YASSERRMD · YASSERRMD · May 30, 2026 · May 16, 2026 · May 16, 2026 · May 16, 2026
diff --git a/.cargo/audit.toml b/.cargo/audit.toml
@@ -0,0 +1,11 @@
+[advisories]
+# RUSTSEC-2023-0071 — "Marvin Attack" timing sidechannel in the `rsa` crate.
+# No fixed upgrade is available upstream. The advisory affects RSA *private-key*
+# decryption/signing, which leaks key bits through timing. BarqFlow is not exposed:
+#   * Transitively, `rsa` is pulled in by `sqlx-mysql`, which is unavoidable while
+#     MySQL support is enabled.
+#   * Our only direct use (crates/api/src/extensions.rs) is RSA-SHA256 signature
+#     *verification* with public keys, which does not perform the vulnerable
+#     private-key operations.
+# Re-evaluate and remove this ignore once a patched `rsa` release ships.
+ignore = ["RUSTSEC-2023-0071"]
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/api/Cargo.toml b/crates/api/Cargo.toml
@@ -32,6 +32,7 @@ reqwest.workspace = true
 async-stream = "0.3"
 futures-core = "0.3"
 sha2 = "0.10"
+hmac = "0.12"
 hex = "0.4"
 rsa = { version = "0.9", features = ["sha2", "pem"] }