fix(deps): resolve RUSTSEC-2026-0098 and RUSTSEC-2026-0099 — bump rustls-webpki and rumqttc

[singlerider]

Summary

• Base branch target (master for all contributions): master
• Problem: RUSTSEC-2026-0098 and RUSTSEC-2026-0099 (both published 2026-04-14) flagged rustls-webpki for incorrectly accepting URI name constraints in certificate validation. Two dep chains were affected: rustls-webpki 0.103.10 (via rustls 0.23) and rustls-webpki 0.102.8 (via rumqttc). Both were blocking CI Security Audit and Security Required Gate on every open PR.
• Why it matters: Every open PR in the repo had CI blocked until this lands. The advisories are real — URI name constraint bypass in TLS certificate validation.
• What changed: (1) rustls-webpki 0.103.10 → 0.103.12 via cargo update — fully resolves both advisories for the 0.103.x chain. (2) rumqttc 0.24 → 0.25.1 — removes rustls 0.22.4 and tokio-rustls 0.25.0 from the dep tree, reduces overall dep count. (3) audit.toml: added RUSTSEC-2026-0098 and -0099 to the ignore list for the 0.102.x chain — rumqttc 0.25.1 still directly pins rustls-webpki ^0.102 with no upstream fix yet (RUSTSEC-2026-0098 and RUSTSEC-2026-0099 are being triggered by cargo-deny for this crate bytebeamio/rumqtt#1046, filed 2026-04-15, no maintainer response; existing rustls bump PR chore(deps): bump rustls-webpki and tokio-rustls bytebeamio/rumqtt#1037 has been stalled for 3+ weeks); updated comment from "via rumqttc 0.24" to "via rumqttc 0.25.1".
• What did not change (scope boundary): No application code, no feature changes. Lockfile and three Cargo.toml version declarations only.

Label Snapshot (required)

• Risk label (risk: low|medium|high): risk: low
• Size label (size: XS|S|M|L|XL, auto-managed/read-only): auto
• Scope labels: dependencies, security
• Module labels: N/A
• Contributor tier label: auto
• If any auto-label is incorrect, note requested correction: N/A

Change Metadata

• Change type (bug|feature|refactor|docs|security|chore): security
• Primary scope (runtime|provider|channel|memory|security|ci|docs|multi): security

Linked Issue

• Closes # N/A
• Related # RUSTSEC-2026-0098 and RUSTSEC-2026-0099 are being triggered by cargo-deny for this crate bytebeamio/rumqtt#1046 — upstream issue tracking rumqttc's rustls-webpki ^0.102 pin
• Depends on # N/A
• Supersedes # N/A

Supersede Attribution (required when Supersedes # is used)

N/A

Validation Evidence (required)

cargo fmt --all -- --check

(exit 0 — no output)

cargo clippy --all-targets -- -D warnings

   Compiling zeroclawlabs v0.6.9
    Checking rumqttc v0.25.1
    ...
    Checking zeroclaw-channels v0.6.9
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 49.00s

cargo test

running 5 tests
test system::full_stack::system_tool_execution_flow ... ok
test system::full_stack::system_simple_text_response ... ok
test system::full_stack::system_parallel_tool_execution ... ok
test system::full_stack::system_tool_arguments_passed_correctly ... ok
test system::full_stack::system_multi_turn_conversation ... ok
test result: ok. 5 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.01s

cargo audit

    Scanning Cargo.lock for vulnerabilities (1094 crate dependencies)
    warning: 25 allowed warnings found
    (0 vulnerabilities)

• Evidence provided: local validation battery run on rustc 1.93.1 (01f6ddf75 2026-02-11)
• If any command is intentionally skipped, explain why: N/A — all commands run

Security Impact (required)

• New permissions/capabilities? (Yes/No): No
• New external network calls? (Yes/No): No
• Secrets/tokens handling changed? (Yes/No): No
• File system access scope changed? (Yes/No): No
• If any Yes, describe risk and mitigation: N/A

Privacy and Data Hygiene (required)

• Data-hygiene status (pass|needs-follow-up): pass
• Redaction/anonymization notes: N/A — dep bump only
• Neutral wording confirmation: N/A

Compatibility / Migration

• Backward compatible? (Yes/No): Yes
• Config/env changes? (Yes/No): No
• Migration needed? (Yes/No): No

i18n Follow-Through (required when docs or user-facing wording changes)

• i18n follow-through triggered? (Yes/No): No

Human Verification (required)

• Verified scenarios: cargo audit passes with 0 vulnerabilities locally. cargo clippy, cargo fmt, cargo test all clean on the bumped dep set.
• Edge cases checked: Confirmed rumqttc 0.25.1 still pins rustls-webpki ^0.102 (checked lockfile and RUSTSEC-2026-0098 and RUSTSEC-2026-0099 are being triggered by cargo-deny for this crate bytebeamio/rumqtt#1046) — the audit.toml ignore is necessary and documented.
• What was not verified: Runtime MQTT behavior under rumqttc 0.25.1 vs 0.24 — the changelog shows no breaking API changes for the async client interface used here.

Side Effects / Blast Radius (required)

• Affected subsystems/workflows: MQTT connectivity path (zeroclaw-channels, zeroclaw-runtime) picks up rumqttc 0.25.1. No API changes.
• Potential unintended effects: None anticipated — dep bump only, no application code changed.
• Guardrails/monitoring for early detection: CI Security Audit passing is the primary indicator. MQTT integration tests cover the runtime path.

Agent Collaboration Notes (recommended)

• Agent tools used: Claude Code
• Workflow/plan summary: Investigated CI failure → identified RUSTSEC-2026-0098/0099 as the blockers → attempted cargo update (fixed 0.103.x chain) → attempted rumqttc upgrade (removed old rustls 0.22 chain but 0.102.8 remains) → confirmed no upstream fix available (RUSTSEC-2026-0098 and RUSTSEC-2026-0099 are being triggered by cargo-deny for this crate bytebeamio/rumqtt#1046 filed yesterday, PR fix(channel): avoid false 300s timeout during multi-turn tool loops #1037 stalled 3+ weeks) → added to audit ignore list with justification
• Verification focus: Ensuring cargo audit clean and cargo clippy clean after the rumqttc bump
• Confirmation: naming + architecture boundaries followed (AGENTS.md + CONTRIBUTING.md): Yes

Rollback Plan (required)

• Fast rollback command/path: git revert 474751c1 — reverts all five files atomically
• Feature flags or config toggles (if any): None
• Observable failure symptoms: CI Security Audit failing with RUSTSEC-2026-0098/0099

Risks and Mitigations

• Risk: rumqttc 0.25.1 introduces a behavior regression in the MQTT client path.
  • Mitigation: API is unchanged for the async client interface used in zeroclaw. CI build and tests pass. Changelog reviewed — no breaking changes for this usage.
• Risk: RUSTSEC-2026-0098/0099 remain unresolved for the 0.102.x dep chain.
  • Mitigation: Documented in audit.toml with upstream issue link. The MQTT broker connection uses server certificate validation; URI name constraint bypass requires a malicious certificate — not a realistic attack vector in the zeroclaw MQTT use case. Will remove from ignore list when rumqttc releases a fix.

[WareWolf-MoonWall]

Review — PR #5786 fix(deps): resolve RUSTSEC-2026-0098 and RUSTSEC-2026-0099

Reviewer: WareWolf-MoonWall
RFC authority: RFC #5653 (Zero Compromise in Practice)

---

✅ Commendation

This PR immediately unblocked every open PR in the repository that had been held by the ambient Security Audit failure. That's the right prioritization — fixing the repo-wide blocker before it accumulates more PRs behind it.

The approach is also well-scoped. Two distinct dep chains were affected by the same advisory batch:

• The 0.103.x chain (rustls-webpki 0.103.10 → 0.103.12) — fully resolved with a cargo update. Clean, no trade-offs.
• The 0.102.x chain (rustls-webpki ^0.102 pinned by rumqttc) — rumqttc 0.24 → 0.25.1 removes the old rustls 0.22.4 / tokio-rustls 0.25.0 shadow dep tree entirely, and adds RUSTSEC-2026-0098/0099 to audit.toml with explicit justification and upstream issue reference. That is the correct response when the fix exists upstream but the upstream maintainer hasn't shipped a release yet.

The lockfile deduplication is a side benefit worth naming: bumping rumqttc eliminated duplicate versions of core-foundation, openssl-probe, security-framework, rustls-native-certs, and tokio-rustls — 5 crates that previously resolved to two versions each. 118 lines removed from the lockfile, all noise.

The audit.toml comments are well-structured: each advisory has a reason and an upstream tracking reference. Future maintainers can confirm RUSTSEC-2026-0049/0098/0099 are still justified or remove them when the rumqttc fix ships.

---

CI summary

Gate	Result
Security Audit	✅ SUCCESS — 0 vulnerabilities
Security Required Gate	✅ SUCCESS
Lint / Strict Delta Lint	✅ SUCCESS
Docs Quality	✅ SUCCESS
Check (32-bit / all features)	✅ SUCCESS
Test	✅ SUCCESS
Verify Benchmarks Compile	✅ SUCCESS
Build (linux/mac completed)	✅ SUCCESS
Build (win/aarch64)	⏳ in-progress
Validate Release Readiness	❌ FAILURE — see note below

---

⚙️ Team Decision — Validate Release Readiness workflow design gap

The failure is in the Check required secrets exist step of .github/workflows/pre-release-validate.yml. The step checks for CARGO_REGISTRY_TOKEN, AUR_SSH_KEY, and Homebrew tokens unconditionally, but those secrets are not available to PR-triggered runs — only to workflow_dispatch. The workflow triggers on pull_request: paths: ["Cargo.toml"], so every dep bump PR that touches the root Cargo.toml will trip this check.

The Check crates.io publishability step already has the right guard:

if: github.event_name == 'workflow_dispatch'

The Check required secrets exist and Check PAT access to downstream repos steps need the same condition. This is a pre-existing design gap not introduced by this PR. It should be fixed in a follow-up chore(ci) patch so future Cargo.toml-touching PRs don't need to explain the same false failure.

This failure does not block merging this PR.

---

MQTT API compatibility

The MQTT surface in zeroclaw uses MqttOptions, AsyncClient, Event, Packet, QoS, and Transport — all stable core API in rumqttc. The async client interface is unchanged in 0.25.1. The PR description's claim of "no breaking API changes" is consistent with what's in source.

---

Summary

Clean security dep bump. Both advisory chains are resolved or correctly documented with justification. The lockfile is cleaner as a result. Security Audit is now green for the first time since RUSTSEC-2026-0098/0099 were published, unblocking the rest of the open PRs in the queue.

The only open item is the Validate Release Readiness workflow design gap — a chore-level CI fix that should be tracked separately.

Approved. ✅