diff --git a/server/crates/arbiter-server/src/actors/keyholder/encryption/v1.rs b/server/crates/arbiter-server/src/actors/keyholder/encryption/v1.rs
index 99348f4..8befeb1 100644
--- a/server/crates/arbiter-server/src/actors/keyholder/encryption/v1.rs
+++ b/server/crates/arbiter-server/src/actors/keyholder/encryption/v1.rs
@@ -72,6 +72,10 @@ impl TryFrom>> for KeyCell {
 impl KeyCell {
 pub fn new_secure_random() -> Self {
 let key = SafeCell::new_inline(|key_buffer: &mut Key| {
+ #[allow(
+ clippy::unwrap_used,
+ reason = "Rng failure is unrecoverable and should panic"
+ )]
 let mut rng = StdRng::try_from_rng(&mut SysRng).unwrap();
 rng.fill_bytes(key_buffer);
 });
@@ -133,6 +137,10 @@ pub type Salt = [u8; ArgonSalt::RECOMMENDED_LENGTH];
 pub fn generate_salt() -> Salt {
 let mut salt = Salt::default();
+ #[allow(
+ clippy::unwrap_used,
+ reason = "Rng failure is unrecoverable and should panic"
+ )]
 let mut rng = StdRng::try_from_rng(&mut SysRng).unwrap();
 rng.fill_bytes(&mut salt);
 salt
@@ -141,6 +149,7 @@ pub fn generate_salt() -> Salt {
 /// User password might be of different length, have not enough entropy, etc...
 /// Derive a fixed-length key from the password using Argon2id, which is designed for password hashing and key derivation.
 pub fn derive_seal_key(mut password: SafeCell>, salt: &Salt) -> KeyCell {
+ #[allow(clippy::unwrap_used)]
 let params = argon2::Params::new(262_144, 3, 4, None).unwrap();
 let hasher = Argon2::new(Algorithm::Argon2id, argon2::Version::V0x13, params);
 let mut key = SafeCell::new(Key::default());
@@ -148,6 +157,10 @@ pub fn derive_seal_key(mut password: SafeCell>, salt: &Salt) -> KeyCell
 let mut key_buffer = key.write();
 let key_buffer: &mut [u8] = key_buffer.as_mut();
+ #[allow(
+ clippy::unwrap_used,
+ reason = "Better fail completely than return a weak key"
+ )]
 hasher
 .hash_password_into(password_source.deref(), salt, key_buffer)
 .unwrap();
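Review bot: In `KeyCell::new_secure_random` the key bytes are drawn from a `StdRng` seeded once from `SysRng`, so generator state that determines the key sits in a stack local outside the `SafeCell`, and as far as I know `rand` does not wipe that state on drop. Filling the buffer directly from the OS source keeps the secret in the protected buffer only, for example `SysRng.try_fill_bytes(key_buffer).unwrap();` under the same `#[allow]` (method and trait name to be confirmed against the `rand` version in use). `generate_salt` in the next hunk uses the same pattern; the salt is not secret, so there it is only a matter of consistency. `new_secure_random` continues past the end of the hunk.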
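Review bot: The `#[allow(clippy::unwrap_used)]` added above `argon2::Params::new(262_144, 3, 4, None).unwrap()` in `derive_seal_key` has no `reason`, unlike the other allows in this file; the same gap is in the `AuthPublicKey` hunk (user_agent/mod.rs), `create_pool` and `create_test_pool` (db/mod.rs) and both safe_signer.rs hunks. I would write `#[allow(clippy::unwrap_used, reason = "Argon2 parameters are constants; rejection is a programming error")]` here and give the others a one-line justification as well. Naming the three cost values as constants, with a comment that the first is the memory cost in KiB (256 MiB per derivation), would also let a reader judge how many concurrent derivations the server can afford. `derive_seal_key` continues past this hunk.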
diff --git a/server/crates/arbiter-server/src/actors/router/mod.rs b/server/crates/arbiter-server/src/actors/router/mod.rs
index a0a75b8..f1654b2 100644
--- a/server/crates/arbiter-server/src/actors/router/mod.rs
+++ b/server/crates/arbiter-server/src/actors/router/mod.rs
@@ -154,7 +154,7 @@ impl MessageRouter {
 ctx: &mut Context>>,
 ) -> DelegatedReply> {
 let (reply, Some(reply_sender)) = ctx.reply_sender() else {
- panic!("Exptected `request_client_approval` to have callback channel");
+ unreachable!("Expected `request_client_approval` to have callback channel");
 };
 let weak_refs = self
diff --git a/server/crates/arbiter-server/src/actors/user_agent/mod.rs b/server/crates/arbiter-server/src/actors/user_agent/mod.rs
index b4e048b..6b4a7d6 100644
--- a/server/crates/arbiter-server/src/actors/user_agent/mod.rs
+++ b/server/crates/arbiter-server/src/actors/user_agent/mod.rs
@@ -1,12 +1,13 @@
 use alloy::primitives::Address;
-use arbiter_proto::{transport::Bi};
+use arbiter_proto::transport::Bi;
 use kameo::actor::Spawn as _;
 use tracing::{error, info};
 use crate::{
 actors::{GlobalActors, evm, user_agent::session::UserAgentSession},
- db::{self, models::KeyType}, evm::policies::{Grant, SpecificGrant},
+ db::{self, models::KeyType},
 evm::policies::SharedGrantSettings,
+ evm::policies::{Grant, SpecificGrant},
 };
 #[derive(Debug, thiserror::Error, PartialEq)]
@@ -47,6 +48,7 @@ impl AuthPublicKey {
 AuthPublicKey::EcdsaSecp256k1(k) => k.to_encoded_point(true).as_bytes().to_vec(),
 AuthPublicKey::Rsa(k) => {
 use rsa::pkcs8::EncodePublicKey as _;
+ #[allow(clippy::expect_used)]
 k.to_public_key_der()
 .expect("rsa SPKI encoding is infallible")
 .to_vec()
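Review bot: `unreachable!` in the `else` branch of the router hunk still panics at runtime, and the branch is taken whenever this message arrives without a reply channel, so the macro name promises more than the code enforces. Since `ctx.reply_sender()` returns the delegated reply in both cases, binding it first lets the handler reject the call without a panic: `let (reply, sender) = ctx.reply_sender();` followed by `let Some(reply_sender) = sender else { return reply; };` with an error log in the `else`. Whether a panic here stops the whole router or only this message depends on supervision that is not visible in the hunk. The handler starts and ends outside the hunk.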
@@ -124,13 +126,19 @@ pub enum Request {
 #[derive(Debug)]
 pub enum Response {
- AuthChallenge { nonce: i32 },
+ AuthChallenge {
+ nonce: i32,
+ },
 AuthOk,
- UnsealStartResponse { server_pubkey: x25519_dalek::PublicKey },
+ UnsealStartResponse {
+ server_pubkey: x25519_dalek::PublicKey,
+ },
 UnsealResult(Result<(), UnsealError>),
 BootstrapResult(Result<(), BootstrapError>),
 VaultState(VaultState),
- ClientConnectionRequest { pubkey: ed25519_dalek::VerifyingKey },
+ ClientConnectionRequest {
+ pubkey: ed25519_dalek::VerifyingKey,
+ },
 ClientConnectionCancel,
 EvmWalletCreate(Result<(), evm::Error>),
 EvmWalletList(Vec
),
diff --git a/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs b/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs
index 627e5f1..f7cf2be 100644
--- a/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs
+++ b/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs
@@ -1,4 +1,4 @@
-use std::{ops::DerefMut, sync::Mutex};
+use std::sync::Mutex;
 use chacha20poly1305::{AeadInPlace, XChaCha20Poly1305, XNonce, aead::KeyInit};
 use kameo::error::SendError;
@@ -76,6 +76,10 @@ impl UserAgentSession {
 };
 let ephemeral_secret = {
+ #[allow(
+ clippy::unwrap_used,
+ reason = "Mutex poison is unrecoverable and should panic"
+ )]
 let mut secret_lock = unseal_context.secret.lock().unwrap();
 let secret = secret_lock.take();
 match secret {
diff --git a/server/crates/arbiter-server/src/context/tls.rs b/server/crates/arbiter-server/src/context/tls.rs
index 85196ec..0798dc8 100644
--- a/server/crates/arbiter-server/src/context/tls.rs
+++ b/server/crates/arbiter-server/src/context/tls.rs
@@ -91,6 +91,10 @@ impl TlsCa {
 let cert_key_pem = certified_issuer.key().serialize_pem();
+ #[allow(
+ clippy::unwrap_used,
+ reason = "Broken cert couldn't bootstrap server anyway"
+ )]
 let issuer = Issuer::from_ca_cert_pem(
 &certified_issuer.pem(),
 KeyPair::from_pem(cert_key_pem.as_ref()).unwrap(),
diff --git a/server/crates/arbiter-server/src/db/mod.rs b/server/crates/arbiter-server/src/db/mod.rs
index d8771dc..616bd92 100644
--- a/server/crates/arbiter-server/src/db/mod.rs
+++ b/server/crates/arbiter-server/src/db/mod.rs
@@ -92,6 +92,7 @@ fn initialize_database(url: &str) -> Result<(), DatabaseSetupError> {
 #[tracing::instrument(level = "info")]
 pub async fn create_pool(url: Option<&str>) -> Result {
 let database_url = url.map(String::from).unwrap_or(
+ #[allow(clippy::expect_used)]
 database_path()?
 .to_str()
 .expect("database path is not valid UTF-8")
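Review bot: The `#[allow(clippy::unwrap_used)]` in tls.rs is attached to the whole `let issuer = Issuer::from_ca_cert_pem(...)` statement, whose end is outside the hunk, so it silences every `unwrap` in that expression rather than only `KeyPair::from_pem(cert_key_pem.as_ref()).unwrap()`. If the enclosing `TlsCa` function returns a `Result` (not visible here), propagating with `?` would remove the need for the allow and let the caller report a failed CA bootstrap instead of panicking. It would also help to add a comment next to `cert_key_pem` saying how long that serialized CA private key is expected to live, since it appears to be an ordinary string.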
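Review bot: `unwrap_or(...)` in `create_pool` evaluates its argument eagerly, so `database_path()?` and the `to_str().expect(...)` under the new allow run even when the caller passed `Some(url)`; an error or panic there would break callers that never use the default path, `create_test_pool` included. Resolving the default only in the `None` arm avoids that: `let database_url = match url { Some(u) => u.to_owned(), None => /* default path, as now */ };`. Because the function already returns `Result`, the non-UTF-8 case could be returned as an error rather than a panic, given a suitable error variant, which is not visible here. The statement continues past the end of the hunk.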
@@ -135,11 +136,13 @@ pub async fn create_test_pool() -> DatabasePool {
 let tempfile_name = Alphanumeric.sample_string(&mut rand::rng(), 16);
 let file = std::env::temp_dir().join(tempfile_name);
+ #[allow(clippy::expect_used)]
 let url = file
 .to_str()
 .expect("temp file path is not valid UTF-8")
 .to_string();
+ #[allow(clippy::expect_used)]
 create_pool(Some(&url))
 .await
 .expect("Failed to create test database pool")
diff --git a/server/crates/arbiter-server/src/evm/safe_signer.rs b/server/crates/arbiter-server/src/evm/safe_signer.rs
index f1f5bcd..3d15a05 100644
--- a/server/crates/arbiter-server/src/evm/safe_signer.rs
+++ b/server/crates/arbiter-server/src/evm/safe_signer.rs
@@ -83,6 +83,7 @@ impl SafeSigner {
 }
 fn sign_hash_inner(&self, hash: &B256) -> Result {
+ #[allow(clippy::expect_used)]
 let mut cell = self.key.lock().expect("SafeSigner mutex poisoned");
 let reader = cell.read();
 let sig: (ecdsa::Signature, RecoveryId) = reader.sign_prehash(hash.as_ref())?;
@@ -95,7 +96,8 @@ impl SafeSigner {
 {
 return Err(Error::TransactionChainIdMismatch {
 signer: chain_id,
- tx: tx.chain_id().unwrap(),
+ #[allow(clippy::expect_used)]
+ tx: tx.chain_id().expect("Chain ID is guaranteed to be set"),
 });
 }
 self.sign_hash_inner(&tx.signature_hash())
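Review bot: The `expect("Chain ID is guaranteed to be set")` added in the `TransactionChainIdMismatch` arm of safe_signer.rs relies on the guard above it, which is outside the hunk; if that guard can hold for a transaction that carries no chain id, a request that should be rejected with an error would panic the signer instead. Binding the id once where the guard reads it and using that binding for the `tx:` field removes the second `chain_id()` call and the allow. If the call has to stay, the allow should carry a `reason` naming the condition that provides the guarantee, e.g. `#[allow(clippy::expect_used, reason = "guard above matched Some(chain id)")]`, adjusted to what the guard really checks. The enclosing method starts and ends outside the hunk.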