[chore] Modernize Rust dependency management

[limityan]

Summary

• Centralize more Rust third-party dependency versions in [workspace.dependencies] and switch direct crate declarations to workspace references where practical.
• Upgrade the core Rust stack to current stable-compatible ranges, including Tauri 2.11, Tokio 1.52, RMCP 1.7, ACP 0.12, Axum 0.8, tokio-tungstenite 0.29, git2 0.21, notify 8.2, zip 4.6, reqwest 0.13.4, and tower-http 0.6.11.
• Keep only the known CI compatibility exception as an exact bitflags constraint (=2.11.1); other upgraded dependencies remain normal Cargo-compatible version ranges.
• Adapt affected WebSocket, zip, and git API call sites for the upgraded crates while preserving existing behavior.
• Avoid committing Cargo.lock; validation was run after deleting the local ignored lockfile so dependency resolution is driven by the manifest.

Root cause

The original CI failure came from fresh dependency resolution picking a newly published bitflags release that triggered a macOS Tauri/dispatch2 macro recursion failure. Since this repository intentionally does not commit Cargo.lock, the fix keeps that single known-bad resolution constrained in Cargo.toml while leaving the broader dependency set on compatible version ranges.

The dependency cleanup also reduces direct version drift by moving repeated app/crate declarations to workspace dependencies. Remaining duplicate versions are primarily transitive platform or ecosystem stacks such as Tauri/Wry, Windows bindings, image 0.24/0.25, and ACP/RMCP schema layers, where forcing a single version would require a larger behavior migration.

Validation

• pnpm run fmt:rs
• cargo check --workspace
• cargo test -p bitfun-core --test remote_mcp_streamable_http -- --nocapture
• cargo test -p bitfun-services-integrations --test git_contracts -- --nocapture (compiled and ran; no tests selected in this target)
• cargo test -p bitfun-services-integrations --no-run
• git diff --check