fix(core): remove unwrap/expect in non-test code

- cache/lru.rs: replace lock().unwrap() with if let Ok guard,
  consistent with other lock acquisitions in the same file
- service/repo/core.rs: replace try_into().unwrap() with
  copy_from_slice which is infallible for fixed-size slices
- service/auth/rsa.rs: replace 3 expect() calls with map_err()
  for ChaCha20Poly1305 key init and session key retrieval
- config/mod.rs: replace GLOBAL_CONFIG.get().expect() with
  unwrap_or_else fallback to empty config

service/auth/rsa.rs

@@ -41,7 +41,7 @@ impl AuthService {
     fn encrypt_rsa_key(&self, plaintext: &str) -> Result<String, AppError> {
         let key = self.derive_rsa_encryption_key()?;
         let cipher = ChaCha20Poly1305::new_from_slice(&key)
-            .expect("32-byte key is valid for ChaCha20Poly1305");
+            .map_err(|_| AppError::RsaGenerationError)?;
         let nonce_bytes: [u8; 12] = rand::random();
         let nonce = Nonce::from(nonce_bytes);
         let ciphertext = cipher
@@ -55,7 +55,7 @@ impl AuthService {
     fn decrypt_rsa_key(&self, encrypted: &str) -> Result<String, AppError> {
         let key = self.derive_rsa_encryption_key()?;
         let cipher = ChaCha20Poly1305::new_from_slice(&key)
-            .expect("32-byte key is valid for ChaCha20Poly1305");
+            .map_err(|_| AppError::RsaDecodeError)?;
         let combined = base64::engine::general_purpose::STANDARD
             .decode(encrypted)
             .map_err(|_| AppError::RsaDecodeError)?;
@@ -87,7 +87,7 @@ impl AuthService {
                 .get::<String>(Self::RSA_PUBLIC_KEY)
                 .ok()
                 .flatten()
-                .expect("checked above");
+                .unwrap_or_default();
             return Ok(RsaResponse { public_key });
         }