## [1.3.0] - 2025-09-26
### Security / Hardening
- Removed all reflective private field access (`getDeclaredField` / `setAccessible`). Added explicit getters and helper methods.
- Migrated web session auth to `Authorization: Bearer <session>` header after initial load; SPA auto-migrates and strips `?session=` from URL history.
- Added hashed API token support via `web.api.token-hashes` (SHA-256 lowercase hex). Legacy plain `web.api.tokens` still accepted but deprecated (one-time warning when both present).
- Updated `SECURITY.md` to reflect mitigations.
### Developer / Internal
- Added utility methods in `WebServer` for token validation and constant-time hash comparison.
### Upgrade Notes
1. After updating, players' existing web links still work. On first load the UI migrates the token to a header and removes it from the address bar.
2. For API integrations using read-only tokens, you may begin migrating to hashed tokens:
- Generate hash: `echo -n "YourTokenValue" | sha256sum` (Linux/macOS) or use PowerShell `"YourTokenValue" | Out-File -NoNewline -Encoding ascii t.txt; certutil -hashfile t.txt SHA256 | Select-String -NotMatch "hash"; Remove-Item t.txt` (`-Encoding ascii` matters: Windows PowerShell 5.1 otherwise writes UTF-16 bytes, and the resulting hash will not match the token).
- Place the resulting 64-character lowercase hex digest in the `web.api.token-hashes` list.
- Remove the clear-text token from `web.api.tokens` after deployment to drop the deprecation warning.
3. No config keys were removed; all changes are backward compatible.
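Added illustrative example, not the project's own `WebServer` code: a Python sketch of the token check described above, where `token_hash` mirrors the `sha256sum` step, hashed entries from `web.api.token-hashes` are compared in constant time, legacy `web.api.tokens` entries are still accepted, and the deprecation warning fires once when both lists are present. The class and function names and the sample config values are assumptions.

```python
import hashlib
import hmac
import warnings

# Constructed sample config mirroring the web.api.* keys; token values are made up.
SAMPLE_CONFIG = {
    "web.api.tokens": ["legacy-plain-token"],  # deprecated clear-text list
    "web.api.token-hashes": [hashlib.sha256(b"hashed-only-token").hexdigest()],
}


def token_hash(token: str) -> str:
    """SHA-256 of the UTF-8 token bytes as lowercase hex, i.e. what
    `echo -n "<token>" | sha256sum` prints for an ASCII token."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TokenValidator:
    """Hypothetical validator: prefers hashed tokens, still honours legacy plain ones."""

    def __init__(self, config: dict):
        self.hashes = [h.strip().lower() for h in config.get("web.api.token-hashes", [])]
        self.plain = list(config.get("web.api.tokens", []))
        self.warnings_emitted = 0
        if self.hashes and self.plain:
            self._warn_once()

    def _warn_once(self) -> None:
        # Emit the deprecation notice a single time, not on every request.
        if self.warnings_emitted == 0:
            self.warnings_emitted += 1
            warnings.warn(
                "web.api.tokens is deprecated; move entries to web.api.token-hashes",
                DeprecationWarning,
            )

    def is_valid(self, presented: str) -> bool:
        digest = token_hash(presented)
        # Visit every candidate without an early exit, so response time does not
        # reveal which entry matched; hmac.compare_digest is constant-time per pair.
        ok = False
        for h in self.hashes:
            ok |= hmac.compare_digest(digest, h)
        for p in self.plain:
            # Hash the stored plain token too, so both sides are equal-length hex.
            ok |= hmac.compare_digest(digest, token_hash(p))
        return ok
```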