Release v0.2.37

- BasicAuth APR1 (apr_md5) digest fix: byte-reversed encoding could never verify a real htpasswd -m hash; now pinned against Apache htpasswd/openssl oracles
- Infection covered-MSI 65% -> 95% (1680/1763 killed; 83 survivors all provably-equivalent, catalogued in STANDARDS.md); gate ratcheted to 88/92
- Apache httpd core-logic diff + non-support register (ProxyPass/TLS/WebDAV/CGI/mod_rewrite/.htaccess/...)
- Runnable HTTP fuzz harnesses: radamsa (500 muts, 0 hangs/0 leaks), gabbi (7/7), slowhttptest; wired into CI (fuzz.yml)
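
A known-answer check of the kind the APR1 item describes, as an added Python example (not the project's own code): a reference `$apr1$` implementation with the digest byte order written out, pinned to the `myPassword` vector from the Apache httpd password-formats documentation. The names `apr1_hash`, `apr1_verify` and `KNOWN` are hypothetical.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"
# Digest byte order used by the final encoding: five 3-byte groups, then byte 11.
# Getting this order (or the low-bits-first emission below) wrong yields a
# well-formed string that never matches a hash produced by htpasswd -m.
GROUPS = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]

def _to64(value: int, count: int) -> str:
    out = ""
    for _ in range(count):          # least-significant 6 bits first
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def apr1_hash(password: bytes, salt: bytes) -> str:
    salt = salt[:8]
    alt = hashlib.md5(password + salt + password).digest()
    ctx = password + MAGIC + salt
    n = len(password)
    while n > 0:                    # alternate digest, one chunk per 16 password bytes
        ctx += alt[:min(16, n)]
        n -= 16
    n = len(password)
    while n:                        # one byte per bit of the password length
        ctx += b"\x00" if n & 1 else password[:1]
        n >>= 1
    final = hashlib.md5(ctx).digest()
    for i in range(1000):           # fixed 1000-round stretch
        block = password if i & 1 else final
        if i % 3:
            block += salt
        if i % 7:
            block += password
        block += final if i & 1 else password
        final = hashlib.md5(block).digest()
    enc = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in GROUPS)
    return "$apr1$" + salt.decode("ascii") + "$" + enc + _to64(final[11], 2)

def apr1_verify(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1" or not parts[2]:
        return False                # not an APR1 entry
    if any(ch not in ITOA64 for ch in parts[2]):
        return False                # salt outside the crypt alphabet
    computed = apr1_hash(password.encode(), parts[2].encode("ascii"))
    return hmac.compare_digest(computed.encode(), stored.encode())

# Known-answer vector from the Apache httpd documentation (password, hash).
KNOWN = ("myPassword", "$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/")
```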