From 03d9f8cce56a8cdfe59d0cc65622d07e559cb439 Mon Sep 17 00:00:00 2001
From: Taylor Eernisse
Date: Fri, 6 Feb 2026 08:38:41 -0500
Subject: [PATCH] docs(db): document safety invariants for sqlite-vec transmute

Adds a SAFETY comment explaining why the transmute of sqlite3_vec_init to the sqlite3_auto_extension callback type is sound. The three invariants (stable C-ABI signature, single-call-per-connection contract, idempotency) were previously undocumented, which left the lone unsafe block without justification for future readers.

Co-Authored-By: Claude Opus 4.6
---
 src/core/db.rs | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/core/db.rs b/src/core/db.rs
index d915c8c..6f6344d 100644
--- a/src/core/db.rs
+++ b/src/core/db.rs
@@ -55,6 +55,13 @@ const MIGRATIONS: &[(&str, &str)] = &[
 ];
 
 pub fn create_connection(db_path: &Path) -> Result {
+ // SAFETY: `sqlite3_vec_init` is an extern "C" function provided by the sqlite-vec
+ // crate with the exact signature expected by `sqlite3_auto_extension`. The transmute
+ // converts the concrete function pointer to the `Option` type
+ // that the FFI expects. This is safe because:
+ // 1. The function is a C-ABI init callback with a stable signature.
+ // 2. SQLite calls it once per new connection, matching sqlite-vec's contract.
+ // 3. `sqlite3_auto_extension` is idempotent for the same function pointer.
 #[allow(clippy::missing_transmute_annotations)]
 unsafe {
 rusqlite::ffi::sqlite3_auto_extension(Some(std::mem::transmute(
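Review bot: The new SAFETY comment says `sqlite3_vec_init` has "the exact signature expected by `sqlite3_auto_extension`", but the `#[allow(clippy::missing_transmute_annotations)]` directly below it leaves both transmute types inferred, so nothing in the code checks that claim. If the sqlite-vec declaration or the rusqlite FFI callback type changes in an upgrade, the transmute will still compile and the mismatch becomes undefined behaviour when SQLite invokes the callback. Consider spelling the types out as `std::mem::transmute::<SRC_TYPE, DST_TYPE>(...)`, with the two concrete types in place of the placeholders, and dropping the `allow`. Invariant 2 would also be more accurate as `// 2. Registration is process-global: SQLite runs the callback for every connection opened afterwards, not only this one.` The transmute argument and the rest of `create_connection` lie outside the hunk, so the actual source type could not be checked here.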