Skip to content

docs: fix fabricated APIs and stale claims; add SECURITY.md#233

Merged
coderdan merged 1 commit into
mainfrom
docs/meta-refresh
Jul 4, 2026
Merged

docs: fix fabricated APIs and stale claims; add SECURITY.md#233
coderdan merged 1 commit into
mainfrom
docs/meta-refresh

Conversation

@coderdan

@coderdan coderdan commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Summary

Meta-file staleness sweep. The headline problem: the vitaminc-encrypt docs.rs front page documented an API that doesn't exist — three "convenience functions" (decrypt, encrypt_with_aad, decrypt_with_aad) that were never in the crate, the removed pre-visitor String::decrypt(ct, &cipher) call shape, a Vec<u8> encrypt example that can't compile (u8 doesn't implement Encrypt), and a literal // TODO: Update to new Encrypt/Decrypt API shipped to docs.rs. All invisible to CI because the blocks were fenced rust,ignore.

The README is rewritten around the real API (encrypt() free function + Aes256Cipher::decrypt/decrypt_with_aad, trait-based encrypt_with_aad), and — the durable fix — every example is un-ignored and doctested: cargo test --doc -p vitaminc-encrypt runs 12/12 green. The key-wrapping example now says plainly that Key implements Encrypt but not yet Decrypt.

Also:

  • Root/facade README feature table: the kms row is actually the aws-kms feature, and password isn't wired into the facade at all — both rows produced failing cargo add vitaminc --features … invocations. (The facade README is a symlink to the root one, so one edit covers both.)
  • password README: examples called into_protected_string()/into_unprotected_string(), which are unimplemented!() stubs that panic — contradicting the Current Limitations section below them. Now clearly marked as planned API, with imports and the Debug-output claim fixed, and "pronounceable" corrected (AlphaPassword is uniform random letters).
  • kms README: crates.io badge pointed at vitaminc-permutation; BehaviorVersion aligned with the one the crate's own tests use (v2026_01_12); license footer added.
  • async-traits README: tagline said "a library for permuting data" — copy-paste from the permutation crate.
  • protected README: Exportable was described as WIP but SafeSerialize/SafeDeserialize ship with passing doctests; the transpose example now matches the fixed in-source doc; short pointer added for the undocumented exports (TimingSafeEq, OpaqueDebug, Redacted, …). Usage is still marked WIP — left as-is.
  • New SECURITY.md — a cryptography monorepo that aims to be "vetted by security experts" had no vulnerability-reporting channel.
  • LICENSE year → 2024-2026.

Suggestion (not done here)

vitaminc-password is the only crate whose README is not include_str!'d into lib.rs — which is exactly why it rotted while the doctested READMEs stayed accurate. Once the conversion functions land, adding #![doc = include_str!("../README.md")] would put it under the same protection.

Verification

  • cargo test --doc -p vitaminc-encrypt 12/12 pass; -p vitaminc-protected 40/40; -p vitaminc and -p vitaminc-async-traits clean
  • vitaminc-kms can't build on my local rustc 1.90 (its AWS deps now need 1.91), so the kms README change is validated by matching the crate's own test code rather than a local doctest run — CI will confirm
  • Feature names checked against packages/vitaminc/Cargo.toml; API claims checked against packages/aead/src/{encrypt,decipher}/impls.rs

Closes #234

…RITY.md

- encrypt README (docs.rs front page): documented three convenience
  functions that don't exist (decrypt, encrypt_with_aad,
  decrypt_with_aad), the removed pre-visitor Decrypt call shape, a
  Vec<u8> Encrypt impl that never existed, and a shipped TODO marker —
  all hidden behind rust,ignore fences. Rewritten around the real API;
  every example is now doctested (12/12 pass). Version pins
  0.1.0-pre4 → 0.2.0-pre.1; hlist feature documented.
- root/facade README feature table: 'kms' is actually the aws-kms
  feature; 'password' is not a facade feature — both broke cargo add.
- password README: mark unimplemented!() conversion API as planned,
  fix imports, Debug-output claim, and 'pronounceable' wording.
- kms README: badge pointed at vitaminc-permutation; BehaviorVersion
  aligned with the crate's own tests; license footer added.
- async-traits README: tagline was copy-pasted from permutation.
- protected README: Exportable WIP claim stale; align transpose
  example with in-source doc; pointer to undocumented exports.
- Add SECURITY.md; LICENSE year range 2024-2026.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Documentation and meta-file maintenance sweep across the Vitamin C monorepo to remove stale/fabricated API claims, align README examples with the actual crate APIs/features, and add a repository-level security reporting policy.

Changes:

  • Added SECURITY.md with vulnerability reporting and disclosure process guidance.
  • Updated root/facade README feature table to reflect the real facade feature names/availability.
  • Refreshed multiple crate READMEs (notably vitaminc-encrypt) to match current APIs and improve example correctness; updated ancillary metadata (badges, license year).

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
SECURITY.md Adds a security policy + reporting channel for vulnerabilities.
README.md Fixes feature table rows to match actual facade feature exposure and names.
packages/protected/README.md Updates README claims/examples to match current Protected/Exportable behavior.
packages/password/README.md Updates versions and clarifies planned vs implemented API, correcting misleading examples/claims.
packages/kms/README.md Fixes crate badge, aligns AWS behavior version with current usage, adds footer/license note.
packages/encrypt/README.md Rewrites README around real encrypt/decrypt APIs and updates examples accordingly.
packages/async-traits/README.md Fixes incorrect tagline/description.
LICENSE Updates copyright year range.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread packages/encrypt/README.md
@coderdan coderdan merged commit a17a685 into main Jul 4, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Docs drift: fabricated encrypt API on docs.rs, broken feature table, no SECURITY.md

2 participants