diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
index 45ab1aea..8021f2c5 100644
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@@ -41,8 +41,8 @@ jobs:
       - name: Run cargo fmt
         uses: actions-rust-lang/rustfmt@v1
 
-      - name: Run cargo clipply
-        run: cargo clippy --all-targets --all-features
+      - name: Run cargo clippy
+        run: cargo clippy --all-targets --all-features -- -D warnings
 
   format-typescript:
     runs-on: ubuntu-latest
diff --git a/Cargo.toml b/Cargo.toml
index 9545c847..5133b733 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -12,6 +12,28 @@ default-members = [
     "crates/fastly",
 ]
 
+[workspace.lints.clippy]
+# Correctness - Force explicit error handling in production code
+unwrap_used = "deny"
+expect_used = "allow"  # Allow expect with context message
+panic = "deny"
+
+# Style
+module_name_repetitions = "allow"
+must_use_candidate = "warn"
+
+# Pedantic (selective)
+doc_markdown = "warn"
+missing_errors_doc = "warn"
+missing_panics_doc = "warn"
+needless_pass_by_value = "warn"  # Encourage borrowing over ownership
+redundant_closure_for_method_calls = "warn"
+
+# Restriction (selective)
+print_stdout = "warn"
+print_stderr = "warn"
+dbg_macro = "warn"
+
 [profile.release]
 debug = 1
 
diff --git a/clippy.toml b/clippy.toml
new file mode 100644
index 00000000..07564932
--- /dev/null
+++ b/clippy.toml
@@ -0,0 +1,40 @@
+# Clippy configuration for trusted-server
+# See: https://doc.rust-lang.org/clippy/configuration.html
+
+# =============================================================================
+# Complexity Thresholds
+# =============================================================================
+
+# Cognitive complexity threshold for functions (default: 25)
+# Set to 30 to accommodate existing complex HTML/RSC processing functions
+# like `create_html_processor` and `rewrite_rsc_scripts_combined`.
+# Consider refactoring functions that exceed this threshold.
+cognitive-complexity-threshold = 30
+
+# Maximum number of lines in a function (default: 100)
+# Set to 200 to allow larger handler functions that process HTTP requests
+# with multiple validation steps. Prefer extracting helpers when possible.
+too-many-lines-threshold = 200
+
+# =============================================================================
+# Test Allowances
+# =============================================================================
+
+# Allow expect() in tests for clearer failure messages than unwrap()
+allow-expect-in-tests = true
+
+# Allow unwrap() in tests where panicking on failure is acceptable
+allow-unwrap-in-tests = true
+
+# =============================================================================
+# Future Considerations
+# =============================================================================
+# 
+# As the codebase matures, consider tightening these thresholds:
+# - cognitive-complexity-threshold = 25 (default)
+# - too-many-lines-threshold = 100 (default)
+#
+# Additional lints to consider enabling in Cargo.toml:
+# - needless_pass_by_value = "warn"
+# - redundant_closure_for_method_calls = "warn"
+# - missing_const_for_fn = "warn"
diff --git a/crates/common/Cargo.toml b/crates/common/Cargo.toml
index ab3058ce..17a0e04b 100644
--- a/crates/common/Cargo.toml
+++ b/crates/common/Cargo.toml
@@ -8,6 +8,9 @@ edition = "2021"
 publish = false
 license = "Apache-2.0"
 
+[lints]
+workspace = true
+
 [dependencies]
 base64 = { workspace = true }
 brotli = { workspace = true }
diff --git a/crates/common/build.rs b/crates/common/build.rs
index a97734b7..4bac64f0 100644
--- a/crates/common/build.rs
+++ b/crates/common/build.rs
@@ -1,3 +1,5 @@
+#![allow(clippy::unwrap_used, clippy::panic)]
+
 #[path = "src/error.rs"]
 mod error;
 
@@ -29,7 +31,7 @@ fn rerun_if_changed() {
     let settings_json = serde_json::to_value(&default_settings).unwrap();
 
     let mut env_vars = HashSet::new();
-    collect_env_vars(&settings_json, &mut env_vars, vec![]);
+    collect_env_vars(&settings_json, &mut env_vars, &[]);
 
     // Print rerun-if-env-changed for each variable
     let mut sorted_vars: Vec<_> = env_vars.into_iter().collect();
@@ -60,10 +62,10 @@ fn merge_toml() {
     fs::write(dest_path, merged_toml).unwrap_or_else(|_| panic!("Failed to write {:?}", dest_path));
 }
 
-fn collect_env_vars(value: &Value, env_vars: &mut HashSet<String>, path: Vec<String>) {
+fn collect_env_vars(value: &Value, env_vars: &mut HashSet<String>, path: &[String]) {
     if let Value::Object(map) = value {
         for (key, val) in map {
-            let mut new_path = path.clone();
+            let mut new_path = path.to_owned();
             new_path.push(key.to_uppercase());
 
             match val {
@@ -79,7 +81,7 @@ fn collect_env_vars(value: &Value, env_vars: &mut HashSet<String>, path: Vec<Str
                 }
                 Value::Object(_) => {
                     // Recurse into nested objects
-                    collect_env_vars(val, env_vars, new_path);
+                    collect_env_vars(val, env_vars, &new_path);
                 }
                 _ => {}
             }
diff --git a/crates/common/src/auction/config.rs b/crates/common/src/auction/config.rs
index 8ffe5a5f..0262f33a 100644
--- a/crates/common/src/auction/config.rs
+++ b/crates/common/src/auction/config.rs
@@ -1,6 +1,6 @@
 //! Configuration structures for auction orchestration.
 //!
-//! The base types are defined in auction_config_types.rs to avoid circular dependencies
-//! with build.rs. This module re-exports them.
+//! The base types are defined in `auction_config_types.rs` to avoid circular dependencies
+//! with `build.rs`. This module re-exports them.
 
 pub use crate::auction_config_types::AuctionConfig;
diff --git a/crates/common/src/auction/endpoints.rs b/crates/common/src/auction/endpoints.rs
index 29aa18bc..c2175caf 100644
--- a/crates/common/src/auction/endpoints.rs
+++ b/crates/common/src/auction/endpoints.rs
@@ -15,7 +15,15 @@ use super::AuctionOrchestrator;
 ///
 /// This is the main entry point for running header bidding auctions.
 /// It orchestrates bids from multiple providers (Prebid, APS, GAM, etc.) and returns
-/// the winning bids in OpenRTB format with creative HTML inline in the `adm` field.
+/// the winning bids in `OpenRTB` format with creative HTML inline in the `adm` field.
+///
+/// # Errors
+///
+/// Returns an error if:
+/// - The request body cannot be parsed
+/// - The auction request conversion fails (e.g., invalid ad units)
+/// - The auction execution fails
+/// - The response cannot be serialized
 pub async fn handle_auction(
     settings: &Settings,
     orchestrator: &AuctionOrchestrator,
diff --git a/crates/common/src/auction/formats.rs b/crates/common/src/auction/formats.rs
index a9eece28..6b446f05 100644
--- a/crates/common/src/auction/formats.rs
+++ b/crates/common/src/auction/formats.rs
@@ -2,7 +2,7 @@
 //!
 //! This module handles:
 //! - Parsing incoming tsjs/Prebid.js format requests
-//! - Converting internal auction results to OpenRTB 2.x responses
+//! - Converting internal auction results to `OpenRTB` 2.x responses
 
 use error_stack::{ensure, Report, ResultExt};
 use fastly::http::{header, StatusCode};
@@ -63,7 +63,13 @@ pub struct BannerUnit {
     pub sizes: Vec<Vec<u32>>,
 }
 
-/// Convert tsjs/Prebid.js request format to internal AuctionRequest.
+/// Convert tsjs/Prebid.js request format to internal `AuctionRequest`.
+///
+/// # Errors
+///
+/// Returns an error if:
+/// - Synthetic ID generation fails
+/// - Request contains invalid banner sizes (must be [width, height])
 pub fn convert_tsjs_to_auction_request(
     body: &AdRequest,
     settings: &Settings,
@@ -122,7 +128,9 @@ pub fn convert_tsjs_to_auction_request(
 
     // Get geo info if available
     let device = GeoInfo::from_request(req).map(|geo| DeviceInfo {
-        user_agent: req.get_header_str("user-agent").map(|s| s.to_string()),
+        user_agent: req
+            .get_header_str("user-agent")
+            .map(std::string::ToString::to_string),
         ip: req.get_client_ip_addr().map(|ip| ip.to_string()),
         geo: Some(geo),
     });
@@ -148,9 +156,15 @@ pub fn convert_tsjs_to_auction_request(
     })
 }
 
-/// Convert OrchestrationResult to OpenRTB response format.
+/// Convert `OrchestrationResult` to `OpenRTB` response format.
 ///
 /// Returns rewritten creative HTML directly in the `adm` field for inline delivery.
+///
+/// # Errors
+///
+/// Returns an error if:
+/// - A winning bid is missing a price
+/// - The response serialization fails
 pub fn convert_to_openrtb_response(
     result: &OrchestrationResult,
     settings: &Settings,
diff --git a/crates/common/src/auction/mod.rs b/crates/common/src/auction/mod.rs
index 36187862..e78f2ecf 100644
--- a/crates/common/src/auction/mod.rs
+++ b/crates/common/src/auction/mod.rs
@@ -47,6 +47,7 @@ fn provider_builders() -> &'static [ProviderBuilder] {
 ///
 /// # Arguments
 /// * `settings` - Application settings used to configure the orchestrator and providers
+#[must_use]
 pub fn build_orchestrator(settings: &Settings) -> AuctionOrchestrator {
     log::info!("Building auction orchestrator");
 
diff --git a/crates/common/src/auction/orchestrator.rs b/crates/common/src/auction/orchestrator.rs
index a6614709..c53cc9b9 100644
--- a/crates/common/src/auction/orchestrator.rs
+++ b/crates/common/src/auction/orchestrator.rs
@@ -20,6 +20,7 @@ pub struct AuctionOrchestrator {
 
 impl AuctionOrchestrator {
     /// Create a new orchestrator with the given configuration.
+    #[must_use]
     pub fn new(config: AuctionConfig) -> Self {
         Self {
             config,
@@ -35,6 +36,7 @@ impl AuctionOrchestrator {
     }
 
     /// Get the number of registered providers.
+    #[must_use]
     pub fn provider_count(&self) -> usize {
         self.providers.len()
     }
@@ -44,6 +46,11 @@ impl AuctionOrchestrator {
     /// Strategy is determined by mediator configuration:
     /// - If mediator is configured: runs parallel mediation (bidders → mediator decides)
     /// - If no mediator: runs parallel only (bidders → highest CPM wins)
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the auction execution fails due to provider errors or
+    /// mediation errors.
     pub async fn run_auction(
         &self,
         request: &AuctionRequest,
@@ -89,8 +96,7 @@ impl AuctionOrchestrator {
         let provider_responses = self.run_providers_parallel(request, context).await?;
 
         let floor_prices = self.floor_prices_by_slot(request);
-        let (mediator_response, winning_bids) = if self.config.has_mediator() {
-            let mediator_name = self.config.mediator.as_ref().unwrap();
+        let (mediator_response, winning_bids) = if let Some(mediator_name) = &self.config.mediator {
             let mediator = self.get_provider(mediator_name)?;
 
             log::info!(
@@ -450,6 +456,7 @@ impl AuctionOrchestrator {
     }
 
     /// Check if orchestrator is enabled.
+    #[must_use]
     pub fn is_enabled(&self) -> bool {
         self.config.enabled
     }
@@ -472,11 +479,13 @@ pub struct OrchestrationResult {
 
 impl OrchestrationResult {
     /// Get the winning bid for a specific slot.
+    #[must_use]
     pub fn get_winning_bid(&self, slot_id: &str) -> Option<&Bid> {
         self.winning_bids.get(slot_id)
     }
 
     /// Get all bids from all providers for a specific slot.
+    #[must_use]
     pub fn get_all_bids_for_slot(&self, slot_id: &str) -> Vec<&Bid> {
         self.provider_responses
             .iter()
@@ -486,6 +495,7 @@ impl OrchestrationResult {
     }
 
     /// Get the total number of bids received.
+    #[must_use]
     pub fn total_bids(&self) -> usize {
         self.provider_responses.iter().map(|r| r.bids.len()).sum()
     }
diff --git a/crates/common/src/auction/provider.rs b/crates/common/src/auction/provider.rs
index 3c7b7900..827b33fb 100644
--- a/crates/common/src/auction/provider.rs
+++ b/crates/common/src/auction/provider.rs
@@ -15,20 +15,29 @@ pub trait AuctionProvider: Send + Sync {
     /// Submit a bid request to this provider and return a pending request.
     ///
     /// Implementations should:
-    /// - Transform AuctionRequest to provider-specific format
-    /// - Make HTTP call to provider endpoint using send_async()
-    /// - Return PendingRequest for orchestrator to await
+    /// - Transform `AuctionRequest` to provider-specific format
+    /// - Make HTTP call to provider endpoint using `send_async()`
+    /// - Return `PendingRequest` for orchestrator to await
     ///
     /// The orchestrator will handle waiting for responses and parsing them.
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the request cannot be created or if the provider endpoint
+    /// cannot be reached (though usually network errors happen during `PendingRequest` await).
     fn request_bids(
         &self,
         request: &AuctionRequest,
         context: &AuctionContext<'_>,
     ) -> Result<PendingRequest, Report<TrustedServerError>>;
 
-    /// Parse the response from the provider into an AuctionResponse.
+    /// Parse the response from the provider into an `AuctionResponse`.
+    ///
+    /// Called by the orchestrator after the `PendingRequest` completes.
+    ///
+    /// # Errors
     ///
-    /// Called by the orchestrator after the PendingRequest completes.
+    /// Returns an error if the response cannot be parsed into a valid `AuctionResponse`.
     fn parse_response(
         &self,
         response: fastly::Response,
diff --git a/crates/common/src/auction/types.rs b/crates/common/src/auction/types.rs
index 8593e061..6c6c4d63 100644
--- a/crates/common/src/auction/types.rs
+++ b/crates/common/src/auction/types.rs
@@ -146,7 +146,7 @@ pub struct Bid {
     pub metadata: HashMap<String, serde_json::Value>,
 }
 
-/// OpenRTB response metadata for the orchestrator.
+/// `OpenRTB` response metadata for the orchestrator.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct OrchestratorExt {
     pub strategy: String,
diff --git a/crates/common/src/auction_config_types.rs b/crates/common/src/auction_config_types.rs
index e1cabd7a..916e839f 100644
--- a/crates/common/src/auction_config_types.rs
+++ b/crates/common/src/auction_config_types.rs
@@ -39,11 +39,13 @@ fn default_creative_store() -> String {
 #[allow(dead_code)] // Methods used in runtime but not in build script
 impl AuctionConfig {
     /// Get all provider names.
+    #[must_use]
     pub fn provider_names(&self) -> &[String] {
         &self.providers
     }
 
     /// Check if this config has a mediator configured.
+    #[must_use]
     pub fn has_mediator(&self) -> bool {
         self.mediator.is_some()
     }
diff --git a/crates/common/src/backend.rs b/crates/common/src/backend.rs
index ba5a1c84..798131f4 100644
--- a/crates/common/src/backend.rs
+++ b/crates/common/src/backend.rs
@@ -11,6 +11,10 @@ use crate::error::TrustedServerError;
 /// The backend name is derived from the scheme and `host[:port]` to avoid collisions across
 /// http/https or different ports. If a backend with the derived name already exists,
 /// this function logs and reuses it.
+///
+/// # Errors
+///
+/// Returns an error if the host is empty or if backend creation fails (except for `NameInUse` which reuses the existing backend).
 pub fn ensure_origin_backend(
     scheme: &str,
     host: &str,
@@ -75,6 +79,13 @@ pub fn ensure_origin_backend(
     }
 }
 
+/// Ensures a dynamic backend exists for the given origin URL.
+///
+/// Parses the URL and delegates to `ensure_origin_backend` to create or reuse a backend.
+///
+/// # Errors
+///
+/// Returns an error if the URL cannot be parsed or lacks a host, or if backend creation fails.
 pub fn ensure_backend_from_url(origin_url: &str) -> Result<String, Report<TrustedServerError>> {
     let parsed_url = Url::parse(origin_url).change_context(TrustedServerError::Proxy {
         message: format!("Invalid origin_url: {}", origin_url),
diff --git a/crates/common/src/cookies.rs b/crates/common/src/cookies.rs
index de78b109..48f397bb 100644
--- a/crates/common/src/cookies.rs
+++ b/crates/common/src/cookies.rs
@@ -62,6 +62,7 @@ pub fn handle_request_cookies(
 ///
 /// Generates a properly formatted cookie with security attributes
 /// for storing the synthetic ID.
+#[must_use]
 pub fn create_synthetic_cookie(settings: &Settings, synthetic_id: &str) -> String {
     format!(
         "synthetic_id={}; Domain={}; Path=/; Secure; SameSite=Lax; Max-Age={}",
diff --git a/crates/common/src/creative.rs b/crates/common/src/creative.rs
index 79e1e9dc..0265ad79 100644
--- a/crates/common/src/creative.rs
+++ b/crates/common/src/creative.rs
@@ -297,6 +297,7 @@ pub(super) fn proxied_attr_value(settings: &Settings, attr_val: Option<String>)
 
 /// Rewrite a full CSS stylesheet body by normalizing url(...) references to the
 /// unified first-party proxy. Relative URLs are left unchanged.
+#[must_use]
 pub fn rewrite_css_body(settings: &Settings, css: &str) -> String {
     rewrite_style_urls(settings, css)
 }
@@ -307,6 +308,7 @@ pub fn rewrite_css_body(settings: &Settings, css: &str) -> String {
 /// - `<iframe src>` (absolute or protocol-relative) → `/first-party/proxy?tsurl=&lt;base-url&gt;&lt;params&gt;&tstoken=&lt;sig&gt;`
 /// - Injects the `tsjs-creative` script once at the top of `<body>` to safeguard click URLs inside creatives
 ///   (served from `/static/tsjs=tsjs-creative.min.js`).
+#[must_use]
 pub fn rewrite_creative_html(settings: &Settings, markup: &str) -> String {
     // No size parsing needed now; all absolute/protocol-relative URLs are proxied uniformly.
     let mut out = Vec::with_capacity(markup.len() + 64);
@@ -495,6 +497,7 @@ pub struct CreativeHtmlProcessor<'a> {
 
 impl<'a> CreativeHtmlProcessor<'a> {
     /// Create a new HTML processor with the given settings.
+    #[must_use]
     pub fn new(settings: &'a Settings) -> Self {
         Self {
             settings,
@@ -529,7 +532,7 @@ impl StreamProcessor for CreativeHtmlProcessor<'_> {
     }
 }
 
-/// Stream processor for CSS that rewrites url() references to first-party proxy.
+/// Stream processor for CSS that rewrites `url()` references to first-party proxy.
 ///
 /// This processor buffers input chunks and processes the complete CSS
 /// when the stream ends, using `rewrite_css_body` internally.
@@ -540,6 +543,7 @@ pub struct CreativeCssProcessor<'a> {
 
 impl<'a> CreativeCssProcessor<'a> {
     /// Create a new CSS processor with the given settings.
+    #[must_use]
     pub fn new(settings: &'a Settings) -> Self {
         Self {
             settings,
diff --git a/crates/common/src/fastly_storage.rs b/crates/common/src/fastly_storage.rs
index d39170de..932bb8fc 100644
--- a/crates/common/src/fastly_storage.rs
+++ b/crates/common/src/fastly_storage.rs
@@ -19,6 +19,11 @@ impl FastlyConfigStore {
         }
     }
 
+    /// Retrieves a configuration value from the store.
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the key is not found in the config store.
     pub fn get(&self, key: &str) -> Result<String, TrustedServerError> {
         // TODO use try_open and return the error
         let store = ConfigStore::open(&self.store_name);
@@ -44,6 +49,12 @@ impl FastlySecretStore {
         }
     }
 
+    /// Retrieves a secret value from the store.
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the secret store cannot be opened, the key is not found,
+    /// or the secret plaintext cannot be retrieved.
     pub fn get(&self, key: &str) -> Result<Vec<u8>, TrustedServerError> {
         let store =
             SecretStore::open(&self.store_name).map_err(|_| TrustedServerError::Configuration {
@@ -67,6 +78,11 @@ impl FastlySecretStore {
             .map(|bytes| bytes.into_iter().collect())
     }
 
+    /// Retrieves a secret value from the store and decodes it as a UTF-8 string.
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the secret cannot be retrieved or is not valid UTF-8.
     pub fn get_string(&self, key: &str) -> Result<String, TrustedServerError> {
         let bytes = self.get(key)?;
         String::from_utf8(bytes).map_err(|e| TrustedServerError::Configuration {
@@ -82,10 +98,20 @@ pub struct FastlyApiClient {
 }
 
 impl FastlyApiClient {
+    /// Creates a new Fastly API client using the default secret store.
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the secret store cannot be opened or the API key cannot be retrieved.
     pub fn new() -> Result<Self, TrustedServerError> {
         Self::from_secret_store("api-keys", "api_key")
     }
 
+    /// Creates a new Fastly API client from a specified secret store.
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the API backend cannot be ensured or the API key cannot be retrieved.
     pub fn from_secret_store(store_name: &str, key_name: &str) -> Result<Self, TrustedServerError> {
         let backend_name = ensure_backend_from_url(FASTLY_API_HOST).map_err(|e| {
             TrustedServerError::Configuration {
@@ -145,6 +171,11 @@ impl FastlyApiClient {
             })
     }
 
+    /// Updates a configuration item in a Fastly config store.
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the API request fails or returns a non-OK status.
     pub fn update_config_item(
         &self,
         store_id: &str,
@@ -182,6 +213,11 @@ impl FastlyApiClient {
         }
     }
 
+    /// Creates a secret in a Fastly secret store.
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the API request fails or returns a non-OK status.
     pub fn create_secret(
         &self,
         store_id: &str,
@@ -219,6 +255,11 @@ impl FastlyApiClient {
         }
     }
 
+    /// Deletes a configuration item from a Fastly config store.
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the API request fails or returns a non-OK/NO_CONTENT status.
     pub fn delete_config_item(&self, store_id: &str, key: &str) -> Result<(), TrustedServerError> {
         let path = format!("/resources/stores/config/{}/item/{}", store_id, key);
 
@@ -247,6 +288,11 @@ impl FastlyApiClient {
         }
     }
 
+    /// Deletes a secret from a Fastly secret store.
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the API request fails or returns a non-OK/NO_CONTENT status.
     pub fn delete_secret(
         &self,
         store_id: &str,
diff --git a/crates/common/src/geo.rs b/crates/common/src/geo.rs
index dff097d5..a903c31d 100644
--- a/crates/common/src/geo.rs
+++ b/crates/common/src/geo.rs
@@ -71,11 +71,13 @@ impl GeoInfo {
     }
 
     /// Returns coordinates as a formatted string "latitude,longitude"
+    #[must_use]
     pub fn coordinates_string(&self) -> String {
         format!("{},{}", self.latitude, self.longitude)
     }
 
     /// Checks if a valid metro code is available (non-zero)
+    #[must_use]
     pub fn has_metro_code(&self) -> bool {
         self.metro_code > 0
     }
diff --git a/crates/common/src/html_processor.rs b/crates/common/src/html_processor.rs
index 1803436e..e3d827fb 100644
--- a/crates/common/src/html_processor.rs
+++ b/crates/common/src/html_processor.rs
@@ -1,6 +1,6 @@
 //! Simplified HTML processor that combines URL replacement and Prebid injection
 //!
-//! This module provides a StreamProcessor implementation for HTML content.
+//! This module provides a `StreamProcessor` implementation for HTML content.
 use std::cell::Cell;
 use std::io;
 use std::rc::Rc;
@@ -94,6 +94,7 @@ pub struct HtmlProcessorConfig {
 
 impl HtmlProcessorConfig {
     /// Create from settings and request parameters
+    #[must_use]
     pub fn from_settings(
         _settings: &Settings,
         integrations: &IntegrationRegistry,
@@ -111,6 +112,7 @@ impl HtmlProcessorConfig {
 }
 
 /// Create an HTML processor with URL replacement and optional Prebid injection
+#[must_use]
 pub fn create_html_processor(config: HtmlProcessorConfig) -> impl StreamProcessor {
     let post_processors = config.integrations.html_post_processors();
     let document_state = IntegrationDocumentState::default();
@@ -568,7 +570,7 @@ mod tests {
     #[test]
     fn test_html_processor_config_from_settings() {
         let settings = create_test_settings();
-        let registry = IntegrationRegistry::new(&settings);
+        let registry = IntegrationRegistry::new(&settings).expect("should create registry");
         let config = HtmlProcessorConfig::from_settings(
             &settings,
             &registry,
@@ -674,7 +676,7 @@ mod tests {
             )
             .expect("should insert testlight config");
 
-        let registry = IntegrationRegistry::new(&settings);
+        let registry = IntegrationRegistry::new(&settings).expect("should create registry");
         let mut config = create_test_config();
         config.integrations = registry;
 
diff --git a/crates/common/src/http_util.rs b/crates/common/src/http_util.rs
index 132d6bd8..1bfa4441 100644
--- a/crates/common/src/http_util.rs
+++ b/crates/common/src/http_util.rs
@@ -6,7 +6,7 @@ use sha2::{Digest, Sha256};
 
 use crate::settings::Settings;
 
-/// Build a static text response with strong ETag and standard caching headers.
+/// Build a static text response with strong `ETag` and standard caching headers.
 /// Handles If-None-Match to return 304 when appropriate.
 pub fn serve_static_with_etag(body: &str, req: &Request, content_type: &str) -> Response {
     // Compute ETag for conditional caching
@@ -44,6 +44,11 @@ pub fn serve_static_with_etag(body: &str, req: &Request, content_type: &str) ->
 
 /// Encrypts a URL using XChaCha20-Poly1305 with a key derived from the publisher `proxy_secret`.
 /// Returns a Base64 URL-safe (no padding) token: b"x1" || nonce(24) || ciphertext+tag.
+///
+/// # Panics
+///
+/// Panics if encryption fails (which should not happen under normal circumstances).
+#[must_use]
 pub fn encode_url(settings: &Settings, plaintext_url: &str) -> String {
     // Derive a 32-byte key via SHA-256(secret)
     let key_bytes = Sha256::digest(settings.publisher.proxy_secret.as_bytes());
@@ -71,6 +76,7 @@ pub fn encode_url(settings: &Settings, plaintext_url: &str) -> String {
 }
 
 /// Decrypts and verifies a token produced by `encode_url`. Returns None if invalid.
+#[must_use]
 pub fn decode_url(settings: &Settings, token: &str) -> Option<String> {
     let data = URL_SAFE_NO_PAD.decode(token.as_bytes()).ok()?;
     if data.len() < 2 + 24 + 16 {
@@ -92,11 +98,12 @@ pub fn decode_url(settings: &Settings, token: &str) -> Option<String> {
 }
 
 /// Compute a deterministic signature token (tstoken) for a clear-text URL using the
-/// publisher's proxy_secret. This enables proxy URLs to retain the original URL in
+/// publisher's `proxy_secret`. This enables proxy URLs to retain the original URL in
 /// clear text while still providing integrity/authenticity via a keyed digest.
 ///
 /// Token format: Base64 URL-safe (no padding) of SHA-256("ts-proxy-v2" || secret || url)
 /// - Not intended as a general HMAC; sufficient for validating unmodified URLs under a secret.
+#[must_use]
 pub fn sign_clear_url(settings: &Settings, clear_url: &str) -> String {
     let mut hasher = Sha256::new();
     hasher.update(b"ts-proxy-v2");
@@ -107,6 +114,7 @@ pub fn sign_clear_url(settings: &Settings, clear_url: &str) -> String {
 }
 
 /// Verify a `tstoken` for the given clear-text URL.
+#[must_use]
 pub fn verify_clear_url_signature(settings: &Settings, clear_url: &str, token: &str) -> bool {
     sign_clear_url(settings, clear_url) == token
 }
@@ -118,6 +126,7 @@ pub fn verify_clear_url_signature(settings: &Settings, clear_url: &str, token: &
 /// 2) Base64-decode the `x1||nonce||ciphertext+tag` bytes
 /// 3) Compute SHA-256 over those bytes
 /// 4) Return Base64 URL-safe (no padding) digest as `tstoken`
+#[must_use]
 pub fn compute_encrypted_sha256_token(settings: &Settings, full_url: &str) -> String {
     // Encrypt deterministically using existing helper
     let enc = encode_url(settings, full_url);
diff --git a/crates/common/src/integrations/adserver_mock.rs b/crates/common/src/integrations/adserver_mock.rs
index f2102e15..253a7a88 100644
--- a/crates/common/src/integrations/adserver_mock.rs
+++ b/crates/common/src/integrations/adserver_mock.rs
@@ -80,6 +80,7 @@ pub struct AdServerMockProvider {
 
 impl AdServerMockProvider {
     /// Create a new mock ad server provider.
+    #[must_use]
     pub fn new(config: AdServerMockConfig) -> Self {
         Self { config }
     }
@@ -183,7 +184,7 @@ impl AdServerMockProvider {
         }))
     }
 
-    /// Parse OpenRTB response from mediation endpoint.
+    /// Parse `OpenRTB` response from mediation endpoint.
     /// Mediation returns decoded prices for all bids (including APS bids that were encoded).
     fn parse_mediation_response(&self, json: &Json, response_time_ms: u64) -> AuctionResponse {
         // Parse OpenRTB response
@@ -348,6 +349,7 @@ impl AuctionProvider for AdServerMockProvider {
 // ============================================================================
 
 /// Auto-register ad server mock provider based on settings configuration.
+#[must_use]
 pub fn register_providers(settings: &Settings) -> Vec<Arc<dyn AuctionProvider>> {
     let mut providers: Vec<Arc<dyn AuctionProvider>> = Vec::new();
 
diff --git a/crates/common/src/integrations/aps.rs b/crates/common/src/integrations/aps.rs
index fa100377..02d946f8 100644
--- a/crates/common/src/integrations/aps.rs
+++ b/crates/common/src/integrations/aps.rs
@@ -144,7 +144,7 @@ struct ApsSlotResponse {
     #[serde(skip_serializing_if = "Option::is_none")]
     amznp: Option<String>,
 
-    /// Amazon size in WxH format (e.g., "300x250")
+    /// Amazon size in `WxH` format (e.g., "300x250")
     #[serde(skip_serializing_if = "Option::is_none")]
     amznsz: Option<String>,
 
@@ -177,7 +177,7 @@ pub struct ApsConfig {
     pub timeout_ms: u32,
 }
 
-/// Custom deserializer for pub_id that accepts both string and integer
+/// Custom deserializer for `pub_id` that accepts both string and integer
 fn deserialize_pub_id<'de, D>(deserializer: D) -> Result<String, D::Error>
 where
     D: serde::Deserializer<'de>,
@@ -262,11 +262,12 @@ pub struct ApsAuctionProvider {
 
 impl ApsAuctionProvider {
     /// Create a new APS auction provider.
+    #[must_use]
     pub fn new(config: ApsConfig) -> Self {
         Self { config }
     }
 
-    /// Convert unified AuctionRequest to APS TAM bid request format.
+    /// Convert unified `AuctionRequest` to APS TAM bid request format.
     fn to_aps_request(&self, request: &AuctionRequest) -> ApsBidRequest {
         let slots: Vec<ApsSlot> = request
             .slots
@@ -313,7 +314,7 @@ impl ApsAuctionProvider {
     /// Note: Price is NOT decoded here. The encoded price is stored in metadata
     /// and will be decoded by the mediation layer (mocktioneer). This simulates
     /// real-world APS where only Amazon/GAM can decode the proprietary price encoding.
-    fn parse_aps_slot(&self, slot: ApsSlotResponse) -> Result<Bid, ()> {
+    fn parse_aps_slot(&self, slot: &ApsSlotResponse) -> Result<Bid, ()> {
         // Only process filled slots (fif == "1")
         if slot.fif.as_deref() != Some("1") {
             return Err(());
@@ -368,7 +369,7 @@ impl ApsAuctionProvider {
         })
     }
 
-    /// Parse APS TAM response into unified AuctionResponse.
+    /// Parse APS TAM response into unified `AuctionResponse`.
     fn parse_aps_response(&self, json: &Json, response_time_ms: u64) -> AuctionResponse {
         let mut bids = Vec::new();
 
@@ -380,7 +381,7 @@ impl ApsAuctionProvider {
             );
 
             for slot in aps_response.contextual.slots {
-                match self.parse_aps_slot(slot) {
+                match self.parse_aps_slot(&slot) {
                     Ok(bid) => {
                         let encoded_price = bid
                             .metadata
@@ -531,6 +532,7 @@ use std::sync::Arc;
 /// Auto-register APS provider based on settings configuration.
 ///
 /// Returns the APS provider if enabled in settings.
+#[must_use]
 pub fn register_providers(settings: &Settings) -> Vec<Arc<dyn AuctionProvider>> {
     let mut providers: Vec<Arc<dyn AuctionProvider>> = Vec::new();
 
@@ -830,7 +832,7 @@ mod tests {
         };
 
         let bid = provider
-            .parse_aps_slot(aps_slot)
+            .parse_aps_slot(&aps_slot)
             .expect("should parse slot");
 
         assert_eq!(bid.slot_id, "test-slot");
@@ -889,7 +891,7 @@ mod tests {
             amznactt: Some("OPEN".to_string()),
         };
 
-        let bid = provider.parse_aps_slot(aps_slot).expect("should parse");
+        let bid = provider.parse_aps_slot(&aps_slot).expect("should parse");
 
         // Key assertions:
         // 1. creative should be None for APS bids
diff --git a/crates/common/src/integrations/didomi.rs b/crates/common/src/integrations/didomi.rs
index 6c1a2ed0..457a39bf 100644
--- a/crates/common/src/integrations/didomi.rs
+++ b/crates/common/src/integrations/didomi.rs
@@ -167,6 +167,7 @@ fn build(settings: &Settings) -> Option<Arc<DidomiIntegration>> {
 }
 
 /// Register the Didomi consent notice integration when enabled.
+#[must_use]
 pub fn register(settings: &Settings) -> Option<IntegrationRegistration> {
     let integration = build(settings)?;
     Some(
@@ -272,7 +273,7 @@ mod tests {
             .insert_config(DIDOMI_INTEGRATION_ID, &config(true))
             .expect("should insert config");
 
-        let registry = IntegrationRegistry::new(&settings);
+        let registry = IntegrationRegistry::new(&settings).expect("should create registry");
         assert!(registry.has_route(&Method::GET, "/integrations/didomi/consent/loader.js"));
         assert!(registry.has_route(&Method::POST, "/integrations/didomi/consent/api/events"));
         assert!(!registry.has_route(&Method::GET, "/other"));
diff --git a/crates/common/src/integrations/lockr.rs b/crates/common/src/integrations/lockr.rs
index 733b8a74..83c10dfa 100644
--- a/crates/common/src/integrations/lockr.rs
+++ b/crates/common/src/integrations/lockr.rs
@@ -44,12 +44,12 @@ pub struct LockrConfig {
     #[validate(length(min = 1))]
     pub app_id: String,
 
-    /// Base URL for Lockr API (default: https://identity.lockr.kr)
+    /// Base URL for Lockr API (default: <https://identity.lockr.kr>)
     #[serde(default = "default_api_endpoint")]
     #[validate(url)]
     pub api_endpoint: String,
 
-    /// SDK URL (default: https://aim.loc.kr/identity-lockr-v1.0.js)
+    /// SDK URL (default: <https://aim.loc.kr/identity-lockr-v1.0.js>)
     #[serde(default = "default_sdk_url")]
     #[validate(url)]
     pub sdk_url: String,
@@ -69,7 +69,7 @@ pub struct LockrConfig {
 
     /// Override the Origin header sent to Lockr API.
     /// Use this when running locally or from a domain not registered with Lockr.
-    /// Example: "https://www.example.com"
+    /// Example: "<https://www.example.com>"
     #[serde(default)]
     #[validate(url)]
     pub origin_override: Option<String>,
@@ -316,6 +316,7 @@ fn build(settings: &Settings) -> Option<Arc<LockrIntegration>> {
 }
 
 /// Register the Lockr integration.
+#[must_use]
 pub fn register(settings: &Settings) -> Option<IntegrationRegistration> {
     let integration = build(settings)?;
     Some(
diff --git a/crates/common/src/integrations/nextjs/html_post_process.rs b/crates/common/src/integrations/nextjs/html_post_process.rs
index f3798725..c85bf517 100644
--- a/crates/common/src/integrations/nextjs/html_post_process.rs
+++ b/crates/common/src/integrations/nextjs/html_post_process.rs
@@ -39,7 +39,9 @@ impl IntegrationHtmlPostProcessor for NextJsHtmlPostProcessor {
             .document_state
             .get::<Mutex<NextJsRscPostProcessState>>(NEXTJS_INTEGRATION_ID)
         {
-            let guard = state.lock().unwrap_or_else(|e| e.into_inner());
+            let guard = state
+                .lock()
+                .unwrap_or_else(std::sync::PoisonError::into_inner);
             if !guard.payloads.is_empty() {
                 return true;
             }
@@ -56,7 +58,9 @@ impl IntegrationHtmlPostProcessor for NextJsHtmlPostProcessor {
             .document_state
             .get::<Mutex<NextJsRscPostProcessState>>(NEXTJS_INTEGRATION_ID)
             .map(|state| {
-                let mut guard = state.lock().unwrap_or_else(|e| e.into_inner());
+                let mut guard = state
+                    .lock()
+                    .unwrap_or_else(std::sync::PoisonError::into_inner);
                 guard.take_payloads()
             })
             .unwrap_or_default();
@@ -333,6 +337,7 @@ fn find_rsc_push_scripts(html: &str) -> Vec<RscPushScriptRange> {
     since = "0.1.0",
     note = "Use NextJsHtmlPostProcessor for production RSC rewriting. This function re-parses HTML."
 )]
+#[must_use]
 pub fn post_process_rsc_html(
     html: &str,
     origin_host: &str,
diff --git a/crates/common/src/integrations/nextjs/mod.rs b/crates/common/src/integrations/nextjs/mod.rs
index d79e98c2..522dae01 100644
--- a/crates/common/src/integrations/nextjs/mod.rs
+++ b/crates/common/src/integrations/nextjs/mod.rs
@@ -56,6 +56,7 @@ fn default_max_combined_payload_bytes() -> usize {
     10 * 1024 * 1024
 }
 
+#[must_use]
 pub fn register(settings: &Settings) -> Option<IntegrationRegistration> {
     let config = match build(settings) {
         Some(config) => {
@@ -142,7 +143,7 @@ mod tests {
                 }),
             )
             .expect("should update nextjs config");
-        let registry = IntegrationRegistry::new(&settings);
+        let registry = IntegrationRegistry::new(&settings).expect("should create registry");
         let config = config_from_settings(&settings, &registry);
         let processor = create_html_processor(config);
         let pipeline_config = PipelineConfig {
@@ -205,7 +206,7 @@ mod tests {
                 }),
             )
             .expect("should update nextjs config");
-        let registry = IntegrationRegistry::new(&settings);
+        let registry = IntegrationRegistry::new(&settings).expect("should create registry");
         let config = config_from_settings(&settings, &registry);
         let processor = create_html_processor(config);
         let pipeline_config = PipelineConfig {
@@ -253,7 +254,7 @@ mod tests {
                 }),
             )
             .expect("should update nextjs config");
-        let registry = IntegrationRegistry::new(&settings);
+        let registry = IntegrationRegistry::new(&settings).expect("should create registry");
         let config = config_from_settings(&settings, &registry);
         let processor = create_html_processor(config);
         let pipeline_config = PipelineConfig {
@@ -304,7 +305,7 @@ mod tests {
                 }),
             )
             .expect("should update nextjs config");
-        let registry = IntegrationRegistry::new(&settings);
+        let registry = IntegrationRegistry::new(&settings).expect("should create registry");
         let config = config_from_settings(&settings, &registry);
         let processor = create_html_processor(config);
         let pipeline_config = PipelineConfig {
@@ -370,7 +371,7 @@ mod tests {
             )
             .expect("should update nextjs config");
 
-        let registry = IntegrationRegistry::new(&settings);
+        let registry = IntegrationRegistry::new(&settings).expect("should create registry");
         let config = config_from_settings(&settings, &registry);
         let processor = create_html_processor(config);
         let pipeline_config = PipelineConfig {
@@ -442,7 +443,7 @@ mod tests {
                 }),
             )
             .expect("should update nextjs config");
-        let registry = IntegrationRegistry::new(&settings);
+        let registry = IntegrationRegistry::new(&settings).expect("should create registry");
         let config = config_from_settings(&settings, &registry);
         let processor = create_html_processor(config);
         // Use small chunk size to force fragmentation
diff --git a/crates/common/src/integrations/nextjs/rsc.rs b/crates/common/src/integrations/nextjs/rsc.rs
index 534c912e..704aa56f 100644
--- a/crates/common/src/integrations/nextjs/rsc.rs
+++ b/crates/common/src/integrations/nextjs/rsc.rs
@@ -3,7 +3,7 @@ use regex::Regex;
 
 use super::shared::RscUrlRewriter;
 
-/// T-chunk header pattern: hex_id:Thex_length,
+/// T-chunk header pattern: `hex_id:Thex_length`,
 static TCHUNK_PATTERN: Lazy<Regex> =
     Lazy::new(|| Regex::new(r"([0-9a-fA-F]+):T([0-9a-fA-F]+),").expect("valid T-chunk regex"));
 
@@ -13,8 +13,8 @@ pub(crate) const RSC_MARKER: &str = "\x00SPLIT\x00";
 /// Default maximum combined payload size for cross-script processing (10 MB).
 pub(crate) const DEFAULT_MAX_COMBINED_PAYLOAD_BYTES: usize = 10 * 1024 * 1024;
 
-/// Maximum reasonable T-chunk length to prevent DoS from malformed input (100 MB).
-/// A T-chunk larger than this is almost certainly malformed and would cause excessive
+/// Maximum reasonable T-chunk length to prevent `DoS` from malformed input (100 MB).
+/// A `T-chunk` larger than this is almost certainly malformed and would cause excessive
 /// memory allocation or iteration.
 const MAX_REASONABLE_TCHUNK_LENGTH: usize = 100 * 1024 * 1024;
 
@@ -328,6 +328,7 @@ fn calculate_unescaped_byte_length_skip_markers(s: &str) -> usize {
 }
 
 /// Process multiple RSC script payloads together, handling cross-script T-chunks.
+#[must_use]
 pub fn rewrite_rsc_scripts_combined(
     payloads: &[&str],
     origin_host: &str,
@@ -475,7 +476,7 @@ pub(crate) fn rewrite_rsc_scripts_combined_with_limit(
     let remaining = &combined[last_end..];
     result.push_str(rewriter.rewrite(remaining).as_ref());
 
-    result.split(RSC_MARKER).map(|s| s.to_string()).collect()
+    result.split(RSC_MARKER).map(String::from).collect()
 }
 
 #[cfg(test)]
diff --git a/crates/common/src/integrations/nextjs/rsc_placeholders.rs b/crates/common/src/integrations/nextjs/rsc_placeholders.rs
index e26a98fe..1aa0b391 100644
--- a/crates/common/src/integrations/nextjs/rsc_placeholders.rs
+++ b/crates/common/src/integrations/nextjs/rsc_placeholders.rs
@@ -87,7 +87,9 @@ impl IntegrationScriptRewriter for NextJsRscPlaceholderRewriter {
             .get_or_insert_with(NEXTJS_INTEGRATION_ID, || {
                 Mutex::new(NextJsRscPostProcessState::default())
             });
-        let mut guard = state.lock().unwrap_or_else(|e| e.into_inner());
+        let mut guard = state
+            .lock()
+            .unwrap_or_else(std::sync::PoisonError::into_inner);
 
         let placeholder_index = guard.payloads.len();
         let placeholder = rsc_payload_placeholder(placeholder_index);
diff --git a/crates/common/src/integrations/permutive.rs b/crates/common/src/integrations/permutive.rs
index 13c2f3a2..96e7630b 100644
--- a/crates/common/src/integrations/permutive.rs
+++ b/crates/common/src/integrations/permutive.rs
@@ -41,12 +41,12 @@ pub struct PermutiveConfig {
     #[serde(default)]
     pub project_id: String,
 
-    /// Base URL for Permutive API (default: https://api.permutive.com)
+    /// Base URL for Permutive API (default: <https://api.permutive.com>)
     #[serde(default = "default_api_endpoint")]
     #[validate(url)]
     pub api_endpoint: String,
 
-    /// Base URL for Permutive Secure Signals (default: https://secure-signals.permutive.app)
+    /// Base URL for Permutive Secure Signals (default: <https://secure-signals.permutive.app>)
     #[serde(default = "default_secure_signals_endpoint")]
     #[validate(url)]
     pub secure_signals_endpoint: String,
@@ -85,7 +85,7 @@ impl PermutiveIntegration {
     }
 
     /// Build the Permutive SDK URL from configuration.
-    /// Returns URL like: https://myorg.edge.permutive.app/workspace-12345-web.js
+    /// Returns URL like: <https://myorg.edge.permutive.app/workspace-12345-web.js>
     fn sdk_url(&self) -> String {
         format!(
             "https://{}.edge.permutive.app/{}-web.js",
@@ -521,6 +521,7 @@ fn build(settings: &Settings) -> Option<Arc<PermutiveIntegration>> {
 }
 
 /// Register the Permutive integration.
+#[must_use]
 pub fn register(settings: &Settings) -> Option<IntegrationRegistration> {
     let integration = build(settings)?;
     Some(
diff --git a/crates/common/src/integrations/prebid.rs b/crates/common/src/integrations/prebid.rs
index 70b6e7c4..7fa65896 100644
--- a/crates/common/src/integrations/prebid.rs
+++ b/crates/common/src/integrations/prebid.rs
@@ -230,6 +230,7 @@ fn build(settings: &Settings) -> Option<Arc<PrebidIntegration>> {
     Some(PrebidIntegration::new(config))
 }
 
+#[must_use]
 pub fn register(settings: &Settings) -> Option<IntegrationRegistration> {
     let integration = build(settings)?;
     Some(
@@ -681,7 +682,7 @@ fn append_query_params(url: &str, params: &str) -> String {
 
 /// Extracts the `adm` field from the first bid matching the given slot (by `impid`).
 ///
-/// Searches through the OpenRTB seatbid/bid structure for a bid whose `impid`
+/// Searches through the `OpenRTB` seatbid/bid structure for a bid whose `impid`
 /// matches `slot` and returns its `adm` (ad markup) value.
 #[allow(dead_code)]
 fn extract_adm_for_slot(response: &Json, slot: &str) -> Option<String> {
@@ -708,11 +709,12 @@ pub struct PrebidAuctionProvider {
 
 impl PrebidAuctionProvider {
     /// Create a new Prebid auction provider.
+    #[must_use]
     pub fn new(config: PrebidIntegrationConfig) -> Self {
         Self { config }
     }
 
-    /// Convert auction request to OpenRTB format with all enrichments.
+    /// Convert auction request to `OpenRTB` format with all enrichments.
     fn to_openrtb(
         &self,
         request: &AuctionRequest,
@@ -833,7 +835,7 @@ impl PrebidAuctionProvider {
         }
     }
 
-    /// Parse OpenRTB response into auction response.
+    /// Parse `OpenRTB` response into auction response.
     fn parse_openrtb_response(&self, json: &Json, response_time_ms: u64) -> AuctionResponse {
         let mut bids = Vec::new();
 
@@ -861,7 +863,7 @@ impl PrebidAuctionProvider {
         }
     }
 
-    /// Parse a single bid from OpenRTB response.
+    /// Parse a single bid from `OpenRTB` response.
     fn parse_bid(&self, bid_obj: &Json, seat: &str) -> Result<AuctionBid, ()> {
         let slot_id = bid_obj
             .get("impid")
@@ -869,32 +871,41 @@ impl PrebidAuctionProvider {
             .ok_or(())?
             .to_string();
 
-        let price = bid_obj.get("price").and_then(|v| v.as_f64()).ok_or(())?;
+        let price = bid_obj
+            .get("price")
+            .and_then(serde_json::Value::as_f64)
+            .ok_or(())?;
 
         let creative = bid_obj
             .get("adm")
             .and_then(|v| v.as_str())
-            .map(|s| s.to_string());
+            .map(std::string::ToString::to_string);
 
-        let width = bid_obj.get("w").and_then(|v| v.as_u64()).unwrap_or(300) as u32;
-        let height = bid_obj.get("h").and_then(|v| v.as_u64()).unwrap_or(250) as u32;
+        let width = bid_obj
+            .get("w")
+            .and_then(serde_json::Value::as_u64)
+            .unwrap_or(300) as u32;
+        let height = bid_obj
+            .get("h")
+            .and_then(serde_json::Value::as_u64)
+            .unwrap_or(250) as u32;
 
         let nurl = bid_obj
             .get("nurl")
             .and_then(|v| v.as_str())
-            .map(|s| s.to_string());
+            .map(std::string::ToString::to_string);
 
         let burl = bid_obj
             .get("burl")
             .and_then(|v| v.as_str())
-            .map(|s| s.to_string());
+            .map(std::string::ToString::to_string);
 
         let adomain = bid_obj
             .get("adomain")
             .and_then(|v| v.as_array())
             .map(|arr| {
                 arr.iter()
-                    .filter_map(|v| v.as_str().map(|s| s.to_string()))
+                    .filter_map(|v| v.as_str().map(std::string::ToString::to_string))
                     .collect()
             });
 
@@ -1052,6 +1063,7 @@ impl AuctionProvider for PrebidAuctionProvider {
 ///
 /// This function checks the settings for Prebid configuration and returns
 /// the provider if enabled.
+#[must_use]
 pub fn register_auction_provider(settings: &Settings) -> Vec<Arc<dyn AuctionProvider>> {
     let mut providers: Vec<Arc<dyn AuctionProvider>> = Vec::new();
 
@@ -1164,7 +1176,7 @@ mod tests {
                 }),
             )
             .expect("should update prebid config");
-        let registry = IntegrationRegistry::new(&settings);
+        let registry = IntegrationRegistry::new(&settings).expect("should create registry");
         let config = config_from_settings(&settings, &registry);
         let processor = create_html_processor(config);
         let pipeline_config = PipelineConfig {
@@ -1214,7 +1226,7 @@ mod tests {
                 }),
             )
             .expect("should update prebid config");
-        let registry = IntegrationRegistry::new(&settings);
+        let registry = IntegrationRegistry::new(&settings).expect("should create registry");
         let config = config_from_settings(&settings, &registry);
         let processor = create_html_processor(config);
         let pipeline_config = PipelineConfig {
diff --git a/crates/common/src/integrations/registry.rs b/crates/common/src/integrations/registry.rs
index a302bfb3..7fe9e778 100644
--- a/crates/common/src/integrations/registry.rs
+++ b/crates/common/src/integrations/registry.rs
@@ -116,6 +116,12 @@ impl std::fmt::Debug for IntegrationDocumentState {
 }
 
 impl IntegrationDocumentState {
+    #[must_use]
+    /// Retrieves a value stored for an integration.
+    ///
+    /// # Panics
+    ///
+    /// Panics if the inner lock is poisoned.
     pub fn get<T>(&self, integration_id: &'static str) -> Option<Arc<T>>
     where
         T: Any + Send + Sync + 'static,
@@ -130,6 +136,11 @@ impl IntegrationDocumentState {
         })
     }
 
+    /// Retrieves or initializes a value for an integration.
+    ///
+    /// # Panics
+    ///
+    /// Panics if the inner lock is poisoned.
     pub fn get_or_insert_with<T>(
         &self,
         integration_id: &'static str,
@@ -157,6 +168,11 @@ impl IntegrationDocumentState {
         value
     }
 
+    /// Clears all stored values.
+    ///
+    /// # Panics
+    ///
+    /// Panics if the inner lock is poisoned.
     pub fn clear(&self) {
         let mut guard = self
             .inner
@@ -490,7 +506,15 @@ pub struct IntegrationRegistry {
 
 impl IntegrationRegistry {
     /// Build a registry from the provided settings.
-    pub fn new(settings: &Settings) -> Self {
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if route registration fails due to duplicate routes or invalid paths.
+    ///
+    /// # Panics
+    ///
+    /// Panics if a route path ends with `/*` but `strip_suffix` unexpectedly fails (invariant violation).
+    pub fn new(settings: &Settings) -> Result<Self, Report<TrustedServerError>> {
         let mut inner = IntegrationRegistryInner::default();
 
         for builder in crate::integrations::builders() {
@@ -501,7 +525,13 @@ impl IntegrationRegistry {
 
                         // Convert /* wildcard to matchit's {*rest} syntax
                         let matchit_path = if route.path.ends_with("/*") {
-                            format!("{}/{{*rest}}", route.path.strip_suffix("/*").unwrap())
+                            format!(
+                                "{}/{{*rest}}",
+                                route
+                                    .path
+                                    .strip_suffix("/*")
+                                    .expect("path should end with '/*'")
+                            )
                         } else {
                             route.path.clone()
                         };
@@ -524,10 +554,12 @@ impl IntegrationRegistry {
                         };
 
                         if let Err(e) = router.insert(&matchit_path, value) {
-                            panic!(
-                                "Integration route registration failed for {} {}: {:?}",
-                                route.method, route.path, e
-                            );
+                            return Err(Report::new(TrustedServerError::Configuration {
+                                message: format!(
+                                    "Integration route registration failed for {} {}: {:?}",
+                                    route.method, route.path, e
+                                ),
+                            }));
                         }
 
                         inner.routes.push((route, registration.integration_id));
@@ -545,9 +577,9 @@ impl IntegrationRegistry {
             }
         }
 
-        Self {
+        Ok(Self {
             inner: Arc::new(inner),
-        }
+        })
     }
 
     fn find_route(&self, method: &Method, path: &str) -> Option<&RouteValue> {
@@ -564,11 +596,13 @@ impl IntegrationRegistry {
     }
 
     /// Return true when any proxy is registered for the provided route.
+    #[must_use]
     pub fn has_route(&self, method: &Method, path: &str) -> bool {
         self.find_route(method, path).is_some()
     }
 
     /// Dispatch a proxy request when an integration handles the path.
+    #[must_use]
     pub async fn handle_proxy(
         &self,
         method: &Method,
@@ -584,6 +618,7 @@ impl IntegrationRegistry {
     }
 
     /// Give integrations a chance to rewrite HTML attributes.
+    #[must_use]
     pub fn rewrite_attribute(
         &self,
         attr_name: &str,
@@ -616,16 +651,19 @@ impl IntegrationRegistry {
     }
 
     /// Expose registered script/text rewriters for HTML processing.
+    #[must_use]
     pub fn script_rewriters(&self) -> Vec<Arc<dyn IntegrationScriptRewriter>> {
         self.inner.script_rewriters.clone()
     }
 
     /// Expose registered HTML post-processors.
+    #[must_use]
     pub fn html_post_processors(&self) -> Vec<Arc<dyn IntegrationHtmlPostProcessor>> {
         self.inner.html_post_processors.clone()
     }
 
     /// Provide a snapshot of registered integrations and their hooks.
+    #[must_use]
     pub fn registered_integrations(&self) -> Vec<IntegrationMetadata> {
         let mut map: BTreeMap<&'static str, IntegrationMetadata> = BTreeMap::new();
 
@@ -657,6 +695,7 @@ impl IntegrationRegistry {
     }
 
     #[cfg(test)]
+    #[must_use]
     pub fn from_rewriters(
         attribute_rewriters: Vec<Arc<dyn IntegrationAttributeRewriter>>,
         script_rewriters: Vec<Arc<dyn IntegrationScriptRewriter>>,
@@ -677,6 +716,12 @@ impl IntegrationRegistry {
     }
 
     #[cfg(test)]
+    #[must_use]
+    /// Test helper to create a registry from routes.
+    ///
+    /// # Panics
+    ///
+    /// Panics if route registration fails due to duplicate or invalid paths.
     pub fn from_routes(routes: Vec<(Method, &str, RouteValue)>) -> Self {
         let mut get_router = Router::new();
         let mut post_router = Router::new();
@@ -687,7 +732,10 @@ impl IntegrationRegistry {
         for (method, path, value) in routes {
             // Convert /* wildcard to matchit's {*rest} syntax
             let matchit_path = if path.ends_with("/*") {
-                format!("{}/{{*rest}}", path.strip_suffix("/*").unwrap())
+                format!(
+                    "{}/{{*rest}}",
+                    path.strip_suffix("/*").expect("path should end with '/*'")
+                )
             } else {
                 path.to_string()
             };
@@ -701,7 +749,9 @@ impl IntegrationRegistry {
                 _ => continue,
             };
 
-            router.insert(&matchit_path, value).unwrap();
+            router
+                .insert(&matchit_path, value)
+                .expect("route registration should succeed");
         }
 
         Self {
diff --git a/crates/common/src/integrations/testlight.rs b/crates/common/src/integrations/testlight.rs
index 29ecb599..d3d48af9 100644
--- a/crates/common/src/integrations/testlight.rs
+++ b/crates/common/src/integrations/testlight.rs
@@ -108,7 +108,7 @@ fn build(settings: &Settings) -> Option<Arc<TestlightIntegration>> {
 
     Some(TestlightIntegration::new(config))
 }
-
+#[must_use]
 pub fn register(settings: &Settings) -> Option<IntegrationRegistration> {
     let integration = build(settings)?;
     Some(
diff --git a/crates/common/src/lib.rs b/crates/common/src/lib.rs
index 99289f57..a01865f6 100644
--- a/crates/common/src/lib.rs
+++ b/crates/common/src/lib.rs
@@ -21,6 +21,17 @@
 //! - [`test_support`]: Testing utilities and mocks
 //! - [`why`]: Debugging and introspection utilities
 
+#![cfg_attr(
+    test,
+    allow(
+        clippy::print_stdout,
+        clippy::print_stderr,
+        clippy::panic,
+        clippy::dbg_macro,
+        clippy::unwrap_used,
+    )
+)]
+
 pub mod auction;
 pub mod auction_config_types;
 pub mod auth;
diff --git a/crates/common/src/openrtb.rs b/crates/common/src/openrtb.rs
index 3d2d7b84..b87afc2f 100644
--- a/crates/common/src/openrtb.rs
+++ b/crates/common/src/openrtb.rs
@@ -3,7 +3,7 @@ use serde_json::Value;
 
 use crate::auction::types::OrchestratorExt;
 
-/// Minimal subset of OpenRTB 2.x bid request used by Trusted Server.
+/// Minimal subset of `OpenRTB` 2.x bid request used by Trusted Server.
 #[derive(Debug, Serialize)]
 #[serde(rename_all = "lowercase")]
 pub struct OpenRtbRequest {
@@ -72,7 +72,7 @@ pub struct Device {
 
 #[derive(Debug, Serialize)]
 pub struct Geo {
-    /// Location type per OpenRTB spec (1=GPS, 2=IP address, 3=user provided)
+    /// Location type per `OpenRTB` spec (1=GPS, 2=IP address, 3=user provided)
     #[serde(rename = "type")]
     pub geo_type: u8,
     #[serde(skip_serializing_if = "Option::is_none")]
@@ -131,7 +131,7 @@ pub struct PrebidImpExt {
     pub bidder: std::collections::HashMap<String, Value>,
 }
 
-/// Minimal subset of OpenRTB 2.x bid response used by Trusted Server.
+/// Minimal subset of `OpenRTB` 2.x bid response used by Trusted Server.
 #[derive(Debug, Serialize)]
 pub struct OpenRtbResponse {
     pub id: String,
diff --git a/crates/common/src/proxy.rs b/crates/common/src/proxy.rs
index 677c9586..e3932111 100644
--- a/crates/common/src/proxy.rs
+++ b/crates/common/src/proxy.rs
@@ -82,7 +82,7 @@ impl<'a> ProxyRequestConfig<'a> {
     }
 }
 
-/// Encodings we support decompressing in finalize_proxied_response.
+/// Encodings we support decompressing in `finalize_proxied_response`.
 /// We override the client's Accept-Encoding to only advertise these.
 const SUPPORTED_ENCODINGS: &str = "gzip, deflate, br";
 
@@ -107,7 +107,7 @@ fn copy_proxy_forward_headers(src: &Request, dst: &mut Request) {
 /// If `preserve_encoding` is true, the Content-Encoding header is kept (for compressed responses).
 /// If false, Content-Encoding is stripped (for decompressed responses).
 fn rebuild_response_with_body(
-    beresp: Response,
+    beresp: &Response,
     content_type: &'static str,
     body: Vec<u8>,
     preserve_encoding: bool,
@@ -161,7 +161,7 @@ fn process_response_with_pipeline<P: StreamProcessor>(
         })?;
 
     Ok(rebuild_response_with_body(
-        beresp,
+        &beresp,
         content_type,
         output,
         compression != Compression::None,
@@ -606,6 +606,10 @@ async fn proxy_with_redirects(
 /// - If the response is an image or the request `Accept` indicates images, ensures a
 ///   generic `image/*` content type if origin omitted it, and logs likely 1×1 pixels
 ///   using simple size/URL heuristics. No special response (still proxied).
+///
+/// # Errors
+///
+/// Returns an error if the signed target cannot be reconstructed or validation fails.
 pub async fn handle_first_party_proxy(
     settings: &Settings,
     req: Request,
@@ -635,6 +639,10 @@ pub async fn handle_first_party_proxy(
 /// content, it validates the URL and issues a 302 redirect to the reconstructed
 /// target URL. This avoids parsing/downloading the content and lets the browser
 /// navigate directly to the destination under first-party control.
+///
+/// # Errors
+///
+/// Returns an error if the signed target cannot be reconstructed or validation fails.
 pub async fn handle_first_party_click(
     settings: &Settings,
     req: Request,
@@ -717,6 +725,10 @@ pub async fn handle_first_party_click(
 /// in the signature so the signed URL cannot be replayed indefinitely. Returns JSON
 /// `{ href, base }` where `href` is the signed `/first-party/proxy?...` path and `base`
 /// is the normalized clear URL.
+///
+/// # Errors
+///
+/// Returns an error if JSON parsing fails, the URL cannot be parsed, or the URL uses an unsupported scheme.
 pub async fn handle_first_party_proxy_sign(
     settings: &Settings,
     mut req: Request,
@@ -820,6 +832,10 @@ struct ProxyRebuildResp {
 /// Body: { tsclick: "/first-party/click?tsurl=...&a=1", add: {"b":"2"}, del: ["c"] }
 /// - Only allows adding new parameters or removing existing ones.
 /// - Base tsurl cannot change.
+///
+/// # Errors
+///
+/// Returns an error if JSON parsing fails, the URL is invalid, or the request body cannot be read.
 pub async fn handle_first_party_proxy_rebuild(
     settings: &Settings,
     mut req: Request,
diff --git a/crates/common/src/publisher.rs b/crates/common/src/publisher.rs
index 5d3b8a08..58907cc6 100644
--- a/crates/common/src/publisher.rs
+++ b/crates/common/src/publisher.rs
@@ -76,7 +76,13 @@ fn detect_request_scheme(req: &Request) -> String {
 
 /// Unified tsjs static serving: `/static/tsjs=<filename>`
 /// Accepts: `tsjs-core(.min).js`, `tsjs-ext(.min).js`, `tsjs-creative(.min).js`
-pub fn handle_tsjs_dynamic(req: Request) -> Result<Response, Report<TrustedServerError>> {
+///
+/// Returns 404 for invalid paths or missing bundle files; otherwise serves the requested bundle.
+///
+/// # Errors
+///
+/// This function never returns an error; the Result type is for API consistency.
+pub fn handle_tsjs_dynamic(req: &Request) -> Result<Response, Report<TrustedServerError>> {
     const PREFIX: &str = "/static/tsjs=";
     let path = req.get_path();
     if !path.starts_with(PREFIX) {
@@ -90,7 +96,7 @@ pub fn handle_tsjs_dynamic(req: Request) -> Result<Response, Report<TrustedServe
         return Ok(Response::from_status(StatusCode::NOT_FOUND).with_body("Not Found"));
     };
 
-    let mut resp = serve_static_with_etag(body, &req, "application/javascript; charset=utf-8");
+    let mut resp = serve_static_with_etag(body, req, "application/javascript; charset=utf-8");
     resp.set_header(HEADER_X_COMPRESS_HINT, "on");
     Ok(resp)
 }
@@ -110,7 +116,7 @@ struct ProcessResponseParams<'a> {
 /// Process response body in streaming fashion with compression preservation
 fn process_response_streaming(
     body: Body,
-    params: ProcessResponseParams,
+    params: &ProcessResponseParams,
 ) -> Result<Body, Report<TrustedServerError>> {
     // Check if this is HTML content
     let is_html = params.content_type.contains("text/html");
@@ -337,7 +343,7 @@ pub fn handle_publisher_request(
             content_type: &content_type,
             integration_registry,
         };
-        match process_response_streaming(body, params) {
+        match process_response_streaming(body, &params) {
             Ok(processed_body) => {
                 // Set the processed body back
                 response.set_body(processed_body);
diff --git a/crates/common/src/request_signing/discovery.rs b/crates/common/src/request_signing/discovery.rs
index b5de8370..964027e3 100644
--- a/crates/common/src/request_signing/discovery.rs
+++ b/crates/common/src/request_signing/discovery.rs
@@ -18,6 +18,7 @@ pub struct TrustedServerDiscovery {
 
 impl TrustedServerDiscovery {
     /// Creates a new discovery document with the given JWKS
+    #[must_use]
     pub fn new(jwks_value: serde_json::Value) -> Self {
         Self {
             version: "1.0".to_string(),
diff --git a/crates/common/src/request_signing/endpoints.rs b/crates/common/src/request_signing/endpoints.rs
index c3073ac2..2c3d5f4c 100644
--- a/crates/common/src/request_signing/endpoints.rs
+++ b/crates/common/src/request_signing/endpoints.rs
@@ -18,6 +18,10 @@ use crate::settings::Settings;
 /// This endpoint provides a standardized discovery mechanism following the IAB
 /// Data Subject Rights framework pattern. It returns JWKS keys and API endpoints
 /// in a single discoverable location.
+///
+/// # Errors
+///
+/// Returns an error if JWKS cannot be retrieved, parsed, or serialized.
 pub fn handle_trusted_server_discovery(
     _settings: &Settings,
     _req: Request,
@@ -65,6 +69,10 @@ pub struct VerifySignatureResponse {
 
 /// Will verify a signature given a payload and kid
 /// Useful for testing integration with signatures
+///
+/// # Errors
+///
+/// Returns an error if the request body cannot be parsed as JSON or if verification fails.
 pub fn handle_verify_signature(
     _settings: &Settings,
     mut req: Request,
@@ -132,6 +140,10 @@ pub struct RotateKeyResponse {
 }
 
 /// Rotates the current active kid by generating and saving a new one
+///
+/// # Errors
+///
+/// Returns an error if the request signing settings are missing, JSON parsing fails, or key rotation fails.
 pub fn handle_rotate_key(
     settings: &Settings,
     mut req: Request,
@@ -232,6 +244,10 @@ pub struct DeactivateKeyResponse {
 }
 
 /// Deactivates an active key
+///
+/// # Errors
+///
+/// Returns an error if the request signing settings are missing, JSON parsing fails, or key deactivation fails.
 pub fn handle_deactivate_key(
     settings: &Settings,
     mut req: Request,
diff --git a/crates/common/src/request_signing/jwks.rs b/crates/common/src/request_signing/jwks.rs
index abbf20cd..2b89c9a5 100644
--- a/crates/common/src/request_signing/jwks.rs
+++ b/crates/common/src/request_signing/jwks.rs
@@ -19,6 +19,7 @@ pub struct Keypair {
 }
 
 impl Keypair {
+    #[must_use]
     pub fn generate() -> Self {
         let mut csprng = OsRng;
 
@@ -31,6 +32,7 @@ impl Keypair {
         }
     }
 
+    #[must_use]
     pub fn get_jwk(&self, kid: String) -> Jwk {
         let public_key_bytes = self.verifying_key.as_bytes();
 
@@ -51,13 +53,18 @@ impl Keypair {
     }
 }
 
+/// Retrieves active JSON Web Keys from the config store.
+///
+/// # Errors
+///
+/// Returns an error if the config store cannot be accessed or if active keys cannot be retrieved.
 pub fn get_active_jwks() -> Result<String, TrustedServerError> {
     let store = FastlyConfigStore::new("jwks_store");
     let active_kids_str = store.get("active-kids")?;
 
     let active_kids: Vec<&str> = active_kids_str
         .split(',')
-        .map(|s| s.trim())
+        .map(str::trim)
         .filter(|s| !s.is_empty())
         .collect();
 
diff --git a/crates/common/src/request_signing/rotation.rs b/crates/common/src/request_signing/rotation.rs
index fd77dcaf..affc84d4 100644
--- a/crates/common/src/request_signing/rotation.rs
+++ b/crates/common/src/request_signing/rotation.rs
@@ -28,6 +28,11 @@ pub struct KeyRotationManager {
 }
 
 impl KeyRotationManager {
+    /// Creates a new key rotation manager.
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the API client cannot be initialized.
     pub fn new(
         config_store_id: impl Into<String>,
         secret_store_id: impl Into<String>,
@@ -46,6 +51,11 @@ impl KeyRotationManager {
         })
     }
 
+    /// Rotates the signing key by generating a new keypair and storing it.
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if key storage or update operations fail.
     pub fn rotate_key(&self, kid: Option<String>) -> Result<KeyRotationResult, TrustedServerError> {
         let new_kid = kid.unwrap_or_else(generate_date_based_kid);
 
@@ -118,6 +128,11 @@ impl KeyRotationManager {
             })
     }
 
+    /// Lists all active key IDs.
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the active keys cannot be retrieved from the config store.
     pub fn list_active_keys(&self) -> Result<Vec<String>, TrustedServerError> {
         let active_kids_str = self.config_store.get("active-kids")?;
 
@@ -130,6 +145,11 @@ impl KeyRotationManager {
         Ok(active_kids)
     }
 
+    /// Deactivates a key by removing it from the active keys list.
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if this would deactivate the last active key, or if the update fails.
     pub fn deactivate_key(&self, kid: &str) -> Result<(), TrustedServerError> {
         let mut active_kids = self.list_active_keys()?;
 
@@ -144,6 +164,11 @@ impl KeyRotationManager {
         self.update_active_kids(&active_kids)
     }
 
+    /// Deletes a key by deactivating it and removing it from storage.
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if deactivation fails or if the key cannot be deleted from storage.
     pub fn delete_key(&self, kid: &str) -> Result<(), TrustedServerError> {
         self.deactivate_key(kid)?;
 
@@ -163,6 +188,7 @@ impl KeyRotationManager {
     }
 }
 
+#[must_use]
 pub fn generate_date_based_kid() -> String {
     use chrono::Utc;
     format!("ts-{}", Utc::now().format("%Y-%m-%d"))
diff --git a/crates/common/src/request_signing/signing.rs b/crates/common/src/request_signing/signing.rs
index 6420a120..bd1ae0a3 100644
--- a/crates/common/src/request_signing/signing.rs
+++ b/crates/common/src/request_signing/signing.rs
@@ -9,6 +9,11 @@ use ed25519_dalek::{Signature, Signer as Ed25519Signer, SigningKey, Verifier, Ve
 use crate::error::TrustedServerError;
 use crate::fastly_storage::{FastlyConfigStore, FastlySecretStore};
 
+/// Retrieves the current active key ID from the config store.
+///
+/// # Errors
+///
+/// Returns an error if the config store cannot be accessed or the current-kid key is not found.
 pub fn get_current_key_id() -> Result<String, TrustedServerError> {
     let store = FastlyConfigStore::new("jwks_store");
     store.get("current-kid")
@@ -40,6 +45,11 @@ pub struct RequestSigner {
 }
 
 impl RequestSigner {
+    /// Creates a `RequestSigner` from the current key ID stored in config.
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the key ID cannot be retrieved or the key cannot be parsed.
     pub fn from_config() -> Result<Self, TrustedServerError> {
         let config_store = FastlyConfigStore::new("jwks_store");
         let key_id = config_store.get("current-kid")?;
@@ -54,6 +64,11 @@ impl RequestSigner {
         })
     }
 
+    /// Signs a payload using the Ed25519 signing key.
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if signing fails.
     pub fn sign(&self, payload: &[u8]) -> Result<String, TrustedServerError> {
         let signature_bytes = self.key.sign(payload).to_bytes();
 
@@ -61,6 +76,11 @@ impl RequestSigner {
     }
 }
 
+/// Verifies a signature using the public key associated with the given key ID.
+///
+/// # Errors
+///
+/// Returns an error if the JWK cannot be retrieved, parsed, or if signature verification fails.
 pub fn verify_signature(
     payload: &[u8],
     signature_b64: &str,
diff --git a/crates/common/src/settings.rs b/crates/common/src/settings.rs
index 52a0837a..84bbd9a3 100644
--- a/crates/common/src/settings.rs
+++ b/crates/common/src/settings.rs
@@ -28,7 +28,7 @@ pub struct Publisher {
 }
 
 impl Publisher {
-    /// Extracts the host (including port if present) from the origin_url.
+    /// Extracts the host (including port if present) from the `origin_url`.
     ///
     /// # Examples
     ///
@@ -43,6 +43,7 @@ impl Publisher {
     /// assert_eq!(publisher.origin_host(), "origin.example.com:8080");
     /// ```
     #[allow(dead_code)]
+    #[must_use]
     pub fn origin_host(&self) -> String {
         Url::parse(&self.origin_url)
             .ok()
@@ -78,6 +79,11 @@ pub trait IntegrationConfig: DeserializeOwned + Validate {
 }
 
 impl IntegrationSettings {
+    /// Inserts a configuration value for an integration.
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the configuration cannot be serialized to JSON.
     #[cfg_attr(not(test), allow(dead_code))]
     pub fn insert_config<T>(
         &mut self,
@@ -116,6 +122,11 @@ impl IntegrationSettings {
         }
     }
 
+    /// Retrieves and validates a typed configuration for an integration.
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the configuration cannot be parsed from JSON or fails validation.
     pub fn get_typed<T>(
         &self,
         integration_id: &str,
@@ -180,6 +191,11 @@ pub struct Synthetic {
 }
 
 impl Synthetic {
+    /// Validates that the secret key is not the placeholder value.
+    ///
+    /// # Errors
+    ///
+    /// Returns a validation error if the secret key is `"secret_key"` (the placeholder).
     pub fn validate_secret_key(secret_key: &str) -> Result<(), ValidationError> {
         match secret_key {
             "secret_key" => Err(ValidationError::new("Secret key is not valid")),
@@ -199,6 +215,7 @@ pub struct Rewrite {
 impl Rewrite {
     /// Checks if a URL should be excluded from rewriting based on domain matching
     #[allow(dead_code)]
+    #[must_use]
     pub fn is_excluded(&self, url: &str) -> bool {
         // Parse URL to extract host
         let Ok(parsed) = url::Url::parse(url) else {
@@ -350,6 +367,11 @@ impl Settings {
             .find(|handler| handler.matches_path(path))
     }
 
+    /// Retrieves the integration configuration of a specific type.
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the integration configuration exists but cannot be deserialized as the requested type.
     pub fn integration_config<T>(
         &self,
         integration_id: &str,
@@ -404,7 +426,7 @@ where
             } else {
                 let parts = if txt.contains(',') {
                     txt.split(',')
-                        .map(|p| p.trim())
+                        .map(str::trim)
                         .filter(|p| !p.is_empty())
                         .collect::<Vec<_>>()
                 } else {
diff --git a/crates/common/src/settings_data.rs b/crates/common/src/settings_data.rs
index f02eaca6..6596f92a 100644
--- a/crates/common/src/settings_data.rs
+++ b/crates/common/src/settings_data.rs
@@ -10,15 +10,13 @@ pub use crate::auction_config_types::AuctionConfig;
 const SETTINGS_DATA: &[u8] = include_bytes!("../../../target/trusted-server-out.toml");
 
 /// Creates a new [`Settings`] instance from the embedded configuration file.
-// /
-// / Loads the configuration from the embedded `trusted-server.toml` file
-// / and applies any environment variable overrides.
-// /
-// / # Errors
-// /
-// / - [`TrustedServerError::InvalidUtf8`] if the embedded TOML file contains invalid UTF-8
-// / - [`TrustedServerError::Configuration`] if the configuration is invalid or missing required fields
-// / - [`TrustedServerError::InsecureSecretKey`] if the secret key is set to the default value
+/// Loads the configuration from the embedded `trusted-server.toml` file
+/// and applies any environment variable overrides.
+///
+/// # Errors
+///
+/// - [`TrustedServerError::InvalidUtf8`] if the embedded TOML file contains invalid UTF-8
+/// - [`TrustedServerError::Configuration`] if the configuration is invalid or missing required fields
 pub fn get_settings() -> Result<Settings, Report<TrustedServerError>> {
     let toml_bytes = SETTINGS_DATA;
     let toml_str = str::from_utf8(toml_bytes).change_context(TrustedServerError::InvalidUtf8 {
diff --git a/crates/common/src/streaming_processor.rs b/crates/common/src/streaming_processor.rs
index 6ca668af..4a31b70f 100644
--- a/crates/common/src/streaming_processor.rs
+++ b/crates/common/src/streaming_processor.rs
@@ -21,6 +21,10 @@ pub trait StreamProcessor {
     ///
     /// # Returns
     /// Processed data or error
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if processing fails (e.g., I/O errors, encoding issues).
     fn process_chunk(&mut self, chunk: &[u8], is_last: bool) -> Result<Vec<u8>, io::Error>;
 
     /// Reset the processor state (useful for reuse)
@@ -38,6 +42,7 @@ pub enum Compression {
 
 impl Compression {
     /// Detect compression from content-encoding header
+    #[must_use]
     pub fn from_content_encoding(encoding: &str) -> Self {
         match encoding.to_lowercase().as_str() {
             "gzip" => Self::Gzip,
@@ -76,11 +81,19 @@ pub struct StreamingPipeline<P: StreamProcessor> {
 
 impl<P: StreamProcessor> StreamingPipeline<P> {
     /// Create a new streaming pipeline
+    ///
+    /// # Errors
+    ///
+    /// No errors are returned by this constructor.
     pub fn new(config: PipelineConfig, processor: P) -> Self {
         Self { config, processor }
     }
 
     /// Process a stream from input to output
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the compression transformation is unsupported or if reading/writing fails.
     pub fn process<R: Read, W: Write>(
         &mut self,
         input: R,
@@ -433,10 +446,10 @@ impl<P: StreamProcessor> StreamingPipeline<P> {
     }
 }
 
-/// Adapter to use lol_html HtmlRewriter as a StreamProcessor
-/// Important: Due to lol_html's ownership model, we must accumulate input
+/// Adapter to use `lol_html` `HtmlRewriter` as a `StreamProcessor`
+/// Important: Due to `lol_html`'s ownership model, we must accumulate input
 /// and process it all at once when the stream ends. This is a limitation
-/// of the lol_html library's API design.
+/// of the `lol_html` library's API design.
 pub struct HtmlRewriterAdapter {
     settings: lol_html::Settings<'static, 'static>,
     accumulated_input: Vec<u8>,
@@ -444,6 +457,7 @@ pub struct HtmlRewriterAdapter {
 
 impl HtmlRewriterAdapter {
     /// Create a new HTML rewriter adapter
+    #[must_use]
     pub fn new(settings: lol_html::Settings<'static, 'static>) -> Self {
         Self {
             settings,
@@ -510,7 +524,7 @@ impl StreamProcessor for HtmlRewriterAdapter {
     }
 }
 
-/// Adapter to use our existing StreamingReplacer as a StreamProcessor
+/// Adapter to use our existing `StreamingReplacer` as a `StreamProcessor`
 use crate::streaming_replacer::StreamingReplacer;
 
 impl StreamProcessor for StreamingReplacer {
diff --git a/crates/common/src/streaming_replacer.rs b/crates/common/src/streaming_replacer.rs
index 9b975c51..1bfa370e 100644
--- a/crates/common/src/streaming_replacer.rs
+++ b/crates/common/src/streaming_replacer.rs
@@ -31,6 +31,7 @@ impl StreamingReplacer {
     /// # Arguments
     ///
     /// * `replacements` - List of string replacements to perform
+    #[must_use]
     pub fn new(replacements: Vec<Replacement>) -> Self {
         // Calculate the maximum pattern length we need to buffer
         let max_pattern_length = replacements.iter().map(|r| r.find.len()).max().unwrap_or(0);
@@ -48,6 +49,7 @@ impl StreamingReplacer {
     ///
     /// * `find` - The string to find
     /// * `replace_with` - The string to replace it with
+    #[must_use]
     pub fn new_single(find: &str, replace_with: &str) -> Self {
         Self::new(vec![Replacement {
             find: find.to_string(),
@@ -146,10 +148,11 @@ impl StreamingReplacer {
 }
 
 // Note: The stream_process function has been removed in favor of using
-// StreamingPipeline from the streaming_processor module, which provides
+// `StreamingPipeline` from the `streaming_processor` module, which provides
 // a more comprehensive solution with compression support.
 
-/// Helper function to create a StreamingReplacer for URL replacements
+/// Helper function to create a `StreamingReplacer` for URL replacements
+#[must_use]
 pub fn create_url_replacer(
     origin_host: &str,
     origin_url: &str,
diff --git a/crates/common/src/synthetic.rs b/crates/common/src/synthetic.rs
index d84a95ef..5ae78aa2 100644
--- a/crates/common/src/synthetic.rs
+++ b/crates/common/src/synthetic.rs
@@ -118,6 +118,17 @@ pub fn get_synthetic_id(req: &Request) -> Result<Option<String>, Report<TrustedS
     Ok(None)
 }
 
+/// Gets or creates a synthetic ID from the request.
+///
+/// Attempts to retrieve an existing synthetic ID from:
+/// 1. The `x-psid-ts` header
+/// 2. The `synthetic_id` cookie
+///
+/// If neither exists, generates a new synthetic ID.
+///
+/// # Errors
+///
+/// Returns an error if template rendering fails during generation or if ID generation fails.
 pub fn get_or_generate_synthetic_id(
     settings: &Settings,
     req: &Request,
diff --git a/crates/common/src/test_support.rs b/crates/common/src/test_support.rs
index 3b2f85c7..5e0d8f97 100644
--- a/crates/common/src/test_support.rs
+++ b/crates/common/src/test_support.rs
@@ -2,6 +2,7 @@
 pub mod tests {
     use crate::settings::Settings;
 
+    #[must_use]
     pub fn crate_test_settings_str() -> String {
         r#"
             [[handlers]]
@@ -35,6 +36,12 @@ pub mod tests {
             "#.to_string()
     }
 
+    #[must_use]
+    /// Creates test settings from embedded TOML configuration.
+    ///
+    /// # Panics
+    ///
+    /// Panics if the embedded TOML configuration is invalid.
     pub fn create_test_settings() -> Settings {
         let toml_str = crate_test_settings_str();
         Settings::from_toml(&toml_str).expect("Invalid config")
diff --git a/crates/common/src/tsjs.rs b/crates/common/src/tsjs.rs
index 26690da4..d15b9133 100644
--- a/crates/common/src/tsjs.rs
+++ b/crates/common/src/tsjs.rs
@@ -22,11 +22,13 @@ fn script_tag_for(bundle: TsjsBundle, attrs: &str) -> String {
 }
 
 /// `/static` URL for the unified bundle with cache-busting hash.
+#[must_use]
 pub fn unified_script_src() -> String {
     script_src_for(TsjsBundle::Unified)
 }
 
 /// `<script>` tag for injecting the unified bundle.
+#[must_use]
 pub fn unified_script_tag() -> String {
     script_tag_for(TsjsBundle::Unified, "id=\"trustedserver-js\"")
 }
diff --git a/crates/fastly/Cargo.toml b/crates/fastly/Cargo.toml
index 35824a5a..42fae0c2 100644
--- a/crates/fastly/Cargo.toml
+++ b/crates/fastly/Cargo.toml
@@ -3,6 +3,9 @@ name = "trusted-server-fastly"
 version = "0.1.0"
 edition = "2021"
 
+[lints]
+workspace = true
+
 [dependencies]
 chrono = { workspace = true }
 error-stack = { workspace = true }
diff --git a/crates/fastly/src/error.rs b/crates/fastly/src/error.rs
index b5c19c33..a055ecba 100644
--- a/crates/fastly/src/error.rs
+++ b/crates/fastly/src/error.rs
@@ -7,7 +7,7 @@ use fastly::Response;
 use trusted_server_common::error::{IntoHttpResponse, TrustedServerError};
 
 /// Converts a [`TrustedServerError`] into an HTTP error response.
-pub fn to_error_response(report: Report<TrustedServerError>) -> Response {
+pub fn to_error_response(report: &Report<TrustedServerError>) -> Response {
     // Get the root error for status code and message
     let root_error = report.current_context();
 
diff --git a/crates/fastly/src/main.rs b/crates/fastly/src/main.rs
index 431e0d93..0112bd99 100644
--- a/crates/fastly/src/main.rs
+++ b/crates/fastly/src/main.rs
@@ -31,7 +31,7 @@ fn main(req: Request) -> Result<Response, Error> {
         Ok(s) => s,
         Err(e) => {
             log::error!("Failed to load settings: {:?}", e);
-            return Ok(to_error_response(e));
+            return Ok(to_error_response(&e));
         }
     };
     log::info!("Settings {settings:?}");
@@ -39,7 +39,13 @@ fn main(req: Request) -> Result<Response, Error> {
     // Build the auction orchestrator once at startup
     let orchestrator = build_orchestrator(&settings);
 
-    let integration_registry = IntegrationRegistry::new(&settings);
+    let integration_registry = match IntegrationRegistry::new(&settings) {
+        Ok(r) => r,
+        Err(e) => {
+            log::error!("Failed to create integration registry: {:?}", e);
+            return Ok(to_error_response(&e));
+        }
+    };
 
     futures::executor::block_on(route_request(
         &settings,
@@ -71,7 +77,7 @@ async fn route_request(
     // Match known routes and handle them
     let result = match (method, path.as_str()) {
         // Serve the tsjs library
-        (Method::GET, path) if path.starts_with("/static/tsjs=") => handle_tsjs_dynamic(req),
+        (Method::GET, path) if path.starts_with("/static/tsjs=") => handle_tsjs_dynamic(&req),
 
         // Discovery endpoint for trusted-server capabilities and JWKS
         (Method::GET, "/.well-known/trusted-server.json") => {
@@ -124,7 +130,7 @@ async fn route_request(
     };
 
     // Convert any errors to HTTP error responses
-    let mut response = result.unwrap_or_else(to_error_response);
+    let mut response = result.unwrap_or_else(|e| to_error_response(&e));
 
     for (key, value) in &settings.response_headers {
         response.set_header(key, value);
diff --git a/crates/js/Cargo.toml b/crates/js/Cargo.toml
index 1ebd7550..1917e9b8 100644
--- a/crates/js/Cargo.toml
+++ b/crates/js/Cargo.toml
@@ -6,6 +6,9 @@ description = "Trusted Server tsjs — TypeScript-built JS embedded in a Rust cr
 license = "Apache-2.0"
 build = "build.rs"
 
+[lints]
+workspace = true
+
 [lib]
 name = "trusted_server_js"
 path = "src/lib.rs"
diff --git a/crates/js/build.rs b/crates/js/build.rs
index 26d12a17..15417160 100644
--- a/crates/js/build.rs
+++ b/crates/js/build.rs
@@ -1,3 +1,5 @@
+#![allow(clippy::unwrap_used, clippy::panic)]
+
 use std::env;
 use std::fs;
 use std::path::{Path, PathBuf};
@@ -43,7 +45,11 @@ fn main() {
                     .arg("install")
                     .current_dir(&ts_dir)
                     .status();
-                if !status.as_ref().map(|s| s.success()).unwrap_or(false) {
+                if !status
+                    .as_ref()
+                    .map(std::process::ExitStatus::success)
+                    .unwrap_or(false)
+                {
                     println!(
                         "cargo:warning=tsjs: npm install failed; using existing dist if available"
                     );
@@ -71,7 +77,11 @@ fn main() {
                 .args(["run", "build:custom"])
                 .current_dir(&ts_dir)
                 .status();
-            if !status.as_ref().map(|s| s.success()).unwrap_or(false) {
+            if !status
+                .as_ref()
+                .map(std::process::ExitStatus::success)
+                .unwrap_or(false)
+            {
                 panic!("tsjs: npm run build:custom failed - refusing to use stale bundle");
             }
         }
diff --git a/crates/js/src/bundle.rs b/crates/js/src/bundle.rs
index ef29249c..3ad93d9a 100644
--- a/crates/js/src/bundle.rs
+++ b/crates/js/src/bundle.rs
@@ -31,10 +31,12 @@ const ALL_BUNDLES: [TsjsBundle; TSJS_BUNDLE_COUNT] = [TsjsBundle::Unified];
 impl TsjsBundle {
     pub const COUNT: usize = TSJS_BUNDLE_COUNT;
 
+    #[must_use]
     pub const fn filename(self) -> &'static str {
         METAS[self as usize].filename
     }
 
+    #[must_use]
     pub fn minified_filename(self) -> String {
         let base = self.filename();
         match base.strip_suffix(".js") {
@@ -60,19 +62,23 @@ impl TsjsBundle {
         })
     }
 
+    #[must_use]
     pub fn from_filename(name: &str) -> Option<Self> {
         Self::filename_map().get(name).copied()
     }
 }
 
+#[must_use]
 pub fn bundle_hash(bundle: TsjsBundle) -> String {
     hash_bundle(bundle.bundle())
 }
 
+#[must_use]
 pub fn bundle_for_filename(name: &str) -> Option<&'static str> {
-    TsjsBundle::from_filename(name).map(|bundle| bundle.bundle())
+    TsjsBundle::from_filename(name).map(TsjsBundle::bundle)
 }
 
+#[must_use]
 pub fn bundle_hash_for_filename(name: &str) -> Option<String> {
     TsjsBundle::from_filename(name).map(|bundle| hash_bundle(bundle.bundle()))
 }