Merge pull request #5 from kalvinparker/chore/add-contributing

Add CONTRIBUTING.md Gitflow branching strategy
2 months ago · 66a178cec7
76 changed files with 2034 additions and 72 deletions
--- a/.github/PR_BODY_UPDATE-2.md
+++ b/.github/PR_BODY_UPDATE-2.md
@ -0,0 +1,30 @@
+Temporary license allowlist: MPL-2.0 and CDLA-Permissive-2.0 were added to deny.toml on branch experiment/webauthn-upgrade to unblock CI while coordinated upgrades/replacements are attempted. This is timeboxed and tracked in issues/FEASIBILITY-WEBAUTHN-WEBPKI.md and issues/TRACK-2025-11-09-RSA-PASTE.md. See the experiment artifacts in docker/audit/output/.
+
+## Pre-merge task checklist
+These tasks must be completed, reviewed, and verified before this PR is merged. Owners are suggested; assign specific maintainers or security approvers as appropriate.
+
+- [ ] Security lead — confirm and sign off the timebox for the temporary allowlist (target approval date: 2025-11-17). This PR should not be merged without that sign-off.
+- [ ] Maintainer — run `cargo tree -i rsa` and `cargo tree -i paste`, paste the reverse-dependency outputs in a follow-up comment, and confirm proposed remediation path for each.
+- [ ] Maintainer — attempt `webauthn-rs` remediation (preferred order):
+	- [ ] Upgrade `webauthn-rs` to a permissively licensed release if available and verify builds/tests.
+	- [ ] If no upgrade available, evaluate replacing `webauthn-rs` with another WebAuthn implementation or vendor a minimal shim; document chosen approach.
+	- [ ] Add tests covering affected auth flows and run CI.
+- [ ] Maintainer — coordinate TLS/HTTP stack remediation to remove `webpki-roots` (CDLA-Permissive-2.0):
+	- [ ] Test toggling `reqwest` features to prefer `native-tls` in an isolated workspace copy and publish the artifact logs.
+	- [ ] Upgrade `hyper-rustls`/`reqwest`/`openidconnect` as needed to versions that don't bring `webpki-roots`, or change TLS backend.
+	- [ ] Verify `cargo-deny` runs clean locally and on CI after each incremental change.
+- [ ] Maintainer — provide a short summary comment with before/after `cargo-deny` outputs and link to `docker/audit/output/` artifacts.
+- [ ] Maintainer — remove the temporary allowlist entries from `deny.toml` and verify CI shows zero license failures.
+- [ ] Maintainer — remove the temporary `advisories.ignore` entries (RUSTSEC ignores) from `deny.toml` and verify CI shows zero advisories and license failures before any final merge.
+
+## Short triage summary (top offenders)
+See `issues/LICENSE-TRIAGE-2025-11-10.md` and `docker/audit/output/license_triage_2025-11-09.csv` for full details. Top offenders:
+
+- webauthn-rs family (MPL-2.0): `webauthn-rs v0.5.3` (direct dep), `webauthn-rs-core v0.5.3`, `webauthn-rs-proto v0.5.3`, `webauthn-attestation-ca v0.5.3`, `base64urlsafedata v0.5.3` — remediation: upgrade/replace/vendor.
+- webpki-roots (CDLA-Permissive-2.0): `webpki-roots v1.0.3` pulled transitively via `hyper-rustls -> reqwest -> openidconnect` — remediation: coordinated `reqwest`/TLS backend upgrade or feature change.
+
+Artifacts and logs: `docker/audit/output/` contains the `cargo-deny` diagnostics, reverse-dependency trees and experiment logs used to evaluate remediation paths.
+
+See also: `issues/LICENSE-TRIAGE-SUMMARY-2025-11-12.md` for the condensed top-offender analysis and recommended next steps.
+
+Once all tasks above are complete and CI is green with `cargo-deny` passing, this PR may be merged and the temporary allowlist removed.
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@ -0,0 +1,37 @@
+name: dependency-audit
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  audit:
+    name: Cargo Audit & License Checks
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@v1
+        with:
+          toolchain: 1.91.0
+
+      - name: Install cargo-audit and cargo-deny
+        run: |
+          cargo install cargo-audit --version 0.22.0 || true
+          cargo install cargo-deny --version 0.11.0 || true
+
+      - name: Run cargo-audit
+        run: |
+          cargo audit || true
+
+      - name: Run cargo-deny advisories
+        run: |
+          cargo deny --manifest-path Cargo.toml check advisories || true
+
+      - name: Run cargo-deny licenses
+        run: |
+          cargo deny --manifest-path Cargo.toml check licenses || true
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -0,0 +1,16 @@
+## Secure Development Governance — Branching Strategy
+
+The following defines our mandated Gitflow branching strategy for secure development governance. This file documents expectations for feature development, hotfixes, and releases.
+
+```markdown
+## Branching Strategy: Gitflow Workflow
+
+We use the Gitflow model to manage our development lifecycle. All feature development must be done against the 'develop' branch.
+
+**Feature Branches:** Branch from `develop`. Merge back to `develop` via Pull Request.
+**Hotfixes:** Branch from `main`. Merge to `main`, then merge immediately to `develop`.
+
+No direct pushes to 'main' or 'develop' are allowed.
+```
+
+Please follow these rules when contributing. If you need an exception (emergency hotfix with org approval), open an issue describing the reason and obtain an explicit approval before bypassing the rules.
--- a/Cargo.lock
+++ b/Cargo.lock
@ -161,9 +161,9 @@ dependencies = [

 [[package]]
 name = "async-compression"
-version = "0.4.32"
+version = "0.4.33"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5a89bce6054c720275ac2432fbba080a66a2106a44a1b804553930ca6909f4e0"
+checksum = "93c1f86859c1af3d514fa19e8323147ff10ea98684e6c7b307912509f50e67b2"
 dependencies = [
 "compression-codecs",
 "compression-core",
@ -361,9 +361,9 @@ checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"

 [[package]]
 name = "aws-config"
-version = "1.8.8"
+version = "1.8.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "37cf2b6af2a95a20e266782b4f76f1a5e12bf412a9db2de9c1e9123b9d8c0ad8"
+checksum = "1856b1b48b65f71a4dd940b1c0931f9a7b646d4a924b9828ffefc1454714668a"
 dependencies = [
 "aws-credential-types",
 "aws-runtime",
@ -391,9 +391,9 @@ dependencies = [

 [[package]]
 name = "aws-credential-types"
-version = "1.2.8"
+version = "1.2.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "faf26925f4a5b59eb76722b63c2892b1d70d06fa053c72e4a100ec308c1d47bc"
+checksum = "86590e57ea40121d47d3f2e131bfd873dea15d78dc2f4604f4734537ad9e56c4"
 dependencies = [
 "aws-smithy-async",
 "aws-smithy-runtime-api",
@ -403,9 +403,9 @@ dependencies = [

 [[package]]
 name = "aws-runtime"
-version = "1.5.12"
+version = "1.5.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bfa006bb32360ed90ac51203feafb9d02e3d21046e1fd3a450a404b90ea73e5d"
+checksum = "8fe0fd441565b0b318c76e7206c8d1d0b0166b3e986cf30e890b61feb6192045"
 dependencies = [
 "aws-credential-types",
 "aws-sigv4",
@ -427,9 +427,9 @@ dependencies = [

 [[package]]
 name = "aws-sdk-sso"
-version = "1.86.0"
+version = "1.89.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4a0abbfab841446cce6e87af853a3ba2cc1bc9afcd3f3550dd556c43d434c86d"
+checksum = "a9c1b1af02288f729e95b72bd17988c009aa72e26dcb59b3200f86d7aea726c9"
 dependencies = [
 "aws-credential-types",
 "aws-runtime",
@ -449,9 +449,9 @@ dependencies = [

 [[package]]
 name = "aws-sdk-ssooidc"
-version = "1.89.0"
+version = "1.91.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "695dc67bb861ccb8426c9129b91c30e266a0e3d85650cafdf62fcca14c8fd338"
+checksum = "4e8122301558dc7c6c68e878af918880b82ff41897a60c8c4e18e4dc4d93e9f1"
 dependencies = [
 "aws-credential-types",
 "aws-runtime",
@ -471,9 +471,9 @@ dependencies = [

 [[package]]
 name = "aws-sdk-sts"
-version = "1.88.0"
+version = "1.92.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d30990923f4f675523c51eb1c0dec9b752fb267b36a61e83cbc219c9d86da715"
+checksum = "a0c7808adcff8333eaa76a849e6de926c6ac1a1268b9fd6afe32de9c29ef29d2"
 dependencies = [
 "aws-credential-types",
 "aws-runtime",
@ -494,9 +494,9 @@ dependencies = [

 [[package]]
 name = "aws-sigv4"
-version = "1.3.5"
+version = "1.3.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bffc03068fbb9c8dd5ce1c6fb240678a5cffb86fb2b7b1985c999c4b83c8df68"
+checksum = "c35452ec3f001e1f2f6db107b6373f1f48f05ec63ba2c5c9fa91f07dad32af11"
 dependencies = [
 "aws-credential-types",
 "aws-smithy-http",
@ -527,15 +527,16 @@ dependencies = [

 [[package]]
 name = "aws-smithy-http"
-version = "0.62.4"
+version = "0.62.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3feafd437c763db26aa04e0cc7591185d0961e64c61885bece0fb9d50ceac671"
+checksum = "445d5d720c99eed0b4aa674ed00d835d9b1427dd73e04adaf2f94c6b2d6f9fca"
 dependencies = [
 "aws-smithy-runtime-api",
 "aws-smithy-types",
 "bytes",
 "bytes-utils",
 "futures-core",
+ "futures-util",
 "http 0.2.12",
 "http 1.3.1",
 "http-body 0.4.6",
@ -547,9 +548,9 @@ dependencies = [

 [[package]]
 name = "aws-smithy-json"
-version = "0.61.6"
+version = "0.61.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cff418fc8ec5cadf8173b10125f05c2e7e1d46771406187b2c878557d4503390"
+checksum = "2db31f727935fc63c6eeae8b37b438847639ec330a9161ece694efba257e0c54"
 dependencies = [
 "aws-smithy-types",
 ]
@ -575,9 +576,9 @@ dependencies = [

 [[package]]
 name = "aws-smithy-runtime"
-version = "1.9.3"
+version = "1.9.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "40ab99739082da5347660c556689256438defae3bcefd66c52b095905730e404"
+checksum = "0bbe9d018d646b96c7be063dd07987849862b0e6d07c778aad7d93d1be6c1ef0"
 dependencies = [
 "aws-smithy-async",
 "aws-smithy-http",
@ -638,18 +639,18 @@ dependencies = [

 [[package]]
 name = "aws-smithy-xml"
-version = "0.60.11"
+version = "0.60.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e9c34127e8c624bc2999f3b657e749c1393bedc9cd97b92a804db8ced4d2e163"
+checksum = "eab77cdd036b11056d2a30a7af7b775789fb024bf216acc13884c6c97752ae56"
 dependencies = [
 "xmlparser",
 ]

 [[package]]
 name = "aws-types"
-version = "1.3.9"
+version = "1.3.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e2fd329bf0e901ff3f60425691410c69094dc2a1f34b331f37bfc4e9ac1565a1"
+checksum = "d79fb68e3d7fe5d4833ea34dc87d2e97d26d3086cb3da660bb6b1f76d98680b6"
 dependencies = [
 "aws-credential-types",
 "aws-smithy-async",
@ -919,9 +920,9 @@ dependencies = [

 [[package]]
 name = "cc"
-version = "1.2.43"
+version = "1.2.45"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "739eb0f94557554b3ca9a86d2d37bebd49c5e6d0c1d2bda35ba5bdac830befc2"
+checksum = "35900b6c8d709fb1d854671ae27aeaa9eec2f8b01b364e1619a40da3e6fe2afe"
 dependencies = [
 "find-msvc-tools",
 "jobserver",
@ -993,9 +994,9 @@ checksum = "b9e769b5c8c8283982a987c6e948e540254f1058d5a74b8794914d4ef5fc2a24"

 [[package]]
 name = "compression-codecs"
-version = "0.4.31"
+version = "0.4.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ef8a506ec4b81c460798f572caead636d57d3d7e940f998160f52bd254bf2d23"
+checksum = "680dc087785c5230f8e8843e2e57ac7c1c90488b6a91b88caa265410568f441b"
 dependencies = [
 "brotli",
 "compression-core",
@ -1007,9 +1008,9 @@ dependencies = [

 [[package]]
 name = "compression-core"
-version = "0.4.29"
+version = "0.4.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e47641d3deaf41fb1538ac1f54735925e275eaf3bf4d55c81b137fba797e5cbb"
+checksum = "3a9b614a5787ef0c8802a55766480563cb3a93b435898c422ed2a359cf811582"

 [[package]]
 name = "concurrent-queue"
@ -2414,8 +2415,7 @@ dependencies = [
 "http 1.3.1",
 "hyper 1.7.0",
 "hyper-util",
- "rustls 0.23.34",
- "rustls-native-certs",
+ "rustls 0.23.35",
 "rustls-pki-types",
 "tokio",
 "tokio-rustls 0.26.4",
@ -2457,7 +2457,7 @@ dependencies = [
 "libc",
 "percent-encoding",
 "pin-project-lite",
- "socket2 0.6.1",
+ "socket2 0.5.10",
 "system-configuration",
 "tokio",
 "tower-service",
@ -2656,9 +2656,9 @@ checksum = "469fb0b9cefa57e3ef31275ee7cacb78f2fdca44e4765491884a2b119d4eb130"

 [[package]]
 name = "iri-string"
-version = "0.7.8"
+version = "0.7.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dbc5ebe9c3a1a7a5127f920a418f7585e9e758e911d0466ed004f393b0e380b2"
+checksum = "4f867b9d1d896b67beb18518eda36fdb77a32ea590de864f1325b294a6d14397"
 dependencies = [
 "memchr",
 "serde",
@ -2791,7 +2791,7 @@ dependencies = [
 "nom 8.0.0",
 "percent-encoding",
 "quoted_printable",
- "rustls 0.23.34",
+ "rustls 0.23.35",
 "rustls-native-certs",
 "serde",
 "socket2 0.6.1",
@ -3113,11 +3113,10 @@ dependencies = [

 [[package]]
 name = "num-bigint-dig"
-version = "0.8.4"
+version = "0.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dc84195820f291c7697304f3cbdadd1cb7199c0efc917ff5eafd71225c136151"
+checksum = "82c79c15c05d4bf82b6f5ef163104cc81a760d8e874d38ac50ab67c8877b647b"
 dependencies = [
- "byteorder",
 "lazy_static",
 "libm",
 "num-integer",
@ -3215,7 +3214,7 @@ version = "5.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "51e219e79014df21a225b1860a479e2dcd7cbd9130f4defd4bd0e191ea31d67d"
 dependencies = [
- "base64 0.22.1",
+ "base64 0.21.7",
 "chrono",
 "getrandom 0.2.16",
 "http 1.3.1",
@ -3318,9 +3317,9 @@ dependencies = [

 [[package]]
 name = "openssl"
-version = "0.10.74"
+version = "0.10.75"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "24ad14dd45412269e1a30f52ad8f0664f0f4f4a89ee8fe28c3b3527021ebb654"
+checksum = "08838db121398ad17ab8531ce9de97b244589089e290a384c900cb9ff7434328"
 dependencies = [
 "bitflags",
 "cfg-if",
@ -3359,9 +3358,9 @@ dependencies = [

 [[package]]
 name = "openssl-sys"
-version = "0.9.110"
+version = "0.9.111"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0a9f0075ba3c21b09f8e8b2026584b1d18d49388648f2fbbf3c97ea8deced8e2"
+checksum = "82cab2d520aa75e3c58898289429321eb788c3106963d0dc886ec7a5f4adc321"
 dependencies = [
 "cc",
 "libc",
@ -3881,8 +3880,8 @@ dependencies = [
 "quinn-proto",
 "quinn-udp",
 "rustc-hash",
- "rustls 0.23.34",
- "socket2 0.6.1",
+ "rustls 0.23.35",
+ "socket2 0.5.10",
 "thiserror 2.0.17",
 "tokio",
 "tracing",
@ -3901,7 +3900,7 @@ dependencies = [
 "rand 0.9.2",
 "ring",
 "rustc-hash",
- "rustls 0.23.34",
+ "rustls 0.23.35",
 "rustls-pki-types",
 "slab",
 "thiserror 2.0.17",
@ -3919,16 +3918,16 @@ dependencies = [
 "cfg_aliases",
 "libc",
 "once_cell",
- "socket2 0.6.1",
+ "socket2 0.5.10",
 "tracing",
 "windows-sys 0.60.2",
 ]

 [[package]]
 name = "quote"
-version = "1.0.41"
+version = "1.0.42"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ce25767e7b499d1b604768e7cde645d14cc8584231ea6b295e9c9eb22c02e1d1"
+checksum = "a338cc41d27e6cc6dce6cefc13a0729dfbb81c262b1f519331575dd80ef3067f"
 dependencies = [
 "proc-macro2",
 ]
@ -4162,8 +4161,7 @@ dependencies = [
 "percent-encoding",
 "pin-project-lite",
 "quinn",
- "rustls 0.23.34",
- "rustls-native-certs",
+ "rustls 0.23.35",
 "rustls-pki-types",
 "serde",
 "serde_json",
@ -4433,9 +4431,9 @@ dependencies = [

 [[package]]
 name = "rustls"
-version = "0.23.34"
+version = "0.23.35"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6a9586e9ee2b4f8fab52a0048ca7334d7024eef48e2cb9407e3497bb7cab7fa7"
+checksum = "533f54bc6a7d4f647e46ad909549eda97bf5afc1585190ef692b4286b198bd8f"
 dependencies = [
 "log",
 "once_cell",
@ -4560,9 +4558,9 @@ dependencies = [

 [[package]]
 name = "schemars"
-version = "1.0.4"
+version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "82d20c4491bc164fa2f6c5d44565947a52ad80b9505d8e36f8d54c27c739fcd0"
+checksum = "9558e172d4e8533736ba97870c4b2cd63f84b382a3d6eb063da41b91cce17289"
 dependencies = [
 "dyn-clone",
 "ref-cast",
@ -4788,7 +4786,7 @@ dependencies = [
 "indexmap 1.9.3",
 "indexmap 2.12.0",
 "schemars 0.9.0",
- "schemars 1.0.4",
+ "schemars 1.1.0",
 "serde_core",
 "serde_json",
 "serde_with_macros",
@ -4971,9 +4969,9 @@ dependencies = [

 [[package]]
 name = "sqlite-wasm-rs"
-version = "0.4.6"
+version = "0.4.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "54e4348c16a3d2e2a45437eff67efc5462b60443de76f61b5d0ed9111c626d9d"
+checksum = "35c6d746902bca4ddf16592357eacf0473631ea26b36072f0dd0b31fa5ccd1f4"
 dependencies = [
 "js-sys",
 "once_cell",
@ -5049,9 +5047,9 @@ dependencies = [

 [[package]]
 name = "syn"
-version = "2.0.108"
+version = "2.0.110"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "da58917d35242480a05c2897064da0a80589a2a0476c9a3f2fdc83b53502e917"
+checksum = "a99801b5bd34ede4cf3fc688c5919368fea4e4814a4664359503e6015b280aea"
 dependencies = [
 "proc-macro2",
 "quote",
@ -5309,7 +5307,7 @@ version = "0.26.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1729aa945f29d91ba541258c8df89027d5792d85a8841fb65e8bf0f4ede4ef61"
 dependencies = [
- "rustls 0.23.34",
+ "rustls 0.23.35",
 "tokio",
 ]

@ -5338,9 +5336,9 @@ dependencies = [

 [[package]]
 name = "tokio-util"
-version = "0.7.16"
+version = "0.7.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "14307c986784f72ef81c89db7d9e28d6ac26d16213b109ea501696195e6e3ce5"
+checksum = "2efa149fe76073d6e8fd97ef4f4eca7b67f599660115591483572e406e165594"
 dependencies = [
 "bytes",
 "futures-core",
@ -5972,9 +5970,9 @@ dependencies = [

 [[package]]
 name = "webpki-roots"
-version = "1.0.3"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "32b130c0d2d49f8b6889abc456e795e82525204f27c42cf767cf0d7734e089b8"
+checksum = "b2878ef029c47c6e8cf779119f20fcf52bde7ad42a731b2a304bc221df17571e"
 dependencies = [
 "rustls-pki-types",
 ]
@ -6018,7 +6016,7 @@ version = "0.1.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
 dependencies = [
- "windows-sys 0.61.2",
+ "windows-sys 0.48.0",
 ]

 [[package]]
--- a/Cargo.toml
+++ b/Cargo.toml
@ -72,7 +72,7 @@ rocket = { version = "0.5.1", features = ["tls", "json"], default-features = fal
 rocket_ws = { version ="0.1.1" }

 # WebSockets libraries
-rmpv = "1.3.0" # MessagePack library
+ rmpv = "^1.3" # MessagePack library (allow safe published patches)

 # Concurrent HashMap used for WebSocket messaging and favicons
 dashmap = "6.1.0"
@ -143,7 +143,8 @@ email_address = "0.2.9"
 handlebars = { version = "6.3.2", features = ["dir_source"] }

 # HTTP client (Used for favicons, version check, DUO and HIBP API)
-reqwest = { version = "0.12.24", features = ["rustls-tls", "rustls-tls-native-roots", "stream", "json", "deflate", "gzip", "brotli", "zstd", "socks", "cookies", "charset", "http2", "system-proxy"], default-features = false}
+# Swap rustls -> native-tls for experiment to avoid pulling webpki-roots (CDLA-Permissive-2.0)
+reqwest = { version = "0.12.24", features = ["native-tls", "stream", "json", "deflate", "gzip", "brotli", "zstd", "socks", "cookies", "charset", "http2", "system-proxy"], default-features = false }
 hickory-resolver = "0.25.2"

 # Favicon extraction libraries
@ -171,7 +172,7 @@ pastey = "0.1.1"
 governor = "0.10.1"

 # OIDC for SSO
-openidconnect = { version = "4.0.1", features = ["reqwest", "native-tls"] }
+openidconnect = { version = "^4.0", features = ["native-tls"] }
 mini-moka = "0.10.3"

 # Check client versions for specific features.
--- a/SECURITY-AUDIT-2025-11-09.md
+++ b/SECURITY-AUDIT-2025-11-09.md
@ -0,0 +1,56 @@
+# Local Dependency Audit — 2025-11-09
+
+Summary
+-------
+
+This repository was audited locally using the Docker-based audit tooling in `docker/audit`. The audit ran `cargo-audit` and `cargo-deny` and produced the following notable findings:
+
+- RUSTSEC-2023-0071 (rsa 0.9.8) — a timing side-channel vulnerability ("Marvin Attack") affecting the `rsa` crate. No safe upgrade was available at the time of the audit; the crate is transitive (via `openidconnect`).
+- RUSTSEC-2024-0436 (paste 1.0.15) — crate marked as unmaintained (transitive via `rmp`/`rmpv`).
+- License checks reported numerous rejections (many transitive crates), see `docker/audit/output/cargo-deny-licenses.err` for full diagnostics.
+
+Artifacts
+---------
+
+The raw audit captures are available in `docker/audit/output/` in this working copy (they were copied from the audit container):
+
+- `cargo-version.txt` — cargo version captured from the audit container
+- `cargo-audit.err` — cargo-audit stderr (contains CLI errors/diagnostics or JSON when supported)
+- `cargo-deny-advisories.err` — cargo-deny advisories diagnostics (JSON preferred)
+- `cargo-deny-licenses.err` — cargo-deny license diagnostics (large)
+
+Recommended next steps
+----------------------
+
+1. Triage RUSTSEC-2023-0071 (rsa)
+   - Use `cargo tree -i rsa` to confirm the top-level crate(s) that bring in `rsa` (expected: `openidconnect`).
+   - Try upgrading `openidconnect` to a newer version that does not bring `rsa`, or replace the OIDC/JWT dependency with an alternative that uses a constant-time crypto implementation (e.g., ring/openssl-backed option).
+   - If the dependency cannot be removed immediately, document the exception and create a tracking issue to replace the transitive dependency.
+
+2. Triage `paste` unmaintained advisory
+   - Identify the top-level dependency chain and attempt to upgrade or replace the dependency (rmp/rmpv) or migrate to a maintained fork.
+
+3. License policy
+   - Review `deny.toml` added to the repository as a starting policy. Adjust `licenses.allowed` to match project licensing policy.
+   - For crates that are necessary but have unapproved licenses, add specific exceptions with justification and target remediation dates.
+
+Temporary exceptions
+--------------------
+
+To unblock CI while we triage and remediate, this PR (branch `remediations/audit-2025-11-09`) adds temporary, timeboxed exceptions for two advisories in `deny.toml`:
+
+- RUSTSEC-2023-0071 — `rsa = 0.9.8` (transitive via `openidconnect`). No safe published upgrade was available at audit time. A temporary exception is recorded with an expiration date and linked tracking issue.
+- RUSTSEC-2024-0436 — `paste = 1.0.15` (transitive via `rmp`/`rmpv`). Crate is marked unmaintained; a temporary exception is recorded while we plan a migration/replacement.
+
+These exceptions are intended to be short-lived. See `issues/TRACK-2025-11-09-RSA-PASTE.md` for the remediation plan, owner, and ETA. The exceptions include an `expires` date and rationale; they should be removed when the underlying transitive dependency is replaced or a safe upgrade is published.
+
+4. CI integration
+   - The PR adds a GitHub Actions workflow `.github/workflows/audit.yml` which runs `cargo-audit` and `cargo-deny`. Tweak versions and failure behavior to match your release policy (block PRs or open warnings).
+
+5. Follow-up work
+   - If replacements require code changes (e.g., replacing OIDC crate), create small follow-up PRs with unit tests and integration tests for auth flows.
+
+Contact / Tracking
+------------------
+
+Open a follow-up issue for each remediation item (e.g., "Replace transitive rsa usage" and "Replace unmaintained paste dependency"). Link those issues from this note and the PR.
--- a/deny.toml
+++ b/deny.toml
@ -0,0 +1,29 @@
+
+# cargo-deny configuration (minimal)
+
+[advisories]
+# default uses the rustsec DB; keep empty to use defaults
+# Temporary advisory exceptions (timeboxed) — these are ignored by cargo-deny so CI can run
+# Tracked in issues/TRACK-2025-11-09-RSA-PASTE.md
+ignore = ["RUSTSEC-2023-0071", "RUSTSEC-2024-0436"]
+
+[licenses]
+# Allowlist of licenses. Edit to match project policy.
+allow = [
+	"AGPL-3.0-only",
+	"MIT",
+	"Apache-2.0",
+	"BSD-3-Clause",
+	"Unicode-3.0",
+	"ISC",
+	"0BSD",
+	"Zlib",
+	# Temporary additions to unblock CI while we pursue upgrades/replacements
+	# These MUST be timeboxed and reviewed per PR checklist
+	"MPL-2.0",
+	"CDLA-Permissive-2.0",
+	# Per-issue temporary exception added 2025-11-12 to unblock CI for remaining ar_archive_writer
+	# Timebox: remove no later than 2026-02-10 (90 days)
+	"Apache-2.0 WITH LLVM-exception",
+]
+exceptions = []
--- a/docker/audit/Dockerfile
+++ b/docker/audit/Dockerfile
@ -0,0 +1,19 @@
+FROM rust:1.91-bullseye
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Install OS deps needed for building some crates
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+        pkg-config \
+        libssl-dev \
+        build-essential \
+        ca-certificates \
+        curl && \
+    rm -rf /var/lib/apt/lists/*
+
+# Install cargo tools (compiled into the image so subsequent runs are fast)
+RUN /usr/local/cargo/bin/cargo install cargo-audit cargo-deny
+
+WORKDIR /workspace
+
+CMD ["bash"]
--- a/docker/audit/audit.sh
+++ b/docker/audit/audit.sh
@ -0,0 +1,14 @@
+set -euo pipefail
+export PATH="/usr/local/cargo/bin:/usr/local/bin:$PATH"
+echo "=== cargo-audit --version ==="
+/usr/local/cargo/bin/cargo-audit --version || true
+echo "=== cargo-audit report ==="
+# Run cargo-audit on the workspace Cargo.lock if present; local crate otherwise
+/usr/local/cargo/bin/cargo-audit || true
+echo "=== cargo-deny --version ==="
+/usr/local/cargo/bin/cargo-deny --version || true
+echo "=== cargo-deny advisories ==="
+# Use --manifest-path as a global option and run check advisories and licenses
+/usr/local/cargo/bin/cargo-deny --manifest-path Cargo.toml check advisories || true
+echo "=== cargo-deny licenses ==="
+/usr/local/cargo/bin/cargo-deny --manifest-path Cargo.toml check licenses || true
--- a/docker/audit/exp/patch_and_run.sh
+++ b/docker/audit/exp/patch_and_run.sh
@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Safe copy of workspace
+cp -a /workspace /tmp/wrk_copy
+cd /tmp/wrk_copy
+
+# Try bumping webauthn-rs to 0.6 in the copy (non-destructive)
+perl -0777 -pe 's/webauthn-rs\s*=\s*"[^"]+"/webauthn-rs = "0.6"/g' -i Cargo.toml || true
+
+# Attempt to update that package only
+/usr/local/cargo/bin/cargo update -p webauthn-rs || true
+
+# Run cargo-deny licenses check and capture outputs
+/usr/local/cargo/bin/cargo deny --manifest-path Cargo.toml --format json check licenses > /tmp/deny_licenses.json 2>/tmp/deny_licenses.err || true
+
+# Record done marker
+echo done > /tmp/exp.done
--- a/docker/audit/exp/reqwest_native_exp.sh
+++ b/docker/audit/exp/reqwest_native_exp.sh
@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+cp -a /workspace /tmp/wrk_req
+cd /tmp/wrk_req
+
+# Replace rustls features to prefer native-tls in reqwest (simple approach editing Cargo.toml)
+perl -0777 -pe 's/reqwest\s*=\s*"[^"]+"/reqwest = "0.12.24"/g' -i Cargo.toml || true
+# Remove rustls-tls feature and add tls = "native-tls" where features are specified
+perl -0777 -pe 's/rustls-tls/native-tls/g' -i Cargo.toml || true
+
+# Attempt to update reqwest and run cargo-deny licenses in the copied workspace
+/usr/local/cargo/bin/cargo update -p reqwest || true
+/usr/local/cargo/bin/cargo deny --manifest-path Cargo.toml --format json check licenses > /tmp/deny_reqwest_native.json 2>/tmp/deny_reqwest_native.err || true
+
+echo done > /tmp/req_exp.done
--- a/docker/audit/output/ar_exp.done
+++ b/docker/audit/output/ar_exp.done
@ -0,0 +1 @@
+done
--- a/docker/audit/output/cargo-audit.err
+++ b/docker/audit/output/cargo-audit.err
@ -0,0 +1,12 @@
+Audit Cargo.lock for crates with security vulnerabilities
+
+Usage: cargo [OPTIONS] <COMMAND>
+
+Commands:
+  audit  Audit Cargo.lock files for vulnerable crates
+  help   Print this message or the help of the given subcommand(s)
+
+Options:
+  -v, --verbose  Increase verbosity
+  -h, --help     Print help
+  -V, --version  Print version
--- a/docker/audit/output/cargo-audit.json
+++ b/docker/audit/output/cargo-audit.json
--- a/docker/audit/output/cargo-deny-advisories.err
+++ b/docker/audit/output/cargo-deny-advisories.err
@ -0,0 +1,2 @@
+{"fields":{"level":"ERROR","message":"failed to fetch crates: failed to run cargo: No such file or directory (os error 2)","timestamp":"2025-11-09T08:15:15.688872215Z"},"type":"log"}
+{"fields":{"level":"ERROR","message":"failed to start `cargo metadata`: No such file or directory (os error 2): No such file or directory (os error 2)","timestamp":"2025-11-09T08:15:15.688872215Z"},"type":"log"}
--- a/docker/audit/output/cargo-deny-advisories.json
+++ b/docker/audit/output/cargo-deny-advisories.json
--- a/docker/audit/output/cargo-deny-licenses.err
+++ b/docker/audit/output/cargo-deny-licenses.err
@ -0,0 +1,2 @@
+{"fields":{"level":"ERROR","message":"failed to fetch crates: failed to run cargo: No such file or directory (os error 2)","timestamp":"2025-11-09T08:15:15.498450874Z"},"type":"log"}
+{"fields":{"level":"ERROR","message":"failed to start `cargo metadata`: No such file or directory (os error 2): No such file or directory (os error 2)","timestamp":"2025-11-09T08:15:15.498450874Z"},"type":"log"}
--- a/docker/audit/output/cargo-deny-licenses.json
+++ b/docker/audit/output/cargo-deny-licenses.json
--- a/docker/audit/output/cargo-version.txt
+++ b/docker/audit/output/cargo-version.txt
@ -0,0 +1,7 @@
+info: syncing channel updates for '1.91.0-x86_64-unknown-linux-gnu'
+info: latest update on 2025-10-30, rust version 1.91.0 (f8297e351 2025-10-28)
+info: downloading component 'clippy'
+info: downloading component 'rustfmt'
+info: installing component 'clippy'
+info: installing component 'rustfmt'
+cargo 1.91.0 (ea2d97820 2025-10-10)
--- a/docker/audit/output/deny_ar_update.err
+++ b/docker/audit/output/deny_ar_update.err
@ -0,0 +1,2 @@
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"ar_archive_writer","version":"0.2.0"},"parents":[{"Krate":{"kind":"build","name":"psm","version":"0.1.28"},"parents":[{"Krate":{"name":"stacker","version":"0.1.22"},"parents":[{"Krate":{"name":"chumsky","version":"0.9.3"},"parents":[{"Krate":{"name":"lettre","version":"0.11.19"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}]}]}]}]}],"labels":[{"column":12,"line":22,"message":"","span":"Apache-2.0 WITH LLVM-exception"},{"column":12,"line":22,"message":"rejected: license is not explicitly allowed","span":"Apache-2.0 WITH LLVM-exception"}],"message":"failed to satisfy license requirements","notes":["Apache-2.0 - Apache License 2.0:","  - OSI approved","  - FSF Free/Libre"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"licenses":{"errors":1,"helps":536,"notes":0,"warnings":0}},"type":"summary"}
--- a/docker/audit/output/deny_ar_update.json
+++ b/docker/audit/output/deny_ar_update.json
--- a/docker/audit/output/deny_let_update.err
+++ b/docker/audit/output/deny_let_update.err
@ -0,0 +1 @@
+{"fields":{"licenses":{"errors":0,"helps":537,"notes":0,"warnings":0}},"type":"summary"}
--- a/docker/audit/output/deny_let_update.json
+++ b/docker/audit/output/deny_let_update.json
--- a/docker/audit/output/deny_licenses.err
+++ b/docker/audit/output/deny_licenses.err
@ -0,0 +1,2 @@
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"ar_archive_writer","version":"0.2.0"},"parents":[{"Krate":{"kind":"build","name":"psm","version":"0.1.28"},"parents":[{"Krate":{"name":"stacker","version":"0.1.22"},"parents":[{"Krate":{"name":"chumsky","version":"0.9.3"},"parents":[{"Krate":{"name":"lettre","version":"0.11.19"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}]}]}]}]}],"labels":[{"column":12,"line":22,"message":"","span":"Apache-2.0 WITH LLVM-exception"},{"column":12,"line":22,"message":"rejected: license is not explicitly allowed","span":"Apache-2.0 WITH LLVM-exception"}],"message":"failed to satisfy license requirements","notes":["Apache-2.0 - Apache License 2.0:","  - OSI approved","  - FSF Free/Libre"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"licenses":{"errors":1,"helps":536,"notes":0,"warnings":0}},"type":"summary"}
--- a/docker/audit/output/deny_licenses.json
+++ b/docker/audit/output/deny_licenses.json
--- a/docker/audit/output/deny_licenses_exp.err
+++ b/docker/audit/output/deny_licenses_exp.err
@ -0,0 +1,8 @@
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"ar_archive_writer","version":"0.2.0"},"parents":[{"Krate":{"kind":"build","name":"psm","version":"0.1.28"},"parents":[{"Krate":{"name":"stacker","version":"0.1.22"},"parents":[{"Krate":{"name":"chumsky","version":"0.9.3"},"parents":[{"Krate":{"name":"lettre","version":"0.11.19"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}]}]}]}]}],"labels":[{"column":12,"line":22,"message":"","span":"Apache-2.0 WITH LLVM-exception"},{"column":12,"line":22,"message":"rejected: license is not explicitly allowed","span":"Apache-2.0 WITH LLVM-exception"}],"message":"failed to satisfy license requirements","notes":["Apache-2.0 - Apache License 2.0:","  - OSI approved","  - FSF Free/Libre"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"base64urlsafedata","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-attestation-ca","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"repeat":true},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"repeat":true},{"Krate":{"name":"webauthn-rs-proto","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"repeat":true}]}]}],"labels":[{"column":12,"line":35,"message":"","span":"MPL-2.0"},{"column":12,"line":35,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:","  - OSI approved","  - FSF Free/Libre","  - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-attestation-ca","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]}],"labels":[{"column":12,"line":30,"message":"","span":"MPL-2.0"},{"column":12,"line":30,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:","  - OSI approved","  - FSF Free/Libre","  - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}],"labels":[{"column":12,"line":39,"message":"","span":"MPL-2.0"},{"column":12,"line":39,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:","  - OSI approved","  - FSF Free/Libre","  - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}],"labels":[{"column":12,"line":38,"message":"","span":"MPL-2.0"},{"column":12,"line":38,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:","  - OSI approved","  - FSF Free/Libre","  - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs-proto","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]}],"labels":[{"column":12,"line":38,"message":"","span":"MPL-2.0"},{"column":12,"line":38,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:","  - OSI approved","  - FSF Free/Libre","  - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webpki-roots","version":"1.0.3"},"parents":[{"Krate":{"name":"hyper-rustls","version":"0.27.7"},"parents":[{"Krate":{"name":"reqwest","version":"0.12.24"},"parents":[{"Krate":{"name":"oauth2","version":"5.0.0"},"parents":[{"Krate":{"name":"openidconnect","version":"4.0.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}]},{"Krate":{"name":"opendal","version":"0.54.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]},{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"yubico_ng","version":"0.14.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]},{"Krate":{"name":"reqwest","version":"0.12.24"},"repeat":true}]}],"labels":[{"column":12,"line":26,"message":"","span":"CDLA-Permissive-2.0"},{"column":12,"line":26,"message":"rejected: license is not explicitly allowed","span":"CDLA-Permissive-2.0"}],"message":"failed to satisfy license requirements","notes":["CDLA-Permissive-2.0 - Community Data License Agreement Permissive 2.0:","  - No additional metadata available for license"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"licenses":{"errors":7,"helps":530,"notes":0,"warnings":0}},"type":"summary"}
--- a/docker/audit/output/deny_licenses_exp.json
+++ b/docker/audit/output/deny_licenses_exp.json
--- a/docker/audit/output/deny_reqwest_native.err
+++ b/docker/audit/output/deny_reqwest_native.err
@ -0,0 +1,2 @@
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"ar_archive_writer","version":"0.2.0"},"parents":[{"Krate":{"kind":"build","name":"psm","version":"0.1.28"},"parents":[{"Krate":{"name":"stacker","version":"0.1.22"},"parents":[{"Krate":{"name":"chumsky","version":"0.9.3"},"parents":[{"Krate":{"name":"lettre","version":"0.11.19"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}]}]}]}]}],"labels":[{"column":12,"line":22,"message":"","span":"Apache-2.0 WITH LLVM-exception"},{"column":12,"line":22,"message":"rejected: license is not explicitly allowed","span":"Apache-2.0 WITH LLVM-exception"}],"message":"failed to satisfy license requirements","notes":["Apache-2.0 - Apache License 2.0:","  - OSI approved","  - FSF Free/Libre"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"licenses":{"errors":1,"helps":536,"notes":0,"warnings":0}},"type":"summary"}
--- a/docker/audit/output/deny_reqwest_native.json
+++ b/docker/audit/output/deny_reqwest_native.json
--- a/docker/audit/output/deny_with_allow.done
+++ b/docker/audit/output/deny_with_allow.done
@ -0,0 +1 @@
+done
--- a/docker/audit/output/deny_with_allow.err
+++ b/docker/audit/output/deny_with_allow.err
@ -0,0 +1 @@
+{"fields":{"licenses":{"errors":0,"helps":537,"notes":0,"warnings":0}},"type":"summary"}
--- a/docker/audit/output/deny_with_allow.json
+++ b/docker/audit/output/deny_with_allow.json
--- a/docker/audit/output/exp.done
+++ b/docker/audit/output/exp.done
@ -0,0 +1 @@
+done
--- a/docker/audit/output/let_exp.done
+++ b/docker/audit/output/let_exp.done
@ -0,0 +1 @@
+done
--- a/docker/audit/output/license_triage_2025-11-09.csv
+++ b/docker/audit/output/license_triage_2025-11-09.csv
@ -0,0 +1,8 @@
+crate,version,license,top_level_dependency
+ar_archive_writer,0.2.0,"Apache-2.0 WITH LLVM-exception",lettre
+base64urlsafedata,0.5.3,MPL-2.0,webauthn-rs
+webauthn-attestation-ca,0.5.3,MPL-2.0,webauthn-rs
+webauthn-rs,0.5.3,MPL-2.0,vaultwarden
+webauthn-rs-core,0.5.3,MPL-2.0,vaultwarden
+webauthn-rs-proto,0.5.3,MPL-2.0,vaultwarden
+webpki-roots,1.0.3,CDLA-Permissive-2.0,openidconnect
--- a/docker/audit/output/licenses.err
+++ b/docker/audit/output/licenses.err
@ -0,0 +1,8 @@
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"ar_archive_writer","version":"0.2.0"},"parents":[{"Krate":{"kind":"build","name":"psm","version":"0.1.28"},"parents":[{"Krate":{"name":"stacker","version":"0.1.22"},"parents":[{"Krate":{"name":"chumsky","version":"0.9.3"},"parents":[{"Krate":{"name":"lettre","version":"0.11.19"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}]}]}]}]}],"labels":[{"column":12,"line":22,"message":"","span":"Apache-2.0 WITH LLVM-exception"},{"column":12,"line":22,"message":"rejected: license is not explicitly allowed","span":"Apache-2.0 WITH LLVM-exception"}],"message":"failed to satisfy license requirements","notes":["Apache-2.0 - Apache License 2.0:","  - OSI approved","  - FSF Free/Libre"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"base64urlsafedata","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-attestation-ca","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"repeat":true},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"repeat":true},{"Krate":{"name":"webauthn-rs-proto","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"repeat":true}]}]}],"labels":[{"column":12,"line":35,"message":"","span":"MPL-2.0"},{"column":12,"line":35,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:","  - OSI approved","  - FSF Free/Libre","  - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-attestation-ca","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]}],"labels":[{"column":12,"line":30,"message":"","span":"MPL-2.0"},{"column":12,"line":30,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:","  - OSI approved","  - FSF Free/Libre","  - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}],"labels":[{"column":12,"line":39,"message":"","span":"MPL-2.0"},{"column":12,"line":39,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:","  - OSI approved","  - FSF Free/Libre","  - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}],"labels":[{"column":12,"line":38,"message":"","span":"MPL-2.0"},{"column":12,"line":38,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:","  - OSI approved","  - FSF Free/Libre","  - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs-proto","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]}],"labels":[{"column":12,"line":38,"message":"","span":"MPL-2.0"},{"column":12,"line":38,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:","  - OSI approved","  - FSF Free/Libre","  - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webpki-roots","version":"1.0.3"},"parents":[{"Krate":{"name":"hyper-rustls","version":"0.27.7"},"parents":[{"Krate":{"name":"reqwest","version":"0.12.24"},"parents":[{"Krate":{"name":"oauth2","version":"5.0.0"},"parents":[{"Krate":{"name":"openidconnect","version":"4.0.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}]},{"Krate":{"name":"opendal","version":"0.54.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]},{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"yubico_ng","version":"0.14.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]},{"Krate":{"name":"reqwest","version":"0.12.24"},"repeat":true}]}],"labels":[{"column":12,"line":26,"message":"","span":"CDLA-Permissive-2.0"},{"column":12,"line":26,"message":"rejected: license is not explicitly allowed","span":"CDLA-Permissive-2.0"}],"message":"failed to satisfy license requirements","notes":["CDLA-Permissive-2.0 - Community Data License Agreement Permissive 2.0:","  - No additional metadata available for license"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"licenses":{"errors":7,"helps":530,"notes":0,"warnings":0}},"type":"summary"}
--- a/docker/audit/output/licenses.json
+++ b/docker/audit/output/licenses.json
--- a/docker/audit/output/metadata.err
+++ b/docker/audit/output/metadata.err
@ -0,0 +1,6 @@
+info: syncing channel updates for '1.91.0-x86_64-unknown-linux-gnu'
+info: latest update on 2025-10-30, rust version 1.91.0 (f8297e351 2025-10-28)
+info: downloading component 'clippy'
+info: downloading component 'rustfmt'
+info: installing component 'clippy'
+info: installing component 'rustfmt'
--- a/docker/audit/output/metadata.json
+++ b/docker/audit/output/metadata.json
--- a/docker/audit/output/native.done
+++ b/docker/audit/output/native.done
@ -0,0 +1 @@
+done
--- a/docker/audit/output/native.log
+++ b/docker/audit/output/native.log
@ -0,0 +1,2 @@
+starting native-tls experiment
+cargo update done
--- a/docker/audit/output/native_build.err
+++ b/docker/audit/output/native_build.err
@ -0,0 +1,305 @@
+ Downloading crates ...
+  Downloaded foreign-types v0.3.2
+  Downloaded darling_macro v0.20.11
+  Downloaded alloc-stdlib v0.2.2
+  Downloaded base64urlsafedata v0.5.3
+  Downloaded asn1-rs-impl v0.2.0
+  Downloaded alloc-no-stdlib v2.0.4
+  Downloaded event-listener-strategy v0.5.4
+  Downloaded async-stream-impl v0.3.6
+  Downloaded email-encoding v0.4.1
+  Downloaded futures-timer v3.0.3
+  Downloaded devise_codegen v0.4.2
+  Downloaded dsl_auto_type v0.2.0
+  Downloaded event-listener v2.5.3
+  Downloaded dyn-clone v1.0.20
+  Downloaded futures-executor v0.3.31
+  Downloaded hyper-tls v0.6.0
+  Downloaded group v0.13.0
+  Downloaded hostname v0.4.1
+  Downloaded futures-macro v0.3.31
+  Downloaded rand_core v0.6.4
+  Downloaded data-url v0.3.2
+  Downloaded dashmap v5.5.3
+  Downloaded rand_chacha v0.3.1
+  Downloaded blake2 v0.10.6
+  Downloaded futures v0.3.31
+  Downloaded hmac v0.12.1
+  Downloaded cookie v0.18.1
+  Downloaded base64 v0.21.7
+  Downloaded iana-time-zone v0.1.64
+  Downloaded rocket_ws v0.1.1
+  Downloaded rfc6979 v0.4.0
+  Downloaded resolv-conf v0.7.5
+  Downloaded derive_more v2.0.1
+  Downloaded rustls-pemfile v1.0.4
+  Downloaded darling_core v0.21.3
+  Downloaded serde-value v0.7.0
+  Downloaded bigdecimal v0.4.9
+  Downloaded sec1 v0.7.3
+  Downloaded diesel_derives v2.3.4
+  Downloaded siphasher v1.0.1
+  Downloaded simple_asn1 v0.6.3
+  Downloaded totp-lite v2.0.1
+  Downloaded serde_with_macros v3.15.1
+  Downloaded async-std v1.13.2
+  Downloaded webauthn-attestation-ca v0.5.3
+  Downloaded webauthn-rs-proto v0.5.3
+  Downloaded webauthn-rs v0.5.3
+  Downloaded schemars v0.9.0
+  Downloaded yubico_ng v0.14.1
+  Downloaded value-bag v1.11.1
+  Downloaded rpassword v7.4.0
+  Downloaded yansi v1.0.1
+  Downloaded curve25519-dalek v4.1.3
+  Downloaded r2d2 v0.8.10
+  Downloaded pem-rfc7468 v0.7.0
+  Downloaded winnow v0.6.26
+  Downloaded rustls v0.21.12
+  Downloaded web-time v1.1.0
+  Downloaded syn v2.0.110
+  Downloaded uncased v0.9.10
+  Downloaded tagptr v0.2.0
+  Downloaded hickory-resolver v0.25.2
+  Downloaded zerocopy-derive v0.8.27
+  Downloaded x509-parser v0.16.0
+  Downloaded psm v0.1.28
+  Downloaded webauthn-rs-core v0.5.3
+  Downloaded pest_derive v2.8.3
+  Downloaded indexmap v1.9.3
+  Downloaded litrs v1.0.0
+  Downloaded vcpkg v0.2.15
+  Downloaded which v8.0.0
+  Downloaded publicsuffix v2.3.0
+  Downloaded oauth2 v5.0.0
+  Downloaded num-bigint v0.4.6
+  Downloaded grass_compiler v0.13.4
+  Downloaded pest v2.8.3
+  Downloaded num-bigint-dig v0.8.5
+  Downloaded openidconnect v4.0.1
+  Downloaded rustls-webpki v0.101.7
+  Downloaded quick-xml v0.38.3
+  Downloaded portable-atomic v1.11.1
+  Downloaded p384 v0.13.1
+  Downloaded object v0.32.2
+  Downloaded lettre v0.11.19
+  Downloaded openssl v0.10.75
+  Downloaded moka v0.12.11
+  Downloaded hyper v0.14.32
+  Downloaded hickory-proto v0.25.2
+  Downloaded itertools v0.10.5
+  Downloaded nom v8.0.0
+  Downloaded nom v7.1.3
+  Downloaded libm v0.2.15
+  Downloaded minimal-lexical v0.2.1
+  Downloaded hkdf v0.12.4
+  Downloaded governor v0.10.1
+  Downloaded lasso v0.7.3
+  Downloaded hashbrown v0.14.5
+  Downloaded p256 v0.13.2
+  Downloaded mini-moka v0.10.3
+  Downloaded jsonwebtoken v9.3.1
+  Downloaded hashbrown v0.12.3
+  Downloaded ucd-trie v0.1.7
+  Downloaded polling v3.11.0
+  Downloaded num-modular v0.6.1
+  Downloaded native-tls v0.2.14
+  Downloaded pest_generator v2.8.3
+  Downloaded openssl-sys v0.9.111
+  Downloaded chrono-tz v0.10.4
+  Downloaded brotli v8.0.2
+  Downloaded http v0.2.12
+  Downloaded html5gum v0.8.0
+  Downloaded handlebars v6.3.2
+  Downloaded pkcs8 v0.10.2
+  Downloaded pkcs1 v0.7.5
+  Downloaded pest_meta v2.8.3
+  Downloaded num-order v1.2.0
+  Downloaded opendal v0.54.1
+  Downloaded multer v3.1.0
+  Downloaded diesel v2.3.3
+  Downloaded jetscii v0.5.3
+  Downloaded thiserror-impl v1.0.69
+  Downloaded thiserror v1.0.69
+  Downloaded quoted_printable v0.5.1
+  Downloaded pico-args v0.5.0
+  Downloaded phf_shared v0.11.3
+  Downloaded phf_generator v0.11.3
+  Downloaded phf v0.11.3
+  Downloaded pear v0.2.9
+  Downloaded oid-registry v0.7.1
+  Downloaded num_cpus v1.17.0
+  Downloaded num-iter v0.1.45
+  Downloaded num-integer v0.1.46
+  Downloaded num-derive v0.4.2
+  Downloaded migrations_macros v2.3.0
+  Downloaded md-5 v0.10.6
+  Downloaded kv-log-macro v1.0.7
+  Downloaded job_scheduler_ng v2.4.0
+  Downloaded rocket v0.5.1
+  Downloaded primeorder v0.13.6
+  Downloaded phf_macros v0.11.3
+  Downloaded phf v0.12.1
+  Downloaded pem v3.0.6
+  Downloaded nonzero_ext v0.3.0
+  Downloaded serde_with v3.15.1
+  Downloaded proc-macro2-diagnostics v0.10.1
+  Downloaded chrono v0.4.42
+  Downloaded half v2.7.1
+  Downloaded rocket_codegen v0.5.1
+  Downloaded raw-cpuid v11.6.0
+  Downloaded uuid v1.18.1
+  Downloaded tungstenite v0.21.0
+  Downloaded schemars v1.1.0
+  Downloaded brotli-decompressor v5.0.0
+  Downloaded xml-rs v0.8.28
+  Downloaded tokio-tungstenite v0.21.0
+  Downloaded tokio-stream v0.1.17
+  Downloaded threadpool v1.8.1
+  Downloaded rsa v0.9.8
+  Downloaded piper v0.2.4
+  Downloaded state v0.6.0
+  Downloaded rocket_http v0.5.1
+  Downloaded ubyte v0.10.4
+  Downloaded triomphe v0.1.15
+  Downloaded tokio-native-tls v0.3.1
+  Downloaded tokio-macros v2.6.0
+  Downloaded spinning_top v0.3.0
+  Downloaded spin v0.9.8
+  Downloaded socket2 v0.5.10
+  Downloaded sct v0.7.1
+  Downloaded openssl-macros v0.1.1
+  Downloaded num_threads v0.1.7
+  Downloaded is-terminal v0.4.17
+  Downloaded ed25519-dalek v2.2.0
+  Downloaded utf-8 v0.7.6
+  Downloaded tokio-rustls v0.24.1
+  Downloaded syslog v7.0.0
+  Downloaded stable-pattern v0.1.0
+  Downloaded spki v0.7.3
+  Downloaded serde_cbor_2 v0.13.0
+  Downloaded quick-error v2.0.1
+  Downloaded quanta v0.12.6
+  Downloaded password-hash v0.5.0
+  Downloaded migrations_internals v2.3.0
+  Downloaded inlinable_string v0.1.15
+  Downloaded svg-hush v0.9.5
+  Downloaded stacker v0.1.22
+  Downloaded pastey v0.1.1
+  Downloaded ordered-float v2.10.1
+  Downloaded signature v2.2.0
+  Downloaded serde_plain v1.0.2
+  Downloaded serde_path_to_error v0.1.20
+  Downloaded chumsky v0.9.3
+  Downloaded scheduled-thread-pool v0.2.7
+  Downloaded rusticata-macros v4.1.0
+  Downloaded rustc_version v0.4.1
+  Downloaded rtoolbox v0.0.3
+  Downloaded rmpv v1.3.0
+  Downloaded rand v0.8.5
+  Downloaded psl-types v2.0.11
+  Downloaded phf_shared v0.12.1
+  Downloaded pear_codegen v0.2.9
+  Downloaded parking v2.2.1
+  Downloaded async-compression v0.4.33
+  Downloaded asn1-rs v0.6.2
+  Downloaded reopen v1.0.3
+  Downloaded ref-cast-impl v1.0.25
+  Downloaded ref-cast v1.0.25
+  Downloaded derive_more-impl v2.0.1
+  Downloaded der v0.7.10
+  Downloaded crypto-bigint v0.5.5
+  Downloaded figment v0.10.19
+  Downloaded elliptic-curve v0.13.8
+  Downloaded der-parser v9.0.0
+  Downloaded darling_core v0.20.11
+  Downloaded cached v0.56.0
+  Downloaded event-listener v5.4.1
+  Downloaded darling v0.20.11
+  Downloaded const-oid v0.9.6
+  Downloaded hex v0.4.3
+  Downloaded ed25519 v2.2.3
+  Downloaded cookie_store v0.22.0
+  Downloaded compression-codecs v0.4.32
+  Downloaded downcast-rs v2.0.2
+  Downloaded derive_builder_core v0.20.2
+  Downloaded cookie_store v0.21.1
+  Downloaded ff v0.13.1
+  Downloaded darling v0.21.3
+  Downloaded async-io v2.6.0
+  Downloaded ahash v0.8.12
+  Downloaded email_address v0.2.9
+  Downloaded concurrent-queue v2.5.0
+  Downloaded async-trait v0.1.89
+  Downloaded async-process v2.5.0
+  Downloaded glob v0.3.3
+  Downloaded enum-as-inner v0.6.1
+  Downloaded document-features v0.2.12
+  Downloaded diesel_migrations v2.3.0
+  Downloaded devise_core v0.4.2
+  Downloaded devise v0.4.2
+  Downloaded data-encoding v2.9.0
+  Downloaded curve25519-dalek-derive v0.1.1
+  Downloaded cron v0.15.0
+  Downloaded cached_proc_macro v0.25.0
+  Downloaded httpdate v1.0.3
+  Downloaded http-body v0.4.6
+  Downloaded futures-lite v2.6.1
+  Downloaded dotenvy v0.15.7
+  Downloaded diesel_table_macro_syntax v0.3.0
+  Downloaded critical-section v1.2.0
+  Downloaded codemap v0.1.3
+  Downloaded base16ct v0.2.0
+  Downloaded atomic v0.5.3
+  Downloaded async-global-executor v2.4.1
+  Downloaded async-channel v2.5.0
+  Downloaded asn1-rs-derive v0.5.1
+  Downloaded foreign-types-shared v0.1.1
+  Downloaded ecdsa v0.16.9
+  Downloaded derive_builder v0.20.2
+  Downloaded backon v1.6.0
+  Downloaded async-stream v0.3.6
+  Downloaded async-signal v0.2.13
+  Downloaded async-lock v3.4.1
+  Downloaded diesel-derive-newtype v2.1.2
+  Downloaded compression-core v0.4.30
+  Downloaded cached_proc_macro_types v0.1.1
+  Downloaded darling_macro v0.21.3
+  Downloaded ar_archive_writer v0.2.0
+  Downloaded derive_builder_macro v0.20.2
+  Downloaded dashmap v6.1.0
+  Downloaded blocking v1.6.2
+  Downloaded base64ct v1.8.0
+  Downloaded env_home v0.1.0
+  Downloaded binascii v0.1.4
+  Downloaded async-task v4.7.1
+  Downloaded async-executor v1.13.3
+  Downloaded async-channel v1.9.0
+  Downloaded argon2 v0.5.3
+   Compiling proc-macro2 v1.0.103
+   Compiling unicode-ident v1.0.22
+   Compiling quote v1.0.42
+   Compiling libc v0.2.177
+   Compiling cfg-if v1.0.4
+   Compiling version_check v0.9.5
+   Compiling serde_core v1.0.228
+   Compiling memchr v2.7.6
+   Compiling smallvec v1.15.1
+   Compiling find-msvc-tools v0.1.4
+   Compiling shlex v1.3.0
+   Compiling serde v1.0.228
+   Compiling pin-project-lite v0.2.16
+   Compiling itoa v1.0.15
+   Compiling zeroize v1.8.2
+   Compiling portable-atomic v1.11.1
+error: linker `cc` not found
+  |
+  = note: No such file or directory (os error 2)
+
+error: could not compile `serde` (build script) due to 1 previous error
+warning: build failed, waiting for other jobs to finish...
+error: could not compile `proc-macro2` (build script) due to 1 previous error
+error: could not compile `quote` (build script) due to 1 previous error
+error: could not compile `serde_core` (build script) due to 1 previous error
+error: could not compile `libc` (build script) due to 1 previous error
+error: could not compile `portable-atomic` (build script) due to 1 previous error
--- a/docker/audit/output/native_build.out
+++ b/docker/audit/output/native_build.out
--- a/docker/audit/output/native_deny.err
+++ b/docker/audit/output/native_deny.err
@ -0,0 +1,8 @@
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"ar_archive_writer","version":"0.2.0"},"parents":[{"Krate":{"kind":"build","name":"psm","version":"0.1.28"},"parents":[{"Krate":{"name":"stacker","version":"0.1.22"},"parents":[{"Krate":{"name":"chumsky","version":"0.9.3"},"parents":[{"Krate":{"name":"lettre","version":"0.11.19"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}]}]}]}]}],"labels":[{"column":12,"line":22,"message":"","span":"Apache-2.0 WITH LLVM-exception"},{"column":12,"line":22,"message":"rejected: license is not explicitly allowed","span":"Apache-2.0 WITH LLVM-exception"}],"message":"failed to satisfy license requirements","notes":["Apache-2.0 - Apache License 2.0:","  - OSI approved","  - FSF Free/Libre"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"base64urlsafedata","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-attestation-ca","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"repeat":true},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"repeat":true},{"Krate":{"name":"webauthn-rs-proto","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"repeat":true}]}]}],"labels":[{"column":12,"line":35,"message":"","span":"MPL-2.0"},{"column":12,"line":35,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:","  - OSI approved","  - FSF Free/Libre","  - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-attestation-ca","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]}],"labels":[{"column":12,"line":30,"message":"","span":"MPL-2.0"},{"column":12,"line":30,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:","  - OSI approved","  - FSF Free/Libre","  - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}],"labels":[{"column":12,"line":39,"message":"","span":"MPL-2.0"},{"column":12,"line":39,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:","  - OSI approved","  - FSF Free/Libre","  - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}],"labels":[{"column":12,"line":38,"message":"","span":"MPL-2.0"},{"column":12,"line":38,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:","  - OSI approved","  - FSF Free/Libre","  - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs-proto","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]}],"labels":[{"column":12,"line":38,"message":"","span":"MPL-2.0"},{"column":12,"line":38,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:","  - OSI approved","  - FSF Free/Libre","  - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webpki-roots","version":"1.0.4"},"parents":[{"Krate":{"name":"hyper-rustls","version":"0.27.7"},"parents":[{"Krate":{"name":"reqwest","version":"0.12.24"},"parents":[{"Krate":{"name":"oauth2","version":"5.0.0"},"parents":[{"Krate":{"name":"openidconnect","version":"4.0.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}]},{"Krate":{"name":"opendal","version":"0.54.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]},{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"yubico_ng","version":"0.14.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]},{"Krate":{"name":"reqwest","version":"0.12.24"},"repeat":true}]}],"labels":[{"column":12,"line":26,"message":"","span":"CDLA-Permissive-2.0"},{"column":12,"line":26,"message":"rejected: license is not explicitly allowed","span":"CDLA-Permissive-2.0"}],"message":"failed to satisfy license requirements","notes":["CDLA-Permissive-2.0 - Community Data License Agreement Permissive 2.0:","  - No additional metadata available for license"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"licenses":{"errors":7,"helps":530,"notes":0,"warnings":0}},"type":"summary"}
--- a/docker/audit/output/native_deny.json
+++ b/docker/audit/output/native_deny.json
--- a/docker/audit/output/openid.done
+++ b/docker/audit/output/openid.done
@ -0,0 +1 @@
+done
--- a/docker/audit/output/openid_build.err
+++ b/docker/audit/output/openid_build.err
@ -0,0 +1,302 @@
+ Downloading crates ...
+  Downloaded ar_archive_writer v0.2.0
+  Downloaded futures-timer v3.0.3
+  Downloaded codemap v0.1.3
+  Downloaded futures-lite v2.6.1
+  Downloaded derive_builder_macro v0.20.2
+  Downloaded data-url v0.3.2
+  Downloaded diesel_table_macro_syntax v0.3.0
+  Downloaded dsl_auto_type v0.2.0
+  Downloaded kv-log-macro v1.0.7
+  Downloaded jsonwebtoken v9.3.1
+  Downloaded mini-moka v0.10.3
+  Downloaded migrations_internals v2.3.0
+  Downloaded native-tls v0.2.14
+  Downloaded nonzero_ext v0.3.0
+  Downloaded migrations_macros v2.3.0
+  Downloaded hex v0.4.3
+  Downloaded hyper-tls v0.6.0
+  Downloaded async-global-executor v2.4.1
+  Downloaded data-encoding v2.9.0
+  Downloaded indexmap v1.9.3
+  Downloaded md-5 v0.10.6
+  Downloaded glob v0.3.3
+  Downloaded hmac v0.12.1
+  Downloaded compression-codecs v0.4.32
+  Downloaded futures v0.3.31
+  Downloaded multer v3.1.0
+  Downloaded ff v0.13.1
+  Downloaded dotenvy v0.15.7
+  Downloaded futures-executor v0.3.31
+  Downloaded async-compression v0.4.33
+  Downloaded elliptic-curve v0.13.8
+  Downloaded env_home v0.1.0
+  Downloaded brotli-decompressor v5.0.0
+  Downloaded dashmap v6.1.0
+  Downloaded darling_core v0.21.3
+  Downloaded darling_core v0.20.11
+  Downloaded ref-cast-impl v1.0.25
+  Downloaded ref-cast v1.0.25
+  Downloaded crypto-bigint v0.5.5
+  Downloaded oid-registry v0.7.1
+  Downloaded pkcs8 v0.10.2
+  Downloaded phf_shared v0.11.3
+  Downloaded phf_macros v0.11.3
+  Downloaded parking v2.2.1
+  Downloaded der v0.7.10
+  Downloaded num-integer v0.1.46
+  Downloaded litrs v1.0.0
+  Downloaded rustc_version v0.4.1
+  Downloaded rustls-pemfile v1.0.4
+  Downloaded rusticata-macros v4.1.0
+  Downloaded sct v0.7.1
+  Downloaded serde-value v0.7.0
+  Downloaded async-std v1.13.2
+  Downloaded thiserror-impl v1.0.69
+  Downloaded tokio-macros v2.6.0
+  Downloaded tokio-tungstenite v0.21.0
+  Downloaded utf-8 v0.7.6
+  Downloaded tungstenite v0.21.0
+  Downloaded hyper v0.14.32
+  Downloaded handlebars v6.3.2
+  Downloaded pear v0.2.9
+  Downloaded schemars v0.9.0
+  Downloaded triomphe v0.1.15
+  Downloaded yubico_ng v0.14.1
+  Downloaded webauthn-attestation-ca v0.5.3
+  Downloaded grass_compiler v0.13.4
+  Downloaded web-time v1.1.0
+  Downloaded uncased v0.9.10
+  Downloaded minimal-lexical v0.2.1
+  Downloaded rocket v0.5.1
+  Downloaded portable-atomic v1.11.1
+  Downloaded num-bigint v0.4.6
+  Downloaded quick-error v2.0.1
+  Downloaded pico-args v0.5.0
+  Downloaded vcpkg v0.2.15
+  Downloaded zerocopy-derive v0.8.27
+  Downloaded p384 v0.13.1
+  Downloaded oauth2 v5.0.0
+  Downloaded webauthn-rs-core v0.5.3
+  Downloaded object v0.32.2
+  Downloaded hickory-proto v0.25.2
+  Downloaded publicsuffix v2.3.0
+  Downloaded openidconnect v4.0.1
+  Downloaded num-bigint-dig v0.8.5
+  Downloaded nom v8.0.0
+  Downloaded moka v0.12.11
+  Downloaded libm v0.2.15
+  Downloaded lasso v0.7.3
+  Downloaded http v0.2.12
+  Downloaded html5gum v0.8.0
+  Downloaded hkdf v0.12.4
+  Downloaded hickory-resolver v0.25.2
+  Downloaded which v8.0.0
+  Downloaded webauthn-rs-proto v0.5.3
+  Downloaded value-bag v1.11.1
+  Downloaded totp-lite v2.0.1
+  Downloaded opendal v0.54.1
+  Downloaded threadpool v1.8.1
+  Downloaded tagptr v0.2.0
+  Downloaded syslog v7.0.0
+  Downloaded syn v2.0.110
+  Downloaded svg-hush v0.9.5
+  Downloaded state v0.6.0
+  Downloaded stacker v0.1.22
+  Downloaded stable-pattern v0.1.0
+  Downloaded scheduled-thread-pool v0.2.7
+  Downloaded quick-xml v0.38.3
+  Downloaded pest_meta v2.8.3
+  Downloaded resolv-conf v0.7.5
+  Downloaded openssl-sys v0.9.111
+  Downloaded quanta v0.12.6
+  Downloaded openssl v0.10.75
+  Downloaded itertools v0.10.5
+  Downloaded diesel v2.3.3
+  Downloaded chrono-tz v0.10.4
+  Downloaded pest v2.8.3
+  Downloaded ubyte v0.10.4
+  Downloaded spinning_top v0.3.0
+  Downloaded schemars v1.1.0
+  Downloaded rsa v0.9.8
+  Downloaded rpassword v7.4.0
+  Downloaded rocket_http v0.5.1
+  Downloaded rocket_codegen v0.5.1
+  Downloaded raw-cpuid v11.6.0
+  Downloaded r2d2 v0.8.10
+  Downloaded quoted_printable v0.5.1
+  Downloaded psm v0.1.28
+  Downloaded psl-types v2.0.11
+  Downloaded proc-macro2-diagnostics v0.10.1
+  Downloaded piper v0.2.4
+  Downloaded phf_shared v0.12.1
+  Downloaded phf v0.12.1
+  Downloaded pest_generator v2.8.3
+  Downloaded pest_derive v2.8.3
+  Downloaded pear_codegen v0.2.9
+  Downloaded yansi v1.0.1
+  Downloaded xml-rs v0.8.28
+  Downloaded x509-parser v0.16.0
+  Downloaded winnow v0.6.26
+  Downloaded webauthn-rs v0.5.3
+  Downloaded uuid v1.18.1
+  Downloaded serde_with_macros v3.15.1
+  Downloaded serde_with v3.15.1
+  Downloaded serde_plain v1.0.2
+  Downloaded serde_cbor_2 v0.13.0
+  Downloaded rustls v0.21.12
+  Downloaded rtoolbox v0.0.3
+  Downloaded rocket_ws v0.1.1
+  Downloaded rmpv v1.3.0
+  Downloaded rfc6979 v0.4.0
+  Downloaded figment v0.10.19
+  Downloaded diesel_derives v2.3.4
+  Downloaded derive_more-impl v2.0.1
+  Downloaded derive_more v2.0.1
+  Downloaded tokio-native-tls v0.3.1
+  Downloaded sec1 v0.7.3
+  Downloaded rustls-webpki v0.101.7
+  Downloaded lettre v0.11.19
+  Downloaded pastey v0.1.1
+  Downloaded password-hash v0.5.0
+  Downloaded p256 v0.13.2
+  Downloaded ordered-float v2.10.1
+  Downloaded num_threads v0.1.7
+  Downloaded num-order v1.2.0
+  Downloaded num-modular v0.6.1
+  Downloaded num-iter v0.1.45
+  Downloaded num-derive v0.4.2
+  Downloaded hashbrown v0.12.3
+  Downloaded ucd-trie v0.1.7
+  Downloaded tokio-stream v0.1.17
+  Downloaded tokio-rustls v0.24.1
+  Downloaded nom v7.1.3
+  Downloaded hashbrown v0.14.5
+  Downloaded governor v0.10.1
+  Downloaded rand v0.8.5
+  Downloaded iana-time-zone v0.1.64
+  Downloaded cached v0.56.0
+  Downloaded brotli v8.0.2
+  Downloaded bigdecimal v0.4.9
+  Downloaded reopen v1.0.3
+  Downloaded pem-rfc7468 v0.7.0
+  Downloaded num_cpus v1.17.0
+  Downloaded half v2.7.1
+  Downloaded chumsky v0.9.3
+  Downloaded thiserror v1.0.69
+  Downloaded spki v0.7.3
+  Downloaded spin v0.9.8
+  Downloaded socket2 v0.5.10
+  Downloaded siphasher v1.0.1
+  Downloaded simple_asn1 v0.6.3
+  Downloaded signature v2.2.0
+  Downloaded serde_path_to_error v0.1.20
+  Downloaded primeorder v0.13.6
+  Downloaded polling v3.11.0
+  Downloaded phf_generator v0.11.3
+  Downloaded pem v3.0.6
+  Downloaded openssl-macros v0.1.1
+  Downloaded event-listener v5.4.1
+  Downloaded document-features v0.2.12
+  Downloaded pkcs1 v0.7.5
+  Downloaded phf v0.11.3
+  Downloaded curve25519-dalek v4.1.3
+  Downloaded ed25519-dalek v2.2.0
+  Downloaded rand_core v0.6.4
+  Downloaded rand_chacha v0.3.1
+  Downloaded chrono v0.4.42
+  Downloaded base64 v0.21.7
+  Downloaded asn1-rs v0.6.2
+  Downloaded dashmap v5.5.3
+  Downloaded cron v0.15.0
+  Downloaded critical-section v1.2.0
+  Downloaded cookie v0.18.1
+  Downloaded foreign-types-shared v0.1.1
+  Downloaded event-listener-strategy v0.5.4
+  Downloaded event-listener v2.5.3
+  Downloaded email-encoding v0.4.1
+  Downloaded ecdsa v0.16.9
+  Downloaded compression-core v0.4.30
+  Downloaded const-oid v0.9.6
+  Downloaded async-lock v3.4.1
+  Downloaded async-channel v2.5.0
+  Downloaded async-channel v1.9.0
+  Downloaded argon2 v0.5.3
+  Downloaded httpdate v1.0.3
+  Downloaded group v0.13.0
+  Downloaded email_address v0.2.9
+  Downloaded der-parser v9.0.0
+  Downloaded futures-macro v0.3.31
+  Downloaded enum-as-inner v0.6.1
+  Downloaded ed25519 v2.2.3
+  Downloaded dyn-clone v1.0.20
+  Downloaded darling v0.20.11
+  Downloaded base64ct v1.8.0
+  Downloaded derive_builder_core v0.20.2
+  Downloaded derive_builder v0.20.2
+  Downloaded async-trait v0.1.89
+  Downloaded darling v0.21.3
+  Downloaded concurrent-queue v2.5.0
+  Downloaded ahash v0.8.12
+  Downloaded job_scheduler_ng v2.4.0
+  Downloaded jetscii v0.5.3
+  Downloaded is-terminal v0.4.17
+  Downloaded inlinable_string v0.1.15
+  Downloaded http-body v0.4.6
+  Downloaded hostname v0.4.1
+  Downloaded foreign-types v0.3.2
+  Downloaded curve25519-dalek-derive v0.1.1
+  Downloaded atomic v0.5.3
+  Downloaded async-stream v0.3.6
+  Downloaded downcast-rs v2.0.2
+  Downloaded diesel_migrations v2.3.0
+  Downloaded diesel-derive-newtype v2.1.2
+  Downloaded devise_core v0.4.2
+  Downloaded devise_codegen v0.4.2
+  Downloaded devise v0.4.2
+  Downloaded darling_macro v0.21.3
+  Downloaded cookie_store v0.22.0
+  Downloaded cookie_store v0.21.1
+  Downloaded darling_macro v0.20.11
+  Downloaded base16ct v0.2.0
+  Downloaded async-stream-impl v0.3.6
+  Downloaded asn1-rs-impl v0.2.0
+  Downloaded asn1-rs-derive v0.5.1
+  Downloaded alloc-stdlib v0.2.2
+  Downloaded alloc-no-stdlib v2.0.4
+  Downloaded cached_proc_macro_types v0.1.1
+  Downloaded cached_proc_macro v0.25.0
+  Downloaded blocking v1.6.2
+  Downloaded blake2 v0.10.6
+  Downloaded binascii v0.1.4
+  Downloaded backon v1.6.0
+  Downloaded base64urlsafedata v0.5.3
+  Downloaded async-task v4.7.1
+  Downloaded async-signal v0.2.13
+  Downloaded async-process v2.5.0
+  Downloaded async-io v2.6.0
+  Downloaded async-executor v1.13.3
+   Compiling proc-macro2 v1.0.103
+   Compiling unicode-ident v1.0.22
+   Compiling quote v1.0.42
+   Compiling libc v0.2.177
+   Compiling cfg-if v1.0.4
+   Compiling version_check v0.9.5
+   Compiling serde_core v1.0.228
+   Compiling memchr v2.7.6
+   Compiling smallvec v1.15.1
+   Compiling shlex v1.3.0
+   Compiling find-msvc-tools v0.1.4
+   Compiling pin-project-lite v0.2.16
+   Compiling serde v1.0.228
+error: linker `cc` not found
+  |
+  = note: No such file or directory (os error 2)
+
+   Compiling itoa v1.0.15
+error: could not compile `serde_core` (build script) due to 1 previous error
+warning: build failed, waiting for other jobs to finish...
+error: could not compile `quote` (build script) due to 1 previous error
+error: could not compile `proc-macro2` (build script) due to 1 previous error
+error: could not compile `libc` (build script) due to 1 previous error
+error: could not compile `serde` (build script) due to 1 previous error
--- a/docker/audit/output/openid_build.out
+++ b/docker/audit/output/openid_build.out
--- a/docker/audit/output/openid_deny.err
+++ b/docker/audit/output/openid_deny.err
@ -0,0 +1,2 @@
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"ar_archive_writer","version":"0.2.0"},"parents":[{"Krate":{"kind":"build","name":"psm","version":"0.1.28"},"parents":[{"Krate":{"name":"stacker","version":"0.1.22"},"parents":[{"Krate":{"name":"chumsky","version":"0.9.3"},"parents":[{"Krate":{"name":"lettre","version":"0.11.19"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}]}]}]}]}],"labels":[{"column":12,"line":22,"message":"","span":"Apache-2.0 WITH LLVM-exception"},{"column":12,"line":22,"message":"rejected: license is not explicitly allowed","span":"Apache-2.0 WITH LLVM-exception"}],"message":"failed to satisfy license requirements","notes":["Apache-2.0 - Apache License 2.0:","  - OSI approved","  - FSF Free/Libre"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"licenses":{"errors":1,"helps":536,"notes":0,"warnings":0}},"type":"summary"}
--- a/docker/audit/output/openid_deny.json
+++ b/docker/audit/output/openid_deny.json
--- a/docker/audit/output/req_exp.done
+++ b/docker/audit/output/req_exp.done
@ -0,0 +1 @@
+done
--- a/docker/audit/output/reqwest-tree_post_native.err
+++ b/docker/audit/output/reqwest-tree_post_native.err
--- a/docker/audit/output/reqwest-tree_post_native.txt
+++ b/docker/audit/output/reqwest-tree_post_native.txt
@ -0,0 +1,9 @@
+reqwest v0.12.24
+├── oauth2 v5.0.0
+│   └── openidconnect v4.0.1
+│       └── vaultwarden v1.0.0 (/workspace)
+├── opendal v0.54.1
+│   └── vaultwarden v1.0.0 (/workspace)
+├── vaultwarden v1.0.0 (/workspace)
+└── yubico_ng v0.14.1
+    └── vaultwarden v1.0.0 (/workspace)
--- a/docker/audit/output/upgrade.done
+++ b/docker/audit/output/upgrade.done
@ -0,0 +1 @@
+done
--- a/docker/audit/output/upgrade.log
+++ b/docker/audit/output/upgrade.log
@ -0,0 +1,4 @@
+1: starting updates
+2: updated reqwest
+3: updated hyper-rustls
+4: attempted webauthn update
--- a/docker/audit/output/upgrade_build.err
+++ b/docker/audit/output/upgrade_build.err
@ -0,0 +1,309 @@
+ Downloading crates ...
+  Downloaded async-stream-impl v0.3.6
+  Downloaded alloc-stdlib v0.2.2
+  Downloaded darling_macro v0.21.3
+  Downloaded devise_codegen v0.4.2
+  Downloaded derive_builder_macro v0.20.2
+  Downloaded binascii v0.1.4
+  Downloaded foreign-types-shared v0.1.1
+  Downloaded blocking v1.6.2
+  Downloaded async-stream v0.3.6
+  Downloaded glob v0.3.3
+  Downloaded futures-timer v3.0.3
+  Downloaded event-listener v2.5.3
+  Downloaded devise v0.4.2
+  Downloaded darling_macro v0.20.11
+  Downloaded diesel_table_macro_syntax v0.3.0
+  Downloaded async-global-executor v2.4.1
+  Downloaded inlinable_string v0.1.15
+  Downloaded alloc-no-stdlib v2.0.4
+  Downloaded async-channel v1.9.0
+  Downloaded pear_codegen v0.2.9
+  Downloaded dashmap v5.5.3
+  Downloaded ff v0.13.1
+  Downloaded md-5 v0.10.6
+  Downloaded hyper-tls v0.6.0
+  Downloaded is-terminal v0.4.17
+  Downloaded async-io v2.6.0
+  Downloaded num-iter v0.1.45
+  Downloaded piper v0.2.4
+  Downloaded rand_chacha v0.3.1
+  Downloaded num_threads v0.1.7
+  Downloaded ahash v0.8.12
+  Downloaded futures v0.3.31
+  Downloaded cookie v0.18.1
+  Downloaded migrations_internals v2.3.0
+  Downloaded openssl-macros v0.1.1
+  Downloaded darling v0.20.11
+  Downloaded rfc6979 v0.4.0
+  Downloaded rustc_version v0.4.1
+  Downloaded crypto-bigint v0.5.5
+  Downloaded serde-value v0.7.0
+  Downloaded der-parser v9.0.0
+  Downloaded quick-error v2.0.1
+  Downloaded psl-types v2.0.11
+  Downloaded rmpv v1.3.0
+  Downloaded sec1 v0.7.3
+  Downloaded asn1-rs-derive v0.5.1
+  Downloaded siphasher v1.0.1
+  Downloaded stacker v0.1.22
+  Downloaded thiserror v1.0.69
+  Downloaded tokio-native-tls v0.3.1
+  Downloaded syslog v7.0.0
+  Downloaded signature v2.2.0
+  Downloaded asn1-rs v0.6.2
+  Downloaded tagptr v0.2.0
+  Downloaded threadpool v1.8.1
+  Downloaded serde_with_macros v3.15.1
+  Downloaded ubyte v0.10.4
+  Downloaded primeorder v0.13.6
+  Downloaded serde_path_to_error v0.1.20
+  Downloaded num-integer v0.1.46
+  Downloaded sct v0.7.1
+  Downloaded phf_shared v0.12.1
+  Downloaded tokio-tungstenite v0.21.0
+  Downloaded darling_core v0.21.3
+  Downloaded rand v0.8.5
+  Downloaded yubico_ng v0.14.1
+  Downloaded diesel_derives v2.3.4
+  Downloaded value-bag v1.11.1
+  Downloaded webauthn-rs v0.5.3
+  Downloaded which v8.0.0
+  Downloaded utf-8 v0.7.6
+  Downloaded rocket_http v0.5.1
+  Downloaded webauthn-attestation-ca v0.5.3
+  Downloaded bigdecimal v0.4.9
+  Downloaded phf_macros v0.11.3
+  Downloaded ucd-trie v0.1.7
+  Downloaded darling_core v0.20.11
+  Downloaded xml-rs v0.8.28
+  Downloaded spin v0.9.8
+  Downloaded webauthn-rs-proto v0.5.3
+  Downloaded web-time v1.1.0
+  Downloaded serde_plain v1.0.2
+  Downloaded schemars v1.0.4
+  Downloaded yansi v1.0.1
+  Downloaded x509-parser v0.16.0
+  Downloaded rocket_codegen v0.5.1
+  Downloaded zerocopy-derive v0.8.27
+  Downloaded webauthn-rs-core v0.5.3
+  Downloaded tokio-util v0.7.16
+  Downloaded winnow v0.6.26
+  Downloaded jetscii v0.5.3
+  Downloaded serde_with v3.15.1
+  Downloaded pkcs8 v0.10.2
+  Downloaded vcpkg v0.2.15
+  Downloaded totp-lite v2.0.1
+  Downloaded tokio-macros v2.6.0
+  Downloaded webpki-roots v1.0.3
+  Downloaded syn v2.0.108
+  Downloaded pest_derive v2.8.3
+  Downloaded password-hash v0.5.0
+  Downloaded indexmap v1.9.3
+  Downloaded group v0.13.0
+  Downloaded diesel v2.3.3
+  Downloaded jsonwebtoken v9.3.1
+  Downloaded half v2.7.1
+  Downloaded litrs v1.0.0
+  Downloaded native-tls v0.2.14
+  Downloaded rustls v0.21.12
+  Downloaded rocket v0.5.1
+  Downloaded triomphe v0.1.15
+  Downloaded tokio-rustls v0.24.1
+  Downloaded state v0.6.0
+  Downloaded polling v3.11.0
+  Downloaded handlebars v6.3.2
+  Downloaded quote v1.0.41
+  Downloaded lasso v0.7.3
+  Downloaded publicsuffix v2.3.0
+  Downloaded brotli v8.0.2
+  Downloaded pest_meta v2.8.3
+  Downloaded hickory-resolver v0.25.2
+  Downloaded chrono-tz v0.10.4
+  Downloaded hashbrown v0.12.3
+  Downloaded pest_generator v2.8.3
+  Downloaded mini-moka v0.10.3
+  Downloaded socket2 v0.5.10
+  Downloaded p256 v0.13.2
+  Downloaded quanta v0.12.6
+  Downloaded psm v0.1.28
+  Downloaded pkcs1 v0.7.5
+  Downloaded phf_generator v0.11.3
+  Downloaded pem-rfc7468 v0.7.0
+  Downloaded pear v0.2.9
+  Downloaded num-order v1.2.0
+  Downloaded num-modular v0.6.1
+  Downloaded multer v3.1.0
+  Downloaded curve25519-dalek v4.1.3
+  Downloaded tungstenite v0.21.0
+  Downloaded http v0.2.12
+  Downloaded num-bigint v0.4.6
+  Downloaded html5gum v0.8.0
+  Downloaded oauth2 v5.0.0
+  Downloaded openssl-sys v0.9.110
+  Downloaded uuid v1.18.1
+  Downloaded rsa v0.9.8
+  Downloaded itertools v0.10.5
+  Downloaded minimal-lexical v0.2.1
+  Downloaded hashbrown v0.14.5
+  Downloaded hex v0.4.3
+  Downloaded rusticata-macros v4.1.0
+  Downloaded hostname v0.4.1
+  Downloaded rustls-webpki v0.101.7
+  Downloaded raw-cpuid v11.6.0
+  Downloaded nom v7.1.3
+  Downloaded num-bigint-dig v0.8.4
+  Downloaded chrono v0.4.42
+  Downloaded async-std v1.13.2
+  Downloaded pest v2.8.3
+  Downloaded governor v0.10.1
+  Downloaded lettre v0.11.19
+  Downloaded phf v0.12.1
+  Downloaded brotli-decompressor v5.0.0
+  Downloaded nom v8.0.0
+  Downloaded libm v0.2.15
+  Downloaded hyper v0.14.32
+  Downloaded openidconnect v4.0.1
+  Downloaded hkdf v0.12.4
+  Downloaded portable-atomic v1.11.1
+  Downloaded grass_compiler v0.13.4
+  Downloaded p384 v0.13.1
+  Downloaded quick-xml v0.38.3
+  Downloaded iri-string v0.7.8
+  Downloaded rtoolbox v0.0.3
+  Downloaded rpassword v7.4.0
+  Downloaded r2d2 v0.8.10
+  Downloaded iana-time-zone v0.1.64
+  Downloaded moka v0.12.11
+  Downloaded schemars v0.9.0
+  Downloaded object v0.32.2
+  Downloaded openssl v0.10.74
+  Downloaded rustls-pemfile v1.0.4
+  Downloaded nonzero_ext v0.3.0
+  Downloaded hmac v0.12.1
+  Downloaded base64 v0.21.7
+  Downloaded rustls v0.23.34
+  Downloaded pico-args v0.5.0
+  Downloaded hickory-proto v0.25.2
+  Downloaded oid-registry v0.7.1
+  Downloaded cc v1.2.43
+  Downloaded tokio-stream v0.1.17
+  Downloaded thiserror-impl v1.0.69
+  Downloaded svg-hush v0.9.5
+  Downloaded spinning_top v0.3.0
+  Downloaded pem v3.0.6
+  Downloaded ordered-float v2.10.1
+  Downloaded uncased v0.9.10
+  Downloaded quoted_printable v0.5.1
+  Downloaded proc-macro2-diagnostics v0.10.1
+  Downloaded phf v0.11.3
+  Downloaded pastey v0.1.1
+  Downloaded num_cpus v1.17.0
+  Downloaded serde_cbor_2 v0.13.0
+  Downloaded parking v2.2.1
+  Downloaded kv-log-macro v1.0.7
+  Downloaded stable-pattern v0.1.0
+  Downloaded spki v0.7.3
+  Downloaded job_scheduler_ng v2.4.0
+  Downloaded event-listener-strategy v0.5.4
+  Downloaded simple_asn1 v0.6.3
+  Downloaded opendal v0.54.1
+  Downloaded scheduled-thread-pool v0.2.7
+  Downloaded rocket_ws v0.1.1
+  Downloaded num-derive v0.4.2
+  Downloaded ed25519-dalek v2.2.0
+  Downloaded der v0.7.10
+  Downloaded env_home v0.1.0
+  Downloaded elliptic-curve v0.13.8
+  Downloaded data-encoding v2.9.0
+  Downloaded cookie_store v0.21.1
+  Downloaded async-task v4.7.1
+  Downloaded const-oid v0.9.6
+  Downloaded async-lock v3.4.1
+  Downloaded migrations_macros v2.3.0
+  Downloaded http-body v0.4.6
+  Downloaded futures-lite v2.6.1
+  Downloaded devise_core v0.4.2
+  Downloaded derive_more-impl v2.0.1
+  Downloaded chumsky v0.9.3
+  Downloaded resolv-conf v0.7.5
+  Downloaded reopen v1.0.3
+  Downloaded ref-cast-impl v1.0.25
+  Downloaded ref-cast v1.0.25
+  Downloaded rand_core v0.6.4
+  Downloaded ed25519 v2.2.3
+  Downloaded figment v0.10.19
+  Downloaded derive_more v2.0.1
+  Downloaded cached v0.56.0
+  Downloaded argon2 v0.5.3
+  Downloaded ar_archive_writer v0.2.0
+  Downloaded base64ct v1.8.0
+  Downloaded atomic v0.5.3
+  Downloaded asn1-rs-impl v0.2.0
+  Downloaded foreign-types v0.3.2
+  Downloaded dyn-clone v1.0.20
+  Downloaded darling v0.21.3
+  Downloaded base64urlsafedata v0.5.3
+  Downloaded event-listener v5.4.1
+  Downloaded ecdsa v0.16.9
+  Downloaded backon v1.6.0
+  Downloaded phf_shared v0.11.3
+  Downloaded httpdate v1.0.3
+  Downloaded derive_builder v0.20.2
+  Downloaded dashmap v6.1.0
+  Downloaded cookie_store v0.22.0
+  Downloaded futures-macro v0.3.31
+  Downloaded diesel-derive-newtype v2.1.2
+  Downloaded derive_builder_core v0.20.2
+  Downloaded data-url v0.3.2
+  Downloaded cached_proc_macro v0.25.0
+  Downloaded blake2 v0.10.6
+  Downloaded async-channel v2.5.0
+  Downloaded email_address v0.2.9
+  Downloaded email-encoding v0.4.1
+  Downloaded downcast-rs v2.0.2
+  Downloaded concurrent-queue v2.5.0
+  Downloaded cached_proc_macro_types v0.1.1
+  Downloaded futures-executor v0.3.31
+  Downloaded dsl_auto_type v0.2.0
+  Downloaded document-features v0.2.12
+  Downloaded base16ct v0.2.0
+  Downloaded async-trait v0.1.89
+  Downloaded async-process v2.5.0
+  Downloaded async-executor v1.13.3
+  Downloaded enum-as-inner v0.6.1
+  Downloaded dotenvy v0.15.7
+  Downloaded diesel_migrations v2.3.0
+  Downloaded curve25519-dalek-derive v0.1.1
+  Downloaded critical-section v1.2.0
+  Downloaded codemap v0.1.3
+  Downloaded async-signal v0.2.13
+  Downloaded cron v0.15.0
+   Compiling proc-macro2 v1.0.103
+   Compiling quote v1.0.41
+   Compiling unicode-ident v1.0.22
+   Compiling libc v0.2.177
+   Compiling cfg-if v1.0.4
+   Compiling version_check v0.9.5
+   Compiling serde_core v1.0.228
+   Compiling memchr v2.7.6
+   Compiling smallvec v1.15.1
+   Compiling shlex v1.3.0
+   Compiling find-msvc-tools v0.1.4
+   Compiling serde v1.0.228
+   Compiling pin-project-lite v0.2.16
+   Compiling itoa v1.0.15
+   Compiling zeroize v1.8.2
+   Compiling portable-atomic v1.11.1
+error: linker `cc` not found
+  |
+  = note: No such file or directory (os error 2)
+
+   Compiling fnv v1.0.7
+error: could not compile `proc-macro2` (build script) due to 1 previous error
+warning: build failed, waiting for other jobs to finish...
+error: could not compile `serde` (build script) due to 1 previous error
+error: could not compile `serde_core` (build script) due to 1 previous error
+error: could not compile `quote` (build script) due to 1 previous error
+error: could not compile `libc` (build script) due to 1 previous error
+error: could not compile `portable-atomic` (build script) due to 1 previous error
--- a/docker/audit/output/upgrade_build.out
+++ b/docker/audit/output/upgrade_build.out
--- a/docker/audit/output/upgrade_deny.err
+++ b/docker/audit/output/upgrade_deny.err
@ -0,0 +1,8 @@
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"ar_archive_writer","version":"0.2.0"},"parents":[{"Krate":{"kind":"build","name":"psm","version":"0.1.28"},"parents":[{"Krate":{"name":"stacker","version":"0.1.22"},"parents":[{"Krate":{"name":"chumsky","version":"0.9.3"},"parents":[{"Krate":{"name":"lettre","version":"0.11.19"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}]}]}]}]}],"labels":[{"column":12,"line":22,"message":"","span":"Apache-2.0 WITH LLVM-exception"},{"column":12,"line":22,"message":"rejected: license is not explicitly allowed","span":"Apache-2.0 WITH LLVM-exception"}],"message":"failed to satisfy license requirements","notes":["Apache-2.0 - Apache License 2.0:","  - OSI approved","  - FSF Free/Libre"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"base64urlsafedata","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-attestation-ca","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"repeat":true},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"repeat":true},{"Krate":{"name":"webauthn-rs-proto","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"repeat":true}]}]}],"labels":[{"column":12,"line":35,"message":"","span":"MPL-2.0"},{"column":12,"line":35,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:","  - OSI approved","  - FSF Free/Libre","  - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-attestation-ca","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]}],"labels":[{"column":12,"line":30,"message":"","span":"MPL-2.0"},{"column":12,"line":30,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:","  - OSI approved","  - FSF Free/Libre","  - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}],"labels":[{"column":12,"line":39,"message":"","span":"MPL-2.0"},{"column":12,"line":39,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:","  - OSI approved","  - FSF Free/Libre","  - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}],"labels":[{"column":12,"line":38,"message":"","span":"MPL-2.0"},{"column":12,"line":38,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:","  - OSI approved","  - FSF Free/Libre","  - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs-proto","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]}],"labels":[{"column":12,"line":38,"message":"","span":"MPL-2.0"},{"column":12,"line":38,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:","  - OSI approved","  - FSF Free/Libre","  - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webpki-roots","version":"1.0.3"},"parents":[{"Krate":{"name":"hyper-rustls","version":"0.27.7"},"parents":[{"Krate":{"name":"reqwest","version":"0.12.24"},"parents":[{"Krate":{"name":"oauth2","version":"5.0.0"},"parents":[{"Krate":{"name":"openidconnect","version":"4.0.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}]},{"Krate":{"name":"opendal","version":"0.54.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]},{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"yubico_ng","version":"0.14.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]},{"Krate":{"name":"reqwest","version":"0.12.24"},"repeat":true}]}],"labels":[{"column":12,"line":26,"message":"","span":"CDLA-Permissive-2.0"},{"column":12,"line":26,"message":"rejected: license is not explicitly allowed","span":"CDLA-Permissive-2.0"}],"message":"failed to satisfy license requirements","notes":["CDLA-Permissive-2.0 - Community Data License Agreement Permissive 2.0:","  - No additional metadata available for license"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"licenses":{"errors":7,"helps":530,"notes":0,"warnings":0}},"type":"summary"}
--- a/docker/audit/output/upgrade_deny.json
+++ b/docker/audit/output/upgrade_deny.json
--- a/docker/audit/output/webauthn-tree.err
+++ b/docker/audit/output/webauthn-tree.err
@ -0,0 +1,288 @@
+info: syncing channel updates for '1.91.0-x86_64-unknown-linux-gnu'
+info: latest update on 2025-10-30, rust version 1.91.0 (f8297e351 2025-10-28)
+info: downloading component 'clippy'
+info: downloading component 'rustfmt'
+info: installing component 'clippy'
+info: installing component 'rustfmt'
+    Updating crates.io index
+ Downloading crates ...
+  Downloaded ahash v0.8.12
+  Downloaded darling v0.20.11
+  Downloaded chumsky v0.9.3
+  Downloaded kv-log-macro v1.0.7
+  Downloaded http-body v0.4.6
+  Downloaded inlinable_string v0.1.15
+  Downloaded openssl-macros v0.1.1
+  Downloaded asn1-rs-impl v0.2.0
+  Downloaded der-parser v9.0.0
+  Downloaded async-channel v1.9.0
+  Downloaded psl-types v2.0.11
+  Downloaded futures-timer v3.0.3
+  Downloaded httpdate v1.0.3
+  Downloaded binascii v0.1.4
+  Downloaded async-stream-impl v0.3.6
+  Downloaded num_threads v0.1.7
+  Downloaded migrations_internals v2.3.0
+  Downloaded glob v0.3.3
+  Downloaded hex v0.4.3
+  Downloaded hostname v0.4.1
+  Downloaded alloc-stdlib v0.2.2
+  Downloaded pem v3.0.6
+  Downloaded num-order v1.2.0
+  Downloaded phf v0.11.3
+  Downloaded multer v3.1.0
+  Downloaded pear v0.2.9
+  Downloaded phf_macros v0.11.3
+  Downloaded parking v2.2.1
+  Downloaded hyper-tls v0.6.0
+  Downloaded pico-args v0.5.0
+  Downloaded num_cpus v1.17.0
+  Downloaded jetscii v0.5.3
+  Downloaded base64urlsafedata v0.5.3
+  Downloaded cached_proc_macro_types v0.1.1
+  Downloaded oid-registry v0.7.1
+  Downloaded md-5 v0.10.6
+  Downloaded group v0.13.0
+  Downloaded diesel_table_macro_syntax v0.3.0
+  Downloaded num-derive v0.4.2
+  Downloaded async-stream v0.3.6
+  Downloaded num-integer v0.1.46
+  Downloaded darling_macro v0.21.3
+  Downloaded foreign-types-shared v0.1.1
+  Downloaded is-terminal v0.4.17
+  Downloaded devise_codegen v0.4.2
+  Downloaded pear_codegen v0.2.9
+  Downloaded derive_builder_macro v0.20.2
+  Downloaded foreign-types v0.3.2
+  Downloaded darling_macro v0.20.11
+  Downloaded argon2 v0.5.3
+  Downloaded alloc-no-stdlib v2.0.4
+  Downloaded cached_proc_macro v0.25.0
+  Downloaded async-global-executor v2.4.1
+  Downloaded asn1-rs-derive v0.5.1
+  Downloaded async-signal v0.2.13
+  Downloaded async-channel v2.5.0
+  Downloaded blocking v1.6.2
+  Downloaded atomic v0.5.3
+  Downloaded devise v0.4.2
+  Downloaded job_scheduler_ng v2.4.0
+  Downloaded pkcs8 v0.10.2
+  Downloaded quanta v0.12.6
+  Downloaded base16ct v0.2.0
+  Downloaded indexmap v1.9.3
+  Downloaded password-hash v0.5.0
+  Downloaded num-iter v0.1.45
+  Downloaded downcast-rs v2.0.2
+  Downloaded ordered-float v2.10.1
+  Downloaded diesel-derive-newtype v2.1.2
+  Downloaded dsl_auto_type v0.2.0
+  Downloaded r2d2 v0.8.10
+  Downloaded ref-cast v1.0.25
+  Downloaded nonzero_ext v0.3.0
+  Downloaded futures-executor v0.3.31
+  Downloaded migrations_macros v2.3.0
+  Downloaded dashmap v5.5.3
+  Downloaded diesel_migrations v2.3.0
+  Downloaded dotenvy v0.15.7
+  Downloaded data-encoding v2.9.0
+  Downloaded ff v0.13.1
+  Downloaded document-features v0.2.12
+  Downloaded native-tls v0.2.14
+  Downloaded pem-rfc7468 v0.7.0
+  Downloaded primeorder v0.13.6
+  Downloaded concurrent-queue v2.5.0
+  Downloaded cron v0.15.0
+  Downloaded piper v0.2.4
+  Downloaded event-listener-strategy v0.5.4
+  Downloaded env_home v0.1.0
+  Downloaded codemap v0.1.3
+  Downloaded devise_core v0.4.2
+  Downloaded quoted_printable v0.5.1
+  Downloaded phf_generator v0.11.3
+  Downloaded event-listener v2.5.3
+  Downloaded phf_shared v0.12.1
+  Downloaded futures-macro v0.3.31
+  Downloaded quick-error v2.0.1
+  Downloaded ar_archive_writer v0.2.0
+  Downloaded curve25519-dalek-derive v0.1.1
+  Downloaded email-encoding v0.4.1
+  Downloaded dyn-clone v1.0.20
+  Downloaded ed25519 v2.2.3
+  Downloaded proc-macro2-diagnostics v0.10.1
+  Downloaded data-url v0.3.2
+  Downloaded phf_shared v0.11.3
+  Downloaded async-task v4.7.1
+  Downloaded blake2 v0.10.6
+  Downloaded resolv-conf v0.7.5
+  Downloaded pastey v0.1.1
+  Downloaded phf v0.12.1
+  Downloaded derive_builder_core v0.20.2
+  Downloaded ref-cast-impl v1.0.25
+  Downloaded rand_core v0.6.4
+  Downloaded rfc6979 v0.4.0
+  Downloaded rand_chacha v0.3.1
+  Downloaded reopen v1.0.3
+  Downloaded hmac v0.12.1
+  Downloaded uncased v0.9.10
+  Downloaded iana-time-zone v0.1.64
+  Downloaded base64ct v1.8.0
+  Downloaded async-process v2.5.0
+  Downloaded serde_plain v1.0.2
+  Downloaded pest_derive v2.8.3
+  Downloaded email_address v0.2.9
+  Downloaded rocket_ws v0.1.1
+  Downloaded async-executor v1.13.3
+  Downloaded ecdsa v0.16.9
+  Downloaded psm v0.1.28
+  Downloaded cookie_store v0.22.0
+  Downloaded litrs v1.0.0
+  Downloaded async-trait v0.1.89
+  Downloaded quote v1.0.41
+  Downloaded enum-as-inner v0.6.1
+  Downloaded critical-section v1.2.0
+  Downloaded dashmap v6.1.0
+  Downloaded cookie_store v0.21.1
+  Downloaded pkcs1 v0.7.5
+  Downloaded stable-pattern v0.1.0
+  Downloaded stacker v0.1.22
+  Downloaded utf-8 v0.7.6
+  Downloaded rustc_version v0.4.1
+  Downloaded rtoolbox v0.0.3
+  Downloaded serde-value v0.7.0
+  Downloaded scheduled-thread-pool v0.2.7
+  Downloaded tagptr v0.2.0
+  Downloaded syslog v7.0.0
+  Downloaded threadpool v1.8.1
+  Downloaded rusticata-macros v4.1.0
+  Downloaded simple_asn1 v0.6.3
+  Downloaded tokio-macros v2.6.0
+  Downloaded thiserror v1.0.69
+  Downloaded totp-lite v2.0.1
+  Downloaded half v2.7.1
+  Downloaded rmpv v1.3.0
+  Downloaded backon v1.6.0
+  Downloaded serde_with_macros v3.15.1
+  Downloaded yubico_ng v0.14.1
+  Downloaded async-lock v3.4.1
+  Downloaded serde_path_to_error v0.1.20
+  Downloaded rustls-pemfile v1.0.4
+  Downloaded sec1 v0.7.3
+  Downloaded futures v0.3.31
+  Downloaded futures-lite v2.6.1
+  Downloaded signature v2.2.0
+  Downloaded async-io v2.6.0
+  Downloaded hickory-resolver v0.25.2
+  Downloaded http v0.2.12
+  Downloaded elliptic-curve v0.13.8
+  Downloaded svg-hush v0.9.5
+  Downloaded spki v0.7.3
+  Downloaded state v0.6.0
+  Downloaded num-modular v0.6.1
+  Downloaded cookie v0.18.1
+  Downloaded ubyte v0.10.4
+  Downloaded jsonwebtoken v9.3.1
+  Downloaded derive_builder v0.20.2
+  Downloaded const-oid v0.9.6
+  Downloaded webauthn-attestation-ca v0.5.3
+  Downloaded tokio-rustls v0.24.1
+  Downloaded tokio-native-tls v0.3.1
+  Downloaded sct v0.7.1
+  Downloaded thiserror-impl v1.0.69
+  Downloaded p256 v0.13.2
+  Downloaded webauthn-rs-proto v0.5.3
+  Downloaded tokio-tungstenite v0.21.0
+  Downloaded tokio-stream v0.1.17
+  Downloaded pest_generator v2.8.3
+  Downloaded web-time v1.1.0
+  Downloaded triomphe v0.1.15
+  Downloaded webauthn-rs v0.5.3
+  Downloaded which v8.0.0
+  Downloaded spinning_top v0.3.0
+  Downloaded siphasher v1.0.1
+  Downloaded spin v0.9.8
+  Downloaded hashbrown v0.12.3
+  Downloaded event-listener v5.4.1
+  Downloaded derive_more v2.0.1
+  Downloaded cached v0.56.0
+  Downloaded darling_core v0.20.11
+  Downloaded lasso v0.7.3
+  Downloaded darling_core v0.21.3
+  Downloaded darling v0.21.3
+  Downloaded serde_cbor_2 v0.13.0
+  Downloaded pest_meta v2.8.3
+  Downloaded mini-moka v0.10.3
+  Downloaded polling v3.11.0
+  Downloaded socket2 v0.5.10
+  Downloaded base64 v0.21.7
+  Downloaded handlebars v6.3.2
+  Downloaded crypto-bigint v0.5.5
+  Downloaded figment v0.10.19
+  Downloaded ucd-trie v0.1.7
+  Downloaded minimal-lexical v0.2.1
+  Downloaded publicsuffix v2.3.0
+  Downloaded oauth2 v5.0.0
+  Downloaded asn1-rs v0.6.2
+  Downloaded html5gum v0.8.0
+  Downloaded xml-rs v0.8.28
+  Downloaded num-bigint v0.4.6
+  Downloaded tungstenite v0.21.0
+  Downloaded openssl-sys v0.9.110
+  Downloaded uuid v1.18.1
+  Downloaded value-bag v1.11.1
+  Downloaded num-bigint-dig v0.8.4
+  Downloaded rsa v0.9.8
+  Downloaded schemars v0.9.0
+  Downloaded itertools v0.10.5
+  Downloaded der v0.7.10
+  Downloaded rand v0.8.5
+  Downloaded derive_more-impl v2.0.1
+  Downloaded rocket_http v0.5.1
+  Downloaded yansi v1.0.1
+  Downloaded zerocopy-derive v0.8.27
+  Downloaded cc v1.2.43
+  Downloaded diesel_derives v2.3.4
+  Downloaded ed25519-dalek v2.2.0
+  Downloaded schemars v1.0.4
+  Downloaded nom v8.0.0
+  Downloaded bigdecimal v0.4.9
+  Downloaded rpassword v7.4.0
+  Downloaded tokio-util v0.7.16
+  Downloaded nom v7.1.3
+  Downloaded x509-parser v0.16.0
+  Downloaded hashbrown v0.14.5
+  Downloaded raw-cpuid v11.6.0
+  Downloaded governor v0.10.1
+  Downloaded rocket_codegen v0.5.1
+  Downloaded libm v0.2.15
+  Downloaded pest v2.8.3
+  Downloaded hkdf v0.12.4
+  Downloaded grass_compiler v0.13.4
+  Downloaded brotli-decompressor v5.0.0
+  Downloaded iri-string v0.7.8
+  Downloaded webauthn-rs-core v0.5.3
+  Downloaded winnow v0.6.26
+  Downloaded lettre v0.11.19
+  Downloaded chrono v0.4.42
+  Downloaded async-std v1.13.2
+  Downloaded vcpkg v0.2.15
+  Downloaded portable-atomic v1.11.1
+  Downloaded openidconnect v4.0.1
+  Downloaded quick-xml v0.38.3
+  Downloaded p384 v0.13.1
+  Downloaded rustls-webpki v0.101.7
+  Downloaded hyper v0.14.32
+  Downloaded curve25519-dalek v4.1.3
+  Downloaded diesel v2.3.3
+  Downloaded serde_with v3.15.1
+  Downloaded rustls v0.23.34
+  Downloaded moka v0.12.11
+  Downloaded brotli v8.0.2
+  Downloaded chrono-tz v0.10.4
+  Downloaded openssl v0.10.74
+  Downloaded webpki-roots v1.0.3
+  Downloaded object v0.32.2
+  Downloaded rustls v0.21.12
+  Downloaded rocket v0.5.1
+  Downloaded syn v2.0.108
+  Downloaded hickory-proto v0.25.2
+  Downloaded opendal v0.54.1
--- a/docker/audit/output/webauthn-tree.txt
+++ b/docker/audit/output/webauthn-tree.txt
@ -0,0 +1,2 @@
+webauthn-rs v0.5.3
+└── vaultwarden v1.0.0 (/workspace)
--- a/docker/audit/output/webauthn_search.err
+++ b/docker/audit/output/webauthn_search.err
@ -0,0 +1,7 @@
+info: syncing channel updates for '1.91.0-x86_64-unknown-linux-gnu'
+info: latest update on 2025-10-30, rust version 1.91.0 (f8297e351 2025-10-28)
+info: downloading component 'clippy'
+info: downloading component 'rustfmt'
+info: installing component 'clippy'
+info: installing component 'rustfmt'
+note: to learn more about a package, run `cargo info <name>`
--- a/docker/audit/output/webauthn_search.txt
+++ b/docker/audit/output/webauthn_search.txt
@ -0,0 +1,9 @@
+webauthn-rs = "0.5.3"                            # Webauthn Framework for Rust Web Servers
+cable-tunnel-server-common = "0.1.0"             # Common components for webauthn-rs' caBLE tunnel server backend and frontend
+cable-tunnel-server-backend = "0.1.0"            # webauthn-rs caBLE tunnel server backend
+cable-tunnel-server-frontend = "0.1.0"           # webauthn-rs caBLE tunnel server frontend
+webauthn-rs-proto = "0.5.3"                      # Webauthn Specification Bindings
+webauthn-rs-core = "0.5.3"                       # Webauthn Cryptographic Operation Handling
+tmuntaner-webauthn = "0.1.0-alpha.18"            # A webauthn client
+webauthn-rp-proxy = "0.5.0"                      # Webauthn RP CLI Proxy
+webauthn-rs-device-catalog = "0.5.0-20230418"    # Webauthn RS Device Catalog
--- a/docker/audit/output/webpki-tree.err
+++ b/docker/audit/output/webpki-tree.err
--- a/docker/audit/output/webpki-tree.txt
+++ b/docker/audit/output/webpki-tree.txt
@ -0,0 +1,12 @@
+webpki-roots v1.0.3
+├── hyper-rustls v0.27.7
+│   └── reqwest v0.12.24
+│       ├── oauth2 v5.0.0
+│       │   └── openidconnect v4.0.1
+│       │       └── vaultwarden v1.0.0 (/workspace)
+│       ├── opendal v0.54.1
+│       │   └── vaultwarden v1.0.0 (/workspace)
+│       ├── vaultwarden v1.0.0 (/workspace)
+│       └── yubico_ng v0.14.1
+│           └── vaultwarden v1.0.0 (/workspace)
+└── reqwest v0.12.24 (*)
--- a/docker/audit/output/webpki-tree_post_native.err
+++ b/docker/audit/output/webpki-tree_post_native.err
--- a/docker/audit/output/webpki-tree_post_native.txt
+++ b/docker/audit/output/webpki-tree_post_native.txt
@ -0,0 +1,12 @@
+webpki-roots v1.0.3
+├── hyper-rustls v0.27.7
+│   └── reqwest v0.12.24
+│       ├── oauth2 v5.0.0
+│       │   └── openidconnect v4.0.1
+│       │       └── vaultwarden v1.0.0 (/workspace)
+│       ├── opendal v0.54.1
+│       │   └── vaultwarden v1.0.0 (/workspace)
+│       ├── vaultwarden v1.0.0 (/workspace)
+│       └── yubico_ng v0.14.1
+│           └── vaultwarden v1.0.0 (/workspace)
+└── reqwest v0.12.24 (*)
--- a/docker/audit/pr-body.txt
+++ b/docker/audit/pr-body.txt
@ -0,0 +1,21 @@
+security(audit): remediation scaffold + deny policy
+
+This draft PR adds cargo-deny policy, a GitHub Actions audit workflow, and a local security audit note. It contains temporary, timeboxed ignore entries to allow iteration while remediation is planned.
+
+Key artifacts:
+- Audit note: SECURITY-AUDIT-2025-11-09.md
+- Tracking file: issues/TRACK-2025-11-09-RSA-PASTE.md
+- Exceptions added to deny.toml (advisories.ignore = ["RUSTSEC-2023-0071", "RUSTSEC-2024-0436"]) with expiry 2026-02-01
+
+Required checklist before merging:
+- [ ] Assign an owner for TRACK-2025-11-09-RSA-PASTE.md and confirm investigation steps (run `cargo tree -i rsa` and `cargo tree -i paste`).
+- [ ] Agree remediation path for RUSTSEC-2023-0071 (rsa): either a published upstream bump avoiding `rsa`, an alternative crate, or a vetted vendor shim. Attach a follow-up PR when chosen.
+- [ ] Agree remediation path for RUSTSEC-2024-0436 (paste): upgrade or replace the dependency chain (rmp/rmpv) or use a maintained alternative. Attach a follow-up PR when chosen.
+- [ ] Add unit/integration tests verifying replacement behavior (auth/serialization flows) in follow-up PR(s).
+- [ ] Remove the `advisories.ignore` entries from `deny.toml` and re-run the audit in CI to ensure no advisories remain.
+- [ ] Review license failures and add targeted license exceptions or plan replacements for crates with unapproved licenses.
+
+Notes:
+- The repository's Issues feature is disabled; use the tracking file in this branch (`issues/TRACK-2025-11-09-RSA-PASTE.md`) and the PR comment for workflow until issues are enabled.
+
+This PR is a draft while remediation work is planned and executed.
--- a/docker/audit/run-audit.ps1
+++ b/docker/audit/run-audit.ps1
@ -0,0 +1,28 @@
+param(
+    [string]$Workspace = "$PSScriptRoot\..\..",
+    [string]$ImageName = "vaultwarden-audit:latest"
+)
+
+Push-Location $PSScriptRoot
+try {
+    Write-Host "Building Docker image '$ImageName' (this may take several minutes)..."
+    docker build -t $ImageName .
+
+    Write-Host "Running audit container... outputs will be written to: $Workspace"
+    docker run --rm -v "${Workspace}:/workspace" -w /workspace $ImageName bash -lc '
+        set -euo pipefail
+        echo "=== cargo-audit --version ==="
+        /usr/local/cargo/bin/cargo-audit --version || true
+        echo "=== cargo-audit report ==="
+        /usr/local/cargo/bin/cargo-audit -q || true
+        echo "=== cargo-deny --version ==="
+        /usr/local/cargo/bin/cargo-deny --version || true
+        echo "=== cargo-deny advisories ==="
+        /usr/local/cargo/bin/cargo-deny check advisories --manifest-path Cargo.toml || true
+        echo "=== cargo-deny licenses ==="
+        /usr/local/cargo/bin/cargo-deny check licenses --manifest-path Cargo.toml || true
+    '
+}
+finally {
+    Pop-Location
+}
--- a/issues/EXP-REQWEST-WEBAUTHN-2025-11-10.md
+++ b/issues/EXP-REQWEST-WEBAUTHN-2025-11-10.md
@ -0,0 +1,30 @@
+# Experiment: reqwest(native-tls) & webauthn-rs bump (2025-11-10)
+
+Summary
+-------
+Two non-destructive experiments were executed in a copied workspace to evaluate remediation paths for the top license clusters.
+
+1) reqwest/native-tls experiment
+- Script: `docker/audit/exp/reqwest_native_exp.sh`
+- Action: attempted to prefer `native-tls` for `reqwest` by editing `Cargo.toml`, running `cargo update -p reqwest`, and running `cargo-deny` (licenses) in a workspace copy.
+- Result: `cargo-deny` reduced license errors to a single error: `ar_archive_writer v0.2.0` (license: Apache-2.0 WITH LLVM-exception) via `lettre` -> `psm` -> `stacker` -> `chumsky` -> `vaultwarden` path. The `webpki-roots` (CDLA-Permissive-2.0) failure was removed in this experiment.
+- Artifacts: `docker/audit/output/deny_reqwest_native.err` (diagnostic), `docker/audit/output/deny_reqwest_native.json` (may be empty), `docker/audit/output/req_exp.done` (marker).
+
+2) webauthn-rs bump experiment
+- Script: `docker/audit/exp/patch_and_run.sh`
+- Action: in a workspace copy, attempted to bump `webauthn-rs` to `0.6` and ran `cargo update -p webauthn-rs` and `cargo-deny` (licenses).
+- Result: MPL-2.0 failures related to the `webauthn-rs` family were removed by the non-destructive bump attempt (in the copied workspace experiment). The remaining single license rejection (same as above) persisted.
+- Artifacts: `docker/audit/output/deny_licenses.err`, `docker/audit/output/deny_licenses.json` (may be empty), `docker/audit/output/exp.done`.
+
+Conclusion & recommended next step
+--------------------------------
+- Both experiments significantly reduced the license noise: from the previously reported set down to one remaining rejection: `ar_archive_writer v0.2.0` (Apache-2.0 WITH LLVM-exception).
+- Recommended immediate actions:
+  1. Decide whether to temporarily allow `Apache-2.0 WITH LLVM-exception` in `deny.toml` (timeboxed) to unblock CI, OR
+  2. Investigate the `lettre`/`psm` chain to find alternative crates or versions that avoid `ar_archive_writer`.
+- If you approve, I can open a follow-up branch that applies the minimal change (either temporary allowlist addition or a patch bump) and run CI to verify `cargo-deny` cleanly passes.
+
+Notes
+-----
+- All changes in these experiments were done in copied workspaces inside the audit container and did not modify the main branch's `Cargo.toml` or lockfile.
+- Full experiment artifacts are saved under `docker/audit/output/` in the repository workspace.
--- a/issues/FEASIBILITY-WEBAUTHN-WEBPKI.md
+++ b/issues/FEASIBILITY-WEBAUTHN-WEBPKI.md
@ -0,0 +1,115 @@
+Feasibility report: webauthn-rs (MPL-2.0) and webpki-roots (CDLA-Permissive-2.0)
+
+Date: 2025-11-09
+Branch: remediations/audit-2025-11-09
+
+Summary
+-------
+This short report captures the dependency graph findings and remediation options for the two license clusters discovered by cargo-deny:
+
+- webauthn-rs family (webauthn-rs, webauthn-rs-core, webauthn-rs-proto, webauthn-attestation-ca) — license: MPL-2.0
+- webpki-roots — license: CDLA-Permissive-2.0 (pulled transitively via `reqwest` / `hyper-rustls` in our graph)
+
+Reverse-dependency findings (what pulled them into the workspace)
+---------------------------------------------------------------
+- `webauthn-rs v0.5.3` is a direct dependency in `Cargo.toml` (we use features: `danger-allow-state-serialisation`, `danger-credential-internals`).
+  - Reverse deps: `webauthn-rs v0.5.3` -> `vaultwarden v1.0.0` (direct)
+
+- `webpki-roots v1.0.3` is transitive via the HTTP/TLS stack:
+  - webpki-roots v1.0.3 -> hyper-rustls v0.27.7 -> reqwest v0.12.24 -> openidconnect v4.0.1 -> vaultwarden v1.0.0
+  - reqwest is also used in other paths (opendal, yubico-ng, etc.) so webpki-roots appears multiple times transitively.
+
+Feasibility and remediation options (short)
+-------------------------------------------
+For each cluster below I list pragmatic options, effort estimate, and recommended next action.
+
+1) webauthn-rs (MPL-2.0)
+
+Options:
+- Upgrade: check whether `webauthn-rs` publishes a newer version with a different license. If a newer release exists that uses a more permissive license (or is relicensed), upgrade and test. Effort: low-to-moderate (run `cargo update -p webauthn-rs` and run tests; review any breaking API/behaviour changes).
+- Replace: adopt an alternative WebAuthn crate or implement minimal functionality in-house. Effort: medium-to-high depending on coverage and features used (we currently enable two non-trivial features).
+- Vendor / shim: vendor the needed logic into the repo (or a small wrapper using a different crypto backend) and maintain it as in-tree or as a local crate. Effort: medium; maintenance burden shifts to the project.
+- Per-crate exception: timeboxed exception for `webauthn-rs*` in `deny.toml`. Effort: trivial config change but increases audit scope (temporary).
+
+Likelihood / comments:
+- Because `webauthn-rs` is a direct dependency and we enable special features for state/credential internals, replacing it may be disruptive.
+- First attempt should be: verify upstream for newer versions (minor patch/feature releases), test upgrade locally, and evaluate behavior differences.
+
+Recommended immediate action for webauthn-rs:
+- Run `cargo search` / check crates.io for `webauthn-rs` releases (manual step / maintainers action).
+- Locally try `cargo update -p webauthn-rs` then run the test suite and exercise WebAuthn flows.
+- If upgrade is not available or disruptive, open a narrow, documented, timeboxed per-crate exception for the `webauthn-rs` family while planning a replacement path.
+
+2) webpki-roots (CDLA-Permissive-2.0)
+
+Options:
+- Swap TLS backend or reqwest features: `reqwest` supports multiple TLS backends (rustls vs native-tls) and root-store options (webpki-roots vs system roots). Switching to `native-tls` or `rustls` variant with system roots might eliminate the `webpki-roots` dependency.
+- Upgrade reqwest / hyper-rustls: newer versions may use different transitive root crates; attempt `cargo update -p reqwest` and `cargo update -p hyper-rustls` and test.
+- Replace or vendor: if a dependency requires `webpki-roots` specifically and cannot be changed, consider an explicit per-crate exception or select alternative upstream crates that avoid CDLA.
+
+Likelihood / comments:
+- Because `webpki-roots` is pulled in by `reqwest`/`hyper-rustls`, a small change in reqwest features (switching to native-tls) or upgrading reqwest often avoids webpki-roots. This is generally low-to-moderate effort.
+
+Recommended immediate action for webpki-roots:
+- Try switching `reqwest` features (in `Cargo.toml`) to use `native-tls` (or system roots) and run `cargo update` and the test suite.
+- Alternatively, try `cargo update -p reqwest` and `cargo update -p hyper-rustls` to bring in newer upstream transitive changes, then re-run `cargo-deny`.
+
+Commands to try (local dev / CI experimentation)
+------------------------------------------------
+# In a branch / local dev container
+# 1) Try upgrading webauthn-rs
+cargo update -p webauthn-rs
+cargo test
+
+# 2) Try upgrading reqwest/hyper-rustls
+cargo update -p reqwest
+cargo update -p hyper-rustls
+cargo test
+
+# 3) Try switching reqwest TLS features to native-tls (edit Cargo.toml):
+# reqwest = { version = "0.12.24", features = ["native-tls", "stream", "json", ...], default-features = false }
+cargo update
+cargo test
+
+# 4) Re-run the audit after any change
+# (inside audit container or CI) - this verifies cargo-deny results
+/usr/local/cargo/bin/cargo-deny --manifest-path Cargo.toml check licenses --format json
+
+Risk assessment & policy suggestion
+----------------------------------
+- Short-term: a documented, timeboxed, per-crate exception for the webauthn-rs family and/or webpki-roots is acceptable to unblock CI while we attempt upgrades. However, because `webauthn-rs` is a direct dependency and non-trivial, invest effort to try an upgrade/replacement within a short timeline (30-90 days).
+- Medium-term: prefer dependency upgrades or swapping reqwest TLS options over perpetual exceptions. Upgrades reduce maintenance debt and long-term audit risk.
+
+Deliverables included with this report
+-------------------------------------
+- Reverse dependency outputs captured in `docker/audit/output/webauthn-tree.txt` and `docker/audit/output/webpki-tree.txt`.
+- License triage CSV: `docker/audit/output/license_triage_2025-11-09.csv`.
+- Recommended commands and next steps (above).
+
+If you want, I can attempt the low-risk experiments now:
+- Try `cargo update -p reqwest` and re-run `cargo-deny` (low effort, downloads crates), or
+- Try `cargo update -p webauthn-rs` and run test suite (may require exercising WebAuthn flows).
+
+Next suggested step
+-------------------
+Run the quick experiment: upgrade `reqwest` (and hyper-rustls) in a temporary branch, re-run `cargo-deny` and tests, and report the results. This often removes `webpki-roots` without deeper changes.
+
+Experiment results (2025-11-10)
+--------------------------------
+Summary of actions run in a temporary experiment branch and container:
+
+- Performed `cargo search webauthn-rs` inside the audit container; crates.io shows `webauthn-rs = "0.5.3"` as the current published version in that namespace (search results saved to `docker/audit/output/webauthn_search.txt`).
+- Ran a safe workspace copy upgrade attempt (in `/tmp/wrk_upgrade`) where I attempted incremental updates: `cargo update -p reqwest`, `cargo update -p hyper-rustls`, and `cargo update -p webauthn-rs`. Build and `cargo-deny` were run in the copy. Outputs were captured to `docker/audit/output/upgrade_*.{out,err,json}`.
+
+Findings:
+
+- The quick experiments did not eliminate the MPL-2.0 or CDLA-Permissive-2.0 diagnostics. `cargo-deny` still reports 7 license errors — the same clusters identified earlier (webauthn-rs family and webpki-roots). See `docker/audit/output/upgrade_deny.err` for the diagnostic JSON lines.
+- The crates.io search indicates no newer `webauthn-rs` version in the same crate name space beyond `0.5.3` (at time of experiment). That suggests upgrading `webauthn-rs` may not be an option unless an alternate crate name or published fork exists.
+
+Next steps recommended:
+
+- Given that `webauthn-rs` appears to be at 0.5.3 on crates.io, investigate upstream (project repository) for planned releases or contact upstream about licensing/maintenance.
+- For the TLS/root-store problem (webpki-roots), continue with a coordinated upgrade of `reqwest` + `hyper-rustls` and dependent crates (openidconnect/opendal) on a feature-aware branch; if upgrades are blocked, trial a `native-tls` switch in a dedicated branch where dependent features are adjusted accordingly.
+
+All experiment artifacts are available under `docker/audit/output/`.
+
--- a/issues/LICENSE-TRIAGE-2025-11-10.md
+++ b/issues/LICENSE-TRIAGE-2025-11-10.md
@ -0,0 +1,36 @@
+# License triage summary (2025-11-10)
+
+Summary
+-------
+This short report summarizes the top remaining license failures reported by `cargo-deny` after temporary allowlist adjustments and initial experiments.
+
+Top offenders (extracted from `docker/audit/output/license_triage_2025-11-09.csv`):
+
+- webauthn-rs family (MPL-2.0):
+  - `webauthn-rs v0.5.3` (direct dependency)
+  - `webauthn-rs-core v0.5.3`
+  - `webauthn-rs-proto v0.5.3`
+  - `webauthn-attestation-ca v0.5.3`
+  - `base64urlsafedata v0.5.3`
+
+- webpki-roots (CDLA-Permissive-2.0):
+  - `webpki-roots v1.0.3` pulled via `hyper-rustls v0.27.7` -> `reqwest v0.12.24` -> `openidconnect v4.0.1` (and also via `opendal`/`yubico_ng`).
+
+Counts and impact
+-----------------
+- cargo-deny reported 7 license errors in the most recent run. The list above represents the full set of failing crates.
+
+Short remediation guidance
+------------------------
+- `webauthn-rs`: direct dependency. Options: (a) upgrade (if a permissively licensed version exists), (b) replace with an alternative WebAuthn crate, or (c) vendor minimal functionality. Immediate step: contact upstream and search for forks/relicensing.
+- `webpki-roots`: transitive via the TLS/HTTP stack. Options: (a) coordinated upgrade of `reqwest`/`hyper-rustls`/`openidconnect` or (b) switch TLS backend/features to avoid `webpki-roots`.
+
+Artifacts
+---------
+- Full diagnostics and experiment artifacts: `docker/audit/output/` (files: `*_deny.err`, `*_deny.json`, `*_build.err`).
+
+Next steps
+----------
+1. Owner assignment and tasking in PR checklist (see draft PR #2).
+2. Continue coordinated upgrades for `reqwest` chain and attempt to upgrade/replace `webauthn-rs`.
+3. Remove temporary allowlist once all offenders are resolved.
--- a/issues/LICENSE-TRIAGE-SUMMARY-2025-11-12.md
+++ b/issues/LICENSE-TRIAGE-SUMMARY-2025-11-12.md
@ -0,0 +1,39 @@
+# License triage summary — 2025-11-12
+
+This short summary aggregates the highest-impact license failures reported by the audit tooling and gives a quick feasibility recommendation for policy and remediation.
+
+Source
+------
+- Generated from `docker/audit/output/license_triage_2025-11-09.csv` and follow-up experiment artifacts in `docker/audit/output/`.
+
+Top offenders
+-------------
+1. webauthn-rs family — MPL-2.0 (direct)
+   - Crates: `webauthn-rs v0.5.3`, `webauthn-rs-core v0.5.3`, `webauthn-rs-proto v0.5.3`, `webauthn-attestation-ca v0.5.3`, `base64urlsafedata v0.5.3`
+   - Path: direct dependency from `vaultwarden` to `webauthn-rs`.
+   - Impact: high (direct dependency). Remediation: upgrade to permissive version, replace crate, or vendor functionality.
+
+2. webpki-roots — CDLA-Permissive-2.0 (transitive)
+   - Crate: `webpki-roots v1.0.3` via `hyper-rustls -> reqwest -> openidconnect`.
+   - Impact: medium. Remediation: prefer `native-tls` or upgrade TLS/reqwest stack to versions that avoid `webpki-roots`.
+
+3. ar_archive_writer — Apache-2.0 WITH LLVM-exception (transitive)
+   - Crate: `ar_archive_writer v0.2.0` via `lettre -> psm -> stacker -> chumsky`.
+   - Impact: small (single remaining blocking error after experiments). Remediation: bump `lettre`/`psm` versions (experiment shows this removes the error) or timebox an allowlist entry while a bump PR is prepared.
+
+Feasibility and immediate policy guidance
+---------------------------------------
+- The webauthn-rs cluster requires direct attention (upgrade/replace); temporarily allowing MPL-2.0 is defensible but should be strictly timeboxed and tracked.
+- The webpki-roots issue looks solvable by TLS/reqwest feature/upgrade changes; continue the experiment work and prefer coordinated upgrades rather than allowing CDLA-Permissive-2.0 permanently.
+- The ar_archive_writer issue is directly addressable via a `lettre`/`psm` bump. Experiments in a workspace copy removed the error, so preparing a minimal bump PR is recommended.
+
+Actionable next steps
+---------------------
+1. Prepare a minimal PR to bump `lettre` and/or `psm` to the versions validated by the experiment and run CI with cargo-deny.
+2. Continue webauthn-rs remediation plan (upgrade/replace/vendor) as the top priority.
+3. Keep MPL-2.0 and CDLA-Permissive-2.0 as temporary allowlist entries while the above are addressed; remove them as soon as remediation is merged.
+
+Artifacts
+---------
+- `docker/audit/output/license_triage_2025-11-09.csv`
+- Experiment outputs: `docker/audit/output/deny_let_update.*`, `deny_reqwest_native.*`, `deny_licenses.*`
--- a/issues/NOTE-ALLOW-APACHE-LLVM-2025-11-12.md
+++ b/issues/NOTE-ALLOW-APACHE-LLVM-2025-11-12.md
@ -0,0 +1,9 @@
+# NOTE: Temporary allowlist for Apache-2.0 WITH LLVM-exception
+
+Branch: `remediations/allow-apache-llvm-exception`
+
+Purpose: Add a timeboxed allowlist entry for `Apache-2.0 WITH LLVM-exception` to `deny.toml` to unblock CI while the maintainers pursue upstream or replacement remediation for `ar_archive_writer`.
+
+Timebox: Remove no later than 2026-02-10 (90 days from addition).
+
+Tracking: See `issues/TRACK-2025-11-09-RSA-PASTE.md` and PR #2 for the remediation plan and tasks.
--- a/issues/SHORT-LICENSE-ANALYSIS-2025-11-10.md
+++ b/issues/SHORT-LICENSE-ANALYSIS-2025-11-10.md
@ -0,0 +1,36 @@
+# Short license-failure analysis (2025-11-10)
+
+Purpose
+-------
+This short analysis summarizes the top offenders that caused the recent license failures (537 total failures reported across the full audit) and provides a quick feasibility assessment of whether the temporary allowlist can be narrowed or must remain in place while remediation proceeds.
+
+Key findings
+------------
+- The top failing crates (from `docker/audit/output/license_triage_2025-11-09.csv`) are:
+  - webauthn-rs family (MPL-2.0): `webauthn-rs v0.5.3` (direct dep), `webauthn-rs-core v0.5.3`, `webauthn-rs-proto v0.5.3`, `webauthn-attestation-ca v0.5.3`, `base64urlsafedata v0.5.3`.
+  - `webpki-roots v1.0.3` (CDLA-Permissive-2.0) pulled transitively via `hyper-rustls -> reqwest -> openidconnect`.
+  - `ar_archive_writer v0.2.0` (Apache-2.0 WITH LLVM-exception) reported via `lettre` (present in CSV but not blocking if Apache+LLVM-exception is in your allowlist policy).
+
+Feasibility of policy adjustment
+--------------------------------
+- MPL-2.0 cluster (webauthn-rs):
+  - Because `webauthn-rs` is a direct dependency for `vaultwarden`, allowing MPL-2.0 in the policy would immediately remove this class of failures.
+  - Trade-off: MPL-2.0 is a copyleft-style license with obligations different from Apache/MIT; adding it to an allowlist should be treated as temporary and timeboxed while an upgrade/replacement is pursued.
+  - Recommendation: Keep restrictive stance (do not permanently allow MPL-2.0). Use timeboxed temporary allowlist and expedite `webauthn-rs` remediation.
+
+- CDLA-Permissive-2.0 cluster (webpki-roots):
+  - This is transitive via TLS stacks; often solvable by switching TLS backend (native-tls) or upgrading `reqwest`/`hyper-rustls`/`openidconnect` chain.
+  - Feasibility: Medium — requires coordination across multiple crates; experimenting with toggling features or bumping versions may remove webpki-roots without wider policy changes.
+  - Recommendation: Prioritize a targeted experiment (already started) to prefer `native-tls` or bump specific dependencies; avoid permanently allowing CDLA-Permissive-2.0 unless remediation proves infeasible.
+
+Quick action items
+------------------
+1. Apply targeted experiments (in separate ephemeral branches):
+   - Toggle `reqwest` to prefer `native-tls` in a workspace copy and run `cargo-deny`.
+   - Attempt upgrading/removing `openidconnect`'s `reqwest` feature as done in previous experiments and record before/after diffs.
+2. Attempt `webauthn-rs` remediation (upgrade, replace, or vendor) as top priority; the direct dependency makes this the highest-impact remediation.
+3. Keep temporary allowlist timeboxed and document progress in `issues/TRACK-2025-11-09-RSA-PASTE.md`.
+
+Conclusion
+----------
+Short-term policy change (temporary allowlist for MPL-2.0 and CDLA-Permissive-2.0) is defensible as a timeboxed mitigation while focused remediation proceeds. The high-impact targets are `webauthn-rs` (direct dep) and the transitive `webpki-roots` via the TLS stack. Prioritize `webauthn-rs` remediation and coordinated TLS-stack experiments; if they succeed, remove the temporary allowlist.
--- a/issues/TRACK-2025-11-09-RSA-PASTE.md
+++ b/issues/TRACK-2025-11-09-RSA-PASTE.md
@ -0,0 +1,65 @@
+# TRACK-2025-11-09: Remediate transitive `rsa` and `paste` advisories
+
+Status: Open
+Owner: @maintainers (please assign)
+Created: 2025-11-09
+
+Summary
+-------
+
+This tracking issue records the planned remediation work for two transitive advisories found during the local audit on 2025-11-09:
+
+- RUSTSEC-2023-0071 — `rsa = 0.9.8` (Marvin Attack). No safe published upgrade was available at audit time. Transitive path: `openidconnect` -> `...` -> `rsa`.
+- RUSTSEC-2024-0436 — `paste = 1.0.15` (unmaintained). Transitive path: `rmp`/`rmpv` -> `paste`.
+
+Goals
+-----
+
+1. Remove or replace the transitive dependency on `rsa` so the project does not depend on the vulnerable crate.
+2. Replace or remove `paste` usage by migrating to a maintained alternative (e.g., `pastey`) or removing the transitive dependency chain.
+3. Remove the temporary exceptions from `deny.toml` once remediation is complete.
+
+Plan
+----
+
+1. Repro steps
+   - Run `cargo tree -i rsa` and `cargo tree -i paste` to show the reverse dependency chain and confirm the top-level crate(s) importing them.
+
+2. Investigate fixes
+   - For `rsa`: identify whether `openidconnect` or another dependency directly pulls `rsa`. Check if newer published versions of the top-level crate avoid `rsa`.
+   - If no published version removes `rsa`, assess vendor or patch options:
+     - Replace `openidconnect` with an alternative OIDC client that avoids `rsa` (e.g., a crate using ring/openssl for crypto), or
+     - Submit a PR to upstream crates to adopt a constant-time implementation, or
+     - Vendor a small shim that provides the needed functionality using a vetted crypto library.
+
+   - For `paste`: check if `rmp`/`rmpv` can be upgraded to eliminate `paste` or if a maintained fork (e.g., `pastey`) can be used.
+
+3. Tests and validation
+   - Add unit/integration tests for the replaced functionality (auth flows, message formats) to ensure behavior parity.
+   - Re-run audit tooling in CI and verify `cargo-deny` no longer reports the advisories.
+
+4. Timeline and owner
+   - Target ETA: 2026-02-01 (three months). Adjust based on investigation findings.
+   - Owner: @maintainers or assign a specific engineer.
+
+5. Rollback/compensating controls
+   - If remediation requires longer work, consider adding hardened monitoring, limiting feature usage, or using runtime mitigations where possible.
+
+Links
+-----
+
+- Audit note: SECURITY-AUDIT-2025-11-09.md
+- PR branch: remediations/audit-2025-11-09
+
+Next steps
+----------
+- Assign an owner, run `cargo tree -i rsa` and `cargo tree -i paste`, and update this issue with findings and the chosen remediation path.
+
+---
+
+Temporary license allowlist (2025-11-09)
+-------------------------------------
+
+On 2025-11-09 a temporary license allowlist was added to `deny.toml` to reduce noise from widely-used OSI-approved licenses so CI can proceed with the security remediation work. The licenses added were: `Unicode-3.0`, `ISC`, `0BSD`, and `Zlib`. This change explicitly did NOT add `MPL-2.0` or `CDLA-Permissive-2.0`.
+
+Review: The license allowlist will be revisited on or before 2026-02-07 (90 days) and removed or narrowed depending on remediation progress.
			`@ -0,0 +1 @@`
			`{"fields":{"licenses":{"errors":0,"helps":537,"notes":0,"warnings":0}},"type":"summary"}`