Security Model

Stoney is designed to enforce invariants safely.


Secret Handling

  • Connection strings are referenced via url_env.
  • Secrets are never stored in YAML.
  • All secrets must be provided via CI environment variables or secret stores.
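As an added illustration of the url_env pattern above (example code, not Stoney's own loader or schema): a contract names only the environment variable that holds its connection string, the loader refuses any URL written inline, fails when the referenced variable was not injected into the job, and masks the password before the URL can reach CI output. The contract keys `url` and `url_env`, the function names and the sample values are assumptions for this example.

```python
import os
import re
from typing import Mapping, Optional

# Added example, not Stoney's code: resolve a contract's connection string
# by environment-variable name only. The contract keys `url` / `url_env`
# and the function names are assumptions for this illustration.

# Anything of the form scheme:// is treated as an inline connection string.
INLINE_URL = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def resolve_connection(contract: Mapping[str, str],
                       env: Optional[Mapping[str, str]] = None) -> str:
    """Return the connection string named by contract['url_env'].

    Raises ValueError when the contract embeds a URL directly, names no
    url_env, or references a variable the CI job did not inject.
    """
    env = os.environ if env is None else env
    inline = contract.get("url")
    if inline and INLINE_URL.match(str(inline)):
        raise ValueError("inline connection string in contract; use url_env")
    var = contract.get("url_env")
    if not var:
        raise ValueError("contract must reference its connection via url_env")
    value = env.get(var)
    if not value:
        raise ValueError(f"environment variable {var} is not set in this job")
    return value


def contract_problem(contract: Mapping[str, str],
                     env: Mapping[str, str]) -> Optional[str]:
    """Non-raising form for reporting: the error message, or None if OK."""
    try:
        resolve_connection(contract, env)
    except ValueError as exc:
        return str(exc)
    return None


def redact(url: str) -> str:
    """Mask the password component so a URL can safely appear in CI output."""
    return re.sub(r"://([^:/@]+):[^@]*@", r"://\1:***@", url)


if __name__ == "__main__":
    # Constructed sample: the secret lives in the environment, not in YAML.
    sample_env = {"PROD_DB_URL": "postgres://checker:s3cret@db.internal/app"}
    url = resolve_connection({"url_env": "PROD_DB_URL"}, sample_env)
    print("connecting to", redact(url))
```

The missing-variable case is the one worth checking in practice: a job that runs with an empty secret should fail loudly at resolution time rather than attempt a connection with a blank URL.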

SQL Protections

By default:

  • Write queries are blocked.
  • Multi-statement queries are blocked.
  • statement_timeout is enforced.

Environment overrides (use with caution):

  STONEY_ALLOW_WRITE_SQL=true
  STONEY_ALLOW_MULTI_SQL=true
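As an added example of the three defaults and the two override variables above (illustrative code, not Stoney's implementation): the guard strips comments and string literals first so a `;` or a keyword inside a literal is not misread, blocks multi-statement input and any query containing a write or DDL keyword unless the corresponding override is set to `true`, and always sends a `statement_timeout` ahead of the query so the database enforces the limit. The keyword list, the classification rules, the PostgreSQL `SET statement_timeout` syntax and the function names are assumptions for this example.

```python
import os
import re
from typing import List, Mapping, Optional

# Added example, not Stoney's implementation: a guard that applies the three
# defaults described above and honours the two documented override variables.
# The keyword list, the classification rules and the function names are
# assumptions for this illustration; it errs toward blocking.

WRITE_KEYWORDS = {"INSERT", "UPDATE", "DELETE", "MERGE", "CREATE", "ALTER",
                  "DROP", "TRUNCATE", "GRANT", "REVOKE", "COPY", "CALL", "DO"}


def _strip_literals(sql: str) -> str:
    """Blank out comments and string literals so a ';' or keyword inside
    them is not mistaken for real SQL."""
    sql = re.sub(r"--[^\n]*", " ", sql)
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"'(?:[^']|'')*'", "''", sql)
    sql = re.sub(r'"(?:[^"]|"")*"', '""', sql)
    return sql


def is_multi_statement(sql: str) -> bool:
    """True when more than one statement is present; a trailing ';' is fine."""
    body = _strip_literals(sql).strip().rstrip(";")
    return ";" in body


def is_write(sql: str) -> bool:
    """True when any write/DDL keyword appears anywhere in the query.

    Scanning every token (not just the first) also catches data-modifying
    CTEs such as WITH x AS (DELETE ...). An identifier that happens to equal
    a keyword is a false positive, which is the safe direction here.
    """
    tokens = {t.upper() for t in re.findall(r"[A-Za-z_]+", _strip_literals(sql))}
    return bool(tokens & WRITE_KEYWORDS)


def check(sql: str, env: Optional[Mapping[str, str]] = None) -> Optional[str]:
    """Return None if the query may run, else the reason it is blocked."""
    env = os.environ if env is None else env
    allow_write = env.get("STONEY_ALLOW_WRITE_SQL", "").lower() == "true"
    allow_multi = env.get("STONEY_ALLOW_MULTI_SQL", "").lower() == "true"
    if is_multi_statement(sql) and not allow_multi:
        return "blocked: multi-statement query (STONEY_ALLOW_MULTI_SQL=true overrides)"
    if is_write(sql) and not allow_write:
        return "blocked: write query (STONEY_ALLOW_WRITE_SQL=true overrides)"
    return None


def guard(sql: str, timeout_ms: int = 30_000,
          env: Optional[Mapping[str, str]] = None) -> List[str]:
    """Return the statements to send, with statement_timeout set first so the
    database enforces the limit even when an override is enabled.
    (PostgreSQL syntax assumed.) Raises PermissionError when blocked."""
    reason = check(sql, env)
    if reason is not None:
        raise PermissionError(reason)
    return [f"SET statement_timeout = {int(timeout_ms)}", sql]


if __name__ == "__main__":
    # Constructed sample queries; the first is a typical read-only check.
    print(check("SELECT count(*) FROM orders WHERE note = 'x; DELETE'", {}))
    print(check("SELECT 1; DROP TABLE orders", {}))
```

Note that the timeout is not one of the overridable defaults: even with both override variables set, `guard` still prepends the `SET statement_timeout`, which keeps a runaway check from holding a connection open for the life of the CI job.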

Network Isolation

Stoney runs inside your CI runner.

It does not:

  • Proxy your traffic
  • Persist your data
  • Store external state
  • Emit telemetry

All execution happens inside your CI environment.


Least Privilege Recommendations

For SQL checks:

  • Use a read-only database user.
  • Limit schema permissions.
  • Prefer staging over production.

Self-Hosted Runners

For private databases or internal APIs, use a self-hosted runner inside your network.

Stoney executes locally within your infrastructure boundary.


Threat Model

Stoney assumes:

  • CI secrets are managed securely.
  • The repository is trusted.
  • Contract files are reviewed before merge.

Contracts are executable code. Treat them as such.
