fix: resolve cargo-deny failures (wildcard deps + rand advisory) (#2370)

ilblackdragon · claude · web-flow · commit 3cb77fe0ed88 · 2026-04-12T21:44:21.000+09:00
* chore: fix cargo-deny failures (wildcard deps + new rand advisory) Add version constraints to ironclaw_engine, ironclaw_gateway, and ironclaw_tui path dependencies so cargo-deny's wildcard check passes for public crates. Ignore RUSTSEC-2026-0097 (rand unsoundness with custom logger calling rand::rng() during reseed) — we don't use that pattern. [skip-regression-check] https://claude.ai/code/session_01X86EZxqXEFiU9VetyhPKjM * chore: add revisit-by date to rand advisory ignore Address PR review feedback: add a concrete expiry date and upgrade target so the RUSTSEC-2026-0097 ignore doesn't become a permanent blind spot. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com>
diff --git a/Cargo.toml b/Cargo.toml
@@ -116,11 +116,11 @@ jsonschema = { version = "0.45", default-features = false }
 ironclaw_common = { path = "crates/ironclaw_common", version = "0.2.0" }
 
 # Safety/sanitization
-ironclaw_engine = { path = "crates/ironclaw_engine" }
-ironclaw_gateway = { path = "crates/ironclaw_gateway" }
+ironclaw_engine = { path = "crates/ironclaw_engine", version = "0.1.0" }
+ironclaw_gateway = { path = "crates/ironclaw_gateway", version = "0.1.0" }
 ironclaw_safety = { path = "crates/ironclaw_safety", version = "0.2.1" }
 ironclaw_skills = { path = "crates/ironclaw_skills", version = "0.1.0" }
-ironclaw_tui = { path = "crates/ironclaw_tui", optional = true }
+ironclaw_tui = { path = "crates/ironclaw_tui", optional = true, version = "0.1.0" }
 regex = "1"
 aho-corasick = "1"
 
diff --git a/deny.toml b/deny.toml
@@ -17,6 +17,9 @@ ignore = [
     "RUSTSEC-2026-0021",
     # rustls-webpki CRL distributionPoint matching — 0.102.8 pinned by libsql transitive dep
     "RUSTSEC-2026-0049",
+    # rand unsoundness with custom logger calling rand::rng() during reseed — we don't use this pattern;
+    # revisit/remove by 2026-06-30, or when transitive deps (tower, nanoid, phf_generator) release rand ≥0.9.3 compat
+    "RUSTSEC-2026-0097",
 ]
 
 [licenses]

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,9 @@ ignore = [`
`17`	`17`	`"RUSTSEC-2026-0021",`
`18`	`18`	`# rustls-webpki CRL distributionPoint matching — 0.102.8 pinned by libsql transitive dep`
`19`	`19`	`"RUSTSEC-2026-0049",`
	`20`	`+ # rand unsoundness with custom logger calling rand::rng() during reseed — we don't use this pattern;`
	`21`	`+ # revisit/remove by 2026-06-30, or when transitive deps (tower, nanoid, phf_generator) release rand ≥0.9.3 compat`
	`22`	`+ "RUSTSEC-2026-0097",`
`20`	`23`	`]`
`21`	`24`
`22`	`25`	`[licenses]`