Version 2.1.3

@umputun released this 10 May 05:04
· 4 commits to master since this release

Security: large hardening wave covering log/credential leaks, OAuth/Apple validation, and email-confirmation replay protection. Credit to @paskal.

Changes since v2.1.2

  • #289 close service-level typed-nil store + adapter-author guidance
  • #287 bind dev oauth and custom-server to localhost by default
  • #286 never expose bot token in avatar URL
  • #285 don't log email body, log size instead
  • #284 redact tokens from exchange-response debug log
  • #283 go fix ./...
  • #282 backport "from" redirect validator to v1 (sibling of #275)
  • #281 one-shot consumption of email confirmation tokens
  • #280 validate id_token iss and aud on Sign in with Apple
  • #279 don't log admin password on basic-auth failure
  • #276 caveat that email proves control, not stable identity

Full Changelog: v2.1.2...v2.1.3