Rust Security and Supply Chain
Relevant Rust source files
Cargo.lockdeny.toml.supply-chain/config.toml.supply-chain/audits.tomlSECURITY.mdscripts/ci/security-audit-gate.shscripts/ci/check-github-action-shas.sh
The Rust supply-chain contract combines a locked dependency graph, advisory/license/policy checks, reviewed dependency audits, pinned CI actions, artifact checksums, and release attestations.
Dependency controls
Cargo.lock fixes resolved versions for reproducible workspace builds. cargo-deny policy in deny.toml checks advisories, licenses, bans, and source provenance. Cargo Vet data under .supply-chain/ records trust and audit criteria for dependencies. These tools answer different questions and should not be collapsed into one green badge.
Dependency updates require source and license review proportional to their role. Parsers, TLS/crypto, database drivers, provider SDKs, serialization, and unsafe/native dependencies deserve extra scrutiny. Keep default features minimal and verify the exact target-feature graph with Cargo metadata or tree inspection.
CI and artifacts
CI actions are pinned and checked by repository scripts. Release workflows create checksums and attestations, verify GitHub assets, and confirm published registry state. The verified subject is the produced artifact and source revision, not merely a successful compilation log.
Runtime secrets
Databento API keys and Interactive Brokers credentials/session state belong in deployment secret stores. Do not place secrets in Cargo config, examples, logs, fixtures, URLs, or crash reports. Diagnostics should report whether required configuration is present and which identity/endpoint is selected, never secret values.
Network and decoding boundaries
Treat all provider, broker, and database input as untrusted. Enforce frame sizes, timeouts, bounded retries, schema/version checks, numeric ranges, and explicit deserialization errors. Reconnect code must avoid unbounded task creation and duplicate subscription fan-out.
Security reports follow SECURITY.md. Public issues are not the correct channel for undisclosed vulnerabilities.