Added

• Sliding token expiration for OAuth2 access tokens.
• Mastodon-compatible API: /api/v1/accounts/update_credentials endpoint.

Fixed

• Prevent pinning of (and auto-unpin) private objects.
• Don't save a quote if the quoted actor cannot be dereferenced.
• Fix rendering of federated actor profile attachment values.
• Remove href attributes with unsafe schemes from sanitized HTML.
• Escape interpolated values in view helpers and the actor icon streaming refresh.
• Restrict upload extensions and serve uploads with X-Content-Type-Options: nosniff.
• Escape publicKey and scrub Tag.href.
• Sanitizer no longer permits single-quote attribute injection.
• Ensure bearer-token sessions cannot reach the web UI.
• Require client authentication on the OAuth token endpoint.