## Canvas Connect

### Resolved Issues
* Fixed: Already percent-encoded LTI path bytes may be double-encoded
during URL sanitization, which can corrupt canonicalized or redirect
URLs before allow/deny checks.
* Fixed: OpenID discovery URL validation may ignore configured global
`lti.security.paths` rules when deprecated LTI keys are still present.
* Fixed: LTI launches may accept and persist invalid NRPS
`context_memberships_url` values without validation.