deny.toml

# cargo-deny configuration — supply-chain gate for the Rust dependency tree.
# Enforced in CI (.github/workflows/ci.yml). Docs: https://embarkstudios.github.io/cargo-deny/
#
# Scope is intentionally the supply-chain relevant checks:
#   * advisories — known vulnerabilities / RUSTSEC advisories, yanked crates
#   * licenses   — only explicitly allowed dependency licenses pass
#   * bans       — wildcard version requirements (and duplicate-version noise)
#   * sources    — dependencies must come from the official crates.io registry

[advisories]
# RUSTSEC advisory database. cargo-deny errors on vulnerabilities by default.
# Refuse yanked crates — a yanked dependency is a supply-chain smell.
yanked = "deny"
# `paste` is pulled transitively by the new local memory stack
# (`turbovec -> faer`, plus fastembed/tokenizers). RUSTSEC-2024-0436 marks it
# unmaintained, not vulnerable, and reports no safe upgrade. Keep this scoped
# here until turbovec/faer/tokenizers move off paste or we replace that stack.
ignore = ["RUSTSEC-2024-0436"]

[licenses]
# Explicit allow-list for licenses currently present in the resolved workspace
# dependency graph. New licenses fail CI until they are reviewed here.
allow = [
    "0BSD",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "BSL-1.0",
    "CDLA-Permissive-2.0",
    "ISC",
    "MIT",
    "MPL-2.0",
    "Unicode-3.0",
    "Unlicense",
    "Zlib",
]
confidence-threshold = 0.8

[bans]
# Duplicate transitive versions are common and noisy — surface but don't fail.
multiple-versions = "warn"
# Our own crates must pin real version requirements, never "*".
wildcards = "deny"

[sources]
# Only the official crates.io registry is trusted. Reject unknown registries
# and any git sources (there are none today).
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]