Skip to content

Commit d70e98d

Browse files
committed
Document 1.3.0 completion commit plan
1 parent 0d4df28 commit d70e98d

2 files changed

Lines changed: 211 additions & 0 deletions

File tree

docs/PLAN.md

Lines changed: 205 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -762,6 +762,211 @@ Completed `1.2.0` work packages:
762762
metadata to the `1.2.3` family.
763763
- Keep runtime behavior, SIMD admission scope, and decode behavior unchanged.
764764

765+
### Commit-Based `1.2.3` to `1.3.0` Completion Plan
766+
767+
The `1.3.0` line should be treated as the final implementation-completion
768+
line before the crate moves into maintenance-first development. Do not use
769+
patch tags as planning units in this line. Instead, land one reviewed commit at
770+
a time, run pentest after each commit, and advance only when the previous
771+
commit has clean local evidence, clean GitHub CI, and clean external review.
772+
773+
Each commit must follow these rules:
774+
775+
- Keep the change narrowly scoped and reviewable.
776+
- Update the relevant docs in the same commit.
777+
- Run the normal local checks before pentest.
778+
- Run pentest after the commit and fix findings before starting the next
779+
commit.
780+
- Do not publish crates.io packages or make release claims until the final
781+
`1.3.0` release candidate passes the full gate.
782+
783+
Recommended commit sequence:
784+
785+
1. Commit: decode SIMD design and API freeze.
786+
- Freeze the decode acceleration scope: strict Standard and URL-safe
787+
alphabets first, padded and unpadded, no line wrapping, no legacy
788+
whitespace, no custom alphabets, and no secret-decoding claim beyond the
789+
existing constant-time-oriented scalar API.
790+
- Add or refresh docs explaining why decode is harder than encode:
791+
invalid-input handling, canonical trailing bits, padding, output
792+
retention, and timing behavior.
793+
- Pentest focus: API wording, no accidental decode acceleration claim, and
794+
no weakened secret-handling guidance.
795+
796+
2. Commit: decode backend boundary hardening.
797+
- Ensure every public strict decode entry point routes through one internal
798+
decode backend boundary while still forcing scalar behavior.
799+
- Add scalar-equivalence tests around the boundary for canonical,
800+
malformed, undersized-output, padded, and unpadded inputs.
801+
- Pentest focus: no behavior change, no error-shape regression, no
802+
retained-output regression.
803+
804+
3. Commit: SSSE3/SSE4.1 decode prototype.
805+
- Add a non-dispatchable x86/x86_64 fixed-block decode prototype for
806+
Standard and URL-safe alphabets.
807+
- Keep malformed-input validation conservative: prototype output must not
808+
be observable through public APIs until scalar-equivalence and error
809+
agreement are complete.
810+
- Include register cleanup, generated assembly evidence hooks, and
811+
scalar-differential tests.
812+
- Pentest focus: invalid-byte handling, padding, canonical trailing bits,
813+
and cleanup on rejected inputs.
814+
815+
4. Commit: AVX2 decode prototype.
816+
- Add a non-dispatchable AVX2 fixed-block decode prototype with the same
817+
Standard and URL-safe scope.
818+
- Reuse the decode evidence harness rather than adding a second policy
819+
path.
820+
- Pentest focus: lane-boundary handling, fallback behavior, and no
821+
out-of-bounds reads near tails.
822+
823+
5. Commit: AVX-512 VBMI decode prototype.
824+
- Add a non-dispatchable AVX-512 VBMI fixed-block decode prototype only if
825+
the alphabet classification, invalid-byte detection, and register cleanup
826+
story are complete.
827+
- If evidence is incomplete, keep AVX-512 decode explicitly deferred and do
828+
not block `1.3.0`.
829+
- Pentest focus: table lookup semantics, invalid-byte masks, register
830+
cleanup, and generated assembly review.
831+
832+
6. Commit: AArch64 NEON decode prototype.
833+
- Add a non-dispatchable NEON fixed-block decode prototype for Standard and
834+
URL-safe alphabets.
835+
- Require real AArch64 Linux and macOS hardware evidence before any later
836+
dispatch admission.
837+
- Pentest focus: lane-boundary handling, canonicality, cleanup, and
838+
platform-specific feature assumptions.
839+
840+
7. Commit: decode fuzz, differential, and malformed-input evidence.
841+
- Expand fuzz and deterministic tests across scalar, prototype decode, and
842+
backend-boundary behavior.
843+
- Include malformed padding, non-canonical trailing bits, every invalid byte
844+
position, short outputs, tails, and mixed alphabet inputs.
845+
- Pentest focus: denial-of-service behavior, panic-free malformed inputs,
846+
and error/index consistency where public strict errors promise it.
847+
848+
8. Commit: admit SSSE3/SSE4.1 decode dispatch.
849+
- Activate runtime-dispatched SSSE3/SSE4.1 decode only if commits 2, 3, and
850+
7 are clean and evidence is complete.
851+
- Keep scalar fallback for unsupported CPUs, `no_std`, custom alphabets,
852+
wrapped/legacy decode, short inputs, tails, and every CT secret decode
853+
path.
854+
- Pentest focus: active backend selection, fallback behavior, cleanup, and
855+
runtime report accuracy.
856+
857+
9. Commit: admit AVX2 decode dispatch.
858+
- Activate AVX2 decode above SSSE3/SSE4.1 when runtime CPU probing proves
859+
support and evidence is complete.
860+
- Keep every unsupported surface scalar.
861+
- Pentest focus: backend priority, scalar fallback, and no AVX2 illegal
862+
instruction risk.
863+
864+
10. Commit: admit AVX-512 VBMI and/or NEON decode dispatch.
865+
- Activate AVX-512 VBMI and NEON decode only for backends with complete
866+
hardware, assembly, fuzz, benchmark, and cleanup evidence.
867+
- If one backend lacks evidence, leave that backend prototype-only and
868+
document it as deferred rather than weakening the release.
869+
- Pentest focus: active-backend honesty, register cleanup, and hardware
870+
evidence traceability.
871+
872+
11. Commit: remaining encode surface review.
873+
- Review in-place encode, custom alphabets, bcrypt/crypt, line-wrapped
874+
encode, and no_std/wasm encode acceleration candidates.
875+
- Admit only low-risk surfaces with complete evidence. Otherwise document
876+
them as intentionally scalar.
877+
- Pentest focus: no accidental acceleration of custom/secret-indexed
878+
alphabet paths and no output-overlap mistakes in in-place encode.
879+
880+
12. Commit: full Tokio async streaming adapters.
881+
- Upgrade `base64-ng-tokio` from bounded helper APIs to reviewed
882+
`AsyncRead`/`AsyncWrite` streaming state machines if cancellation,
883+
buffering, backpressure, drop cleanup, and dependency admission evidence
884+
are complete.
885+
- Keep bounded helper APIs as the simple path.
886+
- Pentest focus: cancellation safety, partial writes, buffered plaintext
887+
cleanup, framed-payload boundaries, and denial-of-service bounds.
888+
889+
13. Commit: const decode API.
890+
- Add strict const decode only if the API can stay explicit about output
891+
length, padding policy, and compile-time/runtime panic boundaries.
892+
- Prefer checked const helpers where stable Rust permits; avoid hiding
893+
malformed-input errors behind confusing panics.
894+
- Pentest focus: panic policy, runtime-callable const functions, and
895+
untrusted-length guidance.
896+
897+
14. Commit: companion-crate completion pass.
898+
- Expand `base64-ng-serde`, `base64-ng-bytes`, `base64-ng-subtle`,
899+
`base64-ng-sanitization`, `base64-ng-derive`, and `base64-ng-tokio`
900+
only where the addition removes real caller footguns.
901+
- Candidate work: profile-specific serde modules, bytes decode-to-buffer
902+
helpers, subtle comparison examples, locked-memory direct-fill examples,
903+
derive examples for URL-safe no-pad keys, and Tokio streaming docs.
904+
- Pentest focus: dependency admission, feature isolation, secret logging,
905+
and no new core dependencies.
906+
907+
15. Commit: formal verification expansion.
908+
- Add Kani harnesses for decode backend boundary invariants, wrapped
909+
decode bounds, stream state-machine failure latching, SIMD/scalar decode
910+
equivalence for bounded blocks where feasible, and no-panic public scalar
911+
malformed-input paths.
912+
- Keep claims precise: bounded Kani evidence, not whole-crate formal
913+
verification.
914+
- Pentest focus: proof scope wording and no unsupported formal-security
915+
claims.
916+
917+
16. Commit: benchmark and evidence refresh.
918+
- Add or refresh benchmark evidence against the established `base64` crate
919+
for scalar, encode SIMD, and any admitted decode SIMD backends.
920+
- Record CPU, OS, Rust version, command, feature flags, and raw output.
921+
- Pentest focus: performance claims match admitted backends only.
922+
923+
17. Commit: wasm posture decision.
924+
- Decide whether wasm `simd128` remains compile-evidence only or admits a
925+
specific runtime/deployment profile.
926+
- Keep wasm wipe behavior fail-closed unless the explicit
927+
`allow-wasm32-best-effort-wipe` feature is enabled.
928+
- Pentest focus: wasm JIT caveats, no overclaimed zeroization, and no
929+
runtime dispatch ambiguity.
930+
931+
18. Commit: final `1.3.0` release-candidate documentation.
932+
- Sync README, `docs/SIMD.md`, `docs/SIMD_ADMISSION.md`,
933+
`docs/UNSAFE.md`, `docs/CONSTANT_TIME.md`, `docs/BENCHMARKS.md`,
934+
companion crate docs, release metadata, and publish plan.
935+
- Explicitly name every active encode and decode backend.
936+
- Explicitly name every scalar-only surface that remains intentionally
937+
scalar.
938+
- Pentest focus: release claims, missing caveats, and documentation drift.
939+
940+
19. Commit: final release-gate rehearsal.
941+
- Run the full release gate, Kani, Miri where available, fuzz/dudect/perf
942+
evidence scripts, target matrix, macOS and AArch64 hardware checks,
943+
package listing checks, signed-tag checks, and publish dry runs.
944+
- Fix only release blockers after this commit. Any new feature discovered
945+
at this point moves out of `1.3.0`.
946+
- Pentest focus: final release candidate only.
947+
948+
`1.3.0` acceptance criteria:
949+
950+
- SIMD decode is active only for backends explicitly admitted in
951+
`docs/SIMD_ADMISSION.md`.
952+
- Decode acceleration covers strict Standard and URL-safe surfaces that have
953+
complete evidence; every other decode surface remains scalar and documented.
954+
- Encode acceleration remains correct and unchanged for all admitted `1.2.0`
955+
backends unless a later commit deliberately expands the admitted encode
956+
scope with equal evidence.
957+
- CT-oriented secret decode remains scalar unless a separate formal
958+
side-channel evidence package proves otherwise. Do not route CT decode
959+
through normal SIMD decode.
960+
- Full Tokio streaming exists only if the cancellation/drop/buffering evidence
961+
is complete; otherwise it remains explicitly deferred and does not block
962+
`1.3.0`.
963+
- Const decode exists only if the panic and error contract is clear; otherwise
964+
it remains deferred and does not block SIMD decode release.
965+
- Kani, fuzz, Miri, dudect, generated assembly, benchmark, unsafe-boundary,
966+
panic-policy, dependency, package, macOS, AArch64, and GitHub CI evidence are
967+
clean for the exact release candidate.
968+
- Release notes make no claim that is broader than the admitted evidence.
969+
765970
After `1.2.0`:
766971

767972
- Pause encode feature work for roughly two weeks before starting SIMD decode

docs/SIMD.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -74,6 +74,12 @@ The SIMD roadmap separates implementation evidence from active acceleration:
7474
the `1.2.x` decode evidence line is complete and the encode acceleration line
7575
has remained stable.
7676

77+
The detailed `1.2.3` to `1.3.0` workflow is commit-based rather than
78+
tag-based. Each planned commit is followed by pentest and CI review before the
79+
next implementation commit starts. See
80+
[`docs/PLAN.md`](PLAN.md#commit-based-123-to-130-completion-plan) for the
81+
complete sequence and `1.3.0` acceptance criteria.
82+
7783
Patch releases in the `1.1.x` and `1.2.x` series may be small by design. Each
7884
patch should move one evidence boundary forward without changing the active
7985
runtime behavior for that line.

0 commit comments

Comments
 (0)