build(deps): bump freenet-stdlib 0.3.5 → 0.6.0 with V10 delegate migration

[sanity]

Problem

River pins freenet-stdlib = "0.3.5" and is three minor versions behind the just-released 0.6.0 (see freenet-core 0.2.44 for the matching host release). Running without this bump means:

• River delegates cannot receive MessageOrigin::Delegate(..) attestations (no scenario today, but the API surface is there);
• The #[non_exhaustive] hardening on InboundDelegateMsg, UpdateData, MessageOrigin, etc. from 0.6.0 means any future variant addition would silently break river at the source level without a wildcard arm;
• River keeps accumulating stdlib debt.

The 0.2.44 freenet-core release is already running clean on nova + vega gateways (~4 hour soak, no regressions, VisitedPeers bloom filter populating correctly).

Approach

Mechanical stdlib bump with wildcard arms where the 0.6.0 non_exhaustive attribute now requires them. No behavioural change for known variants.

Source fixes (5 sites)

• contracts/room-contract/tests/common/test_utils.rs — 0.4.0 terminology rename seeding_contracts → hosting_contracts.
• delegates/chat-delegate/src/lib.rs — three exhaustive matches get wildcard arms. The MessageOrigin match gains an explicit Some(MessageOrigin::Delegate(caller_key)) arm that rejects inter-delegate calls: chat-delegate is driven exclusively by the River web app via WebApp, and there is no scenario today where another delegate should be able to invoke it.
• contracts/room-contract/src/lib.rs — replaced _ => unreachable!() on the UpdateData match with _ => Err(InvalidUpdate). A panic inside contract WASM kills the runtime for the room; returning InvalidUpdate is recoverable. With 0.6.0 making the enum non_exhaustive, future variants could actually reach this arm.
• ui/src/components/app/freenet_api/response_handler/update_notification.rs — _ => warn!("unknown UpdateData variant, ignored") wildcard matching the existing Related* arms.

Drive-by

• common/tests/migration_test.rs — fixes a pre-existing clippy manual_is_multiple_of lint. Eight other pre-existing clippy warnings in ui/src/ are out of scope for this PR — river's CI has clippy disabled (.github/workflows/clippy.yml.disabled) so none of these gate the build. Follow-up issue to be filed for re-enabling clippy CI + cleaning up.

Migration (V10)

Added V10 entry to legacy_delegates.toml before any WASM-altering edits landed in the working tree, per .claude/rules/river-publish.md. The V10 entry records the CURRENT deployed V9-era delegate's hash:

```
[[entry]]
version = "V10"
description = "Before freenet-stdlib 0.6.0 bump (non_exhaustive hardening + MessageOrigin::Delegate)"
delegate_key = "c2c96b97ab5e2f38bfdfb1ea697906fb947a5cdbaea25747f4670561b3edb61b"
code_hash = "9ef1e02d5c99d9a9743972c5e618e061e0e2278658cfa178900b31a2834313c1"
```

When users' River clients update after this merges and is republished, they will migrate room data from the old V9-era delegate key to the new V10+ delegate key via the LEGACY_DELEGATES array generated from this TOML by ui/build.rs.

Migration-chain risk — assessed low

• The stdlib 0.5.0 and 0.6.0 CHANGELOG is explicit that bincode discriminants for existing variants are unchanged; wire format is preserved. Wire-format pin tests at freenet-stdlib/rust/src/delegate_interface.rs:1205+ lock the InboundDelegateMsg::ApplicationMessage tag. The V4-V6 removal cause (bincode wire mismatch) does not apply here. V10 migration probe should succeed.
• Will still grep nova logs post-publish for de/serialization error.*Invalid size (V4-V6 failure signature) as a belt-and-suspenders check.

Pre-existing V9 entry drift (noted by skeptical reviewer, not addressed in this PR)

V9 lists code_hash=3a794f5e… but git history shows the actual deployed chat_delegate.wasm since commit 7456f51b has been 9ef1e02d…. Nothing in the TOML corresponds to 3a794f5e… being on disk. Either V9 was recorded from an ephemeral local build or the real "V9.5" deployed state was never recorded until now as V10. This PR's V10 entry is correct for what's actually been deployed, so users are protected. The stale V9 entry is out of scope here; follow-up issue will be filed.

WASMs rebuilt

File	Purpose
ui/public/contracts/chat_delegate.wasm	New chat delegate (code_hash 05bc461d…)
ui/public/contracts/room_contract.wasm	New room contract
cli/contracts/room_contract.wasm	Synced to match (byte-identical, verified sha256 ade1e4a0…)

Built via cargo make sync-wasm after the stdlib bump landed. Staged explicitly by name — never git add -A per .claude/rules/wasm-safety.md.

Testing

• cargo make build — full workspace build succeeds in ~5 min
• cargo test --package room-contract --features net — clean
• cargo test -p river-core --test delegate_key_test — clean
• cargo test -p river-core --test migration_test — 4 tests pass
• cargo test -p chat-delegate — 10 tests pass (9 existing + 1 new regression for `MessageOrigin::Delegate` rejection path — addresses code-first + testing reviewer feedback)
• cargo make check-migration — confirms V9 → V10 migration entry exists and matches committed WASM hashes
• cargo check -p river-ui --target wasm32-unknown-unknown --features no-sync — clean

Not run locally

• Playwright tests — the only UI code change is a trivial new warn! arm on the UpdateData wildcard; CI will exercise them automatically. Per AGENTS.md Playwright is "REQUIRED before publishing"; this PR does not publish, so the CI gate covers us. Will re-run locally if the CI run flags anything.

Review status

All four internal reviewers completed:

• Code-first: Clean mechanical bump. Verified V10 migration hashes match parent-commit WASM bytes. WASM sync across 3 paths verified byte-identical. Only actionable finding: add a test for the new Delegate-origin rejection path — addressed in 4779211.
• Testing: Same test gap — addressed. Flagged manual V9→V10 migration probe as a pre-publish (not pre-merge) requirement. Filing follow-up issues for: automated host-runtime migration harness, unknown UpdateData variant test, MessageOrigin bincode compat test.
• Skeptical: "Ship it. Migration math is correct; wire format is preserved; WASMs are in sync. No correctness defects introduced by this PR." Pre-existing V9 entry drift noted above.
• Big-picture: Goal-aligned, no removals, no anti-patterns, migration entry hygiene compliant with V7-V9 format. Safe to merge after CI green.

Post-merge publish plan

1. Merge this PR to main (after CI green)
2. Pull main locally
3. Manual V9→V10 migration probe on a local node (register V9 chat_delegate.wasm from the parent commit, store a secret, swap to V10 WASM, verify the secret is readable). If the probe fails, same V4-V6 cleanup applies.
4. cargo make publish-all — coordinated republish of BOTH River UI to Freenet AND riverctl to crates.io (they both embed room contract WASM and derive the contract key from it, so they MUST stay in lockstep)
5. Smoke-test riverctl member list against nova
6. Grep nova/vega logs for de/serialization error.*Invalid size — V4-V6 failure signature
7. Move to delta and ghostkeys upgrades (same pattern)

Follow-up issues to file

• Re-enable clippy CI and clean up 8 pre-existing ui/src/ lint errors
• Automated host-runtime migration harness (cargo test that runs old delegate WASM on current host to verify migration chain)
• Unknown UpdateData variant test for room-contract
• MessageOrigin bincode compat test in river/common
• V9 legacy_delegates.toml entry drift — annotate or remove

Related

• Unblocks parallel stdlib bumps for delta and ghostkeys
• Matches freenet-core 0.2.44 (merged + released earlier today)
• freenet-stdlib 0.6.0 on crates.io

[AI-assisted - Claude]