tokenix 0.23.4

Local semantic index CLI for LLM token optimization
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85

# cargo-deny — supply-chain policy gate for tokenix.
# Local run:  cargo install cargo-deny --locked && cargo deny check
# Enforced in CI by .github/workflows/supply-chain.yml on every PR, push, and weekly.

[graph]
# Evaluate the dependency graph for every target tokenix actually ships
# (the release matrix), so a platform-specific malicious/again dep cannot slip
# through on a target CI did not look at.
all-features = false
targets = [
  "x86_64-unknown-linux-gnu",
  "aarch64-unknown-linux-gnu",
  "x86_64-apple-darwin",
  "aarch64-apple-darwin",
  "x86_64-pc-windows-msvc",
]

[advisories]
version = 2
# Fail on any crate the RUSTSEC DB has yanked. Vulnerabilities are denied by
# default in the v2 format. Every entry below is a KNOWN, accepted exception with
# a written rationale — any NEW advisory still fails CI.
yanked = "deny"
ignore = [
  # ring AES/QUIC panic on overflow-check. Low severity for tokenix (it does not
  # use ring's AES/QUIC header-protection path; ring is a transitive TLS dep).
  # Upgrade to ring >=0.17.12 is currently blocked by a transitive `cc = "~1.0"`
  # pin in the graph (every ring >=0.17.12 needs cc >=1.1). Tracked follow-up:
  # relax the cc pin (bump the pinning crate), then `cargo update -p ring`.
  { id = "RUSTSEC-2025-0009", reason = "transitive ring TLS dep; AES/QUIC path unused; upgrade blocked by cc=~1.0 pin — remove after bumping ring>=0.17.12" },
  # number_prefix: unmaintained, pulled transitively via indicatif. No reachable
  # maintained replacement without an upstream indicatif change.
  { id = "RUSTSEC-2025-0119", reason = "unmaintained transitive dep via indicatif; no direct control — revisit on indicatif update" },
  # paste: unmaintained proc-macro, pulled transitively via tokenizers/ort. No
  # reachable maintained replacement without an upstream change.
  { id = "RUSTSEC-2024-0436", reason = "unmaintained transitive dep via tokenizers/ort; no direct control — revisit on upstream update" },
]

[licenses]
version = 2
confidence-threshold = 0.9
# Allowlist is the exact set the current dependency tree resolves to (verified
# with `cargo deny list`). Anything outside this list fails CI, forcing a review
# before a new license — and the supply-chain risk it implies — can ship.
allow = [
  "MIT",
  "Apache-2.0",
  "Apache-2.0 WITH LLVM-exception",
  "ISC",
  "BSD-2-Clause",
  "BSD-3-Clause",
  "Unicode-3.0",
  "MPL-2.0",
  "CC0-1.0",
  "CDLA-Permissive-2.0",
  "BSL-1.0",
  "Zlib",
  "OpenSSL",
]

# `ring` ships no SPDX `license` field (only a LICENSE file), so it reads as
# "Unlicensed". Clarify it to its real composite license. The file hash pins the
# clarification to a known license text; if `ring` is bumped and this fails, the
# Dependabot PR will flag it for a re-review of the license — that is intended.
[[licenses.clarify]]
crate = "ring"
expression = "ISC AND MIT AND OpenSSL"
license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]

[bans]
# Duplicate versions are noise here (windows-sys etc.), not a security gate — warn.
multiple-versions = "warn"
# Forbid `version = "*"` requirements: they silently pull whatever is newest,
# which is a supply-chain footgun.
wildcards = "deny"
allow-wildcard-paths = true
deny = []

[sources]
# Core control: the ONLY trusted source is crates.io. A dependency sneaked in via
# an arbitrary git repo or alternative registry is a hard CI failure.
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = []