** The C++ S3EC does not support re-encryption, nor custom instruction file suffixes
//= ../specification/s3-encryption/data-format/metadata-strategy.md#instruction-file
//= type=exception
//# The S3EC MAY support re-encryption/key rotation via Instruction Files.

//= ../specification/s3-encryption/data-format/metadata-strategy.md#instruction-file
//= type=exception
//# The S3EC SHOULD support providing a custom Instruction File suffix on GetObject requests, regardless of whether or not re-encryption is supported.

** We're not doing double encoding yet
//= ../specification/s3-encryption/data-format/metadata-strategy.md#object-metadata
//= type=exception
//# The S3EC SHOULD support decoding the S3 Server's "double encoding".

//= ../specification/s3-encryption/data-format/content-metadata.md#v3-only
//= type=exception
//# This material description string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server.

//= ../specification/s3-encryption/data-format/content-metadata.md#v3-only
//= type=exception
//# This encryption context string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server.

//= ../specification/s3-encryption/data-format/content-metadata.md#v1-v2-shared
//= type=exception
//# This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server.


** The C++ S3EC does not support key rings nor cmms
//= ../specification/s3-encryption/client.md#cryptographic-materials
//= type=exception
//# The S3EC MUST accept either one CMM or one Keyring instance upon initialization.
//# If both a CMM and a Keyring are provided, the S3EC MUST throw an exception.
//# When a Keyring is provided, the S3EC MUST create an instance of the DefaultCMM using the provided Keyring.


** The C++ S3EC does not support Delayed Authentication buffer size configuration
//= ../specification/s3-encryption/client.md#set-buffer-size
//= type=exception
//# The S3EC SHOULD accept a configurable buffer size which refers to the maximum ciphertext length in bytes to store in memory when Delayed Authentication mode is disabled.
//# If Delayed Authentication mode is enabled, and the buffer size has been set to a value other than its default, the S3EC MUST throw an exception.
//# If Delayed Authentication mode is disabled, and no buffer size is provided, the S3EC MUST set the buffer size to a reasonable default.


** In the C++ S3EC, there is no connection between the S3 client and any potential KMS clients
//= ../specification/s3-encryption/client.md#inherited-sdk-configuration
//= type=exception
//# If the S3EC accepts SDK client configuration, the configuration MUST be applied to all wrapped SDK clients including the KMS client.


** In the C++ S3EC, the encryption algorithm is uniquely determined by the client version and the CommitmentPolicy

//= ../specification/s3-encryption/client.md#encryption-algorithm
//= type=exception
//# The S3EC MUST support configuration of the encryption algorithm (or algorithm suite) during its initialization.
//# The S3EC MUST validate that the configured encryption algorithm is not legacy.
//# If the configured encryption algorithm is legacy, then the S3EC MUST throw an exception.

//= ../specification/s3-encryption/client.md#key-commitment
//= type=exception
//# The S3EC MUST validate the configured Encryption Algorithm against the provided key commitment policy.
//# If the configured Encryption Algorithm is incompatible with the key commitment policy, then it MUST throw an exception.


** The C++ S3EC does not accept a source of randomness during client initialization
//= ../specification/s3-encryption/client.md#randomness
//= type=exception
//# The S3EC MAY accept a source of randomness during client initialization.


** This is silly, and I don't want to do it 
//= ../specification/s3-encryption/encryption.md#cipher-initialization
//= type=exception
//# The client SHOULD validate that the generated IV or Message ID is not zeros.

** The C++ S3EC does not support custom materials.
** The built in Raw Keyring always has an empty Materials Description
** Therefore "x-amz-m" will never be written.
//= ../specification/s3-encryption/data-format/content-metadata.md#content-metadata-mapkeys
//= type=exception
//# - The mapkey "x-amz-m" SHOULD be present for V3 format objects that use Raw Keyring Material Description.


** The C++ S3EC only implements GetObject and PutObject **

//= ../specification/s3-encryption/client.md#aws-sdk-compatibility
//= type=exception
//# The S3EC MUST adhere to the same interface for API operations as the conventional AWS SDK S3 client.

//= ../specification/s3-encryption/client.md#aws-sdk-compatibility
//= type=exception
//# The S3EC SHOULD support invoking operations unrelated to client-side encryption e.g.

//= ../specification/s3-encryption/client.md#required-api-operations
//= type=exception
//# - DeleteObject MUST be implemented by the S3EC.
//# - DeleteObject MUST delete the given object key.
//# - DeleteObject MUST delete the associated instruction file using the default instruction file suffix.
//# - DeleteObjects MUST be implemented by the S3EC.
//# - DeleteObjects MUST delete each of the given objects.
//# - DeleteObjects MUST delete each of the corresponding instruction files using the default instruction file suffix.

//= ../specification/s3-encryption/client.md#optional-api-operations
//= type=exception
//# - CreateMultipartUpload MAY be implemented by the S3EC.
//# - If implemented, CreateMultipartUpload MUST initiate a multipart upload.
//# - UploadPart MAY be implemented by the S3EC.
//# - UploadPart MUST encrypt each part.
//# - Each part MUST be encrypted in sequence.
//# - Each part MUST be encrypted using the same cipher instance for each part.
//# - CompleteMultipartUpload MAY be implemented by the S3EC.
//# - CompleteMultipartUpload MUST complete the multipart upload.
//# - AbortMultipartUpload MAY be implemented by the S3EC.
//# - AbortMultipartUpload MUST abort the multipart upload.

//= ../specification/s3-encryption/client.md#optional-api-operations
//= type=exception
//# - ReEncryptInstructionFile MAY be implemented by the S3EC.
//# - ReEncryptInstructionFile MUST decrypt the instruction file's encrypted data key for the given object using the client's CMM.
//# - ReEncryptInstructionFile MUST re-encrypt the plaintext data key with a provided keyring.
