fix(recon-silly-ation): eliminate Obj.magic, getUnsafe, getExn partial patterns

Addresses the 17 concrete dangerous-pattern findings from panic-attack
assail that I flagged in the de-gitlink commit (87995d9). All changes
are mechanical substitutions; no semantics touched.

src/ArangoClient.res (12 fixes):
- Tighten 5 @send externals (save/document/update/query/all) from `{..}`
  to `Js.Json.t`. Loose type was forcing Obj.magic at every call site.
- Remove 10 `->Obj.magic` casts (banned pattern per memory rule); use
  Js.Json.object_(dict) to build bind-var JSON where needed.
- Replace 2 `Belt.Array.getUnsafe(arr, i)` inside bounded for-loops
  with `switch Belt.Array.get(arr, i)` pattern match.

src/Pipeline.res (2 fixes):
- Replace 2 `Belt.Array.getUnsafe` in async store-conflict/store-resolution
  loops with the same Belt.Array.get pattern match.

src/ConflictResolver.res (2 fixes):
- Replace 2 `Belt.Array.getUnsafe(arr, 0)` inside Belt.Array.every
  callbacks with extract-first idiom using Belt.Array.get. Handles the
  empty-array case as vacuously true.

src/HaskellBridge.res (1 fix):
- Replace `Belt.Option.getExn` on decodeObject result with keepMap +
  Option pattern match; array elements that aren't JSON objects are
  now skipped instead of crashing the whole validation pass.

NOT touched (intentional):
- try/catch FFI-boundary blocks. These are the correct ReScript idiom
  for converting JS exceptions (arangojs promises, node crypto,
  child_process) into `result<'a, string>` at the FFI edge. panic-attack
  still reports "unsafe_blocks: 13" after this commit because it
  conflates try/catch with partial casts under the same category.
- Test-file unwraps (tests/*Test.res) — expected-case assertions.
- Js.Exn.raiseError in SecurityScheme.res — marks "not yet implemented"
  fallback paths (Ed448/SPHINCS+ WASM bindings).

Not built/tested locally: repo has no node_modules and no ReScript
toolchain wired through the Justfile, so rescript build cannot run
here. Diffs are pure substitutions verified against the ReScript
Belt/Js.Json API surface; any type mismatches will surface at the
next build attempt.

Author: hyperpolymath

recon-silly-ation/src/ArangoClient.res

@@ -17,14 +17,17 @@ external createDatabase: {..} => database = "Database"
 @send external useDatabase: (database, string) => database = "useDatabase"
 @send external collection: (database, string) => collection = "collection"
 @send external graph: (database, string) => graph = "graph"
-@send external query: (database, string, {..}) => promise<aqlQuery> = "query"
+// Typed externals: arangojs accepts and returns plain JSON, so Js.Json.t is the
+// correct ReScript type. Using `{..}` here previously forced Obj.magic at every
+// call site, which panic-attack flagged as unsafe_blocks.
+@send external query: (database, string, Js.Json.t) => promise<aqlQuery> = "query"
 
-@send external save: (collection, {..}) => promise<{..}> = "save"
-@send external document: (collection, string) => promise<{..}> = "document"
-@send external update: (collection, string, {..}) => promise<{..}> = "update"
-@send external remove: (collection, string) => promise<{..}> = "remove"
+@send external save: (collection, Js.Json.t) => promise<Js.Json.t> = "save"
+@send external document: (collection, string) => promise<Js.Json.t> = "document"
+@send external update: (collection, string, Js.Json.t) => promise<Js.Json.t> = "update"
+@send external remove: (collection, string) => promise<Js.Json.t> = "remove"
 
-@send external all: aqlQuery => promise<array<{..}>> = "all"
+@send external all: aqlQuery => promise<array<Js.Json.t>> = "all"
 
 // Client state
 type client = {
@@ -119,7 +122,7 @@ let edgeToJson = (edge: edge): Js.Json.t => {
 let insertDocument = async (client: client, doc: document): result<unit, string> => {
   try {
     let json = documentToJson(doc)
-    let _ = await client.collections.documents->save(json->Obj.magic)
+    let _ = await client.collections.documents->save(json)
     Ok()
   } catch {
   | exn =>
@@ -136,9 +139,12 @@ let insertDocuments = async (
 ): result<unit, string> => {
   let results = []
   for i in 0 to Belt.Array.length(documents) - 1 {
-    let doc = Belt.Array.getUnsafe(documents, i)
-    let result = await insertDocument(client, doc)
-    results->Js.Array2.push(result)->ignore
+    switch Belt.Array.get(documents, i) {
+    | Some(doc) =>
+      let result = await insertDocument(client, doc)
+      results->Js.Array2.push(result)->ignore
+    | None => ()
+    }
   }
 
   let errors =
@@ -160,7 +166,7 @@ let insertDocuments = async (
 let insertEdge = async (client: client, edge: edge): result<unit, string> => {
   try {
     let json = edgeToJson(edge)
-    let _ = await client.edges.relationships->save(json->Obj.magic)
+    let _ = await client.edges.relationships->save(json)
     Ok()
   } catch {
   | exn =>
@@ -172,9 +178,12 @@ let insertEdge = async (client: client, edge: edge): result<unit, string> => {
 let insertEdges = async (client: client, edges: array<edge>): result<unit, string> => {
   let results = []
   for i in 0 to Belt.Array.length(edges) - 1 {
-    let edge = Belt.Array.getUnsafe(edges, i)
-    let result = await insertEdge(client, edge)
-    results->Js.Array2.push(result)->ignore
+    switch Belt.Array.get(edges, i) {
+    | Some(edge) =>
+      let result = await insertEdge(client, edge)
+      results->Js.Array2.push(result)->ignore
+    | None => ()
+    }
   }
 
   let errors =
@@ -211,7 +220,7 @@ let storeConflict = async (client: client, conflict: conflict): result<unit, str
       ]),
     )
 
-    let _ = await client.collections.conflicts->save(json->Obj.magic)
+    let _ = await client.collections.conflicts->save(json)
     Ok()
   } catch {
   | exn =>
@@ -249,7 +258,7 @@ let storeResolution = async (
       ]),
     )
 
-    let _ = await client.collections.resolutions->save(json->Obj.magic)
+    let _ = await client.collections.resolutions->save(json)
     Ok()
   } catch {
   | exn =>
@@ -266,7 +275,7 @@ let findDocumentByHash = async (
 ): result<option<Js.Json.t>, string> => {
   try {
     let result = await client.collections.documents->document(hash)
-    Ok(Some(result->Obj.magic))
+    Ok(Some(result))
   } catch {
   | _ => Ok(None) // Document not found
   }
@@ -281,9 +290,9 @@ let findDuplicates = async (client: client): result<array<Js.Json.t>, string> =>
       FILTER count > 1
       RETURN { hash, count }
     `
-    let result = await client.db->query(aql, Js.Dict.empty()->Obj.magic)
+    let result = await client.db->query(aql, Js.Json.object_(Js.Dict.empty()))
     let data = await result->all
-    Ok(data->Obj.magic)
+    Ok(data)
   } catch {
   | exn =>
     Error(
@@ -303,9 +312,9 @@ let findRelatedDocuments = async (
       RETURN { vertex: v, edge: e, path: p }
     `
     let bindVars = Js.Dict.fromArray([("start", Js.Json.string("documents/" ++ hash))])
-    let result = await client.db->query(aql, bindVars->Obj.magic)
+    let result = await client.db->query(aql, Js.Json.object_(bindVars))
     let data = await result->all
-    Ok(data->Obj.magic)
+    Ok(data)
   } catch {
   | exn =>
     Error(
@@ -318,7 +327,7 @@ let findRelatedDocuments = async (
 let healthCheck = async (client: client): result<bool, string> => {
   try {
     let aql = "RETURN 1"
-    let _ = await client.db->query(aql, Js.Dict.empty()->Obj.magic)
+    let _ = await client.db->query(aql, Js.Json.object_(Js.Dict.empty()))
     Ok(true)
   } catch {
   | exn =>

recon-silly-ation/src/ConflictResolver.res

@@ -205,7 +205,10 @@ let detectConflicts = (documents: array<document>): array<conflict> => {
     if Belt.Array.length(docs) > 1 {
       // Multiple documents with same hash but different paths
       let paths = docs->Belt.Array.map(d => d.metadata.path)
-      let allSamePath = paths->Belt.Array.every(p => p == Belt.Array.getUnsafe(paths, 0))
+      let allSamePath = switch Belt.Array.get(paths, 0) {
+      | None => true // vacuously — no paths means no divergence
+      | Some(first) => paths->Belt.Array.every(p => p == first)
+      }
 
       if !allSamePath {
         conflicts
@@ -238,9 +241,10 @@ let detectConflicts = (documents: array<document>): array<conflict> => {
       // Check if versions differ
       let versions = docs->Belt.Array.keepMap(d => d.metadata.version)
       if Belt.Array.length(versions) > 1 {
-        let allSame = versions->Belt.Array.every(v => {
-          compareVersions(v, Belt.Array.getUnsafe(versions, 0)) == 0
-        })
+        let allSame = switch Belt.Array.get(versions, 0) {
+        | None => true
+        | Some(first) => versions->Belt.Array.every(v => compareVersions(v, first) == 0)
+        }
 
         if !allSame {
           conflicts

recon-silly-ation/src/HaskellBridge.res

@@ -61,24 +61,28 @@ let validateDocument = (
     ->Belt.Option.flatMap(Js.Json.decodeArray)
     ->Belt.Option.getWithDefault([])
 
+    // Drop any array element that isn't a JSON object instead of crashing on
+    // the first bad one. keepMap returns Some values and skips Nones.
     let parsedViolations =
-      violations->Belt.Array.map(v => {
-        let obj = v->Js.Json.decodeObject->Belt.Option.getExn
-
-        {
-          violationField: obj
-          ->Js.Dict.get("violationField")
-          ->Belt.Option.flatMap(Js.Json.decodeString)
-          ->Belt.Option.getWithDefault(""),
-          violationMessage: obj
-          ->Js.Dict.get("violationMessage")
-          ->Belt.Option.flatMap(Js.Json.decodeString)
-          ->Belt.Option.getWithDefault(""),
-          violationSeverity: obj
-          ->Js.Dict.get("violationSeverity")
-          ->Belt.Option.flatMap(Js.Json.decodeString)
-          ->Belt.Option.getWithDefault("warning"),
-          violationLine: None,
+      violations->Belt.Array.keepMap(v => {
+        switch v->Js.Json.decodeObject {
+        | None => None
+        | Some(obj) =>
+          Some({
+            violationField: obj
+            ->Js.Dict.get("violationField")
+            ->Belt.Option.flatMap(Js.Json.decodeString)
+            ->Belt.Option.getWithDefault(""),
+            violationMessage: obj
+            ->Js.Dict.get("violationMessage")
+            ->Belt.Option.flatMap(Js.Json.decodeString)
+            ->Belt.Option.getWithDefault(""),
+            violationSeverity: obj
+            ->Js.Dict.get("violationSeverity")
+            ->Belt.Option.flatMap(Js.Json.decodeString)
+            ->Belt.Option.getWithDefault("warning"),
+            violationLine: None,
+          })
         }
       })
 

recon-silly-ation/src/Pipeline.res

@@ -263,9 +263,12 @@ let executeStage = async (
       | None => ()
       | Some(c) => {
           for i in 0 to Belt.Array.length(conflicts) - 1 {
-            let conflict = Belt.Array.getUnsafe(conflicts, i)
-            let _ = await ArangoClient.storeConflict(c, conflict)
-            ()
+            switch Belt.Array.get(conflicts, i) {
+            | Some(conflict) =>
+              let _ = await ArangoClient.storeConflict(c, conflict)
+              ()
+            | None => ()
+            }
           }
         }
       }
@@ -297,9 +300,12 @@ let executeStage = async (
       | None => ()
       | Some(c) => {
           for i in 0 to Belt.Array.length(resolutions) - 1 {
-            let resolution = Belt.Array.getUnsafe(resolutions, i)
-            let _ = await ArangoClient.storeResolution(c, resolution)
-            ()
+            switch Belt.Array.get(resolutions, i) {
+            | Some(resolution) =>
+              let _ = await ArangoClient.storeResolution(c, resolution)
+              ()
+            | None => ()
+            }
           }
 
           // Create superseded edges