
chore: migrate off reqwest 0.11 to clear unmaintained transitives #188

Closed
dobby-coder[bot] wants to merge 2 commits into main from dobby/reqwest-0.12-migration

Conversation


@dobby-coder dobby-coder Bot commented May 17, 2026

Closes #186.

What

Bumps reqwest 0.11.x → 0.12 in pg-pkg and pg-cli, and vendors the irma crate at ./irma/ (workspace member, redirected via [patch.crates-io]) so its reqwest dependency can be bumped to 0.12 too. Upstream tweedegolf/irmars has been dormant since 2021-12 and never published a reqwest-0.12 release, so a published version isn't available.

Why

Eliminates the reqwest 0.11.27 → rustls-pemfile 1.0.4 transitive flagged by RUSTSEC-2025-0134, and reshapes the tokio-io (RUSTSEC-2026-0058) dependency tree so it no longer routes through reqwest 0.11.

After this PR, cargo audit from the repo root reports zero advisories beyond the existing rsa Marvin allowlist entry (tracked separately in #177).

Changes

| File | Change |
| --- | --- |
| irma/ (new) | Vendored copy of irma 0.2.1 source from crates.io. Cargo.toml patched to use reqwest 0.12 (json + default-tls); license unchanged (Apache-2.0); other source files byte-identical to crates.io. |
| Cargo.toml | irma added to workspace members; new [patch.crates-io] irma = { path = "irma" } block. |
| pg-pkg/Cargo.toml | reqwest = "0.11.10" → reqwest = "0.12". |
| pg-cli/Cargo.toml | reqwest = { version = "0.11.14", default-features = false, features = ["json"] } → version = "0.12" with default-tls added back so the CLI still has a TLS backend. |
| .cargo/audit.toml | RUSTSEC-2025-0134 removed (cleared). RUSTSEC-2026-0058 retained with an updated comment — see Caveat below. |

Caveat: tokio-io advisory partially cleared

The issue body assumed both advisories would be cleared by the same migration. The reqwest 0.11 path is gone, but RUSTSEC-2026-0058 (tokio-io 0.1.13) still surfaces through a different chain:

tokio-io 0.1.13
└── futures-util 0.3.32 (with "compat"/"io-compat")
    ├── tower-http 0.6.10 → reqwest 0.12.28
    ├── sqlx-sqlite 0.8.6, sqlx-postgres 0.8.6, sqlx-mysql 0.8.6

postguard does not call into the compat shim directly. The allowlist entry is retained with a revised comment explaining the remaining path; it'll need a tower-http / sqlx upstream fix to clear.

Verification

  • cargo build --workspace — clean.
  • cargo test --manifest-path pg-core/Cargo.toml --features test,rust,stream → 51 passed (matches CI matrix).
  • cargo test --manifest-path pg-pkg/Cargo.toml --all-features → 30 passed.
  • cargo test --manifest-path pg-cli/Cargo.toml --all-features → 7 passed.
  • cargo test --manifest-path pg-ffi/Cargo.toml --all-features → 1 passed.
  • cargo build --profile edge --bin pg-pkg — clean (matches Docker CI invocation; Dockerfile pins rustc 1.91.1 which the dep bump is compatible with).
  • cargo audit — no advisories triggered; one allowed warning (the rsa Marvin entry from #177, "chore: refresh dependency lockfile and address audit warnings").
  • cargo fmt --all -- --check — clean.
  • Confirmed cargo tree -p pg-pkg -i rustls-pemfile no longer matches any package.

Reviewer quickstart

git fetch origin && git checkout dobby/reqwest-0.12-migration
cargo build --workspace
cargo audit

Risks

  • Vendoring imports ~1300 LOC of irma source into the postguard tree. Acceptable given upstream is dormant; if you'd rather track an encryption4all fork or a different downstream maintainer, swap the [patch.crates-io] line to point at a git url instead — the rest of the diff is unaffected.

🤖 Generated with Claude Code
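The two manifest pieces this PR relies on, shown together as an added illustration rather than the PR's own diff: the workspace-root `[patch.crates-io]` redirect that makes every `irma = "0.2.1"` requirement resolve to the vendored directory, and the `.cargo/audit.toml` allowlist entry that keeps RUSTSEC-2026-0058 ignored with a comment recording why. The workspace member list is assumed from the crates named in the Verification section; the exact contents of the repo's real files are not on this page.

```toml
# --- Cargo.toml at the workspace root (illustrative; member list assumed) ---
[workspace]
members = ["pg-core", "pg-pkg", "pg-cli", "pg-ffi", "irma"]

# Every `irma = "0.2.1"` requirement in the member crates now resolves to the
# vendored copy instead of the crates.io tarball, so the members' own
# Cargo.toml files need no edits. Cargo still checks that the patched
# package's version satisfies the original requirement.
[patch.crates-io]
irma = { path = "irma" }

# --- irma/Cargo.toml, the one line changed in the vendored crate ---
[dependencies]
reqwest = { version = "0.12", features = ["json", "default-tls"] }

# --- .cargo/audit.toml (illustrative) ---
[advisories]
# RUSTSEC-2026-0058: tokio-io 0.1.13 is unmaintained. After the reqwest 0.12
# bump it is reached only via futures-util's io-compat shim, pulled in by
# tower-http and sqlx-*; postguard does not call the shim itself. Drop this
# entry once tower-http / sqlx stop depending on it.
ignore = ["RUSTSEC-2026-0058"]
```

Keeping the reason next to the `ignore` entry is what lets a later `cargo audit` reviewer tell a still-valid allowlist from a stale one; the PR's "Caveat" section is exactly that kind of record.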

Bumps `reqwest` 0.11 -> 0.12 in `pg-pkg` and `pg-cli`, and vendors `irma`
0.2.1 at `./irma/` (workspace member, patched in via `[patch.crates-io]`)
so its `reqwest` dep can be bumped to 0.12 as well — upstream
tweedegolf/irmars is dormant since 2021-12 and ships no 0.12 release.

Clears RUSTSEC-2025-0134 (rustls-pemfile 1.x unmaintained) from the
allowlist outright. RUSTSEC-2026-0058 (tokio-io unmaintained) is kept but
re-scoped: it now comes from `tower-http` and `sqlx` 0.8 via
`futures-util`'s io-compat shim rather than from reqwest 0.11.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@dobby-coder dobby-coder Bot requested a review from rubenhensen May 17, 2026 17:17
`cargo chef prepare` failed on `Build (amd64)` / `Build (arm64)` because
the workspace now lists `./irma` as a member but the Dockerfile didn't
COPY the directory into the planner/builder stages.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@dobby-coder dobby-coder Bot left a comment

Reviewed the diff, the vendored irma source, and CI. (Note: GitHub blocks self-approval since the bot authored this PR — leaving this as a comment review for @rubenhensen to approve.)

  • All CI checks pass (build amd64/arm64, fmt, tests across core/cli/pkg/ffi, wasm tests, docker scan).
  • irma/src/ is byte-identical to crates.io irma 0.2.1 (verified by diff against the published crate tarball). Only delta in irma/Cargo.toml is the reqwest = "0.12" bump plus a few dev-dep version bumps; license + authors preserved.
  • [patch.crates-io] irma = { path = "irma" } correctly redirects existing irma = "0.2.1" requirements in pg-pkg/pg-cli/pg-core with no manifest churn.
  • Dockerfile / dev.Dockerfile additions of COPY irma ./irma are necessary because each workspace member is copied explicitly.
  • .cargo/audit.toml change accurately reflects the new state: RUSTSEC-2025-0134 cleared, RUSTSEC-2026-0058 retained with an updated comment explaining the remaining tower-http / sqlx futures-util io-compat path.
  • pg-cli adding default-tls back alongside json is correct since reqwest 0.12 with default-features = false no longer pulls a TLS backend implicitly.

No blockers — ready to merge from this agent's side.

@rubenhensen

Superseded by #192. The encryption4all fork is now published on crates.io as irmars 0.2.2 (which already uses reqwest 0.12), so the vendored ./irma/ source in this PR is no longer needed — #192 achieves the same dependency graph with ~1300 fewer lines of code in this repo. Will close this once #192 merges.

rubenhensen added a commit that referenced this pull request May 18, 2026
The upstream tweedegolf/irma crate has been dormant since 2021 and
never published a reqwest-0.12 release, leaving postguard pinned to
reqwest 0.11 and pulling in the unmaintained rustls-pemfile 1.0.4.

Switch every pg-* crate from the abandoned irma 0.2.1 to the
encryption4all fork published as irmars 0.2.2. Use the Cargo
package-rename trick so existing use irma::... call sites stay
unchanged. irmars 0.2.2 ships with reqwest 0.12 and thiserror 2,
which lets pg-pkg and pg-cli bump to reqwest 0.12 in the same step.

Clears RUSTSEC-2025-0134 (rustls-pemfile unmaintained) from the
cargo-audit allowlist. RUSTSEC-2026-0058 (tokio-io unmaintained)
still surfaces through tower-http and sqlx-* via futures-util's
compat shim, so its allowlist entry is retained with an updated
comment explaining the remaining transitive path.

Supersedes #188 (which used a vendored irma source as a workaround).
Closes #186.
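The "Cargo package-rename trick" the superseding commit refers to, written out as an added example (assumed manifest fragment, not the commit's actual diff): the dependency keeps the name `irma` inside the crate, so existing `use irma::...` paths compile unchanged, while Cargo fetches the crates.io package `irmars` from the encryption4all fork. The `reqwest` line mirrors the pg-cli change described earlier in the thread; the remaining entries of the real manifests are not on this page.

```toml
# pg-cli/Cargo.toml, dependency section only (illustrative)
[dependencies]
# Rename: this crate refers to the dependency as `irma`, but the package
# resolved from crates.io is `irmars` 0.2.2, which already depends on
# reqwest 0.12 and thiserror 2. No `[patch.crates-io]` or vendored tree needed.
irma = { package = "irmars", version = "0.2.2" }

# reqwest 0.12 with default features disabled pulls in no TLS backend, so the
# backend must be named explicitly alongside the json feature.
reqwest = { version = "0.12", default-features = false, features = ["json", "default-tls"] }
```

Compared with the vendoring approach of this PR, the rename keeps the supply-chain surface at one published, versioned package that `cargo audit` and `cargo tree` can reason about, instead of roughly 1300 lines of copied source that would need to be re-diffed against upstream on every review.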
@rubenhensen rubenhensen deleted the dobby/reqwest-0.12-migration branch May 18, 2026 09:39
Successfully merging this pull request may close these issues.

chore: migrate postguard off reqwest 0.11 (to clear unmaintained transitives)