@LudeeD LudeeD commented Jan 23, 2026

@LudeeD LudeeD requested review from Alw3ys and dduuukk as code owners January 23, 2026 14:50
coderabbitai bot commented Jan 23, 2026

Walkthrough

The pull request updates Rust dependencies in the CLI Cargo.toml, upgrading russh and adding rand_core while removing obsolete dependencies. It disables three services (api, bore, device) in the Docker Compose configuration through commenting while adding an explicit build configuration for the postgres service.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Rust CLI Dependencies: cli/Cargo.toml | Updated russh from 0.53 to 0.56; removed openssl (vendored), async-trait, and ed25519-dalek; added rand_core 0.9 |
| Docker Compose Configuration: compose.yaml | Commented out api, bore, and device service blocks; added postgres service with explicit build instruction (dockerfile: postgres.Dockerfile); networks and volume definitions preserved |

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'chore: bump versions' accurately summarizes the main change—updating dependency versions in cli/Cargo.toml. |
| Description check | ✅ Passed | The description references a Dependabot security issue, which is related to the version bumps and dependency changes in the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@cli/Cargo.toml`:
- Around line 39-44: The Cargo.toml currently lists an explicit rand_core
dependency that conflicts with rand 0.8's transitive rand_core 0.6; remove the
explicit rand_core = { version = "0.9" } line (or change it to rand_core = "0.6"
if you need to keep it) so the project relies on rand 0.8's compatible
rand_core; verify code uses only rand public API (OsRng, Rng) and run cargo
update/build to confirm no duplicate dependency warnings.
🧹 Nitpick comments (1)
compose.yaml (1)

3-25: Prefer profiles/overrides instead of commenting out services.

Commenting out api, bore, and device removes them from default workflows and makes re-enabling error-prone. If the intent is “disabled by default,” consider using profiles or a compose.override.yaml so the definitions stay valid and easy to toggle. Also confirm this behavior change is intended for a “bump versions” PR.

Also applies to: 40-67

Comment on lines 39 to +44
rand = "0.8"
ed25519-dalek = "2.1.1"
self_update = { version = "0.42.0", features = ["archive-zip", "compression-zip-deflate"] }
serde_html_form = "0.2.8"
cliclack = "0.3.7"
regex = "1.12.2"
rand_core = { version = "0.9" }
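Review bot: `rand_core = { version = "0.9" }` on the last line of this hunk is not aligned with `rand = "0.8"` on its first line, and nothing here says which dependency needs the newer one. Add a short comment on the line naming the crate or API that requires rand_core 0.9, or drop the line if nothing in the CLI imports it. With only `version` set, the inline table can also be written as `rand_core = "0.9"`.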
⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

rand 0.8 crate dependencies rand_core version

💡 Result:

rand 0.8.x depends on rand_core 0.6.

  • In rand 0.8.5’s published Cargo.toml, the dependency is rand_core = ... version = "0.6.0" (Cargo will resolve this as the 0.6.* line, i.e. ^0.6.0). [1]
  • Dependency summary pages also report rand_core required as ^0.6.0 for rand 0.8.5. [2]

So, if you’re aligning versions manually, use:

rand = "0.8"
rand_core = "0.6"

Sources: [1] https://docs.rs/crate/rand/0.8.5/source/Cargo.toml.orig | [2] https://deps.rs/crate/rand/0.8.5


🏁 Script executed:

# Let's also search for any Cargo dependency information in the repo
git ls-files | head -20

Repository: Teton-ai/smith

Length of output: 470


🏁 Script executed:

rg "rand_core" --type rust

Repository: Teton-ai/smith

Length of output: 40


🏁 Script executed:

rg "RngCore" --type rust

Repository: Teton-ai/smith

Length of output: 40


🏁 Script executed:

# Check the full Cargo.toml to understand context
cat cli/Cargo.toml

Repository: Teton-ai/smith

Length of output: 1234


🏁 Script executed:

# Check dependencies of the main workspace crates
cat Cargo.toml | grep -A 50 "\[dependencies\]" | head -60

Repository: Teton-ai/smith

Length of output: 40


🏁 Script executed:

# Look for any usage patterns that might justify rand_core 0.9
find . -name "Cargo.toml" -type f | xargs grep -l "rand_core"

Repository: Teton-ai/smith

Length of output: 74


🏁 Script executed:

# Check if rand_core is actually needed in the project
rg "use.*rand" --type rust -A 2 | head -50

Repository: Teton-ai/smith

Length of output: 363


Remove or align rand_core version with rand 0.8's dependency.

The explicit rand_core = { version = "0.9" } is unnecessary—rand 0.8 already depends on rand_core 0.6. This creates dependency duplication. Since the codebase uses only rand's public API (OsRng, Rng), remove the explicit rand_core dependency or pin it to "0.6" to match rand's requirement.

🤖 Prompt for AI Agents
In `@cli/Cargo.toml` around lines 39 - 44, The Cargo.toml currently lists an
explicit rand_core dependency that conflicts with rand 0.8's transitive
rand_core 0.6; remove the explicit rand_core = { version = "0.9" } line (or
change it to rand_core = "0.6" if you need to keep it) so the project relies on
rand 0.8's compatible rand_core; verify code uses only rand public API (OsRng,
Rng) and run cargo update/build to confirm no duplicate dependency warnings.
