Hashavatar API 0.6.0
hashavatar-api v0.6.0
This release updates the public API service to hashavatar 0.6.0 and adds a stronger security/self-testing baseline.
Changed
- Updated
hashavatar-apito0.6.0. - Updated renderer dependency to
hashavatar 0.6.0. - Updated README and security documentation for the 0.6.0 release.
- Refreshed README structure with current status, trust dashboard, API examples, limits, caching behavior, deployment notes, and release evidence.
Security
- Added path-safe namespace validation for
tenantandstyle_version. - Added a 512-byte service-level identity limit.
- Switched S3 object keys to use the full SHA-256 digest.
- Made the rate limiter recover from mutex poisoning instead of panicking.
- Kept email-shaped avatar identifiers allowed as an accepted compatibility/privacy tradeoff.
- Documented that stable internal IDs or one-way hashes are preferred when minimizing URL log PII matters.
Testing And Release Evidence
- Added security invariant checks.
- Added local HTTP smoke testing.
- Added SBOM generation.
- Added reproducible release build checks.
- Added default GitHub CodeQL setup guidance.
- CI now runs the expanded security/self-test gate.