Replace cargo audit with cargo deny for CLI dependency policy

.github/workflows/test.yml

@@ -23,8 +23,8 @@ jobs:
       - name: Install cargo-llvm-cov
         uses: taiki-e/install-action@cargo-llvm-cov
 
-      - name: Install cargo-audit
-        uses: taiki-e/install-action@cargo-audit
+      - name: Install cargo-deny
+        uses: taiki-e/install-action@cargo-deny
 
       - name: Cache cargo
         uses: Swatinem/rust-cache@v2

AGENTS.md

@@ -6,8 +6,8 @@ This subproject is the Corgea developer CLI (Rust → npm + pip via maturin).
 
 - After edits: `./harness check` — clippy fix, format, tests, suppression report
 - Pre-commit: `./harness pre-commit` — staged Rust files only (auto via git hook)
-- CI: `./harness ci` — strict clippy (`-D warnings`), format check, dep audit, tests + coverage gate (min 13%)
-- Audit: `./harness audit` — `cargo audit` for known dep vulnerabilities
+- CI: `./harness ci` — strict clippy (`-D warnings`), format check, dep policy (`cargo deny`: advisories + licenses + sources + bans), tests + coverage gate (min 13%)
+- Deny: `./harness deny` — `cargo deny check` (vulns, licenses, sources, bans) per `deny.toml`
 - Coverage: `./harness coverage [--min=N]` — cargo-llvm-cov; HTML report under `target/llvm-cov/`; fails if line coverage < N (default 13)
 - Lint: `./harness lint` — clippy + format check, no fixes
 - Test: `./harness test` — `cargo test`

Cargo.toml

@@ -2,6 +2,10 @@
 name = "corgea"
 version = "1.8.8"
 edition = "2021"
+# Distributed via maturin → npm + pip, never `cargo publish`ed to crates.io.
+# Marks the crate private so `cargo deny` skips license checks on our own
+# LGPL-2.1 source (see deny.toml `[licenses] private = { ignore = true }`).
+publish = false
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 

deny.toml

@@ -0,0 +1,41 @@
+# cargo-deny policy for the corgea CLI.
+# Run: ./harness deny   (CI runs it strict via ./harness ci)
+
+[advisories]
+version = 2
+# RustSec DB: fail on vulnerable/unmaintained/unsound/yanked crates.
+# ignore = []  # add "RUSTSEC-YYYY-NNNN" with a justification comment if ever needed
+
+[licenses]
+version = 2
+# SPDX ids allowed to ship in the distributed binary. All permissive,
+# plus option-ext's file-level MPL-2.0 (transitive via `dirs`).
+allow = [
+    "MIT",
+    "Apache-2.0",
+    "Apache-2.0 WITH LLVM-exception",
+    "BSD-3-Clause",
+    "Unicode-3.0",
+    "Unlicense",
+    "0BSD",
+    "CC0-1.0",
+    "MIT-0",
+    "Zlib",
+    "BSL-1.0",
+    "MPL-2.0",
+]
+# The `corgea` crate's own LICENSE file is LGPL-2.1; it ships only as a binary
+# (never `cargo publish`ed) so it's marked `publish = false` in Cargo.toml,
+# which makes it "private" and exempt from these dep-license rules.
+private = { ignore = true }
+confidence-threshold = 0.9
+
+[bans]
+# Duplicate versions are common & low-risk in a 310-crate tree → warn, don't fail.
+multiple-versions = "warn"
+wildcards = "warn"
+
+[sources]
+# Lock the supply chain to crates.io. Any git / alt-registry dep fails the gate.
+unknown-registry = "deny"
+unknown-git = "deny"

harness

@@ -2,7 +2,7 @@
 # Project development tasks. Bash + cargo + git only.
 # Usage: ./harness <command> [--verbose] [--min=N]
 #
-# Commands: check, fix, lint, test, audit, coverage, pre-commit, ci,
+# Commands: check, fix, lint, test, deny, coverage, pre-commit, ci,
 #           post-edit, setup-hooks, suppressions
 
 set -u
@@ -160,21 +160,21 @@ cmd_test() {
     run_with_summary "Tests" 0 -- cargo test
 }
 
-cmd_audit() {
-    _cmd_audit_inner 0
+cmd_deny() {
+    _cmd_deny_inner 0
 }
 
-_cmd_audit_inner() {
+_cmd_deny_inner() {
     local strict="$1"
-    if cargo audit --version >/dev/null 2>&1; then
-        run "Dep audit" 0 -- cargo audit
+    if cargo deny --version >/dev/null 2>&1; then
+        run "Dep policy" 0 -- cargo deny check
         return
     fi
     if [ "$strict" = "1" ]; then
-        printf "  %s✗%s Dep audit (cargo-audit not installed)\n" "$RED" "$RESET"
+        printf "  %s✗%s Dep policy (cargo-deny not installed)\n" "$RED" "$RESET"
         exit 1
     fi
-    printf "  %s⊘ Dep audit skipped (install: cargo install cargo-audit)%s\n" "$DIM" "$RESET"
+    printf "  %s⊘ Dep policy skipped (install: cargo install cargo-deny)%s\n" "$DIM" "$RESET"
 }
 
 cmd_coverage() {
@@ -244,7 +244,7 @@ cmd_ci() {
     printf "\n%s[ci]%s\n\n" "$BLUE" "$RESET"
     run "Clippy (strict)" 0 -- cargo clippy -- -D warnings
     run "Format check" 0 -- cargo fmt --check
-    _cmd_audit_inner 1
+    _cmd_deny_inner 1
     if ! cargo llvm-cov --version >/dev/null 2>&1; then
         printf "  %s✗%s Coverage (cargo-llvm-cov not installed)\n" "$RED" "$RESET"
         printf "  %sInstall:%s cargo install cargo-llvm-cov\n" "$DIM" "$RESET"
@@ -274,7 +274,7 @@ case "$cmd" in
     fix)          cmd_fix ;;
     lint)         cmd_lint ;;
     test)         cmd_test ;;
-    audit)        cmd_audit ;;
+    deny)         cmd_deny ;;
     coverage)     cmd_coverage ;;
     pre-commit)   cmd_pre_commit ;;
     ci)           cmd_ci ;;
@@ -283,7 +283,7 @@ case "$cmd" in
     suppressions) cmd_suppressions ;;
     -h|--help|help)
         printf "Usage: ./harness <command> [--verbose] [--min=N]\n\n"
-        printf "Commands: check, fix, lint, test, audit, coverage, pre-commit,\n"
+        printf "Commands: check, fix, lint, test, deny, coverage, pre-commit,\n"
         printf "          ci, post-edit, setup-hooks, suppressions\n"
         ;;
     *)