2.2.1-rc.2
Pre-release
What's Changed
- security: normalize login error messages to prevent user enumeration (#6) by @lakhansamani in #583
- security: reject query response_mode for token flows; harden GET /logout against CSRF (#9, #10) by @lakhansamani in #589
- security: add HTTP server timeouts, graceful shutdown, and security headers (#11, #12, #13) by @lakhansamani in #588
- security: GraphQL depth/complexity/alias limits and disable GET transport (#14) by @lakhansamani in #584
- security: prevent SSRF DNS rebinding by dialing validated IP directly (#3) by @lakhansamani in #582
- security: harden CSRF Origin check and CORS credentials handling (#5, #16) by @lakhansamani in #585
- security: require admin secret at startup and add configurable refresh token lifetime (#1, #15) by @lakhansamani in #586
- security: fix rate limiter bypass, error swallowing, race, window math (#2, #4, #17, #18) by @lakhansamani in #587
- security: hash OTPs and encrypt TOTP secrets at rest with idempotent migration (#7, #8) by @lakhansamani in #590
- feat(oidc)!: phase 1 spec conformance fixes (with /userinfo breaking change) by @lakhansamani in #591
- feat(oidc): phase 2 — standard params, ID token claims, logout polish by @lakhansamani in #592
- feat(oidc): phase 3 — introspection, hybrid flows, JWKS multi-key, back-channel logout by @lakhansamani in #593
Full Changelog: 2.2.1-rc.1...2.2.1-rc.2