
build(deps): bump reqwest to 0.13, refresh dependencies #65

Merged
polaz merged 2 commits into main from build/update-deps
Jun 27, 2026

@polaz polaz commented Jun 27, 2026

Summary

Updates dependencies (including the major reqwest bump) and fixes the resulting API/feature changes so the workspace builds cleanly. Supersedes #62, which bumped reqwest to 0.13 without adapting the removed rustls-tls feature and so failed CI at the cargo metadata stage.

Changes

  • reqwest 0.12 → 0.13. The rustls-tls feature was removed in 0.13 (root cause of the chore(deps): update reqwest requirement from 0.12 to 0.13 #62 failure).
  • 0.13's rustls feature hardwires the aws-lc-rs provider (C FFI, awkward for the x86_64-unknown-linux-musl static build). Switched to rustls-no-provider and keep the pure-Rust ring provider — aws-lc-rs is gone from the dependency tree entirely.
  • The JWKS client is built from a fully preconfigured rustls ClientConfig: ring provider set per-config (no process-global install_default side effect) and Mozilla's root store bundled via webpki-roots. This keeps the binary self-contained — no system CA bundle needed — so it works on musl / scratch / distroless images, matching reqwest 0.12's old rustls-tls behaviour.
  • Refreshed anyhow, envoy-types, getrandom and transitive deps.

No public API change.

Testing

  • cargo build / cargo nextest run ✅ 132/132
  • cargo check --features redis
  • cargo check --no-default-features --features aws_lc_rs
  • RUSTFLAGS=-Dwarnings cargo clippy --all-targets ✅ no warnings
  • cargo fmt --check
  • cargo deny check advisories
  • cargo publish --dry-run
  • Verified aws-lc-rs is gone from the tree; ring is the sole crypto provider
  • Verified the JWKS TLS config path handshakes against a live HTTPS JWKS endpoint (HTTP 200)

Closes #62
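
The testing list above includes a manual check that aws-lc-rs is gone from the tree and ring is the sole crypto provider. One way to turn that into a repeatable guard over `Cargo.lock` text, as an added example that is not part of this PR or the project's code; the function names, the provider-crate list and the lockfile excerpts are assumptions constructed for illustration:

```rust
// Added example, not project code. The provider-crate list is an assumption.
const PROVIDER_CRATES: [&str; 4] = ["ring", "aws-lc-rs", "aws-lc-sys", "aws-lc-fips-sys"];
/// Provider crates named by `[[package]]` entries, sorted and de-duplicated.
fn providers_in_lock(lock: &str) -> Vec<String> {
    let mut found: Vec<String> = Vec::new();
    let mut in_package = false;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            in_package = true;
        } else if line.starts_with('[') {
            in_package = false; // some other table, e.g. [metadata]
        } else if in_package {
            // Only the `name` key counts; dependency-array strings never match.
            let name = line.strip_prefix("name = \"").and_then(|r| r.strip_suffix('"'));
            if let Some(n) = name {
                if PROVIDER_CRATES.contains(&n) && !found.iter().any(|f| f == n) {
                    found.push(n.to_string());
                }
            }
        }
    }
    found.sort();
    found
}

/// Ok if `allowed` is present alone; Err lists other providers (empty = `allowed` missing).
fn check_sole_provider(lock: &str, allowed: &str) -> Result<(), Vec<String>> {
    let found = providers_in_lock(lock);
    let extra: Vec<String> = found.iter().filter(|n| n.as_str() != allowed).cloned().collect();
    if extra.is_empty() && found.iter().any(|n| n == allowed) { Ok(()) } else { Err(extra) }
}
// Constructed, trimmed lockfile excerpts (not taken from the project).
const LOCK_RING_ONLY: &str = r#"[[package]]
name = "ring"
[[package]]
name = "rustls"
dependencies = [
 "ring",
]"#;
const LOCK_MIXED: &str = r#"[[package]]
name = "aws-lc-rs"
[[package]]
name = "aws-lc-sys"
[[package]]
name = "ring""#;
fn main() {
    println!("{:?}", check_sole_provider(LOCK_RING_ONLY, "ring"));
    println!("{:?}", check_sole_provider(LOCK_MIXED, "ring"));
}
```

A lockfile check only covers the default resolution; feature combinations that are not locked in, such as the `aws_lc_rs` feature exercised in the testing list, need their own run.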

- reqwest 0.12 -> 0.13: the `rustls-tls` feature was removed in 0.13,
  which broke dependency resolution in CI
- 0.13's `rustls` feature hardwires the aws-lc-rs provider (C FFI,
  awkward for the musl static build), so use `rustls-no-provider` and
  install ring as the process default provider in the JWKS client,
  keeping the pure-Rust default and dropping aws-lc-rs from the tree
- roots now resolve via rustls-platform-verifier (system store with
  bundled Mozilla roots as fallback)
- refresh anyhow, envoy-types, getrandom and transitive deps

Supersedes #62.

coderabbitai Bot commented Jun 27, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 74a743e5-18c3-41e3-8434-22673b922b7f

📥 Commits

Reviewing files that changed from the base of the PR and between 50bf34f and 81a02b9.

📒 Files selected for processing (2)
  • Cargo.toml
  • src/auth/jwks.rs

📝 Walkthrough

Summary by CodeRabbit

  • Bug Fixes
    • Improved authentication-related network requests by updating TLS handling for better compatibility and reliability.
    • Added bundled root certificates, helping connections work consistently even when system CA certificates are unavailable.

Walkthrough

reqwest is bumped to 0.13 with rustls-no-provider and json features. rustls and webpki-roots are added explicitly. JwksCache::new now builds a preconfigured Rustls TLS backend and passes it to the HTTP client.

Changes

TLS Provider Wiring

| Layer / File(s) | Summary |
| --- | --- |
| Dependency update (Cargo.toml) | reqwest is updated to 0.13 with rustls-no-provider and json, and explicit rustls and webpki-roots dependencies are added. |
| JWKS TLS backend setup (src/auth/jwks.rs) | build_tls_config() creates a Rustls ClientConfig with the ring provider and Mozilla root certificates, and JwksCache::new uses it with tls_backend_preconfigured(...). |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately summarizes the main change: bumping reqwest and refreshing dependencies. |
| Description check | ✅ Passed | The description directly matches the dependency bump and TLS/config updates in the changeset. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Cargo.toml`:
- Around line 72-78: The JWKS client setup currently relies on the platform
verifier and does not add any custom roots, which can break in musl or minimal
images. Update the dependency/configuration around reqwest and rustls so the
JWKS trust store is explicit, using the relevant JWKS initialization path in
JwksCache::new and the rustls-no-provider setup. If explicit roots are not being
added, document that a system CA bundle is required for those environments.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: c3affa94-ae22-4b1e-a4be-cf362214a014

📥 Commits

Reviewing files that changed from the base of the PR and between 2d2b8fa and 50bf34f.

📒 Files selected for processing (2)
  • Cargo.toml
  • src/auth/jwks.rs

Comment thread Cargo.toml

greptile-apps Bot commented Jun 27, 2026


Greptile Summary

This PR migrates reqwest from 0.12 to 0.13, replacing the removed rustls-tls feature with rustls-no-provider and supplying a fully preconfigured rustls ClientConfig (ring provider + bundled Mozilla roots via webpki-roots) directly to the HTTP client — keeping the binary self-contained with no system CA bundle dependency.

  • reqwest 0.13 + rustls-no-provider: avoids the aws-lc-rs C FFI bundled by the new rustls feature, preserving the pure-Rust ring backend and musl/scratch/distroless compatibility.
  • Per-config TLS setup in build_tls_config(): ring provider is installed per ClientConfig via builder_with_provider, not via a process-global install_default(), so there is no ordering constraint for library or test callers.
  • Dependency refresh: anyhow, envoy-types, getrandom, and transitives updated alongside the major reqwest bump.

Confidence Score: 5/5

Safe to merge — the reqwest 0.13 migration is mechanically correct, the TLS configuration is well-scoped, and no regressions are introduced.

The change is narrowly scoped: it replaces a removed feature flag, adds two small direct dependencies, and introduces a single build_tls_config() helper that correctly wires the ring provider per-config with bundled Mozilla roots. The previous concern about process-global install_default() has been addressed. The unwrap_or_default() fallback is pre-existing and unchanged. All declared tests pass per the PR description.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| Cargo.toml | Bumps reqwest 0.12→0.13, replaces removed rustls-tls feature with rustls-no-provider, adds explicit rustls 0.23 (ring + tls12) and webpki-roots 1 dependencies; no breaking API changes to dependents. |
| src/auth/jwks.rs | Adds build_tls_config() to construct a per-config rustls ClientConfig using the ring provider and bundled Mozilla roots, then passes it via tls_backend_preconfigured — eliminates the previous process-global install_default() side effect cleanly. |

Reviews (2): Last reviewed commit: "fix(auth): pin self-contained rustls TLS..."

Comment thread src/auth/jwks.rs Outdated
reqwest 0.13's rustls-no-provider leaves the client on the platform
verifier with no bundled roots, which breaks TLS to the JWKS endpoint on
musl / scratch / distroless images that ship no system CA bundle. It also
required installing a process-global ring provider as a side effect of the
JwksCache constructor, an ordering hazard for library/test callers.

Hand reqwest a fully preconfigured rustls ClientConfig instead: the ring
provider is set per-config (no global install_default) and Mozilla's root
store is bundled via webpki-roots, restoring reqwest 0.12's self-contained
behaviour. Verified the exact config path handshakes against a live JWKS
endpoint.

polaz commented Jun 27, 2026


@coderabbitai review


coderabbitai Bot commented Jun 27, 2026

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@polaz polaz merged commit 734aa00 into main Jun 27, 2026
5 checks passed