v0.0.9 — Enterprise readiness: 4-crate workspace, multi-algo verify+rehash, KMS pepper, FIPS contract, CLI

[sebastienrousseau]

v0.0.9 — Enterprise readiness

This branch closes the entire v0.0.9 enterprise-readiness programme tracked under milestone #1. It is the largest single release in the project's history: 192 files changed, ~+19.7k / -3.6k LOC across 46 commits.

The change is wide because the v0.0.x library was a single-crate stringly-typed wrapper around argon2i / bcrypt / scrypt; v0.0.9 is a 4-crate Cargo workspace with a typed policy-driven API, multi-algorithm verify-with-auto-rehash on every parameter dimension (Argon2 m/t/p, bcrypt cost, scrypt log_n/r/p, PBKDF2 iters/dk_len/PRF), KMS-backed peppering, a FIPS 140-3 fail-closed contract, and a dedicated CLI.

Important

This is a breaking release. The pre-0.0.9 stringly-typed API is re-exposed for one cycle behind the compat-v0_0_x feature; it is #[deprecated] and will be removed in 0.2.0. See doc/MIGRATION-from-rust-argon2.md for a name-for-name mapping.

Headline changes

New workspace shape

Crate	Role	New in v0.0.9
hsh	Core library — Policy, api::hash, api::verify_and_upgrade, structured Error, Outcome	Rewritten
hsh-cli	hsh binary — hash / verify / rehash / inspect / calibrate / completions	New
hsh-kms	Pepper trait + LocalPepper + 4 KMS provider stubs (AWS / GCP / Azure / Vault)	New
hsh-digest	General-purpose digests (SHA-2 / SHA-3 / BLAKE3)	New

Algorithms

• Argon2id is now the default (was Argon2i, which is verify-only legacy).
• PBKDF2-HMAC-SHA-256 / SHA-512 added — the only KDF with a FIPS-validated implementation path.
• Scrypt parameters now configurable and actually wired through api::hash — the previous draft accepted policy.scrypt then discarded it. api::hash now calls ScryptHasher::hash_password_customized with the policy's log_n / r / p / dk_len and the resulting PHC carries them verbatim.
• Bcrypt ships with the 72-byte safety rail (CVE-2025-22228 class) and an opt-in HMAC-SHA-256 pre-hash adapter for inputs longer than 72 bytes.
• Argon2i / Argon2d remain accepted on the verify path for legacy hashes; the verifier triggers Outcome::Valid { rehashed: Some(_) } so the caller can persist a fresh Argon2id PHC on next login.

Rehash drift detection — complete across every parameter

api::verify_and_upgrade now emits Outcome::Valid { rehashed: Some(_) } for any of:

• Argon2id — m_cost/t_cost/p_cost regression, or output_len change.
• Bcrypt — cost regression (MCF cost field parsed from $2{a,b,x,y}$<cost>$…).
• Scrypt — log_n / r / p regression, or dk_len change (parsed from PHC ln=,r=,p= params + the stored hash length).
• PBKDF2 — iterations regression, dk_len change, or PRF switch (pbkdf2-sha256 ↔ pbkdf2-sha512).
• Cross-algorithm — stored algo ≠ policy primary.

Backed by three new Policy::{bcrypt,scrypt,pbkdf2}_satisfies helpers mirroring the existing argon2_satisfies, and five regression tests in tests/test_api.rs.

Storage formats

• PHC strings for Argon2id / Argon2i / Argon2d / scrypt / PBKDF2 (interoperable with Django, Devise, libsodium, the Argon2 CLI).
• MCF ($2b$…) for bcrypt.
• hsh-pepper:<keyver>:<inner> wrapper for peppered hashes, carrying the key version so rotation is non-destructive.

Security posture

• #![forbid(unsafe_code)] workspace-wide (ADR-0006).
• Constant-time verify via subtle::ConstantTimeEq everywhere a hash is compared.
• Zeroize on drop for password / hash / salt / pepper-key buffers via zeroize::ZeroizeOnDrop.
• OsRng-only salts — vrd / rand::thread_rng are both banned by clippy.toml's disallowed-methods.
• Backend::Fips140Required fail-closed contract — api::hash refuses to mint Argon2 hashes under this backend (only PBKDF2 has a FIPS-validated path). See doc/FIPS.md and ADR-0004.
• Pepper refuse-without-key — a peppered hash verified against a pepperless policy returns Outcome::Invalid, never silently fails open.

Structured error type

• Error is a #[non_exhaustive] thiserror::Error enum with Clone + Send + Sync.
• Error::Hashing carries a typed HashingError { kind: HashingErrorKind, detail } discriminant — downcast without parsing strings.
• All variants take Cow<'static, str> — zero-alloc for literals, owned for dynamic detail.
• From<> chains for std::str::Utf8Error, base64::DecodeError, serde_json::Error, hsh_kms::PepperError — ? works across the whole stack.

API ergonomics

// Before (v0.0.8):
let h = Hash::new(password, salt, "argon2i")?;
let ok = h.verify(password)?;

// After (v0.0.9):
let policy = Policy::owasp_minimum_2025();
let stored = api::hash(&policy, password)?;          // accepts impl AsRef<[u8]>
let outcome = api::verify_and_upgrade(&policy, password, &stored)?;
match outcome {
    Outcome::Valid { rehashed: Some(new_phc) } => persist(new_phc),
    Outcome::Valid { rehashed: None } => { /* OK */ }
    Outcome::Invalid => deny(),
}

• api::hash(&Policy, impl AsRef<[u8]>) -> Result<String> — passwords need not be UTF-8.
• api::verify_and_upgrade(&Policy, impl AsRef<[u8]>, impl AsRef<str>) -> Result<Outcome> — single-return outcome whose Valid variant folds the rehash payload (rehashed: Option<String>) so the needs-rehash-iff-rehashed-Some invariant is enforced by the type system.

CLI (hsh-cli)

Seven subcommands: hash, verify, rehash, inspect, inspect-backend, calibrate, completions. Shell completions for bash / zsh / fish / PowerShell / elvish. Multi-platform packaging templates under pkg/: Docker, Homebrew, Debian, Arch (AUR), Scoop.

hsh inspect-backend --policy <preset> is the operator self-check added in this branch: resolves the preset, asks hsh::Backend what it demands, asks the build whether it can satisfy that demand, and emits a readiness field operators can gate deploys on (jq -e '.readiness == "satisfied"'). Surfaces backend, primary algorithm, fips_available_in_build, pepper_feature_compiled, plus build provenance (hsh-cli version, rustc, target triple, profile).

hsh calibrate --json now emits a structured ladder array (every candidate the sweep tried, with measured_ms, distance_ms, and exactly one selected: true) plus a runner block (host_os / host_arch / target_triple / profile / rustc / hsh_cli_version) so sizing decisions are tied to the host that produced them. The plain-text output gains a ladder: section. consider() correctness from P0-1 is preserved.

inspect no longer leaks heap memory through Box::leak for dynamic key names.

Pepper / KMS integration (hsh-kms)

• Pepper trait with apply(version, password) -> [u8; 32] (HMAC-SHA-256).
• LocalPepper in-memory provider with KeyVersion-aware rotation.
• 4 provider stubs (AWS KMS / GCP Cloud KMS / Azure Key Vault / HashiCorp Vault Transit) — stable shape, real network calls land per-provider in 0.1.x.

hsh-digest general-purpose digests

• SHA-256 / 384 / 512, SHA3-256 / 384 / 512, BLAKE3-256 — one-shot + streaming.
• 13 KAT vectors from NIST CAVP / RFC 9106 §5 / OpenBSD bcrypt vectors / RFC 6070 PBKDF2.
• 11 property-test invariants (one-shot vs streaming equivalence, chunking equivalence, output-length, determinism, cross-algorithm distinctness).
• KangarooTwelve / TurboSHAKE (RFC 9861) and Ascon-Hash256 / Ascon-XOF128 (NIST SP 800-232) stubbed — Rust impls land as a Phase 6 follow-up.

Operational hardening

• 5 libfuzzer harnesses (fuzz_api_round_trip, fuzz_phc_parse, fuzz_argon2id_verify, fuzz_bcrypt_verify, fuzz_legacy_from_string) running on a nightly cron.
• Miri focused suite per-PR (≈ 7 min) + full sweep weekly.
• Property tests — invariants under proptest for the api round-trip + drift detection.
• Coverage gate — cargo-llvm-cov at 95.40 % lines / 97.63 % regions with --fail-under-lines 95 enforced in CI (raised from 93 once the helper-extraction refactor of api.rs made the previously-unreachable .map_err closures individually unit-testable).
• MSRV gate — workspace floor pinned at Rust 1.88 (libs declare 1.75 for downstream consumability).
• Cross-platform tests — Ubuntu / macOS / Windows matrices on every PR.
• cargo-deny + cargo-audit — supply-chain audit on every PR + weekly cron; banned crates (argonautica, argon2rs, openssl) enforced in deny.toml.
• cargo-hack feature-powerset — every Cargo feature combination compiles.
• cargo-public-api diff — advisory PR check for API surface drift.

Release-time provenance

• SLSA L3 build provenance via actions/attest-build-provenance on every tagged release.
• Sigstore keyless signing via cosign sign-blob on every release artefact.
• SBOM via cargo-about (NOTICE.md attached to the release).
• OpenSSF Scorecard weekly with SARIF upload to code-scanning.
• All GitHub Actions pinned by 40-char commit SHA with semver tag as trailing comment.
• Per-job minimum permissions: declared explicitly across every workflow.

Documentation

• 5 ADRs (pepper-key versioning, FIPS strategy, general-hashing scope, zero-unsafe, v1.0 stability contract).
• 5 migration guides under doc/MIGRATION-from-*.md (argonautica, rust-argon2, bcrypt, djangohashers, password-hash).
• Per-crate READMEs at crates/<name>/README.md plus per-crate doc/ (architecture, cookbook, recipes, rotation, internals, errors).
• Top-level README rebuilt to the Noyalib documentation standard; root layout aligned with the Noyalib workspace shape (REUSE.toml, about.hbs, LICENSES/, GETTING_STARTED.md, GLOSSARY.md, PLAN.md, per-crate LICENSE symlinks).
• New doc/OPERATIONS.md runbook documenting the pre-deployment self-check (hsh inspect-backend), the new calibrate JSON shape, the pepper rotation TL;DR (linking to KMS-INTEGRATION.md), and the every-prefix-recognised summary for hsh inspect (PHC / MCF / hsh-bcrypt-sha256: / hsh-pepper:).
• New doc/PASSKEY-ERA.md positioning doc: where hsh fits in a 2026 passkey-primary architecture (NIST SP 800-63-4, FIDO Passkey Index 2025, Microsoft May-2026 announcement linked inline), with three concrete recipes — passkey + password fallback for sign-in, recovery credential hardening (tighter policy + mandatory pepper, single-use, rotatable), and the four-phase staged migration off passwords.
• New doc/IP-GOVERNANCE.md patent watchlist + annual standards-review process (OWASP / NIST 800-63 / 800-132 / FIPS 140-3 / FIDO / IETF CFRG / RFC editor) + pre-commercialisation legal checklist. Release-time governance gate wired into doc/RELEASE.md — every release PR carries a watchlist-reviewed one-liner before the tag is pushed.
• README and COMPARISON tables now split KMS-backed pepper into LocalPepper (implemented) vs cloud providers (stub interfaces in v0.0.9, real fetch in 0.1.x), and split FIPS into contract (delivered) vs validated runtime (0.1.x via hsh-backend-awslc). Six stale Outcome::Valid { needs_rehash: true } examples across doc/ and per-crate READMEs corrected to the v0.0.9 rehashed: Option<String> shape.

Late-cycle correctness fixes

The final review surfaced five correctness bugs that this branch now ships fixed, with regression tests:

Bug	Site	Fix	Test
Scrypt policy params discarded	crates/hsh/src/api.rs — PrimaryAlgorithm::Scrypt arm	Wire policy.scrypt.to_native() through hash_password_customized	scrypt_hash_honors_policy_log_n, scrypt_round_trip_with_policy_params
Rehash drift incomplete (bcrypt cost / scrypt params / pbkdf2 dk_len)	crates/hsh/src/api.rs — needs_rehash + bcrypt branch	New parse_bcrypt_cost, parse_scrypt_phc_params + Policy::{bcrypt,scrypt,pbkdf2}_satisfies	bcrypt_cost_drift_triggers_rehash, scrypt_param_drift_triggers_rehash, pbkdf2_dk_len_drift_triggers_rehash
Bcrypt prehash mode never round-tripped — api::hash applied policy.bcrypt.prehash but api::verify_and_upgrade always verified with PrehashAlgorithm::None, so long inputs hashed under with_prehash(Sha256) failed to verify	crates/hsh/src/api.rs — hash/verify dispatch	New hsh-bcrypt-sha256:<mcf> envelope on mint; matching strip-and-route on verify via verify_bcrypt; prehash-mode drift now triggers rehash; hsh-cli inspect recognises the envelope	bcrypt_with_prehash_sha256_round_trips, bcrypt_with_prehash_accepts_long_passwords, bcrypt_with_prehash_rejects_wrong_password, bcrypt_prehash_drift_triggers_rehash_none_to_sha256, bcrypt_prehash_drift_triggers_rehash_sha256_to_none
calibrate kept the slowest ladder entry instead of the one closest to target	crates/hsh-cli/src/commands/calibrate.rs — consider()	Pass target_ms through and minimise abs_diff	3 unit tests on consider()
inspect leaked dynamic key strings through Box::leak	crates/hsh-cli/src/commands/inspect.rs	Switch to Vec<(String, Value)> and build the borrow view at emit time	covered by existing snapshot tests

Closes

Phase	Issues
Phase 0 — Foundation & security hot-fixes	#139, #148, #147, #153, #154, #155, #149, #150, #151, #152, #161, #162
Phase 1 — Core refactor on RustCrypto traits	#140, #156, #157, #158, #159, #160, #163, #164
Phase 2 — Operational hardening	#141
Phase 3 — Pepper & KMS	#142
Phase 4 — FIPS backend (contract; aws-lc-rs runtime is Phase 4 follow-up)	partial #143
Phase 5 — CLI & ecosystem	#144
Phase 6 — General hashing primitives	#145, #137
Phase 7 — v1.0.0 stabilisation foundations	partial #146

Test plan

• cargo fmt --check
• cargo clippy --workspace --all-targets --all-features -- -D warnings
• cargo test --workspace --all-features (250+ tests across 30 binaries — 0 failures)
• cargo llvm-cov --workspace --all-features --fail-under-lines 95 (95.40 % lines / 97.63 % regions)
• cargo deny check advisories licenses bans sources
• cargo audit
• cargo +1.88 check --locked --workspace --all-features (MSRV gate)
• cargo test on Ubuntu, macOS, Windows
• cargo +nightly miri test -p hsh --test test_api --test test_backend_policy --test test_pepper --features pepper
• cargo +nightly fuzz run <target> -- -max_total_time=600 × 5 targets (weekly)
• CodeQL analysis (rust + actions) — green

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[codacy-production]

Not up to standards ⛔

AI Reviewer: run a review on demand. To trigger the first review automatically, go to your organization or repository integration settings. AI can make mistakes. Always validate suggestions.

_{TIP This summary will be updated as you push new changes.}

[github-advanced-security]

CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

[sebastienrousseau]

Phase 2 added (commit `2b2af6d`) — operational hardening

This PR now spans Phases 0 + 1 + 2. Summary of what Phase 2 brings:

Verifiable safety nets

• fuzz/ — cargo-fuzz crate with 5 libfuzzer targets (api_round_trip, phc_parse, argon2id_verify, bcrypt_verify, legacy_from_string). Excluded from default workspace; driven via `cargo +nightly fuzz`.
• tests/test_properties.rs — 7 proptest invariants (round-trip per algo, wrong-password rejection, salt uniqueness, bcrypt 72-byte rejection, short-password rejection).
• Criterion bench suite rewritten into 3 groups: hash_owasp_2025 / verify_owasp_2025 / fast_params.

Supply chain

• deny.toml rewritten: yanked=deny, wildcards=deny, unknown-registry=deny, bans `argonautica` / `argon2rs` / `openssl`.
• supply-chain/audits.toml — cargo-vet criteria + bytecode-alliance/embark/google/mozilla import feeds.
• about.toml — cargo-about SBOM config with cross-target matrix.

CI workflows (5 new)

Workflow	Trigger	What
`release.yml`	tag `v*..`	quality gate, tag↔Cargo.toml verify, SBOM, SLSA L3 build provenance, sigstore keyless signing via cosign, cargo publish
`miri.yml`	PR + weekly cron	focused per-PR (60min), full sweep weekly (90min)
`scorecard.yml`	weekly + push to main	OpenSSF Scorecard with SARIF upload
`fuzz.yml`	daily cron	5-target matrix, 10min/target, crash artefacts
`supply-chain.yml`	dep change + weekly	cargo-deny + cargo-audit

DX

• Makefile (POSIX, 25 targets).
• scripts/ — miri.sh, pre-commit.sh, parameter-calibration.sh, coverage-gap-report.sh.
• doc/pre-commit.md — install / scope / bypass / CI parity.

Verification

All gates green locally: `cargo fmt --check`, `cargo clippy -D warnings`, `cargo test --workspace` (130 tests across 12 binaries), `cargo doc`, `cargo bench --no-run`.

Closes

Partial #141 — running the new workflows on GitHub, populating `supply-chain/imports.lock`, and authoring the `cargo-about` NOTICE template are incremental follow-ups that will land as subsequent commits.

[sebastienrousseau]

Phase 3 added (commit `23cc102`) — pepper / KMS integration

This PR now spans Phases 0–3. Summary of what Phase 3 brings:

crates/hsh-kms (new workspace member)

• `Pepper` trait (sync `apply`, `Send + Sync + Debug`), `KeyVersion` newtype.
• `LocalPepper` in-memory provider with builder validation (16-byte key floor, empty keyset rejection, current must be in keyset). `Drop` zeroizes keys.
• Provider stubs under feature flags `aws-kms` / `gcp-kms` / `azure-key-vault` / `hashicorp-vault`. Stable `FetchOpts` + `fetch_pepper` shape today; real network impls land incrementally.
• 6 unit tests cover apply, version differentiation, unknown-version error, current-when-not-set, short-key rejection, empty-keyset rejection.

hsh integration (behind `pepper` feature)

• `Policy::with_pepper(Arc)` attaches a pepper.
• `api::hash` and `api::verify_and_upgrade` transparently apply HMAC-SHA-256(pepper@keyver, password) before/after the KDF.
• Custom storage wrapper `hsh-pepper::` — greppable from SQL, makes rotation non-destructive.
• Rotation triggers `needs_rehash`: keyver drift, legacy unpeppered → peppered upgrade, algorithm-level rehash.
• Refusal when policy has no pepper: peppered hashes return `Outcome::Invalid` rather than failing open.

Integration tests (`crates/hsh/tests/test_pepper.rs`)

6 cases cover round-trip, wrong-password rejection, refuse-without-pepper, rotation-triggers-rehash, legacy-upgrade, unknown-version safety.

Docs

• `doc/adr/0003-pepper-key-versioning.md` — storage format decision, rotation contract, refuse-when-no-pepper rationale.
• `doc/KMS-INTEGRATION.md` — end-to-end guides for AWS / GCP / Azure / Vault, local-dev recipe, rotation playbook, threat model.

Verification

All gates green locally: `cargo fmt --check`, `cargo clippy -D warnings`, `cargo test --workspace --all-features` (~140 tests across 13 binaries — 6 new pepper tests), `cargo doc`.

Closes / partial

Partial #142 — Pepper trait, LocalPepper, Policy integration, storage format, rotation, ADR, KMS-INTEGRATION guide. Real cloud-provider `fetch_pepper` impls (against `localstack` / real accounts) are incremental follow-ups gated on integration-test infrastructure.

[sebastienrousseau]

Phase 4 added (commit `2f05b50`) — PBKDF2 + Backend(FIPS) contract

This PR now spans Phases 0–4. Summary of what Phase 4 brings:

PBKDF2 (real, working today)

• PrimaryAlgorithm::Pbkdf2 + HashAlgorithm::Pbkdf2 variants.
• `crate::algorithms::pbkdf2` — PBKDF2-HMAC-SHA-256/512 via the RustCrypto `pbkdf2` crate. `Prf` enum, `Pbkdf2Params` with OWASP-2025 minimums (600 000 SHA-256 / 210 000 SHA-512).
• PHC string format `$pbkdf2-sha256$i=,l=$$` emitted by `api::hash`, parsed end-to-end by `api::verify_and_upgrade`.
• Algorithm-drift, iteration-drift, and PRF-drift all trigger `Outcome::Valid { needs_rehash: true }`.

Backend(FIPS) contract

• `Backend` enum (`Native | Fips140Required`) + `is_fips()` + `fips_available_in_build()`.
• `Policy.backend` + `Policy::fips_140_pbkdf2()` preset (PBKDF2-HMAC-SHA-256, 600k iters, `Fips140Required`).
• Fail-closed enforcement in `api::hash`:
  • Refuses to mint hashes with Argon2/bcrypt/scrypt under a FIPS policy (no FIPS-validated module exists for any of them).
  • Refuses to mint anything when the build can't satisfy FIPS (`fips_available_in_build()` returns false).

Forward-compat

• `fips` Cargo feature exists today but is a no-op marker. Documented prominently to avoid misleading-marketing.
• A separate `hsh-backend-awslc` workspace member (Phase 4 follow-up) will route PBKDF2 through `aws-lc-rs`'s FIPS 140-3 validated module and flip `fips_available_in_build()` to true. Deferred because the AWS-LC FIPS sub-build needs Go + CMake + Xcode tooling that isn't universally available on contributor laptops / default CI runners.

Tests

`crates/hsh/tests/test_pbkdf2.rs` — 8 cases: round-trip, wrong-password rejection, iteration drift, PRF drift, FIPS-policy refuses Argon2id, FIPS-policy refuses without feature, `Backend::is_fips()`, `Policy::fips_140_pbkdf2()` preset.

Docs

• `doc/adr/0004-fips-strategy.md` — three-layer contract, what ships in v0.0.9, what lands in the follow-up, accepted trade-offs, non-goals.
• `doc/FIPS.md` — deployment guide with the fail-closed contract, why-only-PBKDF2, three deployment options pre-follow-up, Argon2→PBKDF2 migration playbook, threat model.

Verification

All gates green locally: `cargo fmt --check`, `cargo clippy -D warnings`, `cargo test --workspace --all-features` (~145 tests across 14 binaries — 8 new PBKDF2 tests), `cargo doc`.

Closes / partial

Partial #143 — PBKDF2 algorithm, Backend enum, Policy::fips_140_pbkdf2(), fail-closed refusal, ADR-0004, FIPS.md. Real `aws-lc-rs` routing in a dedicated `hsh-backend-awslc` workspace member is a follow-up.

[sebastienrousseau]

Phase 5 added (commit `115c467`) — hsh-cli, packaging, migration guides

This PR now spans Phases 0–5. Summary of what Phase 5 brings:

`hsh-cli` (new workspace member)

6 subcommands, all production-ready:

Subcommand	What
`hsh hash`	Hash a password → PHC / MCF string
`hsh verify`	Verify candidate → exit code 0/1, optional rehash signal
`hsh rehash`	Verify + mint a fresh hash under current policy
`hsh inspect`	Pretty-print algorithm + params of any stored hash
`hsh calibrate`	Walk a parameter ladder; hit a target wall-time
`hsh completions `	Emit bash/zsh/fish/powershell/elvish scripts

• Preset policies: `--policy {owasp,rfc9106,fips}`.
• --json mode on every subcommand.
• Password from stdin only — never argv. `--password` exists but is documented insecure.
• 6 integration tests in `crates/hsh-cli/tests/cli.rs`.

Packaging templates (pkg/)

• `pkg/docker/Dockerfile` — multi-stage musl + distroless, multi-arch.
• `pkg/homebrew/hsh.rb.template` — tap formula.
• `pkg/debian/control.template` — `.deb` control file.
• `pkg/arch/PKGBUILD.template` — AUR.
• `pkg/scoop/hsh.json.template` — Windows.
• `pkg/README.md` — channel inventory + deferred list (MSI / Flatpak / Snap / Nix).

Migration guides (doc/)

• `MIGRATION-from-argonautica.md` (abandoned 2019)
• `MIGRATION-from-rust-argon2.md`
• `MIGRATION-from-bcrypt.md` (covers the 72-byte CVE-2025-22228 safety rail)
• `MIGRATION-from-djangohashers.md`
• `MIGRATION-from-password-hash.md`

Each: before/after API, verifying existing hashes, Cargo.toml swap, breaking-change checklist.

Verification

All gates green locally: `cargo fmt --check`, `cargo clippy -D warnings`, `cargo test --workspace --all-features` (~150 tests across 16 binaries — 6 new CLI tests), `cargo doc`.

Closes / partial

Partial #144 — hsh-cli with 6 working subcommands, 5 packaging templates, 5 migration guides. Remaining: clap_mangen man pages (gated on clap_mangen/clap_builder version skew), full release.yml wiring to materialise templates into release artefacts.

[sebastienrousseau]

Phase 6 added (commit `903595e`) — hsh-digest general-purpose hashing

This PR now spans Phases 0–6. Summary of what Phase 6 brings:

`crates/hsh-digest` (new workspace member)

• ⚠️ NOT for password storage. Crate-level rustdoc opens with the warning + points readers at `hsh::api::hash` for that.
• Thin re-export layer over the RustCrypto `digest::Digest` primitives, scoped to "give me a standard hash" use-cases (content addressing, MAC building blocks, Merkle trees, protocol hashes).

Algorithms

Family	Variants	Feature
SHA-2	Sha256, Sha384, Sha512	`sha2` (default)
SHA-3	Sha3_256, Sha3_384, Sha3_512	`sha3` (default)
BLAKE3	Blake3	`blake3` (default)
K12	KangarooTwelve, TurboSHAKE128/256	`k12` (stub)
Ascon	Ascon-Hash256, Ascon-XOF128	`ascon` (stub)

API

• `Algorithm` enum + `::output_len()` + `::id()` metadata helpers
• One-shot `hash(algorithm, data)` convenience
• Streaming `Hasher::new / update / finalize`
• `constant_time_eq(a, b)` helper backed by `subtle`

KATs

13 tests against NIST CAVP (SHA-2), FIPS 202 (SHA-3), and BLAKE3 project test vectors. Streaming-matches-one-shot consistency check. `output_len_advertised_correctly` across all 7 variants.

ADR

ADR-0005 — general-hashing scope decision documents the boundaries: re-export only, never reimplement; no KDF / HMAC / signatures / KEMs; K12 and Ascon reserved for follow-up.

Verification

All gates green locally: `cargo fmt --check`, `cargo clippy -D warnings`, `cargo test --workspace --all-features` (~165 tests across 17 binaries — 13 new KATs + 2 new doctests), `cargo doc`.

Closes / partial

Partial #145 — Algorithm enum, Hasher, one-shot, constant_time_eq, KAT suite, ADR-0005. Remaining: K12 + Ascon implementations (tracked as Phase 6 follow-ups).

[sebastienrousseau]

Phase 7 added (commit `af89d77`) — v1.0 stabilisation contract

This PR now spans Phases 0–7, completing the full enterprise-readiness programme. Phase 7 is mostly docs and policy since the actual v1.0.0 tag is a maintainer decision after the soak window.

API stability contract

• `doc/API-STABILITY.md` — per-crate per-symbol stability tier (Stable / Unstable / Internal), MSRV policy, `#[non_exhaustive]` semantics, deprecation policy, yanked-release policy, semver bump cheat sheet.
• ADR-0007 — v1.0 stability contract — surfaces frozen at v1.0, lockstep versioning across the four crates, the ~8-week stabilisation window, Critical/High/Medium/Low patched-release SLAs.

Maintainer runbook

• `doc/RELEASE.md` — end-to-end runbook (T-7d pre-release checks → T-0 tag push → T+1h post-release smoke tests → rollback procedure).

Community support

• `doc/SUPPORT.md` — channels, response-window commitments, bug-report template.

README rebuild

• Workspace-at-a-glance table for all 4 crates.
• Algorithm capability matrix with OWASP-2025 notes.
• What-landed-in-v0.0.9 phase table (all 8 ✅).
• Documentation index linking every long-form guide.
• OpenSSF Scorecard badge.

SECURITY.md rewrite

• Severity-based SLAs (Critical 72h / Medium 14d / yank within 24h for High).
• Defended-vs-tracked-follow-up split reflects the post-Phase-6 reality.
• Supply-chain section enumerates the Phase 2 pipeline: SLSA L3, sigstore, SBOM, Scorecard, fuzz, Miri.
• Coordinated-disclosure section for embargoed advisories.

Verification

All gates green locally: `cargo fmt --check`, `cargo clippy -D warnings`, `cargo test --workspace --all-features` (~165 tests across 17 binaries), `cargo doc`.

Closes

#146 (Phase 7) — API-stability contract, ADR-0007, RELEASE.md, SUPPORT.md, README rebuild, SECURITY.md rewrite.

The v1.0.0 tag itself is a maintainer decision after the ~8-week soak documented in ADR-0007. The contract is locked in here.

---

Full PR summary — Phases 0–7

Phase	Commit	What
0	`35c1a9b`	workspace conversion + security hot-fixes (S1/S3/S7/S10)
0	`f687960`	SECURITY.md / CHANGELOG.md / ADR-0006
1	`2555b74`	RustCrypto migration, PHC, `verify_and_upgrade`
2	`2b2af6d`	fuzz, proptest, criterion, supply-chain, 5 CI workflows
3	`23cc102`	pepper / KMS integration (`hsh-kms`)
4	`2f05b50`	PBKDF2 + Backend(FIPS) fail-closed contract
5	`115c467`	`hsh-cli` + 5 packaging templates + 5 migration guides
6	`903595e`	`hsh-digest` general-purpose hashing crate
7	`af89d77`	v1.0 stabilisation contract + runbooks

9 commits, ~5,000 LoC added, 26 GitHub issues addressed (Phase 0 + 1 + 2 + 4 + 5 + 6 + 7 closes; Phase 3 + 4 partial with documented follow-ups).

This is ready to merge whenever you are.

[sebastienrousseau]

Audit follow-up landed (commit `ac1de91`)

Applied the "Comprehensive Rust Library Overhaul" audit. Headline change is the `Policy::builder()` pattern — the struct-literal construction we used in Phases 0–7 was fragile; new fields broke every test fixture four times. The builder absorbs that.

Policy refactor

• `Policy` fields are now `pub(crate)`. Public construction goes through:
  • Presets: `Policy::owasp_minimum_2025()`, `rfc9106_first_recommended()`, `fips_140_pbkdf2()`.
  • `PolicyBuilder::new()` (blank slate, requires `primary`).
  • `PolicyBuilder::from_preset(&policy)` (override selected fields).
  • `Policy::with_pepper()` combinator (existing).
• New accessor methods: `primary()`, `backend()`, `argon2_params()`, `bcrypt_params()`, `scrypt_params()`, `pbkdf2_params()`, `has_pepper()`, `to_builder()`.
• New `Error::InvalidPolicy(&'static str)` variant for builder validation.
• All call sites migrated: tests / benches / fuzz / CLI.

Workspace lints centralisation

• `[workspace.lints.rust]` + `[workspace.lints.clippy]` in root `Cargo.toml` — single source of truth.
• Each crate's `Cargo.toml` now uses `[lints] workspace = true`.
• Added `clippy::pedantic` / `nursery` / `cargo` at warn, plus `unwrap_used` / `expect_used` at warn.
• Tests / examples / benches / fuzz carry `#![allow(clippy::unwrap_used, ...)]` for legitimate test-code unwraps.
• Lib roots carry `#![cfg_attr(test, allow(...))]` for inline `mod tests`.

compat-v0_0_x gating

• `Hash::new_argon2i` is now `#[cfg(feature = "compat-v0_0_x")]` so v0.2.0 can drop it cleanly.

CI additions

• `feature-checks` job runs `cargo hack check --workspace --feature-powerset --no-dev-deps --exclude-features fips`.
• `public-api` job runs `cargo public-api --diff-git-checkouts origin/main HEAD --simplified` on PRs (advisory, pairs with semver policy in `doc/API-STABILITY.md`).

Verification

• `cargo fmt --check` clean
• `cargo build --workspace --all-features` clean
• `cargo test --workspace --all-features`: ~167 tests across 17 binaries pass (1 new — `policy_builder_requires_primary_when_blank`)
• `cargo doc --workspace --no-deps --all-features` clean

`cargo clippy` now surfaces pedantic warnings as advisory (the base lints remain hard errors under `-D warnings`). A small number of pedantic warnings against the lib code itself (collect-then-join, `cast_possible_truncation` in CLI calibrate) are tracked for a hygiene PR in v0.0.10.

PR scope after this commit

PR #165 now spans Phases 0–7 plus the audit-driven hygiene refactor. 10 commits total. Still merge-ready.