# cargo-deny configuration for RavenClaws
# See: https://embarkstudios.github.io/cargo-deny/

[graph]
# Limit the crate graph to dependencies built for the targets listed below.
# Crates that are only pulled in for other targets (none of the entries is a
# Windows triple, for example) are left out of the graph, so advisory, license
# and ban findings for them are not reported.
targets = [
    { triple = "x86_64-unknown-linux-gnu" },
    { triple = "aarch64-unknown-linux-gnu" },
    { triple = "x86_64-apple-darwin" },
    { triple = "aarch64-apple-darwin" },
    { triple = "x86_64-unknown-linux-musl" },
]
# Evaluate the default feature set only. Dependencies that are reachable only
# through optional, non-default features are not part of the checked graph.
all-features = false
no-default-features = false

[output]
# Maximum depth to which features are shown in the inclusion graphs printed
# with diagnostics. Affects report output only, not which checks run.
feature-depth = 1

[advisories]
# Path to the advisory database (local clone)
db-path = "~/.cargo/advisory-db"
# URL(s) of the advisory database(s) that are cloned/fetched into db-path
db-urls = ["https://github.com/rustsec/advisory-db"]
# Ignored advisories
# RUSTSEC-2024-0384: `instant` crate is unmaintained but pulled in by `notify` (v0.8 scheduler feature)
# No safe upgrade available; `notify` v7 still depends on `instant`
# RUSTSEC-2024-0436: `paste` crate is unmaintained — transitive dep of wasmtime 28, no alternative
# RUSTSEC-2025-0046: wasmtime Host panic with fd_renumber WASIp1 — not applicable, we don't use WASIp1
# RUSTSEC-2025-0118: wasmtime Unsound API access to shared linear memory — accepted risk, plugins are trusted
# RUSTSEC-2026-0020: wasmtime Guest-controlled resource exhaustion in WASI — accepted risk, plugins are trusted
# RUSTSEC-2026-0021: wasmtime Panic adding excessive fields to wasi:http/types.fields — not applicable, no HTTP fields
# RUSTSEC-2026-0085 through RUSTSEC-2026-0096: wasmtime 28 vulnerabilities — all accepted risks, plugins are trusted code
# NOTE(review): the list below has no entry for RUSTSEC-2026-0090 although the
# range above includes it — confirm whether that omission is intentional.
# NOTE(review): every "accepted risk" entry rests on plugins being trusted
# code. Under that assumption the wasmtime sandbox is not acting as a security
# boundary; these entries need re-evaluation before any plugin from an
# untrusted source is loaded, and whenever wasmtime is upgraded.
# An ignored advisory is silenced for the whole crate graph, not just for the
# code path the justification covers. cargo-deny also accepts the table form
# `{ id = "...", reason = "..." }`, which keeps each justification attached to
# its ID.
ignore = [
    "RUSTSEC-2024-0384",
    "RUSTSEC-2024-0436",
    "RUSTSEC-2025-0046",
    "RUSTSEC-2025-0118",
    "RUSTSEC-2026-0020",
    "RUSTSEC-2026-0021",
    "RUSTSEC-2026-0085",
    "RUSTSEC-2026-0086",
    "RUSTSEC-2026-0087",
    "RUSTSEC-2026-0088",
    "RUSTSEC-2026-0089",
    "RUSTSEC-2026-0091",
    "RUSTSEC-2026-0092",
    "RUSTSEC-2026-0093",
    "RUSTSEC-2026-0094",
    "RUSTSEC-2026-0095",
    "RUSTSEC-2026-0096",
]

[licenses]
# AGPLv3-or-later is our license. Allowed dependencies must be compatible.
# A crate whose license expression cannot be satisfied by this list fails the
# license check.
allow = [
    "MIT",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "Unicode-3.0",
    "Unicode-DFS-2016",
    "Zlib",
    "0BSD",
    "CC0-1.0",
    "MPL-2.0",
    "OpenSSL",
    "BSL-1.0",
    "NCSA",
    "Python-2.0",
    "WTFPL",
    "Unlicense",
    "AGPL-3.0-or-later",
    "CDLA-Permissive-2.0",
]
# Minimum confidence (0.0 to 1.0) required when license text found in a crate
# is matched against a known license
confidence-threshold = 0.8
# Per-crate exceptions: licenses allowed for the named crate only
exceptions = [
    # Allow each exception with a reason
    # NOTE(review): AGPL-3.0-or-later is already in the global `allow` list
    # above, so this exception looks redundant — confirm it is still needed.
    { allow = ["AGPL-3.0-or-later"], name = "RavenClaws", version = "*" },
]

[licenses.private]
# `ignore = false`: unpublished (private) workspace crates are NOT exempted;
# they go through the license check like any other crate.
ignore = false
# No private registries are declared, so no crate is exempted from the license
# check on the basis of the registry it comes from.
registries = []

[bans]
# Prevent multiple versions of the same crate
multiple-versions = "deny"
# Wildcard version requirements (`*`) are allowed.
# NOTE(review): a wildcard requirement lets the resolver select any published
# version of the dependency; consider "warn" or "deny" so that unpinned
# requirements are surfaced during review.
wildcards = "allow"
# Highlight duplicate versions
highlight = "all"
# Default features are allowed both on workspace crates and on external crates
workspace-default-features = "allow"
external-default-features = "allow"
# NOTE(review): the value is false, so workspace crates are presumably NOT
# allowed automatically — confirm against the cargo-deny version in use.
allow-workspace = false
# Specific crates to deny entirely (currently none)
deny = []
# Skip these crates when checking for duplicates
skip = [
    # winnow has 3 versions: 0.6 (cron), 0.7 (toml_edit), 1.0 (config/toml)
    # All are transitive deps with no unified upgrade path
    { name = "winnow", version = "0.6" },
    { name = "winnow", version = "0.7" },
]
# No dependency subtree is excluded from the duplicate check
skip-tree = []

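[sources]
# Only allow crates from crates.io. Any crate that resolves to another
# registry or to a git repository fails the check.
unknown-registry = "deny"
unknown-git = "deny"
# Allow-list of crate registries. The RustSec advisory-db repository is an
# advisory database, not a crate registry; it is configured under
# [advisories] db-urls and does not belong in this list, so the only entry
# here is the crates.io index.
allow-registry = [
    "https://github.com/rust-lang/crates.io-index",
]
# No git sources are allowed
allow-git = []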