deps: bump vgi-rpc from 0.2.0 to 0.3.0

[dependabot]

Bumps vgi-rpc from 0.2.0 to 0.3.0.

Changelog

Sourced from vgi-rpc's changelog.

[0.3.0] — 2026-06-18

Headline: a new vgi-rpc-client crate — a blocking, dynamic, schema-first client for the canonical wire protocol — validated by running the Python reference conformance suite against it across pipe / subprocess / unix / HTTP / shm, driving the Rust, Python, and Go conformance servers.

• Added the vgi-rpc-client crate. RpcClient (unary / producer / exchange / cancel / describe / transport_options) over the byte-stream transports (subprocess, AF_UNIX, pipe, shm) plus an HttpClient. HTTP production surface: transparent external-location resolution, sticky sessions (with a session stack for nesting), 413 request-externalization via vended upload URLs, 415/zstd request-codec negotiation, a default request timeout, and connection-level retry on idempotent calls (never on exchange). The lockstep stream session opens its output reader lazily so it is compatible with both the Rust server (writes the output schema first) and the Python server (reads the input schema first). Native tests cover in-process round-trips and HTTP fault injection (timeout / retry / garbage responses).
• Added a lightweight external cargo feature on vgi-rpc (zstd only, no axum/tokio server stack) so a client can reuse the external-location module; http now implies external.
• Added external::fetch_external_ipc_bytes, and resolve_external_location now merges the inner externalized batch's metadata in addition to the outer pointer's — peers differ on where they stamp per-batch keys like the stream-state token (Rust on the outer pointer, Python inside the payload), and the client resolves either layout.
• Changed the HTTP unary and stream-init handlers to run inside call_guard, so a panicking handler surfaces as a structured Arrow EXCEPTION batch (HTTP 200) matching the stdio/unix loop, rather than a bare 500. New http_panic integration test.
• Internal the CallContext::with_auth_cookies / set_sticky helpers are now gated behind the http feature (they are http-only; this keeps non-http builds warning-clean). The conformance harness (scripts/conf.py, test_rust_conformance.py) gained --role {server,client} / --server {rust,python,go} so the Rust client is conformance-tested against all three servers, and CI runs a {server,rust} / {client,rust} / {client,python} matrix.

Commits

• ef0e4ce release: 0.3.0 — vgi-rpc-client + additive vgi-rpc changes
• c7343bc vgi-rpc: gate http-only CallContext helpers behind the http feature
• f4f63fe Add vgi-rpc-client crate + cross-language conformance + CI
• a175a33 http: isolate handler panics into the Arrow error envelope
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[rustyconover]

Holding — not merging yet. vgi 0.5.0 (latest SDK) transitively pins vgi-rpc ^0.2.0. Bumping the direct vgi-rpc to 0.3 pulls two incompatible vgi-rpc versions (TableProducer/OutputCollector trait mismatch — verified locally). Will merge in lockstep when vgi adopts vgi-rpc 0.3. Leaving open as a tracker.

[rustyconover]

Superseded — closing. main now pins vgi-rpc 0.4.0 directly, in lockstep with vgi 0.6.0 (which requires vgi-rpc ^0.4.0), pushed with the MSRV bump to Rust 1.90. The 0.3.0 bump here is below 0.4.0 and no longer applicable.

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.