cloud-sdk-reqwest
Optional provider-neutral transport adapter for the main
cloud-sdk workspace and
cloud-sdk crate.
The crate remains no_std and transport-free by default. Its non-default
blocking-rustls and async-rustls features provide reviewed HTTPS
implementations for every provider without adding transport dependencies to
provider crates.
Most users should start with:
[]
= "0.17.0"
= { = "0.14.0", = ["blocking-rustls"] }
Blocking Example
#
#
#
#
Async Example
The async adapter uses reqwest's Tokio-based execution internally but does not create or own a runtime. Call it from an active Tokio executor:
#
# async
#
For a non-empty request body, set an explicit validated content type:
use ;
# use ;
# let Ok = new else ;
let request = new
.with_body
.with_content_type;
assert_eq!;
Enforced Policy
- HTTPS-only production endpoints with no embedded credentials, query, or fragment.
- Rustls with TLS 1.2 minimum and platform certificate verification.
- Explicit total and connect timeouts, each nonzero and at most 300 seconds.
- Explicit validated user agent and bounded bearer token.
- HTTP/1 and the system resolver are forced even under downstream reqwest HTTP/2 or Hickory DNS feature unification.
- No redirects, automatic retries, proxies, referer generation, or response decompression.
- Exact scheme, host, and port preservation after target composition.
- Caller-sized response buffers with overflow detection and cleanup.
- Async responses are buffered within the caller's capacity and copied only after complete success; cancellation leaves the caller buffer cleared.
- Payload-free errors and redacted client, token, target, and body diagnostics.
BearerToken clears its adapter-owned authorization bytes through
cloud-sdk-sanitization. It cannot clear the caller's original immutable
string or copies owned by reqwest, TLS, the operating system, or remote
services. Keep tokens scoped, rotate and revoke them, and erase caller-owned
mutable secret storage after transport use.
Features
| Feature | Default | Effect |
|---|---|---|
std |
no | Enables only std support in first-party boundary crates. |
blocking-rustls |
no | Enables the hardened blocking reqwest/rustls adapter and sanitization boundary. |
async-rustls |
no | Enables the hardened async reqwest/rustls adapter; callers provide an active Tokio runtime. |
Reqwest's default features are disabled. The complete dependency and security
decision is recorded in
docs/dependency-admission-reqwest.md.
Provider crates retain ownership of authentication, base URLs, request models, response interpretation, and provider-specific errors. This crate must not branch on provider names.