Changed: Unify dependency versions across workspace #109

Merged: Sewer56 merged 4 commits into main from unify-deps-from-main on Apr 24, 2026

@Sewer56 Sewer56 commented Apr 23, 2026

Problem

Dependencies were declared independently in each crate's Cargo.toml, leading to version inconsistencies across the workspace:

| Dependency | Versions before |
|---|---|
| serde | 1.0, 1.0.228 |
| serde_json | 1.0, 1.0.145 |
| thiserror | 2.0, 2.0.18 |
| tokio | 1.51, 1 |
| tempfile | 3.27, 3 |
| process-wrap | 9.1, 9 |
| soft-canonicalize | 0.5.5, 0.5 |
| dirs | 6, 6.0.0 |

This made it easy for versions to drift apart over time, and required updating multiple files to bump a shared dependency.

Solution

Add [workspace.dependencies] to the root src/Cargo.toml and convert all 5 crates to reference workspace deps via workspace = true.

Root Cargo.toml - 40+ shared dependencies defined once:

  • Serialization: serde, serde_json, serde_yaml, bitcode, bitflags
  • Async/Runtime: tokio, maybe-async, async-trait, futures
  • HTTP: reqwest, html-to-markdown-rs
  • Data structures: hashbrown, indexmap, tinyvec, lite-strtab, ahash, parking_lot
  • Grep/Glob: globset, grep-regex, grep-searcher, memchr, ignore
  • Process: process-wrap
  • Internal crates: llm-coding-tools-core, llm-coding-tools-bubblewrap, llm-coding-tools-agents, llm-coding-tools-models-dev
  • Dev: criterion, rstest, serial_test, wiremock, indoc, temp-env

Per-crate Cargo.toml - all version strings replaced with workspace = true; feature overrides preserved locally.

Remaining duplicates (unavoidable)

Transitive duplicates from external crates (serdes-ai, AWS SDK) still exist in the lockfile — these are outside our control and would require upstream changes:

  • thiserror v1 (serdes-ai) + v2 (our crates)
  • reqwest v0.12 (serdes-ai) + v0.13 (our crates)
  • rustls v0.21 (AWS SDK) + v0.23 (our crates)
  • hashbrown v0.16 (html-to-markdown-rs) + v0.17 (our crates)

Files changed

| File | Change |
|---|---|
| src/Cargo.toml | +79 lines — add [workspace.dependencies] |
| src/llm-coding-tools-core/Cargo.toml | Convert 23 deps to workspace |
| src/llm-coding-tools-agents/Cargo.toml | Convert 12 deps to workspace |
| src/llm-coding-tools-models-dev/Cargo.toml | Convert 14 deps to workspace |
| src/llm-coding-tools-serdesai/Cargo.toml | Convert 18 deps to workspace |
| src/llm-coding-tools-bubblewrap/Cargo.toml | Convert 6 deps to workspace |

- Add [workspace.dependencies] to root Cargo.toml with 40+ shared dependencies
- Convert all 5 crates to use workspace = true for common dependencies
- Unify internal crate paths (llm-coding-tools-*) in workspace manifest
- Consolidate dev-dependencies (criterion, rstest, serial_test, wiremock, etc.)

Benefits:
- Single source of truth for dependency versions
- Prevents version drift between crates
- Cleaner per-crate Cargo.toml files
- Faster dependency resolution

coderabbitai Bot commented Apr 23, 2026

📥 Commits

Reviewing files that changed from the base of the PR and between 2572d8e and f56e0cf.

📒 Files selected for processing (1)
  • src/llm-coding-tools-bubblewrap/Cargo.toml

Walkthrough

The pull request centralizes Rust crate dependency management by introducing a new [workspace.dependencies] section in the root Cargo.toml that defines shared versions and feature flags for all project dependencies. Multiple internal crate manifests are subsequently updated to replace explicit version pins with workspace = true directives. This consolidates dependency declarations for serialization libraries, async runtimes, networking tools, filesystem utilities, and testing frameworks across the entire workspace. Additionally, various Rustdoc comments throughout the codebase are enhanced with explicit intra-doc link references to improve documentation link resolution.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately and concisely summarizes the main change: unifying dependency versions across the workspace via workspace.dependencies. |
| Description check | ✅ Passed | The description is comprehensive and well-structured, detailing the problem, solution, remaining duplicates, and files changed with clear examples and rationale. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |



codecov Bot commented Apr 23, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.04%. Comparing base (6ed0ef3) to head (f56e0cf).
⚠️ Report is 5 commits behind head on main.


@@           Coverage Diff           @@
##             main     #109   +/-   ##
=======================================
  Coverage   81.04%   81.04%           
=======================================
  Files         110      110           
  Lines        4517     4517           
=======================================
  Hits         3661     3661           
  Misses        856      856           

| Flag | Coverage Δ |
|---|---|
| async | 80.29% <ø> (ø) |
| blocking | 58.07% <ø> (-0.06%) ⬇️ |

| Files with missing lines | Coverage Δ |
|---|---|
| src/llm-coding-tools-agents/src/loader.rs | 85.08% <ø> (ø) |
| src/llm-coding-tools-core/src/fs/blocking_impl.rs | 100.00% <ø> (ø) |
| src/llm-coding-tools-core/src/fs/tokio_impl.rs | 100.00% <ø> (ø) |
| src/llm-coding-tools-models-dev/src/api/schema.rs | 100.00% <ø> (ø) |
| src/llm-coding-tools-models-dev/src/catalog/mod.rs | 100.00% <ø> (ø) |
| src/llm-coding-tools-serdesai/src/convert.rs | 93.10% <ø> (ø) |

Sewer56 added 2 commits April 23, 2026 21:57
- Add reference-style link definitions for `ToolError::Io` in fs modules
- Fix `CatalogError::Json` link in models-dev schema docs
- Fix `ToolError` link in serdesai convert module
- Escape private function names (`load_directory_with`, `core_error_to_serdes`) with backticks
- Fix models.dev README markdown link syntax
- Add missing `Ok(())` in blocking doctest
…onflict

Cargo ignores `default-features = false` in crate-level Cargo.toml when
the workspace dependency doesn't specify it. This caused llm-coding-tools-core's
default features (tokio) to always be enabled, making both tokio and blocking
active simultaneously and producing `BufFile defined multiple times`.

- Add `default-features = false` to workspace `llm-coding-tools-core` dep
- Add explicit `features = ["tokio"]` to agents crate (relied on defaults)
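
An added example (not code from this PR or the project): a small audit over parsed Cargo manifests that reports the two problems described above, dependencies pinned with different requirements across crates and a member's `default-features = false` that Cargo ignores because the workspace entry lacks it. The crate names `crate-a`, `crate-b`, `core-lib` and the manifests are constructed; the version strings reuse the serde and tokio rows from the PR description.

```python
from collections import defaultdict

DEP_TABLES = ("dependencies", "dev-dependencies", "build-dependencies")

def load_manifest(path):
    """Parse a real Cargo.toml from disk (tomllib needs Python 3.11+)."""
    import tomllib
    with open(path, "rb") as fh:
        return tomllib.load(fh)

def _spec(value):
    """Normalise the `dep = "1.0"` shorthand to the table form."""
    return {"version": value} if isinstance(value, str) else dict(value)

def iter_deps(manifest):
    """Yield (table, name, spec) for every dependency of a member manifest."""
    for table in DEP_TABLES:
        for name, value in manifest.get(table, {}).items():
            yield table, name, _spec(value)

def version_drift(members):
    """Return {dep: {requirement: [crates]}} for deps pinned differently across crates."""
    seen = defaultdict(lambda: defaultdict(list))
    for crate, manifest in members.items():
        for _table, name, spec in iter_deps(manifest):
            if "version" in spec and not spec.get("workspace"):
                seen[name][spec["version"]].append(crate)
    return {dep: dict(reqs) for dep, reqs in seen.items() if len(reqs) > 1}

def ignored_default_features(workspace, members):
    """Return (crate, table, dep) where a member sets `default-features = false`
    on an inherited dep but the [workspace.dependencies] entry does not."""
    shared = {name: _spec(value) for name, value in
              workspace.get("workspace", {}).get("dependencies", {}).items()}
    findings = []
    for crate, manifest in members.items():
        for table, name, spec in iter_deps(manifest):
            if not spec.get("workspace") or spec.get("default-features") is not False:
                continue  # not inherited, or not trying to disable defaults
            if shared.get(name, {}).get("default-features") is not False:
                findings.append((crate, table, name))
    return findings

# Constructed sample data: the parsed form of hypothetical manifests.
DRIFTING = {
    "crate-a": {"dependencies": {"serde": "1.0",
                                 "tokio": {"version": "1.51", "features": ["rt"]}}},
    "crate-b": {"dependencies": {"serde": {"version": "1.0.228"}},
                "dev-dependencies": {"tokio": "1"}},
}
WORKSPACE_BEFORE_FIX = {"workspace": {"dependencies": {"core-lib": {"path": "core-lib"}}}}
WORKSPACE_AFTER_FIX = {"workspace": {"dependencies": {
    "core-lib": {"path": "core-lib", "default-features": False}}}}
INHERITING = {
    "crate-a": {"dependencies": {"core-lib": {"workspace": True, "features": ["tokio"]}}},
    "crate-b": {"dependencies": {"core-lib": {"workspace": True, "default-features": False}}},
}

if __name__ == "__main__":
    print("drift:", version_drift(DRIFTING))
    print("ignored:", ignored_default_features(WORKSPACE_BEFORE_FIX, INHERITING))
```

For a real checkout, build the inputs with `load_manifest` on the root manifest and each member's `Cargo.toml` instead of the constructed dictionaries.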

coderabbitai Bot commented Apr 23, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


Sewer56 commented Apr 24, 2026

@coderabbitai full-review


coderabbitai Bot commented Apr 24, 2026

@Sewer56, I'll kick off a full review of the PR now!

✅ Actions performed

Full review triggered.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (2)
src/Cargo.toml (1)

12-89: Centralization looks clean; a couple of optional polish suggestions.

Overall the [workspace.dependencies] block is well-organized. Two minor, optional tweaks:

  • Version pins mix broad ("1.0", "2", "3") and narrow ("3.1.2", "0.5.5", "0.4.25"). Either is fine, but pinning only the patch level for a subset creates an inconsistent contract and can mask future MSRV bumps. Consider standardizing (typically to major.minor) unless there's a specific patch requirement.
  • Comment headers like # Internal crates and # Dev dependencies are helpful; the block # Dev dependencies is still in [workspace.dependencies] — individual crates must still explicitly place them under [dev-dependencies] (you already do this correctly). Just flagging that the section label can confuse future readers if [workspace.dev-dependencies] is ever assumed.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/Cargo.toml` around lines 12 - 89, Standardize the version pinning in the
[workspace.dependencies] block by choosing a scheme (e.g., major.minor like
"1.0" -> "1.0" or lock to patch "1.0.3" if needed) and update entries such as
serde, tokio, html-to-markdown-rs, shellexpand, soft-canonicalize, ignore, etc.,
to follow that scheme so the contract is consistent; also clarify the "# Dev
dependencies" comment (currently inside [workspace.dependencies]) by either
moving true development-only crates into a separate [workspace.dev-dependencies]
section or renaming the comment to avoid implying those entries are already
dev-dependencies.
src/llm-coding-tools-models-dev/README.md (1)

153-154: Remove the orphan [models.dev] link reference.

After renaming the in-text reference to [models.dev_link] on line 11, the [models.dev]: https://models.dev definition on line 154 is no longer referenced anywhere in the README. Keeping it is harmless but may trigger unused-reference warnings in some markdown linters and creates two definitions for the same URL.

🧹 Proposed cleanup
 [models.dev_link]: https://models.dev
-[models.dev]: https://models.dev
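Review bot: the removal on the `-[models.dev]` line is only safe if no `[models.dev]` shortcut or collapsed reference is left in the README body. The hunk shows just the two reference definitions, so search the file for `[models.dev]` before dropping the definition; any remaining use would render as literal bracketed text instead of a link.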
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/llm-coding-tools-models-dev/README.md` around lines 153 - 154, Remove the
unused/duplicate markdown reference definition "[models.dev]:
https://models.dev" since the in-text link was renamed to "[models.dev_link]";
locate the orphan reference definition (the "[models.dev]" link entry in README)
and delete that line so only the active "[models.dev_link]: https://models.dev"
reference remains.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/llm-coding-tools-bubblewrap/Cargo.toml`:
- Around line 19-24: Remove the redundant tempfile entry from [dev-dependencies]
in Cargo.toml: tempfile is already declared under [dependencies] (used by
runtime code such as TempSandboxDirs in profile/factory.rs) and tests inherit
regular dependencies, so delete the tempfile = { workspace = true } line from
the [dev-dependencies] section to avoid duplication.

📥 Commits

Reviewing files that changed from the base of the PR and between 6ed0ef3 and 2572d8e.

📒 Files selected for processing (13)
  • src/Cargo.toml
  • src/llm-coding-tools-agents/Cargo.toml
  • src/llm-coding-tools-agents/src/loader.rs
  • src/llm-coding-tools-bubblewrap/Cargo.toml
  • src/llm-coding-tools-core/Cargo.toml
  • src/llm-coding-tools-core/src/fs/blocking_impl.rs
  • src/llm-coding-tools-core/src/fs/tokio_impl.rs
  • src/llm-coding-tools-models-dev/Cargo.toml
  • src/llm-coding-tools-models-dev/README.md
  • src/llm-coding-tools-models-dev/src/api/schema.rs
  • src/llm-coding-tools-models-dev/src/catalog/mod.rs
  • src/llm-coding-tools-serdesai/Cargo.toml
  • src/llm-coding-tools-serdesai/src/convert.rs
📜 Review details
🧰 Additional context used
🧠 Learnings (3)
📚 Learning: 2026-03-28T02:14:04.465Z
Learnt from: Sewer56
Repo: Sewer56/llm-coding-tools PR: 69
File: src/llm-coding-tools-bubblewrap/src/profile/validation.rs:57-67
Timestamp: 2026-03-28T02:14:04.465Z
Learning: In `src/llm-coding-tools-bubblewrap/src/profile/` (Rust, llm-coding-tools-bubblewrap crate), the `Builder` API paths (workspace, synthetic_home, cache_root, mount lists, overlays, etc.) are always set by trusted application/operator code — the library consumer is the trusted party. Path normalization and `..`-component hardening in validators like `validate_absolute_path` is therefore NOT required to defend against traversal attacks. Untrusted input (LLM-generated shell commands) only enters through `wrap_command`/`execute_command_with_mode`, not through the `Builder`.

Applied to files:

  • src/Cargo.toml
  • src/llm-coding-tools-serdesai/Cargo.toml
  • src/llm-coding-tools-core/Cargo.toml
📚 Learning: 2026-04-08T21:35:35.581Z
Learnt from: CR
Repo: Sewer56/llm-coding-tools PR: 0
File: src/AGENTS.md:0-0
Timestamp: 2026-04-08T21:35:35.581Z
Learning: If relevant to your review task, read `.cargo/{general,performance,documentation}.md` for guidance

Applied to files:

  • src/llm-coding-tools-agents/Cargo.toml
📚 Learning: 2026-03-11T22:12:27.804Z
Learnt from: Sewer56
Repo: Sewer56/llm-coding-tools PR: 54
File: src/llm-coding-tools-models-dev/src/catalog/load_cache.rs:23-29
Timestamp: 2026-03-11T22:12:27.804Z
Learning: In `src/llm-coding-tools-models-dev/src/cache/` (Rust, llm-coding-tools-models-dev crate), the on-disk cache (models.dev.catalog.v1.cache) is assumed to be written only by the local user/process. Malicious or externally-crafted cache files are explicitly out of scope for this threat model, so there is no need to add upper-bound validation on `payload_len_decompressed` before calling `zstd::bulk::decompress`.

Applied to files:

  • src/llm-coding-tools-models-dev/Cargo.toml
🔇 Additional comments (11)
src/llm-coding-tools-serdesai/src/convert.rs (1)

53-55: LGTM — correct rustdoc fix for a private helper.

Since core_error_to_serdes is pub(crate), an intra-doc link from public docs would warn/fail. Inline code plus the explicit [ToolError] link def is the right treatment.

src/llm-coding-tools-agents/src/loader.rs (1)

85-85: LGTM — private helper referenced as inline code.

load_directory_with is private to the module, so referencing it via inline code (rather than an intra-doc link) is correct and removes the rustdoc warning.

Also applies to: 108-108

src/llm-coding-tools-core/Cargo.toml (1)

41-115: LGTM — clean workspace conversion preserving existing feature semantics.

Feature gates (tokio, blocking, linux-bubblewrap) are unchanged. Dev-dep tokio correctly layers rt-multi-thread/macros on the workspace entry (features are additive). Optional deps (reqwest, tokio, llm-coding-tools-bubblewrap) still gate via optional = true.

src/llm-coding-tools-agents/Cargo.toml (1)

33-33: LGTM — explicit features = ["tokio"] is required here and correctly applied.

Matches the fix from commit 3 ("Workspace default-features unification caused tokio+blocking conflict") — this crate previously relied on llm-coding-tools-core's default tokio feature, so the explicit enablement is necessary now that the workspace entry sets default-features = false.

src/llm-coding-tools-serdesai/Cargo.toml (1)

54-95: LGTM — workspace redirection preserves provider feature pass-through and async/TLS configuration.

The provider feature gates (serdes-ai-models/openai, etc.) still work because serdes-ai-models is brought in via the workspace with default-features = false, matching the prior local setting. reqwest now inherits rustls + rustls-native-certs from the workspace, so the HTTP/TLS behavior is unchanged.

src/llm-coding-tools-models-dev/src/catalog/mod.rs (1)

78-78: LGTM — doctest now returns a value consistent with its signature.

Matches the pattern used in the load_at doctest below (line 148) and fixes the blocking-feature doctest compile error called out in commit 2.

src/Cargo.toml (1)

78-78: All internal consumers of llm-coding-tools-core correctly enable a backend feature.

  • llm-coding-tools-agents (src/llm-coding-tools-agents/Cargo.toml:33): features = ["tokio"]
  • llm-coding-tools-serdesai (src/llm-coding-tools-serdesai/Cargo.toml:54): features = ["tokio"]
  • llm-coding-tools-models-dev (src/llm-coding-tools-models-dev/Cargo.toml:27): Declares default-features = false on the core dependency, but the package itself specifies default = ["tokio"] (line 11), which automatically propagates the tokio backend to consumers. ✓

No binary, example, or test crates were found with missing backend feature configuration.

src/llm-coding-tools-core/src/fs/blocking_impl.rs (1)

11-45: LGTM — intra-doc link definitions look correct.

Adding [ToolError::Io]: crate::error::ToolError::Io for each docblock resolves the previously bare references and will silence rustdoc::broken_intra_doc_links on this file. Consistent with the mirror fix in tokio_impl.rs.

src/llm-coding-tools-models-dev/src/api/schema.rs (1)

93-94: LGTM.

Reference definition matches the error variant that serde_json::Error converts into via the ? operator; fixes the intra-doc link without any API change.

src/llm-coding-tools-core/src/fs/tokio_impl.rs (1)

11-45: LGTM.

Async counterpart of the blocking_impl.rs doc fix; keeps the link resolution consistent between the two runtime variants.

src/llm-coding-tools-models-dev/Cargo.toml (1)

25-64: LGTM — workspace migration is consistent and feature wiring preserved.

  • llm-coding-tools-core = { workspace = true, default-features = false } is the right belt-and-suspenders after the fix in commit 3 (tokio+blocking conflict).
  • The reqwest optional flag and reqwest/blocking feature activation on line 20 still work because the rustls feature list now lives on the workspace entry.
  • Declaring tokio as both an optional prod dep and a dev-dep with ["rt", "macros"] is fine — Cargo takes the union across normal and dev dependency graphs.

Comment thread src/llm-coding-tools-bubblewrap/Cargo.toml Outdated
tempfile already declared in [dependencies]; tests inherit it automatically.
@Sewer56 Sewer56 merged commit b3c8519 into main Apr 24, 2026
22 checks passed
@Sewer56 Sewer56 deleted the unify-deps-from-main branch April 24, 2026 14:02