
Releases: Hawk-API/hawkapi-sso

v0.2.0

10 Jun 11:40


Security hardening.

  • OIDC ID tokens are cryptographically validated: signature checked against the provider's JWKS, plus iss/aud/exp/nonce claims; only the validated sub is treated as authoritative (CWE-347). Adds the PyJWT[crypto] dependency
  • PKCE code_verifier is no longer placed in the state sent to the provider; it is kept server-side only (CWE-200)
  • Host-derived redirect_uri is validated against an allowed_hosts allowlist (CWE-601)
  • OAuth error callbacks are handled; the user is redirected to failure_redirect
  • State validation failures return a generic detail to the client; the specific reason is logged internally (CWE-209)
  • Provider URLs must be HTTPS; the HTTP client does not follow redirects (CWE-918)
  • OAuthToken repr masks token values (CWE-532)
  • next redirect rejects any URL carrying a scheme or netloc (CWE-601)
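The checks above are small but easy to get subtly wrong, so here is a stdlib-only worked example of the login-start and callback side of such a flow: a local-only next validator, a Host allowlist for redirect_uri, PKCE S256 with the verifier held server-side, an HMAC-signed state cookie bound to a single-use pending record, generic failure responses with the reason logged, and a masking repr. This is added illustration, not hawkapi-sso's own code; every name (is_safe_next, build_redirect_uri, begin_login, finish_login, the _PENDING store, the /auth/callback path) is an assumption for the example.

```python
"""Added example (not the project's code): OAuth2 login-start/callback hardening helpers."""
import base64
import hashlib
import hmac
import logging
import secrets
import time
from typing import Dict, FrozenSet, Optional, Tuple
from urllib.parse import urlsplit

log = logging.getLogger("sso")

COOKIE_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret, loaded from config in practice
STATE_TTL = 600                       # seconds an in-flight login stays valid
_PENDING: Dict[str, dict] = {}        # server-side store: state -> {verifier, next, exp}


def is_safe_next(url: str) -> bool:
    """Accept only a local absolute path: no scheme, no netloc, no //host or /\\host tricks."""
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return False
    # Browsers treat a leading "/\" like "//", so reject both and require a plain "/" prefix.
    return url.startswith("/") and not url.startswith(("//", "/\\"))


def build_redirect_uri(host: str, allowed_hosts: FrozenSet[str]) -> str:
    """Derive redirect_uri from the request Host only if it is on the allowlist (CWE-601)."""
    host = host.strip().lower()
    if host not in allowed_hosts:
        raise ValueError("host not allowed")
    return "https://%s/auth/callback" % host  # callback path is an assumption of this example


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def _sign(value: str) -> str:
    return _b64url(hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).digest())


def begin_login(next_url: str) -> Tuple[dict, str]:
    """Start a login: returns (authorize-URL params for the provider, signed state cookie value).

    The code_verifier never leaves the server; only the S256 challenge goes to the provider.
    """
    if not is_safe_next(next_url):
        next_url = "/"
    state = secrets.token_urlsafe(32)
    verifier, challenge = pkce_pair()
    _PENDING[state] = {"verifier": verifier, "next": next_url, "exp": time.time() + STATE_TTL}
    params = {"state": state, "code_challenge": challenge, "code_challenge_method": "S256"}
    return params, "%s.%s" % (state, _sign(state))


def finish_login(query_state: str, cookie: str) -> Optional[dict]:
    """Validate the callback; return the pending record (with the verifier) or None.

    Every failure returns the same generic result (CWE-209); the reason is only logged.
    """
    def fail(reason: str) -> None:
        log.warning("state validation failed: %s", reason)
        return None

    try:
        cookie_state, sig = cookie.split(".", 1)
    except (AttributeError, ValueError):
        return fail("malformed cookie")
    if not hmac.compare_digest(sig.encode(), _sign(cookie_state).encode()):
        return fail("bad cookie signature")
    if not hmac.compare_digest(cookie_state.encode(), (query_state or "").encode()):
        return fail("cookie/query state mismatch")
    record = _PENDING.pop(cookie_state, None)  # single use: replay of the same state fails
    if record is None:
        return fail("unknown or already used state")
    if record["exp"] < time.time():
        return fail("state expired")
    return record


class OAuthToken:
    """Token holder whose repr never leaks secrets into logs or tracebacks (CWE-532)."""

    def __init__(self, access_token: str, refresh_token: Optional[str] = None):
        self.access_token = access_token
        self.refresh_token = refresh_token

    def __repr__(self) -> str:
        masked_refresh = "'***'" if self.refresh_token else "None"
        return "OAuthToken(access_token='***', refresh_token=%s)" % masked_refresh
```

The ID-token step is left out because it needs the provider's JWKS; with PyJWT the usual shape is `jwt.PyJWKClient(jwks_uri).get_signing_key_from_jwt(id_token)` followed by `jwt.decode(id_token, key.key, algorithms=["RS256"], audience=client_id, issuer=issuer, options={"require": ["exp", "iat", "sub"]})`, after which the `nonce` claim is compared against the one stored with the pending record, since PyJWT does not check nonce for you. Note also that the allowlist compares the full host value, so a Host header carrying a port must be listed with that port or normalised before the check.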

v0.1.0 — Social SSO

16 May 16:46


Initial release. Six OAuth2 providers (Google, GitHub, Microsoft, Discord, Facebook, LinkedIn) with an HMAC-signed state cookie plus PKCE. A security review was applied before shipping; see the CHANGELOG.