From dbbc7bda6a8dc81775d0edba27b82bdde54fecea Mon Sep 17 00:00:00 2001
From: Rodin <4+rodin@noreply.gitea.weiker.me>
Date: Tue, 12 May 2026 20:52:37 +0000
Subject: [PATCH] docs: update DESIGN-57 to reflect goccy/go-yaml as the
 supported YAML library

---
 docs/DESIGN-57-yaml-persona.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/DESIGN-57-yaml-persona.md b/docs/DESIGN-57-yaml-persona.md
index 628e0a6..719a473 100644
--- a/docs/DESIGN-57-yaml-persona.md
+++ b/docs/DESIGN-57-yaml-persona.md
@@ -9,7 +9,7 @@ JSON is awkward for persona files that contain multi-line text (identity, severi
 - Backwards compatibility: existing JSON personas must continue to work
 - Security: protect against DoS via deeply nested YAML (AIKIDO-2024-10486)
 - Consistency: use `.yaml` extension (not `.yml`)
-- Library: use `gopkg.in/yaml.v3` (approved in CONVENTIONS.md) with explicit depth limiting
+- Library: use `github.com/goccy/go-yaml` v1.16.0+ (approved in CONVENTIONS.md); has built-in depth protection via `MaxYAMLDepth`/`MaxYAMLNodes` constants
 
 ## Proposed Approach
 
@@ -63,7 +63,7 @@ func checkYAMLDepth(node *yaml.Node, depth, maxDepth int) error {
 }
 ```
 
-The `gopkg.in/yaml.v3` library does not have built-in depth protection, so we implement explicit depth checking by first decoding into a `yaml.Node`, walking the tree to verify depth (including alias resolution), then decoding into the target struct.
+The `github.com/goccy/go-yaml` library provides built-in depth protection via `MaxYAMLDepth` and `MaxYAMLNodes` decoder options. We use these instead of a manual depth-checking walk.
 
 ## State/Data Model