Skip to content

Commit 61f4313

Browse files
committed
Start 0.10 audit cycle
1 parent 73d5b03 commit 61f4313

14 files changed

Lines changed: 104 additions & 22 deletions

CHANGELOG.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,11 @@
11
# Changelog
22

3+
## 0.10.0-alpha.0 - Unreleased
4+
5+
- Started the next development cycle after the `0.9.0` release.
6+
- Added a dedicated public API audit checklist for the `v0.10`
7+
release-candidate audit-preparation milestone.
8+
39
## 0.9.0 - 2026-05-17
410

511
- Started the next development cycle after the `0.8.0` release.

Cargo.lock

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

Cargo.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
[package]
22
name = "base64-ng"
3-
version = "0.9.0"
3+
version = "0.10.0-alpha.0"
44
edition = "2024"
55
rust-version = "1.95"
66
license = "MIT OR Apache-2.0"

README.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,8 @@ The crate starts conservative: a small scalar implementation, strict RFC 4648 be
66

77
## Current Status
88

9-
The current public release is `0.9.0`.
9+
The current public release is `0.9.0`. The development branch is
10+
`0.10.0-alpha.0`.
1011

1112
Implemented now:
1213

@@ -47,9 +48,8 @@ Implemented now:
4748
Planned behind admission evidence:
4849

4950
- Admitted AVX2, AVX-512, SSSE3/SSE4.1, ARM NEON, and wasm `simd128`
50-
fast paths after the SIMD admission evidence is complete. The `0.9.0`
51-
release remains scalar-only because that full evidence package has not
52-
landed.
51+
fast paths after the SIMD admission evidence is complete. Current `0.10`
52+
development remains scalar-only unless that full evidence package lands.
5353
- Async streaming wrappers only after the `tokio` feature passes the
5454
dependency and cancellation-safety admission bar in [docs/ASYNC.md](docs/ASYNC.md).
5555
- Optional `serde` or `bytes` integration only if a concrete use case clears

docs/API_AUDIT.md

Lines changed: 64 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,64 @@
1+
# Public API Audit
2+
3+
This document tracks the `v0.10` audit-preparation milestone. The goal is to
4+
enter the `v1.0` candidate series with a small, explicit, security-reviewed
5+
public surface. The audit favors removing or documenting ambiguous APIs over
6+
adding convenience.
7+
8+
## Audit Rules
9+
10+
- Keep strict, canonical decoding as the default.
11+
- Keep legacy, wrapped, profile-specific, and constant-time-oriented behavior
12+
explicit in names or modules.
13+
- Do not add broad conversion traits that hide alphabet, padding, wrapping,
14+
allocation, or secret-handling policy.
15+
- Do not admit optional ecosystem dependencies without a written dependency
16+
admission record.
17+
- Do not admit active SIMD dispatch through an API audit; SIMD remains governed
18+
by the dedicated SIMD admission manifest.
19+
- Treat any API that exposes owned bytes or backing arrays as a security
20+
boundary that must be documented.
21+
- Prefer caller-owned output APIs and recoverable errors for untrusted input.
22+
23+
## Public Surface Under Review
24+
25+
| Area | Status | Notes |
26+
| --- | --- | --- |
27+
| Engine constants and `Engine<A, PAD>` | review pending | Confirm strict/default semantics and constructor naming before `v1.0`. |
28+
| `Profile<A, PAD>` and named profiles | review pending | Freeze MIME, PEM, bcrypt-style, `crypt(3)`-style, wrapping, and padding behavior. |
29+
| Length helpers | review pending | Confirm all public helpers stay recoverable and panic-free for untrusted sizes. |
30+
| Slice encode/decode APIs | review pending | Confirm buffer sizing, clear-tail variants, and error semantics. |
31+
| In-place APIs | review pending | Confirm decode-to-front and encode-to-back contracts are clear. |
32+
| Validation-only APIs | review pending | Confirm validate/decode agreement across strict, legacy, wrapped, and ct paths. |
33+
| Stack-backed buffers | review pending | Confirm exposed-array escape hatches and cleanup boundaries are documented. |
34+
| `SecretBuffer` | review pending | Confirm redaction, cleanup limits, comparison semantics, and ownership escape hatches. |
35+
| `ct` module | review pending | Confirm non-claim wording and opaque error behavior remain explicit. |
36+
| `stream` module | review pending | Confirm fail-closed behavior, retry semantics, state helpers, and recovery helpers. |
37+
| Runtime backend reporting | review pending | Confirm scalar-only posture and stable log identifiers. |
38+
| Feature flags | review pending | Confirm `tokio`, `kani`, `fuzzing`, and `simd` remain inert or reserved as documented. |
39+
| Error types | review pending | Confirm variants and indexes are stable enough for downstream diagnostics. |
40+
| Macros and custom alphabets | review pending | Confirm compile-time validation and custom-alphabet performance/security tradeoffs. |
41+
42+
## `v1.0` Admission Questions
43+
44+
- Is the API name explicit about strict, legacy, wrapped, profile, or
45+
constant-time-oriented behavior?
46+
- Can the caller size memory before using the API?
47+
- Does the API have a caller-owned buffer form when it can allocate?
48+
- Does the API expose a clear cleanup boundary for sensitive data?
49+
- Does the API keep malformed input recoverable instead of panicking?
50+
- Does the API commit to behavior that future SIMD backends can reproduce
51+
exactly?
52+
- Does the API require dependency admission or feature-policy documentation?
53+
54+
## Initial `v0.10` Direction
55+
56+
- Keep async/Tokio, serde, bytes, zeroize, subtle, property-test, and
57+
Criterion-style integrations out unless a concrete admission record is
58+
written.
59+
- Keep `ct` documented as constant-time-oriented rather than formally
60+
cryptographic unless verification evidence improves during the `v0.10` to
61+
`v0.12` candidate series.
62+
- Keep active dispatch scalar-only until SIMD admission evidence is complete.
63+
- Focus implementation work on audit findings, documentation gaps, tests, and
64+
evidence rather than new feature breadth.

docs/SIMD.md

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,8 @@
11
# SIMD Admission Policy
22

3-
`base64-ng` is intentionally scalar-only in the `0.9.0` release because no
4-
complete SIMD admission evidence package has landed. The crate uses
5-
`#![deny(unsafe_code)]` and permits reviewed
3+
`base64-ng` is intentionally scalar-only in the `0.10.0-alpha.0` development
4+
branch unless a complete SIMD admission evidence package lands in the same
5+
release series. The crate uses `#![deny(unsafe_code)]` and permits reviewed
66
`allow(unsafe_code)` exceptions only for volatile wipe helpers in `src/lib.rs`
77
and the private `src/simd.rs` boundary. The `simd` feature remains reserved
88
until architecture-specific code has enough evidence to justify enabling it.
@@ -61,10 +61,10 @@ weakening the scalar trust base.
6161
- Unit tests compare dispatch behavior against the scalar reference for
6262
canonical inputs, malformed inputs, and undersized output buffers.
6363
- The `simd` feature does not enable accelerated code yet.
64-
- The `0.9.0` release remains scalar-only because the SIMD admission manifest,
65-
scalar differential tests, fuzz evidence, unsafe inventory, architecture
66-
evidence, benchmark evidence, and release wording were not updated together
67-
for an admitted backend.
64+
- Current `0.10` development remains scalar-only unless the SIMD admission
65+
manifest, scalar differential tests, fuzz evidence, unsafe inventory,
66+
architecture evidence, benchmark evidence, and release wording are updated
67+
together.
6868
- CI checks the reserved `simd` feature in `no_std` mode for x86_64, aarch64,
6969
FreeBSD, wasm32, and Cortex-M targets.
7070
- Performance claims must be backed by local benchmark evidence, not roadmap

docs/SIMD_ADMISSION.md

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -10,8 +10,9 @@ the admitted implementation.
1010
- Admitted backends: none.
1111
- Active backend: scalar only.
1212
- Public performance claims: none.
13-
- Release status: `0.9.0` remains scalar-only because this manifest has not
14-
been updated with a complete backend admission evidence package.
13+
- Release status: current `0.10.0-alpha.0` development remains scalar-only
14+
unless this manifest is updated with a complete backend admission evidence
15+
package in the same release series.
1516

1617
## Required For Every Admitted Backend
1718

dudect/Cargo.lock

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

dudect/Cargo.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,4 +5,4 @@ edition = "2024"
55
publish = false
66

77
[dependencies]
8-
base64-ng = { path = "..", version = "0.9.0-alpha.0", default-features = false }
8+
base64-ng = { path = "..", version = "0.10.0-alpha.0", default-features = false }

fuzz/Cargo.lock

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)