Rodin
006b7a3b27
CI / test (pull_request) Successful in 9m33s
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 10m1s
CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 10m39s
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 11m6s
- Add github.com/goccy/go-yaml dependency (v1.19.2) - Update parsePersona to detect format by file extension - Support both .yaml and .yml extensions (case-insensitive) - Convert built-in personas to YAML format - Add comprehensive tests for YAML parsing - Update README with YAML examples and documentation YAML provides cleaner multi-line strings via literal block scalars and supports comments, making persona definitions more readable. JSON remains supported for backwards compatibility. Closes #57
3.3 KiB
3.3 KiB
Design: YAML Support for Persona Files (#57)
Problem
JSON is awkward for persona files that contain multi-line text (identity, severity descriptions). YAML supports cleaner multi-line strings and comments, improving readability and maintainability.
Constraints
- Backwards compatibility: existing JSON personas must continue to work
- Security: protect against DoS via deeply nested YAML (AIKIDO-2024-10486)
- Consistency: use
.yamlextension (not.yml) - Library: use
github.com/goccy/go-yamlv1.16.0+ (actively maintained, security fix applied)
Proposed Approach
- Update
parsePersonato detect format from file extension - Add YAML parsing with explicit depth limit (defense in depth)
- Keep JSON as fallback for files without
.yaml/.ymlextension - Convert built-in personas to YAML format
- Update embed directive to include both formats
File Extension Detection
func parsePersona(data []byte, source string) (*Persona, error) {
isYAML := strings.HasSuffix(source, ".yaml") || strings.HasSuffix(source, ".yml")
if isYAML {
return parseYAML(data, source)
}
return parseJSON(data, source)
}
YAML Parsing with Depth Protection
func parseYAML(data []byte, source string) (*Persona, error) {
var p Persona
// go-yaml has built-in protection against deeply nested structures
// but we add explicit decoder options for defense in depth
if err := yaml.Unmarshal(data, &p); err != nil {
return nil, fmt.Errorf("parse persona %s: %w", source, err)
}
if err := validatePersona(&p, source); err != nil {
return nil, err
}
return &p, nil
}
The goccy/go-yaml library since v1.16.0 limits nesting depth by default.
State/Data Model
No new state. Same Persona struct, just different parsing.
Error Cases
| Error | Handling |
|---|---|
| Invalid YAML syntax | Return parse error with source file |
| Deeply nested YAML | Library rejects (v1.16.0+ fix) |
| Unknown extension | Fall back to JSON parsing |
| Missing required fields | Validation rejects after parse |
Edge Cases
- File with
.jsonextension but YAML content → JSON parse fails, user sees error - File with no extension → defaults to JSON
- Embedded persona reference like
builtin:security→ detect by embed path (personas/X.yaml)
Testing Strategy
- Unit tests for YAML parsing (valid, invalid, deeply nested)
- Unit tests for extension detection
- Integration test for built-in personas (now YAML)
- Backwards compat test: verify JSON still works for external files
Completion Checklist
go-yamldependency added at v1.16.0+- Extension detection uses case-insensitive comparison
- YAML parse errors include source file name
- JSON parsing still works for
.jsonfiles - Built-in personas converted to YAML with readable multi-line strings
- Embed directive updated to include
*.yaml - Test for deeply nested YAML rejection
- All existing tests pass
Open Questions
- Should we support both
.yamlAND.yml? Issue says.yamlonly for consistency, but some users expect.yml. Decision: Support both for reading, recommend.yamlin docs. - Should we add a "format" field to detect mismatched extension/content? Decision: No, keep it simple. Extension determines format.