From 2c50a5e03d132cfcebdafe4df13c78d0a4f4d9ce Mon Sep 17 00:00:00 2001
From: Sephyi
Date: Sun, 19 Apr 2026 19:07:30 +0200
Subject: [PATCH] chore(deps): pin reqwest to rustls-tls for reproducible pure-Rust TLS

Explicitly pin reqwest's TLS backend to rustls instead of relying on the crate's `default-tls` feature, which can vary across platforms.

This aligns with CLAUDE.md's secure-defaults ethos by:

- Keeping the TLS stack pure Rust (hyper-rustls + tokio-rustls + rustls-platform-verifier) on every platform instead of SecureTransport on macOS / schannel on Windows.
- Dropping the platform-specific `system-configuration` (macOS) and `windows-registry` (Windows) transitive dependencies, shrinking the dep graph and making builds more reproducible across CI runners.
- Preserving existing functionality by explicitly enabling the `charset` and `http2` features that were previously pulled in via `default-tls`, alongside the already-used `json` and `stream`.

reqwest 0.13 renamed its old `rustls-tls` feature to `rustls`, so the feature is spelled `rustls` in the Cargo.toml entry.

Closes audit entry F-005 from #3.
---
Cargo.lock | 52 ----------------------------------------------------
Cargo.toml | 2 +-
2 files changed, 1 insertion(+), 53 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 8aa0e1e..a5bb825 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1748,11 +1748,9 @@ dependencies = [
  "percent-encoding",
  "pin-project-lite",
  "socket2",
- "system-configuration",
  "tokio",
  "tower-service",
  "tracing",
- "windows-registry",
 ]
 
 [[package]]
@@ -3291,27 +3289,6 @@ dependencies = [
  "syn",
 ]
 
-[[package]]
-name = "system-configuration"
-version = "0.7.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a13f3d0daba03132c0aa9767f98351b3488edc2c100cda2d2ec2b04f3d8d3c8b"
-dependencies = [
- "bitflags",
- "core-foundation 0.9.4",
- "system-configuration-sys",
-]
-
-[[package]]
-name = "system-configuration-sys"
-version = "0.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8e1d1b10ced5ca923a1fcb8d03e96b8d3268065d724548c0211415ff6ac6bac4"
-dependencies = [
- "core-foundation-sys",
- "libc",
-]
-
 [[package]]
 name = "tempfile"
 version = "3.27.0"
@@ -4130,35 +4107,6 @@ version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
 
-[[package]]
-name = "windows-registry"
-version = "0.6.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "02752bf7fbdcce7f2a27a742f798510f3e5ad88dbe84871e5168e2120c3d5720"
-dependencies = [
- "windows-link",
- "windows-result",
- "windows-strings",
-]
-
-[[package]]
-name = "windows-result"
-version = "0.4.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7781fa89eaf60850ac3d2da7af8e5242a5ea78d1a11c49bf2910bb5a73853eb5"
-dependencies = [
- "windows-link",
-]
-
-[[package]]
-name = "windows-strings"
-version = "0.5.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7837d08f69c77cf6b07689544538e017c1bfcf57e34b4c0ff58e6c2cd3b37091"
-dependencies = [
- "windows-link",
-]
-
 [[package]]
 name = "windows-sys"
 version = "0.45.0"
diff --git a/Cargo.toml b/Cargo.toml
index 5ecc876..3d1766f 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -50,7 +50,7 @@ directories = "6.0"
 figment = { version = "0.10", features = ["toml", "env"] }
 
 # HTTP client
-reqwest = { version = "0.13", features = ["json", "stream"] }
+reqwest = { version = "0.13", default-features = false, features = ["rustls", "charset", "http2", "json", "stream"] }
 
 # Git (pure Rust) - minimal features
 gix = { version = "0.80", default-features = false, features = ["revision"] }
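Review bot: The new reqwest line switches off default features wholesale, which also drops reqwest's default `system-proxy` feature — and, as far as I recall, that feature rather than the TLS backend is what pulls in the `system-configuration` and `windows-registry` crates the lockfile hunks remove, so macOS and Windows builds will quietly stop honoring OS-level proxy settings and only the `HTTP_PROXY`/`HTTPS_PROXY`/`ALL_PROXY` environment variables will still be consulted. Consistent with that, the Cargo.lock diff (which accounts for all 52 removed lines) drops no `native-tls`, `security-framework`, `schannel` or `openssl` entries, which suggests rustls was already the backend before this change and the description's "instead of SecureTransport / schannel" claim should be re-verified before F-005 is closed on its strength. If OS proxy discovery is still wanted, restore it explicitly: `reqwest = { version = "0.13", default-features = false, features = ["rustls", "charset", "http2", "system-proxy", "json", "stream"] }`. If dropping it is deliberate — a client that ignores machine-wide proxy settings is a defensible hardening choice, since those settings are writable by other local software — record the decision in the comment above the line, e.g. `# HTTP client: rustls-only TLS; default features off, so OS proxy discovery (system-proxy) is intentionally not used`.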