v2.0.3

2.0.3 (2026-03-20)

Bug Fixes

• correct copyright to TheCryptoDonkey (af4fa47)

v2.0.2

2.0.2 (2026-03-17)

Bug Fixes

• zero sha256 intermediate buffers (padded, W) after use (b972391)

v2.0.1

2.0.1 (2026-03-17)

Bug Fixes

• add defensive validation and missing test vectors (8505de2)
• harden input validation and correct PROTOCOL.md bias claims (1bd9a6c)
• remove imprecise bias number from PIN_BYTES comment (8bebaf7)

v2.0.0

2.0.0 (2026-03-17)

• feat!: eliminate PIN bias, add directional pair domain separation (c087bb7)

BREAKING CHANGES

• PIN encoding and directional pair outputs change.

• Replace PIN byte formula with lookup table (PIN_BYTES) that keeps
  max per-value bias below 1% for all digit counts. Previously 7-digit
  PINs had ~40% bias (some values 2x as likely); now all are <1%.
• Add "pair\0" prefix to directional pair HMAC input, cryptographically
  isolating it from identity-bound derivation. Previously
  deriveDirectionalPair(s, "ns", ["role", ...], c) produced the same
  token as deriveTokenBytes(s, "ns", c, "role").
• Reject whitespace-only context strings, namespace, and roles.
• Document identity collision risk in verifyToken JSDoc for low-entropy
  encodings (single word + many identities).

v1.0.4

1.0.4 (2026-03-17)

Bug Fixes

• document PIN encoding bias and clarify crypto guard expression (734eca4)

v1.0.3

1.0.3 (2026-03-17)

Bug Fixes

• add runtime exhaustive check and input validation gaps (f507463)
• add workflow-level read-only permissions default (8d6c394)

v1.0.2

1.0.2 (2026-03-17)

Bug Fixes

• disable semantic-release issue/PR comments after permission tightening (ba09920)
• harden CI/CD supply chain (8e559c6)
• harden input validation and crypto hygiene (3b49ab1)

v1.0.1

1.0.1 (2026-03-17)

Bug Fixes

• harden crypto primitives (a1d8ffa)
• improve gitignore coverage and add wordlist integrity test (2ec9a32)
• validate context and identity for null bytes and empty strings (50243c9)