Release v0.2.26 Closes issue #15: narrow whitelist for session unserialize. v0.2.25 set allowed_classes => false in all session decode paths, converting stdClass (the most common session object shape — json_decode output, OAuth tokens, API profiles) to __PHP_Incomplete_Class and breaking real apps. v0.2.26 narrows the whitelist to ['stdClass'] specifically — zero magic methods means no gadget chain — while keeping every other class refused. PHPStan level 10 clean. 385 unit + 147 integration tests pass.