# cargo-deny v2 configuration for Pezkuwi SDK
# https://embarkstudios.github.io/cargo-deny/

[graph]
targets = [
	{ triple = "wasm32-unknown-unknown" },
	{ triple = "x86_64-unknown-linux-gnu" },
	{ triple = "x86_64-unknown-linux-musl" },
]
# Exclude no_std test runtime crates that cause krates crate to panic
# with "unable to locate std" when resolving the dependency graph.
exclude = ["bizinikiwi-test-runtime-transaction-pool"]

# Advisory database - check for known vulnerabilities
# In v2: all vulnerability/unsound/notice advisories automatically emit errors.
# Use `ignore` to suppress specific advisories.
[advisories]
yanked = "warn"
# All unmaintained crates are transitive upstream dependencies we cannot replace.
# Track via quarterly review instead of blocking CI.
unmaintained = "none"
ignore = [
	# wasmtime 37.0.3: no patch release for 37.x branch. Upgrade to 41+ requires
	# major API changes in pezsc-executor-wasmtime. Tracked for future major upgrade.
	"RUSTSEC-2026-0006", # wasmtime segfault with f64.copysign on x86-64
	"RUSTSEC-2026-0020", # wasmtime guest-controlled resource exhaustion
	"RUSTSEC-2026-0021", # wasmtime panic in wasi:http/types.fields

	# rustls-webpki 0.101.7 & 0.103.9: pulled transitively by kube (0.87.2) and
	# jsonrpsee (0.24.10). Fix requires >=0.103.10 but upstream hasn't released
	# compatible versions of kube/jsonrpsee yet.
	"RUSTSEC-2026-0049", # rustls-webpki certificate path building panic

	# rsa 0.9.10: Marvin Attack timing sidechannel. Pulled transitively by
	# sqlx-mysql (pezpallet-revive-eth-rpc). Not used for cryptographic signing.
	"RUSTSEC-2023-0071", # rsa Marvin Attack

	# tracing-subscriber 0.2.25: ANSI log poisoning. Pulled by ark-relations 0.5.1.
	# Upstream arkworks hasn't updated to tracing-subscriber 0.3.x yet.
	"RUSTSEC-2025-0055", # tracing-subscriber ANSI escape

	# tar 0.4.44: link following + path traversal. Pulled transitively.
	# No patch available for 0.4.x branch yet.
	"RUSTSEC-2026-0067", # tar symlink path traversal
	"RUSTSEC-2026-0068", # tar link following vulnerability
]

# License compliance
# In v2: all licenses are denied unless explicitly allowed.
# Removed v1 fields: unlicensed, deny, copyleft, allow-osi-fsf-free, default
[licenses]
confidence-threshold = 0.8
allow = [
	"Apache-2.0 WITH LLVM-exception",
	"Apache-2.0",
	"BSD-2-Clause",
	"BSD-3-Clause",
	"BSL-1.0",
	"CC0-1.0",
	"CDLA-Permissive-2.0",
	"GPL-3.0-only WITH Classpath-exception-2.0",
	"GPL-3.0-only",
	"GPL-3.0-or-later WITH Classpath-exception-2.0",
	"GPL-3.0-or-later",
	"ISC",
	"MIT",
	"MIT-0",
	"MPL-2.0",
	"NCSA",
	"OpenSSL",
	"Unicode-3.0",
	"Unicode-DFS-2016",
	"Unlicense",
	"Zlib",
]
exceptions = [
	# ring uses a custom ISC-style license
	{ allow = ["OpenSSL"], name = "ring" },
]

[licenses.private]
ignore = true

# Banned crates and duplicate version detection
[bans]
multiple-versions = "warn"
wildcards = "allow"
highlight = "simplest-path"
deny = []
skip = []
skip-tree = []

# Source origin checks
[sources]
unknown-registry = "warn"
unknown-git = "warn"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = []