Refresh Tauri lockfile while keeping the glib 0.18.5 RustSec exception narrow #327

Merged: seonghobae merged 6 commits into develop from copilot/stepwiserust-alert-owner-chain-v2 on Jun 18, 2026
Conversation

Copilot AI (Contributor) commented Jun 16, 2026

RUSTSEC-2024-0429 for glib 0.18.5 remains upstream-owned in the Tauri GTK/WebKit stack even after the latest compatible desktop lockfile refresh. This change updates the lockfile and repo-controlled policy evidence so the exception stays narrow, documented, and removable when upstream moves to patched glib >=0.20.0. It does not close the tracker issue yet because the vulnerable upstream-owned chain is still present.

  • Compatible desktop lockfile refresh

    • Refreshes apps/desktop/src-tauri/Cargo.lock to the latest compatible patch set available from the current dependency constraints.
    • Captures the currently reachable upstream chain without broadening the exception:
      • tauri 2.11.3
      • wry 0.55.1
      • tao 0.35.3
      • muda 0.19.3
  • Supply-chain policy evidence

    • Updates docs/security/dependency-policy.md to reflect the new state:
      • a compatible lockfile refresh exists
      • the refresh does not remove glib 0.18.5
      • the remaining exception is still limited to the Tauri/wry/webkit2gtk/gtk GTK3 chain
  • Guardrail expectation update

    • Adjusts services/analysis-engine/tests/test_supply_chain_policy.py so the policy test asserts the new documented evidence instead of stale version wording.
```toml
# apps/desktop/src-tauri/.cargo/audit.toml
"RUSTSEC-2024-0429", # glib 0.18.5: VariantStrIter unsoundness, transitive via Tauri/wry/webkit2gtk/gtk GTK3 stack; remove when upstream drops or patches the chain
```

Security Notes:

  • Untrusted inputs: no new runtime input path is introduced; this is dependency metadata and lockfile policy enforcement.
  • Trust boundary: the remaining vulnerable package is externally owned by the desktop framework stack, so the repo enforces a narrow owner-chain allowlist instead of broad suppression.
  • Safe failure: policy checks fail closed if glib versions are non-numeric, below patched range, unowned, or owned by unexpected packages.
  • Logging/privacy: no runtime user data is logged or exported by this tracking work.
  • Test points: python3 scripts/checks/verify_supply_chain.py, uv run --project services/analysis-engine pytest services/analysis-engine/tests/test_supply_chain_policy.py -q, cargo tree --manifest-path apps/desktop/src-tauri/Cargo.toml --target all -i glib@0.18.5, and cargo audit --no-fetch --stale.

Refs #196.

Copilot AI requested review from Copilot and removed request for Copilot June 16, 2026 15:14
Copilot AI changed the title from "[WIP] Track upstream-owned glib 0.18.5 RustSec exception" to "Refresh Tauri lockfile while keeping the glib 0.18.5 RustSec exception narrow" Jun 16, 2026
Copilot AI requested a review from seonghobae June 16, 2026 15:18
Copilot AI review requested due to automatic review settings June 18, 2026 10:11

Copilot AI left a comment


Pull request overview

This PR refreshes the Tauri desktop Rust dependency lockfile while keeping the documented RUSTSEC-2024-0429 (glib 0.18.5) exception explicitly scoped to the upstream GTK3/WebKit dependency chain, and updates the repo-controlled policy evidence + guardrail test to match the new state.

Changes:

  • Refresh apps/desktop/src-tauri/Cargo.lock to a newer compatible patch set (including tauri 2.11.2, wry 0.55.1, tao 0.35.3, muda 0.19.2, plus transitive updates).
  • Update docs/security/dependency-policy.md to record that a compatible lockfile refresh exists but still cannot reach patched glib >=0.20.0 due to upstream chain constraints.
  • Update services/analysis-engine/tests/test_supply_chain_policy.py to assert the new documented evidence string(s) instead of the prior “no compatible lockfile-only update” wording.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| services/analysis-engine/tests/test_supply_chain_policy.py | Updates the supply-chain policy guardrail assertions to match the refreshed lockfile evidence language. |
| docs/security/dependency-policy.md | Updates the documented scope/justification for the narrow glib 0.18.5 RustSec exception after a compatible lockfile refresh. |
| apps/desktop/src-tauri/Cargo.lock | Refreshes the desktop Rust lockfile to newer compatible patch versions while retaining the upstream-owned glib 0.18.5 chain. |


seonghobae marked this pull request as ready for review June 18, 2026 10:25
Copilot AI review requested due to automatic review settings June 18, 2026 10:25

Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.

Comment thread docs/security/dependency-policy.md Outdated
Comment thread services/analysis-engine/tests/test_supply_chain_policy.py
Copilot AI review requested due to automatic review settings June 18, 2026 10:33

Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated no new comments.

opencode-agent Bot commented Jun 18, 2026

OpenCode Review Overview

  • Head SHA: 8bb9c0b6c7204f52af04883684ec6c3cf8418d64
  • Workflow run: 27753520530
  • Workflow attempt: 1
  • Gate result: APPROVE (approval step)

Pull request overview

PR updates Rust dependencies and documentation. The autocfg crate update is a patch version bump with no breaking changes. Policy doc and test changes are minor and non-functional. Structural analysis shows no call chain impacts.

Findings

No blocking findings from OpenCode's independent review.

Verification

  • Review source: independent OpenCode review of the current checkout, focused changed hunks, and current-head GitHub Check evidence.
  • Structural exploration: completed before approval; if structural exploration, changed-file inspection, or evidence completeness is missing, OpenCode must not approve.
  • Result: APPROVE
  • Reason: Minor dependency updates with no detected risks

Gate evidence

  • Head SHA: 8bb9c0b6c7204f52af04883684ec6c3cf8418d64
  • Workflow run: 27753520530
  • Workflow attempt: 1

opencode-agent Bot left a comment

seonghobae (Collaborator) commented

Merge evidence for current head 8bb9c0b6c7204f52af04883684ec6c3cf8418d64:

  • OpenCode approved the current head in run 27753520530; structural exploration was completed before approval and is mandatory for approval.
  • Copilot review threads are resolved (PRRT_kwDORjvEXs6Kgkei, PRRT_kwDORjvEXs6KgkfB).
  • Required checks pass: CodeQL, ci / build-and-test, dependency-review, gate / build / macos, gate / build / windows, release-preflight, sbom, security-audit, trivy-fs-scan.
  • Full check surface also passes, including Bandit, Trivy, both CodeQL language jobs, OpenCode Review, ossf-scorecard, scorecard-sarif-upload, secret-scan-gate, supply-chain-inventory, and Windows/macOS amd64/arm64 builds.
  • Local verification passed: python3 scripts/checks/verify_supply_chain.py, targeted supply-chain policy pytest (158 passed), cargo audit --no-fetch --stale, cargo tree ... -i glib@0.18.5, and git diff --check.
  • Issue [Security] Track upstream-owned glib 0.18.5 RustSec exception #196 remains intentionally open and tracked; this PR uses Refs #196 because the upstream-owned glib 0.18.5 exception is narrowed but not removed.

Security Notes:

  • No new runtime network, file, URL, subprocess, IPC, WebView, update, model-download, logging, telemetry, or export path is introduced.
  • The change refreshes lockfile evidence for the existing upstream-owned GTK/WebKit/Tauri stack and keeps the RustSec exception narrow to glib 0.18.5 while documenting that compatible updates still do not reach glib >=0.20.0.
  • Supply-chain guardrails remain enforced by dependency review, SBOM, security audit, CodeQL, Trivy, Scorecard upload, and the policy regression test.

seonghobae merged commit dd7e125 into develop Jun 18, 2026
26 checks passed
seonghobae deleted the copilot/stepwiserust-alert-owner-chain-v2 branch June 18, 2026 10:48