feat: introduce v0.5.0 with new features and critical fixes

This release brings a comprehensive set of enhancements and security improvements for version 0.5.0.

**New Features:**
- Implemented cryptographic receipts with HMAC-SHA256 signatures and a verification API.
- Added seal statistics (access count), custom unlock messages, and configurable auto-expiration.
- Introduced blob hash preview (SHA-256) before unlock for content verification.
- Enhanced security with DB-backed rate limiting and nonce storage for replay protection.
- Incorporated browser fingerprinting for robust rate limit bypass prevention.
- Mitigated timing attacks with random response jitter.
- Added UTF-8 validation on decrypted content.

**Critical Fixes:**
- Resolved a critical pulse interval bug that applied a 1000x multiplier.
- Addressed serverless state vulnerabilities by moving state to D1 database.
- Fixed rate limit bypasses and replay attacks across worker instances.

**Database Changes:**
- Added columns for `blob_hash`, `unlock_message`, `expires_at`, and `access_count`.
- Introduced `rate_limits` and `nonces` tables for persistent security features.

Author: teycir

README.md

@@ -276,6 +276,18 @@ See [LICENSE](LICENSE) for full terms.
 
 ## 🔮 Roadmap
 
+**Recently Implemented (v0.5.0):**
+- ✅ Cryptographic Receipts - HMAC-signed proof of seal creation
+- ✅ Receipt Verification - API endpoint to verify signatures
+- ✅ Seal Statistics - Access count tracking
+- ✅ Custom Unlock Messages - Personalized messages on unlock
+- ✅ Auto-Expiration - Configurable seal deletion after unlock
+- ✅ Blob Hash Preview - SHA-256 hash visible before unlock
+- ✅ DB-Backed Security - Rate limits and nonces in D1
+- ✅ Browser Fingerprinting - Enhanced rate limit bypass prevention
+- ✅ Timing Attack Mitigation - Random response jitter
+- ✅ Pulse Interval Fix - Critical 1000x multiplier bug fixed
+
 **Recently Implemented:**
 - ✅ Audit Logging - Immutable access trail
 - ✅ Code Deduplication - Cleaner API routes  

docs/CHANGELOG.md

@@ -7,6 +7,43 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.5.0] - 2025-12-22
+
+### Added
+- Cryptographic receipts with HMAC-SHA256 signatures
+- Receipt download functionality (JSON format)
+- Receipt verification API endpoint
+- Seal statistics (access count tracking)
+- Custom unlock messages (shown after unlock)
+- Auto-expiration (configurable days after unlock)
+- Blob hash preview (SHA-256, visible before unlock)
+- DB-backed rate limiting (persistent across workers)
+- DB-backed nonce storage (replay protection)
+- Browser fingerprinting for rate limits (IP + UA + Lang)
+- Timing attack mitigation (random jitter 0-100ms)
+- UTF-8 validation on decrypted content
+
+### Fixed
+- CRITICAL: Pulse interval bug (1000x multiplier removed)
+- Serverless state vulnerabilities (moved to D1 database)
+- Rate limit bypass via IP rotation (fingerprinting added)
+- Replay attacks across worker instances (DB nonces)
+
+### Security
+- Rate limits now persist in D1 database
+- Nonces stored in D1 for distributed replay protection
+- Timing attacks prevented with response jitter
+- Decryption integrity validation added
+- Cryptographic receipts for tamper detection
+
+### Database
+- Added `blob_hash` column for content verification
+- Added `unlock_message` column for custom messages
+- Added `expires_at` column for auto-expiration
+- Added `access_count` column for statistics
+- Added `rate_limits` table for persistent rate limiting
+- Added `nonces` table for replay protection
+
 ## [0.4.0] - 2025-12-22
 
 ### Added