Skip to content

Hashavatar API 0.6.0

Choose a tag to compare

@eldryoth eldryoth released this 17 May 09:00
Immutable release. Only release title and notes can be modified.
ed39564

hashavatar-api v0.6.0

This release updates the public API service to hashavatar 0.6.0 and adds a stronger security/self-testing baseline.

Changed

  • Updated hashavatar-api to 0.6.0.
  • Updated renderer dependency to hashavatar 0.6.0.
  • Updated README and security documentation for the 0.6.0 release.
  • Refreshed README structure with current status, trust dashboard, API examples, limits, caching behavior, deployment notes, and release evidence.

Security

  • Added path-safe namespace validation for tenant and style_version.
  • Added a 512-byte service-level identity limit.
  • Switched S3 object keys to use the full SHA-256 digest.
  • Made the rate limiter recover from mutex poisoning instead of panicking.
  • Kept email-shaped avatar identifiers allowed as an accepted compatibility/privacy tradeoff.
  • Documented that stable internal IDs or one-way hashes are preferred when minimizing URL log PII matters.

Testing And Release Evidence

  • Added security invariant checks.
  • Added local HTTP smoke testing.
  • Added SBOM generation.
  • Added reproducible release build checks.
  • Added default GitHub CodeQL setup guidance.
  • CI now runs the expanded security/self-test gate.