chore(deps): update Tier 1 + Tier 2 dependencies (backend & frontend)

[staging-devin-ai-integration]

Summary

Updates all safe patch-level and 0.x minor-level dependencies across both backend (Cargo) and frontend (Bun).

Tier 1 — safe patch/lockfile bumps:

• cargo update (lockfile refresh for aws-lc-rs, opentelemetry-otlp, tar, toml, moq-lite, moq-native, hang, etc.)
• serde-saphyr 0.0.21 → 0.0.22
• bun update in ui/, docs/, e2e/ (codemirror suite, react-query 5.91, motion 12.38, zustand 5.0.12, astro 5.18, playwright 1.58, etc.)

Tier 2 — 0.x minor bumps with code fixes:

• bzip2 0.5 → 0.6 — now uses pure-Rust libbz2-rs-sys instead of C bzip2-sys
• getrandom 0.3 → 0.4
• tokio-tungstenite 0.28 → 0.29 (in apps/skit + apps/skit-cli)
• rand 0.9 → 0.10 — migrated Rng → RngExt trait imports in load test code
• Added cargo-deny license exception for libbz2-rs-sys (bzip2-1.0.6 license)

Bug fix:

• Fixed pre-existing TypeScript #private field error in waitForSignalValue by widening the parameter type from Signal<T> to Getter<T>. The function only uses peek() and subscribe() (both on the Getter interface), so using the concrete Signal class was unnecessarily strict and broke when bun deduplicated @moq/signals into separate physical copies under each @moq/* package.

Not included (Tier 3 — separate PRs):

• wasmtime/wasmtime-wasi 41 → 43
• astro 5 → 6, starlight 0.38
• knip 5 → 6

Review & Testing Checklist for Human

• Verify cargo deny check licenses passes (the libbz2-rs-sys exception in deny.toml is correctly scoped)
• Verify rand 0.10 RngExt migration in apps/skit-cli/src/load_test/{scenarios,workers,metrics}.rs — ensure sample_iter and random_range still work as expected
• Run just test locally to validate all backend tests pass
• Spot-check frontend behavior after bun dependency bumps (codemirror editor, motion animations, zustand stores)
• Verify waitForSignalValue still works correctly with Getter<T> — the MoQ stream connection flow should establish without regressions

Recommended test plan: just lint && just test, then start the dev server (just skit + just ui) and verify the compositor UI loads and basic streaming works.

Notes

• The Signal<T> → Getter<T> fix in waitForSignalValue also resolves the pre-existing TypeScript error on main at ui/src/stores/streamStoreHelpers.ts:490.

Link to Devin session: https://staging.itsdev.in/sessions/89e6e91be8c44642a4c13b8f5aed416a
Requested by: @streamer45

---

[staging-devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[staging-devin-ai-integration]

Devin Review found 2 potential issues.

View 2 additional findings in Devin Review.

Debug

Playground

[staging-devin-ai-integration]

🚩 getrandom 0.3→0.4 may have API changes affecting auth key generation

The getrandom dependency was bumped from 0.3 to 0.4, a major version bump. The usage at apps/skit/src/auth/stores/file.rs:342 calls getrandom::fill(&mut seed).map_err(...) which expects fill to return a Result. In getrandom 0.4, the fill function signature or error type may have changed. While any incompatibility would be caught by the compiler, the reviewer should verify this code path works correctly since it's in the security-critical auth key generation flow.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

Debug

Playground

[staging-devin-ai-integration]

Good callout. I verified this compiles cleanly with cargo clippy --workspace — the getrandom::fill API in 0.4 is compatible (still returns Result). The getrandom 0.3→0.4 bump is a semver major but the fill() function signature is unchanged. The compiler would catch any breakage here regardless.

[staging-devin-ai-integration]

Runtime Test Results — CodeMirror Deduplication Fix

Ran frontend locally (localhost:3045 via just ui) against local backend, tested the CodeMirror YAML pipeline editor via Playwright headless browser.

CodeMirror YAML Editor — Primary Fix

• It should load Stream view without ErrorBoundary crash — passed
• It should render CodeMirror YAML editor in Stream view with syntax highlighting — passed
• It should allow clicking into the Stream view editor (interactive) — passed
• It should load Convert view without ErrorBoundary crash — passed
• It should render CodeMirror YAML editor in Convert view with syntax highlighting — passed
• It should allow clicking into the Convert view editor (interactive) — passed
• It should have zero CodeMirror-related console errors — passed (0 errors — no "Unrecognized extension value" or "multiple instances of @codemirror/state")
• It should have zero uncaught page errors — passed (0 errors)

Stream View — CodeMirror Editor

Convert View — CodeMirror Editor

Notes

• Autocomplete (Ctrl+Space) was not tested because headless Playwright keyboard interactions with CodeMirror can be unreliable. The fact that all @codemirror/* extensions loaded without crashing proves they share the same @codemirror/state instance.
• The "Streaming is not configured" warning in Stream view is expected (requires moqGatewayUrl in server config, unrelated to this PR).
• Testing was done headless because the GUI browser didn't launch in this environment. Screenshots serve as visual evidence.