v1.1.0
Released by github-actions on 24 Jun 23:57, tag v1.1.0, commit 63201a8 (3 commits to main since this release).

Correctness and tooling release on top of the stable 1.0 line. Headline: non-PSK handshakes (enterprise 802.1X / FT-802.1X / Cisco CCKM / pure SAE) are no longer mis-emitted as uncrackable PSK hashes, and a KDV=3 PMKID on a WPA2-PSK / FT-PSK network no longer manufactures a phantom PSK-SHA256-PMKID (type 04). Also in this release: the wpawolf-fixturegen test vectors are now wire-realistic Pairwise frames validated against hcxpcapngtool, the --strict profile gains an explicit --nc-tolerance and a rotating-ANonce --max-eapol-per-type cap, outputs gain a --prefix flag and shareable /dev/* sinks, and the dependency set is refreshed. Genuine PSK / FT-PSK / PSK-SHA256 output is byte-identical to v1.0.0; the only difference is that non-PSK false-positives are now correctly dropped (counted in the new emit_dropped_notpsk_akm row).

  • Fix: non-PSK handshakes are no longer emitted as PSK hashes. wpawolf classified the 01-11 hash type from the EAPOL Key Descriptor Version (KDV) byte, which is shared between PSK and non-PSK key management (KDV=2 = HMAC-SHA1 is used by WPA2-PSK and 802.1X; KDV=3 = AES-CMAC by PSK-SHA256, FT-PSK, FT-802.1X, 802.1X-SHA256, SAE, CCKM). Any 802.1X / FT-802.1X / CCKM / pure-SAE network using KDV-2/3 was emitted as a PSK type (02/03/04/05) that can never crack — its PMK comes from EAP / SAE, not PBKDF2(PSK, SSID). A new AkmType::NotPsk records "an AKM was observed and it is not PSK," set by the RSN parser via a negative discriminator (no PSK-family suite 2/4/6/19/20 present) and resolved per-(AP, STA) so mixed PSK + 802.1X and WPA3-transition PSK + SAE APs keep emitting their genuine PSK clients. NotPsk is never promoted by the KDV override and is dropped at emit (counted in the new emit_dropped_notpsk_akm banner row). Separately, the PMKID path now routes off the raw AKM-IE value instead of the KDV-overridden one (ARCHITECTURE.md §2.3: "PMKID: no KDV"), so a KDV=3 carrier frame on a WPA2-PSK / FT-PSK network no longer manufactures a phantom PSK-SHA256-PMKID (type 04). On the multi-AKM XWJK regression fixture the lone misclassified WPA*04* is now correctly a WPA*02* (WPA2-PSK-PMKID); no genuine hash is lost. Residuals: a capture with zero AKM evidence still uses the optimistic Wpa2Psk default (never-miss invariant), and legacy WPA1-802.1X (KDV=1) still routes to type 1. See docs/akm-classification-falsepositive.md.
  • Wire-realistic generated test fixtures. wpawolf-fixturegen was emitting every EAPOL-Key frame with Key Type = Group instead of Pairwise (a 4-way handshake is always Pairwise), and an empty Key Data field on non-FT M3. Both are fixed: key_info() now sets the Pairwise bit on M1-M4, and M3 carries an opaque GTK blob with the Encrypted Key Data bit set on RSN. The whole generated corpus is regenerated; tshark confirms every frame is Pairwise, and tests/integration/superset_test.rs now runs its parity oracle over all 11 type fixtures, comparing against hcxpcapngtool by hash identity (PMKID/MIC, AP, STA, ESSID) so FT mode routing and the SHA-384 family do not cause false mismatches.
  • --strict bundle completed. Added --nc-tolerance=8 (hashcat's NONCE_ERROR_CORRECTIONS, pinned explicitly) and --max-eapol-per-type=100 (bounds a rotating-ANonce AP the way hcxpcapngtool's ring buffer does) to the --strict profile, alongside the existing --eapoltimeout=5, --rc-drift=8, --dedup-hash-combos, and --nc-dedup. The cap appears in the output filters active banner row.
  • --prefix and shared /dev/* output sinks. --prefix PREFIX derives a default path for every hash and auxiliary sink at once (PREFIX.22000, PREFIX.37100, PREFIX.combined, the six per-AKM sinks, PREFIX.essid, PREFIX.wordlist, PREFIX.log, ...); an explicit per-sink flag overrides its prefix-derived path. /dev/* targets (/dev/stdout, /dev/stderr, /dev/null, /dev/fd/N) are now exempt from the duplicate-output-path rejection and the parent-directory writability probe, so several sinks can all stream to /dev/stdout. Real files must still be unique.
  • Dependency refresh. sysinfo 0.39.3 -> 0.39.5 (runtime); CI actions actions/checkout 6.0.3 -> 7.0.0 and actions/cache 5.0.5 -> 6.0.0 (both SHA-pinned).
  • 966 tests; make check-all passes clean.
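As an added example of the AKM classification rule described in the first bullet (not wpawolf's own code): parse the AKM suite list out of an RSN IE body, apply the negative discriminator, and compare the result with a KDV-only heuristic on constructed 802.1X-only and mixed PSK + 802.1X IEs. The AkmType variant names, the folding of the SHA-384 suites 19/20 into FtPsk/PskSha256, and the RSN IE bytes are assumptions of this example.

```rust
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum AkmType {
    Wpa2Psk,   // 00-0F-AC:2
    FtPsk,     // 00-0F-AC:4 (FT-PSK-SHA384, :19, folded in here as an assumption)
    PskSha256, // 00-0F-AC:6 (PSK-SHA384, :20, folded in here as an assumption)
    NotPsk,    // AKM evidence seen and none of it is PSK-family (802.1X, SAE, CCKM, ...)
}
const IEEE_OUI: [u8; 3] = [0x00, 0x0F, 0xAC];

/// AKM selectors from an RSN IE body (element id/length stripped). Layout:
/// version(2) | group cipher(4) | pairwise count(2) | pairwise list | akm count(2) | akm list
pub fn rsn_akm_suites(ie: &[u8]) -> Option<Vec<[u8; 4]>> {
    let le16 = |b: &[u8]| u16::from_le_bytes([b[0], b[1]]) as usize;
    if ie.len() < 8 || le16(&ie[0..2]) != 1 { return None; }
    let akm_count_at = 8 + 4 * le16(&ie[6..8]);
    let list_at = akm_count_at + 2;
    if ie.len() < list_at { return None; }
    let list = ie.get(list_at..list_at + 4 * le16(&ie[akm_count_at..list_at]))?; // truncated: no evidence
    Some(list.chunks_exact(4).map(|c| [c[0], c[1], c[2], c[3]]).collect())
}

/// Negative discriminator: NotPsk only when suites were seen and none is PSK-family, so a
/// mixed PSK + 802.1X or WPA3-transition PSK + SAE list still yields its PSK type.
pub fn classify_akm(suites: &[[u8; 4]]) -> Option<AkmType> {
    if suites.is_empty() { return None; } // no AKM evidence at all
    for s in suites.iter().filter(|s| s[..3] == IEEE_OUI) { // vendor AKMs (CCKM) are never PSK
        match s[3] {
            2 => return Some(AkmType::Wpa2Psk),
            4 | 19 => return Some(AkmType::FtPsk),
            6 | 20 => return Some(AkmType::PskSha256),
            _ => {}
        }
    }
    Some(AkmType::NotPsk)
}

/// KDV-only heuristic of the kind the fix replaces: KDV=2 is shared by WPA2-PSK and 802.1X,
/// KDV=3 by PSK-SHA256, FT-*, SAE and CCKM, so it cannot tell them apart.
pub fn classify_by_kdv(kdv: u8) -> AkmType {
    if kdv == 3 { AkmType::PskSha256 } else { AkmType::Wpa2Psk }
}

/// Per-handshake result: IE evidence (including NotPsk) is never overridden by the KDV;
/// with zero AKM evidence the optimistic KDV default applies (never-miss invariant).
pub fn resolve(ie_evidence: Option<AkmType>, kdv: u8) -> AkmType {
    ie_evidence.unwrap_or_else(|| classify_by_kdv(kdv))
}

// Constructed RSN IE bodies: CCMP group and pairwise ciphers, AKM list, then RSN capabilities.
pub const ENTERPRISE_IE: [u8; 20] = [1,0, 0,0x0F,0xAC,4, 1,0, 0,0x0F,0xAC,4, 1,0, 0,0x0F,0xAC,1, 0,0];
pub const MIXED_IE: [u8; 24] = [1,0, 0,0x0F,0xAC,4, 1,0, 0,0x0F,0xAC,4, 2,0, 0,0x0F,0xAC,1, 0,0x0F,0xAC,2, 0,0];
```

On ENTERPRISE_IE with KDV=2 the KDV-only heuristic yields Wpa2Psk (the uncrackable false positive), while the AKM-based path yields NotPsk; MIXED_IE keeps its genuine Wpa2Psk.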

Full Changelog: v1.0.0...v1.1.0