audit stuff

Cargo.toml

@@ -74,7 +74,7 @@ jsonschema = "0.38"
 utoipa = { version = "5.4", features = ["chrono", "uuid"] }
 
 # JWT
-jsonwebtoken = { version = "10.2", features = ["rust_crypto"] }
+jsonwebtoken = { version = "10.2", features = ["hmac", "sha2"] }
 
 # Encryption
 argon2 = "0.5"

Makefile

@@ -317,8 +317,13 @@ update:
 	cargo update
 
 # Audit dependencies for security issues
+# Ignored advisories:
+#   RUSTSEC-2023-0071: rsa via sqlx-mysql (we only use postgres, no upstream fix)
+#   RUSTSEC-2025-0134: rustls-pemfile via lapin TLS stack (no alternative)
+AUDIT_IGNORE = --ignore RUSTSEC-2023-0071 --ignore RUSTSEC-2025-0134
+
 audit:
-	cargo audit
+	cargo audit $(AUDIT_IGNORE)
 
 deny:
 	cargo deny check
@@ -327,7 +332,7 @@ ci-rust:
 	cargo fmt --all -- --check
 	cargo clippy --workspace --all-targets --all-features -- -D warnings
 	cargo test --workspace --all-features
-	cargo audit
+	cargo audit $(AUDIT_IGNORE)
 	cargo deny check
 
 ci-web-blocking:

crates/cli/Cargo.toml

@@ -54,11 +54,10 @@ tokio-tungstenite = { workspace = true }
 # Terminal UI
 colored = "2.1"
 comfy-table = "7.1"
-indicatif = "0.17"
 dialoguer = "0.11"
 
 # Authentication
-jsonwebtoken = { version = "10.2", features = ["rust_crypto"] }
+jsonwebtoken = { workspace = true }
 
 # Logging
 tracing = { workspace = true }

crates/core-timer-sensor/Cargo.toml

@@ -3,6 +3,7 @@ name = "core-timer-sensor"
 version = "0.1.0"
 edition = "2021"
 authors = ["Attune Contributors"]
+license.workspace = true
 description = "Standalone timer sensor runtime for Attune core pack"
 
 [[bin]]
@@ -11,42 +12,42 @@ path = "src/main.rs"
 
 [dependencies]
 # Async runtime
-tokio = { version = "1.41", features = ["full"] }
-async-trait = "0.1"
+tokio = { workspace = true }
+async-trait = { workspace = true }
 
 # Serialization
-serde = { version = "1.0", features = ["derive"] }
-serde_json = "1.0"
+serde = { workspace = true }
+serde_json = { workspace = true }
 
 # HTTP client
-reqwest = { version = "0.12", features = ["json"] }
+reqwest = { workspace = true, features = ["json"] }
 
 # Message queue
-lapin = "2.3"
-futures = "0.3"
+lapin = { workspace = true }
+futures = { workspace = true }
 
 # Logging
-tracing = "0.1"
-tracing-subscriber = { version = "0.3", features = ["env-filter", "json"] }
+tracing = { workspace = true }
+tracing-subscriber = { workspace = true }
 
 # Error handling
-anyhow = "1.0"
-thiserror = "1.0"
+anyhow = { workspace = true }
+thiserror = { workspace = true }
 
 # Time handling
-chrono = { version = "0.4", features = ["serde"] }
+chrono = { workspace = true }
 
 # Cron scheduling
 tokio-cron-scheduler = "0.15"
 
 # CLI
-clap = { version = "4.5", features = ["derive"] }
+clap = { workspace = true, features = ["derive"] }
 
 # Utilities
-uuid = { version = "1.11", features = ["v4", "serde"] }
+uuid = { workspace = true }
 urlencoding = "2.1"
-base64 = "0.21"
+base64 = "0.22"
 
 [dev-dependencies]
-mockall = "0.13"
-tempfile = "3.13"
+mockall = { workspace = true }
+tempfile = { workspace = true }

deny.toml

@@ -4,7 +4,18 @@ all-features = true
 [advisories]
 version = 2
 yanked = "deny"
-ignore = []
+ignore = [
+    # rsa v0.9.10 - Marvin Attack timing sidechannel (medium severity)
+    # Pulled in transitively by sqlx-mysql, which sqlx compiles unconditionally
+    # for its macro system. We only use PostgreSQL — the rsa code is never
+    # executed. No upstream fix available.
+    { id = "RUSTSEC-2023-0071", reason = "transitive via sqlx-mysql; we only use postgres" },
+
+    # rustls-pemfile v2.x - unmaintained
+    # Transitive dependency via lapin → amq-protocol-tcp → tcp-stream.
+    # No alternative available until lapin updates its TLS stack.
+    { id = "RUSTSEC-2025-0134", reason = "transitive via lapin TLS stack; no alternative" },
+]
 
 [licenses]
 version = 2
@@ -21,6 +32,8 @@ allow = [
     "CC0-1.0",
     "OpenSSL",
     "BSL-1.0",
+    "MIT-0",
+    "CDLA-Permissive-2.0",
 ]
 
 [bans]