# Alpha/Delta License & Dependency Policy
# cargo-deny 0.19.0+ format
# MODE: NON-BLOCKING (warnings only, does not fail CI)
# Updated: 2026-01-27
# Reference: alpha-delta-context/infra/machine/ci-pipelines.cspec

# Root options
[graph]
# Build the dependency graph with every feature enabled, so dependencies that
# are only pulled in by optional features are checked as well.
all-features = true
# Keep default features on (moot while all-features = true, kept explicit).
no-default-features = false

[output]
# How much feature detail is printed in the inclusion graphs that accompany
# diagnostics; 1 keeps the output short.
feature-depth = 1

# ═══════════════════════════════════════════════════════════════════════════
# ADVISORIES - Security vulnerability checks (NON-BLOCKING)
# ═══════════════════════════════════════════════════════════════════════════
[advisories]
# Version 2 of the advisories config: every advisory that matches a crate in
# the graph is reported as an error unless it is listed in `ignore` below.
version = 2
# Use writable path for advisory database in CI environment.
# NOTE(review): /var/tmp is normally writable by every local user, so on a
# shared (multi-tenant) runner another process could pre-seed or replace this
# checkout before the check runs; a per-job directory is safer there.
db-path = "/var/tmp/cargo/advisory-db"
# Upstream advisory database(s) fetched into db-path.
db-urls = ["https://github.com/rustsec/advisory-db"]
# Note: Vulnerabilities/yanked crates reported via CI || echo pattern (see the
# notes at the end of this file) - findings surface as warnings and do not
# fail the build.

# Specific advisories to ignore (with justification).
# Give each entry the advisory `id` and a `reason`, and revisit it when the
# affected dependency is upgraded.
ignore = [
    # Example: { id = "RUSTSEC-0000-0000", reason = "False positive for our use case" },
]

# ═══════════════════════════════════════════════════════════════════════════
# LICENSES - What licenses are allowed (NON-BLOCKING via CI)
# ═══════════════════════════════════════════════════════════════════════════
[licenses]
# Set version 2 for modern cargo-deny format: any license that is not in
# `allow` (and not covered by `exceptions`) is reported as an error.
version = 2
# List of explicitly allowed licenses (Alpha/Delta standard policy).
# SPDX identifiers; a crate's license expression is evaluated against this list.
allow = [
    "MIT",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "Zlib",
    "0BSD",
    "CC0-1.0",
    "MPL-2.0",                  # file-level (weak) copyleft; accepted by policy
    "Unicode-DFS-2016",
    "Unicode-3.0",              # Unicode data crates (OSI-approved permissive)
    "CDLA-Permissive-2.0",      # Community Data License (webpki-roots)
    "Unlicense",
]

# Minimum confidence for matching a crate's license *text* to a known license
# when its metadata carries no SPDX expression; lower values match more
# liberally and less accurately.
confidence-threshold = 0.8

# Per-crate license exceptions (if needed).
# NOTE(review): the [[licenses.clarify]] entry for `ring` below declares
# "ISC AND MIT AND OpenSSL", but "OpenSSL" is not in `allow`, so ring will be
# flagged by this check whenever it is in the graph unless an exception such
# as the example below is enabled (or the clarification is revised).
exceptions = [
    # Example: { allow = ["OpenSSL"], name = "ring" },
]

 62  # Clarifications for crates with non-standard license files
 63  [[licenses.clarify]]
 64  name = "ring"
 65  expression = "ISC AND MIT AND OpenSSL"
 66  license-files = [
 67      { path = "LICENSE", hash = 0xbd0eed23 }
 68  ]
 69  
 70  [[licenses.clarify]]
 71  name = "webpki"
 72  expression = "ISC"
 73  license-files = [
 74      { path = "LICENSE", hash = 0x001c7e6c }
 75  ]
 76  
[licenses.private]
# Unpublished workspace crates are still subject to the license check.
ignore = false
# Registries whose crates count as private (only relevant when ignore = true).
registries = []

# ═══════════════════════════════════════════════════════════════════════════
# BANS - Crates to avoid (NON-BLOCKING)
# ═══════════════════════════════════════════════════════════════════════════
# Per the CI notes at the end of this file, the nightly job runs only the
# `licenses` and `advisories` checks, so this section appears to be evaluated
# only by a manual `cargo deny check`.
[bans]
# Warn about multiple versions of the same crate in the graph (non-blocking).
multiple-versions = "warn"

# Allow wildcard (`*`) version requirements.
# NOTE(review): a wildcard puts no bound on the accepted version; the committed
# Cargo.lock pins what is resolved today, but nothing in the manifest
# constrains a later update.
wildcards = "allow"

# Which paths to highlight in the inclusion graph emitted for duplicate versions.
highlight = "all"

# Do not lint default features being enabled on workspace or external crates.
workspace-default-features = "allow"
external-default-features = "allow"

# Specifically banned crates (these still get denied even in warn mode, i.e.
# independently of `multiple-versions`).
deny = [
    # Prefer rustls over OpenSSL for memory safety.
    # `wrappers` names crates that are permitted to depend on the banned crate.
    # openssl-sys is a dependency *of* openssl, not a dependent of it, so this
    # wrapper entry appears to have no effect, and openssl-sys itself remains
    # allowed - a crate can still link OpenSSL through the FFI crate directly.
    # NOTE(review): add `{ name = "openssl-sys" }` if the intent is to exclude
    # OpenSSL from the graph entirely.
    { name = "openssl", wrappers = ["openssl-sys"] },

    # Known copyleft-licensed crates (violation of license policy)
    # Note: These should be caught by license check, but double-check here
]

# Skip duplicate version warnings for these crates (exact version match).
skip = [
    # Example: { name = "windows-sys", version = "=0.45" },
]

# Skip entire dependency trees when checking for duplicate versions.
skip-tree = [
    # Example: { name = "windows", depth = 20 },
]

# ═══════════════════════════════════════════════════════════════════════════
# SOURCES - Where crates can come from (NON-BLOCKING)
# ═══════════════════════════════════════════════════════════════════════════
# Like `bans`, this section is not part of the nightly CI commands listed at
# the end of this file and so appears to run only on a manual check.
[sources]
# Lint level for crates fetched from a registry or git repository that is not
# allowed below (non-blocking).
unknown-registry = "warn"
unknown-git = "warn"

# Allow crates.io
allow-registry = ["https://github.com/rust-lang/crates.io-index"]

# Allow internal Alpha/Delta git sources.
# NOTE(review): two entries are plain http://, which provides no transport
# integrity or server authentication, so source fetched over them can be
# altered in transit. Prefer the https:// form and drop the cleartext entries
# unless the network path is trusted end to end; pinning git dependencies to
# a `rev` in the manifest also keeps a fetch from silently changing.
allow-git = [
    "https://source.ac-dc.network",
    "http://source.ac-dc.network",
    "http://10.106.0.2:3000",
]

[sources.allow-org]
# Allow crates from any repository under these GitHub organizations.
# NOTE(review): an org-level allowance covers every repository (and every
# commit) under the org; if only a few repositories are needed, listing them
# in `allow-git` is the narrower choice.
github = [
    "AluVM",           # Upstream AlphaVM dependencies
    "rust-lang",       # Rust official crates
    "AleoHQ",          # Aleo ecosystem (snarkvm, etc.)
]
gitlab = []
bitbucket = []

# ═══════════════════════════════════════════════════════════════════════════
# NOTES ON NON-BLOCKING MODE
# ═══════════════════════════════════════════════════════════════════════════
# This configuration is set to REPORT issues without failing CI builds.
#
# CI Integration (nightly.yml):
#   cargo deny check licenses || echo "::warning::License issues detected"
#   cargo deny check advisories || echo "::warning::Security advisories detected"
#
# The || echo pattern ensures failures produce warnings but do not fail the build.
#
# Manual Usage:
#   cargo deny check          # Check all (licenses, advisories, bans, sources)
#   cargo deny check --show-stats  # Show detailed statistics
#   cargo deny list           # List all dependencies and their licenses
#
# Migration to Blocking Mode (future):
#   1. Review nightly CI reports for issues
#   2. Address or exempt known violations
#   3. Remove || echo "::warning::..." from nightly.yml to enforce strictly