docs: fix fabricated APIs and stale claims; add SECURITY.md#233
Merged
Conversation
…RITY.md - encrypt README (docs.rs front page): documented three convenience functions that don't exist (decrypt, encrypt_with_aad, decrypt_with_aad), the removed pre-visitor Decrypt call shape, a Vec<u8> Encrypt impl that never existed, and a shipped TODO marker — all hidden behind rust,ignore fences. Rewritten around the real API; every example is now doctested (12/12 pass). Version pins 0.1.0-pre4 → 0.2.0-pre.1; hlist feature documented. - root/facade README feature table: 'kms' is actually the aws-kms feature; 'password' is not a facade feature — both broke cargo add. - password README: mark unimplemented!() conversion API as planned, fix imports, Debug-output claim, and 'pronounceable' wording. - kms README: badge pointed at vitaminc-permutation; BehaviorVersion aligned with the crate's own tests; license footer added. - async-traits README: tagline was copy-pasted from permutation. - protected README: Exportable WIP claim stale; align transpose example with in-source doc; pointer to undocumented exports. - Add SECURITY.md; LICENSE year range 2024-2026.
Contributor
There was a problem hiding this comment.
Pull request overview
Documentation and meta-file maintenance sweep across the Vitamin C monorepo to remove stale/fabricated API claims, align README examples with the actual crate APIs/features, and add a repository-level security reporting policy.
Changes:
- Added
SECURITY.mdwith vulnerability reporting and disclosure process guidance. - Updated root/facade README feature table to reflect the real facade feature names/availability.
- Refreshed multiple crate READMEs (notably
vitaminc-encrypt) to match current APIs and improve example correctness; updated ancillary metadata (badges, license year).
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| SECURITY.md | Adds a security policy + reporting channel for vulnerabilities. |
| README.md | Fixes feature table rows to match actual facade feature exposure and names. |
| packages/protected/README.md | Updates README claims/examples to match current Protected/Exportable behavior. |
| packages/password/README.md | Updates versions and clarifies planned vs implemented API, correcting misleading examples/claims. |
| packages/kms/README.md | Fixes crate badge, aligns AWS behavior version with current usage, adds footer/license note. |
| packages/encrypt/README.md | Rewrites README around real encrypt/decrypt APIs and updates examples accordingly. |
| packages/async-traits/README.md | Fixes incorrect tagline/description. |
| LICENSE | Updates copyright year range. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Meta-file staleness sweep. The headline problem: the
vitaminc-encryptdocs.rs front page documented an API that doesn't exist — three "convenience functions" (decrypt,encrypt_with_aad,decrypt_with_aad) that were never in the crate, the removed pre-visitorString::decrypt(ct, &cipher)call shape, aVec<u8>encrypt example that can't compile (u8doesn't implementEncrypt), and a literal// TODO: Update to new Encrypt/Decrypt APIshipped to docs.rs. All invisible to CI because the blocks were fencedrust,ignore.The README is rewritten around the real API (
encrypt()free function +Aes256Cipher::decrypt/decrypt_with_aad, trait-basedencrypt_with_aad), and — the durable fix — every example is un-ignored and doctested:cargo test --doc -p vitaminc-encryptruns 12/12 green. The key-wrapping example now says plainly thatKeyimplementsEncryptbut not yetDecrypt.Also:
kmsrow is actually theaws-kmsfeature, andpasswordisn't wired into the facade at all — both rows produced failingcargo add vitaminc --features …invocations. (The facade README is a symlink to the root one, so one edit covers both.)into_protected_string()/into_unprotected_string(), which areunimplemented!()stubs that panic — contradicting the Current Limitations section below them. Now clearly marked as planned API, with imports and the Debug-output claim fixed, and "pronounceable" corrected (AlphaPassword is uniform random letters).vitaminc-permutation;BehaviorVersionaligned with the one the crate's own tests use (v2026_01_12); license footer added.Exportablewas described as WIP butSafeSerialize/SafeDeserializeship with passing doctests; thetransposeexample now matches the fixed in-source doc; short pointer added for the undocumented exports (TimingSafeEq,OpaqueDebug,Redacted, …).Usageis still marked WIP — left as-is.Suggestion (not done here)
vitaminc-passwordis the only crate whose README is notinclude_str!'d into lib.rs — which is exactly why it rotted while the doctested READMEs stayed accurate. Once the conversion functions land, adding#![doc = include_str!("../README.md")]would put it under the same protection.Verification
cargo test --doc -p vitaminc-encrypt12/12 pass;-p vitaminc-protected40/40;-p vitamincand-p vitaminc-async-traitscleanvitaminc-kmscan't build on my local rustc 1.90 (its AWS deps now need 1.91), so the kms README change is validated by matching the crate's own test code rather than a local doctest run — CI will confirmpackages/vitaminc/Cargo.toml; API claims checked againstpackages/aead/src/{encrypt,decipher}/impls.rsCloses #234