chore(audit): format deny.toml license exceptions as [[licenses.exceptions]] (cargo-deny compatible)

deny.toml

@@ -9,11 +9,15 @@
 allow = ["AGPL-3.0-only", "MIT", "Apache-2.0", "BSD-3-Clause"]
 ## Temporary exceptions added by remediations/audit-2025-11-09
 ## These exceptions are timeboxed and tracked in issues/TRACK-2025-11-09-RSA-PASTE.md
-exceptions = [
+
-	# Allow RUSTSEC-2023-0071 (rsa 0.9.8) transitively required today via openidconnect
+[[licenses.exceptions]]
-	# Rationale: no safe published upgrade available at audit date; risk acknowledged and tracked.
+crate = "rsa"
-	{ crate = "rsa", version = "=0.9.8", reason = "RUSTSEC-2023-0071: no safe upgrade available; temporary exception; see issues/TRACK-2025-11-09-RSA-PASTE.md", expires = "2026-02-01" },
+version = "=0.9.8"
-	# Allow RUSTSEC-2024-0436 (paste 1.0.15) transitively required today via rmp/rmpv
+reason = "RUSTSEC-2023-0071: no safe upgrade available; temporary exception; see issues/TRACK-2025-11-09-RSA-PASTE.md"
-	# Rationale: crate marked unmaintained; temporary exception while replacement plan is executed.
+expires = "2026-02-01"
-	{ crate = "paste", version = "=1.0.15", reason = "RUSTSEC-2024-0436: unmaintained; temporary exception; see issues/TRACK-2025-11-09-RSA-PASTE.md", expires = "2026-02-01" }
+
-]
+[[licenses.exceptions]]
+crate = "paste"
+version = "=1.0.15"
+reason = "RUSTSEC-2024-0436: unmaintained; temporary exception; see issues/TRACK-2025-11-09-RSA-PASTE.md"
+expires = "2026-02-01"