diff --git a/artifacts/program_methods/privacy_preserving_circuit.bin b/artifacts/program_methods/privacy_preserving_circuit.bin
index c6e5a28b..ada917b7 100644
Binary files a/artifacts/program_methods/privacy_preserving_circuit.bin and b/artifacts/program_methods/privacy_preserving_circuit.bin differ
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 00000000..72d80da3
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,56 @@
+[advisories]
+# Ignored advisories. Each entry must record why the fix isn't being applied here so
+# future maintainers can re-evaluate. Track upstream fixes and reopen as bumps land.
+ignore = [
+ # hickory-proto v0.25.0-alpha.5 — pulled in via libp2p v0.55 -> libp2p-dns v0.43 ->
+ # hickory-resolver v0.25.0-alpha.5. The fix is only in hickory-proto v0.26.x, which
+ # requires libp2p v0.56 (libp2p-dns v0.44). `libp2p` comes from the upstream
+ # `logos-blockchain-cryptarchia-sync` git dep, and as of master commit f0b8974dde
+ # (2026-05-07) that repo still pins libp2p = "0.55".
+ { id = "RUSTSEC-2026-0118", reason = "transitive via libp2p 0.55; needs upstream cryptarchia-sync libp2p bump" },
+ { id = "RUSTSEC-2026-0119", reason = "transitive via libp2p 0.55; needs upstream cryptarchia-sync libp2p bump" },
+ # rsa v0.9 — Marvin Attack timing sidechannel. No patched 0.9.x release; fix lands
+ # in a future release. Used transitively by several deps; revisit when upstream
+ # patches.
+ { id = "RUSTSEC-2023-0071", reason = "rsa crate Marvin Attack; awaiting patched release" },
+ # tracing-subscriber — ANSI escape injection in log values. Patched in newer
+ # tracing-subscriber; pinned by transitive deps. Bump requires coordinated update
+ # of dependents.
+ { id = "RUSTSEC-2025-0055", reason = "tracing-subscriber ANSI; pinned by transitive deps, needs coordinated bump" },
+ # rand — unsoundness when a custom logger uses rand::rng(). We don't use a custom
+ # logger this way; risk profile is low.
+ { id = "RUSTSEC-2026-0097", reason = "rand unsoundness only triggered by custom logger pattern we don't use" },
+ # Unmaintained crates. Not vulnerabilities; flagged because upstream stopped
+ # publishing. Each is a transitive dep — bumping out requires the consumer to
+ # switch alternatives.
+ { id = "RUSTSEC-2023-0089", reason = "atomic-polyfill unmaintained; transitive only" },
+ { id = "RUSTSEC-2024-0388", reason = "derivative unmaintained; transitive only" },
+ { id = "RUSTSEC-2024-0436", reason = "paste unmaintained; transitive only" },
+ { id = "RUSTSEC-2025-0141", reason = "bincode unmaintained; transitive only" },
+]
+
+[licenses]
+# Mirrors the implicit set previously accepted on `main` (origin reported `licenses ok`
+# with no deny.toml). Adding deny.toml triggers strict enforcement, so the licenses
+# already present in the dependency graph must be enumerated here.
+allow = [
+ "0BSD",
+ "Apache-2.0",
+ "Apache-2.0 WITH LLVM-exception",
+ "BSD-1-Clause",
+ "BSD-2-Clause",
+ "BSD-3-Clause",
+ "BSL-1.0",
+ "CC0-1.0",
+ "CDLA-Permissive-2.0",
+ "ISC",
+ "LGPL-2.1-or-later",
+ "LGPL-3.0-only",
+ "LGPL-3.0-or-later",
+ "MIT",
+ "MPL-2.0",
+ "Unicode-3.0",
+ "Unlicense",
+ "Zlib",
+]
+confidence-threshold = 0.8
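Review bot: The `ignore` entries for RUSTSEC-2026-0118/0119, RUSTSEC-2023-0071 and RUSTSEC-2025-0055 record why the upgrade is blocked, but not why the exposure is acceptable in the meantime; only the rand entry states that the triggering pattern is unused. This matters most for the hickory-proto pair, which sits on the DNS path reached through libp2p-dns, and for rsa, where the Marvin timing leak is only a risk if a remote party can observe an RSA private-key operation; "used transitively by several deps" does not settle that. I would add one comment line per entry, e.g. `# Exposure: <which crates pull this in; whether the affected path is reachable from the network — TODO confirm>`. Since these ignores do not expire on their own, a dated marker such as `# Re-evaluate by: <YYYY-MM-DD placeholder>` next to each group would make the "reopen as bumps land" intent checkable in review.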