1.0.0-alpha.9

Pre-HN copy polish + bug-bounty alignment. No runtime / wire-format changes — alpha.9 is a documentation, attribution, and metadata-only release. Decrypts produced by alpha.5+ remain byte-identical.

Note: 1.0.0-alpha.8 was never published to npm. alpha.9 includes the alpha.8 fix below.

Documentation

• docs(security) — align SECURITY.md bug-bounty section with shieldfive.com/security/bug-bounty. The previous wording said no paid bounty existed for the open-source crypto library; the operator-run program at shieldfive.com/security/bug-bounty has always covered this library with €1000 / €500 / €250 tiers, so SECURITY.md now points there instead of contradicting it. Audit punch-list item P0-4.

Changed

• chore(package) — drop "audited-ready" from the npm description. No external audit has been performed; the project's audit posture is documented in SECURITY.md and continues to be self-reviewed, external audit deferred. Description now reads: "Client-side post-quantum hybrid encryption for cloud storage. The cryptographic core of ShieldFive." Audit punch-list item P1-D.
• chore(license) — replace Copyright 2026 ShieldFive with Copyright 2026 Cho Garcia in LICENSE (Apache-2.0 attribution block). Natural-person attribution matches the package.json author field. Audit punch-list item P1-C.
• chore(crypto) — bump SHIELDFIVE_CRYPTO_VERSION constant in src/index.ts from the stale 1.0.0-alpha.6 to 1.0.0-alpha.9 so it tracks package.json.

Fixed (carried from unpublished alpha.8)

• fix(pq-hybrid-v1) — re-export generateMlKemKeypair and deriveMlKemKeypair from the public subpath so the README quick-start compiles.

---

Tests: 156 / 156 pass. See CHANGELOG.md for the full history.