fix(security): audit — fix RUSTSEC vulns, clippy warnings, dead code (#769)

- Upgrade openssl to 0.10.78 (CVE-2026-41676), jsonwebtoken to 9.4
- Suppress unmaintained-only/no-CVE advisories in .cargo/audit.toml
  with per-entry rationale
- Fix all `cargo clippy --all-targets -- -D warnings` errors across
  35 crates: derivable_impls, needless_range_loop, map_or→is_some_and/
  is_none_or, await_holding_lock (drop MutexGuard before .await),
  ptr_arg (&mut Vec→&mut [T]), useless_conversion, approximate_constant
  (2.718→E, 3.14→PI), field_reassign_with_default, manual_inspect,
  useless_vec, lines_filter_map_ok, print_literal, dead_code
- Apply `cargo fmt --all`
- Pre-existing test failure in wifi-densepose-signal
  (test_estimate_occupancy_noise_only) is not introduced by this PR

v2/crates/cog-pose-estimation/src/config.rs

@@ -41,8 +41,8 @@ fn default_min_confidence() -> f32 {
 
 impl CogConfig {
     pub fn load(path: &Path) -> Result<Self, ConfigError> {
-        let raw = std::fs::read_to_string(path)
-            .map_err(|e| ConfigError::Read(path.to_path_buf(), e))?;
+        let raw =
+            std::fs::read_to_string(path).map_err(|e| ConfigError::Read(path.to_path_buf(), e))?;
         let cfg: CogConfig =
             serde_json::from_str(&raw).map_err(|e| ConfigError::Parse(path.to_path_buf(), e))?;
         Ok(cfg)

v2/crates/cog-pose-estimation/src/inference.rs

@@ -64,27 +64,51 @@ impl PoseNet {
             56,
             64,
             3,
-            Conv1dConfig { padding: 1, stride: 1, dilation: 1, groups: 1, ..Default::default() },
+            Conv1dConfig {
+                padding: 1,
+                stride: 1,
+                dilation: 1,
+                groups: 1,
+                ..Default::default()
+            },
             enc.pp("c1"),
         )?;
         let c2 = candle_nn::conv1d(
             64,
             128,
             3,
-            Conv1dConfig { padding: 2, stride: 1, dilation: 2, groups: 1, ..Default::default() },
+            Conv1dConfig {
+                padding: 2,
+                stride: 1,
+                dilation: 2,
+                groups: 1,
+                ..Default::default()
+            },
             enc.pp("c2"),
         )?;
         let c3 = candle_nn::conv1d(
             128,
             128,
             3,
-            Conv1dConfig { padding: 4, stride: 1, dilation: 4, groups: 1, ..Default::default() },
+            Conv1dConfig {
+                padding: 4,
+                stride: 1,
+                dilation: 4,
+                groups: 1,
+                ..Default::default()
+            },
             enc.pp("c3"),
         )?;
         let fc1 = candle_nn::linear(128, 256, head.pp("fc1"))?;
         let fc2 = candle_nn::linear(256, 34, head.pp("fc2"))?;
 
-        Ok(Self { c1, c2, c3, fc1, fc2 })
+        Ok(Self {
+            c1,
+            c2,
+            c3,
+            fc1,
+            fc2,
+        })
     }
 
     /// Forward pass: `[B, 56, 20]` -> `[B, 34]` in `[0, 1]`.

v2/crates/cog-pose-estimation/src/main.rs

@@ -89,14 +89,10 @@ fn cmd_manifest() -> Result<(), Box<dyn std::error::Error>> {
 
 fn cmd_health() -> Result<(), Box<dyn std::error::Error>> {
     let engine = InferenceEngine::new()?;
-    let synthetic = SyntheticInput::default();
+    let synthetic = SyntheticInput;
     let out = engine.infer(&synthetic.as_window())?;
     if out.is_finite() {
-        emit_event(&Event::health_ok(
-            COG_ID,
-            engine.backend(),
-            out.confidence,
-        ));
+        emit_event(&Event::health_ok(COG_ID, engine.backend(), out.confidence));
         Ok(())
     } else {
         Err("inference produced non-finite output".into())

v2/crates/cog-pose-estimation/tests/smoke.rs

@@ -4,13 +4,15 @@
 //! depend on a trained safetensors blob that doesn't live in-repo yet.
 
 use cog_pose_estimation::{
-    inference::{InferenceEngine, SyntheticInput, INPUT_SUBCARRIERS, INPUT_TIMESTEPS, OUTPUT_KEYPOINTS},
+    inference::{
+        InferenceEngine, SyntheticInput, INPUT_SUBCARRIERS, INPUT_TIMESTEPS, OUTPUT_KEYPOINTS,
+    },
     manifest::ManifestSpec,
 };
 
 #[test]
 fn synthetic_window_has_correct_shape() {
-    let syn = SyntheticInput::default();
+    let syn = SyntheticInput;
     let window = syn.as_window();
     assert_eq!(window.data.len(), INPUT_SUBCARRIERS * INPUT_TIMESTEPS);
 }
@@ -18,17 +20,20 @@ fn synthetic_window_has_correct_shape() {
 #[test]
 fn engine_produces_finite_output_for_synthetic_input() {
     let engine = InferenceEngine::new().expect("engine init");
-    let out = engine
-        .infer(&SyntheticInput::default().as_window())
-        .expect("infer");
-    assert!(out.is_finite(), "synthetic input must produce finite output");
+    let out = engine.infer(&SyntheticInput.as_window()).expect("infer");
+    assert!(
+        out.is_finite(),
+        "synthetic input must produce finite output"
+    );
     assert_eq!(out.keypoints.len(), OUTPUT_KEYPOINTS * 2);
 }
 
 #[test]
 fn engine_rejects_wrong_shape_input() {
     let engine = InferenceEngine::new().expect("engine init");
-    let bad = cog_pose_estimation::inference::CsiWindow { data: vec![0.0; 10] };
+    let bad = cog_pose_estimation::inference::CsiWindow {
+        data: vec![0.0; 10],
+    };
     assert!(engine.infer(&bad).is_err());
 }
 
@@ -47,14 +52,15 @@ fn real_weights_load_when_available() {
         "expected real Candle backend, got {}",
         engine.backend()
     );
-    let out = engine
-        .infer(&SyntheticInput::default().as_window())
-        .expect("infer");
+    let out = engine.infer(&SyntheticInput.as_window()).expect("infer");
     assert!(out.is_finite());
     // Real model emits the published validation PCK@50 as its self-reported
     // confidence — stub returns 0.0. This is the key assertion that proves
     // the cog isn't silently falling back to the stub.
-    assert!(out.confidence > 0.0, "real model should emit non-zero confidence");
+    assert!(
+        out.confidence > 0.0,
+        "real model should emit non-zero confidence"
+    );
 }
 
 #[test]