deny.toml
# cargo-deny policy for the workspace: license allow-list, banned crates,
# advisory exceptions and crate-source checks.

[licenses]
# Minimum confidence threshold for license detection
confidence-threshold = 0.8

# Only these licenses are allowed — anything else (including GPL variants) is denied
# NOTE(review): this depends on cargo-deny rejecting every license that is not
# listed; confirm that against the cargo-deny version pinned in CI.
allow = [
    "MIT",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "ISC",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "Unicode-3.0",
    "CC0-1.0",
    "Zlib",
    # MPL-2.0 is file-level (weak) copyleft, unlike the other entries in this list.
    "MPL-2.0",
    # MIT without attribution clause (more permissive than MIT)
    "MIT-0",
    # Community Data License Agreement Permissive 2.0 (permissive, used by webpki-roots)
    "CDLA-Permissive-2.0",
    # OpenSSL License (permissive, FSF Free/Libre; pulled in by aws-lc-sys via rustls)
    "OpenSSL",
]

[bans]
# Duplicate versions of a crate are reported but do not fail the check.
multiple-versions = "warn"

# Each entry bans a crate everywhere except as a direct dependency of the crates
# named in `wrappers`, so the wrapper list is the effective allow-list and every
# name added to it widens where that crate may be used.
deny = [
    # reqwest is an HTTP client — adapter layer only.
    # NOTE(review): `auths-id`, `xtask` and `jsonschema` do not look like adapter
    # crates by name; confirm each still needs a direct reqwest dependency, since
    # every wrapper is another place outbound HTTP can originate.
    { crate = "reqwest", wrappers = [
        "auths-infra-http",
        "auths-cli",
        "auths-mcp-server",
        "auths-id",
        "xtask",
        "jsonschema",
    ], reason = "HTTP clients must be confined to adapter layer" },

    # dialoguer is a terminal UX dependency — CLI only
    { crate = "dialoguer", wrappers = ["auths-cli"], reason = "interactive TUI confined to CLI" },

    # axum is an HTTP framework — adapter crates only
    # NOTE(review): `auths-core` is listed here although the git2 rule below treats
    # it as a crate that must stay free of adapter dependencies; confirm this
    # exception is intended.
    { crate = "axum", wrappers = [
        "auths-infra-http",
        "auths-cli",
        "auths-core",
        "auths-mcp-server",
    ], reason = "HTTP framework confined to adapter crates" },

    # git2 must not be a production dependency of auths-sdk or auths-core
    # NOTE(review): a wrapper entry does not appear to distinguish dev-dependencies
    # from normal ones, so listing `auths-sdk` presumably also permits a production
    # dependency; the "dev-dep only" rule likely needs a separate check — verify.
    { crate = "git2", wrappers = [
        "auths-storage",
        "auths-id",
        "auths-infra-git",
        "auths-cli",
        "auths-index",
        "auths-radicle",
        "auths-sdk",
        "auths-test-utils",
    ], reason = "git2 must stay in storage/adapter layer; auths-sdk dev-dep only" },
]

[advisories]
# Advisories listed here are suppressed for the whole dependency graph, with no
# expiry: the entry keeps hiding the finding until someone removes it.
ignore = [
    # rsa Marvin Attack (RUSTSEC-2023-0071) — transitive via ssh-key v0.6;
    # no fix available until ssh-key upgrades to rsa v0.10+
    # NOTE(review): the advisory concerns a timing side channel in RSA private-key
    # operations; confirm whether this workspace performs such operations where
    # timing is observable, and remove the entry once ssh-key ships the upgrade.
    "RUSTSEC-2023-0071",
]

[sources]
# "warn" only reports crates pulled from an unlisted registry or git repository;
# the check still passes. Failing the build on an unexpected source would need
# "deny" together with explicit `allow-registry` / `allow-git` lists.
unknown-registry = "warn"
unknown-git = "warn"