
Implementation:Nautechsystems Nautilus trader Supply Chain Security Config

From Leeroopedia


Knowledge Sources
Domains: Security, Rust
Last Updated: 2026-02-10 08:00 GMT

Overview

Configuration file for cargo-vet that defines supply chain audit policies, trusted external audit sources, and safe-to-deploy exemptions for all Rust dependencies.

Description

The .supply-chain/config.toml file is the foundation of the project's Rust supply chain security strategy, spanning 2914 lines. It configures cargo-vet (version = "0.10" in the [cargo-vet] table) in three layers. (1) Audit policies mark the workspace crates (nautilus-analysis, nautilus-backtest, nautilus-core, etc.) with audit-as-crates-io = true, so these path dependencies are vetted as if they were the crates.io releases of the same name and version instead of being skipped as first-party code; they are held to the same audit standard as third-party crates. (2) Trusted audit imports from six external organizations: bytecode-alliance, embark-studios, google, isrg, mozilla, and zcash. An audit any of them has published for a crate version satisfies the check for that version, so the project is relying on those organizations' review standards for shared dependencies. (3) Safe-to-deploy exemptions for approximately 900 transitive dependencies that have not yet been fully audited. Each exemption is pinned to an exact version and records no review; it stops covering the crate as soon as the version is bumped, at which point cargo vet fails until the new version is audited or re-exempted.

Usage

This configuration is read by cargo vet, run manually or as part of CI. The check passes only when every third-party Rust dependency in Cargo.lock is either audited by the project, covered by an audit imported from one of the trusted sources, or explicitly exempted at its exact pinned version; otherwise cargo vet exits non-zero, which turns an unreviewed dependency bump into a build failure rather than a silent change.

Code Reference

Source Location

Signature

[cargo-vet]
version = "0.10"

[imports.bytecode-alliance]
url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"

[imports.embark-studios]
url = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml"

[imports.google]
url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml"

[imports.isrg]
url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml"

[imports.mozilla]
url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"

[imports.zcash]
url = "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml"

# One [policy.<crate>] table per workspace crate (nautilus-analysis,
# nautilus-backtest, nautilus-core, ...). "nautilus-*" is shorthand for
# those entries, not a literal TOML key.
[policy.nautilus-*]
audit-as-crates-io = true

# One [[exemptions.<crate>]] entry per exempted crate version; "x.y.z" stands
# for the exact pinned version. An exemption records no review: it only lets
# the check pass for that one version and lapses when the version changes.
[[exemptions.*]]
version = "x.y.z"
criteria = "safe-to-deploy"

Import

# Run the supply chain check: fetch imports, then verify Cargo.lock
# against audits, imported audits and exemptions
cargo vet

# Same check by its explicit subcommand; --locked forbids network fetches
# and lock-file updates, which is what CI should run
cargo vet check --locked

# List the crate versions that need review for the check to pass
cargo vet suggest

# Record an audit for a crate version after actually reviewing it
cargo vet certify <crate> <version>

I/O Contract

Inputs

Name          Type   Required  Description
config.toml   TOML   Yes       Audit policies, imports, and exemptions
audits.toml   TOML   Yes       The project's own audit records (same directory as config.toml)
imports.lock  TOML   Yes       Cached copy of the imported external audits, updated on each unlocked run
Cargo.lock    File   Yes       Resolved dependency graph for the workspace

Outputs

Name            Type      Description
audit result    ExitCode  0 if every vetted crate version is audited, imported, or exempted; non-zero otherwise
failure report  Stdout    Crate versions lacking audit or exemption coverage, with suggested reviews

Usage Examples

# Verify every dependency is audited, covered by an imported audit, or exempted
cargo vet

# After adding a new dependency, see what is uncovered and what to review
cargo vet suggest

# Record an exemption (no review performed) for a crate version not yet audited
cargo vet add-exemption new-crate 1.0.0

# Record an audit once the crate version has actually been reviewed
cargo vet certify new-crate 1.0.0

# Register a new trusted audit source; existing imports are fetched
# automatically on every run that is not --locked
cargo vet import <name> <url>
