fix(boot): install rustls CryptoProvider to prevent rc.8 panic on first TLS call

Cargo.toml

@@ -58,6 +58,17 @@ tracing-subscriber = { version = "0.3", features = ["env-filter", "json"] }
 # Includes errors, traces, AND Sentry Logs (structured log forwarding).
 sentry = { version = "0.47", features = ["tracing", "logs", "reqwest", "rustls", "panic", "backtrace", "contexts", "debug-images", "test"], default-features = false, optional = true }
 sentry-tracing = { version = "0.47", optional = true }
+# rustls 0.23 explicit CryptoProvider install at boot. We use rustls
+# transitively via reqwest (`ring` backend) AND sentry's reqwest (which
+# pulls rustls-platform-verifier → `aws-lc-rs` backend). When both
+# backends are linked, rustls 0.23 refuses to auto-pick and panics on
+# the first TLS connection with the "Could not automatically determine
+# the process-level CryptoProvider" message. Direct dep with the `ring`
+# feature lets us call `install_default()` at boot to disambiguate
+# (matches the `ring` backend the rest of the binary uses via
+# jsonwebtoken + reqwest's rustls-tls feature). Single-binary fix —
+# no Cargo.lock surgery needed. rc.8 panic root cause.
+rustls = { version = "0.23", default-features = false, features = ["ring", "std"] }
 
 # Optional OpenTelemetry integration (off by default, enable with --features otel).
 # HTTP/protobuf transport at runtime, reqwest-based, rustls — same rationale

src/core/logging.rs

@@ -50,6 +50,24 @@ pub fn init(mode: LogMode, verbose: bool) -> InitGuards {
         _ => EnvFilter::new("info"),
     };
 
+    // rc.8 panic fix: rustls 0.23 ships with multiple crypto backends
+    // (we transitively link both `ring` via reqwest 0.12's rustls-tls
+    // feature and `aws-lc-rs` via sentry's reqwest 0.13 →
+    // rustls-platform-verifier chain). When both are present, rustls
+    // refuses to auto-pick and panics with "Could not automatically
+    // determine the process-level CryptoProvider" on the FIRST TLS
+    // connection. The canonical fix is to install one explicitly at
+    // boot, before any TLS use. We pick `ring` because it matches the
+    // backend the rest of the binary uses (jsonwebtoken, reqwest's
+    // rustls-tls feature).
+    //
+    // `install_default()` returns `Err` if a provider was already
+    // installed — safe to ignore because the first installer wins and
+    // we don't care who got there first. Both `ring` and `aws-lc-rs`
+    // implement the same TLS standards; consistency at the process
+    // level is what matters.
+    install_crypto_provider();
+
     // Init Sentry first (before subscriber) so sentry-tracing layer can be wired in.
     let sentry_guard = init_sentry();
 
@@ -166,6 +184,23 @@ fn before_send(
     Some(event)
 }
 
+/// Install the rustls 0.23 process-level `CryptoProvider`.
+///
+/// Pinned to `ring` because that's the backend the rest of the binary
+/// already uses (jsonwebtoken signs/verifies with ring; reqwest's
+/// rustls-tls feature pulls ring transitively). The `--features sentry`
+/// build additionally links `aws-lc-rs` via sentry's reqwest 0.13 →
+/// rustls-platform-verifier dependency chain, which is what triggered
+/// the rc.8 panic. Calling install_default() here disambiguates before
+/// any TLS connection.
+///
+/// Safe to call multiple times across the process — `install_default()`
+/// returns `Err` after the first successful install and we discard
+/// that result. No `Once` wrapper needed.
+fn install_crypto_provider() {
+    let _ = rustls::crypto::ring::default_provider().install_default();
+}
+
 /// Initialize Sentry if a DSN is configured. Returns `None` when Sentry is
 /// disabled (no DSN, or feature not compiled in).
 fn init_sentry() -> Option<SentryGuard> {