From b4e144b48d6b18091d9efc5c791c5533effd8a51 Mon Sep 17 00:00:00 2001
From: maplesyzzurp <117tristan@gmail.com>
Date: Sat, 30 May 2026 04:52:59 -0400
Subject: [PATCH] ci: add cargo-deny supply-chain gate for Rust dependencies

CI ran fmt/clippy/test plus a secret scan, but nothing checked the
dependency tree for known vulnerabilities. Add a cargo-deny job
(advisories + bans + sources) so a RUSTSEC advisory, a yanked crate, a
wildcard version requirement, or a dependency from an unexpected registry
fails CI.

deny.toml is scoped to the security checks; license compliance is left for
a follow-up so the gate stays focused. The action is commit-pinned.
Verified locally with cargo-deny 0.19.8: advisories ok, bans ok, sources ok.
---
 .github/workflows/ci.yml | 11 +++++++++++
 deny.toml                | 31 +++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+)
 create mode 100644 deny.toml

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bd97205..adf876e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -35,3 +35,14 @@ jobs:
         with:
           python-version: '3.x'
       - run: python scripts/check-secrets.py
+
+  cargo-deny:
+    name: Dependency audit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      # Commit-pinned (v2.0.20): a supply-chain gate must not itself depend on a
+      # mutable action tag. Config lives in deny.toml at the repo root.
+      - uses: EmbarkStudios/cargo-deny-action@bb137d7af7e4fb67e5f82a49c4fce4fad40782fe # v2.0.20
+        with:
+          command: check advisories bans sources
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 0000000..e2b9db6
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,31 @@
+# cargo-deny configuration — supply-chain gate for the Rust dependency tree.
+# Enforced in CI (.github/workflows/ci.yml). Docs: https://embarkstudios.github.io/cargo-deny/
+#
+# Scope is intentionally the security-relevant checks:
+#   * advisories — known vulnerabilities / RUSTSEC advisories, yanked crates
+#   * bans       — wildcard version requirements (and duplicate-version noise)
+#   * sources    — dependencies must come from the official crates.io registry
+#
+# License compliance is deliberately left out for now so this gate stays focused
+# on security and does not fail on license classification; it can be enabled as
+# a follow-up by adding a `[licenses]` allow-list and `check licenses` in CI.
+
+[advisories]
+# RUSTSEC advisory database. cargo-deny errors on vulnerabilities by default.
+# Refuse yanked crates — a yanked dependency is a supply-chain smell.
+yanked = "deny"
+# Only add advisory IDs here with a written justification, never silently.
+ignore = []
+
+[bans]
+# Duplicate transitive versions are common and noisy — surface but don't fail.
+multiple-versions = "warn"
+# Our own crates must pin real version requirements, never "*".
+wildcards = "deny"
+
+[sources]
+# Only the official crates.io registry is trusted. Reject unknown registries
+# and any git sources (there are none today).
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]