base64-ng 1.0.6

base64-ng v1.0.6

Highlights

• Added alloc-gated convenience APIs:

  • base64_ng::encode
  • base64_ng::decode

• Added new constant-time-oriented owned decode helpers:

  • ct::CtEngine::decode_vec
  • ct::CtEngine::decode_secret
  • ct::CtEngine::decode_secret_staged

• Added public base64_ng::constant_time_eq for explicit best-effort, public-length byte comparison.

Security and Hardening

• Added stack-staged owned secret decode for shared-memory, enclave-adjacent, HSM-style, and multi-principal deployments.
• Made stream decoder over-reporting fail closed, matching stream encoder behavior.
• Restored wipe_tail invariant checks so invalid internal offsets fail closed.
• Strengthened documentation around transient plaintext windows in CT owned decode APIs.
• Clarified that constant_time_eq is best-effort and not a formally verified MAC/password/token comparison primitive.
• Removed redundant double-wiping in the CT owned decode path.

Documentation

• Updated README examples for convenience encode/decode and CT secret decode.
• Added guidance for staged secret decode.
• Updated changelog, roadmap, migration docs, SIMD docs, and package metadata to 1.0.6.
• Kept serde deferred as a future optional integration candidate instead of adding a dependency.

Validation

• Added tests for staged CT secret decode.
• Added tests for stream decoder fail-closed behavior.
• Release checks and GitHub CI are green.