Skip to content

Release/v0.3.0#71

Merged
Adel2411 merged 76 commits into
mainfrom
release/v0.3.0
Mar 7, 2026
Merged

Release/v0.3.0#71
Adel2411 merged 76 commits into
mainfrom
release/v0.3.0

Conversation

@Adel2411

@Adel2411 Adel2411 commented Mar 7, 2026

Copy link
Copy Markdown
Collaborator

Added

  • Streaming encryption and decryption with chunk-based AES-256-GCM and ChaCha20-Poly1305, including progress callbacks for large file processing.
  • Zstd and Brotli compression with configurable levels, integrated into both the streaming pipeline and the EVFS.
  • Encrypted Virtual File System (EVFS): a .vault container supporting named segments, WAL crash recovery, shadow index, capacity management, and secure deletion.
  • Full-featured Flutter example app demonstrating all library APIs (hashing, encryption, KDF, streaming, compression, vault).

Fixed

  • Integration test reliability improvements for async race conditions and matcher corrections.

Adel-Ayoub and others added 30 commits February 26, 2026 13:46
…6B): magic/version/algorithm/reserved

  - ChunkAad (9B): index(u64 LE) + is_final(u8) for truncation protection                                          - ChunkReader: fill-in-place zero-alloc read_chunk(&mut chunk)
  - ChunkWriter: internal buffer for single-syscall writes
  - Last-chunk padding with zero-byte validation
  - EncryptedChunk pre-allocation + Default
  - StreamAlgorithm <-> Algorithm conversion bridge
  - Generic finish() + finish_file() for fsync
  - 22 unit tests covering all acceptance criteria
feat(streaming): add low-level streaming primitives                  …
  - encrypt_file_impl / decrypt_file_impl: 64KB AEAD chunk streaming
  - Per-chunk AAD (index + is_final) prevents reorder/truncation/append
  - Last-chunk padding to uniform ENCRYPTED_CHUNK_SIZE
  - Atomic temp-file-then-rename: failed ops leave no partial output
  - Algorithm cross-check between header and CipherHandle
  - Progress callbacks (0.0..1.0) via closure, FRB StreamSink wrappers
  - CipherHandle: add pub(crate) encrypt_raw/decrypt_raw/algorithm_id
  - 16 tests: roundtrip, tamper detection, progress, cleanup guarantees
  - Remove needless borrows in fs::write test calls
  - Replace unwrap_err() with expect_err() to satisfy deny(clippy::unwrap_used)
…pt-decrypt

feat(streaming): add high-level streaming encrypt/decrypt API
…noop.dart referenced core/traits.dart which is not generated (#[frb(ignore)] on Encryption trait).NoopEncryption itself does not need FRB scanning only create_noop_encryption() returning CipherHandle is the public API.
  - hash_file_impl reads file in 64KB chunks, feeds raw bytes to hasher
  - No encryption padding digest matches one-shot blake3_hash/sha3_hash
  - stream_hash_file FRB wrapper with StreamSink<f64> progress
  - pub(crate) update_raw/finalize_raw/reset_raw on HasherHandle
  - New tests: BLAKE3, SHA-3, empty file, 1MB+ file, exact boundary
…noop.dart referenced core/traits.dart which is not generated (#[frb(ignore)] on Encryption trait).NoopEncryption itself does not need FRB scanning only create_noop_encryption() returning CipherHandle is the public API.
feat(streaming): add streaming file hash with BLAKE3/SHA-3
…ity FRB drops the Vec<u8> return when a function also has StreamSink. Stream_hash_file now only feeds data Dart calls hasherFinalize() to obtain the digest.
- Add StreamingService with encryptFile, decryptFile, hashFile
- Add 8 integration tests (6/8 pass)
- Export StreamingService from lib/m_security.dart
… unawaited(executeNormal) for stream functions, so Rust errors arrive as zone errors after the progress stream closes. _guardedStream uses runZonedGuarded + deferred close to forward these to the stream.

  All 8 integration tests pass on macOS, Android, and iOS.
feat(streaming): add Dart StreamingService wrapper and integration tests
Add streaming encrypt decrypt and hash pipeline
feat(compression): add Zstd/Brotli core with algorithm enum and MIME-aware skip
  Rewrites the compress-encrypt pipeline to feed input through a streaming
  compressor and chunk the compressed output, instead of compressing each
  64KB chunk independently. A file that compresses 50% now produces half
  as many encrypted chunks on disk.
Adel-Ayoub and others added 29 commits March 5, 2026 09:55
feat(evfs): vault format structures and segment index
  HKDF domain-separated sub-keys (cipher/nonce/index), generation-aware
  nonce derivation, compress-then-encrypt pipeline with MIME-aware skip,
  BLAKE3 checksums with constant-time verification (subtle), CSPRNG
  pre-allocation in 64KB chunks, secure erase with fsync. 23 tests.
  HKDF domain-separated sub-keys (cipher/nonce/index), generation-aware
  nonce derivation for both segments and index, compress-then-encrypt
  pipeline with MIME-aware skip, BLAKE3 checksums with constant-time
  verification (subtle), CSPRNG pre-allocation in 64KB chunks, secure
  erase with fsync, intermediate buffer zeroization. 26 tests.
…cryption

feat(evfs): add per-segment encryption, checksums, and secure deletion
…recovery

feat(evfs): WAL crash recovery and advisory file locking
  - Add ENCRYPTED_INDEX_SIZE (INDEX_PAD_SIZE + 28) for on-disk layout
  - Update DATA_REGION_OFFSET and shadow/WAL offsets accordingly
  - Add total_vault_size() helper for vault file preallocation
  - Add pub(super) aead_encrypt_random_nonce and aead_decrypt_with_stored_nonce
    for index encryption without generation-based nonce derivation
  - Add VaultHandle (opaque) holding file, keys, index, WAL, and lock
  - Implement vault_create, vault_open, vault_write, vault_read,
    vault_delete, vault_list, vault_capacity, vault_close
  - Compress-then-encrypt pipeline with MIME-aware skip
  - BLAKE3 checksum on original plaintext (pre-compression)
  - Free-list allocation with best-fit search and adjacent merge
  - WAL crash recovery with snapshot size validation
  - Shadow index fallback when primary is corrupted
  - Zeroize master key and plaintext data after use
  - Safe usize cast for 32-bit platform compatibility
feat(evfs): implement Vault Rust API with VaultHandle
feat(evfs): add Dart VaultService wrapper and integration tests
EVFS: encrypted vault container
@Adel2411 Adel2411 merged commit 2b563fd into main Mar 7, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants