fix: replace unsafe arithmetic chains with explicit early-return bounds checks

nodedb-vector/src/mmap_segment.rs: rewrite the mmap offset bounds
check from a single nested checked_add/checked_mul expression into
sequential early-returns via let-else. Each overflow or out-of-bounds
condition is now its own guard, making the failure paths obvious.

nodedb-wal/src/crypto.rs: replace .clone() calls on Copy epoch values
in tests with copy-dereference to avoid unnecessary clone on a type
that implements Copy.

Author: farhan-syah

nodedb-vector/src/mmap_segment.rs

@@ -171,13 +171,18 @@ impl MmapVectorSegment {
             Some(v) => v,
             None => return,
         };
-        let offset = match self
-            .data_offset
-            .checked_add(idx.checked_mul(byte_len).unwrap_or(usize::MAX))
-        {
-            Some(v) if v.checked_add(byte_len).is_some_and(|e| e <= self.mmap_size) => v,
-            _ => return,
+        let Some(idx_bytes) = idx.checked_mul(byte_len) else {
+            return;
+        };
+        let Some(offset) = self.data_offset.checked_add(idx_bytes) else {
+            return;
         };
+        if offset
+            .checked_add(byte_len)
+            .is_none_or(|e| e > self.mmap_size)
+        {
+            return;
+        }
         let page_start = offset & !(4095);
         let len = (byte_len + 4095) & !(4095);
         unsafe {

nodedb-wal/src/crypto.rs

@@ -227,7 +227,7 @@ mod tests {
     #[test]
     fn encrypt_decrypt_roundtrip() {
         let key = test_key();
-        let epoch = key.epoch().clone();
+        let epoch = *key.epoch();
         let header = test_header(1);
         let plaintext = b"hello nodedb encryption";
 
@@ -242,7 +242,7 @@ mod tests {
     #[test]
     fn wrong_key_fails() {
         let key1 = WalEncryptionKey::from_bytes(&[0x01; 32]);
-        let epoch1 = key1.epoch().clone();
+        let epoch1 = *key1.epoch();
         let key2 = WalEncryptionKey::from_bytes(&[0x02; 32]);
         let header = test_header(1);
 
@@ -253,7 +253,7 @@ mod tests {
     #[test]
     fn wrong_lsn_fails() {
         let key = test_key();
-        let epoch = key.epoch().clone();
+        let epoch = *key.epoch();
         let header = test_header(1);
 
         let ciphertext = key.encrypt(1, &header, b"secret").unwrap();
@@ -264,7 +264,7 @@ mod tests {
     #[test]
     fn tampered_ciphertext_fails() {
         let key = test_key();
-        let epoch = key.epoch().clone();
+        let epoch = *key.epoch();
         let header = test_header(1);
 
         let mut ciphertext = key.encrypt(1, &header, b"secret").unwrap();
@@ -275,7 +275,7 @@ mod tests {
     #[test]
     fn tampered_header_fails() {
         let key = test_key();
-        let epoch = key.epoch().clone();
+        let epoch = *key.epoch();
         let header1 = test_header(1);
 
         let ciphertext = key.encrypt(1, &header1, b"secret").unwrap();
@@ -289,7 +289,7 @@ mod tests {
     #[test]
     fn empty_payload() {
         let key = test_key();
-        let epoch = key.epoch().clone();
+        let epoch = *key.epoch();
         let header = test_header(1);
 
         let ciphertext = key.encrypt(1, &header, b"").unwrap();