Version 1.25.3

@umputun released this 10 May 05:04 · 4 commits to master since this release

Security: large hardening wave covering log/credential leaks, OAuth/Apple validation, and email-confirmation replay protection. Credit to @paskal.

Changes since v1.25.2

  • #289 close service-level typed-nil store + adapter-author guidance
  • #287 bind dev oauth and custom-server to localhost by default
  • #286 never expose bot token in avatar URL
  • #285 don't log email body, log size instead
  • #284 redact tokens from exchange-response debug log
  • #283 go fix ./...
  • #282 backport "from" redirect validator to v1. Thanks to Admir Bajric @AdmirBajric for flagging on 2026-05-08 that v1 was still vulnerable after #275 fixed v2
  • #281 one-shot consumption of email confirmation tokens
  • #280 validate id_token iss and aud on Sign in with Apple
  • #279 don't log admin password on basic-auth failure
  • #276 caveat that email proves control, not stable identity

Full Changelog: v1.25.2...v1.25.3