## Summary

The CI runs fmt, clippy, and tests but doesn't audit dependencies for known vulnerabilities. Add `cargo audit` (or cargo-deny) to the contracts CI job.

## Files

- `.github/workflows/ci.yml`

## Acceptance criteria

- [ ] Install `cargo-audit` in the contracts job
- [ ] Run `cargo audit` and fail on warnings
- [ ] Document any allow-list in `contracts/audit.toml`
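One way the contracts job could look with the audit step added, as an example written for this issue rather than the repository's actual workflow; the `contracts/` working directory and the surrounding checkout, toolchain, fmt, clippy and test steps are assumptions about the existing job:

```yaml
# Added example for the contracts job in .github/workflows/ci.yml.
# The "contracts" job name comes from the issue; the working directory and
# the pre-existing steps are assumptions about this repository's layout.
jobs:
  contracts:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: contracts   # assumed location of the Cargo workspace
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      # Checks the issue says the job already runs.
      - run: cargo fmt --all -- --check
      - run: cargo clippy --all-targets -- -D warnings
      - run: cargo test
      # New: install cargo-audit from its own lockfile for a reproducible tool build.
      - run: cargo install cargo-audit --locked
      # New: exit non-zero on advisories and on warning-class findings
      # (unmaintained, unsound and yanked crates), not only on vulnerabilities.
      - run: cargo audit --deny warnings
```

cargo-audit reads its ignore list from `.cargo/audit.toml` relative to the directory it runs in, so the `contracts/audit.toml` path named in the acceptance criteria needs to be reconciled with that location for the allow-list to take effect.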