Release v0.2.11 — open-redirect hardening + docs cleanup Security: - Response::redirect() rejects leading/trailing whitespace and backslash. Closes a real open-redirect / stored-XSS bypass of v0.2.5's scheme guard: ' javascript:alert(1)' was getting through because the regex anchor failed to match URLs with leading whitespace, and browsers strip the whitespace before parsing the Location header. - All v0.2.5 through v0.2.10 are affected. Upgrade recommended for any app that passes user input directly to Response::redirect(). - 7 new redirect regression tests. Tests: - 17 new RequestContext invariants tests pinning the v0.2.6 architectural contracts (class_alias identity, strict __set, response state location, ApacheContext lazy alloc, etc.). Docs: - deployment.php env var table rewritten with all 20 ZEALPHP_* vars. - migration / sessions / middleware / README updated for v0.2.6+ rename and v0.2.10 additions. 193 unit tests, PHPStan green. See CHANGELOG.md and CRITIC.md.