chore: update vulnerable dependencies (aws-lc-sys, rustls-webpki) #408

Merged
qhkm merged 8 commits into main from chore/update-vulnerable-deps
Mar 24, 2026

@qhkm qhkm commented Mar 23, 2026

Summary

  • Update aws-lc-rs 1.16.0 → 1.16.2 (pulls aws-lc-sys 0.37.1 → 0.39.0) — fixes RUSTSEC-2026-0045, -0046, -0047, -0048
  • Update rustls-webpki 0.103.9 → 0.103.10 — fixes RUSTSEC-2026-0049
  • Fix clippy push_str single-char lint in model_switch.rs

Note: rustls-webpki 0.102.8 remains pinned by rumqttc 0.25.1 (no upstream update available yet).

Test plan

  • cargo nextest run --lib — 3258 tests pass
  • cargo clippy -- -D warnings — clean
  • cargo audit — down from 7 advisories to 1 (unfixable upstream)

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Enhanced /model list output with usage hints and config location
  • Documentation

    • Added design spec and implementation plan for model discoverability, live model fetching, onboarding model selection, startup warnings, and refreshed default/suggested models
  • Tests

    • Added unit test ensuring model list includes usage hints
  • Chores

    • Updated CI/tooling, lint settings, deny.toml, and disabled an optional feature mapping

qhkm and others added 3 commits March 23, 2026 23:40
Design for improving model discovery UX: update stale KNOWN_MODELS,
add live model fetching from provider APIs, model selection in
onboarding, /model list hints, /model fetch command, and startup
mismatch warnings.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- aws-lc-rs 1.16.0 → 1.16.2 (pulls aws-lc-sys 0.37.1 → 0.39.0)
  Fixes RUSTSEC-2026-0045, -0046, -0047, -0048 (AES-CCM timing,
  X.509 name constraints bypass, CRL scope check, PKCS7 verify bypass)
- rustls-webpki 0.103.9 → 0.103.10
  Fixes RUSTSEC-2026-0049 (CRL distribution point matching)
- Fix clippy push_str single-char lint in model_switch.rs

Note: rustls-webpki 0.102.8 remains (pinned by rumqttc 0.25.1,
no upstream update available yet).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

coderabbitai Bot commented Mar 23, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Adds design and plan docs for provider-aware model discoverability, appends usage hints to /model list (with a unit test), updates cargo-deny and Cargo.toml (mqtt/lint changes), and bumps the cargo-deny action pin in CI.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Design & Plan docs: docs/superpowers/specs/2026-03-23-model-discoverability-design.md, docs/superpowers/plans/2026-03-23-model-discoverability.md | New spec and implementation plan introducing provider-aware model discovery: update default/KNOWN_MODELS, add fetch_provider_models() helper, onboarding model-selection step, /model fetch command, startup mismatch warning, and detailed test/build checklists. |
| CLI output & tests: src/channels/model_switch.rs | Append usage/help footer to format_model_list() (switch/reset hints and config path) and add test_format_model_list_includes_usage_hints. |
| Policy config: deny.toml | Migrate/update cargo-deny v2 schema sections: adjust advisories/licenses entries and expand allowed licenses. |
| Build config / features: Cargo.toml | Remove/comment out rumqttc dependency and disable mqtt feature mapping; add crate-level lint config to warn on unexpected cfgs. |
| CI workflow: .github/workflows/ci.yml | Bump EmbarkStudios/cargo-deny-action commit reference (v2.0.11 → v2.0.15). |

Sequence Diagram(s)

sequenceDiagram
    participant User as User
    participant CLI as CLI
    participant Agent as Agent
    participant Provider as ProviderAPI
    participant Config as Config

    Note over CLI,Agent: model fetch or onboarding model selection flow
    User->>CLI: run "/model fetch" or answer onboarding prompt
    CLI->>Agent: dispatch ModelCommand::Fetch / configure_model
    Agent->>Provider: fetch_provider_models(provider, api_key, api_base)
    Provider-->>Agent: return model list or error/timeout
    Agent->>Config: persist chosen `agents.defaults.model` or fallback to KNOWN_MODELS
    Agent-->>CLI: render models with usage hints

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through specs and docs so wide,
I nudged a hint into the model guide,
I fetched live lists from distant lands,
I tucked the choice into config with gentle hands,
Hop, switch, discover—carrots for every stride! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ⚠️ Warning | The PR title describes updating vulnerable dependencies (aws-lc-sys, rustls-webpki), but the changeset includes substantial model discoverability feature planning, design documentation, implementation updates to model_switch.rs, and unrelated configuration changes (deny.toml, Cargo.toml feature removal, CI workflow updates). The title is misleading about the actual scope of changes. | Revise the title to accurately reflect the primary changes, such as 'feat: implement model discoverability with live provider fetching and improve dependency security' or split into separate PRs for dependency updates vs. feature work. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
docs/superpowers/plans/2026-03-23-model-discoverability.md (1)

254-259: Minor inconsistency between plan snippet and actual implementation.

The snippet shows output.push_str("\n\n"); but the actual implementation at line 280 of model_switch.rs uses output.push('\n');. This is correct because there's already a trailing \n from line 250 (output.push('\n');). The implementation achieves the intended double-newline spacing correctly.

Consider updating the snippet to match the actual implementation for future reference:

📝 Suggested update
-    output.push_str("\n\n");
+    output.push('\n');
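Review bot: the replacement line `output.push('\n');` only produces the intended blank line while the code before it still ends with its own trailing newline, and the snippet does not show that earlier push. Add a one-line comment to the plan snippet stating that dependency, so the spacing is not silently lost if the earlier line changes.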
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/superpowers/plans/2026-03-23-model-discoverability.md` around lines 254
- 259, The plan snippet shows output.push_str("\n\n"); but the actual
implementation in model_switch.rs uses output.push('\n'); (relying on an earlier
trailing '\n') — update the documentation snippet to match the implementation by
replacing the double-newline push_str with the single output.push('\n');
(referencing the symbols output.push_str, output.push and model_switch.rs) so
the plan and code remain consistent.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8c891ef4-bcd1-4f74-9bdd-7a22cff87248

📥 Commits

Reviewing files that changed from the base of the PR and between 87abe51 and 00bfeeb.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (3)
  • docs/superpowers/plans/2026-03-23-model-discoverability.md
  • docs/superpowers/specs/2026-03-23-model-discoverability-design.md
  • src/channels/model_switch.rs

- aws-lc-rs 1.16.0 → 1.16.2 (pulls aws-lc-sys 0.37.1 → 0.39.0)
  Fixes RUSTSEC-2026-0045, -0046, -0047, -0048
- rustls-webpki 0.103.9 → 0.103.10 (fixes RUSTSEC-2026-0049)
- Update deny.toml: remove deprecated fields (unmaintained, yanked,
  copyleft, deny, unlicensed), add CDLA-Permissive-2.0 and
  Apache-2.0 WITH LLVM-exception licenses, ignore RUSTSEC-2026-0049
  (rustls-webpki 0.102.8 pinned by rumqttc, no upstream fix)
- Fix clippy push_str single-char lint in model_switch.rs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (2)
deny.toml (2)

39-40: Prefer crate-scoped license exceptions over new global allows.

licenses.allow permits these SPDX expressions for the entire dependency graph, while cargo-deny's licenses.exceptions is meant for licenses you only want to allow on specific crates. If these were added just to accommodate the updated TLS/crypto dependencies, scoping them to the owning crates keeps the policy narrower and makes future license drift visible. (embarkstudios.github.io)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@deny.toml` around lines 39 - 40, The global licenses.allow entries
("Apache-2.0 WITH LLVM-exception" and "CDLA-Permissive-2.0") should be removed
and instead added as crate-scoped exceptions using cargo-deny's
licenses.exceptions so the allowance applies only to the specific dependent
crates that require those SPDX exceptions; update deny.toml to delete those two
SPDX strings from licenses.allow and add corresponding entries under
licenses.exceptions that reference the exact crate/package selectors (package
names or cfg selectors) that need each exception, ensuring the SPDX string
matches the exception field for that crate.

17-22: Make this advisory waiver self-expiring.

Cargo.lock:1-30 and Cargo.toml:1-50 show this exception is only justified for feature-gated rustls-webpki 0.102.8 via rumqttc 0.25.1. This entry effectively suppresses any occurrence of RUSTSEC-2026-0049 in the graph; cargo-deny supports the structured { id, reason } form, and stale ignores only warn unless unused-ignored-advisory is tightened. Converting this to a structured ignore and making unused ignores fail would keep the waiver auditable and force cleanup once upstream catches up. (embarkstudios.github.io)

🛠️ Proposed change
 [advisories]
+unused-ignored-advisory = "deny"
 ignore = [
-    "RUSTSEC-2026-0049",
+    { id = "RUSTSEC-2026-0049", reason = "feature-gated rustls-webpki 0.102.8 via rumqttc 0.25.1; remove when upstream updates" },
 ]
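Review bot: the structured entry on the `ignore` line still matches on advisory id alone, so it keeps waiving RUSTSEC-2026-0049 for every crate in the graph, and `unused-ignored-advisory = "deny"` only fires once no crate matches it at all. Make the `reason` name a checkable removal condition (a tracking issue or the rumqttc release being waited on), and confirm the rustls-webpki 0.103.10 fix from `cargo audit` output, since this waiver would hide a regression on that line too.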

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c0a67015-1df3-4415-a07f-3b35831432d3

📥 Commits

Reviewing files that changed from the base of the PR and between 00bfeeb and 95363d5.

📒 Files selected for processing (1)
  • deny.toml

qhkm and others added 2 commits March 24, 2026 00:43
- Update aws-lc-rs 1.16.0 → 1.16.2 (aws-lc-sys 0.37.1 → 0.39.0)
  Fixes RUSTSEC-2026-0045, -0046, -0047, -0048
- Update rustls-webpki 0.103.9 → 0.103.10 (fixes RUSTSEC-2026-0049)
- Temporarily disable mqtt feature: rumqttc 0.25.1 pins vulnerable
  rustls-webpki 0.102.8 with no upstream fix. Code stays behind
  #[cfg(feature = "mqtt")] — re-enable when rumqttc updates.
- Fix deny.toml: remove deprecated fields for cargo-deny v2 compat,
  add CDLA-Permissive-2.0 and Apache-2.0 WITH LLVM-exception licenses
- Fix clippy push_str single-char lint in model_switch.rs

cargo audit: 0 vulnerabilities
cargo deny check: all ok
cargo nextest: 3258 passed

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

v2.0.11 can't parse CVSS 4.0 advisories in the RustSec DB, causing
immediate failure before any checks run.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yml:
- Line 74: The pinned commit for the EmbarkStudios action (the line using
"EmbarkStudios/cargo-deny-action@44db170f6a7d12a6e90340e9e0fca1f650d34b14") does
not match the v2.0.15 release; either replace the pinned SHA with the actual
v2.0.15 commit (e.g., the commit that resolves from the v2.0.15 tag) or update
the trailing comment to reflect the actual commit you intend to pin (remove or
change "v2.0.15"), ensuring the action reference and comment are consistent.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: eccb14a5-edb5-444a-86d2-0c0fb7be1cf4

📥 Commits

Reviewing files that changed from the base of the PR and between 8a9fe5b and 610fc7a.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml

Comment thread .github/workflows/ci.yml
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: EmbarkStudios/cargo-deny-action@34899fc7ba81ca6268d5947a7a16b4649013fea1 # v2.0.11
- uses: EmbarkStudios/cargo-deny-action@44db170f6a7d12a6e90340e9e0fca1f650d34b14 # v2.0.15
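Review bot: the trailing `# v2.0.15` on the new cargo-deny-action line is free text that nothing checks against the 40-character SHA in front of it. Confirm the SHA is the commit the v2.0.15 tag resolves to (peeling the tag if it is annotated), and keep the full-SHA pin used on the checkout line above rather than switching to a mutable tag reference.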

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

repo="EmbarkStudios/cargo-deny-action"
expected_sha="44db170f6a7d12a6e90340e9e0fca1f650d34b14"

ref_type="$(gh api "repos/${repo}/git/ref/tags/v2.0.15" --jq '.object.type')"
ref_sha="$(gh api "repos/${repo}/git/ref/tags/v2.0.15" --jq '.object.sha')"

if [ "$ref_type" = "commit" ]; then
  tag_commit="$ref_sha"
else
  tag_commit="$(gh api "repos/${repo}/git/tags/${ref_sha}" --jq '.object.sha')"
fi

echo "v2.0.15 resolves to commit: ${tag_commit}"
echo "workflow pins commit:       ${expected_sha}"

test "${tag_commit}" = "${expected_sha}"
echo "✅ Verified: pinned SHA matches tag v2.0.15"

Repository: qhkm/zeptoclaw

Length of output: 88


🏁 Script executed:

cat -n .github/workflows/ci.yml | sed -n '70,80p'

Repository: qhkm/zeptoclaw

Length of output: 478


🌐 Web query:

EmbarkStudios cargo-deny-action v2.0.15 release commit SHA

💡 Result:

The release commit SHA for EmbarkStudios/cargo-deny-action v2.0.15 is 3fd3802.


🌐 Web query:

EmbarkStudios cargo-deny-action commit 44db170f6a7d12a6e90340e9e0fca1f650d34b14

💡 Result:

The commit 44db170f6a7d12a6e90340e9e0fca1f650d34b14 in EmbarkStudios/cargo-deny-action is a specific Git commit hash in the GitHub repository for cargo-deny-action, a GitHub Action that runs cargo-deny to check Rust project dependencies for banned crates, licenses, advisories, and sources. The repository is active as of 2026-01-08 with latest release v2.0.15. No sources explicitly describe this particular commit's content, author, date, or changes; it does not appear in release notes, PRs, or general web mentions. It may be an internal or minor commit not publicly highlighted.


🌐 Web query:

EmbarkStudios cargo-deny-action releases v2.0.15 full commit hash

💡 Result:

The full commit hash for EmbarkStudios/cargo-deny-action release v2.0.15 is 3fd3802.


Pinned SHA does not match v2.0.15 release tag.

The action pins commit 44db170f6a7d12a6e90340e9e0fca1f650d34b14, but v2.0.15 release resolves to a different commit (3fd3802...). Either update the pin to the actual v2.0.15 release commit, or correct the version comment if intentionally pinning to a different commit.


qhkm and others added 2 commits March 24, 2026 01:03
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

cargo-deny v2.0.15 enforces stricter defaults than v2.0.11:
- Git sources now denied by default — allow qhkm/gogcli-rs
- Unmaintained crates now error by default — set to workspace scope

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@qhkm qhkm merged commit 8f64a26 into main Mar 24, 2026
14 checks passed
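
Added example, not code from this PR or from CodeRabbit: the single-action pin check from the ci.yml thread above, generalized to every SHA-pinned `uses:` line that carries a version comment. `fetch_tags` is a stub returning constructed data; the `example-org/*` repositories and all SHAs are made up, and the live replacement shown in the comment is an assumption about how tags would be fetched.

```shell
#!/bin/sh
# Added example: audit SHA-pinned `uses:` lines against their version comments.
# Repositories and SHAs below are constructed, not taken from the PR.

# Read `git ls-remote --tags` output on stdin and print the commit that tag $1
# points to. An annotated tag lists the tag object first and the commit on a
# peeled "^{}" line, so the peeled value wins when both are present.
resolve_tag() {
  awk -v tag="refs/tags/$1" '
    $2 == tag          { direct = $1 }
    $2 == (tag "^{}")  { peeled = $1 }
    END { if (peeled != "") print peeled; else if (direct != "") print direct }'
}

# Tag source, stubbed with constructed data so the example runs offline.
# Live use (assumption): fetch_tags() { git ls-remote --tags "https://github.com/$1"; }
fetch_tags() {
  case "$1" in
    example-org/lint-action)
      printf '%s\t%s\n' \
        1111111111111111111111111111111111111111 'refs/tags/v1.2.0' ;;
    example-org/deny-action)
      printf '%s\t%s\n' \
        aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 'refs/tags/v2.0.15' \
        bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb 'refs/tags/v2.0.15^{}' ;;
  esac
}

# Read workflow text on stdin, print one verdict per pinned action, and
# return 1 if any pin disagrees with its comment or cannot be resolved.
audit_pins() {
  rc=0
  pins=$(sed -nE 's|.*uses:[[:space:]]*([^@[:space:]]+)@([0-9a-f]{40})[[:space:]]*#[[:space:]]*(v[^[:space:]]+).*|\1 \2 \3|p')
  while read -r repo sha tag; do
    [ -n "$repo" ] || continue
    want=$(fetch_tags "$repo" | resolve_tag "$tag")
    if [ -z "$want" ]; then
      echo "UNKNOWN  $repo $tag"; rc=1
    elif [ "$want" = "$sha" ]; then
      echo "OK       $repo $tag"
    else
      echo "MISMATCH $repo $tag pinned=$sha tag=$want"; rc=1
    fi
  done <<EOF
$pins
EOF
  return "$rc"
}

# Constructed workflow fragment. The second pin is the tag-object SHA of an
# annotated tag rather than the commit it points to, so it is reported.
SAMPLE_WORKFLOW='steps:
  - uses: example-org/lint-action@1111111111111111111111111111111111111111 # v1.2.0
  - uses: example-org/deny-action@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v2.0.15'

printf '%s\n' "$SAMPLE_WORKFLOW" | audit_pins || true
```

Lines pinned to a tag or branch instead of a 40-character SHA, or lacking a version comment, are not matched by the `sed` pattern and are skipped.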
stuartbowness pushed a commit to stuartbowness/zeptoclaw that referenced this pull request Mar 24, 2026
…km#408)

## Summary

- Update `aws-lc-rs` 1.16.0 → 1.16.2 (pulls `aws-lc-sys` 0.37.1 →
0.39.0) — fixes RUSTSEC-2026-0045, -0046, -0047, -0048
- Update `rustls-webpki` 0.103.9 → 0.103.10 — fixes RUSTSEC-2026-0049
- Fix clippy `push_str` single-char lint in `model_switch.rs`

Note: `rustls-webpki` 0.102.8 remains pinned by `rumqttc 0.25.1` (no
upstream update available yet).

## Test plan

- [x] `cargo nextest run --lib` — 3258 tests pass
- [x] `cargo clippy -- -D warnings` — clean
- [x] `cargo audit` — down from 7 advisories to 1 (unfixable upstream)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
  * Enhanced /model list output with usage hints and config location

* **Documentation**
* Added design spec and implementation plan for model discoverability,
live model fetching, onboarding model selection, startup warnings, and
refreshed default/suggested models

* **Tests**
  * Added unit test ensuring model list includes usage hints

* **Chores**
* Updated CI/tooling, lint settings, deny.toml, and disabled an optional
feature mapping
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
taqtiqa-mark pushed a commit to taqtiqa-mark/zeptoclaw that referenced this pull request Mar 25, 2026