chore: add pedantic workspace lints (#90)

Add [workspace.lints.rust] and wire each member crate up with
[lints] workspace = true:

  unsafe_code = "deny"        (forbid would break the Android JNI build)
  single_use_lifetimes = "warn"
  trivial_casts = "warn"
  unused_lifetimes = "warn"
  unused_qualifications = "warn"
  variant_size_differences = "warn"
  unexpected_cfgs = "warn"

unsafe_code is "deny" rather than the issue's "forbid" so the three
Android JNI FFI modules (android_keystore, android_clipboard, safe_area)
can opt back in with a scoped #![allow(unsafe_code)] — forbid cannot be
locally overridden. Pure crates carry no unsafe and stay clean.

Clean up the warnings the new lints surface:
- 150ish unused_qualifications removed via `cargo fix` (purely syntactic
  redundant-path-prefix removals).
- table_plugin: the TABLE_COLOUR import was #[cfg(test)]-gated while the
  camera clear-colour used the fully-qualified path; unqualifying it left
  a non-test build with no import. Made the import unconditional instead.
- assets/sources: the `as &[u8]` casts in embed_*_svg! coerce each
  fixed-size &[u8; N] to a uniform slice so the tuples fit the
  &[(&str, &[u8])] arrays — load-bearing, so scoped #[allow(trivial_casts)].

Workspace clippy -D warnings and the full test suite pass. Android build
not compiled here (needs the NDK; built separately per CLAUDE.md §15) —
the deny + scoped-allow keeps the JNI unsafe blocks legal.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

solitaire_server/Cargo.toml

@@ -32,3 +32,6 @@ dotenvy            = { workspace = true }
 
 [dev-dependencies]
 tower = { version = "0.5", features = ["util"] }
+
+[lints]
+workspace = true

solitaire_server/src/lib.rs

@@ -54,7 +54,7 @@ struct UserIdKeyExtractor {
 impl KeyExtractor for UserIdKeyExtractor {
     type Key = String;
 
-    fn extract<T>(&self, req: &axum::http::Request<T>) -> Result<Self::Key, GovernorError> {
+    fn extract<T>(&self, req: &Request<T>) -> Result<Self::Key, GovernorError> {
         if let Some(user_id) = self.try_extract_user_id(req.headers()) {
             return Ok(user_id);
         }

solitaire_server/tests/server_tests.rs

@@ -565,7 +565,7 @@ async fn register_login_push_pull_full_roundtrip() {
         },
         achievements: vec![],
         progress: PlayerProgress::default(),
-        last_modified: chrono::Utc::now(),
+        last_modified: Utc::now(),
     };
 
     let push_resp = post_authed(
@@ -1299,7 +1299,7 @@ async fn expired_access_token_returns_401() {
         exp: usize,
         kind: String,
     }
-    let exp = (chrono::Utc::now() - chrono::Duration::hours(2)).timestamp() as usize;
+    let exp = (Utc::now() - chrono::Duration::hours(2)).timestamp() as usize;
     let expired_token = encode(
         &Header::default(),
         &ExpiredClaims {
@@ -1375,7 +1375,7 @@ async fn refresh_with_expired_refresh_token_returns_401() {
         exp: usize,
         kind: String,
     }
-    let exp = (chrono::Utc::now() - chrono::Duration::hours(2)).timestamp() as usize;
+    let exp = (Utc::now() - chrono::Duration::hours(2)).timestamp() as usize;
     let expired_token = encode(
         &Header::default(),
         &ExpiredRefreshClaims {