base64-ng 1.3.5

no_std-first Base64 encoding and decoding with strict APIs and a security-heavy release process
Documentation
# Pentest Evidence Policy

Root `PENTEST.md` is temporary scratch input. It is used only while findings
are being triaged and must not be committed.

For every future tag:

1. Stop implementation at the candidate commit.
2. Run the normal local gates and GitHub CI.
3. Run the external pentest against the exact candidate commit.
4. Put temporary findings in root `PENTEST.md`.
5. Fix or document each finding.
6. Delete root `PENTEST.md`.
7. Run the local gates again.
8. Commit one permanent report at `security/pentest/vX.Y.Z.md`.
9. The permanent report commit must only change that report file.
10. Run `scripts/validate-release-readiness.sh vX.Y.Z` before tagging.

The permanent report must include:

- `Status: PASS`
- `Reviewed-Commit: <full 40-character commit>`
- `Tester: ...`
- `Scope: ...`
- `Date: YYYY-MM-DD`
- a finding/remediation/retest summary

CodeQL, GitHub security findings, and maintainer-supplied external pentest
results belong in the same permanent report when they are part of the release
decision. If a finding is intentionally accepted as documented residual risk,
the report must name the exact documentation section that carries that risk.

Historical reports generated for older tags are best-effort reconstructions.
They preserve the release trail from tags, changelog sections, and commit
messages, but they are not the original raw `PENTEST.md` transcripts.