cloud-sdk-reqwest
Optional provider-neutral transport adapter for the main
cloud-sdk workspace and
cloud-sdk crate.
The crate remains no_std and transport-free by default. Its non-default
blocking-rustls, blocking-rustls-fips, and async-rustls features provide
reviewed HTTPS implementations for every provider without adding transport
dependencies to provider crates.
Most users should start with:
[]
= "0.23.0"
= { = "0.16.0", = ["blocking-rustls"] }
Blocking Example
#
#
#
#
Blocking FIPS Example
Use the same blocking API with the dedicated feature:
[]
= "0.23.0"
= { = "0.16.0", = ["blocking-rustls-fips"] }
= "=0.23.42"
#
#
#
#
The application must authenticate, refresh, and supply complete CRLs for every issuer in an accepted chain. Construction rejects missing roots, missing or malformed CRLs, and a missing policy; handshakes reject unknown revocation status and expired CRLs. Client construction also fails closed unless both the provider and complete TLS client configuration report FIPS operation. If both blocking features are enabled, this explicit FIPS configuration wins.
A crate feature is not an application or deployment compliance claim; callers
remain responsible for the validated module's security policy, approved
operating environment, reviewed application lockfile or vendored sources,
toolchain, entropy, deployment, and operational controls. See
docs/dependency-admission-reqwest-fips.md.
Async Example
The async adapter uses reqwest's Tokio-based execution internally but does not create or own a runtime. Call it from an active Tokio executor:
#
# async
#
For a non-empty request body, set an explicit validated content type:
use ;
# use ;
# let Ok = new else ;
let request = new
.with_body
.with_content_type;
assert_eq!;
Enforced Policy
- HTTPS-only production endpoints with no embedded credentials, query, or fragment.
- Rustls with TLS 1.2 minimum; platform certificate verification for standard transports and mandatory deployment roots plus CRLs for FIPS.
- Explicit total and connect timeouts, each nonzero and at most 300 seconds.
- Explicit validated user agent and bounded bearer token.
- HTTP/1 and the system resolver are forced even under downstream reqwest HTTP/2 or Hickory DNS feature unification.
- No redirects, automatic retries, proxies, referer generation, or response decompression.
- Exact scheme, host, and port preservation after target composition.
- Caller-sized response buffers with overflow detection and cleanup.
- Strict all-or-none decimal parsing and propagation of exactly one
RateLimit-Limit,RateLimit-Remaining, andRateLimit-Resetresponse header; duplicates fail closed. - Async responses are buffered within the caller's capacity and copied only after complete success; cancellation leaves the caller buffer cleared.
- Payload-free errors and redacted client, token, target, and body diagnostics.
BearerToken clears its adapter-owned authorization bytes through
cloud-sdk-sanitization. It cannot clear the caller's original immutable
string or copies owned by reqwest, TLS, the operating system, or remote
services. Keep tokens scoped, rotate and revoke them, and erase caller-owned
mutable secret storage after transport use.
Features
| Feature | Default | Effect |
|---|---|---|
default |
yes | Empty; keeps the crate transport-free and no_std. |
std |
no | Enables only std support in first-party boundary crates. |
blocking-rustls |
no | Enables the hardened blocking reqwest/rustls adapter and sanitization boundary. |
blocking-rustls-fips |
no | Enables the blocking adapter with runtime-verified AWS-LC FIPS plus mandatory deployment roots and CRLs. |
async-rustls |
no | Enables the hardened async reqwest/rustls adapter; callers provide an active Tokio runtime. |
Reqwest's default features are disabled. The complete dependency and security
decision is recorded in
docs/dependency-admission-reqwest.md.
Provider crates retain ownership of authentication, base URLs, request models, response interpretation, and provider-specific errors. This crate must not branch on provider names.