chore(bootstrap): pin Rust toolchain to 1.95.0 (task 03)

[mpiton]

Summary

Add rust-toolchain.toml to pin Rust toolchain to channel = "1.95.0" with components = ["rustfmt", "clippy"]. Closes Sprint 0 reproducibility gap G6: rustup now auto-installs the exact version on first cargo invocation in the repo, eliminating version drift between contributors and CI.

Why

Contributors using different Rust versions locally vs CI see passing tests locally but CI failures (or vice versa). Pinning ensures bit-reproducibility across machines. Chosen 1.95.0 (latest stable at 2026-05-03); CI workflows already use dtolnay/rust-toolchain@stable which resolves to the same version, so no workflow modification is required.

Changes

• rust-toolchain.toml — new file at repo root pinning channel = "1.95.0" (exact version, not "stable" channel), components = ["rustfmt", "clippy"], profile = "default". Intentionally omits targets array; cross-target builds covered by GitHub Actions matrix in task 12.
• README.md Prerequisites — clarified that the exact Rust version is auto-installed from rust-toolchain.toml via rustup. Task 14 will expand this into the full quick-start section.
• CHANGELOG.md — added entry under [Unreleased] / Added documenting the gap closure and auto-install behavior.

Testing

• Verified rustup show active-toolchain reports 1.95.0-x86_64-unknown-linux-gnu (overridden by rust-toolchain.toml).
• Ran cargo fmt --check, cargo clippy --workspace -- -D warnings, cargo test --workspace — all green.
• cargo deny check confirms advisories ok, bans ok, licenses ok, sources ok.
• Pre-commit hooks passed locally (3 files changed).

Related Issues

• Closes Gap G6 (reproducibility pin)
• Unblocks task 12 (CI workflow green)

Notes for Reviewer

This is a minimal, non-controversial change: a new config file read transparently by Rust tooling. No code changes, no breaking changes. The toolchain is new, but it specifies a version already in use by the CI (so no surprise bumps). Later (when stable advances beyond 1.95.0), a separate PR will update this file + any affected docs; that's normal maintenance.

Checklist

• No secrets, debug prints, or commented-out code
• Docs updated (README, CHANGELOG)
• Self-reviewed the diff
• Local tests + checks passed
• CI expected to be green

Summary by CodeRabbit

• Chores
  • Pinned Rust toolchain to 1.95.0 (including rustfmt and clippy); toolchain is auto-installed via rustup and README prerequisites updated.
  • Continuous integration, release, and related automation updated to use the same pinned toolchain for reproducible builds and checks.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 09840ee7-1da9-464c-a407-2d5fa02d3bde

📥 Commits

Reviewing files that changed from the base of the PR and between da2b332 and b87343c.

📒 Files selected for processing (5)

• .github/workflows/ci.yml
• .github/workflows/codspeed.yml
• .github/workflows/mutants.yml
• .github/workflows/release.yml
• CHANGELOG.md

🚧 Files skipped from review as they are similar to previous changes (4)

• .github/workflows/release.yml
• .github/workflows/mutants.yml
• CHANGELOG.md
• .github/workflows/ci.yml

---

📝 Walkthrough

Walkthrough

A new rust-toolchain.toml pins the Rust toolchain to 1.95.0 (with rustfmt and clippy). CI workflows (.github/workflows/{ci,release,mutants,codspeed}.yml) are updated to use a pinned dtolnay/rust-toolchain commit (annotated # 1.95.0). CHANGELOG and README note the toolchain pin and that rustup auto-installs it.

Changes

Rust Toolchain Pinning

Layer / File(s)	Summary
Toolchain Configuration rust-toolchain.toml	Adds rust-toolchain.toml pinning channel = "1.95.0", enabling rustfmt and clippy, profile = "default".
CI Wiring .github/workflows/ci.yml, .github/workflows/release.yml, .github/workflows/mutants.yml, .github/workflows/codspeed.yml	Replaces uses of dtolnay/rust-toolchain@stable with a pinned commit reference dtolnay/rust-toolchain@e081816240890017053eacbb1bdf337761dc5582 (commented # 1.95.0) in multiple jobs.
Documentation / Changelog CHANGELOG.md, README.md	CHANGELOG documents the new toolchain file and the workflow pin; README prerequisites clarify the exact Rust version is auto-installed from rust-toolchain.toml via rustup.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• ci: add cargo-mutants + knip, drop cargo-audit (consolidate into cargo-deny) #6 — modifies mutants.yml; related because both PRs change the mutants workflow to use a pinned dtolnay/rust-toolchain.

Poem

🐰 I hopped in with a pin and a tune,
Set Rust to 1.95 beneath the moon,
rustfmt and clippy snug in their spot,
CI now fixed — no surprises or rot,
Tiny carrot of stability, neat and soon.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'chore(bootstrap): pin Rust toolchain to 1.95.0 (task 03)' directly and clearly describes the primary change: pinning the Rust toolchain version.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/task-03-rust-toolchain

---

_{Review rate limit: 4/5 reviews remaining, refill in 12 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@CHANGELOG.md`:
- Around line 9-10: The CHANGELOG claim is incorrect because CI uses
dtolnay/rust-toolchain@stable which does not pin to rust-toolchain.toml; locate
all CI workflow files referencing dtolnay/rust-toolchain@stable and replace with
the explicit tag dtolnay/rust-toolchain@1.95.0 (or alternatively add an explicit
rustup toolchain install step after checkout) so the CI toolchain matches
rust-toolchain.toml, and update the CHANGELOG entry text (the
rust-toolchain.toml paragraph) to reflect that workflows were updated to use the
pinned dtolnay/rust-toolchain@1.95.0 (or added rustup install) rather than
claiming stable already resolved to the same version.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f65af6d7-fa17-47e7-8dfa-f29880e2c9cd

📥 Commits

Reviewing files that changed from the base of the PR and between 24b21e6 and 21ffc19.

📒 Files selected for processing (3)

• CHANGELOG.md
• README.md
• rust-toolchain.toml

[cubic-dev-ai]

No issues found across 3 files

[codspeed-hq]

Merging this PR will not alter performance

✅ 7 untouched benchmarks

---

_{Comparing chore/task-03-rust-toolchain (b87343c) with main (24b21e6)}

[cubic-dev-ai]

1 issue found across 5 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/codspeed.yml">

<violation number="1" location=".github/workflows/codspeed.yml:39">
P2: `dtolnay/rust-toolchain@1.95.0` is not an immutable action pin; use a full commit SHA to make CI runs reproducible and reduce supply-chain drift.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

2 issues found across 5 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/ci.yml">

<violation number="1" location=".github/workflows/ci.yml:32">
P1: Pinning `dtolnay/rust-toolchain` by commit SHA without an explicit `with.toolchain` makes the action derive the toolchain from the SHA ref instead of Rust `1.95.0`.
Add `toolchain: 1.95.0` to each pinned step.</violation>
</file>

<file name=".github/workflows/codspeed.yml">

<violation number="1" location=".github/workflows/codspeed.yml:39">
P1: Pinning `dtolnay/rust-toolchain` by SHA without `with.toolchain` can break this workflow because the action no longer has a valid toolchain specifier to install.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}