Supply-chain hygiene release — no code changes.
The 2.0.1 PyPI attestation was generated by a manual workflow_dispatch run from refs/heads/main that raced ahead of the release event. As a result the Sigstore certificate embedded in the PEP 740 attestation identified refs/heads/main as the source rather than refs/tags/v2.0.1, making it impossible to verify the package against the tagged commit. This release is published exclusively via the release: [published] trigger so the attestation identity is refs/tags/v2.0.2.