update: upgrade deps and forward-port unreleased upstream russh fixes #193

Merged
inureyes merged 1 commit into main from update/upgrade-deps-and-russh-fixes
Apr 28, 2026
@inureyes
Summary

Upgrades workspace dependencies for bssh and bssh-russh, and forward-ports two unreleased upstream russh fixes (post-v0.60.1) so we get them ahead of the next russh release. Also fixes the patch infrastructure so sync-upstream.sh actually works and auto-retires patches once they land upstream.

Dependency bumps

bssh

  • tokio 1.51.1 → 1.52.1
  • clap 4.6.0 → 4.6.1
  • tracing 0.1.43 → 0.1.44
  • lru 0.16.2 → 0.17.0 (major; sources unaffected)
  • uuid 1.23.0 → 1.23.1
  • tokio-util 0.7.17 → 0.7.18

bssh-russh

  • aws-lc-rs 1.16.2 → 1.16.3
  • ecdsa rc.16 → rc.17
  • elliptic-curve rc.30 → rc.31
  • p256/p384/p521 rc.8 → rc.9
  • tokio 1.51.1 → 1.52.1
  • Pin pkcs5 = "=0.8.0-rc.13" because pkcs8 0.11.0-rc.11 still calls the rc.13-era Parameters::recommended API; stable pkcs5 0.8.0 renamed it to generate_recommended and breaks the build until pkcs8 ships a matching stable.

The wider RustCrypto trait stack (aes 0.9, digest 0.11, sha1/sha2 0.11, hmac 0.13, pbkdf2 0.13, getrandom 0.4, inout 0.2, block-padding 0.4, etc.) was deliberately not bumped here — bssh-russh is a temporary fork tracking upstream russh v0.60.1, which intentionally still uses the older stack. Diverging would break sync-upstream.sh. Upstream main is currently mid-transition (dual-version setup); we sync when they release.

Upstream russh forward-ports

Latest released russh = v0.60.1 (same as us). Three commits exist on main past v0.60.1; two are functional fixes worth forward-porting, one is CI tooling only.

Upstream / Effect / Forward-ported as:

  • #690 (5cceacf): Exclude SHA-1 MACs from Preferred::DEFAULT/COMPRESSED. Forward-ported as patches/sha1-mac-exclude.patch
  • #693 (c31cbc9): Fix channel write ordering: is_empty() && is_rekeying → is_empty() || is_rekeying so new data queues behind existing pending data even outside rekey. Forward-ported as patches/channel-write-ordering.patch
  • #694: cargo-minimal-versions floor pins (no runtime effect). Skipped

Patch infrastructure refactor

The pre-existing patches/handle-data-fix.patch had absolute paths (/Users/...) that patch -p1 could not strip — it had been broken since inception. While here:

  • All patches now use standard a/src/..., b/src/... paths so patch -p1 works cleanly
  • sync-upstream.sh now iterates every patches/*.patch and, before applying each one, runs patch -p1 -R --dry-run first. If reverse-apply succeeds the change is already in upstream, so the patch is logged as obsolete and skipped
  • At sync end, obsolete patches are listed with a ready-to-paste rm command

This means cherry-picks auto-retire when upstream releases a version including them.

Style

cargo clippy --fix applied 5 pre-existing collapsible-match-guard suggestions (unrelated to dep work) per /ship step 1.

Test plan

  • cargo build --workspace clean
  • cargo test -p bssh --lib — 1187/1187 pass
  • cargo clippy -p bssh-russh --no-deps clean
  • Patch loop simulation against current tree → all 3 [skip] (already applied)
  • Patch loop simulation against upstream v0.60.1 → all 3 [apply]
  • Patch loop simulation against upstream main → cherry-picks [skip], handle-data-fix [apply]
  • Pre-existing localhost SSH integration tests still skip-or-fail on environments without SSHD (no regression)

Dependency bumps
- bssh: tokio 1.52.1, clap 4.6.1, tracing 0.1.44, lru 0.17,
  uuid 1.23.1, tokio-util 0.7.18
- bssh-russh: aws-lc-rs 1.16.3, ecdsa rc.17, elliptic-curve rc.31,
  p256/p384/p521 rc.9, tokio 1.52.1
- Pin pkcs5="=0.8.0-rc.13" because pkcs8 0.11.0-rc.11 still calls
  the rc.13-era Parameters::recommended API; stable 0.8.0 renamed
  it to generate_recommended and breaks the build

Upstream russh forward-ports (unreleased post-v0.60.1 main commits)
- #690: exclude SHA-1 MACs from Preferred::DEFAULT/COMPRESSED
- #693: fix channel write ordering when pending_data is non-empty
  (is_empty() && is_rekeying -> is_empty() || is_rekeying)

Patch infrastructure
- Regenerate handle-data-fix.patch using standard a/src, b/src paths
  (was unusable absolute paths) so patch -p1 works
- Add patches/sha1-mac-exclude.patch and channel-write-ordering.patch
  as separate forward-ports for change tracking
- Refactor sync-upstream.sh to iterate patches/ and reverse-apply
  --dry-run first; if it succeeds the change is already in upstream
  so the patch is auto-skipped and listed as obsolete

Style
- Apply pre-existing clippy suggestions for collapsible match guards
@inureyes added the type:dependency, status:review and priority:medium labels on Apr 28, 2026
@inureyes merged commit 60e1bec into main on Apr 28, 2026
1 of 2 checks passed
@inureyes deleted the update/upgrade-deps-and-russh-fixes branch on April 28, 2026 17:18
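
The reverse-apply check described under "Patch infrastructure refactor", as an added example that is not the project's sync-upstream.sh: each patch is first tried with `patch -p1 -R --dry-run`, and only applied when that fails and a forward dry-run succeeds. The function names, the `-s`/`-f` flags, the three trees, `src/demo.txt` and `demo-fix.patch` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the project's sync-upstream.sh; trees, file and patch are constructed.

# classify_patch TREE ABS_PATCH -> prints skip | apply | conflict
classify_patch() {
    # -s (quiet) and -f (never prompt) are additions; the page names -p1 -R --dry-run
    if (cd "$1" && patch -p1 -R --dry-run -s -f < "$2") >/dev/null 2>&1; then
        echo skip        # reverse applies cleanly: the change is already in the tree
    elif (cd "$1" && patch -p1 --dry-run -s -f < "$2") >/dev/null 2>&1; then
        echo apply
    else
        echo conflict    # fits in neither direction: needs manual review
    fi
}

# sync_patches TREE PATCHDIR -> applies needed patches, prints "<state> <file>" per patch
sync_patches() {
    for p in "$2"/*.patch; do
        [ -e "$p" ] || continue
        state=$(classify_patch "$1" "$p")
        if [ "$state" = apply ]; then
            (cd "$1" && patch -p1 -s -f < "$p") >/dev/null || state=failed
        fi
        echo "$state $(basename "$p")"
    done
}

# demo: three constructed trees and one constructed patch using a/ and b/ paths
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/patches" "$work/released/src" "$work/main/src" "$work/diverged/src"
    printf 'head\ncond = is_empty() && is_rekeying\ntail\n' > "$work/released/src/demo.txt"
    printf 'head\ncond = is_empty() || is_rekeying\ntail\n' > "$work/main/src/demo.txt"
    printf 'head\ncond = rewritten_elsewhere\ntail\n' > "$work/diverged/src/demo.txt"
    cat > "$work/patches/demo-fix.patch" <<'EOF'
--- a/src/demo.txt
+++ b/src/demo.txt
@@ -1,3 +1,3 @@
 head
-cond = is_empty() && is_rekeying
+cond = is_empty() || is_rekeying
 tail
EOF
    for t in released main diverged; do sync_patches "$work/$t" "$work/patches"; done
    rm -rf "$work"
}

demo
```

The `conflict` state covers a tree where the patched lines have changed in some third way, so the patch is neither silently dropped nor force-applied.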