diff --git a/deny.toml b/deny.toml
index e353846a..003f0678 100644
--- a/deny.toml
+++ b/deny.toml
@@ -4,20 +4,20 @@
 [advisories]
 # default uses the rustsec DB; keep empty to use defaults
-[licenses]
-# Allowlist of licenses. Edit to match project policy.
-allow = ["AGPL-3.0-only", "MIT", "Apache-2.0", "BSD-3-Clause"]
-## Temporary exceptions added by remediations/audit-2025-11-09
+## Temporary advisory exceptions added by remediations/audit-2025-11-09
 ## These exceptions are timeboxed and tracked in issues/TRACK-2025-11-09-RSA-PASTE.md
-[[licenses.exceptions]]
-crate = "rsa"
-version = "=0.9.8"
-reason = "RUSTSEC-2023-0071: no safe upgrade available; temporary exception; see issues/TRACK-2025-11-09-RSA-PASTE.md"
+[[advisories.exceptions]]
+id = "RUSTSEC-2023-0071"
+reason = "Transitive rsa = 0.9.8 (Marvin Attack); no safe published upgrade available at audit time. Temporary exception to unblock CI; see issues/TRACK-2025-11-09-RSA-PASTE.md"
 expires = "2026-02-01"
-[[licenses.exceptions]]
-crate = "paste"
-version = "=1.0.15"
-reason = "RUSTSEC-2024-0436: unmaintained; temporary exception; see issues/TRACK-2025-11-09-RSA-PASTE.md"
+[[advisories.exceptions]]
+id = "RUSTSEC-2024-0436"
+reason = "Transitive paste = 1.0.15 (unmaintained). Temporary exception to unblock CI; see issues/TRACK-2025-11-09-RSA-PASTE.md"
 expires = "2026-02-01"
+
+[licenses]
+# Allowlist of licenses. Edit to match project policy.
+allow = ["AGPL-3.0-only", "MIT", "Apache-2.0", "BSD-3-Clause"]
+exceptions = []
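Review bot: The new `[[advisories.exceptions]]` tables use keys (`exceptions`, `expires`) that, as far as I know, cargo-deny's `[advisories]` section does not define; advisories are suppressed through `ignore`, so these two entries may be rejected or skipped by the tool rather than applied. If that holds for the cargo-deny version used in CI, the equivalent is `ignore = [{ id = "RUSTSEC-2023-0071", reason = "…" }, { id = "RUSTSEC-2024-0436", reason = "…" }]` under `[advisories]`. The 2026-02-01 expiry would then not be enforced by the config itself, so it needs to be tracked in issues/TRACK-2025-11-09-RSA-PASTE.md or by a separate date check in CI. For RUSTSEC-2023-0071 the reason string would be more useful if it named the direct dependency that pulls in `rsa` and stated whether RSA private-key operations are reachable in this project, since that decides whether the timing side channel matters here.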