v0.11.0 — token firewall

@jeremylongshore jeremylongshore released this 03 Jun 23:19
· 38 commits to main since this release
fad921b

Token firewall (epic ccsc-z0n)

One SECRET_DECLARATIONS table in lib.ts is the single source of truth for every secret the bridge holds; the agent-facing placeholder, both exfiltration guards, and host-bound routing all derive from it — no drift.

  • ccsc-z0n.1 — secret-declaration schema (#216): the one table; secretPlaceholder / buildSecretValueSet / allowedSinkFor derive from it.
  • ccsc-z0n.3 — outbound value guard (#217): assertNoSecretValues blocks a live token leaving in reply/edit text, a file body, or an attachment filename. Additive companion to the existing assertSendable path guard (no signature change — lib.ts is vendored by AGP).
  • ccsc-z0n.2 — inbound result scrub (#218): redactSecretValues over the tool-dispatch chokepoint swaps any token that surfaces in a result for its placeholder before the agent reads it. Premise finding: CCSC's MCP-stdio split means the agent (a separate process) never holds the token anyway — documented in THREAT-MODEL.md T4 as a structural placeholder-swap guarantee.

Net posture: the agent can't leak a token outbound, can't receive one in a tool result, and never held it to begin with — now proven, not hoped.
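The derive-everything-from-one-table idea above, as an added sketch that is not the project's `lib.ts`. The function names come from these notes, but the declaration fields, every signature, the placeholder format, the hosts and the token values are assumptions constructed for illustration.

```typescript
// Added sketch, not the project's lib.ts: field names, signatures and the
// token values below are assumptions constructed for illustration.
interface SecretDeclaration {
  name: string;        // logical name, used to build the placeholder
  envVar: string;      // where the bridge process reads the live value
  allowedHost: string; // the only host the live value may be sent to
}
type SecretValues = [string, SecretDeclaration][];

const SECRET_DECLARATIONS: readonly SecretDeclaration[] = [
  { name: "bot-token", envVar: "EXAMPLE_BOT_TOKEN", allowedHost: "api.example.test" },
  { name: "app-token", envVar: "EXAMPLE_APP_TOKEN", allowedHost: "socket.example.test" },
];

const secretPlaceholder = (d: SecretDeclaration): string => `<secret:${d.name}>`;

function allowedSinkFor(name: string): string | undefined {
  for (const d of SECRET_DECLARATIONS) if (d.name === name) return d.allowedHost;
  return undefined;
}

// Live value -> declaration, longest value first so a token that contains another
// is matched whole. Unset or empty values are skipped: "" would match every string.
function buildSecretValueSet(env: Record<string, string | undefined>): SecretValues {
  const pairs: SecretValues = [];
  for (const d of SECRET_DECLARATIONS) {
    const value = env[d.envVar];
    if (value) pairs.push([value, d]);
  }
  return pairs.sort((a, b) => b[0].length - a[0].length);
}

// Outbound guard: refuse text carrying a live value; the error never echoes it.
function assertNoSecretValues(text: string, values: SecretValues): void {
  for (const [value, d] of values) {
    if (text.indexOf(value) !== -1) throw new Error(`outbound text contains secret "${d.name}"`);
  }
}

// Inbound scrub: swap any live value in a tool result for its placeholder.
function redactSecretValues(text: string, values: SecretValues): string {
  let out = text;
  for (const [value, d] of values) out = out.split(value).join(secretPlaceholder(d));
  return out;
}

// Constructed sample environment (not real tokens); one value contains the other.
const sampleEnv: Record<string, string | undefined> = { EXAMPLE_BOT_TOKEN: "tok-bot-1111", EXAMPLE_APP_TOKEN: "tok-bot-1111-app" };
const sampleValues = buildSecretValueSet(sampleEnv);
```

Because both guards read the same derived value list, adding a row to the table covers the placeholder, the outbound check and the inbound scrub at once.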

Also in this release

  • Relicensed MIT → Apache 2.0 (#194) with a NOTICE file.
  • Stryker mutation-score floor wired as a scheduled CI gate (ccsc-0mn / ccsc-2et).

Quality

Suite 986 → 1050 tests; coverage 96.03% line / 97.90% func; mutation baselines in 000-docs/MUTATION_REPORT.md. Nine-gate CI (typecheck, Biome, tests, coverage floor, depcruise, gherkin-lint, harness-hash, audit, crap-score) + CodeQL + gitleaks all green.

Full detail in CHANGELOG.md.