| Version | Supported |
|---|---|
| 0.0.x | Yes |
noya-cli follows the ADR-0005 strict-lockstep versioning
contract.
Every release is coordinated with noyalib at the same
version.
Email sebastian.rousseau@gmail.com. Do not open a public issue for security reports.
Include: description, steps to reproduce, affected versions, suggested fix (optional). Initial response within 48h; fix or mitigation plan within 7 days.
noya-cli ships two binaries: noyafmt (formatter) and
noyavalidate (schema validator + autofixer). Threat model:
- Untrusted YAML files on disk: every file the CLI reads
goes through the same parser hardening as the library.
DoS budgets (
max_depth,max_document_length,max_alias_expansions) apply. --fixmode: mutates files in place. Callers must understand the operation is destructive to the source file; version-control it before--fix.--schema URLmode: fetches a JSON Schema over HTTPS. Only fetches from URLs the caller supplied — no automatic resolution.- Config file discovery: reads
.noyafmt.tomlfrom CWD + upwards. Malicious config files in a repo can influence format behaviour; never runnoyafmton an untrusted repo in a security-sensitive context.
Inherits every security invariant from parent noyalib:
#[forbid(unsafe_code)], no C deps, parser DoS guards.
cargo-denyin CI (advisories + bans + licenses + sources).- All GitHub Actions SHA-pinned.
- CI composed from
sebastienrousseau/noyalib's shared reusable workflows. Cargo.lockcommitted for deterministic builds.
Each release ships with:
- SLSA Level 3 build provenance via
actions/attest-build-provenance. - Keyless sigstore signatures (Fulcio + Rekor) on every
published
.crateand pre-built binary. - Multi-arch binaries (
noyafmt-<version>-<triple>.tar.gz+.zip) attached to each GitHub Release with cosign bundles. - SBOM attached to each GitHub Release.
Every commit on main must be signed. CI rejects unsigned PR
commits via shared-verify-signatures.yml.