Found two concrete issues:

• security-utils/src/reqwest.rs:154: This changes the shared client from TLS 1.2 minimum to TLS 1.3 minimum. That disables TLS 1.2 fallback entirely, so any pinned-CA endpoint that still only supports TLS 1.2 will fail even though the previous helper allowed it and TLS negotiation would still prefer 1.3 when available. Use TLS_1_2 unless the intended policy is explicitly TLS 1.3-only.

• security-utils/Cargo.toml:18 / security-utils/src/reqwest.rs:156: allow-http can be enabled in any build, including release, and then the shared helper silently disables https_only for all consumers in that Cargo build graph. Since this crate is meant to enforce HTTPS-only, this should have a hard guard like compile_error! for feature = "allow-http" outside debug/test builds, or be split into test-only construction that cannot be selected for production artifacts.

I could not run cargo check in this sandbox because rustup tried to write under a read-only home directory.

Found two concrete issues:

• security-utils/src/reqwest.rs:154: This changes the shared client from TLS 1.2 minimum to TLS 1.3 minimum. That disables TLS 1.2 fallback entirely, so any pinned-CA endpoint that still only supports TLS 1.2 will fail even though the previous helper allowed it and TLS negotiation would still prefer 1.3 when available. Use TLS_1_2 unless the intended policy is explicitly TLS 1.3-only.
• security-utils/Cargo.toml:18 / security-utils/src/reqwest.rs:156: allow-http can be enabled in any build, including release, and then the shared helper silently disables https_only for all consumers in that Cargo build graph. Since this crate is meant to enforce HTTPS-only, this should have a hard guard like compile_error! for feature = "allow-http" outside debug/test builds, or be split into test-only construction that cannot be selected for production artifacts.

I could not run cargo check in this sandbox because rustup tried to write under a read-only home directory.

you should admit urself in a scrapyard

Found one concrete issue:

• security-utils/src/reqwest.rs:156: allow-http silently disables https_only for any build where the Cargo feature is enabled, including release builds or --all-features builds. Cargo features are not dev-only, so a downstream crate can accidentally ship plaintext-HTTP-capable production clients despite the comment in security-utils/Cargo.toml:18. This should be guarded like update-agent-loader does, e.g. compile_error! for all(feature = "allow-http", not(debug_assertions)), or moved behind an explicit test-only builder/API.

I could not run cargo check because rustup tried to write under the read-only home directory.

No concrete merge-blocking issues found in the PR diff.

I could not run cargo check/cargo clippy because the sandbox is read-only and Cargo/Rustup need writable target/cache directories, so this review is based on source inspection only.

Found two concrete issues:

• security-utils/src/reqwest.rs:82: dangerously-allow-http disables https_only via an additive Cargo feature. Any --all-features release/ad-hoc build of a crate using client_builder() silently allows http:// in production clients. Unlike update-agent-loader’s allow_http, this has no release/debug guard. Please add a compile-time guard or make HTTP allowance test-only.

• security-utils/src/reqwest.rs:97: the old public http_client_builder() API, including the blocking variant, was removed rather than kept as a deprecated wrapper. That will break downstream users updating orb-security-utils without a lockstep rename. Add deprecated aliases forwarding to client_builder().

I did not run tests in this read-only review environment.