feat: initial release

LZ4 compression, xxHash3 integrity, AES-256-GCM encryption for byte payloads.

- ByteStorage: LZ4 compression with xxHash3-64 checksums
- ZeroKnowledgeEncryptor: AES-256-GCM with counter-based nonces
- Key derivation: HKDF-SHA256 (RFC 5869)
- C FFI layer with auto-generated headers
- Fuzz targets and property-based tests

Author: 27Bslash6

.github/workflows/ci.yml

@@ -0,0 +1,59 @@
+name: CI
+
+on:
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          components: rustfmt, clippy
+
+      - name: Cache cargo registry
+        uses: Swatinem/rust-cache@v2
+        with:
+          cache-all-crates: true
+
+      - name: Check formatting
+        run: cargo fmt --check
+
+      - name: Run clippy
+        run: cargo clippy --all-features -- -D warnings
+
+      - name: Run tests (all features)
+        run: cargo test --all-features
+
+      - name: Run FFI tests
+        run: cargo test --features ffi
+
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Cache cargo registry
+        uses: Swatinem/rust-cache@v2
+        with:
+          cache-all-crates: true
+
+      - name: Install security tools
+        run: cargo install cargo-deny cargo-audit
+
+      - name: Check dependencies (licenses & security advisories)
+        run: cargo deny check
+
+      - name: Run cargo audit
+        run: cargo audit

.github/workflows/release.yml

@@ -0,0 +1,49 @@
+name: Release
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    outputs:
+      release_created: ${{ steps.release.outputs.release_created }}
+      tag_name: ${{ steps.release.outputs.tag_name }}
+    steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
+      - uses: googleapis/release-please-action@v4
+        id: release
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+
+  publish:
+    needs: release-please
+    if: ${{ needs.release-please.outputs.release_created }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Cache cargo registry
+        uses: Swatinem/rust-cache@v2
+
+      - name: Run tests before publish
+        run: cargo test --all-features
+
+      - name: Publish to crates.io
+        run: cargo publish
+        env:
+          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}

.gitignore

@@ -0,0 +1,17 @@
+# Rust build artifacts
+/target/
+Cargo.lock
+
+# Generated files (keep .gitkeep but ignore generated header)
+include/cachekit.h
+
+# Editor files
+*.swp
+*.swo
+*~
+.idea/
+.vscode/
+
+# OS files
+.DS_Store
+Thumbs.db

.release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+  ".": "0.0.1"
+}

CHANGELOG.md

@@ -0,0 +1,45 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Added
+
+- **ByteStorage**: LZ4 compression with xxHash3-64 checksums
+  - Automatic compression/decompression
+  - Integrity verification on retrieval
+  - Decompression bomb protection (512MB limit, 1000x ratio limit)
+
+- **ZeroKnowledgeEncryptor**: AES-256-GCM encryption
+  - Counter-based nonce generation (prevents reuse)
+  - Hardware acceleration detection (AES-NI, ARM Crypto)
+  - Operation metrics for observability
+
+- **Key Derivation**: HKDF-SHA256 (RFC 5869)
+  - Domain separation for multi-use keys
+  - Tenant isolation via salt
+  - Key fingerprinting for rotation support
+
+- **C FFI Layer**: Multi-language support
+  - Opaque handle management
+  - Panic-safe error handling
+  - Auto-generated `cachekit.h` header
+
+- **Security Infrastructure**
+  - 16 fuzz targets covering all attack surfaces
+  - Kani formal verification proofs
+  - Property-based testing with proptest
+  - `cargo-deny` supply chain security
+
+### Security
+
+- All key material zeroized on drop
+- Constant-time operations for encryption via `ring`
+- No panics in library code (Result-based error handling)
+- FFI boundary hardened with `catch_unwind`
+
+[Unreleased]: https://github.com/cachekit-io/cachekit-core/compare/main...HEAD

Cargo.toml

@@ -0,0 +1,99 @@
+[package]
+name = "cachekit-core"
+version = "0.0.1"
+edition = "2024"
+authors = ["cachekit Contributors"]
+description = "LZ4 compression, xxHash3 integrity, AES-256-GCM encryption for byte payloads"
+rust-version = "1.85"
+license = "MIT"
+repository = "https://github.com/cachekit-io/cachekit-core"
+homepage = "https://github.com/cachekit-io/cachekit-core"
+documentation = "https://docs.rs/cachekit-core"
+readme = "README.md"
+keywords = ["lz4", "xxhash", "aes-gcm", "encryption", "compression"]
+categories = ["compression", "cryptography"]
+
+[lib]
+name = "cachekit_core"
+# cdylib for C FFI, rlib for Rust crates, staticlib for static linking
+crate-type = ["cdylib", "rlib", "staticlib"]
+
+[dependencies]
+# Error handling
+thiserror = "1.0"
+
+# Core serialization
+serde = { version = "1.0", features = ["derive"] }
+serde_bytes = "0.11"
+
+# MessagePack serialization (optional)
+rmp-serde = { version = "1.3", optional = true }
+
+# High-performance LZ4 compression (optional)
+lz4_flex = { version = "0.11", features = ["frame", "std"], optional = true }
+
+# Fast non-cryptographic hashing for data integrity (optional)
+# xxHash3-64: ~36 GB/s, sufficient for corruption detection (security via AES-GCM auth tag)
+xxhash-rust = { version = "0.8", features = ["xxh3"], optional = true }
+
+
+# Encryption dependencies (all optional, gated by encryption feature)
+# Uses HKDF-SHA256 for key derivation (NOT Blake2b - that's only for Python cache keys)
+ring = { version = "0.17", optional = true }
+zeroize = { version = "1.8", features = ["derive"], optional = true }
+hkdf = { version = "0.12", optional = true }
+sha2 = { version = "0.10", optional = true }
+hmac = { version = "0.12", optional = true }
+generic-array = { version = "0.14", optional = true }
+
+# Byte utilities
+bytes = "1.5"
+byteorder = "1.5"
+
+[build-dependencies]
+# C header generation (required for ffi feature)
+cbindgen = "0.29"
+
+[dev-dependencies]
+proptest = "1.4"
+serde_json = "1.0"
+blake2 = "0.10"
+hex = "0.4"
+
+[features]
+default = ["compression", "checksum", "messagepack"]
+
+# Core features
+compression = ["dep:lz4_flex"]
+checksum = ["dep:xxhash-rust"]
+messagepack = ["dep:rmp-serde"]
+
+# Encryption (AES-256-GCM with HKDF-SHA256 key derivation)
+encryption = [
+    "dep:ring",
+    "dep:zeroize",
+    "dep:hkdf",
+    "dep:sha2",
+    "dep:hmac",
+    "dep:generic-array",
+]
+
+# C FFI layer (generates include/cachekit.h)
+ffi = []
+
+# Kani formal verification configuration
+# Provides mathematical proofs of memory safety for unsafe code and FFI boundaries
+[package.metadata.kani]
+default-unwind = 10
+output-format = "terse"
+concrete-playback = "print"
+enable-unstable = false
+solver = "cadical"
+
+[package.metadata.kani.unstable]
+stubbing = false
+
+# Lint configuration
+[lints.rust]
+# Suppress benign warnings about cfg(kani) which is set by Kani verifier
+unexpected_cfgs = { level = "warn", check-cfg = ['cfg(kani)'] }

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024-2025 cachekit Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.