lum_ccc_rust/docs/ccc_rust_plan_phases.rst

==============================================
CCC Rust Implementation — Phase Tracking
==============================================
:Last Updated: 2026-06-20
Legend
------
* ``[ ]`` Not started
* ``[~]`` In progress
* ``[x]`` Complete
* ``[!]`` Blocked
----
Step 1 — Cargo Workspace Scaffold
----------------------------------
* ``[x]`` Create ``Cargo.toml`` (workspace manifest, 4 members)
* ``[x]`` Create ``rust-toolchain.toml`` (channel = "stable")
* ``[x]`` Create ``.cargo/config.toml`` (cross-compile target aliases)
* ``[x]`` Create ``vendors/README.md``
----
Step 2 — ``ccc-crypto-core`` Trait Crate
-----------------------------------------
* ``[x]`` Create ``crates/ccc-crypto-core/Cargo.toml``
* ``[x]`` ``algorithms.rs`` — AeadAlgorithm, KdfAlgorithm, MacAlgorithm,
  HashAlgorithm, KemAlgorithm enums (values == cipher_constants.dart)
* ``[x]`` ``capabilities.rs`` — AlgorithmCapability, ProviderCapabilities
* ``[x]`` ``error.rs`` — CryptoError enum
* ``[x]`` ``types.rs`` — KemKeyPair, SelfTestReport, BenchmarkReport,
  AlgoTestResult
* ``[x]`` ``provider.rs`` — AeadProvider, KdfProvider, MacProvider,
  HashProvider, KemProvider traits; CryptoProvider umbrella trait
* ``[x]`` ``registry.rs`` — ProviderRegistry (OnceLock<Mutex<...>>),
  register(), get(), list()
* ``[x]`` ``lib.rs`` — re-exports all public items
* ``[x]`` Unit tests for registry (5 passing)
----
Step 3 — wolfSSL Submodule + ``ccc-crypto-wolfssl``
-----------------------------------------------------
* ``[x]`` ``git submodule add`` wolfSSL → ``vendors/wolfssl``
* ``[x]`` Pin submodule to ``v5.7.2-stable``
* ``[x]`` Document pin in ``vendors/README.md``
* ``[x]`` Create ``crates/ccc-crypto-wolfssl/Cargo.toml``
* ``[x]`` ``build.rs`` — cmake build + bindgen; stub_ffi feature bypasses C build
* ``[x]`` ``aead.rs`` — AES-256-GCM implementation

  * ``[x]`` encrypt_aead (AES-256-GCM)
  * ``[x]`` decrypt_aead (AES-256-GCM)
  * ``[x]`` encrypt_aead (ChaCha20-Poly1305)
  * ``[x]`` decrypt_aead (ChaCha20-Poly1305)
  * ``[x]`` encrypt_aead (XChaCha20-Poly1305 via HChaCha20)
  * ``[x]`` decrypt_aead (XChaCha20-Poly1305)

* ``[x]`` ``kdf.rs`` — KDF implementations

  * ``[x]`` HKDF-SHA256
  * ``[x]`` HKDF-SHA384
  * ``[x]`` HKDF-SHA512
  * ``[x]`` Argon2id (64 MB / 3 iter / 4 threads — matches DEFAULT_CIPHER_PARAMS)
  * ``[x]`` BLAKE2b-512 KDF

* ``[x]`` ``mac.rs`` — MAC implementations

  * ``[x]`` HMAC-SHA256
  * ``[x]`` HMAC-SHA384
  * ``[x]`` HMAC-SHA512
  * ``[x]`` BLAKE2b-MAC (keyed)
  * ``[x]`` Constant-time verify

* ``[x]`` ``hash.rs`` — Hash implementations

  * ``[x]`` SHA-256 / SHA-384 / SHA-512
  * ``[x]`` SHA3-256 / SHA3-512
  * ``[x]`` BLAKE2b-512

* ``[x]`` ``kem.rs`` — KEM implementations

  * ``[x]`` X25519 (keygen + DH encap/decap)
  * ``[x]`` X448 (keygen + DH encap/decap)
  * ``[ ]`` ML-KEM-768 (deferred to Phase 5)
  * ``[ ]`` ML-KEM-1024 (deferred to Phase 5)
  * ``[ ]`` Classic McEliece (deferred to Phase 5)

* ``[x]`` ``capabilities.rs`` — probe-at-startup per algorithm
* ``[x]`` ``capabilities.rs`` — benchmark() throughput micro-bench
* ``[x]`` ``provider.rs`` — WolfSslProvider: CryptoProvider impl
* ``[x]`` ``provider.rs`` — self_test() with embedded NIST vectors (AES-256-GCM, ChaCha20-Poly1305)
* ``[x]`` Register WolfSslProvider in ProviderRegistry via init()
* ``[ ]`` Full native build verified (requires ``brew install cmake``)
----
Step 4 — ``ccc-flutter-bridge`` Entry-Point Crate
---------------------------------------------------
* ``[x]`` Create ``crates/ccc-flutter-bridge/Cargo.toml``
* ``[x]`` Set ``crate-type = ["cdylib", "staticlib"]``
* ``[x]`` Add ``flutter_rust_bridge = "=2.9.0"`` dependency
* ``[x]`` ``dto.rs`` — CapabilitiesDto, KemKeyPairDto, KemEncapDto,
  SelfTestDto, AlgoTestResultDto; From<core types> impls
* ``[x]`` ``bridge.rs`` — ccc_init()
* ``[x]`` ``bridge.rs`` — ccc_list_providers()
* ``[x]`` ``bridge.rs`` — ccc_capabilities() / ccc_available_algorithms()
* ``[x]`` ``bridge.rs`` — ccc_aead_encrypt() / ccc_aead_decrypt()
* ``[x]`` ``bridge.rs`` — ccc_kdf_derive()
* ``[x]`` ``bridge.rs`` — ccc_mac_compute() / ccc_mac_verify()
* ``[x]`` ``bridge.rs`` — ccc_hash()
* ``[x]`` ``bridge.rs`` — ccc_kem_generate_keypair()
* ``[x]`` ``bridge.rs`` — ccc_kem_encapsulate() / ccc_kem_decapsulate()
* ``[x]`` ``bridge.rs`` — ccc_self_test()
* ``[x]`` ``lib.rs`` — module declarations
* ``[x]`` ``flutter_rust_bridge.yaml`` — codegen config
----
Step 5 — Flutter Build Integration
------------------------------------
* ``[ ]`` Add ``flutter_rust_bridge: ^2`` to ``pubspec.yaml``
* ``[ ]`` Run ``flutter_rust_bridge_codegen generate``
* ``[ ]`` Verify generated ``flutter_src/lib/gen/rust/`` bindings
* ``[ ]`` iOS plugin scaffold (``ios/`` dir, cargokit integration)
* ``[ ]`` Android plugin scaffold (``android/`` dir, CMakeLists.txt)
* ``[ ]`` macOS plugin scaffold (``macos/`` dir)
* ``[ ]`` Confirm ``flutter build ios`` succeeds (static lib linked)
* ``[ ]`` Confirm ``flutter build apk`` succeeds (cdylib linked)
----
Step 6 — Dart Layer Wiring
---------------------------
* ``[ ]`` Wire ``crypto_wolfssl.dart`` ``encrypt()`` → ``ccc_aead_encrypt()``
* ``[ ]`` Wire ``crypto_wolfssl.dart`` ``decrypt()`` → ``ccc_aead_decrypt()``
* ``[ ]`` Convert ``CccProviderCatalog.capabilities`` to runtime-populated map
* ``[ ]`` Call ``ccc_init()`` at app startup
* ``[ ]`` Populate ``CccProviderCatalog`` from ``ccc_capabilities()``
* ``[ ]`` Create ``CccSelfTest`` Dart class (wraps ``ccc_self_test()``)
* ``[ ]`` Expose self-test pass/fail diagnostics in app debug screen
----
Step 7 — Conformance Test Suite
---------------------------------
* ``[x]`` ``tests/conformance/src/main.rs`` — NIST AES-256-GCM (2 vectors)
* ``[x]`` ``tests/conformance/src/main.rs`` — RFC 8439 ChaCha20-Poly1305
* ``[x]`` ``tests/conformance/src/main.rs`` — RFC 5869 HKDF-SHA256 (2 vectors)
* ``[x]`` ``tests/conformance/src/main.rs`` — RFC 4231 HMAC-SHA256 (2 vectors)
* ``[x]`` ``tests/conformance/src/main.rs`` — FIPS hash vectors (SHA-256/512, SHA3-256, BLAKE2b)
* ``[ ]`` Cross-provider conformance test (requires multiple providers)
* ``[ ]`` ``cargo run -p ccc-conformance-tests`` passes (requires cmake)
----
Step 8 — Architecture Documentation
--------------------------------------
* ``[ ]`` Create ``docs/phase4_rust_architecture.rst``
* ``[ ]`` Crate dependency graph (ASCII diagram)
* ``[ ]`` "How to add a new provider" — 7-step trait checklist
* ``[ ]`` ``algo: u32`` → cipher constant mapping table
* ``[ ]`` Phase 8 stretch-goal provider list documented
----
Final Verification Gate
------------------------
* ``[ ]`` ``cargo test --workspace`` — all pass (requires cmake for wolfSSL)
* ``[ ]`` ``cargo build --target aarch64-apple-ios`` — success
* ``[ ]`` ``cargo build --target aarch64-linux-android`` — success
* ``[ ]`` Flutter roundtrip integration test passes (1 KB encrypt/decrypt)
* ``[ ]`` ``CccSelfTest.runAll()`` all-pass in app debug screen
* ``[ ]`` Cross-provider conformance confirmed (``deterministic_io: true``
  verified for AES-256-GCM and ChaCha20-Poly1305)
----
Phase 8 — Stretch Goal Providers (Future)
------------------------------------------
*(Out of scope for Phase 4. Tracked here for future scheduling.)*
* ``[ ]`` libsodium (``sodiumoxide`` / ``safe_libsodium``)
* ``[ ]`` OpenSSL (``openssl`` crate)
* ``[ ]`` BoringSSL (``boring`` crate)
* ``[ ]`` RustCrypto (pure-Rust, no native dep)
* ``[ ]`` liboqs — ML-KEM, BIKE, HQC, Falcon, Dilithium, SPHINCS+
* ``[ ]`` Signal ``libsignal``
* ``[ ]`` Botan
* ``[ ]`` mbedTLS
* ``[ ]`` Nettle
Legend
------
* ``[ ]`` Not started
* ``[~]`` In progress
* ``[x]`` Complete
* ``[!]`` Blocked
----
Step 1 — Cargo Workspace Scaffold
----------------------------------
* ``[ ]`` Create ``Cargo.toml`` (workspace manifest, 3 members)
* ``[ ]`` Create ``rust-toolchain.toml`` (stable, pinned version)
* ``[ ]`` Create ``.cargo/config.toml`` (cross-compile target aliases)
* ``[ ]`` Create ``vendors/README.md``
----
Step 2 — ``ccc-crypto-core`` Trait Crate
-----------------------------------------
* ``[ ]`` Create ``crates/ccc-crypto-core/Cargo.toml``
* ``[ ]`` ``algorithms.rs`` — AeadAlgorithm, KdfAlgorithm, MacAlgorithm,
  HashAlgorithm, KemAlgorithm enums (values == cipher_constants.dart)
* ``[ ]`` ``capabilities.rs`` — AlgorithmCapability, ProviderCapabilities
* ``[ ]`` ``error.rs`` — CryptoError enum
* ``[ ]`` ``types.rs`` — KemKeyPair, SelfTestReport, BenchmarkReport,
  AlgoTestResult
* ``[ ]`` ``provider.rs`` — AeadProvider, KdfProvider, MacProvider,
  HashProvider, KemProvider traits; CryptoProvider umbrella trait
* ``[ ]`` ``registry.rs`` — ProviderRegistry (OnceLock<Mutex<...>>),
  register(), get(), list()
* ``[ ]`` ``lib.rs`` — re-exports all public items
* ``[ ]`` Unit tests for registry (register, get, list)
----
Step 3 — wolfSSL Submodule + ``ccc-crypto-wolfssl``
-----------------------------------------------------
* ``[ ]`` ``git submodule add`` wolfSSL → ``vendors/wolfssl``
* ``[ ]`` Pin submodule to ``v5.7.2-stable``
* ``[ ]`` Document pin in ``vendors/README.md``
* ``[ ]`` Create ``crates/ccc-crypto-wolfssl/Cargo.toml``
* ``[ ]`` ``aead.rs`` — AES-256-GCM implementation

  * ``[ ]`` encrypt_aead (AES-256-GCM)
  * ``[ ]`` decrypt_aead (AES-256-GCM)
  * ``[ ]`` encrypt_aead (ChaCha20-Poly1305)
  * ``[ ]`` decrypt_aead (ChaCha20-Poly1305)

* ``[ ]`` ``kdf.rs`` — KDF implementations

  * ``[ ]`` HKDF-SHA256
  * ``[ ]`` HKDF-SHA384
  * ``[ ]`` HKDF-SHA512
  * ``[ ]`` Argon2id

* ``[ ]`` ``mac.rs`` — MAC implementations

  * ``[ ]`` HMAC-SHA256
  * ``[ ]`` HMAC-SHA384
  * ``[ ]`` HMAC-SHA512

* ``[ ]`` ``hash.rs`` — Hash implementations

  * ``[ ]`` SHA-256 / SHA-384 / SHA-512
  * ``[ ]`` SHA3-256 / SHA3-512
  * ``[ ]`` BLAKE2b-512

* ``[ ]`` ``kem.rs`` — KEM implementations

  * ``[ ]`` X25519
  * ``[ ]`` X448
  * ``[ ]`` ML-KEM-768 (conditional on PQ build)
  * ``[ ]`` ML-KEM-1024 (conditional on PQ build)

* ``[ ]`` ``capabilities.rs`` — probe-at-startup per algorithm
* ``[ ]`` ``capabilities.rs`` — benchmark() throughput micro-bench
* ``[ ]`` ``provider.rs`` — WolfSslProvider: CryptoProvider impl
* ``[ ]`` ``provider.rs`` — self_test() with embedded NIST vectors
* ``[ ]`` Register WolfSslProvider in ProviderRegistry via init()
* ``[ ]`` Unit tests for each implemented algorithm
----
Step 4 — ``ccc-flutter-bridge`` Entry-Point Crate
---------------------------------------------------
* ``[ ]`` Create ``crates/ccc-flutter-bridge/Cargo.toml``
* ``[ ]`` Set ``crate-type = ["cdylib", "staticlib"]``
* ``[ ]`` Add ``flutter_rust_bridge`` dependency
* ``[ ]`` ``dto.rs`` — CapabilitiesDto, KemKeyPairDto, KemEncapDto,
  SelfTestDto, AlgoTestResultDto
* ``[ ]`` ``bridge.rs`` — ccc_init()
* ``[ ]`` ``bridge.rs`` — ccc_list_providers()
* ``[ ]`` ``bridge.rs`` — ccc_provider_capabilities()
* ``[ ]`` ``bridge.rs`` — ccc_aead_encrypt() / ccc_aead_decrypt()
* ``[ ]`` ``bridge.rs`` — ccc_derive_key()
* ``[ ]`` ``bridge.rs`` — ccc_compute_mac() / ccc_verify_mac()
* ``[ ]`` ``bridge.rs`` — ccc_hash()
* ``[ ]`` ``bridge.rs`` — ccc_kem_generate_keypair()
* ``[ ]`` ``bridge.rs`` — ccc_kem_encapsulate() / ccc_kem_decapsulate()
* ``[ ]`` ``bridge.rs`` — ccc_self_test()
* ``[ ]`` ``lib.rs`` — frb_generated module import
----
Step 5 — Flutter Build Integration
------------------------------------
* ``[ ]`` Add ``flutter_rust_bridge: ^2`` to ``pubspec.yaml``
* ``[ ]`` Run ``flutter_rust_bridge_codegen generate``
* ``[ ]`` Verify generated ``flutter_src/ccc_crypto_bindings/ccc_crypto.dart``
* ``[ ]`` iOS plugin scaffold (``ios/`` dir, cargokit integration)
* ``[ ]`` Android plugin scaffold (``android/`` dir, CMakeLists.txt)
* ``[ ]`` macOS plugin scaffold (``macos/`` dir)
* ``[ ]`` Confirm ``flutter build ios`` succeeds (static lib linked)
* ``[ ]`` Confirm ``flutter build apk`` succeeds (cdylib linked)
----
Step 6 — Dart Layer Wiring
---------------------------
* ``[ ]`` Wire ``crypto_wolfssl.dart`` ``encrypt()`` → ``ccc_aead_encrypt()``
* ``[ ]`` Wire ``crypto_wolfssl.dart`` ``decrypt()`` → ``ccc_aead_decrypt()``
* ``[ ]`` Convert ``CccProviderCatalog.capabilities`` to runtime-populated map
* ``[ ]`` Call ``ccc_init()`` at app startup
* ``[ ]`` Populate ``CccProviderCatalog`` from ``ccc_provider_capabilities()``
* ``[ ]`` Create ``CccSelfTest`` Dart class (wraps ``ccc_self_test()``)
* ``[ ]`` Expose self-test pass/fail diagnostics in app debug screen
----
Step 7 — Conformance Test Suite
---------------------------------
* ``[ ]`` ``tests/conformance/aes_gcm_vectors.rs`` — NIST SP 800-38D vectors
* ``[ ]`` ``tests/conformance/chacha_vectors.rs`` — RFC 8439 vectors
* ``[ ]`` ``tests/conformance/hkdf_vectors.rs`` — RFC 5869 vectors
* ``[ ]`` ``tests/conformance/hmac_vectors.rs`` — RFC 4231 vectors
* ``[ ]`` ``tests/conformance/cross_provider.rs`` — wolfSSL output matches
  Dart ``cryptography`` reference output (byte-identity)
* ``[ ]`` ``cargo test --workspace`` all pass
----
Step 8 — Architecture Documentation
--------------------------------------
* ``[ ]`` Create ``docs/phase4_rust_architecture.rst``
* ``[ ]`` Crate dependency graph (ASCII diagram)
* ``[ ]`` "How to add a new provider" — 7-step trait checklist
* ``[ ]`` ``algo: u32`` → cipher constant mapping table
* ``[ ]`` Phase 8 stretch-goal provider list documented
----
Final Verification Gate
------------------------
* ``[ ]`` ``cargo test --workspace`` — all pass
* ``[ ]`` ``cargo build --target aarch64-apple-ios`` — success
* ``[ ]`` ``cargo build --target aarch64-linux-android`` — success
* ``[ ]`` Flutter roundtrip integration test passes (1 KB encrypt/decrypt)
* ``[ ]`` ``CccSelfTest.runAll()`` all-pass in app debug screen
* ``[ ]`` Cross-provider conformance confirmed (``deterministic_io: true``
  verified for AES-256-GCM and ChaCha20-Poly1305)
----
Phase 8 — Stretch Goal Providers (Future)
------------------------------------------
*(Out of scope for Phase 4. Tracked here for future scheduling.)*
* ``[ ]`` libsodium (``sodiumoxide`` / ``safe_libsodium``)
* ``[ ]`` OpenSSL (``openssl`` crate)
* ``[ ]`` BoringSSL (``boring`` crate)
* ``[ ]`` RustCrypto (pure-Rust, no native dep)
* ``[ ]`` liboqs — ML-KEM, BIKE, HQC, Falcon, Dilithium, SPHINCS+
* ``[ ]`` Signal ``libsignal``
* ``[ ]`` Botan
* ``[ ]`` mbedTLS
* ``[ ]`` Nettle