chore: introduce cargo-deny and justfile improvements

[shikhar]

Summary

• Add cargo-deny for dependency auditing (advisories, licenses, bans, sources)
• Ban openssl/openssl-sys in favor of rustls, aspirational ban on ring in favor of aws-lc-rs
• Switch rcgen from ring to aws_lc_rs crypto backend
• Add deny CI job and justfile recipe
• Add *args propagation to build, clippy, test, deny justfile recipes
• Rename serve to lite in justfile
• Bump dep versions (crossterm, ratatui, indexmap, proptest)

Test plan

• cargo deny check passes locally
• CI deny job passes

🤖 Generated with Claude Code

[greptile-apps]

Greptile Overview

Greptile Summary

• Adds a new CI job (deny) to run cargo deny check and introduces a deny.toml policy for advisories/licenses/bans/sources.
• Updates the workspace to prefer rustls/aws-lc (rcgen switches backend; openssl/openssl-sys denied) and bumps several dependency versions.
• Enhances justfile recipes to pass through extra args and adds deny/_ensure-deny helpers; renames serve to lite.
• Ties into existing Rust workspace flow by gating dependency policy via CI and local just recipes.

Confidence Score: 3/5

• This PR is mostly safe to merge, but cargo-deny may fail in CI due to its advisory DB path configuration.
• Core changes are additive (new CI job, deny config, just recipes) and dependency bumps are standard, but deny.toml hard-codes ~/.cargo/advisory-db, which is unlikely to exist in GitHub Actions and will prevent the new CI gate from passing until fixed.
• deny.toml

Important Files Changed

Filename	Overview
.github/workflows/ci.yml	Adds a new GitHub Actions job to run cargo deny check via taiki-e/install-action@cargo-deny.
Cargo.toml	Bumps workspace dependency versions and changes rcgen to disable default features and use aws_lc_rs backend; needs verification that all rcgen use-sites still compile.
cli/Cargo.toml	Bumps crossterm to 0.29 and ratatui to 0.30 for the CLI; may require API updates in TUI code depending on upstream changes.
cli/src/tui/ui.rs	Drops import of Stylize from ratatui style module; needs confirmation that no remaining code relies on that trait being in scope after the ratatui upgrade.
deny.toml	Introduces cargo-deny policy config; current config depends on a per-user advisory DB path and allows a git URL that appears to not match the dependency source used in this repo.
justfile	Adds args passthrough to several recipes, adds cargo-deny install/check recipes, and renames serve to lite.
Cargo.lock	Updates lockfile for dependency bumps (ratatui/crossterm/proptest/indexmap) and switches rcgen away from ring to aws-lc; verify this aligns with intended workspace dependency graph.

Sequence Diagram

sequenceDiagram
  participant Dev as Developer
  participant Just as justfile
  participant CI as GitHub Actions (ci.yml)
  participant Install as taiki-e/install-action@cargo-deny
  participant Cargo as cargo
  participant Deny as cargo-deny
  participant Config as deny.toml

  Dev->>Just: just deny [args]
  Just->>Cargo: cargo deny --version
  alt cargo-deny missing
    Just->>Cargo: cargo install cargo-deny
  end
  Just->>Deny: cargo deny check [args]
  Deny->>Config: read policy (advisories/licenses/bans/sources)
  Deny-->>Dev: pass/fail

  CI->>CI: start job "Deny"
  CI->>CI: actions/checkout@v4
  CI->>CI: dtolnay/rust-toolchain@stable
  CI->>Install: install cargo-deny
  CI->>Deny: cargo deny check
  Deny->>Config: read deny.toml
  Deny-->>CI: pass/fail (gate CI job)

Loading

[greptile-apps]

_{7 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}