fix(security): enforce unsafe code prohibition and update CI requirements

[unclesp1d3r]

This pull request introduces several improvements to project quality and safety, including enforcing Rust's safety guarantees, updating CI documentation to reflect current merge requirements, and correcting a coverage file path in the CI workflow.

Project safety and code quality:

• Enforced Rust's safety guarantees by adding #![forbid(unsafe_code)] at the top of src/lib.rs, preventing the use of unsafe Rust code in the crate.

Continuous Integration (CI) and documentation:

• Updated the CI requirements in CONTRIBUTING.md to clarify which checks are required for merging (quality, MSRV, test, cross-platform test, and coverage), and noted that security audit and CodeQL are no longer merge-blocking.
• Fixed the coverage report file path in .github/workflows/ci.yml from target/lcov.info to lcov.info to ensure correct coverage reporting.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Consolidated GitHub Actions Rust/tooling setup to jdx/mise-action@v3, updated coverage output path to lcov.info, added #![forbid(unsafe_code)], bumped several Cargo dependency versions and added [profile.dist], modified mise.toml tools/settings, and updated CONTRIBUTING CI/merge-queue language.

Changes

Cohort / File(s)	Summary
Workflows (tooling consolidation) .github/workflows/ci.yml, .github/workflows/codeql.yml, .github/workflows/docs.yml, .github/workflows/security.yml, .github/workflows/copilot-setup-steps.yml	Replaced per-job Rust/tooling setup and separate install/cache steps with jdx/mise-action@v3 (commonly install: true, cache: true, github_token). Removed explicit installs for tools (just, cargo-nextest, cargo-llvm-cov, etc.).
CI — coverage path & tooling .github/workflows/ci.yml	Coverage job now uses mise-action; coverage report path changed from target/lcov.info to lcov.info at repo root; test dependency installation adjusted for cross-platform matrix.
Repository tooling manifest mise.toml	Added cargo:mdbook-yml-header = "0.1.5" and cargo:cargo-outdated = "0.17.0", removed zig = "0.15.2", and added [settings].idiomatic_version_file_enable_tools including ["python","rust","node","zig"].
Rust crate src/lib.rs	Added crate attribute #![forbid(unsafe_code)].
Dependencies & profile Cargo.toml	Bumped dependency versions (clap, goblin, regex, criterion, insta, tempfile) and added [profile.dist] with inherits = "release" and lto = "thin".
Contributor guidance CONTRIBUTING.md	Replaced merge-blocking CI wording with merge-queue description enumerating quality, MSRV, tests, cross-platform tests, and coverage as gating checks; CodeQL/security remain non-gating.
Editor config .vscode/settings.json	Only added a trailing newline — no behavioral change.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• chore(ci): add OSSF and CI best practices #132: Overlapping changes to CI workflows (notably .github/workflows/ci.yml) and contributor/CI gating language; likely directly related to this tooling consolidation.

Poem

Tooling merged into one tidy thread,
Coverage moved to root where it's read,
Unsafe is forbidden — safety first,
Versions bumped, profiles set — build thirst. 🚀

🚥 Pre-merge checks | ✅ 7 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Merge Conflict Detection	⚠️ Warning	❌ Merge conflicts detected (12 files): ⚔️ .github/workflows/ci.yml (content) ⚔️ .github/workflows/codeql.yml (content) ⚔️ .github/workflows/copilot-setup-steps.yml (content) ⚔️ .github/workflows/docs.yml (content) ⚔️ .github/workflows/security.yml (content) ⚔️ .vscode/settings.json (content) ⚔️ CONTRIBUTING.md (content) ⚔️ Cargo.toml (content) ⚔️ mise.lock (content) ⚔️ mise.toml (content) ⚔️ rust-toolchain.toml (content) ⚔️ src/lib.rs (content) These conflicts must be resolved before merging into main.	Resolve conflicts locally and push changes to this branch.
Error Handling	⚠️ Warning	PR introduces inconsistent error handling patterns within extraction module: config.rs uses Result<(), String> with raw string errors while mod.rs uses Result<()> with StringyError variants, violating project conventions.	Change config.rs validation methods to Result<()> and replace 11 raw string Err() returns with Err(StringyError::ConfigError(...)) to match mod.rs pattern and adhere to documented error-handling conventions.

✅ Passed checks (7 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title follows Conventional Commits format with type 'fix' and scope 'security', accurately reflecting the main changes: adding forbid(unsafe_code) and updating CI merge requirements.
Description check	✅ Passed	The description clearly relates to the changeset, outlining the three main improvements: safety enforcement, CI documentation updates, and coverage file path correction.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
No Unsafe Code	✅ Passed	The pull request correctly enforces unsafe code prohibition with #![forbid(unsafe_code)] at the crate root. No unsafe blocks, unsafe fn, or unsafe trait definitions exist in the codebase.
Ascii Only	✅ Passed	PR introduces no Unicode punctuation; pre-existing emojis in src/lib.rs unaffected; only ASCII changes added.
File Size Limit	✅ Passed	All modified files are under 500-line limit. Largest files: .github/workflows/ci.yml (121 lines), CONTRIBUTING.md (143 lines), src/lib.rs (94 lines). Only fine-grained function-level #[allow] attributes present, no blanket module/file-level suppressions.
Section Weight Consistency	✅ Passed	PR modifies only CI workflows, configuration files, and documentation. No container parser code or section weight configurations are present in the changeset.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/pr-132-review-feedback

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[mergify]

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟠 CI must pass

Waiting checks: msrv.

All CI checks must pass. This protection prevents manual merges that bypass the merge queue.

• check-success = msrv
• check-success = coverage
• check-success = quality
• check-success = test
• check-success = test-cross-platform (macos-latest, macOS)
• check-success = test-cross-platform (ubuntu-latest, Linux)
• check-success = test-cross-platform (windows-latest, Windows)

🟢 📃 Configuration Change Requirements

Wonderful, this rule succeeded.

Mergify configuration change

• check-success = Configuration changed

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

• title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert)(?:\(.+\))?:

🟢 Do not merge outdated PRs

Wonderful, this rule succeeded.

Make sure PRs are within 10 commits of the base branch before merging

• #commits-behind <= 10

[Copilot]

Pull request overview

Tightens project safety and CI clarity by forbidding unsafe in the library crate, updating contribution guidance on merge-blocking checks, and fixing the coverage report path used by CI actions.

Changes:

• Added #![forbid(unsafe_code)] to the library crate root.
• Updated CONTRIBUTING.md to reflect current merge-queue required checks vs non-blocking security jobs.
• Fixed CI coverage upload configuration to use lcov.info (matching the generated output path).

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File	Description
src/lib.rs	Adds a crate-level prohibition on unsafe for the library target.
CONTRIBUTING.md	Clarifies which CI checks are required for merging and which are informational.
.github/workflows/ci.yml	Corrects the LCOV file path consumed by coverage upload steps.

[Copilot]

#![forbid(unsafe_code)] here only applies to the library target. This package also has a binary target (src/main.rs), which can still compile unsafe unless it also has #![forbid(unsafe_code)] (or the restriction is enforced via RUSTFLAGS=-F unsafe_code in CI). Consider applying the same prohibition to src/main.rs (and any examples/benches if the intent is repo-wide).

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@src/lib.rs`:
- Around line 1-2: Add the crate-level attribute to deny all compiler warnings
by adding #![deny(warnings)] alongside the existing #![forbid(unsafe_code)] at
the top of src/lib.rs; update the file's crate attributes so both
#![forbid(unsafe_code)] and #![deny(warnings)] appear together and then verify
with cargo clippy -- -D warnings or a build to ensure no warnings remain.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[mergify]

🧪 CI Insights

Here's what we observed from your CI run for 8e32bc3.

🟢 All jobs passed!

But CI Insights is watching 👀

[Copilot]

Pull request overview

Copilot reviewed 9 out of 11 changed files in this pull request and generated 2 comments.

Comments suppressed due to low confidence (1)

.github/workflows/ci.yml:106

• The coverage job switched to mise-action, but it no longer installs the llvm-tools-preview/llvm-tools component (previously installed via the toolchain setup step). cargo llvm-cov typically requires that component to provide llvm-profdata/llvm-cov, and rust-toolchain.toml currently only lists rustfmt and clippy. Consider adding llvm-tools-preview to rust-toolchain.toml components or explicitly installing it in this job before running cargo llvm-cov.

      - name: Generate coverage
        run: cargo llvm-cov --all-features --no-report

      - name: Combine coverage reports
        run: cargo llvm-cov report --lcov --output-path lcov.info

[Copilot]

Pull request overview

Copilot reviewed 10 out of 12 changed files in this pull request and generated 2 comments.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.github/workflows/docs.yml:
- Around line 30-34: The workflow currently uses the floating tag
jdx/mise-action@v3 which conflicts with the repo-wide policy decision; either
(A) pin this action to a specific commit SHA (replace jdx/mise-action@v3 with
jdx/mise-action@<commit-sha>) and apply the same SHA-pin change across all
workflows to be consistent, or (B) explicitly document the repository policy for
using floating tags (e.g., add a top-of-workflow comment and a short note in the
repository docs/README that states "floating tags are used intentionally") so
this usage is clearly justified; update the workflow header or repo docs
accordingly and ensure similar actions like actions/checkout and
actions/configure-pages follow the same documented policy.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 12 changed files in this pull request and generated no new comments.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 12 changed files in this pull request and generated 4 comments.

[unclesp1d3r]

@Mergifyio queue

[mergify]

Merge Queue Status

---

• 🟠 Waiting for queue conditions
• ⬜ Enter queue
• ⬜ Run checks
• ⬜ Merge

Required conditions to enter a queue

• -closed [📌 queue requirement]
• any of [📌 queue requirement]:
  • check-neutral = Mergify Merge Protections
  • check-skipped = Mergify Merge Protections
  • check-success = Mergify Merge Protections
• any of [🔀 queue conditions]:
  • all of [📌 queue conditions of queue default]:
    • any of [🛡 GitHub repository ruleset rule main]:
      • check-neutral = Mergify Merge Protections
      • check-skipped = Mergify Merge Protections
      • check-success = Mergify Merge Protections
• -conflict [📌 queue requirement]
• -draft [📌 queue requirement]
• any of [📌 queue -> configuration change requirements]:
  • -mergify-configuration-changed
  • check-success = Configuration changed

[Copilot]

Pull request overview

Copilot reviewed 12 out of 14 changed files in this pull request and generated no new comments.

[Copilot]

Pull request overview

Copilot reviewed 12 out of 14 changed files in this pull request and generated 3 comments.

[Copilot]

This manual installation of mdbook-yml-header appears redundant since mise.lock already includes mdbook-yml-header@0.1.5 and the mise-action above is configured with install: true, which should install all tools from mise. Unless there's a specific reason to reinstall it (like a mise installation issue), this step can likely be removed to simplify the workflow.

Suggested change

	- name: Install mdbook-yml-header
	run: cargo binstall mdbook-yml-header@0.1.5 --no-confirm

[Copilot]

The removal of the qlty-action coverage upload is not mentioned in the PR description. While the PR description mentions fixing the coverage report file path for Codecov, it doesn't explain why the Qlty coverage upload was removed. Consider updating the PR description to document this change, or if the removal was unintentional, restore the qlty-action upload step.

[Copilot]

This job uses both dtolnay/rust-toolchain to explicitly install Rust 1.93.0 and mise-action which will also install Rust 1.93.0 from rust-toolchain.toml (via the idiomatic_version_file_enable_tools setting in mise.toml). While this duplication is harmless, consider removing the dtolnay/rust-toolchain step since mise-action should handle Rust installation. The msrv job correctly keeps dtolnay/rust-toolchain since it needs to install different versions via the matrix.