feat: repo hardening — RAII terminal guard, cargo-deny, 67 new tests (#40)

* feat: repo hardening — RAII terminal guard, cargo-deny, 67 new tests

RAII Terminal Guard:
- terminal::init() now returns TerminalGuard with Drop impl
- Automatic cleanup on panic/early-return — no more wedged terminals
- All 6 TUI apps migrated to guard pattern

cargo-deny:
- deny.toml: advisory denial, permissive license allowlist, copyleft
  denial, duplicate crate warnings, source restrictions
- .github/workflows/deny.yml: CI enforcement on push + PRs

Tests (67 new, 281 total):
- resq-dsa: 46 new tests across all 5 modules (bloom, count_min,
  graph, heap, trie) covering edge cases, invariants, and error paths
- resq-tui: 21 new tests for format_bytes, format_duration,
  centered_rect, Theme::default, and SPINNER_FRAMES

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Update crates/resq-tui/src/terminal.rs

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Signed-off-by: ResQ <engineer@resq.software>

* fix: address all PR review feedback — clippy, deny.toml, terminal safety

CI fixes:
- Fix clippy approx_constant (3.14 → 3.25), pedantic casts (as → From),
  format strings, and always-true comparisons across test code
- Fix deny.toml: use advisories v2 format, deny wildcards, scope
  allow-org to resq-software only

Terminal safety:
- Add #[must_use] on TerminalGuard
- Clean up partial init on failure (restore if Terminal::new errors)
- run_loop accepts &mut Term for flexibility (Deref still works)
- Health-checker: unconditional DisableMouseCapture cleanup on all paths

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use restore() for consistent cleanup on EnterAlternateScreen failure

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Signed-off-by: ResQ <engineer@resq.software>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: ResQ <engineer@resq.software>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

Author: 4 people

.github/workflows/deny.yml

@@ -0,0 +1,29 @@
+# Copyright 2026 ResQ
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: cargo-deny
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+
+jobs:
+  cargo-deny:
+    name: cargo-deny
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+      - uses: EmbarkStudios/cargo-deny-action@v2

crates/resq-clean/src/main.rs

@@ -190,10 +190,8 @@ async fn main() -> Result<()> {
     let mut app = App::new(root, args.dry_run);
     app.scan();
 
-    let mut terminal = terminal::init()?;
-    let result = terminal::run_loop(&mut terminal, 100, &mut app);
-    terminal::restore();
-    result
+    let mut guard = terminal::init()?;
+    terminal::run_loop(&mut guard, 100, &mut app)
 }
 
 fn draw_ui(f: &mut Frame, app: &mut App) {

crates/resq-deploy/src/main.rs

@@ -263,10 +263,8 @@ async fn main() -> anyhow::Result<()> {
     let mut app = App::new(args.env, args.k8s, project_root);
     app.refresh_status();
 
-    let mut term = terminal::init()?;
-    let result = terminal::run_loop(&mut term, 50, &mut app);
-    terminal::restore();
-    result
+    let mut guard = terminal::init()?;
+    terminal::run_loop(&mut guard, 50, &mut app)
 }
 
 fn draw_ui(f: &mut Frame, app: &mut App) {

crates/resq-dsa/src/bloom.rs

@@ -286,4 +286,93 @@ mod tests {
         bf.add("");
         assert!(bf.has(""));
     }
+
+    #[test]
+    fn false_positive_rate_within_bounds() {
+        let capacity = 10_000;
+        let target_fpr = 0.05;
+        let mut bf = BloomFilter::new(capacity, target_fpr);
+
+        // Insert `capacity` items
+        for i in 0..capacity {
+            bf.add(format!("present-{i}"));
+        }
+
+        // Check a disjoint set of items that were NOT inserted
+        let test_count = 50_000;
+        let mut false_positives = 0;
+        for i in 0..test_count {
+            if bf.has(format!("absent-{i}")) {
+                false_positives += 1;
+            }
+        }
+
+        let observed_fpr = f64::from(false_positives) / f64::from(test_count);
+        // Allow 2x the target rate as headroom for hash quality variance
+        assert!(
+            observed_fpr < target_fpr * 2.0,
+            "Observed FPR {observed_fpr:.4} exceeds 2x target {target_fpr}"
+        );
+    }
+
+    #[test]
+    fn empty_filter_has_returns_false() {
+        let bf = BloomFilter::new(100, 0.01);
+        assert!(!bf.has("anything"));
+        assert!(!bf.has(""));
+        assert!(!bf.has(b"bytes" as &[u8]));
+    }
+
+    #[test]
+    fn single_item_insert_and_query() {
+        let mut bf = BloomFilter::new(1000, 0.01);
+        bf.add("only-one");
+        assert!(bf.has("only-one"));
+        assert_eq!(bf.len(), 1);
+        assert!(!bf.is_empty());
+    }
+
+    #[test]
+    fn clear_then_has_returns_false() {
+        let mut bf = BloomFilter::new(100, 0.01);
+        bf.add("x");
+        bf.add("y");
+        assert!(bf.has("x"));
+        bf.clear();
+        assert!(!bf.has("x"));
+        assert!(!bf.has("y"));
+        assert_eq!(bf.len(), 0);
+        assert!(bf.is_empty());
+    }
+
+    #[test]
+    fn duplicate_add_does_not_corrupt() {
+        let mut bf = BloomFilter::new(100, 0.01);
+        bf.add("dup");
+        bf.add("dup");
+        bf.add("dup");
+        assert!(bf.has("dup"));
+        // Count tracks calls, not unique items
+        assert_eq!(bf.len(), 3);
+    }
+
+    #[test]
+    fn from_raw_params_minimal() {
+        // Smallest possible filter: 1 bit, 1 hash
+        let mut bf = BloomFilter::from_raw_params(1, 1);
+        bf.add("a");
+        assert!(bf.has("a"));
+    }
+
+    #[test]
+    #[should_panic(expected = "bit_count must be > 0")]
+    fn from_raw_params_zero_bits_panics() {
+        let _ = BloomFilter::from_raw_params(0, 1);
+    }
+
+    #[test]
+    #[should_panic(expected = "hash_count must be > 0")]
+    fn from_raw_params_zero_hashes_panics() {
+        let _ = BloomFilter::from_raw_params(1, 0);
+    }
 }

crates/resq-dsa/src/count_min.rs

@@ -219,4 +219,101 @@ mod tests {
         cms.increment(b"sensor" as &[u8], 3);
         assert!(cms.estimate(b"sensor" as &[u8]) >= 3);
     }
+
+    #[test]
+    fn never_undercounts() {
+        let mut cms = CountMinSketch::new(0.01, 0.01);
+        // Insert many different keys and verify each estimate >= actual count
+        for i in 0..200 {
+            let key = format!("key-{i}");
+            let count = u64::try_from(i).unwrap() + 1;
+            cms.increment(&key, count);
+            assert!(
+                cms.estimate(&key) >= count,
+                "Undercount detected for {key}: estimate {} < actual {count}",
+                cms.estimate(&key)
+            );
+        }
+    }
+
+    #[test]
+    fn zero_increment_does_not_change_estimate() {
+        let mut cms = CountMinSketch::new(0.01, 0.01);
+        cms.increment("k", 0);
+        assert_eq!(cms.estimate("k"), 0);
+    }
+
+    #[test]
+    fn zero_increment_after_nonzero() {
+        let mut cms = CountMinSketch::new(0.01, 0.01);
+        cms.increment("k", 5);
+        cms.increment("k", 0);
+        assert!(cms.estimate("k") >= 5);
+    }
+
+    #[test]
+    fn very_large_counts() {
+        let mut cms = CountMinSketch::new(0.01, 0.01);
+        let large = u64::MAX / 2;
+        cms.increment("big", large);
+        assert!(cms.estimate("big") >= large);
+    }
+
+    #[test]
+    fn saturating_add_on_overflow() {
+        let mut cms = CountMinSketch::new(0.01, 0.01);
+        cms.increment("max", u64::MAX);
+        cms.increment("max", 1);
+        // Should saturate, not wrap around
+        assert_eq!(cms.estimate("max"), u64::MAX);
+    }
+
+    #[test]
+    fn unseen_key_returns_zero() {
+        let cms = CountMinSketch::new(0.01, 0.01);
+        assert_eq!(cms.estimate("never-added"), 0);
+    }
+
+    #[test]
+    fn from_raw_params_works() {
+        let mut cms = CountMinSketch::from_raw_params(100, 5);
+        cms.increment("x", 7);
+        assert!(cms.estimate("x") >= 7);
+        assert_eq!(cms.estimate("y"), 0);
+    }
+
+    #[test]
+    #[should_panic(expected = "width must be > 0")]
+    fn from_raw_params_zero_width_panics() {
+        let _ = CountMinSketch::from_raw_params(0, 5);
+    }
+
+    #[test]
+    #[should_panic(expected = "depth must be > 0")]
+    fn from_raw_params_zero_depth_panics() {
+        let _ = CountMinSketch::from_raw_params(5, 0);
+    }
+
+    #[test]
+    #[should_panic(expected = "epsilon must be in (0,1)")]
+    fn panics_on_zero_epsilon() {
+        let _ = CountMinSketch::new(0.0, 0.01);
+    }
+
+    #[test]
+    #[should_panic(expected = "delta must be in (0,1)")]
+    fn panics_on_one_delta() {
+        let _ = CountMinSketch::new(0.01, 1.0);
+    }
+
+    #[test]
+    fn multiple_keys_independent() {
+        let mut cms = CountMinSketch::new(0.001, 0.001);
+        cms.increment("alpha", 100);
+        cms.increment("beta", 200);
+        cms.increment("gamma", 300);
+        assert!(cms.estimate("alpha") >= 100);
+        assert!(cms.estimate("beta") >= 200);
+        assert!(cms.estimate("gamma") >= 300);
+    }
 }

crates/resq-dsa/src/graph.rs

@@ -357,4 +357,123 @@ mod tests {
         let (_, cost) = g.dijkstra(&"A", &"C").expect("Path should exist");
         assert_eq!(cost, 2); // takes the cheaper A->B edge
     }
+
+    #[test]
+    fn disconnected_graph_dijkstra_returns_none() {
+        let mut g = Graph::<&str>::new();
+        g.add_edge("A", "B", 1);
+        g.add_edge("C", "D", 1);
+        // A and C are in different components
+        assert!(g.dijkstra(&"A", &"D").is_none());
+        assert!(g.dijkstra(&"C", &"B").is_none());
+    }
+
+    #[test]
+    fn self_loop_dijkstra() {
+        let mut g = Graph::<&str>::new();
+        g.add_edge("A", "A", 5);
+        g.add_edge("A", "B", 1);
+        let (path, cost) = g.dijkstra(&"A", &"B").expect("Path should exist");
+        assert_eq!(path, vec!["A", "B"]);
+        assert_eq!(cost, 1);
+    }
+
+    #[test]
+    fn single_node_graph_dijkstra_self() {
+        let g = Graph::<&str>::new();
+        // No edges at all; start == end => cost 0
+        let (path, cost) = g.dijkstra(&"X", &"X").expect("Self path should exist");
+        assert_eq!(path, vec!["X"]);
+        assert_eq!(cost, 0);
+    }
+
+    #[test]
+    fn single_node_graph_dijkstra_unreachable() {
+        let g = Graph::<&str>::new();
+        assert!(g.dijkstra(&"X", &"Y").is_none());
+    }
+
+    #[test]
+    fn astar_nontrivial_heuristic() {
+        // Grid-like graph where heuristic is Manhattan distance
+        // Nodes are (row, col) encoded as row*10+col
+        let mut g = Graph::<i32>::new();
+        // Row 0: 0->1->2
+        g.add_edge(0, 1, 1);
+        g.add_edge(1, 2, 1);
+        // Row 1: 10->11->12
+        g.add_edge(10, 11, 1);
+        g.add_edge(11, 12, 1);
+        // Vertical: 0->10, 1->11, 2->12
+        g.add_edge(0, 10, 1);
+        g.add_edge(1, 11, 1);
+        g.add_edge(2, 12, 1);
+        // Also a long path: 0->10->11->12
+        // Shortest from 0 to 12: 0->1->2->12 (cost 3) or 0->1->11->12 (cost 3)
+
+        let manhattan = |a: &i32, b: &i32| -> u64 {
+            let (ar, ac) = (a / 10, a % 10);
+            let (br, bc) = (b / 10, b % 10);
+            u64::from((ar - br).unsigned_abs()) + u64::from((ac - bc).unsigned_abs())
+        };
+
+        let (path, cost) = g.astar(&0, &12, manhattan).expect("Path should exist");
+        assert_eq!(cost, 3);
+        assert_eq!(*path.first().unwrap(), 0);
+        assert_eq!(*path.last().unwrap(), 12);
+    }
+
+    #[test]
+    fn astar_unreachable() {
+        let mut g = Graph::<u64>::new();
+        g.add_edge(0, 1, 1);
+        assert!(g.astar(&0, &99, |a, b| a.abs_diff(*b)).is_none());
+    }
+
+    #[test]
+    fn bfs_ordering_is_breadth_first() {
+        // Build a tree:
+        //       A
+        //      / \
+        //     B   C
+        //    / \
+        //   D   E
+        let mut g = Graph::<&str>::new();
+        g.add_edge("A", "B", 1);
+        g.add_edge("A", "C", 1);
+        g.add_edge("B", "D", 1);
+        g.add_edge("B", "E", 1);
+        let result = g.bfs(&"A");
+        // A must be first
+        assert_eq!(result[0], "A");
+        // B and C must come before D and E
+        let pos = |node: &str| result.iter().position(|&n| n == node).unwrap();
+        assert!(pos("B") < pos("D"));
+        assert!(pos("B") < pos("E"));
+        assert!(pos("C") < pos("D"));
+        assert!(pos("C") < pos("E"));
+    }
+
+    #[test]
+    fn bfs_single_node_no_edges() {
+        let g = Graph::<&str>::new();
+        let result = g.bfs(&"lonely");
+        assert_eq!(result, vec!["lonely"]);
+    }
+
+    #[test]
+    fn default_creates_empty_graph() {
+        let g = Graph::<i32>::default();
+        assert!(g.dijkstra(&0, &1).is_none());
+        assert_eq!(g.bfs(&0), vec![0]);
+    }
+
+    #[test]
+    fn large_weight_path() {
+        let mut g = Graph::<&str>::new();
+        g.add_edge("A", "B", u64::MAX - 1);
+        let (path, cost) = g.dijkstra(&"A", &"B").expect("Path should exist");
+        assert_eq!(path, vec!["A", "B"]);
+        assert_eq!(cost, u64::MAX - 1);
+    }
 }