Add security and license auditing guidelines to CONTRIBUTING.md; update allowed licenses in deny.toml

lxsaah · lxsaah · commit 742550386af4 · 2025-09-25T18:47:58.000Z
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -49,6 +49,16 @@ AimDB is an async, in-memory database designed for real-time data synchronizatio
 - `make doc` - Generate and open documentation
 - `make clean` - Clean build artifacts
 
+### Security and License Auditing
+
+AimDB uses `cargo deny` for dependency auditing:
+
+```bash
+cargo deny check          # Full audit (advisories, licenses, bans)
+cargo deny check licenses # License compliance only
+cargo deny check advisories # Security advisories only
+```
+
 ## Code Standards
 
 ### Rust Guidelines
@@ -170,7 +180,12 @@ cargo test test_name --all-features
    make test
    ```
 
-3. **Check documentation:**
+3. **Check license compliance:**
+   ```bash
+   cargo deny check  # Verify dependencies meet license requirements
+   ```
+
+4. **Check documentation:**
    ```bash
    make doc
    ```
@@ -229,6 +244,38 @@ examples/quickstart/ # Demo application
 - **Discussions**: Use GitHub discussions for general questions
 - **Code Review**: All PRs require review before merging
 
+## License Compliance
+
+### Dependency Licensing
+
+AimDB follows a permissive licensing strategy compatible with commercial use. The project accepts dependencies with these licenses:
+
+- **Primary**: MIT, Apache-2.0 (preferred for new dependencies)
+- **Compatible**: BSD-2-Clause, BSD-3-Clause, ISC
+- **Unicode Data**: Unicode-3.0, Unicode-DFS-2016 (for Unicode processing crates)
+
+### Adding Dependencies
+
+Before adding new dependencies:
+
+1. **Check the license** with `cargo deny check`
+2. **Ensure compatibility** with our allowed licenses in `deny.toml`
+3. **Avoid copyleft licenses** (GPL, LGPL, etc.) that could restrict commercial use
+4. **Document the rationale** for any new license additions in your PR
+
+If you need to add a dependency with a new license:
+- Verify it's OSI-approved and business-friendly
+- Update `deny.toml` to include the new license
+- Explain the necessity in your PR description
+
+### License Audit
+
+Run license checks as part of development:
+```bash
+cargo deny check licenses  # Check license compliance
+make check                 # Includes all development checks
+```
+
 ## Code of Conduct
 
 Please be respectful and constructive in all interactions. We're building this project together and want everyone to feel welcome to contribute.
diff --git a/deny.toml b/deny.toml
@@ -7,6 +7,7 @@ allow = [
     "BSD-3-Clause",
     "ISC",
     "Unicode-DFS-2016",
+    "Unicode-3.0",
 ]
 
 confidence-threshold = 0.8

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ allow = [`
`7`	`7`	`"BSD-3-Clause",`
`8`	`8`	`"ISC",`
`9`	`9`	`"Unicode-DFS-2016",`
	`10`	`+ "Unicode-3.0",`
`10`	`11`	`]`
`11`	`12`
`12`	`13`	`confidence-threshold = 0.8`