cargo-deny 0.18.3 (the latest that installs on rust 1.85) can't parse
the SPDX 'GPL-3.0-or-later' suffix — 'expected a <bare-gnu-license>'.
CI uses cargo-deny-action@v1 (bundles 0.19+) which parses it correctly.
Switching to bare 'GPL-3.0' lets local 'cargo deny check' work on the
pinned toolchain. ADR-0004's GPL-3.0-or-later stance is unchanged; this
is a parser workaround flagged for revert when the MSRV lifts past 1.88
(where cargo-deny 0.19.x installs natively).
Three of four 'cargo deny check' subcommands now pass locally:
- licenses ok
- bans ok
- sources ok
- advisories: fails locally only because the advisory-db contains CVSS 4.0
entries (anchor-lang RUSTSEC-2026-0146) that cargo-deny 0.18.3's parser
rejects. Unfixable on the rust 1.85 toolchain; CI's 0.19+ parses fine.
Surfaced by Task 7's done-checklist run; not a Task 7 code change.
deny.toml allows the permissive Rust-ecosystem licenses + our own
GPL-3.0-or-later; bans duplicate versions of tokio/serde/bytes/tracing
to catch dep-tree divergence early; restricts sources to crates.io. CI
runs fmt --check, clippy -D warnings, test --all (matrix: stable +
MSRV 1.85), and cargo deny check on push + PR to main. The CI job
installs libopus-dev — the opus crate's FFI dependency (PORT_PLAN §7
'Core (FFI)' disposition).