vardheim 0.3.1

Security-first ACME and certificate lifecycle framework for Rust
Documentation

vardheim

vardheim is a no_std-first Rust workspace for security-focused ACME and certificate lifecycle building blocks.

The project target is a serious production-ready certificate lifecycle framework at 1.0.0, reached through small releases with explicit RFC, security, compatibility, dependency, testing, and pentest evidence. Protocol logic remains separate from networking, runtimes, cryptographic providers, challenge presentation, persistent storage, and certificate deployment.

Current Status

Status: v0.3.1 release candidate; pentest and remediation retest passed, awaiting GitHub checks.

Vardheim does not issue, validate, renew, revoke, or deploy certificates yet. The current release establishes the crate boundaries and enforcement needed before security-sensitive protocol implementation begins.

Implemented now:

  • Rust workspace pinned to stable 1.97.0.
  • MSRV policy and verified checks for Rust 1.90.0 through 1.97.0.
  • Dependency-free no_std facade, core, and challenge-family crates.
  • Future-proof HTTP, DNS, and TLS challenge crate boundaries.
  • Workspace-wide #![forbid(unsafe_code)].
  • Maximum 500-line policy for every Rust source file.
  • MIT OR Apache-2.0 licensing.
  • GitHub CI, CODEOWNERS, funding, Dependabot, and SHA-pinned Actions.
  • GitHub CodeQL Default setup policy.
  • cargo-deny, cargo-audit, package, documentation, and SPDX SBOM gates.
  • Mandatory exact-commit pentest stop before every release tag.
  • Independent crate versions and dependency-ordered publication enforcement.
  • Complete implementation and version plan through 1.0.0.
  • Tracked, byte-locked reference copies of all required RFC texts, excluded from published crates.
  • Generated proof that all normative RFC references from every published ACME family document are present in the 105-document local source set.
  • Complete generated section index for all tracked RFCs and reviewed all-status errata evidence for every published ACME RFC.
  • Complete bounded fixtures for all 107 records in all 13 IANA ACME registries, current HTTP replacements, supporting standards, and pinned external-profile revisions.
  • Complete inventory of all normative non-RFC ACME sources, including byte-pinned supporting IANA registries and exact external revisions.
  • Linux, Windows, BSD, macOS, Android, iOS, and future custom-target architecture requirements.

Not implemented yet:

  • No ACME directory or account operations.
  • No JOSE, JWK, JWS, EAB, or nonce implementation.
  • No order, authorization, challenge, finalization, or revocation workflow.
  • No CSR or certificate parsing and verification.
  • No HTTP, DNS, TLS, cryptographic, storage, or deployment backend.
  • No durable orchestration, CLI, daemon, or remote agent.
  • No stable RFC conformance claim.

Every missing item has a concrete pre-1.0 version in the release plan. There is no unversioned post-1.0 backlog for known requirements.

Trust Dashboard

Area Status
License MIT OR Apache-2.0
MSRV Rust 1.90.0
Pinned toolchain Rust 1.97.0
Default target no_std
External dependencies zero
Unsafe policy first-party crates use #![forbid(unsafe_code)]
Default networking none
Default cryptographic backend none
Maximum Rust source size 500 physical lines
Release evidence checks, deny, audit, SBOM, exact-commit pentest
crates.io payload Cargo metadata, crate README, and Rust source only
Panic policy application-owned; expected failures use typed errors
Current RFC conformance none claimed
1.0 target complete production-ready ACME lifecycle framework

Install

The latest published foundation release is:

[dependencies]
vardheim = "0.3.0"

Most users should depend only on vardheim. Lower-level crates exist for applications that need direct protocol or challenge-family boundaries.

Workspace Crates

Crate Responsibility
vardheim public facade and common re-exports
vardheim-core bounded, runtime-independent ACME protocol foundations
vardheim-challenge-http current and future HTTP challenge methods
vardheim-challenge-dns current and future DNS challenge methods
vardheim-challenge-tls current and future TLS challenge methods

The challenge crate names intentionally do not contain protocol revision numbers. For example, dns-01 and a future dns-02 belong to versioned modules inside vardheim-challenge-dns, not separate packages.

vardheim-rustls is assigned to version 0.51.0, after the generic TLS challenge identity boundary is complete.

Rust Version Support

The minimum supported Rust version is 1.90.0. New development and release verification use pinned stable Rust 1.97.0.

Rust Required evidence
1.90.0 cargo check --workspace --all-features
1.91.0 cargo check --workspace --all-features
1.92.0 cargo check --workspace --all-features
1.93.0 cargo check --workspace --all-features
1.94.0 cargo check --workspace --all-features
1.95.0 cargo check --workspace --all-features
1.96.0 cargo check --workspace --all-features
1.96.1 cargo check --workspace --all-features
1.97.0 full local and release gates

Platform Policy

Runtime-independent crates must remain portable across Linux, Windows, BSD, macOS, Android, iOS, and custom no_std targets. Platform-specific adapters live outside the core and fail closed on unsupported targets. Clocks, entropy, networking, storage, signing, allocation, and deployment remain injectable so a future custom operating system is not locked out.

Security And Release Policy

Every release, including patches and release candidates, stops for an independent pentest of the exact implementation commit. A tag cannot pass the release gate without a permanent Status: PASS report.

Read:

Development

scripts/checks.sh
scripts/check-rust-version-matrix.sh
cargo deny check
cargo audit
scripts/generate-sbom.sh
scripts/release_crates.py --check
scripts/validate-package-contents.py
python3 scripts/test-package-contents.py
scripts/rfc_inventory.py
scripts/rfc_errata.py
scripts/registry_baseline.py
python3 scripts/test-registry-baseline.py

The networked freshness check verifies pinned Cargo tools and GitHub Actions:

scripts/check_latest_tools.sh

License

Licensed under either of:

  • Apache License, Version 2.0
  • MIT License

at your option.