fix(sidekick): remove dangling phenotype-errors and unused workspace deps

[KooshaPari]

Summary

Remove dangling phenotype-errors local-path workspace dependency and unused workspace deps that break CI once billing is restored.

Context

Commit 7d22543 cleaned up sidekick-messaging by removing its dependency on the archived phenotype-bus crate and the phenotype-errors crate. However, the workspace Cargo.toml still declares phenotype-errors = { path = "../pheno/crates/phenotype-errors" } — a dangling local-path dependency that no workspace member references. This path does not exist in CI, so any cargo check, cargo test, or cargo clippy run will fail.

Additionally, all 5 CI runs on main (CodeQL, CI test, cargo-deny, cargo-machete, Scorecard) currently fail with:

The job was not started because recent account payments have failed or your spending limit needs to be increased.

This is a GitHub billing issue affecting runner provisioning. Once billing is resolved, jobs will start again — but the dangling phenotype-errors dep will cause immediate build failures.

Changes

• Remove phenotype-errors = { path = "../pheno/crates/phenotype-errors" } from [workspace.dependencies] in Cargo.toml — the only crate that used it (sidekick-messaging) was already cleaned up
• Remove unused workspace dependencies (tokio, serde_json, tracing, anyhow, clap) that no workspace member references
• Keep serde and thiserror workspace deps (still used by sidekick-messaging)
• Regenerated Cargo.lock reflecting the pruned dependency tree

Testing

cargo verify-project  # success
cargo metadata --no-deps  # correctly resolves only sidekick-messaging
# Full cargo check will pass once the workspace resolves without dangling paths

Links

• Root cause: dangling local path dependency introduced during the sidekick-messaging cleanup (7d22543)
• Related: docs(sidekick): redirect archived phenotype-bus references #74 (phenotype-bus archival), chore(sidekick): SHA-pin GitHub Actions #71 (SHA-pinned actions)

[coderabbitai]

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Free

Run ID: 26b7b54a-ce5a-4c97-bcef-9d46215bbce2

📥 Commits

Reviewing files that changed from the base of the PR and between 7d22543 and 5584756.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (1)

• Cargo.toml

💤 Files with no reviewable changes (1)

• Cargo.toml

---

📝 Walkthrough

Summary by CodeRabbit

• Chores
  • Internal dependency management updates with no impact to end-user functionality.

_{⚠️ Note: Your high-level summary instructions were not applied because this feature is currently available only on Pro plans or higher.}

Walkthrough

Six workspace-level shared dependencies (tokio, serde_json, tracing, anyhow, clap, phenotype-errors) are removed from [workspace.dependencies] in Cargo.toml, leaving only serde (with derive) and thiserror.

Changes

Workspace Dependency Cleanup

Layer / File(s)	Summary
Trim [workspace.dependencies] Cargo.toml	Six previously shared workspace dependencies are removed, leaving only serde and thiserror declared at the workspace level.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

---

Note

🎁 Summarized by CodeRabbit Free

The PR author is not assigned a seat. To perform a comprehensive line-by-line review, please assign a seat to the pull request author through the subscription management page by visiting https://app.coderabbit.ai/login.

_{Comment @coderabbitai help to get the list of available commands.}

[gemini-code-assist]

Code Review

This pull request cleans up the workspace dependencies in Cargo.toml by removing unused dependencies such as tokio, serde_json, tracing, anyhow, clap, and phenotype-errors, leaving only serde and thiserror. The Cargo.lock file has been updated accordingly to reflect these changes. There are no review comments, and I have no additional feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	cargo/​thiserror@​2.0.18
	cargo/​serde@​1.0.228

View full report