Harden the leptos/dioxus dependency-update workflow

#1 in tonybierman/arium — merged 2026-05-24

Makes staying current with Leptos/Dioxus releases (and the wider dep tree) less painful and less risky. Detection of outdated deps already existed (nightly cargo outdated/audit); this adds the pieces that catch breakage and make resolution reproducible.

Changes

1. Server-fn HTTP round-trip test, per adapter (crates/arium-{leptos,dioxus}/tests/server_fn_roundtrip.rs). Boots the real install-layered router on an ephemeral port and drives register → login → authenticated read → logout over HTTP with a cookie jar. The adapters previously had zero runtime tests (the engine has 112) — they were only cargo check-compiled, so a framework release that compiled but changed the server-fn wire format / response shape / session-cookie handling would pass CI silently. These turn that red. (Confirmed empirically: Leptos posts form-encoded; Dioxus #[post] takes JSON and reads the profile via #[get].)

2. Pin dioxus-primitives to an explicit git rev in both manifests. It's a git dep with no crates.io release, so a bare cargo update could otherwise pull a breaking HEAD.

3. Dependabot (.github/dependabot.yml): weekly, grouped cargo + github-actions updates, with dioxus and leptos each in their own isolated group so a framework bump (0.x minor = breaking) lands as a standalone, separately-reviewable PR rather than buried in a batch.

4. rust-toolchain.toml pins the compiler (1.95.0 + rustfmt/clippy + wasm32). A toolchain bump becomes a deliberate PR instead of silent drift through the gating clippy job. CI now provisions from the file (rustup show) instead of dtolnay/rust-toolchain@stable, so the file is the single source of truth.

5. Wasm-target logic test, per adapter (tests/wasm_client.rs). Runs in Node via wasm-bindgen-test-runner (no browser), exercising the re-exported wire-type serde round-trip (and, for Leptos, friendly_server_error) on the client/hydrate build — turning the wasm job from "compiles" into "runs". New wasm-test CI job auto-derives the matching wasm-bindgen version from the resolved graph, so a wasm-bindgen bump needs no edit here.

6. Commit Cargo.lock (un-gitignored). Without it, CI resolved fresh on every run, so a compatible-but-broken upstream release could redden an unrelated PR and not reproduce locally. Now every build resolves identically and dependency bumps show up as explicit lockfile diffs.

Notes

• Dev-deps are split by target (native server stack under cfg(not(wasm32)), wasm-bindgen-test under cfg(wasm32)) and each test file is cfg-guarded, so a --target wasm32 test build never pulls the tokio/sqlx/reqwest stack that can't build for wasm.
• The Dioxus round-trip test mounts via register_server_functions() onto FullstackState::headless() because dioxus::server::router(app) requires a built public/ asset dir.

Verification (local)

• Both round-trip tests pass (real HTTP).
• Both wasm tests pass in Node.
• cargo fmt --all --check clean; cargo clippy --tests -- -D warnings clean on both adapters.
• Toolchain pin active (1.95.0); Cargo.lock resolves cleanly under --locked.

🤖 Generated with Claude Code