fix: eliminate production .unwrap() panic sites (6 → 0 bare unwraps)

hyperpolymath · claude · hyperpolymath · commit 5ea9b7418add · 2026-04-25T16:42:32.000+01:00
Converts all bare `.unwrap()` calls in production code (outside test
modules) to `.expect("static regex is valid")` for the seven OnceLock
static-regex initialisers in analyzer.rs — matches the pattern already
used for the four LazyLock initialisers at the top of the file.

Fixes the one genuine panic risk: bridge/classify.rs line 100 called
`.first().unwrap()` on `fixed_versions` inside a branch guarded by
`semver_fix_available`, but that flag being true did not guarantee a
non-empty vec. Changed to `.first().map(String::as_str).unwrap_or("unknown")`.

All 6 surviving `.expect()` calls are structurally-unreachable invariants
with descriptive messages (infallible regex init; accumulator consumed by seal()).

200/200 lib tests passing.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/src/assail/analyzer.rs b/src/assail/analyzer.rs
@@ -1638,7 +1638,7 @@ impl Analyzer {
         stats.threading_constructs += content.matches("std::thread").count();
 
         let unchecked_malloc =
-            RE_UNCHECKED_MALLOC.get_or_init(|| Regex::new(r"malloc\([^)]+\)\s*;").unwrap());
+            RE_UNCHECKED_MALLOC.get_or_init(|| Regex::new(r"malloc\([^)]+\)\s*;").expect("static regex is valid"));
         if unchecked_malloc.is_match(content) {
             weak_points.push(WeakPoint {
                 file: None,
@@ -2494,7 +2494,7 @@ impl Analyzer {
 
         // Unsafe apply
         let apply_re =
-            RE_ELIXIR_APPLY.get_or_init(|| Regex::new(r"apply\([^,]+,\s*[^,]+,").unwrap());
+            RE_ELIXIR_APPLY.get_or_init(|| Regex::new(r"apply\([^,]+,\s*[^,]+,").expect("static regex is valid"));
         if apply_re.is_match(content) {
             weak_points.push(WeakPoint {
                 file: None,
@@ -4156,7 +4156,7 @@ impl Analyzer {
         file_path: &str,
     ) -> Result<()> {
         // FFI calls (@ prefix)
-        let ffi_re = RE_PONY_FFI.get_or_init(|| Regex::new(r"@[a-zA-Z_]\w*\[").unwrap());
+        let ffi_re = RE_PONY_FFI.get_or_init(|| Regex::new(r"@[a-zA-Z_]\w*\[").expect("static regex is valid"));
         let ffi_count = ffi_re.find_iter(content).count();
         stats.unsafe_blocks += ffi_count;
 
@@ -4361,7 +4361,7 @@ impl Analyzer {
             .collect::<Vec<_>>()
             .join("\n");
         let unquoted_var =
-            RE_SHELL_UNQUOTED_VAR.get_or_init(|| Regex::new(r#"\$[A-Za-z_]\w*"#).unwrap());
+            RE_SHELL_UNQUOTED_VAR.get_or_init(|| Regex::new(r#"\$[A-Za-z_]\w*"#).expect("static regex is valid"));
         let dollar_vars = unquoted_var.find_iter(&stripped_content).count();
         // Only flag if high number of unquoted vars
         if dollar_vars > 20 {
@@ -4710,9 +4710,9 @@ impl Analyzer {
     ) -> Result<()> {
         // HTTP (insecure) URLs - should be HTTPS
         // Count http:// URLs that are NOT localhost/127.0.0.1 (those are fine)
-        let http_re = RE_HTTP_URL.get_or_init(|| Regex::new(r#"http://[a-zA-Z0-9]"#).unwrap());
+        let http_re = RE_HTTP_URL.get_or_init(|| Regex::new(r#"http://[a-zA-Z0-9]"#).expect("static regex is valid"));
         let http_localhost_re = RE_HTTP_LOCALHOST.get_or_init(|| {
-            Regex::new(r#"http://(localhost|127\.0\.0\.1|0\.0\.0\.0|\[::1\])"#).unwrap()
+            Regex::new(r#"http://(localhost|127\.0\.0\.1|0\.0\.0\.0|\[::1\])"#).expect("static regex is valid")
         });
         let http_total = http_re.find_iter(content).count();
         let http_local = http_localhost_re.find_iter(content).count();
@@ -4733,7 +4733,7 @@ impl Analyzer {
         // Hardcoded secrets patterns
         let secret_re = RE_HARDCODED_SECRET.get_or_init(|| Regex::new(
             r#"(?i)(api[_-]?key|api[_-]?secret|password|passwd|secret[_-]?key|access[_-]?token|private[_-]?key)\s*[=:]\s*["'][^"']{8,}"#
-        ).unwrap());
+        ).expect("static regex is valid"));
         if secret_re.is_match(content) {
             weak_points.push(WeakPoint {
                 file: None,
diff --git a/src/bridge/classify.rs b/src/bridge/classify.rs
@@ -97,7 +97,7 @@ fn classify_reachable(
         )
     } else if vuln.semver_fix_available {
         // Semver-compatible fix — easiest mitigation
-        let fix_version = vuln.fixed_versions.first().unwrap();
+        let fix_version = vuln.fixed_versions.first().map(String::as_str).unwrap_or("unknown");
         (
             Classification::Mitigable,
             format!(

Original file line number	Diff line number	Diff line change
`@@ -97,7 +97,7 @@ fn classify_reachable(`
`97`	`97`	`)`
`98`	`98`	`} else if vuln.semver_fix_available {`
`99`	`99`	`// Semver-compatible fix — easiest mitigation`
`100`		`- let fix_version = vuln.fixed_versions.first().unwrap();`
	`100`	`+ let fix_version = vuln.fixed_versions.first().map(String::as_str).unwrap_or("unknown");`
`101`	`101`	`(`
`102`	`102`	`Classification::Mitigable,`
`103`	`103`	`format!(`