From 60ca0f8e1698f6c175ed1301cc60e630ffac69be Mon Sep 17 00:00:00 2001
From: bordumb
Date: Mon, 23 Mar 2026 09:28:15 -0700
Subject: [PATCH] chore: defensive checks added to keep v0.2 stable
---
 CONTRIBUTING.md | 1 +
 crates/capsec-core/src/lib.rs | 3 +++
 crates/capsec-std/src/lib.rs | 3 +++
 crates/capsec-tokio/src/lib.rs | 3 +++
 crates/capsec/Cargo.toml | 6 ++++++
 5 files changed, 16 insertions(+)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index b608133..845bf4a 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -156,6 +156,7 @@ TRYBUILD=overwrite cargo test -p capsec --test compile_tests
 - **Include tests.** New authority patterns need integration tests. New type-system features need compile-fail tests.
 - **Run `cargo capsec audit`** against the repo itself before submitting — capsec dogfoods its own tool.
 - **Keep the security model intact.** `Cap

` must remain unforgeable and `!Send`. `Permission` must remain sealed. `Cap::new()` must remain `pub(crate)`. Any change that weakens these guarantees needs discussion in an issue first.
+- **`#[must_use]` convention.** Any new function or method returning `Result`, `Cap

`, `SendCap

`, or `CapRoot` must have `#[must_use]`. Exception: if the return type itself already carries `#[must_use]` (e.g., `Cap

` does), a bare `#[must_use]` on the function is redundant and clippy will flag it — skip it in that case. The goal: discarding a capability check or proof token should always produce a compiler warning. - **Update docs** if you change public API. The facade crate's `lib.rs` doc comments and crate READMEs should stay current. ## Context pattern and macros diff --git a/crates/capsec-core/src/lib.rs b/crates/capsec-core/src/lib.rs index c2452be..e876153 100644 --- a/crates/capsec-core/src/lib.rs +++ b/crates/capsec-core/src/lib.rs @@ -1,3 +1,6 @@ +#![deny(missing_docs)] +#![deny(rustdoc::broken_intra_doc_links)] + //! # capsec-core //! //! Zero-cost capability tokens and permission traits for compile-time diff --git a/crates/capsec-std/src/lib.rs b/crates/capsec-std/src/lib.rs index 8106182..538116c 100644 --- a/crates/capsec-std/src/lib.rs +++ b/crates/capsec-std/src/lib.rs @@ -1,3 +1,6 @@ +#![deny(missing_docs)] +#![deny(rustdoc::broken_intra_doc_links)] + //! # capsec-std //! //! Capability-gated wrappers around the Rust standard library. diff --git a/crates/capsec-tokio/src/lib.rs b/crates/capsec-tokio/src/lib.rs index ec653ce..81cc54f 100644 --- a/crates/capsec-tokio/src/lib.rs +++ b/crates/capsec-tokio/src/lib.rs @@ -1,3 +1,6 @@ +#![deny(missing_docs)] +#![deny(rustdoc::broken_intra_doc_links)] + //! # capsec-tokio //! //! Async capability-gated wrappers for [tokio](https://tokio.rs/) — the async diff --git a/crates/capsec/Cargo.toml b/crates/capsec/Cargo.toml index a5585c0..1b42af2 100644 --- a/crates/capsec/Cargo.toml +++ b/crates/capsec/Cargo.toml @@ -22,3 +22,9 @@ trybuild.workspace = true capsec-core.workspace = true capsec-tokio = { workspace = true, features = ["full"] } tokio = { version = "1", features = ["rt-multi-thread", "macros", "fs", "net", "process", "io-util"] } + +[lints.rust] +missing_docs = "deny" + +[lints.rustdoc] +broken_intra_doc_links = "deny"