vndangkhoa/openpencil
1
0
Fork 0
mirror of https://github.com/ZSeven-W/openpencil.git synced 2026-06-01 03:14:29 +07:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
openpencil/deny.toml
Kayshen-X d9d45d15e3 fix(ci): address native action failures
2026-05-31 17:30:30 +08:00

79 lines
2.5 KiB
TOML
Raw Blame History

# cargo-deny config — pinned to ≥ 0.16 schema
# Validated via openpencil-docs/superpowers/notes/2026-05-02-cargo-deny-validation.md
[graph]
all-features = false
# Scoped to the actual release targets (macOS/Linux/Windows native + wasm32).
# Without this, cargo-deny defaults to every target (including Android/iOS),
# pulling in edition-2024 deps like jni / android-activity, which makes
# `cargo metadata` fail on rustc 1.82.
targets = [
{ triple = "x86_64-unknown-linux-gnu" },
{ triple = "aarch64-unknown-linux-gnu" },
{ triple = "x86_64-apple-darwin" },
{ triple = "aarch64-apple-darwin" },
{ triple = "x86_64-pc-windows-msvc" },
{ triple = "wasm32-unknown-unknown" },
]
[licenses]
allow = [
"MIT",
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception",
"BSD-2-Clause",
"BSD-3-Clause",
"ISC",
"Unicode-DFS-2016",
"Unicode-3.0",
"CDLA-Permissive-2.0",
"MPL-2.0",
"Zlib",
# Boost Software License — permissive, OSI-approved. Pulled in by
# `arboard`'s Windows clipboard path (`clipboard-win`, `error-code`).
"BSL-1.0",
]
confidence-threshold = 0.93
[advisories]
yanked = "deny"
ignore = [
# async-openai 0.36.x still depends on backoff 0.4.x, and RustSec
# reports no safe upgrade path yet. Keep this narrow to the advisory
# until async-openai moves to a maintained retry crate.
"RUSTSEC-2025-0012",
# Transitive through backoff 0.4.x; see the async-openai/backoff note
# above.
"RUSTSEC-2024-0384",
]
[bans]
multiple-versions = "warn"
# Workspace-internal path deps omit the version (standard practice — avoids
# editing two places on every bump). No crate ships to crates.io, so
# wildcard path deps are expected; hence allowed.
wildcards = "allow"
allow-wildcard-paths = true
deny = [
# WASM bundle blacklist (kickoff spec §1.2 invariant).
# `agent` is not listed: it is a native-only dependency of op-host-desktop
# (the desktop binary, never compiled to wasm); wasm isolation is
# structural (op-host-web does not depend on it) and verified by
# tools/check-wasm-bundle.sh.
"pen-agent-cli",
"pen-server",
"native-tls",
]
# tokio's process / rt-multi-thread features are no longer banned:
# op-host-desktop's native (async) agent runtime legitimately needs them.
# The wasm side is structurally safe — both features depend on OS
# threads/processes and cannot compile to wasm32 — and is verified by
# tools/check-wasm-bundle.sh.
[sources]
unknown-registry = "deny"
unknown-git = "deny"
# agent-rs is now pulled in as a path dependency via the vendor/agent
# submodule, no longer a git dependency.
allow-git = []
Reference in a new issue View git blame Copy permalink