[advisories]
# Advisories deliberately ignored. Every entry carries a `reason` explaining why
# the fix cannot be applied here, so that a later maintainer can re-evaluate it.
# Follow the upstream fixes and drop the entry once the corresponding bump lands.
ignore = [
    # hickory-proto v0.25.0-alpha.5, reached through
    # libp2p v0.55 -> libp2p-dns v0.43 -> hickory-resolver v0.25.0-alpha.5.
    # The fix exists only in hickory-proto v0.26.x, which needs libp2p v0.56
    # (libp2p-dns v0.44). `libp2p` is chosen by the upstream
    # `logos-blockchain-cryptarchia-sync` git dependency; as of its master
    # commit f0b8974dde (2026-05-07) that repo still pins libp2p = "0.55".
    { id = "RUSTSEC-2026-0118", reason = "transitive via libp2p 0.55; needs upstream cryptarchia-sync libp2p bump" },
    { id = "RUSTSEC-2026-0119", reason = "transitive via libp2p 0.55; needs upstream cryptarchia-sync libp2p bump" },
    # rsa v0.9: Marvin Attack timing side channel. There is no patched 0.9.x
    # release; the fix is expected in a later release. Pulled in transitively by
    # several dependencies — revisit once upstream publishes the fix.
    { id = "RUSTSEC-2023-0071", reason = "rsa crate Marvin Attack; awaiting patched release" },
    # tracing-subscriber: ANSI escape sequences injected through log values.
    # Patched in newer tracing-subscriber, but the version is pinned by
    # transitive dependencies, so the bump has to be coordinated across them.
    { id = "RUSTSEC-2025-0055", reason = "tracing-subscriber ANSI; pinned by transitive deps, needs coordinated bump" },
    # rand: unsoundness triggered only when a custom logger calls rand::rng().
    # This project does not use a custom logger that way, so exposure is low.
    { id = "RUSTSEC-2026-0097", reason = "rand unsoundness only triggered by custom logger pattern we don't use" },
    # Unmaintained crates. These are not vulnerabilities; they are flagged because
    # upstream stopped publishing. All are transitive, so moving off them means
    # the consuming crate has to switch to an alternative.
    { id = "RUSTSEC-2023-0089", reason = "atomic-polyfill unmaintained; transitive only" },
    { id = "RUSTSEC-2024-0388", reason = "derivative unmaintained; transitive only" },
    { id = "RUSTSEC-2024-0436", reason = "paste unmaintained; transitive only" },
    { id = "RUSTSEC-2025-0141", reason = "bincode unmaintained; transitive only" },
]

[licenses]
# Reproduces the set that was implicitly accepted on `main` (origin reported
# `licenses ok` with no deny.toml present). Adding a deny.toml switches on strict
# enforcement, so every license already in the dependency graph has to be listed.
allow = [
    "0BSD",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "BSD-1-Clause",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "BSL-1.0",
    "CC0-1.0",
    "CDLA-Permissive-2.0",
    "ISC",
    "LGPL-2.1-or-later",
    "LGPL-3.0-only",
    "LGPL-3.0-or-later",
    "MIT",
    "MPL-2.0",
    "Unicode-3.0",
    "Unlicense",
    "Zlib",
]
# Minimum confidence (0.0-1.0) for matching a crate's license text against the
# canonical SPDX text of a license in the list above.
confidence-threshold = 0.8