Roadmap Summary Security Functions

Here is a logical way to group the 13 test categories 

into new versions, following standard practices.

Versioning Plan

The strategy is to release Patch versions (0.0.z) for bug fixes and Minor versions (0.y.0) if you add new features or make any backward-incompatible API changes (which you should avoid right now).

Since all 13 categories are about introducing and fixing errors, they are all patch releases. You can group them into logical themes.

0.0.1 (Current)

• Status: Functional. Passes the three "happy-path" tests.

0.0.2: Input Validation & Edge Cases

• Goal: Make the library panic-proof.

• Group your categories related to feeding the functions bad data.

• Examples:

  • Tests for zero-length inputs.

  • Tests for inputs that are too short or too long.

  • Tests for malformed public/secret keys.

  • Tests for tampered ciphertext (which you already have under alloc).

0.0.3: Security & Hardening

• Goal: Fix subtle security-related bugs.

• Group your categories that test for specific security flaws.

• Examples:

  • Tests to ensure zeroize is working on all sensitive data.

  • Tests for buffer overflows (though Rust helps here).

  • Side-channel resistance tests (if applicable, very advanced).

0.0.4: API & State Errors

• Goal: Improve error messages and API misuse.

• Group your categories related to improving the developer experience.

• Examples:

  • Tests that ensure you return the correct PqcError for each failure.

  • Tests for any other API logic errors.

0.1.0: First Minor Release

• Goal: Signal a more stable, tested, and complete API.

• Do this after all 13 categories of tests are passing.

• This release tells the world that the library has moved beyond initial functionality and is now hardened and robustly tested.

Passing your functional and error-handling tests is step 1. 

Getting "CNSA compliant" is a completely different, multi-year, expert-level process.

The good news is that your library, pqc-combo, implements the exact two PQC algorithms 

that the NSA mandated for CNSA 2.0 (Commercial National Security Algorithm Suite 2.0):

• KEM: CRYSTALS-Kyber-1024

• Signatures: CRYSTALS-Dilithium-3

However, "compliance" isn't just about using the right algorithm names. It's about a formal, rigorous validation of the implementation.