[licenses]
# Minimum match confidence (0.0–1.0) for identifying a license from a crate's
# license text; matches below this are not accepted as that license.
confidence-threshold = 0.8
# Allowlist model: a crate whose license is not listed here fails the check,
# which is what keeps GPL and other copyleft variants out of the graph.
# Sorted alphabetically; entries with a non-obvious origin carry a comment.
allow = [
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "CC0-1.0",
    # Community Data License Agreement Permissive 2.0 (permissive, used by webpki-roots)
    "CDLA-Permissive-2.0",
    "ISC",
    "MIT",
    # MIT without the attribution clause (more permissive than MIT)
    "MIT-0",
    "MPL-2.0",
    # OpenSSL License (permissive, FSF Free/Libre; pulled in by aws-lc-sys via rustls)
    "OpenSSL",
    "Unicode-3.0",
    "Zlib",
]
[bans]
# Duplicate crate versions are reported but do not fail the check.
multiple-versions = "warn"
# Each entry bans a crate everywhere except as a direct dependency of the
# listed `wrappers`; the `reason` is surfaced in cargo-deny's diagnostic.
deny = [
    # HTTP client — only adapter crates (and jsonschema, a third-party user) may depend on it.
    { crate = "reqwest", wrappers = [
        "auths-infra-http",
        "auths-infra-rekor",
        "auths-api",
        "auths-cli",
        "auths-mcp-server",
        "auths-telemetry",
        "jsonschema",
    ], reason = "HTTP clients must be confined to adapter layer" },
    # dialoguer is a terminal UX dependency — CLI only
    { crate = "dialoguer", wrappers = ["auths-cli"], reason = "interactive TUI confined to CLI" },
    # axum is an HTTP framework — adapter crates only
    { crate = "axum", wrappers = [
        "auths-infra-http",
        "auths-api",
        "auths-cli",
        "auths-core",
        "auths-mcp-server",
        "auths-pairing-daemon",
    ], reason = "HTTP framework confined to adapter crates" },
    # git2 must not be a production dependency of auths-sdk or auths-core.
    # NOTE(review): a wrapper entry allows the crate as a direct dependency of
    # that wrapper in any dependency kind, so listing auths-sdk here does not by
    # itself restrict git2 to dev-dependencies — confirm the dev-only intent is
    # enforced elsewhere (e.g. the graph cargo-deny is run against).
    { crate = "git2", wrappers = [
        "auths-storage",
        "auths-id",
        "auths-infra-git",
        "auths-cli",
        "auths-index",
        "auths-radicle",
        "auths-sdk",
        "auths-test-utils",
    ], reason = "git2 must stay in storage/adapter layer; auths-sdk dev-dep only" },
]
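[advisories]
# Each ignored advisory carries its rationale in the structured `reason` field
# so it appears in cargo-deny's own output, not only in this file. An ignore
# that no longer matches any advisory in the graph should be flagged by
# cargo-deny at check time — treat that as the signal to drop the entry.
ignore = [
    # rsa Marvin Attack (RUSTSEC-2023-0071) — transitive via ssh-key v0.6;
    # no fix available until ssh-key upgrades to rsa v0.10+
    { id = "RUSTSEC-2023-0071", reason = "transitive via ssh-key v0.6; no fixed rsa release reachable until ssh-key moves to rsa v0.10+" },
    # rustls-pemfile unmaintained (RUSTSEC-2025-0134)
    # Transitive via axum-server → rustls-pemfile. No updated axum-server available.
    # Not a vulnerability — the crate is archived but functionally correct.
    { id = "RUSTSEC-2025-0134", reason = "unmaintained notice, not a vulnerability; transitive via axum-server with no updated release available" },
    # rustls-webpki URI name constraint issues (RUSTSEC-2026-0098, RUSTSEC-2026-0099)
    # Transitive via aws-smithy-http-client → hyper-rustls 0.24 → rustls 0.21 → rustls-webpki 0.101.7
    # Stated rationale: auths doesn't validate X.509 certificates; identity is KERI/DID-based.
    # NOTE(review): that rationale concerns application-layer identity. The path
    # above is the TLS client stack for the AWS SDK's outbound HTTPS, where
    # rustls-webpki is the component checking the server certificate chain, so
    # the "not exploitable" claim should be re-stated in terms of those
    # connections before it is relied on.
    # Waiting for AWS SDK to release with rustls 0.23+ (tracks hyper-rustls 0.27+).
    # NOTE: These may already be resolved — keep until CI confirms.
    { id = "RUSTSEC-2026-0098", reason = "transitive via aws-smithy-http-client -> hyper-rustls 0.24 -> rustls 0.21; waiting for AWS SDK on rustls 0.23+" },
    { id = "RUSTSEC-2026-0099", reason = "transitive via aws-smithy-http-client -> hyper-rustls 0.24 -> rustls 0.21; waiting for AWS SDK on rustls 0.23+" },
]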
[sources]
# fn-128.T9: tightened from warn → deny. Crates may come only from the
# official crates.io registry; any other registry or any git source not
# explicitly allowlisted below (with a documented rationale) fails the check.
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
unknown-registry = "deny"
unknown-git = "deny"
# Radicle integration depends on a fork with auths integration patches.
# Track upstream merge: https://github.com/radicle-dev/heartwood
# NOTE(review): an allow-git entry is URL-based and admits every ref of that
# repository; pinning to a specific rev is the job of the dependent's Cargo.toml.
allow-git = ["https://github.com/bordumb/heartwood"]
[graph]
# Evaluate the dependency graph for every target we build for, so a
# target-gated dependency (e.g. a GPL transitive only on aarch64) cannot
# pass on x86_64 and slip through. Plain triples suffice when no
# target_features need to be declared.
targets = [
    "x86_64-unknown-linux-gnu",
    "aarch64-apple-darwin",
    "x86_64-pc-windows-msvc",
    "wasm32-unknown-unknown",
]