build(application): upgrade azure_iot_operations binaries in 500 applications

[kgmwang1]

Summary

This PR upgrades Azure IoT Operations dependencies across 500-application services to current crates.io releases, refreshes related lockfiles and runtime code paths, and hardens Rust CI behavior for private-registry scenarios.

Why

Move off older aio-sdks-pinned crate versions in application services.
Align service dependency versions and lockfiles for consistent builds.
Reduce CI fragility when private registry auth is unavailable.
Carry forward security/build fixes from dependency refreshes.

What Changed

Upgraded/migrated Azure IoT Operations Rust dependencies across application services:
azure_iot_operations_mqtt moved to 1.0.2 in multiple services.
azure_iot_operations_protocol moved to 1.0.0 where required.
azure_iot_operations_services standardized to 1.2.0 with state_store.
Refreshed Cargo lockfiles and selected Docker/runtime code for affected services.
Updated CI workflow behavior in rust-tests.yml :
Handles aio-sdks token-based auth more explicitly.
Skips token-required coverage jobs when token is missing.
Uses cargo llvm-cov --locked for reproducibility.

API Breaking changes resolved:

• SessionConnectionMonitor -> SessionMonitor
• publish -> publish_qos1
• Adopted TopicName, TopicFilter, SubscribeProperties, and PublishProperties
• message.topic -> message.topic_name

Additional note for 507:

Removed its direct azure_iot_operations_protocol dependency.

Closes #298

[codecov-commenter]

Codecov Report

❌ Patch coverage is 0% with 97 lines in your changes missing coverage. Please review.
✅ Project coverage is 31.80%. Comparing base (5c30b25) to head (a771adf).

Files with missing lines	Patch %	Lines
...i-inference/services/ai-edge-inference/src/mqtt.rs	0.00%	26 Missing ⚠️
...rvices/mqtt-otel-trace-exporter/src/mqtt_client.rs	0.00%	24 Missing ⚠️
...tp-connector/services/broker/src/mqtt_publisher.rs	0.00%	14 Missing ⚠️
...services/media-capture-service/src/mqtt_handler.rs	0.00%	13 Missing ⚠️
...ust-http-connector/services/subscriber/src/main.rs	0.00%	10 Missing ⚠️
...ion/501-rust-telemetry/services/sender/src/main.rs	0.00%	4 Missing ⚠️
...n/501-rust-telemetry/services/receiver/src/main.rs	0.00%	3 Missing ⚠️
...02-rust-http-connector/services/broker/src/main.rs	0.00%	2 Missing ⚠️
...tp-connector/services/broker/src/uptime_monitor.rs	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #519      +/-   ##
==========================================
- Coverage   32.09%   31.80%   -0.30%     
==========================================
  Files          40       40              
  Lines        5960     6015      +55     
==========================================
  Hits         1913     1913              
- Misses       4047     4102      +55     

Flag	Coverage Δ
rust	31.80% <0.00%> (-0.30%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
...vices/media-capture-service/src/video_processor.rs	12.92% <ø> (ø)
...tp-connector/services/broker/src/uptime_monitor.rs	0.00% <0.00%> (ø)
...02-rust-http-connector/services/broker/src/main.rs	0.00% <0.00%> (ø)
...n/501-rust-telemetry/services/receiver/src/main.rs	66.44% <0.00%> (ø)
...ion/501-rust-telemetry/services/sender/src/main.rs	47.45% <0.00%> (ø)
...ust-http-connector/services/subscriber/src/main.rs	0.00% <0.00%> (ø)
...services/media-capture-service/src/mqtt_handler.rs	0.00% <0.00%> (ø)
...tp-connector/services/broker/src/mqtt_publisher.rs	0.00% <0.00%> (ø)
...rvices/mqtt-otel-trace-exporter/src/mqtt_client.rs	0.00% <0.00%> (ø)
...i-inference/services/ai-edge-inference/src/mqtt.rs	3.11% <0.00%> (-0.13%)	⬇️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[bindsi]

🤖 Automated review: AIO SDK upgrades (0.x→1.x) look correct across .NET and Rust crates. One observation:

reqwest downgrade (non-blocking): In 502-rust-http-connector/services/broker/Cargo.toml, reqwest is changed from 0.12 to 0.11.6. This is a semver downgrade — reqwest 0.12 has different APIs from 0.11 (e.g., the Body type and builder patterns changed). If the AIO SDK 1.0.2 pins to reqwest 0.11.x internally, this may be intentional for compatibility, but please confirm this doesn't regress any HTTP client functionality in the broker service. The same version (0.11.6) is also added as a new dep in media-capture-service.

[bindsi]

Automated batch review: requesting changes for one blocking lockfile issue.

[github-actions]

Dependency Review

The following issues were found:

• ❌ 1 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 14 package(s) with unknown licenses.
• ⚠️ 27 packages with OpenSSF Scorecard issues.

View full job summary

[bindsi]

Approving — all previously blocking feedback has been addressed and CI is green.

Verified on the current head (e2b52a0):

• Lockfiles in sync (was blocking): Cargo.lock files were regenerated and all Rust Tests / coverage jobs now pass with cargo llvm-cov --locked. The original --locked failure is resolved.
• reqwest no longer downgraded: 502-rust-http-connector/services/broker/Cargo.toml now pins reqwest = "0.12.28" (kept on 0.12, json feature added) instead of the earlier 0.11.6. No hyper 0.14/1.x regression.
• ort default-features concern: the 507-ai-inference/.../ai-edge-inference-crate/Cargo.toml change is no longer in the diff, so load-dynamic is not being silently dropped.
• Workflow precision fixes applied: the aio-sdks registry grep now excludes commented lines (grep -v '^\s*#') and the Codecov upload is guarded by hashFiles() so skipped crates don't produce noisy failures.

All 5 review threads are resolved and all 61 checks are passing (success/skipped/neutral, none failing or pending). AIO SDK 0.x→1.x upgrades across the .NET and Rust crates look consistent, with matching lockfile updates.

Non-blocking observation for a follow-up: .cargo/config.toml removes the aio-sdks registry definition (packages now resolved from crates.io), while rust-tests.yml still contains the cargo login --registry aio-sdks step and the registry = "aio-sdks" skip guard. These are now effectively dead paths since no Cargo.toml references that registry — safe to leave, but worth pruning later to avoid confusion.

[katriendg]

Thanks for the iterative work on this 🙏

Big thanks to @kgmwang1 and Marcel Bindseil for pushing this AIO SDK GA migration through a long series of iterations and for cleaning up the merge-conflict artifacts that were breaking CI. The app coverage is spot on — I verified against main that exactly the six src/500-application services that depend on the AIO SDKs (500, 501, 502, 503, 504, 507) are updated, with no app missed, and the 507 mqtt.rs API migration lines up cleanly with the GA SDK surface. 👏

I'm marking this Request changes for a few valid items that should be applied before we merge. They're small and mostly mechanical — I've left inline suggestions where possible.

🔴 Please address before merge

1. Pin to GA, not beta — azure_iot_operations_services is set to 1.3.0-beta1 in 501 (sender + receiver) and 507. crates.io confirms 1.2.0 is the max stable release, which is the GA target in #298. Inline suggestion blocks are attached on all three manifests. If any code path actually requires a 1.3.0-beta1-only API, let's call that out explicitly rather than ship a pre-release.
2. Remove out-of-scope files — src/500-application/514-wasm-msg-to-dss/operators/msg-to-dss-key/src/enricher.rs and .../resources/graphs/lowcode-pallet-correlation-enrichment.yaml are new feature files unrelated to the SDK upgrade (#298 explicitly lists new AIO usage as out of scope). Inline comments attached.
3. Drop the dead aio-sdks CI logic — since every 500-application crate moved off the private registry to crates.io, the CARGO_REGISTRIES_AIO_SDKS_TOKEN secret, the auth step, and the coverage-skip branch in rust-tests.yml are no longer needed. Inline comment attached.

🟠 PR hygiene (required, no inline anchor)

4. Use the PR template and link the issue — please rewrite the description with the repo PR template and add Closes #298 so it auto-closes on merge.
5. Capture upgrade notes — #298's acceptance criteria asks for notes on non-obvious breaking changes. Worth summarizing the 507/504 API migration (SessionConnectionMonitor → SessionMonitor, publish → publish_qos1, new TopicName/TopicFilter/SubscribeProperties/PublishProperties, message.topic → message.topic_name) and noting that 507 dropped its direct azure_iot_operations_protocol dependency.

✅ Looks good / no action

• 507 azure_iot_operations_protocol removal is safe — verified no .rs file references it.
• mqtt (1.0.2) and protocol (1.0.0) pins are GA.
• Keeping .devcontainer/devcontainer-lock.json is fine.

One thing to keep an eye on: the Dependency Review check still flags 1 vulnerable package, and a RUSTSEC-2026-0186 (memmap2) ignore was added to 507's audit list — acceptable given the documented candle-core constraint, but please acknowledge it in the PR so it's an explicit decision.

Thanks again — once the above are in, this should be ready to go. 🚀

[katriendg]

Thanks for the quick turnaround 🙏

Really nice iteration here, @kgmwang1 (and Marcel Bindseil) — almost everything from the last pass is addressed:

• ✅ azure_iot_operations_services now pinned to GA 1.2.0 across 501 sender/receiver and 507 (and the C# 500-basic-inference is on GA too). No more 1.3.0-beta1.
• ✅ Both out-of-scope 514-wasm-msg-to-dss files removed.
• ✅ PR description rewritten with the template, Closes #298, the documented API breaking changes, and the 507 azure_iot_operations_protocol removal note.

One remaining item (then this is good to go)

The rust-tests.yml aio-sdks token/auth handling is still in place, and I'm now confident it should be removed. I validated the registry directly and it requires no auth (config.json returns "auth-required":false; the wasm_graph_sdk index and tarball both download anonymously with 200). The WASM crates that still use registry = "aio-sdks" build fine without a token, and this coverage matrix doesn't even run those crates — it's only 501–507 + 901, which all moved to crates.io in this PR. Details in the inline comment.

Once the env, the "Configure aio-sdks registry authentication" step, and the token-based coverage-skip branch are removed (keep --locked), I'm happy to approve. Thanks again! 🚀

[katriendg]

Thank you for the additional changes! All good