Add supply chain security gates:

- cargo-deny.toml: License allowlist (MIT, Apache-2.0, BSD, ISC, Zlib, Unicode-DFS-2016, MPL-2.0), bans (openssl-sys, native-tls, git2, libgit2-sys), minimum versions (ring >= 0.17.5, rustls >= 0.23)
- build/CHECKSUMS.sha256: SHA-256 checksum for build/glyph-shapes.json. build.rs already verifies checksums on every build (TH-06 supply-chain gate per plan line 909)

These are part of the security hardening epic (pdftract-e9lz).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
21 lines
976 B
Text
# SHA-256 Checksums for build-time data files
#
# This file contains SHA-256 checksums for data files used during the build
# process. These checksums are verified by build.rs on every build to ensure
# the files have not been tampered with or corrupted.
#
# Per plan line 909: build/font-fingerprints.json and build/glyph-shapes.json
# have SHA-256 checksums committed in build/CHECKSUMS.sha256. build.rs
# verifies checksums on every build; a mismatch aborts the build with a clear
# error pointing to the regeneration script.
#
# Format: <checksum> <filename>
#
# To regenerate this file after legitimate updates:
# sha256sum build/glyph-shapes.json build/font-fingerprints.json > build/CHECKSUMS.sha256

# Glyph shapes database for Level 4 encoding fallback
a3cba1a5b82c6f04e25450608ceeffd3b66b3de2ee1c28da008bc59de6625a96 build/glyph-shapes.json

# Font fingerprints (not yet generated - placeholder)
# When font-fingerprints.json is added, include its checksum here
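An added illustration (not the project's build.rs, which is Rust) of the gate the manifest header describes: parse the `<checksum> <filename>` lines, hash each listed file, and abort with the regeneration command on a mismatch or a missing file. The manifest format and regeneration command are taken from the page; the temp-directory scenario and the sample JSON bytes in `demo()` are constructed for this example.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Regeneration command quoted from the manifest header; shown in the mismatch error.
REGEN = "sha256sum build/glyph-shapes.json build/font-fingerprints.json > build/CHECKSUMS.sha256"

def parse_manifest(text):
    """Parse '<checksum> <filename>' lines; '#' comments and blank lines are skipped."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or set(parts[0].lower()) - set("0123456789abcdef"):
            raise ValueError(f"CHECKSUMS.sha256:{lineno}: malformed line {raw!r}")
        entries[parts[1].lstrip("*")] = parts[0].lower()  # sha256sum prefixes '*' in binary mode
    return entries

def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def verify(root, manifest):
    """Return one message per problem; an empty list means the build may proceed."""
    problems = []
    for name, expected in manifest.items():
        path = root / name
        if not path.is_file():
            problems.append(f"{name}: listed in manifest but missing")
            continue
        if not hmac.compare_digest(sha256_file(path), expected):
            problems.append(f"{name}: SHA-256 mismatch; if the change is legitimate, run: {REGEN}")
    return problems

def demo():
    """Constructed scenario: verify a good manifest, then the same manifest after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        data = root / "build" / "glyph-shapes.json"
        data.parent.mkdir()
        data.write_bytes(b'{"A": [[0, 0], [1, 1]]}')  # constructed sample data file
        manifest = parse_manifest(f"# header\n{sha256_file(data)}  build/glyph-shapes.json\n")
        before = verify(root, manifest)
        data.write_bytes(b'{"A": [[0, 0], [1, 2]]}')  # tampered after the manifest was written
        return before, verify(root, manifest)
```

In a real build script the non-empty result is what turns into the hard build failure; the placeholder entry for font-fingerprints.json in the page's file is a comment, so the parser correctly ignores it until a real checksum line is added.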