First Trusted-Publishing release. See CHANGELOG.md for full details.

Highlights:
- PR-301: Bearer auth uses secrets.compare_digest (timing-safe)
- PR-302: [project.urls] table on PyPI listing
- PR-303: Defense-in-depth security headers (CSP, nosniff, frame-deny)
- PR-304: MCP pgrg_ingest enforces INGEST_ALLOWED_EXTS allowlist
- PR-305: Reranker actionable ImportError when fastembed missing
- bug fix: datetime metadata no longer crashes evolution-tier1 ingest
- 13 new integration tests + 2 new unit tests; 204 total tests passing
- CI lint+format hygiene cleared