Release v0.1.5 · Hawk-API/HawkAPI

Security & correctness fixes

All findings from the full code review of 0.1.4 are addressed here.

[HIGH] Double-execution of handler on StreamingResponse/FileResponse. Wave 3's trivial fast path classified these handlers as trivial; a late fallback to _execute_route re-ran the handler — doubling any side effects. _compute_trivial now inspects the return annotation and excludes streaming returns at registration time.
[MEDIUM] Path-param coercion missing on the trivial fast path. {id:int}-style typed path params were passed as raw str; the fast path now calls _coerce_fast (same behaviour as the general path).
[MEDIUM] GraphiQL CDN assets pinned + SRI. Default app.mount_graphql(...) ships with graphiql=True; the embedded HTML now uses exact pinned versions (graphiql@3.0.9, react@18.3.1, react-dom@18.3.1) and sha384 SRI hashes on every script / stylesheet — closes the supply-chain vector.
[LOW] FileFlagProvider cache/mtime write order. Under free-threaded CPython / thread-pool workers, readers could observe a new mtime + stale cache. Cache is now written first, mtime last.
[LOW] Lazy imports inside _execute_trivial_route hoisted to module scope.

hawkapi doctor --offline — skip rules that require network access (e.g. DOC050's PyPI version check). Rules opt in via requires_network: bool = True.
README Security section: always use secrets.compare_digest to compare credentials returned by HTTPBasic / HTTPBearer.

build_mypyc.py documents the MSVC reserved-identifier trap (__is_trivial, __is_class, etc.) so future additions to HOT_MODULES avoid _is_* / _has_* attribute names that collide with C++11 type-trait keywords on Windows.
Ruff lint scope tightened: benchmarks/**, examples/**, hatch_build.py excluded from rules that only apply to library code.