chore(deps): update rust crate casbin to v2.20.0 #704

Open
renovate[bot] wants to merge 1 commit into main from renovate/casbin-2.x-lockfile

renovate bot commented Feb 4, 2026

This PR contains the following updates:

Package | Type | Update | Change
casbin (source) | workspace.dependencies | minor | 2.19.1 → 2.20.0

Release Notes

casbin/casbin-rs (casbin)

v2.20.0

Compare Source

Features

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot added the dependencies, renovate and rust labels Feb 4, 2026

claude bot commented Feb 4, 2026

Pull Request Review: Casbin v2.19.1 → v2.20.0

Summary

This PR updates the casbin dependency from v2.19.1 to v2.20.0. Based on my analysis, this is a safe, low-risk dependency update that can be merged.

Analysis

Changes in This Update

  • Lockfile only: The update only modifies Cargo.lock, not Cargo.toml
  • Minor version bump: Following semantic versioning, this is a non-breaking change
  • Release notes: According to the upstream release, v2.20.0 only includes internal maintenance changes (removed dependabot.yml)
  • Dependency chain: Also updates windows-sys from 0.48.0 to 0.59.0 as a transitive dependency

Casbin Usage in Scotty

I reviewed how casbin is used throughout the codebase:

  1. Authorization System (scotty/src/services/authorization/casbin.rs:67-69)

    • Uses CachedEnforcer for RBAC
    • Custom user_match function for domain/wildcard matching
    • Policy synchronization for scopes, roles, and assignments
  2. API Configuration (Cargo.toml:87)

    • Using features: runtime-tokio, cached
    • No deprecated or experimental features used
    • Current version constraint: 2.8 (allows minor updates)
  3. Test Coverage

    • Unit tests for user_match_impl covering exact, domain, and wildcard matching
    • Integration tests in scotty/tests/authorization_domain_test.rs
    • All critical authorization logic is tested

CI Status

  • ✅ Rustfmt: PASSED
  • ✅ Frontend: PASSED
  • ✅ GitGuardian Security: PASSED
  • 🔄 Test suites: IN PROGRESS (multiple configurations)
  • 🔄 Clippy checks: IN PROGRESS

Risk Assessment

Low Risk - This update is safe because:

  1. Minor version bump with no breaking changes
  2. Only internal maintenance changes in upstream release
  3. Comprehensive test coverage for casbin integration
  4. No API changes to CachedEnforcer or add_function
  5. CI checks show no formatting or security issues

Recommendation

✅ APPROVE - Safe to merge once CI completes successfully.

This is a routine dependency update with no functional changes. The test suite validates that all authorization functionality continues to work correctly.

Notes

  • Wait for all CI checks to complete before merging
  • No code changes required
  • No migration steps needed

renovate bot force-pushed the renovate/casbin-2.x-lockfile branch from 451508d to 5bc365c February 12, 2026 12:06

claude bot commented Feb 12, 2026

PR Review: Casbin Update to v2.20.0

Summary

This PR updates the casbin dependency from 2.19.1 to 2.20.0 via Renovate. The update appears to be a minor version bump with minimal surface-level changes.

Analysis

Changes Reviewed

  • Direct dependency: casbin 2.19.1 → 2.20.0
  • Transitive dependencies: Minor updates to windows-sys versions (0.48.0 → 0.59.0, 0.52.0 → 0.61.1)

Release Notes

According to the release notes, v2.20.0 includes:

  • Deletion of dependabot.yml (infrastructure change, no functional impact)
  • No breaking changes mentioned
  • No new features affecting the API surface

Code Quality ✅

The codebase uses casbin in a well-structured way:

  • Custom user_match function for domain/wildcard matching (scotty/src/services/authorization/casbin.rs:19-64)
  • Proper function registration with the enforcer
  • Clean separation of concerns with CasbinManager

Test Coverage ✅

Excellent test coverage for casbin integration:

  • Unit tests: Custom user_match_impl function (scotty/src/services/authorization/casbin.rs:188-248)
  • Integration tests: Domain assignments, exact matches, wildcard matching (scotty/tests/authorization_domain_test.rs)
  • Tests cover edge cases like:
    • Case-insensitive email matching
    • Domain pattern security (prevents subdomain attacks)
    • Precedence order (exact → domain → wildcard)

Security Considerations ✅

No security concerns identified:

  • The version bump is minor with no breaking changes
  • Casbin's RBAC implementation remains unchanged in the codebase
  • Authorization logic is well-tested with security edge cases covered
  • Domain validation prevents injection attacks (scotty/tests/authorization_domain_test.rs:97-104)

Performance Considerations ✅

No performance impact expected:

  • Minor dependency update with no API changes
  • Authorization service uses CachedEnforcer (already optimized)
  • No new features that would affect performance

Potential Issues ⚠️

Minor consideration:

  • Transitive dependency updates: The windows-sys crate has several version updates. While these are typically safe, they affect low-level Windows platform bindings. This should be verified on Windows environments if the project runs there.

Recommendations

  1. Approve and merge - This is a safe dependency update with no breaking changes
  2. Run existing tests - Ensure all authorization tests pass (particularly authorization_domain_test.rs)
  3. Monitor CI - Verify all platforms (Linux/Windows/macOS) build successfully
  4. Test on Windows (if applicable) - Given the windows-sys updates, verify Windows compatibility if the project runs on Windows

Specific Test Commands

# Run authorization tests (--nocapture is a test-harness flag, so it goes after --)
cargo test authorization -- --nocapture

# Run domain-specific tests
cargo test authorization_domain_test -- --nocapture

# Run all tests
cargo test

Verdict

LGTM ✅ - This is a routine dependency update with no breaking changes or security concerns. The codebase has strong test coverage for casbin functionality, and the update is low-risk.
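
Both reviews describe this as a lockfile-only update that also moves windows-sys as a transitive dependency. The following added example (not part of the PR, Renovate's output or the project's code) lists every crate whose locked version set differs between two Cargo.lock texts; the lockfile excerpts are constructed from the versions quoted in the thread, and `unchanged` is a made-up crate name.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Map each crate name in Cargo.lock text to the set of versions locked for it
/// (one name can be locked at several versions, as windows-sys is in this thread).
fn locked_versions(lock: &str) -> BTreeMap<String, BTreeSet<String>> {
    let mut out: BTreeMap<String, BTreeSet<String>> = BTreeMap::new();
    let mut name: Option<String> = None;
    for line in lock.lines().map(str::trim) {
        if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            if let Some(n) = name.take() { // the file-level `version = N` header has no name
                out.entry(n).or_default().insert(v.trim_matches('"').to_string());
            }
        }
    }
    out
}

/// One entry per crate whose locked version set differs: "name: [removed] -> [added]".
fn lock_changes(before: &str, after: &str) -> Vec<String> {
    let (old, new) = (locked_versions(before), locked_versions(after));
    let names: BTreeSet<&String> = old.keys().chain(new.keys()).collect();
    let empty: BTreeSet<String> = BTreeSet::new();
    let mut changes = Vec::new();
    for n in names {
        let (o, w) = (old.get(n).unwrap_or(&empty), new.get(n).unwrap_or(&empty));
        let gone: Vec<&str> = o.difference(w).map(String::as_str).collect();
        let added: Vec<&str> = w.difference(o).map(String::as_str).collect();
        if !gone.is_empty() || !added.is_empty() {
            changes.push(format!("{}: [{}] -> [{}]", n, gone.join(", "), added.join(", ")));
        }
    }
    changes
}

/// Build constructed Cargo.lock text from (name, version) pairs.
fn sample_lock(pkgs: &[(&str, &str)]) -> String {
    pkgs.iter().map(|(n, v)| format!("[[package]]\nname = \"{n}\"\nversion = \"{v}\"\n\n")).collect()
}

fn main() {
    // Constructed excerpts: versions as quoted in the PR thread, "unchanged" is made up.
    let before = sample_lock(&[("casbin", "2.19.1"), ("unchanged", "1.0.0"),
                               ("windows-sys", "0.48.0"), ("windows-sys", "0.52.0")]);
    let after = sample_lock(&[("casbin", "2.20.0"), ("unchanged", "1.0.0"),
                              ("windows-sys", "0.59.0"), ("windows-sys", "0.61.1")]);
    println!("{}", lock_changes(&before, &after).join("\n"));
}
```

To review a real update, pass the contents of the base branch's Cargo.lock (for example from `git show main:Cargo.lock`) and the PR branch's Cargo.lock instead of the constructed samples.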
