ci: declare cachekit-core first-party for cargo-vet (end self-audit treadmill)

[27Bslash6]

Problem

The weekly Security workflow's Cargo Vet (Supply Chain) job has been red since the 0.2.1 release (run 27465817162, 2026-06-13). Everything else in that run is green — all 11 Kani proofs and all 16 deep-fuzz targets (1h each) pass. The only failure:

Vetting Failed!  1 unvetted dependencies:
  cargo vet diff cachekit-core 0.2.0 0.2.1

The sole "unvetted dependency" is cachekit-core itself. config.toml had:

• [policy.cachekit-core] audit-as-crates-io = true — forces cargo-vet to audit the crate as if it were a third-party crates.io download
• [[exemptions.cachekit-core]] version = "0.2.0" — the matching self-exemption

When 0.2.1 published, the exemption stayed pinned to 0.2.0, so cargo-vet demanded a self-audit of the bump. This re-reds the gate on every release until someone hand-runs cargo vet certify — a treadmill with zero security value.

Fix

cachekit-core is the first-party crate of this repo — the local source is the crate, so auditing it against crates.io is circular. Declare it first-party:

• audit-as-crates-io = false
• drop the now-unused [[exemptions.cachekit-core]]

No loss of supply-chain coverage over genuine third-party deps; permanently ends the per-release re-red.

Note: sibling Rust crates (cachekit-rs) likely carry the same self-audit pattern — worth a follow-up sweep.

Verification

$ cargo vet --locked
Vetting Succeeded (83 fully audited, 5 partially audited, 97 exempted)

Diff is 1 insertion / 5 deletions in supply-chain/config.toml (canonicalized via cargo vet fmt).

Summary by CodeRabbit

• Chores
  • Strengthened supply chain security by tightening dependency audit policies and removing pre-existing exemptions from the configuration.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6b950a6c-baae-4cc7-b288-389836e4d942

📥 Commits

Reviewing files that changed from the base of the PR and between 0f6d0cf and e80618d.

📒 Files selected for processing (1)

• supply-chain/config.toml

---

Walkthrough

In supply-chain/config.toml, the cargo-vet policy for cachekit-core has audit-as-crates-io changed from true to false, and the pre-existing exemption entry for cachekit-core version 0.2.0 is removed from the exemptions list.

Changes

cargo-vet Supply Chain Config

Layer / File(s)	Summary
Disable audit-as-crates-io and remove v0.2.0 exemption supply-chain/config.toml	audit-as-crates-io for cachekit-core is set to false, and the [[exemptions.cachekit-core]] entry for version 0.2.0 is removed.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• cachekit-io/cachekit-core#32: Modifies the same supply-chain/config.toml cargo-vet policy and exemptions for cachekit-core, overlapping directly with the scope of this PR.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: declaring cachekit-core as first-party for cargo-vet to resolve the audit treadmill issue.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/cargo-vet-first-party

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}