v0.3.2

No wire-protocol or runtime-behaviour changes since 0.3.1; operators
upgrading need no action. The one code change is a django-oauth-toolkit
3.3 compatibility fix (model-state only, no schema migration).

Fixed

• Compatibility with django-oauth-toolkit 3.3. DOT 3.3 reworked the
  help_text of the inherited client_secret field on its abstract
  AbstractApplication; because that field is materialised into this
  app's 0001 migration, makemigrations --check went dirty under DOT
  3.3 (caught by test_makemigrations_check_dry_run_clean on the
  off-lock AA4 matrix). AllianceAuthApplication now overrides
  client_secret with attributes mirroring the frozen 0001 state,
  pinning the model so makemigrations --check stays clean across the
  whole supported range (>=3.2,<4). Metadata-only change — no schema
  migration and no database effect.

Documentation

• Close 14 README/code drifts found in a two-critic review. Operators
  were missing the entire Prometheus surface, two of five audit signals,
  and the dead-letter table — all shipped, none documented. Now covered:
  the [metrics] extra and the nine aa_oidc_* metrics (linking
  docs/METRICS{,.ru}.md), the OIDC_RSA_PRIVATE_KEYS_INACTIVE rotation
  window, all five audit signals with their default receiver names (was
  three), and the BackChannelLogoutAttempt dead-letter table. Three
  BCL / private-network settings move into the main settings table,
  /o/authorized_tokens/ joins the endpoints table, and README.ru.md
  reaches parity (logo_url, backchannel_logout_uri,
  backchannel_logout_on_revoke_only).

Tooling

• CI: the pip-audit job now runs actions/checkout before its local
  composite ./.github/actions/setup step. Local action references
  resolve against files already on the runner, so without the checkout
  the runner could not find action.yml and the job failed.
• Dev: wire the codegraph code-intelligence MCP server via .mcp.json
  (its .codegraph/ index directory is git-ignored) and document the
  codegraph / agentmemory MCP workflow in CLAUDE.md.