structured-world · polaz · Mar 26, 2026 · Mar 26, 2026 · Mar 26, 2026 · Mar 26, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -10,21 +10,51 @@ env:
   RUSTFLAGS: -Dwarnings
 
 jobs:
-  build:
+  build-matrix:
+    name: build-matrix (${{ matrix.rust }})
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        rust: [stable, "1.92.0"]
     steps:
       - uses: actions/checkout@v6
       - uses: dtolnay/rust-toolchain@stable
+        with:
+          toolchain: ${{ matrix.rust }}
       - uses: Swatinem/rust-cache@v2
       - run: cargo build --all-features
 
-  test:
+  build:
+    runs-on: ubuntu-latest
+    needs: build-matrix
+    if: ${{ always() }}
+    steps:
+      - run: test "${{ needs.build-matrix.result }}" = "success"
+
+  test-matrix:
+    name: test-matrix (${{ matrix.rust }})
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        rust: [stable, "1.92.0"]
     steps:
       - uses: actions/checkout@v6
       - uses: dtolnay/rust-toolchain@stable
+        with:
+          toolchain: ${{ matrix.rust }}
+      - uses: taiki-e/install-action@nextest
       - uses: Swatinem/rust-cache@v2
-      - run: cargo test --all-features
+      - run: cargo nextest run --all-features
+      - run: cargo test --doc --all-features
+
+  test:
+    runs-on: ubuntu-latest
+    needs: test-matrix
+    if: ${{ always() }}
+    steps:
+      - run: test "${{ needs.test-matrix.result }}" = "success"
 
   clippy:
     runs-on: ubuntu-latest

diff --git a/Cargo.toml b/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name = "xml-sec"
 version = "0.1.0"
-edition = "2021"
+edition = "2024"
 rust-version = "1.92"
 license = "Apache-2.0"
 description = "Pure Rust XML Security: XMLDSig, XMLEnc, C14N. Drop-in replacement for libxmlsec1."
@@ -23,13 +23,12 @@ ring = "0.17"
 x509-parser = "0.18"
 der = "0.8"
 
+# Base64 encoding/decoding
+base64 = "0.22"
+
 # Error handling
 thiserror = "2"
 
-[dev-dependencies]
-# W3C test vectors
-base64 = "0.22"
-
 [features]
 default = ["xmldsig", "c14n"]
 xmldsig = []           # XML Digital Signatures (sign + verify)

diff --git a/README.md b/README.md
@@ -25,6 +25,9 @@ Every SAML, SOAP, and WS-Security implementation depends on libxmlsec1 — a C l
 
 **Pre-release.** API is unstable. Not ready for production use.
 
+Current toolchain target: latest stable Rust.
+Current MSRV: Rust 1.92.
+
 ## Specifications
 
 | Spec | Status |

diff --git a/rust-toolchain.toml b/rust-toolchain.toml
@@ -0,0 +1,2 @@
+[toolchain]
+channel = "stable"
diff --git a/src/c14n/mod.rs b/src/c14n/mod.rs
@@ -36,7 +36,7 @@ use roxmltree::{Document, Node};
 
 use ns_exclusive::ExclusiveNsRenderer;
 use ns_inclusive::InclusiveNsRenderer;
-use serialize::{serialize_canonical, C14nConfig};
+use serialize::{C14nConfig, serialize_canonical};
 
 /// C14N algorithm mode (without the comments flag).
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]

diff --git a/src/c14n/ns_exclusive.rs b/src/c14n/ns_exclusive.rs
@@ -78,7 +78,7 @@ fn visibly_utilized_prefixes<'a>(node: Node<'a, '_>) -> HashSet<&'a str> {
 #[cfg(test)]
 #[allow(clippy::unwrap_used)]
 mod tests {
-    use super::super::serialize::{serialize_canonical, C14nConfig};
+    use super::super::serialize::{C14nConfig, serialize_canonical};
     use super::*;
     use roxmltree::Document;
     use std::collections::HashSet;

diff --git a/src/c14n/ns_inclusive.rs b/src/c14n/ns_inclusive.rs
@@ -33,7 +33,7 @@ impl NsRenderer for InclusiveNsRenderer {
 #[cfg(test)]
 #[allow(clippy::unwrap_used)]
 mod tests {
-    use super::super::serialize::{serialize_canonical, C14nConfig};
+    use super::super::serialize::{C14nConfig, serialize_canonical};
     use super::*;
     use roxmltree::Document;
 

diff --git a/src/c14n/serialize.rs b/src/c14n/serialize.rs
@@ -8,10 +8,10 @@ use std::collections::{HashMap, HashSet};
 
 use roxmltree::{Document, Node, NodeType};
 
+use super::C14nError;
 use super::escape::{escape_attr, escape_cr, escape_text};
 use super::prefix::{attribute_prefix, element_prefix};
 use super::xml_base::{compute_effective_xml_base, resolve_uri};
-use super::C14nError;
 
 /// The XML namespace URI.
 ///
@@ -143,10 +143,8 @@ fn serialize_children(
                 if in_set {
                     // Document-level text nodes are ignored by C14N.
                     // Only text inside elements is serialized.
-                    if !is_doc_root {
-                        if let Some(text) = child.text() {
-                            escape_text(text, output);
-                        }
+                    if !is_doc_root && let Some(text) = child.text() {
+                        escape_text(text, output);
                     }
                 }
             }
@@ -164,20 +162,18 @@ fn serialize_children(
                 }
             }
             NodeType::PI => {
-                if in_set {
-                    if let Some(pi) = child.pi() {
-                        if is_doc_root {
-                            write_doc_level_separator(&child, output);
-                        }
-                        output.extend_from_slice(b"<?");
-                        output.extend_from_slice(pi.target.as_bytes());
-                        if let Some(value) = pi.value {
-                            output.push(b' ');
-                            // C14N spec: \r in PI content must be escaped to &#xD;
-                            escape_cr(value, output);
-                        }
-                        output.extend_from_slice(b"?>");
+                if in_set && let Some(pi) = child.pi() {
+                    if is_doc_root {
+                        write_doc_level_separator(&child, output);
+                    }
+                    output.extend_from_slice(b"<?");
+                    output.extend_from_slice(pi.target.as_bytes());
+                    if let Some(value) = pi.value {
+                        output.push(b' ');
+                        // C14N spec: \r in PI content must be escaped to &#xD;
+                        escape_cr(value, output);
                     }
+                    output.extend_from_slice(b"?>");
                 }
             }
             NodeType::Root => {
@@ -389,10 +385,11 @@ fn collect_inherited_xml_attrs<'a>(
 
     // If parent element is in the node set, no inheritance needed — the parent
     // will render its own xml:* attributes, and the element inherits normally.
-    if let Some(parent) = node.parent() {
-        if parent.is_element() && pred(parent) {
-            return Vec::new();
-        }
+    if let Some(parent) = node.parent()
+        && parent.is_element()
+        && pred(parent)
+    {
+        return Vec::new();
     }
 
     // Collect inheritable xml:* attr names already on this element (own attrs

diff --git a/src/c14n/xml_base.rs b/src/c14n/xml_base.rs
@@ -44,13 +44,13 @@ pub(crate) fn compute_effective_xml_base(
             // xml:base in the canonical output. However, we still collect
             // its xml:base value as the resolution seed, so that the
             // omitted chain below resolves against an absolute base.
-            if let Some(pred) = node_set {
-                if pred(n) {
-                    if let Some(base) = xml_base_value(n) {
-                        bases.push(base);
-                    }
-                    break;
+            if let Some(pred) = node_set
+                && pred(n)
+            {
+                if let Some(base) = xml_base_value(n) {
+                    bases.push(base);
                 }
+                break;
             }
             if let Some(base) = xml_base_value(n) {
                 bases.push(base);
@@ -157,10 +157,10 @@ pub(crate) fn resolve_uri(base: &str, reference: &str) -> String {
     if let Some(rest) = ref_path.strip_prefix("//") {
         let mut auth_end = rest.len();
         for ch in ['/', '?', '#'] {
-            if let Some(pos) = rest.find(ch) {
-                if pos < auth_end {
-                    auth_end = pos;
-                }
+            if let Some(pos) = rest.find(ch)
+                && pos < auth_end
+            {
+                auth_end = pos;
             }
         }
         let new_authority = &rest[..auth_end];
@@ -235,10 +235,10 @@ fn parse_base(base: &str) -> Option<BaseParts<'_>> {
         rest = &rest[2..];
         let mut auth_end = rest.len();
         for ch in ['/', '?', '#'] {
-            if let Some(pos) = rest.find(ch) {
-                if pos < auth_end {
-                    auth_end = pos;
-                }
+            if let Some(pos) = rest.find(ch)
+                && pos < auth_end
+            {
+                auth_end = pos;
             }
         }
         authority = Some(&rest[..auth_end]);