|
| 1 | +# Public API Audit |
| 2 | + |
| 3 | +This document tracks the `v0.10` audit-preparation milestone. The goal is to |
| 4 | +enter the `v1.0` candidate series with a small, explicit, security-reviewed |
| 5 | +public surface. The audit favors removing or documenting ambiguous APIs over |
| 6 | +adding convenience. |
| 7 | + |
| 8 | +## Audit Rules |
| 9 | + |
| 10 | +- Keep strict, canonical decoding as the default. |
| 11 | +- Keep legacy, wrapped, profile-specific, and constant-time-oriented behavior |
| 12 | + explicit in names or modules. |
| 13 | +- Do not add broad conversion traits that hide alphabet, padding, wrapping, |
| 14 | + allocation, or secret-handling policy. |
| 15 | +- Do not admit optional ecosystem dependencies without a written dependency |
| 16 | + admission record. |
| 17 | +- Do not admit active SIMD dispatch through an API audit; SIMD remains governed |
| 18 | + by the dedicated SIMD admission manifest. |
| 19 | +- Treat any API that exposes owned bytes or backing arrays as a security |
| 20 | + boundary that must be documented. |
| 21 | +- Prefer caller-owned output APIs and recoverable errors for untrusted input. |
| 22 | + |
| 23 | +## Public Surface Under Review |
| 24 | + |
| 25 | +| Area | Status | Notes | |
| 26 | +| --- | --- | --- | |
| 27 | +| Engine constants and `Engine<A, PAD>` | review pending | Confirm strict/default semantics and constructor naming before `v1.0`. | |
| 28 | +| `Profile<A, PAD>` and named profiles | review pending | Freeze MIME, PEM, bcrypt-style, `crypt(3)`-style, wrapping, and padding behavior. | |
| 29 | +| Length helpers | review pending | Confirm all public helpers stay recoverable and panic-free for untrusted sizes. | |
| 30 | +| Slice encode/decode APIs | review pending | Confirm buffer sizing, clear-tail variants, and error semantics. | |
| 31 | +| In-place APIs | review pending | Confirm decode-to-front and encode-to-back contracts are clear. | |
| 32 | +| Validation-only APIs | review pending | Confirm validate/decode agreement across strict, legacy, wrapped, and ct paths. | |
| 33 | +| Stack-backed buffers | review pending | Confirm exposed-array escape hatches and cleanup boundaries are documented. | |
| 34 | +| `SecretBuffer` | review pending | Confirm redaction, cleanup limits, comparison semantics, and ownership escape hatches. | |
| 35 | +| `ct` module | review pending | Confirm non-claim wording and opaque error behavior remain explicit. | |
| 36 | +| `stream` module | review pending | Confirm fail-closed behavior, retry semantics, state helpers, and recovery helpers. | |
| 37 | +| Runtime backend reporting | review pending | Confirm scalar-only posture and stable log identifiers. | |
| 38 | +| Feature flags | review pending | Confirm `tokio`, `kani`, `fuzzing`, and `simd` remain inert or reserved as documented. | |
| 39 | +| Error types | review pending | Confirm variants and indexes are stable enough for downstream diagnostics. | |
| 40 | +| Macros and custom alphabets | review pending | Confirm compile-time validation and custom-alphabet performance/security tradeoffs. | |
| 41 | + |
| 42 | +## `v1.0` Admission Questions |
| 43 | + |
| 44 | +- Is the API name explicit about strict, legacy, wrapped, profile, or |
| 45 | + constant-time-oriented behavior? |
| 46 | +- Can the caller size memory before using the API? |
| 47 | +- Does the API have a caller-owned buffer form when it can allocate? |
| 48 | +- Does the API expose a clear cleanup boundary for sensitive data? |
| 49 | +- Does the API keep malformed input recoverable instead of panicking? |
| 50 | +- Does the API commit to behavior that future SIMD backends can reproduce |
| 51 | + exactly? |
| 52 | +- Does the API require dependency admission or feature-policy documentation? |
| 53 | + |
| 54 | +## Initial `v0.10` Direction |
| 55 | + |
| 56 | +- Keep async/Tokio, serde, bytes, zeroize, subtle, property-test, and |
| 57 | + Criterion-style integrations out unless a concrete admission record is |
| 58 | + written. |
| 59 | +- Keep `ct` documented as constant-time-oriented rather than formally |
| 60 | + cryptographic unless verification evidence improves during the `v0.10` to |
| 61 | + `v0.12` candidate series. |
| 62 | +- Keep active dispatch scalar-only until SIMD admission evidence is complete. |
| 63 | +- Focus implementation work on audit findings, documentation gaps, tests, and |
| 64 | + evidence rather than new feature breadth. |
0 commit comments