
security: wasmtime 29.0.1 has 5 critical RUSTSECs — upgrade to >=36.0.7 #166

Description

@metavacua

Summary

`crates/model-compute/Cargo.toml` pins `wasmtime = { version = "29", optional = true, ... }`, which resolves to wasmtime 29.0.1 in `Cargo.lock`. wasmtime 29.0.1 has five active security advisories:

| Advisory | Title | Fix |
|---|---|---|
| RUSTSEC-2026-0021 | Panic on out-of-bounds table access | >=36.0.7 |
| RUSTSEC-2026-0085 | Data race in async host functions | >=36.0.7 |
| RUSTSEC-2026-0086 | Use-after-free in component model | >=36.0.7 |
| RUSTSEC-2026-0087 | Bounds check bypass in memory64 | >=36.0.7 |
| RUSTSEC-2026-0088 | Stack overflow in recursive component adapters | >=36.0.7 |

Impact

wasmtime is optional behind the wasm-jit feature flag in model-compute. Users who do not enable this feature are not exposed.
However, any cargo-audit run against this workspace will flag these advisories, blocking adoption of security scanning CI (see #165).

Fix

In `crates/model-compute/Cargo.toml`, change:

```toml
# before
wasmtime = { version = "29", optional = true, ... }

# after
wasmtime = { version = ">=36.0.7", optional = true, ... }
```

Then run `cargo update -p wasmtime` to update `Cargo.lock`.

wasmtime 36–44 maintains API compatibility for the cranelift + runtime + std feature set used here. The fork (metavacua/larql-to-sparql) already carries this change and its Cargo.lock resolves to wasmtime 44.0.2/45.0.1.

Note on rust-version

wasmtime 45.x declares rust-version = "1.93.0", which is above the workspace rust-version = "1.88". If resolution lands on 45.x, the workspace rust-version declaration will need updating as well (tracked in a separate issue).
