feat: add --deep MIR-based analysis via capsec-driver

  Adds a `--deep` flag to `cargo capsec audit` that uses rustcs MIR
  (Mid-level IR) to analyze all crates in the dependency tree, catching
  authority usage that syntactic analysis misses — macro-expanded FFI
  calls try_call!, trait dispatch, and generic instantiation.

  Architecture:
  - New `crates/capsec-deep/` crate (excluded from workspace, requires nightly)
  - `capsec-driver` binary implements `rustc_driver::Callbacks::after_analysis`
  - Walks MIR BasicBlocks → TerminatorKind::Call → extracts DefId targets
  - Classifies calls against authority patterns via def_path_str
  - Detects FFI calls via tcx.is_foreign_item — sees through macro wrappers
  - Filters std/core/alloc and proc-macro crates to reduce noise
  - Uses RUSTC_WRAPPER to analyze all crates including transitive dependencies
  - Communicates findings via JSONL temp file ($CAPSEC_DEEP_OUTPUT)
  - CLI reads JSONL, patches crate names/versions to match Cargo metadata,
    deduplicates against syntactic findings, merges into unified output

  Tested on heartwood: 613 → 837 findings, 12 → 26 crates analyzed.
  New findings include std::net socket config calls, std::fs::OpenOptions,
  std::env::temp_dir, and FFI calls resolved through macros that the
  syntactic scanner could not see.

Author: bordumb

Cargo.toml

@@ -12,6 +12,7 @@ members = [
 ]
 exclude = [
     "crates/capsec-example-db",
+    "crates/capsec-deep",
 ]
 
 [workspace.package]

crates/capsec-deep/Cargo.lock

@@ -0,0 +1,18 @@
+[package]
+name = "capsec-deep"
+version = "0.1.0"
+edition = "2024"
+license = "Apache-2.0"
+description = "MIR-based deep analysis driver for capsec — requires nightly"
+publish = false
+
+[[bin]]
+name = "capsec-driver"
+path = "src/main.rs"
+
+[dependencies]
+serde = { version = "1", features = ["derive"] }
+serde_json = "1"
+
+[package.metadata.rust-analyzer]
+rustc_private = true

crates/capsec-deep/Cargo.toml

@@ -0,0 +1,14 @@
+/// Embeds the sysroot library path so the binary can find librustc_driver at runtime.
+fn main() {
+    let rustc = std::env::var("RUSTC").unwrap_or_else(|_| "rustc".to_string());
+    let output = std::process::Command::new(&rustc)
+        .arg("--print=sysroot")
+        .output()
+        .expect("Failed to run rustc --print=sysroot");
+    let sysroot = String::from_utf8(output.stdout)
+        .expect("Invalid UTF-8 from rustc --print=sysroot");
+    let sysroot = sysroot.trim();
+
+    // Link against the sysroot lib directory so librustc_driver.dylib/.so is found
+    println!("cargo:rustc-link-arg=-Wl,-rpath,{sysroot}/lib");
+}

crates/capsec-deep/build.rs

@@ -0,0 +1,4 @@
+[toolchain]
+channel = "nightly-2026-02-17"
+components = ["rustc-dev", "llvm-tools", "rust-src"]
+profile = "minimal"