[codex] fix Dependabot Rust alerts

[Vasanthdev2004]

Summary

Follow-up to #14 that addresses the open Rust Dependabot alerts.

What changed:

• Updates vulnerable Rust dependencies in Cargo.lock:
  • libp2p-gossipsub to the patched 0.49.4 line.
  • rand to patched 0.8.6 / 0.9.3 versions.
  • rustls-webpki to patched 0.103.13 and removes the old 0.101.x AWS TLS stack by disabling the legacy S3 rustls feature.
  • Removes vulnerable lru 0.12.x from the lockfile via AWS/libp2p updates.
• Removes the libp2p umbrella crate from gitlawb-node and depends only on the libp2p subcrates the node actually uses, so optional vulnerable mDNS/Hickory dependencies are not recorded in Cargo.lock.
• Moves P2P transport from TCP/Noise/Yamux to QUIC/UDP to remove the vulnerable Yamux dependency path.
• Updates Docker, Compose, Fly, README, .env.example, and run-node docs so the P2P port is exposed/documented as UDP.
• Updates Rust source-build requirement to Rust 1.91+, matching the current dependency floor.

Operational note

This changes the libp2p transport from TCP/Yamux to QUIC/UDP. HTTP fallback sync and bootstrap peer announcement remain available, but operators exposing P2P must expose UDP on GITLAWB_P2P_PORT.

Validation

• cargo fmt --all -- --check
• cargo check --workspace
• cargo clippy --workspace --all-targets -- -D warnings
• cargo test --workspace
• cargo build --release -p gitlawb-node -p gl -p git-remote-gitlawb
• docker compose config
• git diff --check
• Cargo.lock check confirms the alerted vulnerable package specs are no longer present: hickory-proto, yamux, libp2p-mdns, libp2p umbrella, rand 0.8.5/0.9.2, rustls-webpki 0.101.7/0.103.10, and lru 0.12.5.

cargo-audit is not installed in this environment, so advisory validation used GitHub Dependabot alert data plus local dependency graph/lockfile checks.

[Vasanthdev2004]

Blockers

None found.

Non-Blocking

• This is a real operational change, not only a lockfile bump: P2P moves from TCP/Yamux to QUIC/UDP. The docs/env/Docker/Fly updates cover that, but operators will need to expose UDP on GITLAWB_P2P_PORT during rollout.
• PR is still Draft, so leave it draft until CI finishes and Kevin/Anand are ready to review the transport change.

Looks Good

• Vulnerable dependency paths are removed or upgraded: hickory-proto, yamux, libp2p-mdns, the libp2p umbrella crate, vulnerable rand, vulnerable rustls-webpki, and old lru 0.12.x are no longer present as the alerted package specs.
• P2P now depends only on the needed libp2p subcrates and uses QUIC/UDP with updated bootstrap multiaddr examples.
• Rust version docs are aligned to the new dependency floor.
• Verified locally: cargo fmt --all -- --check, cargo check --workspace, cargo clippy --workspace --all-targets -- -D warnings, cargo test --workspace — 291/291 passing, and git diff --check clean.

---

Verdict: Approve once out of Draft — clean Dependabot/security follow-up, with the expected QUIC/UDP operator rollout note.