chore: add deny.toml, fix supply chain, resolve primalSpring audit gaps

SD-01: Create deny.toml with ecoBin v3.0 C-sys ban list (16 crates),
advisory ignores for tarpc 0.34 transitives, cargo deny check passing.
Discovery C→A: Remove cosmetic "BearDog" primal name from genomebin
sign error message, replace with capability-agnostic wording.
blake3 pure feature: eliminate cc build dependency from application.
tar 0.4.44→0.4.45: fix RUSTSEC-2026-0067 and RUSTSEC-2026-0068.
Stale genomebin.rs module doc cleaned (removed bash fallback reference).

Made-with: Cursor

Author: eastgate

CHANGELOG.md

@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 
 ### Added
+- `deny.toml` supply chain auditing with ecoBin v3.0 C-sys ban list (16 crates)
 - Workspace-level lint configuration (`[workspace.lints]`): pedantic, nursery, forbid(unsafe_code)
 - Release profile optimizations: LTO, codegen-units=1, strip
 - E2E tests: full scaffold -> build -> test -> validate lifecycle (2 tests)
@@ -18,6 +19,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - server --port N/A documented in specification (sourDough is meta-primal)
 
 ### Changed
+- blake3 dependency uses `pure` feature (no C/asm build dependency)
+- `tar` crate updated to 0.4.45 (fixes RUSTSEC-2026-0067, RUSTSEC-2026-0068)
+- Removed cosmetic "BearDog" primal name from genomebin sign error message (Discovery A)
 - Scaffold command refactored: `scaffold.rs` (789 lines) -> `scaffold/{mod,generators,templates}.rs` (max 438)
 - All 3 ignored doctests rewritten to compile (native async trait syntax, edition 2024)
 - `sourdough-genomebin` Cargo.toml migrated to workspace metadata

Cargo.lock

@@ -47,7 +47,7 @@ tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
 
 # Cryptography
-blake3 = "1.5"
+blake3 = { version = "1.5", default-features = false, features = ["pure"] }
 
 # RPC
 tarpc = { version = "0.34", features = ["tokio1", "serde1", "serde-transport"] }

Cargo.toml

@@ -17,7 +17,9 @@
 - [x] All `#[allow()]` replaced with `#[expect(reason)]`
 - [x] `cargo fmt` clean
 - [x] `cargo doc` zero warnings, all doctests compile (0 ignored)
-- [x] Zero C dependencies (Pure Rust)
+- [x] Zero C application dependencies (Pure Rust, blake3 `pure` feature)
+- [x] `cargo deny check` passing (ecoBin v3.0 C-sys ban list, supply chain audit)
+- [x] Zero hardcoded primal names in crate code (Discovery grade A)
 - [x] JSON-RPC 2.0 primary IPC with semantic `domain.verb` method naming
 - [x] tarpc secondary high-throughput path with `bytes::Bytes` zero-copy
 - [x] Edition 2024
@@ -30,8 +32,10 @@
 - [x] Parallel genomeBin processing implemented
 - [x] E2E tests: scaffold -> build -> test -> validate lifecycle
 - [x] WHATS_NEXT.md and START_HERE.md documentation
-- [ ] Cross-compilation validation (musl)
-- [ ] genomeBin signing (Pure Rust, sequoia-openpgp)
+- [x] `deny.toml` supply chain auditing (SD-01 resolved)
+- [x] `tar` crate updated to 0.4.45 (RUSTSEC-2026-0067, RUSTSEC-2026-0068 resolved)
+- [ ] Cross-compilation validation (musl) — SD-02, stretch
+- [ ] genomeBin signing (Pure Rust, sequoia-openpgp) — SD-03, stretch
 
 ## Crate Health
 

STATUS.md

@@ -1,7 +1,6 @@
 //! `GenomeBin` creation and management commands.
 //!
-//! This module provides genomeBin operations using the Pure Rust `sourdough-genomebin`
-//! library. The bash script fallback is maintained for compatibility during migration.
+//! Pure Rust genomeBin operations via the `sourdough-genomebin` library.
 
 use anyhow::Result;
 use clap::Subcommand;
@@ -128,6 +127,6 @@ fn sign_genomebin(genomebin: &Path) -> Result<()> {
 
     anyhow::bail!(
         "genomeBin signing requires Pure Rust cryptography (sequoia-openpgp). \
-         This will be implemented when BearDog identity services are available."
+         This will be implemented when identity services are available via capability discovery."
     )
 }

crates/sourdough/src/commands/genomebin.rs

@@ -0,0 +1,79 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# cargo-deny configuration for sourDough
+# https://embarkstudios.github.io/cargo-deny/
+
+[graph]
+targets = []
+all-features = true
+
+[advisories]
+yanked = "deny"
+ignore = [
+    # Transitive from tarpc 0.34 → tokio-serde → bincode v1; awaiting tarpc upstream migration.
+    { id = "RUSTSEC-2025-0141", reason = "bincode v1 is transitive via tarpc; no direct usage" },
+    # Transitive from tarpc 0.34 → tracing-opentelemetry → opentelemetry_sdk 0.18.
+    { id = "RUSTSEC-2026-0007", reason = "opentelemetry_sdk is transitive via tarpc; no direct usage" },
+    # Transitive from tarpc 0.34 → opentelemetry_api merged into opentelemetry crate.
+    { id = "RUSTSEC-2024-0387", reason = "opentelemetry_api is transitive via tarpc; awaiting tarpc upgrade" },
+]
+
+[licenses]
+allow = [
+    "MIT",
+    "Apache-2.0",
+    "Apache-2.0 WITH LLVM-exception",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "ISC",
+    "MPL-2.0",
+    "Unicode-3.0",
+    "Zlib",
+    "BSL-1.0",
+    "AGPL-3.0-or-later",
+    "CC0-1.0",
+]
+confidence-threshold = 0.8
+exceptions = []
+
+[licenses.private]
+ignore = true
+
+[bans]
+multiple-versions = "warn"
+wildcards = "warn"
+highlight = "all"
+allow-wildcard-paths = true
+
+# ecoBin v3.0 compliance: C-backed crates banned from application builds.
+# blake3 uses cc as a build-dep for optional SIMD backends; sourDough builds
+# with features = ["pure"] so no C code is compiled, but cc remains in the
+# resolved graph. iana-time-zone-haiku uses cc only on Haiku OS (not our targets).
+deny = [
+    { crate = "openssl-sys", wrappers = [] },
+    { crate = "openssl-src", wrappers = [] },
+    { crate = "native-tls", wrappers = [] },
+    { crate = "aws-lc-sys", wrappers = [] },
+    { crate = "cmake", wrappers = [] },
+    { crate = "cc", wrappers = ["blake3", "iana-time-zone-haiku"] },
+    { crate = "bindgen", wrappers = [] },
+    { crate = "bzip2-sys", wrappers = [] },
+    { crate = "curl-sys", wrappers = [] },
+    { crate = "libz-sys", wrappers = [] },
+    { crate = "pkg-config", wrappers = [] },
+    { crate = "vcpkg", wrappers = [] },
+    { crate = "zstd-sys", wrappers = [] },
+    { crate = "lz4-sys", wrappers = [] },
+    { crate = "libsqlite3-sys", wrappers = [] },
+    { crate = "cryptoki-sys", wrappers = [] },
+]
+
+# Duplicate crate versions — all transitive from tarpc 0.34 (old opentelemetry,
+# rand 0.8, syn 1.x, thiserror 1.x) and proptest (rand 0.9). No action possible
+# until tarpc upgrades its dependency tree.
+skip = []
+
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+allow-git = []