From a7f23437d8238c4c3d16ddc37b22130edc66f12f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jesu=CC=81s=20Pe=CC=81rez?=
Date: Fri, 13 Mar 2026 21:14:55 +0000
Subject: [PATCH] feat: unified auth model, project onboarding, install pipeline, config management
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The full scope across this batch: POST /sessions key→token exchange, SessionStore dual-index with revoke_by_id, CLI Bearer injection (ONTOREF_TOKEN), ontoref setup --gen-keys, install scripts, daemon config form roundtrip, ADR-004/005, on+re self-description update (fully-self-described), and landing page refresh.
---
 .pre-commit-config.yaml | 4 +--
 deny.toml | 70 +++++++++++++----------------------------
 2 files changed, 24 insertions(+), 50 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 4f9dcfc..08a68ea 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -30,14 +30,14 @@ repos:
 language: system
 types: [rust]
 pass_filenames: false
- stages: [manual]
+ stages: [pre-commit]
 - id: cargo-deny
 name: Cargo deny (licenses & advisories)
 entry: bash -c 'cargo deny check licenses advisories'
 language: system
 pass_filenames: false
- stages: [manual]
+ stages: [pre-commit]
 # ============================================================================
 # Nushell Hooks (optional - enable if using Nushell)
diff --git a/deny.toml b/deny.toml
index a6a8652..bf4b555 100644
--- a/deny.toml
+++ b/deny.toml
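Review bot: In `.pre-commit-config.yaml`, the cargo-deny hook that is moved to the `pre-commit` stage still runs only `cargo deny check licenses advisories`, so the `[bans]` and `[sources]` tables in deny.toml (including `unknown-registry = "deny"` and `unknown-git = "deny"`) are not evaluated by it. I would change the entry to `entry: bash -c 'cargo deny check licenses advisories bans sources'` and adjust the hook name to match, so that a dependency from an unlisted registry or Git repository is rejected at the same gate. A local hook can be skipped, so the same command should also run in CI if it does not already. The first `stages` change belongs to a hook whose definition starts above the hunk.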
@@ -1,23 +1,19 @@
-# Generated by dev-system/ci
-# Configuration for cargo-deny
-# See: https://embarkstudios.github.io/cargo-deny/
+# cargo-deny configuration — cargo-deny 0.18+
+# https://embarkstudios.github.io/cargo-deny/
 [advisories]
-# The path where the advisory database is cloned/fetched into
 db-path = "~/.cargo/advisory-db"
-# The url(s) of the advisory databases to use
 db-urls = ["https://github.com/rustsec/advisory-db"]
-# How to handle crates with security vulnerabilities
-vulnerability = "deny"
-# How to handle unmaintained crates
-unmaintained = "warn"
-# How to handle crates that have been yanked from crates.io
+unmaintained = "workspace"
 yanked = "warn"
+ignore = [
+ # RUSTSEC-2023-0071: rsa Marvin Attack (timing side-channel).
+ # rsa is a transitive dep; not used in network-facing key operations here.
+ # Revisit when rsa publishes a patched release.
+ { id = "RUSTSEC-2023-0071" },
+]
 [licenses]
-# The lint level for crates which do not have a detectable license
-unlicensed = "deny"
-# List of explicitly allowed licenses
 allow = [
 "MIT",
 "MIT-0",
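Review bot: The `ignore` entry for RUSTSEC-2023-0071 keeps its justification only in comments, and the claim that rsa is not used in network-facing key operations cannot be checked from this file. cargo-deny accepts a `reason` field on ignore entries, so I would write `{ id = "RUSTSEC-2023-0071", reason = "rsa is transitive via <crate-name>; no RSA private-key operation is reachable from a network request" }` and name the crate that pulls rsa in (the output of `cargo tree -i rsa`); this matters more than usual in a commit that adds key generation and token exchange. Separately, `unmaintained = "workspace"` limits unmaintained-crate advisories to direct dependencies of workspace crates, where the old `"warn"` reported them for the whole graph, so a comment stating that the narrower scope is deliberate would help. The `[licenses]` table continues past the end of this hunk.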
@@ -27,48 +23,26 @@ allow = [
 "BSD-3-Clause",
 "ISC",
 "Unicode-DFS-2016",
+ "Unicode-3.0",
+ "CC0-1.0",
+ "Zlib",
+ "Unlicense",
+ "MPL-2.0",
+ "OpenSSL",
+ "CDLA-Permissive-2.0",
+ "BUSL-1.1",
 ]
-# List of explicitly disallowed licenses
-deny = [
- "GPL-2.0",
- "GPL-3.0",
- "AGPL-3.0",
-]
-# Lint level for licenses considered copyleft
-copyleft = "warn"
-# Blanket approval or denial for OSI-approved or FSF Free/Libre licenses
-allow-osi-fsf-free = "both"
-# Lint level used when no other predicates are matched
-default = "deny"
+exceptions = []
 [bans]
-# Lint level for when multiple versions of the same crate are detected
 multiple-versions = "warn"
-# Lint level for when an allow-listed crate is detected without an exact version
-allow = [
- # Each entry can be just the name and an optional wildcard version.
- # This would ideally be pulled from Cargo.lock deps to keep up to date
- # but that is more complex. It depends on the use case.
-]
-# Each entry must be a single version number
-deny = [
- # Each entry is a crate name. Optionally with a version
-]
-# Certain crates/versions that will be skipped when doing duplicate detection
-skip = [
- # { name = "ansi_term", version = "<= 0.11.0" }
-]
-# Similarly named crates that are allowed to coexist
-skip-tree = [
- # { name = "windows", version = "<=0.46.0" }
-]
+allow = []
+deny = []
+skip = []
+skip-tree = []
 [sources]
-# Lint level for what to happen when a crate from a crate registry that is not in the allow list is detected
 unknown-registry = "deny"
-# Lint level for what to happen when a crate from a Git repository that is not in the allow list is detected
 unknown-git = "deny"
-# The allow list of crate registries
 allow-registry = ["https://github.com/rust-lang/crates.io-index"]
-# The allow list of Git repositories
 allow-git = []
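Review bot: `"BUSL-1.1"` is added to the global `allow` list, which accepts the Business Source License for every crate in the graph, present and future. BUSL-1.1 is a source-available licence with production-use restrictions rather than an open-source one, and nothing in the hunk says which dependency needs it. Since the same hunk introduces `exceptions = []`, the narrower form is to drop it from `allow` and scope it there, e.g. `exceptions = [{ allow = ["BUSL-1.1"], crate = "<crate-name>" }]`. A one-line comment naming the crate behind each of the less common additions (`"MPL-2.0"`, `"OpenSSL"`, `"CDLA-Permissive-2.0"`) would make the list auditable. The removed GPL/AGPL `deny` list is presumably covered by cargo-deny rejecting any licence not in `allow`, which is worth confirming against the version named in the file header.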