chore(audit): add Dockerfile and scripts for cargo audit and deny integration

Cargo.lock

@@ -1738,7 +1738,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
 dependencies = [
  "libc",
- "windows-sys 0.61.2",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -2457,7 +2457,7 @@ dependencies = [
  "libc",
  "percent-encoding",
  "pin-project-lite",
- "socket2 0.6.1",
+ "socket2 0.5.10",
  "system-configuration",
  "tokio",
  "tower-service",
@@ -2672,7 +2672,7 @@ checksum = "3640c1c38b8e4e43584d8df18be5fc6b0aa314ce6ebf51b53313d4306cca8e46"
 dependencies = [
  "hermit-abi",
  "libc",
- "windows-sys 0.61.2",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -3098,7 +3098,7 @@ version = "0.50.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5"
 dependencies = [
- "windows-sys 0.61.2",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -3882,7 +3882,7 @@ dependencies = [
  "quinn-udp",
  "rustc-hash",
  "rustls 0.23.34",
- "socket2 0.6.1",
+ "socket2 0.5.10",
  "thiserror 2.0.17",
  "tokio",
  "tracing",
@@ -3919,9 +3919,9 @@ dependencies = [
  "cfg_aliases",
  "libc",
  "once_cell",
- "socket2 0.6.1",
+ "socket2 0.5.10",
  "tracing",
- "windows-sys 0.60.2",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -4416,7 +4416,7 @@ dependencies = [
  "errno",
  "libc",
  "linux-raw-sys",
- "windows-sys 0.61.2",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -5127,7 +5127,7 @@ dependencies = [
  "getrandom 0.3.4",
  "once_cell",
  "rustix",
- "windows-sys 0.61.2",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -6018,7 +6018,7 @@ version = "0.1.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
 dependencies = [
- "windows-sys 0.61.2",
+ "windows-sys 0.48.0",
 ]
 
 [[package]]

docker/audit/Dockerfile

@@ -0,0 +1,19 @@
+FROM rust:1.91-bullseye
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Install OS deps needed for building some crates
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+        pkg-config \
+        libssl-dev \
+        build-essential \
+        ca-certificates \
+        curl && \
+    rm -rf /var/lib/apt/lists/*
+
+# Install cargo tools (compiled into the image so subsequent runs are fast)
+RUN /usr/local/cargo/bin/cargo install cargo-audit cargo-deny
+
+WORKDIR /workspace
+
+CMD ["bash"]

docker/audit/audit.sh

@@ -0,0 +1,14 @@
+set -euo pipefail
+export PATH="/usr/local/cargo/bin:/usr/local/bin:$PATH"
+echo "=== cargo-audit --version ==="
+/usr/local/cargo/bin/cargo-audit --version || true
+echo "=== cargo-audit report ==="
+# Run cargo-audit on the workspace Cargo.lock if present; local crate otherwise
+/usr/local/cargo/bin/cargo-audit || true
+echo "=== cargo-deny --version ==="
+/usr/local/cargo/bin/cargo-deny --version || true
+echo "=== cargo-deny advisories ==="
+# Use --manifest-path as a global option and run check advisories and licenses
+/usr/local/cargo/bin/cargo-deny --manifest-path Cargo.toml check advisories || true
+echo "=== cargo-deny licenses ==="
+/usr/local/cargo/bin/cargo-deny --manifest-path Cargo.toml check licenses || true

docker/audit/output/cargo-audit.err

@@ -0,0 +1,12 @@
+Audit Cargo.lock for crates with security vulnerabilities
+
+Usage: cargo [OPTIONS] <COMMAND>
+
+Commands:
+  audit  Audit Cargo.lock files for vulnerable crates
+  help   Print this message or the help of the given subcommand(s)
+
+Options:
+  -v, --verbose  Increase verbosity
+  -h, --help     Print help
+  -V, --version  Print version

docker/audit/output/cargo-deny-advisories.err

@@ -0,0 +1,2 @@
+{"fields":{"level":"ERROR","message":"failed to fetch crates: failed to run cargo: No such file or directory (os error 2)","timestamp":"2025-11-09T08:15:15.688872215Z"},"type":"log"}
+{"fields":{"level":"ERROR","message":"failed to start `cargo metadata`: No such file or directory (os error 2): No such file or directory (os error 2)","timestamp":"2025-11-09T08:15:15.688872215Z"},"type":"log"}

docker/audit/output/cargo-deny-licenses.err

@@ -0,0 +1,2 @@
+{"fields":{"level":"ERROR","message":"failed to fetch crates: failed to run cargo: No such file or directory (os error 2)","timestamp":"2025-11-09T08:15:15.498450874Z"},"type":"log"}
+{"fields":{"level":"ERROR","message":"failed to start `cargo metadata`: No such file or directory (os error 2): No such file or directory (os error 2)","timestamp":"2025-11-09T08:15:15.498450874Z"},"type":"log"}

docker/audit/output/cargo-version.txt

@@ -0,0 +1,7 @@
+info: syncing channel updates for '1.91.0-x86_64-unknown-linux-gnu'
+info: latest update on 2025-10-30, rust version 1.91.0 (f8297e351 2025-10-28)
+info: downloading component 'clippy'
+info: downloading component 'rustfmt'
+info: installing component 'clippy'
+info: installing component 'rustfmt'
+cargo 1.91.0 (ea2d97820 2025-10-10)

docker/audit/output/license_triage_2025-11-09.csv

@@ -0,0 +1,8 @@
+crate,version,license,top_level_dependency
+ar_archive_writer,0.2.0,"Apache-2.0 WITH LLVM-exception",lettre
+base64urlsafedata,0.5.3,MPL-2.0,webauthn-rs
+webauthn-attestation-ca,0.5.3,MPL-2.0,webauthn-rs
+webauthn-rs,0.5.3,MPL-2.0,vaultwarden
+webauthn-rs-core,0.5.3,MPL-2.0,vaultwarden
+webauthn-rs-proto,0.5.3,MPL-2.0,vaultwarden
+webpki-roots,1.0.3,CDLA-Permissive-2.0,openidconnect

docker/audit/output/licenses.err

@@ -0,0 +1,8 @@
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"ar_archive_writer","version":"0.2.0"},"parents":[{"Krate":{"kind":"build","name":"psm","version":"0.1.28"},"parents":[{"Krate":{"name":"stacker","version":"0.1.22"},"parents":[{"Krate":{"name":"chumsky","version":"0.9.3"},"parents":[{"Krate":{"name":"lettre","version":"0.11.19"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}]}]}]}]}],"labels":[{"column":12,"line":22,"message":"","span":"Apache-2.0 WITH LLVM-exception"},{"column":12,"line":22,"message":"rejected: license is not explicitly allowed","span":"Apache-2.0 WITH LLVM-exception"}],"message":"failed to satisfy license requirements","notes":["Apache-2.0 - Apache License 2.0:","  - OSI approved","  - FSF Free/Libre"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"base64urlsafedata","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-attestation-ca","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"repeat":true},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"repeat":true},{"Krate":{"name":"webauthn-rs-proto","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"repeat":true}]}]}],"labels":[{"column":12,"line":35,"message":"","span":"MPL-2.0"},{"column":12,"line":35,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:","  - OSI approved","  - FSF Free/Libre","  - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-attestation-ca","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]}],"labels":[{"column":12,"line":30,"message":"","span":"MPL-2.0"},{"column":12,"line":30,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:","  - OSI approved","  - FSF Free/Libre","  - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}],"labels":[{"column":12,"line":39,"message":"","span":"MPL-2.0"},{"column":12,"line":39,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:","  - OSI approved","  - FSF Free/Libre","  - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}],"labels":[{"column":12,"line":38,"message":"","span":"MPL-2.0"},{"column":12,"line":38,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:","  - OSI approved","  - FSF Free/Libre","  - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs-proto","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]}],"labels":[{"column":12,"line":38,"message":"","span":"MPL-2.0"},{"column":12,"line":38,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:","  - OSI approved","  - FSF Free/Libre","  - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webpki-roots","version":"1.0.3"},"parents":[{"Krate":{"name":"hyper-rustls","version":"0.27.7"},"parents":[{"Krate":{"name":"reqwest","version":"0.12.24"},"parents":[{"Krate":{"name":"oauth2","version":"5.0.0"},"parents":[{"Krate":{"name":"openidconnect","version":"4.0.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}]},{"Krate":{"name":"opendal","version":"0.54.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]},{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"yubico_ng","version":"0.14.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]},{"Krate":{"name":"reqwest","version":"0.12.24"},"repeat":true}]}],"labels":[{"column":12,"line":26,"message":"","span":"CDLA-Permissive-2.0"},{"column":12,"line":26,"message":"rejected: license is not explicitly allowed","span":"CDLA-Permissive-2.0"}],"message":"failed to satisfy license requirements","notes":["CDLA-Permissive-2.0 - Community Data License Agreement Permissive 2.0:","  - No additional metadata available for license"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"licenses":{"errors":7,"helps":530,"notes":0,"warnings":0}},"type":"summary"}

docker/audit/output/webauthn-tree.err

@@ -0,0 +1,288 @@
+info: syncing channel updates for '1.91.0-x86_64-unknown-linux-gnu'
+info: latest update on 2025-10-30, rust version 1.91.0 (f8297e351 2025-10-28)
+info: downloading component 'clippy'
+info: downloading component 'rustfmt'
+info: installing component 'clippy'
+info: installing component 'rustfmt'
+    Updating crates.io index
+ Downloading crates ...
+  Downloaded ahash v0.8.12
+  Downloaded darling v0.20.11
+  Downloaded chumsky v0.9.3
+  Downloaded kv-log-macro v1.0.7
+  Downloaded http-body v0.4.6
+  Downloaded inlinable_string v0.1.15
+  Downloaded openssl-macros v0.1.1
+  Downloaded asn1-rs-impl v0.2.0
+  Downloaded der-parser v9.0.0
+  Downloaded async-channel v1.9.0
+  Downloaded psl-types v2.0.11
+  Downloaded futures-timer v3.0.3
+  Downloaded httpdate v1.0.3
+  Downloaded binascii v0.1.4
+  Downloaded async-stream-impl v0.3.6
+  Downloaded num_threads v0.1.7
+  Downloaded migrations_internals v2.3.0
+  Downloaded glob v0.3.3
+  Downloaded hex v0.4.3
+  Downloaded hostname v0.4.1
+  Downloaded alloc-stdlib v0.2.2
+  Downloaded pem v3.0.6
+  Downloaded num-order v1.2.0
+  Downloaded phf v0.11.3
+  Downloaded multer v3.1.0
+  Downloaded pear v0.2.9
+  Downloaded phf_macros v0.11.3
+  Downloaded parking v2.2.1
+  Downloaded hyper-tls v0.6.0
+  Downloaded pico-args v0.5.0
+  Downloaded num_cpus v1.17.0
+  Downloaded jetscii v0.5.3
+  Downloaded base64urlsafedata v0.5.3
+  Downloaded cached_proc_macro_types v0.1.1
+  Downloaded oid-registry v0.7.1
+  Downloaded md-5 v0.10.6
+  Downloaded group v0.13.0
+  Downloaded diesel_table_macro_syntax v0.3.0
+  Downloaded num-derive v0.4.2
+  Downloaded async-stream v0.3.6
+  Downloaded num-integer v0.1.46
+  Downloaded darling_macro v0.21.3
+  Downloaded foreign-types-shared v0.1.1
+  Downloaded is-terminal v0.4.17
+  Downloaded devise_codegen v0.4.2
+  Downloaded pear_codegen v0.2.9
+  Downloaded derive_builder_macro v0.20.2
+  Downloaded foreign-types v0.3.2
+  Downloaded darling_macro v0.20.11
+  Downloaded argon2 v0.5.3
+  Downloaded alloc-no-stdlib v2.0.4
+  Downloaded cached_proc_macro v0.25.0
+  Downloaded async-global-executor v2.4.1
+  Downloaded asn1-rs-derive v0.5.1
+  Downloaded async-signal v0.2.13
+  Downloaded async-channel v2.5.0
+  Downloaded blocking v1.6.2
+  Downloaded atomic v0.5.3
+  Downloaded devise v0.4.2
+  Downloaded job_scheduler_ng v2.4.0
+  Downloaded pkcs8 v0.10.2
+  Downloaded quanta v0.12.6
+  Downloaded base16ct v0.2.0
+  Downloaded indexmap v1.9.3
+  Downloaded password-hash v0.5.0
+  Downloaded num-iter v0.1.45
+  Downloaded downcast-rs v2.0.2
+  Downloaded ordered-float v2.10.1
+  Downloaded diesel-derive-newtype v2.1.2
+  Downloaded dsl_auto_type v0.2.0
+  Downloaded r2d2 v0.8.10
+  Downloaded ref-cast v1.0.25
+  Downloaded nonzero_ext v0.3.0
+  Downloaded futures-executor v0.3.31
+  Downloaded migrations_macros v2.3.0
+  Downloaded dashmap v5.5.3
+  Downloaded diesel_migrations v2.3.0
+  Downloaded dotenvy v0.15.7
+  Downloaded data-encoding v2.9.0
+  Downloaded ff v0.13.1
+  Downloaded document-features v0.2.12
+  Downloaded native-tls v0.2.14
+  Downloaded pem-rfc7468 v0.7.0
+  Downloaded primeorder v0.13.6
+  Downloaded concurrent-queue v2.5.0
+  Downloaded cron v0.15.0
+  Downloaded piper v0.2.4
+  Downloaded event-listener-strategy v0.5.4
+  Downloaded env_home v0.1.0
+  Downloaded codemap v0.1.3
+  Downloaded devise_core v0.4.2
+  Downloaded quoted_printable v0.5.1
+  Downloaded phf_generator v0.11.3
+  Downloaded event-listener v2.5.3
+  Downloaded phf_shared v0.12.1
+  Downloaded futures-macro v0.3.31
+  Downloaded quick-error v2.0.1
+  Downloaded ar_archive_writer v0.2.0
+  Downloaded curve25519-dalek-derive v0.1.1
+  Downloaded email-encoding v0.4.1
+  Downloaded dyn-clone v1.0.20
+  Downloaded ed25519 v2.2.3
+  Downloaded proc-macro2-diagnostics v0.10.1
+  Downloaded data-url v0.3.2
+  Downloaded phf_shared v0.11.3
+  Downloaded async-task v4.7.1
+  Downloaded blake2 v0.10.6
+  Downloaded resolv-conf v0.7.5
+  Downloaded pastey v0.1.1
+  Downloaded phf v0.12.1
+  Downloaded derive_builder_core v0.20.2
+  Downloaded ref-cast-impl v1.0.25
+  Downloaded rand_core v0.6.4
+  Downloaded rfc6979 v0.4.0
+  Downloaded rand_chacha v0.3.1
+  Downloaded reopen v1.0.3
+  Downloaded hmac v0.12.1
+  Downloaded uncased v0.9.10
+  Downloaded iana-time-zone v0.1.64
+  Downloaded base64ct v1.8.0
+  Downloaded async-process v2.5.0
+  Downloaded serde_plain v1.0.2
+  Downloaded pest_derive v2.8.3
+  Downloaded email_address v0.2.9
+  Downloaded rocket_ws v0.1.1
+  Downloaded async-executor v1.13.3
+  Downloaded ecdsa v0.16.9
+  Downloaded psm v0.1.28
+  Downloaded cookie_store v0.22.0
+  Downloaded litrs v1.0.0
+  Downloaded async-trait v0.1.89
+  Downloaded quote v1.0.41
+  Downloaded enum-as-inner v0.6.1
+  Downloaded critical-section v1.2.0
+  Downloaded dashmap v6.1.0
+  Downloaded cookie_store v0.21.1
+  Downloaded pkcs1 v0.7.5
+  Downloaded stable-pattern v0.1.0
+  Downloaded stacker v0.1.22
+  Downloaded utf-8 v0.7.6
+  Downloaded rustc_version v0.4.1
+  Downloaded rtoolbox v0.0.3
+  Downloaded serde-value v0.7.0
+  Downloaded scheduled-thread-pool v0.2.7
+  Downloaded tagptr v0.2.0
+  Downloaded syslog v7.0.0
+  Downloaded threadpool v1.8.1
+  Downloaded rusticata-macros v4.1.0
+  Downloaded simple_asn1 v0.6.3
+  Downloaded tokio-macros v2.6.0
+  Downloaded thiserror v1.0.69
+  Downloaded totp-lite v2.0.1
+  Downloaded half v2.7.1
+  Downloaded rmpv v1.3.0
+  Downloaded backon v1.6.0
+  Downloaded serde_with_macros v3.15.1
+  Downloaded yubico_ng v0.14.1
+  Downloaded async-lock v3.4.1
+  Downloaded serde_path_to_error v0.1.20
+  Downloaded rustls-pemfile v1.0.4
+  Downloaded sec1 v0.7.3
+  Downloaded futures v0.3.31
+  Downloaded futures-lite v2.6.1
+  Downloaded signature v2.2.0
+  Downloaded async-io v2.6.0
+  Downloaded hickory-resolver v0.25.2
+  Downloaded http v0.2.12
+  Downloaded elliptic-curve v0.13.8
+  Downloaded svg-hush v0.9.5
+  Downloaded spki v0.7.3
+  Downloaded state v0.6.0
+  Downloaded num-modular v0.6.1
+  Downloaded cookie v0.18.1
+  Downloaded ubyte v0.10.4
+  Downloaded jsonwebtoken v9.3.1
+  Downloaded derive_builder v0.20.2
+  Downloaded const-oid v0.9.6
+  Downloaded webauthn-attestation-ca v0.5.3
+  Downloaded tokio-rustls v0.24.1
+  Downloaded tokio-native-tls v0.3.1
+  Downloaded sct v0.7.1
+  Downloaded thiserror-impl v1.0.69
+  Downloaded p256 v0.13.2
+  Downloaded webauthn-rs-proto v0.5.3
+  Downloaded tokio-tungstenite v0.21.0
+  Downloaded tokio-stream v0.1.17
+  Downloaded pest_generator v2.8.3
+  Downloaded web-time v1.1.0
+  Downloaded triomphe v0.1.15
+  Downloaded webauthn-rs v0.5.3
+  Downloaded which v8.0.0
+  Downloaded spinning_top v0.3.0
+  Downloaded siphasher v1.0.1
+  Downloaded spin v0.9.8
+  Downloaded hashbrown v0.12.3
+  Downloaded event-listener v5.4.1
+  Downloaded derive_more v2.0.1
+  Downloaded cached v0.56.0
+  Downloaded darling_core v0.20.11
+  Downloaded lasso v0.7.3
+  Downloaded darling_core v0.21.3
+  Downloaded darling v0.21.3
+  Downloaded serde_cbor_2 v0.13.0
+  Downloaded pest_meta v2.8.3
+  Downloaded mini-moka v0.10.3
+  Downloaded polling v3.11.0
+  Downloaded socket2 v0.5.10
+  Downloaded base64 v0.21.7
+  Downloaded handlebars v6.3.2
+  Downloaded crypto-bigint v0.5.5
+  Downloaded figment v0.10.19
+  Downloaded ucd-trie v0.1.7
+  Downloaded minimal-lexical v0.2.1
+  Downloaded publicsuffix v2.3.0
+  Downloaded oauth2 v5.0.0
+  Downloaded asn1-rs v0.6.2
+  Downloaded html5gum v0.8.0
+  Downloaded xml-rs v0.8.28
+  Downloaded num-bigint v0.4.6
+  Downloaded tungstenite v0.21.0
+  Downloaded openssl-sys v0.9.110
+  Downloaded uuid v1.18.1
+  Downloaded value-bag v1.11.1
+  Downloaded num-bigint-dig v0.8.4
+  Downloaded rsa v0.9.8
+  Downloaded schemars v0.9.0
+  Downloaded itertools v0.10.5
+  Downloaded der v0.7.10
+  Downloaded rand v0.8.5
+  Downloaded derive_more-impl v2.0.1
+  Downloaded rocket_http v0.5.1
+  Downloaded yansi v1.0.1
+  Downloaded zerocopy-derive v0.8.27
+  Downloaded cc v1.2.43
+  Downloaded diesel_derives v2.3.4
+  Downloaded ed25519-dalek v2.2.0
+  Downloaded schemars v1.0.4
+  Downloaded nom v8.0.0
+  Downloaded bigdecimal v0.4.9
+  Downloaded rpassword v7.4.0
+  Downloaded tokio-util v0.7.16
+  Downloaded nom v7.1.3
+  Downloaded x509-parser v0.16.0
+  Downloaded hashbrown v0.14.5
+  Downloaded raw-cpuid v11.6.0
+  Downloaded governor v0.10.1
+  Downloaded rocket_codegen v0.5.1
+  Downloaded libm v0.2.15
+  Downloaded pest v2.8.3
+  Downloaded hkdf v0.12.4
+  Downloaded grass_compiler v0.13.4
+  Downloaded brotli-decompressor v5.0.0
+  Downloaded iri-string v0.7.8
+  Downloaded webauthn-rs-core v0.5.3
+  Downloaded winnow v0.6.26
+  Downloaded lettre v0.11.19
+  Downloaded chrono v0.4.42
+  Downloaded async-std v1.13.2
+  Downloaded vcpkg v0.2.15
+  Downloaded portable-atomic v1.11.1
+  Downloaded openidconnect v4.0.1
+  Downloaded quick-xml v0.38.3
+  Downloaded p384 v0.13.1
+  Downloaded rustls-webpki v0.101.7
+  Downloaded hyper v0.14.32
+  Downloaded curve25519-dalek v4.1.3
+  Downloaded diesel v2.3.3
+  Downloaded serde_with v3.15.1
+  Downloaded rustls v0.23.34
+  Downloaded moka v0.12.11
+  Downloaded brotli v8.0.2
+  Downloaded chrono-tz v0.10.4
+  Downloaded openssl v0.10.74
+  Downloaded webpki-roots v1.0.3
+  Downloaded object v0.32.2
+  Downloaded rustls v0.21.12
+  Downloaded rocket v0.5.1
+  Downloaded syn v2.0.108
+  Downloaded hickory-proto v0.25.2
+  Downloaded opendal v0.54.1

docker/audit/output/webauthn-tree.txt

@@ -0,0 +1,2 @@
+webauthn-rs v0.5.3
+└── vaultwarden v1.0.0 (/workspace)

docker/audit/output/webpki-tree.txt

@@ -0,0 +1,12 @@
+webpki-roots v1.0.3
+├── hyper-rustls v0.27.7
+│   └── reqwest v0.12.24
+│       ├── oauth2 v5.0.0
+│       │   └── openidconnect v4.0.1
+│       │       └── vaultwarden v1.0.0 (/workspace)
+│       ├── opendal v0.54.1
+│       │   └── vaultwarden v1.0.0 (/workspace)
+│       ├── vaultwarden v1.0.0 (/workspace)
+│       └── yubico_ng v0.14.1
+│           └── vaultwarden v1.0.0 (/workspace)
+└── reqwest v0.12.24 (*)

docker/audit/pr-body.txt

@@ -0,0 +1,21 @@
+security(audit): remediation scaffold + deny policy
+
+This draft PR adds cargo-deny policy, a GitHub Actions audit workflow, and a local security audit note. It contains temporary, timeboxed ignore entries to allow iteration while remediation is planned.
+
+Key artifacts:
+- Audit note: SECURITY-AUDIT-2025-11-09.md
+- Tracking file: issues/TRACK-2025-11-09-RSA-PASTE.md
+- Exceptions added to deny.toml (advisories.ignore = ["RUSTSEC-2023-0071", "RUSTSEC-2024-0436"]) with expiry 2026-02-01
+
+Required checklist before merging:
+- [ ] Assign an owner for TRACK-2025-11-09-RSA-PASTE.md and confirm investigation steps (run `cargo tree -i rsa` and `cargo tree -i paste`).
+- [ ] Agree remediation path for RUSTSEC-2023-0071 (rsa): either a published upstream bump avoiding `rsa`, an alternative crate, or a vetted vendor shim. Attach a follow-up PR when chosen.
+- [ ] Agree remediation path for RUSTSEC-2024-0436 (paste): upgrade or replace the dependency chain (rmp/rmpv) or use a maintained alternative. Attach a follow-up PR when chosen.
+- [ ] Add unit/integration tests verifying replacement behavior (auth/serialization flows) in follow-up PR(s).
+- [ ] Remove the `advisories.ignore` entries from `deny.toml` and re-run the audit in CI to ensure no advisories remain.
+- [ ] Review license failures and add targeted license exceptions or plan replacements for crates with unapproved licenses.
+
+Notes:
+- The repository's Issues feature is disabled; use the tracking file in this branch (`issues/TRACK-2025-11-09-RSA-PASTE.md`) and the PR comment for workflow until issues are enabled.
+
+This PR is a draft while remediation work is planned and executed.

docker/audit/run-audit.ps1

@@ -0,0 +1,44 @@
+param(
+    [string]$Workspace = "$PSScriptRoot\..\..",
+    [string]$ImageName = "vaultwarden-audit:latest"
+)
+
+Push-Location $PSScriptRoot
+try {
+    Write-Host "Building Docker image '$ImageName' (this may take several minutes)..."
+    docker build -t $ImageName .
+
+    Write-Host "Running audit container... outputs will be written to: $Workspace"
+
+    # Create a small LF-only shell script to avoid CRLF issues when passing
+    # multi-line commands into bash on Linux containers from Windows hosts.
+    $auditScriptPath = Join-Path $PSScriptRoot 'audit.sh'
+    $scriptContent = @'
+set -euo pipefail
+export PATH="/usr/local/cargo/bin:/usr/local/bin:$PATH"
+echo "=== cargo-audit --version ==="
+/usr/local/cargo/bin/cargo-audit --version || true
+echo "=== cargo-audit report ==="
+# Run cargo-audit on the workspace Cargo.lock if present; local crate otherwise
+/usr/local/cargo/bin/cargo-audit || true
+echo "=== cargo-deny --version ==="
+/usr/local/cargo/bin/cargo-deny --version || true
+echo "=== cargo-deny advisories ==="
+# Use --manifest-path as a global option and run check advisories and licenses
+/usr/local/cargo/bin/cargo-deny --manifest-path Cargo.toml check advisories || true
+echo "=== cargo-deny licenses ==="
+/usr/local/cargo/bin/cargo-deny --manifest-path Cargo.toml check licenses || true
+'@
+
+    # Ensure the script uses LF-only line endings by replacing CRLF with LF
+    $scriptContent = $scriptContent -replace "`r`n", "`n"
+    # Write bytes directly to ensure exact newlines (UTF8 without BOM)
+    $bytes = [System.Text.Encoding]::UTF8.GetBytes($scriptContent)
+    [System.IO.File]::WriteAllBytes($auditScriptPath, $bytes)
+
+    # Run the audit script inside the container by mounting it read-only
+    docker run --rm -v "${Workspace}:/workspace" -v "${auditScriptPath}:/audit.sh:ro" -w /workspace $ImageName bash -lc 'bash /audit.sh'
+}
+finally {
+    Pop-Location
+}