fix: add unsafe code guardrails

CHANGELOG.md

@@ -149,6 +149,12 @@ of the new YAML fields below until the version that ships them.
   snippets instead of illustrative API fragments.
   ([docs/architecture.md], [docs/audit-log.md], [docs/cache-reserve.md])
 
+- **Unsafe-code drift guardrails.** Crates that do not need unsafe now
+  forbid it at the crate root, while `sbproxy-vault` explicitly allows
+  its narrowly-scoped volatile zeroization unsafe with an inline
+  justification.
+  ([crates/sbproxy-*/src/lib.rs])
+
 - **AI client retry resilience.** `MemoryBatchStore` now uses
   `parking_lot::Mutex` so a panic in one worker cannot poison the
   in-memory batch map for every later operation. Provider retries now

crates/sbproxy-ai/src/lib.rs

@@ -1,5 +1,6 @@
 //! sbproxy-ai: AI gateway with provider routing, streaming, and guardrails.
 
+#![forbid(unsafe_code)]
 #![warn(missing_docs)]
 
 pub mod ai_metrics;

crates/sbproxy-cache/src/lib.rs

@@ -1,5 +1,6 @@
 //! sbproxy-cache: Response cache and object cache management.
 
+#![forbid(unsafe_code)]
 #![warn(missing_docs)]
 
 pub mod reserve;

crates/sbproxy-classifiers/src/lib.rs

@@ -32,6 +32,7 @@
 //! place it behind an [`std::sync::Arc`] and share it across worker
 //! threads without an outer lock.
 
+#![forbid(unsafe_code)]
 #![deny(missing_docs)]
 
 pub mod agent_class;

crates/sbproxy-config/src/lib.rs

@@ -5,6 +5,7 @@
 //! - Intermediate representation ([`raw`])
 //! - Compiling configs into immutable, performance-optimized snapshots ([`snapshot`], [`compiler`])
 
+#![forbid(unsafe_code)]
 #![warn(missing_docs)]
 
 pub mod compiler;

crates/sbproxy-core/src/lib.rs

@@ -8,6 +8,7 @@
 //! - [`server::SbProxy`] - Pingora `ProxyHttp` implementation
 //! - [`server::run`] - Server entry point
 
+#![forbid(unsafe_code)]
 #![warn(missing_docs)]
 
 pub mod admin;

crates/sbproxy-extension/src/lib.rs

@@ -4,6 +4,7 @@
 //! sbproxy for conditional logic in routing, access control, and policy
 //! enforcement.
 
+#![forbid(unsafe_code)]
 #![warn(missing_docs)]
 
 pub mod cel;

crates/sbproxy-httpkit/src/lib.rs

@@ -1,5 +1,6 @@
 //! sbproxy-httpkit: HTTP utilities, buffer pool, and compression.
 
+#![forbid(unsafe_code)]
 #![warn(missing_docs)]
 
 pub mod bufferpool;

crates/sbproxy-k8s-operator/src/lib.rs

@@ -24,6 +24,7 @@
 //! triple and applies it server-side. Config changes trigger a rollout-restart
 //! by stamping `sbproxy.dev/config-hash` on the Deployment's pod template.
 
+#![forbid(unsafe_code)]
 #![deny(missing_docs)]
 
 /// CRD type definitions.

crates/sbproxy-k8s-operator/src/main.rs

@@ -6,6 +6,7 @@
 //!
 //! See `docs/kubernetes.md` for end-user instructions.
 
+#![forbid(unsafe_code)]
 #![deny(missing_docs)]
 
 use std::sync::Arc;

crates/sbproxy-middleware/src/lib.rs

@@ -1,5 +1,6 @@
 //! sbproxy-middleware: CORS, HSTS, compression, callback, and header modifier middleware.
 
+#![forbid(unsafe_code)]
 #![warn(missing_docs)]
 
 pub mod callback;

crates/sbproxy-modules/src/lib.rs

@@ -5,6 +5,7 @@
 //! The `Plugin` variant on each enum is the only case that falls back to
 //! dynamic dispatch for third-party extensions.
 
+#![forbid(unsafe_code)]
 #![warn(missing_docs)]
 
 pub mod action;

crates/sbproxy-observe/src/lib.rs

@@ -1,5 +1,6 @@
 //! sbproxy-observe: Observability - logging, metrics, and events.
 
+#![forbid(unsafe_code)]
 #![warn(missing_docs)]
 
 pub mod access_log;

crates/sbproxy-openapi/src/lib.rs

@@ -26,6 +26,7 @@
 //! `x-sbproxy-auth-type` extension and skip the `security` requirement so
 //! the doc still validates.
 
+#![forbid(unsafe_code)]
 #![warn(missing_docs)]
 
 use sbproxy_config::{CompiledConfig, RawForwardRule};

crates/sbproxy-platform/src/lib.rs

@@ -1,6 +1,7 @@
 //! sbproxy-platform: Storage, messenger, circuit breaker, DNS, health checks,
 //! and network protocol utilities.
 
+#![forbid(unsafe_code)]
 #![warn(missing_docs)]
 
 pub mod adaptive_breaker;

crates/sbproxy-plugin/src/lib.rs

@@ -9,6 +9,7 @@
 //! - [`identity`] - Identity, classification, and anomaly hook surface.
 //! - [`audit`] - Admin-action audit emitter trait surface.
 
+#![forbid(unsafe_code)]
 #![warn(missing_docs)]
 
 pub mod audit;

crates/sbproxy-security/src/lib.rs

@@ -1,5 +1,6 @@
 //! sbproxy-security: Cryptography, IP utilities, host filtering, PII masking, and SSRF protection.
 
+#![forbid(unsafe_code)]
 #![warn(missing_docs)]
 
 #[cfg(feature = "agent-class")]

crates/sbproxy-tls/src/lib.rs

@@ -1,5 +1,6 @@
 //! TLS, ACME auto-cert, and HTTP/3 support for sbproxy.
 
+#![forbid(unsafe_code)]
 #![warn(missing_docs)]
 
 pub mod acme;

crates/sbproxy-transport/src/lib.rs

@@ -4,6 +4,7 @@
 //! rate limiting, self-tuning connection pools, and request deduplication
 //! for the proxy transport layer.
 
+#![forbid(unsafe_code)]
 #![warn(missing_docs)]
 
 pub mod auto_pool;

crates/sbproxy-vault/src/lib.rs

@@ -1,5 +1,7 @@
 //! sbproxy-vault: Secret management and secure variable interpolation.
 
+#![allow(unsafe_code)]
+// Volatile zeroization uses narrowly-scoped unsafe writes so secrets are not optimized away.
 #![warn(missing_docs)]
 
 pub mod convergent;

crates/sbproxy/src/main.rs

@@ -4,6 +4,7 @@
 //! mimalloc allocator, parses CLI args, and hands the config path to
 //! [`sbproxy_core::run`]. All real work happens in the workspace crates.
 
+#![forbid(unsafe_code)]
 #![warn(missing_docs)]
 
 use std::env;