Bump lh from v8.0.0-rc.0 to stable v8.0.0, and bump rust from 1.89 to 1.91 as required. Add audit.toml to ignore irrevelent audit error in CI.

Author: JasonVranek

.cargo/audit.toml

@@ -0,0 +1,27 @@
+# RUSTSEC-2026-0049: CRL revocation checking bug in rustls-webpki 0.101.7.
+#
+# Background: CRL (Certificate Revocation List) checking is an optional TLS
+# feature where a client fetches a list of revoked certificates from URLs
+# embedded in the cert itself, to confirm it hasn't been invalidated since
+# issuance. This is distinct from normal certificate validation.
+#
+# The bug: when a cert lists multiple CRL distribution point URLs, only the
+# first URL is checked; the rest are silently ignored. This matters only when
+# CRL checking is enabled AND the UnknownStatusPolicy is set to Allow (meaning
+# "if I can't determine revocation status, accept the cert anyway"). With that
+# combination, a revoked certificate from a compromised CA could be accepted.
+#
+# Why this does not affect Commit-Boost: the vulnerable code path is never
+# reached because no code in this codebase enables CRL checking at all.
+# TLS is used in four places: (1) relay communication via reqwest with
+# rustls-tls uses default CA validation with no CRL configured; (2) the signer
+# server presents a TLS certificate but does not check client revocation;
+# (3) the signer client pins a single self-signed certificate via
+# add_root_certificate — CRL is irrelevant for self-signed certs; (4) the Dirk
+# remote signer uses mTLS with a custom CA but again no CRL. In all cases the
+# buggy CRL code in rustls-webpki is never invoked.
+#
+# Blocked on sigp/lighthouse upgrading past v8.0.1 without a compilation
+# regression (SseEventSource missing cfg guard in eth2 error.rs).
+[advisories]
+ignore = ["RUSTSEC-2026-0049"]