v0.6.2 CDN/Xet CSP hotfix
v0.6.2 CDN/Xet CSP hotfix
Patch release over v0.6.1 for production model downloads.
Changes
- Allows the exact Hugging Face CDN/Xet redirect origin
https://us.aws.cdn.hf.coin productionconnect-srcalongsidehttps://huggingface.co. - Preserves direct-route SPA fallback and existing security headers.
- Preserves v0.6 task-first UI and all model/profile/storage/training/privacy schemas.
- Keeps v0.6.0 and v0.6.1 release tags/assets immutable.
Verification required for publication
- Required CI passes on the v0.6.2 release commit.
- Production alias returns direct routes with
connect-src 'self' https://huggingface.co https://us.aws.cdn.hf.co. - Browser smoke verifies the model install path under production CSP without broad wildcard origins.
Known limitations
- Issue #255 remains open for moderated release-usability participant evidence.
- ADR 0004 and ADR 0005 production accuracy/performance evidence limitations remain unresolved.