Every cryptography library says it's secure and performant. Very few can explain how that security is validated and how that performance is proven after every change. One of the easiest mistakes in cryptographic engineering is assuming code is constant-time because it looks constant-time. The source looks branchless. The review looks clean. The helper uses the right equality function. Then an optimization, a target-specific lowering decision, a tiny refactor, or a new fast path changes the bina

rscrypto v0.4.0: Verifying Constant-Time Behavior Instead of Assuming It
loadingalias
