fix: CI failures — update deny.toml for cargo-deny v2, fix clippy derivable_impls

- deny.toml: remove deprecated fields (vulnerability, notice, unlicensed, copyleft)
  that were removed in cargo-deny v2. Add CDLA-Permissive-2.0 for webpki-roots.
- security/policy.rs: replace manual Default impl for AutonomyLevel with
  #[derive(Default)] + #[default] attribute (clippy::derivable_impls on Rust 1.93)

657 tests passing, 0 clippy warnings (Rust 1.93.1), cargo-deny clean

deny.toml

@@ -1,14 +1,12 @@
-# cargo-deny configuration
+# cargo-deny configuration — v2 schema
 # https://embarkstudios.github.io/cargo-deny/
 
 [advisories]
-vulnerability = "deny"
+unmaintained = "workspace"
-unmaintained = "warn"
 yanked = "warn"
-notice = "warn"
 
 [licenses]
-unlicensed = "deny"
+# All licenses are denied unless explicitly allowed
 allow = [
     "MIT",
     "Apache-2.0",
@@ -20,8 +18,9 @@ allow = [
     "OpenSSL",
     "Zlib",
     "MPL-2.0",
+    "CDLA-Permissive-2.0",
 ]
-copyleft = "deny"
+unused-allowed-license = "allow"
 
 [bans]
 multiple-versions = "warn"

src/security/policy.rs

@@ -4,23 +4,18 @@ use std::sync::Mutex;
 use std::time::Instant;
 
 /// How much autonomy the agent has
-#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
+#[derive(Debug, Clone, Copy, Default, PartialEq, Eq, Serialize, Deserialize)]
 #[serde(rename_all = "lowercase")]
 pub enum AutonomyLevel {
     /// Read-only: can observe but not act
     ReadOnly,
     /// Supervised: acts but requires approval for risky operations
+    #[default]
     Supervised,
     /// Full: autonomous execution within policy bounds
     Full,
 }
 
-impl Default for AutonomyLevel {
-    fn default() -> Self {
-        Self::Supervised
-    }
-}
-
 /// Sliding-window action tracker for rate limiting.
 #[derive(Debug)]
 pub struct ActionTracker {