- Bumped the crate to
1.1.2. - Updated
sanitizationandsanitization-crypto-interopfrom1.2.2to1.2.4. - Refreshed compatible transitive dependencies in the root and fuzz lockfiles.
- Updated the pinned development toolchain from Rust
1.96.1to Rust1.97.0while keeping the public MSRV at Rust1.90.0. - Updated the pinned GitHub CI
taiki-e/install-actioncommit from the tagged1.1.1release'sv2.82.8tov2.83.0. - Confirmed
actions/checkoutremains current atv7.0.0andSwatinem/rust-cacheremains current atv2.9.1. - Updated the fuzz dependency-policy invocation for the current
cargo-denyCLI while remaining compatible with the version installed by GitHub CI. - Moved identity, cache-key, and optional XXH3 temporary preimages into
sanitization::SecretVecguards before sensitive bytes are written, ensuring full-capacity cleanup on normal return and unwinding. - Removed temporary lowercase allocations from all public enum parsers.
- Expanded the panic-policy gate from
src/lib.rsto every production Rust module. - Documented offline dictionary enumeration of deterministic cache keys and keyed pseudonymization guidance for sensitive, guessable identifiers.
- Updated README installation snippets, Rust compatibility information, Kani
documentation, and release metadata for
1.1.2.
- Bumped the crate to
1.1.1. - Updated
randto0.10.2andxxhash-rustto0.8.16. - Refreshed compatible transitive dependencies in the root and fuzz lockfiles,
including
arrayvec,chacha20, andhybrid-array. - Updated the pinned GitHub CI
taiki-e/install-actioncommit tov2.82.8. - Confirmed
actions/checkoutremains current atv7.0.0andSwatinem/rust-cacheremains current atv2.9.1. - Updated README installation snippets, latest-stable Rust wording, and release
metadata for
1.1.1. - Added local compatibility evidence for Rust
1.96.1. - Switched the pinned development toolchain to Rust
1.96.1while keeping the crate MSRV at Rust1.90.0. - Added CI/release checks that verify backward compatibility on Rust
1.90.0. - Added bounded Kani proof harnesses for
AvatarSpecbounds, render-resource memory math, and rectangle arithmetic. - Added
scripts/check_kani.shusing the documented Rust1.90.0verifier toolchain when available, plusdocs/KANI.mdto define the proof scope and skip policy.
- Bumped the crate to
1.1.0. - Replaced direct
zeroizeusage with the nativesanitizationcrate API. - Added
sanitization1.2.2withallocsupport for digest, seed, preimage, pixel-buffer, and temporary encoder-buffer cleanup. - Added
sanitization-crypto-interop1.2.2so SHA-512 and optional BLAKE3 hashing use the crypto crates' own hasher-state cleanup hooks through thesanitizationsister crate. - Removed direct
zeroizedependency usage and thesha2/blake3zeroize feature hooks. - Moved cache-key and identity SHA-512 hashing through the crypto interop
helper, and moved optional BLAKE3 XOF output through the interop helper with a
sanitization::Secretoutput buffer. - Removed a redundant SHA-512 digest
Secretwrapper now that the interop helper owns hasher-state cleanup and the caller already guards the returned digest. - Moved the crate's direct
sha2dependency to dev-dependencies; production SHA-512 hashing now reachessha2throughsanitization-crypto-interop. - Guarded the optional XXH3 64-byte accumulator with
sanitization::Secret. - Promoted hash-preimage capacity checks from debug-only assertions to release assertions so future size-accounting drift cannot silently bypass temporary buffer sanitization.
- Collapsed optional XXH3 chunk capacity and length checks into one release assertion per chunk.
- Tightened
cargo-denyduplicate crate policy fromwarntodeny. - Updated
libfuzzer-sysin the fuzz harness to0.4.13. - Refreshed Cargo lockfiles with the latest compatible dependency versions.
- Split the former monolithic
src/lib.rsinto focused source files, including per-avatar raster and SVG renderer files, while preserving the public API and visual fingerprints. - Clarified that preimage-capacity assertions are active in all builds as an intentional fail-secure sanitization guard.
- Made starry-background seed rotation precedence explicit without changing generated visuals.
- Hardened internal gradient color interpolation against future oversized callers.
- Added consistent
identity()accessors and security notes to hashed dog and robot renderer structs, matching the existing hashed cat renderer. - Updated GitHub Actions pins to
actions/checkoutv7.0.0andtaiki-e/install-actionv2.82.3;Swatinem/rust-cacheremains current atv2.9.1. - Refreshed README installation snippets and release metadata for
1.1.0.
- Bumped the crate to
1.0.3. - Hardened encoded-output error paths by keeping encoder output in a
Zeroizing<Vec<u8>>until successful return, so partially encoded bytes are scrubbed on encoder errors. - Added debug/test assertions for exact identity, cache-key, and XXH3 chunk preimage capacities so future edits cannot silently introduce reallocations before zeroization.
- Redacted
AvatarBuildernamespace tenant and style-version values fromDebugoutput in addition to the identity input. - Updated
docs/SECURITY_CONTROLS.mdto accurately describe accepted upper-digest-byte visual parameter usage for1.xvisual stability. - Updated GitHub Actions pins to
actions/checkoutv6.0.3,Swatinem/rust-cachev2.9.1, andtaiki-e/install-actionv2.81.8. - Removed the temporary pentest report from the tree.
- Bumped the crate to
1.0.2. - Added
AvatarBuilderas a fluent, validation-preserving entry point for rendering SVG, raster images, encoded WebP/optional formats, and cache keys. - Added
AvatarErroras a unified high-level error type for builder callers. - Added
AvatarIdentity::cache_key()for stable opaque cache identifiers without exposing the raw identity digest. - Added a
preludemodule for common application imports. - Added an optional
serdefeature for public style enums only.AvatarIdentityintentionally remains non-serializable. - Added
AvatarStyleOptions::summary()andDisplayfor UI/log labels. - Expanded
AvatarSpec::newand builder docs around the style-variant seed. - Added runnable
examples/for the builder and cache-key workflows. - Removed the temporary gap analysis report from the tree.
- Bumped the crate to
1.0.1. - Refreshed compatible transitive dependencies in
Cargo.lockand the fuzz harness lockfile. - Updated the GitHub CI
taiki-e/install-actionpin tov2.79.14. - Lowered the documented and manifest MSRV to Rust
1.90.0after running the full release gate on1.90.0and compatibility checks through Rust1.96.0. - Added the README header artwork and Rust version support table. The README image is kept in the repository but excluded from the published crate package.
- Added a debug assertion for future out-of-range identity digest byte access while keeping release builds non-panicking.
- Changed public avatar size helper arithmetic to saturating multiplication for future-proofing.
- Clarified that the
StdRng::from_seedby-value seed argument copy is part of the documented zeroization residual.
- Bumped the crate to
1.0.0. - Declared the first stable public API and rendering contract for
hashavatar. - Added
docs/STABILITY.mdcovering Cargo semver expectations, visual output stability, automatic-style distribution, security/resource contracts, and known residual risks. - Updated README guidance for the stable contract and controlled visual
rollouts through namespace
style_versionvalues. - Added
docs/STABILITY.mdto release metadata/package validation so future releases keep the stability policy in the published crate. - Added 1.0 release notes.
- Hardened the 1.0 release after pentest review by keeping the renderer RNG
seed copy in a
Zeroizingguard until seeding, guarding the intermediate identity digest copy, making starry raster backgrounds identity-dependent, clamping gradient interpolation inputs, and removing the exact rejected byte count fromAvatarIdentityErrordisplay text. - Documented target-specific
getrandomconsiderations, XXH3 temporary preimage-copy overhead, and rectangle zero-size clamping behavior. - Added defensive digest-byte indexing and widened the avatar fuzz harness so it
covers the full supported
64..=2048dimension range. - No avatar families, backgrounds, visual layers, hash modes, output formats, or runtime dependencies were added in this release.
- Bumped the crate to
0.13.0. - Added seven
AvatarBackgroundvariants:polka-dot,striped,checkerboard,grid,sunrise,ocean, andstarry. - Implemented the new backgrounds for raster and SVG output with bounded, asset-free drawing paths.
- Added parser/display/
ALLcoverage, raster distinctness tests, and parser-backed SVG well-formedness coverage for the expanded background catalog. - Replaced raster frame-shape hit-testing with integer arithmetic for circle, squircle, hexagon, and octagon masks, reducing floating-point sensitivity in shape clipping.
- Updated automatic visual golden fingerprints because the expanded
AvatarBackground::ALLlist changes automatic background distribution. - Fixed documentation that still referenced
cargo test --all-features; theblake3andxxh3feature modes are intentionally mutually exclusive. - Refreshed README wording for feature-gated encoder testing and the expanded background catalog.
- Bumped the crate to
0.12.0. - Added eight built-in avatar families:
bear,penguin,dragon,ninja,astronaut,diamond,coffee-cup, andshield. - Implemented each new family in both raster and SVG rendering paths.
- Added face-layer anchor coverage for
bear,penguin,dragon,ninja, andastronaut. - Kept object/symbol families such as
diamond,coffee-cup, andshieldas deterministic no-ops for accessories and expressions. - Updated enum drift tests, parser/display coverage, golden visual fingerprints, README catalog, and release notes for the expanded family list.
- Documented that automatic style derivation can map some identities to
different families because
AvatarKind::ALLnow contains more variants. - Removed the public
AvatarIdentity::seed()helper and made the internal 256-bit RNG seed helper private so callers do not accidentally depend on raw digest-derived seed material. - Removed the public
AvatarIdentity::as_digest()helper so normal rendering callers cannot copy or log full identity digests through the public API. - Added a regression test and documentation that lock
AvatarSpec::default()to the deterministic256x256seed-1convenience spec. - Removed ad-hoc SVG string minification and added parser-backed SVG well-formedness coverage across avatar families, visual layers, representative identities, and the fuzz harness.
- Added
AvatarRenderResourceBudgetandAvatarSpec::render_resource_budgetso service integrations can size render concurrency limits from API-visible memory estimates instead of only README prose. - Hardened polygon scanline interpolation against debug-build integer overflow and added a dedicated fuzz target for arbitrary polygon rasterizer inputs.
- Removed runtime identity hash algorithm selection. SHA-512 remains the
default crate-wide mode, while
blake3andxxh3select mutually exclusive crate-wide optional modes. - Replaced derived
AvatarIdentitydebug formatting with a redacted implementation so accidental{:?}logging does not expose identity digests. - Added rustdoc and security-control guidance that
AvatarIdentityclones are independently zeroized on drop, but high-assurance callers should keep clone lifetimes short to limit extra live digest copies. - Enabled upstream hasher-state zeroization features for SHA-512 and BLAKE3, and explicitly zeroized BLAKE3 hasher/XOF reader state after digest derivation.
- Wrapped digest-derived renderer RNG seed copies in
zeroize::Zeroizingso the temporary mixed seed is scrubbed immediately after RNG initialization, and documentedStdRng's non-zeroized expanded internal state as a known residual. - Wrapped owned RGBA encode buffers and JPEG RGB flattening buffers in RAII zeroization guards so temporary pixel data is scrubbed during normal returns, encoder errors, and unwinding panics.
- Added a zero-dimension guard to polygon rasterization so fuzz-only zero-width or zero-height image inputs return cleanly instead of panicking.
- Moved PNG, JPEG, and GIF output behind explicit
png,jpeg, andgifCargo features, leaving WebP as the only default raster encoder. - Added rustdoc plus security documentation warning that
image's internal GIF quantization buffers are not zeroized byhashavatar. - Hardened rectangle intersection size calculation with saturating arithmetic for extreme internal coordinate ranges.
- Added a compile-time guard so the internal
fuzzingfeature cannot be used in ordinary non-fuzzing release builds. - Documented that XXH3-128 is non-cryptographic and must not be used with adversarial, user-controlled, or sensitive identifiers unless the application first maps those identifiers through its own cryptographic boundary.
- Bumped the crate to
0.11.0. - Added explicit
AvatarKind::supports_face_layers()guidance for families that can place accessories and expressions. - Made non-square SVG frame shapes clip the background, avatar body, accent, accessory, and expression content so SVG behavior matches raster masking.
- Fixed malformed Paws-family SVG output where one toe-pad ellipse wrote a
color value into its
ryradius attribute. - Lowered glasses placement slightly for dog, robot, monster, ghost, wizard, and knight families.
- Tuned eyepatch, horns, bowtie, crown, hat, and headphones placement for families where those overlays were visibly off-center.
- Expanded tests for face-layer support, deterministic fallback behavior, and SVG frame clipping.
- Bumped the crate to
0.10.0. - Added visual layer enums:
AvatarAccessory,AvatarColor,AvatarExpression, andAvatarShape. - Added
AvatarStyleOptionsfor explicit kind, background, accessory, color, expression, and frame-shape selection. - Added style-aware raster, SVG, and encode entry points alongside the existing
AvatarOptionsAPI. - Added automatic style rendering helpers that derive top-level style choices from distinct identity digest bytes.
- Kept existing
AvatarOptionsoutput unchanged by mapping it to no accessory, default color, default expression, and square frame. - Added generic raster and SVG support for all baseline visual layers.
- Added family-aware face anchors for accessories and expressions, with deterministic no-op behavior for non-face families where those layers do not make sense.
- Expanded enum drift tests, automatic derivation tests, layer rendering tests, fuzz coverage, and golden visual fingerprints for representative layered avatars.
- Bumped the crate to
0.9.0. - Kept
hashavataras a single image-generation crate rather than publishing a separate core crate. - Removed the near-term
no_std + alloccrate split from the roadmap because the public project goal is raster/SVG avatar generation. - Documented that lower-level planning boundaries should remain internal unless a future image-generation use case justifies exposing them.
- Bumped the crate to
0.8.0. - Added an internal render plan boundary shared by raster rendering, SVG rendering, and encoding entry points.
- Changed public enum
ALLlists to slices so variant lists no longer carry duplicated manual array lengths. - Added
from_bytehelpers forAvatarHashAlgorithm,AvatarKind,AvatarBackground, andAvatarOutputFormat. - Added tests that fail if public enum
ALLlists drift from parser/display behavior. - Documented the future
no_std + alloccore boundary and the dependencies that currently belong outside it. - Added public raw RGBA buffer budget constants and
AvatarSpechelpers for service-level memory/concurrency controls. - Documented the current variable-time rendering and floating-point cross-platform determinism boundaries.
- Hardened antialiasing channel blending against non-finite or zero-total weights.
- Zeroized temporary owned raster buffers after encode APIs finish encoding.
- Added documentation for fixed-minimum-latency API wrappers that can reduce render-time side-channel observability in high-assurance deployments.
- Bumped the crate to
0.7.0. - Added
AvatarHashAlgorithmandAvatarIdentityOptions. - Kept SHA-512 as the default identity hash and preserved the existing default identity preimage.
- Added optional BLAKE3 identity derivation behind the
blake3Cargo feature. - Added optional XXH3-128 identity derivation behind the
xxh3Cargo feature. - Added domain separation for non-default hash algorithms.
- Added generic render/encode/SVG entry points that accept identity hash options.
- Added tests for feature-gated hash modes, algorithm separation, parser round-trips, and oversized identity rejection across enabled algorithms.
- Documented the optional hash algorithms, dependency posture, and the non-cryptographic status of XXH3-128.
- Hardened JPEG alpha flattening with wider arithmetic intermediates.
- Hardened anti-aliased zero-length line drawing against NaN gradient propagation.
- Added
zeroizecleanup for derived identity digests and temporary identity hash preimage buffers. - Changed procedural cat RNG seeding to use 256 bits from the second half of the identity digest, intentionally updating cat-family golden fingerprints.
- Added constant-time equality for
AvatarIdentity. - Documented that rendering itself is not constant-time and should not be treated as secret-preserving against timing or output-size side channels.
- Removed the bundled demo web server from the crate
- Removed mandatory
axumandtokiodependencies from the crate package - Removed the bundled
hashavatar-clibinary so the package is a pure library crate - Pointed web/API usage to the separate
hashavatar-apiproject - Added crate-focused security policy checks for release metadata, dependencies, unsafe code, panic-like sites, package contents, and fuzz harness compilation
- Added fuzz harness coverage for arbitrary avatar identities, families, backgrounds, SVG rendering, and PNG encoding
- Added release security documentation for dependency policy, panic policy, release gates, and crate security controls
- Changed public render APIs and
AvatarRenderer::renderto returnResult<_, AvatarSpecError>for invalid dimensions instead of panicking - Changed
AvatarSpec::newto validate dimensions at construction and madeAvatarSpecfields private - Added enforced identity and namespace byte-length limits with typed errors to prevent accidental hashing of unbounded input
- Removed public path-writing export helpers so the crate does not provide filesystem APIs that can be wired to untrusted paths
- Changed namespace identity hashing to length-prefix tenant, style version, and input components, preventing embedded NUL separator ambiguity
- Hardened internal rectangle arithmetic with saturating and clamping operations
- Hardened internal polygon and ellipse rasterization against edge-case panics and large-radius precision loss
- Added post-0.6 version planning for pluggable hashing, no-std preparation, visual layers, variant expansion, and 1.0 stabilization
- Documented maintenance rules for dependency freshness, security review, GitHub CodeQL default setup, and self-testing expectations
- Starting with
0.5.0, project licensing is dualMIT OR Apache-2.0 - Added
LICENSE-MITandLICENSE-APACHE - Removed the previous EUPL license files
- Added Fluxheim-style local and GitHub CI checks through
scripts/checks.sh - Added Dependabot configuration for Cargo and GitHub Actions updates
- Pinned GitHub Actions to immutable commit SHAs for CodeQL-friendly workflow hardening
- Moved demo-server WebP rendering and encoding onto Tokio's blocking task pool
- Added defense-in-depth HTTP security headers to demo HTML, image, and error responses
- Updated
tokioto1.52.3
- Moved public repository and homepage metadata to GitHub
- Added GitHub contributor, security, issue, pull request, and CI files
- Kept docs.rs as the canonical Rust API documentation URL
- Updated direct dependencies to current compatible releases
- Moved deterministic randomization from
rand0.9 torand0.10 - Moved SHA-2 hashing from
sha20.10 tosha20.11
- Added
transparentbackground support for raster and SVG avatars - Added
black,dark, andlightbackground modes - Added
JPEGandGIFraster export formats - Added new avatar families:
planet,rocket,mushroom,cactus,frog, andpanda - Added new food and adventure families:
cupcake,pizza,icecream,octopus, andknight - Improved identity-driven variation for
ghost,slime,wizard, andskull - Added stricter input and dimension validation for safer public avatar endpoints
- Removed a vulnerable transitive dependency path while keeping drawing code asset-free
- Refreshed README examples and demo preset identities for the latest public API
- Added namespace-aware identity hashing through
AvatarNamespace - Declared
AVATAR_STYLE_VERSIONfor stable visual contract tracking - Added new avatar families:
ghost,slime,bird,wizard, andskull - Added golden visual regression fixtures for stable raster fingerprints
- Added stricter SVG regression coverage for determinism and minimal output
- Expanded the public API site with docs, metrics, SEO metadata, JSON-LD, sitemap, robots, favicon, and manifest support
- Added origin-side rate limiting, timeout handling, metrics, and object-storage deduplication in the API service
- Added OG/social preview image support
- Added a playful
pawsavatar family with variable cat paw colors and pad shapes
- Initial release of
hashavatar - Deterministic SHA-512-backed avatar generation
- Raster export in
WebPandPNG - SVG export support
- Initial families:
cat,dog,robot,fox,alien, andmonster