features
- explicitly override secret in memory in some more cases when not used anymore
- added support for hybrid recipient / identities (thanks @yorickvP!)
With the new -pq flag (age-plugin-fido2-hmac -n -pq), generated recipients will be based on hybrid age recipients (using MLKEM768X25519 instead of X25519). If you don't specify this flag, it will still show both pq and non-pq versions if you opt for having a separate identity in the flow (both recipients will work with the same identity).
Recipients can now also be derived from existing plugin identities using the new -y flag, e.g. age-plugin-fido2-hmac -pq -y identity.txt (shows X25519-based recipient without -pq).
When encrypting using age -e -j fido2-hmac, there is now a prompt to ask if encryption should be pq-resistant or not. This can be hidden/overridden by setting the environment variable FIDO2_HMAC_PQ to either 1 (pq) or 0 (not pq).