- Session-correctness sweep: regenerate-id sid desync (broke
  session_regenerate_id(true) login flows in every mode), strict-mode
  rotation of issued-but-empty sessions, and superglobal OWNERSHIP gating
  with ext-zealphp 0.3.36/0.3.37 — the go()-child steal (first-request
  501s, #332) and the service-coroutine restore wipe (ext#32). Session
  counters deterministic across bare Mode 4 + coroutine-legacy on
  PHP 8.3 + 8.4.
- Security: WS rooms/routing follow session auth (#234), ScopedMiddleware
  path-normalization bypass (#232), IpAccessMiddleware trusted proxies
  (#239).
- mod_php parity: REQUEST_URI query string (#306), $_COOKIE treat-data
  (#305), $_FILES field-major (#304), Basic-auth $_SERVER (#307),
  Set-Cookie byte-parity + SameSite=None warning (#293/#319), raw
  status-line passthrough (#327), filter_input in CGI workers (#316).
- Pool cold-start TOCTOU connection leak (#322), sendFile delegates to
  ConditionalRequest + MimeResolver (#321/#317), per-coroutine CWD
  isolation (#323, ext 0.3.35), quick-wins #308-#311/#318/#320,
  fcgi hang (#289), session handlers in coroutine mode (#295).
- ext-zealphp default pin -> v0.3.37.