hardening(deps): govern matrix indexeddb derivative advisory

Chummy 2026-02-25 19:18:44 +08:00 committed by Chum Yin
parent 26d2de7db5
commit 667c7a4c2f
2 changed files with 10 additions and 0 deletions


@ -14,6 +14,13 @@
"reason": "Upstream rust-nostr advisory mitigation is still in progress; monitor until released fix lands.",
"ticket": "RMN-21",
"expires_on": "2026-12-31"
},
{
"id": "RUSTSEC-2024-0388",
"owner": "repo-maintainers",
"reason": "Transitive via matrix-sdk indexeddb dependency chain in current matrix release line; track removal when upstream drops derivative.",
"ticket": "RMN-21",
"expires_on": "2026-12-31"
}
]
}
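Review bot: The new RUSTSEC-2024-0388 entry reuses `"ticket": "RMN-21"`, the same ticket as the rust-nostr exception directly above it, although the two advisories wait on different upstreams (rust-nostr versus the matrix-sdk IndexedDB chain). Unless RMN-21 is an umbrella ticket, closing it for one advisory would leave the other waiver untracked; a dedicated ticket such as `"ticket": "<TICKET-ID>"` (placeholder) keeps each exception individually reviewable. The `reason` also omits the affected crate and version, which the cargo-deny comment in this same commit gives as `derivative v2.2.0`. Recording that here would let whoever reviews the entry at `expires_on` confirm the waiver still matches what is in the lockfile.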


@ -12,6 +12,9 @@ ignore = [
# bincode v2.0.1 via probe-rs — upstream project ceased; accepted transitive risk for current hardware stack.
{ id = "RUSTSEC-2025-0141", reason = "Transitive via probe-rs in current release path; tracked for replacement when probe-rs updates." },
{ id = "RUSTSEC-2024-0384", reason = "Reported to `rust-nostr/nostr` and it's WIP" },
# derivative v2.2.0 via wasm_evt_listener -> matrix_indexed_db_futures -> matrix-sdk-indexeddb.
# This chain is transitive under matrix-sdk's IndexedDB integration path; matrix-sdk remains pinned to 0.16 in current release line.
{ id = "RUSTSEC-2024-0388", reason = "Transitive via matrix-sdk indexeddb dependency chain; tracked until matrix-sdk ecosystem removes derivative." },
]
[licenses]
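Review bot: The `ignore` entry for RUSTSEC-2024-0388 is keyed by advisory id only, so as far as I can tell it suppresses the advisory for every path that pulls in `derivative`, not just the `wasm_evt_listener -> matrix_indexed_db_futures -> matrix-sdk-indexeddb` chain named in the comment. A later dependency that introduces `derivative` by another route would pass the check silently. Unlike the JSON exception added in the same commit, this entry carries no ticket or expiry, so the two files can drift apart. I would add a third comment line above the entry: `# Governance: RMN-21, expires 2026-12-31; re-run cargo tree -i derivative when matrix-sdk moves off 0.16.`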