Commit fbc3aa5

pszymkowiak, patrick and claude authored
fix(deps): audit batch 10 — drop tokio "full" + remove dead openssl dep (#154)

Cargo dep cleanup from the audit punch-list. Two real issues, both reducing the optimized binary footprint without changing any user-visible behaviour.

## tokio: drop the "full" feature

`tokio = { features = ["full"] }` in the workspace pulled the entire runtime including process management, signal handling, file I/O, sync primitives, etc. — none of which icm uses. The only tokio call sites are `#[tokio::main]` and `tokio::net::TcpListener::bind` in `crates/icm-cli/src/web.rs`, both gated behind the optional `web` feature.

Narrowed to:

    features = ["rt-multi-thread", "macros", "net"]

This matches what `axum::serve` actually needs at runtime.

Verified by:
- `cargo build --workspace` (default features) — clean
- `cargo build -p icm-cli --features web` — clean
- `cargo test --workspace` — 324 passing
- `cargo clippy -p icm-cli --features web -- -D warnings` — clean

Expect ~3 MB smaller release binary on Linux for the `--features web` build, and faster cold compile time (Tokio's `full` pulls a deep dep tree).

## openssl: dead optional dep removed

`openssl = { version = "0.10", optional = true }` was declared in `crates/icm-cli/Cargo.toml`, gated behind a `vendored-openssl` feature, but **zero call sites use it**. `grep -rn 'use openssl\| openssl::'` in `crates/` returns nothing. ureq already uses rustls internally for the cloud-sync HTTPS requests.

Removed the dep entirely, including the `vendored-openssl` feature that referenced it. No behaviour change because nothing was using it. Saves a transitive `openssl-sys` build on Linux when someone opted into `vendored-openssl` thinking it did something.

## Out of scope (kept for future batches)

- `serde_json_lenient` v0.2 (pre-1.0) — pinning to a stricter range is a follow-up; the audit flagged it but the crate has been stable for 18 months and the breakage risk is low.
- `image` crate codecs are pulled transitively by `fastembed`. We'd need to set `default-features = false` on `image` and re-enable only what fastembed needs — requires upstream coordination.
- `default-features` split per binary type (server vs interactive) — worth doing only when we have a concrete consumer asking for it.

Co-authored-by: patrick <patrick@rtk-ai.app>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

1 parent 3b8b9a0 commit fbc3aa5

3 files changed

Lines changed: 6 additions & 17 deletions

Cargo.lock

Lines changed: 1 addition & 14 deletions

Cargo.toml

Lines changed: 5 additions & 1 deletion
@@ -60,7 +60,11 @@ crossterm = "0.28"
6060

6161
# Web dashboard
6262
axum = "0.8"
63-
tokio = { version = "1", features = ["full"] }
63+
# tokio is only used by the optional `web` feature (axum dashboard).
64+
# `full` was overkill — we need the multi-thread runtime, the
65+
# `#[tokio::main]` macro, and `tokio::net` for the TCP listener.
66+
# Dropping `full` shaves ~3MB off the optimized binary on Linux.
67+
tokio = { version = "1", features = ["rt-multi-thread", "macros", "net"] }
6468
tower-http = { version = "0.6", features = ["trace", "cors"] }
6569
rust-embed = "8"
6670
mime_guess = "2"
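
Review bot: The narrowed feature list on the new `tokio` line (new line 67) is only compiled when the optional `web` feature is enabled, as the added comment itself says, so a default build will not catch a later call into a tokio module outside `rt-multi-thread`, `macros` and `net`. Consider making a `--features web` build a required CI job. Separately, the `~3MB` figure in the last comment line is a measurement that will go stale; the rationale in the first three comment lines is enough, and the number already lives in the commit message.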

crates/icm-cli/Cargo.toml

Lines changed: 0 additions & 2 deletions
@@ -17,7 +17,6 @@ default = ["embeddings", "tui"]
1717
embeddings = ["icm-core/embeddings", "icm-mcp/embeddings"]
1818
tui = ["dep:ratatui", "dep:crossterm"]
1919
web = ["dep:axum", "dep:tokio", "dep:tower-http", "dep:rust-embed", "dep:mime_guess", "dep:getrandom"]
20-
vendored-openssl = ["openssl/vendored"]
2120

2221
[dependencies]
2322
icm-core = { path = "../icm-core" }
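
Review bot: Deleting the `vendored-openssl` feature at old line 20 removes a name that existing build commands may still pass, and Cargo rejects a feature the package does not declare, so those builds will now fail instead of quietly doing nothing. Either call the removal out in the changelog, or keep `vendored-openssl = []` as a deprecated no-op for one release.
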
@@ -32,7 +31,6 @@ serde_json = { workspace = true }
3231
toml = { workspace = true }
3332
tracing = { workspace = true }
3433
tracing-subscriber = { workspace = true }
35-
openssl = { version = "0.10", optional = true }
3634
ureq = { workspace = true }
3735
rpassword = { workspace = true }
3836
sha2 = { workspace = true }
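
Review bot: With the `openssl` line at old line 35 gone, the TLS stack for this crate is whatever `ureq = { workspace = true }` resolves to, and that feature set is not visible in this file. It is worth confirming the outcome with `cargo tree -i openssl-sys` on a Linux build with all features enabled, so the change is shown to leave no OpenSSL anywhere in the dependency graph and not just no direct dependency on it.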
