From 556cfb4a6bbf90d0c2d88df5262c424c869914e0 Mon Sep 17 00:00:00 2001
From: juangaitanv
Date: Thu, 4 Jun 2026 16:35:35 +0200
Subject: [PATCH] Replace cargo audit with cargo deny for CLI dependency policy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

cargo audit only checked RustSec advisories. For a binary we distribute to customers, that left licenses, sources, and bans untested. cargo deny covers all three plus advisories from the same RustSec DB — a strict superset — so consolidate to one supply-chain tool.

- deny.toml: advisories (deny), licenses (permissive allowlist + option-ext MPL-2.0), sources (lock to crates.io), bans (warn on duplicates/wildcards).
- harness: cmd_audit/_cmd_audit_inner -> cmd_deny/_cmd_deny_inner; ci + dispatch + help/header updated. Local stays lenient, CI stays strict.
- test.yml: install cargo-deny instead of cargo-audit.
- Cargo.toml: mark corgea publish=false. It ships via maturin (npm + pip), never crates.io, and its own LICENSE is LGPL-2.1; publish=false makes it "private" so deny skips license checks on our own source.
- AGENTS.md: document ./harness deny.

Verified: cargo deny check passes (advisories/licenses/sources/bans), negative check fails when MPL-2.0 is dropped, ./harness ci green.
---
 .github/workflows/test.yml | 4 ++--
 AGENTS.md | 4 ++--
 Cargo.toml | 4 ++++
 deny.toml | 41 ++++++++++++++++++++++++++++++++++++++
 harness | 22 ++++++++++----------
 5 files changed, 60 insertions(+), 15 deletions(-)
 create mode 100644 deny.toml

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index d63857b..295ee24 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -23,8 +23,8 @@ jobs:
 - name: Install cargo-llvm-cov
 uses: taiki-e/install-action@cargo-llvm-cov
- - name: Install cargo-audit
- uses: taiki-e/install-action@cargo-audit
+ - name: Install cargo-deny
+ uses: taiki-e/install-action@cargo-deny
 - name: Cache cargo
 uses: Swatinem/rust-cache@v2
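Review bot: The new install step references `taiki-e/install-action@cargo-deny`, a mutable ref that the upstream repository can move, so the binary that enforces the dependency policy is itself fetched by an unpinned reference. Pinning the action to a full commit SHA with the tag in a trailing comment keeps the gate's own supply chain fixed, e.g. `uses: taiki-e/install-action@<commit-sha> # cargo-deny` (placeholder for the resolved SHA). The adjacent `@cargo-llvm-cov` context line has the same shape, and the job's `permissions:` block is outside the hunk, so whether the workflow token is already restricted cannot be checked here.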
diff --git a/AGENTS.md b/AGENTS.md
index 3f48000..96aea1a 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -6,8 +6,8 @@ This subproject is the Corgea developer CLI (Rust → npm + pip via maturin).
 - After edits: `./harness check` — clippy fix, format, tests, suppression report
 - Pre-commit: `./harness pre-commit` — staged Rust files only (auto via git hook)
-- CI: `./harness ci` — strict clippy (`-D warnings`), format check, dep audit, tests + coverage gate (min 13%)
-- Audit: `./harness audit` — `cargo audit` for known dep vulnerabilities
+- CI: `./harness ci` — strict clippy (`-D warnings`), format check, dep policy (`cargo deny`: advisories + licenses + sources + bans), tests + coverage gate (min 13%)
+- Deny: `./harness deny` — `cargo deny check` (vulns, licenses, sources, bans) per `deny.toml`
 - Coverage: `./harness coverage [--min=N]` — cargo-llvm-cov; HTML report under `target/llvm-cov/`; fails if line coverage < N (default 13)
 - Lint: `./harness lint` — clippy + format check, no fixes
 - Test: `./harness test` — `cargo test`
diff --git a/Cargo.toml b/Cargo.toml
index dd14348..d950e39 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -2,6 +2,10 @@
 name = "corgea"
 version = "1.8.8"
 edition = "2021"
+# Distributed via maturin → npm + pip, never `cargo publish`ed to crates.io.
+# Marks the crate private so `cargo deny` skips license checks on our own
+# LGPL-2.1 source (see deny.toml `[licenses] private = { ignore = true }`).
+publish = false
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 0000000..c76e851
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,41 @@
+# cargo-deny policy for the corgea CLI.
+# Run: ./harness deny (CI runs it strict via ./harness ci)
+
+[advisories]
+version = 2
+# RustSec DB: fail on vulnerable/unmaintained/unsound/yanked crates.
+# ignore = [] # add "RUSTSEC-YYYY-NNNN" with a justification comment if ever needed
+
+[licenses]
+version = 2
+# SPDX ids allowed to ship in the distributed binary. All permissive,
+# plus option-ext's file-level MPL-2.0 (transitive via `dirs`).
+allow = [
+ "MIT",
+ "Apache-2.0",
+ "Apache-2.0 WITH LLVM-exception",
+ "BSD-3-Clause",
+ "Unicode-3.0",
+ "Unlicense",
+ "0BSD",
+ "CC0-1.0",
+ "MIT-0",
+ "Zlib",
+ "BSL-1.0",
+ "MPL-2.0",
+]
+# The `corgea` crate's own LICENSE file is LGPL-2.1; it ships only as a binary
+# (never `cargo publish`ed) so it's marked `publish = false` in Cargo.toml,
+# which makes it "private" and exempt from these dep-license rules.
+private = { ignore = true }
+confidence-threshold = 0.9
+
+[bans]
+# Duplicate versions are common & low-risk in a 310-crate tree → warn, don't fail.
+multiple-versions = "warn"
+wildcards = "warn"
+
+[sources]
+# Lock the supply chain to crates.io. Any git / alt-registry dep fails the gate.
+unknown-registry = "deny"
+unknown-git = "deny"
diff --git a/harness b/harness
index 61cc0b1..c9c58a8 100755
--- a/harness
+++ b/harness
@@ -2,7 +2,7 @@
 # Project development tasks. Bash + cargo + git only.
 # Usage: ./harness [--verbose] [--min=N]
 #
-# Commands: check, fix, lint, test, audit, coverage, pre-commit, ci,
+# Commands: check, fix, lint, test, deny, coverage, pre-commit, ci,
 # post-edit, setup-hooks, suppressions
 set -u
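Review bot: `"MPL-2.0"` is placed in the global `allow` list of `[licenses]`, although the comment above it says it is there only for option-ext's file-level MPL-2.0 reached through `dirs`; as written, any future MPL-2.0 crate passes the gate with no review. Scope it to that crate and drop it from `allow`: `[[licenses.exceptions]]` / `crate = "option-ext"` / `allow = ["MPL-2.0"]`, which also makes the commit's "negative check" meaningful for every other crate. With `version = 2` in `[advisories]`, unmaintained and unsound advisories are treated as errors by default (as I read the v2 defaults), so a transitive unmaintained crate will break `./harness ci` until a `RUSTSEC-…` id goes into `ignore` with the justification the comment asks for; worth stating in the header comment so the first such failure is not mistaken for a vulnerability. `wildcards = "warn"` never fails the gate; for a shipped binary `"deny"` is the stricter choice unless a wildcard dependency is known to exist today.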
@@ -160,21 +160,21 @@ cmd_test() {
 run_with_summary "Tests" 0 -- cargo test
 }
-cmd_audit() {
- _cmd_audit_inner 0
+cmd_deny() {
+ _cmd_deny_inner 0
 }
-_cmd_audit_inner() {
+_cmd_deny_inner() {
 local strict="$1"
- if cargo audit --version >/dev/null 2>&1; then
- run "Dep audit" 0 -- cargo audit
+ if cargo deny --version >/dev/null 2>&1; then
+ run "Dep policy" 0 -- cargo deny check
 return
 fi
 if [ "$strict" = "1" ]; then
- printf " %s✗%s Dep audit (cargo-audit not installed)\n" "$RED" "$RESET"
+ printf " %s✗%s Dep policy (cargo-deny not installed)\n" "$RED" "$RESET"
 exit 1
 fi
- printf " %s⊘ Dep audit skipped (install: cargo install cargo-audit)%s\n" "$DIM" "$RESET"
+ printf " %s⊘ Dep policy skipped (install: cargo install cargo-deny)%s\n" "$DIM" "$RESET"
 }
 cmd_coverage() {
@@ -244,7 +244,7 @@ cmd_ci() {
 printf "\n%s[ci]%s\n\n" "$BLUE" "$RESET"
 run "Clippy (strict)" 0 -- cargo clippy -- -D warnings
 run "Format check" 0 -- cargo fmt --check
- _cmd_audit_inner 1
+ _cmd_deny_inner 1
 if ! cargo llvm-cov --version >/dev/null 2>&1; then
 printf " %s✗%s Coverage (cargo-llvm-cov not installed)\n" "$RED" "$RESET"
 printf " %sInstall:%s cargo install cargo-llvm-cov\n" "$DIM" "$RESET"
@@ -274,7 +274,7 @@ case "$cmd" in
 fix) cmd_fix ;;
 lint) cmd_lint ;;
 test) cmd_test ;;
- audit) cmd_audit ;;
+ deny) cmd_deny ;;
 coverage) cmd_coverage ;;
 pre-commit) cmd_pre_commit ;;
 ci) cmd_ci ;;
@@ -283,7 +283,7 @@ case "$cmd" in
 suppressions) cmd_suppressions ;;
 -h|--help|help)
 printf "Usage: ./harness [--verbose] [--min=N]\n\n"
- printf "Commands: check, fix, lint, test, audit, coverage, pre-commit,\n"
+ printf "Commands: check, fix, lint, test, deny, coverage, pre-commit,\n"
 printf " ci, post-edit, setup-hooks, suppressions\n"
 ;;
 *)
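Review bot: `run "Dep policy" 0 -- cargo deny check` in `_cmd_deny_inner` evaluates whatever graph cargo resolves at that moment, so a stale `Cargo.lock` is silently updated and the strict CI call (`_cmd_deny_inner 1` in the `cmd_ci` hunk below) validates a dependency set that differs from the committed one. In strict mode pass the lockfile guard so the gate checks exactly what is built, e.g. `run "Dep policy" 0 -- cargo deny --locked check` when `"$strict" = "1"`, leaving the lenient local path as it is to keep the "local stays lenient" intent from the commit message. Whether `run` propagates a non-zero exit from `cargo deny` depends on its definition, which is outside this hunk.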