feat: refactor sgclaw around zeroclaw compat runtime

third_party/zeroclaw/deny.toml

@@ -0,0 +1,53 @@
+# cargo-deny configuration — v2 schema
+# https://embarkstudios.github.io/cargo-deny/
+
+[advisories]
+# In v2, vulnerability advisories always emit errors (not configurable).
+# unmaintained: scope of unmaintained-crate checks (all | workspace | transitive | none)
+unmaintained = "all"
+# yanked: deny | warn | allow
+yanked = "deny"
+# Ignore known unmaintained transitive deps we cannot easily replace
+ignore = [
+    # bincode v2.0.1 via probe-rs — project ceased but 1.3.3 considered complete
+    "RUSTSEC-2025-0141",
+    { id = "RUSTSEC-2024-0384", reason = "Reported to `rust-nostr/nostr` and it's WIP" },
+    { id = "RUSTSEC-2024-0388", reason = "derivative via extism → wasmtime transitive dep" },
+    { id = "RUSTSEC-2025-0057", reason = "fxhash via extism → wasmtime transitive dep" },
+    { id = "RUSTSEC-2025-0119", reason = "number_prefix via indicatif — cosmetic dep" },
+    # wasmtime vulns via extism 1.13.0 — no upstream fix yet; plugins feature-gated
+    { id = "RUSTSEC-2026-0006", reason = "wasmtime segfault via extism; awaiting extism upgrade" },
+    { id = "RUSTSEC-2026-0020", reason = "WASI resource exhaustion via extism; awaiting extism upgrade" },
+    { id = "RUSTSEC-2026-0021", reason = "WASI http fields panic via extism; awaiting extism upgrade" },
+]
+
+[licenses]
+# All licenses are denied unless explicitly allowed
+allow = [
+    "MIT",
+    "Apache-2.0",
+    "Apache-2.0 WITH LLVM-exception",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "ISC",
+    "Unicode-3.0",
+    "Unicode-DFS-2016",
+    "OpenSSL",
+    "Zlib",
+    "MPL-2.0",
+    "CDLA-Permissive-2.0",
+    "0BSD",
+    "BSL-1.0",
+    "CC0-1.0",
+]
+unused-allowed-license = "allow"
+
+[bans]
+multiple-versions = "warn"
+wildcards = "allow"
+
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+allow-git = []