fix(compile): reject unknown front-matter fields with deny_unknown_fields

[jamesadevine]

Problem

FrontMatter didn't use #[serde(deny_unknown_fields)], so serde silently ignored any YAML key that didn't match a struct field. This caused a real bug where a user wrote safeoutputs: (no hyphen) instead of safe-outputs: — the config was silently dropped, bypassing the validate_write_permissions compile-time check entirely. The result was a confusing runtime error (AZURE_DEVOPS_ORG_URL not set) instead of a clear compile-time error.

The same class of bug affected all three example files, which used top-level schedule: instead of on: schedule: — their schedules were silently ignored.

Fix

• Add #[serde(deny_unknown_fields)] to FrontMatter so any unrecognized YAML key produces a clear compile error listing all valid fields.
• Fix all example files and docs that used top-level schedule: (should be on: schedule:).
• Add regression tests verifying safeoutputs: and top-level schedule: are rejected, and safe-outputs: is accepted.

Changes

File	Change
src/compile/types.rs	Added #[serde(deny_unknown_fields)] to FrontMatter + 3 regression tests
examples/*.md (3 files)	schedule: → on: schedule:
README.md	Fixed full front-matter example to use on: schedule:
docs/front-matter.md	Fixed reference example to use on: schedule:

Testing

• All existing tests pass (80 integration + unit tests)
• 3 new unit tests added
• cargo clippy --all-targets --all-features clean

[github-actions]

🔍 Rust PR Review

Summary: Solid fix for a real silent-failure bug. One minor documentation typo was introduced alongside the fix.

Findings

🐛 Bugs / Logic Issues

• docs/front-matter.md:26 — The refactor accidentally dropped the space before # on the workspace line:

  workspace: repo# Optional: "root", "repo" ...

  In YAML, # only starts a comment when preceded by whitespace. Without the space, the full string repo# Optional: "root", "repo" ... would be the parsed value rather than repo with a comment. Any user who copy-pastes this example verbatim will get an invalid workspace value. Easy fix: restore the space → workspace: repo # Optional: ...

✅ What Looks Good

• #[serde(deny_unknown_fields)] is exactly the right tool here. It surfaces misconfigured keys as compile-time errors rather than silently dropping them, which is a meaningful security/correctness improvement for a compiler that processes untrusted input.
• The three regression tests are well-chosen: they cover the motivating bug (safeoutputs without hyphen), the example-file bug (top-level schedule), and a positive case confirming the correct spelling still works.
• All example files and the README were consistently updated — no stragglers.
• Error message assertions (err.contains("unknown field \safeoutputs`")`) are appropriately specific without over-constraining serde's internals.

Generated by Rust PR Reviewer for issue #409 · ● 183.3K · ◷