build(deps): bump the cargo group (with code fixes for rand/rubato/rcgen)

[kixelated]

Supersedes #1600. Brings in the dependabot grouped cargo bump plus the source changes the major-version updates require so CI compiles. #1600 failed Check on a moq-net compile error (rand 0.10 API change), with further breakage in moq-audio (rubato 3.0), moq-relay tests (rcgen 0.14), and the feature-gated moq-native noq/quiche backends.

Dependency updates

Package	From	To
qmux	0.0.7	0.0.8
web-transport-noq	0.0.3	0.1.1
web-transport-quiche	0.2.3	0.4.0
rubato	0.16.2	3.0.0
rand	0.9.4	0.10.1
rcgen	0.13.2	0.14.8
toml	0.9	1.1

Code changes

• rand 0.9 → 0.10: random_range and random_iter moved to the new RngExt trait. Swapped use rand::Rng for use rand::RngExt in moq-net (model/origin.rs, model/time.rs) and moq-native (quinn.rs, noq.rs).
• rubato 0.16 → 3.0: SincFixedIn is now Async + FixedAsync::Input, and process_into_buffer takes audioadapter buffers instead of &[Vec<f32>]. Rewrote the moq-audio resampler wrapper to wrap the planar buffers in SequentialSliceOfVecs and allocate the output via output_frames_max(). Also dropped rubato's default fft_resampler feature since we only use the sinc resampler, which removes the unused realfft/RustFFT deps. The existing upsample_44100_to_48000_preserves_energy_roughly and opus_round_trip_44100_s16_resampled tests still pass, so behavior is preserved.
• rcgen 0.13 → 0.14: CertificateParams::signed_by now takes an Issuer that bundles the CA cert and signing key. Build an Issuer::from_params once and reuse it in the moq-relay mTLS test fixtures (auth.rs, web.rs).
• web-transport-quiche 0.2 → 0.4 (moq-native, quiche feature): ClientBuilder::connect now returns a Connecting that must be .established().awaited into a Connection. Establish before Connection::connect / Connection::raw / alpn().
• web-transport-noq 0.0.3 → 0.1.1 (moq-native, noq feature; pulls noq 1.0.0-rc): EndpointConfig::cid_generator now takes an Arc<dyn Fn() -> Box<...> + Send + Sync>, so wrap the factory closure in Arc. The established Connection no longer exposes remote_address (noq 1.0 supports multipath), so capture the peer address from the Connecting before awaiting.

reqwest-middleware kept at 0.4

The original #1600 also bumped reqwest-middleware 0.4 → 0.5, but that breaks the relay HTTP cache: http-cache-reqwest's only stable release (0.16) still requires reqwest-middleware 0.4 + reqwest 0.12. The only http-cache-reqwest releases on reqwest-middleware 0.5 are 1.0.0-alpha.x pre-releases (which also pull reqwest 0.13). Taking 0.5 would force a pre-release dependency and a reqwest 0.12 → 0.13 migration across the relay, which is out of scope for a routine bump. Pinned it back to 0.4 so the rest of the group can land.

Test plan

• cargo check -p moq-native --all-features clean (covers the noq/quiche backends CI exercises)
• cargo clippy clean for moq-audio, moq-net, moq-native (incl. --all-features --all-targets), moq-relay
• cargo test passes for those crates (the moq-native alpn integration tests fail only in this sandbox because it has no IPv6 to bind [::]:0; they exercise networking, not the bumped deps)
• rubato migration validated by the existing resample/opus round-trip tests; realfft confirmed dropped from Cargo.lock

(Written by Claude)

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 161ca5ac-7ee4-4b77-b3e1-7065625329dd

📥 Commits

Reviewing files that changed from the base of the PR and between b932893 and 9014a0c.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (3)

• rs/moq-audio/Cargo.toml
• rs/moq-native/src/noq.rs
• rs/moq-native/src/quiche.rs

🚧 Files skipped from review as they are similar to previous changes (1)

• rs/moq-audio/Cargo.toml

---

Walkthrough

This PR upgrades dependencies across the moq workspace and adapts code to accommodate breaking changes in their APIs. The workspace-level transport dependencies (qmux, web-transport-noq, web-transport-quiche) are bumped. The audio resampler is migrated from rubato's fixed-in API to its newer async API. Random number generation calls throughout moq-native and moq-net are updated to use the RngExt trait following rand 0.10's API changes. Configuration parsing dependencies are uniformly upgraded to toml 1.1, and certificate test fixtures are refactored to use rcgen::Issuer for signing after the library's upgrade to 0.14.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: a grouped cargo dependency bump with accompanying code fixes for API changes in rand, rubato, and rcgen.
Description check	✅ Passed	The description provides comprehensive coverage of dependency updates, code changes required by those updates, rationale for kept dependencies, and test plan validation.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch claude/github-pr-1600-SasJw

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

rs/moq-audio/Cargo.toml (1)

23-23: 💤 Low value

Optional: disable rubato’s default FFT feature to avoid pulling RustFFT
rubato 3.0 enables fft_resampler by default, while audioadapter-buffers is used directly and isn’t gated behind another Cargo feature. If moq-audio only relies on Async::new_sinc, disabling default features can trim unused FFT-related deps.

♻️ Possible change

-rubato = "3.0"
+rubato = { version = "3.0", default-features = false }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@rs/moq-audio/Cargo.toml` at line 23, Disable rubato’s default features to
avoid pulling in RustFFT by changing the rubato dependency declaration to set
default-features = false and explicitly enable only the feature(s) required for
the sinc resampler used by Async::new_sinc (so rubato doesn't bring in the
fft_resampler default); update the rubato entry (the dependency named "rubato")
accordingly to only include the minimal feature set needed.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@rs/moq-audio/Cargo.toml`:
- Line 23: Disable rubato’s default features to avoid pulling in RustFFT by
changing the rubato dependency declaration to set default-features = false and
explicitly enable only the feature(s) required for the sinc resampler used by
Async::new_sinc (so rubato doesn't bring in the fft_resampler default); update
the rubato entry (the dependency named "rubato") accordingly to only include the
minimal feature set needed.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 541b0878-f19c-4367-ac19-380a08126140

📥 Commits

Reviewing files that changed from the base of the PR and between 796181c and b932893.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (12)

• Cargo.toml
• rs/moq-audio/Cargo.toml
• rs/moq-audio/src/resample.rs
• rs/moq-native/Cargo.toml
• rs/moq-native/src/noq.rs
• rs/moq-native/src/quinn.rs
• rs/moq-net/Cargo.toml
• rs/moq-net/src/model/origin.rs
• rs/moq-net/src/model/time.rs
• rs/moq-relay/Cargo.toml
• rs/moq-relay/src/auth.rs
• rs/moq-relay/src/web.rs