saml 0.0.1-alpha.1

Stateless, async-native SAML 2.0 toolkit with no libxml2/xmlsec C build chain
Documentation
# cargo-deny configuration.
# Run locally with: cargo deny check
# Docs: https://embarkstudios.github.io/cargo-deny/

# ---------------------------------------------------------------------------
# Graph traversal: consider all targets we actually support.
# Leaving this empty would walk every Tier-1+ target; we only care about
# what users actually build on.
# ---------------------------------------------------------------------------
[graph]
targets = [
    "x86_64-unknown-linux-gnu",
    "x86_64-apple-darwin",
    "aarch64-apple-darwin",
    "x86_64-pc-windows-msvc",
]
all-features = true

[output]
feature-depth = 1

# ---------------------------------------------------------------------------
# Advisories: fail the build on known CVEs / yanked crates.
# ---------------------------------------------------------------------------
[advisories]
version = 2
db-path = "~/.cargo/advisory-db"
db-urls = ["https://github.com/rustsec/advisory-db"]
yanked = "deny"
ignore = [
    # RUSTSEC-2023-0071 — "Marvin Attack" timing sidechannel in `rsa`. Accepted
    # with documented rationale (see SECURITY.md): no fixed release exists (the
    # mitigation is partial and unreleased in the dragging rsa 0.10 line,
    # RustCrypto/RSA#390), and pure-Rust RSA has no maintained alternative that
    # would not pull in a C/asm backend — defeating this crate's no-C-build-chain
    # premise. The practically-exploitable PKCS#1 v1.5 padding-oracle vector is
    # gated behind `weak-algos` and refused by default (only RSA-OAEP key
    # transport is accepted); the residual is generic non-constant-time modexp
    # timing, and SP-side signature verification (no private key) is unaffected.
    "RUSTSEC-2023-0071",
]

# ---------------------------------------------------------------------------
# Licenses: allow permissive only. No GPL/AGPL/LGPL/SSPL.
# ---------------------------------------------------------------------------
[licenses]
version = 2
allow = [
    "MIT",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "Unicode-DFS-2016",
    "Unicode-3.0",
    "MPL-2.0",
    "Zlib",
    "CC0-1.0",
    # webpki-roots ships the Mozilla CA bundle; its *data* is licensed
    # CDLA-Permissive-2.0 (a permissive, no-copyleft data license). Pulled
    # transitively via reqwest -> rustls.
    "CDLA-Permissive-2.0",
]
confidence-threshold = 0.93

# Crates that ship without SPDX-tagged metadata can be allowlisted with a
# clarification. Keep this list short and audited.
[[licenses.clarify]]
name = "ring"
expression = "MIT AND ISC AND OpenSSL"
license-files = [
    { path = "LICENSE", hash = 0xbd0eed23 },
]

# ---------------------------------------------------------------------------
# Bans: no duplicate versions of major deps, no wildcard versions.
# Crypto crates are particularly prone to v0.x churn; we *do* allow some
# overlap because the RustCrypto ecosystem versions independently.
# ---------------------------------------------------------------------------
[bans]
multiple-versions = "deny"
wildcards = "deny"
highlight = "all"
workspace-default-features = "allow"
external-default-features = "allow"

# Pragmatic skips: these crates legitimately appear at multiple versions in
# the dep graph today via transitive deps and aren't worth blocking releases
# on. Re-evaluate periodically — ideally this list shrinks.
skip = [
    # `rand` / `rand_core` / `rand_chacha` / `getrandom` span multiple major
    # versions across INDEPENDENT transitive chains we don't control:
    #   - older line: the RustCrypto signature stack (elliptic-curve ->
    #     rand_core 0.6 -> getrandom 0.2) and rsa (num-bigint-dig -> rand 0.8);
    #   - newer line: our own rand 0.9 (proxy nonce generation) -> rand_core 0.9
    #     -> getrandom 0.3.
    # None are ours to unify; the rsa-side ones clear when rsa migrates off
    # num-bigint-dig in its 0.10 release (see [advisories] note). Skip the
    # older versions so the duplicate guard stays active elsewhere.
    { name = "rand", version = "0.8" },
    { name = "rand_chacha", version = "0.3" },
    { name = "rand_core", version = "0.6" },
    { name = "getrandom", version = "0.2" },
]
skip-tree = []

# Deny anything that would pull a C build toolchain back in — the whole
# point of this crate is to avoid libxml2/xmlsec.
deny = [
    { name = "openssl" },
    { name = "openssl-sys" },
    { name = "native-tls" },
]

# ---------------------------------------------------------------------------
# Sources: only crates.io + this repo. No random git deps.
# ---------------------------------------------------------------------------
[sources]
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = []