chore(supply-chain): pin Rust toolchain to 1.94.1 with commit SHA #30

Merged
brettdavies merged 1 commit into development from chore/pin-rust-toolchain on Apr 16, 2026

@brettdavies
Owner

Summary

Pin rust-toolchain.toml to a specific X.Y.Z release with a trailing rustc commit-SHA comment, replacing the
floating channel = "stable". Rustup verifies component SHA256s from the distribution manifest, so the version pin is
effectively a SHA pin (the manifest is the toolchain's lockfile). Both local and CI now read the same file and install
identical bits.

Mirrors the pattern just shipped in agentnative PR #17, which
was motivated by a real CI-only clippy failure during PR review: local clippy 1.94 passed a lint that CI clippy 1.95
rejected because channel = "stable" let rustc drift between environments.

Changelog

Type of Change

  • chore: Maintenance tasks (supply-chain toolchain pin)

Related Issues/Stories

Testing

  • All tests passing

Test Summary:

  • Unit tests: 185 passing
  • Integration tests: 38 + 14 = 52 passing
  • Live integration tests: 1 ignored (requires live X API)
  • Clippy: clean with -Dwarnings on rustc 1.94.1 (pinned)
  • Fmt: clean
  • Pre-push hook: passed (fmt, clippy, test, windows compat)

Files Modified

Modified:

  • rust-toolchain.toml — pinned channel = "1.94.1" with trailing comment naming the rustc commit SHA and release
    date; bumped from floating channel = "stable". Added 4 lines of header comments documenting the supply-chain
    rationale and the ≥7-day quarantine policy.

Key Details

Toolchain pin format: channel = "1.94.1" # rustc e408947bfd200af42db322daf0fadfe7e26d3bd1, released 2026-03-25.
Comment mirrors the GitHub Actions SHA-pin pattern (action@<sha> # vN.N.N).

Policy: bump the channel only via reviewed PR, after the new stable has aged ≥7 days. Matches the broader
brettdavies supply-chain posture (UV_EXCLUDE_NEWER, bun minimumReleaseAge, npm_config_min_release_age already
in dotfiles).

MSRV compatibility: bird's rust-version = "1.87"; 1.94.1 satisfies it comfortably.

No hook / workflow changes needed: neither scripts/hooks/pre-push, .githooks/pre-push, nor any
.github/workflows/*.yml file references rustup update or pins a specific toolchain version — rustup reads
rust-toolchain.toml automatically on every cargo invocation, so the single-file change is sufficient.

Benefits

  • Local and CI toolchains are guaranteed identical — no more "local clippy older than CI clippy" false greens
  • Toolchain updates route through reviewed PRs with a 7-day quarantine
  • Consistent with the supply-chain-pin pattern applied across brettdavies repos (GitHub Actions SHA pins, Docker image
    digest pins, package-manager lockfiles)

Breaking Changes

  • No breaking changes

Deployment Notes

  • No special deployment steps required

Checklist

  • Code follows project conventions and style guidelines
  • Commit messages follow Conventional Commits
  • Self-review of code completed
  • No new warnings or errors introduced
  • Changes are backward compatible

Pin rust-toolchain.toml to a specific release instead of floating `stable`.
Rustup verifies component SHA256s from the distribution manifest — the
version pin is effectively a SHA pin. Trailing comment documents the rustc
commit SHA for audit, mirroring the GitHub Actions SHA-pin pattern
(action@<sha> # vN.N.N).

Both local and CI now read rust-toolchain.toml and install identical bits.
Matches the pattern applied in agentnative.

Policy: bump the channel only via reviewed PR, after the new stable has
aged ≥7 days. This matches UV_EXCLUDE_NEWER / bun minimumReleaseAge /
npm_config_min_release_age quarantine already in dotfiles.
@brettdavies brettdavies merged commit ebf999f into development Apr 16, 2026
6 checks passed
@brettdavies brettdavies deleted the chore/pin-rust-toolchain branch April 16, 2026 17:15
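
An added example, not part of this pull request or the repository: a standard-library-only Rust check that a `channel` line follows the pin format described above (full X.Y.Z version, trailing `rustc <sha>, released <date>` comment) and that the release has aged at least 7 days. The names `check_pin`, `PinError` and `days_from_civil` are hypothetical, and the caller supplies today's date.

```rust
// Added example: lint one `channel = ...` line from rust-toolchain.toml.
// PinError, check_pin and days_from_civil are hypothetical names.
#[derive(Debug, PartialEq)]
enum PinError { Floating(String), MissingAudit, BadSha, BadDate, TooFresh(i64) }

/// Days since 1970-01-01 for a Gregorian date (standard civil-date arithmetic).
fn days_from_civil(y: i64, m: i64, d: i64) -> i64 {
    let y = if m <= 2 { y - 1 } else { y };
    let era = y.div_euclid(400);
    let yoe = y - era * 400;
    let doy = (153 * ((m + 9) % 12) + 2) / 5 + d - 1;
    era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468
}

/// Returns the release age in days if the line is a full X.Y.Z pin whose
/// trailing comment reads `rustc <40-hex sha>, released YYYY-MM-DD`.
fn check_pin(line: &str, today: (i64, i64, i64), min_age: i64) -> Result<i64, PinError> {
    let (kv, comment) = match line.split_once('#') {
        Some((k, c)) => (k, Some(c)),
        None => (line, None),
    };
    let channel = kv.split_once('=').map(|(_, v)| v.trim().trim_matches('"')).unwrap_or("");
    let parts: Vec<&str> = channel.split('.').collect();
    // Anything that is not three numeric components ("stable", "1.94") can drift.
    if parts.len() != 3 || !parts.iter().all(|p| !p.is_empty() && p.bytes().all(|b| b.is_ascii_digit())) {
        return Err(PinError::Floating(channel.to_string()));
    }
    let rest = comment.map(str::trim).and_then(|c| c.strip_prefix("rustc ")).ok_or(PinError::MissingAudit)?;
    let (sha, tail) = rest.split_once(", released ").ok_or(PinError::MissingAudit)?;
    if sha.len() != 40 || !sha.bytes().all(|b| b.is_ascii_hexdigit()) {
        return Err(PinError::BadSha);
    }
    let ymd: Vec<i64> = tail.trim().trim_end_matches('.').split('-').filter_map(|p| p.parse().ok()).collect();
    if ymd.len() != 3 || !(1..=12).contains(&ymd[1]) || !(1..=31).contains(&ymd[2]) {
        return Err(PinError::BadDate);
    }
    let age = days_from_civil(today.0, today.1, today.2) - days_from_civil(ymd[0], ymd[1], ymd[2]);
    if age < min_age { return Err(PinError::TooFresh(age)); }
    Ok(age)
}

fn main() {
    // Pin line and merge date as given on this page; "stable" is the value it replaced.
    let pinned = "channel = \"1.94.1\" # rustc e408947bfd200af42db322daf0fadfe7e26d3bd1, released 2026-03-25";
    println!("{:?}", check_pin(pinned, (2026, 4, 16), 7));
    println!("{:?}", check_pin("channel = \"stable\"", (2026, 4, 16), 7));
}
```

The check validates only the shape of the audit comment; confirming that the SHA matches the installed compiler means comparing it with the `commit-hash` field printed by `rustc -vV`.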