hyper-mcp-remote 0.2.0

A stdio to streamable-http MCP proxy with OAuth support
# cargo-deny configuration.
#
# Docs:        https://embarkstudios.github.io/cargo-deny/
# Run locally: `just security` or `cargo deny check`
#
# Editing rules of thumb:
#   * If a security advisory is unavoidable (e.g. transitive dep with no
#     fix yet), add it to `[advisories].ignore` *with a comment* linking
#     to the upstream issue and an estimated unblock date.
#   * If a new dep brings in a license not on the allow list below, prefer
#     replacing the dep over adding the license. License-graph drift is
#     hard to undo.
#   * `[bans].deny` is the place to record "we tried this crate and it was
#     bad" - keeps the lesson with the codebase.

# Build the dependency graph with every Cargo feature enabled, so crates
# that are only pulled in behind optional features are still subject to the
# advisory, license, ban and source checks below.
[graph]
all-features = true

# ─────────────────────────────────────────────────────────────────────────
# Advisories - RustSec database checks. Overlaps with `cargo audit`; we
# keep both because they fail differently (audit is fast and focused;
# deny is policy-driven and can also catch yanked crates and unmaintained
# advisories).
#
# No `ignore` list is set in this table, so no advisory is currently
# suppressed. If one is added, every entry needs the comment described at
# the top of this file (upstream issue link and estimated unblock date) so
# that suppressions get revisited.
#
# NOTE(review): no `unmaintained` key is set here, so whatever default the
# installed cargo-deny version applies is in effect - confirm that matches
# the "unmaintained advisories" intent stated above.
# ─────────────────────────────────────────────────────────────────────────
[advisories]
# The RustSec advisory database is the only advisory source consulted.
db-urls = ["https://github.com/rustsec/advisory-db"]
# A dependency version that has been yanked from its registry fails the
# check instead of only producing a warning.
yanked = "deny"

# ─────────────────────────────────────────────────────────────────────────
# Licenses - allowlist model. This list is intentionally conservative for
# proprietary internal use: copyleft (GPL/AGPL/LGPL) is excluded so it
# can't sneak in transitively.
#
# When a new permissive license shows up in a dep, evaluate it explicitly
# rather than auto-allowing - the SPDX list is large.
#
# Any crate whose license expression cannot be satisfied from `allow`
# (and is not covered by `exceptions`) fails the check.
# ─────────────────────────────────────────────────────────────────────────
[licenses]
# Minimum match confidence (0.0 - 1.0) required before detected license
# text is accepted as a given license.
confidence-threshold = 0.9
allow = [
    "0BSD",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "BSL-1.0",
    "CC0-1.0",
    # Linux Foundation's permissive data-licence. Permissive, not
    # copyleft, no patent grant, no copyleft-style propagation -
    # obligations equivalent to MIT/BSD-3. Currently used by
    # `webpki-roots`, which embeds the Mozilla CA bundle (a dataset)
    # and reaches us transitively via `hyper-rustls` from both
    # `gcp-bigquery-client` and `firestore`.
    # NOTE(review): confirm that dependency path still holds for this
    # crate (e.g. `cargo tree -i webpki-roots`); update the rationale if
    # the license is needed for a different reason.
    "CDLA-Permissive-2.0",
    "ISC",
    "MIT",
    # NOTE(review): MPL-2.0 is a file-level (weak) copyleft license. The
    # section header only names GPL/AGPL/LGPL as excluded - confirm that
    # allowing MPL-2.0 is a deliberate decision.
    "MPL-2.0",
    "Unicode-3.0",
    "Unicode-DFS-2016",
    "Zlib",
]
# No per-crate license exceptions are granted.
exceptions = []

# Don't require this crate (or any other `publish = false` workspace
# member) to declare a license - internal apps aren't published.
#
# This only skips the license check for the unpublished workspace crates
# themselves; their dependencies are still checked against the allow list
# above.
[licenses.private]
ignore = true

# ─────────────────────────────────────────────────────────────────────────
# Bans - duplicate versions, wildcards, blocklist.
#
# `multiple-versions = "warn"` because pinning the entire ecosystem to a
# single version of every transitive dep is a fight you can't win. Bump
# to "deny" only after consolidating duplicates.
# ─────────────────────────────────────────────────────────────────────────
[bans]
# Duplicate versions of the same crate are reported but do not fail the run.
multiple-versions = "warn"
# A `*` version requirement fails the check: it would accept any future
# release of the dependency, including one nobody has reviewed.
wildcards = "deny"
# No crates are explicitly banned yet.
deny = []
# `skip` / `skip-tree` exempt crates (or whole subtrees) from the
# duplicate-version check only; both are empty, so nothing is exempt.
skip = []
skip-tree = []

# ─────────────────────────────────────────────────────────────────────────
# Sources - only crates.io is allowed. Pulls from arbitrary git repos
# are denied; if you need one, list its URL under `allow-git` *with a
# comment* explaining why.
#
# This check constrains where crates may be fetched from; it does not vet
# the contents of what is fetched.
# ─────────────────────────────────────────────────────────────────────────
[sources]
# A crate from any registry not listed in `allow-registry` fails the check.
unknown-registry = "deny"
# A crate from any git repository not listed in `allow-git` fails the check.
unknown-git = "deny"
# The crates.io index is the only registry accepted.
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
# Empty: no git dependencies are permitted at the moment.
allow-git = []