Releases: valkyoth/hashavatar-api
Releases · valkyoth/hashavatar-api
Release list
Hashavatar API 1.1.1
hashavatar-api 1.1.1 Release Notes
Status: draft
Summary
1.1.1 is the next stable patch release for the API, renderer dependency,
documentation, and build tooling.
These notes are based on the current working tree and should be rechecked
against the final tag before publishing.
Changed
- Bumped
hashavatar-apito1.1.1. - Updated the renderer dependency to
hashavatar1.1.1. - Refreshed the lockfile with current compatible crate updates.
- Updated GitHub workflow tooling where newer action versions are available.
- Kept the project Rust toolchain pinned to Rust
1.96.0. - Updated the README for the
1.1.1service and renderer versions. - Expanded the website language note to state that translations are
AI-assisted best effort and that native-speaker fixes are welcome.
Verification
cargo outdated --workspace --root-deps-only
scripts/checks.sh
scripts/smoke_local.sh
scripts/podman_smoke.shHashavatar API 1.1.0
Immutable
release. Only release title and notes can be modified.
hashavatar-api 1.1.0
This release updates hashavatar-api to the hashavatar 1.1.0 renderer and expands the public demo site while tightening several security and release-path details.
Highlights
- Updated hashavatar-api to 1.1.0.
- Updated the renderer dependency to crates.io hashavatar 1.1.0.
- Added a large TOML-backed website translation set with RTL support where needed.
- Added a searchable, scrollable language selector for the expanded language list.
- Added privacy-policy wording that translations are AI-assisted/best-effort and can be improved on GitHub.
- Added privacy-preserving OpenTelemetry metrics for aggregate page views, clicks, outbound links, avatar generation, and visitor interaction patterns.
- Kept telemetry bounded and non-identifying: no raw IDs, tenant/style namespaces, IPs, user agents, referrers, cookies, full URLs, or free-form text in telemetry labels.
Security And Hardening
- Added rate limiting for telemetry endpoints.
- Added a dedicated telemetry rate-limit bucket.
- Improved rate limiting with a sliding-window approximation to reduce boundary bursts.
- Added early avatar size validation before render semaphore acquisition.
- Escaped shared page i18n heading/lead text before HTML body insertion.
- Restricted remote OTLP endpoints to HTTPS, while still allowing localhost loopback collectors for development.
- Preserved strict CSP behavior for inline scripts via nonces.
- Kept the language selector CSP-compatible.
Container And CI
- Updated GitHub checkout action to actions/checkout@v7.0.0.
- Fixed the Wolfi container build by copying compile-time locale config into the build stage.
- Verified the Wolfi image locally with /healthz, /, and WebP avatar generation.
- Release image tag for the fixed container build: v1.1.0-release.
Verification
- scripts/checks.sh passes.
- 68 tests pass.
- Clippy passes.
- Cargo deny and cargo audit pass.
- Local Wolfi container smoke test passes.
Hashavatar API 1.0.3
Release notes for hashavatar-api 1.0.3:
- Updated hashavatar renderer crate to 1.0.3.
- Bumped service version and documentation references to 1.0.3.
- Refreshed Rust dependencies, including AWS SDK crates.
- Updated GitHub workflow actions.
- Updated the Podman/Fluxheim deployment example to use ghcr.io/valkyoth/fluxheim:v1.5.14-wolfi.
- Verified local checks, smoke tests, dependency policy, RustSec audit, and Wolfi container smoke test.
Hashavatar API 1.0.2
hashavatar-api 1.0.2
Security hardening and renderer update release.
- Updated the API and demo to
hashavatar 1.0.2. - Added stricter no-cache behavior for API error responses.
- Added
X-RateLimit-*headers on rate-limit responses. - Hardened trusted-proxy client IP handling against reserved/private forwarded IPs.
- Validated S3 object prefixes and enabled explicit SSE-S3 on stored avatars.
- Improved cache-key construction to avoid delimiter ambiguity.
- Expanded browser security headers and added cross-domain policy hardening.
- Added safer hashed-identity guidance in the documentation.
Hashavatar API 1.0.1
hashavatar-api 1.0.1
Security hardening patch release.
- Added process-wide backpressure for avatar and Open Graph rendering work.
- Sharded the in-memory rate limiter to reduce hot-path lock contention.
- Tightened S3 persistence behavior so only real missing objects trigger writes.
- Clamped S3 presigned URL TTLs to the SigV4-safe range.
- Documented
/metricsproxying and trusted-proxy deployment boundaries. - Re-enabled yanked-crate checks and crates.io index refresh for
cargo audit. - Updated to Hashavatar 1.0.1 crate.
Hashavatar API 1.0.0
hashavatar-api 1.0.0
Stable 1.0 release of the public Hashavatar API and demo site.
Highlights
- Updated to
hashavatarcrate1.0.0. - Finalized the API/demo site for SHA-512 + WebP avatar generation.
- Added stricter security handling for rate limiting, forwarded IPs, storage links, and Open Graph rendering.
- Open Graph PNG generation now runs off the async executor with timeout protection.
- Direct
persist=trueavatar requests now use the stricter storage rate limit. - Signed storage link responses return a hashed cache key instead of the raw identity-bearing cache key.
- Updated Wolfi container deployment and hardened the Podman Compose example.
- Refreshed dependencies, including direct
lru 0.18.0. - Updated documentation, security controls, and release metadata for
1.0.0.
Verification
- CI green before tagging.
- Local release gate passed.
- Local Wolfi image smoke test passed.
Hashavatar API 0.13.0
hashavatar-api v0.13.0
This release updates the API and demo site for hashavatar 0.13.0.
Changed
- Uses the published
hashavatar 0.13.0crate. - Adds demo/API support for the new background modes:
polka-dotstripedcheckerboardgridsunriseoceanstarry
- Keeps the demo/API on SHA-512 identity hashing and WebP avatar responses.
- Updates README, security docs, OpenAPI-driven options, and smoke tests for the new background set.
Security and Reliability
- Applies origin-side rate limiting to
/og.png. - Raises the in-memory rate limiter capacity to 65,536 buckets.
- Avoids CSP nonce generation on non-HTML routes.
- Stops exposing signed S3 URL/object-key metadata on standard avatar responses; signed metadata is returned only through
/v1/avatar/link. - Adds regression tests and smoke coverage for the new hardening.
Validation
- Local test suite, clippy, smoke tests, dependency policy, RustSec audit, GitHub CI, and CodeQL passed before tagging.
Hashavatar API 0.12.0
hashavatar-api v0.12.0
This release updates the API and demo site for hashavatar 0.12.0.
Changed
- Uses the published
hashavatar 0.12.0crate. - Demo/API avatar rendering is now SHA-512 only.
- Demo/API avatar responses are now WebP only.
- Removed algorithm and format selectors from the demo UI.
- Updated OpenAPI, README, security docs, and smoke tests for the stricter 0.12.0 behavior.
- Updated CSP script hash for the revised demo page.
Security and Reliability
- Keeps the recent hardening around rate limiting, metrics access, security headers, generic error responses, and health check disclosure.
- Local checks, smoke tests, dependency policy, RustSec audit, and GitHub checks passed before tagging.
Hashavatar API 0.11.0
hashavatar-api 0.11.0
Changed
- Updated to
hashavatar 0.11.0. - Replaced the local API-side face-layer compatibility map with the crate-provided
AvatarKind::supports_face_layers()helper.
Validation
- Updated service/docs metadata for
0.11.0. - Verified GitHub checks are green before tagging.
- Local verification included checks, smoke test, and Wolfi image smoke before commit.
Hashavatar API 0.10.0
hashavatar-api 0.10.0
Added
- Updated to
hashavatar 0.10.0. - Added demo/API support for avatar style options:
accessorycolorexpressionshape
- Added UI handling for avatar families that do not support accessory/expression layers.
Security
- Reworked rate limiter storage to bounded O(1) LRU updates.
- Hardened trusted proxy
X-Forwarded-Forhandling. - Replaced Open Graph PNG panic path with logged error handling.
- Changed local default bind to
127.0.0.1; container deployment explicitly binds0.0.0.0.
Validation
- Updated docs, OpenAPI metadata, smoke tests, and security invariants.
- Verified local checks, local smoke, and Wolfi container smoke before release.