Releases: valkyoth/hashavatar
Release list
Hashavatar 1.1.2
hashavatar 1.1.2
1.1.2 is a maintenance release focused on dependency, Rust toolchain, and CI
pin freshness. It does not intentionally change the public API, avatar
rendering behavior, or visual fingerprints.
Dependencies
- Updated
sanitizationfrom1.2.2to1.2.4. - Updated
sanitization-crypto-interopfrom1.2.2to1.2.4. - Refreshed compatible transitive dependencies in the root and fuzz
lockfiles. - Confirmed all other direct runtime, optional, development, and fuzz
dependencies remain current.
Both sanitization crates continue to declare Rust 1.90 support.
Rust Support
- Updated the pinned development and release toolchain from Rust
1.96.1to
Rust1.97.0. - Kept
Cargo.tomlrust-version = "1.90"as the public MSRV. - Retained focused CI compatibility checks on Rust
1.90.0. - Retained the Kani verifier default on its documented Rust
1.90.0
toolchain, independently of the development compiler.
CI And Tooling
- Updated the immutable
taiki-e/install-actionpin from thev1.1.1tag's
v2.82.8tov2.83.0(including the intervening post-releasev2.82.9
maintenance update). - Confirmed
actions/checkoutremains current atv7.0.0. - Confirmed
Swatinem/rust-cacheremains current atv2.9.1. - Confirmed the repository's audit, deny, fuzz, outdated, and Kani tooling is
current at release preparation time. - Updated the fuzz dependency-policy check to use the current
cargo-deny
CLI without relying on version-sensitive--configoption ordering.
Compatibility
- No intentional public API changes.
- No intentional avatar visual fingerprint changes.
- The default SHA-512 mode and optional BLAKE3/XXH3 feature model are
unchanged. - WebP remains the default raster encoder; PNG, JPEG, and GIF remain opt-in.
Security Hardening
- Moved identity, cache-key, and optional XXH3 chunk preimages into
sanitization::SecretVecbefore sensitive bytes are written. Full allocation
capacity is now cleared by RAII on normal return and unwinding, and secure
growth clears an old allocation before replacement. - Replaced production preimage capacity assertions with debug-only correctness
checks; cleanup no longer depends on those assertions executing. - Removed attacker-sized lowercase-copy allocations from all seven public enum
parsers while preserving case-insensitive aliases. - Expanded the panic-policy scanner from only
src/lib.rsto every production
Rust module, excluding only dedicated tests and Kani proofs. - Documented that deterministic cache keys permit offline enumeration of
low-entropy identifiers, with a keyed BLAKE3 pseudonymization example for
sensitive service boundaries. - Added focused regression tests for RAII preimage guards, allocation-free
parser implementation, case-insensitive parser behavior, and whole-source
panic-policy coverage.
Verification
- Passed all-format compatibility checks on Rust
1.90.0,1.91.0,
1.92.0,1.93.0,1.94.0,1.95.0,1.96.0,1.96.1, and1.97.0. - Passed the stable release gate: formatting, metadata, dependency boundary,
unsafe and panic policies, clippy, unit tests, doctests, MSRV feature checks,
documentation, cargo-deny, RustSec audit, fuzz harness compilation, four
bounded Kani proofs, reproducible packaging, SBOM generation, and crates.io
publish dry run. - Confirmed both the root and fuzz direct dependency sets are current with
cargo outdated.
Hashavatar 1.1.1
hashavatar 1.1.1
1.1.1 is a maintenance release for hashavatar focused on dependency and CI
pin freshness. It does not intentionally change avatar rendering behavior or
the public API.
Dependency Updates
- Updated
randfrom0.10.1to0.10.2. - Updated optional
xxhash-rustfrom0.8.15to0.8.16. - Refreshed compatible transitive dependencies in the root lockfile:
arrayvec0.7.7to0.7.8chacha200.10.0to0.10.1hybrid-array0.4.12to0.4.13
- Refreshed compatible transitive dependencies in the fuzz lockfile:
chacha200.10.0to0.10.1hybrid-array0.4.12to0.4.13
CI
- Updated pinned
taiki-e/install-actionfromv2.82.7tov2.82.8. - Confirmed
actions/checkoutremains current atv7.0.0. - Confirmed
Swatinem/rust-cacheremains current atv2.9.1.
Documentation
- Updated README installation snippets and release metadata for
1.1.1. - Updated latest-stable Rust wording to Rust
1.96.1. - Added local
cargo check --features all-formatscompatibility evidence for
Rust1.96.1. - Documented the split between the Rust
1.96.1development toolchain and the
Rust1.90.0MSRV.
Toolchain
- Switched
rust-toolchain.tomlfrom Rust1.90.0to Rust1.96.1. - Kept
Cargo.tomlrust-version = "1.90"as the public MSRV. - Added project checks that run focused compatibility coverage on Rust
1.90.0
in addition to the normal development-toolchain checks.
Verification
- Added bounded Kani proof harnesses for pure invariants that matter to this
crate: avatar spec bounds, render-resource memory math, and rectangle
arithmetic. - Added
scripts/check_kani.sh, pinned by default to the Rust
1.90.0-x86_64-unknown-linux-gnuverifier toolchain when Kani is installed. - Added
docs/KANI.mddocumenting that these harnesses are scoped bounded
evidence, not a whole-crate formal-verification claim. - Added the Kani check to the stable release gate. Missing or incompatible Kani
is reported as an explicit verifier skip, not as a completed proof.
Compatibility
- No intentional public API changes.
- No intentional avatar visual fingerprint changes.
Hashavatar 1.1.0
hashavatar 1.1.0
1.1.0 is a minor release for hashavatar focused on dependency,
sanitization, tooling, source layout, and documentation freshness.
Dependency Updates
- Replaced direct
zeroizeusage with the nativesanitizationcrate API. - Added
sanitization1.2.2withallocsupport. - Added
sanitization-crypto-interop1.2.2so SHA-512 and optional BLAKE3
hashing use the crypto crates' own hasher-state cleanup hooks through the
sanitizationsister crate. - Removed direct
zeroizedependency usage and thesha2/blake3zeroize
feature hooks. - Updated the fuzz harness
libfuzzer-sysdependency to0.4.13. - Refreshed Cargo lockfiles with the latest compatible crate versions.
Sanitization
- Fixed-size digest and renderer seed copies now use
sanitization::Secret. - SHA-512 identity hashing and cache-key hashing now route through the
sanitization-crypto-interopSHA-512 helper. - The crate's direct
sha2dependency is now dev-only; production SHA-512
hashing reachessha2throughsanitization-crypto-interop. - Removed a redundant SHA-512 digest
Secretwrapper now that the interop
helper owns hasher-state cleanup and the caller already guards the returned
digest. - Optional BLAKE3 XOF output now uses the
sanitization-crypto-interopfill
helper with asanitization::Secretoutput buffer. - Optional XXH3 digest accumulation now uses a
sanitization::Secretguard for
the 64-byte accumulator. - Hash-preimage capacity checks now use release-mode assertions, so future
size-accounting drift cannot silently bypass temporary buffer cleanup. - Optional XXH3 chunk capacity and length checks are collapsed into one
release assertion per chunk. - Hash preimage vectors, encoded-output buffers, temporary JPEG RGB buffers,
and owned RGBA buffers are cleared throughsanitizationvolatile clearing
helpers. - Security controls now document the
sanitization-crypto-interopcleanup
boundary for SHA-512 and optional BLAKE3. cargo-denynow denies duplicate crate versions instead of only warning.
CI
- Updated pinned GitHub Actions:
actions/checkouttov7.0.0taiki-e/install-actiontov2.82.3
- Confirmed
Swatinem/rust-cacheremains current atv2.9.1.
Documentation
- Updated README installation snippets and compatibility wording to
1.1.0. - Updated the changelog for the
1.1.0release. - Split the former monolithic
src/lib.rsinto focused source files, including
per-avatar raster and SVG renderer files, without changing the public API. - Clarified that preimage-capacity assertions are active in all builds as an
intentional fail-secure sanitization guard. - Made starry-background seed rotation precedence explicit without changing the
generated visuals. - Hardened internal gradient color interpolation against future oversized
max_positioncallers. - Added consistent
identity()accessors to hashed dog and robot renderer
structs, matching the existing hashed cat renderer.
Compatibility
- No intentional avatar visual fingerprint changes.
- No public API removals.
Hashavatar 1.0.3
hashavatar 1.0.3
1.0.3 is a security-hardening and CI maintenance release for hashavatar.
Security And Hardening
- Encoded output is now accumulated in a
Zeroizing<Vec<u8>>until successful
return. If an encoder returns an error after writing partial bytes, those
partially encoded bytes are scrubbed before being dropped. - Identity, cache-key, and XXH3 chunk preimage builders now assert exact
capacity in debug/test builds. This catches future component-size drift that
would otherwise allow reallocations before zeroization. AvatarBuilderdebug output now redacts namespace tenant and style-version
values, not only the raw identity input.- Security controls now document the accepted
1.xvisual-stability tradeoff
that some established renderers use selected upper digest bytes directly for
visible geometry.
CI
- Updated pinned GitHub Actions:
actions/checkouttov6.0.3Swatinem/rust-cachetov2.9.1taiki-e/install-actiontov2.81.8
Compatibility
- No intentional avatar visual fingerprint changes.
- No public API removals.
- No dependency version changes.
Hashavatar 1.0.2
hashavatar 1.0.2
1.0.2 is an additive ergonomics and documentation release for hashavatar.
Added
AvatarBuilderas a fluent high-level API for common SVG, raster, encoded
output, and cache-key workflows.AvatarErroras a unified high-level error type for builder-based code.AvatarIdentity::cache_key()andAvatarBuilder::cache_key()for stable
opaque cache identifiers without exposing the raw identity digest.hashavatar::preludewith the common application-facing types.- Optional
serdefeature for public style enums.AvatarIdentityremains
intentionally non-serializable. AvatarStyleOptions::summary()andDisplayfor human-readable UI/log
labels.- Runnable examples for builder-based SVG rendering and cache-key derivation.
Security And Compatibility
- The builder stores validation failures and returns them as
Resultvalues;
invalid dimensions or namespace components do not panic. AvatarBuilderuses a redactedDebugimplementation so accidental builder
logging does not print the raw identity input.- Cache keys are derived by hashing the internal digest under a separate
cache-key domain. They are display-safe and opaque, but still correlate equal
identities. - Serde support is limited to public style enums. The identity digest type does
not implementSerializeorDeserialize. - No avatar visual fingerprints were intentionally changed.
Documentation
- Documented the
AvatarSpec::new(width, height, seed)seed as a deterministic
style variant, not a replacement for identity hashing. - Updated README installation examples, builder guidance, cache-key guidance,
dependency policy, security controls, and API summary for1.0.2.
Verification
- Full release gate passed.
- Serde feature path passed.
- Package publish dry-run passed.
Hashavatar 1.0.1
hashavatar 1.0.1
1.0.1 is a maintenance and documentation release for hashavatar.
Changed
- Refreshed compatible transitive dependencies in
Cargo.lockand
fuzz/Cargo.lock. - Updated the GitHub CI
taiki-e/install-actionpin tov2.79.14. - Lowered the manifest and toolchain MSRV to Rust
1.90.0after validating the
release gate and compatibility matrix. - Added a polished README header with the project image, documentation links,
and Rust version support table. - Kept the README image in the repository while excluding
.github/images/**
from the published crate package.
Security And Hardening
- Added a debug assertion for out-of-range internal identity digest byte access
so future renderer mistakes fail in debug/test builds while release builds
remain non-panicking. - Changed
AvatarSpec::pixel_count()andAvatarSpec::rgba_buffer_len()to
use saturating multiplication as defense-in-depth for future dimension-limit
changes. - Clarified that the transient by-value seed argument passed to
StdRng::from_seedis part of the documented zeroization residual.
Compatibility Evidence
- Rust
1.90.0: full release gate. - Rust
1.91.0through1.96.0:cargo check --features all-formats. - Rust
1.90.0: additional checks forblake3 all-formatsand
xxh3 all-formats.
Hashavatar 1.0.0
hashavatar 1.0.0
1.0.0 is the first stable release of hashavatar.
This release does not add new avatar families, backgrounds, visual layers,
hash modes, output formats, or runtime dependencies. It freezes the public API
shape and documents the rendering stability contract built through the 0.x
series.
Stable Contract
- Public Rust API changes now follow Cargo semver expectations.
- Explicit rendering output is intended to remain stable within the
1.x
series for the same active identity hash mode, namespace, identity, avatar
options, dimensions, and seed, except for documented correctness or security
fixes. - Automatic style rendering remains deterministic, but future minor releases
may change automatic distribution when public enumALLlists gain new
variants. - Services that need deliberate visual rollouts should use
AvatarNamespace::new(tenant, style_version)and bumpstyle_versiononly
when they are ready for a new visual distribution.
Documentation
- Added
docs/STABILITY.mdwith the stable API, rendering, security/resource,
and residual-risk policies. - Updated README guidance for the 1.0 stable contract.
- Added the stability policy to release metadata validation so it remains part
of the published crate package.
Security Posture
- The crate remains a pure library crate with no HTTP server, CLI, filesystem
writing API, async runtime, or network dependency. - Public dimensions, identity inputs, and namespace components remain bounded.
- Public render APIs return typed errors for invalid inputs instead of
panicking. AvatarIdentityErrorkeeps the rejected length available through structured
accessors, but its display text no longer prints the exact rejected byte
count.- Temporary renderer seed and intermediate identity digest copies are guarded
withzeroize::Zeroizingbefore their final required by-value copies. - Starry raster backgrounds incorporate identity digest bytes in their
deterministic local star-position generator. - Internal identity digest byte access is defensive against future
out-of-range renderer mistakes, and the avatar fuzz harness now samples the
full supported dimension range. - The default build remains SHA-512 identity hashing plus WebP encoding.
- Optional BLAKE3, XXH3-128, PNG, JPEG, and GIF support remain explicit Cargo
features.
Compatibility Notes
- No visual variants were added in this release.
- No intentional golden fingerprint changes were made for
1.0.0. - The known residuals documented in
docs/STABILITY.mdand
docs/SECURITY_CONTROLS.mdstill apply: family-specific geometry uses some
floating-point arithmetic, rendering is not constant-time, and service-level
concurrency/rate limiting belongs in callers such ashashavatar-api.
base64-ng 0.13.0
hashavatar 0.13.0
0.13.0 expands the background catalog and applies targeted determinism
hardening without adding new avatar families.
Added
- Added seven
AvatarBackgroundvalues:polka-dotstripedcheckerboardgridsunriseoceanstarry
- Implemented each new background in raster and SVG output.
- Added tests that prove the new raster backgrounds are distinct and that the
new SVG backgrounds remain well-formed XML.
Changed
- Raster frame-shape hit-testing now uses integer arithmetic for circle,
squircle, hexagon, and octagon masks. This reduces one source of
platform-specific floating-point rounding in clipped output. - Automatic style derivation can now map some identities to different
backgrounds becauseAvatarBackground::ALLcontains more variants. Services
that need old automatic output should keep their existing namespace
style_versionuntil they intentionally migrate. - Documentation now avoids
cargo test --all-featuresguidance because
blake3andxxh3are intentionally mutually exclusive crate-wide identity
hash modes. - README fuzz wording now reflects default WebP coverage and feature-gated
encoder paths instead of describing PNG as always available.
Compatibility Notes
- Explicit
AvatarOptionsandAvatarStyleOptionsselections remain
deterministic for the selected kind, background, dimensions, seed, namespace,
crate identity hash mode, and identity. - The new background variants are public API and therefore affect automatic
background distribution. - No new avatar families were added in this release.
Hashavatar 0.12.0
hashavatar 0.12.0
0.12.0 expands the built-in avatar catalog while keeping hashavatar as a
single, asset-free image-generation crate.
Added
- Added raster and SVG renderers for eight new
AvatarKindvalues:bearpenguindragonninjaastronautdiamondcoffee-cupshield
- Added face-layer anchors for the new face families:
bear,penguin,
dragon,ninja, andastronaut. - Added golden visual fingerprints for every new family.
- Updated README option catalogs and examples for the expanded family list.
Compatibility Notes
- Explicit
AvatarOptionsselections remain deterministic for the selected
kind, background, dimensions, seed, namespace, crate identity hash mode, and
identity. - Automatic style derivation uses
AvatarKind::ALL, so adding new family
variants changes the automatic family distribution. Services that need old
automatic output should keep their existing namespacestyle_versionuntil
they intentionally migrate. AvatarIdentity::seed()andAvatarIdentity::as_digest()are removed from
the public API, and the internal 256-bit RNG seed helper is private.
Rendering callers should not handle raw identity digest bytes.docs/SECURITY_CONTROLS.mdnow states that identity preimage allocation does
not hide input length at the allocator level. High-assurance callers should
pad or normalize sensitive identifiers before passing them to the crate.AvatarSpec::default()is documented and tested as a fixed deterministic
256x256seed-1convenience spec, not as a random or production policy
default.- SVG rendering no longer uses ad-hoc
String::replaceminification. The test
suite and fuzz harness now parse generated SVG withroxmltreeto verify
XML well-formedness across families, layers, and representative identities. AvatarRenderResourceBudgetandAvatarSpec::render_resource_budget(...)
make raw RGBA memory estimates explicit for service-level render concurrency
limits without adding an async runtime or semaphore dependency to the crate.- Polygon scanline interpolation now widens coordinate deltas before rounding,
and the fuzz harness includes a dedicated polygon rasterizer target for
degenerate, negative-coordinate, and extreme-point inputs. - Runtime identity hash algorithm selection has been removed. The crate uses
SHA-512 by default, BLAKE3 when built withblake3, and XXH3-128 when built
withxxh3. Theblake3andxxh3features are mutually exclusive, and
XXH3-128 remains documented as non-cryptographic and unsuitable for
adversarial, user-controlled, or sensitive identifiers. AvatarIdentitydebug formatting is now redacted, preventing accidental
{:?}logging from exposing the raw 64-byte identity digest.AvatarIdentityrustdoc and security controls now state that clones are
zeroized independently on drop, and that high-assurance callers should keep
clone lifetimes short to avoid unnecessary live digest copies.- SHA-512 is built with upstream
zeroizesupport so its block buffer uses
ZeroizeOnDrop. BLAKE3 is built with upstreamzeroizesupport, and the
BLAKE3 hasher plus XOF reader are explicitly zeroized after digest
derivation. - Digest-derived renderer RNG seed copies are now wrapped in
zeroize::Zeroizing, so the temporary mixed seed is scrubbed immediately
after RNG initialization. The security controls also documentStdRng's
non-zeroized expanded internal state as a known residual. - Owned RGBA encode buffers and JPEG RGB flattening buffers now use RAII
zeroization guards, so temporary pixel data is scrubbed during normal
returns, encoder errors, and unwinding panics. - Polygon rasterization now returns immediately for zero-width or zero-height
images, keeping the fuzz-only polygon harness from reporting artificial
zero-sized-image crashes. - PNG, JPEG, and GIF output are now behind explicit
png,jpeg, andgif
Cargo features, leaving WebP as the only default raster encoder. The
AvatarOutputFormat::Gifrustdoc and security controls call out that the
imagecrate's internal GIF quantization buffers are not zeroized by
hashavatar, so high-assurance deployments should prefer WebP or PNG. - Rectangle intersection size calculation now uses saturating arithmetic for
extreme internal coordinate ranges. - The hidden
fuzzingfeature now has a compile-time guard that rejects
ordinary non-fuzzing release builds, reducing the chance that internal fuzz
harness entry points are accidentally exposed in production. diamond,coffee-cup, andshieldare object/symbol families. They do
not have face anchors, so accessories and expressions are deterministic
no-ops for those families. Accent palettes and frame shapes still apply.
Deferred
- Pattern, gradient, and environment backgrounds were not admitted in this
release. They need their own bounded raster/SVG texture path and visual
contrast review before becoming public API.
Hashavatar 0.11.0
hashavatar 0.11.0
0.11.0 polishes the visual layer model introduced in 0.10.0.
Changes
- Added explicit
AvatarKind::supports_face_layers()support metadata. - Documented that non-face families accept accessory/expression options but
skip those layers deterministically. - Updated SVG frame shapes so non-square shapes use clip paths, matching the
raster renderer's transparent outside-frame masking behavior. - Fixed malformed Paws-family SVG output where one toe-pad ellipse emitted a
color value in theryradius attribute instead of a numeric radius. - Lowered glasses placement slightly for dog, robot, monster, ghost, wizard,
and knight families. - Tuned eyepatch, horns, bowtie, crown, hat, and headphones placement for
families where those overlays were visibly off-center. - Refreshed README guidance for the full layer model, single-accessory
behavior, supported face-layer families, endpoint query mapping, and style
recipes. - Added tests for supported face-layer families, unsupported fallback families,
SVG frame clipping, and SVG radius-attribute integrity.
Compatibility
Baseline AvatarOptions rendering is unchanged. Styled SVG output for
non-square frame shapes now clips content to the selected frame shape; this is
an intentional visual polish change for style-aware SVG callers.