@@ -762,6 +762,211 @@ Completed `1.2.0` work packages:
762762 metadata to the ` 1.2.3 ` family.
763763- Keep runtime behavior, SIMD admission scope, and decode behavior unchanged.
764764
765+ ### Commit-Based ` 1.2.3 ` to ` 1.3.0 ` Completion Plan
766+
767+ The ` 1.3.0 ` line should be treated as the final implementation-completion
768+ line before the crate moves into maintenance-first development. Do not use
769+ patch tags as planning units in this line. Instead, land one reviewed commit at
770+ a time, run pentest after each commit, and advance only when the previous
771+ commit has clean local evidence, clean GitHub CI, and clean external review.
772+
773+ Each commit must follow these rules:
774+
775+ - Keep the change narrowly scoped and reviewable.
776+ - Update the relevant docs in the same commit.
777+ - Run the normal local checks before pentest.
778+ - Run pentest after the commit and fix findings before starting the next
779+ commit.
780+ - Do not publish crates.io packages or make release claims until the final
781+ ` 1.3.0 ` release candidate passes the full gate.
782+
783+ Recommended commit sequence:
784+
785+ 1 . Commit: decode SIMD design and API freeze.
786+ - Freeze the decode acceleration scope: strict Standard and URL-safe
787+ alphabets first, padded and unpadded, no line wrapping, no legacy
788+ whitespace, no custom alphabets, and no secret-decoding claim beyond the
789+ existing constant-time-oriented scalar API.
790+ - Add or refresh docs explaining why decode is harder than encode:
791+ invalid-input handling, canonical trailing bits, padding, output
792+ retention, and timing behavior.
793+ - Pentest focus: API wording, no accidental decode acceleration claim, and
794+ no weakened secret-handling guidance.
795+
796+ 2 . Commit: decode backend boundary hardening.
797+ - Ensure every public strict decode entry point routes through one internal
798+ decode backend boundary while still forcing scalar behavior.
799+ - Add scalar-equivalence tests around the boundary for canonical,
800+ malformed, undersized-output, padded, and unpadded inputs.
801+ - Pentest focus: no behavior change, no error-shape regression, no
802+ retained-output regression.
803+
804+ 3 . Commit: SSSE3/SSE4.1 decode prototype.
805+ - Add a non-dispatchable x86/x86_64 fixed-block decode prototype for
806+ Standard and URL-safe alphabets.
807+ - Keep malformed-input validation conservative: prototype output must not
808+ be observable through public APIs until scalar-equivalence and error
809+ agreement are complete.
810+ - Include register cleanup, generated assembly evidence hooks, and
811+ scalar-differential tests.
812+ - Pentest focus: invalid-byte handling, padding, canonical trailing bits,
813+ and cleanup on rejected inputs.
814+
815+ 4 . Commit: AVX2 decode prototype.
816+ - Add a non-dispatchable AVX2 fixed-block decode prototype with the same
817+ Standard and URL-safe scope.
818+ - Reuse the decode evidence harness rather than adding a second policy
819+ path.
820+ - Pentest focus: lane-boundary handling, fallback behavior, and no
821+ out-of-bounds reads near tails.
822+
823+ 5 . Commit: AVX-512 VBMI decode prototype.
824+ - Add a non-dispatchable AVX-512 VBMI fixed-block decode prototype only if
825+ the alphabet classification, invalid-byte detection, and register cleanup
826+ story are complete.
827+ - If evidence is incomplete, keep AVX-512 decode explicitly deferred and do
828+ not block ` 1.3.0 ` .
829+ - Pentest focus: table lookup semantics, invalid-byte masks, register
830+ cleanup, and generated assembly review.
831+
832+ 6 . Commit: AArch64 NEON decode prototype.
833+ - Add a non-dispatchable NEON fixed-block decode prototype for Standard and
834+ URL-safe alphabets.
835+ - Require real AArch64 Linux and macOS hardware evidence before any later
836+ dispatch admission.
837+ - Pentest focus: lane-boundary handling, canonicality, cleanup, and
838+ platform-specific feature assumptions.
839+
840+ 7 . Commit: decode fuzz, differential, and malformed-input evidence.
841+ - Expand fuzz and deterministic tests across scalar, prototype decode, and
842+ backend-boundary behavior.
843+ - Include malformed padding, non-canonical trailing bits, every invalid byte
844+ position, short outputs, tails, and mixed alphabet inputs.
845+ - Pentest focus: denial-of-service behavior, panic-free malformed inputs,
846+ and error/index consistency where public strict errors promise it.
847+
848+ 8 . Commit: admit SSSE3/SSE4.1 decode dispatch.
849+ - Activate runtime-dispatched SSSE3/SSE4.1 decode only if commits 2, 3, and
850+ 7 are clean and evidence is complete.
851+ - Keep scalar fallback for unsupported CPUs, ` no_std ` , custom alphabets,
852+ wrapped/legacy decode, short inputs, tails, and every CT secret decode
853+ path.
854+ - Pentest focus: active backend selection, fallback behavior, cleanup, and
855+ runtime report accuracy.
856+
857+ 9 . Commit: admit AVX2 decode dispatch.
858+ - Activate AVX2 decode above SSSE3/SSE4.1 when runtime CPU probing proves
859+ support and evidence is complete.
860+ - Keep every unsupported surface scalar.
861+ - Pentest focus: backend priority, scalar fallback, and no AVX2 illegal
862+ instruction risk.
863+
864+ 10 . Commit: admit AVX-512 VBMI and/or NEON decode dispatch.
865+ - Activate AVX-512 VBMI and NEON decode only for backends with complete
866+ hardware, assembly, fuzz, benchmark, and cleanup evidence.
867+ - If one backend lacks evidence, leave that backend prototype-only and
868+ document it as deferred rather than weakening the release.
869+ - Pentest focus: active-backend honesty, register cleanup, and hardware
870+ evidence traceability.
871+
872+ 11 . Commit: remaining encode surface review.
873+ - Review in-place encode, custom alphabets, bcrypt/crypt, line-wrapped
874+ encode, and no_std/wasm encode acceleration candidates.
875+ - Admit only low-risk surfaces with complete evidence. Otherwise document
876+ them as intentionally scalar.
877+ - Pentest focus: no accidental acceleration of custom/secret-indexed
878+ alphabet paths and no output-overlap mistakes in in-place encode.
879+
880+ 12 . Commit: full Tokio async streaming adapters.
881+ - Upgrade ` base64-ng-tokio ` from bounded helper APIs to reviewed
882+ ` AsyncRead ` /` AsyncWrite ` streaming state machines if cancellation,
883+ buffering, backpressure, drop cleanup, and dependency admission evidence
884+ are complete.
885+ - Keep bounded helper APIs as the simple path.
886+ - Pentest focus: cancellation safety, partial writes, buffered plaintext
887+ cleanup, framed-payload boundaries, and denial-of-service bounds.
888+
889+ 13 . Commit: const decode API.
890+ - Add strict const decode only if the API can stay explicit about output
891+ length, padding policy, and compile-time/runtime panic boundaries.
892+ - Prefer checked const helpers where stable Rust permits; avoid hiding
893+ malformed-input errors behind confusing panics.
894+ - Pentest focus: panic policy, runtime-callable const functions, and
895+ untrusted-length guidance.
896+
897+ 14 . Commit: companion-crate completion pass.
898+ - Expand ` base64-ng-serde ` , ` base64-ng-bytes ` , ` base64-ng-subtle ` ,
899+ ` base64-ng-sanitization ` , ` base64-ng-derive ` , and ` base64-ng-tokio `
900+ only where the addition removes real caller footguns.
901+ - Candidate work: profile-specific serde modules, bytes decode-to-buffer
902+ helpers, subtle comparison examples, locked-memory direct-fill examples,
903+ derive examples for URL-safe no-pad keys, and Tokio streaming docs.
904+ - Pentest focus: dependency admission, feature isolation, secret logging,
905+ and no new core dependencies.
906+
907+ 15 . Commit: formal verification expansion.
908+ - Add Kani harnesses for decode backend boundary invariants, wrapped
909+ decode bounds, stream state-machine failure latching, SIMD/scalar decode
910+ equivalence for bounded blocks where feasible, and no-panic public scalar
911+ malformed-input paths.
912+ - Keep claims precise: bounded Kani evidence, not whole-crate formal
913+ verification.
914+ - Pentest focus: proof scope wording and no unsupported formal-security
915+ claims.
916+
917+ 16 . Commit: benchmark and evidence refresh.
918+ - Add or refresh benchmark evidence against the established ` base64 ` crate
919+ for scalar, encode SIMD, and any admitted decode SIMD backends.
920+ - Record CPU, OS, Rust version, command, feature flags, and raw output.
921+ - Pentest focus: performance claims match admitted backends only.
922+
923+ 17 . Commit: wasm posture decision.
924+ - Decide whether wasm ` simd128 ` remains compile-evidence only or admits a
925+ specific runtime/deployment profile.
926+ - Keep wasm wipe behavior fail-closed unless the explicit
927+ ` allow-wasm32-best-effort-wipe ` feature is enabled.
928+ - Pentest focus: wasm JIT caveats, no overclaimed zeroization, and no
929+ runtime dispatch ambiguity.
930+
931+ 18 . Commit: final ` 1.3.0 ` release-candidate documentation.
932+ - Sync README, ` docs/SIMD.md ` , ` docs/SIMD_ADMISSION.md ` ,
933+ ` docs/UNSAFE.md ` , ` docs/CONSTANT_TIME.md ` , ` docs/BENCHMARKS.md ` ,
934+ companion crate docs, release metadata, and publish plan.
935+ - Explicitly name every active encode and decode backend.
936+ - Explicitly name every scalar-only surface that remains intentionally
937+ scalar.
938+ - Pentest focus: release claims, missing caveats, and documentation drift.
939+
940+ 19 . Commit: final release-gate rehearsal.
941+ - Run the full release gate, Kani, Miri where available, fuzz/dudect/perf
942+ evidence scripts, target matrix, macOS and AArch64 hardware checks,
943+ package listing checks, signed-tag checks, and publish dry runs.
944+ - Fix only release blockers after this commit. Any new feature discovered
945+ at this point moves out of ` 1.3.0 ` .
946+ - Pentest focus: final release candidate only.
947+
948+ ` 1.3.0 ` acceptance criteria:
949+
950+ - SIMD decode is active only for backends explicitly admitted in
951+ ` docs/SIMD_ADMISSION.md ` .
952+ - Decode acceleration covers strict Standard and URL-safe surfaces that have
953+ complete evidence; every other decode surface remains scalar and documented.
954+ - Encode acceleration remains correct and unchanged for all admitted ` 1.2.0 `
955+ backends unless a later commit deliberately expands the admitted encode
956+ scope with equal evidence.
957+ - CT-oriented secret decode remains scalar unless a separate formal
958+ side-channel evidence package proves otherwise. Do not route CT decode
959+ through normal SIMD decode.
960+ - Full Tokio streaming exists only if the cancellation/drop/buffering evidence
961+ is complete; otherwise it remains explicitly deferred and does not block
962+ ` 1.3.0 ` .
963+ - Const decode exists only if the panic and error contract is clear; otherwise
964+ it remains deferred and does not block SIMD decode release.
965+ - Kani, fuzz, Miri, dudect, generated assembly, benchmark, unsafe-boundary,
966+ panic-policy, dependency, package, macOS, AArch64, and GitHub CI evidence are
967+ clean for the exact release candidate.
968+ - Release notes make no claim that is broader than the admitted evidence.
969+
765970After ` 1.2.0 ` :
766971
767972- Pause encode feature work for roughly two weeks before starting SIMD decode
0 commit comments