Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
115 changes: 0 additions & 115 deletions .github/skills/pr-ready/SKILL.md

This file was deleted.

10 changes: 10 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -28,3 +28,13 @@ jobs:
run: cargo test
- name: Build without GPU feature
run: cargo build --no-default-features

deny:
name: Audit dependencies
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Run cargo-deny
uses: EmbarkStudios/cargo-deny-action@bb137d7af7e4fb67e5f82a49c4fce4fad40782fe # v2.0.20
with:
command: check
16 changes: 8 additions & 8 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

77 changes: 77 additions & 0 deletions deny.toml
Original file line number Diff line number Diff line change
@@ -0,0 +1,77 @@
# cargo-deny configuration for kite.
# Audits dependencies for security advisories, license compliance,
# banned/duplicate crates, and crate sources.
#
# Run locally with: cargo deny --all-features check
# Docs: https://embarkstudios.github.io/cargo-deny/

[graph]
# Audit the full dependency graph, including every optional feature
# (gpu, battery, docker, k8s, ssh, prometheus) so nothing is missed.
all-features = true

[advisories]
# Fail on security vulnerabilities and yanked crates. Unmaintained crates
# are only gated when they are direct workspace dependencies; transitive
# unmaintained crates (e.g. `paste` via ratatui) stay visible as warnings
# without blocking CI.
unmaintained = "workspace"
yanked = "deny"
ignore = [
# rsa: "Marvin Attack" timing sidechannel (RSA key recovery).
# Pulled in only by `russh` (ssh feature) via the pre-release
# rsa 0.10.0-rc.x line, which has no patched release yet. Kite does
# not perform RSA private-key operations on attacker-controlled
# timing channels; revisit when russh moves to a fixed rsa release.
"RUSTSEC-2023-0071",

# time <0.3.47: DoS via stack exhaustion when parsing untrusted
# RFC 2822 input. Pulled transitively by `plist`. The fix (time
# 0.3.47) requires Rust 1.88, above kite's MSRV (1.85), and kite does
# not parse untrusted RFC 2822 input. Revisit when MSRV/plist allow.
"RUSTSEC-2026-0009",

# quick-xml <0.38.x fixed: quadratic runtime / unbounded namespace
# allocation DoS. Pulled transitively by `plist`; no in-range fix is
# available for the version plist requires. Kite does not parse
# untrusted XML. Revisit when plist bumps quick-xml.
"RUSTSEC-2026-0194",
"RUSTSEC-2026-0195",
]

[licenses]
# Permissive licenses present in the dependency tree. Kite itself is
# dual-licensed MIT OR Apache-2.0; the rest are transitive dependencies.
allow = [
"MIT",
"MIT-0",
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception",
"BSD-1-Clause",
"BSD-2-Clause",
"BSD-3-Clause",
"0BSD",
"ISC",
"BSL-1.0",
"CC0-1.0",
"Zlib",
"Unicode-3.0",
"Unlicense",
# MPL-2.0: weak (file-level) copyleft, from `option-ext` (a
# transitive dep of `dirs`). Safe to link against for a CLI tool.
"MPL-2.0",
]
# Confidence threshold for detecting a license from its text (0.0-1.0).
confidence-threshold = 0.8

[bans]
# The tree contains several duplicated crate versions (common in large
# async/crypto graphs). Warn rather than fail so it stays visible.
multiple-versions = "warn"
wildcards = "allow"

[sources]
# Only allow crates from known registries / git sources.
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]