diff --git a/.cargo/audit.toml b/.cargo/audit.toml
index fa04a8b8b37..8de238038b2 100644
--- a/.cargo/audit.toml
+++ b/.cargo/audit.toml
@@ -1,24 +1,38 @@
 # cargo-audit configuration
 # https://rustsec.org/
+#
+# Tracking: ALL ignores below need a tracking issue reference.
+# Replace every `tracking TBD` with an actual issue URL once created.
 [advisories]
 ignore = [
- "RUSTSEC-2026-0006", # wasmtime f64.copysign segfault on x86-64
- "RUSTSEC-2026-0020", # WASI guest-controlled resource exhaustion
- "RUSTSEC-2026-0021", # WASI http fields panic
- "RUSTSEC-2026-0085", # panic when lifting `flags` component value
- "RUSTSEC-2026-0086", # host data leakage with 64-bit tables and Winch
- "RUSTSEC-2026-0087", # f64x2.splat Cranelift x86-64 segfault
- "RUSTSEC-2026-0088", # data leakage between pooling allocator instances
- "RUSTSEC-2026-0089", # Winch table.fill host panic
- "RUSTSEC-2026-0091", # OOB write/crash transcoding component model strings
- "RUSTSEC-2026-0092", # UTF-16 transcoding panic
- "RUSTSEC-2026-0093", # heap OOB read in UTF-16 to latin1+utf16 transcoding
- "RUSTSEC-2026-0094", # Winch table.grow improperly masked return value
- "RUSTSEC-2026-0095", # Winch sandbox-escape (critical)
- "RUSTSEC-2026-0096", # aarch64 Cranelift sandbox-escape (critical)
+ # ── wasmtime via extism 1.21.0 (14 advisories) ─────────────────────────
+ # extism 1.21.0 pins wasmtime 41.x; all CVEs fixed in wasmtime 42.0.2.
+ # plugins are feature-gated behind --features plugins-wasm. The critical
+ # aarch64 sandbox-escape CVEs require Winch backend (not in use).
+ "RUSTSEC-2026-0006", # wasmtime f64.copysign segfault on x86-64; tracking TBD
+ "RUSTSEC-2026-0020", # WASI guest-controlled resource exhaustion; tracking TBD
+ "RUSTSEC-2026-0021", # WASI http fields panic; tracking TBD
+ "RUSTSEC-2026-0085", # panic when lifting `flags` component value; tracking TBD
+ "RUSTSEC-2026-0086", # host data leakage with 64-bit tables and Winch; tracking TBD
+ "RUSTSEC-2026-0087", # f64x2.splat Cranelift x86-64 segfault; tracking TBD
+ "RUSTSEC-2026-0088", # data leakage between pooling allocator instances; tracking TBD
+ "RUSTSEC-2026-0089", # Winch table.fill host panic; tracking TBD
+ "RUSTSEC-2026-0091", # OOB write/crash transcoding component model strings; tracking TBD
+ "RUSTSEC-2026-0092", # UTF-16 transcoding panic; tracking TBD
+ "RUSTSEC-2026-0093", # heap OOB read in UTF-16 to latin1+utf16 transcoding; tracking TBD
+ "RUSTSEC-2026-0094", # Winch table.grow improperly masked return value; tracking TBD
+ "RUSTSEC-2026-0095", # Winch sandbox-escape (critical); tracking TBD
+ "RUSTSEC-2026-0096", # aarch64 Cranelift sandbox-escape (critical); tracking TBD
+
+ # ── instant (unmaintained) ──────────────────────────────────────────────
+ # informational advisory; transitive dep; tracking TBD
 "RUSTSEC-2024-0384",
- "RUSTSEC-2026-0049", # CRL matching bypass
- "RUSTSEC-2026-0098", # URI name constraint incorrectly accepted (2026-04-14)
- "RUSTSEC-2026-0099", # URI name constraint incorrectly accepted (2026-04-14)
+
+ # ── rustls-webpki via rumqttc v0.25.1 (old 0.102.x copy) ──────────────
+ # the 0.103.x copy in the rest of the tree is patched; awaiting rumqttc
+ # upgrade which will remove the old copy entirely.
+ "RUSTSEC-2026-0049", # CRL matching bypass; tracking TBD
+ "RUSTSEC-2026-0098", # URI name constraint incorrectly accepted; tracking TBD
+ "RUSTSEC-2026-0099", # URI name constraint incorrectly accepted; tracking TBD
 ]
diff --git a/deny.toml b/deny.toml
index 7e8e0fb12d4..0d8135d452c 100644
--- a/deny.toml
+++ b/deny.toml
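Review bot: The new group header's last line, "The critical aarch64 sandbox-escape CVEs require Winch backend (not in use)", does not hold for both critical entries it covers: the per-advisory comment for RUSTSEC-2026-0096 in this same hunk calls it the "aarch64 Cranelift sandbox-escape", and deny.toml in this change justifies that ignore with "default Cranelift backend on x86-64 unaffected", not with Winch being disabled. As written, the header would let a reader conclude 0096 is harmless while Winch is off, when the actual condition is that no aarch64 build of the plugin feature ships. Suggest replacing that header line with `# RUSTSEC-2026-0095 needs the Winch backend (not in use); RUSTSEC-2026-0096 is a` / `# Cranelift aarch64 bug, ignorable only while no aarch64 target is built.` The unchanged context comment above the wasmtime ignores in deny.toml ("the critical aarch64 sandbox-escape CVEs require the Winch compiler backend") carries the same overstatement and should be corrected together with this one.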
@@ -41,17 +41,19 @@ ignore = [
 # wasmtime 42+; plugins are feature-gated behind --features plugins-wasm;
 # the critical aarch64 sandbox-escape CVEs require the Winch compiler backend
 # which is not enabled in production (default Cranelift backend is unaffected)
- { id = "RUSTSEC-2026-0085", reason = "wasmtime flags component panic; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release" },
- { id = "RUSTSEC-2026-0086", reason = "wasmtime 64-bit table data leakage (Winch); extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release" },
- { id = "RUSTSEC-2026-0087", reason = "wasmtime f64x2.splat Cranelift segfault; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release" },
- { id = "RUSTSEC-2026-0088", reason = "wasmtime pooling allocator data leakage; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release" },
- { id = "RUSTSEC-2026-0089", reason = "wasmtime Winch table.fill panic; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release" },
- { id = "RUSTSEC-2026-0091", reason = "wasmtime OOB write transcoding strings; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release" },
- { id = "RUSTSEC-2026-0092", reason = "wasmtime UTF-16 transcoding panic; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release" },
- { id = "RUSTSEC-2026-0093", reason = "wasmtime heap OOB read UTF-16 transcoding; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release" },
- { id = "RUSTSEC-2026-0094", reason = "wasmtime Winch table.grow return value; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release" },
- { id = "RUSTSEC-2026-0095", reason = "wasmtime Winch aarch64 sandbox escape (critical); extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release; Winch backend not used in production" },
- { id = "RUSTSEC-2026-0096", reason = 
"wasmtime Cranelift aarch64 sandbox escape (critical); extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release; default Cranelift backend on x86-64 unaffected" },
+ # Tracking: TBD — replace TBD with a tracking issue number once created
+ # (extism/wasmtime upgrade tracker)
+ { id = "RUSTSEC-2026-0085", reason = "wasmtime flags component panic; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release; tracking TBD" },
+ { id = "RUSTSEC-2026-0086", reason = "wasmtime 64-bit table data leakage (Winch); extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release; tracking TBD" },
+ { id = "RUSTSEC-2026-0087", reason = "wasmtime f64x2.splat Cranelift segfault; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release; tracking TBD" },
+ { id = "RUSTSEC-2026-0088", reason = "wasmtime pooling allocator data leakage; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release; tracking TBD" },
+ { id = "RUSTSEC-2026-0089", reason = "wasmtime Winch table.fill panic; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release; tracking TBD" },
+ { id = "RUSTSEC-2026-0091", reason = "wasmtime OOB write transcoding strings; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release; tracking TBD" },
+ { id = "RUSTSEC-2026-0092", reason = "wasmtime UTF-16 transcoding panic; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release; tracking TBD" },
+ { id = "RUSTSEC-2026-0093", reason = "wasmtime heap OOB read UTF-16 transcoding; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release; tracking TBD" },
+ { id = "RUSTSEC-2026-0094", reason = "wasmtime Winch table.grow return value; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release; tracking TBD" },
+ { id = "RUSTSEC-2026-0095", reason = "wasmtime Winch aarch64 sandbox escape (critical); 
extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release; Winch backend not used in production; tracking TBD" },
+ { id = "RUSTSEC-2026-0096", reason = "wasmtime Cranelift aarch64 sandbox escape (critical); extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release; default Cranelift backend on x86-64 unaffected; tracking TBD" },
 ]
 [licenses]
@@ -76,8 +78,11 @@ allow = [
 unused-allowed-license = "allow"
 [bans]
+# TODO: Change to "deny" once duplicate versions are resolved across the
+# workspace (23 duplicates with default features as of 2026-06-22).
+# Tracking: TBD — separate RFC/issue for dep cleanup.
 multiple-versions = "warn"
-wildcards = "allow"
+wildcards = "deny"
 [sources]
 unknown-registry = "deny"
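Review bot: The two critical ignores in this hunk, RUSTSEC-2026-0095 and RUSTSEC-2026-0096, rest on deployment assumptions stated only in prose ("Winch backend not used in production", "default Cranelift backend on x86-64 unaffected") that nothing in deny.toml can verify, so if a release build ever enables Winch or targets aarch64 the ignore silently stops being valid. Suggest the reason strings name where the assumption is enforced, e.g. append `; assumption checked by <release build config — TODO name it>` to both entries, so the next reader can confirm it rather than trust it. Separately, the "tracking TBD" suffix is now repeated in all eleven reason strings as well as the shared comment above them; keeping the tracker reference only in the shared comment would mean one edit instead of twelve when the issue is created. The enclosing `ignore = [` array starts before this hunk.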
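Review bot: `multiple-versions = "warn"` is what lets the second rustls-webpki copy stay in the graph without failing the check, and .cargo/audit.toml in this same change identifies that copy (the 0.102.x one pulled in via rumqttc v0.25.1) as the carrier of the three ignored advisories RUSTSEC-2026-0049, -0098 and -0099. The new TODO treats all 23 duplicates as interchangeable cleanup work, which hides that one of them has a security cost. Suggest adding to the TODO `# One of these duplicates is rustls-webpki 0.102.x (via rumqttc), which carries` / `# three ignored advisories; deduplicate it first.` Tightening `wildcards` to "deny" in the same hunk looks right.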