Release v0.2.38 — Apache + nginx parity wave

Security:
- referer DNS-label wildcard (closes example.evil.com over-match)
- symlink escape via static serving (realpath docroot containment)
- mod_expires no longer caches 4xx/5xx
- double-encoded traversal (%252e%252e -> 400)
- multi-range DoS cap (CVE-2011-3192 class)
- explicit plaintext-htpasswd rejection + DES salt alphabet fix
- error responses no longer leak prior handler headers

Added:
- ConditionalRequest evaluator (RFC 9110 If-Match/Unmod/None-Match/Mod-Since precedence + 412)
- MimeResolver (multi-suffix Content-Type/Encoding/Language a la mod_mime)
- ContentEncoding/ContentLanguage middleware
- per-key ConcurrencyLimit (Store-backed, proxy-aware) + dry-run + configurable status
- RateLimit burst/nodelay/dry-run/configurable-status, App::clientIp() keying
- HostRouter trailing-wildcard + regex server_name + Host-400, IPv6 host parse
- HeaderMiddleware nginx-style status-conditional add_header + always opt-out
- Range If-Range HTTP-date; sendFile multi-range (206 multipart)
- ExpiresMiddleware dual-header + M-base + error-suppress + clamp
- Two source-diff audit docs: docs/apache-parity-audit.md, docs/nginx-parity-audit.md

Changed:
- HeaderMiddleware default = status-conditional (mild BC; per-rule always to restore)
- Compression Vary merges instead of overwriting, q=0 refused, weak-ETag on compress
- Redirect QSA merges query with & when target has one
- BodySizeLimit chunked enforcement + 0 = unlimited
- App::$limit_request_fields enforced (400 on excess); STANDARDS.md adds OpenSwoole-governed surfaces

Tests: 1962 unit, Infection covered-MSI 92% (gate 92), plain-MSI 90% (gate 88).

PR #38.