sweetGrass/deny.toml at main · ecoPrimals/sweetGrass · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
# SweetGrass Dependency Audit Configuration
# cargo-deny configuration for primal sovereignty

[advisories]
db-path = "~/.cargo/advisory-db"
db-urls = ["https://github.com/rustsec/advisory-db"]
yanked = "deny"
ignore = [
    # Dev-only: testcontainers → tokio-tar / bollard dep chain (no safe upgrades yet)
    "RUSTSEC-2024-0384",
    "RUSTSEC-2025-0057",
    "RUSTSEC-2025-0111",
    "RUSTSEC-2025-0134",
    "RUSTSEC-2025-0141",
]

[licenses]
allow = [
    "AGPL-3.0-or-later",
    "MIT",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "Zlib",
    "BSL-1.0",
    "Unicode-3.0",
]
confidence-threshold = 0.8

[bans]
multiple-versions = "deny"
wildcards = "deny"
allow-wildcard-paths = true
highlight = "all"

# Deny gRPC/protobuf dependencies - Primal Sovereignty
deny = [
    # gRPC and protobuf - FORBIDDEN (C++ toolchain, vendor lock-in)
    { name = "tonic", wrappers = [] },
    { name = "prost", wrappers = [] },
    { name = "prost-types", wrappers = [] },
    { name = "protobuf", wrappers = [] },
    { name = "grpcio", wrappers = [] },
    { name = "tonic-build", wrappers = [] },
    { name = "prost-build", wrappers = [] },
    { name = "quick-protobuf", wrappers = [] },
    { name = "pbjson", wrappers = [] },

    # C-backend TLS/crypto - Tower Atomic replaces these (Songbird + BearDog)
    { name = "openssl", wrappers = [], use-instead = "Tower Atomic (Songbird + BearDog)" },
    { name = "openssl-sys", wrappers = [], use-instead = "Tower Atomic (Songbird + BearDog)" },
    { name = "native-tls", wrappers = [], use-instead = "Tower Atomic (Songbird + BearDog)" },
    # ring/rustls: wrappers allow the testcontainers dev-dep chain (bollard → rustls → ring).
    # Any NEW production dep pulling these will still be caught.
    { name = "ring", wrappers = ["rustls", "rustls-webpki"], reason = "C/ASM crypto backend — Tower Atomic replaces this" },
    { name = "rustls", wrappers = ["bollard", "hyper-rustls", "tokio-rustls"], reason = "depends on ring (C/ASM) — Tower Atomic replaces this" },

    # Outbound HTTP clients - route through neuralAPI → Songbird instead
    { name = "reqwest", wrappers = [], use-instead = "neuralAPI capability.call(\"http.request\", ...)" },
    { name = "ureq", wrappers = [], use-instead = "neuralAPI capability.call(\"http.request\", ...)" },

    # Shared cross-primal types — sovereignty violation (each primal owns its own types)
    { name = "provenance-trio-types", wrappers = [], reason = "Boundary violation — primals communicate via JSON-RPC, not shared crates" },
]

skip = [
    # sqlx 0.8 → hashlink → hashbrown 0.15; indexmap 2 → hashbrown 0.16
    { name = "hashbrown", version = "=0.15.5" },
]
skip-tree = [
    # Dev-only: criterion benchmarks pull in older rand/getrandom chains
    { name = "criterion" },
    # Dev-only: proptest pulls in rand 0.8 / rand_chacha 0.3 chains
    { name = "proptest" },
    # Dev-only: testcontainers pulls in bollard → older base64, docker deps
    { name = "testcontainers" },
    { name = "testcontainers-modules" },
]

[sources]
unknown-registry = "deny"
unknown-git = "warn"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]