base64-ng 1.0.8

base64-ng 1.0.8

Highlights

• Makes stream decoder internal queue-overflow paths fail closed like the encoder.
• Adds DecodeErrorKind and DecodeError::kind() for redacted strict-error logging.
• Splits AArch64 CSDB attestation into a distinct runtime posture: hardware-speculation-barrier-build-asserted.
• Hardens CI toolchain bootstrap by requiring runner-provided rustup and cargo instead of downloading sh.rustup.rs.
• Updates fuzz, dudect, and performance harness metadata to 1.0.8.
• Expands security docs for strict decode error logging, input-size caps, AArch64 attestation, and CI bootstrap posture.

Notes

base64-ng remains scalar-only in 1.0.8. No runtime dependencies were added.

base64-ng 1.0.7

base64-ng 1.0.7

Highlights

• Enables the current bounded Kani proof gate on Rust 1.90.0 with cargo-kani 0.67.0.
• Confirms 17 no-default-features Kani harnesses pass with 0 failures.
• Strengthens constant-time-oriented byte accumulation through a non-inlined volatile helper.
• Documents the new CT accumulator in the reviewed unsafe-boundary inventory.
• Adds AArch64 CSDB attestation posture reporting through explicit --cfg base64_ng_aarch64_csdb_attested.
• Keeps AArch64 attestation out of Cargo features, so --all-features cannot enable it accidentally.
• Adds runtime memory-locking posture reporting for deployment audits.
• Improves macOS CI verification by routing macOS runners through the dedicated macOS check script.
• Expands documentation around Kani scope, CT posture, AArch64 attestation, and streaming decoder partial-output semantics.

Notes

base64-ng remains scalar-only in 1.0.7. The Kani evidence is scoped bounded proof coverage, not whole-crate formal verification or a formal cryptographic constant-time claim.

base64-ng 1.0.6

base64-ng v1.0.6

Highlights

• Added alloc-gated convenience APIs:

  • base64_ng::encode
  • base64_ng::decode

• Added new constant-time-oriented owned decode helpers:

  • ct::CtEngine::decode_vec
  • ct::CtEngine::decode_secret
  • ct::CtEngine::decode_secret_staged

• Added public base64_ng::constant_time_eq for explicit best-effort, public-length byte comparison.

Security and Hardening

• Added stack-staged owned secret decode for shared-memory, enclave-adjacent, HSM-style, and multi-principal deployments.
• Made stream decoder over-reporting fail closed, matching stream encoder behavior.
• Restored wipe_tail invariant checks so invalid internal offsets fail closed.
• Strengthened documentation around transient plaintext windows in CT owned decode APIs.
• Clarified that constant_time_eq is best-effort and not a formally verified MAC/password/token comparison primitive.
• Removed redundant double-wiping in the CT owned decode path.

Documentation

• Updated README examples for convenience encode/decode and CT secret decode.
• Added guidance for staged secret decode.
• Updated changelog, roadmap, migration docs, SIMD docs, and package metadata to 1.0.6.
• Kept serde deferred as a future optional integration candidate instead of adding a dependency.

Validation

• Added tests for staged CT secret decode.
• Added tests for stream decoder fail-closed behavior.
• Release checks and GitHub CI are green.

base64-ng 1.0.5

base64-ng 1.0.5

Final planned 1.0.x cleanup release before pausing feature work for broader community testing.

Changed

• Split remaining large internals out of src/lib.rs:
  • src/ct.rs
  • src/errors.rs
  • src/length.rs
  • src/scalar.rs
  • src/wrap.rs
• Preserved the public API and crate-root exports.
• Updated release gates, unsafe-boundary checks, panic-policy checks, and package metadata for the new source layout.

Security / Hardening

• Removed a mem::forget pattern from secret string conversion.
• Added failed-state diagnostics to the stream encoder for unrecoverable internal errors.
• Hardened wipe_tail against incorrect future call sites.
• Promoted the encode_in_place internal invariant to a release-mode assertion.
• Expanded CT platform posture documentation for AArch64 and RISC-V.
• Clarified strict non-CT decode behavior on secret-oriented conversion helpers.

Verification

• GitHub CI: green
• Pentest: green
• scripts/checks.sh: passing
• Zero runtime dependencies remain unchanged
• Published crate package excludes local README image assets

base64-ng 1.0.4

v1.0.4

What's Changed

• Continued the 1.0.x source-layout cleanup by moving stack-backed and owned buffer wrappers into src/buffers.rs.
• Preserved public root exports and API behavior for EncodedBuffer, DecodedBuffer, SecretBuffer, and exposed wrapper types.
• Kept stack-backed buffer length invariants encapsulated with checked internal setters after the module split.
• Added clearer security notes to DecodedBuffer and SecretBuffer idiomatic conversions, documenting that TryFrom and FromStr use the strict standard decoder rather than the constant-time-oriented ct decoder.
• Excluded local README image assets from the published crate package to keep crates.io artifacts smaller.
• Tightened AArch64 high-assurance runtime posture reporting by distinguishing unattested hardware speculation barriers.

Verification

• Full release gate passed.
• CodeQL and pentest clean.
• Zero runtime dependencies retained.
• no_std, wasm wipe policy, SIMD admission guards, panic policy, CT policy, fuzz harness, and docs checks passed.

base64-ng 1.0.3

base64-ng v1.0.3

Highlights

• Continued the source-layout cleanup by splitting more internals out of lib.rs.
• Added and hardened a dedicated macOS verification script for Apple Silicon and Intel Darwin targets.
• Improved cleanup hardening around secret buffer clearing and vector spare-capacity wiping.
• Removed an unsafe UTF-8 conversion path from secret string handling.
• Tightened release evidence checks for constant-time assembly symbols after the module split.
• Added clearer documentation for streaming decoder timing posture, RISC-V CT gate limitations, wrapped in-place decode behavior, and unsafe boundary policy.

Security and Assurance

• SecretBuffer::clear() now wipes before logically clearing the vector.
• wipe_vec_spare_capacity() now uses Vec::spare_capacity_mut() for a cleaner MaybeUninit-aware implementation.
• Secret string conversion now stays panic-free and avoids unchecked UTF-8.
• The unsafe boundary checker was updated to reflect the reduced unsafe surface.
• wasm32 wipe policy continues to fail closed by default unless allow-wasm32-best-effort-wipe is explicitly enabled.

Validation

Passed the project release checks, including tests, clippy, doctests, panic policy, unsafe boundary policy, wasm wipe policy, constant-time policy, and CT assembly evidence generation.

base64-ng 1.0.2

base64-ng v1.0.2

Source Layout

• Split the std::io streaming adapters into src/stream.rs.
• Split stream integration tests into tests/stream.rs.
• Preserved the public base64_ng::stream::* API surface.

Security And Documentation

• Added #[must_use] to ct::CtEngine::decode_slice_staged_clear_tail.
• Strengthened constant-time documentation around staged decode, transient output windows, AArch64 CSDB attestation, RISC-V ordering-fence posture, and high-assurance comparison boundaries.
• Added a debug UTF-8 invariant check before the internal unchecked secret-string conversion.
• Clarified SecretBuffer::clear() cleanup ordering.
• Made stream::Encoder reject empty writes after finalization, matching non-empty write behavior.

Validation

• Full release gate passed.
• CodeQL and pentest were clean before tagging.
• Runtime dependency count remains zero.

base64-ng 1.0.1

base64-ng 1.0.1

Patch release focused on wider compiler compatibility, documentation clarity, and security hardening.

Highlights

• Lowered MSRV from Rust 1.95.0 to Rust 1.90.0
• Added README compatibility evidence for Rust 1.90.0 through 1.96.0
• Added README artwork and included image assets in the published package
• Added the 1.0.x source-layout roadmap before future 1.1 feature work

Security And Correctness

• Hardened wrapped line-ending detection with checked offset arithmetic
• Added DecodeError::StagingTooSmall so staged constant-time decode distinguishes undersized staging buffers from undersized output buffers
• Shared legacy-whitespace traversal between validation and decode paths to reduce drift risk
• Tightened BackendPolicy::HighAssuranceScalarOnly to require a CT result gate classified as a hardware speculation barrier
• Added a guarded transfer path when converting SecretBuffer into ExposedSecretString
• Strengthened docs for LineWrap::new, cleanup-boundary escape hatches, CT loop guard behavior, and runtime posture reporting

Validation

• Full local release gate passed on Rust 1.90.0
• Checks confirmed through Rust 1.96.0
• GitHub CI and CodeQL green

base64-ng 1.0.0

base64-ng 1.0.0

First stable release of base64-ng.

Highlights

• Stable strict RFC 4648 Base64 API with standard, URL-safe, MIME, PEM, bcrypt, crypt, and custom alphabet support
• Zero runtime dependencies in the core crate
• no_std support with optional alloc, std, and stream features
• Strict canonical decoding by default, with explicit legacy/whitespace-tolerant APIs
• Allocation-free slice APIs, stack-backed buffers, and in-place decode support
• Constant-time-oriented decoding APIs for sensitive inputs, with clear-tail variants for failure-safe buffer handling
• Best-effort volatile wiping for internal secret buffers and stream staging buffers
• Streaming std::io encoder/decoder adapters
• Release-gated security evidence: fuzz harnesses, dudect harness, Miri-compatible tests, cargo-audit/cargo-deny checks, no-alloc smoke tests, and cross-target checks
• Scalar-only backend for 1.0.0; SIMD remains behind documented admission evidence for future releases

Notes

Kani/formal verification remains planned for a future 1.0.x assurance release once toolchain support is suitable. The constant-time and zeroization APIs are documented as best-effort Rust implementations, not formal hardware-level guarantees.

base64-ng 0.12.0

base64-ng 0.12.0

base64-ng 0.12.0 is the stabilization rehearsal release before the planned 1.0 candidate.

Highlights

• Added migration-guide smoke tests covering strict standard, URL-safe no-pad, MIME/PEM, legacy whitespace, custom alphabets, stack buffers, secret buffers, and stream wrappers.
• Added MSRV/toolchain policy validation for Cargo metadata, rust-toolchain.toml, docs.rs metadata, CI install paths, target matrices, Kani policy, and release evidence tooling.
• Completed the final 0.12 dependency admission review: the published crate remains zero-runtime-dependency, with optional ecosystem integrations still deferred.
• Hardened custom alphabet decoding so bcrypt-style, crypt(3)-style, and caller-defined alphabets scan all 64 symbols before returning.
• Clarified that default strict decoders are not constant-time decoders; secret-bearing payloads should use the ct module when timing posture matters.
• Refined stream output-queue saturation errors so bounded internal queue exhaustion is not reported as malformed caller input.
• Expanded volatile wipe documentation with software-only zeroization limits and guidance for applications that already use zeroize.

Release Evidence

• Full release gate passed.
• Miri passed for no-default and all-features surfaces.
• Fuzz harness compile passed.
• Cross-target no-alloc and SIMD-reserved checks passed.
• SBOM generation passed.
• Reproducible package/build check passed.
• Kani remains a documented policy skip until its bundled compiler supports the pinned Rust 1.95 toolchain.