CI: Verify Cargo.lock sync with Cargo.toml without updating dependencies

[coderabbitai]

Context

• From discussion in PR fix(ci): Run Rust workflows only when changes affect Rust code (fixes #1463, resolves #1464); Update Cargo lock file. #1466 (link below). We want to verify that the Rust Cargo.lock file is in sync with Cargo.toml without updating dependencies, to maintain deterministic builds and CI runs.

Problem

• The current "Validate lock files" step in clp-rust-checks may perform an update or otherwise mutate the lockfile, which undermines deterministic behaviour and creates noisy diffs.

Goals

• Determine a reliable, non-mutating way to fail CI when Cargo.lock is out-of-sync with Cargo.toml.
• Keep the step fast and side-effect free.

Ideas to evaluate

• Use "cargo metadata --locked" (fast, no build; fails if the lockfile needs updates).
• Use "cargo check --locked" (compiles; also fails if the lockfile needs updates).
• Use "cargo fetch --locked" (network-only; fails if the lockfile is missing/out-of-date).
• Ensure all workspace members are covered.

Acceptance criteria

• A documented command/script that exits non-zero when Cargo.lock is not in sync with Cargo.toml and never modifies files.
• CI updated to run this command as part of clp-rust-checks.
• Taskfile target (e.g., deps:lock:check-rust) updated accordingly.
• Works for both PRs and direct pushes.

References

• PR: fix(ci): Run Rust workflows only when changes affect Rust code (fixes #1463, resolves #1464); Update Cargo lock file. #1466
• Request comment: fix(ci): Run Rust workflows only when changes affect Rust code (fixes #1463, resolves #1464); Update Cargo lock file. #1466 (comment)
• Related: CI: Rust lock file validation step failing in clp-rust-checks workflow #1463, CI: Skip Rust checks workflow when no Rust-related changes are detected #1464

[junhaoliao]

duplicated by #1471