v0.4.2

@sibidharan sibidharan tagged this 05 Jun 16:32
- Security: open-redirect block-by-default (#243), clientIp() XFF-spoof fix (#249),
  CIDR fail-closed (#248), access-log CRLF escaping (#250), CGI pool env / httpoxy (#257),
  session-fixation strict-mode (#244), Memcached object-injection (#251)
- Fixed: Store/Counter backends (#241 #242 #252 #254 #255 #256), HTTP/WS (#246 #247
  #253 #258 #259 #260), #227 reset-gate corruption
- ext-zealphp 0.3.32: IS_INDIRECT $GLOBALS isolation, superglobal session-leak reset,
  constant + class-static UAF, include-isolation + require_global (#8-#18), ASAN+Valgrind
- Docs: coroutine-isolation security-research guide
- Two behaviour changes (redirect, clientIp), both security-motivated