fix(audit): Batch 2 生产代码 unwrap 替换 (20 处)

P0 修复:
- viking_commands.rs: URI 路径构建 unwrap → ok_or_else 错误传播
- clip.rs: 临时文件路径 unwrap → ok_or_else (防 Windows 中文路径 panic)

P1 修复:
- personality_detector.rs: Mutex lock unwrap → unwrap_or_else 防中毒传播
- pptx.rs: HashMap.get unwrap → expect (来自 keys() 迭代)

P2 修复:
- 4 处 SystemTime.unwrap → expect("system clock is valid")
- 4 处 dev_server URL.parse.unwrap → expect("hardcoded URL is valid")
- 9 处 nl_schedule Regex.unwrap → expect("static regex is valid")
- 5 处 data_masking Regex.unwrap → expect("static regex is valid")
- 2 处 pipeline/state Regex.unwrap → expect("static regex is valid")

全量测试通过: 719 passed, 0 failed

crates/zclaw-hands/src/hands/clip.rs

@@ -459,7 +459,7 @@ impl ClipHand {
         let args = vec![
             "-f", "concat",
             "-safe", "0",
-            "-i", temp_file.to_str().unwrap(),
+            "-i", temp_file.to_str().ok_or_else(|| zclaw_types::ZclawError::HandError("Temp file path is not valid UTF-8".to_string()))?,
             "-c", "copy",
             &config.output_path,
         ];

crates/zclaw-kernel/src/director.rs

@@ -360,7 +360,7 @@ impl Director {
                 use std::time::{SystemTime, UNIX_EPOCH};
                 let now = SystemTime::now()
                     .duration_since(UNIX_EPOCH)
-                    .unwrap()
+                    .expect("system clock is valid")
                     .as_nanos();
                 let idx = (now as usize) % agents.len();
                 Some(agents[idx].clone())

crates/zclaw-kernel/src/export/pptx.rs

@@ -490,7 +490,7 @@ impl PptxExporter {
             paths.sort();
 
             for path in paths {
-                let content = files.get(path).unwrap();
+                let content = files.get(path).expect("path comes from files.keys(), must exist");
                 let options = SimpleFileOptions::default()
                     .compression_method(zip::CompressionMethod::Deflated);
 

crates/zclaw-kernel/src/generation/chat.rs

@@ -243,7 +243,7 @@ fn clean_fallback_response(text: &str) -> String {
 fn current_timestamp_millis() -> i64 {
     std::time::SystemTime::now()
         .duration_since(std::time::UNIX_EPOCH)
-        .unwrap()
+        .expect("system clock is valid")
         .as_millis() as i64
 }
 

crates/zclaw-kernel/src/generation/mod.rs

@@ -882,7 +882,7 @@ fn current_timestamp() -> i64 {
     use std::time::{SystemTime, UNIX_EPOCH};
     SystemTime::now()
         .duration_since(UNIX_EPOCH)
-        .unwrap()
+        .expect("system clock is valid")
         .as_millis() as i64
 }
 

crates/zclaw-pipeline/src/state.rs

@@ -48,7 +48,7 @@ impl ExecutionContext {
             steps_output: HashMap::new(),
             variables: HashMap::new(),
             loop_context: None,
-            expr_regex: Regex::new(r"\$\{([^}]+)\}").unwrap(),
+            expr_regex: Regex::new(r"\$\{([^}]+)\}").expect("static regex is valid"),
         }
     }
 
@@ -73,7 +73,7 @@ impl ExecutionContext {
             steps_output,
             variables,
             loop_context: None,
-            expr_regex: Regex::new(r"\$\{([^}]+)\}").unwrap(),
+            expr_regex: Regex::new(r"\$\{([^}]+)\}").expect("static regex is valid"),
         }
     }
 

crates/zclaw-runtime/src/middleware/data_masking.rs

@@ -20,19 +20,19 @@ use super::{AgentMiddleware, MiddlewareContext, MiddlewareDecision};
 // ---------------------------------------------------------------------------
 
 static RE_COMPANY: LazyLock<Regex> = LazyLock::new(|| {
-    Regex::new(r"[^\s]{1,20}(?:公司|厂|集团|工作室|商行|有限|股份)").unwrap()
+    Regex::new(r"[^\s]{1,20}(?:公司|厂|集团|工作室|商行|有限|股份)").expect("static regex is valid")
 });
 static RE_MONEY: LazyLock<Regex> = LazyLock::new(|| {
-    Regex::new(r"[¥￥$]\s*[\d,.]+[万亿]?元?|[\d,.]+[万亿]元").unwrap()
+    Regex::new(r"[¥￥$]\s*[\d,.]+[万亿]?元?|[\d,.]+[万亿]元").expect("static regex is valid")
 });
 static RE_PHONE: LazyLock<Regex> = LazyLock::new(|| {
-    Regex::new(r"1[3-9]\d-?\d{4}-?\d{4}").unwrap()
+    Regex::new(r"1[3-9]\d-?\d{4}-?\d{4}").expect("static regex is valid")
 });
 static RE_EMAIL: LazyLock<Regex> = LazyLock::new(|| {
-    Regex::new(r"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}").unwrap()
+    Regex::new(r"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}").expect("static regex is valid")
 });
 static RE_ID_CARD: LazyLock<Regex> = LazyLock::new(|| {
-    Regex::new(r"\b\d{17}[\dXx]\b").unwrap()
+    Regex::new(r"\b\d{17}[\dXx]\b").expect("static regex is valid")
 });
 
 // ---------------------------------------------------------------------------

crates/zclaw-runtime/src/nl_schedule.rs

@@ -69,7 +69,7 @@ const PERIOD: &str = "(凌晨|早上|早晨|上午|中午|下午|午后|傍晚|
 static RE_TIME_STRIP: LazyLock<Regex> = LazyLock::new(|| {
     Regex::new(
         r"^(?:凌晨|早上|早晨|上午|中午|下午|午后|傍晚|黄昏|晚上|晚间|夜里|夜晚|半夜|午夜)?\d{1,2}[点时:：]\d{0,2}分?"
-    ).unwrap()
+    ).expect("static regex pattern is valid")
 });
 
 // try_every_day
@@ -77,13 +77,13 @@ static RE_EVERY_DAY_EXACT: LazyLock<Regex> = LazyLock::new(|| {
     Regex::new(&format!(
         r"(?:每天|每日)(?:的)?{}(\d{{1,2}})[点时:：](\d{{1,2}})?",
         PERIOD
-    )).unwrap()
+    )).expect("static regex pattern is valid")
 });
 
 static RE_EVERY_DAY_PERIOD: LazyLock<Regex> = LazyLock::new(|| {
     Regex::new(
         r"(?:每天|每日)(?:的)?(凌晨|早上|早晨|上午|中午|下午|午后|傍晚|黄昏|晚上|晚间|夜里|夜晚|半夜|午夜)"
-    ).unwrap()
+    ).expect("static regex pattern is valid")
 });
 
 // try_every_week
@@ -91,7 +91,7 @@ static RE_EVERY_WEEK: LazyLock<Regex> = LazyLock::new(|| {
     Regex::new(&format!(
         r"(?:每周|每个?星期|每个?礼拜)(一|二|三|四|五|六|日|天|周一|周二|周三|周四|周五|周六|周日|周天|星期一|星期二|星期三|星期四|星期五|星期六|星期日|星期天|礼拜一|礼拜二|礼拜三|礼拜四|礼拜五|礼拜六|礼拜日|礼拜天)(?:的)?{}(\d{{1,2}})[点时:：](\d{{1,2}})?",
         PERIOD
-    )).unwrap()
+    )).expect("static regex pattern is valid")
 });
 
 // try_workday
@@ -99,18 +99,18 @@ static RE_WORKDAY_EXACT: LazyLock<Regex> = LazyLock::new(|| {
     Regex::new(&format!(
         r"(?:工作日|每个?工作日|工作日(?:的)?){}(\d{{1,2}})[点时:：](\d{{1,2}})?",
         PERIOD
-    )).unwrap()
+    )).expect("static regex pattern is valid")
 });
 
 static RE_WORKDAY_PERIOD: LazyLock<Regex> = LazyLock::new(|| {
     Regex::new(
         r"(?:工作日|每个?工作日)(?:的)?(凌晨|早上|早晨|上午|中午|下午|午后|傍晚|黄昏|晚上|晚间|夜里|夜晚|半夜|午夜)"
-    ).unwrap()
+    ).expect("static regex pattern is valid")
 });
 
 // try_interval
 static RE_INTERVAL: LazyLock<Regex> = LazyLock::new(|| {
-    Regex::new(r"每(\d{1,2})(小时|分钟|分|钟|个小时)").unwrap()
+    Regex::new(r"每(\d{1,2})(小时|分钟|分|钟|个小时)").expect("static regex pattern is valid")
 });
 
 // try_monthly
@@ -118,7 +118,7 @@ static RE_MONTHLY: LazyLock<Regex> = LazyLock::new(|| {
     Regex::new(&format!(
         r"(?:每月|每个月)(?:的)?(\d{{1,2}})[号日](?:的)?{}(\d{{1,2}})?[点时:：]?(\d{{1,2}})?",
         PERIOD
-    )).unwrap()
+    )).expect("static regex pattern is valid")
 });
 
 // try_one_shot
@@ -126,7 +126,7 @@ static RE_ONE_SHOT: LazyLock<Regex> = LazyLock::new(|| {
     Regex::new(&format!(
         r"(明天|后天|大后天)(?:的)?{}(\d{{1,2}})[点时:：](\d{{1,2}})?",
         PERIOD
-    )).unwrap()
+    )).expect("static regex pattern is valid")
 });
 
 // ---------------------------------------------------------------------------

desktop/src-tauri/src/classroom_commands/generate.rs

@@ -207,7 +207,7 @@ pub async fn classroom_generate(
         metadata: zclaw_kernel::generation::ClassroomMetadata {
             generated_at: std::time::SystemTime::now()
                 .duration_since(std::time::UNIX_EPOCH)
-                .unwrap()
+                .expect("system clock is valid")
                 .as_millis() as i64,
             source_document: kernel_request.document.map(|_| "user_document".to_string()),
             model: None,

desktop/src-tauri/src/dev_server.rs

@@ -48,10 +48,10 @@ async fn run_server(state: DevServerState) {
         .layer(
             CorsLayer::new()
                 .allow_origin([
-                    "http://localhost:1420".parse().unwrap(),
+                    "http://localhost:1420".parse().expect("hardcoded localhost URL is valid"),
-                    "http://127.0.0.1:1420".parse().unwrap(),
+                    "http://127.0.0.1:1420".parse().expect("hardcoded localhost URL is valid"),
-                    "http://localhost:5173".parse().unwrap(),
+                    "http://localhost:5173".parse().expect("hardcoded localhost URL is valid"),
-                    "http://127.0.0.1:5173".parse().unwrap(),
+                    "http://127.0.0.1:5173".parse().expect("hardcoded localhost URL is valid"),
                 ])
                 .allow_methods([Method::GET, Method::POST, Method::OPTIONS])
                 .allow_headers([header::CONTENT_TYPE, header::AUTHORIZATION]),

desktop/src-tauri/src/intelligence/personality_detector.rs

@@ -339,12 +339,12 @@ fn personality_store() -> &'static Mutex<std::collections::HashMap<String, Perso
 /// Load personality config for a given agent.
 /// Returns default config if none is stored.
 pub fn load_personality_config(agent_id: &str) -> PersonalityConfig {
-    let store = personality_store().lock().unwrap();
+    let store = personality_store().lock().unwrap_or_else(|e| e.into_inner());
     store.get(agent_id).cloned().unwrap_or_default()
 }
 
 /// Save personality config for a given agent.
 pub fn save_personality_config(agent_id: &str, config: &PersonalityConfig) {
-    let mut store = personality_store().lock().unwrap();
+    let mut store = personality_store().lock().unwrap_or_else(|e| e.into_inner());
     store.insert(agent_id.to_string(), config.clone());
 }

desktop/src-tauri/src/viking_commands.rs

@@ -489,7 +489,7 @@ pub async fn viking_tree(path: String, depth: Option<usize>) -> Result<serde_jso
             current = current
                 .get_mut(*part)
                 .and_then(|v| v.as_object_mut())
-                .unwrap();
+                .ok_or_else(|| format!("Invalid URI tree structure at segment: {}", part))?;
         }
 
         if let Some(last) = parts.last() {