fix(security): update rustls-webpki 0.103.10→0.103.13; run cargo fmt

Fixes 3 rustls-webpki CVEs (RUSTSEC-2026-0098, RUSTSEC-2026-0099,
RUSTSEC-2026-0104) via ureq→rustls dependency chain. Cargo fmt applied to
clear CI formatting gate (no logic changes, 200 tests pass).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: hyperpolymath

Cargo.lock

@@ -31,10 +31,7 @@ pub fn analyze<P: AsRef<Path>>(target: P) -> Result<AssailReport> {
     let root = if target_ref.is_dir() {
         target_ref.to_path_buf()
     } else {
-        target_ref
-            .parent()
-            .unwrap_or(Path::new("."))
-            .to_path_buf()
+        target_ref.parent().unwrap_or(Path::new(".")).to_path_buf()
     };
     apply_user_classifications(&mut report, &root);
     Ok(report)
@@ -51,14 +48,15 @@ pub fn analyze_verbose<P: AsRef<Path>>(target: P) -> Result<AssailReport> {
     let root = if target_ref.is_dir() {
         target_ref.to_path_buf()
     } else {
-        target_ref
-            .parent()
-            .unwrap_or(Path::new("."))
-            .to_path_buf()
+        target_ref.parent().unwrap_or(Path::new(".")).to_path_buf()
     };
     apply_user_classifications(&mut report, &root);
 
-    let active_count = report.weak_points.iter().filter(|wp| !wp.suppressed).count();
+    let active_count = report
+        .weak_points
+        .iter()
+        .filter(|wp| !wp.suppressed)
+        .count();
     let suppressed_count = report.suppressed_count;
 
     println!("Assail Analysis Complete");
@@ -130,7 +128,11 @@ pub fn analyze_verbose_browser_extension<P: AsRef<Path>>(target: P) -> Result<As
     let mut report = analyzer.analyze()?;
     apply_suppression(&mut report);
 
-    let active_count = report.weak_points.iter().filter(|wp| !wp.suppressed).count();
+    let active_count = report
+        .weak_points
+        .iter()
+        .filter(|wp| !wp.suppressed)
+        .count();
     let suppressed_count = report.suppressed_count;
 
     println!("Assail Analysis Complete (Browser Extension Mode)");
@@ -559,7 +561,10 @@ mod classifications_tests {
 
     #[test]
     fn apply_flips_matching_finding_to_suppressed() {
-        use crate::types::{AssailReport, AttackAxis, Language, ProgramStatistics, Severity, WeakPoint, WeakPointCategory};
+        use crate::types::{
+            AssailReport, AttackAxis, Language, ProgramStatistics, Severity, WeakPoint,
+            WeakPointCategory,
+        };
         let tmp = TempDir::new().unwrap();
         write_registry(
             tmp.path(),

src/assail/analyzer.rs

@@ -97,7 +97,11 @@ fn classify_reachable(
         )
     } else if vuln.semver_fix_available {
         // Semver-compatible fix — easiest mitigation
-        let fix_version = vuln.fixed_versions.first().map(String::as_str).unwrap_or("unknown");
+        let fix_version = vuln
+            .fixed_versions
+            .first()
+            .map(String::as_str)
+            .unwrap_or("unknown");
         (
             Classification::Mitigable,
             format!(

src/assail/mod.rs

@@ -180,8 +180,14 @@ fn osv_post_with_retry(body_bytes: &[u8]) -> Result<String> {
         match send_result {
             Err(e) => {
                 // Connection-level error — always retry
-                last_err = anyhow::anyhow!("OSV API request failed (attempt {}): {}", attempt + 1, e);
-                log::warn!("[bridge] OSV attempt {}/{}: {}", attempt + 1, OSV_MAX_RETRIES, last_err);
+                last_err =
+                    anyhow::anyhow!("OSV API request failed (attempt {}): {}", attempt + 1, e);
+                log::warn!(
+                    "[bridge] OSV attempt {}/{}: {}",
+                    attempt + 1,
+                    OSV_MAX_RETRIES,
+                    last_err
+                );
                 continue;
             }
             Ok(mut resp) => {
@@ -195,8 +201,18 @@ fn osv_post_with_retry(body_bytes: &[u8]) -> Result<String> {
                         .limit(64 * 1024)
                         .read_to_string()
                         .unwrap_or_default();
-                    last_err = anyhow::anyhow!("OSV API returned HTTP {} (attempt {}): {}", status, attempt + 1, buf);
-                    log::warn!("[bridge] OSV attempt {}/{}: HTTP {}", attempt + 1, OSV_MAX_RETRIES, status);
+                    last_err = anyhow::anyhow!(
+                        "OSV API returned HTTP {} (attempt {}): {}",
+                        status,
+                        attempt + 1,
+                        buf
+                    );
+                    log::warn!(
+                        "[bridge] OSV attempt {}/{}: HTTP {}",
+                        attempt + 1,
+                        OSV_MAX_RETRIES,
+                        status
+                    );
                     continue;
                 }
 

src/bridge/classify.rs

@@ -442,7 +442,10 @@ sqlalchemy[asyncio]==2.0.0; python_version >= "3.8"
         assert!(names.contains(&"flask"));
         assert!(names.contains(&"sqlalchemy"));
         assert_eq!(
-            deps.iter().find(|d| d.name == "sqlalchemy").unwrap().version,
+            deps.iter()
+                .find(|d| d.name == "sqlalchemy")
+                .unwrap()
+                .version,
             "2.0.0",
             "Env marker should be stripped"
         );

src/bridge/intelligence.rs

@@ -30,8 +30,7 @@ use serde::{Deserialize, Serialize};
 /// Each variant maps to an ISO 639-1 two-letter code. The enum is used by
 /// the CLI `--lang` flag and by report generators that emit human-readable
 /// text (axial markdown, assault recommendations, adjudicate verdicts).
-#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
-#[derive(Default)]
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize, Default)]
 pub enum Lang {
     #[default]
     En,
@@ -121,7 +120,6 @@ impl Lang {
     }
 }
 
-
 impl std::fmt::Display for Lang {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         write!(f, "{}", self.code())

src/bridge/lockfile.rs

@@ -871,10 +871,7 @@ impl LogicEngine {
                     "weak_point",
                     vec![Term::atom("UnsafeCode"), v26.clone(), v27],
                 ),
-                LogicFact::new(
-                    "context",
-                    vec![v26.clone(), Term::atom("ffi_safe_wrapper")],
-                ),
+                LogicFact::new("context", vec![v26.clone(), Term::atom("ffi_safe_wrapper")]),
             ],
             RuleMetadata {
                 confidence: 0.92,
@@ -913,10 +910,7 @@ impl LogicEngine {
                     "weak_point",
                     vec![Term::atom("PanicPath"), v28.clone(), v29],
                 ),
-                LogicFact::new(
-                    "context",
-                    vec![v28.clone(), Term::atom("scanner_source")],
-                ),
+                LogicFact::new("context", vec![v28.clone(), Term::atom("scanner_source")]),
             ],
             RuleMetadata {
                 confidence: 0.85,
@@ -1057,8 +1051,8 @@ impl LogicEngine {
                 || path.contains("analyzer")
                 || path.contains("scanner")
                 || path.contains("detector");
-            let high_literal_ratio = fs.lines > 0
-                && (fs.unwrap_calls as f64 / fs.lines as f64) >= 0.10;
+            let high_literal_ratio =
+                fs.lines > 0 && (fs.unwrap_calls as f64 / fs.lines as f64) >= 0.10;
             if is_scanner_path && high_literal_ratio {
                 self.db.assert_fact(LogicFact::new(
                     "context",
@@ -1682,11 +1676,7 @@ mod tests {
         let mut engine = LogicEngine::new();
         engine.extract_context_facts(&report);
         assert!(
-            !has_context(
-                &engine,
-                "crates/oo7-core/src/plain.rs",
-                "ffi_safe_wrapper"
-            ),
+            !has_context(&engine, "crates/oo7-core/src/plain.rs", "ffi_safe_wrapper"),
             "ffi_safe_wrapper=false must not leak the context fact"
         );
     }
@@ -1756,16 +1746,8 @@ mod tests {
                 safe_unwrap_calls: 0,
             }],
             vec![
-                make_weak_point(
-                    WeakPointCategory::UnsafeCode,
-                    path,
-                    "8 unsafe blocks",
-                ),
-                make_weak_point(
-                    WeakPointCategory::PanicPath,
-                    path,
-                    "20 unwrap/expect calls",
-                ),
+                make_weak_point(WeakPointCategory::UnsafeCode, path, "8 unsafe blocks"),
+                make_weak_point(WeakPointCategory::PanicPath, path, "20 unwrap/expect calls"),
             ],
         );
         crate::assail::apply_suppression(&mut report);

src/i18n/catalog.rs

@@ -83,11 +83,7 @@ impl SearchStrategy {
 
 /// Compute risk scores for all files and return them in analysis order
 pub fn prioritise_files(report: &AssailReport, strategy: SearchStrategy) -> Vec<FileRisk> {
-    let mut scored: Vec<FileRisk> = report
-        .file_statistics
-        .iter()
-        .map(score_file)
-        .collect();
+    let mut scored: Vec<FileRisk> = report.file_statistics.iter().map(score_file).collect();
 
     // Sorting policy is strategy-dependent, but all strategies operate on the same base score set.
     match strategy {

src/kanren/core.rs

@@ -2306,38 +2306,36 @@ fn run_main() -> Result<()> {
             return Ok(());
         }
 
-        Commands::Attest { action } => {
-            match action {
-                AttestAction::Verify { file } => {
-                    match attestation::verify_attestation_file(&file)? {
-                        attestation::VerifyResult::Ok {
-                            issuer,
-                            issued_at,
-                            chain_hash,
-                            signature_verified,
-                        } => {
-                            println!("  [OK] Attestation verified");
-                            println!("       Issuer:    {}", issuer);
-                            println!("       Issued at: {}", issued_at);
-                            println!("       Chain:     {}", chain_hash);
-                            if signature_verified {
-                                println!("       Signature: verified (Ed25519)");
-                            } else {
-                                println!("       Signature: not present");
-                            }
+        Commands::Attest { action } => match action {
+            AttestAction::Verify { file } => {
+                match attestation::verify_attestation_file(&file)? {
+                    attestation::VerifyResult::Ok {
+                        issuer,
+                        issued_at,
+                        chain_hash,
+                        signature_verified,
+                    } => {
+                        println!("  [OK] Attestation verified");
+                        println!("       Issuer:    {}", issuer);
+                        println!("       Issued at: {}", issued_at);
+                        println!("       Chain:     {}", chain_hash);
+                        if signature_verified {
+                            println!("       Signature: verified (Ed25519)");
+                        } else {
+                            println!("       Signature: not present");
                         }
-                        attestation::VerifyResult::Failed(reasons) => {
-                            eprintln!("  [FAIL] Attestation verification failed:");
-                            for reason in &reasons {
-                                eprintln!("         - {}", reason);
-                            }
-                            return Err(anyhow::anyhow!("attestation verification failed"));
+                    }
+                    attestation::VerifyResult::Failed(reasons) => {
+                        eprintln!("  [FAIL] Attestation verification failed:");
+                        for reason in &reasons {
+                            eprintln!("         - {}", reason);
                         }
+                        return Err(anyhow::anyhow!("attestation verification failed"));
                     }
-                    return Ok(());
                 }
+                return Ok(());
             }
-        }
+        },
 
         Commands::Temporal { action } => {
             match action {