Security: SecurityRonin/timeglyph

Security Policy

Threat model — a parser of attacker-influenced values

timeglyph decodes raw timestamp values and byte sequences that, in real forensic use, originate from untrusted artifacts: disk images, memory dumps, captured network data, files under examination. The security-relevant property is therefore simple and absolute:

No input may cause a panic, a crash, or silently wrong output.

The engine is built to that standard:

  • #![forbid(unsafe_code)] across the crate.
  • No unwrap/expect/panic! in library or binary code (enforced by clippy::unwrap_used / expect_used set to deny); every length, width, and arithmetic step is bounds-checked and overflow-checked (i128 spine, checked_mul/checked_add, try_from).
  • Out-of-range or malformed input is surfaced as a typed ChronoError, never as a default value that masks the failure.
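The checked-decoding pattern listed above, applied to an 8-byte little-endian Windows FILETIME. This is an added example, not timeglyph's own code: the function name, the DecodeError type, and the sample bytes are assumptions made for this illustration.

```rust
use std::convert::TryFrom;

/// Hypothetical typed error for this example (not timeglyph's ChronoError).
#[derive(Debug, PartialEq, Eq)]
pub enum DecodeError {
    BadLength { expected: usize, got: usize },
    Overflow,
    OutOfRange,
}

// 1970-01-01 expressed in FILETIME ticks (100 ns units since 1601-01-01).
const UNIX_EPOCH_TICKS: i128 = 116_444_736_000_000_000;
const NANOS_PER_TICK: i128 = 100;

/// Decode an 8-byte little-endian FILETIME into Unix nanoseconds (i64).
pub fn filetime_le_to_unix_nanos(raw: &[u8]) -> Result<i64, DecodeError> {
    // Width check: try_from rejects any slice that is not exactly 8 bytes,
    // so there is no indexing that could panic on short input.
    let bytes = <[u8; 8]>::try_from(raw)
        .map_err(|_| DecodeError::BadLength { expected: 8, got: raw.len() })?;

    // Widen to i128 so intermediates have headroom; the checked ops still
    // turn any overflow into an error instead of a wrapped value.
    let ticks = i128::from(u64::from_le_bytes(bytes));
    let nanos = ticks
        .checked_sub(UNIX_EPOCH_TICKS)
        .and_then(|t| t.checked_mul(NANOS_PER_TICK))
        .ok_or(DecodeError::Overflow)?;

    // Narrow with try_from: an unrepresentable result is an error, never a
    // clamped or default value.
    i64::try_from(nanos).map_err(|_| DecodeError::OutOfRange)
}

fn main() {
    // Constructed sample inputs: a valid value, an extreme value, a short read.
    let epoch = 116_444_736_000_000_000u64.to_le_bytes();
    println!("{:?}", filetime_le_to_unix_nanos(&epoch));
    println!("{:?}", filetime_le_to_unix_nanos(&[0xFF; 8]));
    println!("{:?}", filetime_le_to_unix_nanos(&[0x01, 0x02, 0x03]));
}
```

An all-zero FILETIME (1601-01-01) is also rejected here, because that instant does not fit in i64 nanoseconds relative to the Unix epoch.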

Fuzzing

fuzz/ holds cargo-fuzz targets whose invariant is no panic on any input:

  • interpret_int — arbitrary i64 values through the full auto-detect path.
  • interpret_hex — arbitrary byte/UTF-8 input through the hex byte-decoder.

Run locally with a nightly toolchain:

cargo +nightly fuzz run interpret_hex

Reporting a vulnerability

For an actual security issue — a parser panic on crafted input, a memory-safety concern, or silently wrong decoding — email albert@securityronin.com with details and a reproducer. Please do not open a public issue for security reports.

We aim to acknowledge within a few business days and to ship a fix promptly, crediting the reporter unless anonymity is requested.
