fix(deps): patch rust advisories quinn-proto and memmap2#632

Merged
bindsi merged 1 commit into
mainfrom
fix/rust-advisories-quinn-memmap
Jun 23, 2026
Conversation

@bindsi (Member) commented Jun 23, 2026

Description

Patches two newly published Rust security advisories that are failing the Dependency Audit (cargo-audit) CI job and blocking unrelated PRs (for example #519) from merging. Both fixes are semver-compatible, lockfile-only dependency bumps with no source or behavior changes.

  • quinn-proto 0.11.14 -> 0.11.15 in src/500-application/502-rust-http-connector/services/broker to resolve RUSTSEC-2026-0185: Remote memory exhaustion from unbounded out-of-order stream reassembly (CVSS 7.5 HIGH, denial-of-service).
  • memmap2 0.9.10 -> 0.9.11 in src/500-application/507-ai-inference/services/ai-edge-inference and ai-edge-inference-crate to resolve RUSTSEC-2026-0186: Unchecked pointer offset (unsound).

These were addressed by upgrading the affected dependencies to their patched releases rather than allow-listing them in .github/audit.toml / osv-scanner.toml, because fixed versions are available and semver-compatible.

Related Issue

Relates to #519 (the cargo-audit failures were blocking that PR)

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Blueprint modification or addition
  • Component modification or addition
  • Documentation update
  • CI/CD pipeline change
  • Other (please describe):

Implementation Details

  • Ran cargo update -p quinn-proto --precise 0.11.15 in the 502-rust-http-connector broker crate.
  • Ran cargo update -p memmap2 --precise 0.9.11 in both 507-ai-inference crates.
  • Only Cargo.lock files changed; the affected entries are transitive dependencies, so no Cargo.toml manifest edits were required.
  • The diff is limited to the dependency version and checksum lines (6 lines across 3 lockfiles); no other dependencies were moved.

Testing Performed

  • Terraform plan/apply
  • Blueprint deployment test
  • Unit tests
  • Integration tests
  • Bug fix includes regression test (see Test Policy)
  • Manual validation
  • Other:

Ran cargo audit --deny warnings (with the repo .github/audit.toml allow-list applied) against each affected crate; all three now report no advisories. The remaining allow-listed advisories (instant, paste, rustls-pemfile, rand) are unchanged.

Validation Steps

  1. For each affected crate, copy the allow-list: cp .github/audit.toml <crate>/.cargo/audit.toml.
  2. Run cargo audit --deny warnings in:
    • src/500-application/502-rust-http-connector/services/broker
    • src/500-application/507-ai-inference/services/ai-edge-inference
    • src/500-application/507-ai-inference/services/ai-edge-inference-crate
  3. Confirm each reports no error: advisories.

Checklist

  • I have updated the documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have run terraform fmt on all Terraform code
  • I have run terraform validate on all Terraform code
  • I have run az bicep format on all Bicep code
  • I have run az bicep build to validate all Bicep code
  • I have checked for any sensitive data/tokens that should not be committed
  • Lint checks pass (run applicable linters for changed file types)

Security Review

  • No credentials, secrets, or tokens are hardcoded or logged
  • RBAC and identity changes follow least-privilege principles
  • No new network exposure or public endpoints introduced without justification
  • Dependency additions or updates have been reviewed for known vulnerabilities
  • Container image changes use pinned digests or SHA references

Additional Notes

  • Terraform/Bicep checklist items are not applicable; this change touches only Rust Cargo.lock files.
  • This change does not touch any security-sensitive paths (SECURITY.md, src/000-cloud/010-security-identity/, deploy/), so the security-reviewed label should not be required.
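
An added example, not part of the PR or the project's own tooling: an offline gate that reads each Cargo.lock directly and confirms it pins at least the patched release of the two crates named above. It complements the cargo audit run in the validation steps (which needs the advisory database) and catches the case where a bump landed in one lockfile but not in a sibling crate's. The minimum versions are taken from the PR description; the lockfile contents, the lock_versions / version_ge / lock_ok / check_tree function names and the sample directory are all constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm a Cargo.lock pins >= the patched release of each
# advisory package. The lockfiles written below are constructed sample data.

# lock_versions LOCKFILE PACKAGE -> prints every version pinned for PACKAGE,
# one per line (a lockfile can carry the same crate at several versions).
lock_versions() {
    awk -v pkg="$2" '
        /^\[\[package\]\]/ { name = "" }
        /^name = /    { gsub(/"/, "", $3); name = $3 }
        /^version = / { gsub(/"/, "", $3); if (name == pkg) print $3 }
    ' "$1"
}

# version_ge A B -> succeeds when dotted-numeric version A >= B.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
    done
    return 0
}

# lock_ok LOCKFILE PACKAGE MINVER -> succeeds when every pinned version of
# PACKAGE is >= MINVER. A package absent from the lock is not affected.
lock_ok() {
    lock="$1"; pkg="$2"; min="$3"; status=0; found=0
    for v in $(lock_versions "$lock" "$pkg"); do
        found=1
        if version_ge "$v" "$min"; then
            echo "ok   $lock: $pkg $v >= $min"
        else
            echo "FAIL $lock: $pkg $v < $min"
            status=1
        fi
    done
    [ "$found" -eq 1 ] || echo "skip $lock: $pkg not present"
    return "$status"
}

# Minimum patched versions, as stated in the PR description.
QUINN_MIN=0.11.15
MEMMAP2_MIN=0.9.11

# check_tree DIR -> run both advisory checks over every *.lock under DIR;
# succeeds only if every lockfile passes.
check_tree() {
    rc=0
    for lock in $(find "$1" -name '*.lock' | sort); do
        lock_ok "$lock" quinn-proto "$QUINN_MIN" || rc=1
        lock_ok "$lock" memmap2 "$MEMMAP2_MIN" || rc=1
    done
    return "$rc"
}

# Constructed sample lockfiles: one already patched, one still on the
# vulnerable quinn-proto release (hypothetical content, not from the repo).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/patched.lock" <<'EOF'
[[package]]
name = "memmap2"
version = "0.9.11"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "quinn-proto"
version = "0.11.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
EOF
cat > "$SAMPLE_DIR/stale.lock" <<'EOF'
[[package]]
name = "quinn-proto"
version = "0.11.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
EOF

# Usage: the patched lock passes both checks; the stale one is reported.
lock_ok "$SAMPLE_DIR/patched.lock" quinn-proto "$QUINN_MIN"
lock_ok "$SAMPLE_DIR/patched.lock" memmap2 "$MEMMAP2_MIN"
check_tree "$SAMPLE_DIR" || echo "at least one lockfile still pins a vulnerable release"
```

In the repo this would be run with the three crate directories from the validation steps as the tree argument; it does not replace cargo audit, since it knows nothing about advisories beyond the two minimum versions it is given.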

Bump quinn-proto 0.11.14 -> 0.11.15 to resolve RUSTSEC-2026-0185 (remote memory exhaustion from unbounded out-of-order stream reassembly, CVSS 7.5) in 502-rust-http-connector broker.

Bump memmap2 0.9.10 -> 0.9.11 to resolve RUSTSEC-2026-0186 (unchecked pointer offset / unsound) in 507-ai-inference services. Both are semver-compatible lockfile-only bumps that unblock the cargo-audit dependency-audit CI job.
@bindsi bindsi requested a review from a team June 23, 2026 10:55

@katriendg (Collaborator) left a comment

Thanks!

@codecov-commenter commented Jun 23, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 32.09%. Comparing base (78bcd91) to head (ea2ccb0).

@@           Coverage Diff           @@
##             main     #632   +/-   ##
=======================================
  Coverage   32.09%   32.09%           
=======================================
  Files          40       40           
  Lines        5960     5960           
=======================================
  Hits         1913     1913           
  Misses       4047     4047           
Flag: rust   Coverage: 32.09% <ø> (ø)

@bindsi bindsi merged commit 2b99b5e into main Jun 23, 2026
61 checks passed
@bindsi bindsi deleted the fix/rust-advisories-quinn-memmap branch June 23, 2026 11:21
Labels: None yet