|
| 1 | +# Async Admission Policy |
| 2 | + |
| 3 | +`base64-ng` does not currently provide async streaming wrappers. The `tokio` |
| 4 | +feature is intentionally inert and dependency-free until an async API is |
| 5 | +admitted through the same evidence-driven process used for SIMD and other |
| 6 | +security-sensitive surfaces. |
| 7 | + |
| 8 | +This keeps the published crate small and avoids adding a runtime dependency |
| 9 | +before the API, cancellation behavior, and security tradeoffs are documented. |
| 10 | + |
| 11 | +## Current Status |
| 12 | + |
| 13 | +- The `stream` feature provides `std::io` streaming wrappers. |
| 14 | +- The `tokio` feature is reserved and currently expands to an empty feature set. |
| 15 | +- `scripts/check_reserved_features.sh` verifies that `tokio` remains inert and |
| 16 | + dependency-free until admission. |
| 17 | +- No async traits, Tokio types, or async runtime dependencies are exported by |
| 18 | + the crate today. |
| 19 | + |
| 20 | +## Admission Requirements |
| 21 | + |
| 22 | +Before the `tokio` feature may add a dependency or public API, the change must |
| 23 | +include: |
| 24 | + |
| 25 | +- A written dependency review covering the Tokio version, transitive |
| 26 | + dependency graph, licenses, advisories, and why `std` is insufficient. |
| 27 | +- `tokio` must stay optional and must not become a default feature. |
| 28 | +- The non-async `stream` API must remain available without Tokio. |
| 29 | +- Cancellation behavior must be specified for partially buffered plaintext, |
| 30 | + encoded output, pending decode input, and terminal padding states. |
| 31 | +- Drop behavior must clear internal staging buffers with the same best-effort |
| 32 | + retention-reduction posture as the current `std::io` wrappers. |
| 33 | +- Chunk-boundary tests must cover reads and writes split at every Base64 |
| 34 | + quantum boundary. |
| 35 | +- Adjacent framed payload tests must prove decoder readers do not consume bytes |
| 36 | + beyond terminal padding. |
| 37 | +- Fuzz coverage must include fragmented async-like chunk schedules before any |
| 38 | + performance claim is made. |
| 39 | +- Release evidence must include `cargo deny check`, `cargo audit`, and |
| 40 | + `cargo license --json` output with the async feature enabled. |
| 41 | + |
| 42 | +## Non-Goals |
| 43 | + |
| 44 | +- Async wrappers are not a reason to weaken strict Base64 validation. |
| 45 | +- Async wrappers must not enable SIMD dispatch or unsafe code by default. |
| 46 | +- Async wrappers must not become the primary API; caller-owned buffers and |
| 47 | + scalar strict semantics remain the reference behavior. |
| 48 | + |
| 49 | +## Release Rule |
| 50 | + |
| 51 | +Do not advertise async or Tokio support in release notes until the feature |
| 52 | +exports a tested public API and the dependency/admission evidence is present. |
0 commit comments