From efc53929f761125f5d7d16fcd30c138e7bf81e2e Mon Sep 17 00:00:00 2001
From: chiri <chirizxc@proton.me>
Date: Fri, 12 Jun 2026 23:08:09 +0300
Subject: [PATCH 01/14] add `assert_unchecked` to `BoundTupleIterator` and
 `BorrowedTupleIterator` `len()`

---
 src/types/tuple.rs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/types/tuple.rs b/src/types/tuple.rs
index 08256d7156d..25c63883598 100644
--- a/src/types/tuple.rs
+++ b/src/types/tuple.rs
@@ -510,6 +510,7 @@ impl DoubleEndedIterator for BoundTupleIterator<'_> {
 
 impl ExactSizeIterator for BoundTupleIterator<'_> {
     fn len(&self) -> usize {
+        unsafe { std::hint::assert_unchecked(self.index <= self.length) };
         self.length.saturating_sub(self.index)
     }
 }
@@ -608,6 +609,7 @@ impl DoubleEndedIterator for BorrowedTupleIterator<'_, '_> {
 
 impl ExactSizeIterator for BorrowedTupleIterator<'_, '_> {
     fn len(&self) -> usize {
+        unsafe { std::hint::assert_unchecked(self.index <= self.length) };
         self.length.saturating_sub(self.index)
     }
 }

From a812a1aa691f376b55b85d316d311a2d45f2821a Mon Sep 17 00:00:00 2001
From: chiri <chirizxc@proton.me>
Date: Fri, 12 Jun 2026 23:11:56 +0300
Subject: [PATCH 02/14] add SAFETY

---
 src/types/tuple.rs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/types/tuple.rs b/src/types/tuple.rs
index 25c63883598..8652f8e58a6 100644
--- a/src/types/tuple.rs
+++ b/src/types/tuple.rs
@@ -510,6 +510,7 @@ impl DoubleEndedIterator for BoundTupleIterator<'_> {
 
 impl ExactSizeIterator for BoundTupleIterator<'_> {
     fn len(&self) -> usize {
+        // SAFETY: `index <= length` is maintained by all iterator methods: `new()`, `next_back()`
         unsafe { std::hint::assert_unchecked(self.index <= self.length) };
         self.length.saturating_sub(self.index)
     }
@@ -609,6 +610,7 @@ impl DoubleEndedIterator for BorrowedTupleIterator<'_, '_> {
 
 impl ExactSizeIterator for BorrowedTupleIterator<'_, '_> {
     fn len(&self) -> usize {
+        // SAFETY: same invariant as BoundTupleIterator
         unsafe { std::hint::assert_unchecked(self.index <= self.length) };
         self.length.saturating_sub(self.index)
     }

From 738f8a5d8e6a353d9a399031832f57aa413ea114 Mon Sep 17 00:00:00 2001
From: chiri <chirizxc@proton.me>
Date: Fri, 12 Jun 2026 23:25:03 +0300
Subject: [PATCH 03/14] fix clippy

---
 src/types/tuple.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/types/tuple.rs b/src/types/tuple.rs
index 8652f8e58a6..1bac2fd620b 100644
--- a/src/types/tuple.rs
+++ b/src/types/tuple.rs
@@ -511,7 +511,7 @@ impl DoubleEndedIterator for BoundTupleIterator<'_> {
 impl ExactSizeIterator for BoundTupleIterator<'_> {
     fn len(&self) -> usize {
         // SAFETY: `index <= length` is maintained by all iterator methods: `new()`, `next_back()`
-        unsafe { std::hint::assert_unchecked(self.index <= self.length) };
+        unsafe { core::hint::assert_unchecked(self.index <= self.length) };
         self.length.saturating_sub(self.index)
     }
 }
@@ -611,7 +611,7 @@ impl DoubleEndedIterator for BorrowedTupleIterator<'_, '_> {
 impl ExactSizeIterator for BorrowedTupleIterator<'_, '_> {
     fn len(&self) -> usize {
         // SAFETY: same invariant as BoundTupleIterator
-        unsafe { std::hint::assert_unchecked(self.index <= self.length) };
+        unsafe { core::hint::assert_unchecked(self.index <= self.length) };
         self.length.saturating_sub(self.index)
     }
 }

From 33a06e62cdd93eff9be7b2cd29435afede3706b8 Mon Sep 17 00:00:00 2001
From: chiri <chirizxc@proton.me>
Date: Sat, 13 Jun 2026 00:16:23 +0300
Subject: [PATCH 04/14] more `core::hint::assert_unchecked`

---
 src/conversions/jiff.rs       | 20 ++++++++++++++++----
 src/conversions/num_bigint.rs |  5 ++++-
 src/types/list.rs             |  3 +++
 3 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/src/conversions/jiff.rs b/src/conversions/jiff.rs
index 593811f7641..d5dbe208d44 100644
--- a/src/conversions/jiff.rs
+++ b/src/conversions/jiff.rs
@@ -68,6 +68,9 @@ fn datetime_to_pydatetime<'py>(
     fold: bool,
     timezone: Option<&TimeZone>,
 ) -> PyResult<Bound<'py, PyDateTime>> {
+    let micros = datetime.subsec_nanosecond() / 1000;
+    // SAFETY: `subsec_nanosecond()` [0, 999_999_999], after / 1000 always non-negative
+    unsafe { core::hint::assert_unchecked(micros >= 0) };
     PyDateTime::new_with_fold(
         py,
         datetime.year().into(),
@@ -76,7 +79,7 @@ fn datetime_to_pydatetime<'py>(
         datetime.hour().try_into()?,
         datetime.minute().try_into()?,
         datetime.second().try_into()?,
-        (datetime.subsec_nanosecond() / 1000).try_into()?,
+        micros as u32,
         timezone
             .map(|tz| tz.into_pyobject(py))
             .transpose()?
@@ -87,10 +90,17 @@ fn datetime_to_pydatetime<'py>(
 
 #[cfg(not(Py_LIMITED_API))]
 fn pytime_to_time(time: &impl PyTimeAccess) -> PyResult<Time> {
+    // SAFETY: Python guarantees hour belongs to [0,23],
+    // minute / second belong to [0,59], all < 128
+    unsafe {
+        core::hint::assert_unchecked(time.get_hour() < 128);
+        core::hint::assert_unchecked(time.get_minute() < 128);
+        core::hint::assert_unchecked(time.get_second() < 128);
+    }
     Ok(Time::new(
-        time.get_hour().try_into()?,
-        time.get_minute().try_into()?,
-        time.get_second().try_into()?,
+        time.get_hour() as i8,
+        time.get_minute() as i8,
+        time.get_second() as i8,
         (time.get_microsecond() * 1000).try_into()?,
     )?)
 }
@@ -479,6 +489,8 @@ impl<'py> FromPyObject<'_, 'py> for Offset {
             "Offset must be between -24 hours and 24 hours but was {}h",
             total_seconds / 3600
         );
+        // SAFETY: Python `utcoffset()` is documented to return timedelta in [-24h, 24h]
+        unsafe { core::hint::assert_unchecked((total_seconds / 3600).abs() <= 24) };
         // This cast is safe since the timedelta is limited to -24 hours and 24 hours.
         Ok(Offset::from_seconds(total_seconds as i32)?)
     }
diff --git a/src/conversions/num_bigint.rs b/src/conversions/num_bigint.rs
index 2a0c101ef89..aee60770bd8 100644
--- a/src/conversions/num_bigint.rs
+++ b/src/conversions/num_bigint.rs
@@ -278,10 +278,13 @@ fn int_to_u32_vec<const SIGNED: bool>(long: &Bound<'_, PyInt>) -> PyResult<Vec<u
     let n_digits = n_bytes_unsigned.div_ceil(4);
     buffer.reserve_exact(n_digits);
     unsafe {
+        // SAFETY: `n_bytes_unsigned <= isize::MAX` (try_into above) and
+        // `n_digits * 4 <= n_bytes_unsigned + 3`
+        core::hint::assert_unchecked(n_digits * 4 <= isize::MAX as usize);
         ffi::PyLong_AsNativeBytes(
             long.as_ptr().cast(),
             buffer.as_mut_ptr().cast(),
-            (n_digits * 4).try_into().unwrap(),
+            (n_digits * 4) as isize,
             flags,
         );
         buffer.set_len(n_digits);
diff --git a/src/types/list.rs b/src/types/list.rs
index 07643c5dbc7..1594a81aedc 100644
--- a/src/types/list.rs
+++ b/src/types/list.rs
@@ -867,6 +867,9 @@ impl DoubleEndedIterator for BoundListIterator<'_> {
 
 impl ExactSizeIterator for BoundListIterator<'_> {
     fn len(&self) -> usize {
+        // SAFETY: `index.0 <= length.0` is maintained by all iterator methods:
+        // `new()`, `next_back_unchecked()`
+        unsafe { core::hint::assert_unchecked(self.index.0 <= self.length.0) };
         self.length.0.saturating_sub(self.index.0)
     }
 }

From 3019088b6d97f97702f05e658d10b13bc49bc5c9 Mon Sep 17 00:00:00 2001
From: chiri <chirizxc@proton.me>
Date: Sat, 13 Jun 2026 00:45:59 +0300
Subject: [PATCH 05/14] fix clippy

---
 src/conversions/num_bigint.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/conversions/num_bigint.rs b/src/conversions/num_bigint.rs
index aee60770bd8..7509fb7c931 100644
--- a/src/conversions/num_bigint.rs
+++ b/src/conversions/num_bigint.rs
@@ -280,7 +280,7 @@ fn int_to_u32_vec<const SIGNED: bool>(long: &Bound<'_, PyInt>) -> PyResult<Vec<u
     unsafe {
         // SAFETY: `n_bytes_unsigned <= isize::MAX` (try_into above) and
         // `n_digits * 4 <= n_bytes_unsigned + 3`
-        core::hint::assert_unchecked(n_digits * 4 <= isize::MAX as usize);
+        core::hint::assert_unchecked(isize::try_from(n_digits * 4).is_ok());
         ffi::PyLong_AsNativeBytes(
             long.as_ptr().cast(),
             buffer.as_mut_ptr().cast(),

From dfa59e78a0fb52397aede19d5e422725c2c3aac8 Mon Sep 17 00:00:00 2001
From: chiri <chirizxc@proton.me>
Date: Sat, 13 Jun 2026 00:47:26 +0300
Subject: [PATCH 06/14] fix clippy (x2)

---
 src/conversions/num_bigint.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/conversions/num_bigint.rs b/src/conversions/num_bigint.rs
index 7509fb7c931..a353acc6d9d 100644
--- a/src/conversions/num_bigint.rs
+++ b/src/conversions/num_bigint.rs
@@ -280,7 +280,8 @@ fn int_to_u32_vec<const SIGNED: bool>(long: &Bound<'_, PyInt>) -> PyResult<Vec<u
     unsafe {
         // SAFETY: `n_bytes_unsigned <= isize::MAX` (try_into above) and
         // `n_digits * 4 <= n_bytes_unsigned + 3`
-        core::hint::assert_unchecked(isize::try_from(n_digits * 4).is_ok());
+        #[expect(clippy::checked_conversions)]  
+        unsafe { std::hint::assert_unchecked(n_digits * 4 <= isize::MAX as usize) };
         ffi::PyLong_AsNativeBytes(
             long.as_ptr().cast(),
             buffer.as_mut_ptr().cast(),

From fbe8d44937287e789fff36436489c53f1cfaeaba Mon Sep 17 00:00:00 2001
From: chiri <chirizxc@proton.me>
Date: Sat, 13 Jun 2026 00:50:01 +0300
Subject: [PATCH 07/14] fmt

---
 src/conversions/num_bigint.rs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/conversions/num_bigint.rs b/src/conversions/num_bigint.rs
index a353acc6d9d..649d8481f8c 100644
--- a/src/conversions/num_bigint.rs
+++ b/src/conversions/num_bigint.rs
@@ -281,7 +281,9 @@ fn int_to_u32_vec<const SIGNED: bool>(long: &Bound<'_, PyInt>) -> PyResult<Vec<u
         // SAFETY: `n_bytes_unsigned <= isize::MAX` (try_into above) and
         // `n_digits * 4 <= n_bytes_unsigned + 3`
         #[expect(clippy::checked_conversions)]  
-        unsafe { std::hint::assert_unchecked(n_digits * 4 <= isize::MAX as usize) };
+        unsafe { 
+            std::hint::assert_unchecked(n_digits * 4 <= isize::MAX as usize) 
+        };
         ffi::PyLong_AsNativeBytes(
             long.as_ptr().cast(),
             buffer.as_mut_ptr().cast(),

From 2c4207f7d733f02b155052149f0f129ea542c721 Mon Sep 17 00:00:00 2001
From: chiri <chirizxc@proton.me>
Date: Sat, 13 Jun 2026 00:52:01 +0300
Subject: [PATCH 08/14] cargo fmt

---
 src/conversions/num_bigint.rs | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/conversions/num_bigint.rs b/src/conversions/num_bigint.rs
index 649d8481f8c..8b06afbe0d4 100644
--- a/src/conversions/num_bigint.rs
+++ b/src/conversions/num_bigint.rs
@@ -280,9 +280,9 @@ fn int_to_u32_vec<const SIGNED: bool>(long: &Bound<'_, PyInt>) -> PyResult<Vec<u
     unsafe {
         // SAFETY: `n_bytes_unsigned <= isize::MAX` (try_into above) and
         // `n_digits * 4 <= n_bytes_unsigned + 3`
-        #[expect(clippy::checked_conversions)]  
-        unsafe { 
-            std::hint::assert_unchecked(n_digits * 4 <= isize::MAX as usize) 
+        #[expect(clippy::checked_conversions)]
+        unsafe {
+            std::hint::assert_unchecked(n_digits * 4 <= isize::MAX as usize)
         };
         ffi::PyLong_AsNativeBytes(
             long.as_ptr().cast(),

From 9a881e578eab560cabf98be938112c65fd80a896 Mon Sep 17 00:00:00 2001
From: chiri <chirizxc@proton.me>
Date: Sat, 13 Jun 2026 01:12:30 +0300
Subject: [PATCH 09/14] fix clippy

---
 src/conversions/num_bigint.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/conversions/num_bigint.rs b/src/conversions/num_bigint.rs
index 8b06afbe0d4..e287f28a54c 100644
--- a/src/conversions/num_bigint.rs
+++ b/src/conversions/num_bigint.rs
@@ -282,7 +282,7 @@ fn int_to_u32_vec<const SIGNED: bool>(long: &Bound<'_, PyInt>) -> PyResult<Vec<u
         // `n_digits * 4 <= n_bytes_unsigned + 3`
         #[expect(clippy::checked_conversions)]
         unsafe {
-            std::hint::assert_unchecked(n_digits * 4 <= isize::MAX as usize)
+            core::hint::assert_unchecked(n_digits * 4 <= isize::MAX as usize)
         };
         ffi::PyLong_AsNativeBytes(
             long.as_ptr().cast(),

From 48f50c8c9b234ca04bca7ecb60c4155906361352 Mon Sep 17 00:00:00 2001
From: chiri <chirizxc@proton.me>
Date: Sat, 13 Jun 2026 10:02:18 +0300
Subject: [PATCH 10/14] fix clippy

---
 src/conversions/num_bigint.rs | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/conversions/num_bigint.rs b/src/conversions/num_bigint.rs
index e287f28a54c..9947890316a 100644
--- a/src/conversions/num_bigint.rs
+++ b/src/conversions/num_bigint.rs
@@ -281,9 +281,7 @@ fn int_to_u32_vec<const SIGNED: bool>(long: &Bound<'_, PyInt>) -> PyResult<Vec<u
         // SAFETY: `n_bytes_unsigned <= isize::MAX` (try_into above) and
         // `n_digits * 4 <= n_bytes_unsigned + 3`
         #[expect(clippy::checked_conversions)]
-        unsafe {
-            core::hint::assert_unchecked(n_digits * 4 <= isize::MAX as usize)
-        };
+        core::hint::assert_unchecked(n_digits * 4 <= isize::MAX as usize)
         ffi::PyLong_AsNativeBytes(
             long.as_ptr().cast(),
             buffer.as_mut_ptr().cast(),

From 2be97b4b39bbe9a43ea11d7bbbc4e5b7bb5c18fb Mon Sep 17 00:00:00 2001
From: chiri <chirizxc@proton.me>
Date: Sat, 13 Jun 2026 10:04:35 +0300
Subject: [PATCH 11/14] fix

---
 src/conversions/num_bigint.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/conversions/num_bigint.rs b/src/conversions/num_bigint.rs
index 9947890316a..da0638d9d40 100644
--- a/src/conversions/num_bigint.rs
+++ b/src/conversions/num_bigint.rs
@@ -281,7 +281,7 @@ fn int_to_u32_vec<const SIGNED: bool>(long: &Bound<'_, PyInt>) -> PyResult<Vec<u
         // SAFETY: `n_bytes_unsigned <= isize::MAX` (try_into above) and
         // `n_digits * 4 <= n_bytes_unsigned + 3`
         #[expect(clippy::checked_conversions)]
-        core::hint::assert_unchecked(n_digits * 4 <= isize::MAX as usize)
+        core::hint::assert_unchecked(n_digits * 4 <= isize::MAX as usize);
         ffi::PyLong_AsNativeBytes(
             long.as_ptr().cast(),
             buffer.as_mut_ptr().cast(),

From 0e8145479cfc39b2d6daa1d59b0c66152f333d5c Mon Sep 17 00:00:00 2001
From: chiri <chirizxc@proton.me>
Date: Mon, 15 Jun 2026 16:29:57 +0300
Subject: [PATCH 12/14] update

---
 src/conversions/jiff.rs | 2 --
 1 file changed, 2 deletions(-)

diff --git a/src/conversions/jiff.rs b/src/conversions/jiff.rs
index d5dbe208d44..9d2211431cc 100644
--- a/src/conversions/jiff.rs
+++ b/src/conversions/jiff.rs
@@ -489,8 +489,6 @@ impl<'py> FromPyObject<'_, 'py> for Offset {
             "Offset must be between -24 hours and 24 hours but was {}h",
             total_seconds / 3600
         );
-        // SAFETY: Python `utcoffset()` is documented to return timedelta in [-24h, 24h]
-        unsafe { core::hint::assert_unchecked((total_seconds / 3600).abs() <= 24) };
         // This cast is safe since the timedelta is limited to -24 hours and 24 hours.
         Ok(Offset::from_seconds(total_seconds as i32)?)
     }

From ed81a2c77faa66506b5c749041163e049de7eaf0 Mon Sep 17 00:00:00 2001
From: chiri <chirizxc@proton.me>
Date: Wed, 17 Jun 2026 18:13:25 +0300
Subject: [PATCH 13/14] review

---
 src/types/list.rs | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/src/types/list.rs b/src/types/list.rs
index 1594a81aedc..07643c5dbc7 100644
--- a/src/types/list.rs
+++ b/src/types/list.rs
@@ -867,9 +867,6 @@ impl DoubleEndedIterator for BoundListIterator<'_> {
 
 impl ExactSizeIterator for BoundListIterator<'_> {
     fn len(&self) -> usize {
-        // SAFETY: `index.0 <= length.0` is maintained by all iterator methods:
-        // `new()`, `next_back_unchecked()`
-        unsafe { core::hint::assert_unchecked(self.index.0 <= self.length.0) };
         self.length.0.saturating_sub(self.index.0)
     }
 }

From 33997b5e274bd79a312c1d3063b82fa932155918 Mon Sep 17 00:00:00 2001
From: chiri <chirizxc@proton.me>
Date: Wed, 17 Jun 2026 18:13:56 +0300
Subject: [PATCH 14/14] review (x2)

---
 src/types/tuple.rs | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/src/types/tuple.rs b/src/types/tuple.rs
index 1bac2fd620b..08256d7156d 100644
--- a/src/types/tuple.rs
+++ b/src/types/tuple.rs
@@ -510,8 +510,6 @@ impl DoubleEndedIterator for BoundTupleIterator<'_> {
 
 impl ExactSizeIterator for BoundTupleIterator<'_> {
     fn len(&self) -> usize {
-        // SAFETY: `index <= length` is maintained by all iterator methods: `new()`, `next_back()`
-        unsafe { core::hint::assert_unchecked(self.index <= self.length) };
         self.length.saturating_sub(self.index)
     }
 }
@@ -610,8 +608,6 @@ impl DoubleEndedIterator for BorrowedTupleIterator<'_, '_> {
 
 impl ExactSizeIterator for BorrowedTupleIterator<'_, '_> {
     fn len(&self) -> usize {
-        // SAFETY: same invariant as BoundTupleIterator
-        unsafe { core::hint::assert_unchecked(self.index <= self.length) };
         self.length.saturating_sub(self.index)
     }
 }