base64-ng 0.5.0
base64-ng v0.5.0
Highlights
- Added AVX-512 VBMI candidate detection and audit reporting while keeping scalar as the only active backend.
- Hardened runtime backend reporting with structured snapshots, CPU feature requirements, and scalar-only deployment policy checks.
- Added inactive AVX-512, AVX2, and NEON prototype checks with scalar-equivalence evidence.
- Strengthened stream decoder/encoder hardening for framed payloads and sensitive buffer cleanup.
- Replaced stream reader allocator-backed queues with fixed-size internal queues that clear consumed slots and wipe full queue capacity on drop.
- Hardened constant-time-oriented decoding with opaque malformed-content errors and integer byte-mask helpers.
- Expanded release gates for reserved features, SIMD boundaries, packaged scripts, cross-target builds, SBOMs, and reproducible package/build checks.
- Added a zero-dependency roadmap for MIME/PEM/bcrypt profiles, custom alphabets, validation-only APIs, secret wrappers, and future high-assurance work.
Security
- Default runtime dependency graph remains zero external crates.
- Scalar execution remains the only active backend.
- Unsafe code remains isolated to the SIMD admission boundary.
- Clear-tail and stream cleanup APIs provide best-effort buffer-retention reduction.
- Constant-time-oriented APIs still do not claim a formally verified cryptographic constant-time guarantee.
Verification
Passed release gate for:
- formatting
- clippy
- default/all-features/no-default-features tests
- doctests and docs
- Miri
- nextest
- cargo-deny
- cargo-audit
- license inventory
- fuzz/perf harness checks
- cross-target checks
- SIMD feature-bundle checks
- SBOM generation
- reproducible package/build
Kani proof execution is currently skipped because installed Kani bundles rustc 1.93.0-nightly, while this crate requires Rust 1.95.