saorsa-labs · grumbach · Jan 30, 2026 · Feb 3, 2026 · Feb 3, 2026 · Feb 3, 2026
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
@@ -125,7 +125,7 @@ jobs:
     timeout-minutes: 15
     steps:
       - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@nightly
       - name: Install system dependencies
         run: |
           sudo apt-get update

diff --git a/Cargo.toml b/Cargo.toml
@@ -75,6 +75,8 @@ rand_chacha = "0.3"
 zeroize = { version = "1.8", features = ["derive"] }
 # Constant-time operations for cryptographic security
 subtle = "2.6"
+# Pin to fix stdsimd compilation error on newer Rust nightly (CVE-fix in 4.1.1+)
+curve25519-dalek = "4.1.3"
 # TODO: Remove once fully migrated to saorsa-pqc - keeping temporarily for compatibility
 blake3 = "1.6"
 hmac = "0.12"
@@ -134,7 +136,10 @@ reqwest = { version = "0.12", features = ["stream", "rustls-tls"], default-featu
 num_cpus = "1.16"
 
 # Database dependencies for message persistence (SQLite only, replaced sqlx to avoid rsa vulnerability)
+# Pin deadpool deps to avoid CI version conflict (deadpool-sync 0.1.5 pulls incompatible deadpool-runtime 0.2.0)
 deadpool-sqlite = "0.12.1"
+deadpool-runtime = "=0.1.4"
+deadpool-sync = "=0.1.4"
 rusqlite = { version = "0.37", features = ["chrono", "serde_json", "uuid", "bundled"] }
 
 # WebRTC implementation - using saorsa-webrtc with pluggable signaling

diff --git a/src/attestation/mod.rs b/src/attestation/mod.rs
@@ -29,26 +29,26 @@
 //! - **Phase 2**: Core Logic Extraction (saorsa-logic) ✅
 //!   - Pure derivation logic in `saorsa-logic` crate (no_std, zkVM-compatible)
 //!   - Integration via `derive_entangled_id`, `verify_entangled_id`, `xor_distance`
-//!   - zkVM proof structures defined in [`zkvm`] module
+//!   - zkVM proof structures defined in `zkvm` module
 //! - **Phase 3**: zkVM Integration (SP1 proofs) ✅
-//!   - [`prover`] module: Proof generation with `AttestationProver`
-//!   - [`verifier`] module: Proof verification with `AttestationVerifier`
-//!   - [`handshake`] module: Protocol for exchanging proofs during connection
-//!   - [`metrics`] module: Observability for verification timing and success rates
+//!   - `prover` module: Proof generation with `AttestationProver`
+//!   - `verifier` module: Proof verification with `AttestationVerifier`
+//!   - `handshake` module: Protocol for exchanging proofs during connection
+//!   - `metrics` module: Observability for verification timing and success rates
 //!   - Uses STARKs for post-quantum security (Groth16 available via feature flag)
 //!   - Mock prover for testing, real SP1 prover with `zkvm-prover` feature
 //!   - Groth16 verification with `zkvm-verifier-groth16` feature (NOT post-quantum)
 //! - **Phase 4**: Lightweight Signed Heartbeats ✅
-//!   - [`signed_heartbeat`] module: ML-DSA signed heartbeat proofs
-//!   - [`SignedHeartbeat`]: Lightweight liveness proof (microseconds vs VDF seconds)
-//!   - [`HeartbeatSigner`]: Generates signed heartbeats
+//!   - `signed_heartbeat` module: ML-DSA signed heartbeat proofs
+//!   - `SignedHeartbeat`: Lightweight liveness proof (microseconds vs VDF seconds)
+//!   - `HeartbeatSigner`: Generates signed heartbeats
 //!   - No expensive VDF computation - suitable for resource-constrained devices
 //!   - Multi-node-per-device deployment support
 //! - **Phase 5**: Heartbeat Protocol Integration ✅
-//!   - [`signed_heartbeat_manager`] module: Coordination of heartbeat lifecycle
-//!   - [`SignedHeartbeatManager`]: Generates, verifies, and tracks heartbeats
-//!   - [`network_resilience`] module: Intelligent network disruption handling
-//!   - [`trust_integration`] module: EigenTrust integration for heartbeat compliance
+//!   - `signed_heartbeat_manager` module: Coordination of heartbeat lifecycle
+//!   - `SignedHeartbeatManager`: Generates, verifies, and tracks heartbeats
+//!   - `network_resilience` module: Intelligent network disruption handling
+//!   - `trust_integration` module: EigenTrust integration for heartbeat compliance
 //!   - Epoch-based scheduling with configurable intervals
 //!   - Peer status tracking (Healthy → Suspect → Unresponsive)
 //!   - Trust score adjustments based on heartbeat compliance
@@ -76,7 +76,7 @@
 //! The attestation system now provides:
 //!
 //! 1. **EntangledId derivation**: Cryptographic binding of identity to software
-//! 2. **Handshake protocol**: [`AttestationHello`] exchange during connection
+//! 2. **Handshake protocol**: `AttestationHello` exchange during connection
 //! 3. **zkVM proofs**: Verify correct EntangledId derivation without revealing secrets
 //! 4. **Enforcement modes**: [`EnforcementMode::Soft`] (current) logs but doesn't reject
 //!

diff --git a/src/bgp_geo_provider.rs b/src/bgp_geo_provider.rs
@@ -17,10 +17,10 @@
 //! - Curated list of known hosting/VPN provider ASNs
 //!
 //! Data sources (all open/free):
-//! - RIPE RIS: https://www.ripe.net/analyse/internet-measurements/routing-information-service-ris
-//! - RouteViews: http://www.routeviews.org/
-//! - RIR delegation files: https://www.nro.net/statistics
-//! - PeeringDB (for hosting provider identification): https://www.peeringdb.com/
+//! - RIPE RIS: <https://www.ripe.net/analyse/internet-measurements/routing-information-service-ris>
+//! - RouteViews: <http://www.routeviews.org/>
+//! - RIR delegation files: <https://www.nro.net/statistics>
+//! - PeeringDB (for hosting provider identification): <https://www.peeringdb.com/>
 
 use crate::security::{GeoInfo, GeoProvider};
 use parking_lot::RwLock;