fix(controller): clippy pedantic compliance

[kaseonedge]

Summary

• enable clippy::pedantic across the controller crate by adding the required #![allow(...)] gates, #[must_use] annotations, and by simplifying async helpers so pedantic checks pass cleanly
• tighten remediation, resource, and task modules with Option::is_none_or/Result helpers plus better logging paths while keeping the observable behaviour unchanged
• harden the Codex security runner (gitleaks allowlist, GH token fallback, safe fetch) and document the new safeguards in the Cipher implementation guide so automation can recover from locked refs or missing gh auth

Testing

• cargo fmt --all --check
• cargo clippy --all-targets --all-features -- -D warnings
• cargo test -p controller

---

Note

Enables clippy::pedantic and refactors controllers, CLI adapters, and helpers (sync constructors, #[must_use], safer APIs) to satisfy linting while preserving behavior and improving cleanup/TTL/status handling.

• CI:
  • Enable clippy pedantic in controller workflow.
• Core/Controllers:
  • Add crate-level and API #[must_use], simplify/inline helpers, prefer map_or*/is_some_and patterns.
  • Improve TTL/cleanup/status updates for CodeRun/DocsRun; avoid unnecessary retries and handle GitHub verification paths.
  • Refine remediation/label orchestration (override constants, atomic ops wiring, clearer errors).
• CLI Layer:
  • Make adapter constructors/config builders sync; reduce needless async on health/record APIs.
  • Update AdapterFactory/health monitor to non-async init/record; expose #[must_use] getters.
  • Tighten adapters (Claude/Codex/Cursor/Factory/OpenCode): static str returns, safer casts, config rendering tweaks, performance-friendly parsing.
  • Bridge/Discovery/Router/Session/Types: replace lazy_static with LazyLock, add #[must_use], cleaner conversions, smaller public surface.
• Resources/Templates:
  • Safer name generation (K8s/DNS), idempotent ConfigMap/Job handling, hook script loading; normalize tool names via Toolman catalog.
  • Client-config generation respects agent tools, drops null servers; MCP config reuse.
• GitHub/Workflow:
  • Label client rate-limit handling/atomic ops scaffolding; minor workflow resume helpers.
• Docs:
  • Add modularity & pedantic refactor plan document.
• Misc/MCP:
  • Minor borrow/option handling fixes.

^{Written by Cursor Bugbot for commit 572741f. This will update automatically on new commits. Configure here.}

[cursor]

Bug: Silent PR Conversion Corrupts State

The webhook handler silently converts invalid PR numbers to 0 using .unwrap_or(0) when calling load_state, initialize_state, and force_state. GitHub PR numbers start at 1, so 0 is invalid. If pr_number is negative, exceeds u32::MAX/i32::MAX, or conversion fails, multiple invalid PRs will collide on PR #0, corrupting remediation state. The handler should validate pr_number is positive and within valid range before processing, returning BAD_REQUEST for invalid values rather than silently defaulting to 0.