diff --git a/deny.toml b/deny.toml
index e167dc1..93bd114 100644
--- a/deny.toml
+++ b/deny.toml
@@ -1,14 +1,12 @@
-# cargo-deny configuration
+# cargo-deny configuration — v2 schema
 # https://embarkstudios.github.io/cargo-deny/
 
 [advisories]
-vulnerability = "deny"
-unmaintained = "warn"
+unmaintained = "workspace"
 yanked = "warn"
-notice = "warn"
 
 [licenses]
-unlicensed = "deny"
+# All licenses are denied unless explicitly allowed
 allow = [
     "MIT",
     "Apache-2.0",
@@ -20,8 +18,9 @@ allow = [
     "OpenSSL",
     "Zlib",
     "MPL-2.0",
+    "CDLA-Permissive-2.0",
 ]
-copyleft = "deny"
+unused-allowed-license = "allow"
 
 [bans]
 multiple-versions = "warn"
diff --git a/src/security/policy.rs b/src/security/policy.rs
index 5d88e9c..bff7139 100644
--- a/src/security/policy.rs
+++ b/src/security/policy.rs
@@ -4,23 +4,18 @@ use std::sync::Mutex;
 use std::time::Instant;
 
 /// How much autonomy the agent has
-#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
+#[derive(Debug, Clone, Copy, Default, PartialEq, Eq, Serialize, Deserialize)]
 #[serde(rename_all = "lowercase")]
 pub enum AutonomyLevel {
     /// Read-only: can observe but not act
     ReadOnly,
     /// Supervised: acts but requires approval for risky operations
+    #[default]
     Supervised,
     /// Full: autonomous execution within policy bounds
     Full,
 }
 
-impl Default for AutonomyLevel {
-    fn default() -> Self {
-        Self::Supervised
-    }
-}
-
 /// Sliding-window action tracker for rate limiting.
 #[derive(Debug)]
 pub struct ActionTracker {