1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
// Copyright (c) 2025-2026 Federico Hoerth <memparanoid@gmail.com>
// SPDX-License-Identifier: GPL-3.0-only
// See LICENSE in the repository root for full license text.
//! Systematic memory zeroization with compile-time and runtime guarantees.
//!
//! # Overview
//!
//! **redoubt-zero** provides RAII guards and derive macros for automatic, verifiable zeroization.
//! Zeroization happens automatically on drop with runtime verification that it actually occurred.
//!
//! This is a convenience re-export crate combining [`redoubt-zero-core`] and [`redoubt-zero-derive`].
//!
//! # Quick Start
//!
//! ```rust
//! use redoubt_zero::{RedoubtZero, ZeroizeOnDropSentinel, AssertZeroizeOnDrop};
//!
//! #[derive(RedoubtZero)]
//! #[fast_zeroize(drop)]
//! struct TempBuffer {
//! data: Vec<u8>,
//! capacity: usize,
//! __sentinel: ZeroizeOnDropSentinel,
//! }
//!
//! let mut buffer = TempBuffer {
//! data: vec![1, 2, 3, 4],
//! capacity: 1024,
//! __sentinel: ZeroizeOnDropSentinel::default(),
//! };
//!
//! // Use buffer...
//!
//! // Automatically zeroized on drop
//! drop(buffer);
//! ```
//!
//! # How It Works
//!
//! ## 1. The Sentinel Pattern
//!
//! Every struct includes a [`ZeroizeOnDropSentinel`] field. This sentinel:
//! - Flips a flag on drop
//! - Can be cloned to verify the original was zeroized
//! - Provides runtime proof of zeroization
//!
//! ## 2. Automatic Trait Implementation
//!
//! The `#[derive(RedoubtZero)]` macro generates:
//!
//! - **[`FastZeroizable`]**: Implements `fast_zeroize(&mut self)` to zero all fields
//! - **[`ZeroizationProbe`]**: Implements `is_zeroized(&self)` to check if data is zeroed
//! - **[`AssertZeroizeOnDrop`]**: Test helper to verify drop behavior
//! - **Optional Drop impl**: With `#[fast_zeroize(drop)]`, generates `Drop` that calls `fast_zeroize()`
//!
//! ## 3. Field Skipping
//!
//! Fields can be excluded from zeroization with `#[fast_zeroize(skip)]`:
//!
//! ```rust
//! # use redoubt_zero::{RedoubtZero, ZeroizeOnDropSentinel};
//! #[derive(RedoubtZero)]
//! struct SessionData {
//! token: Vec<u8>, // Zeroized
//! #[fast_zeroize(skip)]
//! id: u64, // Not zeroized (just metadata)
//! __sentinel: ZeroizeOnDropSentinel,
//! }
//! ```
//!
//! # Core Types
//!
//! - **[`ZeroizeOnDropSentinel`]**: Drop sentinel for verifiable zeroization
//! - **[`ZeroizingGuard<T>`]**: RAII wrapper that zeroizes on drop (owned)
//! - **[`ZeroizingMutGuard<'a, T>`]**: RAII wrapper that zeroizes on drop (borrowed)
//!
//! # Traits
//!
//! - **[`FastZeroizable`]**: Provides `fast_zeroize(&mut self)` for efficient zeroization
//! - **[`ZeroizationProbe`]**: Provides `is_zeroized(&self)` to check if data is zeroed
//! - **[`AssertZeroizeOnDrop`]**: Test helper to verify drop zeroization
//! - **[`ZeroizeMetadata`]**: Field count metadata for verification
//!
//! # Testing Zeroization
//!
//! Use [`AssertZeroizeOnDrop::assert_zeroize_on_drop()`] in tests to verify behavior:
//!
//! ```rust
//! # use redoubt_zero::{RedoubtZero, ZeroizeOnDropSentinel, AssertZeroizeOnDrop};
//! #[derive(RedoubtZero)]
//! #[fast_zeroize(drop)]
//! struct Workspace {
//! buffer: Vec<u8>,
//! __sentinel: ZeroizeOnDropSentinel,
//! }
//!
//! #[test]
//! fn test_workspace_zeroizes() {
//! let ws = Workspace {
//! buffer: vec![1, 2, 3, 4],
//! __sentinel: ZeroizeOnDropSentinel::default(),
//! };
//! ws.assert_zeroize_on_drop(); // Panics if not zeroized
//! }
//! ```
//!
//! # Design Rationale
//!
//! ## The Sentinel Pattern
//!
//! The sentinel enables runtime verification without unsafe code:
//! - Clone the sentinel before drop
//! - Drop the original
//! - Check the sentinel's flag flipped
//!
//! This proves `Drop` ran and zeroization occurred.
//!
//! ## FastZeroizable Implementation
//!
//! `FastZeroizable` uses compiler fences for zeroization:
//! - Matches LLVM's optimization model
//! - Allows vectorization and unrolling
//! - Prevents dead store elimination
//!
//! See [`redoubt-zero-core`](redoubt_zero_core) for implementation details.
//!
//! # Use Cases
//!
//! Useful for any data that needs guaranteed cleanup:
//!
//! - **Cryptographic material**: Keys, nonces, IVs
//! - **Temporary buffers**: Workspace memory, intermediate results
//! - **Session data**: Tokens, cookies, auth state
//! - **Parser state**: Untrusted input, partial parses
//! - **Any heap allocation** you want cleaned up reliably
//!
//! # Crate Structure
//!
//! This crate re-exports:
//! - [`redoubt-zero-core`](redoubt_zero_core): Core types and traits
//! - [`redoubt-zero-derive`](redoubt_zero_derive): `#[derive(RedoubtZero)]` macro
//!
//! [`ZeroizeOnDropSentinel`]: redoubt_zero_core::ZeroizeOnDropSentinel
//! [`ZeroizingGuard<T>`]: redoubt_zero_core::ZeroizingGuard
//! [`ZeroizingMutGuard<'a, T>`]: redoubt_zero_core::ZeroizingMutGuard
//! [`FastZeroizable`]: redoubt_zero_core::FastZeroizable
//! [`ZeroizationProbe`]: redoubt_zero_core::ZeroizationProbe
//! [`AssertZeroizeOnDrop`]: redoubt_zero_core::AssertZeroizeOnDrop
//! [`ZeroizeMetadata`]: redoubt_zero_core::ZeroizeMetadata
//! [`AssertZeroizeOnDrop::assert_zeroize_on_drop()`]: redoubt_zero_core::AssertZeroizeOnDrop::assert_zeroize_on_drop
//!
//! ## License
//!
//! GPL-3.0-only
pub use *;
pub use *;