
Security: suppress unfixable rsa advisory, verify all 2026 CVEs already patched#137

Merged: bashandbone merged 3 commits into main from copilot/fix-security-vulnerabilities on Mar 27, 2026

Conversation

Copilot AI (Contributor) commented Mar 26, 2026

Security audit flagged 8 vulnerabilities. 7 are already resolved in Cargo.lock; the remaining one (rsa Marvin Attack) has no upstream patch and needs explicit suppression in both cargo-deny and cargo-audit tooling.

Vulnerability Status

| Advisory | Package | Resolution |
| --- | --- | --- |
| RUSTSEC-2026-0066 | astral-tokio-tar | ✅ Lock has 0.6.0 (patched ≥0.6.0) |
| RUSTSEC-2026-0044/45/46/47/48 | aws-lc-sys | ✅ Lock has 0.39.0 (patched ≥0.38.0–0.39.0) |
| RUSTSEC-2026-0049 | rustls-webpki | ✅ Lock has 0.103.10 (patched ≥0.103.10) |
| RUSTSEC-2023-0071 | rsa | ⚠️ No upstream patch — suppressed with justification |

Changes

  • .cargo/audit.toml (new): Suppresses RUSTSEC-2023-0071 for cargo-audit, matching the existing deny.toml ignore entry. Without this, the scheduled workflow creates a new issue on every run for an advisory with no fix. Justification: rsa enters the graph via recoco-core → sqlx → sqlx-mysql; Thread doesn't use MySQL or expose RSA private-key operations to network timing observation.
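The two config fragments below are an illustrative example added here, not the contents of the PR's own files: they show how a cargo-audit ignore entry in .cargo/audit.toml is kept in step with the corresponding cargo-deny entry in deny.toml, with the suppression justification recorded next to the advisory ID. The `reason` wording is assumed.

```toml
# File 1: .cargo/audit.toml  (read by `cargo audit`)
# Illustrative example, not the PR's actual file. Suppresses RUSTSEC-2023-0071
# (rsa Marvin Attack), for which no upstream fix exists at the time of writing.
[advisories]
ignore = [
    # Justification (from the PR description): rsa enters the dependency graph
    # only via recoco-core -> sqlx -> sqlx-mysql; the project does not use MySQL
    # and does not expose RSA private-key operations to network timing observation.
    # Re-evaluate this entry whenever rsa or sqlx is upgraded, since a patched
    # release would make the suppression unnecessary.
    "RUSTSEC-2023-0071",
]

# File 2: deny.toml  (read by `cargo deny check advisories`)
# Matching entry so both scanners agree; the `reason` text is assumed wording.
[advisories]
ignore = [
    { id = "RUSTSEC-2023-0071", reason = "rsa reachable only via sqlx-mysql; MySQL unused, no RSA private-key operations on network-observable paths" },
]
```

Keeping both ignore lists identical avoids the situation the PR describes, where one tool is clean while the other files a new issue on every scheduled run.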


Summary by Sourcery

Configure security auditing to suppress an unpatchable rsa crate advisory while keeping other 2026 vulnerabilities verified as already resolved.

Bug Fixes:

  • Prevent recurring false-positive security issues from cargo-audit for the rsa Marvin Attack advisory by explicitly ignoring it with justification.

Enhancements:

  • Add a cargo-audit configuration file aligning advisory suppression with existing cargo-deny settings for the rsa crate advisory.
