chore(deps): update Cargo.lock for security patches#140

Merged
KooshaPari merged 1 commit into
mainfrom
fix/cargo-lock-security-updates
May 2, 2026

Conversation

@KooshaPari KooshaPari commented May 2, 2026

Summary

Absorbs latest compatible patch/minor versions across direct and transitive dependencies.

Security Fixes (RUSTSEC)

| Advisory | Package | Severity |
| --- | --- | --- |
| RUSTSEC-2026-0104 | rustls-webpki 0.103.10 → 0.103.13 | HIGH |
| RUSTSEC-2026-0098 | rustls-webpki | MED |
| RUSTSEC-2026-0099 | rustls-webpki | MED |
| RUSTSEC-2026-0103 | thin-vec 0.2.14 → 0.2.16 | MED |

Dependency Updates

  • tokio 1.50 → 1.52
  • rustls 0.23.37 → 0.23.39
  • openssl 0.10.76 → 0.10.78
  • hyper-rustls 0.27.7 → 0.27.9
  • blake3 1.8.4 → 1.8.5
  • Plus 25 additional packages

Checklist

  • Lockfile-only change (no code changes)
  • No major version bumps
  • No new dependencies

Note

Low Risk
Lockfile-only dependency refresh; low code risk but may change runtime behavior in network/TLS paths due to rustls/rustls-webpki and tokio patch/minor bumps.

Overview
Updates Cargo.lock to pull in the latest compatible patch/minor versions across the dependency graph, including security-related upgrades (notably rustls-webpki, plus rustls, tokio, openssl, and related HTTP/TLS crates). No source code changes are included—this is strictly a lockfile refresh to pick up patched transitive versions.

Reviewed by Cursor Bugbot for commit 50f038c. Bugbot is set up for automated code reviews on this repo. Configure here.

Absorbs latest compatible patch/minor versions including:
- rustls-webpki: RUSTSEC-2026-0104, RUSTSEC-2026-0098, RUSTSEC-2026-0099
- thin-vec: RUSTSEC-2026-0103

Updates tokio, rustls, openssl, hyper-rustls, blake3, and 25+ packages.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 2, 2026 04:05
Copilot AI left a comment
Copilot wasn't able to review any files in this pull request.


@coderabbitai

coderabbitai Bot commented May 2, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 91242709-c799-4a76-a213-3e01a3e3f1ef

Warning

.coderabbit.yaml has a parsing error

The CodeRabbit configuration file in this repository has a parsing error and default settings were used instead. Please fix the error(s) in the configuration file. You can initialize chat with CodeRabbit to get help with the configuration file.

💥 Parsing errors (1)
unknown escape sequence in ".coderabbit.yaml" (41:11)

 38 |       - "async_await_patterns"
 39 |     patterns_to_watch:
 40 |       - "^unsafe "
 41 |       - "\.unwrap\(\)"
----------------^
 42 |       - "\.expect\("
 43 |       - "std::panic"
⚙️ Configuration instructions
  • Please see the configuration documentation for more information.
  • You can also validate your configuration using the online YAML validator.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
@github-actions

github-actions Bot commented May 2, 2026

🔒 Snyk Security Scan Results

Snyk vulnerability scan completed. View results in GitHub Code Scanning dashboard.

@github-actions

github-actions Bot commented May 2, 2026

Legacy Tooling Scan Report

Total violations: 100

| Severity | Count |
| --- | --- |
| critical | 0 |
| high | 0 |
| medium | 100 |
| low | 0 |

Top findings:

  • MEDIUM LT-GEN-005: src/thegent/planning/remediation_planner.py:1
  • MEDIUM LT-GEN-005: tests/test_phench_runtime.py:1
  • MEDIUM LT-GEN-005: tests/bdd/main.rs:1
  • MEDIUM LT-GEN-005: python/src/agileplus_mcp/grpc_client.py:1
  • MEDIUM LT-GEN-005: python/src/agileplus_proto/gen/agileplus/v1/integrations_pb2_grpc.py:1

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Comment thread Cargo.lock
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 4
version = 3
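Review bot: The `version = 4` → `version = 3` change in this hunk downgrades the lockfile format, which contradicts the description of the PR as a pure dependency refresh and is the one non-version-bump line in the diff. Regenerate Cargo.lock with the toolchain pinned in rust-toolchain.toml (which, as noted below, defaults to v4) so the diff contains only the intended version bumps and the next `cargo update` does not flip the format back to v4 in an unrelated PR.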
Cargo.lock format version downgraded from v4 to v3

Low Severity

The Cargo.lock format version was downgraded from 4 to 3. The project uses channel = "nightly" in rust-toolchain.toml, which defaults to generating v4 lockfiles. This mismatch means the next developer who runs cargo update or any resolve operation will have Cargo silently upgrade the format back to v4, producing a large diff of format-only changes and causing unnecessary churn.

@KooshaPari KooshaPari merged commit 2fd0df0 into main May 2, 2026
36 of 58 checks passed
@KooshaPari KooshaPari deleted the fix/cargo-lock-security-updates branch May 2, 2026 08:41