From 6befc364487cf4a5a577edf99dc7fda6a043972b Mon Sep 17 00:00:00 2001 From: kalvinparker <106995826+kalvinparker@users.noreply.github.com> Date: Mon, 10 Nov 2025 22:05:58 +0000 Subject: [PATCH] docs(audit): add license triage summary and PR body update file --- .github/PR_BODY_UPDATE-2.md | 11 +++++++++ issues/LICENSE-TRIAGE-2025-11-10.md | 36 +++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 .github/PR_BODY_UPDATE-2.md create mode 100644 issues/LICENSE-TRIAGE-2025-11-10.md diff --git a/.github/PR_BODY_UPDATE-2.md b/.github/PR_BODY_UPDATE-2.md new file mode 100644 index 00000000..96729c97 --- /dev/null +++ b/.github/PR_BODY_UPDATE-2.md @@ -0,0 +1,11 @@ +Temporary license allowlist: MPL-2.0 and CDLA-Permissive-2.0 were added to deny.toml on branch experiment/webauthn-upgrade to unblock CI while coordinated upgrades/replacements are attempted. This is timeboxed and tracked in issues/FEASIBILITY-WEBAUTHN-WEBPKI.md and issues/TRACK-2025-11-09-RSA-PASTE.md. See the experiment artifacts in docker/audit/output/. + +## Tasks +- [ ] Owner: Security lead — confirm timebox and approve temporary allowlist (by 2025-11-17) +- [ ] Owner: Maintainer — attempt `webauthn-rs` upgrade or replacement; report feasibility (see issues/FEASIBILITY-WEBAUTHN-WEBPKI.md) +- [ ] Owner: Maintainer — coordinate `reqwest`/`hyper-rustls`/`openidconnect` upgrades to remove `webpki-roots` (see docker/audit/output/* and reqwest/webpki trees) +- [ ] Owner: Maintainer — verify cargo-deny clean runs on CI after each change +- [ ] Owner: Maintainer — remove temporary allowlist and update deny.toml when all issues resolved + +## Triage summary +See issues/LICENSE-TRIAGE-2025-11-10.md for a short summary of the top offenders and remediation options. diff --git a/issues/LICENSE-TRIAGE-2025-11-10.md b/issues/LICENSE-TRIAGE-2025-11-10.md new file mode 100644 index 00000000..26223855 --- /dev/null +++ b/issues/LICENSE-TRIAGE-2025-11-10.md 
@@ -0,0 +1,36 @@ +# License triage summary (2025-11-10) + +Summary +------- +This short report summarizes the top remaining license failures reported by `cargo-deny` after temporary allowlist adjustments and initial experiments. + +Top offenders (extracted from `docker/audit/output/license_triage_2025-11-09.csv`): + +- webauthn-rs family (MPL-2.0): + - `webauthn-rs v0.5.3` (direct dependency) + - `webauthn-rs-core v0.5.3` + - `webauthn-rs-proto v0.5.3` + - `webauthn-attestation-ca v0.5.3` + - `base64urlsafedata v0.5.3` + +- webpki-roots (CDLA-Permissive-2.0): + - `webpki-roots v1.0.3` pulled via `hyper-rustls v0.27.7` -> `reqwest v0.12.24` -> `openidconnect v4.0.1` (and also via `opendal`/`yubico_ng`). + +Counts and impact +----------------- +- cargo-deny reported 7 license errors in the most recent run. The list above represents the full set of failing crates. + +Short remediation guidance +------------------------ +- `webauthn-rs`: direct dependency. Options: (a) upgrade (if a permissively licensed version exists), (b) replace with an alternative WebAuthn crate, or (c) vendor minimal functionality. Immediate step: contact upstream and search for forks/relicensing. +- `webpki-roots`: transitive via the TLS/HTTP stack. Options: (a) coordinated upgrade of `reqwest`/`hyper-rustls`/`openidconnect` or (b) switch TLS backend/features to avoid `webpki-roots`. + +Artifacts +--------- +- Full diagnostics and experiment artifacts: `docker/audit/output/` (files: `*_deny.err`, `*_deny.json`, `*_build.err`). + +Next steps +---------- +1. Owner assignment and tasking in PR checklist (see draft PR #2). +2. Continue coordinated upgrades for `reqwest` chain and attempt to upgrade/replace `webauthn-rs`. +3. Remove temporary allowlist once all offenders are resolved.
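Review bot: In the `.github/PR_BODY_UPDATE-2.md` hunk, the allowlist is called "timeboxed" but the only date given is the approval deadline ("confirm timebox and approve temporary allowlist (by 2025-11-17)"); there is no stated expiry or removal date for the MPL-2.0 / CDLA-Permissive-2.0 entries in deny.toml, so the last checklist item ("remove temporary allowlist and update deny.toml when all issues resolved") is open-ended. Suggest adding an explicit removal date and a pointer to the deny.toml lines so the exception is visible and reviewable. Separately, the item "verify cargo-deny clean runs on CI after each change" cannot show progress while the allowlist is in place, since the allowlist is what makes those runs clean; reword it to verify that cargo-deny passes with the temporary entries removed (for example on a local run) before the PR is closed.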
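Review bot: In the `issues/LICENSE-TRIAGE-2025-11-10.md` hunk, the "Counts and impact" section says "cargo-deny reported 7 license errors in the most recent run. The list above represents the full set of failing crates." but the list enumerates six crates (five `webauthn-rs` family crates plus `webpki-roots v1.0.3`); either one failing crate is missing from the list, or `webpki-roots` is being counted once per dependency path, and the report should say which. The count also cites `license_triage_2025-11-09.csv` while the summary is dated 2025-11-10 and refers to "the most recent run"; naming the specific `*_deny.json` under `docker/audit/output/` that produced the 7 would make this reproducible. One more point on the remediation options for `webauthn-rs`: option "(c) vendor minimal functionality" does not change the licensing outcome, because MPL-2.0 is file-level copyleft and vendored files remain under MPL-2.0, so it should either be dropped or noted as a maintenance-reduction step rather than a license remediation.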