# cargo-deny configuration — cargo-deny 0.18+
# https://embarkstudios.github.io/cargo-deny/

[advisories]
db-path = "~/.cargo/advisory-db"
db-urls = ["https://github.com/rustsec/advisory-db"]
unmaintained = "workspace"
yanked = "warn"
ignore = [
    # RUSTSEC-2023-0071: rsa Marvin Attack (timing side-channel).
    # rsa is a transitive dep; not used in network-facing key operations here.
    # Revisit when rsa publishes a patched release.
    { id = "RUSTSEC-2023-0071" },
    # RUSTSEC-2026-0044 / RUSTSEC-2026-0048: aws-lc-sys X.509 CN and CRL bugs.
    # Transitive through surrealdb → stratum-db / stratum-state (stratumiops path deps).
    # Not fixable here until stratumiops bumps surrealdb. No CN wildcard or CRL checking used.
    { id = "RUSTSEC-2026-0044" },
    { id = "RUSTSEC-2026-0048" },
    # RUSTSEC-2026-0049: rustls-webpki CRL distribution point matching logic.
    # Transitive through surrealdb and async-nats. Same constraint as above.
    { id = "RUSTSEC-2026-0049" },
]

[licenses]
allow = [
    "MIT",
    "MIT-0",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "Unicode-DFS-2016",
    "Unicode-3.0",
    "CC0-1.0",
    "Zlib",
    "Unlicense",
    "MPL-2.0",
    "OpenSSL",
    "CDLA-Permissive-2.0",
    "BUSL-1.1",
]
exceptions = []

[bans]
multiple-versions = "warn"
allow = []
deny = []
skip = []
skip-tree = []

[sources]
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = []