diff --git a/.circleci/config.yml b/.circleci/config.yml
index 5754bbc..c480c49 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -58,6 +58,9 @@ workflows:
       - toolkit/security:
           name: security audit only
           sonarcloud: false
+          # RUSTSEC-2025-0066: google-apis-common unmaintained — core transitive
+          # dependency of google-gmail1; no maintained Gmail API alternative exists.
+          ignore_advisories: RUSTSEC-2025-0066
           filters:
             branches:
               only:
@@ -67,6 +70,9 @@ workflows:
       - toolkit/security:
           name: security with sonarcloud
           context: SonarCloud
+          # RUSTSEC-2025-0066: google-apis-common unmaintained — core transitive
+          # dependency of google-gmail1; no maintained Gmail API alternative exists.
+          ignore_advisories: RUSTSEC-2025-0066
           filters:
             branches:
               ignore:
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 0000000..7935ebb
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,26 @@
+# https://embarkstudios.github.io/cargo-deny/
+
+[advisories]
+ignore = [
+    # google-apis-common 8.0.0: project unmaintained (RUSTSEC-2025-0066).
+    # Core transitive dependency of google-gmail1 which is the only available
+    # Rust client for the Gmail API. No alternative available upstream.
+    { id = "RUSTSEC-2025-0066", reason = "transitive via google-gmail1; no maintained alternative for Gmail API access" },
+]
+
+[licenses]
+allow = [
+    "Apache-2.0",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "ISC",
+    "MIT",
+    "Unicode-3.0",
+]
+
+[bans]
+multiple-versions = "allow"
+
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"