chore(crypto)!: use blake3 instead of sha2

[m4tx]

This uses blake3 for static file content hashing as well as calculating the session auth hash (using blake3's native keyed mode instead of HMAC). This is done to improve the performance without sacrificing security and to reduce the number of deps when we merge #443.

[github-actions]

Bencher Report

Branch	blake3
Testbed	github-ubuntu-latest

Click to view all benchmark results

Benchmark	Latency	Benchmark Result microseconds (µs) (Result Δ%)	Upper Boundary microseconds (µs) (Limit %)
empty_router/empty_router	📈 view plot 🚷 view threshold	5,744.50 µs (-2.87%) Baseline: 5,914.08 µs	7,010.59 µs (81.94%)
json_api/json_api	📈 view plot 🚷 view threshold	1,074.50 µs (+5.18%) Baseline: 1,021.56 µs	1,165.89 µs (92.16%)
nested_routers/nested_routers	📈 view plot 🚷 view threshold	989.33 µs (+5.06%) Baseline: 941.65 µs	1,068.88 µs (92.56%)
single_root_route/single_root_route	📈 view plot 🚷 view threshold	955.07 µs (+5.84%) Baseline: 902.40 µs	1,027.63 µs (92.94%)
single_root_route_burst/single_root_route_burst	📈 view plot 🚷 view threshold	17,310.00 µs (-1.08%) Baseline: 17,499.05 µs	20,641.40 µs (83.86%)

🐰 View full continuous benchmarking report in Bencher

[Copilot]

Pull request overview

Switches hashing primitives in cot from SHA-2/HMAC to BLAKE3 for performance and dependency reduction, affecting static file versioning and session authentication hashing.

Changes:

• Replace static file content hashing (for cache-busting/versioned URLs) with blake3::hash.
• Replace session auth hashing from HMAC-SHA512 to BLAKE3 keyed mode with derive_key + keyed_hash.
• Update workspace/crate dependencies to add blake3 and remove digest, hmac, and sha2.

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
cot/src/static_files.rs	Uses BLAKE3 for static file hash used in rewritten URLs.
cot/src/auth/db.rs	Switches DatabaseUser::session_auth_hash to BLAKE3 keyed hashing.
cot/src/auth.rs	Updates docs/examples for session auth hashing (but one doctest example still references removed deps).
cot/src/lib.rs	Adjusts public re-exports for bytes and http (no functional change intended).
cot/Cargo.toml	Adds blake3 dependency; removes SHA2/HMAC/digest-related deps.
Cargo.toml	Adds blake3 to workspace deps; removes SHA2/HMAC/digest from workspace deps.
Cargo.lock	Adds BLAKE3 transitive deps and includes additional dependency version churn.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 7 out of 8 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag	Coverage Δ
rust	89.99% <100.00%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
cot/src/auth.rs	91.11% <ø> (ø)
cot/src/auth/db.rs	85.08% <100.00%> (-0.13%)	⬇️
cot/src/static_files.rs	96.05% <100.00%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[seqre]

LGTM overall. Remember to mark it as semver-breaking change - the auth would break and any functionality based on static file hashes

[m4tx]

any functionality based on static file hashes

We don't really make any promises about the static file hashes, so technically this isn't breaking. But yeah, this will cause the existing sessions to invalidate, so I guess it might be considered a breaking change.