BCX is security-sensitive protocol infrastructure. Treat changes to causal semantics, canonical encoding, signature envelopes, capabilities, replay handling, receipt validation, transport bindings, and WHY queries as high-risk until tested.
Run these regularly and before releases:
scripts/checks.sh
cargo deny check
cargo auditGitHub Actions run CI, and GitHub CodeQL default setup should be enabled in the repository security settings. Do not add an advanced CodeQL workflow while default setup is active.
BCX starts with zero third-party runtime dependencies. New dependencies require review, license checks, RustSec checks, tests, and documentation. Prefer small optional subcrates when an ecosystem dependency would break the root crate's no-std default.
Unknown registries and git sources are denied by deny.toml.
Do not publish exploitable security details before a fix is available. Open a private security advisory or contact the maintainers directly once public repository security channels are configured.