Release v0.2.25 Closes issue #13 with two complementary fixes: - Added: App::authChecker(?callable), adminChecker(?callable), usernameProvider(?callable) — apps wire ZealAPI's auth methods to their own session/auth state. Was hardcoded `return false;` in PR #10. - Fixed: session write/destroy now delegates to \SessionHandlerInterface when one is registered (PR #14). Redis-backed sessions actually persist now. Plus read-then-merge for the handler-write path to mitigate concurrent-request races on top-level session keys. Backwards-compatible — both fixes only change behaviour when the opt-in (authChecker registration / handler registration) is used. PHPStan level 10 clean. 383 unit + 147 integration tests pass.