fce9f1cbf1
CI / Check (pull_request) Successful in 8m1s
CI / Detect Changes (pull_request) Has been skipped
CI / Deploy Agent (pull_request) Has been skipped
CI / Deploy Dashboard (pull_request) Has been skipped
CI / Deploy Docs (pull_request) Has been skipped
CI / Deploy MCP (pull_request) Has been skipped
Two new RUSTSEC advisories landed between 2026-06-18 and 2026-06-30 that started failing every PR's `cargo audit` step: - RUSTSEC-2026-0185 (quinn-proto 0.11.14): remote memory exhaustion via unbounded out-of-order stream reassembly. Patched in 0.11.15 (semver- compatible). `cargo update -p quinn-proto`, no API change. - RUSTSEC-2026-0189 (rmcp 0.16.0): DNS rebinding in Streamable HTTP server transport due to missing Host-header validation. Patched in rmcp >= 1.4.0, which is a major API jump from our pin (rmcp shipped 0.x -> 1.x -> 2.x in three months and the migration touches every tool handler + the auth middleware just landed in #92). Added to ignore with justification: our MCP server is exposed at a public hostname behind orca's TLS-terminating ingress with per-tenant bearer auth. The attack model (browser DNS-rebinding into a victim's localhost MCP server) doesn't apply to a public-hostname deployment. Defense-in-depth Host-header validation remains worthwhile, tracked as a multi-hour M7.3 follow-up to migrate rmcp 0.16 -> 2.x. Unblocks #96 and #94.