chore(deps): batch bump clap-cargo / ripemd (+3 deferred) #1416

Merged
drewstone merged 1 commit into main from chore/deps-batch-bump-2026-05 on May 16, 2026

@tangletools
Contributor

Summary

Consolidates dependabot bumps. Two land here; three are documented as blocked and deferred to follow-up PRs.

Landed

| Crate | From | To | Origin PR |
|---|---|---|---|
| clap-cargo | 0.14.1 | 0.18.3 | #1412 |
| ripemd | 0.1.3 | 0.2.0 | #1410 |

ripemd is declared as an optional dep of blueprint-keystore (gated behind the ecdsa feature) and is not referenced by any Rust source under crates/keystore/src/, so the 0.1 -> 0.2 trait-based Digest API change is transparent here.

clap-cargo is consumed in cli/src/main.rs via clap_cargo::Manifest / clap_cargo::Features. The 0.14 -> 0.18 range only changes internal clap plumbing; the public derive-flatten surface used by cargo-tangle is unchanged.

Deferred (with reason)

| Crate | Bump | Origin PR | Blocker |
|---|---|---|---|
| alloy-contract | 1.8.3 -> 2.0.0 | #1409 | Per the crates.io index, alloy-contract 2.0.x requires alloy-consensus, alloy-network, alloy-network-primitives, alloy-provider, alloy-pubsub, alloy-rpc-types-eth, alloy-signer, alloy-signer-local all at ^2.0.x. The workspace pins these at 1.8.x and they are referenced across crates/runner, crates/clients/eigenlayer, crates/clients/tangle, crates/chain-setup/anvil, crates/tangle-aggregation-svc, cli, plus three examples. This is a full-stack alloy 1.x -> 2.x migration that needs its own PR. |
| alloy-signer-ledger | 1.8.3 -> 2.0.1 | #1411 | Same blocker: alloy-signer-ledger 2.0.x requires alloy-signer ^2.0.x, alloy-network ^2.0.x, alloy-consensus ^2.0.x. Lands with the alloy 2.x migration above. |
| ark-bn254 | 0.5.0 -> 0.6.0 | #1408 | The published external crate tnt-bls 0.1.8 (consumed via blueprint-crypto-bls) pins ark-bls12-377, ark-bls12-381, ark-ec, ark-ff, ark-serialize, ark-serialize-derive at ^0.5.0. Bumping our ark stack to 0.6 produces two ark_serialize versions in the dep graph; the tnt_bls::SecretKey/PublicKey types only implement the 0.5 CanonicalSerialize/CanonicalDeserialize traits, so re-exporting them through crates/crypto/bls fails to compile against the 0.6 trait bounds. Needs a tnt-bls release re-pinned to ark 0.6 (or a fork) before this can land. Note that ark-bn254 cannot move alone -- 0.6.0 requires ark-ec ^0.6.0 and ark-ff ^0.6.0, so this is in practice a full ark-bn254/ec/ff/serialize stack bump. |

Verification

  • cargo check --workspace --all-targets — clean, no warnings introduced
  • cargo test --workspace --lib --no-fail-fast: 1128 passed, 0 failed, 23 ignored
    • blueprint-keystore (the ripemd consumer): 8 passed, 0 failed, 3 ignored (hardware-only AWS/GCP/Ledger)
    • cargo-tangle (the clap-cargo consumer): 75 passed, 0 failed, 1 ignored

Closing originals

Will close #1408, #1409, #1410, #1411, #1412 as superseded after this PR is opened. The three deferred bumps remain tracked in this PR body so the next attempt has the blocker context.

- clap-cargo 0.14.1 -> 0.18.3 (PR #1412)
- ripemd 0.1.3 -> 0.2.0 (PR #1410)

Defers three breaking-major bumps that cannot land in isolation:

- alloy-contract 1.8.3 -> 2.0.0 (PR #1409): pulls in the full alloy 2.x stack
  (alloy-consensus, alloy-network, alloy-provider, alloy-pubsub,
  alloy-rpc-types-eth, alloy-signer, alloy-signer-local) per the crates.io
  index. The workspace currently pins those at 1.8.x with deep call-site
  coupling across runner, clients, cli, and aggregation. Treat as a
  full-stack alloy 1 -> 2 migration in its own PR.
- alloy-signer-ledger 1.8.3 -> 2.0.1 (PR #1411): blocked on the same alloy
  1 -> 2 transitive stack bump above.
- ark-bn254 0.5.0 -> 0.6.0 (PR #1408): the published external crate
  `tnt-bls 0.1.8` (used via blueprint-crypto-bls) pins ark-bls12-377/381,
  ark-ec, ark-ff, ark-serialize, ark-serialize-derive to ^0.5.0, so
  upgrading ark-bn254/ec/ff/serialize to 0.6 produces a duplicated
  ark_serialize crate in the dep graph and breaks the CanonicalSerialize /
  CanonicalDeserialize trait impls for tnt-bls SecretKey/PublicKey types
  re-exported by blueprint-crypto-bls. Needs a tnt-bls release that
  re-pins to ark 0.6 (or a workspace fork) before this bump can land.
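
Added example, not part of the PR or the project's code: Cargo's caret rule applied to the ark blocker described above, showing why a `^0.5.0` pin in tnt-bls and a `^0.6.0` workspace requirement cannot share one ark-serialize version. The published-version list and the "newest match per requirement" selection are simplifying assumptions, not Cargo's actual resolver.

```rust
use std::collections::BTreeSet;

// Plain MAJOR.MINOR.PATCH only; pre-release tags and partial versions are out of scope.
type Version = (u64, u64, u64);

fn parse(v: &str) -> Option<Version> {
    let parts = v
        .trim_start_matches('^')
        .split('.')
        .map(|s| s.parse::<u64>().ok())
        .collect::<Option<Vec<u64>>>()?;
    match parts.as_slice() {
        &[a, b, c] => Some((a, b, c)),
        _ => None,
    }
}

/// Exclusive upper bound of `^req`: bump the leftmost non-zero component.
fn caret_upper(r: Version) -> Version {
    match r {
        (0, 0, p) => (0, 0, p + 1),
        (0, m, _) => (0, m + 1, 0),
        (maj, _, _) => (maj + 1, 0, 0),
    }
}

/// Does `ver` satisfy the caret requirement `req`? None on unparsable input.
fn caret_matches(req: &str, ver: &str) -> Option<bool> {
    let (r, v) = (parse(req)?, parse(ver)?);
    Some(v >= r && v < caret_upper(r))
}

/// Simplified model: each requirement takes the newest published version it
/// accepts. More than one entry in the result means a duplicated crate.
fn versions_needed(reqs: &[&str], published: &[&str]) -> BTreeSet<Version> {
    reqs.iter()
        .filter_map(|req| {
            published
                .iter()
                .filter(|v| caret_matches(req, v) == Some(true))
                .filter_map(|v| parse(v))
                .max()
        })
        .collect()
}

fn main() {
    // Constructed inputs based on the PR text: tnt-bls 0.1.8 pins ark-serialize
    // at ^0.5.0; the bumped workspace would require ^0.6.0.
    let published = ["0.5.0", "0.6.0"]; // assumed candidate list
    println!("before bump: {:?}", versions_needed(&["^0.5.0", "^0.5.0"], &published));
    println!("after bump:  {:?}", versions_needed(&["^0.5.0", "^0.6.0"], &published));
}
```

On a real workspace, `cargo tree -d` reports the same condition by listing every crate that resolves to more than one version.
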
@github-actions

PR Quality Gate Summary

  • Status: fail
  • Selected class: not set
  • Required class: Class B
  • Reason: Code changes detected with local blast radius.
  • Changed files: 2

Blocking issues

  • Missing required section: '## Change Class'
  • Missing required section: '## Behavior Contract'
  • Missing required section: '## Risk And Scope'
  • Missing required section: '## Verification'
  • Missing required section: '## Harness Evidence'
  • Missing required section: '## Checklist'
  • Change Class section must specify 'Selected class: ...'
  • Verification section must include at least one command (inline or fenced).
