hpke-ng v0.1.0

• Breaking: Context is split into one-directional SenderContext and ReceiverContext. setup_sender_* now returns SenderContext (exposes seal + export); setup_receiver_* returns ReceiverContext (exposes open + export). Neither implements Clone. A sender and the matching receiver derive the identical (key, base_nonce), so a single type that could both seal and open made using one session in both directions a catastrophic AEAD (key, nonce) reuse — the split turns that misuse into a compile error. For a bidirectional channel, run a separate HPKE setup per direction or derive independent per-direction keys via export (RFC 9180 §9.8).
• New HpkeError::InvalidKeyMaterial variant. ML-KEM-768/1024 derive_key_pair requires exactly 64 bytes of (d, z) seed (draft-connolly-cfrg-hpke-mlkem §3.2); any other IKM length now returns InvalidKeyMaterial rather than a less specific error.
• Internal hardening: the key schedule is split into PSK-free (Base/Auth) and PSK-bearing (PSK/AuthPSK) fast paths selected by sealed PskFreeMode / PskMode marker tags instead of a raw u8 mode byte. Routing a PSK mode through the PSK-free path (or vice versa) is now a compile error. The tags are #[doc(hidden)] and not part of the public API.