Release version 0.2.0

Security improvements and server implementation alignment.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

CHANGELOG.md

@@ -7,6 +7,34 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.2.0] - 2026-01-26
+
+### Added
+
+- SSRF protection with URL validation and private IP range blocking
+- `allowInsecureHttp` constructor parameter for development environments
+- Input validation in all DTO `fromArray()` methods
+- DateTime exception handling in DTOs
+- Recursive key sorting in `ResponseSignature` for nested objects
+
+### Changed
+
+- Key derivation now uses RFC 5869 compliant `hash_hkdf()` instead of custom HMAC
+- Exception messages sanitized to prevent information disclosure
+- Header normalization treats empty values as null
+
+### Fixed
+
+- JSON encoding error handling in `ResponseSignature::buildSignaturePayload()`
+- Header normalization null risk in `SecureLicenseClient`
+
+### Security
+
+- Comprehensive security audit performed
+- SSRF vulnerability mitigated
+- Information disclosure in error messages fixed
+- Improved cryptographic key derivation
+
 ## [0.1.0] - 2026-01-22
 
 ### Added

CLAUDE.md

@@ -29,7 +29,11 @@ This project is proudly **"vibe-coded"** using Claude.AI - the entire codebase w
 
 No known bugs at the moment
 
-### Version 0.2.0
+### Version 0.2.1
+
+No pending tasks at the moment.
+
+### Version 0.3.0
 
 No pending tasks at the moment.