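# cargo-deny configuration — supply-chain hardening
# https://embarkstudios.github.io/cargo-deny/

[graph]
# Resolve with every feature enabled so optional dependencies are checked too
all-features = true

[advisories]
# Config schema version, not a lint level: under version 2 the old
# `vulnerability` / `notice` severity knobs no longer exist and a crate with
# a known vulnerability always fails the check.
version = 2
# Only flag unmaintained crates that are direct workspace dependencies
unmaintained = "workspace"

[licenses]
# Config schema version: under version 2 any license not listed in `allow`
# is denied. Without it the version 1 defaults apply, which only *warn* on
# unlisted copyleft licenses instead of failing the check.
version = 2
# Only allow these licenses
allow = [
    "Apache-2.0",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "BSL-1.0",
    "CC0-1.0",
    "CDLA-Permissive-2.0",
    "EUPL-1.2",
    "ISC",
    "MIT",
    "MPL-2.0",
    "OpenSSL",
    "Unicode-3.0",
    "Unicode-DFS-2016",
    "Zlib",
]
# Minimum confidence for identifying a license from its text (tool default)
confidence-threshold = 0.8

[bans]
# Deny multiple versions of the same crate (warn only — too strict for initial rollout)
multiple-versions = "warn"
# Workspace crates use `workspace = true` which cargo-deny sees as wildcards.
# "allow" disables the wildcard check for *every* dependency, registry ones
# included; the narrower setting is `wildcards = "deny"` together with
# `allow-wildcard-paths = true`, which tolerates `*` only for path
# dependencies of crates that are not published.
wildcards = "allow"
# Show the full dependency path to each duplicated crate in the output
highlight = "all"

[sources]
# Only allow crates from crates.io
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
# No git dependencies are permitted; list exact repository URLs here if one becomes necessary
allow-git = []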