
 pub mod firma {
     pub mod interceptor {
         pub mod v1 {
+            #![allow(
+                clippy::allow_attributes,
+                reason = "prost/tonic emits outer #[allow(...)] attributes in generated Rust"
+            )]
             tonic::include_proto!("firma.interceptor.v1");
         }
     }

crates/firma-run/src/authority/bootstrap.rs

@@ -118,7 +118,6 @@ pub fn persist_authority_section(path: &Path) -> Result<(), RunError> {
 }
 
 #[cfg(test)]
-#[allow(clippy::unwrap_used, clippy::expect_used, clippy::panic)]
 mod tests {
     use super::*;
     use tempfile::tempdir;

crates/firma-run/src/authority/config.rs

@@ -150,7 +150,6 @@ fn validate_connect_section(
 }
 
 #[cfg(test)]
-#[allow(clippy::unwrap_used, clippy::expect_used, clippy::panic)]
 mod tests {
     use super::*;
     use tempfile::tempdir;

crates/firma-run/src/authority/selection.rs

@@ -75,7 +75,6 @@ fn section_to_selection(s: &AuthoritySection) -> Option<AuthoritySelection> {
 }
 
 #[cfg(test)]
-#[allow(clippy::unwrap_used, clippy::expect_used, clippy::panic)]
 mod tests {
     use super::*;
     use tempfile::tempdir;

crates/firma-run/src/authority/supervisor.rs

@@ -100,7 +100,7 @@ impl AuthoritySupervisor {
     ///
     /// See the platform-stub variant of this method for the full list.
     #[cfg(unix)]
-    #[allow(
+    #[expect(
         clippy::too_many_lines,
         reason = "single linear spawn-then-scrape sequence reads more clearly inline"
     )]
@@ -397,7 +397,7 @@ fn send_sigterm(_pid: u32) {}
 const LISTENING_TOKEN: &str = "listening";
 
 #[doc(hidden)]
-#[allow(
+#[expect(
     clippy::needless_pass_by_value,
     reason = "tx is moved into the spawned thread"
 )]

crates/firma-run/src/backend/linux_bwrap.rs

@@ -37,10 +37,6 @@ impl SandboxBackend for BwrapBackend {
         BackendKind::Bwrap
     }
 
-    #[allow(
-        clippy::too_many_lines,
-        reason = "sequential preflight checks + mount assembly read more clearly inline"
-    )]
     fn prepare(&self, request: &PrepareRequest) -> Result<SandboxHandle, RunError> {
         if !cfg!(target_os = "linux") {
             return Err(RunError::UnsupportedBackend {
@@ -237,7 +233,10 @@ impl SandboxBackend for BwrapBackend {
         }
 
         #[cfg(target_os = "linux")]
-        #[allow(clippy::collection_is_never_read)]
+        #[expect(
+            clippy::collection_is_never_read,
+            reason = "keeps the seccomp file descriptor alive until bwrap inherits it"
+        )]
         let mut _seccomp_file: Option<File> = None;
         #[cfg(target_os = "linux")]
         let seccomp_path = launch

crates/firma-run/src/backend/mod.rs

@@ -83,7 +83,10 @@ impl BackendKind {
             return Self::Wsl2;
         }
 
-        #[allow(unreachable_code)]
+        #[expect(
+            unreachable_code,
+            reason = "fallback satisfies exhaustive return typing after cfg-gated platform branches"
+        )]
         Self::Bwrap
     }
 }

crates/firma-run/src/capability/guard.rs

@@ -37,12 +37,6 @@ impl Drop for CapabilityFileGuard {
 }
 
 #[cfg(test)]
-#[allow(
-    clippy::unwrap_used,
-    clippy::expect_used,
-    clippy::panic,
-    reason = "test module"
-)]
 mod tests {
     use super::*;
 

crates/firma-run/src/capability/issue.rs

@@ -170,12 +170,6 @@ fn write_seed(seed: &CapabilitySeed, out_path: &Path) -> Result<(), RunError> {
 }
 
 #[cfg(test)]
-#[allow(
-    clippy::unwrap_used,
-    clippy::expect_used,
-    clippy::panic,
-    reason = "test module"
-)]
 mod tests {
     use super::*;
     use firma_core::{CapabilityClaims, TokenId};

crates/firma-run/src/config.rs

@@ -472,7 +472,7 @@ impl ProfilePatch {
 ///
 /// Returns an error when profile resolution fails due to invalid inputs,
 /// parse errors, or resulting validation failures.
-#[allow(
+#[expect(
     clippy::too_many_lines,
     reason = "sequential profile resolution (patch merge + endpoint/selection + network + capability) reads more clearly inline"
 )]
@@ -1060,7 +1060,10 @@ mod tests {
             return BackendKind::Wsl2;
         }
 
-        #[allow(unreachable_code)]
+        #[expect(
+            unreachable_code,
+            reason = "fallback satisfies exhaustive return typing after cfg-gated platform branches"
+        )]
         BackendKind::Firecracker
     }
 

crates/firma-run/src/mediator.rs

@@ -133,7 +133,10 @@ pub fn enforce_local_command_governance(
 }
 
 /// Build and send one local-exec governance request; return the parsed response.
-#[allow(clippy::too_many_arguments)]
+#[expect(
+    clippy::too_many_arguments,
+    reason = "governance request fields are passed through as separate inputs"
+)]
 fn call_mediator(
     mediator: &CommandMediatorConfig,
     identity: &RunIdentity,
@@ -292,7 +295,13 @@ fn request_over_unix(
 
 #[cfg(target_family = "unix")]
 #[cfg(target_os = "linux")]
-#[cfg_attr(test, allow(dead_code))]
+#[cfg_attr(
+    test,
+    expect(
+        dead_code,
+        reason = "linux peer-credential validation is compiled but not exercised by unit tests"
+    )
+)]
 fn validate_unix_peer_credentials(stream: &UnixStream) -> Result<(), RunError> {
     let creds = getsockopt(stream, PeerCredentials).map_err(|error| {
         RunError::Governance(format!(