chore(deps): bump rust blas-src from 0.10 to 0.14

[igerber]

Summary

• Bumps the Rust backend's blas-src crate 0.10 → 0.14 (rust/Cargo.toml).
• Recreation of Dependabot PR Chore(deps): Update blas-src requirement from 0.10 to 0.14 in /rust #386 as a same-repo PR so full CI + the Codex AI review run (Dependabot's restricted context — read-only token, separate secret store, and the reviewer's dependabot[bot] actor guard — blocks both).
• Replaces Chore(deps): Update blas-src requirement from 0.10 to 0.14 in /rust #386.

Blast radius

blas-src is a linker-only crate wired into exactly one path: the macOS accelerate feature (rust/src/lib.rs only does extern crate blas_src under #[cfg(feature = "accelerate")]). The Linux openblas path links system OpenBLAS via build.rs (deliberately bypassing blas-src to avoid the openblas-src → ureq → native-tls chain), and the default/Windows builds use the pure-Rust faer backend. So this bump only affects the macOS Accelerate wheel/dev build.

0.14 pulls the same accelerate-src 0.3.2 (the crate that links Apple's Accelerate.framework) as 0.10, so there is no API or numerical change — this is a linker-shim version bump, not a BLAS-implementation swap.

Methodology references

• N/A — no methodology / estimator math changes (build-dependency version bump only).

Validation

Local de-risk on the affected path (macOS, rustc 1.92, pinned ndarray 0.17.2):

• cargo build --features accelerate — clean (debug + release); blas-src resolves to 0.14.0, accelerate-src unchanged at 0.3.2.
• cargo test --features accelerate — 40 passed.
• maturin develop --release --features accelerate + DIFF_DIFF_BACKEND=rust pytest tests/test_rust_backend.py -m '' — 96 passed, 0 failed (full Python⇄Rust equivalence incl. slow).
• CI here covers the paths not exercisable locally: rust-test.yml 4-OS matrix (ubuntu/macos/windows/arm × accelerate/openblas/default) + publish.yml wheel builds (manylinux openblas, macOS accelerate, Windows, sdist).
• No test changes (existing equivalence + Rust unit tests are the coverage). Cargo.lock is gitignored, so CI resolves fresh.

Security / privacy

• Confirm no secrets/PII in this PR: Yes

🤖 Generated with Claude Code

[github-actions]

Overall Assessment

✅ Looks good — no unmitigated P0/P1 findings.

Executive Summary

• Affected method(s): none. This PR changes only CHANGELOG.md and the Rust optional blas-src dependency in rust/Cargo.toml.
• No estimator math, weighting, variance/SE logic, identification assumptions, or public defaults are changed.
• The accelerate feature is the only Cargo feature that pulls blas-src (rust/Cargo.toml:L20, rust/src/lib.rs:L11-L12); openblas links through build.rs (rust/build.rs:L8-L10).
• Existing CI config exercises the affected macOS Accelerate path via cargo test --features accelerate and maturin ... --features extension-module,accelerate (.github/workflows/rust-test.yml:L88-L97, .github/workflows/rust-test.yml:L135-L144).
• I did not run tests locally; the environment is read-only.

Methodology

Finding: No methodology defect.
Severity: P3 informational.
Impact: No causal estimators, statistical formulas, inference fields, or assumptions are modified. docs/methodology/REGISTRY.md does not require a method cross-check beyond confirming no method is affected.
Concrete fix: None.

Code Quality

Finding: No code quality issues in the diff.
Severity: P3 informational.
Impact: The feature wiring remains consistent: accelerate depends on dep:blas-src and blas-src/accelerate; non-macOS/default paths do not pull this dependency.
Concrete fix: None.

Performance

Finding: No performance issue identified.
Severity: P3 informational.
Impact: This is a linker/dependency version change on the optional macOS Accelerate path, not a new algorithmic code path.
Concrete fix: None.

Maintainability

Finding: No maintainability blocker.
Severity: P3 informational.
Impact: The changelog and inline Cargo comment document the intended blast radius at CHANGELOG.md:L11-L18 and rust/Cargo.toml:L36-L39.
Concrete fix: None.

Tech Debt

Finding: No new untracked tech debt.
Severity: P3 informational.
Impact: No new TODO/deferred-work item is needed for this dependency-only change. Existing TODO.md entries are unrelated.
Concrete fix: None.

Security

Finding: No security issue identified from the diff.
Severity: P3 informational.
Impact: No secrets, credentials, workflow permission changes, or executable review-surface changes are introduced.
Concrete fix: None.

Documentation/Tests

Finding: Validation is documented but not changed in tests.
Severity: P3 informational.
Impact: The changelog records the affected-path validation at CHANGELOG.md:L16-L18; existing Rust/macOS CI covers the changed feature path.
Concrete fix: None required.