Add cargo-deny supply-chain policy with denylist for unmaintained Soroban deps #1206

@Baskarayelu

Description

Soroban contracts inherit security posture from every transitive dependency in Cargo.lock. Add a deny.toml enforcing: no duplicate soroban-sdk versions, no GPL/AGPL licenses in dependencies, denylist of known-vulnerable crates, advisory database checks, and unmaintained-crate warnings. Wire into CI to fail PRs that regress the policy.

Requirements and context

  • Secure: cargo-deny runs in CI; advisory feed pinned to a known commit.
  • Tested: violation against a fixture branch produces failure.
  • Documented: docs/supply-chain-policy.md.
  • Reference: Cargo.toml, Cargo.lock.

Suggested execution

git checkout -b feature/cargo-deny-policy

  • Add deny.toml at repo root.
  • CI workflow step running cargo deny check.
  • Docs: docs/supply-chain-policy.md.
  • Rust doc comments are not applicable; document policy choices in markdown.
  • Validate that licenses, advisories, bans, and sources are all enforced.
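A deny.toml that implements the controls the description and the execution list call for (single soroban-sdk version, no GPL/AGPL, a crate denylist, advisory checks, allow-listed sources). It is an added example for this issue, not the project's own file: it assumes cargo-deny's version-2 configuration schema, and the crate names in the bans deny/skip entries are placeholders to be replaced by whatever the team's review flags. The advisory-database and crates.io index URLs are cargo-deny's defaults.

```toml
# deny.toml: supply-chain policy for a Soroban contract workspace.
# Added example, not the project's file. Assumes cargo-deny's version-2
# config schema ("version = 2" under [advisories] and [licenses]).

[advisories]
version = 2
# RustSec advisory database; cargo-deny clones/updates it on `cargo deny check`.
db-path = "$CARGO_HOME/advisory-dbs"
db-urls = ["https://github.com/rustsec/advisory-db"]
# Any Cargo.lock entry that crates.io has since yanked fails the check.
yanked = "deny"
# Under version 2 every matching advisory (vulnerability, unsound,
# unmaintained, notice) is an error unless listed here with a reason,
# so an unmaintained dependency cannot be waved through silently.
ignore = [
    # { id = "RUSTSEC-0000-0000", reason = "PLACEHOLDER: tracked in ISSUE-NNN, not reachable from contract code" },
]

[licenses]
version = 2
# Allow-list only: GPL/AGPL, or any license not named here, is rejected,
# and a newly introduced license ("license drift") fails until reviewed.
allow = [
    "MIT",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "Zlib",
    "Unicode-DFS-2016",
    "Unicode-3.0",
]
# Minimum confidence for cargo-deny's license-text classifier.
confidence-threshold = 0.8
# Workspace crates with publish = false are not subject to the license check.
private = { ignore = true }
# Per-crate exceptions are the reviewed escape hatch; keep them specific.
exceptions = [
    # { allow = ["Zlib"], crate = "adler32" },   # shape of an entry only
]

[bans]
# One resolved version per crate. A second soroban-sdk in Cargo.lock means two
# copies of the SDK (and its host-function bindings) compiled into the contract.
multiple-versions = "deny"
# Report every dependency path that pulls in a duplicate, not only the shortest.
highlight = "all"
# No "*" version requirements in the workspace's own manifests.
wildcards = "deny"
# Denylist of crates that must never appear in the graph.
# PLACEHOLDER name below: replace with the crates your review actually flags.
deny = [
    { crate = "placeholder-known-vulnerable-crate", reason = "PLACEHOLDER: cite the advisory or internal review" },
]
# Duplicates of noisy leaf crates may be tolerated after review;
# never list soroban-sdk here.
skip = [
    # { crate = "placeholder-leaf-crate@0.1.0", reason = "PLACEHOLDER: until upstream bumps its dependency" },
]
skip-tree = []

[sources]
# Every crate must come from an allow-listed source: no unknown registries
# and no ad-hoc git URLs.
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = []
```

`cargo deny check` runs all four sections (or one at a time: `cargo deny check advisories`, `bans`, `licenses`, `sources`) and exits non-zero on any error, which is what the CI step needs. Bans, licenses and sources are evaluated offline against Cargo.lock; only advisories fetches the database from `db-urls`. deny.toml itself carries no commit pin for that feed, so pinning it to a known commit belongs in the CI step that fetches the database. For the fixture branch, a manifest that pulls in a second soroban-sdk version, a yanked version, or a GPL-licensed crate should each turn the check red.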

Test and commit

Run cargo deny check. Cover edge cases: yanked versions, multi-version sdk, license drift. Include security note about transitive risk.

Example commit message

ci(supply-chain): add cargo-deny policy with advisory and license enforcement

Guidelines

  • Minimum 95% test coverage
  • Clear documentation in docs/supply-chain-policy.md
  • Timeframe: 96 hours

Labels

  • documentation: Documentation
  • security: Security hardening and audits
  • smart-contract: Soroban/Rust smart contract work
  • soroban: Stellar Soroban specific
